<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=US-ASCII">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2658.24">
<TITLE>Peap mschapv2 proxy early termination of EAP</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2 FACE="Courier New">Hi Alan</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">I have a number of XP and Windows 2K wifi clients to Proxim AP700 AP's using FreeRADIUS on Fedora C4</FONT>
<BR><FONT SIZE=2 FACE="Courier New">These use eap peap mschapv2</FONT>
<BR><FONT SIZE=2 FACE="Courier New">The system works well on ver 1.0.2 using usernames/passwords in the users file or by configuring LDAP and using a LDAP database, and logs to mysql</FONT></P>
<P><FONT SIZE=2 FACE="Courier New">I now need to authenticate by proxy to a legacy SteelBelted radius server capable of PAP,CHAP and MSCHAPv2 but not able to support EAP</FONT></P>
<P><FONT SIZE=2 FACE="Courier New">I configured the proxy.conf for the realm wifi (with nostrip)</FONT>
<BR><FONT SIZE=2 FACE="Courier New">and I can communicate with the legacy server, it sends back a reject due to not supporting EAP</FONT>
<BR><FONT SIZE=2 FACE="Courier New">I therefore need to terminate EAP on Freeradius and pass on the MSchapv2 to the proxy server</FONT>
<BR><FONT SIZE=2 FACE="Courier New">Having read all I can on early termination of EAP</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">I added the LOCAL realm </FONT>
<BR><FONT SIZE=2 FACE="Courier New">realm LOCAL {</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> type = radius</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> authhost = LOCAL</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> accthost = LOCAL</FONT>
<BR><FONT SIZE=2 FACE="Courier New">}</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">I have added 2 lines to the users file</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL, Auth-Type = EAP (line 167)</FONT>
<BR><FONT SIZE=2 FACE="Courier New">DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := wifi (line 168)</FONT>
</P>
<BR>
<P><FONT SIZE=2 FACE="Courier New">The first line (at line 167) causes the proxy to be cancelled and the eap is handled locally, it gets to the mschapv2 part</FONT></P>
<P><FONT SIZE=2 FACE="Courier New">matched (at line 168) </FONT>
<BR><FONT SIZE=2 FACE="Courier New">It appears as if its going to send the request to wifi, with no EAP, then it stops. The AP then retries the request, with the same result.</FONT></P>
<P><FONT SIZE=2 FACE="Courier New">This seems to be due to</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> WARNING: Cancelling proxy to Realm LOCAL, as the realm is local</FONT>
<BR><FONT SIZE=2 FACE="Courier New">rather than proxying only the mschapv2 to wifi</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">I have upgraded to v 1.0.5 I still get the same results </FONT>
<BR><FONT SIZE=2 FACE="Courier New">Authorise and accounting in radiusd.conf has EAP and mschap</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">Is it possible ? </FONT>
<BR><FONT SIZE=2 FACE="Courier New">I have researched from your site as much as possible before asking, Am I missing a configuration option?</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">Your help would be much appreciated, Thanks Andy.</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">eap.conf</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> eap {</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> default_eap_type = peap</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> timer_expire = 60</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> ignore_unknown_eap_types = no</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New"> tls {</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> private_key_password = whatever</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> private_key_file = ${raddbdir}/certs/cert-srv.pem</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> certificate_file = ${raddbdir}/certs/cert-srv.pem</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> CA_file = ${raddbdir}/certs/demoCA/cacert.pem</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> dh_file = ${raddbdir}/certs/dh</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> random_file = ${raddbdir}/certs/random</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> include_length = yes</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> # check_crl = yes</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> # check_cert_cn = %{User-Name}</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> }</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> #</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> peap {</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> default_eap_type = mschapv2</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> proxy_tunneled_request_as_eap = no</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> }</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New"> mschapv2 {</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> }</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> }</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">Listening on authentication *:1812</FONT>
<BR><FONT SIZE=2 FACE="Courier New">Listening on accounting *:1813</FONT>
<BR><FONT SIZE=2 FACE="Courier New">Listening on proxy *:1814</FONT>
<BR><FONT SIZE=2 FACE="Courier New">Ready to process requests.</FONT>
