Re: Proxying PEAP/MSCHAP

Bob McCormick Tue, 13 Apr 2004 09:51:26 -0700

Hmmm.. I must be doing something wrong. With this config in the users file:

DEFAULT Proxy-To-Realm := "adt.com"
        Fall-Through = Yes
DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL
        Fall-Through = Yes

It *is* sending something to my "home" radius server, but the "home" radius server seems to thing it's getting an EAP message. I get this in the logs on the "home" server:

Ready to process requests. rad_recv: Access-Request packet from host 10.140.31.5:1814, id=1, length=125 User-Name = "bobm" Framed-MTU = 1400 Called-Station-Id = "000f.2418.ffb0" Calling-Station-Id = "0020.a64e.f148" Message-Authenticator = 0x8440919779e4075268398667a67f5902 EAP-Message = 0x0202000901626f626d NAS-Port-Type = Wireless-802.11 NAS-Port = 342 Service-Type = Framed-User NAS-IP-Address = 10.140.24.12 NAS-Identifier = "ap" Proxy-State = 0x3530 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "bobm", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched bobm at 65 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP"

Anyone have any ideas?

Below are the complete logs from both servers:

------------------- Proxy radius server ------------------------------ Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = yes peap: use_tunneled_reply = yes peap: proxy_tunneled_request_as_eap = no rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy- detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (pre_proxy_log) detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/post-proxy- detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (post_proxy_log) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 10.140.24.12:21645, id=50, length=121 User-Name = "bobm" Framed-MTU = 1400 Called-Station-Id = "000f.2418.ffb0" Calling-Station-Id = "0020.a64e.f148" Message-Authenticator = 0x548202bfaa578a0066cf1ad9c0bad093 EAP-Message = 0x0202000901626f626d NAS-Port-Type = Wireless-802.11 NAS-Port = 342 Service-Type = Framed-User NAS-IP-Address = 10.140.24.12 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "bobm", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched DEFAULT at 1 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 Processing the pre-proxy section of radiusd.conf modcall: entering group pre-proxy for request 0 radius_xlat: '/usr/local/var/log/radius/radacct/10.140.24.12/pre-proxy-detail -20040413' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy- detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.140.24.12/pre-proxy-detail -20040413 modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 0 modcall: group pre-proxy returns ok for request 0 Sending Access-Request of id 1 to 10.140.25.10:1812 User-Name = "bobm" Framed-MTU = 1400 Called-Station-Id = "000f.2418.ffb0" Calling-Station-Id = "0020.a64e.f148" Message-Authenticator = 0x00000000000000000000000000000000 EAP-Message = 0x0202000901626f626d NAS-Port-Type = Wireless-802.11 NAS-Port = 342 Service-Type = Framed-User NAS-IP-Address = 10.140.24.12 NAS-Identifier = "ap" Proxy-State = 0x3530 --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Challenge packet from host 10.140.25.10:1812, id=1, length=68 EAP-Message = 0x010300061920 Message-Authenticator = 0x42c3c65f8c9df25e99035fc3ea7be508 State = 0xc84d9ea39dd161e3b1cfaee0df5ad9e3 Proxy-State = 0x3530 Processing the post-proxy section of radiusd.conf modcall: entering group post-proxy for request 0 radius_xlat: '/usr/local/var/log/radius/radacct/10.140.24.12/post-proxy-detail -20040413' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/post-proxy- detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.140.24.12/post-proxy-detail -20040413 modcall[post-proxy]: module "post_proxy_log" returns ok for request 0 modcall[post-proxy]: module "eap" returns noop for request 0 modcall: group post-proxy returns ok for request 0 Sending Access-Challenge of id 50 to 10.140.24.12:21645 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc84d9ea39dd161e3b1cfaee0df5ad9e3 Finished request 0 Going to the next request rl_next: returning NULL Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.140.24.12:21645, id=51, length=210 User-Name = "bobm" Framed-MTU = 1400 Called-Station-Id = "000f.2418.ffb0" Calling-Station-Id = "0020.a64e.f148" Message-Authenticator = 0xa01a4e9a813c00c5ba8bf3c272d77141 EAP-Message = 0x0203005019800000004616030100410100003d0301407c1b8509d4fc5dc8ebe9437883 4bfc2abb4b444eb0d2bdd247aba3afe0352100001600040005000a000900640062000300 060013001200630100 NAS-Port-Type = Wireless-802.11 NAS-Port = 342 State = 0xc84d9ea39dd161e3b1cfaee0df5ad9e3 Service-Type = Framed-User NAS-IP-Address = 10.140.24.12 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "bobm", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 3 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched DEFAULT at 1 users: Matched DEFAULT at 3 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm! Cancelling invalid proxy request. rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request not found in the list rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 1 modcall: group authenticate returns invalid for request 1 auth: Failed to validate the user. Cancelling proxy as request was already rejected Request 1 rejected in proxy_send. Server rejecting request 1. Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.140.24.12:21645, id=51, length=210 Sending Access-Reject of id 51 to 10.140.24.12:21645 --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 50 with timestamp 407c0d31 Cleaning up request 1 ID 51 with timestamp 407c0d31 Nothing to do. Sleeping until we see a request.

---------------------------------------------- "home" radius server ---------------------------------------------- Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients Using deprecated clients file. Support for this will go away soon. read_config_files: reading realms Using deprecated realms file. Support for this will go away soon. radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = yes peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp. Ready to process requests. rad_recv: Access-Request packet from host 10.140.31.5:1814, id=1, length=125 User-Name = "bobm" Framed-MTU = 1400 Called-Station-Id = "000f.2418.ffb0" Calling-Station-Id = "0020.a64e.f148" Message-Authenticator = 0x8440919779e4075268398667a67f5902 EAP-Message = 0x0202000901626f626d NAS-Port-Type = Wireless-802.11 NAS-Port = 342 Service-Type = Framed-User NAS-IP-Address = 10.140.24.12 NAS-Identifier = "ap" Proxy-State = 0x3530 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "bobm", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched bobm at 65 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 1 to 10.140.31.5:1814 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc84d9ea39dd161e3b1cfaee0df5ad9e3 Proxy-State = 0x3530 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 1 with timestamp 407c0d31 Nothing to do. Sleeping until we see a request.

On Apr 12, 2004, at 2:38 PM, Alan DeKok wrote:

Bob McCormick <[EMAIL PROTECTED]> wrote:

I read the post quoted below, and it seemed to indicate that it should
be possible to get freeradius to handle PEAP or TTLS, and proxy the
inner MSCHAP request to another radius server.  Has anyone ever got
this to work?  I've tried, but I keep getting the following error
message:

  WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm!
Cancelling invalid proxy request.

It's a warning, not an error.

The way to get it to work is to configure the server to NOT proxy the outer session, but to proxy the inner session. This is another way:

#---
DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "realm"
#---

  Which marks the outer session as always local, and the inner as
always proxied.

  Configure it in a test system FIRST.  Use a minimalist test system,
which should make debugging much easier.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Proxying PEAP/MSCHAP

Reply via email to