FR2 EAP-PEAP proxy does not saving attributes
Required to authorize wireless users by the protocol EAP-PEAP, but, unfortunately, the radius of the billing system can not EAP-PEAP. Installed freeradius 2.1.6 in proxy mode. Freeradius terminates the tunnel TLS, and requests the radius of the billing system goes on algorithm mschapv2. Problem - freeradius does not save or pass additional attributes of an access point, obtained from the radius of the billing system (attributes for example - WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down). How to solve the problem? 192.168.145.42 - WiFi Access Point 192.168.151.59 - radius billing system 192.168.151.36 - freeradius eap.conf: eap { default_eap_type = mschapv2 timer_expire = 60 ignore_unknown_eap_types = yes cisco_accounting_username_bug = no max_sessions = 2048 tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_file = /etc/ssl/hotspot.pem certificate_file = /etc/ssl/hotspot.pem CA_file = /etc/ssl/Equifax_Secure_Certificate_Authority.cer dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = no virtual_server = "proxy-inner-tunnel" } mschapv2 { } } proxy-inner-tunnel: server proxy-inner-tunnel { authorize { update control { # You should update this to be one of your realms. Proxy-To-Realm := "BILLING" } } authenticate { eap } post-proxy { eap } } proxy.conf: realm BILLING { authhost = 192.168.151.59:1812 secret = secretkey } DEBUG: rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=222, length=118 User-Name = "10" EAP-Message = 0x02620007013130 Message-Authenticator = 0xe38b290e654269d95defc60fb7831415 Calling-Station-Id = "00:17:9A:0A:54:F1" Called-Station-Id = "00:15:6D:AD:1E:D7" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-IP-Address = 192.168.145.42 NAS-Identifier = "DreamWiFi" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "10", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 98 length 7 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 222 to 192.168.145.42 port 45920 EAP-Message = 0x0163001c1a01630017106ec1f0ae862c6445e9a4584a08ab62ef3130 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x07ead3a30789c9ac02fc8e14eb27c4dd Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=223, length=135 User-Name = "10" State = 0x07ead3a30789c9ac02fc8e14eb27c4dd EAP-Message = 0x026300060319 Message-Authenticator = 0x9525673c0e27ecccf1ac9f6ce46db721 Calling-Station-Id = "00:17:9A:0A:54:F1" Called-Station-Id = "00:15:6D:AD:1E:D7" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-IP-Address = 192.168.145.42 NAS-Identifier = "DreamWiFi" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "10", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 99 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 223 to 192.168.145.42 port 45920 EAP-Message = 0x016400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x07ead3a3068ecaac02fc8e14eb27c4dd Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=224, length=209 User-Name = "10" State = 0x07ead3a3068ecaac02fc8e14eb27c4dd EAP-Message = 0x0264005019800000004616030100410100003d03014ab1b8781e54c0ed2319fa36048467e14e8ea2e75c7ffc26ce5bc8860fc7397d00001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x10d075914cfb960691940025bac92d35 Calling-Station-Id = "00:17:9A:0A:54:F1" Called-Station-Id = "00:15:6D:AD:1E:D7" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-IP-Address = 192.168.145.42 NAS-Identifier = "DreamWiFi" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "10", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 100 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 03e1], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 224 to 192.168.145.42 port 45920 EAP-Message = 