Hello, I've been trying to configure a new freeradius server (ver. 2.1.7) to proxy a OTP passcode to an existing (production) freeradius server (ver. 1.0.1) that is already setup to accept and authenticate the OTP passcodes for our remote access NAS devices (VPN, etc). I would like to use PEAP/EAP-GTC for wired 802.1x on our Cisco edge switches and terminate the PEAP tunnel on the new radius server, sending the passcode on to the existing radius server for authentication by proxy. I've been able to accomplish this using Cisco ACS but would like to use freeradius instead so that some other things can be done easier which ACS is not well suited for. From what I've read, "proxy auth" is possible and done quite a bit but mainly using mschapv2 as the inner auth method instead of gtc. I've been beating on this for days now and starting to feel I may never get this accomplished w/o help. I get to the point where either the PEAP tunnel is terminated on the new server and the gtc passcode is not proxied to the other server or the authentication is proxied to the other server but as EAP instead of just the cleartext OTP passcode. Following is the output of starting freeradius in debug mode, followed by the dubug results during anauthentication attempt. I assume all the needed info will be in this output. Sorry in advance if I have not provided enough info or too much. ANy help or suggestions would be appreciated. I have read a lot of the documentation and forum info but I havent found any obvious solution to my problem yet. Thanks, Mark Debug output: [root@mackeral-dev raddb]# /usr/sbin/radiusd -X FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Dec 30 2009 at 13:46:28 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/proxy-inner-tunnel group = radiusd user = radiusd including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } realm test { authhost = 134.252.100.4:1812 accthost = 134.252.100.4:1813 secret = testing } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 134.252.100.101 { require_message_authenticator = no secret = "testing" shortname = "test-switch" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "gtc" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server proxy-inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking post-proxy {...} for more modules to load } # modules } # server server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. And here's the dubug output during an authentication attempt: rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=224, length=151 User-Name = "mgmitch" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1C-B0-AB-3D-81" Calling-Station-Id = "00-16-D3-22-CD-24" EAP-Message = 0x0201000c016d676d69746368 Message-Authenticator = 0x876a775afd4fabbf05cbbc0553b468b5 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 134.252.100.101 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "mgmitch", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 224 to 134.252.100.101 port 1645 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf6df016cf6dd18ad384e3bf6a1b809e8 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=225, length=249 User-Name = "mgmitch" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1C-B0-AB-3D-81" Calling-Station-Id = "00-16-D3-22-CD-24" EAP-Message = 0x0202005c190016030100510100004d03014d07bf1a5fcc6ef6c0de63fc1777b6318be3085e6ab4e1332af2c047a13f0b5100002600390038003500160013000a00330032002f00050004001500120009001400110008000600030100 Message-Authenticator = 0xdd018506f3d2e96d9c604742f45250ba NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xf6df016cf6dd18ad384e3bf6a1b809e8 NAS-IP-Address = 134.252.100.101 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "mgmitch", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 92 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0051], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 225 to 134.252.100.101 port 1645 EAP-Message = 0x0103040019c000000aad160301002a0200002603014d07bef302ccc12b080dcdb66552a25cef9f005bdb002e2e5cf4289b6001d70f00003900160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3130313231343030303535365a170d3131313231343030303535365a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d0d45a9e0c004f6c289fa93a84e2479da04ffab1a10fb682e3d60bed94c02b567c3190b75131a31acbf87dccd6200c98549ebd798f40f543c3a543fc501e EAP-Message = 0x2b467b800da585500568f75522f09ff0883d9eadbfb7318aa12fa3f139f58101f50aae1ee837c47f3aaca81eb0e2f511e64d7a9a537138fcce8001aa36816a9094dbf2fa942171f2cb7f51b5f70ba8d842117e115a252ee4d8638260f76dac22dbfd8a43a825c4497dd5e7481ef5ec55fea860e615de43b7254311c2f6c83945be5c8858bf6008eff57b7af70d13fc52e73865528a5e6752eea0c79517559f77e33f5645afe277020ba1064e745e7e02874baa1c6e043aa2c1f1ba33e358e5c184650203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101009669ca63c16c9aa6ac