Free radius as Proxy EAP-PEAP-GTC User-Password is never set
Hi Is EAP-PEAP-GTC User-Password is set while using Free Radius as a proxy? We have a radius server which does not understand EAP. We want to authenticate the WiFi clients with this server. In order to achieve this we have configured the Free Radius as proxy (EAP-PEAP-GTC). But this does not seems to be working as at our server end we do not receive clear text password. Here is the radiusd debug output: main { name = "radiusd" prefix = "/home/freeradius" localstatedir = "/home/freeradius/var" sbindir = "/home/freeradius/sbin" logdir = "/home/freeradius/var/log/radius" run_dir = "/home/freeradius/var/run/radiusd" libdir = "/home/freeradius/lib" radacctdir = "/home/freeradius/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/home/freeradius/var/run/radiusd/radiusd.pid" checkrad = "/home/freeradius/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } realm DEVLAB { authhost = 10.141.148.91:1812 secret = testing123 } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client netmotion { ipaddr = 10.141.150.34 require_message_authenticator = no secret = "testing123" nastype = "other" } client wifi { ipaddr = 10.141.148.220 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /home/freeradius/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /home/freeradius/etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /home/freeradius/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /home/freeradius/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /home/freeradius/etc/raddb/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /home/freeradius/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /home/freeradius/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /home/freeradius/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /home/freeradius/etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /home/freeradius/etc/raddb/modules/unix unix { radwtmp = "/home/freeradius/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /home/freeradius/etc/raddb/eap.conf eap { default_eap_type = "gtc" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/home/freeradius/etc/raddb/certs" pem_file_type = yes private_key_file = "/home/freeradius/etc/raddb/certs/server.pem" certificate_file = "/home/freeradius/etc/raddb/certs/server.pem" CA_file = "/home/freeradius/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/home/freeradius/etc/raddb/certs/dh" random_file = "/home/freeradius/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/home/freeradius/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "gtc" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = no virtual_server = "proxy-inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /home/freeradius/etc/raddb/modules/preprocess preprocess { huntgroups = "/home/freeradius/etc/raddb/huntgroups" hints = "/home/freeradius/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /home/freeradius/etc/raddb/huntgroups reading pairlist file /home/freeradius/etc/raddb/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /home/freeradius/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /home/freeradius/etc/raddb/modules/files files { usersfile = "/home/freeradius/etc/raddb/users" acctusersfile = "/home/freeradius/etc/raddb/acct_users" preproxy_usersfile = "/home/freeradius/etc/raddb/preproxy_users" compat = "no" } reading pairlist file /home/freeradius/etc/raddb/users reading pairlist file /home/freeradius/etc/raddb/acct_users reading pairlist file /home/freeradius/etc/raddb/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /home/freeradius/etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /home/freeradius/etc/raddb/modules/detail detail { detailfile = "/home/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /home/freeradius/etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/home/freeradius/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /home/freeradius/etc/raddb/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /home/freeradius/etc/raddb/modules/radutmp radutmp { filename = "/home/freeradius/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /home/freeradius/etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/home/freeradius/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /home/freeradius/etc/raddb/attrs.access_reject } # modules } # server server proxy-inner-tunnel { # from file /home/freeradius/etc/raddb/sites-enabled/proxy-inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking post-proxy {...} for more modules to load } # modules } # server server inner-tunnel { # from file /home/freeradius/etc/raddb/sites-enabled/inner-tunnel modules { Module: Creating Auth-Type = inner-eap Module: Checking authenticate {...} for more modules to load Module: Instantiating module "inner-eap" from file /home/freeradius/etc/raddb/modules/inner-eap eap inner-eap { default_eap_type = "gtc" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Enter your Security Code innear-eap: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/home/freeradius/etc/raddb/certs/server.pem" certificate_file = "/home/freeradius/etc/raddb/certs/server.pem" CA_file = "/home/freeradius/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/home/freeradius/etc/raddb/certs/dh" random_file = "/home/freeradius/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" } Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/home/freeradius/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 51628 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /home/freeradius/var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.141.150.34 port 50001, id=159, length=88 NAS-Identifier = "symc-2k8-150-34" User-Name = "user3" Calling-Station-Id = "0000005e5554" EAP-Message = 0x0200000a017573657233 Message-Authenticator = 0x2863faee4523a276cbac192585bb7c6c # Executing section authorize from file /home/freeradius/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "user3", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /home/freeradius/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type gtc [gtc] expand: Password: -> Password: ++[eap] returns handled Sending Access-Challenge of id 159 to 10.141.150.34 port 50001 EAP-Message = 0x0101000f0650617373776f72643a20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0f2467dc0f2561157cc843c3aeb740bb Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.141.150.34 port 50001, id=160, length=103 NAS-Identifier = "symc-2k8-150-34" User-Name = "user3" Calling-Station-Id = "0000005e5554" EAP-Message = 0x0201000703190d Message-Authenticator = 0x9ca44cf06d9b92a8d8423fdfe6a12c71 State = 0x0f2467dc0f2561157cc843c3aeb740bb # Executing section authorize from file /home/freeradius/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "user3", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 7 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /home/freeradius/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 160 to 10.141.150.34 port 50001 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0f2467dc0e267e157cc843c3aeb740bb Finished request 1. Going to the next request Waking up in 4.9 seconds.
