Thank you for your answers, you help a lot, could you answer a couple more questions? On 20 October 2017 at 16:56, Alan DeKok <aland@deployingradius.com> wrote:
If request is peap-mschapv2 and I set proxy_tunneled_request_as_eap = yes, home radius server(fremypythonmoduleius v3.0.x branch) not understand eap message,
Then read *that* debug output to see what's going on. FreeRADIUS *can* proxy inner EAP methods. It *can* also act as a home server for those proxied requests.
there is part of my log from proxy server == ... } # server peap_and_ttls (8) Virtual server sending reply (8) Supplicant-Use-Remote = "yes" (8) Supplicant-Password = "testing" (8) Supplicant-User-Name = "testing_remote" (8) Supplicant-Group = "testaccount::foo" (8) eap_peap: Got tunneled reply code 0 (8) eap_peap: Supplicant-Use-Remote = "yes" (8) eap_peap: Supplicant-Password = "testing" (8) eap_peap: Supplicant-User-Name = "testing_remote" (8) eap_peap: Supplicant-Group = "testaccount::foo" (8) eap_peap: Tunnelled authentication will be proxied to testing-realm (8) eap: WARNING: Tunneled session will be proxied. Not doing EAP (8) [eap] = handled (8) } # authenticate = handled (8) Starting proxy to home server 172.18.0.4 port 1812 (8) Proxying request to home server 172.18.0.4 port 1812 timeout 20.000000 (8) Sent Access-Request Id 14 from 0.0.0.0:43371 to 172.18.0.4:1812 length 265 (8) EAP-Message = 0x020800491a0208004431ef0b17ce3dd0e033380d0a0396b4fc2e000000000000000060800026d7a31747894bdd9887cf258fe12e06f6f3950c560074657374696e675f72656d6f7465 (8) User-Name = "testing_remote" (8) State = 0x0998f23b0990e83ccf3e67f5bc936f77 (8) NAS-IP-Address = 127.0.0.1 (8) Calling-Station-Id = "02-00-00-00-00-01" (8) Framed-MTU = 1400 (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) Connect-Info = "CONNECT 11Mbps 802.11b" (8) Called-Station-Id = "testaccount" (8) NAS-Identifier = "foo" (8) Event-Timestamp = "Oct 20 2017 16:15:16 UTC" (8) Supplicant-Radius-Ip = "0.0.0.0" (8) Supplicant-Radius-Port = "1812" (8) Message-Authenticator = 0x (8) Proxy-State = 0x38 Waking up in 0.2 seconds. (8) Expecting proxy response no later than 19.794262 seconds from now ... == log from home server == ... Ready to process requests (0) Received Access-Request Id 14 from 172.18.0.5:43371 to 172.18.0.4:1812 length 265 (0) EAP-Message = 0x020800491a0208004431ef0b17ce3dd0e033380d0a0396b4fc2e000000000000000060800026d7a31747894bdd9887cf258fe12e06f6f3950c560074657374696e675f72656d6f7465 (0) User-Name = "testing_remote" (0) State = 0x0998f23b0990e83ccf3e67f5bc936f77 (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = "02-00-00-00-00-01" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Connect-Info = "CONNECT 11Mbps 802.11b" (0) Called-Station-Id = "testaccount" (0) NAS-Identifier = "foo" (0) Event-Timestamp = "Oct 20 2017 16:15:16 UTC" (0) Supplicant-Radius-Ip = "0.0.0.0" (0) Supplicant-Radius-Port = "1812" (0) Message-Authenticator = 0x799a6faef910ebeff0beacd45c6e946e (0) Proxy-State = 0x38 (0) session-state: No cached attributes (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/testing-site (0) authorize { (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d:%H (0) auth_log: --> /var/log/radius/radacct/172.18.0.5/auth-detail-20171020:16 (0) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d:%H expands to /var/log/radius/radacct/172.18.0.5/auth-detail-20171020:16 (0) auth_log: EXPAND %t (0) auth_log: --> Fri Oct 20 16:15:16 2017 (0) [auth_log] = ok (0) update request { (0) Supplicant-Radius-Ip = 0.0.0.0 (0) Supplicant-Radius-Port = 1812 (0) } # update request = noop (0) eap: Peer sent EAP Response (code 2) ID 8 length 73 (0) eap: No EAP Start, assuming it's an on-going EAP conversation (0) [eap] = updated (0) if (noop) { (0) if (noop) -> FALSE (0) [chap] = noop (0) [mschap] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) update control { (0) Cache-Status-Only := no (0) } # update control = noop (0) cache_mypythonmodule: EXPAND %{request:Supplicant-User-Name}-%{request:Calling-Station-Id}-%{request:Supplicant-Radius-Port} (0) cache_mypythonmodule: --> -02-00-00-00-00-01-1812 (0) cache_mypythonmodule: No cache entry found for "-02-00-00-00-00-01-1812" (0) cache_mypythonmodule: Creating new cache entry (0) cache_mypythonmodule: control::Auth-Type += &control:Auth-Type[*] -> eap (0) cache_mypythonmodule: Skipping Cache-Status-Only (0) cache_mypythonmodule: control:State := &request:State -> 0x0998f23b0990e83ccf3e67f5bc936f77 (0) cache_mypythonmodule: Merging cache entry into request (0) cache_mypythonmodule: &control:Auth-Type := eap (0) cache_mypythonmodule: &control:State := 0x0998f23b0990e83ccf3e67f5bc936f77 (0) cache_mypythonmodule: Committed entry, TTL 5 seconds (0) [cache_mypythonmodule] = updated (0) update reply { (0) Supplicant-Radius-Ip !