sherwinaval
just joined
Topic Author
Posts: 4
Joined: Tue Jul 09, 2024 3:04 pm

Freeradius authentication issue

Tue Jul 09, 2024 3:12 pm

Hi,

I'm new to MT and generally in networking. I have been watching YouTube tutorials and videos on creating a hotspot.

I wish to implement a hotspot with RADIUS authentication using FreeRADIUS. I got an RB750gr3 and an Ubuntu 24.04 with FreeRADIUS and daloRADIUS. So far I believe I did everything right but I keep getting authentication issues. I don't see any errors from the daloRADIUS/FreeRADIUS logs but here's what I get from MT:
14:59:29 radius,debug,packet sending Access-Request with id 6 to 10.0.0.100:1812
 14:59:29 radius,debug,packet     Signature = 0x902ab5e88fc6db52c2029735e54def15
 14:59:29 radius,debug,packet     NAS-Port-Type = 19
 14:59:29 radius,debug,packet     Calling-Station-Id = "E2:13:96:32:68:9E"
 14:59:29 radius,debug,packet     Called-Station-Id = "hotspot1"
 14:59:29 radius,debug,packet     NAS-Port-Id = "bridge-hotspot"
 14:59:29 radius,debug,packet     User-Name = "abc"
 14:59:29 radius,debug,packet     NAS-Port = 2153775122
 14:59:29 radius,debug,packet     Acct-Session-Id = "80600012"
 14:59:29 radius,debug,packet     Framed-IP-Address = 10.0.0.19
 14:59:29 radius,debug,packet     MT-Host-IP = 10.0.0.19
 14:59:29 radius,debug,packet     CHAP-Challenge = 0x3b16f02c8cc70f23da9f7ef183b869c0
 14:59:29 radius,debug,packet     CHAP-Password = 0x35a6822b8aa202f8bca1fc6e3d34c932
 14:59:29 radius,debug,packet       50
 14:59:29 radius,debug,packet     Service-Type = 1
 14:59:29 radius,debug,packet     WISPr-Logoff-URL = "http://10.0.0.1/logout"
 14:59:29 radius,debug,packet     NAS-Identifier = "MikroTik"
 14:59:29 radius,debug,packet     NAS-IP-Address = 10.0.0.1
 14:59:29 radius,debug,packet     Message-Authenticator = 0x0ab5b33eb9eddcb6a40319a5b2abf5e4
 14:59:29 radius,debug,packet received bad Access-Accept with id 6 from 10.0.0.100:1812
 14:59:29 radius,debug,packet     Signature = 0x6111ee7d327ba89b7f66c599fae90568
 14:59:29 radius,debug received packet for 3f:5a with missing message auth, dropping
 14:59:29 radius,debug timeout for 3f:5a
 14:59:30 hotspot,info,debug abc (10.0.0.19): login failed: RADIUS server is not responding
It is not always like that; I sometimes get this:
 14:42:08 radius,debug,packet sending Access-Request with id 5 to 10.0.0.100:1812
 14:42:08 radius,debug,packet     Signature = 0x46c8b00c28700adbae02b82651e4f309
 14:42:08 radius,debug,packet     NAS-Port-Type = 19
 14:42:08 radius,debug,packet     Calling-Station-Id = "E2:13:96:32:68:9E"
 14:42:08 radius,debug,packet     Called-Station-Id = "hotspot1"
 14:42:08 radius,debug,packet     NAS-Port-Id = "bridge-hotspot"
 14:42:08 radius,debug,packet     User-Name = "abc"
 14:42:08 radius,debug,packet     NAS-Port = 2153775121
 14:42:08 radius,debug,packet     Acct-Session-Id = "80600011"
 14:42:08 radius,debug,packet     Framed-IP-Address = 10.0.0.19
 14:42:08 radius,debug,packet     MT-Host-IP = 10.0.0.19
 14:42:08 radius,debug,packet     CHAP-Challenge = 0xedfa03492d088ed3b691822b10076f2e
 14:42:08 radius,debug,packet     CHAP-Password = 0x980c8ebf42618e38fc637cb590aa1e7b
 14:42:08 radius,debug,packet       7a
 14:42:08 radius,debug,packet     Service-Type = 1
 14:42:08 radius,debug,packet     WISPr-Logoff-URL = "http://10.0.0.1/logout"
 14:42:08 radius,debug,packet     NAS-Identifier = "MikroTik"
 14:42:08 radius,debug,packet     NAS-IP-Address = 10.0.0.1
 14:42:08 radius,debug,packet     Message-Authenticator = 0x900cf611fd695ecd41ecdde1ed5437df
 14:42:09 radius,debug timeout for 3f:59
 14:42:10 hotspot,info,debug abc (10.0.0.19): login failed: RADIUS server is not responding
I trimmed down the logs; it always resends 3 times but I feel it is redundant as they are the same message.

I hope someone can point me in the right direction. I'm still learning so I ask that you please be patient. I'm willing to learn :)
 
sherwinaval
just joined
Topic Author
Posts: 4
Joined: Tue Jul 09, 2024 3:04 pm

Re: Freeradius authentication issue

Tue Jul 09, 2024 3:14 pm

Btw, I got the latest 7.15.2 ROS version if that matters.
 
fuhry
just joined
Posts: 3
Joined: Sun Sep 24, 2023 12:52 am

Re: Freeradius authentication issue  [SOLVED]

Tue Jul 09, 2024 4:52 pm

The recent changes to support a message authenticator caused a regression with radsec support. This thread is another report of the same issue.

If you are not using radsec, make sure your radius server is including a message authenticator in its response. In FreeRADIUS I was able to do this by initializing the Message-Authenticator attribute to all zeroes in all Access-Accept, Access-Challenge and Access-Reject replies in a post-auth clause; the server populates the authenticator with the correct value automatically just before it writes the response to the wire.

(edit) BTW - you should censor the combination of your CHAP challenge + response - it is quite easily bruteforceable these days.
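
The calculation fuhry describes, shown as an added example (not code from the thread, FreeRADIUS or MikroTik): per RFC 2869, the Message-Authenticator in a reply is HMAC-MD5 over the packet with that field zeroed and the request's authenticator in the header. `check_reply` models a client that requires the attribute, as the "missing message auth, dropping" log line indicates. The function names, shared secret, request authenticator and Session-Timeout value are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 2869); value is 16 octets

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def build_reply(code, ident, request_auth, attrs, secret, with_ma=True):
    """Build a reply; the Message-Authenticator goes first, initially all zeroes."""
    body = (attr(MESSAGE_AUTHENTICATOR, bytes(16)) if with_ma else b"") + b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_ma:
        # HMAC-MD5 keyed with the shared secret, using the *request* authenticator.
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = attr(MESSAGE_AUTHENTICATOR, mac) + body[18:]
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body

def check_reply(packet, request_auth, secret, require_ma=True):
    """Return 'ok' or the reason a client would drop the reply."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        return "bad length"
    header, response_auth, body = packet[:4], packet[4:20], packet[20:length]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return "bad response authenticator"
    pos, ma_pos = 0, None
    while pos < len(body):  # walk the type-length-value attributes
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            return "malformed attribute"
        if body[pos] == MESSAGE_AUTHENTICATOR and body[pos + 1] == 18:
            ma_pos = pos
        pos += body[pos + 1]
    if ma_pos is None:
        return "missing message auth" if require_ma else "ok"
    zeroed = body[:ma_pos + 2] + bytes(16) + body[ma_pos + 18:]
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, body[ma_pos + 2:ma_pos + 18]):
        return "bad message auth"
    return "ok"

# Constructed sample values (not taken from the thread).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
SESSION_TIMEOUT = attr(27, struct.pack("!I", 3600))
```

An Access-Accept (code 2) built with `with_ma=False` passes the older Response Authenticator check but is rejected with "missing message auth" once the client requires the attribute.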
 
sherwinaval
just joined
Topic Author
Posts: 4
Joined: Tue Jul 09, 2024 3:04 pm

Re: Freeradius authentication issue

Tue Jul 09, 2024 9:13 pm

> The recent changes to support a message authenticator caused a regression with radsec support. This thread is another report of the same issue.
>
> If you are not using radsec, make sure your radius server is including a message authenticator in its response. In FreeRADIUS I was able to do this by initializing the Message-Authenticator attribute to all zeroes in all Access-Accept, Access-Challenge and Access-Reject replies in a post-auth clause; the server populates the authenticator with the correct value automatically just before it writes the response to the wire.
>
> (edit) BTW - you should censor the combination of your CHAP challenge + response - it is quite easily bruteforceable these days.

Wow!!! It worked! What I did was I created a profile with the attribute of Message-Authenticator and just typed in 0 and operator is = and target is reply. 1 click and boom it got authenticated! One thing though, if I entered a wrong password, instead of giving me an error of wrong password, it gives out Radius server not responding. It would have been nice if it gives the correct error message of invalid username and password. Is this normal or am I missing something?

Since I'm really new to this one, now I'm trying to explore more things, like bandwidth limiting, the time allowed that a specific username can be online and then gets booted when that time is finished and much more... It would be helpful if you could point me to those things but, like I said, I'm willing to learn and will take my time researching it.

Once again thank you so much! It was a big relief coz I have been banging my head for a few days now thinking what went wrong since I followed all the tutorials. Such a simple
 
sherwinaval
just joined
Topic Author
Posts: 4
Joined: Tue Jul 09, 2024 3:04 pm

Re: Freeradius authentication issue

Tue Jul 09, 2024 9:14 pm

> (edit) BTW - you should censor the combination of your CHAP challenge + response - it is quite easily bruteforceable these days.

I would like to get some advice on how to do this? But I've removed CHAP and just have PAP now. Not really sure if that would solve the CHAP issue.
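
One way to do the censoring fuhry suggests before pasting RouterOS RADIUS debug output, as an added example that is not part of the original posts: mask the credential-bearing attributes and drop the wrapped remainder of a long value (the lone hex line that follows CHAP-Password in the logs above). The sample lines are constructed in the thread's log format; the name `redact` and the decision to also mask User-Password are assumptions of this example.

```python
import re

# Attributes whose values should not be published (assumed list; extend as needed).
SENSITIVE = ("CHAP-Challenge", "CHAP-Password", "User-Password")

ATTR = re.compile(r"^(?P<head>.*?radius,debug,packet\s+)(?P<name>[\w-]+) = (?P<value>.*)$")
# A wrapped value shows up as a line holding nothing but hex digits.
CONT = re.compile(r"^.*?radius,debug,packet\s+[0-9a-fA-F]+\s*$")


def redact(lines, names=SENSITIVE):
    """Return the log lines with sensitive attribute values masked."""
    out, in_sensitive = [], False
    for line in lines:
        m = ATTR.match(line)
        if m:
            in_sensitive = m["name"] in names
            if in_sensitive:
                line = f"{m['head']}{m['name']} = <redacted>"
            out.append(line)
        elif in_sensitive and CONT.match(line):
            continue  # remainder of the value just masked: drop it
        else:
            in_sensitive = False
            out.append(line)
    return out


# Constructed sample in the RouterOS debug format (values are made up).
SAMPLE = [
    '14:59:29 radius,debug,packet sending Access-Request with id 6 to 10.0.0.100:1812',
    '14:59:29 radius,debug,packet     User-Name = "demo"',
    '14:59:29 radius,debug,packet     CHAP-Challenge = 0x00112233445566778899aabbccddeeff',
    '14:59:29 radius,debug,packet     CHAP-Password = 0x0102030405060708090a0b0c0d0e0f10',
    '14:59:29 radius,debug,packet       11',
    '14:59:29 radius,debug,packet     Service-Type = 1',
    '07-17 20:54:23 radius,debug,packet     User-Password = 0x0000',
]

if __name__ == "__main__":
    print("\n".join(redact(SAMPLE)))
```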
 
RichardJackson
just joined
Posts: 4
Joined: Fri May 24, 2024 12:18 pm

Re: Freeradius authentication issue

Tue Jul 16, 2024 9:37 am

I am just posting so I can keep track of this thread.
 
loloski
Member
Posts: 420
Joined: Mon Mar 15, 2021 9:10 pm

Re: Freeradius authentication issue

Tue Jul 16, 2024 10:23 am

> if I entered a wrong password, instead of giving me an error of wrong password, it gives out Radius server not responding. It would have been nice if it gives the correct error message of invalid username and password. Is this normal or am I missing something?

That's by design, at least in ROS v6. I don't know if in v7 that can be customized or overridden to display the actual message from the radius reply. I'm also interested in this, I just didn't dig enough.
 
ipavlik
just joined
Posts: 19
Joined: Thu Dec 22, 2016 3:47 pm

Re: Freeradius authentication issue

Thu Jul 18, 2024 7:44 am

> The recent changes to support a message authenticator caused a regression with radsec support. This thread is another report of the same issue.
>
> If you are not using radsec, make sure your radius server is including a message authenticator in its response. In FreeRADIUS I was able to do this by initializing the Message-Authenticator attribute to all zeroes in all Access-Accept, Access-Challenge and Access-Reject replies in a post-auth clause; the server populates the authenticator with the correct value automatically just before it writes the response to the wire.
>
> (edit) BTW - you should censor the combination of your CHAP challenge + response - it is quite easily bruteforceable these days.

Hello,

I'm completely new to radius infrastructure and I need to implement VPN 2FA with a FreeRadius server. I have the same issue with the "received packet for 1b:37 with missing message auth, dropping" log message. Can you please explain in detail what configuration changes you made?

Complete request log:
 07-17 20:54:23 radius,debug,packet sending Access-Request with id 60 to 192.168.1.199:1812
 07-17 20:54:23 radius,debug,packet     Signature = 0xd5ddc08c7d585fc93c7a0acdd5955f9d
 07-17 20:54:23 radius,debug,packet     Service-Type = 2
 07-17 20:54:23 radius,debug,packet     Framed-Protocol = 1
 07-17 20:54:23 radius,debug,packet     NAS-Port = 15728701
 07-17 20:54:23 radius,debug,packet     NAS-Port-Type = 0
 07-17 20:54:23 radius,debug,packet     User-Name = "vpnuser01"
 07-17 20:54:23 radius,debug,packet     Calling-Station-Id = "192.168.0.158"
 07-17 20:54:23 radius,debug,packet     Called-Station-Id = "192.168.1.3"
 07-17 20:54:23 radius,debug,packet     Acct-Session-Id = "81a00035"
 07-17 20:54:23 radius,debug,packet     User-Password = 0x343931343632
 07-17 20:54:23 radius,debug,packet     NAS-Identifier = "EMIS_LAN1_Backup"
 07-17 20:54:23 radius,debug,packet     NAS-IP-Address = 192.168.1.3
 07-17 20:54:23 radius,debug,packet     Message-Authenticator = 0x6b86dc2721e1bbb0fa531ffcf9d10ac4
 07-17 20:54:23 radius,debug,packet received bad Access-Accept with id 60 from 192.168.1.199:1812
 07-17 20:54:23 radius,debug,packet     Signature = 0xbda0de7e3d8abf5780a33d6e3eac6ab5
 07-17 20:54:23 radius,debug received packet for 1b:37 with missing message auth, dropping
Thank you.