Hi Is EAP-PEAP-GTC User-Password is set while using Free Radius as a proxy? We have a radius server which does not understand EAP. We want to authenticate the WiFi clients with this server. In order to achieve this we have configured the Free Radius as proxy (EAP-PEAP-GTC). But this does not seems to be working as at our server end we do not receive clear text password. Here is the radiusd debug output: main { name = "radiusd" prefix = "/home/freeradius" localstatedir = "/home/freeradius/var" sbindir = "/home/freeradius/sbin" logdir = "/home/freeradius/var/log/radius" run_dir = "/home/freeradius/var/run/radiusd" libdir = "/home/freeradius/lib" radacctdir = "/home/freeradius/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/home/freeradius/var/run/radiusd/radiusd.pid" checkrad = "/home/freeradius/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } realm DEVLAB { authhost = 10.141.148.91:1812 secret = testing123 } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client netmotion { ipaddr = 10.141.150.34 require_message_authenticator = no secret = "testing123" nastype = "other" } client wifi { ipaddr = 10.141.148.220 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /home/freeradius/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /home/freeradius/etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /home/freeradius/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /home/freeradius/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /home/freeradius/etc/raddb/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /home/freeradius/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /home/freeradius/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /home/freeradius/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /home/freeradius/etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /home/freeradius/etc/raddb/modules/unix unix { radwtmp = "/home/freeradius/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /home/freeradius/etc/raddb/eap.conf eap { default_eap_type = "gtc" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/home/freeradius/etc/raddb/certs" pem_file_type = yes private_key_file = "/home/freeradius/etc/raddb/certs/server.pem" certificate_file = "/home/freeradius/etc/raddb/certs/server.pem" CA_file = "/home/freeradius/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/home/freeradius/etc/raddb/certs/dh" random_file = "/home/freeradius/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/home/freeradius/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "gtc" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = no virtual_server = "proxy-inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /home/freeradius/etc/raddb/modules/preprocess preprocess { huntgroups = "/home/freeradius/etc/raddb/huntgroups" hints = "/home/freeradius/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /home/freeradius/etc/raddb/huntgroups reading pairlist file /home/freeradius/etc/raddb/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /home/freeradius/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /home/freeradius/etc/raddb/modules/files files { usersfile = "/home/freeradius/etc/raddb/users" acctusersfile = "/home/freeradius/etc/raddb/acct_users" preproxy_usersfile = "/home/freeradius/etc/raddb/preproxy_users" compat = "no" } reading pairlist file /home/freeradius/etc/raddb/users reading pairlist file /home/freeradius/etc/raddb/acct_users reading pairlist file /home/freeradius/etc/raddb/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /home/freeradius/etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /home/freeradius/etc/raddb/modules/detail detail { detailfile = "/home/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /home/freeradius/etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/home/freeradius/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /home/freeradius/etc/raddb/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /home/freeradius/etc/raddb/modules/radutmp radutmp { filename = "/home/freeradius/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /home/freeradius/etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/home/freeradius/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /home/freeradius/etc/raddb/attrs.access_reject } # modules } # server server proxy-inner-tunnel { # from file /home/freeradius/etc/raddb/sites-enabled/proxy-inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking post-proxy {...} for more modules to load } # modules } # server server inner-tunnel { # from file /home/freeradius/etc/raddb/sites-enabled/inner-tunnel modules { Module: Creating Auth-Type = inner-eap Module: Checking authenticate {...} for more modules to load Module: Instantiating module "inner-eap" from file /home/freeradius/etc/raddb/modules/inner-eap eap inner-eap { default_eap_type = "gtc" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Enter your Security Code innear-eap: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/home/freeradius/etc/raddb/certs/server.pem" certificate_file = "/home/freeradius/etc/raddb/certs/server.pem" CA_file = "/home/freeradius/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/home/freeradius/etc/raddb/certs/dh" random_file = "/home/freeradius/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" } Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/home/freeradius/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 51628 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /home/freeradius/var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.141.150.34 port 50001, id=159, length=88 NAS-Identifier = "symc-2k8-150-34" User-Name = "user3" Calling-Station-Id = "0000005e5554" EAP-Message = 0x0200000a017573657233 Message-Authenticator = 0x2863faee4523a276cbac192585bb7c6c # Executing section authorize from file /home/freeradius/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "user3", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /home/freeradius/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type gtc [gtc] expand: Password: -> Password: ++[eap] returns handled Sending Access-Challenge of id 159 to 10.141.150.34 port 50001 EAP-Message = 0x0101000f0650617373776f72643a20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0f2467dc0f2561157cc843c3aeb740bb Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.141.150.34 port 50001, id=160, length=103 NAS-Identifier = "symc-2k8-150-34" User-Name = "user3" Calling-Station-Id = "0000005e5554" EAP-Message = 0x0201000703190d Message-Authenticator = 0x9ca44cf06d9b92a8d8423fdfe6a12c71 State = 0x0f2467dc0f2561157cc843c3aeb740bb # Executing section authorize from file /home/freeradius/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "user3", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 7 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /home/freeradius/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 160 to 10.141.150.34 port 50001 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0f2467dc0e267e157cc843c3aeb740bb Finished request 1. Going to the next request Waking up in 4.9 seconds.
