EAP issue

Stefan Winter stefan.winter at restena.lu
Tue Mar 30 16:11:40 CEST 2010


Well,

proxying is activated in this config, so the server doesn't do EAP at
all. Instead, it proxies the request to "example.com" on IP 1.2.3.4. Is
that what it is supposed to do?

Stefan

On 30.03.2010 16:03, David Peterson wrote:
>
> I cannot figure out where this new server is going awry.  From what I
> can tell EAP is misconfigured but I cannot find the issue.  If anyone
> sees anything in the debug please let me know. 
>
>  
>
> FreeRADIUS Version 2.1.8, for host i386-portbld-freebsd7.2, built on
> Mar 26 2010 at 15:24:36
>
> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
>
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>
> PARTICULAR PURPOSE.
>
> You may redistribute copies of FreeRADIUS under the terms of the
>
> GNU General Public License v2.
>
> Starting - reading configuration files ...
>
> including configuration file /usr/local/etc/raddb/radiusd.conf
>
> including configuration file /usr/local/etc/raddb/proxy.conf
>
> including configuration file /usr/local/etc/raddb/clients.conf
>
> including files in directory /usr/local/etc/raddb/modules/
>
> including configuration file /usr/local/etc/raddb/modules/wimax
>
> including configuration file /usr/local/etc/raddb/modules/always
>
> including configuration file /usr/local/etc/raddb/modules/attr_filter
>
> including configuration file /usr/local/etc/raddb/modules/attr_rewrite
>
> including configuration file /usr/local/etc/raddb/modules/chap
>
> including configuration file /usr/local/etc/raddb/modules/checkval
>
> including configuration file /usr/local/etc/raddb/modules/counter
>
> including configuration file /usr/local/etc/raddb/modules/detail
>
> including configuration file
> /usr/local/etc/raddb/modules/detail.example.com
>
> including configuration file /usr/local/etc/raddb/modules/detail.log
>
> including configuration file /usr/local/etc/raddb/modules/digest
>
> including configuration file /usr/local/etc/raddb/modules/echo
>
> including configuration file /usr/local/etc/raddb/modules/etc_group
>
> including configuration file /usr/local/etc/raddb/modules/exec
>
> including configuration file /usr/local/etc/raddb/modules/expiration
>
> including configuration file /usr/local/etc/raddb/modules/expr
>
> including configuration file /usr/local/etc/raddb/modules/files
>
> including configuration file /usr/local/etc/raddb/modules/inner-eap
>
> including configuration file /usr/local/etc/raddb/modules/ippool
>
> including configuration file /usr/local/etc/raddb/modules/krb5
>
> including configuration file /usr/local/etc/raddb/modules/ldap
>
> including configuration file /usr/local/etc/raddb/modules/linelog
>
> including configuration file /usr/local/etc/raddb/modules/logintime
>
> including configuration file /usr/local/etc/raddb/modules/mac2ip
>
> including configuration file /usr/local/etc/raddb/modules/mac2vlan
>
> including configuration file /usr/local/etc/raddb/modules/mschap
>
> including configuration file /usr/local/etc/raddb/modules/otp
>
> including configuration file /usr/local/etc/raddb/modules/pam
>
> including configuration file /usr/local/etc/raddb/modules/pap
>
> including configuration file /usr/local/etc/raddb/modules/passwd
>
> including configuration file /usr/local/etc/raddb/modules/perl
>
> including configuration file /usr/local/etc/raddb/modules/policy
>
> including configuration file /usr/local/etc/raddb/modules/preprocess
>
> including configuration file /usr/local/etc/raddb/modules/radutmp
>
> including configuration file /usr/local/etc/raddb/modules/realm
>
> including configuration file /usr/local/etc/raddb/modules/smbpasswd
>
> including configuration file /usr/local/etc/raddb/modules/smsotp
>
> including configuration file /usr/local/etc/raddb/modules/sql_log
>
> including configuration file
> /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
>
> including configuration file /usr/local/etc/raddb/modules/sradutmp
>
> including configuration file /usr/local/etc/raddb/modules/unix
>
> including configuration file /usr/local/etc/raddb/modules/acct_unique
>
> including configuration file /usr/local/etc/raddb/eap.conf
>
> including configuration file /usr/local/etc/raddb/policy.conf
>
> including files in directory /usr/local/etc/raddb/sites-enabled/
>
> including configuration file /usr/local/etc/raddb/sites-enabled/default
>
> including configuration file
> /usr/local/etc/raddb/sites-enabled/inner-tunnel
>
> including configuration file
> /usr/local/etc/raddb/sites-enabled/control-socket
>
> main {
>
>                 user = "freeradius"
>
>                 group = "freeradius"
>
>                 allow_core_dumps = no
>
> }
>
> including dictionary file /usr/local/etc/raddb/dictionary
>
> main {
>
>                 prefix = "/usr/local"
>
>                 localstatedir = "/var"
>
>                 logdir = "/var/log"
>
>                 libdir = "/usr/local/lib/freeradius-2.1.8"
>
>                 radacctdir = "/var/log/radacct"
>
>                 hostname_lookups = no
>
>                 max_request_time = 30
>
>                 cleanup_delay = 5
>
>                 max_requests = 1024
>
>                 pidfile = "/var/run/radiusd/radiusd.pid"
>
>                 checkrad = "/usr/local/sbin/checkrad"
>
>                 debug_level = 0
>
>                 proxy_requests = yes
>
>  log {
>
>                 stripped_names = no
>
>                 auth = no
>
>                 auth_badpass = no
>
>                 auth_goodpass = no
>
>  }
>
>  security {
>
>                 max_attributes = 200
>
>                 reject_delay = 1
>
>                 status_server = yes
>
>  }
>
> }
>
> radiusd: #### Loading Realms and Home Servers ####
>
>  proxy server {
>
>                 retry_delay = 5
>
>                 retry_count = 3
>
>                 default_fallback = no
>
>                 dead_time = 120
>
>                 wake_all_if_all_dead = no
>
>  }
>
>  home_server radius01 {
>
>                 ipaddr = 1.2.3.4
>
>                 port = 1812
>
>                 type = "auth"
>
>                 secret = "secret1"
>
>                 response_window = 20
>
>                 max_outstanding = 65536
>
>                 require_message_authenticator = no
>
>                 zombie_period = 40
>
>                 status_check = "status-server"
>
>                 ping_interval = 30
>
>                 check_interval = 30
>
>                 num_answers_to_alive = 3
>
>                 num_pings_to_alive = 3
>
>                 revive_interval = 120
>
>                 status_check_timeout = 4
>
>                 irt = 2
>
>                 mrt = 16
>
>                 mrc = 5
>
>                 mrd = 30
>
>  }
>
>  home_server_pool my_auth_failover {
>
>                 type = fail-over
>
>                 home_server = radius01
>
>  }
>
>  realm example.com {
>
>                 auth_pool = my_auth_failover
>
>  }
>
>  realm LOCAL {
>
>  }
>
> radiusd: #### Loading Clients ####
>
>  client localhost {
>
>                 ipaddr = 127.0.0.1
>
>                 require_message_authenticator = no
>
>                 secret = "testing123"
>
>                 nastype = "other"
>
>  }
>
>  client 3.4.5.6 {
>
>                 require_message_authenticator = no
>
>                 secret = "secret2"
>
>                 shortname = "Alvarion"
>
>  }
>
> radiusd: #### Instantiating modules ####
>
>  instantiate {
>
>  Module: Linked to module rlm_exec
>
>  Module: Instantiating exec
>
>   exec {
>
>                 wait = no
>
>                 input_pairs = "request"
>
>                 shell_escape = yes
>
>   }
>
>  Module: Linked to module rlm_expr
>
>  Module: Instantiating expr
>
>  Module: Linked to module rlm_expiration
>
>  Module: Instantiating expiration
>
>   expiration {
>
>                 reply-message = "Password Has Expired  "
>
>   }
>
>  Module: Linked to module rlm_logintime
>
>  Module: Instantiating logintime
>
>   logintime {
>
>                 reply-message = "You are calling outside your allowed
> timespan  "
>
>                 minimum-timeout = 60
>
>   }
>
>  }
>
> radiusd: #### Loading Virtual Servers ####
>
> server inner-tunnel {
>
>  modules {
>
>  Module: Checking authenticate {...} for more modules to load
>
>  Module: Linked to module rlm_pap
>
>  Module: Instantiating pap
>
>   pap {
>
>                 encryption_scheme = "auto"
>
>                 auto_header = no
>
>   }
>
>  Module: Linked to module rlm_chap
>
>  Module: Instantiating chap
>
>  Module: Linked to module rlm_mschap
>
>  Module: Instantiating mschap
>
>   mschap {
>
>                 use_mppe = yes
>
>                 require_encryption = no
>
>                 require_strong = no
>
>                 with_ntdomain_hack = no
>
>   }
>
>  Module: Linked to module rlm_unix
>
>  Module: Instantiating unix
>
>   unix {
>
>                 radwtmp = "/var/log/radwtmp"
>
>   }
>
>  Module: Linked to module rlm_eap
>
>  Module: Instantiating eap
>
>   eap {
>
>                 default_eap_type = "md5"
>
>                 timer_expire = 60
>
>                 ignore_unknown_eap_types = no
>
>                 cisco_accounting_username_bug = no
>
>                 max_sessions = 2048
>
>   }
>
>  Module: Linked to sub-module rlm_eap_md5
>
>  Module: Instantiating eap-md5
>
>  Module: Linked to sub-module rlm_eap_leap
>
>  Module: Instantiating eap-leap
>
>  Module: Linked to sub-module rlm_eap_gtc
>
>  Module: Instantiating eap-gtc
>
>    gtc {
>
>                 challenge = "Password: "
>
>                 auth_type = "PAP"
>
>    }
>
>  Module: Linked to sub-module rlm_eap_tls
>
>  Module: Instantiating eap-tls
>
>    tls {
>
>                 rsa_key_exchange = no
>
>                 dh_key_exchange = yes
>
>                 rsa_key_length = 512
>
>                 dh_key_length = 512
>
>                 verify_depth = 0
>
>                 pem_file_type = yes
>
>                 private_key_file = "/usr/local/etc/raddb/certs/server.pem"
>
>                 certificate_file = "/usr/local/etc/raddb/certs/server.pem"
>
>                 CA_file = "/usr/local/etc/raddb/certs/ca.pem"
>
>                 private_key_password = "whatever"
>
>                 dh_file = "/usr/local/etc/raddb/certs/dh"
>
>                 random_file = "/usr/local/etc/raddb/certs/random"
>
>                 fragment_size = 1024
>
>                 include_length = yes
>
>                 check_crl = no
>
>                 cipher_list = "DEFAULT"
>
>                 make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
>
>     cache {
>
>                 enable = no
>
>                 lifetime = 24
>
>                 max_entries = 255
>
>     }
>
>    }
>
>  Module: Linked to sub-module rlm_eap_ttls
>
>  Module: Instantiating eap-ttls
>
>    ttls {
>
>                 default_eap_type = "md5"
>
>                 copy_request_to_tunnel = yes
>
>                 use_tunneled_reply = yes
>
>                 virtual_server = "inner-tunnel"
>
>                 include_length = yes
>
>    }
>
>  Module: Linked to sub-module rlm_eap_peap
>
>  Module: Instantiating eap-peap
>
>    peap {
>
>                 default_eap_type = "mschapv2"
>
>                 copy_request_to_tunnel = no
>
>                 use_tunneled_reply = no
>
>                 proxy_tunneled_request_as_eap = yes
>
>                 virtual_server = "inner-tunnel"
>
>    }
>
>  Module: Checking authorize {...} for more modules to load
>
>  Module: Linked to module rlm_realm
>
>  Module: Instantiating suffix
>
>   realm suffix {
>
>                 format = "suffix"
>
>                 delimiter = "@"
>
>                 ignore_default = no
>
>                 ignore_null = no
>
>   }
>
>  Module: Linked to module rlm_files
>
>  Module: Instantiating files
>
>   files {
>
>                 usersfile = "/usr/local/etc/raddb/users"
>
>                 acctusersfile = "/usr/local/etc/raddb/acct_users"
>
>                 preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
>
>                 compat = "no"
>
>   }
>
>  Module: Checking session {...} for more modules to load
>
>  Module: Linked to module rlm_radutmp
>
>  Module: Instantiating radutmp
>
>   radutmp {
>
>                 filename = "/var/log/radutmp"
>
>                 username = "%{User-Name}"
>
>                 case_sensitive = yes
>
>                 check_with_nas = yes
>
>                 perm = 384
>
>                 callerid = yes
>
>   }
>
>  Module: Checking post-proxy {...} for more modules to load
>
>  Module: Checking post-auth {...} for more modules to load
>
>  Module: Linked to module rlm_attr_filter
>
>  Module: Instantiating attr_filter.access_reject
>
>   attr_filter attr_filter.access_reject {
>
>                 attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
>
>                 key = "%{User-Name}"
>
>   }
>
>  } # modules
>
> } # server
>
> server {
>
>  modules {
>
>  Module: Checking authenticate {...} for more modules to load
>
>  Module: Checking authorize {...} for more modules to load
>
>  Module: Linked to module rlm_preprocess
>
>  Module: Instantiating preprocess
>
>   preprocess {
>
>                 huntgroups = "/usr/local/etc/raddb/huntgroups"
>
>                 hints = "/usr/local/etc/raddb/hints"
>
>                 with_ascend_hack = no
>
>                 ascend_channels_per_line = 23
>
>                 with_ntdomain_hack = no
>
>                 with_specialix_jetstream_hack = no
>
>                 with_cisco_vsa_hack = no
>
>                 with_alvarion_vsa_hack = no
>
>   }
>
>  Module: Linked to module rlm_wimax
>
>  Module: Instantiating wimax
>
>   wimax {
>
>                 delete_mppe_keys = no
>
>   }
>
>  Module: Checking preacct {...} for more modules to load
>
>  Module: Linked to module rlm_acct_unique
>
>  Module: Instantiating acct_unique
>
>   acct_unique {
>
>                 key = "User-Name, Acct-Session-Id, NAS-IP-Address,
> Client-IP-Address, NAS-Port"
>
>   }
>
>  Module: Checking accounting {...} for more modules to load
>
>  Module: Linked to module rlm_detail
>
>  Module: Instantiating detail
>
>   detail {
>
>                 detailfile =
> "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>
>                 header = "%t"
>
>                 detailperm = 384
>
>                 dirperm = 493
>
>                 locking = no
>
>                 log_packet_header = no
>
>   }
>
>  Module: Instantiating attr_filter.accounting_response
>
>   attr_filter attr_filter.accounting_response {
>
>                 attrsfile =
> "/usr/local/etc/raddb/attrs.accounting_response"
>
>                 key = "%{User-Name}"
>
>   }
>
>  Module: Checking session {...} for more modules to load
>
>  Module: Checking post-proxy {...} for more modules to load
>
>  Module: Checking post-auth {...} for more modules to load
>
>  } # modules
>
> } # server
>
> radiusd: #### Opening IP addresses and Ports ####
>
> listen {
>
>                 type = "auth"
>
>                 ipaddr = *
>
>                 port = 0
>
> }
>
> listen {
>
>                 type = "acct"
>
>                 ipaddr = *
>
>                 port = 0
>
> }
>
> listen {
>
>                 type = "control"
>
>  listen {
>
>                 socket = "/var/run/radiusd/radiusd.sock"
>
>  }
>
> }
>
> Listening on authentication address * port 1812
>
> Listening on accounting address * port 1813
>
> Listening on command file /var/run/radiusd/radiusd.sock
>
> Listening on proxy address * port 1814
>
> Ready to process requests.
>
> rad_recv: Access-Request packet from host 3.4.5.6 port 49157, id=33,
> length=260
>
>                 User-Name =
> "{am=1}d9331e46a19a9d6ffac45999467fd418 at example.com"
>
>                 NAS-IP-Address = 172.16.4.6
>
>                 NAS-Port-Type = 27
>
>                 NAS-Port = 1
>
>                 Calling-Station-Id = "\000\020\347AK\024"
>
>                 NAS-Identifier = "001001001000131001"
>
>                 WiMAX-GMT-Timezone-offset = 0
>
>                 Framed-MTU = 1490
>
>                 Service-Type = Framed-User
>
>                 WiMAX-Release = "1.0"
>
>                 WiMAX-Accounting-Capabilities = IP-Session-Based
>
>                 WiMAX-BS-Id = 0x303031303031303031303030313331303031
>
>                 EAP-Message =
> 0x02010036017b616d3d317d643933333165343661313961396436666661633435393939343637666434313840736361726c65742e616e
>
>                 Message-Authenticator = 0x90a2f3c8f27af034fb51225e1753c977
>
> +- entering group authorize {...}
>
> ++[preprocess] returns ok
>
> ++[chap] returns noop
>
> ++[mschap] returns noop
>
> rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-10-e7-41-4b-14
>
> ++[wimax] returns ok
>
> [suffix] Looking up realm "example.com" for User-Name =
> "{am=1}d9331e46a19a9d6ffac45999467fd418 at example.com"
>
> [suffix] Found realm "example.com"
>
> [suffix] Adding Stripped-User-Name =
> "{am=1}d9331e46a19a9d6ffac45999467fd418"
>
> [suffix] Adding Realm = "example.com"
>
> [suffix] Proxying request from user
> {am=1}d9331e46a19a9d6ffac45999467fd418 to realm example.com
>
> [suffix] Preparing to proxy authentication request to realm "example.com"
>
> ++[suffix] returns updated
>
> [eap] Request is supposed to be proxied to Realm example.com.  Not
> doing EAP.
>
> ++[eap] returns noop
>
> ++[unix] returns notfound
>
> [files] users: Matched entry DEFAULT at line 203
>
> ++[files] returns ok
>
> ++[expiration] returns noop
>
> ++[logintime] returns noop
>
> ++[pap] returns noop
>
>   WARNING: Empty section.  Using default return values.
>
> Sending Access-Request of id 200 to 1.2.3.4 port 1812
>
>                 User-Name = "{am=1}d9331e46a19a9d6ffac45999467fd418"
>
>                 NAS-IP-Address = 172.16.4.6
>
>                 NAS-Port-Type = 27
>
>                 NAS-Port = 1
>
>                 Calling-Station-Id = "00-10-e7-41-4b-14"
>
>                 NAS-Identifier = "001001001000131001"
>
>                 WiMAX-GMT-Timezone-offset = 0
>
>                 Framed-MTU = 1490
>
>                 Service-Type = Framed-User
>
>                 WiMAX-Release = "1.0"
>
>                 WiMAX-Accounting-Capabilities = IP-Session-Based
>
>                 WiMAX-BS-Id = 0x303031303031303031303030313331303031
>
>                 EAP-Message =
> 0x02010036017b616d3d317d643933333165343661313961396436666661633435393939343637666434313840736361726c65742e616e
>
>                 Message-Authenticator = 0x00000000000000000000000000000000
>
>                 Proxy-State = 0x3333
>
> Proxying request 47 to home server 1.2.3.4 port 1812
>
> Sending Access-Request of id 200 to 1.2.3.4 port 1812
>
>                 User-Name = "{am=1}d9331e46a19a9d6ffac45999467fd418"
>
>                 NAS-IP-Address = 172.16.4.6
>
>                 NAS-Port-Type = 27
>
>                 NAS-Port = 1
>
>                 Calling-Station-Id = "00-10-e7-41-4b-14"
>
>                 NAS-Identifier = "001001001000131001"
>
>                 WiMAX-GMT-Timezone-offset = 0
>
>                 Framed-MTU = 1490
>
>                 Service-Type = Framed-User
>
>                 WiMAX-Release = "1.0"
>
>                 WiMAX-Capability = 0x0105312e30020301
>
>                 WiMAX-Accounting-Capabilities = IP-Session-Based
>
>                 WiMAX-BS-Id = 0x303031303031303031303030313331303031
>
>                 EAP-Message =
> 0x02010036017b616d3d317d643933333165343661313961396436666661633435393939343637666434313840736361726c65742e616e
>
>                 Message-Authenticator = 0x00000000000000000000000000000000
>
>                 Proxy-State = 0x3333
>
> Going to the next request
>
> Waking up in 0.9 seconds.
>
> rad_recv: Access-Reject packet from host 1.2.3.4 port 1812, id=200,
> length=24
>
>                 Proxy-State = 0x3333
>
> +- entering group post-proxy {...}
>
> [eap] No pre-existing handler found
>
> ++[eap] returns noop
>
> Using Post-Auth-Type Reject
>
> +- entering group REJECT {...}
>
> [attr_filter.access_reject]            expand: %{User-Name} ->
> {am=1}d9331e46a19a9d6ffac45999467fd418 at example.com
>
>  attr_filter: Matched entry DEFAULT at line 11
>
> ++[attr_filter.access_reject] returns updated
>
> Delaying reject of request 47 for 1 seconds
>
> Going to the next request
>
> Waking up in 0.9 seconds.
>
> Sending delayed reject for request 47
>
> Sending Access-Reject of id 33 to 3.4.5.6 port 49157
>
> Waking up in 4.9 seconds.
>
> Cleaning up request 47 ID 33 with timestamp +2476
>
> Ready to process requests.
>
>
> David Peterson
> Engineer
> Wireless Connections
> 166 Milan Ave., Norwalk, Oh. 44857
> ACCessing the Future Today!!
> ofc. 419.660.6100 ext 2287
>
> cell 419-706-7355
> fax  419-668-4077
> http://www.wirelessconnections.net


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
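The realm definition that produces the proxying decision described above, as an added example that is not part of the original thread. The first fragment is FreeRADIUS 2.1.x proxy.conf syntax for what the posted debug output shows was loaded (home server 1.2.3.4, pool my_auth_failover, realm example.com); the second is the alternative to use only if the intent is for this server to terminate EAP itself. The comments are mine; the values are copied from the posted log.

```conf
# Added example (not from the original message): proxy.conf fragments
# for FreeRADIUS 2.1.x illustrating why rlm_eap returns noop above.

# 1. What the posted debug output shows was loaded. A realm that names
#    an auth_pool is a PROXIED realm: rlm_realm (the "suffix" instance)
#    strips "@example.com", marks the request for proxying to the pool,
#    and rlm_eap then logs "Request is supposed to be proxied ... Not
#    doing EAP". The Access-Reject seen afterwards comes from 1.2.3.4,
#    not from this server.
home_server radius01 {
        ipaddr = 1.2.3.4
        port   = 1812
        type   = auth
        secret = secret1        # shared secret as shown in the posted log
}

home_server_pool my_auth_failover {
        type        = fail-over
        home_server = radius01
}

realm example.com {
        auth_pool = my_auth_failover
}

# 2. Alternative, only if this server is meant to run the EAP
#    conversation locally: a realm block with no auth_pool / acct_pool
#    is a LOCAL realm. rlm_realm still strips the "@example.com" suffix
#    from User-Name unless "nostrip" is set, and the request falls
#    through to rlm_eap instead of being forwarded.
#
# realm example.com {
#         nostrip        # optional: keep the full User-Name for lookups
# }
```

With the second form in place, the "[suffix]" lines in the debug output should no longer say "Proxying request ... to realm example.com", and "[eap]" should start handling the EAP-Message instead of returning noop. Only one of the two realm blocks may exist for example.com at a time; which one is right depends on whether 1.2.3.4 is actually the server that holds the user database for that realm.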