How to convert the Reply-Message as challenge

Sankalp Dubey Sankalp_Dubey at symantec.com
Tue May 14 13:42:17 CEST 2013


Hi

We have a RADIUS server which does not understand EAP and we are using FreeRADIUS as EAP-PEAP-GTC proxy-inner-tunnel.

As the present code does not set User-Password in EAP-PEAP-GTC mode, we made the following code changes:


1. File: src/modules/rlm_eap/types/rlm_eap_gtc/rlm_eap_gtc.c

    In function gtc_initiate(void *type_data, EAP_HANDLER *handler)

    Added the following lines with reference to the src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c file

    #ifdef WITH_PROXY
        /*
         *      The EAP session doesn't have enough information to
         *      proxy the "inside EAP" protocol.  Disable EAP proxying.
         */
        handler->request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
    #endif



2. We also added the following function in the rlm_eap_gtc.c file

      static int gtc_postproxy(EAP_HANDLER *handler, void *tunnel_data)

      This function doesn't seem to be called.



3. gtc_authenticate changes:

#ifdef WITH_PROXY
        /*
         *      If this option is set, then we do NOT authenticate the
         *      user here.  Instead, now that we've added the PAP
         *      attributes to the request, we STOP, and let the outer
         *      tunnel code handle it.
         *
         *      This means that the outer tunnel code will DELETE the
         *      EAP attributes, and proxy the PAP attributes to a
         *      home server.
         */
        if (handler->request->options & RAD_REQUEST_OPTION_PROXY_EAP) {

                /*
                 *      Set up the callbacks for the tunnel
                 */
                eap_tunnel_data_t *tunnel;
                tunnel = rad_malloc(sizeof(*tunnel));
                memset(tunnel, 0, sizeof(*tunnel));

                tunnel->tls_session = type_data;
                tunnel->callback = gtc_postproxy;

                /*
                 *      Associate the callback with the request.
                 */
                rcode = request_data_add(handler->request,
                                         handler->request->proxy,
                                         REQUEST_DATA_EAP_TUNNEL_CALLBACK,
                                         tunnel, free);
                rad_assert(rcode == 0);

                pairdelete(&handler->request->packet->vps, PW_STATE);

                return 1;
        }
#endif



The modified rlm_eap_gtc.c is attached for reference.



With these code changes we are able to set the User-Password in EAP-PEAP-GTC proxy mode. Also, the debug message from gtc_postproxy is not visible in the log file.



However, when the proxied-to RADIUS server throws an Access-Challenge, the same is not forwarded by FreeRADIUS to the client, i.e. the Reply-Message is stripped by FreeRADIUS.



Please let us know how to convert the Reply-Message into a challenge for the client.



Thanks n regards

Sankalp Dubey
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: rlm_eap_gtc.c
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20130514/22c4bda0/attachment-0001.c>
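
Added example, not part of the original post and not FreeRADIUS code: the wire format involved in the question, per RFC 3748 section 5.6. It wraps a home server's Reply-Message text in an EAP-Request/GTC (type 6) and bounds-checks the EAP-Response/GTC whose token becomes User-Password. The function names and the sample message are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EAP_REQUEST  1
#define EAP_RESPONSE 2
#define EAP_TYPE_GTC 6
#define EAP_HDR      5    /* code, identifier, 2-byte length, type */

/* Wrap Reply-Message text in an EAP-Request/GTC. Returns EAP length, 0 on error. */
size_t gtc_build_challenge(uint8_t id, const char *msg, size_t msg_len,
                           uint8_t *out, size_t out_len)
{
    size_t total = EAP_HDR + msg_len;

    /* RFC 3748 5.6: the displayable message must be longer than zero octets. */
    if (!msg || !out || msg_len == 0) return 0;
    if (msg_len > 0xffff - EAP_HDR || total > out_len) return 0;
    out[0] = EAP_REQUEST;
    out[1] = id;
    out[2] = (uint8_t)(total >> 8);      /* length is big-endian, header included */
    out[3] = (uint8_t)(total & 0xff);
    out[4] = EAP_TYPE_GTC;
    memcpy(out + EAP_HDR, msg, msg_len); /* not NUL-terminated on the wire */
    return total;
}

/* Locate the token in an EAP-Response/GTC. Returns its length, -1 if malformed. */
int gtc_parse_response(const uint8_t *pkt, size_t pkt_len, uint8_t expect_id,
                       const uint8_t **token)
{
    size_t total;

    if (!pkt || !token || pkt_len < EAP_HDR) return -1;
    if (pkt[0] != EAP_RESPONSE || pkt[1] != expect_id || pkt[4] != EAP_TYPE_GTC) return -1;
    total = ((size_t)pkt[2] << 8) | pkt[3];
    if (total < EAP_HDR || total > pkt_len) return -1; /* never trust the length field */
    *token = pkt + EAP_HDR;
    return (int)(total - EAP_HDR);
}

int main(void)
{
    uint8_t buf[64];
    const char *reply = "Enter next token";  /* constructed sample Reply-Message */
    size_t n = gtc_build_challenge(7, reply, strlen(reply), buf, sizeof(buf));

    for (size_t i = 0; i < n; i++) printf("%02x", buf[i]);
    printf("\n");
    return 0;
}
```

In RADIUS the resulting EAP packet travels in EAP-Message attributes inside the Access-Challenge, together with a State attribute that ties the client's next response to the same session.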