Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy (forward) request as PAP
Ivan Kalik
tnt at kalik.net
Mon Feb 4 15:11:33 CET 2008
You are (still) not listening.
>
>========
>Proxy.conf
>====================================================================
>realm NULL {
> type = radius
> authhost = LOCAL
> accthost = LOCAL
>}
>
>realm LOCAL {
> type = radius
> authhost = LOCAL
> accthost = LOCAL
>}
>
>realm DOMAIN {
> type = radius
> authhost = LOCAL
> accthost = LOCAL
>}
>
>
>realm SECURACCESS {
> type = radius
> authhost = 192.168.1.75:1812
> accthost = 192.168.1.75:1813
> secret = toor
># nostrip
>}
>
>
I have told you to split user and server domains. Rename this
SECURACCESS into something like SECURE and make another entry for
SECURACCESS that will be the same as LOCAL.
>====
>users
>===========================================================================
>DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL
>SECURACCESS FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "SECURACCESS"
>==ENDusers===================================================================
>
Is that first entry doing anything? Proxy to (now renamed) SECURE (server
realm, leave users realm alone).
>
>========
>output:
>===================================================
>rad_recv: Access-Request packet from host 192.168.1.150:32797, id=185,
>length=199
> User-Name = "joakimlindgren at SECURACCESS"
> NAS-IP-Address = 192.168.1.73
> NAS-Port = 1
> NAS-Identifier = "10"
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = "0012793DFC0C"
> Called-Station-Id = "000B86600A58"
> Framed-MTU = 1100
> EAP-Message =
>0x0201001f016a6f616b696d6c696e646772656e405345435552414343455353
> Aruba-Essid-Name = "demo-wpa-aes-eap-radius"
> Aruba-Location-Id = "1.1.1"
> Message-Authenticator = 0x4a71e7a8e828c5fbfeba6f153ee22c40
..
>Mon Feb 4 13:04:03 2008 : Debug: rlm_realm: Proxying request from user
>joakimlindgren to realm SECURACCESS
>Mon Feb 4 13:04:03 2008 : Debug: rlm_realm: Adding Realm =
>"SECURACCESS"
>Mon Feb 4 13:04:03 2008 : Debug: rlm_realm: Preparing to proxy
>authentication request to realm "SECURACCESS"
..
EAP doesn't get terminated - it gets proxied. Or at least that's where
this is heading.
..
..
>Mon Feb 4 13:04:03 2008 : Debug: rlm_eap: Request is supposed to be
>proxied to Realm SECURACCESS. Not doing EAP.
..
Server thinks so too.
..
>Mon Feb 4 13:04:04 2008 : Debug: rlm_pap: No clear-text password in the
>request. Not performing PAP.
..
Because it is an EAP request.
..
>Mon Feb 4 13:04:04 2008 : Debug: WARNING: You set Proxy-To-Realm = LOCAL,
>but it is a LOCAL realm! Cancelling invalid proxy request.
..
Hm, so that first entry in the users file does something. Try without it. This
is why the request doesn't get proxied.
..
>Sending Access-Reject of id 185 to 192.168.1.150 port 32797
> Reply-Message = ""
..
Without proxying the request at all.
>========
>My thoughts about the output:
>==========================================
>>Mon Feb 4 13:04:03 2008 : Debug: rlm_eap: Request is supposed to be
>proxied to Realm SECURACCESS. Not doing EAP.
>
>Detects that we want to proxy domain SECURACCESS. Terminate EAP and only
>proxy PAP.
>
That's not how you terminate EAP. You need to go through the whole TLS
negotiation first. Once that is done, the inner request will be extracted
and that can be proxied.
>
>>Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: calling files
>(rlm_files) for request 0
>>Mon Feb 4 13:04:03 2008 : Debug: users: Matched entry DEFAULT at line
>209
>>Mon Feb 4 13:04:03 2008 : Debug: modsingle[authorize]: returned from
>files (rlm_files) for request 0
>>Mon Feb 4 13:04:03 2008 : Debug: modcall[authorize]: module "files"
>returns ok for request 0
>
>Found the DEFAULT entry in users:
>DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL
>
OK, but that's irrelevant. You should make (users) realm SECURACCESS
local too.
>>Mon Feb 4 13:04:04 2008 : Debug: rlm_pap: No clear-text password in the
>request. Not performing PAP.
>
>Not finding a clear-text password?
>Why can't it suddenly use the password stored in the eDirectory (Stored as
>clear-text?).
>
Read the debug ==> No clear-text password in the *request*. That's
because the request is still EAP.
>
>>Mon Feb 4 13:04:04 2008 : Debug: modsingle[authorize]: returned from pap
>(rlm_pap) for request 0
>>Mon Feb 4 13:04:04 2008 : Debug: modcall[authorize]: module "pap"
>returns noop for request 0
>>Mon Feb 4 13:04:04 2008 : Debug: modcall: leaving group authorize (returns
>updated) for request 0
>>Mon Feb 4 13:04:04 2008 : Debug: WARNING: You set Proxy-To-Realm =
>LOCAL, but it is a LOCAL realm! Cancelling invalid proxy request.
>
>Only a warning right?
>
>>Mon Feb 4 13:04:04 2008 : Debug: auth: type Local
>>Mon Feb 4 13:04:04 2008 : Debug: auth: No User-Password or CHAP-Password
>attribute in the request
>
>Failed due to not finding a User-Password...Why?
Because there is no password in the request - it's an EAP request. You
need to finish with EAP first and then PAP attributes will be available.
Ivan Kalik
Kalik Informatika ISP
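The split Ivan is asking for, written out as an added example (not configuration from the original post or from the FreeRADIUS project). It keeps the 1.x proxy.conf syntax, home server address and shared secret shown in the quoted config, uses the realm name SECURE that Ivan suggests, and assumes the inner (tunnelled) PEAP request passes through the same authorize section as the outer one, where it carries FreeRADIUS-Proxied-To = 127.0.0.1 and the outer request does not:

```conf
# proxy.conf (realm entries only)
#
# Server realm: the home server that receives the extracted inner request.
realm SECURE {
        type     = radius
        authhost = 192.168.1.75:1812
        accthost = 192.168.1.75:1813
        secret   = toor
        # nostrip            # uncomment if 192.168.1.75 must see "user@SECURACCESS" intact
}

# Users realm: the suffix the clients actually send. It stays LOCAL so that
# rlm_realm does not flag the outer EAP request for proxying; rlm_eap then
# runs the PEAP/TLS negotiation on this server instead of stepping aside.
realm SECURACCESS {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
}

# users
#
# Only the inner request carries FreeRADIUS-Proxied-To = 127.0.0.1, so only it
# is sent to the SECURE realm. ":=" overrides whatever rlm_realm set from the
# "@SECURACCESS" suffix (which would again be the local realm).
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := SECURE
```

With this, `radiusd -X` should no longer show "Request is supposed to be proxied to Realm SECURACCESS. Not doing EAP." on the outer request, and the "Preparing to proxy" lines should appear only for the inner request after the TLS handshake has completed. Whether that proxied inner request is actually PAP depends on the inner method the client negotiates, not on the proxy settings: a clear-text User-Password is only present when the inner method delivers one (EAP-GTC with `auth_type = PAP` in the gtc section of eap.conf puts the response into User-Password), while an inner EAP-MSCHAPv2 exchange is still EAP and is forwarded to 192.168.1.75 as such.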