FR2 - proxying inner tunnel
Dmitry Sergienko
trooper+freeradius+users at email.dp.ua
Thu Feb 14 15:57:27 CET 2008
Hi!
A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> Tue Feb 12 23:45:21 2008 : Error: Warning: Found 2 auth-types on request
>> for user 'myid at mynet.net'
>> Tue Feb 12 23:45:21 2008 : Debug: rad_check_password: Auth-Type = Accept, accepting the user
>
> whoah. WinXP is very fussy (as should all EAP clients) about getting a proper
> EAP return. you seem to have thrown an 'Accept' straight back to the challenge
> rather than let the EAP engine do its business.
>
> config file or startup debug output please
The config file is the same as the default proxy-inner-tunnel example in the 2.0.2 release, with only the realm name modified.
As I wrote before, the double Auth-Type had been fixed by adding a post-proxy { eap } section in proxy-inner-tunnel.
But authentication still fails to pass. I got the following error:
Thu Feb 14 16:42:06 2008 : Error: rlm_eap: No EAP session matching the State variable.
Thu Feb 14 16:42:06 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
It comes after the second authentication in the eap module, after the inner request is passed to the virtual server.
xsupplicant receives EAP-MSCHAPv2 Success and sends the phase 2 success back to FreeRADIUS:
-----------------
[AUTH TYPE] (EAP-MSCHAPv2) Success!
[AUTH TYPE] Server authentication check success! Sending phase 2 success!
[AUTH TYPE] Unencrypted return frame :
000 | 1a 03 | ..
[AUTH TYPE] Encrypted return frame :
-----------------
FreeRADIUS debug output with failed authentication:
-----------------
rad_recv: Access-Request packet from host 192.168.2.3 port 8021, id=85, length=279
Framed-MTU = 1466
NAS-IP-Address = 192.168.2.3
NAS-Identifier = "D-Link"
User-Name = "myid at mynet.net"
Service-Type = Framed-User
NAS-Port = 33
NAS-Port-Type = Ethernet
NAS-Port-Id = "ether3_33"
Called-Station-Id = "00-15-e9-b8-79-dd"
Calling-Station-Id = "00-a9-40-0f-83-a5"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
State = 0x827a1bd58a710287540fbc1db46cf1a2
EAP-Message =
0x020b005019001703010020a8e33063d77e6a2f489c6f5d9a12306c870537dc721149322bd85623235edda1170301002088aaf69e118a31b4eac9
c0d7c106de95b51101eb9e1b0c70949645a855cc206c
Message-Authenticator = 0x82efd03b0f271f621eb2677ebf3c5902
Thu Feb 14 16:42:06 2008 : Debug: +- entering group authorize
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 9
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[preprocess] returns ok
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[chap] returns noop
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[mschap] returns noop
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 9
Thu Feb 14 16:42:06 2008 : Debug: rlm_realm: Looking up realm "mynet.net" for User-Name = "myid at mynet.net"
Thu Feb 14 16:42:06 2008 : Debug: rlm_realm: No such realm "mynet.net"
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[suffix] returns noop
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap: EAP packet type response id 11 length 80
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap: Continuing tunnel setup.
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[eap] returns ok
Thu Feb 14 16:42:06 2008 : Debug: rad_check_password: Found Auth-Type EAP
Thu Feb 14 16:42:06 2008 : Debug: auth: type "EAP"
Thu Feb 14 16:42:06 2008 : Debug: +- entering group authenticate
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap: Request found, released from the list
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap: EAP/peap
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap: processing type peap
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap_peap: Authenticate
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap_tls: processing TLS
Thu Feb 14 16:42:06 2008 : Debug: eaptls_verify returned 7
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap_tls: Done initial handshake
Thu Feb 14 16:42:06 2008 : Debug: eaptls_process returned 7
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap_peap: EAPTLS_OK
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap_peap: Session established. Decoding tunneled attributes.
PEAP tunnel data in 0000: 1a 03
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap_peap: EAP type mschapv2
PEAP: Got tunneled EAP-Message
EAP-Message = 0x020b00061a03
Thu Feb 14 16:42:06 2008 : Debug: PEAP: Setting User-Name to aaa
PEAP: Sending tunneled request
EAP-Message = 0x020b00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "aaa"
State = 0xc858015dc9531b78fbe76e30aaba109e
Framed-MTU = 1466
NAS-IP-Address = 192.168.2.3
NAS-Identifier = "D-Link"
Service-Type = Framed-User
NAS-Port = 33
NAS-Port-Type = Ethernet
NAS-Port-Id = "ether3_33"
Called-Station-Id = "00-15-e9-b8-79-dd"
Calling-Station-Id = "00-a9-40-0f-83-a5"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
server proxy-inner-tunnel {
Thu Feb 14 16:42:06 2008 : Debug: +- entering group authorize
Thu Feb 14 16:42:06 2008 : Debug: ++[control] returns notfound
} # server proxy-inner-tunnel
PEAP: Got tunneled reply RADIUS code 0
Thu Feb 14 16:42:06 2008 : Debug: PEAP: Calling authenticate in order to initiate tunneled EAP session.
Thu Feb 14 16:42:06 2008 : Debug: +- entering group authenticate
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Error: rlm_eap: No EAP session matching the State variable.
Thu Feb 14 16:42:06 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap: Failed in handler
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[eap] returns invalid
Thu Feb 14 16:42:06 2008 : Debug: PEAP: Can't handle the return code 4
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap: Handler failed in EAP/peap
Thu Feb 14 16:42:06 2008 : Debug: rlm_eap: Failed in EAP select
Thu Feb 14 16:42:06 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[eap] returns invalid
Thu Feb 14 16:42:06 2008 : Debug: auth: Failed to validate the user.
Thu Feb 14 16:42:06 2008 : Auth: Login incorrect: [myid at mynet.net/<via Auth-Type = EAP>] (from client sw-local port 33
cli 00-a9-40-0f-83-a5)
-----------------
--
Best wishes,
Dmitry Sergienko (SDA104-RIPE)
Trifle Co., Ltd.
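To see what the inner server is actually being handed at the point where rlm_eap reports "No EAP session matching the State variable", it helps to decode the two EAP-Message values in the debug output above. The following decoder is an added example written for this page; it is not code from the thread or from FreeRADIUS. The two hex strings are copied from the log above (the outer PEAP message and the tunneled one); everything else, including the function names and the assumption that the PEAP payload carries plain TLS records, is the example's own.

```python
"""Decode EAP-Message values from a FreeRADIUS debug log (added example, not FreeRADIUS code)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure", 7: "Change-Password"}
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Copied from the debug output in the post: the outer PEAP EAP-Message (wrapped over two lines
# in the log) and the tunneled EAP-Message that PEAP handed to proxy-inner-tunnel.
OUTER_EAP_MESSAGE = ("0x020b005019001703010020a8e33063d77e6a2f489c6f5d9a12306c870537dc721149322bd85623235edda1"
                     "170301002088aaf69e118a31b4eac9c0d7c106de95b51101eb9e1b0c70949645a855cc206c")
INNER_EAP_MESSAGE = "0x020b00061a03"


def parse_tls_records(body):
    """Split a PEAP payload into TLS record headers: (content type, version, length)."""
    records = []
    pos = 0
    while pos < len(body):
        if len(body) - pos < 5:
            raise ValueError("truncated TLS record header")
        ctype, major, minor, rlen = struct.unpack("!BBBH", body[pos:pos + 5])
        if pos + 5 + rlen > len(body):
            raise ValueError("TLS record length exceeds the EAP payload")
        records.append({"content_type": TLS_CONTENT_TYPES.get(ctype, ctype),
                        "version": f"{major}.{minor}",  # 3.1 is TLS 1.0
                        "length": rlen})
        pos += 5 + rlen
    return records


def parse_eap_message(hexstr):
    """Decode one EAP packet: 4-byte header, then type and a type-specific payload."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} does not match {len(data)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    # Success/Failure packets and empty Request/Response packets carry no type byte.
    if code not in (1, 2) or length == 4:
        return pkt
    eap_type = data[4]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    payload = data[5:]
    if eap_type == 25:
        # PEAP: one flags byte, optional 4-byte total TLS length, then TLS records.
        flags = payload[0]
        pkt["peap_flags"] = {"length_included": bool(flags & 0x80),
                             "more_fragments": bool(flags & 0x40),
                             "start": bool(flags & 0x20)}
        body = payload[1:]
        if flags & 0x80:
            pkt["tls_total_length"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        pkt["tls_records"] = parse_tls_records(body)
    elif eap_type == 26:
        # EAP-MSCHAPv2: op-code first; a peer's Success/Failure response is the op-code alone,
        # while Challenge/Response packets continue with MS-CHAPv2 id and length.
        pkt["mschapv2_opcode"] = MSCHAPV2_OPCODES.get(payload[0], payload[0])
        if len(payload) >= 4:
            pkt["mschapv2_id"], pkt["mschapv2_length"] = struct.unpack("!BH", payload[1:4])
    return pkt


if __name__ == "__main__":
    for label, msg in (("outer", OUTER_EAP_MESSAGE), ("tunneled", INNER_EAP_MESSAGE)):
        print(label, parse_eap_message(msg))
```

Decoding shows the outer message is an EAP Response (id 11, 80 bytes) of type PEAP carrying two TLS application-data records, and the tunneled message is an EAP-MSCHAPv2 Response (same id 11) whose payload is only op-code 3, the peer's Success acknowledgement with no challenge or response data. That is exactly the "1a 03" frame xsupplicant logged, so the packet itself is well-formed; what reaches proxy-inner-tunnel is the phase-2 acknowledgement, which only an EAP handler that still holds the session for that State can consume.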