Trying to get tunneling to work

Mike Bernhardt bernhardt at bart.gov
Fri Dec 11 00:16:19 CET 2009


I am trying to set up freeradius to proxy 802.11 MSCHAPv2 requests to an IAS
server. The IAS requests are authenticated by a Safeword server, which
doesn't support 802.11. So the idea is that freeradius takes the request,
proxies it to IAS as if it were a non-802.11 client, IAS passes it to the
integrated Safeword server, and everything is happy.

My configuration works from an 802.11 supplicant if the user exists locally in
freeradius, but no proxying happens when the user doesn't exist locally. It
doesn't appear to ever leave radiusd. What I hope is the relevant debug
output is below. Please be nice, I am very new to RADIUS! If you could point
out the issues you see and where to look for resolution I'd really
appreciate it. If you need more info or the contents of any files, just ask.

rad_recv: Access-Request packet from host 192.168.7.139 port 1645, id=90, length=253
        User-Name = "mbernhardt"
        Framed-MTU = 1400
        Called-Station-Id = "000a.f4e2.2a00"
        Calling-Station-Id = "0021.6a46.b0cc"
        Service-Type = Login-User
        Message-Authenticator = 0x6d0c7d1550b928f2c1e4819363b4c655
        EAP-Message = 0x0209006b190017030100605b9dff6664aed05daf847f94f2c5653aeb8bd71c24eb8cb322507777f2326709a15aa5cca25c1fd4a8078736d29db8a366c19e511ead9cd2464eea7d6c7c9ed1d334d140b044029ab54bad420b8a1a6e09d0d98be53e16ce732e7ae903591d65
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 2948
        State = 0x7986d88d7f8fc1cc817b41b32920e7cd
        NAS-IP-Address = 192.168.7.139
        NAS-Identifier = "lks15w-ap350"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mbernhardt", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020900451a0209004031d64addabbce8df20ddb2b2bf5f76e1e00000000000000000b3641d7bbaa84d8e02bd692d2b804b6eb86329e81e2c878c006d6265726e6861726474
server  {
  PEAP: Setting User-Name to mbernhardt
Sending tunneled request
        EAP-Message = 0x020900451a0209004031d64addabbce8df20ddb2b2bf5f76e1e00000000000000000b3641d7bbaa84d8e02bd692d2b804b6eb86329e81e2c878c006d6265726e6861726474
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "mbernhardt"
        State = 0xf069bb62f060a15804b7cea0a47025dc
        Framed-MTU = 1400
        Called-Station-Id = "000a.f4e2.2a00"
        Calling-Station-Id = "0021.6a46.b0cc"
        Service-Type = Login-User
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 2948
        NAS-IP-Address = 192.168.7.139
        NAS-Identifier = "lks15w-ap350"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
[suffix] No '@' in User-Name = "mbernhardt", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 69
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
} # server inner-tunnel
[peap] Got tunneled reply code 0
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap]   Not-EAP proxy set.  Not composing EAP
++[eap] returns handled
  PEAP: Tunneled authentication will be proxied to safeword.eng
  PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
[eap]   Tunneled session will be proxied.  Not doing EAP.
++[eap] returns handled
  WARNING: Empty section.  Using default return values.
ERROR: Failed to create a new socket for proxying requests.
ERROR: Failed inserting request into proxy hash.
ERROR: Failed to proxy request 7
There was no response configured: rejecting request 7
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> mbernhardt
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 90 to 192.168.7.139 port 1645
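The design the post describes (outer PEAP terminated on FreeRADIUS, the inner MS-CHAPv2 exchange handed to IAS as a plain, non-EAP Access-Request) is normally expressed with a home server, a pool and a realm in proxy.conf plus a Proxy-To-Realm entry in the inner-tunnel users file. The fragments below are an added example written for this page, not the poster's configuration; the home server address, shared secret and the "ias_" names are placeholders, while the realm name safeword.eng and the DEFAULT users entry mirror what the debug output above shows ("Tunneled authentication will be proxied to safeword.eng", "users: Matched entry DEFAULT").

```conf
# radiusd.conf: proxying has to be switched on and proxy.conf included
proxy_requests = yes
$INCLUDE proxy.conf

# proxy.conf: the IAS server that fronts Safeword
# (ipaddr and secret are placeholders, not values from the post)
home_server ias_safeword {
        type = auth
        ipaddr = 192.0.2.10                 # placeholder: IAS address
        port = 1812
        secret = REPLACE_WITH_SHARED_SECRET  # placeholder
        response_window = 20
}

home_server_pool ias_pool {
        type = fail-over
        home_server = ias_safeword
}

# Realm the tunneled request is forwarded to. "nostrip" leaves User-Name
# untouched, since the realm is chosen via Proxy-To-Realm below rather
# than by a user@realm suffix (the debug output shows no '@' in the name).
realm safeword.eng {
        auth_pool = ias_pool
        nostrip
}

# users file of the inner-tunnel virtual server: any inner request that
# did not match a local user is handed to the realm. This is the path that
# produces "Not-EAP proxy set. Not composing EAP": FreeRADIUS unwraps the
# EAP-MSCHAPv2 data and forwards ordinary MS-CHAP attributes, so IAS sees
# a non-802.11 style request, which is what the post wants.
DEFAULT    Proxy-To-Realm := "safeword.eng"
```

With a working proxy path, `radiusd -X` prints a "Sending Access-Request ... to" line for the home server instead of the "Failed to proxy request" errors seen above; the shared secret must match on both FreeRADIUS and IAS, or IAS will silently discard the forwarded request.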
