Freeradius as a proxy converting EAP to non EAP radius Request

Jacques FOUCHER jacques.foucher at gmail.com
Sat Oct 3 07:55:09 CEST 2009


Hello guys,
Always problems converting EAP to non-EAP requests. I tried to do what those
who helped me suggested, without success. Could anybody help me understand how it
works before I become crazy?


These are my configuration files:

*clients.conf*
client 192.168.0.250 {
        secret          = lrnp2tlm
        shortname       = AP1
}
*proxy.conf*
realm jack {
    authhost = 192.168.0.252:1812
    accthost = 192.168.0.252:1813
    secret = lrnp2tlm
}
*eap.conf*
default_eap_type = md5    # or peap - see attempts below
...
peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes    # or no, I don't see any difference
        use_tunneled_reply = yes        # or no, I don't see any difference
        proxy_tunneled_request_as_eap = no
        virtual_server = "inner-tunnel"
}

*users*
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := jack

*sites-enabled/default  and sites-enabled/inner-tunnel*
some attempts with or without suffix (see attempts later)


That is what I have when "default_eap_type = peap" in eap.conf and suffix commented

rad_recv: Access-Request packet from host 192.168.0.250 port 32769, id=26, length=239
        Acct-Session-Id = "1f15e604-0000006e"
        NAS-Port = 111
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "AP1"
        NAS-IP-Address = 192.168.0.250
        Framed-MTU = 1496
        User-Name = "test at jack"
        Calling-Station-Id = "00-13-02-C4-80-4C"
        Called-Station-Id = "00-0F-61-FE-EF-D2"
        Service-Type = Framed-User
        EAP-Message = 0x0202000e0174657374406a61636b
        Colubris-AVPair = "ssid=test2"
        Colubris-AVPair = "vsc-unique-id=3"
        Colubris-AVPair = "phytype=IEEE802dot11g"
        Colubris-Attr-250 = 0x00000000
        Colubris-Attr-249 = 0x00000000
        Message-Authenticator = 0x62375f6948b6efde2a86ec186367ca77
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "jack" for User-Name = "test at jack"
[suffix] Found realm "jack"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "jack"
[suffix] Proxying request from user test to realm jack
[suffix] Preparing to proxy authentication request to realm "jack"
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm jack.  Not doing EAP.
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  WARNING: Empty section.  Using default return values.
Sending Access-Request of id 43 to 192.168.0.252 port 1812
        Acct-Session-Id = "1f15e604-0000006e"
        NAS-Port = 111
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "AP1"
        NAS-IP-Address = 192.168.0.250
        Framed-MTU = 1496
        User-Name = "test"
        Calling-Station-Id = "00-13-02-C4-80-4C"
        Called-Station-Id = "00-0F-61-FE-EF-D2"
        Service-Type = Framed-User
        EAP-Message = 0x0202000e0174657374406a61636b
        Colubris-AVPair = "ssid=test2"
        Colubris-AVPair = "vsc-unique-id=3"
        Colubris-AVPair = "phytype=IEEE802dot11g"
        Colubris-Attr-250 = 0x00000000
        Colubris-Attr-249 = 0x00000000
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x3236


That is what I have when "default_eap_type = peap" in eap.conf and suffix commented
rad_recv: Access-Request packet from host 192.168.0.250 port 32769, id=195, length=387
        Acct-Session-Id = "1f15e604-00000067"
        NAS-Port = 104
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "AP1"
        NAS-IP-Address = 192.168.0.250
        Framed-MTU = 1496
        User-Name = "test at jack"
        Calling-Station-Id = "00-13-02-C4-80-4C"
        Called-Station-Id = "00-0F-61-FE-EF-D2"
        Service-Type = Framed-User
        EAP-Message =
0x02c30090190017030100206ef157f1edb209ced6df7284ef870774d1adc808c2f7393a443abde91a4eb99017030100607d4d8d08c8c680d2d06afc57337fa4cce547e386b98106b6c80393c7d131a1279fe2d7a2db1721c7df77a9eaf71cf2a3cad712f2e48dabd36454632ea81428c537a746ae38f08546d6f06766fe8574365a5f87f3689cbde6763580e173ef60ce
        State = 0x939ea92a945db03a6035c51f15a10082
        Colubris-AVPair = "ssid=test2"
        Colubris-AVPair = "vsc-unique-id=3"
        Colubris-AVPair = "phytype=IEEE802dot11g"
        Colubris-Attr-250 = 0x00000000
        Colubris-Attr-249 = 0x00000000
        Message-Authenticator = 0x89e1bcd7e7ce60181bdb737896d18bbe
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 195 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message =
0x02c3004b1a02c300463160397ae5a1c3f5a575162355af3a810a00000000000000001c9fc0b11ba69c8647aef4a10cc29ffece47522c5bc98e94006a6163717565732e6e65745c74657374
server  {
  PEAP: Setting User-Name to jacques.net\test
Sending tunneled request
        EAP-Message =
0x02c3004b1a02c300463160397ae5a1c3f5a575162355af3a810a00000000000000001c9fc0b11ba69c8647aef4a10cc29ffece47522c5bc98e94006a6163717565732e6e65745c74657374
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "jacques.net\\test"
        State = 0xfbacdee0fb6fc428f0638ecd3474d47e
        Acct-Session-Id = "1f15e604-00000067"
        NAS-Port = 104
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "AP1"
        NAS-IP-Address = 192.168.0.250
        Framed-MTU = 1496
        Calling-Station-Id = "00-13-02-C4-80-4C"
        Called-Station-Id = "00-0F-61-FE-EF-D2"
        Service-Type = Framed-User
        Colubris-AVPair = "ssid=test2"
        Colubris-AVPair = "vsc-unique-id=3"
        Colubris-AVPair = "phytype=IEEE802dot11g"
        Colubris-Attr-250 = 0x00000000
        Colubris-Attr-249 = 0x00000000
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
++[control] returns notfound
[eap] Request is supposed to be proxied to Realm jack.  Not doing EAP.
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
} # server inner-tunnel
[peap] Got tunneled reply code 0
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap]   Not-EAP proxy set.  Not composing EAP
++[eap] returns handled
  PEAP: Tunneled authentication will be proxied to jack
  PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
[eap]   Tunneled session will be proxied.  Not doing EAP.
++[eap] returns handled
  WARNING: Empty section.  Using default return values.
ERROR: Failed to create a new socket for proxying requests.
ERROR: Failed inserting request into proxy hash.
ERROR: Failed to proxy request 8
There was no response configured: rejecting request 8
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test at jack
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 195 to 192.168.0.250 port 32769
Waking up in 3.5 seconds.
^C

That is what I have when "default_eap_type = mschapv2" in eap.conf
rad_recv: Access-Request packet from host 192.168.0.250 port 32769, id=4, length=387
        Acct-Session-Id = "1f15e604-00000062"
        NAS-Port = 99
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "AP1"
        NAS-IP-Address = 192.168.0.250
        Framed-MTU = 1496
        User-Name = "test at jack"
        Calling-Station-Id = "00-13-02-C4-80-4C"
        Called-Station-Id = "00-0F-61-FE-EF-D2"
        Service-Type = Framed-User
        EAP-Message =
0x029c009019001703010020386a87a32d54ce789a58bf0797c8fec2146cab40657d2844f3c669d3ff74437317030100604ab4dde3619f7b2e4b7d8813d7bb491f9cda910d8d648759b9214dba32a2247c5fa5d7341f8f0c61150144b29e4d7d0a05d0afd057ceb43f5bfc81d8ae6b6028063bd44616c025592dbf694424da9e1420d26b07b6a3fd76ac3cba16a8cdc7fe
        State = 0x9495ab219309b2f8e681988bdb8e38dd
        Colubris-AVPair = "ssid=test2"
        Colubris-AVPair = "vsc-unique-id=3"
        Colubris-AVPair = "phytype=IEEE802dot11g"
        Colubris-Attr-250 = 0x00000000
        Colubris-Attr-249 = 0x00000000
        Message-Authenticator = 0x4e5c523271e20690afa7deb40b198fc6
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 156 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message =
0x029c004b1a029c0046311d53cb59aa4d9b9b1bcbe6b548560779000000000000000037033132aa97f5429493f665e083a7691d6524037460f7a8006a6163717565732e6e65745c74657374
server  {
  PEAP: Setting User-Name to jacques.net\test
Sending tunneled request
        EAP-Message =
0x029c004b1a029c0046311d53cb59aa4d9b9b1bcbe6b548560779000000000000000037033132aa97f5429493f665e083a7691d6524037460f7a8006a6163717565732e6e65745c74657374
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "jacques.net\\test"
        State = 0x25cd979825518d94ace7ecd0c04358cd
        Acct-Session-Id = "1f15e604-00000062"
        NAS-Port = 99
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "AP1"
        NAS-IP-Address = 192.168.0.250
        Framed-MTU = 1496
        Calling-Station-Id = "00-13-02-C4-80-4C"
        Called-Station-Id = "00-0F-61-FE-EF-D2"
        Service-Type = Framed-User
        Colubris-AVPair = "ssid=test2"
        Colubris-AVPair = "vsc-unique-id=3"
        Colubris-AVPair = "phytype=IEEE802dot11g"
        Colubris-Attr-250 = 0x00000000
        Colubris-Attr-249 = 0x00000000
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
++[control] returns notfound
[eap] Request is supposed to be proxied to Realm jack.  Not doing EAP.
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
} # server inner-tunnel
[peap] Got tunneled reply code 0
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap]   Not-EAP proxy set.  Not composing EAP
++[eap] returns handled
  PEAP: Tunneled authentication will be proxied to jack
  PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
[eap]   Tunneled session will be proxied.  Not doing EAP.
++[eap] returns handled
  WARNING: Empty section.  Using default return values.
ERROR: Failed to create a new socket for proxying requests.
ERROR: Failed inserting request into proxy hash.
ERROR: Failed to proxy request 8
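
An added example, not part of the original post: a small Python decoder for the EAP-Message values in the debug output above, useful for checking whether a packet sent to the home server still carries EAP. The function names are illustrative, the `SENT` excerpt is constructed from the first trace, and the MS-CHAPv2 Response layout (opcode, id, length, value-size, value, name) is assumed.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP", 26: "MS-CHAPv2"}

def decode_eap(hex_value):
    """Decode one complete EAP-Message value as printed in FreeRADIUS debug output."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field does not match the attribute value")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        info["type"] = EAP_TYPES.get(raw[4], raw[4])
        body = raw[5:]
        if raw[4] == 1:  # Identity: the rest of the packet is the user name
            info["identity"] = body.decode("utf-8", "replace")
        elif raw[4] == 26 and len(body) >= 5 and body[0] == 2:
            # MS-CHAPv2 Response: skip opcode, id, ms-length, value-size and value
            value_size = body[4]
            info["name"] = body[5 + value_size:].decode("utf-8", "replace")
    return info

def proxied_eap(debug_text):
    """Return the decoded EAP-Message of the first outbound Access-Request, or None."""
    sent = debug_text.split("Sending Access-Request", 1)
    if len(sent) < 2:
        return None
    match = re.search(r"EAP-Message\s*=\s*(0x[0-9a-fA-F]+)", sent[1])
    return decode_eap(match.group(1)) if match else None

# Values copied from the debug output in the post above.
IDENTITY = "0x0202000e0174657374406a61636b"
TUNNELED = "0x02c3004b1a02c300463160397ae5a1c3f5a575162355af3a810a00000000000000001c9fc0b11ba69c8647aef4a10cc29ffece47522c5bc98e94006a6163717565732e6e65745c74657374"
# Constructed excerpt of the outbound packet in the first trace.
SENT = """Sending Access-Request of id 43 to 192.168.0.252 port 1812
        User-Name = "test"
        EAP-Message = 0x0202000e0174657374406a61636b
        Proxy-State = 0x3236
"""

if __name__ == "__main__":
    print(decode_eap(IDENTITY))
    print(decode_eap(TUNNELED))
    print("proxied as EAP:", proxied_eap(SENT))
```

The first value decodes to an EAP Identity response for `test@jack` (the list archive renders the `@` as ` at `), so the request sent to 192.168.0.252 in the first trace is still an EAP packet.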