Sorry Alan, I'd already posted the freeradius output in the prior email, and I didn't want to spam too much, but here it is again. Thanks Mark Thread 3 handling request 25, (6 handled so far) # Executing section authorize from file /usr/share/ii/wifiproxy/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "levsky", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Finished request 25. Going to the next request Thread 3 waiting to be assigned a request Waking up in 0.9 seconds. Thread 4 got semaphore Thread 4 handling request 26, (6 handled so far) # Executing section authorize from file /usr/share/ii/wifiproxy/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "levsky", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 2 length 143 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 133 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0080], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 06b2], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Finished request 26. Going to the next request Thread 4 waiting to be assigned a request Waking up in 0.9 seconds. Thread 2 got semaphore Thread 2 handling request 27, (6 handled so far) # Executing section authorize from file /usr/share/ii/wifiproxy/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "levsky", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Finished request 27. Going to the next request Thread 2 waiting to be assigned a request Waking up in 0.9 seconds. Thread 5 got semaphore Thread 5 handling request 28, (6 handled so far) # Executing section authorize from file /usr/share/ii/wifiproxy/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "levsky", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 4 length 253 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 326 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Finished request 28. Going to the next request Thread 5 waiting to be assigned a request Waking up in 0.8 seconds. Thread 1 got semaphore Thread 1 handling request 29, (7 handled so far) # Executing section authorize from file /usr/share/ii/wifiproxy/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "levsky", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 5 length 63 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 53 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled identity of levsky [ttls] Setting default EAP type for tunneled EAP session. # Executing section authorize from file /usr/share/ii/wifiproxy/sites-enabled/ttls-proxy +group authorize { rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair Tunnel-Type = VLAN rlm_perl: Added pair Called-Station-Id = 34dbfd24e9e0:iiNet Customer DEV rlm_perl: Added pair Airespace-Wlan-Id = 155 rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Location-Capable = Civix-Location rlm_perl: Added pair II-Proxy-Realm = IIRADIUS rlm_perl: Added pair NAS-IP-Address = 10.13.6.8 rlm_perl: Added pair Tunnel-Private-Group-Id = 151 rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802 rlm_perl: Added pair Calling-Station-Id = f0f61c739670 rlm_perl: Added pair Cisco-AVPair = audit-session-id=0a19d7cb0005280162131656 rlm_perl: Added pair User-Name = levsky rlm_perl: Added pair NAS-Identifier = wlc1.per3 rlm_perl: Added pair Chargeable-User-Identity = rlm_perl: Added pair EAP-Message = 0x0200000b016c6576736b79 rlm_perl: Added pair NAS-Port = 1 rlm_perl: Added pair Framed-MTU = 1300 rlm_perl: Added pair EAP-Type = MD5-Challenge ++[perl-innertunnels] = ok ++update control { expand: %{II-Proxy-Realm} -> IIRADIUS ++} # update control = noop +} # group authorize = ok [ttls] Tunneled authentication will be proxied to IIRADIUS [eap] Tunneled session will be proxied. Not doing EAP. ++[eap] = handled +} # group authenticate = handled WARNING: Empty pre-proxy section. Using default return values. Proxying request 29 to home server 10.10.24.1 port 1645 Going to the next request Thread 1 waiting to be assigned a request Waking up in 0.8 seconds. Thread 3 got semaphore Thread 3 handling request 29, (7 handled so far) # Executing section post-proxy from file /usr/share/ii/wifiproxy/sites-enabled/default +group post-proxy { [eap] Doing post-proxy callback [eap] Passing reply from proxy back into the tunnel. [eap] Got tunneled Access-Reject [eap] Reply was rejected [eap] Failed in post-proxy callback rlm_eap_ttls: Freeing handler for user levsky ++[eap] = reject +} # group post-proxy = reject Login incorrect (Home Server says so): [levsky/<via Auth-Type = EAP>] (from client wlc1.per3 port 1 cli f0f61c739670) Using Post-Auth-Type Reject # Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> levsky attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 29 for 1 seconds Going to the next request Thread 3 waiting to be assigned a request Sending delayed reject for request 29 Cleaning up request 23 ID 117 with timestamp +47 Waking up in 1.7 seconds. Cleaning up request 24 ID 119 with timestamp +49 Waking up in 2.0 seconds. Waking up in 0.9 seconds On 9 October 2015 at 21:16, Alan DeKok <aland@deployingradius.com> wrote:
On Oct 8, 2015, at 11:12 PM, Mark Haselden <levsky@gmail.com> wrote:
What I'm not getting is how come this isn't converting to straight MSCHAPV2 in the inner server definition. We have the eap directive in both post-proxy and authenticate stanzas defined for the server (perl-innertunnels is just a quick bit of perl to set the correct realm based on username)
OK.
Our inner tunnel server looks like:
No...
But what gets proxied to the (radiator) home servers looks like
And no...
Please post the debug output of *FreeRADIUS*, as suggested in the FAQ, "man" page, web pages, and daily on this list. We need to see what's going on, and *why* it's happening.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html