EAP with a non EAP Radius server
Hi, I want to use eap to authenticate Wireless users on an radius server wich don't know EAP protocol. It seems that is possible to do that using a proxy freeradius. The architecture should be : Access Point as a NAS Freeradius as a proxy Radius server without EAP 192.168.0.250 192.168.0.64 192.168.0.252 <-------------------------------EAP-----------------------------------------> <-----------------------------------MS-CHAP v2 or other--------------------------------------------------------------------> The idea is to convert an EAP Response/Identity to a radius Access-Request without EAP inside As the first radius i use freeradius Version 2.0.4 As the second one, i use IAS (just to test, but in the final configuration, it will not) When i configure IAS with EAP method in Remote access Policy, it works. When I remove EAP method from IAS, it's not. The problem is that freeradius is acting as a proxy without removing EAP and it is not what i want. This is the modifications i did on configuration files, ask me if you need more proxy.conf : realm DEFAULT { authhost = 192.168.0.252:1812 accthost = 192.168.0.252:1813 secret = secret } eap.conf : ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = no virtual_server = "inner-tunnel" } On wireless, i tried TTLS and PEAP with same unsuccessfull result. That is freeradius log : Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.250 port 32769, id=30, length=229 Acct-Session-Id = "8b0b0795-0000009c" NAS-Port = 157 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "AP1" NAS-IP-Address = 192.168.0.250 Framed-MTU = 1496 User-Name = "test" Calling-Station-Id = "00-13-02-C4-80-4C" Called-Station-Id = "00-0F-61-FE-EF-D2" Service-Type = Framed-User EAP-Message = 0x021a00090174657374 Colubris-AVPair = "ssid=test2" Colubris-AVPair = "vsc-unique-id=3" Colubris-AVPair = "phytype=IEEE802dot11g" Colubris-Attr-250 = 0x00000000 Colubris-Attr-249 = 0x00000000 Message-Authenticator = 0x0ed85e6e5c0765e5390b037233c60d73 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: Found realm "DEFAULT" rlm_realm: Adding Stripped-User-Name = "test" rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Proxying request from user test to realm DEFAULT rlm_realm: Preparing to proxy authentication request to realm "DEFAULT" ++[suffix] returns updated rlm_eap: Request is supposed to be proxied to Realm DEFAULT. Not doing EAP. ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Sending Access-Request of id 224 to 192.168.0.252 port 1812 Acct-Session-Id = "8b0b0795-0000009c" NAS-Port = 157 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "AP1" NAS-IP-Address = 192.168.0.250 Framed-MTU = 1496 User-Name = "test" Calling-Station-Id = "00-13-02-C4-80-4C" Called-Station-Id = "00-0F-61-FE-EF-D2" Service-Type = Framed-User EAP-Message = 0x021a00090174657374 Colubris-AVPair = "ssid=test2" Colubris-AVPair = "vsc-unique-id=3" Colubris-AVPair = "phytype=IEEE802dot11g" Colubris-Attr-250 = 0x00000000 Colubris-Attr-249 = 0x00000000 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x3330 Proxying request 1 to home server 192.168.0.252 port 1812 Sending Access-Request of id 224 to 192.168.0.252 port 1812 Acct-Session-Id = "8b0b0795-0000009c" NAS-Port = 157 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "AP1" NAS-IP-Address = 192.168.0.250 Framed-MTU = 1496 User-Name = "test" Calling-Station-Id = "00-13-02-C4-80-4C" Called-Station-Id = "00-0F-61-FE-EF-D2" Service-Type = Framed-User EAP-Message = 0x021a00090174657374 Colubris-AVPair = "ssid=test2" Colubris-AVPair = "vsc-unique-id=3" Colubris-AVPair = "phytype=IEEE802dot11g" Colubris-Attr-250 = 0x00000000 Colubris-Attr-249 = 0x00000000 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x3330 