Terminate EAP-TTLS then proxy

adrian.p.smith at bt.com
Thu Sep 21 22:27:35 CEST 2017


OK, so I send a request to the inner-tunnel:

Ready to process requests
(0) Received Access-Request Id 68 from 127.0.0.1:31482 to 127.0.0.1:18120 length 86
(0)   User-Name = "passpoint/adrian"
(0)   User-Password = "xxx"
(0)   NAS-IP-Address = 127.0.1.1
(0)   NAS-Port = 0
(0)   Message-Authenticator = 0xdb9b44df28c428b47f82ed0ad6065ea4
(0) # Executing section authorize from file /home/adrian/freeradius-server-3.0.15/etc/raddb/sites-enabled/inner-tunnel
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [chap] = noop
(0)     [mschap] = noop
(0) IPASS: Checking for prefix before "/"
(0) IPASS: Looking up realm "passpoint" for User-Name = "passpoint/adrian"
(0) IPASS: Found realm "passpoint"
(0) IPASS: Adding Realm = "passpoint"
(0) IPASS: Proxying request from user passpoint/adrian to realm passpoint
(0) IPASS: Preparing to proxy authentication request to realm "passpoint" 
(0) suffix: Request already has destination realm set.  Ignoring
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = noop
(0)   } # authorize = updated
(0) Starting proxy to home server 192.168.19.20 port 1812
(0) Proxying request to home server 192.168.19.20 port 1812 timeout 20.000000
(0) Sent Access-Request Id 162 from 0.0.0.0:50236 to 192.168.19.20:1812 length 90
(0)   User-Name = "passpoint/adrian"
(0)   User-Password = "xxx"
(0)   NAS-IP-Address = 127.0.1.1
(0)   NAS-Port = 0
(0)   Message-Authenticator = 0xdb9b44df28c428b47f82ed0ad6065ea4
(0)   Proxy-State = 0x3638


All looks good, same config.

TIA.





-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+adrian.p.smith=bt.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 21 September 2017 21:13
To: FreeRadius users mailing list
Subject: Re: Terminate EAP-TTLS then proxy

On Sep 21, 2017, at 3:31 PM, adrian.p.smith at bt.com wrote:
> 
> I have returned to this problem and am using a fresh copy of 3.0.15 and the eapol_test client.

  I'd suggest just using radtest on the inner-tunnel virtual server.  If that can proxy, *then* test EAP-TTLS.  Otherwise, the debug output will be huge and hard to read.

> (6) IPASS: Checking for prefix before "/"
> (6) IPASS: Looking up realm "passpoint" for User-Name = "passpoint/adrian"
> (6) IPASS: Found realm "passpoint"
> (6) IPASS: Adding Realm = "passpoint"
> (6) IPASS: Proxying request from user passpoint/adrian to realm passport

  So... what's the configuration for that realm?

> (6) IPASS: Preparing to proxy authentication request to realm "passpoint" 
> (6)       [IPASS] = updated
> (6) suffix: Request already has destination realm set.  Ignoring
> (6)       [suffix] = noop
> (6) eap: No EAP-Message, not doing EAP
> (6)       [eap] = noop
> (6)       [files] = noop
> (6)       [expiration] = noop
> (6)       [logintime] = noop
> (6)       [pap] = noop
> (6)     } # authorize = updated
> (6) } # server inner-tunnel
> (6) Virtual server sending reply
> (6) eap_ttls: Tunneled authentication will be proxied to passpoint
> (6) eap: WARNING: Tunneled session will be proxied.  Not doing EAP
> (6)     [eap] = handled
> (6)   } # authenticate = handled
> (6) WARNING: Cancelling proxy as no home pool exists

  Probably because you defined the realm, but didn't define a home_pool for it.

  See raddb/proxy.conf for docs and examples.

> The offending line appears to be:
> 
> (6) WARNING: Cancelling proxy as no home pool exists

  It's often useful to read earlier messages to see what happened *before* that error occurred.

  In this case, it tried to proxy to realm "passpoint".  But it can't.  So... what's wrong with that realm?

  Alan DeKok.
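For reference, this is the shape of the raddb/proxy.conf definitions Alan is pointing at: a realm is only proxied if it names a home_server_pool, and that pool must list at least one home_server. The "IPASS" lines in the debug output come from the realm module instance in mods-available/realm that splits User-Name on a leading "/" prefix, which is why "passpoint/adrian" resolves to the realm "passpoint". This is an added illustration, not configuration taken from the thread; the realm name "passpoint", the home server address 192.168.19.20:1812 and the 20-second timeout are taken from the debug output above, while the names passpoint_rp and passpoint_pool and the shared secret are assumptions.

```conf
# raddb/proxy.conf (added example; names marked "assumed" are not from the thread)

# The home server that the inner-tunnel request is forwarded to.
# Address and port match the "Starting proxy to home server" line in the debug output.
home_server passpoint_rp {                # name: assumed
	type            = auth
	ipaddr          = 192.168.19.20
	port            = 1812
	secret          = CHANGE_ME_SHARED_SECRET  # placeholder; must equal the clients.conf secret on 192.168.19.20
	response_window = 20                  # matches "timeout 20.000000" in the debug output
	status_check    = status-server       # lets the server notice a dead home server instead of waiting for timeouts
}

# A pool groups one or more home servers.  The realm references the pool,
# never the home_server directly.
home_server_pool passpoint_pool {         # name: assumed
	type        = fail-over
	home_server = passpoint_rp
}

# Without auth_pool (or acct_pool) here there is no home pool attached to the
# realm, so a request that has been marked for proxying has nowhere to go.
realm passpoint {
	auth_pool = passpoint_pool
	nostrip                               # forward "passpoint/adrian" unchanged, as the proxied packet above shows
}
```

After editing, run `radiusd -XC` to check that the three definitions parse, then follow Alan's advice and send a plain radtest to the inner-tunnel listener on 127.0.0.1:18120 (`radtest USERNAME PASSWORD 127.0.0.1:18120 0 SECRET`, using the localhost client secret from clients.conf) before going back to eapol_test. If "Starting proxy to home server" appears with that request, the realm and pool are wired up and any remaining failure is specific to the EAP-TTLS path.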

