Hi Alan, Thanks for your contribute.
Did you follow the instructions at the top of the "inner-tunnel" virtual server? They describe how to do more detailed testing.
I launched the following command from another server: radtest -t mschap danilo.raspa%realm_example.com 1234 192.168.0.158:1812 0 password Sending Access-Request Id 91 from 0.0.0.0:36986 to 192.168.0.158:1812 User-Name = 'danilo.raspa%realm_example.com' NAS-IP-Address = 192.168.0.158 NAS-Port = 0 Message-Authenticator = 0x00 MS-CHAP-Challenge = 0xfd0947b33c5ba968 MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000007c95160f801e9ec0811d7b6f29e4c4dab3627a5669d4a235 Received Access-Accept Id 91 from 192.168.0.158:1812 to 192.168.0.155:36986 length 68 MS-CHAP-MPPE-Keys = 0xb757bf5c0d87772f6ece635e056440 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed Everything work great but from the radius server log I can read: (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop
You have the proxy editing the User-Name. Don't do that.
See the documentation in proxy.conf. You can configure it to *not* edit the User-Name.
I added "nostrip" inside the realm "realm_example.com" in proxy.conf and the error changed("(82) ERROR: mschap : MS-CHAP2-Response is incorrect"), I attached the radius server log below: (82) eap : Peer sent code Response (2) ID 9 length 123 (82) eap : Continuing tunnel setup (82) [eap] = ok (82) } # authorize = ok (82) Found Auth-Type = EAP (82) # Executing group from file /etc/raddb/sites-enabled/default (82) authenticate { (82) eap : Expiring EAP session with state 0x90a420c290ad3a6f (82) eap : Finished EAP session with state 0x38cae7a53fc3fe25 (82) eap : Previous EAP request found for state 0x38cae7a53fc3fe25, released from the list (82) eap : Peer sent method PEAP (25) (82) eap : EAP PEAP (25) (82) eap : Calling eap_peap to process EAP data (82) eap_peap : processing EAP-TLS (82) eap_peap : eaptls_verify returned 7 (82) eap_peap : Done initial handshake (82) eap_peap : eaptls_process returned 7 (82) eap_peap : FR_TLS_OK (82) eap_peap : Session established. Decoding tunneled attributes (82) eap_peap : Peap state phase2 (82) eap_peap : EAP type MSCHAPv2 (26) (82) eap_peap : Got tunneled request EAP-Message = 0x020900531a0209004e3176495e338130f40a70357647b9aa0fcc000000000000000049632cf2caac4929ad1f63acf90fa2b39931f340df9ba7a00064616e696c6f2e7261737061256d6f76656e64612e636f6d server default { (82) eap_peap : Setting User-Name to danilo.raspa%realm_example.com Sending tunneled request EAP-Message = 0x020900531a0209004e3176495e338130f40a70357647b9aa0fcc000000000000000049632cf2caac4929ad1f63acf90fa2b39931f340df9ba7a00064616e696c6f2e7261737061256d6f76656e64612e636f6d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'danilo.raspa%realm_example.com' State = 0x90a420c290ad3a6f59be74fda79cf503 server inner-tunnel { (82) server inner-tunnel { (82) Request: EAP-Message = 0x020900531a0209004e3176495e338130f40a70357647b9aa0fcc000000000000000049632cf2caac4929ad1f63acf90fa2b39931f340df9ba7a00064616e696c6f2e7261737061256d6f76656e64612e636f6d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'danilo.raspa%realm_example.com' State = 0x90a420c290ad3a6f59be74fda79cf503 (82) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (82) authorize { (82) [chap] = noop (82) [mschap] = noop (82) suffix : Checking for suffix after "@" (82) suffix : No '@' in User-Name = "danilo.raspa%realm_example.com", looking up realm NULL (82) suffix : No such realm "NULL" (82) [suffix] = noop (82) update control { (82) Proxy-To-Realm := 'LOCAL' (82) } # update control = noop (82) eap : Peer sent code Response (2) ID 9 length 83 (82) eap : No EAP Start, assuming it's an on-going EAP conversation (82) [eap] = updated (82) [files] = noop (82) sql : EXPAND %{User-Name} (82) sql : --> danilo.raspa%realm_example.com (82) sql : SQL-User-Name set to 'danilo.raspa%realm_example.com' rlm_sql (sql): Reserved connection (11) (82) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (82) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'danilo.raspa=25realm_example.com' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'danilo.raspa=25realm_example.com' ORDER BY id' (82) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (82) sql : --> SELECT groupname FROM radusergroup WHERE username = 'danilo.raspa=25realm_example.com' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'danilo.raspa=25realm_example.com' ORDER BY priority' (82) sql : User not found in any groups rlm_sql (sql): Released connection (11) (82) [sql] = notfound (82) [expiration] = noop (82) [logintime] = noop (82) [pap] = noop (82) } # authorize = updated (82) Found Auth-Type = EAP (82) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (82) authenticate { (82) eap : Expiring EAP session with state 0x90a420c290ad3a6f (82) eap : Finished EAP session with state 0x90a420c290ad3a6f (82) eap : Previous EAP request found for state 0x90a420c290ad3a6f, released from the list (82) eap : Peer sent method MSCHAPv2 (26) (82) eap : EAP MSCHAPv2 (26) (82) eap : Calling eap_mschapv2 to process EAP data (82) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (82) eap_mschapv2 : Auth-Type MS-CHAP { (82) WARNING: mschap : No Cleartext-Password configured. Cannot create LM-Password (82) WARNING: mschap : No Cleartext-Password configured. Cannot create NT-Password (82) mschap : Creating challenge hash with username: danilo.raspa% realm_example.com (82) mschap : Client is using MS-CHAPv2 (82) ERROR: mschap : FAILED: No NT/LM-Password. Cannot perform authentication (82) ERROR: mschap : MS-CHAP2-Response is incorrect (82) [mschap] = reject (82) } # Auth-Type MS-CHAP = reject Thank you in advance Danilo Raspa