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Reject packet from host 192.168.0.252 port 1812, id=224, length=24 Proxy-State = 0x3330 +- entering group post-proxy rlm_eap: No pre-existing handler found ++[eap] returns noop Login incorrect (Home Server says so): [test/<no User-Password attribute>] (from client AP1 port 157 cli 00-13-02-C4-80-4C) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 30 to 192.168.0.250 port 32769 Waking up in 4.9 seconds. On IAS Server, this is the error message (Sorry it is a french version, but the idea is IAS receive EAP message) L'accès a été refusé à l'utilisateur test. Nom-Complet-Utilisateur = jacques.net/Users/test Adresse-IP-NAS = 192.168.0.250 Identificateur-NAS = AP1 Identificateur-Station-Appelée = 00-0F-61-FE-EF-D2 Identificateur-Station-Appelante = 00-13-02-C4-80-4C Nom-Convivial-Client = freeradius Adresse-IP-Client = 192.168.0.64 Type-Port-NAS = Wireless - IEEE 802.11 Port-NAS = 107 Proxy-Policy-Name = test Authentication-Provider = Windows Authentication-Server = <non déterminé> Policy-Name = test Authentication-Type = EAP EAP-Type = <non déterminé> Reason-Code = 66 Reason = L'utilisateur a essayé d'utiliser une méthode d'authentification qui n'est pas activée sur la stratégie d'accès à distance correspondante. Le nom de la stratégie d'accès à distance correspondante. Pour plus d'informations, consultez le centre Aide et support à l'adresse http://go.microsoft.com/fwlink/events.asp. I hope you could help me. -- Jacques
I want to use eap to authenticate Wireless users on an radius server wich don't know EAP protocol. It seems that is possible to do that using a proxy freeradius .... As the first radius i use freeradius Version 2.0.4
Use current version. See raddb/sites-available/proxy-inner-tunnel. Ivan Kalik Kalik Informatika ISP
Hi, I copied proxy-inner-tunnel from sites-available to sites-enabled I declared proxy-inner-tunnel in eap.conf but unfortunaly, EAP is still proxified *eap.conf* ttls { default_eap_type = mschapv2 copy_request_to_tunnel = yes (or no) use_tunneled_reply = yes (or no) virtual_server = "proxy-inner-tunnel" } *proxy-inner-tunnel* server proxy-inner-tunnel { authorize { update control { Proxy-To-Realm := LOCAL } } authenticate { eap } post-proxy { eap } } 2009/9/26 Ivan Kalik <tnt@kalik.net>
I want to use eap to authenticate Wireless users on an radius server wich don't know EAP protocol. It seems that is possible to do that using a proxy freeradius .... As the first radius i use freeradius Version 2.0.4
Use current version. See raddb/sites-available/proxy-inner-tunnel.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Jacques FOUCHER
I copied proxy-inner-tunnel from sites-available to sites-enabled I declared proxy-inner-tunnel in eap.conf but unfortunaly, EAP is still proxified
*eap.conf* ttls { default_eap_type = mschapv2 copy_request_to_tunnel = yes (or no) use_tunneled_reply = yes (or no) virtual_server = "proxy-inner-tunnel" }
*proxy-inner-tunnel* server proxy-inner-tunnel { authorize { update control { Proxy-To-Realm := LOCAL } }
authenticate { eap }
post-proxy { eap } }
Use <proxy_tunneled_request_as_eap = no> in eap.conf. Example for EAP-PEAP: eap.conf: eap { default_eap_type = mschapv2 timer_expire = 60 ignore_unknown_eap_types = yes cisco_accounting_username_bug = no max_sessions = 2048 tls { ... } peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = no virtual_server = "proxy-inner-tunnel" } mschapv2 { } } proxy-inner-tunnel: server proxy-inner-tunnel { authorize { update control { # You should update this to be one of your realms. Proxy-To-Realm := "BILLING" } } authenticate { eap } post-proxy { eap } } proxy.conf: realm BILLING { authhost = 192.168.0.252:1812 secret = secret } -- Best regards, Daniil Kharun
