Proxy to realm after eap-ttls authantication
Hello, I desperately need your help. I am noob with FreeRadius so please guide me what i am doing wrong. My point is using freeradius as a Proxy. Because we already have a PAP supported Radius, so i want to do eap auth part on freeradius and then Proxy the Access-request to our own Radius. We are trying 802.1x authantication. According to my readings i did below steps : 1 . Edit clients.conf for my mobile devices to Access freeradius client nevotek { ipaddr = 213.74.143.140 secret = testing1234 } 2. add home_server in proxy.conf home_server IAS { ipaddr = 192.168.0.252 port = 1812 type = "auth" secret = "secret" response_window = 20 max_outstanding = 65536 } home_server_pool jack_pool { type = fail-over home_server = IAS } realm nevotek { auth_pool = jack_pool nostirp } 3. edit eap.cof default_eap_type = ttls and in ttls function : ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = yes proxy_tunneled_request_as_eap = no virtual_server = "proxy-inner-tunnel" } 4. prepare Proxy.config soft link for sites-enabled, added nevotek in proxy-inner-tunnel: server proxy-inner-tunnel { authorize { update control { Proxy-To-Realm := "nevotek" } } authenticate { eap } post-proxy { eap } } 5. disabled "suffix" part in sites-enabled/default But no chance. Also android and IOS devices has different behaviors. Here is the output of IOS device : (2) Received Access-Request Id 216 from 213.74.143.148:19733 to 10.0.0.4:1812 length 311 (2) User-Name = "iosuser2@nevotek.com" (2) Chargeable-User-Identity = 0x00 (2) Operator-Name = "1nevotek.com" (2) Location-Capable = Civic-Location (2) Calling-Station-Id = "74-8d-08-b1-f2-17" (2) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek" (2) NAS-Port = 4 (2) Cisco-AVPair = "audit-session-id=0a0102e1000001205fbba08c" (2) Acct-Session-Id = "5fbba08c/74:8d:08:b1:f2:17/352" (2) NAS-IP-Address = 10.1.2.225 (2) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031" (2) Airespace-Wlan-Id = 7 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) EAP-Message = 0x020300061500 (2) State = 0xca8e79cacb8d6ce3fd1d37ee8f32d170 (2) Message-Authenticator = 0xc7b01c5b471b2eb70578f1dc7ed6e7ea (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) eap: Peer sent EAP Response (code 2) ID 3 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xca8e79cacb8d6ce3 (2) eap: Finished EAP session with state 0xca8e79cacb8d6ce3 (2) eap: Previous EAP request found for state 0xca8e79cacb8d6ce3, released from the list (2) eap: Peer sent packet with method EAP TTLS (21) (2) eap: Calling submodule eap_ttls to process data (2) eap_ttls: Authenticate (2) eap_ttls: Continuing EAP-TLS (2) eap_ttls: Peer ACKed our handshake fragment (2) eap_ttls: [eaptls verify] = request (2) eap_ttls: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 4 length 336 (2) eap: EAP session adding &reply:State = 0xca8e79cac88a6ce3 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 216 from 10.0.0.4:1812 to 213.74.143.148:19733 length 0 (2) EAP-Message = 0x01040150158000000528d123b84f84592a0a7ccb12b23ec09a0c025464d3f258d5090bffa282b17870910449329f906380b0b4340ef2b6a1dc73e72d35763148b65bfc0401010038af8b17d95590598994e5ec35c96642e3e8fce291173f61b7e1ca06aa4b749dd3f2bbe12175a964524311069490e0f6 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xca8e79cac88a6ce3fd1d37ee8f32d170 (2) Finished request And here is the output of Android device : (2) Received Access-Request Id 59 from 213.74.143.148:38031 to 10.0.0.4:1812 length 312 (2) User-Name = "anonymous@nevotek.com" (2) Chargeable-User-Identity = 0x00 (2) Operator-Name = "1nevotek.com" (2) Location-Capable = Civic-Location (2) Calling-Station-Id = "04-b1-a1-53-4d-1e" (2) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek" (2) NAS-Port = 4 (2) Cisco-AVPair = "audit-session-id=0a0102e1000001275fbbbb17" (2) Acct-Session-Id = "5fbbbb17/04:b1:a1:53:4d:1e/359" (2) NAS-IP-Address = 10.1.2.225 (2) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031" (2) Airespace-Wlan-Id = 7 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) EAP-Message = 0x020300061500 (2) State = 0xd875f9c9d976ec270910ae6415adb475 (2) Message-Authenticator = 0xe92ebb9e5e7641c5515a25ae2ee50929 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) eap: Peer sent EAP Response (code 2) ID 3 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xd875f9c9d976ec27 (2) eap: Finished EAP session with state 0xd875f9c9d976ec27 (2) eap: Previous EAP request found for state 0xd875f9c9d976ec27, released from the list (2) eap: Peer sent packet with method EAP TTLS (21) (2) eap: Calling submodule eap_ttls to process data (2) eap_ttls: Authenticate (2) eap_ttls: Continuing EAP-TLS (2) eap_ttls: Peer ACKed our handshake fragment (2) eap_ttls: [eaptls verify] = request (2) eap_ttls: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 4 length 336 (2) eap: EAP session adding &reply:State = 0xd875f9c9da71ec27 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 59 from 10.0.0.4:1812 to 213.74.143.148:38031 length 0 (2) EAP-Message = 0x01040150158000000528a2e03207e6a1163699a1cff7af74692beaafff15b2a3033c4d0238dd7014db04f7f40d669da91832dd39bbdbfca1bdb456f26f4a981b5a820108040100b7a20cf24aad9d35b94575b849f9e8ef528d1b13e7caea59f3cc578845763a601b7fceb8ffda9d989423730b5ea4c0f3 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xd875f9c9da71ec270910ae6415adb475 (2) Finished request Waking up in 4.3 seconds. (3) Received Access-Request Id 60 from 213.74.143.148:38031 to 10.0.0.4:1812 length 319 (3) User-Name = "anonymous@nevotek.com" (3) Chargeable-User-Identity = 0x00 (3) Operator-Name = "1nevotek.com" (3) Location-Capable = Civic-Location (3) Calling-Station-Id = "04-b1-a1-53-4d-1e" (3) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek" (3) NAS-Port = 4 (3) Cisco-AVPair = "audit-session-id=0a0102e1000001275fbbbb17" (3) Acct-Session-Id = "5fbbbb17/04:b1:a1:53:4d:1e/359" (3) NAS-IP-Address = 10.1.2.225 (3) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031" (3) Airespace-Wlan-Id = 7 (3) Service-Type = Framed-User (3) Framed-MTU = 1300 (3) NAS-Port-Type = Wireless-802.11 (3) EAP-Message = 0x0204000d150015030300020230 (3) State = 0xd875f9c9da71ec270910ae6415adb475 (3) Message-Authenticator = 0xbd27e9cbdb496b0f8072580915cabc5d (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) eap: Peer sent EAP Response (code 2) ID 4 length 13 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xd875f9c9da71ec27 (3) eap: Finished EAP session with state 0xd875f9c9da71ec27 (3) eap: Previous EAP request found for state 0xd875f9c9da71ec27, released from the list (3) eap: Peer sent packet with method EAP TTLS (21) (3) eap: Calling submodule eap_ttls to process data (3) eap_ttls: Authenticate (3) eap_ttls: Continuing EAP-TLS (3) eap_ttls: [eaptls verify] = ok (3) eap_ttls: Done initial handshake (3) eap_ttls: <<< recv TLS 1.2 [length 0002] (3) eap_ttls: ERROR: TLS Alert read:fatal:unknown CA (3) eap_ttls: TLS_accept: Need to read more data: error (3) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (3) eap_ttls: In SSL Handshake Phase (3) eap_ttls: In SSL Accept mode (3) eap_ttls: SSL Application Data (3) eap_ttls: ERROR: TLS failed during operation (3) eap_ttls: ERROR: [eaptls process] = fail (3) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (3) eap: Sending EAP Failure (code 4) ID 4 length 4 (3) eap: Failed in EAP select (3) [eap] = invalid (3) } # authenticate = invalid (3) Failed to authenticate the user (3) Using Post-Auth-Type Reject (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Post-Auth-Type REJECT { (3) attr_filter.access_reject: EXPAND %{User-Name} (3) attr_filter.access_reject: --> anonymous@nevotek.com (3) attr_filter.access_reject: Matched entry DEFAULT at line 11 (3) [attr_filter.access_reject] = updated (3) [eap] = noop (3) policy remove_reply_message_if_eap { (3) if (&reply:EAP-Message && &reply:Reply-Message) { (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (3) else { (3) [noop] = noop (3) } # else = noop (3) } # policy remove_reply_message_if_eap = noop (3) } # Post-Auth-Type REJECT = updated (3) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (3) Sending delayed response (3) Sent Access-Reject Id 60 from 10.0.0.4:1812 to 213.74.143.148:38031 length 44 (3) EAP-Message = 0x04040004 (3) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.1 seconds. (0) Cleaning up request packet ID 57 with timestamp +25 Waking up in 0.2 seconds. (1) Cleaning up request packet ID 58 with timestamp +26 Waking up in 0.3 seconds. (2) Cleaning up request packet ID 59 with timestamp +26 Waking up in 0.2 seconds. (3) Cleaning up request packet ID 60 with timestamp +26 Regards. [http://www.nevotek.com/nevotekmail/logo.png] Mesut Ozturk R&D Senior Developer P: +902122867576 E: mesut@nevotek.com F: +902122867476 W: www.nevotek.com [http://www.nevotek.com/nevotekmail/maps-icon.png] Santa Clara-CA, USA<https://www.google.com/maps/place/5201+Great+America+Pkwy+%23320,+Santa+Clara,+CA+95054,+USA/@37.4063062,-121.978682,923m/data=!3m2!1e3!4b1!4m5!3m4!1s0x808fc9cc6fc08be1:0xa189e7ab47ebcdc!8m2!3d37.4063062!4d-121.9764933?hl=en> [http://www.nevotek.com/nevotekmail/maps-icon.png] Istanbul, TURKEY<https://www.google.com/maps/search/teknokent,+Istanbul,+Turkey/@41.106333,29.015257,876m/data=!3m1!1e3?hl=en> [http://www.nevotek.com/nevotekmail/maps-icon.png] Dubai, UAE<https://www.google.com/maps/place/Internet+City,+Building+%2314+-+Dubai+-+United+Arab+Emirates/@25.0984488,55.1609574,1052m/data=!3m2!1e3!4b1!4m13!1m7!3m6!1s0x3e5f6b696d88a9ab:0x6d495147845cd0f1!2sInternet+City,+Building+%2314+-+Dubai+-+United+Arab+Emirates!3b1!8m2!3d25.0983618!4d55.1631953!3m4!1s0x3e5f6b696d88a9ab:0x6d495147845cd0f1!8m2!3d25.0983618!4d55.1631953?hl=en> [www.nevotek.com]<www.nevotek.com>
On Nov 23, 2020, at 8:40 AM, Mesut Ozturk <mesut@nevotek.com> wrote: Please send messages to the list ONCE, and ONLY ONCE. There is NO NEED to send the SAME MESSAGE MULTIPLE TIMES. If you insist on posting the same messages multiple times, you will be banned from the list.
I desperately need your help. I am noob with FreeRadius so please guide me what i am doing wrong.
My point is using freeradius as a Proxy. Because we already have a PAP supported Radius, so i want to do eap auth part on freeradius and then Proxy the Access-request to our own Radius. We are trying 802.1x authantication.
That should work.
According to my readings i did below steps :
1 . Edit clients.conf for my mobile devices to Access freeradius ... 2. add home_server in proxy.conf ... 3. edit eap.cof ... 4. prepare Proxy.config soft link for sites-enabled, added nevotek in proxy-inner-tunnel:
Yes, all that should work.
But no chance. Also android and IOS devices has different behaviors.
Because they are configured differently.
And here is the output of Android device : ... (3) eap_ttls: <<< recv TLS 1.2 [length 0002] (3) eap_ttls: ERROR: TLS Alert read:fatal:unknown CA (3) eap_ttls: TLS_accept: Need to read more data: error (3) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
That's pretty definitive. The Android device wasn't configured with the CA used by FreeRADIUS. So... add the CA to the android system, and configure it to use that CA when authenticating to FreeRADIUS. Alan DeKok.
participants (2)
-
Alan DeKok -
Mesut Ozturk