FR2 - proxying inner tunnel
Dmitry Sergienko
trooper+freeradius+users at email.dp.ua
Wed Feb 13 02:30:53 CET 2008
Hi!
The situation becomes clearer if the eap module is called in the post-proxy section of
proxy-inner-tunnel:
Wed Feb 13 01:31:41 2008 : Debug: +- entering group post-proxy
Wed Feb 13 01:31:41 2008 : Debug: modsingle[post-proxy]: calling eap (rlm_eap) for request 7
Wed Feb 13 01:31:41 2008 : Debug: rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x8185f20 2.
Wed Feb 13 01:31:41 2008 : Debug: rlm_eap_mschapv2: Authentication succeeded.
Wed Feb 13 01:31:41 2008 : Debug: MSCHAP Success
Wed Feb 13 01:31:41 2008 : Debug: modsingle[post-proxy]: returned from eap (rlm_eap) for request 7
Wed Feb 13 01:31:41 2008 : Debug: ++[eap] returns ok
Wed Feb 13 01:31:41 2008 : Debug: POST-PROXY 2
Wed Feb 13 01:31:41 2008 : Debug: POST-AUTH 2
But it still fails to authorize:
Wed Feb 13 03:17:19 2008 : Debug: rlm_eap_peap: Session established. Decoding tunneled attributes.
PEAP tunnel data in 0000: 1a 03
Wed Feb 13 03:17:19 2008 : Debug: rlm_eap_peap: EAP type mschapv2
PEAP: Got tunneled EAP-Message
EAP-Message = 0x020a00061a03
Wed Feb 13 03:17:19 2008 : Debug: PEAP: Setting User-Name to aaa
PEAP: Sending tunneled request
EAP-Message = 0x020a00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "aaa"
State = 0x29fd9dc228f787186321d63394dc60d5
Framed-MTU = 1466
NAS-IP-Address = 192.168.2.3
NAS-Identifier = "D-Link"
Service-Type = Framed-User
NAS-Port = 33
NAS-Port-Type = Ethernet
NAS-Port-Id = "ether3_33"
Called-Station-Id = "00-15-e9-b8-79-dd"
Calling-Station-Id = "00-a9-40-0f-83-a5"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
server proxy-inner-tunnel {
Wed Feb 13 03:17:19 2008 : Debug: +- entering group authorize
Wed Feb 13 03:17:19 2008 : Debug: ++[control] returns notfound
} # server proxy-inner-tunnel
PEAP: Got tunneled reply RADIUS code 0
Wed Feb 13 03:17:19 2008 : Debug: PEAP: Calling authenticate in order to initiate tunneled EAP session.
Wed Feb 13 03:17:19 2008 : Debug: +- entering group authenticate
Wed Feb 13 03:17:19 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 8
Wed Feb 13 03:17:19 2008 : Error: rlm_eap: No EAP session matching the State variable.
Wed Feb 13 03:17:19 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Wed Feb 13 03:17:19 2008 : Debug: rlm_eap: Failed in handler
Wed Feb 13 03:17:19 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 8
Wed Feb 13 03:17:19 2008 : Debug: ++[eap] returns invalid
In the normal case the inner tunnel has "EAP-Type = MS-CHAP-V2" and Auth-Type = EAP in check_items:
Wed Feb 13 03:09:51 2008 : Debug: EAP-Message = 0x020a00061a03
Wed Feb 13 03:09:51 2008 : Debug: FreeRADIUS-Proxied-To = 127.0.0.1
Wed Feb 13 03:09:51 2008 : Debug: User-Name = "aaa"
Wed Feb 13 03:09:51 2008 : Debug: State = 0xe314f6cee21eecffcdeca66afa541172
Wed Feb 13 03:09:51 2008 : Debug: Framed-MTU = 1466
Wed Feb 13 03:09:51 2008 : Debug: NAS-IP-Address = 192.168.2.3
Wed Feb 13 03:09:51 2008 : Debug: NAS-Identifier = "D-Link"
Wed Feb 13 03:09:51 2008 : Debug: Service-Type = Framed-User
Wed Feb 13 03:09:51 2008 : Debug: NAS-Port = 33
Wed Feb 13 03:09:51 2008 : Debug: NAS-Port-Type = Ethernet
Wed Feb 13 03:09:51 2008 : Debug: NAS-Port-Id = "ether3_33"
Wed Feb 13 03:09:51 2008 : Debug: Called-Station-Id = "00-15-e9-b8-79-dd"
Wed Feb 13 03:09:51 2008 : Debug: Calling-Station-Id = "00-a9-40-0f-83-a5"
Wed Feb 13 03:09:51 2008 : Debug: Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Wed Feb 13 03:09:51 2008 : Debug: EAP-Type = MS-CHAP-V2
In this (proxied) case the inner tunnel contains only the following attributes:
(gdb) p vp_listdebug(request->packet->vps)
Wed Feb 13 03:15:10 2008 : Debug: EAP-Message = 0x020a00061a03
Wed Feb 13 03:15:10 2008 : Debug: FreeRADIUS-Proxied-To = 127.0.0.1
Wed Feb 13 03:15:10 2008 : Debug: User-Name = "aaa"
Wed Feb 13 03:15:10 2008 : Debug: State = 0x7f6817377e620dc906c84fac864d0550
Wed Feb 13 03:15:10 2008 : Debug: Framed-MTU = 1466
Wed Feb 13 03:15:10 2008 : Debug: NAS-IP-Address = 192.168.2.3
Wed Feb 13 03:15:10 2008 : Debug: NAS-Identifier = "D-Link"
Wed Feb 13 03:15:10 2008 : Debug: Service-Type = Framed-User
Wed Feb 13 03:15:10 2008 : Debug: NAS-Port = 33
Wed Feb 13 03:15:10 2008 : Debug: NAS-Port-Type = Ethernet
Wed Feb 13 03:15:10 2008 : Debug: NAS-Port-Id = "ether3_33"
Wed Feb 13 03:15:10 2008 : Debug: Called-Station-Id = "00-15-e9-b8-79-dd"
Wed Feb 13 03:15:10 2008 : Debug: Calling-Station-Id = "00-a9-40-0f-83-a5"
Wed Feb 13 03:15:10 2008 : Debug: Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
request->check_items contains only the Proxy-To-Realm AVPair.
Dmitry Sergienko wrote:
> Thanks for committing patches.
> But I have to return to the question of proxying EAP-PEAP-MS-CHAPv2.
> I've spent several nights with gdb, radsniff and xsupplicant to figure
> out why authentication passes on eapol_test and fails on WinXP
> supplicant. Even tried Juniper Odyssey 802.1x client :)
>
> The reason why authentication fails is missing EAP-MSCHAP Success packet
> inside EAP-PEAP response.
--
Best regards,
Dmitry Sergienko
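Added example, not part of Dmitry's message or of FreeRADIUS itself: a small Python script that decodes the tunneled EAP-Message shown in the debug output (0x020a00061a03) and compares the two inner-tunnel attribute dumps above. The decode shows the packet is the supplicant's EAP-MSCHAPv2 Success acknowledgement (code Response, id 10, type 26, opcode 3), and the attribute check shows that the proxied request lacks the EAP-Type attribute and the Auth-Type = EAP check item that the eap module's authorize pass normally supplies, which is why authenticate then reports "No EAP session matching the State variable". The debug excerpts are copied from the message; the check-item dictionaries, the EXAMPLE-REALM value and the function names are constructed for this example.

```python
# Added example (not from the original message): decode the tunneled
# EAP-Message and inspect the inner-tunnel attribute list from radiusd -X output.
import re

# EAP codes (RFC 3748) and the EAP method types that occur in this thread.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {25: "PEAP", 26: "MS-CHAP-V2"}
# EAP-MSCHAPv2 opcodes; 3 (Success) is the client's acknowledgement of the
# server's Success request, which is what completes the inner authentication.
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success",
                    4: "Failure", 7: "Change-Password"}

# Attribute lines as printed by radiusd -X, with or without the
# "date : Debug:" prefix, e.g. '  User-Name = "aaa"'.
ATTR_RE = re.compile(r'^(?:.*?: Debug:)?\s*([A-Za-z0-9-]+)\s*=\s*(.+?)\s*$')


def decode_eap_message(hex_value):
    """Parse an EAP packet given as the 0x... hex string from the log.

    Returns the header fields and, for an MS-CHAP-V2 packet, the opcode."""
    raw = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    data = bytes.fromhex(raw)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length {length} != packet size {len(data)}")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:          # Request/Response carry a type
        eap_type = data[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 26 and length >= 6:       # MS-CHAP-V2 opcode follows
            info["mschapv2_opcode"] = MSCHAPV2_OPCODES.get(data[5], data[5])
    return info


def parse_attributes(log_text):
    """Collect 'Name = value' pairs from a block of debug output."""
    attrs = {}
    for line in log_text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs


def inner_tunnel_missing(packet_attrs, check_items):
    """Report what the inner-tunnel request lacks before rlm_eap can continue.

    In the working case rlm_eap's authorize pass has added EAP-Type to the
    request and Auth-Type = EAP to check_items; in the proxied case neither is
    present, and authenticate fails to match the EAP session by State."""
    missing = []
    for name in ("EAP-Message", "State", "EAP-Type"):
        if name not in packet_attrs:
            missing.append(f"{name} (request)")
    if check_items.get("Auth-Type") != "EAP":
        missing.append("Auth-Type = EAP (check_items)")
    return missing


# Excerpts of the two attribute dumps from the message (abridged).
NORMAL_CASE = """\
Wed Feb 13 03:09:51 2008 : Debug: EAP-Message = 0x020a00061a03
Wed Feb 13 03:09:51 2008 : Debug: User-Name = "aaa"
Wed Feb 13 03:09:51 2008 : Debug: State = 0xe314f6cee21eecffcdeca66afa541172
Wed Feb 13 03:09:51 2008 : Debug: EAP-Type = MS-CHAP-V2
"""
PROXIED_CASE = """\
Wed Feb 13 03:15:10 2008 : Debug: EAP-Message = 0x020a00061a03
Wed Feb 13 03:15:10 2008 : Debug: User-Name = "aaa"
Wed Feb 13 03:15:10 2008 : Debug: State = 0x7f6817377e620dc906c84fac864d0550
"""
# Constructed check_items for the two cases; the realm name is a placeholder.
NORMAL_CHECK = {"Auth-Type": "EAP"}
PROXIED_CHECK = {"Proxy-To-Realm": "EXAMPLE-REALM"}


def main():
    print("EAP-Message:", decode_eap_message("0x020a00061a03"))
    for label, dump, check in (("normal", NORMAL_CASE, NORMAL_CHECK),
                               ("proxied", PROXIED_CASE, PROXIED_CHECK)):
        print(label, "case missing:", inner_tunnel_missing(parse_attributes(dump), check))


if __name__ == "__main__":
    main()
```

Run it as-is to see the decode and the two comparisons; to check a live capture, paste the "PEAP: Sending tunneled request" block from radiusd -X into PROXIED_CASE and the server's actual check items into PROXIED_CHECK.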