Peap mschapv2 proxy early termination of EAP

Yogesh Nagarkar yogesh.nagarkar at gmail.com
Sun Oct 29 00:33:07 CEST 2006


EAP-PEAP-MSCHAPv2 hack for FreeRADIUS 1.1.3
If anyone has been following the threads
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg30477.html
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg22903.html
The solution was:
Edit:
freeradius-1.1.3/src/main/request_list.c
Comment out line 321:
-----------------------------------------
proxy_ipaddr = listener->ipaddr;
Change to
/*proxy_ipaddr = listener->ipaddr;*/
-----------------------------------------
Comment out line 797:
request->proxy->src_ipaddr = proxy_ipaddr;
Change to
/*request->proxy->src_ipaddr = proxy_ipaddr;*/
----------------------------------------
Compile request_list.c
make && make install
and we have FreeRADIUS 1.1.3 successfully authenticating:

Microsoft Windows Supplicant -------> Request --------> Proxy Server -------- MSCHAPv2 ------> Home Server
(WPA1/TKIP/PEAP)                                        (PEAP tunnel ends)                     (Access Accept)
Microsoft Windows Supplicant <------- Response -------- Proxy Server <------- MSCHAPv2 ------- Home Server
(success)                                               (Copy to PEAP tunnel)
--------------------------------------------------
/etc/raddb/users file (proxy server)

DEFAULT User-Name =~ "@somerealm.net", FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := inner-somerealm

/etc/raddb/proxy.conf file (proxy server)

realm somerealm.net {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
        nostrip
}
realm inner-somerealm {
        type            = radius
        authhost        = xxxxxxxxx:1645
        accthost        = xxxxxxxxx:1646
        secret          = xxxxxxxx
        ldflag          = round_robin
        nostrip
}
-------------------------------------------------
/etc/raddb/users file (home server)

kirkhammet@somerealm.net        User-Password == xxxxxxxxxx
                                Reply-Message = "Enter Sandman!"
-------------------------------------------------

Good luck :)
Yogesh Nagarkar



------------------- Related thread ----------------------------------

I have tried the examples in those postings as well as suggestions from other
postings without any success. I have started with the default config and turned
on the debug option. However, looking at the debug output, I still couldn't quite
figure out what went wrong.

What I got so far is as follows:
1) Send a PEAP/MSCHAPv2 request using Linux's Xsupplicant or Mac client to the
proxy radius
2) Proxy radius terminated EAP locally and proxied request (MSCHAPv2 minus EAP)
to home radius
3) Home radius responded with an access-accept packet to proxy radius
4) Proxy Radius sent access-reject to client. See error output below.

Tue Oct  3 20:10:37 2006 : Debug:   rlm_eap: Request not found in the list
Tue Oct  3 20:10:37 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Tue Oct  3 20:10:37 2006 : Debug:   rlm_eap: Failed in handler

I am running Freeradius 1.1.3 and have attached below my configuration files
and an excerpt of the debug output, hoping that the mistake would look obvious
to some of you and that you could provide some helpful pointers or links.

Thanks a lot for your help.


-David

In case anyone is following this thread, the problem was solved by downgrading
from Freeradius 1.1.2 and above running on Solaris 9 down to Freeradius
1.0.5 running on the same OS. Still tracing this issue through the debugger
and will post to this thread if more information is available.

Best,
David
----------------------------------------------------------------------
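
The rlm_eap error sequence quoted in the related thread can be picked out of a radiusd debug log automatically. The following is an added example, not part of the original post or of FreeRADIUS; it assumes the log line layout shown in the excerpt above, and the function names are hypothetical.

```python
import re
from datetime import datetime

# radiusd log line layout as quoted on this page: "<ctime> : <Level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+):\s+(?P<msg>.*)$")

# The three rlm_eap messages from the related thread, in logged order.
SIGNATURE = (
    "rlm_eap: Request not found in the list",
    "rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request",
    "rlm_eap: Failed in handler",
)

# First three records are the excerpt from the thread (wrapped as posted);
# the last line is constructed to show an unrelated record.
SAMPLE = """\
Tue Oct  3 20:10:37 2006 : Debug:   rlm_eap: Request not found in the list
Tue Oct  3 20:10:37 2006 : Error: rlm_eap: Either EAP-request timed out OR
EAP-response
to an unknown EAP-request
Tue Oct  3 20:10:37 2006 : Debug:   rlm_eap: Failed in handler
Tue Oct  3 20:10:38 2006 : Info: Ready to process requests.
"""

def parse(text):
    """Return [timestamp, level, message] records, re-joining wrapped lines."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
            records.append([ts, m["level"], m["msg"].strip()])
        elif raw.strip() and records:
            # No timestamp prefix: continuation of the previous record.
            records[-1][2] += " " + raw.strip()
    return records

def find_eap_handler_failures(records):
    """Timestamps where the three-message signature appears back to back."""
    msgs = [r[2] for r in records]
    n = len(SIGNATURE)
    return [records[i][0] for i in range(len(msgs) - n + 1)
            if tuple(msgs[i:i + n]) == SIGNATURE]

if __name__ == "__main__":
    for ts in find_eap_handler_failures(parse(SAMPLE)):
        print(ts, "rlm_eap handler failure (Request not found in the list)")
```

On a busy server other requests' lines may be interleaved between the three messages, so a back-to-back match like this one is best run on a single-request debug capture.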