Hi!

The situation becomes clearer if the eap module is called in the post-proxy section of proxy-inner-tunnel:

Wed Feb 13 01:31:41 2008 : Debug: +- entering group post-proxy
Wed Feb 13 01:31:41 2008 : Debug:   modsingle[post-proxy]: calling eap (rlm_eap) for request 7
Wed Feb 13 01:31:41 2008 : Debug: rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x8185f20 2.
Wed Feb 13 01:31:41 2008 : Debug:   rlm_eap_mschapv2: Authentication succeeded.
Wed Feb 13 01:31:41 2008 : Debug: MSCHAP Success
Wed Feb 13 01:31:41 2008 : Debug: modsingle[post-proxy]: returned from eap (rlm_eap) for request 7
Wed Feb 13 01:31:41 2008 : Debug: ++[eap] returns ok
Wed Feb 13 01:31:41 2008 : Debug:   POST-PROXY 2
Wed Feb 13 01:31:41 2008 : Debug:   POST-AUTH 2


But it still fails to authorize:


Wed Feb 13 03:17:19 2008 : Debug: rlm_eap_peap: Session established. Decoding tunneled attributes.
  PEAP tunnel data in 0000: 1a 03
Wed Feb 13 03:17:19 2008 : Debug:   rlm_eap_peap: EAP type mschapv2
  PEAP: Got tunneled EAP-Message
        EAP-Message = 0x020a00061a03
Wed Feb 13 03:17:19 2008 : Debug:   PEAP: Setting User-Name to aaa
  PEAP: Sending tunneled request
        EAP-Message = 0x020a00061a03
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "aaa"
        State = 0x29fd9dc228f787186321d63394dc60d5
        Framed-MTU = 1466
        NAS-IP-Address = 192.168.2.3
        NAS-Identifier = "D-Link"
        Service-Type = Framed-User
        NAS-Port = 33
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "ether3_33"
        Called-Station-Id = "00-15-e9-b8-79-dd"
        Calling-Station-Id = "00-a9-40-0f-83-a5"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
server proxy-inner-tunnel {
Wed Feb 13 03:17:19 2008 : Debug: +- entering group authorize
Wed Feb 13 03:17:19 2008 : Debug: ++[control] returns notfound
} # server proxy-inner-tunnel
  PEAP: Got tunneled reply RADIUS code 0
Wed Feb 13 03:17:19 2008 : Debug: PEAP: Calling authenticate in order to initiate tunneled EAP session.
Wed Feb 13 03:17:19 2008 : Debug: +- entering group authenticate
Wed Feb 13 03:17:19 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 8
Wed Feb 13 03:17:19 2008 : Error: rlm_eap: No EAP session matching the State variable.
Wed Feb 13 03:17:19 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Wed Feb 13 03:17:19 2008 : Debug:   rlm_eap: Failed in handler
Wed Feb 13 03:17:19 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 8
Wed Feb 13 03:17:19 2008 : Debug: ++[eap] returns invalid


In the normal case the inner tunnel has "EAP-Type = MS-CHAP-V2" and Auth-Type = EAP in check_items:

Wed Feb 13 03:09:51 2008 : Debug:      EAP-Message = 0x020a00061a03
Wed Feb 13 03:09:51 2008 : Debug:      FreeRADIUS-Proxied-To = 127.0.0.1
Wed Feb 13 03:09:51 2008 : Debug:      User-Name = "aaa"
Wed Feb 13 03:09:51 2008 : Debug:      State = 0xe314f6cee21eecffcdeca66afa541172
Wed Feb 13 03:09:51 2008 : Debug:      Framed-MTU = 1466
Wed Feb 13 03:09:51 2008 : Debug:      NAS-IP-Address = 192.168.2.3
Wed Feb 13 03:09:51 2008 : Debug:      NAS-Identifier = "D-Link"
Wed Feb 13 03:09:51 2008 : Debug:      Service-Type = Framed-User
Wed Feb 13 03:09:51 2008 : Debug:      NAS-Port = 33
Wed Feb 13 03:09:51 2008 : Debug:      NAS-Port-Type = Ethernet
Wed Feb 13 03:09:51 2008 : Debug:      NAS-Port-Id = "ether3_33"
Wed Feb 13 03:09:51 2008 : Debug:      Called-Station-Id = "00-15-e9-b8-79-dd"
Wed Feb 13 03:09:51 2008 : Debug:      Calling-Station-Id = "00-a9-40-0f-83-a5"
Wed Feb 13 03:09:51 2008 : Debug:      Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Wed Feb 13 03:09:51 2008 : Debug:      EAP-Type = MS-CHAP-V2

In this (proxied) case the inner tunnel contains only the following attributes:

(gdb) p vp_listdebug(request->packet->vps)
Wed Feb 13 03:15:10 2008 : Debug:      EAP-Message = 0x020a00061a03
Wed Feb 13 03:15:10 2008 : Debug:      FreeRADIUS-Proxied-To = 127.0.0.1
Wed Feb 13 03:15:10 2008 : Debug:      User-Name = "aaa"
Wed Feb 13 03:15:10 2008 : Debug:      State = 0x7f6817377e620dc906c84fac864d0550
Wed Feb 13 03:15:10 2008 : Debug:      Framed-MTU = 1466
Wed Feb 13 03:15:10 2008 : Debug:      NAS-IP-Address = 192.168.2.3
Wed Feb 13 03:15:10 2008 : Debug:      NAS-Identifier = "D-Link"
Wed Feb 13 03:15:10 2008 : Debug:      Service-Type = Framed-User
Wed Feb 13 03:15:10 2008 : Debug:      NAS-Port = 33
Wed Feb 13 03:15:10 2008 : Debug:      NAS-Port-Type = Ethernet
Wed Feb 13 03:15:10 2008 : Debug:      NAS-Port-Id = "ether3_33"
Wed Feb 13 03:15:10 2008 : Debug:      Called-Station-Id = "00-15-e9-b8-79-dd"
Wed Feb 13 03:15:10 2008 : Debug:      Calling-Station-Id = "00-a9-40-0f-83-a5"
Wed Feb 13 03:15:10 2008 : Debug:      Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"

request->check_items contains only the Proxy-To-Realm AVPair.


Dmitry Sergienko wrote:
Thanks for committing patches.
But I have to return to the question of proxying EAP-PEAP-MS-CHAPv2. I've spent several nights with gdb, radsniff and xsupplicant to figure out why authentication passes with eapol_test and fails with the WinXP supplicant. I even tried the Juniper Odyssey 802.1X client :)

The reason why authentication fails is missing EAP-MSCHAP Success packet inside EAP-PEAP response.

--
Best regards,
Dmitry Sergienko
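To make the comparison above mechanical, here is an added example (my own, not FreeRADIUS code) that parses the two inner-tunnel attribute dumps, reports which attributes the proxied request lacks, and decodes the EAP-Message header to show that 0x020a00061a03 is an EAP-Response carrying MS-CHAPv2 opcode Success. The embedded dumps are constructed from the debug lines above, trimmed to a few attributes with the wrapped State values rejoined.

```python
import re

# Constructed excerpts of the two inner-tunnel dumps from the debug output above
# (normal case vs. proxied case), trimmed to the attributes that matter here.
NORMAL_DUMP = """\
Wed Feb 13 03:09:51 2008 : Debug:      EAP-Message = 0x020a00061a03
Wed Feb 13 03:09:51 2008 : Debug:      User-Name = "aaa"
Wed Feb 13 03:09:51 2008 : Debug:      State = 0xe314f6cee21eecffcdeca66afa541172
Wed Feb 13 03:09:51 2008 : Debug:      EAP-Type = MS-CHAP-V2
"""
PROXIED_DUMP = """\
Wed Feb 13 03:15:10 2008 : Debug:      EAP-Message = 0x020a00061a03
Wed Feb 13 03:15:10 2008 : Debug:      User-Name = "aaa"
Wed Feb 13 03:15:10 2008 : Debug:      State = 0x7f6817377e620dc906c84fac864d0550
"""

# Matches "Attribute = value" with or without the "Wed ... : Debug:" prefix.
ATTR_RE = re.compile(r'^(?:.*Debug:)?\s*([\w-]+)\s*=\s*(.+?)\s*$')

def parse_attrs(dump):
    """Turn a radiusd -X attribute dump into an insertion-ordered dict name -> value."""
    attrs = {}
    for line in dump.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def missing_attrs(reference, candidate):
    """Names present in the reference request but absent from the candidate request."""
    return [name for name in reference if name not in candidate]

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "NAK", 13: "TLS", 25: "PEAP", 26: "MS-CHAP-V2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure", 7: "Change-Password"}

def decode_eap_message(hexstr):
    """Decode an EAP-Message value such as 0x020a00061a03 into its header fields."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != actual {len(raw)}")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:          # only Request/Response carry a type
        info["type"] = EAP_TYPES.get(raw[4], raw[4])
        if raw[4] == 26 and length >= 6:        # MS-CHAPv2 payload starts with an opcode
            info["mschapv2_opcode"] = MSCHAPV2_OPCODES.get(raw[5], raw[5])
    return info
```

Running missing_attrs(parse_attrs(NORMAL_DUMP), parse_attrs(PROXIED_DUMP)) returns ['EAP-Type'], the check item the proxied request never receives.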