Alan Can you please help out how to achieve it or else you can point out what's wrong in our configuration. Thanks in advance ----- Original Message ----- From: Alan DeKok [mailto:aland@deployingradius.com] Sent: Tuesday, May 07, 2013 05:52 AM Pacific Standard Time To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Free radius as Proxy EAP-PEAP-GTC User-Password is never set Sankalp Dubey wrote:
Is EAP-PEAP-GTC User-Password is set while using Free Radius as a proxy?
No. The GTC password isn't copied to User-Password when proxying. It probably wouldn't be hard to do, though. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan Can you please provide some pointers on where to carry out code change to achieve this. Thanks n regards Sankalp Dubey -----Original Message----- From: freeradius-users-bounces+sankalp_dubey=symantec.com@lists.freeradius.org [mailto:freeradius-users-bounces+sankalp_dubey=symantec.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, May 07, 2013 7:07 PM To: FreeRadius users mailing list Subject: Re: Free radius as Proxy EAP-PEAP-GTC User-Password is never set Sankalp Dubey wrote:
Can you please help out how to achieve it
Code changes.
or else you can point out what's wrong in our configuration.
If it was possible via a configuration change, I would have told you. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan We did the following changes in code 1. File: src/modules/rlm_eap/types/rlm_eap_gtc/rlm_eap_gtc.c In function gtc_initiate(void *type_data, EAP_HANDLER *handler) Added following lines with reference to the src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c file #ifdef WITH_PROXY /* * The EAP session doesn't have enough information to * proxy the "inside EAP" protocol. Disable EAP proxying. */ handler->request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP; #endif 2. We also added the following functions in rlm_eap_gtc file static int gtc_postproxy(EAP_HANDLER *handler, void *tunnel_data) 3. If we try to add callback for post proxy in gtc_authenticate() function its start crashing. If we assign the callback function as NULL then we are able to set the User-Password in Proxy EAP-PEAP_GTC. But the access challenge thrown by Radius server is never sent back to client. The modified rlm_eap_gtc.c is attached for your reference. We want to forward the access challenge thrown by server back to client. Can someone help what more changes are required to achieve this? Thanks n regards Sankalp Dubey -----Original Message----- From: freeradius-users-bounces+sankalp_dubey=symantec.com@lists.freeradius.org [mailto:freeradius-users-bounces+sankalp_dubey=symantec.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, May 08, 2013 6:53 PM To: FreeRadius users mailing list Subject: Re: Free radius as Proxy EAP-PEAP-GTC User-Password is never set Sankalp Dubey wrote:
Can you please provide some pointers on where to carry out code change to achieve this.
Well... looking at the EAP-GTC code would be a good start. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sankalp Dubey wrote:
3. If we try to add callback for post proxy in gtc_authenticate() function its start crashing.
Well... that's what code debugging is for. I haven't looked at it, so I can't comment more. It *should* be possible. It just requires a careful walk-through of the code.
If we assign the callback function as NULL then we are able to set the User-Password in Proxy EAP-PEAP_GTC. But the access challenge thrown by Radius server is never sent back to client.
The modified rlm_eap_gtc.c is attached for your reference.
We want to forward the access challenge thrown by server back to client. Can someone help what more changes are required to achieve this?
Do it in pieces, and debug it. There really isn't much more to say. Alan DeKok.
participants (2)
-
Alan DeKok -
Sankalp Dubey