<BR><FONT SIZE=2 FACE="Courier New">rad_recv: Access-Request packet from host 172.24.2.10:6001, id=40, length=154</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> User-Name = "andygoy@wifi"</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> NAS-IP-Address = 172.24.2.10</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> Called-Station-Id = "00-20-a6-56-3a-4a:XXHOTSPOTFC1"</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> Calling-Station-Id = "00-13-ce-0e-f5-c6"</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> NAS-Identifier = "XX-HOTSPOT-1"</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> Framed-MTU = 1400</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> NAS-Port-Type = Wireless-802.11</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> EAP-Message = 0x0202001101616e6479676f794077696669</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> Message-Authenticator = 0x206d804b1c31514e5743b1c03efdfcaf</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> Processing the authorize section of radiusd.conf</FONT>
<BR><FONT SIZE=2 FACE="Courier New">modcall: entering group authorize for request 0</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> modcall[authorize]: module "preprocess" returns ok for request 0</FONT>
<BR><FONT SIZE=2 FACE="Courier New">radius_xlat: '/etc/var/log/radius/radacct/172.24.2.10/auth-detail-20051230'</FONT>
<BR><FONT SIZE=2 FACE="Courier New">rlm_detail: /etc/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /etc/var/log/radius/radacct/172.24.2.10/auth-detail-20051230</FONT></P>
<P><FONT SIZE=2 FACE="Courier New"> modcall[authorize]: module "auth_log" returns ok for request 0</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> modcall[authorize]: module "chap" returns noop for request 0</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_realm: Looking up realm "wifi" for User-Name = "andygoy@wifi"</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_realm: Found realm "wifi"</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_realm: Proxying request from user andygoy to realm wifi</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_realm: Adding Realm = "wifi"</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_realm: Preparing to proxy authentication request to realm "wifi"</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> modcall[authorize]: module "suffix" returns updated for request 0</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_eap: Request is supposed to be proxied to Realm wifi. Not doing EAP.</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> modcall[authorize]: module "eap" returns noop for request 0</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> modcall[authorize]: module "mschap" returns noop for request 0</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> users: Matched entry DEFAULT at line 167</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> modcall[authorize]: module "files" returns ok for request 0</FONT>
<BR><FONT SIZE=2 FACE="Courier New">modcall: leaving group authorize (returns updated) for request 0</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm! Cancelling invalid proxy request.</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rad_check_password: Found Auth-Type EAP</FONT>
<BR><FONT SIZE=2 FACE="Courier New">auth: type "EAP"</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> Processing the authenticate section of radiusd.conf</FONT>
<BR><FONT SIZE=2 FACE="Courier New">modcall: entering group authenticate for request 0</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_eap: EAP Identity</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_eap: processing type tls</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_eap_tls: Initiate</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_eap_tls: Start returned 1</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> modcall[authenticate]: module "eap" returns handled for request 0</FONT>
<BR><FONT SIZE=2 FACE="Courier New">modcall: leaving group authenticate (returns handled) for request 0</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> WARNING: Cancelling proxy to Realm LOCAL, as the realm is local</FONT>
<BR><FONT SIZE=2 FACE="Courier New">Sending Access-Challenge of id 40 to 172.24.2.10 port 6001</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> EAP-Message = 0x010300061920</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> Message-Authenticator = 0x00000000000000000000000000000000</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> State = 0x0b7df43e9fc35a77966d3c95bb99a754</FONT>
<BR><FONT SIZE=2 FACE="Courier New">Finished request 0</FONT>
<BR><FONT SIZE=2 FACE="Courier New">Going to the next request</FONT>
<BR><FONT SIZE=2 FACE="Courier New">etc etc-----------------------------------------------------------------------</FONT>
</P>
<BR>
