Hi,
Before beginning, sorry for my bad English, I'm French.
I'm trying to implement PEAP-MSCHAPV2 support in an existing and working
configuration with EAP-TTLS + PAP,
giving users full support for eduroam. There are proxy RADIUS servers maintained by
our national "provider", and they test
authentication every 15 minutes.
When they only test EAP-TTLS authentication, it works; this is part of
the output of freeradius -X.
Login OK: [user/password] (from client proxyradius port 0 cli 02-00-00-00-00-01 via TLS tunnel)
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> u...@realm
[sql] sql_set_user escaped user --> 'u...@realm'
[sql] expand: %{User-Password} -> password
[sql] expand: INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'u...@realm', 'password',
'Access-Accept', '2010-06-17 18:17:02')
[sql] expand: /var/log/freeradius/sqltrace.sql ->
/var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'u...@realm', 'password',
'Access-Accept', '2010-06-17 18:17:02')
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'u...@realm', 'password',
'Access-Accept', '2010-06-17 18:17:02')
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
expand: %{request:User-Name} -> u...@realm
++[outer.reply] returns ok
} # server inner-tunnel
[ttls] Got tunneled reply code 2
User-Name := "u...@realm"
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
++[eap] returns ok
Login OK: [anonymous/<via Auth-Type = EAP>] (from client proxyradius port 0 cli 02-00-00-00-00-01)
Then, when I specify that our FreeRADIUS server supports PEAP-MSCHAPV2, they
test PEAP first and never
receive an Access-Accept or Access-Reject, only the outer identity,
anonym...@realm. Here is
the output:
Login OK: [user/<via Auth-Type = mschap>] (from client proxyradius port 0 cli 02-00-00-00-00-01 via TLS tunnel)
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> u...@realm
[sql] sql_set_user escaped user --> 'u...@realm'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'u...@realm', '',
'Access-Accept', '2010-06-17 15:32:07')
[sql] expand: /var/log/freeradius/sqltrace.sql ->
/var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'u...@realm', '',
'Access-Accept', '2010-06-17 15:32:07')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'u...@realm', '',
'Access-Accept', '2010-06-17 15:32:07')
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
expand: %{request:User-Name} -> u...@realm
++[outer.reply] returns ok
} # server inner-tunnel
[ttls] Got tunneled reply code 2
User-Name := "u...@realm"
MS-CHAP2-Success = 0x54533d42374134413830313835384530453531383135373131384643424442444432464133384345413836
[ttls] Got tunneled Access-Accept
[ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.
++[eap] returns handled
Sending Access-Challenge of id 9 to 193.51.182.121 port 35055
User-Name = "u...@realm"
EAP-Message = 0x010a005f1580000000551703010050f984b434f276e050b0697e427d30ddfe2c0d9cc56a8f5da6ab447bbabae115d8181dfce1b6e52f33fcd2a20d5e26f574b9be69fa946342eafbd7ea350d5782490593a260401dae6b1c71f16f30b3ab38
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcda13382c4ab2647095b27820a4b1850
Finished request 11.
Going to the next request
Waking up in 4.7 seconds.
And then the proxy RADIUS sends a new Access-Request, and the outer identity is
never accepted. But u...@realm is authenticated...
I'm sorry, I know you need more information about my configs and outputs, but I
don't want to make this post longer than it is... So, I can
post more information...
Thank you for helping me !
J-P.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
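Added example (not part of the post above, and not FreeRADIUS code): the Access-Challenge in the second trace carries two attributes worth decoding when debugging an EAP-TTLS exchange like this one. The script below parses the EAP-Message (EAP header, EAP-TTLS flags, TLS record header) and the MS-CHAP2-Success value (Ident byte followed by "S=" and the 40-hex-character authenticator response, per RFC 2548), then summarises the inner versus outer result so that a tunnel that was accepted inside but only challenged outside stands out. The two hex values in TRACE are copied from the debug output quoted above and re-joined onto single lines; the helper names, the summary fields and the "waiting for ack" interpretation are this example's own assumptions.

```python
"""Decode EAP-Message and MS-CHAP2-Success from a freeradius -X trace and
summarise where the outer exchange stopped.  Example code, not FreeRADIUS's."""
import re
import struct

# Debug excerpt taken from the post above (wrapped hex values re-joined).
TRACE = """\
[ttls] Got tunneled reply code 2
MS-CHAP2-Success = 0x54533d42374134413830313835384530453531383135373131384643424442444432464133384345413836
[ttls] Got tunneled Access-Accept
[ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.
++[eap] returns handled
Sending Access-Challenge of id 9 to 193.51.182.121 port 35055
EAP-Message = 0x010a005f1580000000551703010050f984b434f276e050b0697e427d30ddfe2c0d9cc56a8f5da6ab447bbabae115d8181dfce1b6e52f33fcd2a20d5e26f574b9be69fa946342eafbd7ea350d5782490593a260401dae6b1c71f16f30b3ab38
Message-Authenticator = 0x00000000000000000000000000000000
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
               23: "application_data"}


def attr_hex(trace, name):
    """Return the raw bytes of the first 'name = 0x...' attribute in the trace."""
    m = re.search(r"^\s*%s\s*=\s*0x([0-9a-fA-F]+)" % re.escape(name), trace, re.M)
    if not m:
        raise ValueError("attribute %s not found" % name)
    return bytes.fromhex(m.group(1))


def parse_eap_message(raw):
    """Split an EAP-Message into EAP header, EAP-TTLS/PEAP flags and TLS record header."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length %d != %d bytes present" % (length, len(raw)))
    eap_type = raw[4]
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "type": EAP_TYPES.get(eap_type, eap_type)}
    if eap_type not in (21, 25):        # only TTLS/PEAP carry the flags byte
        return out
    flags = raw[5]
    body = raw[6:]
    out["flags"] = flags
    if flags & 0x80:                    # L bit: 4-byte total TLS message length follows
        out["tls_message_length"] = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    out["more_fragments"] = bool(flags & 0x40)   # M bit
    if len(body) >= 5:                  # TLS record header: type, version, length
        ctype, major, minor, rec_len = struct.unpack("!BBBH", body[:5])
        out["tls_record"] = {"content_type": TLS_CONTENT.get(ctype, ctype),
                             "version": (major, minor), "length": rec_len}
    return out


def parse_mschap2_success(raw):
    """MS-CHAP2-Success: one Ident byte, then 'S=' and 40 hex chars (RFC 2548)."""
    ident, text = raw[0], raw[1:].decode("ascii")
    if not text.startswith("S=") or len(text) != 42:
        raise ValueError("malformed MS-CHAP2-Success: %r" % text)
    return {"ident": ident, "authenticator_response": text[2:]}


def summarise(trace):
    """Pair the tunneled result with the outer packet actually sent."""
    inner = re.search(r"Got tunneled (Access-\w+)", trace)
    outer = re.search(r"Sending (Access-\w+) of id (\d+)", trace)
    result = {
        "inner": inner.group(1) if inner else None,
        "outer": outer.group(1) if outer else None,
        "outer_id": int(outer.group(2)) if outer else None,
        "success_tunneled": "tunneling it to the client in a challenge" in trace,
    }
    # Inner Access-Accept but outer Access-Challenge: the server has sent
    # MS-CHAP2-Success inside the tunnel and still needs the peer's acknowledgement
    # before it can send the outer Access-Accept (assumed interpretation).
    result["waiting_for_ack"] = (result["inner"] == "Access-Accept"
                                 and result["outer"] == "Access-Challenge")
    return result


if __name__ == "__main__":
    print(parse_eap_message(attr_hex(TRACE, "EAP-Message")))
    print(parse_mschap2_success(attr_hex(TRACE, "MS-CHAP2-Success")))
    print(summarise(TRACE))
```

Run as-is it reports an EAP Request, id 10, 95 bytes, type EAP-TTLS with the L flag set, wrapping an 80-byte TLS application_data record, plus MS-CHAP2-Success ident 0x54 with its authenticator response; the summary shows the inner tunnel accepted while the outer packet was a challenge, which is the point to look at next in a trace like the one quoted.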