PEAP mschapv2 Proxy not working.

Dmitry Sergienko trooper+freeradius+users at email.dp.ua
Wed Feb 6 14:16:45 CET 2008


Hi!

If you still have no luck with 1.1.7 proxying mschapv2, try to move to 2.0.1 with patches in event.c discussed yesterday 
in freeradius-users. I'm trying to do the same authentication - extract MS-CHAPv2 from PEAP and authorize inner request 
against external RADIUS server. With 2.0.1 and a patch at least eapol_test passes authorization.

Andrew Olson wrote:
> Hello,
> 
> I'm having trouble getting freeradius-1.1.7 to proxy PEAP-mschapv2 to 
> another RADIUS server.  My other server doesn't do EAP, so I'm just 
> sending mschapv2 achieved with proxy_tunneled_request_as_eap = no in 
> eap.conf.
> 
> When I proxy to my other server, I get back an Access-Accept packet.  
> Then, freeradius sends an Access Challenge to the client, receives a 
> response and then things appear to break.
> 
> I am able to successfully authenticate users with PEAP by defining them 
> locally in the users file.  Additionally, I have gotten TTLS to work by 
> proxying to another server, it's just PEAP that I'm having problems with.
> 
> The differing line in the debug seems to be:
> <proxied>
>   eaptls_process returned 7
>   rlm_eap_peap: EAPTLS_OK
>   rlm_eap_peap: Session established.  Decoding tunneled attributes.
>   rlm_eap_peap: EAP type mschapv2
> 
> -vs-
> 
> <non-proxied>
> 
>   eaptls_process returned 7
>   rlm_eap_peap: EAPTLS_OK
>   rlm_eap_peap: Session established.  Decoding tunneled attributes.
>   rlm_eap_peap: Received EAP-TLV response.
> 
> 
> I'm running a pretty standard config, I think.  I can send copies of it, 
> if that would help.
> 
> Thanks,
> Andrew Olson
> 
> 
> The complete proxied debug starting with the Access-Request is as follows:
> 
> Sending Access-Request of id 0 to 198.82.247.36 port 1812
>         User-Name = "anolson"
>         NAS-IP-Address := 198.82.245.57
>         MS-CHAP-Challenge = 0x85feba9cbed9e9191bf72a29f0f82312
>         MS-CHAP2-Response = 0x0700b776d1433b4d6dab43d5bde9163e8b450000000000000000ee7fcb070f3766e7e7b0f198b72754b44a9ef0255d712db1
>         Proxy-State = 0x3136
>         Service-Type := Framed-User
> Waking up in 6 seconds...
> rad_recv: Access-Accept packet from host 198.82.247.36:1812, id=0, length=189
>         Filter-Id = "CNS_NET1"
>         MS-CHAP2-Success = 0x07533d43433041424443323542333046453444414131394238363737413941334136454631364134454634
>         MS-MPPE-Send-Key = 0x7b5fcacde0c3798261894df701a5cdd5
>         MS-MPPE-Recv-Key = 0x3900c03d5b5851da66e8fb27d90077f9
>         MS-MPPE-Encryption-Policy = 0x00000001
>         MS-MPPE-Encryption-Types = 0x0000000e
>   Processing the post-proxy section of radiusd.conf
> modcall: entering group post-proxy for request 6
>   PEAP: Passing reply from proxy back into the tunnel.
>   PEAP: Passing reply back for EAP-MS-CHAP-V2 0x8170500 2
>   Processing the post-proxy section of radiusd.conf
> modcall: entering group post-proxy for request 6
>   rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 
> 0x8170500 2.
>   rlm_eap_mschapv2: Authentication succeeded.
> MSCHAP Success
>   modcall[post-proxy]: module "eap" returns ok for request 6
> modcall: leaving group post-proxy (returns ok) for request 6
>   POST-PROXY 2
>   POST-AUTH 2
>  PEAP: Got reply 11
>   PEAP: Got tunneled Access-Challenge
>   PEAP: Reply was handled
>   modcall[post-proxy]: module "eap" returns ok for request 6
> modcall: leaving group post-proxy (returns ok) for request 6
> Sending Access-Challenge of id 16 to 128.173.10.131 port 56945
>         EAP-Message = 0x0107005b190017030100502c303c60e1337bcb4c17a281f71910d23777fd5f4a4d5aefab92a23ff28a993aa17ebc2d6bd7567b9386fec7c4e6f2f7ae4c4655a8492000e0e473fc7e8be63a1bf372449cba9f795dc6535b04648cdb
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x23a96486ec5dbd008e1eddcee31dfa93
> Finished request 6
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 128.173.10.131:56945, id=17, length=151
>         User-Name = "anolson"
>         State = 0x23a96486ec5dbd008e1eddcee31dfa93
>         EAP-Message = 0x0207005419800000004e170301002050f4490743b89308d9bb84f411a1629e7b6f06dd6c02c2525747560f657f63d117030100209d0c853d82e17d05938ab49201447c135a90d068d1641a23db5fc04cfcc0dd08
>         Message-Authenticator = 0x3c828120c544cde1b5d4366b7e735350
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 7
>   modcall[authorize]: module "preprocess" returns ok for request 7
>   modcall[authorize]: module "chap" returns noop for request 7
>   modcall[authorize]: module "mschap" returns noop for request 7
>     rlm_realm: No '@' in User-Name = "anolson", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 7
>   rlm_eap: EAP packet type response id 7 length 84
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 7
>   modcall[authorize]: module "files" returns notfound for request 7
> modcall: leaving group authorize (returns updated) for request 7
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 7
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/peap
>   rlm_eap: processing type peap
>   rlm_eap_peap: Authenticate
>   rlm_eap_tls: processing TLS
> rlm_eap_tls:  Length Included
>   eaptls_verify returned 11
>   eaptls_process returned 7
>   rlm_eap_peap: EAPTLS_OK
>   rlm_eap_peap: Session established.  Decoding tunneled attributes.
>   rlm_eap_peap: EAP type mschapv2
>   rlm_eap_peap: Tunneled data is valid.
>   PEAP: Setting User-Name to anolson
>   PEAP: Adding old state with dc 84
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 7
>   modcall[authorize]: module "preprocess" returns ok for request 7
>   modcall[authorize]: module "chap" returns noop for request 7
>   modcall[authorize]: module "mschap" returns noop for request 7
>     rlm_realm: No '@' in User-Name = "anolson", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 7
>   rlm_eap: EAP packet type response id 7 length 9
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 7
>     users: Matched entry DEFAULT at line 57
>   modcall[authorize]: module "files" returns ok for request 7
> modcall: leaving group authorize (returns updated) for request 7
>   PEAP: Calling authenticate in order to initiate tunneled EAP session.
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 7
>   rlm_eap: Request not found in the list
> rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
>   rlm_eap: Failed in handler
>   modcall[authenticate]: module "eap" returns invalid for request 7
> modcall: leaving group authenticate (returns invalid) for request 7
>   PEAP: Can't handle the return code 4
>  rlm_eap: Handler failed in EAP/peap
>   rlm_eap: Failed in EAP select
>   modcall[authenticate]: module "eap" returns invalid for request 7
> modcall: leaving group authenticate (returns invalid) for request 7
> auth: Failed to validate the user.
> Delaying request 7 for 1 seconds
> Finished request 7
> Going to the next request
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 10 with timestamp 47a8d136
> Cleaning up request 1 ID 11 with timestamp 47a8d136
> Cleaning up request 2 ID 12 with timestamp 47a8d136
> Cleaning up request 3 ID 13 with timestamp 47a8d136
> Cleaning up request 4 ID 14 with timestamp 47a8d136
> Cleaning up request 5 ID 15 with timestamp 47a8d136
> Cleaning up request 6 ID 16 with timestamp 47a8d136
> Sending Access-Reject of id 17 to 128.173.10.131 port 56945
>         EAP-Message = 0x04070004
>         Message-Authenticator = 0x00000000000000000000000000000000
> Cleaning up request 7 ID 17 with timestamp 47a8d136
> Nothing to do.  Sleeping until we see a request.
> 
> 
> 
> The complete non-proxied debug starting with the final Access-Challenge 
> is as follows:
> 
> Sending Access-Challenge of id 18 to 128.173.10.131 port 56939
>         EAP-Message = 0x0108002b190017030100206ae9bd54b7c0124979401818f662bec45aea2853b277e8dda897e8a645571887
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x00e512dd6dbcc968bffd9f8b8dc13bc4
> Finished request 40
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 128.173.10.131:56939, id=19, length=166
>         User-Name = "andrew"
>         State = 0x00e512dd6dbcc968bffd9f8b8dc13bc4
>         EAP-Message = 0x0208006419800000005e1703010020a0257f0df72e93adb495d9ab98f8e65ee4b526e563dd80bcdd464a3735f1d83417030100304c5de1fa016827d3181b8a26a7a31091f8f4474167c5424e0b51913e0ede50c14e04ec233670bd9888b1ea89ed510131
>         Message-Authenticator = 0xf3079323771a635bac1bdaa00b2e850f
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 41
>   modcall[authorize]: module "preprocess" returns ok for request 41
>   modcall[authorize]: module "chap" returns noop for request 41
>   modcall[authorize]: module "mschap" returns noop for request 41
>     rlm_realm: No '@' in User-Name = "andrew", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 41
>   rlm_eap: EAP packet type response id 8 length 100
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 41
>     users: Matched entry andrew at line 53
>   modcall[authorize]: module "files" returns ok for request 41
> modcall: leaving group authorize (returns updated) for request 41
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 41
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/peap
>   rlm_eap: processing type peap
>   rlm_eap_peap: Authenticate
>   rlm_eap_tls: processing TLS
> rlm_eap_tls:  Length Included
>   eaptls_verify returned 11
>   eaptls_process returned 7
>   rlm_eap_peap: EAPTLS_OK
>   rlm_eap_peap: Session established.  Decoding tunneled attributes.
>   rlm_eap_peap: Received EAP-TLV response.
>   rlm_eap_peap: Tunneled data is valid.
>   rlm_eap_peap: Success
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns ok for request 41
> modcall: leaving group authenticate (returns ok) for request 41
> Sending Access-Accept of id 19 to 128.173.10.131 port 56939
>         MS-MPPE-Recv-Key = 0x1aa22f77848e2c89b4a6681bd67b45483d25b05232dd9e37748bba578fff2700
>         MS-MPPE-Send-Key = 0x62d67197e6bfbce385f1b6e2ccd03c183281bca70e810a79cd85e7d2a38d654d
>         EAP-Message = 0x03080004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         User-Name = "andrew"
> Finished request 41
> Going to the next request
> Waking up in 6 seconds...
> 

-- 
Best wishes,
Dmitry Sergienko (SDA104-RIPE)
Trifle Co., Ltd.
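As an added illustration (not code from this thread or from FreeRADIUS), the following Python decodes the MS-CHAP2-Response and MS-CHAP2-Success attributes quoted in the proxied debug output above, using the RFC 2548 attribute layouts, and applies the Ident consistency check that ties the home server's Success back to the outstanding inner EAP-MSCHAPv2 round. The hex values are copied from the debug output; the class and function names are my own.

```python
"""Decode the MS-CHAPv2 RADIUS attributes (RFC 2548 layouts) seen in the
proxied debug output and run the consistency checks a proxy should apply
before passing the home server's reply back into the PEAP tunnel.
Added example, not FreeRADIUS code; attribute values copied from the thread."""
import binascii
from dataclasses import dataclass

HEX_DIGITS = set("0123456789ABCDEF")


@dataclass
class MSChap2Response:
    ident: int              # identifier the peer echoed back
    flags: int              # must be zero in MS-CHAPv2
    peer_challenge: bytes   # 16 bytes chosen by the peer
    nt_response: bytes      # 24-byte NT-Response


@dataclass
class MSChap2Success:
    ident: int
    auth_response: str      # "S=" followed by 40 uppercase hex digits


def radius_hex(value: str) -> bytes:
    """Turn a '0x...' attribute value as printed by radiusd -X into raw bytes."""
    if not value.startswith("0x"):
        raise ValueError("expected a 0x-prefixed hex string")
    return binascii.unhexlify(value[2:])


def parse_mschap2_response(raw: bytes) -> MSChap2Response:
    """MS-CHAP2-Response: Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24)."""
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(raw)}")
    ident, flags = raw[0], raw[1]
    if flags != 0:
        raise ValueError("Flags field must be zero")
    if raw[18:26] != bytes(8):
        raise ValueError("Reserved field must be zero")
    return MSChap2Response(ident, flags, raw[2:18], raw[26:50])


def parse_mschap2_success(raw: bytes) -> MSChap2Success:
    """MS-CHAP2-Success: Ident(1) followed by the ASCII authenticator response 'S=<40 hex>'."""
    if len(raw) != 43:
        raise ValueError(f"MS-CHAP2-Success must be 43 bytes, got {len(raw)}")
    text = raw[1:].decode("ascii")
    if not text.startswith("S=") or set(text[2:]) - HEX_DIGITS:
        raise ValueError("malformed authenticator response string")
    return MSChap2Success(raw[0], text)


def success_matches_response(resp: MSChap2Response, succ: MSChap2Success) -> bool:
    """RFC 2548 requires the Ident in MS-CHAP2-Success to equal the Ident of the
    MS-CHAP2-Response it answers; a proxy should check this before relaying the
    Success into the tunnel, otherwise the client will reject the success packet."""
    return resp.ident == succ.ident


# Attribute values copied from the proxied debug output in the thread.
RESPONSE_HEX = ("0x0700b776d1433b4d6dab43d5bde9163e8b450000000000000000"
                "ee7fcb070f3766e7e7b0f198b72754b44a9ef0255d712db1")
SUCCESS_HEX = ("0x07533d4343304142444332354233304645344441413139"
               "4238363737413941334136454631364134454634")


def decode_thread_example():
    """Decode both attributes from the thread and report whether they are consistent."""
    resp = parse_mschap2_response(radius_hex(RESPONSE_HEX))
    succ = parse_mschap2_success(radius_hex(SUCCESS_HEX))
    return resp, succ, success_matches_response(resp, succ)


if __name__ == "__main__":
    resp, succ, ok = decode_thread_example()
    print(f"response ident={resp.ident} peer_challenge={resp.peer_challenge.hex()}")
    print(f"nt_response={resp.nt_response.hex()}")
    print(f"success ident={succ.ident} {succ.auth_response} consistent={ok}")
```

Running it shows that the home server's Access-Accept carried a Success whose Ident (7) matches the Response the proxy sent, so the attributes themselves are well-formed; the failure in the debug output comes later, when the inner EAP handler for the follow-up request can no longer be found.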