<P><FONT SIZE=2 FACE="Courier New"> rlm_eap: Request found, released from the list</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_eap: EAP/peap</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_eap: processing type peap</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_eap_peap: Authenticate</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_eap_tls: processing TLS</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> eaptls_verify returned 7</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_eap_tls: Done initial handshake</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> eaptls_process returned 7</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_eap_peap: EAPTLS_OK</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_eap_peap: Session established. Decoding tunneled attributes.</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_eap_peap: EAP type mschapv2</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_eap_peap: Tunneled data is valid.</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> PEAP: Setting User-Name to andygoy@wifi</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> PEAP: Adding old state with 0e aa</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> Processing the authorize section of radiusd.conf</FONT>
<BR><FONT SIZE=2 FACE="Courier New">modcall: entering group authorize for request 6</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> modcall[authorize]: module "preprocess" returns ok for request 6</FONT>
<BR><FONT SIZE=2 FACE="Courier New">radius_xlat: '/etc/var/log/radius/radacct/127.0.0.1/auth-detail-20051230'</FONT>
<BR><FONT SIZE=2 FACE="Courier New">rlm_detail: /etc/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /etc/var/log/radius/radacct/127.0.0.1/auth-detail-20051230</FONT></P>
<P><FONT SIZE=2 FACE="Courier New"> modcall[authorize]: module "auth_log" returns ok for request 6</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> modcall[authorize]: module "chap" returns noop for request 6</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_realm: Looking up realm "wifi" for User-Name = "andygoy@wifi"</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_realm: Found realm "wifi"</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_realm: Proxying request from user andygoy to realm wifi</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_realm: Adding Realm = "wifi"</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_realm: Preparing to proxy authentication request to realm "wifi"</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> modcall[authorize]: module "suffix" returns updated for request 6</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_eap: Request is supposed to be proxied to Realm wifi. Not doing EAP.</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> modcall[authorize]: module "eap" returns noop for request 6</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> modcall[authorize]: module "mschap" returns noop for request 6</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> users: Matched entry DEFAULT at line 168</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> modcall[authorize]: module "files" returns ok for request 6</FONT>
<BR><FONT SIZE=2 FACE="Courier New">modcall: leaving group authorize (returns updated) for request 6</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> PEAP: Calling authenticate in order to initiate tunneled EAP session.</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> Processing the authenticate section of radiusd.conf</FONT>
<BR><FONT SIZE=2 FACE="Courier New">modcall: entering group authenticate for request 6</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_eap: Request found, released from the list</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_eap: EAP/mschapv2</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> rlm_eap: processing type mschapv2</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> Not-EAP proxy set. Not composing EAP</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> modcall[authenticate]: module "eap" returns handled for request 6</FONT>
<BR><FONT SIZE=2 FACE="Courier New">modcall: leaving group authenticate (returns handled) for request 6</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> PEAP: Tunneled authentication will be proxied to wifi</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> Tunneled session will be proxied. Not doing EAP.</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> modcall[authenticate]: module "eap" returns handled for request 6</FONT>
<BR><FONT SIZE=2 FACE="Courier New">modcall: leaving group authenticate (returns handled) for request 6</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> WARNING: Cancelling proxy to Realm LOCAL, as the realm is local</FONT>
<BR><FONT SIZE=2 FACE="Courier New">Finished request 6</FONT>
<BR><FONT SIZE=2 FACE="Courier New">Going to the next request</FONT>
<BR><FONT SIZE=2 FACE="Courier New">Waking up in 4 seconds...</FONT>
<BR><FONT SIZE=2 FACE="Courier New">rad_recv: Access-Request packet from host 172.24.2.10:6001, id=46, length=249</FONT>
</P>
<BR>
<BR>
<BR>
<P><FONT SIZE=1 FACE="Arial">The content of this e-mail and any attachment is private and may be legally privileged. If you are not </FONT>
<BR><FONT SIZE=1 FACE="Arial">the intended recipient, any use, disclosure, copying or forwarding of this e-mail and/or its </FONT>
<BR><FONT SIZE=1 FACE="Arial">attachments is unauthorised. If you have received this e-mail in error please notify the sender by e-</FONT>
<BR><FONT SIZE=1 FACE="Arial">mail and delete this message and any attachments immediately from this system.</FONT>
</P>
<P><FONT SIZE=1 FACE="Arial">Kingston Communications (HULL) PLC is a public limited company incorporated in England and Wales </FONT>
<BR><FONT SIZE=1 FACE="Arial">with registration number 02150618 and whose registered office is at 37 Carr Lane, Hull HU1 3RE</FONT>
</P>
</BODY>
</HTML>