Hi!

Alan DeKok wrote:
Dmitry Sergienko wrote:
Does anyone here have working inner tunnel proxying with freeradius 2.0.x?

Still having troubles with doing EAP-PEAP-MSCHAPv2 authorization.
Switched to FreeRadius 2.0.1 from 1.1.7.

  I think the issue was introduced recently.  Try editing
src/main/event.c, function request_post_handler()

...
        if (request->root->proxy_requests &&
            /* !request->proxy &&  */         // comment out this line
            !request->in_proxy_hash &&        // add this line
            (request->reply->code == 0) &&
            (request->packet->dst_port != 0) &&
            (request->packet->code != PW_STATUS_SERVER)) {
...

  Re-build && install.  See if that helps...

Thanks for the tip.
successfully_proxied_request() also needs patching:

        /*
         *      If it was already proxied, do nothing.
         *
         *      FIXME: This should really be a serious error.
         */
        /* if (request->in_proxy_hash || request->proxy) { */
        if (request->in_proxy_hash) {
                return 0;
        }

AFAIU this function relies on an empty request->packet, but it is not empty because it has been filled in eappeap_process():

        /*
         *      Seed the proxy packet with the
         *      tunneled request.
         */
        rad_assert(request->proxy == NULL);
        request->proxy = fake->packet;


The second oddity: when setting "proxy_tunneled_request_as_eap = no", proxying does not work because no inner MSCHAPv2 request is extracted. The debug output looks like this:

Wed Feb 6 00:33:09 2008 : Debug: PEAP: Calling authenticate in order to initiate tunneled EAP session.
Wed Feb 6 00:33:09 2008 : Debug: WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.

The solution is quite simple: write the following in the proxy-inner-tunnel file after the authorize {} section:

        authenticate {
                eap
        }


module_authenticate() is called in eappeap_process() to extract the MSCHAPv2 request, and when there is no authenticate section in the virtual server, proxying will fail. IMHO it would be useful to have these lines in the example proxy-inner-tunnel as a comment for "proxy_tunneled_request_as_eap" set to "no". Maybe someone will run into the same issue and spend several hours or days figuring out how to fix this.



--
Best regards,
Dmitry Sergienko
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
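
A simplified model of the check discussed in this message, added here as an illustration and not taken from the FreeRADIUS source: it compares the original `!request->proxy` test with the `!request->in_proxy_hash` test for a request whose proxy packet was seeded by the PEAP module. The struct layout, the `decide` helper and its scenario numbers are assumptions; the field names follow the snippets quoted above.

```c
#include <stdbool.h>
#include <stdio.h>

#define PW_ACCESS_REQUEST 1
#define PW_STATUS_SERVER  12

/* Simplified stand-ins for the server's structures (assumed layout). */
struct packet { int code; int dst_port; };
struct request {
    bool proxy_requests;               /* models request->root->proxy_requests */
    struct packet *packet, *proxy, *reply;
    bool in_proxy_hash;                /* set once the request is really sent */
};

/* Conditions that are the same before and after the change. */
static bool common_ok(const struct request *r)
{
    return r->proxy_requests && r->reply->code == 0 &&
           r->packet->dst_port != 0 && r->packet->code != PW_STATUS_SERVER;
}

/* Original test: any non-NULL request->proxy counts as "already proxied". */
bool should_proxy_old(const struct request *r)
{
    return common_ok(r) && r->proxy == NULL;
}

/* Changed test: only a request already in the proxy hash is skipped. */
bool should_proxy_new(const struct request *r)
{
    return common_ok(r) && !r->in_proxy_hash;
}

/* scenario 0: plain request, 1: proxy packet seeded from the tunnel,
 * 2: request already sent to the home server (constructed cases). */
bool decide(int scenario, bool patched)
{
    struct packet in = { PW_ACCESS_REQUEST, 1812 }, out = in, rep = { 0, 0 };
    struct request r = { true, &in, NULL, &rep, false };
    if (scenario >= 1) r.proxy = &out;
    if (scenario == 2) r.in_proxy_hash = true;
    return patched ? should_proxy_new(&r) : should_proxy_old(&r);
}

int main(void)
{
    static const char *name[] = { "plain", "tunnel-seeded", "already sent" };
    for (int s = 0; s < 3; s++)
        printf("%-14s old=%d new=%d\n", name[s], decide(s, false), decide(s, true));
    return 0;
}
```

Only the tunnel-seeded case differs between the two tests: the original one refuses to proxy it, the changed one proxies it, and a request already in the proxy hash is skipped by both.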