EAP-Peap-MSchapv2 proxy from innertunnel

Robert Roll Robert.Roll at utah.edu
Thu Aug 29 15:35:25 CEST 2013


 I'm trying to do a proxy from the inner-tunnel over to another radius server.
The primary reason for this is that we need to strip off the realm before
passing to the proxy.

 I'm getting an EAP error response from the other server about it not liking the
id number 

      "Supplicant sent unmatched EAP response packet identifier"

        ( This is an EAP-PEAP-MSCHAPv2 scenario)

 The EAP.conf file is configured with:

       proxy_tunneled_request_as_eap = yes

I've included a TCP dump of the main freeradius server below

  WC -- Wireless controller
  FR-2.10 -- Freeradius server
  ISE-proxy -- The server FR-2.10 is sending proxy requests to:

It does appear that FR-2.10 is beginning a conversation with ISE-proxy and id: 0xde
It seems that ISE-proxy responds ok, but then the next message from FR-2.10 to ISE-proxy
has id: 0xa8, but I'm thinking that ISE-proxy is expecting 0xdf ?..

I'll admit I'm still pretty confused about much of the EAP stuff.. but maybe I'm missing
something simple in the config ? Any ideas would be greatly appreciated..

Thanks,

Robert

07:03:51.286831 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x82 length: 227
07:03:51.287639 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x82 length: 64
07:03:51.289921 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x83 length: 354
07:03:51.300931 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x83 length: 1090
07:03:51.304143 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x84 length: 238
07:03:51.304640 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x84 length: 1086
07:03:51.307583 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x85 length: 238
07:03:51.314568 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x85 length: 1086
07:03:51.317658 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x86 length: 238
07:03:51.324409 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x86 length: 923
07:03:51.335322 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x87 length: 440
07:03:51.337658 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x87 length: 123
07:03:51.339867 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x88 length: 238
07:03:51.344424 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x88 length: 101
07:03:51.346564 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x89 length: 328

--- Begin proxy ?

07:03:51.354527 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0xde length: 246
07:03:51.371848 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Challenge (11), id: 0xde length: 132
07:03:51.372108 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x89 length: 101
07:03:51.374137 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x8a length: 312
07:03:51.384449 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0xa8 length: 306
07:03:51.386386 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Reject (3), id: 0xa8 length: 49
07:03:52.387589 IP FR-2.10.radius > WC.32769: RADIUS, Access Reject (3), id: 0x8a length: 101

--End proxy 
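
Added example, not part of the original post: the `id:` in tcpdump's RADIUS summary is the RADIUS packet Identifier, which only pairs a reply with its request on one client/server leg; the EAP identifier named in the error travels inside the EAP-Message attribute and is not printed in this output. The sketch below pairs the capture lines per leg and reports which NAS-side exchange each proxied exchange ran inside. The function names are hypothetical, and the embedded lines are copied from the capture above.

```python
import re

# Lines copied from the proxy portion of the capture in the post above.
CAPTURE = """\
07:03:51.346564 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x89 length: 328
07:03:51.354527 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0xde length: 246
07:03:51.371848 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Challenge (11), id: 0xde length: 132
07:03:51.372108 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x89 length: 101
07:03:51.374137 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x8a length: 312
07:03:51.384449 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0xa8 length: 306
07:03:51.386386 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Reject (3), id: 0xa8 length: 49
07:03:52.387589 IP FR-2.10.radius > WC.32769: RADIUS, Access Reject (3), id: 0x8a length: 101
"""

LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): RADIUS, "
    r"(?P<kind>Access \w+) \((?P<code>\d+)\), id: (?P<id>0x[0-9a-f]+) length: \d+$")

def parse(text):
    """Return one dict per RADIUS summary line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def pair_exchanges(packets):
    """Pair each reply with the pending request of the same id on the reverse flow."""
    pending, done = {}, []
    for p in packets:
        if p["code"] == "1":                      # Access-Request opens an exchange
            pending[(p["src"], p["dst"], p["id"])] = p
        else:                                     # Challenge/Accept/Reject closes it
            done.append((pending.pop((p["dst"], p["src"], p["id"]), None), p))
    return done, list(pending.values())

def nesting(exchanges, outer_server="FR-2.10.radius"):
    """Map each proxied exchange to the NAS-side exchange it ran inside."""
    outer = [(q, r) for q, r in exchanges if q and q["dst"] == outer_server]
    result = {}
    for q, r in exchanges:
        if q and q["dst"] != outer_server:
            for oq, orep in outer:
                if oq["ts"] < q["ts"] and r["ts"] < orep["ts"]:
                    result[q["id"]] = (oq["id"], r["kind"], orep["kind"])
    return result

if __name__ == "__main__":
    exchanges, unanswered = pair_exchanges(parse(CAPTURE))
    for inner, (outer, inner_reply, outer_reply) in nesting(exchanges).items():
        print(f"proxy id {inner} ({inner_reply}) ran inside NAS id {outer} ({outer_reply})")
    print("unanswered requests:", [p["id"] for p in unanswered])
```

To see the EAP identifiers themselves, the capture has to be decoded down to the EAP-Message attribute on both legs, or compared against the server's debug output.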