Hi everybody, thanks to Daniil and Yvan who helped me, but unfortunalety, my problem still alive. First , I want to explain again what I want to do, because may be there is a missunderstanding. I have a wireless system wich need EAP and my users are allready known in a Radius system (Radius n°2) wich don't know that protocol. The idea is to use in between a freeradius (Radius n°1) wich will convert EAP-Response/Identity from Access Point and will forward Radius Access-Request without EAP message inside to my existing Radius server (Radius n°2). My problem IS NOT to manage some requests with EAP and some without. May be some of you understood that ? This weekend, i updated frreradius to the last version 2.1.7. I changed configuration files too. But problem didn't change : Radius n°2 receive EAP request that it don't know how to manage them. This is the last modifications I did : Supplicant is configuring for PEAP MSCHAPv2 (I tryied with TTLS but main problem is the same) *raddb/proxy.conf* realm jacques.net { authhost = 192.168.0.252:1812 accthost = 192.168.0.252:1813 secret = secret } *raddb/**eap.conf* peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = no virtual_server = "proxy-inner-tunnel" } mschapv2 { } } *raddb/**sites-enabled/proxy-inner-tunnel* server proxy-inner-tunnel { authorize { update control { Proxy-To-Realm := "jacques.net" } } authenticate { eap } post-proxy { eap } } I have a "big" answer. When i configure an external radius server in proxy.conf . Is eap.conf is use ? Because it is like it was not. Best regards
The idea is to use in between a freeradius (Radius n°1) wich will convert EAP-Response/Identity from Access Point and will forward Radius Access-Request without EAP message inside to my existing Radius server (Radius n°2).
This weekend, i updated frreradius to the last version 2.1.7. I changed configuration files too. But problem didn't change : Radius n°2 receive EAP request that it don't know how to manage them.
Post the debug (server startup + request handling).
This is the last modifications I did : Supplicant is configuring for PEAP MSCHAPv2 (I tryied with TTLS but main problem is the same) *raddb/proxy.conf* realm jacques.net { authhost = 192.168.0.252:1812 accthost = 192.168.0.252:1813 secret = secret }
Is your username something like user@jacques.net? With a name like that outer request will get proxied too if you have suffix/whatever enabled. Ivan Kalik Kalik Informatika ISP
thanks Yvan, looking at debug, I saw : Ignoring EAP-Type/tls because we do not have OpenSSL support. Ignoring EAP-Type/ttls because we do not have OpenSSL support. Ignoring EAP-Type/peap because we do not have OpenSSL support. So: I installed that : apt-get install openssl apt-get install libssl-devdebian:/usr/local/etc/raddb apt-get install libcurl4-openssl-dev debian:/tmp/freeradius-server-2.1.7# dpkg -l | grep ssl ii libcurl4-openssl-dev 7.18.2-8lenny3 Development files and documentation for libcurl (OpenSSL) ii libssl-dev 0.9.8g-15+lenny5 SSL development libraries, header files and documentation ii libssl0.9.8 0.9.8g-15+lenny5 SSL shared libraries ii openssl 0.9.8g-15+lenny5 Secure Socket Layer (SSL) binary and related cryptographic too Then I removed freeradius rm -rf /usr/local/etc/raddb rm -rf /usr/local/etc/raddb and reinstalled it (./configure, make, make install) but error messages about ignoring EAP-Type stay alive. Do you have an idea ? Could it be my problem. Jacques who go in bed right now
Hi,
Ignoring EAP-Type/tls because we do not have OpenSSL support. Ignoring EAP-Type/ttls because we do not have OpenSSL support. Ignoring EAP-Type/peap because we do not have OpenSSL support.
