Re: Proxy problem when switching from version2 to version3

Bornemann, Hans hans.bornemann at tu-dortmund.de
Wed Jan 24 11:37:18 CET 2018


Hi,

thank you very much. This hint was very useful.

Regards

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+hans.bornemann=tu-dortmund.de at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, 23 January 2018 14:27
To: FreeRadius users mailing list
Subject: Re: Proxy problem when switching from version2 to version3

On Jan 23, 2018, at 8:13 AM, Bornemann, Hans <hans.bornemann at tu-dortmund.de> wrote:
>
> if you like, take a look to the debug output.
>
> first the failing proxy with version 3, then successful with version 2, proxy conf.
>
> anything more needed?

  PLEASE FOLLOW THE DOCUMENTATION.

  Honestly... everything says to use "freeradius -X".   Can you explain why people keep using "-xxx"?  Just... don't.

> ...
> Thu Jan 18 10:22:38 2018 : Debug: (1) eapoldca: Request is supposed to be proxied to Realm rtmobil. Not doing EAP.

  That's telling.

> Thu Jan 18 10:22:38 2018 : Debug: (1) Proxying request to home server 129.217.197.132 port 1812 timeout 20.000000
> ...
> Thu Jan 18 10:22:38 2018 : Debug: (1) Sent Access-Request Id 189 from 0.0.0.0:48124 to 129.217.197.132:1812 length 336
> Thu Jan 18 10:22:38 2018 : Debug: (1)   User-Name = "rtmobilnetz@rtmobil"
> Thu Jan 18 10:22:38 2018 : Debug: (1)   Chargeable-User-Identity = 0x00
> Thu Jan 18 10:22:38 2018 : Debug: (1)   Location-Capable = Civic-Location
> Thu Jan 18 10:22:38 2018 : Debug: (1)   Calling-Station-Id = "3c-15-c2-e8-40-fe"
> Thu Jan 18 10:22:38 2018 : Debug: (1)   Called-Station-Id = "6c-b2-ae-30-36-c0:ITMC-WPA2-STAGING"
> Thu Jan 18 10:22:38 2018 : Debug: (1)   NAS-Port = 1
> Thu Jan 18 10:22:38 2018 : Debug: (1)   Cisco-AVPair = "audit-session-id=81d9fbf2000000b85a60641b"
> Thu Jan 18 10:22:38 2018 : Debug: (1)   Acct-Session-Id = "5a60641b/3c:15:c2:e8:40:fe/307"
> Thu Jan 18 10:22:38 2018 : Debug: (1)   NAS-IP-Address = 129.217.251.242
> Thu Jan 18 10:22:38 2018 : Debug: (1)   NAS-Identifier = "wlc-staging"
> Thu Jan 18 10:22:38 2018 : Debug: (1)   Airespace-Wlan-Id = 8
> Thu Jan 18 10:22:38 2018 : Debug: (1)   Service-Type = Framed-User
> Thu Jan 18 10:22:38 2018 : Debug: (1)   Framed-MTU = 1300
> Thu Jan 18 10:22:38 2018 : Debug: (1)   NAS-Port-Type = Wireless-802.11
> Thu Jan 18 10:22:38 2018 : Debug: (1)   Tunnel-Type:0 = VLAN
> Thu Jan 18 10:22:38 2018 : Debug: (1)   Tunnel-Medium-Type:0 = IEEE-802
> Thu Jan 18 10:22:38 2018 : Debug: (1)   Tunnel-Private-Group-Id:0 = "3503"
> Thu Jan 18 10:22:38 2018 : Debug: (1)   EAP-Message = 0x020200080319152b

  That isn't an EAP NAK.  It's just an empty PEAP ACK.

> Thu Jan 18 10:22:38 2018 : Debug: (1)   State = 0x45300497000001370001020081d9c584000000000000000000000000000000100d436aee
> Thu Jan 18 10:22:38 2018 : Debug: (1)   Message-Authenticator = 0x31a7b8a02c1f45acee5e637c48d8f20d
> Thu Jan 18 10:22:38 2018 : Debug: (1)   Event-Timestamp = "Jan 18 2018 10:22:38 CET"
> Thu Jan 18 10:22:38 2018 : Debug: (1)   Proxy-State = 0x3639
> Thu Jan 18 10:22:38 2018 : Debug: Waking up in 0.3 seconds.
> Thu Jan 18 10:22:38 2018 : Debug: (1) Clearing existing &reply: attributes
> Thu Jan 18 10:22:38 2018 : Debug: (1) Received Access-Reject Id 189 from 129.217.197.132:1812 to 129.217.131.207:48124 length 48

  Well, the home server is rejecting the packet.  There isn't much you can do to FreeRADIUS to fix that.

> Debug freeradius 2 - proxy to home server  - ok ...
> Thu Jan 18 10:08:43 2018 : Info: [eap_wlan] EAP packet type response id 2 length 161
> Thu Jan 18 10:08:43 2018 : Info: [eap_wlan] Continuing tunnel setup.
> Thu Jan 18 10:08:43 2018 : Info: ++[eap_wlan] = ok
> Thu Jan 18 10:08:43 2018 : Info: +} # group authorize = ok
> Thu Jan 18 10:08:43 2018 : Info: Found Auth-Type = eap_wlan
> Thu Jan 18 10:08:43 2018 : Info: # Executing group from file /etc/freeradius/sites-enabled/itmc-wlan
> Thu Jan 18 10:08:43 2018 : Info: +group authenticate {
> Thu Jan 18 10:08:43 2018 : Info: [eap_wlan] Request found, released from the list
> Thu Jan 18 10:08:43 2018 : Info: [eap_wlan] EAP/peap
> Thu Jan 18 10:08:43 2018 : Info: [eap_wlan] processing type peap
> Thu Jan 18 10:08:43 2018 : Info: [peap] processing EAP-TLS

  Uh... you do realize that v2 isn't proxying the packets, right?  It's doing PEAP itself.

  i.e. the two systems are configured to do different things.  Which sort of explains why they're behaving differently.
>
> Thu Jan 18 10:08:43 2018 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/inner-wlan-peap
> Thu Jan 18 10:08:43 2018 : Info: +group authorize {
> Thu Jan 18 10:08:43 2018 : Info: ++[preprocess] = ok
> Thu Jan 18 10:08:43 2018 : Info: [suffix] Looking up realm "rtmobil" for User-Name = "rtmobilnetz@rtmobil"
> Thu Jan 18 10:08:43 2018 : Info: [suffix] Found realm "rtmobil"
> Thu Jan 18 10:08:43 2018 : Info: [suffix] Adding Realm = "rtmobil"
> Thu Jan 18 10:08:43 2018 : Info: [suffix] Proxying request from user rtmobilnetz to realm rtmobil
> Thu Jan 18 10:08:43 2018 : Info: [suffix] Preparing to proxy authentication request to realm "rtmobil"

  In v2, you're proxying the *inner* authentication data to the home server.  In v3, you're proxying the *outer* data.  i.e. all of PEAP.

  This would have been a WHOLE lot easier to see without the utterly useless extra debugging.

> Proxy config

  Which was never asked for.

  So.. you've configured the systems to do two different things.  As a result, they behave differently.

  If you want to make v3 behave like v2, you have to configure v3 with the same / similar configuration as v2.  This means understanding what the v2 system does, and why.  And then making v3 do the same thing.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Important note: The information included in this e-mail is confidential. It is solely intended for the recipient. If you are not the intended recipient of this e-mail please contact the sender and delete this message. Thank you. Without prejudice of e-mail correspondence, our statements are only legally binding when they are made in the conventional written form (with personal signature) or when such documents are sent by fax.
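The difference Alan points out can be read straight out of the v3 configuration: on v2 the `suffix` module only ran inside the inner tunnel (file inner-wlan-peap in the debug output), so just the decrypted inner identity was proxied to the home server; on v3 `suffix` sets Proxy-To-Realm in the outer virtual server, the eap module logs "Request is supposed to be proxied to Realm rtmobil. Not doing EAP.", and the whole PEAP exchange is forwarded. The fragments below are an added example of what the v3 files would look like before and after that is fixed; they were not posted by either participant. The realm name, home server address, response window and the `eap_wlan` module instance are taken from the debug output above; the site names itmc-wlan and inner-wlan-peap are the v2 names reused for v3, the shared secret is a placeholder, and the exact layout of the v3 files is an assumption.

```text
# proxy.conf (assumed layout): the realm that "suffix" looks up.
home_server rtmobil_home {
    type            = auth
    ipaddr          = 129.217.197.132
    port            = 1812
    secret          = CHANGE_ME   # placeholder, not on the page
    response_window = 20
}
home_server_pool rtmobil_pool {
    type        = fail-over
    home_server = rtmobil_home
}
realm rtmobil {
    auth_pool = rtmobil_pool
}

# sites-enabled/itmc-wlan, outer virtual server, BEFORE:
# suffix finds realm "rtmobil" and sets control:Proxy-To-Realm,
# so eap_wlan steps aside and the opaque outer EAP-Message is
# sent to the home server, which has no PEAP state for it.
authorize {
    preprocess
    suffix
    eap_wlan {
        ok = return
    }
}

# sites-enabled/itmc-wlan, outer virtual server, AFTER:
# suffix may still split the realm, but the proxy decision it
# made is deleted before eap_wlan runs, so PEAP terminates here
# exactly as it did on v2.
authorize {
    preprocess
    suffix
    update control {
        &Proxy-To-Realm !* ANY
    }
    eap_wlan {
        ok = return
    }
}

# sites-enabled/inner-wlan-peap, inner tunnel (name assumed):
# suffix now runs on the decrypted inner identity
# "rtmobilnetz@rtmobil", so only the inner request is proxied,
# matching the v2 debug output.
server inner-wlan-peap {
    authorize {
        preprocess
        suffix
        eap_wlan {
            ok = return
        }
    }
    authenticate {
        eap_wlan
    }
}
```

Two things to check after the change: the `peap { virtual_server = ... }` setting of the `eap_wlan` instance in mods-enabled/eap must name the inner server above, and a `freeradius -X` run (not `-xxx`) should no longer show the "Not doing EAP" line in the outer server, with the "Proxying request ... to realm rtmobil" lines appearing under the inner tunnel instead.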
