FR2 - proxying inner tunnel
Dmitry Sergienko
trooper+freeradius+users at email.dp.ua
Wed Feb 6 00:16:05 CET 2008
Hi!
Alan DeKok wrote:
> Dmitry Sergienko wrote:
>> Does anyone here have working inner tunnel proxying with freeradius 2.0.x?
>>
>> Still having troubles with doing EAP-PEAP-MSCHAPv2 authorization.
>> Switched to FreeRadius 2.0.1 from 1.1.7.
>
> I think the issue was introduced recently. Try editing
> src/main/event.c, function request_post_handler()
>
>     ...
>     if (request->root->proxy_requests &&
>         /* !request->proxy && */        // comment out this line
>         !request->in_proxy_hash &&      // add this line
>         (request->reply->code == 0) &&
>         (request->packet->dst_port != 0) &&
>         (request->packet->code != PW_STATUS_SERVER)) {
>     ...
>
> Re-build && install. See if that helps...
Thanks for the tip.
successfully_proxied_request() also needs patching:

    /*
     * If it was already proxied, do nothing.
     *
     * FIXME: This should really be a serious error.
     */
    /* if (request->in_proxy_hash || request->proxy) { */
    if (request->in_proxy_hash) {
        return 0;
    }

AFAIU this function relies on an empty request->packet, but it is not empty because it has
been filled in eappeap_process():

    /*
     * Seed the proxy packet with the
     * tunneled request.
     */
    rad_assert(request->proxy == NULL);
    request->proxy = fake->packet;

The second oddity: when setting "proxy_tunneled_request_as_eap = no", proxying does not
work because no inner MSCHAPv2 request is extracted. The debug output looks like this:

    Wed Feb 6 00:33:09 2008 : Debug: PEAP: Calling authenticate in order to initiate tunneled EAP session.
    Wed Feb 6 00:33:09 2008 : Debug: WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.

The solution is quite simple: write the following in the proxy-inner-tunnel file after the
authorize {} section:

    authenticate {
        eap
    }

module_authenticate() is called in eappeap_process() to extract the MSCHAPv2 request, and
when there is no authenticate section in the virtual server, proxying will fail. IMHO it
will be useful to have these lines in the example proxy-inner-tunnel as a comment for
"proxy_tunneled_request_as_eap" set to "no". Maybe someone will run into the same issue
and spend several hours or days figuring out how to fix this.
--
Best regards,
Dmitry Sergienko
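
Added example, not part of the original post and not FreeRADIUS code: a small Python lint for the misconfiguration described above, flagging a virtual server that has no "authenticate { eap }" section while "proxy_tunneled_request_as_eap = no" is set. The function names, status strings and sample configs are constructed for illustration, and it assumes the setting behaves as "yes" when absent.

```python
import re

# Constructed sample inputs (not taken from a real deployment).
EAP_CONF = """
peap {
    proxy_tunneled_request_as_eap = no
}
"""
VSERVER_BROKEN = """
server proxy-inner-tunnel {
    authorize {
        # realm selection goes here
    }
}
"""
# Same server with the section from the post appended after authorize {}.
VSERVER_FIXED = VSERVER_BROKEN.rstrip()[:-1] + "    authenticate {\n        eap\n    }\n}\n"

def strip_comments(text):
    # Simplification: treats every '#' as a comment start, even inside quotes.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def section_body(text, name):
    """Return the body of the first `name { ... }` section, or None if absent."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{", text)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return None  # unbalanced braces

def proxied_as_eap(eap_conf):
    m = re.search(r"proxy_tunneled_request_as_eap\s*=\s*\"?(\w+)", strip_comments(eap_conf))
    return m is None or m.group(1).lower() != "no"  # assumption: absent means "yes"

def check(eap_conf, vserver_conf):
    """Return 'ok' or 'missing-authenticate-eap' for the pair of config texts."""
    if proxied_as_eap(eap_conf):
        return "ok"  # the failure in the post only applies when the setting is "no"
    auth = section_body(strip_comments(vserver_conf), "authenticate")
    if auth is None or not re.search(r"^\s*eap\s*$", auth, re.M):
        return "missing-authenticate-eap"
    return "ok"

if __name__ == "__main__":
    print("broken:", check(EAP_CONF, VSERVER_BROKEN))
    print("fixed: ", check(EAP_CONF, VSERVER_FIXED))
```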