Hi

 

Is EAP-PEAP-GTC User-Password is set while using Free Radius as a proxy?

 

We have a radius server which does not understand EAP.

We want to authenticate the WiFi clients with this server.

In order to achieve this we have configured the Free Radius as proxy (EAP-PEAP-GTC).

But this does not seems to be working as at our server end we do not receive clear text password.

 

Here is the radiusd debug output:

 

main {

                name = "radiusd"

                prefix = "/home/freeradius"

                localstatedir = "/home/freeradius/var"

                sbindir = "/home/freeradius/sbin"

                logdir = "/home/freeradius/var/log/radius"

                run_dir = "/home/freeradius/var/run/radiusd"

                libdir = "/home/freeradius/lib"

                radacctdir = "/home/freeradius/var/log/radius/radacct"

                hostname_lookups = no

                max_request_time = 30

                cleanup_delay = 5

                max_requests = 1024

                pidfile = "/home/freeradius/var/run/radiusd/radiusd.pid"

                checkrad = "/home/freeradius/sbin/checkrad"

                debug_level = 0

                proxy_requests = yes

log {

                stripped_names = no

                auth = no

                auth_badpass = no

                auth_goodpass = no

}

security {

                max_attributes = 200

                reject_delay = 1

                status_server = yes

}

}

radiusd: #### Loading Realms and Home Servers ####

proxy server {

                retry_delay = 5

                retry_count = 3

                default_fallback = no

                dead_time = 120

                wake_all_if_all_dead = no

}

home_server localhost {

                ipaddr = 127.0.0.1

                port = 1812

                type = "auth"

                secret = "testing123"

                response_window = 20

                max_outstanding = 65536

                require_message_authenticator = yes

                zombie_period = 40

                status_check = "status-server"

                ping_interval = 30

                check_interval = 30

                num_answers_to_alive = 3

                num_pings_to_alive = 3

                revive_interval = 120

                status_check_timeout = 4

  coa {

                irt = 2

                mrt = 16

                mrc = 5

                mrd = 30

  }

}

home_server_pool my_auth_failover {

                type = fail-over

                home_server = localhost

}

realm example.com {

                auth_pool = my_auth_failover

}

realm LOCAL {

}

realm DEVLAB {

                authhost = 10.141.148.91:1812

                secret = testing123

}

radiusd: #### Loading Clients ####

client localhost {

                ipaddr = 127.0.0.1

                require_message_authenticator = no

                secret = "testing123"

                nastype = "other"

}

client netmotion {

                ipaddr = 10.141.150.34

                require_message_authenticator = no

                secret = "testing123"

                nastype = "other"

}

client wifi {

                ipaddr = 10.141.148.220

                require_message_authenticator = no

                secret = "testing123"

                nastype = "other"

}

radiusd: #### Instantiating modules ####

instantiate {

Module: Linked to module rlm_exec

Module: Instantiating module "exec" from file /home/freeradius/etc/raddb/modules/exec

  exec {

                wait = no

                input_pairs = "request"

                shell_escape = yes

  }

Module: Linked to module rlm_expr

Module: Instantiating module "expr" from file /home/freeradius/etc/raddb/modules/expr

Module: Linked to module rlm_expiration

Module: Instantiating module "expiration" from file /home/freeradius/etc/raddb/modules/expiration

  expiration {

                reply-message = "Password Has Expired  "

  }

Module: Linked to module rlm_logintime

Module: Instantiating module "logintime" from file /home/freeradius/etc/raddb/modules/logintime

  logintime {

                reply-message = "You are calling outside your allowed timespan  "

                minimum-timeout = 60

  }

}

radiusd: #### Loading Virtual Servers ####

server { # from file /home/freeradius/etc/raddb/radiusd.conf

modules {

  Module: Creating Auth-Type = digest

  Module: Creating Post-Auth-Type = REJECT

Module: Checking authenticate {...} for more modules to load

Module: Linked to module rlm_pap

Module: Instantiating module "pap" from file /home/freeradius/etc/raddb/modules/pap

  pap {

                encryption_scheme = "auto"

                auto_header = no

  }

Module: Linked to module rlm_chap

Module: Instantiating module "chap" from file /home/freeradius/etc/raddb/modules/chap

Module: Linked to module rlm_mschap

Module: Instantiating module "mschap" from file /home/freeradius/etc/raddb/modules/mschap

  mschap {

                use_mppe = yes

                require_encryption = no

                require_strong = no

                with_ntdomain_hack = no

                allow_retry = yes

  }

Module: Linked to module rlm_digest

Module: Instantiating module "digest" from file /home/freeradius/etc/raddb/modules/digest

Module: Linked to module rlm_unix

Module: Instantiating module "unix" from file /home/freeradius/etc/raddb/modules/unix

  unix {

                radwtmp = "/home/freeradius/var/log/radius/radwtmp"

  }

Module: Linked to module rlm_eap

Module: Instantiating module "eap" from file /home/freeradius/etc/raddb/eap.conf

  eap {

                default_eap_type = "gtc"

                timer_expire = 60

                ignore_unknown_eap_types = no

                cisco_accounting_username_bug = no

                max_sessions = 4096

  }

Module: Linked to sub-module rlm_eap_md5

Module: Instantiating eap-md5

Module: Linked to sub-module rlm_eap_leap

Module: Instantiating eap-leap

Module: Linked to sub-module rlm_eap_gtc

Module: Instantiating eap-gtc

   gtc {

                challenge = "Password: "

                auth_type = "PAP"

   }

Module: Linked to sub-module rlm_eap_tls

Module: Instantiating eap-tls

   tls {

                rsa_key_exchange = no

                dh_key_exchange = yes

                rsa_key_length = 512

                dh_key_length = 512

                verify_depth = 0

                CA_path = "/home/freeradius/etc/raddb/certs"

                pem_file_type = yes

                private_key_file = "/home/freeradius/etc/raddb/certs/server.pem"

                certificate_file = "/home/freeradius/etc/raddb/certs/server.pem"

                CA_file = "/home/freeradius/etc/raddb/certs/ca.pem"

                private_key_password = "whatever"

                dh_file = "/home/freeradius/etc/raddb/certs/dh"

                random_file = "/home/freeradius/etc/raddb/certs/random"

                fragment_size = 1024

                include_length = yes

                check_crl = no

                cipher_list = "DEFAULT"

                make_cert_command = "/home/freeradius/etc/raddb/certs/bootstrap"

    cache {

                enable = no

                lifetime = 24

                max_entries = 255

    }

    verify {

    }

    ocsp {

                enable = no

                override_cert_url = yes

                url = "http://127.0.0.1/ocsp/"

                use_nonce = yes

                timeout = 0

                softfail = no

    }

   }

Module: Linked to sub-module rlm_eap_ttls

Module: Instantiating eap-ttls

   ttls {

                default_eap_type = "md5"

                copy_request_to_tunnel = no

                use_tunneled_reply = no

                virtual_server = "inner-tunnel"

                include_length = yes

   }

Module: Linked to sub-module rlm_eap_peap

Module: Instantiating eap-peap

   peap {

                default_eap_type = "gtc"

                copy_request_to_tunnel = no

                use_tunneled_reply = no

                proxy_tunneled_request_as_eap = no

                virtual_server = "proxy-inner-tunnel"

                soh = no

   }

Module: Linked to sub-module rlm_eap_mschapv2

Module: Instantiating eap-mschapv2

   mschapv2 {

                with_ntdomain_hack = no

                send_error = no

   }

Module: Checking authorize {...} for more modules to load

Module: Linked to module rlm_preprocess

Module: Instantiating module "preprocess" from file /home/freeradius/etc/raddb/modules/preprocess

  preprocess {

                huntgroups = "/home/freeradius/etc/raddb/huntgroups"

                hints = "/home/freeradius/etc/raddb/hints"

                with_ascend_hack = no

                ascend_channels_per_line = 23

                with_ntdomain_hack = no

                with_specialix_jetstream_hack = no

                with_cisco_vsa_hack = no

                with_alvarion_vsa_hack = no

  }

reading pairlist file /home/freeradius/etc/raddb/huntgroups

reading pairlist file /home/freeradius/etc/raddb/hints

Module: Linked to module rlm_realm

Module: Instantiating module "suffix" from file /home/freeradius/etc/raddb/modules/realm

  realm suffix {

                format = "suffix"

                delimiter = "@"

                ignore_default = no

                ignore_null = no

  }

Module: Linked to module rlm_files

Module: Instantiating module "files" from file /home/freeradius/etc/raddb/modules/files

  files {

                usersfile = "/home/freeradius/etc/raddb/users"

                acctusersfile = "/home/freeradius/etc/raddb/acct_users"

                preproxy_usersfile = "/home/freeradius/etc/raddb/preproxy_users"

                compat = "no"

  }

reading pairlist file /home/freeradius/etc/raddb/users

reading pairlist file /home/freeradius/etc/raddb/acct_users

reading pairlist file /home/freeradius/etc/raddb/preproxy_users

Module: Checking preacct {...} for more modules to load

Module: Linked to module rlm_acct_unique

Module: Instantiating module "acct_unique" from file /home/freeradius/etc/raddb/modules/acct_unique

  acct_unique {

                key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"

  }

Module: Checking accounting {...} for more modules to load

Module: Linked to module rlm_detail

Module: Instantiating module "detail" from file /home/freeradius/etc/raddb/modules/detail

  detail {

                detailfile = "/home/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"

                header = "%t"

                detailperm = 384

                dirperm = 493

                locking = no

                log_packet_header = no

  }

Module: Linked to module rlm_attr_filter

Module: Instantiating module "attr_filter.accounting_response" from file /home/freeradius/etc/raddb/modules/attr_filter

  attr_filter attr_filter.accounting_response {

                attrsfile = "/home/freeradius/etc/raddb/attrs.accounting_response"

                key = "%{User-Name}"

                relaxed = no

  }

reading pairlist file /home/freeradius/etc/raddb/attrs.accounting_response

Module: Checking session {...} for more modules to load

Module: Linked to module rlm_radutmp

Module: Instantiating module "radutmp" from file /home/freeradius/etc/raddb/modules/radutmp

  radutmp {

                filename = "/home/freeradius/var/log/radius/radutmp"

                username = "%{User-Name}"

                case_sensitive = yes

                check_with_nas = yes

                perm = 384

                callerid = yes

  }

Module: Checking post-proxy {...} for more modules to load

Module: Checking post-auth {...} for more modules to load

Module: Instantiating module "attr_filter.access_reject" from file /home/freeradius/etc/raddb/modules/attr_filter

  attr_filter attr_filter.access_reject {

                attrsfile = "/home/freeradius/etc/raddb/attrs.access_reject"

                key = "%{User-Name}"

                relaxed = no

  }

reading pairlist file /home/freeradius/etc/raddb/attrs.access_reject

} # modules

} # server

server proxy-inner-tunnel { # from file /home/freeradius/etc/raddb/sites-enabled/proxy-inner-tunnel

modules {

Module: Checking authenticate {...} for more modules to load

Module: Checking authorize {...} for more modules to load

Module: Checking post-proxy {...} for more modules to load

} # modules

} # server

server inner-tunnel { # from file /home/freeradius/etc/raddb/sites-enabled/inner-tunnel

modules {

  Module: Creating Auth-Type = inner-eap

Module: Checking authenticate {...} for more modules to load

Module: Instantiating module "inner-eap" from file /home/freeradius/etc/raddb/modules/inner-eap

  eap inner-eap {

                default_eap_type = "gtc"

                timer_expire = 60

                ignore_unknown_eap_types = no

                cisco_accounting_username_bug = no

                max_sessions = 2048

  }

Module: Linked to sub-module rlm_eap_md5

Module: Instantiating eap-md5

Module: Linked to sub-module rlm_eap_gtc

Module: Instantiating eap-gtc

   gtc {

                challenge = "Enter your Security Code innear-eap: "

                auth_type = "PAP"

   }

Module: Linked to sub-module rlm_eap_mschapv2

Module: Instantiating eap-mschapv2

   mschapv2 {

                with_ntdomain_hack = no

                send_error = no

   }

Module: Linked to sub-module rlm_eap_tls

Module: Instantiating eap-tls

   tls {

                rsa_key_exchange = no

                dh_key_exchange = yes

                rsa_key_length = 512

                dh_key_length = 512

                verify_depth = 0

                pem_file_type = yes

                private_key_file = "/home/freeradius/etc/raddb/certs/server.pem"

                certificate_file = "/home/freeradius/etc/raddb/certs/server.pem"

                CA_file = "/home/freeradius/etc/raddb/certs/ca.pem"

                private_key_password = "whatever"

                dh_file = "/home/freeradius/etc/raddb/certs/dh"

                random_file = "/home/freeradius/etc/raddb/certs/random"

                fragment_size = 1024

                include_length = yes

                check_crl = no

                cipher_list = "DEFAULT"

   }

Module: Checking authorize {...} for more modules to load

Module: Checking session {...} for more modules to load

Module: Checking post-proxy {...} for more modules to load

Module: Checking post-auth {...} for more modules to load

} # modules

} # server

radiusd: #### Opening IP addresses and Ports ####

listen {

                type = "auth"

                ipaddr = *

                port = 0

}

listen {

                type = "acct"

                ipaddr = *

                port = 0

}

listen {

                type = "control"

listen {

                socket = "/home/freeradius/var/run/radiusd/radiusd.sock"

}

}

listen {

                type = "auth"

                ipaddr = 127.0.0.1

                port = 18120

}

... adding new socket proxy address * port 51628

Listening on authentication address * port 1812

Listening on accounting address * port 1813

Listening on command file /home/freeradius/var/run/radiusd/radiusd.sock

Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel

Listening on proxy address * port 1814

Ready to process requests.

rad_recv: Access-Request packet from host 10.141.150.34 port 50001, id=159, length=88

                NAS-Identifier = "symc-2k8-150-34"

                User-Name = "user3"

                Calling-Station-Id = "0000005e5554"

                EAP-Message = 0x0200000a017573657233

                Message-Authenticator = 0x2863faee4523a276cbac192585bb7c6c

# Executing section authorize from file /home/freeradius/etc/raddb/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "user3", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 0 length 10

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[files] returns noop

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /home/freeradius/etc/raddb/sites-enabled/default

+- entering group authenticate {...}

[eap] EAP Identity

[eap] processing type gtc

[gtc]       expand: Password:  -> Password:

++[eap] returns handled

Sending Access-Challenge of id 159 to 10.141.150.34 port 50001

                EAP-Message = 0x0101000f0650617373776f72643a20

                Message-Authenticator = 0x00000000000000000000000000000000

                State = 0x0f2467dc0f2561157cc843c3aeb740bb

Finished request 0.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 10.141.150.34 port 50001, id=160, length=103

                NAS-Identifier = "symc-2k8-150-34"

                User-Name = "user3"

                Calling-Station-Id = "0000005e5554"

                EAP-Message = 0x0201000703190d

                Message-Authenticator = 0x9ca44cf06d9b92a8d8423fdfe6a12c71

                State = 0x0f2467dc0f2561157cc843c3aeb740bb

# Executing section authorize from file /home/freeradius/etc/raddb/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "user3", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 1 length 7

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[files] returns noop

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /home/freeradius/etc/raddb/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP NAK

[eap] EAP-NAK asked for EAP-Type/peap

[eap] processing type tls

[tls] Initiate

[tls] Start returned 1

++[eap] returns handled

Sending Access-Challenge of id 160 to 10.141.150.34 port 50001

                EAP-Message = 0x010200061920

                Message-Authenticator = 0x00000000000000000000000000000000

                State = 0x0f2467dc0e267e157cc843c3aeb740bb

Finished request 1.

Going to the next request

Waking up in 4.9 seconds.