FR2 - proxying inner tunnel

Dmitry Sergienko trooper+freeradius+users@email.dp.ua
Tue Feb 12 23:31:16 CET 2008


Hi!

Alan DeKok wrote:
> Dmitry Sergienko wrote:
>> Thanks for the tip.
>> successfully_proxied_request() also needs patching:
> 
>   Fixed, thanks.

Thanks for committing patches.
But I have to return to the question of proxying EAP-PEAP-MS-CHAPv2. I've spent several
nights with gdb, radsniff and xsupplicant to figure out why authentication passes on
eapol_test and fails on the WinXP supplicant. Even tried the Juniper Odyssey 802.1X client :)

The reason why authentication fails is a missing EAP-MSCHAP Success packet inside the EAP-PEAP
response.

Here is a debug output from CVS current snapshot:

Tue Feb 12 23:45:21 2008 : Debug:   PEAP: Tunneled authentication was successful.
Tue Feb 12 23:45:21 2008 : Debug:   rlm_eap_peap: SUCCESS
Tue Feb 12 23:45:21 2008 : Debug:   PEAP: Reply was handled
Tue Feb 12 23:45:21 2008 : Debug:   modsingle[post-proxy]: returned from eap (rlm_eap) for request 7
Tue Feb 12 23:45:21 2008 : Debug: ++[eap] returns ok
Tue Feb 12 23:45:21 2008 : Debug: +- entering group authorize
.....
Tue Feb 12 23:45:21 2008 : Debug: ++[pap] returns noop
Tue Feb 12 23:45:21 2008 : Debug:   rad_check_password:  Found Auth-Type EAP
Tue Feb 12 23:45:21 2008 : Debug:   rad_check_password:  Found Auth-Type
Tue Feb 12 23:45:21 2008 : Error: Warning:  Found 2 auth-types on request for user 'myid@mynet.net'
Tue Feb 12 23:45:21 2008 : Debug:   rad_check_password: Auth-Type = Accept, accepting the user
Tue Feb 12 23:45:21 2008 : Auth: Login OK: [myid@mynet.net/<via Auth-Type = EAP>] (from client sw-local port 33 cli 00-a9-40-0f-83-a5)
Sending Access-Challenge of id 207 to 192.168.2.3 port 8021
         EAP-Message = 0x010a003b190017030100302dab2609196723fb8eeb007a902318e351b22e5da4aae2777dbb6d788504c8528a4e3950e2239c1a37793f835ff8ce46
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x2fdece8d28d4d781421b7dc8777de66c

1. We have a duplicate Auth-Type, which seems to be incorrect.
2. We haven't finished the EAP-MSCHAPv2 challenge and return an empty EAP request to the supplicant:

/sending EAP-MS-CHAPv2 challenge/
[AUTH TYPE] (EAP-MSCHAPv2) Challenge
[AUTH TYPE] (EAP-MS-CHAPv2) ID : 09
[AUTH TYPE] Authenticator Challenge : 02 71 99 df 1a 3e 5e 4f 5e e6 02 44 46 55 13 b9
[AUTH TYPE] Generated PeerChallenge : a0 50 6b 66 b1 af ef af c2 cd 19 93 93 fd d8 e9
[AUTH TYPE] PeerChallenge : a0 50 6b 66 b1 af ef af
[AUTH TYPE] AuthenticatorChallenge : 02 71 99 df 1a 3e 5e 4f
[AUTH TYPE] Username : aaa
[AUTH TYPE] Challenge : a2 6e 27 64 a4 25 5d 34
[AUTH TYPE] PasswordHash : 75 f1 d2 3f 3a 25 27 c6 bf aa da 3e 93 b3 2a 8b
[AUTH TYPE] Response : a0 bd 3f 60 4c 55 37 09 3f af e8 06 04 5d 74 c1 e8 18 07 6e 90 53 5f b1
[AUTH TYPE] myvars->NtResponse = a0 bd 3f 60 4c 55 37 09 3f af e8 06 04 5d 74 c1 e8 18 07 6e 90 53 5f b1
[AUTH TYPE] response->NT_Response = a0 bd 3f 60 4c 55 37 09 3f af e8 06 04 5d 74 c1 e8 18 07 6e 90 53 5f b1
[AUTH TYPE] Unencrypted return frame :
[AUTH TYPE] Encrypted return frame :
[STATE] [backend_sm] REQUEST -> RESPONSE
[ALL] Frame to be sent (162) :
[STATE] [backend_sm] RESPONSE -> RECEIVE

/receiving response from FreeRADIUS/
[ALL] Got Frame (77) :
000 | 00 a9 40 0f 83 a5 00 15 e9 b8 79 dd 88 8e 01 00 | ..@.......y.....
010 | 00 3b 01 0a 00 3b 19 00 17 03 01 00 30 2d ab 26 | .;...;......0-.&
020 | 09 19 67 23 fb 8e eb 00 7a 90 23 18 e3 51 b2 2e | ..g#....z.#..Q..
030 | 5d a4 aa e2 77 7d bb 6d 78 85 04 c8 52 8a 4e 39 | ]...w}.mx...R.N9
040 | 50 e2 23 9c 1a 37 79 3f 83 5f f8 ce 46          | P.#..7y?._..F
[ALL] Got EAP-Request for type 25 (EAP_PEAP).
[ALL] Got EAP-Request-Authentication.
[STATE] [backend_sm] RECEIVE -> REQUEST
[ALL] Got EAP-Request for type 25 (EAP_PEAP).
[ALL] Got EAP-Request-Authentication.
[STATE] Building EAPOL-Response-Authentication
[AUTH TYPE] Packet in (54) :
000 | 00 17 03 01 00 30 2d ab 26 09 19 67 23 fb 8e eb | .....0-.&..g#...
010 | 00 7a 90 23 18 e3 51 b2 2e 5d a4 aa e2 77 7d bb | .z.#..Q..]...w}.
020 | 6d 78 85 04 c8 52 8a 4e 39 50 e2 23 9c 1a 37 79 | mx...R.N9P.#..7y
030 | 3f 83 5f f8 ce 46                               | ?._..F
[AUTH TYPE] Decrypted dump :
000 | 01 0a 00 0b 21 80 03 00 02 00 01                | ....!......
[AUTH TYPE] Decrypted packet returned 11 byte(s)
[AUTH TYPE] Doing PEAP v0!
[AUTH TYPE] Inner packet :
000 | 01 0a 00 0b 21 80 03 00 02 00 01                | ....!......
[AUTH TYPE] Got an EAP extension frame!
[AUTH TYPE] Unencrypted return frame :
000 | 02 0a 00 0b 21 80 03 00 02 00 01                | ....!......
[AUTH TYPE] Encrypted return frame :
000 | 00 17 03 01 00 20 dd 2e 66 ce be ad ab 66 4b 56 | ..... ..f....fKV
010 | 22 21 6e 8f 2c a9 89 fe 3f 99 63 50 da 24 25 9b | "!n.,...?.cP.$%.
020 | 38 56 03 cb 05 1a 17 03 01 00 30 74 f0 f7 c5 09 | 8V........0t....
030 | 75 c0 ab ec f6 84 9e 97 11 ae ce 63 64 6f e4 27 | u..........cdo.'
040 | 4c dc c0 54 b5 b3 23 72 99 96 74 8f 23 dd 8b 45 | L..T..#r..t.#..E
050 | ce dc 7b c0 cf 05 dc 47 b6 ac 8d                | ..{....G...
[STATE] [backend_sm] REQUEST -> RESPONSE


And here is a correct authentication with the username/password configured in users and no
proxying done:


[STATE] Building EAPOL-Response-Authentication
[AUTH TYPE] Packet in (86) :
000 | 00 17 03 01 00 50 6b 3a 34 1d ce c5 39 05 e6 14 | .....Pk:4...9...
010 | a5 18 a2 96 56 c8 42 10 5d 34 9d 41 9b fe 3e ee | ....V.B.]4.A..>.
020 | a6 40 c7 bb a6 19 bb 11 b2 b6 10 20 5d 97 0b b3 | .@......... ]...
030 | 36 ee bc 91 85 08 9b 6a dc b9 00 40 3d d0 88 3f | 6......j...@=..?
040 | 63 5b 66 87 e1 df ae fc 00 41 f6 25 f0 8b 35 75 | c[f......A.%..5u
050 | f4 7d aa 91 b2 cd                               | .}....
[AUTH TYPE] Decrypted dump :
000 | 1a 03 09 00 2e 53 3d 42 46 37 42 35 34 32 46 46 | .....S=BF7B542FF
010 | 43 35 46 45 45 41 44 33 45 46 44 34 43 35 35 36 | C5FEEAD3EFD4C556
020 | 44 39 44 32 38 36 38 30 31 32 41 42 31 42 44    | D9D2868012AB1BD
[AUTH TYPE] Decrypted packet returned 47 byte(s)
[AUTH TYPE] Doing PEAP v0!
[AUTH TYPE] Inner packet :
000 | 00 00 00 00 1a 03 09 00 2e 53 3d 42 46 37 42 35 | .........S=BF7B5
010 | 34 32 46 46 43 35 46 45 45 41 44 33 45 46 44 34 | 42FFC5FEEAD3EFD4
020 | 43 35 35 36 44 39 44 32 38 36 38 30 31 32 41 42 | C556D9D2868012AB
030 | 31 42 44                                        | 1BD
[AUTH TYPE] (EAP-MSCHAPv2) Success!
[AUTH TYPE] Server authentication check success!  Sending phase 2 success!


As you can see, the 802.1X supplicant waits for an EAP-MSCHAPv2 Success inside PEAP.

-- 
Best wishes,
Dmitry Sergienko (SDA104-RIPE)
Trifle Co., Ltd.
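
As an added illustration (not code from this message, from FreeRADIUS or from xsupplicant), a small Python decoder for the two decrypted inner-PEAP packets quoted above. It shows that the proxied case goes straight to an EAP-Extensions Result TLV (type 33) while the locally authenticated case carries the EAP-MSCHAPv2 Success-Request (type 26, opcode 3) that the supplicant is waiting for. The two byte strings are reconstructed from the dumps in the message; the header-detection rule is my assumption about how PEAPv0 strips the inner EAP header.

```python
import struct

# Wire-format constants (EAP, PEAPv0 Result TLV, EAP-MSCHAPv2)
EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MSCHAPV2 = 26     # 0x1a
EAP_TYPE_EXTENSIONS = 33   # 0x21, the packet that carries the PEAP Result TLV
MSCHAPV2_OPCODE = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
TLV_RESULT = 3
RESULT_STATUS = {1: "Success", 2: "Failure"}

def parse_inner_eap(pkt: bytes) -> dict:
    """Decode one decrypted PEAPv0 inner packet.

    PEAPv0 strips the 4-byte EAP header from inner packets except for the
    EAP-Extensions packet, so both forms are accepted (assumption: a header
    is present when byte 0 is a valid EAP code and the length field matches)."""
    out = {}
    has_header = (len(pkt) >= 4 and pkt[0] in EAP_CODE
                  and struct.unpack("!H", pkt[2:4])[0] == len(pkt))
    if has_header:
        out["code"], out["id"] = EAP_CODE[pkt[0]], pkt[1]
        if pkt[0] in (3, 4):          # bare Success/Failure has no type byte
            return out
        body = pkt[4:]
    else:
        body = pkt
    if not body:
        raise ValueError("empty EAP body")
    eap_type, payload = body[0], body[1:]
    out["type"] = eap_type
    if eap_type == EAP_TYPE_MSCHAPV2:
        opcode, ms_id, ms_len = struct.unpack("!BBH", payload[:4])
        if ms_len != len(payload):
            raise ValueError("EAP-MSCHAPv2 length mismatch")
        out["mschapv2"] = MSCHAPV2_OPCODE.get(opcode, opcode)
        out["mschapv2_id"] = ms_id
        if opcode == 3:               # Success-Request: "S=<40 hex chars>"
            out["message"] = payload[4:].decode("ascii")
    elif eap_type == EAP_TYPE_EXTENSIONS:
        tlv_type, tlv_len = struct.unpack("!HH", payload[:4])
        out["mandatory"] = bool(tlv_type & 0x8000)   # M bit
        if tlv_type & 0x3FFF == TLV_RESULT:
            (status,) = struct.unpack("!H", payload[4:4 + tlv_len])
            out["result_tlv"] = RESULT_STATUS.get(status, status)
    return out

# Constructed from the two "Decrypted dump" sections in the message
PROXIED_INNER = bytes.fromhex("010a000b21800300020001")
LOCAL_INNER = bytes.fromhex("1a0309002e") + b"S=BF7B542FFC5FEEAD3EFD4C556D9D2868012AB1BD"
```

A packet that decodes to a Result TLV with no preceding MSCHAPv2 Success-Request in the same tunnel is the condition the post describes; checking the decoded sequence this way is a quick way to confirm it from a decrypted supplicant trace.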