okay - so built without required SLS Development stuff installed
and reinstalled it (./configure, make, make install)
..and it still didnt work - did you check the outout of that ./configure (eg ./configure | grep WARN) to see any nastiness like no SSL support - you need to ensure that things get found - eg 'make clean' first to make sure everything is cleared up first. alan
The problem about opennssl is solved afer make clean or/and reboot but my main problem about converting EAP-Response/Identity to Radius Access-Request without EAP message inside to my existing Radius server stay alive :-( This is the debug message : debian:~# radiusd -X FreeRADIUS Version 2.1.7, for host i686-pc-linux-gnu, built on Sep 29 2009 at 07:38:47 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/modules/ including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/wimax including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/unix including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/smsotp including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/perl including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/cui including configuration file /usr/local/etc/raddb/modules/otp including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/control-socket including configuration file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel including dictionary file /usr/local/etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/usr/local/var" logdir = "/usr/local/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } realm jacques.net { authhost = 192.168.0.252:1812 accthost = 192.168.0.252:1813 secret = lrnp2tlm } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.0.250 { require_message_authenticator = no secret = "lrnp2tlm" shortname = "AP-Cheops" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server proxy-inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = no virtual_server = "proxy-inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Checking post-proxy {...} for more modules to load } # modules } # server server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp" } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/usr/local/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/usr/local/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /usr/local/var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.250 port 32769, id=245, length=253 Acct-Session-Id = "d19167a1-00000006" NAS-Port = 7 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "AP1" NAS-IP-Address = 192.168.0.250 Framed-MTU = 1496 User-Name = "test@jacques.net" Calling-Station-Id = "00-13-02-C4-80-4C" Called-Station-Id = "00-0F-61-FE-EF-D2" Service-Type = Framed-User EAP-Message = 0x023400150174657374406a6163717565732e6e6574 Colubris-AVPair = "ssid=test2" Colubris-AVPair = "vsc-unique-id=3" Colubris-AVPair = "phytype=IEEE802dot11g" Colubris-Attr-250 = 0x00000000 Colubris-Attr-249 = 0x00000000 Message-Authenticator = 0xf8e3a67508d878cb48d23e3e11af4702 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "jacques.net" for User-Name = "test@jacques.net" [suffix] Found realm "jacques.net" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "jacques.net" [suffix] Proxying request from user test to realm jacques.net [suffix] Preparing to proxy authentication request to realm "jacques.net" ++[suffix] returns updated [eap] Request is supposed to be proxied to Realm jacques.net. Not doing EAP. ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty section. Using default return values. Sending Access-Request of id 155 to 192.168.0.252 port 1812 Acct-Session-Id = "d19167a1-00000006" NAS-Port = 7 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "AP1" NAS-IP-Address = 192.168.0.250 Framed-MTU = 1496 User-Name = "test" Calling-Station-Id = "00-13-02-C4-80-4C" Called-Station-Id = "00-0F-61-FE-EF-D2" Service-Type = Framed-User EAP-Message = 0x023400150174657374406a6163717565732e6e6574 Colubris-AVPair = "ssid=test2" Colubris-AVPair = "vsc-unique-id=3" Colubris-AVPair = "phytype=IEEE802dot11g" Colubris-Attr-250 = 0x00000000 Colubris-Attr-249 = 0x00000000 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x323435 Proxying request 0 to home server 192.168.0.252 port 1812 Sending Access-Request of id 155 to 192.168.0.252 port 1812 Acct-Session-Id = "d19167a1-00000006" NAS-Port = 7 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "AP1" NAS-IP-Address = 192.168.0.250 Framed-MTU = 1496 User-Name = "test" Calling-Station-Id = "00-13-02-C4-80-4C" Called-Station-Id = "00-0F-61-FE-EF-D2" Service-Type = Framed-User EAP-Message = 0x023400150174657374406a6163717565732e6e6574 Colubris-AVPair = "ssid=test2" Colubris-AVPair = "vsc-unique-id=3" Colubris-AVPair = "phytype=IEEE802dot11g" Colubris-Attr-250 = 0x00000000 Colubris-Attr-249 = 0x00000000 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x323435 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Reject packet from host 192.168.0.252 port 1812, id=155, length=25 Proxy-State = 0x323435 +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test@jacques.net attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 245 to 192.168.0.250 port 32769 Waking up in 4.9 seconds. ^C 2009/9/27 Jacques FOUCHER <jacques.foucher@gmail.com>
Hi everybody,
thanks to Daniil and Yvan who helped me, but unfortunalety, my problem still alive.
