Hi, I want to use EAP to authenticate wireless users on a RADIUS server which doesn't know the EAP protocol. It seems that it is possible to do that using a FreeRADIUS proxy. The architecture should be:

  Access Point as a NAS        FreeRADIUS as a proxy        RADIUS server without EAP
  192.168.0.250                192.168.0.64                 192.168.0.252
  <-------------------------------EAP------------------------------------------>
  <---------------------------------MS-CHAP v2 or other------------------------------------------>

The idea is to convert an EAP Response/Identity to a RADIUS Access-Request without EAP inside.

As the first RADIUS server I use FreeRADIUS version 2.0.4. As the second one, I use IAS (just to test; in the final configuration, it will not be IAS).

When I configure IAS with an EAP method in the Remote Access Policy, it works. When I remove the EAP method from IAS, it doesn't. The problem is that FreeRADIUS is acting as a proxy without removing EAP, and that is not what I want.

These are the modifications I made to the configuration files; ask me if you need more.

proxy.conf:

realm DEFAULT {
        authhost = 192.168.0.252:1812
        accthost = 192.168.0.252:1813
        secret = secret
}

eap.conf:

ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
}

peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = no
        virtual_server = "inner-tunnel"
}

On wireless, I tried TTLS and PEAP with the same unsuccessful result.

This is the FreeRADIUS log:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.250 port 32769, id=30, length=229
        Acct-Session-Id = "8b0b0795-0000009c"
        NAS-Port = 157
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "AP1"
        NAS-IP-Address = 192.168.0.250
        Framed-MTU = 1496
        User-Name = "test"
        Calling-Station-Id = "00-13-02-C4-80-4C"
        Called-Station-Id = "00-0F-61-FE-EF-D2"
        Service-Type = Framed-User
        EAP-Message = 0x021a00090174657374
        Colubris-AVPair = "ssid=test2"
        Colubris-AVPair = "vsc-unique-id=3"
        Colubris-AVPair = "phytype=IEEE802dot11g"
        Colubris-Attr-250 = 0x00000000
        Colubris-Attr-249 = 0x00000000
        Message-Authenticator = 0x0ed85e6e5c0765e5390b037233c60d73
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: Found realm "DEFAULT"
    rlm_realm: Adding Stripped-User-Name = "test"
    rlm_realm: Adding Realm = "DEFAULT"
    rlm_realm: Proxying request from user test to realm DEFAULT
    rlm_realm: Preparing to proxy authentication request to realm "DEFAULT"
++[suffix] returns updated
  rlm_eap: Request is supposed to be proxied to Realm DEFAULT. Not doing EAP.
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 224 to 192.168.0.252 port 1812
        Acct-Session-Id = "8b0b0795-0000009c"
        NAS-Port = 157
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "AP1"
        NAS-IP-Address = 192.168.0.250
        Framed-MTU = 1496
        User-Name = "test"
        Calling-Station-Id = "00-13-02-C4-80-4C"
        Called-Station-Id = "00-0F-61-FE-EF-D2"
        Service-Type = Framed-User
        EAP-Message = 0x021a00090174657374
        Colubris-AVPair = "ssid=test2"
        Colubris-AVPair = "vsc-unique-id=3"
        Colubris-AVPair = "phytype=IEEE802dot11g"
        Colubris-Attr-250 = 0x00000000
        Colubris-Attr-249 = 0x00000000
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x3330
Proxying request 1 to home server 192.168.0.252 port 1812
Sending Access-Request of id 224 to 192.168.0.252 port 1812
        Acct-Session-Id = "8b0b0795-0000009c"
        NAS-Port = 157
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "AP1"
        NAS-IP-Address = 192.168.0.250
        Framed-MTU = 1496
        User-Name = "test"
        Calling-Station-Id = "00-13-02-C4-80-4C"
        Called-Station-Id = "00-0F-61-FE-EF-D2"
        Service-Type = Framed-User
        EAP-Message = 0x021a00090174657374
        Colubris-AVPair = "ssid=test2"
        Colubris-AVPair = "vsc-unique-id=3"
        Colubris-AVPair = "phytype=IEEE802dot11g"
        Colubris-Attr-250 = 0x00000000
        Colubris-Attr-249 = 0x00000000
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x3330
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Reject packet from host 192.168.0.252 port 1812, id=224, length=24
        Proxy-State = 0x3330
+- entering group post-proxy
  rlm_eap: No pre-existing handler found
++[eap] returns noop
Login incorrect (Home Server says so): [test/<no User-Password attribute>] (from client AP1 port 157 cli 00-13-02-C4-80-4C)
Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> test
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 30 to 192.168.0.250 port 32769
Waking up in 4.9 seconds.

On the IAS server, this is the error message (sorry, it is a French version, but the idea is that IAS receives an EAP message):

L'accès a été refusé à l'utilisateur test.
 Nom-Complet-Utilisateur = jacques.net/Users/test
 Adresse-IP-NAS = 192.168.0.250
 Identificateur-NAS = AP1
 Identificateur-Station-Appelée = 00-0F-61-FE-EF-D2
 Identificateur-Station-Appelante = 00-13-02-C4-80-4C
 Nom-Convivial-Client = freeradius
 Adresse-IP-Client = 192.168.0.64
 Type-Port-NAS = Wireless - IEEE 802.11
 Port-NAS = 107
 Proxy-Policy-Name = test
 Authentication-Provider = Windows
 Authentication-Server = <non déterminé>
 Policy-Name = test
 Authentication-Type = EAP
 EAP-Type = <non déterminé>
 Reason-Code = 66
 Reason = L'utilisateur a essayé d'utiliser une méthode d'authentification qui n'est pas activée sur la stratégie d'accès à distance correspondante.
Le nom de la stratégie d'accès à distance correspondante. Pour plus d'informations, consultez le centre Aide et support à l'adresse http://go.microsoft.com/fwlink/events.asp.

I hope you can help me.

-- 
Jacques
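As an added illustration of what the log above shows (this is not code from the original post, nor from FreeRADIUS): a small Python decoder for the EAP-Message attribute that the proxy forwarded unchanged, plus a check of which credential form a RADIUS request carries. The outer request in the log holds only an EAP Response/Identity for "test" and no User-Password, which is exactly why a home server that does not speak EAP answers with the "[test/<no User-Password attribute>]" reject; the "rlm_realm ... Not doing EAP" line shows the realm module claimed the request for proxying in the outer authorize section before the eap module could terminate the tunnel locally. The second attribute set is constructed, not taken from the post; it stands for what the inner-tunnel request would carry once FreeRADIUS terminates PEAP itself and, with proxy_tunneled_request_as_eap = no, forwards plain MS-CHAPv2 attributes instead of EAP.

```python
"""Decode the EAP-Message attribute from the proxied Access-Request in the
log above and classify which credential form a RADIUS request carries.
Added example, not part of the original post or of FreeRADIUS itself; the
attribute sets below are constructed from the values visible in the log
plus one hypothetical post-termination request."""
from dataclasses import dataclass
from typing import Optional

# EAP Code and Type values from RFC 3748 plus the IANA-registered method types used here
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Attributes a home server that does not speak EAP can actually verify
PLAIN_CREDENTIAL_ATTRS = ("User-Password", "CHAP-Password",
                          "MS-CHAP-Response", "MS-CHAP2-Response")


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    type: Optional[int]   # absent for Success/Failure
    data: bytes


def parse_eap_message(raw: bytes) -> EapPacket:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, identifier = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    # The Length field covers the whole packet; a mismatch means a truncated
    # or padded EAP-Message and the packet should not be trusted.
    if length != len(raw):
        raise ValueError(f"EAP Length field says {length}, got {len(raw)} bytes")
    if code in (3, 4):          # Success / Failure carry no Type byte
        return EapPacket(code, identifier, length, None, b"")
    if length < 5:
        raise ValueError("EAP Request/Response needs a Type byte")
    return EapPacket(code, identifier, length, raw[4], raw[5:])


def describe_eap(pkt: EapPacket) -> str:
    """Human-readable summary, e.g. 'EAP Response (id 26) Identity: test'."""
    code_name = EAP_CODES.get(pkt.code, f"code {pkt.code}")
    head = f"EAP {code_name} (id {pkt.identifier})"
    if pkt.type is None:
        return head
    type_name = EAP_TYPES.get(pkt.type, f"type {pkt.type}")
    if pkt.type == 1:           # Identity payload is the bare user name
        return f"{head} {type_name}: {pkt.data.decode('utf-8', 'replace')}"
    return f"{head} {type_name}, {len(pkt.data)} bytes of method data"


def home_server_can_authenticate(attrs: dict, server_speaks_eap: bool) -> bool:
    """True if the home server has a credential it can verify in this request.

    A request whose only credential is an EAP-Message needs an EAP-capable
    home server; otherwise it is rejected exactly as in the log
    ('<no User-Password attribute>')."""
    if "EAP-Message" in attrs:
        return server_speaks_eap
    return any(name in attrs for name in PLAIN_CREDENTIAL_ATTRS)


# The proxied outer request, taken from the 'Sending Access-Request' lines in the log
OUTER_REQUEST = {
    "User-Name": "test",
    "EAP-Message": bytes.fromhex("021a00090174657374"),
    "Message-Authenticator": bytes(16),
}

# Constructed (hypothetical) inner-tunnel request: what FreeRADIUS would
# forward after terminating PEAP itself and converting the inner
# EAP-MSCHAPv2 to plain MS-CHAPv2 (proxy_tunneled_request_as_eap = no).
INNER_REQUEST = {
    "User-Name": "test",
    "MS-CHAP-Challenge": bytes(16),    # placeholder bytes, not a real challenge
    "MS-CHAP2-Response": bytes(50),    # placeholder bytes, not a real response
}


if __name__ == "__main__":
    pkt = parse_eap_message(OUTER_REQUEST["EAP-Message"])
    print(describe_eap(pkt))
    print("non-EAP home server can verify outer request:",
          home_server_can_authenticate(OUTER_REQUEST, server_speaks_eap=False))
    print("non-EAP home server can verify inner request:",
          home_server_can_authenticate(INNER_REQUEST, server_speaks_eap=False))
```

Running it decodes 0x021a00090174657374 as an EAP Response, identifier 26, length 9, type Identity, payload "test", and reports that only the constructed inner-tunnel request is something a non-EAP home server could verify. The practical reading for this setup is that the proxy decision has to be made inside the inner-tunnel virtual server, after EAP termination, rather than in the outer authorize section where the realm module currently runs ahead of eap.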
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html