
I'm having trouble getting freeradius-1.1.7 to proxy PEAP-MSCHAPv2 to another RADIUS server. My other server doesn't do EAP, so I'm just sending plain MSCHAPv2, achieved with proxy_tunneled_request_as_eap = no in eap.conf.

When I proxy to my other server, I get back an Access-Accept packet. Then freeradius sends an Access-Challenge to the client, receives a response, and then things appear to break.

I am able to successfully authenticate users with PEAP by defining them locally in the users file. Additionally, I have gotten TTLS to work by proxying to another server, it's just PEAP that I'm having problems with.

The differing line in the debug seems to be:

  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2

versus:

  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.

I'm running a pretty standard config, I think. I can send copies of it, if that would help.

Andrew Olson

The complete proxied debug starting with the Access-Request is as follows:

Sending Access-Request of id 0 to port 1812
        User-Name = "anolson"
        NAS-IP-Address :=
        MS-CHAP-Challenge = 0x85feba9cbed9e9191bf72a29f0f82312
MS-CHAP2-Response = 0x0700b776d1433b4d6dab43d5bde9163e8b450000000000000000ee7fcb070f3766e7e7b0f198b72754b44a9ef0255d712db1
        Proxy-State = 0x3136
        Service-Type := Framed-User
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host, id=0, length=189
        Filter-Id = "CNS_NET1"
MS-CHAP2-Success = 0x07533d43433041424443323542333046453444414131394238363737413941334136454631364134454634
        MS-MPPE-Send-Key = 0x7b5fcacde0c3798261894df701a5cdd5
        MS-MPPE-Recv-Key = 0x3900c03d5b5851da66e8fb27d90077f9
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x0000000e
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 6
  PEAP: Passing reply from proxy back into the tunnel.
  PEAP: Passing reply back for EAP-MS-CHAP-V2 0x8170500 2
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 6
  rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x8170500 2.
  rlm_eap_mschapv2: Authentication succeeded.
MSCHAP Success
  modcall[post-proxy]: module "eap" returns ok for request 6
modcall: leaving group post-proxy (returns ok) for request 6
 PEAP: Got reply 11
  PEAP: Got tunneled Access-Challenge
  PEAP: Reply was handled
  modcall[post-proxy]: module "eap" returns ok for request 6
modcall: leaving group post-proxy (returns ok) for request 6
Sending Access-Challenge of id 16 to port 56945
EAP-Message = 0x0107005b190017030100502c303c60e1337bcb4c17a281f71910d23777fd5f4a4d5aefab92a23ff28a993aa17ebc2d6bd7567b9386fec7c4e6f2f7ae4c4655a8492000e0e473fc7e8be63a1bf372449cba9f795dc6535b04648cdb
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x23a96486ec5dbd008e1eddcee31dfa93
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host, id=17, length=151
        User-Name = "anolson"
        State = 0x23a96486ec5dbd008e1eddcee31dfa93
EAP-Message = 0x0207005419800000004e170301002050f4490743b89308d9bb84f411a1629e7b6f06dd6c02c2525747560f657f63d117030100209d0c853d82e17d05938ab49201447c135a90d068d1641a23db5fc04cfcc0dd08
        Message-Authenticator = 0x3c828120c544cde1b5d4366b7e735350
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
    rlm_realm: No '@' in User-Name = "anolson", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 7
  rlm_eap: EAP packet type response id 7 length 84
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
  modcall[authorize]: module "files" returns notfound for request 7
modcall: leaving group authorize (returns updated) for request 7
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Setting User-Name to anolson
  PEAP: Adding old state with dc 84
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
    rlm_realm: No '@' in User-Name = "anolson", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 7
  rlm_eap: EAP packet type response id 7 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
    users: Matched entry DEFAULT at line 57
  modcall[authorize]: module "files" returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
  PEAP: Can't handle the return code 4
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 10 with timestamp 47a8d136
Cleaning up request 1 ID 11 with timestamp 47a8d136
Cleaning up request 2 ID 12 with timestamp 47a8d136
Cleaning up request 3 ID 13 with timestamp 47a8d136
Cleaning up request 4 ID 14 with timestamp 47a8d136
Cleaning up request 5 ID 15 with timestamp 47a8d136
Cleaning up request 6 ID 16 with timestamp 47a8d136
Sending Access-Reject of id 17 to port 56945
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
Cleaning up request 7 ID 17 with timestamp 47a8d136
Nothing to do.  Sleeping until we see a request.

The complete non-proxied debug starting with the final Access-Challenge is as follows:

Sending Access-Challenge of id 18 to port 56939
EAP-Message = 0x0108002b190017030100206ae9bd54b7c0124979401818f662bec45aea2853b277e8dda897e8a645571887
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x00e512dd6dbcc968bffd9f8b8dc13bc4
Finished request 40
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host, id=19, length=166
        User-Name = "andrew"
        State = 0x00e512dd6dbcc968bffd9f8b8dc13bc4
EAP-Message = 0x0208006419800000005e1703010020a0257f0df72e93adb495d9ab98f8e65ee4b526e563dd80bcdd464a3735f1d83417030100304c5de1fa016827d3181b8a26a7a31091f8f4474167c5424e0b51913e0ede50c14e04ec233670bd9888b1ea89ed510131
        Message-Authenticator = 0xf3079323771a635bac1bdaa00b2e850f
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 41
  modcall[authorize]: module "preprocess" returns ok for request 41
  modcall[authorize]: module "chap" returns noop for request 41
  modcall[authorize]: module "mschap" returns noop for request 41
    rlm_realm: No '@' in User-Name = "andrew", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 41
  rlm_eap: EAP packet type response id 8 length 100
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 41
    users: Matched entry andrew at line 53
  modcall[authorize]: module "files" returns ok for request 41
modcall: leaving group authorize (returns updated) for request 41
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 41
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 41
modcall: leaving group authenticate (returns ok) for request 41
Sending Access-Accept of id 19 to port 56939
        MS-MPPE-Recv-Key = 0x1aa22f77848e2c89b4a6681bd67b45483d25b05232dd9e37748bba578fff2700
        MS-MPPE-Send-Key = 0x62d67197e6bfbce385f1b6e2ccd03c183281bca70e810a79cd85e7d2a38d654d
        EAP-Message = 0x03080004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "andrew"
Finished request 41
Going to the next request
Waking up in 6 seconds...
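The debug output above is easier to read once the EAP-Message attribute values are decoded: the first bytes of each hex string are the EAP code, identifier and length, then the method type and, for PEAP, the flags byte (L = TLS length included, M = more fragments, S = start, low bits = version) and the optional four-byte TLS Message Length. The following decoder is an added example, not code from the post or from FreeRADIUS; the sample transcript it walks is a constructed excerpt of the lines quoted above (the Access-Challenge id 16, the Access-Request id 17 and the final Access-Reject). Running it shows the fields that radiusd -X only reports in prose, for instance that the id 17 request is EAP Response id 7, length 84, type 25 (PEAP) with the L flag set, matching "rlm_eap: EAP packet type response id 7 length 84" and "rlm_eap_tls: Length Included" in the log. The decoder reports both the declared TLS length and the number of TLS bytes actually carried, because in these captures the two differ by four bytes.

```python
"""Decode the EAP-Message attributes printed by `radiusd -X` (added example)."""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MS-CHAPv2"}
TLS_BASED_TYPES = {13, 21, 25}


def decode_eap_message(value):
    """Parse one EAP-Message value (hex, with or without '0x') into its fields.

    Only the EAP header, the method type and, for TLS-based methods, the flags
    byte and TLS Message Length are decoded; the TLS records themselves are
    ciphertext once the tunnel is up and are left alone.
    """
    raw = bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    info = {
        "code": code, "code_name": EAP_CODES.get(code, "Unknown"),
        "id": ident, "length": length, "bytes_present": len(raw),
        # A RADIUS attribute holds at most 253 bytes, so a long EAP packet is
        # split over several EAP-Message attributes; a short one is not corrupt.
        "complete": len(raw) == length,
    }
    if code in (3, 4) or len(raw) < 5:        # Success/Failure carry no type byte
        return info
    info["type"] = raw[4]
    info["type_name"] = EAP_TYPES.get(raw[4], "Unknown")
    if raw[4] not in TLS_BASED_TYPES or len(raw) < 6:
        return info
    flags = raw[5]
    info["length_included"] = bool(flags & 0x80)   # L: TLS Message Length follows
    info["more_fragments"] = bool(flags & 0x40)    # M: further fragments to come
    info["start"] = bool(flags & 0x20)             # S: EAP-TLS/PEAP start packet
    info["version"] = flags & 0x07                 # PEAP/TTLS version bits
    body = raw[6:]
    if info["length_included"]:
        if len(body) < 4:
            raise ValueError("L flag set but the TLS Message Length is missing")
        info["tls_declared_length"] = int.from_bytes(body[:4], "big")
        body = body[4:]
    info["tls_bytes_in_packet"] = len(body)
    return info


# Matches "Sending Access-Challenge of id 16 to port ..." and
# "rad_recv: Access-Request packet from host, id=17, length=151".
PACKET_RE = re.compile(
    r"^(?:Sending|rad_recv:) (Access-\w+)(?: packet from \S+)?,? (?:of id |id=)(\d+)")
EAP_RE = re.compile(r"^\s*EAP-Message = (0x[0-9a-fA-F]+)")


def eap_flow(debug_text):
    """Walk a radiusd -X transcript; return (RADIUS packet, RADIUS id, EAP summary)."""
    flow, current = [], None
    for line in debug_text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            continue
        m = EAP_RE.match(line)
        if m and current:
            i = decode_eap_message(m.group(1))
            summary = f"EAP-{i['code_name']} id={i['id']} len={i['length']}"
            if "type_name" in i:
                summary += f" {i['type_name']}"
            if i.get("length_included"):
                summary += f" L tls_len={i['tls_declared_length']}"
            flow.append((current[0], current[1], summary))
    return flow


# Constructed excerpt of the proxied debug quoted in the post above.
SAMPLE_DEBUG = """\
Sending Access-Challenge of id 16 to port 56945
EAP-Message = 0x0107005b190017030100502c303c60e1337bcb4c17a281f71910d23777fd5f4a4d5aefab92a23ff28a993aa17ebc2d6bd7567b9386fec7c4e6f2f7ae4c4655a8492000e0e473fc7e8be63a1bf372449cba9f795dc6535b04648cdb
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x23a96486ec5dbd008e1eddcee31dfa93
rad_recv: Access-Request packet from host, id=17, length=151
        User-Name = "anolson"
        State = 0x23a96486ec5dbd008e1eddcee31dfa93
EAP-Message = 0x0207005419800000004e170301002050f4490743b89308d9bb84f411a1629e7b6f06dd6c02c2525747560f657f63d117030100209d0c853d82e17d05938ab49201447c135a90d068d1641a23db5fc04cfcc0dd08
Sending Access-Reject of id 17 to port 56945
        EAP-Message = 0x04070004
"""

if __name__ == "__main__":
    for packet, rid, summary in eap_flow(SAMPLE_DEBUG):
        print(f"{packet:<16} id={rid:<3} {summary}")
```

Feeding the whole non-proxied transcript through eap_flow the same way shows the contrast the post is after: there the conversation ends in an Access-Accept carrying EAP-Success id 8 (0x03080004), whereas the proxied one ends in an Access-Reject carrying EAP-Failure id 7 right after the server logged "Request not found in the list".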
