Alan, others, Ok, we are trying to get wireless clients configured for 802.1x authentication by using wpa configured with pap authentication. This works fine on the Freeradius server if we authenticate against system. However, when we try to proxy to other non eap supported radius servers, it fails and we have tried a lot of permutations. We know that proxy works if we simply use NTradPing test utility. However, our XP clients using SecureW2 or Mac OS X ver3 simply wont work. Below are our critical configuration lines as well as output from Debug. If anyone might tell us what we might be doing wrong, we would very much appreciate it! users: DEFAULT Auth-Type := PAP, Proxy-To-Realm = stu Fall-Through = 1 proxy.conf: realm stu { type = radius authhost = stu.beloit.edu:1645 accthost = stu.beloit.edu:1646 secret = testpass } eap.conf: eap { default_eap_type = ttls ignore_unknown_eap_types = yes } tls { private_key_password = tempprivate private_key_file = ${raddbdir}/certs/server_keycert.pem certificate_file = ${raddbdir}/certs/server_keycert.pem CA_file = ${raddbdir}/certs/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random } ttls { # default_eap_type = md5 # copy_request_to_tunnel = yes # use_tunneled_reply = yes } Debug: rad_recv: Access-Request packet from host 144.89.40.251:1451, id=254, length=144 NAS-IP-Address = 144.89.40.251 NAS-Port-Type = Wireless-802.11 NAS-Port = 2 Framed-MTU = 1400 User-Name = "leadacid@stu" Calling-Station-Id = "00119551d683" Called-Station-Id = "0001e6ffc493" NAS-Identifier = "ISR Test -don't use" EAP-Message = 0x020b0011016c6561646163696440737475 Message-Authenticator = 0x3a44d6f0ad7b1f8b6b550b65142e2b60 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: Looking up realm "stu" for User-Name = "leadacid@stu" rlm_realm: Found realm "stu" rlm_realm: Adding Stripped-User-Name = "leadacid" rlm_realm: Proxying request from user leadacid to realm stu rlm_realm: Adding Realm = "stu" rlm_realm: Preparing to proxy authentication request to realm "stu" modcall[authorize]: module "suffix" returns updated for request 5 rlm_eap: Request is supposed to be proxied to Realm stu. Not doing EAP. modcall[authorize]: module "eap" returns noop for request 5 modcall[authorize]: module "files" returns notfound for request 5 modcall: group authorize returns updated for request 5 Sending Access-Request of id 0 to 144.89.40.6:1645 NAS-IP-Address = 144.89.40.251 NAS-Port-Type = Wireless-802.11 NAS-Port = 2 Framed-MTU = 1400 User-Name = "leadacid" Calling-Station-Id = "00119551d683" Called-Station-Id = "0001e6ffc493" NAS-Identifier = "ISR Test -don't use" EAP-Message = 0x020b0011016c6561646163696440737475 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x323534 --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Reject packet from host 144.89.40.6:1645, id=0, length=25 Proxy-State = 0x323534 Processing the post-proxy section of radiusd.conf modcall: entering group post-proxy for request 5 modcall[post-proxy]: module "eap" returns noop for request 5 modcall: group post-proxy returns noop for request 5 Delaying request 5 for 1 seconds Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 144.89.40.251:1451, id=254, length=144 Sending Access-Reject of id 254 to 144.89.40.251:1451 Tim Tyler Network Engineer
"Tim Tyler" <tyler@beloit.edu> wrote:
users: DEFAULT Auth-Type := PAP, Proxy-To-Realm = stu Fall-Through = 1
This makes no sense. It says "do PAP authentication, but don't do PAP, do proxy".
ttls { # default_eap_type = md5 # copy_request_to_tunnel = yes # use_tunneled_reply = yes }
I suggest uncommenting those 3 lines.
rlm_realm: Preparing to proxy authentication request to realm "stu"
...
rlm_eap: Request is supposed to be proxied to Realm stu. Not doing EAP. modcall[authorize]: module "eap" returns noop for request 5
You've sent the server an EAP message, but *also* told it to proxy the request to realm "stu". As a result, the server doesn't do PAP, CHAP, MSCHAP, or EAP. Instead, it proxies the request to realm "stu", as you told it to do. The solution is to use the "users" file entry I previously sent you: DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "stu" That will proxy the tunneled session, and ONLY the tunneled session to realm "stu". Alan DeKok.
participants (2)
-
Alan DeKok -
Tim Tyler