Proxying authentication from FreeRadius to Cisco ACS

Erisan Nyamutenha Erisan.Nyamutenha at uct.ac.za
Wed Jan 19 08:08:48 CET 2011


Hello All,
 
I am setting up an Eduroam authentication server using FreeRadius 2.1.1
on Suse Linux 12. I am proxying authentication requests to a Cisco ACS.
When testing using radtest from the FreeRadius box authentication is
proxied to ACS fine and I get an access-accept back. However when I try
from a wireless client the proxy response from the ACS is an
Access-Reject. In the failed attempts logs on the ACS it says bad
username or password. I'm pretty sure I'm using the correct password. Is
there any reason why this should not work? I've posted my logs below:-
 
rad_recv: Access-Request packet from host 1.1.1.1 port 32768, id=210,
length=255
        User-Name = "username@xyz.ac.za"
        Calling-Station-Id = "00-1e-64-8f-f1-2a"
        Called-Station-Id = "08-17-35-32-f2-90:Eduroam"
        NAS-Port = 29
        NAS-IP-Address = 1.1.1.1       
        NAS-Identifier = "uc-wism-2"
        Airespace-Wlan-Id = 4
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "63"
        EAP-Message =
0x02a0002b190017030100204673d48ae9e9d21afa7fe1fd6cae4d95841ae136e4fe85ad44acd3a4d0228a69
        State =
0x4541503d302e66666666666666662e63666337302e373b5356433d302e31363139623b
        Message-Authenticator = 0xaab2e06ffb5753411ad8d42b71cafbdd
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "xyz.ac.za" for User-Name =
"username at xyz.ac.za"
[suffix] Found realm "xyz.ac.za"
[suffix] Adding Stripped-User-Name = "username"
[suffix] Adding Realm = "xyz.ac.za"
[suffix] Proxying request from user username to realm xyz.ac.za
[suffix] Preparing to proxy authentication request to realm
"xyz.ac.za"
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm xyz.ac.za.  Not doing
EAP.
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 81 to 2.2.2.2 port 1812
        User-Name = "username"
        Calling-Station-Id = "00-1e-64-8f-f1-2a"
        Called-Station-Id = "08-17-35-32-f2-90:Eduroam"
        NAS-Port = 29
        NAS-IP-Address = 1.1.1.1        
        NAS-Identifier = "uc-wism-2"
        Airespace-Wlan-Id = 4
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "63"
        EAP-Message =
0x02a0002b190017030100204673d48ae9e9d21afa7fe1fd6cae4d95841ae136e4fe85ad44acd3a4d0228a69
        State =
0x4541503d302e66666666666666662e63666337302e373b5356433d302e31363139623b
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x323130
Proxying request 8 to home server 2.2.2.2 port 1812
Sending Access-Request of id 81 to 2.2.2.2 port 1812
        User-Name = "username"
        Calling-Station-Id = "00-1e-64-8f-f1-2a"
        Called-Station-Id = "08-17-35-32-f2-90:Eduroam"
        NAS-Port = 29
        NAS-IP-Address = 1.1.1.1        
        NAS-Identifier = "uc-wism-2"
        Airespace-Wlan-Id = 4
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "63"
        EAP-Message =
0x02a0002b190017030100204673d48ae9e9d21afa7fe1fd6cae4d95841ae136e4fe85ad44acd3a4d0228a69
        State =
0x4541503d302e66666666666666662e63666337302e373b5356433d302e31363139623b
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x323130
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Reject packet from host 2.2.2.2 port 1812, id=81,
length=61
        Proxy-State = 0x323130
        EAP-Message = 0x04a00004
        Reply-Message = "Rejected\n\r"
        Message-Authenticator = 0xbcede120e168d2d92558e5f4ab8e03d5
 
Thanks 
 
Erisan
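
As an aid to reading the trace above, here is an added example (not part of the original post and not FreeRADIUS code) that decodes the EAP-Message, State and Proxy-State values quoted in the log. The lookup tables are deliberately limited to the codes and types needed here, and the function names are this example's own.

```python
"""Decode the EAP-Message, State and Proxy-State values from the debug log."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def from_hex(value):
    """Turn a radiusd-style 0x... attribute value into bytes."""
    return bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)

def decode_eap(value):
    """Parse the EAP header (RFC 3748) and, for TLS-based methods, the first TLS record."""
    pkt = from_hex(value)
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != {len(pkt)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:          # only Request/Response carry a type
        etype = pkt[4]
        info["type"] = EAP_TYPES.get(etype, etype)
        if etype in (13, 21, 25) and length > 5:
            flags = pkt[5]
            info["flags"] = flags
            body = pkt[6:]
            if flags & 0x80:                   # L bit: 4-byte TLS message length first
                body = body[4:]
            if len(body) >= 5:                 # assumes the data starts a TLS record
                ctype, major, minor, rlen = struct.unpack("!BBBH", body[:5])
                info["tls_record"] = TLS_CONTENT.get(ctype, ctype)
                info["tls_version"] = (major, minor)
                info["tls_record_len"] = rlen
    return info

# Values copied from the log in the post above.
REQUEST_EAP = "0x02a0002b190017030100204673d48ae9e9d21afa7fe1fd6cae4d95841ae136e4fe85ad44acd3a4d0228a69"
REJECT_EAP = "0x04a00004"
STATE = "0x4541503d302e66666666666666662e63666337302e373b5356433d302e31363139623b"
PROXY_STATE = "0x323130"

if __name__ == "__main__":
    print(decode_eap(REQUEST_EAP))
    print(decode_eap(REJECT_EAP))
    print(from_hex(STATE).decode("ascii"))
    print(from_hex(PROXY_STATE).decode("ascii"))
```

On the logged values, the request decodes as an EAP-Response of type PEAP carrying a TLS application_data record, and the reject as an EAP-Failure with the same identifier. Proxy-State decodes to the ASCII string "210", the id of the original Access-Request.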


 