EAP-Message = 0x3a89558c09f903100c9495d3f5c9f5b01e777ed6b7985d1e625dbbccc083027b5da02ef7ea415e0bda4aa0ac0b6f0bb53ee2549a96606c7985be7283d7c44ce5991634136b6bfa794730d291d41885e85e2d66c2fba74081605d15cd652dd3a72ac6dcd81756fbe8d2260867d38d943a11aecb78006a2a9df5c6405f56a4d48a76f390c90c62441890e506129012c74362d8f8b646c81ef6f6273664bceab33879927120e1038f8c976f93a9935443bd8adb207a8cf94e8a187c1cfea064db15df791baf0c376aaf562f2c16c877431047f6ca7d1588d36cb32850026ed74fbbaccba3b923149316f3da4b9a034a1e686c1387fe0cbac60004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf6df016cf7dc18ad384e3bf6a1b809e8 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=226, length=163 User-Name = "mgmitch" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1C-B0-AB-3D-81" Calling-Station-Id = "00-16-D3-22-CD-24" EAP-Message = 0x020300061900 Message-Authenticator = 0xe97484975a808e5c4c0e9c12b8eef547 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xf6df016cf7dc18ad384e3bf6a1b809e8 NAS-IP-Address = 134.252.100.101 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "mgmitch", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 226 to 134.252.100.101 port 1645 EAP-Message = 0x010403fc194000b3dfff6329b2c287300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3130313231343030303535365a170d3131313231343030303535365a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504 EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100be6446076d51f61b50f8c7d6440dc623bc88ec2fd4eb6bedc7dcdb3f8039bb7258e29d72d97527691ade608b7f87caa03f0e99f4273a8e9c2e03af1cad5d8a825c10b3039f0f94fcb817caa2b98523c20081aaf9891d75f7a94c57c7ba6f8578300da8d51a77353240aaac50238565 EAP-Message = 0xb2f80d654ae678a68384878c1d7cb13eb604ececde7b26a316538a418508a32b15bcb8dab6668382b71a3a61952a5e0e945a2f63af1d36f0545932153f8989a553be7754711ce944c0f34e0dbb3b1b384045d80ac3c09e603e55e115c1bcfa44c91e1678e63605cddad1867ae0c87804c71196aa775c98fe4e8b98e0112f4a25f3fcebde9b807541f568fd123a6fbd62ed0203010001a381fb3081f8301d0603551d0e0416041432afb08887cd32a6716c69351c51ea520190a0513081c80603551d230481c03081bd801432afb08887cd32a6716c69351c51ea520190a051a18199a48196308193310b3009060355040613024652310f300d06035504 EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900b3dfff6329b2c287300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100b6cb9b651fe6fb5f6803de75ed2f1112b5e5634dec9dfba6476a1e4670f1f005946d26b8e0805bc99670dbff75379ea7438db86713548b83ea9f500b5b691f04c75971a1e00ea8d5ab815dc05664fba01256 EAP-Message = 0x2c59aed1eab2c2f1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf6df016cf4db18ad384e3bf6a1b809e8 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=227, length=163 User-Name = "mgmitch" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1C-B0-AB-3D-81" Calling-Station-Id = "00-16-D3-22-CD-24" EAP-Message = 0x020400061900 Message-Authenticator = 0xc748c58f114831f9e0c9efc212a54c00 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xf6df016cf4db18ad384e3bf6a1b809e8 NAS-IP-Address = 134.252.100.101 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "mgmitch", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 227 to 134.252.100.101 port 1645 EAP-Message = 0x010502c71900b889db3ff715c6e7d9ca4dc3cc09223bfc58b58d305bf7474f9996b93716326389025746caac9a81490f5064fe3e958847c31ec698181e88b2013ef1fe6c1f8661a6f6d32a7ad8894894bd7d78b08768b912e366557c555101842b7d30b400231de66ce7e6aa3e67216ee1703caa57b1a1c81ff6223ab5aa277cf7f6d7ccedf18004bcf25119de569aa7463498c107f973ee66da4721915654d256f437b210575e571c6bb139160301020d0c000209008090e641c758cb48b9b79bd0025e11e5b1233340b4e6061c1fc8dd585ea2886549731449e566c22f69a9f2652694957a4e7c3e792849e93a50efd7f8f68c5e08aa7bd2bc4a2c74 EAP-Message = 0x5a7f74ab742dcc0f42eb374805193aa74ef8b4d442c52529c1e9f2cf051d25a8ddf528dab0a027e2332a95e61bf53bbea78f4dfa50a5e9d3f38300010200806dcab35856d9db5bd61a29678e5ffcde24773684d8c410c5d9bb60e535be540f5ff3abc209ce01cdeb6807d740f85be94dcfd367ad2e20fb1078f5ca2778e582bd8c00332a87889df69d8f027451ca3a3ec1595abf4ad1a7128a31c8baeaae7498ea78e66523eb13c10828da135e54a0d013723a4d1a58fb91e39a2a186ca11f0100b06ab88a0e52f5c0a7b9b7d397cf450c28ba187fe3b3b9cec2ffa6fa709b4e04dd41e67d63c3cfc8eeffc348952209b6f2dec0b83a0c5d7580108e28 EAP-Message = 0x7632ad08b94c47c9793c1e3b225269792d93daa845b8d86c619458f0b1c418ef078a16b918822442537625283aa7c18610e93c0b137e277f1864e115fdc2d524c5859b50da5c70c1695cff740fbd72e905f1a42cef83f38f051a9f42673d9f5d17e1e84107cd6fe8f1ebfbdbb3ac198bee111e24dc258cacaadafb36c113ca67686deaea37d03c21684c505e11b5005fdaf6290ba1d9474da102e963639795c348fb81d4e23fed27e5dd0049d066f554df032ad9e3ef5cad1fb5cabc66cf0643ad8997d416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf6df016cf5da18ad384e3bf6a1b809e8 