Hi!

Alan DeKok wrote:
> Dmitry Sergienko wrote:
>> Does anyone here have working inner tunnel proxying with freeradius 2.0.x? Still having troubles with doing EAP-PEAP-MSCHAPv2 authorization. Switched to FreeRadius 2.0.1 from 1.1.7.
>
> I think the issue was introduced recently. Try editing src/main/event.c, function request_post_handler()
>
>     ...
>     if (request->root->proxy_requests &&
>         /* !request->proxy && */     // comment out this line
>         !request->in_proxy_hash &&   // add this line
>         (request->reply->code == 0) &&
>         (request->packet->dst_port != 0) &&
>         (request->packet->code != PW_STATUS_SERVER)) {
>     ...
>
> Re-build && install. See if that helps...

Thanks for the tip. successfully_proxied_request() also needs patching:

    /*
     *  If it was already proxied, do nothing.
     *
     *  FIXME: This should really be a serious error.
     */
    /* if (request->in_proxy_hash || request->proxy) { */
    if (request->in_proxy_hash) {
            return 0;
    }

AFAIU this function relies on an empty request->packet, but it is not empty because it has been filled in eappeap_process():

    /*
     *  Seed the proxy packet with the
     *  tunneled request.
     */
    rad_assert(request->proxy == NULL);
    request->proxy = fake->packet;

The second oddity: when setting "proxy_tunneled_request_as_eap = no", proxying is not working because no inner MSCHAPv2 request is extracted. Debug looks like this:

    Wed Feb 6 00:33:09 2008 : Debug: PEAP: Calling authenticate in order to initiate tunneled EAP session.
    Wed Feb 6 00:33:09 2008 : Debug: WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.

The solution is quite simple: write the following in the proxy-inner-tunnel file after the authorize {} section:

    authenticate {
            eap
    }

module_authenticate() is called in eappeap_process() to extract the MSCHAPv2 request, and when there is no authenticate section in the virtual server, proxying will fail. IMHO it would be useful to have these lines in the example proxy-inner-tunnel as a comment for "proxy_tunneled_request_as_eap" set to "no". Maybe someone will run into the same issue and spend several hours or days figuring out how to fix this.

--
Best regards,
Dmitry Sergienko
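
A pre-deployment check for the second problem described in the message above, as an added example that is not part of the original post or of FreeRADIUS: it reports when the peap block sets proxy_tunneled_request_as_eap = no while the virtual server lacks an authenticate section listing eap. The sample configuration text, the realm name and the function names `section` and `check` are constructed for illustration.

```python
import re

# Constructed sample inputs (not from the post): a peap block as found in
# eap.conf and two variants of the proxy-inner-tunnel virtual server.
PEAP = 'peap {\n  proxy_tunneled_request_as_eap = no\n  virtual_server = "proxy-inner-tunnel"\n}\n'
AUTHZ = '  authorize {\n    update control {\n      Proxy-To-Realm := "example.org"\n    }\n  }\n'
BROKEN = 'server proxy-inner-tunnel {\n' + AUTHZ + '  # authenticate { eap }\n}\n'
FIXED = 'server proxy-inner-tunnel {\n' + AUTHZ + '  authenticate {\n    eap\n  }\n}\n'

def section(text, name):
    """Return the brace-matched body of `name { ... }`, or None if absent."""
    words = r'\s+'.join(re.escape(w) for w in name.split())
    m = re.search(r'(?<![\w-])' + words + r'\s*\{', text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1] if depth == 0 else None

def check(peap_conf, server_conf, server='proxy-inner-tunnel'):
    """List problems that would stop the inner MSCHAPv2 request being extracted."""
    strip = lambda t: re.sub(r'#.*', '', t)  # assumes no '#' inside quoted strings
    peap = section(strip(peap_conf), 'peap') or ''
    m = re.search(r'proxy_tunneled_request_as_eap\s*=\s*"?(\w+)', peap)
    # Assumption: when the option is unset, the tunneled request is proxied as EAP.
    if not m or m.group(1).lower() != 'no':
        return []
    body = section(strip(server_conf), 'server ' + server)
    if body is None:
        return ['virtual server %s not found' % server]
    auth = section(body, 'authenticate')
    if auth is None:
        return ['server %s has no authenticate section' % server]
    if not re.search(r'(?<![\w-])eap(?![\w-])', auth):
        return ['authenticate section of %s does not list eap' % server]
    return []

if __name__ == '__main__':
    for label, conf in (('broken', BROKEN), ('fixed', FIXED)):
        print(label, check(PEAP, conf) or 'ok')
```

A commented-out authenticate block, as in the constructed `BROKEN` sample, is treated as missing because comments are stripped before matching.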