Hi,
I'm having a strange problem with a modified rlm_eap_md5
module and proxying - apparently I'm missing some details
of the internal workings of FreeRADIUS, now I don't understand
what's going on at all ...
I hacked rlm_eap_md5 to actually generate a fake request
containing FreeRADIUS-Proxied-To, Username, CHAP-Challenge
and CHAP-Response attributes and call rad_authenticate
with that fake request (following the example of EAP-TTLS).
This works fine, as long as I do everything on the FreeRADIUS
server.
However, the whole point of my modification was to be able to
proxy the generated CHAP request to some non-EAP-enabled RADIUS
server (similar to proxying inner PAP/CHAP/MSCHAP request of
EAP-TTLS to another server).
So I added something like
DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm :=
myrealm
to the users file.
The output of radiusd -X confirms that those lines do match the
requests as intended, however, for some reason, the translated
request does never get proxied to myrealm. Any idea, why not?
I'm attaching some output of radiusd -X which shows
1) a packet with FreeRADIUS-Proxied-To=127.0.0.1 generated by
radclient
gets proxied as I would have expected.
2) an EAP packet generated by radeapclient gets translated in the
way
I intended.
3) even though the output confirms that the translated request matches
the line telling it to get proxied to myrealm, I get a
reject without any proxying actually happening.
Does somebody have an idea what might be going wrong?
Regards,
StefanStarting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1645
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password:
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints