PEAP/EAP-GTC proxy?

mgmitch mgmitch at sandia.gov
Tue Dec 14 20:25:51 CET 2010


Hello,

I've been trying to configure a new freeradius server (ver. 2.1.7)  to proxy
a OTP passcode to an existing (production) freeradius server (ver. 1.0.1)
that is already setup to accept and authenticate the OTP passcodes for our
remote access NAS devices (VPN, etc).  I would like to use PEAP/EAP-GTC for
wired 802.1x on our Cisco edge switches and terminate the PEAP tunnel on the
new radius server, sending the passcode on to the existing radius server for
authentication by proxy.  I've been able to accomplish this using Cisco ACS
but would like to use freeradius instead so that some other things can be
done easier which ACS is not well suited for.   From what I've read, "proxy
auth" is possible and done quite a bit but mainly using mschapv2 as the
inner auth method instead of gtc.  I've been beating on this for days now
and starting to feel I may never get this accomplished w/o help.  I get to
the point where either the PEAP tunnel is terminated on the new server and
the gtc passcode is not proxied to the other server or the authentication is
proxied to the other server but as EAP instead of just the cleartext OTP
passcode.

Following is the output of starting freeradius in debug mode, followed by
the dubug results during anauthentication attempt.  I assume all the needed
info will be in this output.  Sorry in advance if I have not provided enough
info or too much. ANy help or suggestions would be appreciated.  I have read
a lot of the documentation and forum info but I havent found any obvious
solution to my problem yet.


Thanks,

Mark


Debug output:


[root at mackeral-dev raddb]# /usr/sbin/radiusd -X
FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Dec 30
2009 at 13:46:28
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/proxy-inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
        prefix = "/usr"
        localstatedir = "/var"
        logdir = "/var/log/radius"
        libdir = "/usr/lib64/freeradius"
        radacctdir = "/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = "/var/run/radiusd/radiusd.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 realm test {
        authhost = 134.252.100.4:1812
        accthost = 134.252.100.4:1813
        secret = testing
 }
 home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        require_message_authenticator = no
        zombie_period = 40
        status_check = "status-server"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
 }
 client 134.252.100.101 {
        require_message_authenticator = no
        secret = "testing"
        shortname = "test-switch"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
        reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan  "
        minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
        encryption_scheme = "auto"
        auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
        radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
        default_eap_type = "peap"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/etc/raddb/certs/server.pem"
        certificate_file = "/etc/raddb/certs/server.pem"
        CA_file = "/etc/raddb/certs/ca.pem"
        private_key_password = "whatever"
        dh_file = "/etc/raddb/certs/dh"
        random_file = "/etc/raddb/certs/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
        make_cert_command = "/etc/raddb/certs/bootstrap"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
        default_eap_type = "md5"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
        include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
        default_eap_type = "gtc"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
        usersfile = "/etc/raddb/users"
        acctusersfile = "/etc/raddb/acct_users"
        preproxy_usersfile = "/etc/raddb/preproxy_users"
        compat = "no"
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
        filename = "/var/log/radius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
        attrsfile = "/etc/raddb/attrs.access_reject"
        key = "%{User-Name}"
  }
 } # modules
} # server
server proxy-inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 } # modules
} # server
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
        huntgroups = "/etc/raddb/huntgroups"
        hints = "/etc/raddb/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
        detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
        attrsfile = "/etc/raddb/attrs.accounting_response"
        key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
}
listen {
        type = "control"
 listen {
        socket = "/var/run/radiusd/radiusd.sock"
 }
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.






And here's the dubug output during an authentication attempt:


rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=224,
length=151
        User-Name = "mgmitch"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1C-B0-AB-3D-81"
        Calling-Station-Id = "00-16-D3-22-CD-24"
        EAP-Message = 0x0201000c016d676d69746368
        Message-Authenticator = 0x876a775afd4fabbf05cbbc0553b468b5
        NAS-Port-Type = Ethernet
        NAS-Port = 50101
        NAS-Port-Id = "GigabitEthernet1/0/1"
        NAS-IP-Address = 134.252.100.101
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 224 to 134.252.100.101 port 1645
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf6df016cf6dd18ad384e3bf6a1b809e8
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=225,
length=249
        User-Name = "mgmitch"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1C-B0-AB-3D-81"
        Calling-Station-Id = "00-16-D3-22-CD-24"
        EAP-Message =
0x0202005c190016030100510100004d03014d07bf1a5fcc6ef6c0de63fc1777b6318be3085e6ab4e1332af2c047a13f0b5100002600390038003500160013000a00330032002f00050004001500120009001400110008000600030100
        Message-Authenticator = 0xdd018506f3d2e96d9c604742f45250ba
        NAS-Port-Type = Ethernet
        NAS-Port = 50101
        NAS-Port-Id = "GigabitEthernet1/0/1"
        State = 0xf6df016cf6dd18ad384e3bf6a1b809e8
        NAS-IP-Address = 134.252.100.101
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 92
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap]     (other): before/accept initialization 
[peap]     TLS_accept: before/accept initialization 
[peap] <<< TLS 1.0 Handshake [length 0051], ClientHello  
[peap]     TLS_accept: SSLv3 read client hello A 
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[peap]     TLS_accept: SSLv3 write server hello A 
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate  
[peap]     TLS_accept: SSLv3 write certificate A 
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange  
[peap]     TLS_accept: SSLv3 write key exchange A 
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: SSLv3 write server done A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 225 to 134.252.100.101 port 1645
        EAP-Message =
0x0103040019c000000aad160301002a0200002603014d07bef302ccc12b080dcdb66552a25cef9f005bdb002e2e5cf4289b6001d70f00003900160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
        EAP-Message =
0x301e170d3130313231343030303535365a170d3131313231343030303535365a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d0d45a9e0c004f6c289fa93a84e2479da04ffab1a10fb682e3d60bed94c02b567c3190b75131a31acbf87dccd6200c98549ebd798f40f543c3a543fc501e
        EAP-Message =
0x2b467b800da585500568f75522f09ff0883d9eadbfb7318aa12fa3f139f58101f50aae1ee837c47f3aaca81eb0e2f511e64d7a9a537138fcce8001aa36816a9094dbf2fa942171f2cb7f51b5f70ba8d842117e115a252ee4d8638260f76dac22dbfd8a43a825c4497dd5e7481ef5ec55fea860e615de43b7254311c2f6c83945be5c8858bf6008eff57b7af70d13fc52e73865528a5e6752eea0c79517559f77e33f5645afe277020ba1064e745e7e02874baa1c6e043aa2c1f1ba33e358e5c184650203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101009669ca63c16c9aa6ac
        EAP-Message =
0x3a89558c09f903100c9495d3f5c9f5b01e777ed6b7985d1e625dbbccc083027b5da02ef7ea415e0bda4aa0ac0b6f0bb53ee2549a96606c7985be7283d7c44ce5991634136b6bfa794730d291d41885e85e2d66c2fba74081605d15cd652dd3a72ac6dcd81756fbe8d2260867d38d943a11aecb78006a2a9df5c6405f56a4d48a76f390c90c62441890e506129012c74362d8f8b646c81ef6f6273664bceab33879927120e1038f8c976f93a9935443bd8adb207a8cf94e8a187c1cfea064db15df791baf0c376aaf562f2c16c877431047f6ca7d1588d36cb32850026ed74fbbaccba3b923149316f3da4b9a034a1e686c1387fe0cbac60004ab308204
        EAP-Message = 0xa73082038fa0030201020209
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf6df016cf7dc18ad384e3bf6a1b809e8
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=226,
length=163
        User-Name = "mgmitch"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1C-B0-AB-3D-81"
        Calling-Station-Id = "00-16-D3-22-CD-24"
        EAP-Message = 0x020300061900
        Message-Authenticator = 0xe97484975a808e5c4c0e9c12b8eef547
        NAS-Port-Type = Ethernet
        NAS-Port = 50101
        NAS-Port-Id = "GigabitEthernet1/0/1"
        State = 0xf6df016cf7dc18ad384e3bf6a1b809e8
        NAS-IP-Address = 134.252.100.101
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 226 to 134.252.100.101 port 1645
        EAP-Message =
0x010403fc194000b3dfff6329b2c287300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3130313231343030303535365a170d3131313231343030303535365a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504
        EAP-Message =
0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100be6446076d51f61b50f8c7d6440dc623bc88ec2fd4eb6bedc7dcdb3f8039bb7258e29d72d97527691ade608b7f87caa03f0e99f4273a8e9c2e03af1cad5d8a825c10b3039f0f94fcb817caa2b98523c20081aaf9891d75f7a94c57c7ba6f8578300da8d51a77353240aaac50238565
        EAP-Message =
0xb2f80d654ae678a68384878c1d7cb13eb604ececde7b26a316538a418508a32b15bcb8dab6668382b71a3a61952a5e0e945a2f63af1d36f0545932153f8989a553be7754711ce944c0f34e0dbb3b1b384045d80ac3c09e603e55e115c1bcfa44c91e1678e63605cddad1867ae0c87804c71196aa775c98fe4e8b98e0112f4a25f3fcebde9b807541f568fd123a6fbd62ed0203010001a381fb3081f8301d0603551d0e0416041432afb08887cd32a6716c69351c51ea520190a0513081c80603551d230481c03081bd801432afb08887cd32a6716c69351c51ea520190a051a18199a48196308193310b3009060355040613024652310f300d06035504