0x0165040019c00000041e160301002a0200002603014ab1b87373b948ae5201edc20184e227a46dd17a260533ac0ec56e0395439f4e0000040016030103e10b0003dd0003da0003d7308203d33082033ca0030201020203094f70300d06092a864886f70d0101040500305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d31301e170d3038303930343132333033355a170d3130303930353132333033355a3081be310b3009060355040613025255311a301806035504 EAP-Message = 0x0a1311686f7473706f742e7769666937342e727531133011060355040b130a475437393434363732313131302f060355040b1328536565207777772e726170696473736c2e636f6d2f7265736f75726365732f637073202863293038312f302d060355040b1326446f6d61696e20436f6e74726f6c2056616c696461746564202d20526170696453534c285229311a301806035504031311686f7473706f742e7769666937342e727530820122300d06092a864886f70d01010105000382010f003082010a0282010100c21b59eddbf221b2c2d09e7b8155902fc8aea111de5a1dfa8c79d4e72964fd058ed12a4d03dcd933cf09317670a6114251979b EAP-Message = 0xefb178907be72a83920a14a80924fd8dd99f0ed93143a8b8f3515c6caaf04a567a7608bf452fa4632cb87ce64088c938cfb6299e9dfb2f76b0316e6aae25123422a4417656a21a2bb2cc840f3d7b6dc800e7d8074517374ffe4e748db3e9200e8b7c686d51b64f245260e84d2cc53fbdee5fc1ddfc15abdb8aeed19c920136cdc68db83ab6ecbb3874e2583c2da213b67ddc1394329a82b0d5602d7e9fd1e07d4afac9c0453ed34ae44b7ca5f27bc42a62a71ed145885bc906ba94d7f0086ba7d1eb5803ec282ec530a55b06f70203010001a381bd3081ba300e0603551d0f0101ff0404030204f0301d0603551d0e04160414453f042356bf8c2f19f2 EAP-Message = 0x739089c71bb78487a81a303b0603551d1f043430323030a02ea02c862a687474703a2f2f63726c2e67656f74727573742e636f6d2f63726c732f676c6f62616c6361312e63726c301f0603551d23041830168014bea8a07472506b44b7c923d8fba8ffb3576b686c301d0603551d250416301406082b0601050507030106082b06010505070302300c0603551d130101ff04023000300d06092a864886f70d0101040500038181004a2a1f1e9ee05ed6c39653a22fe44ca0040da2fc8606d3554b6607e1d360c8c6822213ee20fa2d81d227d909d5796c0a43e0ae0b97e659fd97322708ef4084669c0ff27c3419b134b118e2aa72cab82e076f93aa60 EAP-Message = 0x62671f10333727cd338cd3cd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x07ead3a3058fcaac02fc8e14eb27c4dd Finished request 2. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=225, length=135 User-Name = "10" State = 0x07ead3a3058fcaac02fc8e14eb27c4dd EAP-Message = 0x026500061900 Message-Authenticator = 0x0891f11bfcde8025eb587ef050e6275d Calling-Station-Id = "00:17:9A:0A:54:F1" Called-Station-Id = "00:15:6D:AD:1E:D7" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-IP-Address = 192.168.145.42 NAS-Identifier = "DreamWiFi" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "10", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 101 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 225 to 192.168.145.42 port 45920 EAP-Message = 0x0166002e1900702f3a043f13f2d5e5aec143aa600f630c62aa96fdbf5e831ae59e7d9712a816030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x07ead3a3048ccaac02fc8e14eb27c4dd Finished request 3. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=226, length=451 User-Name = "10" State = 0x07ead3a3048ccaac02fc8e14eb27c4dd EAP-Message = 0x0266014019800000013616030101061000010201004fb56d910fa42a14aa3c6eea33555362d8b39f1a2d77d313bdf079cf50ef4f71679689ec46c0b3577a595bab267f66fbb8b438340d0aceb29255a31a21f06c6fedc4cf0a1b21cb5598998789d459ba071492bb0c3dc88aa298175053356df80f427ad2174f0bd9ff49b1811923ac82e7bae0246f597e697174f90846bd2228ce7c309d62cedfb336b841cdc398ac39d961ee667a60fa8b090bb6aa7b4aa63a8508dbd4d274210bea74e32b96e2a8356eef15f8eac7589b875818656d1f45f5b9fc2afd37644ac93369f11a61c29d3048a906aa43f7edbb70944882868bc3f42581b063fe52f0667b EAP-Message = 0x80eea00922809693b706592d39e0b15bb7041c28f500cae3140301000101160301002065aa79b35b69f62a83173f7ab8f5b5a8d32d26a88721a8ee678de11e2b491929 Message-Authenticator = 0xbbab16716509bef7bd587a9571871429 Calling-Station-Id = "00:17:9A:0A:54:F1" Called-Station-Id = "00:15:6D:AD:1E:D7" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-IP-Address = 192.168.145.42 NAS-Identifier = "DreamWiFi" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "10", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 102 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 226 to 192.168.145.42 port 45920 EAP-Message = 0x01670031190014030100010116030100206aacab4436bbf44e492d852573dfe1266992043b58bbe3f8899aff0353065bc3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x07ead3a3038dcaac02fc8e14eb27c4dd Finished request 4. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=227, length=135 User-Name = "10" State = 0x07ead3a3038dcaac02fc8e14eb27c4dd EAP-Message = 0x026700061900 Message-Authenticator = 0x8cacd03c12a16673a93fa5f29a008a9f Calling-Station-Id = "00:17:9A:0A:54:F1" Called-Station-Id = "00:15:6D:AD:1E:D7" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-IP-Address = 192.168.145.42 NAS-Identifier = "DreamWiFi" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "10", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 103 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 227 to 192.168.145.42 port 45920 EAP-Message = 0x01680020190017030100151f5ac40f4ba30f1f7a95c7e53868bb2f92829d3504 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x07ead3a30282caac02fc8e14eb27c4dd Finished request 5. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=228, length=159 User-Name = "10" State = 0x07ead3a30282caac02fc8e14eb27c4dd EAP-Message = 0x0268001e19001703010013c5e116d8769ea065b0481bac42772977282860 Message-Authenticator = 0x3a5e3bd0c1eda2cae9ba82bae0fa84c2 Calling-Station-Id = "00:17:9A:0A:54:F1" Called-Station-Id = "00:15:6D:AD:1E:D7" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-IP-Address = 192.168.145.42 NAS-Identifier = "DreamWiFi" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "10", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 104 length 30 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - 10 [peap] Got tunneled request EAP-Message = 0x02680007013130 server { PEAP: Got tunneled identity of 10 PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to 10 Sending tunneled request EAP-Message = 0x02680007013130 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "10" Calling-Station-Id = "00:17:9A:0A:54:F1" Called-Station-Id = "00:15:6D:AD:1E:D7" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-IP-Address = 192.168.145.42 NAS-Identifier = "DreamWiFi" server proxy-inner-tunnel { +- entering group authorize {...} ++[control] returns notfound } # server proxy-inner-tunnel [peap] Got tunneled reply code 0 PEAP: Calling authenticate in order to initiate tunneled EAP session. +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled PEAP: Cancelling proxy to realm BILLING until the tunneled EAP session has been established [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0169001c1a0169001710d01d8df2bebb58a339c9c0b7d7caa2173130 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed5f6a24ed3670cb0fe406473891ab01 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 228 to 192.168.145.42 port 45920 EAP-Message = 0x0169003319001703010028974ef70851394a0c9a4a9783c4e94ef4b3b55dd38ce01d825860cca95b3b17454b897a2b291d5659 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x07ead3a30183caac02fc8e14eb27c4dd Finished request 6. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=229, length=213 User-Name = "10" State = 0x07ead3a30183caac02fc8e14eb27c4dd EAP-Message = 0x02690054190017030100490a8a2dceac8c7bf8f6ef0a654c42c8dadc887fc06747ec53c2b84f03ad4cab7787dd12fbde394d8c0a931f3fc632a4a14d834fcf2751b9d2cd8fd7e1795b4c02b858804be81e5dba50 Message-Authenticator = 0x8e1a99d600d67e4900cddbe680e0ea8d Calling-Station-Id = "00:17:9A:0A:54:F1" Called-Station-Id = "00:15:6D:AD:1E:D7" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-IP-Address = 192.168.145.42 NAS-Identifier = "DreamWiFi" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "10", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 105 length 84 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0269003d1a0269003831082b6e438ecf27aae769335526e67a4300000000000000001fef103523937a5a401a1f294a3a15cca7aca61bfc5e5cce003130 server { PEAP: Setting User-Name to 10 Sending tunneled request EAP-Message = 0x0269003d1a0269003831082b6e438ecf27aae769335526e67a4300000000000000001fef103523937a5a401a1f294a3a15cca7aca61bfc5e5cce003130 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "10" State = 0xed5f6a24ed3670cb0fe406473891ab01 Calling-Station-Id = "00:17:9A:0A:54:F1" Called-Station-Id = "00:15:6D:AD:1E:D7" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-IP-Address = 192.168.145.42 NAS-Identifier = "DreamWiFi" server proxy-inner-tunnel { +- entering group authorize {...} ++[control] returns notfound } # server proxy-inner-tunnel [peap] Got tunneled reply code 0 PEAP: Calling authenticate in order to initiate tunneled EAP session. +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Not-EAP proxy set. Not composing EAP ++[eap] returns handled PEAP: Tunneled authentication will be proxied to BILLING PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy. [eap] Tunneled session will be proxied. Not doing EAP. ++[eap] returns handled Sending Access-Request of id 210 to 192.168.151.59 port 1812 User-Name = "10" Calling-Station-Id = "00:17:9A:0A:54:F1" Called-Station-Id = "00:15:6D:AD:1E:D7" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-IP-Address = 192.168.145.42 NAS-Identifier = "DreamWiFi" MS-CHAP-Challenge = 0xd01d8df2bebb58a339c9c0b7d7caa217 MS-CHAP2-Response = 0x6930082b6e438ecf27aae769335526e67a4300000000000000001fef103523937a5a401a1f294a3a15cca7aca61bfc5e5cce Proxy-State = 0x323239 Proxying request 7 to home server 192.168.151.59 port 1812 Sending Access-Request of id 210 to 192.168.151.59 port 1812 User-Name = "10" Calling-Station-Id = "00:17:9A:0A:54:F1" Called-Station-Id = "00:15:6D:AD:1E:D7" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-IP-Address = 192.168.145.42 NAS-Identifier = "DreamWiFi" MS-CHAP-Challenge = 0xd01d8df2bebb58a339c9c0b7d7caa217 MS-CHAP2-Response = 0x6930082b6e438ecf27aae769335526e67a4300000000000000001fef103523937a5a401a1f294a3a15cca7aca61bfc5e5cce Proxy-State = 0x323239 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Accept packet from host 192.168.151.59 port 1812, id=210, length=190 Acct-Interim-Interval = 100 Vendor-14559-Attr-2 = 0x3746bdf7 WISPr-Bandwidth-Max-Up = 256000 WISPr-Bandwidth-Max-Down = 1024000 MS-CHAP2-Success = 0x69533d38364544453342343842363931353546304535343645363831414538304436454232373039384144 MS-MPPE-Recv-Key = 0xe7f1174e7beff1487910dc87d142d6e6 MS-MPPE-Send-Key = 0x57c39cbbbdb601ce38ef7909bd7f9e12 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 Proxy-State = 0x323239 +- entering group post-proxy {...} [eap] Doing post-proxy callback [eap] Passing reply from proxy back into the tunnel. server proxy-inner-tunnel { [eap] Passing reply back for EAP-MS-CHAP-V2 +- entering group post-proxy {...} [eap] Doing post-proxy callback rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x8178f00 2. rlm_eap_mschapv2: Authentication succeeded. MSCHAP Success ++[eap] returns ok } # server proxy-inner-tunnel [eap] Final reply from tunneled session code 11 Acct-Interim-Interval = 100 Vendor-14559-Attr-2 = 0x3746bdf7 WISPr-Bandwidth-Max-Up = 256000 WISPr-Bandwidth-Max-Down = 1024000 Proxy-State = 0x323239 EAP-Message = 0x016a00331a0369002e533d38364544453342343842363931353546304535343645363831414538304436454232373039384144 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed5f6a24ec3570cb0fe406473891ab01 [eap] Got reply 11 [eap] Got tunneled reply RADIUS code 11 Acct-Interim-Interval = 100 Vendor-14559-Attr-2 = 0x3746bdf7 WISPr-Bandwidth-Max-Up = 256000 WISPr-Bandwidth-Max-Down = 1024000 Proxy-State = 0x323239 