FR2 - proxying inner tunnel

Dmitry Sergienko trooper+freeradius+users at email.dp.ua
Thu Feb 14 15:57:27 CET 2008


Hi!

A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
> 
>> Tue Feb 12 23:45:21 2008 : Error: Warning:  Found 2 auth-types on request 
>> for user 'myid at mynet.net'
>> Tue Feb 12 23:45:21 2008 : Debug:   rad_check_password: Auth-Type = Accept, accepting the user
> 
> whoah.  WinXP is very fussy (as should all EAP clients) about getting a proper
> EAP return.  you seem to have thrown an 'Accept' straight back to the challenge
> rather than let the EAP engine do its business. 
> 
> config file or startup debug output please

The config file is the same as the default proxy-inner-tunnel example in the 2.0.2 release, with only the realm name modified.
As I wrote before, the double Auth-Type had been fixed by adding a post-proxy { eap } section to proxy-inner-tunnel.

But authentication still fails. I get the following error:

Thu Feb 14 16:42:06 2008 : Error: rlm_eap: No EAP session matching the State variable.
Thu Feb 14 16:42:06 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request

It comes after the second authentication in the eap module, after the inner request has been passed to the virtual server.

xsupplicant receives an EAP-MSCHAPv2 Success and sends a phase 2 success back to FreeRADIUS:
-----------------
[AUTH TYPE] (EAP-MSCHAPv2) Success!
[AUTH TYPE] Server authentication check success!  Sending phase 2 success!
[AUTH TYPE] Unencrypted return frame :
000 | 1a 03                                           | ..
[AUTH TYPE] Encrypted return frame :
-----------------

FreeRADIUS debug output with failed authentication:

-----------------
rad_recv: Access-Request packet from host 192.168.2.3 port 8021, id=85, length=279
         Framed-MTU = 1466
         NAS-IP-Address = 192.168.2.3
         NAS-Identifier = "D-Link"
         User-Name = "myid at mynet.net"
         Service-Type = Framed-User
         NAS-Port = 33
         NAS-Port-Type = Ethernet
         NAS-Port-Id = "ether3_33"
         Called-Station-Id = "00-15-e9-b8-79-dd"
         Calling-Station-Id = "00-a9-40-0f-83-a5"
         Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
         State = 0x827a1bd58a710287540fbc1db46cf1a2
         EAP-Message = 
0x020b005019001703010020a8e33063d77e6a2f489c6f5d9a12306c870537dc721149322bd85623235edda1170301002088aaf69e118a31b4eac9
c0d7c106de95b51101eb9e1b0c70949645a855cc206c
         Message-Authenticator = 0x82efd03b0f271f621eb2677ebf3c5902
Thu Feb 14 16:42:06 2008 : Debug: +- entering group authorize
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 9
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[preprocess] returns ok
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for request 9
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: returned from chap (rlm_chap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[chap] returns noop
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 9
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[mschap] returns noop
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 9
Thu Feb 14 16:42:06 2008 : Debug:     rlm_realm: Looking up realm "mynet.net" for User-Name = "myid at mynet.net"
Thu Feb 14 16:42:06 2008 : Debug:     rlm_realm: No such realm "mynet.net"
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[suffix] returns noop
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap: EAP packet type response id 11 length 80
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap: Continuing tunnel setup.
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[eap] returns ok
Thu Feb 14 16:42:06 2008 : Debug:   rad_check_password:  Found Auth-Type EAP
Thu Feb 14 16:42:06 2008 : Debug: auth: type "EAP"
Thu Feb 14 16:42:06 2008 : Debug: +- entering group authenticate
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authenticate]: calling eap (rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap: Request found, released from the list
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap: EAP/peap
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap: processing type peap
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap_peap: Authenticate
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap_tls: processing TLS
Thu Feb 14 16:42:06 2008 : Debug:   eaptls_verify returned 7
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap_tls: Done initial handshake
Thu Feb 14 16:42:06 2008 : Debug:   eaptls_process returned 7
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap_peap: EAPTLS_OK
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap_peap: Session established.  Decoding tunneled attributes.
   PEAP tunnel data in 0000: 1a 03
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap_peap: EAP type mschapv2
   PEAP: Got tunneled EAP-Message
         EAP-Message = 0x020b00061a03
Thu Feb 14 16:42:06 2008 : Debug:   PEAP: Setting User-Name to aaa
   PEAP: Sending tunneled request
         EAP-Message = 0x020b00061a03
         FreeRADIUS-Proxied-To = 127.0.0.1
         User-Name = "aaa"
         State = 0xc858015dc9531b78fbe76e30aaba109e
         Framed-MTU = 1466
         NAS-IP-Address = 192.168.2.3
         NAS-Identifier = "D-Link"
         Service-Type = Framed-User
         NAS-Port = 33
         NAS-Port-Type = Ethernet
         NAS-Port-Id = "ether3_33"
         Called-Station-Id = "00-15-e9-b8-79-dd"
         Calling-Station-Id = "00-a9-40-0f-83-a5"
         Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
server proxy-inner-tunnel {
Thu Feb 14 16:42:06 2008 : Debug: +- entering group authorize
Thu Feb 14 16:42:06 2008 : Debug: ++[control] returns notfound
} # server proxy-inner-tunnel
   PEAP: Got tunneled reply RADIUS code 0
Thu Feb 14 16:42:06 2008 : Debug:   PEAP: Calling authenticate in order to initiate tunneled EAP session.
Thu Feb 14 16:42:06 2008 : Debug: +- entering group authenticate
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authenticate]: calling eap (rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Error: rlm_eap: No EAP session matching the State variable.
Thu Feb 14 16:42:06 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap: Failed in handler
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authenticate]: returned from eap (rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[eap] returns invalid
Thu Feb 14 16:42:06 2008 : Debug:   PEAP: Can't handle the return code 4
Thu Feb 14 16:42:06 2008 : Debug:  rlm_eap: Handler failed in EAP/peap
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap: Failed in EAP select
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authenticate]: returned from eap (rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[eap] returns invalid
Thu Feb 14 16:42:06 2008 : Debug: auth: Failed to validate the user.
Thu Feb 14 16:42:06 2008 : Auth: Login incorrect: [myid at mynet.net/<via Auth-Type = EAP>] (from client sw-local port 33 
cli 00-a9-40-0f-83-a5)
-----------------

-- 
Best wishes,
Dmitry Sergienko (SDA104-RIPE)
Trifle Co., Ltd.
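A decoder for the two EAP-Message values in the debug output above (the outer PEAP packet from rad_recv and the tunneled MSCHAPv2 packet), added here as an example and not code from this thread or from FreeRADIUS; the field numbering follows RFC 3748 (EAP type 25 = PEAP, type 26 = MSCHAPv2) and the hex strings are copied from the debug output on this page.

```python
# Added example: decode the EAP-Message attributes shown in the debug output.
# Not code from the thread or from FreeRADIUS.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {25: "PEAP", 26: "MSCHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# Copied from the rad_recv block (outer PEAP packet) and from the
# "PEAP: Got tunneled EAP-Message" line (inner MSCHAPv2 packet).
OUTER_EAP = ("0x020b005019001703010020a8e33063d77e6a2f489c6f5d9a12306c870537dc721149322bd85623235edda1170301002088aaf69e118a31b4eac9"
             "c0d7c106de95b51101eb9e1b0c70949645a855cc206c")
INNER_EAP = "0x020b00061a03"


def tls_records(buf: bytes) -> list:
    """Split the TLS payload carried inside PEAP into its records (header fields only)."""
    records, pos = [], 0
    while pos + 5 <= len(buf):
        rec_len = int.from_bytes(buf[pos + 3:pos + 5], "big")
        ver = (buf[pos + 1], buf[pos + 2])
        records.append({"content_type": TLS_CONTENT.get(buf[pos], buf[pos]),
                        "version": TLS_VERSIONS.get(ver, ver),
                        "length": rec_len,
                        "complete": pos + 5 + rec_len <= len(buf)})  # False if fragmented
        pos += 5 + rec_len
    return records


def decode_eap(hexstr: str) -> dict:
    """Parse one EAP packet; for PEAP and MSCHAPv2 also decode the start of the payload."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field says {length} bytes, {len(data)} present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 6:            # Request/Response carry a type byte
        eap_type = data[4]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 25:                         # PEAP: flags byte, then TLS records
            flags = data[5]
            pkt["peap"] = {"version": flags & 0x07, "start": bool(flags & 0x20),
                           "more_fragments": bool(flags & 0x40), "length_included": bool(flags & 0x80)}
            pkt["tls_records"] = tls_records(data[10:] if flags & 0x80 else data[6:])
        elif eap_type == 26:                       # MSCHAPv2: OpCode is the first payload byte
            pkt["mschapv2_opcode"] = MSCHAPV2_OPCODES.get(data[5], data[5])
    return pkt


if __name__ == "__main__":
    for label, msg in (("outer", OUTER_EAP), ("tunneled", INNER_EAP)):
        print(label, decode_eap(msg))
```

Run as a script it prints both decodes; the tunneled packet is the EAP-MSCHAPv2 Success response that xsupplicant logged as `1a 03`, carried inside two TLS 1.0 application-data records of the outer PEAP packet.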