First , I want to explain again what I want to do, because may be there is a missunderstanding. I have a wireless system wich need EAP and my users are allready known in a Radius system (Radius n°2) wich don't know that protocol. The idea is to use in between a freeradius (Radius n°1) wich will convert EAP-Response/Identity from Access Point and will forward Radius Access-Request without EAP message inside to my existing Radius server (Radius n°2). My problem IS NOT to manage some requests with EAP and some without. May be some of you understood that ?
This weekend, i updated frreradius to the last version 2.1.7. I changed configuration files too. But problem didn't change : Radius n°2 receive EAP request that it don't know how to manage them. This is the last modifications I did : Supplicant is configuring for PEAP MSCHAPv2 (I tryied with TTLS but main problem is the same) *raddb/proxy.conf* realm jacques.net { authhost = 192.168.0.252:1812 accthost = 192.168.0.252:1813 secret = secret } *raddb/**eap.conf* peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = no virtual_server = "proxy-inner-tunnel" }
mschapv2 { } }
*raddb/**sites-enabled/proxy-inner-tunnel* server proxy-inner-tunnel { authorize { update control { Proxy-To-Realm := "jacques.net" } } authenticate { eap } post-proxy { eap } }
I have a "big" answer. When i configure an external radius server in proxy.conf . Is eap.conf is use ? Because it is like it was not.
Best regards
-- Jacques FOUCHER
The problem about opennssl is solved afer make clean or/and reboot but my main problem about converting EAP-Response/Identity to Radius Access-Request without EAP message inside to my existing Radius server stay alive :-(
I was under the impression that I have told you what is the likely problem. Now that you posted the debug it turns out that it is.
rad_recv: Access-Request packet from host 192.168.0.250 port 32769, id=245, length=253 ... User-Name = "test@jacques.net" ... [suffix] Looking up realm "jacques.net" for User-Name = "test@jacques.net" [suffix] Found realm "jacques.net" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "jacques.net" [suffix] Proxying request from user test to realm jacques.net ...
Comment suffix out. Let proxy-inner-tunnel virtual server proxy the request when it feels like it. Ivan Kalik Kalik Informatika ISP
Hi, is it possible that because of the configuration of the proxy.conf (proxying to an external radius), I don't use configuration on eap.conf (wich would be use only for local authentication) ? It would be the explanation i send EAP messages. 2009/9/26 Jacques FOUCHER <jacques.foucher@gmail.com>
Hi,
I want to use eap to authenticate Wireless users on an radius server wich don't know EAP protocol. It seems that is possible to do that using a proxy freeradius. The architecture should be :
Access Point as a NAS Freeradius as a proxy Radius server without EAP 192.168.0.250 192.168.0.64 192.168.0.252
<-------------------------------EAP-----------------------------------------> <-----------------------------------MS-CHAP v2 or other-------------------------------------------------------------------->
The idea is to convert an EAP Response/Identity to a radius Access-Request without EAP inside
As the first radius i use freeradius Version 2.0.4 As the second one, i use IAS (just to test, but in the final configuration, it will not)
When i configure IAS with EAP method in Remote access Policy, it works. When I remove EAP method from IAS, it's not. The problem is that freeradius is acting as a proxy without removing EAP and it is not what i want.