* ANY (0) Supplicant-Radius-Port !* ANY (0) } # update reply = noop (0) } # authorize = updated (0) Found Auth-Type = eap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/testing-site (0) authenticate { (0) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x0998f23b0990e83c (0) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request (0) eap: Failed in handler (0) [eap] = invalid (0) } # authenticate = invalid (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject ... === there is config from proxy server == server testing-site { listen { type = auth ipaddr = * port = 1812 } authorize { preprocess #sanitizies attributes auth_log #log authorization request update request { Supplicant-Radius-Ip = 0.0.0.0 Supplicant-Radius-Port = 1812 } eap { ok = return } if (noop) { update request { Supplicant-User-Name := &User-Name } update control { Cache-Status-Only := 'yes' } cache_mypythonmodule if (notfound) { update request { Supplicant-User-Name !* ANY } mypythonmodule_auth if (updated){ update request { Supplicant-User-Name := &reply:Supplicant-User-Name } if(&reply:Supplicant-Password){ update control { Cleartext-Password := &reply:Supplicant-Password } } if(&reply:Supplicant-Use-Remote == 'yes') { update control { Proxy-To-Realm := 'testing-realm' Supplicant-Use-Remote := 'yes' } } if(&reply:Supplicant-Use-Mac-Auth == 'yes') { update control { Auth-Type := MYPYTHONMODULE } } } elsif (reject){ reject } } elsif (ok) { update control { Cache-Status-Only := 'no' } cache_mypythonmodule } } chap mschap pap update control { Cache-Status-Only := 'no' } cache_mypythonmodule update reply { Supplicant-Radius-Ip !* ANY Supplicant-Radius-Port !* ANY } } authenticate { Auth-Type MYPYTHONMODULE{ mypythonmodule_auth } Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } eap } post-auth { if(User-Name !~ /^anonymous*/){ linelog `test line` } exec remove_reply_message_if_eap Post-Auth-Type REJECT { linelog `test reject line` attr_filter.access_reject eap remove_reply_message_if_eap } } pre-proxy { } post-proxy { eap cache_mypythonmodule } } == and virtual site for inner tunnel == server peap_and_ttls { authorize { eap { ok = return } update request { Supplicant-User-Name := &User-Name } update control { Cache-Status-Only := 'yes' } cache_mypythonmodule if (notfound) { update request { Supplicant-User-Name !* ANY } mypythonmodule_auth if (reject){ reject } update request { Supplicant-User-Name := &reply:Supplicant-User-Name } if(&reply:Supplicant-Password ){ update control { Cleartext-Password := &reply:Supplicant-Password } } if(&reply:Supplicant-Use-Remote == 'yes') { update control { Proxy-To-Realm := 'testing-realm' Supplicant-Use-Remote := 'yes' } } if(&reply:Supplicant-Use-Mac-Auth == 'yes') { update control { Auth-Type := MYPYTHONMODULE } } } elsif (ok) { update control { Cache-Status-Only := 'no' } cache_mypythonmodule } chap mschap pap update control { Cache-Status-Only := 'no' } cache_mypythonmodule update reply { Supplicant-Radius-Ip !* ANY Supplicant-Radius-Port !* ANY } } authenticate { Auth-Type MYPYTHONMODULE { mypythonmodule_auth } Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } eap } post-auth { linelog `test log` exec remove_reply_message_if_eap Post-Auth-Type REJECT { linelog `test reject log` attr_filter.access_reject eap remove_reply_message_if_eap } } pre-proxy { } post-proxy { eap cache_mypythonmodule } } on home server virtual sites are the same except they don't have this block == if(&reply:Supplicant-Use-Remote == 'yes') { update control { Proxy-To-Realm := 'testing-realm' Supplicant-Use-Remote := 'yes' } } == and this peap config from both proxy and home server peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = peap_and_ttls } Why home server not accept eap-mscchpv2 message?
And I could not configure proxy server to send request after it look inside eap-tls request. Home server inform what eap message has a wrong state.
Posting debug output would be more useful than posting vague descriptions.
And on this questions I think you already answered
No. You can (a) process EAP at a server, or (b) proxy it. You can't do both.
i.e I can't read common name property from certificate in proxy server on eap-tls request, and then proxy this request to home server. Am I right?