FR2 EAP-PEAP proxy does not save attributes

Daniil L. Kharoun daniil at chics.ru
Thu Sep 17 07:45:53 CEST 2009


We need to authorize wireless users via the EAP-PEAP protocol, but,
unfortunately, the RADIUS server of the billing system cannot do EAP-PEAP.
I installed freeradius 2.1.6 in proxy mode. Freeradius terminates the TLS
tunnel, and the requests to the RADIUS server of the billing system are sent
using the mschapv2 algorithm.
Problem - freeradius does not save or pass on the additional attributes for
the access point that are obtained from the RADIUS server of the billing
system (for example, WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down).
How can I solve the problem?

192.168.145.42 - WiFi Access Point
192.168.151.59 - radius billing system
192.168.151.36 - freeradius

eap.conf:
        eap {
                default_eap_type = mschapv2
                timer_expire     = 60
                ignore_unknown_eap_types = yes
                cisco_accounting_username_bug = no
                max_sessions = 2048
                tls {
                        certdir = ${confdir}/certs
                        cadir = ${confdir}/certs
                        private_key_file = /etc/ssl/hotspot.pem
                        certificate_file = /etc/ssl/hotspot.pem
                        CA_file = /etc/ssl/Equifax_Secure_Certificate_Authority.cer
                        dh_file = ${certdir}/dh
                        random_file = ${certdir}/random
                        cipher_list = "DEFAULT"
                        make_cert_command = "${certdir}/bootstrap"
                        cache {
                              enable = no
                              lifetime = 24
                              max_entries = 255
                        }
                }
                peap {
                        default_eap_type = mschapv2
                        copy_request_to_tunnel = yes
                        use_tunneled_reply = yes
                        proxy_tunneled_request_as_eap = no
                        virtual_server = "proxy-inner-tunnel"
                }
                mschapv2 {
                }
        }

proxy-inner-tunnel:

server proxy-inner-tunnel {
authorize {
        update control {
                #  You should update this to be one of your realms.
                Proxy-To-Realm := "BILLING"
        }
}
authenticate {
        eap
}

post-proxy {
        eap
}
}

proxy.conf:

realm BILLING {
       authhost        = 192.168.151.59:1812
       secret          = secretkey
}


DEBUG:
rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=222, 
length=118
        User-Name = "10"
        EAP-Message = 0x02620007013130
        Message-Authenticator = 0xe38b290e654269d95defc60fb7831415
        Calling-Station-Id = "00:17:9A:0A:54:F1"
        Called-Station-Id = "00:15:6D:AD:1E:D7"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-IP-Address = 192.168.145.42
        NAS-Identifier = "DreamWiFi"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "10", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 98 length 7
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 222 to 192.168.145.42 port 45920
        EAP-Message = 
0x0163001c1a01630017106ec1f0ae862c6445e9a4584a08ab62ef3130
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x07ead3a30789c9ac02fc8e14eb27c4dd
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=223, 
length=135
        User-Name = "10"
        State = 0x07ead3a30789c9ac02fc8e14eb27c4dd
        EAP-Message = 0x026300060319
        Message-Authenticator = 0x9525673c0e27ecccf1ac9f6ce46db721
        Calling-Station-Id = "00:17:9A:0A:54:F1"
        Called-Station-Id = "00:15:6D:AD:1E:D7"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-IP-Address = 192.168.145.42
        NAS-Identifier = "DreamWiFi"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "10", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 99 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 223 to 192.168.145.42 port 45920
        EAP-Message = 0x016400061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x07ead3a3068ecaac02fc8e14eb27c4dd
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=224, 
length=209
        User-Name = "10"
        State = 0x07ead3a3068ecaac02fc8e14eb27c4dd
        EAP-Message = 
0x0264005019800000004616030100410100003d03014ab1b8781e54c0ed2319fa36048467e14e8ea2e75c7ffc26ce5bc8860fc7397d00001600040005000a000900640062000300060013001200630100
        Message-Authenticator = 0x10d075914cfb960691940025bac92d35
        Calling-Station-Id = "00:17:9A:0A:54:F1"
        Called-Station-Id = "00:15:6D:AD:1E:D7"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-IP-Address = 192.168.145.42
        NAS-Identifier = "DreamWiFi"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "10", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 100 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]     (other): before/accept initialization 
[peap]     TLS_accept: before/accept initialization 
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello  
[peap]     TLS_accept: SSLv3 read client hello A 
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[peap]     TLS_accept: SSLv3 write server hello A 
[peap] >>> TLS 1.0 Handshake [length 03e1], Certificate  
[peap]     TLS_accept: SSLv3 write certificate A 
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: SSLv3 write server done A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 224 to 192.168.145.42 port 45920
        EAP-Message = 
0x0165040019c00000041e160301002a0200002603014ab1b87373b948ae5201edc20184e227a46dd17a260533ac0ec56e0395439f4e0000040016030103e10b0003dd0003da0003d7308203d33082033ca0030201020203094f70300d06092a864886f70d0101040500305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d31301e170d3038303930343132333033355a170d3130303930353132333033355a3081be310b3009060355040613025255311a301806035504
        EAP-Message = 0x62671f10333727cd338cd3cd
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x07ead3a3058fcaac02fc8e14eb27c4dd
Finished request 2.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=225, 
length=135
        User-Name = "10"
        State = 0x07ead3a3058fcaac02fc8e14eb27c4dd
        EAP-Message = 0x026500061900
        Message-Authenticator = 0x0891f11bfcde8025eb587ef050e6275d
        Calling-Station-Id = "00:17:9A:0A:54:F1"
        Called-Station-Id = "00:15:6D:AD:1E:D7"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-IP-Address = 192.168.145.42
        NAS-Identifier = "DreamWiFi"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "10", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 101 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 225 to 192.168.145.42 port 45920
        EAP-Message = 
0x0166002e1900702f3a043f13f2d5e5aec143aa600f630c62aa96fdbf5e831ae59e7d9712a816030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x07ead3a3048ccaac02fc8e14eb27c4dd
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=226, 
length=451
        User-Name = "10"
        State = 0x07ead3a3048ccaac02fc8e14eb27c4dd
        EAP-Message = 
0x80eea00922809693b706592d39e0b15bb7041c28f500cae3140301000101160301002065aa79b35b69f62a83173f7ab8f5b5a8d32d26a88721a8ee678de11e2b491929
        Message-Authenticator = 0xbbab16716509bef7bd587a9571871429
        Calling-Station-Id = "00:17:9A:0A:54:F1"
        Called-Station-Id = "00:15:6D:AD:1E:D7"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-IP-Address = 192.168.145.42
        NAS-Identifier = "DreamWiFi"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "10", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 102 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange  
[peap]     TLS_accept: SSLv3 read client key exchange A 
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] <<< TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 read finished A 
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]     TLS_accept: SSLv3 write change cipher spec A 
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 write finished A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     (other): SSL negotiation finished successfully 
SSL Connection Established 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 226 to 192.168.145.42 port 45920
        EAP-Message = 
0x01670031190014030100010116030100206aacab4436bbf44e492d852573dfe1266992043b58bbe3f8899aff0353065bc3
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x07ead3a3038dcaac02fc8e14eb27c4dd
Finished request 4.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=227, 
length=135
        User-Name = "10"
        State = 0x07ead3a3038dcaac02fc8e14eb27c4dd
        EAP-Message = 0x026700061900
        Message-Authenticator = 0x8cacd03c12a16673a93fa5f29a008a9f
        Calling-Station-Id = "00:17:9A:0A:54:F1"
        Called-Station-Id = "00:15:6D:AD:1E:D7"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-IP-Address = 192.168.145.42
        NAS-Identifier = "DreamWiFi"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "10", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 103 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 227 to 192.168.145.42 port 45920
        EAP-Message = 
0x01680020190017030100151f5ac40f4ba30f1f7a95c7e53868bb2f92829d3504
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x07ead3a30282caac02fc8e14eb27c4dd
Finished request 5.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=228, 
length=159
        User-Name = "10"
        State = 0x07ead3a30282caac02fc8e14eb27c4dd
        EAP-Message = 
0x0268001e19001703010013c5e116d8769ea065b0481bac42772977282860
        Message-Authenticator = 0x3a5e3bd0c1eda2cae9ba82bae0fa84c2
        Calling-Station-Id = "00:17:9A:0A:54:F1"
        Called-Station-Id = "00:15:6D:AD:1E:D7"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-IP-Address = 192.168.145.42
        NAS-Identifier = "DreamWiFi"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "10", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 104 length 30
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - 10
[peap] Got tunneled request
        EAP-Message = 0x02680007013130
server  {
  PEAP: Got tunneled identity of 10
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to 10
Sending tunneled request
        EAP-Message = 0x02680007013130
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "10"
        Calling-Station-Id = "00:17:9A:0A:54:F1"
        Called-Station-Id = "00:15:6D:AD:1E:D7"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-IP-Address = 192.168.145.42
        NAS-Identifier = "DreamWiFi"
server proxy-inner-tunnel {
+- entering group authorize {...}
++[control] returns notfound
} # server proxy-inner-tunnel
[peap] Got tunneled reply code 0
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
    PEAP: Cancelling proxy to realm BILLING until the tunneled EAP session has 
been established
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 
0x0169001c1a0169001710d01d8df2bebb58a339c9c0b7d7caa2173130
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xed5f6a24ed3670cb0fe406473891ab01
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 228 to 192.168.145.42 port 45920
        EAP-Message = 
0x0169003319001703010028974ef70851394a0c9a4a9783c4e94ef4b3b55dd38ce01d825860cca95b3b17454b897a2b291d5659
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x07ead3a30183caac02fc8e14eb27c4dd
Finished request 6.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=229, 
length=213
        User-Name = "10"
        State = 0x07ead3a30183caac02fc8e14eb27c4dd
        EAP-Message = 
0x02690054190017030100490a8a2dceac8c7bf8f6ef0a654c42c8dadc887fc06747ec53c2b84f03ad4cab7787dd12fbde394d8c0a931f3fc632a4a14d834fcf2751b9d2cd8fd7e1795b4c02b858804be81e5dba50
        Message-Authenticator = 0x8e1a99d600d67e4900cddbe680e0ea8d
        Calling-Station-Id = "00:17:9A:0A:54:F1"
        Called-Station-Id = "00:15:6D:AD:1E:D7"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-IP-Address = 192.168.145.42
        NAS-Identifier = "DreamWiFi"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "10", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 105 length 84
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 
0x0269003d1a0269003831082b6e438ecf27aae769335526e67a4300000000000000001fef103523937a5a401a1f294a3a15cca7aca61bfc5e5cce003130
server  {
  PEAP: Setting User-Name to 10
Sending tunneled request
        EAP-Message = 
0x0269003d1a0269003831082b6e438ecf27aae769335526e67a4300000000000000001fef103523937a5a401a1f294a3a15cca7aca61bfc5e5cce003130
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "10"
        State = 0xed5f6a24ed3670cb0fe406473891ab01
        Calling-Station-Id = "00:17:9A:0A:54:F1"
        Called-Station-Id = "00:15:6D:AD:1E:D7"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-IP-Address = 192.168.145.42
        NAS-Identifier = "DreamWiFi"
server proxy-inner-tunnel {
+- entering group authorize {...}
++[control] returns notfound
} # server proxy-inner-tunnel
[peap] Got tunneled reply code 0
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap]   Not-EAP proxy set.  Not composing EAP
++[eap] returns handled
  PEAP: Tunneled authentication will be proxied to BILLING
  PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
[eap]   Tunneled session will be proxied.  Not doing EAP.
++[eap] returns handled
Sending Access-Request of id 210 to 192.168.151.59 port 1812
        User-Name = "10"
        Calling-Station-Id = "00:17:9A:0A:54:F1"
        Called-Station-Id = "00:15:6D:AD:1E:D7"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-IP-Address = 192.168.145.42
        NAS-Identifier = "DreamWiFi"
        MS-CHAP-Challenge = 0xd01d8df2bebb58a339c9c0b7d7caa217
        MS-CHAP2-Response = 
0x6930082b6e438ecf27aae769335526e67a4300000000000000001fef103523937a5a401a1f294a3a15cca7aca61bfc5e5cce
        Proxy-State = 0x323239
Proxying request 7 to home server 192.168.151.59 port 1812
Sending Access-Request of id 210 to 192.168.151.59 port 1812
        User-Name = "10"
        Calling-Station-Id = "00:17:9A:0A:54:F1"
        Called-Station-Id = "00:15:6D:AD:1E:D7"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-IP-Address = 192.168.145.42
        NAS-Identifier = "DreamWiFi"
        MS-CHAP-Challenge = 0xd01d8df2bebb58a339c9c0b7d7caa217
        MS-CHAP2-Response = 
0x6930082b6e438ecf27aae769335526e67a4300000000000000001fef103523937a5a401a1f294a3a15cca7aca61bfc5e5cce
        Proxy-State = 0x323239
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 192.168.151.59 port 1812, id=210, 
length=190
        Acct-Interim-Interval = 100
        Vendor-14559-Attr-2 = 0x3746bdf7
        WISPr-Bandwidth-Max-Up = 256000
        WISPr-Bandwidth-Max-Down = 1024000
        MS-CHAP2-Success = 
0x69533d38364544453342343842363931353546304535343645363831414538304436454232373039384144
        MS-MPPE-Recv-Key = 0xe7f1174e7beff1487910dc87d142d6e6
        MS-MPPE-Send-Key = 0x57c39cbbbdb601ce38ef7909bd7f9e12
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        Proxy-State = 0x323239
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
server proxy-inner-tunnel {
[eap] Passing reply back for EAP-MS-CHAP-V2
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
  rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x8178f00 2.
  rlm_eap_mschapv2: Authentication succeeded.
MSCHAP Success 
++[eap] returns ok
} # server proxy-inner-tunnel
[eap] Final reply from tunneled session code 11
        Acct-Interim-Interval = 100
        Vendor-14559-Attr-2 = 0x3746bdf7
        WISPr-Bandwidth-Max-Up = 256000
        WISPr-Bandwidth-Max-Down = 1024000
        Proxy-State = 0x323239
        EAP-Message = 
0x016a00331a0369002e533d38364544453342343842363931353546304535343645363831414538304436454232373039384144
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xed5f6a24ec3570cb0fe406473891ab01
[eap] Got reply 11
[eap] Got tunneled reply RADIUS code 11
        Acct-Interim-Interval = 100
        Vendor-14559-Attr-2 = 0x3746bdf7
        WISPr-Bandwidth-Max-Up = 256000
        WISPr-Bandwidth-Max-Down = 1024000
        Proxy-State = 0x323239
        EAP-Message = 
0x016a00331a0369002e533d38364544453342343842363931353546304535343645363831414538304436454232373039384144
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xed5f6a24ec3570cb0fe406473891ab01
[eap] Got tunneled Access-Challenge
[eap] Saving tunneled attributes for later
[eap] Reply was handled
++[eap] returns ok
Sending Access-Challenge of id 229 to 192.168.145.42 port 45920
        EAP-Message = 
0x016a004a1900170301003fd2ea6e8b90e35bd3dc79e64ecc7ae61cd620a7629fd3abf26723951ef19cfefbc3902e8c6b69247948560d9d5a2ffd957aaccfc6275fbeb408f6b9298c0b63
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x07ead3a30080caac02fc8e14eb27c4dd
Finished request 7.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=230, 
length=158
        User-Name = "10"
        State = 0x07ead3a30080caac02fc8e14eb27c4dd
        EAP-Message = 
0x026a001d1900170301001205f944ba8b8681891372395b7988718791f7
        Message-Authenticator = 0x650b5766f4853772e7afc56471b7a0a0
        Calling-Station-Id = "00:17:9A:0A:54:F1"
        Called-Station-Id = "00:15:6D:AD:1E:D7"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-IP-Address = 192.168.145.42
        NAS-Identifier = "DreamWiFi"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "10", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 106 length 29
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x026a00061a03
server  {
  PEAP: Setting User-Name to 10
Sending tunneled request
        EAP-Message = 0x026a00061a03
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "10"
        State = 0xed5f6a24ec3570cb0fe406473891ab01
        Calling-Station-Id = "00:17:9A:0A:54:F1"
        Called-Station-Id = "00:15:6D:AD:1E:D7"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-IP-Address = 192.168.145.42
        NAS-Identifier = "DreamWiFi"
server proxy-inner-tunnel {
+- entering group authorize {...}
++[control] returns notfound
} # server proxy-inner-tunnel
[peap] Got tunneled reply code 0
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
[peap] Got tunneled reply RADIUS code 2
        EAP-Message = 0x036a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "10"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 230 to 192.168.145.42 port 45920
        EAP-Message = 
0x016b00261900170301001b6e683e898fecffe435a9ac6da18b14d763fce8469753e75845e608
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x07ead3a30f81caac02fc8e14eb27c4dd
Finished request 8.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 192.168.145.42 port 45920, id=231, 
length=167
        User-Name = "10"
        State = 0x07ead3a30f81caac02fc8e14eb27c4dd
        EAP-Message = 
0x026b00261900170301001b460a94724013aed47c0d5d4baf51a28b8e327f5dc38f3c4f8409eb
        Message-Authenticator = 0xc6f562fa8c5e6f07251406f048927499
        Calling-Station-Id = "00:17:9A:0A:54:F1"
        Called-Station-Id = "00:15:6D:AD:1E:D7"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-IP-Address = 192.168.145.42
        NAS-Identifier = "DreamWiFi"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "10", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 107 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 231 to 192.168.145.42 port 45920
        User-Name = "10"
        MS-MPPE-Recv-Key = 
0x95cd48dc452bb7ea093e2a2945d4337a6112847f9ac1dafce280a27713ec34ca
        MS-MPPE-Send-Key = 
0x34066a293d5a0f0f5269014040f41bc79d125807510bc15bf99f75e7e3307977
        EAP-Message = 0x036b0004
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 9.
Going to the next request
Waking up in 4.3 seconds.
rad_recv: Accounting-Request packet from host 192.168.145.42 port 45920, 
id=232, length=131
        Acct-Status-Type = Start
        User-Name = "10"
        Calling-Station-Id = "00:17:9A:0A:54:F1"
        Called-Station-Id = "00:15:6D:AD:1E:D7"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-Port-Id = "00000000"
        NAS-IP-Address = 192.168.145.42
        NAS-Identifier = "DreamWiFi"
        Framed-IP-Address = 192.168.40.19
        Acct-Session-Id = "4ab1b87300000000"
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 
192.168.145.42,NAS-IP-Address = 192.168.145.42,Acct-Session-Id 
= "4ab1b87300000000",User-Name = "10"'
[acct_unique] Acct-Unique-Session-ID = "1e54eedf8186ab47".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "10", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]        
expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radacct/192.168.145.42/detail-20090917
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands 
to /var/log/radacct/192.168.145.42/detail-20090917
[detail]        expand: %t -> Thu Sep 17 10:17:55 2009
++[detail] returns ok
++[unix] returns ok
[radutmp]       expand: /var/log/radutmp -> /var/log/radutmp
[radutmp]       expand: %{User-Name} -> 10
++[radutmp] returns ok
[attr_filter.accounting_response]       expand: %{User-Name} -> 10
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 232 to 192.168.145.42 port 45920
Finished request 10.

-- 
Best regards, Daniil Kharun
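
Added example (not part of the original post, and not FreeRADIUS code): a small Python check that reads `radiusd -X` style debug output like the log above and lists the reply attributes present in the home server's Access-Accept but absent from the Access-Accept finally sent to the NAS. The sample text is a shortened excerpt with placeholder hex values, the `CONSUMED` list is an assumption about which attributes the proxy legitimately handles itself, and the log is assumed to hold a single session.

```python
import re

# Shortened sample in the shape of the debug output above. Hex values are
# placeholders, and two values are wrapped the way the mail archive wraps them.
SAMPLE_DEBUG = """\
rad_recv: Access-Accept packet from host 192.168.151.59 port 1812, id=210,
length=190
        Acct-Interim-Interval = 100
        WISPr-Bandwidth-Max-Up = 256000
        WISPr-Bandwidth-Max-Down = 1024000
        MS-CHAP2-Success =
0x6953
        MS-MPPE-Recv-Key = 0xe7f1
        Proxy-State = 0x323239
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
Sending Access-Accept of id 231 to 192.168.145.42 port 45920
        User-Name = "10"
        MS-MPPE-Recv-Key =
0x95cd
        EAP-Message = 0x036b0004
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 9.
"""

HEADER = re.compile(
    r"^(?:rad_recv: (?P<rtype>[\w-]+) packet from host (?P<rhost>\S+) port \d+"
    r"|Sending (?P<stype>[\w-]+) of id \d+ to (?P<shost>\S+) port \d+)")
# Attribute lines are indented; the value may be empty when it was wrapped.
ATTR = re.compile(r"^\s+(?P<name>[\w-]+) =\s*(?P<value>.*)$")

# Reply attributes the proxy is expected to consume or regenerate itself
# (assumption made for this example; adjust for your deployment).
CONSUMED = {"Proxy-State", "MS-CHAP2-Success", "EAP-Message",
            "Message-Authenticator", "State"}
CONSUMED_PREFIXES = ("MS-MPPE-",)


def parse_packets(text):
    """Return the RADIUS packets printed in the debug text, with attributes."""
    packets, current, pending, skip = [], None, None, False
    for line in text.splitlines():
        if skip:                      # wrapped "length=NNN" header remainder
            skip = False
            continue
        m = HEADER.match(line)
        if m:
            current = {"direction": "recv" if m.group("rtype") else "sent",
                       "type": m.group("rtype") or m.group("stype"),
                       "peer": m.group("rhost") or m.group("shost"),
                       "attrs": {}}
            packets.append(current)
            pending = None
            skip = line.rstrip().endswith(",")
            continue
        if current is None:
            continue
        a = ATTR.match(line)
        if a:
            name, value = a.group("name"), a.group("value").strip()
            current["attrs"].setdefault(name, []).append(value)
            pending = name if value == "" else None
        elif pending:                 # wrapped value on its own line
            current["attrs"][pending][-1] = line.strip()
            pending = None
        else:                         # first non-attribute line ends the packet
            current = None
    return packets


def dropped_reply_attributes(text, home_server, nas):
    """Attributes in the home server's Access-Accept missing from the NAS reply.

    Returns None when either Access-Accept is not found in the text.
    """
    packets = parse_packets(text)
    home = [p for p in packets if p["direction"] == "recv"
            and p["type"] == "Access-Accept" and p["peer"] == home_server]
    final = [p for p in packets if p["direction"] == "sent"
             and p["type"] == "Access-Accept" and p["peer"] == nas]
    if not home or not final:
        return None
    sent = final[-1]["attrs"]
    return {name: values for name, values in home[-1]["attrs"].items()
            if name not in CONSUMED
            and not name.startswith(CONSUMED_PREFIXES)
            and sent.get(name) != values}


if __name__ == "__main__":
    dropped = dropped_reply_attributes(SAMPLE_DEBUG,
                                       "192.168.151.59", "192.168.145.42")
    for name, values in (dropped or {}).items():
        print(f"not passed to NAS: {name} = {', '.join(values)}")
```
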



