PEAP mschapv2 Proxy not working.

Andrew Olson anolson at exchange.vt.edu
Tue Feb 5 21:37:25 CET 2008


Hello,

I'm having trouble getting freeradius-1.1.7 to proxy PEAP-mschapv2 to 
another RADIUS server.  My other server doesn't do EAP, so I'm just sending 
mschapv2 achieved with proxy_tunneled_request_as_eap = no in eap.conf.

When I proxy to my other server, I get back an Access-Accept packet.  Then, 
freeradius sends an Access Challenge to the client, receives a response and 
then things appear to break.

I am able to successfully authenticate users with PEAP by defining them 
locally in the users file.  Additionally, I have gotten TTLS to work by 
proxying to another server, it's just PEAP that I'm having problems with.

The differing line in the debug seems to be:
<proxied>
   eaptls_process returned 7
   rlm_eap_peap: EAPTLS_OK
   rlm_eap_peap: Session established.  Decoding tunneled attributes.
   rlm_eap_peap: EAP type mschapv2

-vs-

<non-proxied>

   eaptls_process returned 7
   rlm_eap_peap: EAPTLS_OK
   rlm_eap_peap: Session established.  Decoding tunneled attributes.
   rlm_eap_peap: Received EAP-TLV response.


I'm running a pretty standard config, I think.  I can send copies of it, if 
that would help.

Thanks,
Andrew Olson


The complete proxied debug starting with the Access-Request is as follows:

Sending Access-Request of id 0 to 198.82.247.36 port 1812
         User-Name = "anolson"
         NAS-IP-Address := 198.82.245.57
         MS-CHAP-Challenge = 0x85feba9cbed9e9191bf72a29f0f82312
         MS-CHAP2-Response = 
0x0700b776d1433b4d6dab43d5bde9163e8b450000000000000000ee7fcb070f3766e7e7b0f198b72754b44a9ef0255d712db1
         Proxy-State = 0x3136
         Service-Type := Framed-User
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 198.82.247.36:1812, id=0, length=189
         Filter-Id = "CNS_NET1"
         MS-CHAP2-Success = 
0x07533d43433041424443323542333046453444414131394238363737413941334136454631364134454634
         MS-MPPE-Send-Key = 0x7b5fcacde0c3798261894df701a5cdd5
         MS-MPPE-Recv-Key = 0x3900c03d5b5851da66e8fb27d90077f9
         MS-MPPE-Encryption-Policy = 0x00000001
         MS-MPPE-Encryption-Types = 0x0000000e
   Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 6
   PEAP: Passing reply from proxy back into the tunnel.
   PEAP: Passing reply back for EAP-MS-CHAP-V2 0x8170500 2
   Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 6
   rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x8170500 2.
   rlm_eap_mschapv2: Authentication succeeded.
MSCHAP Success
   modcall[post-proxy]: module "eap" returns ok for request 6
modcall: leaving group post-proxy (returns ok) for request 6
   POST-PROXY 2
   POST-AUTH 2
  PEAP: Got reply 11
   PEAP: Got tunneled Access-Challenge
   PEAP: Reply was handled
   modcall[post-proxy]: module "eap" returns ok for request 6
modcall: leaving group post-proxy (returns ok) for request 6
Sending Access-Challenge of id 16 to 128.173.10.131 port 56945
         EAP-Message = 
0x0107005b190017030100502c303c60e1337bcb4c17a281f71910d23777fd5f4a4d5aefab92a23ff28a993aa17ebc2d6bd7567b9386fec7c4e6f2f7ae4c4655a8492000e0e473fc7e8be63a1bf372449cba9f795dc6535b04648cdb
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x23a96486ec5dbd008e1eddcee31dfa93
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 128.173.10.131:56945, id=17, 
length=151
         User-Name = "anolson"
         State = 0x23a96486ec5dbd008e1eddcee31dfa93
         EAP-Message = 
0x0207005419800000004e170301002050f4490743b89308d9bb84f411a1629e7b6f06dd6c02c2525747560f657f63d117030100209d0c853d82e17d05938ab49201447c135a90d068d1641a23db5fc04cfcc0dd08
         Message-Authenticator = 0x3c828120c544cde1b5d4366b7e735350
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
   modcall[authorize]: module "preprocess" returns ok for request 7
   modcall[authorize]: module "chap" returns noop for request 7
   modcall[authorize]: module "mschap" returns noop for request 7
     rlm_realm: No '@' in User-Name = "anolson", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 7
   rlm_eap: EAP packet type response id 7 length 84
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 7
   modcall[authorize]: module "files" returns notfound for request 7
modcall: leaving group authorize (returns updated) for request 7
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/peap
   rlm_eap: processing type peap
   rlm_eap_peap: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
   eaptls_verify returned 11
   eaptls_process returned 7
   rlm_eap_peap: EAPTLS_OK
   rlm_eap_peap: Session established.  Decoding tunneled attributes.
   rlm_eap_peap: EAP type mschapv2
   rlm_eap_peap: Tunneled data is valid.
   PEAP: Setting User-Name to anolson
   PEAP: Adding old state with dc 84
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
   modcall[authorize]: module "preprocess" returns ok for request 7
   modcall[authorize]: module "chap" returns noop for request 7
   modcall[authorize]: module "mschap" returns noop for request 7
     rlm_realm: No '@' in User-Name = "anolson", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 7
   rlm_eap: EAP packet type response id 7 length 9
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 7
     users: Matched entry DEFAULT at line 57
   modcall[authorize]: module "files" returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
   PEAP: Calling authenticate in order to initiate tunneled EAP session.
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
   rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
   rlm_eap: Failed in handler
   modcall[authenticate]: module "eap" returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
   PEAP: Can't handle the return code 4
  rlm_eap: Handler failed in EAP/peap
   rlm_eap: Failed in EAP select
   modcall[authenticate]: module "eap" returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 10 with timestamp 47a8d136
Cleaning up request 1 ID 11 with timestamp 47a8d136
Cleaning up request 2 ID 12 with timestamp 47a8d136
Cleaning up request 3 ID 13 with timestamp 47a8d136
Cleaning up request 4 ID 14 with timestamp 47a8d136
Cleaning up request 5 ID 15 with timestamp 47a8d136
Cleaning up request 6 ID 16 with timestamp 47a8d136
Sending Access-Reject of id 17 to 128.173.10.131 port 56945
         EAP-Message = 0x04070004
         Message-Authenticator = 0x00000000000000000000000000000000
Cleaning up request 7 ID 17 with timestamp 47a8d136
Nothing to do.  Sleeping until we see a request.



The complete non-proxied debug starting with the final Access-Challenge is 
as follows:

Sending Access-Challenge of id 18 to 128.173.10.131 port 56939
         EAP-Message = 
0x0108002b190017030100206ae9bd54b7c0124979401818f662bec45aea2853b277e8dda897e8a645571887
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x00e512dd6dbcc968bffd9f8b8dc13bc4
Finished request 40
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 128.173.10.131:56939, id=19, 
length=166
         User-Name = "andrew"
         State = 0x00e512dd6dbcc968bffd9f8b8dc13bc4
         EAP-Message = 
0x0208006419800000005e1703010020a0257f0df72e93adb495d9ab98f8e65ee4b526e563dd80bcdd464a3735f1d83417030100304c5de1fa016827d3181b8a26a7a31091f8f4474167c5424e0b51913e0ede50c14e04ec233670bd9888b1ea89ed510131
         Message-Authenticator = 0xf3079323771a635bac1bdaa00b2e850f
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 41
   modcall[authorize]: module "preprocess" returns ok for request 41
   modcall[authorize]: module "chap" returns noop for request 41
   modcall[authorize]: module "mschap" returns noop for request 41
     rlm_realm: No '@' in User-Name = "andrew", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 41
   rlm_eap: EAP packet type response id 8 length 100
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 41
     users: Matched entry andrew at line 53
   modcall[authorize]: module "files" returns ok for request 41
modcall: leaving group authorize (returns updated) for request 41
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 41
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/peap
   rlm_eap: processing type peap
   rlm_eap_peap: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
   eaptls_verify returned 11
   eaptls_process returned 7
   rlm_eap_peap: EAPTLS_OK
   rlm_eap_peap: Session established.  Decoding tunneled attributes.
   rlm_eap_peap: Received EAP-TLV response.
   rlm_eap_peap: Tunneled data is valid.
   rlm_eap_peap: Success
   rlm_eap: Freeing handler
   modcall[authenticate]: module "eap" returns ok for request 41
modcall: leaving group authenticate (returns ok) for request 41
Sending Access-Accept of id 19 to 128.173.10.131 port 56939
         MS-MPPE-Recv-Key = 
0x1aa22f77848e2c89b4a6681bd67b45483d25b05232dd9e37748bba578fff2700
         MS-MPPE-Send-Key = 
0x62d67197e6bfbce385f1b6e2ccd03c183281bca70e810a79cd85e7d2a38d654d
         EAP-Message = 0x03080004
         Message-Authenticator = 0x00000000000000000000000000000000
         User-Name = "andrew"
Finished request 41
Going to the next request
Waking up in 6 seconds...
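Decoders for the attribute values quoted in the debug above, added here as an example and not part of the post: they show that the proxied MS-CHAP2-Response and the home server's MS-CHAP2-Success share Ident 7, and that the outer EAP-Message headers match the debug lines (response id 7, length 84, Length Included). Layouts follow RFC 3748 (EAP header), the PEAP flags byte (EAP type 25) and RFC 2548 (MS-CHAP2-Response, MS-CHAP2-Success); the only inputs are values copied from the post.

```python
import struct

# Added example, not from the post: decoders for the attribute values in the
# debug above (RFC 3748 EAP header, PEAP flags byte, RFC 2548 MS-CHAP2 attrs).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
PEAP_TYPE = 25

def decode_eap_message(hexstr):
    """Outer EAP-Message header plus the PEAP flags byte and the optional
    TLS message length (present when the L flag is set)."""
    data = bytes.fromhex(hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length > 4 and data[4] == PEAP_TYPE:
        flags = data[5]
        out.update(type="PEAP", length_included=bool(flags & 0x80),
                   more_fragments=bool(flags & 0x40), start=bool(flags & 0x20))
        if out["length_included"]:
            out["tls_length"] = struct.unpack("!I", data[6:10])[0]
    return out

def decode_mschap2_response(hexstr):
    """MS-CHAP2-Response: Ident, Flags, 16-byte Peer-Challenge, 8 reserved
    bytes (must be zero), 24-byte NT-Response; 50 bytes in total."""
    data = bytes.fromhex(hexstr)
    if len(data) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(data))
    ident, flags, peer, reserved, nt = struct.unpack("!BB16s8s24s", data)
    return {"ident": ident, "flags": flags, "peer_challenge": peer.hex(),
            "reserved_zero": reserved == bytes(8), "nt_response": nt.hex()}

def decode_mschap2_success(hexstr):
    """MS-CHAP2-Success: Ident followed by the ASCII text "S=<40 hex digits>",
    the authenticator response the client must verify before it replies."""
    data = bytes.fromhex(hexstr)
    ident, text = data[0], data[1:].decode("ascii")
    if not text.startswith("S=") or len(text) != 42:
        raise ValueError("malformed MS-CHAP2-Success text: %r" % text)
    return {"ident": ident, "authenticator_response": text[2:]}

def idents_match(response_hex, success_hex):
    """A Success only answers the Response whose Ident it repeats."""
    return (decode_mschap2_response(response_hex)["ident"]
            == decode_mschap2_success(success_hex)["ident"])

if __name__ == "__main__":
    # Values copied from the proxied debug in the post (TLS body omitted).
    print(decode_eap_message("0207005419800000004e"))    # client's reply, id 7
    print(decode_eap_message("04070004"))                # final Access-Reject
```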



