EAP-PEAP-MS-CHAPv2: MS-CHAPv2 attributes discarded after proxying

Dmitry Sergienko trooper+freeradius+users at email.dp.ua
Wed Jan 30 15:59:01 CET 2008


Hi!

I'm trying to set up the following scheme:

[win_xp]-----[Wi-Fi AP with WPA]-------[FreeRADIUS]--------[home RADIUS server]

FreeRADIUS: 1.1.7

Users connecting to the access point must be authenticated with the EAP-PEAP-MS-CHAPv2 protocol.
The home RADIUS server can only do MS-CHAPv2 authorization and knows nothing about EAP.
To pass the MS-CHAPv2 request extracted from the PEAP tunnel, I've turned off proxy_tunneled_request_as_eap:

---------eap.conf-------------
peap {
    default_eap_type = mschapv2
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    proxy_tunneled_request_as_eap = no
}

--------users-----------------
aaa     FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "xxx"
         Fall-Through := No

--------proxy.conf------------
realm xxx {
         type            = radius

         authhost        = 192.168.2.80:1812
         accthost        = 192.168.2.80:1813
         secret          = pretty_secret
}

------------------------------

Authorization requests are being proxied from FreeRADIUS to the home RADIUS server as plain MS-CHAPv2.
The home server authorizes the client and passes back the MS-MPPE-*-Key attributes. But FreeRADIUS discards all MS-CHAPv2 attributes from
the proxy reply, just saying "rlm_eap_mschapv2: Authentication succeeded.".


Here is the response from home server:


rad_recv: Access-Accept packet from host 192.168.2.80:1812, id=0, length=262
Wed Jan 30 15:03:33 2008 : Debug:  proxy: de-allocating 5002a8c0:1812 0
Reply-Message = "ACCESS: GRANTED"
Reply-Message = "AGREEMENT-ID: 587986"
Framed-IP-Address = 192.168.2.56
Framed-IP-Netmask = 255.255.255.255
Framed-Protocol = PPP
MS-CHAP2-Success = 0x00533d37354142314531443945333538353133414541334245443244314630344333384533363742384232
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Recv-Key = 0xadfa59550658460011ffff6aee8df748
MS-MPPE-Send-Key = 0x2f62bd6b536d9e6141790bf5c477a5b8
Service-Type = Framed-User
Reply-Message = "STATUS: 0.00000000"



and the response to Wi-Fi AP before tunnel:



PEAP: Final reply from tunneled session code 11
Reply-Message = "ACCESS: GRANTED"
Reply-Message = "AGREEMENT-ID: 587986"
Framed-IP-Address = 192.168.2.56
Framed-IP-Netmask = 255.255.255.255
Framed-Protocol = PPP
Service-Type = Framed-User
Reply-Message = "STATUS: 0.00000000"
EAP-Message = 0x010700331a0306002e533d37354142314531443945333538353133414541334245443244314630344333384533363742384232
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbb336a79c074253ad516aa753953f8aa


There is no MS-CHAP2-Success attribute here, so there is no "rlm_eap_peap: Success" at the end of the challenge and no
Access-Accept packet is sent to the Wi-Fi AP.

When the username is configured locally (i.e. with no proxying of the request to the home server), everything works fine.

Does anyone have such a working scheme?
Please find complete log attached.

-- 
Best wishes,
Dmitry Sergienko (SDA104-RIPE)
Trifle Co., Ltd.


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 1.1.7_log
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080130/ea4af73e/attachment.ksh>
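Decoding the two success values quoted in the post above, as an added example that is not part of the original message or of FreeRADIUS itself: it parses the inner MS-CHAP2-Success attribute and the outer EAP-Message as an EAP-MSCHAPv2 Success Request, checks whether the home server's authenticator response string reached the EAP-Message, and lists which inner reply attributes never appeared in the outer reply. The hex values and attribute names are transcribed from the two debug dumps in the post; the function names are my own.

```python
"""Decode the MS-CHAPv2 success data quoted in the two FreeRADIUS debug dumps."""
import struct

# Hex values copied from the post: inner MS-CHAP2-Success and outer EAP-Message.
MS_CHAP2_SUCCESS_HEX = "00533d37354142314531443945333538353133414541334245443244314630344333384533363742384232"
EAP_MESSAGE_HEX = "010700331a0306002e533d37354142314531443945333538353133414541334245443244314630344333384533363742384232"

# Attribute names transcribed from the inner (home server) and outer (to the AP) replies.
INNER_REPLY = ["Reply-Message", "Framed-IP-Address", "Framed-IP-Netmask", "Framed-Protocol",
               "MS-CHAP2-Success", "MS-MPPE-Encryption-Policy", "MS-MPPE-Encryption-Types",
               "MS-MPPE-Recv-Key", "MS-MPPE-Send-Key", "Service-Type"]
OUTER_REPLY = ["Reply-Message", "Framed-IP-Address", "Framed-IP-Netmask", "Framed-Protocol",
               "Service-Type", "EAP-Message", "Message-Authenticator", "State"]

EAP_CODE_REQUEST = 1       # RFC 3748 EAP Code
EAP_TYPE_MSCHAPV2 = 26     # EAP-MSCHAPv2 method type
MSCHAPV2_OP_SUCCESS = 3    # MS-CHAPv2 OpCode for a Success packet


def decode_ms_chap2_success(hex_value):
    """MS-CHAP2-Success (RFC 2548): 1-byte Ident followed by the 42-byte 'S=<40 hex>' string."""
    raw = bytes.fromhex(hex_value)
    ident, text = raw[0], raw[1:].decode("ascii")
    if len(raw) != 43 or not text.startswith("S="):
        raise ValueError("not a well-formed MS-CHAP2-Success value")
    return {"ident": ident, "auth_response": text[2:]}


def decode_eap_mschapv2_success(hex_value):
    """EAP-Request/EAP-MSCHAPv2 header, then OpCode, MS-CHAPv2-ID, MS-Length and the message."""
    raw = bytes.fromhex(hex_value)
    code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", raw[:5])
    if code != EAP_CODE_REQUEST or eap_type != EAP_TYPE_MSCHAPV2 or eap_len != len(raw):
        raise ValueError("not an EAP-Request/EAP-MSCHAPv2 packet")
    opcode, ms_id, ms_len = struct.unpack("!BBH", raw[5:9])
    if opcode != MSCHAPV2_OP_SUCCESS or ms_len != len(raw) - 5:
        raise ValueError("not an EAP-MSCHAPv2 Success packet")
    text = raw[9:].decode("ascii")
    return {"eap_id": eap_id, "mschapv2_id": ms_id, "auth_response": text[2:]}


def success_was_forwarded(inner_hex, outer_eap_hex):
    """True when the authenticator response from the home server ended up in the EAP-Message."""
    inner = decode_ms_chap2_success(inner_hex)
    outer = decode_eap_mschapv2_success(outer_eap_hex)
    return inner["auth_response"] == outer["auth_response"]


def dropped_attributes(inner, outer):
    """Inner reply attributes that are absent from the outer reply sent to the AP."""
    return sorted(set(inner) - set(outer))
```

Running this shows that the "S=..." authenticator response from the home server is carried inside the outer EAP-Message, while the bare MS-CHAP2-Success and MS-MPPE-* attributes are the ones that do not survive the tunnel.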