This is the modifications i did on configuration files, ask me if you need more
proxy.conf : realm DEFAULT { authhost = 192.168.0.252:1812 accthost = 192.168.0.252:1813 secret = secret }
eap.conf : ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = no virtual_server = "inner-tunnel" }
On wireless, i tried TTLS and PEAP with same unsuccessfull result. That is freeradius log : Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.250 port 32769, id=30, length=229 Acct-Session-Id = "8b0b0795-0000009c" NAS-Port = 157 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "AP1" NAS-IP-Address = 192.168.0.250 Framed-MTU = 1496 User-Name = "test" Calling-Station-Id = "00-13-02-C4-80-4C" Called-Station-Id = "00-0F-61-FE-EF-D2" Service-Type = Framed-User EAP-Message = 0x021a00090174657374 Colubris-AVPair = "ssid=test2" Colubris-AVPair = "vsc-unique-id=3" Colubris-AVPair = "phytype=IEEE802dot11g" Colubris-Attr-250 = 0x00000000 Colubris-Attr-249 = 0x00000000 Message-Authenticator = 0x0ed85e6e5c0765e5390b037233c60d73 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: Found realm "DEFAULT" rlm_realm: Adding Stripped-User-Name = "test" rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Proxying request from user test to realm DEFAULT rlm_realm: Preparing to proxy authentication request to realm "DEFAULT" ++[suffix] returns updated rlm_eap: Request is supposed to be proxied to Realm DEFAULT. Not doing EAP. ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Sending Access-Request of id 224 to 192.168.0.252 port 1812 Acct-Session-Id = "8b0b0795-0000009c" NAS-Port = 157 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "AP1" NAS-IP-Address = 192.168.0.250 Framed-MTU = 1496 User-Name = "test" Calling-Station-Id = "00-13-02-C4-80-4C" Called-Station-Id = "00-0F-61-FE-EF-D2" Service-Type = Framed-User EAP-Message = 0x021a00090174657374 Colubris-AVPair = "ssid=test2" Colubris-AVPair = "vsc-unique-id=3" Colubris-AVPair = "phytype=IEEE802dot11g" Colubris-Attr-250 = 0x00000000 Colubris-Attr-249 = 0x00000000 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x3330 Proxying request 1 to home server 192.168.0.252 port 1812 Sending Access-Request of id 224 to 192.168.0.252 port 1812 Acct-Session-Id = "8b0b0795-0000009c" NAS-Port = 157 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "AP1" NAS-IP-Address = 192.168.0.250 Framed-MTU = 1496 User-Name = "test" Calling-Station-Id = "00-13-02-C4-80-4C" Called-Station-Id = "00-0F-61-FE-EF-D2" Service-Type = Framed-User EAP-Message = 0x021a00090174657374 Colubris-AVPair = "ssid=test2" Colubris-AVPair = "vsc-unique-id=3" Colubris-AVPair = "phytype=IEEE802dot11g" Colubris-Attr-250 = 0x00000000 Colubris-Attr-249 = 0x00000000 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x3330 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Reject packet from host 192.168.0.252 port 1812, id=224, length=24 Proxy-State = 0x3330 +- entering group post-proxy rlm_eap: No pre-existing handler found ++[eap] returns noop Login incorrect (Home Server says so): [test/<no User-Password attribute>] (from client AP1 port 157 cli 00-13-02-C4-80-4C) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 30 to 192.168.0.250 port 32769 Waking up in 4.9 seconds.
On IAS Server, this is the error message (Sorry it is a french version, but the idea is IAS receive EAP message)
L'accès a été refusé à l'utilisateur test. Nom-Complet-Utilisateur = jacques.net/Users/test Adresse-IP-NAS = 192.168.0.250 Identificateur-NAS = AP1 Identificateur-Station-Appelée = 00-0F-61-FE-EF-D2 Identificateur-Station-Appelante = 00-13-02-C4-80-4C Nom-Convivial-Client = freeradius Adresse-IP-Client = 192.168.0.64 Type-Port-NAS = Wireless - IEEE 802.11 Port-NAS = 107 Proxy-Policy-Name = test Authentication-Provider = Windows Authentication-Server = <non déterminé> Policy-Name = test Authentication-Type = EAP EAP-Type = <non déterminé> Reason-Code = 66 Reason = L'utilisateur a essayé d'utiliser une méthode d'authentification qui n'est pas activée sur la stratégie d'accès à distance correspondante. Le nom de la stratégie d'accès à distance correspondante.
Pour plus d'informations, consultez le centre Aide et support à l'adresse http://go.microsoft.com/fwlink/events.asp.
I hope you could help me. -- Jacques
-- Jacques FOUCHER
participants (4)
-
Alan Buxey -
Daniil Kharun -
Ivan Kalik -
Jacques FOUCHER