eap: Freeradius proxy doesn't work with EAP PEAP auth
Danilo Raspa
danilo.raspa at gmail.com
Wed Jul 5 17:11:12 CEST 2017
Hi Alan,
Thanks for your contribution.
> Did you follow the instructions at the top of the "inner-tunnel" virtual
> server? They describe how to do more detailed testing.
I launched the following command from another server:
radtest -t mschap danilo.raspa%realm_example.com 1234 192.168.0.158:1812 0 password
Sending Access-Request Id 91 from 0.0.0.0:36986 to 192.168.0.158:1812
User-Name = 'danilo.raspa%realm_example.com'
NAS-IP-Address = 192.168.0.158
NAS-Port = 0
Message-Authenticator = 0x00
MS-CHAP-Challenge = 0xfd0947b33c5ba968
MS-CHAP-Response =
0x00010000000000000000000000000000000000000000000000007c95160f801e9ec0811d7b6f29e4c4dab3627a5669d4a235
Received Access-Accept Id 91 from 192.168.0.158:1812 to 192.168.0.155:36986 length 68
MS-CHAP-MPPE-Keys = 0xb757bf5c0d87772f6ece635e056440
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
Everything works great, but in the radius server log I can read:
(0) eap : No EAP-Message, not doing EAP
(0) [eap] = noop
> You have the proxy editing the User-Name. Don't do that.
> See the documentation in proxy.conf. You can configure it to *not* edit
> the User-Name.
I added "nostrip" inside the realm "realm_example.com" in proxy.conf and
the error changed to "(82) ERROR: mschap : MS-CHAP2-Response is
incorrect". I attached the radius server log below:
(82) eap : Peer sent code Response (2) ID 9 length 123
(82) eap : Continuing tunnel setup
(82) [eap] = ok
(82) } # authorize = ok
(82) Found Auth-Type = EAP
(82) # Executing group from file /etc/raddb/sites-enabled/default
(82) authenticate {
(82) eap : Expiring EAP session with state 0x90a420c290ad3a6f
(82) eap : Finished EAP session with state 0x38cae7a53fc3fe25
(82) eap : Previous EAP request found for state 0x38cae7a53fc3fe25, released from the list
(82) eap : Peer sent method PEAP (25)
(82) eap : EAP PEAP (25)
(82) eap : Calling eap_peap to process EAP data
(82) eap_peap : processing EAP-TLS
(82) eap_peap : eaptls_verify returned 7
(82) eap_peap : Done initial handshake
(82) eap_peap : eaptls_process returned 7
(82) eap_peap : FR_TLS_OK
(82) eap_peap : Session established. Decoding tunneled attributes
(82) eap_peap : Peap state phase2
(82) eap_peap : EAP type MSCHAPv2 (26)
(82) eap_peap : Got tunneled request
EAP-Message =
0x020900531a0209004e3176495e338130f40a70357647b9aa0fcc000000000000000049632cf2caac4929ad1f63acf90fa2b39931f340df9ba7a00064616e696c6f2e7261737061256d6f76656e64612e636f6d
server default {
(82) eap_peap : Setting User-Name to danilo.raspa%realm_example.com
Sending tunneled request
EAP-Message =
0x020900531a0209004e3176495e338130f40a70357647b9aa0fcc000000000000000049632cf2caac4929ad1f63acf90fa2b39931f340df9ba7a00064616e696c6f2e7261737061256d6f76656e64612e636f6d
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'danilo.raspa%realm_example.com'
State = 0x90a420c290ad3a6f59be74fda79cf503
server inner-tunnel {
(82) server inner-tunnel {
(82) Request:
EAP-Message =
0x020900531a0209004e3176495e338130f40a70357647b9aa0fcc000000000000000049632cf2caac4929ad1f63acf90fa2b39931f340df9ba7a00064616e696c6f2e7261737061256d6f76656e64612e636f6d
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'danilo.raspa%realm_example.com'
State = 0x90a420c290ad3a6f59be74fda79cf503
(82) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(82) authorize {
(82) [chap] = noop
(82) [mschap] = noop
(82) suffix : Checking for suffix after "@"
(82) suffix : No '@' in User-Name = "danilo.raspa%realm_example.com", looking up realm NULL
(82) suffix : No such realm "NULL"
(82) [suffix] = noop
(82) update control {
(82) Proxy-To-Realm := 'LOCAL'
(82) } # update control = noop
(82) eap : Peer sent code Response (2) ID 9 length 83
(82) eap : No EAP Start, assuming it's an on-going EAP conversation
(82) [eap] = updated
(82) [files] = noop
(82) sql : EXPAND %{User-Name}
(82) sql : --> danilo.raspa%realm_example.com
(82) sql : SQL-User-Name set to 'danilo.raspa%realm_example.com'
rlm_sql (sql): Reserved connection (11)
(82) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(82) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'danilo.raspa=25realm_example.com' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'danilo.raspa=25realm_example.com' ORDER BY id'
(82) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(82) sql : --> SELECT groupname FROM radusergroup WHERE username = 'danilo.raspa=25realm_example.com' ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'danilo.raspa=25realm_example.com' ORDER BY priority'
(82) sql : User not found in any groups
rlm_sql (sql): Released connection (11)
(82) [sql] = notfound
(82) [expiration] = noop
(82) [logintime] = noop
(82) [pap] = noop
(82) } # authorize = updated
(82) Found Auth-Type = EAP
(82) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(82) authenticate {
(82) eap : Expiring EAP session with state 0x90a420c290ad3a6f
(82) eap : Finished EAP session with state 0x90a420c290ad3a6f
(82) eap : Previous EAP request found for state 0x90a420c290ad3a6f, released from the list
(82) eap : Peer sent method MSCHAPv2 (26)
(82) eap : EAP MSCHAPv2 (26)
(82) eap : Calling eap_mschapv2 to process EAP data
(82) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(82) eap_mschapv2 : Auth-Type MS-CHAP {
(82) WARNING: mschap : No Cleartext-Password configured. Cannot create LM-Password
(82) WARNING: mschap : No Cleartext-Password configured. Cannot create NT-Password
(82) mschap : Creating challenge hash with username: danilo.raspa%realm_example.com
(82) mschap : Client is using MS-CHAPv2
(82) ERROR: mschap : FAILED: No NT/LM-Password. Cannot perform authentication
(82) ERROR: mschap : MS-CHAP2-Response is incorrect
(82) [mschap] = reject
(82) } # Auth-Type MS-CHAP = reject
Thank you in advance
Danilo Raspa
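As an added example (not from this thread and not FreeRADIUS code), the following Python mirrors the two string transformations visible in the inner-tunnel log above: the realm module's suffix split, which finds no realm because it looks for "@" while the name uses "%", and rlm_sql's escaping of characters outside its safe_characters list, which turns the "%" into "=25" in the SQL-User-Name used for the radcheck lookup. The default safe_characters string and the split-at-last-delimiter rule are assumptions based on the stock mods-available/sql and rlm_realm behaviour.

```python
# Added example: reproduces why the inner-tunnel log shows
# "looking up realm NULL" and a radcheck query for
# 'danilo.raspa=25realm_example.com'. Not FreeRADIUS code.
from typing import Dict, Optional, Tuple

# Assumed default of rlm_sql's safe_characters (mods-available/sql).
SQL_SAFE_CHARACTERS = (
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789.-_: /"
)


def sql_escape(value: str, safe: str = SQL_SAFE_CHARACTERS) -> str:
    """Mimic rlm_sql escaping: every byte not in the safe list becomes
    '=' followed by two uppercase hex digits, so '%' (0x25) -> '=25'."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if ch in safe else "=%02X" % byte)
    return "".join(out)


def split_realm(username: str, delimiter: str = "@") -> Tuple[str, Optional[str]]:
    """Mimic the realm module's 'suffix' format: split at the last
    delimiter (assumed). No delimiter means no realm, i.e. the log's
    'looking up realm NULL' and the request staying in the inner tunnel."""
    idx = username.rfind(delimiter)
    if idx < 0:
        return username, None
    return username[:idx], username[idx + 1:]


def explain_lookup(username: str, delimiter: str) -> Dict[str, Optional[str]]:
    """Show what the SQL module would search for with and without a
    matching delimiter configured on the realm module."""
    user, realm = split_realm(username, delimiter)
    return {
        "user": user,
        "realm": realm,
        "sql_user_name": sql_escape(username),   # as seen in the log
        "sql_user_name_stripped": sql_escape(user),
    }


if __name__ == "__main__":
    name = "danilo.raspa%realm_example.com"   # User-Name from the log
    for delim in ("@", "%"):
        print(delim, explain_lookup(name, delim))
```

Running it with "@" reproduces the log exactly; running it with "%" shows the stripped name the radcheck query would need to match if the realm delimiter were configured to match the User-Name format.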