Hi All,

I need some help with the configuration to have an EAP-PEAP request proxied as MS-CHAP to another RADIUS server.
Main Radius server: version 2.0.2
Radius to be proxied to: version 1.1.3

Key configuration entries on main radius server as follows:

------------------
radiusd.conf
------------------
modules {
        pap {
                auto_header = no
                # encryption_scheme = clear
        }
        chap {
                authtype = CHAP
        }
        mschap {
                use_mppe = yes
                authtype = MS-CHAP
                require_encryption = yes
                require_strong = yes
        }
}

--------
users
--------
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := SECURACCESS

----------------
proxy.conf
----------------
home_server goebbels {
        type = auth+acct
        ipaddr = xxx.xxx.xxx.151
        port = 1812
        secret = xxxxxx
        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = request
        check_interval = 30
        num_answers_to_alive = 3
}

home_server_pool my_auth_failover {
        type = fail-over
        home_server = goebbels
}

realm gmail.com {
}

realm SECURACCESS {
        pool = my_auth_failover
        nostrip
        hints
}

-------------
eap.conf
-------------
eap {
        peap {
                default_eap_type = mschapv2
                proxy_tunneled_request_as_eap = no
        }
}

----------------------------
sites-enabled/default
----------------------------
authorize {
        preprocess
        chap
        mschap
        IPASS
        suffix
        eap
        files
        pap
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

The request is proxied successfully to the inner radius using MS-CHAP and the authentication is correct; however, when the reply is returned I'm getting errors. Here is the output for reference.
rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987, id=22, length=158
        User-Name = "[EMAIL PROTECTED]"
        Framed-MTU = 1400
        Called-Station-Id = "001e.7a3c.7a10"
        Calling-Station-Id = "001e.3a8b.f065"
        Service-Type = Login-User
        Message-Authenticator = 0x749ecae7e4f112c2dc2c4edad03ab8f3
        EAP-Message = 0x02020017016d616a65726540716d61782e636f6d2e7367
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 288
        NAS-IP-Address = 192.168.0.88
        NAS-Identifier = "Test_802_1x"
+- entering group authorize
        expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "[EMAIL PROTECTED]", skipping NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 23
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry DEFAULT at line 41
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 22 to xxx.xxx.xxx.219 port 62987
        Service-Type = Framed-User
        Session-Timeout = 36000
        Idle-Timeout = 10800
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3d9c5d6c3d9f44de59e52e5a67a9cf7f
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987, id=23, length=219
        User-Name = "[EMAIL PROTECTED]"
        Framed-MTU = 1400
        Called-Station-Id = "001e.7a3c.7a10"
        Calling-Station-Id = "001e.3a8b.f065"
        Service-Type = Login-User
        Message-Authenticator = 0xcbcc4b5fac3cad3cedb45f85d411f1a1
        EAP-Message = 0x0203004219800000003816030100330100002f030147e775d6e6585e5c5af14cae88358db237b2036cb19a1b44dd865f48b4bd86ad000008000a002f001600330100
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 288
        State = 0x3d9c5d6c3d9f44de59e52e5a67a9cf7f
        NAS-IP-Address = 192.168.0.88
        NAS-Identifier = "Test_802_1x"
+- entering group authorize
        expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "[EMAIL PROTECTED]", skipping NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 3 length 66
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 56
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0033], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0c2d], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 23 to xxx.xxx.xxx.219 port 62987
        EAP-Message = 0x0104040019c000000c8a160301004a02000046030147e775d7acdfb705710141663b058234d2bb9ce24dd0a972c026aa2b5d2700de208e1a18df3ecb9ce8c1015331eaa444cc93baebc8423d07c038860ef666174f90000a001603010c2d0b000c29000c260004df308204db308202c3a003020102020304d931300d06092a864886f70d010105050030793110300e060355040a1307526f6f74204341311e301c060355040b1315687474703a2f2f7777772e6361636572742e6f7267312230200603550403131943412043657274205369676e696e6720417574686f726974793121301f06092a864886f70d0109011612737570706f727440636163
        EAP-Message = 0xa9d10b5c95fbffbeb9296b02
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3d9c5d6c3c9844de59e52e5a67a9cf7f
Finished request 1.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987, id=24, length=159
        User-Name = "[EMAIL PROTECTED]"
        Framed-MTU = 1400
        Called-Station-Id = "001e.7a3c.7a10"
        Calling-Station-Id = "001e.3a8b.f065"
        Service-Type = Login-User
        Message-Authenticator = 0xe210919a74fb784b321b8817189a9d31
        EAP-Message = 0x020400061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 288
        State = 0x3d9c5d6c3c9844de59e52e5a67a9cf7f
        NAS-IP-Address = 192.168.0.88
        NAS-Identifier = "Test_802_1x"
+- entering group authorize
        expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "[EMAIL PROTECTED]", skipping NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 24 to xxx.xxx.xxx.219 port 62987
        EAP-Message = 0x5489a5fbdb8b5122
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3d9c5d6c3f9944de59e52e5a67a9cf7f
Finished request 2.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987, id=25, length=159
        User-Name = "[EMAIL PROTECTED]"
        Framed-MTU = 1400
        Called-Station-Id = "001e.7a3c.7a10"
        Calling-Station-Id = "001e.3a8b.f065"
        Service-Type = Login-User
        Message-Authenticator = 0x1831b9c6ed39e206304a0bae85d5a8a1
        EAP-Message = 0x020500061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 288
        State = 0x3d9c5d6c3f9944de59e52e5a67a9cf7f
        NAS-IP-Address = 192.168.0.88
        NAS-Identifier = "Test_802_1x"
+- entering group authorize
        expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "[EMAIL PROTECTED]", skipping NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 5 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 25 to xxx.xxx.xxx.219 port 62987
        EAP-Message = 0x3406096086480186f842010804271625687474703a2f2f7777772e6361636572742e6f72672f696e6465782e7068703f69643d3130305606096086480186f842010d04491647546f2067657420796f7572206f776e20636572746966696361746520666f7220465245452068656164206f76657220746f20687474703a2f2f7777772e6361636572742e6f7267300d06092a864886f70d0101040500038202010028c7ee9c8202ba5c8012ca350a1d816f896a99ccf2680f7fa7e18d58953ebdf206c3905aacb560f6994301a388709c9d629da487af67580d30363be6ad48d3cb740286713ee22b0368f1346240463b53ea28f4acfb6695538a4d5dfd
        EAP-Message = 0x3bd960d7ca79693bb16592a6c681825c9ccdeb4d018aa5df1155aa15ca1f37c082987061db6a7c96a38e2e543e4f21a990efdc82bfdce845ad4d9073083c9465b00499767fe2bcc26a15aa97043724d81e944e6d0e51bed6c48fca966df743dfe83065273b7bbb434363c443f7b2ec68cce1198e22fb98e17b5a3e01373b8b08b0a2f3954e1acb9bcd9ab1dbb270f02d4adbd8b0e36f45483312fffe3c322a54f7c4f78af08823c247fe647a71c0d11ea663b0077ea42fd3018fdc9f2bb6c608a90f934825fc12fd9f42dcf3c43ef657b0d7dd69d10677340a4bd2caa0ff1cc68cc916bec4cc323768735f08fb51f7495336050a95024cf2791a10f6d8
        EAP-Message = 0x3a759cf31df1a20d
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3d9c5d6c3e9a44de59e52e5a67a9cf7f
Finished request 3.
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987, id=26, length=159
        User-Name = "[EMAIL PROTECTED]"
        Framed-MTU = 1400
        Called-Station-Id = "001e.7a3c.7a10"
        Calling-Station-Id = "001e.3a8b.f065"
        Service-Type = Login-User
        Message-Authenticator = 0x0a71bcc21970eb9c06a717f1577e3124
        EAP-Message = 0x020600061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 288
        State = 0x3d9c5d6c3e9a44de59e52e5a67a9cf7f
        NAS-IP-Address = 192.168.0.88
        NAS-Identifier = "Test_802_1x"
+- entering group authorize
        expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "[EMAIL PROTECTED]", skipping NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 6 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 26 to xxx.xxx.xxx.219 port 62987
        EAP-Message = 0x010700ae19007067861bb316f52fe5a4eb7986f93d0bc2730ba599ac6ffc67b8e52f0ba618248d7bd14835291840ac9360e1968650b47a59d88f210b9fcf8291c63bbf6bdc0791b9975623aab66c94c648063ce4ce4eaae4f62f09dc536f2efc74eb3a6399c2a6ac89bca7b244a00d8a10e36cf224cbfa9b9f70472ede148bd4b2200996a264f1241cdca1359c15b2d4bc552e7d06f59c0e55f45ad693da76ad25734cc54316030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3d9c5d6c399b44de59e52e5a67a9cf7f
Finished request 4.
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987, id=27, length=483
        User-Name = "[EMAIL PROTECTED]"
        Framed-MTU = 1400
        Called-Station-Id = "001e.7a3c.7a10"
        Calling-Station-Id = "001e.3a8b.f065"
        Service-Type = Login-User
        Message-Authenticator = 0x822399b94b0bc1594b5b849189d31868
        EAP-Message = 0xcb469d3cd49d56c02c19b6717b6a647892830384a3a0cc2b14030100010116030100287747b2da88c656a202dd69c5c460b346189416e6ff86cb124f2bff6b9443c04fa7f9c324d5644021
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 288
        State = 0x3d9c5d6c399b44de59e52e5a67a9cf7f
        NAS-IP-Address = 192.168.0.88
        NAS-Identifier = "Test_802_1x"
+- entering group authorize
        expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "[EMAIL PROTECTED]", skipping NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 7 length 253
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 318
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 27 to xxx.xxx.xxx.219 port 62987
        EAP-Message = 0x0108003919001403010001011603010028f7057de02b9d0e5184efd841fab6a4b44d3877cd7b25a3e786145bf58a866c76e6bda53e876b473d
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3d9c5d6c389444de59e52e5a67a9cf7f
Finished request 5.
Going to the next request
Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987, id=28, length=159
        User-Name = "[EMAIL PROTECTED]"
        Framed-MTU = 1400
        Called-Station-Id = "001e.7a3c.7a10"
        Calling-Station-Id = "001e.3a8b.f065"
        Service-Type = Login-User
        Message-Authenticator = 0x9aa9d97e0e231cea6b19cb67a7427212
        EAP-Message = 0x020800061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 288
        State = 0x3d9c5d6c389444de59e52e5a67a9cf7f
        NAS-IP-Address = 192.168.0.88
        NAS-Identifier = "Test_802_1x"
+- entering group authorize
        expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "[EMAIL PROTECTED]", skipping NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 8 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap_peap: EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 28 to xxx.xxx.xxx.219 port 62987
        EAP-Message = 0x0109002b19001703010020eedbab1e5637b6f9a112f580254e552325658744d6663cd65b9a405cc43ffe6e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3d9c5d6c3b9544de59e52e5a67a9cf7f
Finished request 6.
Going to the next request
Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987, id=29, length=204
        User-Name = "[EMAIL PROTECTED]"
        Framed-MTU = 1400
        Called-Station-Id = "001e.7a3c.7a10"
        Calling-Station-Id = "001e.3a8b.f065"
        Service-Type = Login-User
        Message-Authenticator = 0x96b9aec4b089096c9bc1d6d2598c65a4
        EAP-Message = 0x0209003319001703010028b6876e498464cf83b2c91427000ebfa013931247315f451d4cfe1c43fb21d97e7a74d1138289b578
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 288
        State = 0x3d9c5d6c3b9544de59e52e5a67a9cf7f
        NAS-IP-Address = 192.168.0.88
        NAS-Identifier = "Test_802_1x"
+- entering group authorize
        expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "[EMAIL PROTECTED]", skipping NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 9 length 51
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_peap: Identity - [EMAIL PROTECTED]
  PEAP: Got tunneled identity of [EMAIL PROTECTED]
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to [EMAIL PROTECTED]
+- entering group authorize
        expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "[EMAIL PROTECTED]", skipping NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 9 length 23
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry DEFAULT at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
  rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
  PEAP: Cancelling proxy to realm SECURACCESS until the tunneled EAP session has been established
  PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 29 to xxx.xxx.xxx.219 port 62987
        EAP-Message = 0x010a004b19001703010040650e624cd28f313fcdaa01569602f1b5c46136cbe5807506d27344870727fcaefd991233d94b0b695e9888a3f104d8f9611b03212fc6762840ca318a5ab8dfe7
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3d9c5d6c3a9644de59e52e5a67a9cf7f
Finished request 7.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987, id=30, length=260
        User-Name = "[EMAIL PROTECTED]"
        Framed-MTU = 1400
        Called-Station-Id = "001e.7a3c.7a10"
        Calling-Station-Id = "001e.3a8b.f065"
        Service-Type = Login-User
        Message-Authenticator = 0x97de9e8789eb63dd4e16c3acf1663d79
        EAP-Message = 0x020a006b19001703010060b2c9dbe814f29a10ef2fd8f8e39a7f63976d9ef95692d2062c4d148432e7e0ddcfe869c72ff3e3e55496d2a432990bd1b2526e4e95621c082d40089bedc6376916d2d615d323b5ea3ab2a7078b0fb89d90401eff5baa808b9cfaf1364a4ead75
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 288
        State = 0x3d9c5d6c3a9644de59e52e5a67a9cf7f
        NAS-IP-Address = 192.168.0.88
        NAS-Identifier = "Test_802_1x"
+- entering group authorize
        expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "[EMAIL PROTECTED]", skipping NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 10 length 107
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  PEAP: Setting User-Name to [EMAIL PROTECTED]
+- entering group authorize
        expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "[EMAIL PROTECTED]", skipping NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 10 length 77
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry DEFAULT at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Not-EAP proxy set. Not composing EAP
++[eap] returns handled
  PEAP: Tunneled authentication will be proxied to SECURACCESS
  PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
  Tunneled session will be proxied. Not doing EAP.
++[eap] returns handled
Sending Access-Request of id 212 to xxx.xxx.xxx.151 port 1812
        User-Name = "[EMAIL PROTECTED]"
        NAS-IP-Address = xxx.xxx.xxx.219
        MS-CHAP-Challenge = 0x5d6e0e7c347dfb2e0d636bb267dbbb25
        MS-CHAP2-Response = 0x0a613cd2bf39eed5861aabb762c1c824164f0000000000000000034b01fe706028ca1c4aac06d12203ba01fb335cc5849983
        Proxy-State = 0x3330
Proxying request 8 to home server xxx.xxx.xxx.151 port 1812
Sending Access-Request of id 212 to xxx.xxx.xxx.151 port 1812
        User-Name = "[EMAIL PROTECTED]"
        NAS-IP-Address = xxx.xxx.xxx.219
        MS-CHAP-Challenge = 0x5d6e0e7c347dfb2e0d636bb267dbbb25
        MS-CHAP2-Response = 0x0a613cd2bf39eed5861aabb762c1c824164f0000000000000000034b01fe706028ca1c4aac06d12203ba01fb335cc5849983
        Proxy-State = 0x3330
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Accept packet from host xxx.xxx.xxx.151 port 1812, id=212, length=210
        Class = 0x7773675f353132
        Service-Type = Framed-User
        Session-Timeout = 36000
        Idle-Timeout = 10800
        MS-CHAP2-Success = 0x0a533d34414246383744434131334641313736423838364530413830334530464244303739454539433042
        MS-MPPE-Recv-Key = 0xd05b8c013b092f1d163f93190e1f9049
        MS-MPPE-Send-Key = 0x03ffeba42e61c4fe7f41d9c2d6ab2725
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        Proxy-State = 0x3330
+- entering group post-proxy
        expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/xxx.xxx.xxx.219/post-proxy-detail-20080324
    rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/xxx.xxx.xxx.219/post-proxy-detail-20080324
        expand: %t -> Mon Mar 24 17:35:20 2008
++[post_proxy_log] returns ok
  PEAP: Passing reply from proxy back into the tunnel.
  PEAP: Passing reply back for EAP-MS-CHAP-V2 0x8177078 2
+- entering group post-proxy
        expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/0.0.0.0/post-proxy-detail-20080324
    rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/0.0.0.0/post-proxy-detail-20080324
        expand: %t -> Mon Mar 24 17:35:20 2008
++[post_proxy_log] returns ok
  rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x8177078 2.
  rlm_eap_mschapv2: Authentication succeeded.
MSCHAP Success
++[eap] returns ok
POST-PROXY 2
+- entering group post-auth
        expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/0.0.0.0/reply-detail-20080324
    rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/0.0.0.0/reply-detail-20080324
        expand: %t -> Mon Mar 24 17:35:20 2008
++[reply_log] returns ok
POST-AUTH 2
  PEAP: Got reply 11
  PEAP: Got tunneled Access-Challenge
  PEAP: Reply was handled
++[eap] returns ok
Sending Access-Challenge of id 30 to xxx.xxx.xxx.219 port 62987
        EAP-Message = 0x010b005319001703010048123d1f08e9391db9d1fdaaffd38640765bc5bf7468f612ba7fcc5865888b259a8fb79f1a745c0390e6f4be1e216bbe72b48e8f6478adf27f6a7e1fc824c97ff0ad244185501e6f93
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3d9c5d6c359744de59e52e5a67a9cf7f
Finished request 8.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987, id=31, length=188
        User-Name = "[EMAIL PROTECTED]"
        Framed-MTU = 1400
        Called-Station-Id = "001e.7a3c.7a10"
        Calling-Station-Id = "001e.3a8b.f065"
        Service-Type = Login-User
        Message-Authenticator = 0xc9fe0bbade3ca7d7279e162081682679
        EAP-Message = 0x020b002319001703010018f832b95c14b1b34d82496c06d938a70470f470e31e44e795
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 288
        State = 0x3d9c5d6c359744de59e52e5a67a9cf7f
        NAS-IP-Address = 192.168.0.88
        NAS-Identifier = "Test_802_1x"
+- entering group authorize
        expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "[EMAIL PROTECTED]", skipping NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 11 length 35
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  PEAP: Setting User-Name to [EMAIL PROTECTED]
+- entering group authorize
        expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "[EMAIL PROTECTED]", skipping NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 11 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry DEFAULT at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate
  rlm_eap: No EAP session matching the State variable.
  rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
  rlm_eap: Failed in handler
++[eap] returns invalid
  PEAP: Can't handle the return code 4
  rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/<via Auth-Type = EAP>] (from client gecko port 288 cli 001e.3a8b.f065)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> [EMAIL PROTECTED]
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.4 seconds.
Waking up in 0.3 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 31 to xxx.xxx.xxx.219 port 62987
        EAP-Message = 0x040b0004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.4 seconds.

It seems that it can't match the EAP session, based on the output shown below:

------------------------------------------------------------------------------------------------------
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate
  rlm_eap: No EAP session matching the State variable.
  rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
  rlm_eap: Failed in handler
++[eap] returns invalid
  PEAP: Can't handle the return code 4
  rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
------------------------------------------------------------------------------------------------------

Thanks/Regards,
Ryan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
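A triage helper for debug output of this shape, added here as an example (it is not code from the post or from FreeRADIUS): it splits "radiusd -X" output into one record per Access-Request from the NAS, checks that each request echoes the State attribute from the previous Access-Challenge, records whether a home-server reply arrived inside a request, and reports the request in which rlm_eap lost the EAP session. The log text, IP addresses and identity in it are constructed for the example, modelled on the output above.

```python
import re

# Constructed sample, modelled on the post's debug output (documentation IPs).
# Request 30 carries the proxied MS-CHAP exchange; request 31 is where rlm_eap
# reports that it no longer has a session for the State the NAS echoed back.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 62987, id=28, length=159
        State = 0x3d9c5d6c389444de59e52e5a67a9cf7f
Sending Access-Challenge of id 28 to 192.0.2.10 port 62987
        State = 0x3d9c5d6c3b9544de59e52e5a67a9cf7f
Finished request 6.
rad_recv: Access-Request packet from host 192.0.2.10 port 62987, id=29, length=204
        State = 0x3d9c5d6c3b9544de59e52e5a67a9cf7f
  PEAP: Got tunneled identity of user@example.com
Sending Access-Challenge of id 29 to 192.0.2.10 port 62987
        State = 0x3d9c5d6c3a9644de59e52e5a67a9cf7f
Finished request 7.
rad_recv: Access-Request packet from host 192.0.2.10 port 62987, id=30, length=260
        State = 0x3d9c5d6c3a9644de59e52e5a67a9cf7f
  PEAP: Tunneled authentication will be proxied to SECURACCESS
Sending Access-Request of id 212 to 192.0.2.20 port 1812
        Proxy-State = 0x3330
rad_recv: Access-Accept packet from host 192.0.2.20 port 1812, id=212, length=210
Sending Access-Challenge of id 30 to 192.0.2.10 port 62987
        State = 0x3d9c5d6c359744de59e52e5a67a9cf7f
Finished request 8.
rad_recv: Access-Request packet from host 192.0.2.10 port 62987, id=31, length=188
        State = 0x3d9c5d6c359744de59e52e5a67a9cf7f
  rlm_eap: No EAP session matching the State variable.
++[eap] returns invalid
Sending Access-Reject of id 31 to 192.0.2.10 port 62987
"""

RECV_RE = re.compile(r"^rad_recv: (Access-\w+) packet from host \S+ port \d+, id=(\d+)")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to \S+ port \d+")
STATE_RE = re.compile(r"^\s*State = (0x[0-9a-f]+)$")   # does not match Proxy-State
LOST_RE = re.compile(r"No EAP session matching the State variable")


def parse_requests(log):
    """Split the debug log into one dict per Access-Request received from the NAS."""
    requests = []
    current = None
    for line in log.splitlines():
        m = RECV_RE.match(line)
        if m:
            if m.group(1) == "Access-Request":          # new packet from the NAS
                current = {"id": int(m.group(2)), "state_in": None, "reply": None,
                           "state_out": None, "proxy_reply": None, "eap_lost": False}
                requests.append(current)
            elif current is not None:                   # answer from the home server
                current["proxy_reply"] = m.group(1)
            continue
        if current is None:
            continue
        m = SEND_RE.match(line)
        if m and m.group(1) != "Access-Request":        # our reply to the NAS, not the proxy send
            current["reply"] = m.group(1)
            continue
        m = STATE_RE.match(line)
        if m:
            # A State seen before our reply belongs to the request, after it to the reply.
            key = "state_in" if current["reply"] is None else "state_out"
            current[key] = m.group(1)
            continue
        if LOST_RE.search(line):
            current["eap_lost"] = True
    return requests


def find_session_break(requests):
    """Return (reason, request id) for the first broken step, or None if the exchange is clean."""
    expected = None
    for req in requests:
        if expected is not None and req["state_in"] != expected:
            return ("state-mismatch", req["id"])        # NAS or supplicant echoed a stale State
        if req["eap_lost"]:
            return ("eap-session-lost", req["id"])      # State was right, server dropped the handler
        expected = req["state_out"]
    return None


def diagnose(log):
    """Tie the break to its context: did the previous round trip include a proxied reply?"""
    requests = parse_requests(log)
    found = find_session_break(requests)
    if found is None:
        return {"break": None, "after_proxy": False}
    idx = next(i for i, r in enumerate(requests) if r["id"] == found[1])
    after_proxy = idx > 0 and requests[idx - 1]["proxy_reply"] is not None
    return {"break": found, "after_proxy": after_proxy}
```

Run `diagnose(open("radiusd-X.log").read())` on a real capture; a "state-mismatch" points at the NAS or supplicant, while "eap-session-lost" with `after_proxy` set points at the server side of the proxied round trip.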