EAP-Message = 0x016a00331a0369002e533d38364544453342343842363931353546304535343645363831414538304436454232373039384144 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed5f6a24ec3570cb0fe406473891ab01 [eap] Got tunneled Access-Challenge [eap] Saving tunneled attributes for later [eap] Reply was handled ++[eap] returns ok Sending Access-Challenge of id 229 to 192.168.145.42 port 45920 EAP-Message = 0x016a004a1900170301003fd2ea6e8b90e35bd3dc79e64ecc7ae61cd620a7629fd3abf26723951ef19cfefbc3902e8c6b69247948560d9d5a2ffd957aaccfc6275fbeb408f6b9298c0b63 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x07ead3a30080caac02fc8e14eb27c4dd Finished request 7. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=230, length=158 User-Name = "10" State = 0x07ead3a30080caac02fc8e14eb27c4dd EAP-Message = 0x026a001d1900170301001205f944ba8b8681891372395b7988718791f7 Message-Authenticator = 0x650b5766f4853772e7afc56471b7a0a0 Calling-Station-Id = "00:17:9A:0A:54:F1" Called-Station-Id = "00:15:6D:AD:1E:D7" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-IP-Address = 192.168.145.42 NAS-Identifier = "DreamWiFi" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "10", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 106 length 29 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x026a00061a03 server { PEAP: Setting User-Name to 10 Sending tunneled request EAP-Message = 0x026a00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "10" State = 0xed5f6a24ec3570cb0fe406473891ab01 Calling-Station-Id = "00:17:9A:0A:54:F1" Called-Station-Id = "00:15:6D:AD:1E:D7" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-IP-Address = 192.168.145.42 NAS-Identifier = "DreamWiFi" server proxy-inner-tunnel { +- entering group authorize {...} ++[control] returns notfound } # server proxy-inner-tunnel [peap] Got tunneled reply code 0 PEAP: Calling authenticate in order to initiate tunneled EAP session. +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x036a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "10" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] returns handled Sending Access-Challenge of id 230 to 192.168.145.42 port 45920 EAP-Message = 0x016b00261900170301001b6e683e898fecffe435a9ac6da18b14d763fce8469753e75845e608 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x07ead3a30f81caac02fc8e14eb27c4dd Finished request 8. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=231, length=167 User-Name = "10" State = 0x07ead3a30f81caac02fc8e14eb27c4dd EAP-Message = 0x026b00261900170301001b460a94724013aed47c0d5d4baf51a28b8e327f5dc38f3c4f8409eb Message-Authenticator = 0xc6f562fa8c5e6f07251406f048927499 Calling-Station-Id = "00:17:9A:0A:54:F1" Called-Station-Id = "00:15:6D:AD:1E:D7" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-IP-Address = 192.168.145.42 NAS-Identifier = "DreamWiFi" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "10", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 107 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 231 to 192.168.145.42 port 45920 User-Name = "10" MS-MPPE-Recv-Key = 0x95cd48dc452bb7ea093e2a2945d4337a6112847f9ac1dafce280a27713ec34ca MS-MPPE-Send-Key = 0x34066a293d5a0f0f5269014040f41bc79d125807510bc15bf99f75e7e3307977 EAP-Message = 0x036b0004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 9. Going to the next request Waking up in 4.3 seconds. rad_recv: Accounting-Request packet from host 192.168.145.42 port 45920, id=232, length=131 Acct-Status-Type = Start User-Name = "10" Calling-Station-Id = "00:17:9A:0A:54:F1" Called-Station-Id = "00:15:6D:AD:1E:D7" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-Port-Id = "00000000" NAS-IP-Address = 192.168.145.42 NAS-Identifier = "DreamWiFi" Framed-IP-Address = 192.168.40.19 Acct-Session-Id = "4ab1b87300000000" +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 192.168.145.42,NAS-IP-Address = 192.168.145.42,Acct-Session-Id = "4ab1b87300000000",User-Name = "10"' [acct_unique] Acct-Unique-Session-ID = "1e54eedf8186ab47". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "10", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop +- entering group accounting {...} [detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radacct/192.168.145.42/detail-20090917 [detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/192.168.145.42/detail-20090917 [detail] expand: %t -> Thu Sep 17 10:17:55 2009 ++[detail] returns ok ++[unix] returns ok [radutmp] expand: /var/log/radutmp -> /var/log/radutmp [radutmp] expand: %{User-Name} -> 10 ++[radutmp] returns ok [attr_filter.accounting_response] expand: %{User-Name} -> 10 attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 232 to 192.168.145.42 port 45920 Finished request 10. -- Best regards, Daniil Kharun
Hi,
Required to authorize wireless users by the protocol EAP-PEAP, but, unfortunately, the radius of the billing system can not EAP-PEAP. Installed freeradius 2.1.6 in proxy mode. Freeradius terminates the tunnel TLS, and requests the radius of the billing system goes on algorithm mschapv2. Problem - freeradius does not save or pass additional attributes of an access point, obtained from the radius of the billing system (attributes for example - WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down). How to solve the problem?
edit the attrs file so that those attributes are allowed through the proxy (its fairly well documented in the configurationo files) alan
Daniil L. Kharoun wrote:
Required to authorize wireless users by the protocol EAP-PEAP, but, unfortunately, the radius of the billing system can not EAP-PEAP. Installed freeradius 2.1.6 in proxy mode. Freeradius terminates the tunnel TLS, and requests the radius of the billing system goes on algorithm mschapv2. Problem - freeradius does not save or pass additional attributes of an access point, obtained from the radius of the billing system (attributes for example - WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down). How to solve the problem? ... [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ... Sending Access-Accept of id 231 to 192.168.145.42 port 45920 User-Name = "10" MS-MPPE-Recv-Key = 0x95cd48dc452bb7ea093e2a2945d4337a6112847f9ac1dafce280a27713ec34ca MS-MPPE-Send-Key = 0x34066a293d5a0f0f5269014040f41bc79d125807510bc15bf99f75e7e3307977 EAP-Message = 0x036b0004 Message-Authenticator = 0x00000000000000000000000000000000
Hmm... that's awkward. You have "use_tunneled_reply = yes", so it *should* work. I'd suggest debugging the code in more detail. There's little else that can be done. Alan DeKok.
[peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later
...
Sending Access-Accept of id 231 to 192.168.145.42 port 45920 User-Name = "10" MS-MPPE-Recv-Key = 0x95cd48dc452bb7ea093e2a2945d4337a6112847f9ac1dafce280a27713ec34ca MS-MPPE-Send-Key = 0x34066a293d5a0f0f5269014040f41bc79d125807510bc15bf99f75e7e3307977 EAP-Message = 0x036b0004 Message-Authenticator = 0x00000000000000000000000000000000
Hmm... that's awkward. You have "use_tunneled_reply = yes", so it *should* work.
I'd suggest debugging the code in more detail. There's little else that can be done.
Alan DeKok.
How can I make more detailed debugging? -- Best regards, Daniil Kharun
[peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later
...
Sending Access-Accept of id 231 to 192.168.145.42 port 45920 User-Name = "10" MS-MPPE-Recv-Key = 0x95cd48dc452bb7ea093e2a2945d4337a6112847f9ac1dafce280a27713ec34ca MS-MPPE-Send-Key = 0x34066a293d5a0f0f5269014040f41bc79d125807510bc15bf99f75e7e3307977 EAP-Message = 0x036b0004 Message-Authenticator = 0x00000000000000000000000000000000
Hmm... that's awkward. You have "use_tunneled_reply = yes", so it *should* work.
