Peap mschapv2 proxy early termination of EAP
Andy Goy
Andy.Goy at kcom.com
Fri Dec 30 14:34:17 CET 2005
Hi Alan
I have a number of XP and Windows 2K wifi clients to Proxim AP700 APs using
FreeRADIUS on Fedora C4.
These use EAP PEAP MSCHAPv2.
The system works well on ver 1.0.2 using usernames/passwords in the users
file or by configuring LDAP and using an LDAP database, and logs to MySQL.
I now need to authenticate by proxy to a legacy SteelBelted RADIUS server
capable of PAP, CHAP and MSCHAPv2 but not able to support EAP.
I configured the proxy.conf for the realm wifi (with nostrip)
and I can communicate with the legacy server; it sends back a reject due to
not supporting EAP.
I therefore need to terminate EAP on FreeRADIUS and pass on the MSCHAPv2 to
the proxy server.
Having read all I can on early termination of EAP,
I added the LOCAL realm:

    realm LOCAL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
    }

I have added 2 lines to the users file:

    DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL, Auth-Type = EAP      (line 167)
    DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := wifi                        (line 168)
The first line (at line 167) causes the proxy to be cancelled and the EAP is
handled locally; it gets to the MSCHAPv2 part, which is
matched (at line 168).
It appears as if it's going to send the request to wifi, with no EAP, then it
stops. The AP then retries the request, with the same result.
This seems to be due to
    WARNING: Cancelling proxy to Realm LOCAL, as the realm is local
rather than proxying only the MSCHAPv2 to wifi.
I have upgraded to v1.0.5 and I still get the same results.
Authorise and accounting in radiusd.conf have EAP and mschap.
Is it possible?
I have researched from your site as much as possible before asking. Am I
missing a configuration option?
Your help would be much appreciated. Thanks, Andy.
eap.conf:

    eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        tls {
            private_key_password = whatever
            private_key_file = ${raddbdir}/certs/cert-srv.pem
            certificate_file = ${raddbdir}/certs/cert-srv.pem
            CA_file = ${raddbdir}/certs/demoCA/cacert.pem
            dh_file = ${raddbdir}/certs/dh
            random_file = ${raddbdir}/certs/random
            include_length = yes
            # check_crl = yes
            # check_cert_cn = %{User-Name}
        }
        #
        peap {
            default_eap_type = mschapv2
            proxy_tunneled_request_as_eap = no
        }
        mschapv2 {
        }
    }
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.24.2.10:6001, id=40,
length=154
User-Name = "andygoy at wifi"
NAS-IP-Address = 172.24.2.10
Called-Station-Id = "00-20-a6-56-3a-4a:XXHOTSPOTFC1"
Calling-Station-Id = "00-13-ce-0e-f5-c6"
NAS-Identifier = "XX-HOTSPOT-1"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0202001101616e6479676f794077696669
Message-Authenticator = 0x206d804b1c31514e5743b1c03efdfcaf
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/etc/var/log/radius/radacct/172.24.2.10/auth-detail-20051230'
rlm_detail:
/etc/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /etc/var/log/radius/radacct/172.24.2.10/auth-detail-20051230
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_realm: Looking up realm "wifi" for User-Name = "andygoy at wifi"
rlm_realm: Found realm "wifi"
rlm_realm: Proxying request from user andygoy to realm wifi
rlm_realm: Adding Realm = "wifi"
rlm_realm: Preparing to proxy authentication request to realm "wifi"
modcall[authorize]: module "suffix" returns updated for request 0
rlm_eap: Request is supposed to be proxied to Realm wifi. Not doing EAP.
modcall[authorize]: module "eap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
users: Matched entry DEFAULT at line 167
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm!
Cancelling invalid proxy request.
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
WARNING: Cancelling proxy to Realm LOCAL, as the realm is local
Sending Access-Challenge of id 40 to 172.24.2.10 port 6001
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0b7df43e9fc35a77966d3c95bb99a754
Finished request 0
Going to the next request
etc.
etc.
-----------------------------------------------------------------------
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Setting User-Name to andygoy at wifi
PEAP: Adding old state with 0e aa
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
radius_xlat: '/etc/var/log/radius/radacct/127.0.0.1/auth-detail-20051230'
rlm_detail:
/etc/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /etc/var/log/radius/radacct/127.0.0.1/auth-detail-20051230
modcall[authorize]: module "auth_log" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
rlm_realm: Looking up realm "wifi" for User-Name = "andygoy at wifi"
rlm_realm: Found realm "wifi"
rlm_realm: Proxying request from user andygoy to realm wifi
rlm_realm: Adding Realm = "wifi"
rlm_realm: Preparing to proxy authentication request to realm "wifi"
modcall[authorize]: module "suffix" returns updated for request 6
rlm_eap: Request is supposed to be proxied to Realm wifi. Not doing EAP.
modcall[authorize]: module "eap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
users: Matched entry DEFAULT at line 168
modcall[authorize]: module "files" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
PEAP: Calling authenticate in order to initiate tunneled EAP session.
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Not-EAP proxy set. Not composing EAP
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
PEAP: Tunneled authentication will be proxied to wifi
PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
Tunneled session will be proxied. Not doing EAP.
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
WARNING: Cancelling proxy to Realm LOCAL, as the realm is local
Finished request 6
Going to the next request
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 172.24.2.10:6001, id=46,
length=249
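The EAP-Message values in the debug output above can be read directly: the first packet is an EAP Identity Response for the outer User-Name, and the Access-Challenge is a PEAP Start request (S flag set), which is what rlm_eap_tls logs as "Initiate". The decoder below is an added example, not code from the post or from FreeRADIUS; it follows the RFC 3748 header layout and the standard EAP type numbers, and the two hex strings fed to it are copied from the log.

```python
import struct

# RFC 3748 codes and the EAP method numbers seen in a PEAP/MSCHAPv2 exchange
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_BASED = {13, 21, 25}   # methods whose type-data starts with a flags byte


def decode_eap_message(hexstr):
    """Decode one RADIUS EAP-Message attribute as printed by radiusd -X (0x...)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # A length mismatch means the attribute was truncated or fragmented
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                      # Success/Failure carry no type byte
        return out
    if length < 5:
        raise ValueError("Request/Response needs a type byte")
    eap_type, data = raw[4], raw[5:]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        out["identity"] = data.decode("utf-8", "replace")
    elif eap_type in TLS_BASED and data:
        flags = data[0]
        out["flags"] = {"L": bool(flags & 0x80),   # TLS message length included
                        "M": bool(flags & 0x40),   # more fragments follow
                        "S": bool(flags & 0x20),   # Start: server opens the tunnel
                        "version": flags & 0x07}
        # payload after the flags byte (and the 4-byte length if L is set)
        out["tls_data_len"] = max(0, len(data) - 1 - (4 if flags & 0x80 else 0))
    return out


if __name__ == "__main__":
    # Both values are taken from the Access-Request / Access-Challenge above
    print(decode_eap_message("0x0202001101616e6479676f794077696669"))
    print(decode_eap_message("0x010300061920"))
```

Running it shows the outer identity "andygoy@wifi" in the Response (id 2) and a PEAP version 0 Start in the Request (id 3) with no TLS payload yet.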