EAP with a non-EAP RADIUS server

Jacques FOUCHER jacques.foucher at gmail.com
Sun Sep 27 09:35:25 CEST 2009


Hi,

Is it possible that, because of the configuration in proxy.conf (proxying
to an external RADIUS server), I don't use the configuration in eap.conf (which
would be used only for local authentication)? That would be the explanation for
why I send EAP messages.

2009/9/26 Jacques FOUCHER <jacques.foucher at gmail.com>

> Hi,
>
> I want to use EAP to authenticate wireless users against a RADIUS server which
> doesn't know the EAP protocol. It seems that it is possible to do that using a
> FreeRADIUS proxy. The architecture should be:
>
> Access Point as a NAS       FreeRADIUS as a proxy       RADIUS server without EAP
> 192.168.0.250               192.168.0.64                192.168.0.252
>
> <----------- EAP ----------->
>                             <---- MS-CHAP v2 or other ---->
>
> The idea is to convert an EAP Response/Identity to a RADIUS Access-Request
> without EAP inside.
>
>
> As the first RADIUS server I use FreeRADIUS version 2.0.4.
> As the second one, I use IAS (just to test, but in the final configuration
> it will not be IAS).
>
> When I configure IAS with an EAP method in the Remote Access Policy, it works.
> When I remove the EAP method from IAS, it does not.
> The problem is that FreeRADIUS is acting as a proxy without removing EAP,
> and that is not what I want.
>
> These are the modifications I made to the configuration files; ask me if you
> need more.
>
> proxy.conf:
> realm DEFAULT {
>         authhost        = 192.168.0.252:1812
>         accthost        = 192.168.0.252:1813
>         secret          = secret
> }
>
> eap.conf:
> ttls {
>         default_eap_type = md5
>         copy_request_to_tunnel = no
>         use_tunneled_reply = no
>         virtual_server = "inner-tunnel"
> }
> peap {
>         default_eap_type = mschapv2
>         copy_request_to_tunnel = no
>         use_tunneled_reply = no
>         proxy_tunneled_request_as_eap = no
>         virtual_server = "inner-tunnel"
> }
>
> On wireless, I tried TTLS and PEAP with the same unsuccessful result.
> This is the FreeRADIUS log:
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.0.250 port 32769, id=30, length=229
>         Acct-Session-Id = "8b0b0795-0000009c"
>         NAS-Port = 157
>         NAS-Port-Type = Wireless-802.11
>         NAS-Identifier = "AP1"
>         NAS-IP-Address = 192.168.0.250
>         Framed-MTU = 1496
>         User-Name = "test"
>         Calling-Station-Id = "00-13-02-C4-80-4C"
>         Called-Station-Id = "00-0F-61-FE-EF-D2"
>         Service-Type = Framed-User
>         EAP-Message = 0x021a00090174657374
>         Colubris-AVPair = "ssid=test2"
>         Colubris-AVPair = "vsc-unique-id=3"
>         Colubris-AVPair = "phytype=IEEE802dot11g"
>         Colubris-Attr-250 = 0x00000000
>         Colubris-Attr-249 = 0x00000000
>         Message-Authenticator = 0x0ed85e6e5c0765e5390b037233c60d73
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>     rlm_realm: No '@' in User-Name = "test", looking up realm NULL
>     rlm_realm: Found realm "DEFAULT"
>     rlm_realm: Adding Stripped-User-Name = "test"
>     rlm_realm: Adding Realm = "DEFAULT"
>     rlm_realm: Proxying request from user test to realm DEFAULT
>     rlm_realm: Preparing to proxy authentication request to realm "DEFAULT"
> ++[suffix] returns updated
>   rlm_eap: Request is supposed to be proxied to Realm DEFAULT.  Not doing EAP.
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Sending Access-Request of id 224 to 192.168.0.252 port 1812
>         Acct-Session-Id = "8b0b0795-0000009c"
>         NAS-Port = 157
>         NAS-Port-Type = Wireless-802.11
>         NAS-Identifier = "AP1"
>         NAS-IP-Address = 192.168.0.250
>         Framed-MTU = 1496
>         User-Name = "test"
>         Calling-Station-Id = "00-13-02-C4-80-4C"
>         Called-Station-Id = "00-0F-61-FE-EF-D2"
>         Service-Type = Framed-User
>         EAP-Message = 0x021a00090174657374
>         Colubris-AVPair = "ssid=test2"
>         Colubris-AVPair = "vsc-unique-id=3"
>         Colubris-AVPair = "phytype=IEEE802dot11g"
>         Colubris-Attr-250 = 0x00000000
>         Colubris-Attr-249 = 0x00000000
>         Message-Authenticator = 0x00000000000000000000000000000000
>         Proxy-State = 0x3330
> Proxying request 1 to home server 192.168.0.252 port 1812
> Sending Access-Request of id 224 to 192.168.0.252 port 1812
>         Acct-Session-Id = "8b0b0795-0000009c"
>         NAS-Port = 157
>         NAS-Port-Type = Wireless-802.11
>         NAS-Identifier = "AP1"
>         NAS-IP-Address = 192.168.0.250
>         Framed-MTU = 1496
>         User-Name = "test"
>         Calling-Station-Id = "00-13-02-C4-80-4C"
>         Called-Station-Id = "00-0F-61-FE-EF-D2"
>         Service-Type = Framed-User
>         EAP-Message = 0x021a00090174657374
>         Colubris-AVPair = "ssid=test2"
>         Colubris-AVPair = "vsc-unique-id=3"
>         Colubris-AVPair = "phytype=IEEE802dot11g"
>         Colubris-Attr-250 = 0x00000000
>         Colubris-Attr-249 = 0x00000000
>         Message-Authenticator = 0x00000000000000000000000000000000
>         Proxy-State = 0x3330
> Going to the next request
> Waking up in 0.9 seconds.
> rad_recv: Access-Reject packet from host 192.168.0.252 port 1812, id=224, length=24
>         Proxy-State = 0x3330
> +- entering group post-proxy
>   rlm_eap: No pre-existing handler found
> ++[eap] returns noop
> Login incorrect (Home Server says so): [test/<no User-Password attribute>] (from client AP1 port 157 cli 00-13-02-C4-80-4C)
>   Found Post-Auth-Type Reject
> +- entering group REJECT
>         expand: %{User-Name} -> test
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 1 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 1
> Sending Access-Reject of id 30 to 192.168.0.250 port 32769
> Waking up in 4.9 seconds.
>
> On the IAS server, this is the error message (sorry, it is a French version,
> but the idea is that IAS receives an EAP message):
>
> Access was denied to user test.
>  Fully-Qualified-User-Name = jacques.net/Users/test
>  NAS-IP-Address = 192.168.0.250
>  NAS-Identifier = AP1
>  Called-Station-Identifier = 00-0F-61-FE-EF-D2
>  Calling-Station-Identifier = 00-13-02-C4-80-4C
>  Client-Friendly-Name = freeradius
>  Client-IP-Address = 192.168.0.64
>  NAS-Port-Type = Wireless - IEEE 802.11
>  NAS-Port = 107
>  Proxy-Policy-Name = test
>  Authentication-Provider = Windows
>  Authentication-Server = <undetermined>
>  Policy-Name = test
>  Authentication-Type = EAP
>  EAP-Type = <undetermined>
>  Reason-Code = 66
>  Reason = The user attempted to use an authentication method that is not
> enabled on the matching remote access policy. The name of the matching remote
> access policy.
>
> For more information, see the Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> I hope you could help me.
> --
> Jacques
>



-- 
Jacques FOUCHER
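The configuration that makes FreeRADIUS terminate the EAP method itself and proxy only the inner credentials, added here as an illustration; it is neither the poster's files nor the stock configuration shipped by the FreeRADIUS project. It reuses the addresses from the thread (home server 192.168.0.252), the home server name `ias`, the pool name `ias_pool` and the secret `change_me` are placeholders, and the 2.x `home_server`/`home_server_pool` syntax is assumed in place of the posted `authhost`/`accthost` realm form. The point it shows is where `suffix` (rlm_realm) runs: in the posted log it runs in the outer server, sets Proxy-To-Realm on the outer request, and `eap` then refuses to act ("Request is supposed to be proxied ... Not doing EAP"), so the whole EAP-Message is forwarded as-is. With the realm lookup moved into `inner-tunnel`, the outer server decrypts the PEAP tunnel locally and only the decrypted inner exchange is proxied; `proxy_tunneled_request_as_eap = no` then sends that inner EAP-MSCHAPv2 exchange as plain MS-CHAP-Challenge/MS-CHAP2-Response attributes rather than an EAP-Message.

```conf
# proxy.conf (assumed 2.x syntax; "ias", "ias_pool" and the secret are placeholders)
home_server ias {
        type    = auth
        ipaddr  = 192.168.0.252
        port    = 1812
        secret  = change_me
}

home_server_pool ias_pool {
        type            = fail-over
        home_server     = ias
}

# Realm matched by rlm_realm ("suffix") for names without an '@'.  Because
# "suffix" is only listed in inner-tunnel below, only inner requests use it.
realm DEFAULT {
        auth_pool       = ias_pool
}

# eap.conf: the "tls" subsection and the rest of the eap module stay as shipped;
# only the peap subsection matters for this setup.
eap {
        default_eap_type = peap
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                # "no": inner EAP-MSCHAPv2 is proxied as MS-CHAP attributes,
                # so the home server needs MS-CHAPv2 support but not EAP support.
                proxy_tunneled_request_as_eap = no
                virtual_server = "inner-tunnel"
        }
}

# sites-enabled/default (outer server, top-level sections as in the stock file):
# no "suffix" here, so Proxy-To-Realm is never set on the outer request and
# rlm_eap handles the TLS tunnel itself.
authorize {
        preprocess
        eap {
                ok = return
        }
}
authenticate {
        eap
}

# sites-enabled/inner-tunnel: the realm lookup runs on the decrypted inner
# request.  The stock file follows "suffix" with
#     update control { Proxy-To-Realm := LOCAL }
# which forces local handling; that block must be removed for proxying to happen.
server inner-tunnel {
        authorize {
                mschap
                suffix
                eap {
                        ok = return
                }
        }
        authenticate {
                Auth-Type MS-CHAP {
                        mschap
                }
                eap
        }
        post-proxy {
                eap
        }
}
```

Two things to check after applying this. First, the home server's policy must now permit MS-CHAP v2 without EAP; an IAS remote access policy that allows only EAP methods will reject the proxied request with the same Reason-Code 66 seen in the thread, just for MS-CHAP instead of EAP. Second, the security boundary moves: on the wireless side the MS-CHAPv2 exchange is inside the PEAP TLS tunnel, but between the FreeRADIUS proxy and 192.168.0.252 it travels in an ordinary RADIUS Access-Request, integrity-protected by the shared secret's Message-Authenticator but not encrypted, and MS-CHAPv2 challenge/response pairs are offline-crackable. Treat that hop as a trusted network or tunnel it (IPsec), and use a long random secret rather than the `secret` shown in the posted config. For TTLS the same inner-tunnel change applies; if the supplicant is configured for a non-EAP inner method (PAP or MSCHAPv2) the inner request already carries plain attributes and `default_eap_type = md5` in the ttls subsection is never used.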