<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
--></style>
</head>
<body class='hmmessage'>
Hi,<br><br>Before beginning, sorry for my bad English, I'm French.<br><br>I'm trying to implement PEAP-MSCHAPV2 support in an existing and working configuration with EAP-TTLS + PAP,<br>giving users a full support of eduroam. There are proxy radius maintained by our national "provider", and they test<br>authentication every 15 minutes.<br><br>When they only test EAP-TTLS authentication, it works, and this is a part of the output of freeradius -X.<br><br>Login OK: [<i>user</i>/<i>password</i>] (from client <i>proxyradius</i> port 0 cli 02-00-00-00-00-01 via TLS tunnel)<br>+- entering group post-auth {...}<br>[sql] expand: %{User-Name} -> <i>user</i>@<i>realm</i><br>[sql] sql_set_user escaped user --> '<i>user</i>@<i>realm</i>'<br>[sql] expand: %{User-Password} -> <i>password</i><br>[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '<i>user</i>@<i>realm</i>', 'password', 'Access-Accept', '2010-06-17 18:17:02')<br>[sql] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql<br>rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '<i>user</i>@<i>realm</i>', 'password', 'Access-Accept', '2010-06-17 18:17:02')<br>rlm_sql (sql): Reserving sql socket id: 4<br>rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '<i>user</i>@<i>realm</i>', 'password', 'Access-Accept', '2010-06-17 18:17:02')<br>rlm_sql (sql): Released sql socket id: 4<br>++[sql] returns ok<br> expand: %{request:User-Name} -> <i>user</i>@<i>realm</i><br>++[outer.reply] returns ok<br>} # server inner-tunnel<br>[ttls] Got tunneled reply code 2<br> User-Name := "<i>user</i>@<i>realm</i>"<br>[ttls] Got tunneled Access-Accept<br>[eap] Freeing handler<br>++[eap] returns ok<br>Login OK: [anonymous/<via Auth-Type = EAP>] (from client <i>proxyradius</i> port 0 cli 02-00-00-00-00-01)<br><br>Then, when I specify that our FreeRADIUS server support PEAP-MSCHAPV2, they test PEAP first and never <br>receive an access-accept or access-reject request form only the outer identity, anonymous@<i>realm</i>. So there is <br>the ouput :<br><br>Login OK: [<i>user</i>/<via Auth-Type = mschap>] (from client <i>proxyradius</i> port 0 cli 02-00-00-00-00-01 via TLS tunnel)<br>+- entering group post-auth {...}<br>[sql] expand: %{User-Name} -> <i>user</i>@<i>realm</i><br>[sql] sql_set_user escaped user --> '<i>user</i>@<i>realm</i>'<br>[sql] expand: %{User-Password} -><br>[sql] ... expanding second conditional<br>[sql] expand: %{Chap-Password} -><br>[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '<i>user</i>@<i>realm</i>', '', 'Access-Accept', '2010-06-17 15:32:07')<br>[sql] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql<br>rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '<i>user</i>@<i>realm</i>', '', 'Access-Accept', '2010-06-17 15:32:07')<br>rlm_sql (sql): Reserving sql socket id: 2<br>rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '<i>user</i>@<i>realm</i>', '', 'Access-Accept', '2010-06-17 15:32:07')<br>rlm_sql (sql): Released sql socket id: 2<br>++[sql] returns ok<br> expand: %{request:User-Name} -> <i>user</i>@<i>realm</i><br>++[outer.reply] returns ok<br>} # server inner-tunnel<br>[ttls] Got tunneled reply code 2<br> User-Name := "<i>user</i>@<i>realm</i>"<br> MS-CHAP2-Success = 0x54533d42374134413830313835384530453531383135373131384643424442444432464133384345413836<br>[ttls] Got tunneled Access-Accept<br>[ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.<br>++[eap] returns handled<br>Sending Access-Challenge of id 9 to 193.51.182.121 port 35055<br> User-Name = "<i>user</i>@<i>realm</i>"<br> EAP-Message = 0x010a005f1580000000551703010050f984b434f276e050b0697e427d30ddfe2c0d9cc56a8f5da6ab447bbabae115d8181dfce1b6e52f33fcd2a20d5e26f574b9be69fa946342eafbd7ea350d5782490593a260401dae6b1c71f16f30b3ab38<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xcda13382c4ab2647095b27820a4b1850<br>Finished request 11.<br>Going to the next request<br>Waking up in 4.7 seconds.<br><br>And then, the <i>proxyradius</i> sends new Access-Request and the outer identity is never accepted. But the <i>user</i>@<i>realm</i> is authenticated...<br><br>I'm sorry I know you need more informations about my confs and outputs, but I don't want to make this post longer than it is... So, I can<br>post more informations...<br><br>Thank you for helping me !<br><br>J-P.<br><br> <br /><hr />Vous voulez protéger votre vie privée ? <a href='http://clk.atdmt.com/FRM/go/232102477/direct/01/' target='_new'>La solution avec Internet Explorer 8</a></body>
</html>