EAP with a non EAP Radius server
Jacques FOUCHER
jacques.foucher at gmail.com
Sat Sep 26 11:39:44 CEST 2009
Hi,
I want to use EAP to authenticate wireless users on a RADIUS server which
doesn't know the EAP protocol. It seems that this is possible using a
FreeRADIUS proxy. The architecture should be:
Access Point as a NAS        FreeRADIUS as a proxy        RADIUS server without EAP
192.168.0.250                192.168.0.64                 192.168.0.252
<------------ EAP ----------><------ MS-CHAP v2 or other ------>
The idea is to convert an EAP Response/Identity into a RADIUS Access-Request
without EAP inside.
As the first RADIUS server I use FreeRADIUS version 2.0.4.
As the second one, I use IAS (just to test; in the final configuration it
will not be IAS).
When I configure IAS with an EAP method in the remote access policy, it
works. When I remove the EAP method from IAS, it does not.
The problem is that FreeRADIUS is acting as a proxy without removing EAP, and
that is not what I want.
These are the modifications I made to the configuration files; ask me if you
need more.
proxy.conf:
realm DEFAULT {
        authhost = 192.168.0.252:1812
        accthost = 192.168.0.252:1813
        secret = secret
}
eap.conf:
ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
}
peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = no
        virtual_server = "inner-tunnel"
}
On the wireless side, I tried TTLS and PEAP with the same unsuccessful result.
This is the FreeRADIUS log:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.250 port 32769, id=30, length=229
Acct-Session-Id = "8b0b0795-0000009c"
NAS-Port = 157
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "AP1"
NAS-IP-Address = 192.168.0.250
Framed-MTU = 1496
User-Name = "test"
Calling-Station-Id = "00-13-02-C4-80-4C"
Called-Station-Id = "00-0F-61-FE-EF-D2"
Service-Type = Framed-User
EAP-Message = 0x021a00090174657374
Colubris-AVPair = "ssid=test2"
Colubris-AVPair = "vsc-unique-id=3"
Colubris-AVPair = "phytype=IEEE802dot11g"
Colubris-Attr-250 = 0x00000000
Colubris-Attr-249 = 0x00000000
Message-Authenticator = 0x0ed85e6e5c0765e5390b037233c60d73
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: Found realm "DEFAULT"
rlm_realm: Adding Stripped-User-Name = "test"
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Proxying request from user test to realm DEFAULT
rlm_realm: Preparing to proxy authentication request to realm "DEFAULT"
++[suffix] returns updated
rlm_eap: Request is supposed to be proxied to Realm DEFAULT. Not doing EAP.
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 224 to 192.168.0.252 port 1812
Acct-Session-Id = "8b0b0795-0000009c"
NAS-Port = 157
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "AP1"
NAS-IP-Address = 192.168.0.250
Framed-MTU = 1496
User-Name = "test"
Calling-Station-Id = "00-13-02-C4-80-4C"
Called-Station-Id = "00-0F-61-FE-EF-D2"
Service-Type = Framed-User
EAP-Message = 0x021a00090174657374
Colubris-AVPair = "ssid=test2"
Colubris-AVPair = "vsc-unique-id=3"
Colubris-AVPair = "phytype=IEEE802dot11g"
Colubris-Attr-250 = 0x00000000
Colubris-Attr-249 = 0x00000000
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3330
Proxying request 1 to home server 192.168.0.252 port 1812
Sending Access-Request of id 224 to 192.168.0.252 port 1812
Acct-Session-Id = "8b0b0795-0000009c"
NAS-Port = 157
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "AP1"
NAS-IP-Address = 192.168.0.250
Framed-MTU = 1496
User-Name = "test"
Calling-Station-Id = "00-13-02-C4-80-4C"
Called-Station-Id = "00-0F-61-FE-EF-D2"
Service-Type = Framed-User
EAP-Message = 0x021a00090174657374
Colubris-AVPair = "ssid=test2"
Colubris-AVPair = "vsc-unique-id=3"
Colubris-AVPair = "phytype=IEEE802dot11g"
Colubris-Attr-250 = 0x00000000
Colubris-Attr-249 = 0x00000000
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3330
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Reject packet from host 192.168.0.252 port 1812, id=224, length=24
Proxy-State = 0x3330
+- entering group post-proxy
rlm_eap: No pre-existing handler found
++[eap] returns noop
Login incorrect (Home Server says so): [test/<no User-Password attribute>] (from client AP1 port 157 cli 00-13-02-C4-80-4C)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 30 to 192.168.0.250 port 32769
Waking up in 4.9 seconds.
On the IAS server, this is the error message (sorry, it is a French version,
but the idea is that IAS receives an EAP message):
L'accès a été refusé à l'utilisateur test.
Nom-Complet-Utilisateur = jacques.net/Users/test
Adresse-IP-NAS = 192.168.0.250
Identificateur-NAS = AP1
Identificateur-Station-Appelée = 00-0F-61-FE-EF-D2
Identificateur-Station-Appelante = 00-13-02-C4-80-4C
Nom-Convivial-Client = freeradius
Adresse-IP-Client = 192.168.0.64
Type-Port-NAS = Wireless - IEEE 802.11
Port-NAS = 107
Proxy-Policy-Name = test
Authentication-Provider = Windows
Authentication-Server = <non déterminé>
Policy-Name = test
Authentication-Type = EAP
EAP-Type = <non déterminé>
Reason-Code = 66
Reason = L'utilisateur a essayé d'utiliser une méthode d'authentification qui n'est pas activée sur la stratégie d'accès à distance correspondante. Le nom de la stratégie d'accès à distance correspondante.
Pour plus d'informations, consultez le centre Aide et support à l'adresse http://go.microsoft.com/fwlink/events.asp.
I hope you could help me.
--
Jacques
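The trace above shows exactly what the proxy forwarded: the outer `EAP-Message = 0x021a00090174657374`, unchanged, and no `User-Password`, which is why the home server can only reject. The following Python is an added example, not code from the poster or from the FreeRADIUS project. It decodes an EAP-Message value as `radiusd -X` prints it, reports whether that packet can be rewritten into a plain (non-EAP) Access-Request at all, and, for an inner EAP-MSCHAPv2 Response, performs the rewrite into the RFC 2548 `MS-CHAP-Challenge` / `MS-CHAP2-Response` attributes (the conversion that `proxy_tunneled_request_as_eap = no` asks FreeRADIUS to do for the inner-tunnel request). Packet layouts are taken from RFC 3748, draft-kamath-pppext-eap-mschapv2 and RFC 2548; the inner packet and its challenge/response bytes are constructed dummies, and all function names are this example's own.

```python
"""Decode EAP-Message values from a radiusd -X trace and show which of them a
proxy can turn into a plain (non-EAP) RADIUS request.  Added example; formats
follow RFC 3748 (EAP), draft-kamath-pppext-eap-mschapv2 (EAP-MSCHAPv2) and
RFC 2548 (MS-CHAP RADIUS attributes)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MS-CHAPv2"}
TLS_BASED = {13, 21, 25}   # method data is opaque TLS record bytes


def parse_eap_message(hex_value):
    """Decode one EAP-Message attribute value as printed by radiusd -X."""
    if hex_value.lower().startswith("0x"):
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length {length} != {len(raw)} bytes present")
    pkt = {"code": code, "code_name": EAP_CODES.get(code, "Unknown"),
           "id": ident, "length": length}
    if code in (1, 2):                      # Request/Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        pkt["type"] = raw[4]
        pkt["type_name"] = EAP_TYPES.get(raw[4], f"Type-{raw[4]}")
        pkt["data"] = raw[5:]
    return pkt


def forwardable_without_eap(pkt):
    """(ok, reason): can this packet become an Access-Request with no EAP inside?"""
    if pkt["code"] != 2:
        return False, f"EAP {pkt['code_name']} carries no client credential"
    t = pkt["type"]
    if t == 1:
        return False, "Response/Identity names the user but holds no password or challenge response"
    if t in TLS_BASED:
        return False, f"{pkt['type_name']} data is TLS record bytes; only the request inside the tunnel can be proxied"
    if t == 26:
        return True, "EAP-MSCHAPv2 Response maps onto MS-CHAP-Challenge / MS-CHAP2-Response"
    return False, f"{pkt['type_name']} has no plain RADIUS equivalent"


def eap_mschapv2_response_to_radius(pkt, ms_chap_challenge):
    """Rewrite an inner EAP-MSCHAPv2 Response into RADIUS attributes a non-EAP
    home server understands.

    EAP-MSCHAPv2 data: OpCode(1) MS-CHAPv2-ID(1) MS-Length(2) Value-Size(1)
    Response(49) Name(...); Response = Peer-Challenge(16) Reserved(8)
    NT-Response(24) Flags(1).
    """
    if pkt["code"] != 2 or pkt.get("type") != 26:
        raise ValueError("not an EAP-MSCHAPv2 Response")
    data = pkt["data"]
    opcode, ms_id, ms_length, value_size = struct.unpack("!BBHB", data[:5])
    if opcode != 2 or value_size != 49 or ms_length != pkt["length"] - 5:
        raise ValueError("malformed EAP-MSCHAPv2 Response")
    response, name = data[5:54], data[54:]
    peer_challenge, reserved = response[:16], response[16:24]
    nt_response, flags = response[24:48], response[48:49]
    # RFC 2548 MS-CHAP2-Response: Ident(1) Flags(1) Peer-Challenge(16)
    # Reserved(8) Response(24) = 50 octets
    return {
        "User-Name": name.decode("utf-8"),
        "MS-CHAP-Challenge": ms_chap_challenge,
        "MS-CHAP2-Response": bytes([ms_id]) + flags + peer_challenge + reserved + nt_response,
    }


def build_sample_inner_response():
    """Constructed EAP-MSCHAPv2 Response (id 5, user 'test') with dummy
    challenge/response bytes; this is not a capture."""
    response = bytes([0x11]) * 16 + bytes(8) + bytes([0x22]) * 24 + bytes([0x00])
    name = b"test"
    ms_length = 1 + 1 + 2 + 1 + len(response) + len(name)       # OpCode..Name
    body = bytes([26, 2, 5]) + struct.pack("!HB", ms_length, 49) + response + name
    return "0x" + struct.pack("!BBH", 2, 5, 4 + len(body)).hex() + body.hex()


if __name__ == "__main__":
    outer = parse_eap_message("0x021a00090174657374")   # value from the trace
    print(outer["code_name"], outer["type_name"], outer["data"], forwardable_without_eap(outer))
    inner = parse_eap_message(build_sample_inner_response())
    print(inner["type_name"], forwardable_without_eap(inner))
    print(eap_mschapv2_response_to_radius(inner, bytes(16)))
```

Run against the `EAP-Message` from the log, the decoder yields an EAP Response (id 26) of type Identity carrying only the string `test`: there is nothing in it a non-EAP home server could check, so stripping the EAP-Message from that outer request cannot help. The credential only exists inside the PEAP/TTLS tunnel, which is why the conversion function operates on the inner EAP-MSCHAPv2 packet: the outer conversation has to be terminated by FreeRADIUS itself, and only the inner-tunnel request is a candidate for proxying to the server that lacks EAP.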