Terminate EAP-PEAP client connection at FreeRADIUS and proxy (forward) request as MS-CHAP

Ryan majereryan at gmail.com
Mon Mar 24 11:03:13 CET 2008


Hi All,

I need some help with the configuration to have an EAP-PEAP request
proxied as MS-CHAP to another RADIUS server.

Main Radius server: version 2.0.2
Radius to be proxied to: version 1.1.3

Key configuration entries on main radius server as follows:

------------------
radiusd.conf
------------------
modules {
        pap {
                auto_header = no
        #       encryption_scheme = clear
        }
        chap {
                authtype = CHAP
        }
        mschap {
                use_mppe = yes
                authtype = MS-CHAP
                require_encryption = yes
                require_strong = yes
        }
}

--------
users
--------
DEFAULT                 FreeRADIUS-Proxied-To == 127.0.0.1,
        Proxy-To-Realm := SECURACCESS

----------------
proxy.conf
----------------
home_server goebbels {
        type = auth+acct
        ipaddr = xxx.xxx.xxx.151
        port = 1812
        secret = xxxxxx
        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = request
        check_interval = 30
        num_answers_to_alive = 3
}
home_server_pool my_auth_failover {
        type = fail-over
        home_server = goebbels
}
realm gmail.com {
}
realm SECURACCESS {
        pool            = my_auth_failover
        nostrip
        hints
}

-------------
eap.conf
-------------
eap {
                peap {
                        default_eap_type = mschapv2
                        proxy_tunneled_request_as_eap = no
                }
}

----------------------------
sites-enabled/default
----------------------------
authorize {
     preprocess
     chap
     mschap
     IPASS
     suffix
     eap
     files
     pap
}
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

The request is proxied successfully to the inner RADIUS server using MS-CHAP
and the authentication is correct; however, when the reply is returned,
I'm getting errors. Here is the output for reference.

rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987,
id=22, length=158
	User-Name = "majereryan at gmail.com"
	Framed-MTU = 1400
	Called-Station-Id = "001e.7a3c.7a10"
	Calling-Station-Id = "001e.3a8b.f065"
	Service-Type = Login-User
	Message-Authenticator = 0x749ecae7e4f112c2dc2c4edad03ab8f3
	EAP-Message = 0x02020017016d616a65726540716d61782e636f6d2e7367
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 288
	NAS-IP-Address = 192.168.0.88
	NAS-Identifier = "Test_802_1x"
+- entering group authorize
	expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "majereryan at gmail.com", skipping
NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name =
"majereryan at gmail.com"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 23
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry DEFAULT at line 41
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 22 to xxx.xxx.xxx.219 port 62987
	Service-Type = Framed-User
	Session-Timeout = 36000
	Idle-Timeout = 10800
	EAP-Message = 0x010300061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x3d9c5d6c3d9f44de59e52e5a67a9cf7f
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987,
id=23, length=219
	User-Name = "majereryan at gmail.com"
	Framed-MTU = 1400
	Called-Station-Id = "001e.7a3c.7a10"
	Calling-Station-Id = "001e.3a8b.f065"
	Service-Type = Login-User
	Message-Authenticator = 0xcbcc4b5fac3cad3cedb45f85d411f1a1
	EAP-Message = 0x0203004219800000003816030100330100002f030147e775d6e6585e5c5af14cae88358db237b2036cb19a1b44dd865f48b4bd86ad000008000a002f001600330100
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 288
	State = 0x3d9c5d6c3d9f44de59e52e5a67a9cf7f
	NAS-IP-Address = 192.168.0.88
	NAS-Identifier = "Test_802_1x"
+- entering group authorize
	expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "majereryan at gmail.com", skipping
NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name =
"majereryan at gmail.com"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 3 length 66
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 56
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0033], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0c2d], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 23 to xxx.xxx.xxx.219 port 62987
	EAP-Message = 0x6572742e6f7267301e170d3038303331393037343035335a170d3038303931353037343035335a301c311a30180603550403131173616272652e716d61782e6e65742e736730820122300d06092a864886f70d01010105000382010f003082010a0282010100e654a1a0247e825410f8c197fa6b89a46e915bfc58209652f2692b97e158d9ac38bccf95947af8c1b45b142fe4fbfcbd5ad50bb8cc4b9f326313ce41e76051fd29ec19c8ae28cae1c3c6d669ce5868a32d6f2540b664b14b27adcfd380c4c595db5cfe90f93ba9ee81c61f0b437b6266953e918ae103e0d2e82ff55cbb67ef4fe2b7717cdaf7a35d92aa98af912c0ab440e73343c04f82
	EAP-Message = 0xa9d10b5c95fbffbeb9296b02
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x3d9c5d6c3c9844de59e52e5a67a9cf7f
Finished request 1.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987,
id=24, length=159
	User-Name = "majereryan at gmail.com"
	Framed-MTU = 1400
	Called-Station-Id = "001e.7a3c.7a10"
	Calling-Station-Id = "001e.3a8b.f065"
	Service-Type = Login-User
	Message-Authenticator = 0xe210919a74fb784b321b8817189a9d31
	EAP-Message = 0x020400061900
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 288
	State = 0x3d9c5d6c3c9844de59e52e5a67a9cf7f
	NAS-IP-Address = 192.168.0.88
	NAS-Identifier = "Test_802_1x"
+- entering group authorize
	expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "majereryan at gmail.com", skipping
NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name =
"majereryan at gmail.com"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 24 to xxx.xxx.xxx.219 port 62987
	EAP-Message = 0x5489a5fbdb8b5122
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x3d9c5d6c3f9944de59e52e5a67a9cf7f
Finished request 2.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987,
id=25, length=159
	User-Name = "majereryan at gmail.com"
	Framed-MTU = 1400
	Called-Station-Id = "001e.7a3c.7a10"
	Calling-Station-Id = "001e.3a8b.f065"
	Service-Type = Login-User
	Message-Authenticator = 0x1831b9c6ed39e206304a0bae85d5a8a1
	EAP-Message = 0x020500061900
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 288
	State = 0x3d9c5d6c3f9944de59e52e5a67a9cf7f
	NAS-IP-Address = 192.168.0.88
	NAS-Identifier = "Test_802_1x"
+- entering group authorize
	expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "majereryan at gmail.com", skipping
NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name =
"majereryan at gmail.com"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 5 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 25 to xxx.xxx.xxx.219 port 62987
	EAP-Message = 0x3406096086480186f842010804271625687474703a2f2f7777772e6361636572742e6f72672f696e6465782e7068703f69643d3130305606096086480186f842010d04491647546f2067657420796f7572206f776e20636572746966696361746520666f7220465245452068656164206f76657220746f20687474703a2f2f7777772e6361636572742e6f7267300d06092a864886f70d0101040500038202010028c7ee9c8202ba5c8012ca350a1d816f896a99ccf2680f7fa7e18d58953ebdf206c3905aacb560f6994301a388709c9d629da487af67580d30363be6ad48d3cb740286713ee22b0368f1346240463b53ea28f4acfb6695538a4d5dfd
	EAP-Message = 0x3a759cf31df1a20d
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x3d9c5d6c3e9a44de59e52e5a67a9cf7f
Finished request 3.
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987,
id=26, length=159
	User-Name = "majereryan at gmail.com"
	Framed-MTU = 1400
	Called-Station-Id = "001e.7a3c.7a10"
	Calling-Station-Id = "001e.3a8b.f065"
	Service-Type = Login-User
	Message-Authenticator = 0x0a71bcc21970eb9c06a717f1577e3124
	EAP-Message = 0x020600061900
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 288
	State = 0x3d9c5d6c3e9a44de59e52e5a67a9cf7f
	NAS-IP-Address = 192.168.0.88
	NAS-Identifier = "Test_802_1x"
+- entering group authorize
	expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "majereryan at gmail.com", skipping
NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name =
"majereryan at gmail.com"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 6 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 26 to xxx.xxx.xxx.219 port 62987
	EAP-Message = 0x010700ae19007067861bb316f52fe5a4eb7986f93d0bc2730ba599ac6ffc67b8e52f0ba618248d7bd14835291840ac9360e1968650b47a59d88f210b9fcf8291c63bbf6bdc0791b9975623aab66c94c648063ce4ce4eaae4f62f09dc536f2efc74eb3a6399c2a6ac89bca7b244a00d8a10e36cf224cbfa9b9f70472ede148bd4b2200996a264f1241cdca1359c15b2d4bc552e7d06f59c0e55f45ad693da76ad25734cc54316030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x3d9c5d6c399b44de59e52e5a67a9cf7f
Finished request 4.
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987,
id=27, length=483
	User-Name = "majereryan at gmail.com"
	Framed-MTU = 1400
	Called-Station-Id = "001e.7a3c.7a10"
	Calling-Station-Id = "001e.3a8b.f065"
	Service-Type = Login-User
	Message-Authenticator = 0x822399b94b0bc1594b5b849189d31868
	EAP-Message = 0xcb469d3cd49d56c02c19b6717b6a647892830384a3a0cc2b14030100010116030100287747b2da88c656a202dd69c5c460b346189416e6ff86cb124f2bff6b9443c04fa7f9c324d5644021
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 288
	State = 0x3d9c5d6c399b44de59e52e5a67a9cf7f
	NAS-IP-Address = 192.168.0.88
	NAS-Identifier = "Test_802_1x"
+- entering group authorize
	expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "majereryan at gmail.com", skipping
NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name =
"majereryan at gmail.com"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 7 length 253
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 318
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 27 to xxx.xxx.xxx.219 port 62987
	EAP-Message = 0x0108003919001403010001011603010028f7057de02b9d0e5184efd841fab6a4b44d3877cd7b25a3e786145bf58a866c76e6bda53e876b473d
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x3d9c5d6c389444de59e52e5a67a9cf7f
Finished request 5.
Going to the next request
Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987,
id=28, length=159
	User-Name = "majereryan at gmail.com"
	Framed-MTU = 1400
	Called-Station-Id = "001e.7a3c.7a10"
	Calling-Station-Id = "001e.3a8b.f065"
	Service-Type = Login-User
	Message-Authenticator = 0x9aa9d97e0e231cea6b19cb67a7427212
	EAP-Message = 0x020800061900
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 288
	State = 0x3d9c5d6c389444de59e52e5a67a9cf7f
	NAS-IP-Address = 192.168.0.88
	NAS-Identifier = "Test_802_1x"
+- entering group authorize
	expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "majereryan at gmail.com", skipping
NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name =
"majereryan at gmail.com"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 8 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap_peap: EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 28 to xxx.xxx.xxx.219 port 62987
	EAP-Message = 0x0109002b19001703010020eedbab1e5637b6f9a112f580254e552325658744d6663cd65b9a405cc43ffe6e
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x3d9c5d6c3b9544de59e52e5a67a9cf7f
Finished request 6.
Going to the next request
Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987,
id=29, length=204
	User-Name = "majereryan at gmail.com"
	Framed-MTU = 1400
	Called-Station-Id = "001e.7a3c.7a10"
	Calling-Station-Id = "001e.3a8b.f065"
	Service-Type = Login-User
	Message-Authenticator = 0x96b9aec4b089096c9bc1d6d2598c65a4
	EAP-Message = 0x0209003319001703010028b6876e498464cf83b2c91427000ebfa013931247315f451d4cfe1c43fb21d97e7a74d1138289b578
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 288
	State = 0x3d9c5d6c3b9544de59e52e5a67a9cf7f
	NAS-IP-Address = 192.168.0.88
	NAS-Identifier = "Test_802_1x"
+- entering group authorize
	expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "majereryan at gmail.com", skipping
NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name =
"majereryan at gmail.com"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 9 length 51
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Identity - majereryan at gmail.com
  PEAP: Got tunneled identity of majereryan at gmail.com
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to majereryan at gmail.com
+- entering group authorize
	expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "majereryan at gmail.com", skipping
NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name =
"majereryan at gmail.com"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 9 length 23
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry DEFAULT at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
    PEAP: Cancelling proxy to realm SECURACCESS until the tunneled EAP
session has been established
  PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 29 to xxx.xxx.xxx.219 port 62987
	EAP-Message = 0x010a004b19001703010040650e624cd28f313fcdaa01569602f1b5c46136cbe5807506d27344870727fcaefd991233d94b0b695e9888a3f104d8f9611b03212fc6762840ca318a5ab8dfe7
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x3d9c5d6c3a9644de59e52e5a67a9cf7f
Finished request 7.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987,
id=30, length=260
	User-Name = "majereryan at gmail.com"
	Framed-MTU = 1400
	Called-Station-Id = "001e.7a3c.7a10"
	Calling-Station-Id = "001e.3a8b.f065"
	Service-Type = Login-User
	Message-Authenticator = 0x97de9e8789eb63dd4e16c3acf1663d79
	EAP-Message = 0x020a006b19001703010060b2c9dbe814f29a10ef2fd8f8e39a7f63976d9ef95692d2062c4d148432e7e0ddcfe869c72ff3e3e55496d2a432990bd1b2526e4e95621c082d40089bedc6376916d2d615d323b5ea3ab2a7078b0fb89d90401eff5baa808b9cfaf1364a4ead75
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 288
	State = 0x3d9c5d6c3a9644de59e52e5a67a9cf7f
	NAS-IP-Address = 192.168.0.88
	NAS-Identifier = "Test_802_1x"
+- entering group authorize
	expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "majereryan at gmail.com", skipping
NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name =
"majereryan at gmail.com"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 10 length 107
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  PEAP: Setting User-Name to majereryan at gmail.com
+- entering group authorize
	expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "majereryan at gmail.com", skipping
NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name =
"majereryan at gmail.com"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 10 length 77
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry DEFAULT at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Not-EAP proxy set.  Not composing EAP
++[eap] returns handled
  PEAP: Tunneled authentication will be proxied to SECURACCESS
  PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
  Tunneled session will be proxied.  Not doing EAP.
++[eap] returns handled
Sending Access-Request of id 212 to xxx.xxx.xxx.151 port 1812
	User-Name = "majereryan at gmail.com"
	NAS-IP-Address = xxx.xxx.xxx.219
	MS-CHAP-Challenge = 0x5d6e0e7c347dfb2e0d636bb267dbbb25
	MS-CHAP2-Response =
0x0a613cd2bf39eed5861aabb762c1c824164f0000000000000000034b01fe706028ca1c4aac06d12203ba01fb335cc5849983
	Proxy-State = 0x3330
Proxying request 8 to home server xxx.xxx.xxx.151 port 1812
Sending Access-Request of id 212 to xxx.xxx.xxx.151 port 1812
	User-Name = "majereryan at gmail.com"
	NAS-IP-Address = xxx.xxx.xxx.219
	MS-CHAP-Challenge = 0x5d6e0e7c347dfb2e0d636bb267dbbb25
	MS-CHAP2-Response =
0x0a613cd2bf39eed5861aabb762c1c824164f0000000000000000034b01fe706028ca1c4aac06d12203ba01fb335cc5849983
	Proxy-State = 0x3330
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Accept packet from host xxx.xxx.xxx.151 port 1812,
id=212, length=210
	Class = 0x7773675f353132
	Service-Type = Framed-User
	Session-Timeout = 36000
	Idle-Timeout = 10800
	MS-CHAP2-Success =
0x0a533d34414246383744434131334641313736423838364530413830334530464244303739454539433042
	MS-MPPE-Recv-Key = 0xd05b8c013b092f1d163f93190e1f9049
	MS-MPPE-Send-Key = 0x03ffeba42e61c4fe7f41d9c2d6ab2725
	MS-MPPE-Encryption-Policy = 0x00000001
	MS-MPPE-Encryption-Types = 0x00000006
	Proxy-State = 0x3330
+- entering group post-proxy
	expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
-> /usr/local/var/log/radius/radacct/xxx.xxx.xxx.219/post-proxy-detail-20080324
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/xxx.xxx.xxx.219/post-proxy-detail-20080324
	expand: %t -> Mon Mar 24 17:35:20 2008
++[post_proxy_log] returns ok
  PEAP: Passing reply from proxy back into the tunnel.
  PEAP: Passing reply back for EAP-MS-CHAP-V2 0x8177078 2
+- entering group post-proxy
	expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
-> /usr/local/var/log/radius/radacct/0.0.0.0/post-proxy-detail-20080324
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/0.0.0.0/post-proxy-detail-20080324
	expand: %t -> Mon Mar 24 17:35:20 2008
++[post_proxy_log] returns ok
  rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x8177078 2.
  rlm_eap_mschapv2: Authentication succeeded.
MSCHAP Success
++[eap] returns ok
  POST-PROXY 2
+- entering group post-auth
	expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
-> /usr/local/var/log/radius/radacct/0.0.0.0/reply-detail-20080324
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/0.0.0.0/reply-detail-20080324
	expand: %t -> Mon Mar 24 17:35:20 2008
++[reply_log] returns ok
  POST-AUTH 2
 PEAP: Got reply 11
  PEAP: Got tunneled Access-Challenge
  PEAP: Reply was handled
++[eap] returns ok
Sending Access-Challenge of id 30 to xxx.xxx.xxx.219 port 62987
	EAP-Message = 0x010b005319001703010048123d1f08e9391db9d1fdaaffd38640765bc5bf7468f612ba7fcc5865888b259a8fb79f1a745c0390e6f4be1e216bbe72b48e8f6478adf27f6a7e1fc824c97ff0ad244185501e6f93
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x3d9c5d6c359744de59e52e5a67a9cf7f
Finished request 8.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.219 port 62987,
id=31, length=188
	User-Name = "majereryan at gmail.com"
	Framed-MTU = 1400
	Called-Station-Id = "001e.7a3c.7a10"
	Calling-Station-Id = "001e.3a8b.f065"
	Service-Type = Login-User
	Message-Authenticator = 0xc9fe0bbade3ca7d7279e162081682679
	EAP-Message = 0x020b002319001703010018f832b95c14b1b34d82496c06d938a70470f470e31e44e795
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 288
	State = 0x3d9c5d6c359744de59e52e5a67a9cf7f
	NAS-IP-Address = 192.168.0.88
	NAS-Identifier = "Test_802_1x"
+- entering group authorize
	expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "majereryan at gmail.com", skipping
NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name =
"majereryan at gmail.com"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 11 length 35
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  PEAP: Setting User-Name to majereryan at gmail.com
+- entering group authorize
	expand: %{Client-IP-Address} -> xxx.xxx.xxx.219
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '/' in User-Name = "majereryan at gmail.com", skipping
NULL due to config.
++[IPASS] returns noop
    rlm_realm: Looking up realm "gmail.com" for User-Name =
"majereryan at gmail.com"
    rlm_realm: Found realm "gmail.com"
    rlm_realm: Adding Stripped-User-Name = "majere"
    rlm_realm: Proxying request from user majere to realm gmail.com
    rlm_realm: Adding Realm = "gmail.com"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: EAP packet type response id 11 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry DEFAULT at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate
rlm_eap: No EAP session matching the State variable.
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
  rlm_eap: Failed in handler
++[eap] returns invalid
  PEAP: Can't handle the return code 4
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [majereryan at gmail.com/<via Auth-Type = EAP>] (from
client gecko port 288 cli 001e.3a8b.f065)
  Found Post-Auth-Type Reject
+- entering group REJECT
	expand: %{User-Name} -> majereryan at gmail.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.4 seconds.
Waking up in 0.3 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 31 to xxx.xxx.xxx.219 port 62987
	EAP-Message = 0x040b0004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.4 seconds.

It seems that it can't match the EAP session, based on the output shown below:
------------------------------------------------------------------------------------------------------
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate
rlm_eap: No EAP session matching the State variable.
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
  rlm_eap: Failed in handler
++[eap] returns invalid
  PEAP: Can't handle the return code 4
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
------------------------------------------------------------------------------------------------------

Thanks/Regards,
Ryan
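As an added example (not part of Ryan's post and not FreeRADIUS project code), the decoder below reads the EAP-Message and MS-CHAP attribute hex that FreeRADIUS prints in debug mode, so the values in a log like the one above can be checked against the rlm_eap / rlm_eap_peap messages: EAP code and id, the PEAP start/ACK/length flags, the TLS record at the head of a fragment, and the ident that the home server's MS-CHAP2-Success must echo from the proxied MS-CHAP2-Response. The sample values are copied from the debug output above; the field layouts assumed are those of RFC 3748 (EAP header), the PEAP flag byte (L=0x80, M=0x40, S=0x20), RFC 2246 (TLS record header) and RFC 2548 (MS-CHAP2 attributes).

```python
"""Decode EAP-Message and MS-CHAP attribute values from FreeRADIUS debug output.

Added example: not from the original post and not FreeRADIUS code.  Layouts
assumed: EAP header per RFC 3748, PEAP flag byte (L=0x80 length included,
M=0x40 more fragments, S=0x20 start), TLS record header per RFC 2246,
MS-CHAP2-Response / MS-CHAP2-Success per RFC 2548.
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}


def _unhex(value):
    """Accept the '0x...' form the debug log uses as well as bare hex."""
    return bytes.fromhex(value[2:] if value.startswith("0x") else value)


def decode_eap(value):
    """Describe one EAP-Message attribute value (one EAP packet or fragment)."""
    data = _unhex(value)
    if len(data) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           # a debug line shorter than the declared length was cut off in the log
           "truncated": len(data) < length}
    if code in (1, 2) and len(data) >= 5:
        eap_type = data[4]
        out["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 25 and len(data) >= 6:
            flags = data[5]
            out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                            "S": bool(flags & 0x20), "version": flags & 0x07}
            payload = data[6:]
            if flags & 0x80 and len(payload) >= 4:
                # L flag: the first fragment carries the total TLS message length
                out["tls_total_length"] = int.from_bytes(payload[:4], "big")
                payload = payload[4:]
            # An empty, non-start PEAP packet is the ACK for a received fragment
            out["ack"] = not payload and not (flags & 0x20) and not out["truncated"]
            # Only the head of a TLS record is decodable; a fragment continuing an
            # earlier record (no L flag, arbitrary first byte) is reported as such
            if len(payload) >= 5 and payload[0] in TLS_CONTENT and payload[1] == 3:
                out["tls_record"] = {"content_type": TLS_CONTENT[payload[0]],
                                     "version": "%d.%d" % (payload[1], payload[2]),
                                     "length": int.from_bytes(payload[3:5], "big")}
            elif payload:
                out["continuation"] = True
    return out


def decode_mschap2_response(value):
    """MS-CHAP2-Response: ident, flags, 16-byte peer challenge, 8 reserved, 24-byte NT-Response."""
    data = _unhex(value)
    if len(data) != 50:
        raise ValueError("MS-CHAP2-Response is 50 bytes, got %d" % len(data))
    return {"ident": data[0], "flags": data[1],  # RFC 2548 says flags must be zero; reported as seen
            "peer_challenge": data[2:18].hex(),
            "reserved_is_zero": data[18:26] == bytes(8),
            "nt_response": data[26:50].hex()}


def decode_mschap2_success(value):
    """MS-CHAP2-Success: ident byte, then ASCII 'S=' followed by 40 hex digits."""
    data = _unhex(value)
    text = data[1:].decode("ascii", errors="replace")
    return {"ident": data[0], "auth_response": text,
            "well_formed": len(text) == 42 and text.startswith("S=")}


def success_matches_response(response_value, success_value):
    """RFC 2548 requires the Success ident to be identical to the Response ident;
    checking it is a quick sanity test on what the home server sent back."""
    resp = decode_mschap2_response(response_value)
    succ = decode_mschap2_success(success_value)
    return succ["well_formed"] and resp["ident"] == succ["ident"]


# Values copied from the debug output above: EAP-Message attributes of the outer
# conversation and the MS-CHAP attributes of the proxied request and its reply.
SAMPLES = {
    "peap_start": "0x010300061920",
    "client_hello": "0x0203004219800000003816030100330100002f030147e775d6e6585e5c5af14cae88358db237b2036cb19a1b44dd865f48b4bd86ad000008000a002f001600330100",
    "ack": "0x020400061900",
    "failure": "0x040b0004",
}
MSCHAP2_RESPONSE = "0x0a613cd2bf39eed5861aabb762c1c824164f0000000000000000034b01fe706028ca1c4aac06d12203ba01fb335cc5849983"
MSCHAP2_SUCCESS = "0x0a533d34414246383744434131334641313736423838364530413830334530464244303739454539433042"

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, decode_eap(value))
    print("ident echoed by home server:",
          success_matches_response(MSCHAP2_RESPONSE, MSCHAP2_SUCCESS))
```

Run against the values above, the ClientHello fragment decodes to EAP id 3, total TLS length 56 and a 51-byte Handshake record, which are the "TLS Length 56" and "[length 0033], ClientHello" lines in the log; the final `0x040b0004` is an EAP Failure with id 11, the id of the request that produced "No EAP session matching the State variable".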