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=228, length=361 User-Name = "mgmitch" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1C-B0-AB-3D-81" Calling-Station-Id = "00-16-D3-22-CD-24" EAP-Message = 0x020500cc190016030100861000008200806291880fa7b79626174f23d5f6721ac50472c9df0cd0238bfd340093ef5a3a37e2c118c719d860503824b2d1556a6ece75ec8826d34069ac90a37c966f5f6465c4ac82c4e66079871ff7b53198cfd0c1b25ff9434a1c2610c10ea6c498b16add34b613f7aecfafac5d2da4e65ca15c67500f38a0407bee960b767c4e3e90ac501403010001011603010030550f02713778b5ed8bac34b9324b96b129ba173c5b5439370b763ec0e1925ffe45d46f69a132518b618e38626e2ec7fc Message-Authenticator = 0x5e9a5e77e0b55fc6414a51a2c65cd60e NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xf6df016cf5da18ad384e3bf6a1b809e8 NAS-IP-Address = 134.252.100.101 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "mgmitch", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 204 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 228 to 134.252.100.101 port 1645 EAP-Message = 0x01060041190014030100010116030100309ce4dfdcda99ddbc9bbcc74a898f71af83b5830b1aa99e78bd4e4f57cc65916215ed36fcaf6c639c78d8d4ca22bf438b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf6df016cf2d918ad384e3bf6a1b809e8 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=229, length=163 User-Name = "mgmitch" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1C-B0-AB-3D-81" Calling-Station-Id = "00-16-D3-22-CD-24" EAP-Message = 0x020600061900 Message-Authenticator = 0xbdec9b5d34c954ced59ac3ea5d6e650e NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xf6df016cf2d918ad384e3bf6a1b809e8 NAS-IP-Address = 134.252.100.101 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "mgmitch", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 229 to 134.252.100.101 port 1645 EAP-Message = 0x0107002b190017030100204f5ba94ae701deed703075cae85510032bd8be397f7328c417df5e189bfd7904 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf6df016cf3d818ad384e3bf6a1b809e8 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=230, length=237 User-Name = "mgmitch" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1C-B0-AB-3D-81" Calling-Station-Id = "00-16-D3-22-CD-24" EAP-Message = 0x020700501900170301002034606c2eb986608c5a00ac95d5d2a3041fdc2403e074597c9ebc9aa918f73b4317030100209640e4ae80130fa82d07483ca91154c4eb7f73d98d1fcb6c81fd739108781a28 Message-Authenticator = 0x499bb31965aa74f94d70460b29e04cb1 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xf6df016cf3d818ad384e3bf6a1b809e8 NAS-IP-Address = 134.252.100.101 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "mgmitch", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - mgmitch [peap] Got tunneled request EAP-Message = 0x0207000c016d676d69746368 server { PEAP: Got tunneled identity of mgmitch PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to mgmitch Sending tunneled request EAP-Message = 0x0207000c016d676d69746368 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "mgmitch" server { +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "mgmitch", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop } # server [peap] Got tunneled reply code 0 PEAP: Calling authenticate in order to initiate tunneled EAP session. +- entering group authenticate {...} [eap] EAP Identity [eap] processing type gtc [eap] Not-EAP proxy set. Not composing EAP ++[eap] returns handled PEAP: Tunneled authentication will be proxied to test PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy. [eap] Tunneled session will be proxied. Not doing EAP. ++[eap] returns handled WARNING: Empty section. Using default return values. ERROR: Failed to create a new socket for proxying requests. ERROR: Failed inserting request into proxy hash. ERROR: Failed to proxy request 6 There was no response configured: rejecting request 6 Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> mgmitch attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 230 to 134.252.100.101 port 1645 Waking up in 3.8 seconds. Cleaning up request 0 ID 224 with timestamp +14 Cleaning up request 1 ID 225 with timestamp +14 Cleaning up request 2 ID 226 with timestamp +14 Cleaning up request 3 ID 227 with timestamp +14 Cleaning up request 4 ID 228 with timestamp +14 Cleaning up request 5 ID 229 with timestamp +14 Waking up in 1.0 seconds. Cleaning up request 6 ID 230 with timestamp +14 Ready to process requests. -- View this message in context: http://freeradius.1045715.n5.nabble.com/PEAP-EAP-GTC-proxy-tp3305142p3305142... Sent from the FreeRadius - User mailing list archive at Nabble.com.