I'd suggest debugging the code in more detail. There's little else that can be done.
Original Access-Accept: rad_recv: Access-Accept packet from host 192.168.151.59 port 1812, id=210, length=190 Acct-Interim-Interval = 100 Vendor-14559-Attr-2 = 0x3746bdf7 WISPr-Bandwidth-Max-Up = 256000 WISPr-Bandwidth-Max-Down = 1024000 MS-CHAP2-Success = 0x69533d38364544453342343842363931353546304535343645363831414538304436454232373039384144 MS-MPPE-Recv-Key = 0xe7f1174e7beff1487910dc87d142d6e6 MS-MPPE-Send-Key = 0x57c39cbbbdb601ce38ef7909bd7f9e12 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 Proxy-State = 0x323239 ... [eap] Passing reply from proxy back into the tunnel. ... rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x8178f00 2. ... [eap] Saving tunneled attributes for later ... Sending Access-Challenge of id 229 to 192.168.145.42 port 45920 EAP-Message = 0x016a004a1900170301003fd2ea6e8b90e35bd3dc79e64ecc7ae61cd620a7629fd3abf26723951ef19cfefbc3902e8c6b69247948560d9d5a2ffd957aaccfc6275fbeb408f6b9298c0b63 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x07ead3a30080caac02fc8e14eb27c4dd ... [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x036a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "10" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later Perhaps this save wipes them off. There are no attributes in this reply. ... Sending Access-Challenge of id 230 to 192.168.145.42 port 45920 EAP-Message = 0x016b00261900170301001b6e683e898fecffe435a9ac6da18b14d763fce8469753e75845e608 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x07ead3a30f81caac02fc8e14eb27c4dd ... [peap] Using saved attributes from the original Access-Accept They might not be there because interim save between original Access-Accept and this wipes them off. [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 231 to 192.168.145.42 port 45920 User-Name = "10" MS-MPPE-Recv-Key = 0x95cd48dc452bb7ea093e2a2945d4337a6112847f9ac1dafce280a27713ec34ca MS-MPPE-Send-Key = 0x34066a293d5a0f0f5269014040f41bc79d125807510bc15bf99f75e7e3307977 EAP-Message = 0x036b0004 Message-Authenticator = 0x00000000000000000000000000000000 Ivan Kalik Kalik Informatika ISP
Poblem with eap-peap proxy can not solve? -- Best regards, Daniil Kharun
Poblem with eap-peap proxy can not solve?
You should report that as a bug. https://bugs.freeradius.org/bugzilla/index.cgi Ivan Kalik Kalik Informatika ISP
Dirty hack: --- freeradius-server-2.1.6.orig/src/modules/rlm_eap/types/rlm_eap_peap/peap.c 2009-05-18 17:13:55.000000000 +0600 +++ freeradius-server-2.1.6/src/modules/rlm_eap/types/rlm_eap_peap/peap.c 2009-11-03 17:42:21.000000000 +0500 @@ -312,26 +312,6 @@ static int process_reply(EAP_HANDLER *ha eappeap_success(handler, tls_session); rcode = RLM_MODULE_HANDLED; - /* - * If we've been told to use the attributes from - * the reply, then do so. - * - * WARNING: This may leak information about the - * tunneled user! - */ - if (t->use_tunneled_reply) { - RDEBUG2("Saving tunneled attributes for later"); - - /* - * Clean up the tunneled reply. - */ - pairdelete(&reply->vps, PW_PROXY_STATE); - pairdelete(&reply->vps, PW_EAP_MESSAGE); - pairdelete(&reply->vps, PW_MESSAGE_AUTHENTICATOR); - - t->accept_vps = reply->vps; - reply->vps = NULL; - } break; case PW_AUTHENTICATION_REJECT: it works...
participants (6)
-
Alan Buxey -
Alan DeKok -
Daniil Harun -
Daniil Kharun -
Daniil L. Kharoun -
Ivan Kalik