        EAP-Message =
0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900b3dfff6329b2c287300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100b6cb9b651fe6fb5f6803de75ed2f1112b5e5634dec9dfba6476a1e4670f1f005946d26b8e0805bc99670dbff75379ea7438db86713548b83ea9f500b5b691f04c75971a1e00ea8d5ab815dc05664fba01256
        EAP-Message = 0x2c59aed1eab2c2f1
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf6df016cf4db18ad384e3bf6a1b809e8
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=227,
length=163
        User-Name = "mgmitch"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1C-B0-AB-3D-81"
        Calling-Station-Id = "00-16-D3-22-CD-24"
        EAP-Message = 0x020400061900
        Message-Authenticator = 0xc748c58f114831f9e0c9efc212a54c00
        NAS-Port-Type = Ethernet
        NAS-Port = 50101
        NAS-Port-Id = "GigabitEthernet1/0/1"
        State = 0xf6df016cf4db18ad384e3bf6a1b809e8
        NAS-IP-Address = 134.252.100.101
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 227 to 134.252.100.101 port 1645
        EAP-Message =
0x010502c71900b889db3ff715c6e7d9ca4dc3cc09223bfc58b58d305bf7474f9996b93716326389025746caac9a81490f5064fe3e958847c31ec698181e88b2013ef1fe6c1f8661a6f6d32a7ad8894894bd7d78b08768b912e366557c555101842b7d30b400231de66ce7e6aa3e67216ee1703caa57b1a1c81ff6223ab5aa277cf7f6d7ccedf18004bcf25119de569aa7463498c107f973ee66da4721915654d256f437b210575e571c6bb139160301020d0c000209008090e641c758cb48b9b79bd0025e11e5b1233340b4e6061c1fc8dd585ea2886549731449e566c22f69a9f2652694957a4e7c3e792849e93a50efd7f8f68c5e08aa7bd2bc4a2c74
        EAP-Message =
0x5a7f74ab742dcc0f42eb374805193aa74ef8b4d442c52529c1e9f2cf051d25a8ddf528dab0a027e2332a95e61bf53bbea78f4dfa50a5e9d3f38300010200806dcab35856d9db5bd61a29678e5ffcde24773684d8c410c5d9bb60e535be540f5ff3abc209ce01cdeb6807d740f85be94dcfd367ad2e20fb1078f5ca2778e582bd8c00332a87889df69d8f027451ca3a3ec1595abf4ad1a7128a31c8baeaae7498ea78e66523eb13c10828da135e54a0d013723a4d1a58fb91e39a2a186ca11f0100b06ab88a0e52f5c0a7b9b7d397cf450c28ba187fe3b3b9cec2ffa6fa709b4e04dd41e67d63c3cfc8eeffc348952209b6f2dec0b83a0c5d7580108e28
        EAP-Message =
0x7632ad08b94c47c9793c1e3b225269792d93daa845b8d86c619458f0b1c418ef078a16b918822442537625283aa7c18610e93c0b137e277f1864e115fdc2d524c5859b50da5c70c1695cff740fbd72e905f1a42cef83f38f051a9f42673d9f5d17e1e84107cd6fe8f1ebfbdbb3ac198bee111e24dc258cacaadafb36c113ca67686deaea37d03c21684c505e11b5005fdaf6290ba1d9474da102e963639795c348fb81d4e23fed27e5dd0049d066f554df032ad9e3ef5cad1fb5cabc66cf0643ad8997d416030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf6df016cf5da18ad384e3bf6a1b809e8
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=228,
length=361
        User-Name = "mgmitch"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1C-B0-AB-3D-81"
        Calling-Station-Id = "00-16-D3-22-CD-24"
        EAP-Message =
0x020500cc190016030100861000008200806291880fa7b79626174f23d5f6721ac50472c9df0cd0238bfd340093ef5a3a37e2c118c719d860503824b2d1556a6ece75ec8826d34069ac90a37c966f5f6465c4ac82c4e66079871ff7b53198cfd0c1b25ff9434a1c2610c10ea6c498b16add34b613f7aecfafac5d2da4e65ca15c67500f38a0407bee960b767c4e3e90ac501403010001011603010030550f02713778b5ed8bac34b9324b96b129ba173c5b5439370b763ec0e1925ffe45d46f69a132518b618e38626e2ec7fc
        Message-Authenticator = 0x5e9a5e77e0b55fc6414a51a2c65cd60e
        NAS-Port-Type = Ethernet
        NAS-Port = 50101
        NAS-Port-Id = "GigabitEthernet1/0/1"
        State = 0xf6df016cf5da18ad384e3bf6a1b809e8
        NAS-IP-Address = 134.252.100.101
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 204
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
[peap]     TLS_accept: SSLv3 read client key exchange A 
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] <<< TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 read finished A 
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]     TLS_accept: SSLv3 write change cipher spec A 
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 write finished A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     (other): SSL negotiation finished successfully 
SSL Connection Established 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 228 to 134.252.100.101 port 1645
        EAP-Message =
0x01060041190014030100010116030100309ce4dfdcda99ddbc9bbcc74a898f71af83b5830b1aa99e78bd4e4f57cc65916215ed36fcaf6c639c78d8d4ca22bf438b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf6df016cf2d918ad384e3bf6a1b809e8
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=229,
length=163
        User-Name = "mgmitch"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1C-B0-AB-3D-81"
        Calling-Station-Id = "00-16-D3-22-CD-24"
        EAP-Message = 0x020600061900
        Message-Authenticator = 0xbdec9b5d34c954ced59ac3ea5d6e650e
        NAS-Port-Type = Ethernet
        NAS-Port = 50101
        NAS-Port-Id = "GigabitEthernet1/0/1"
        State = 0xf6df016cf2d918ad384e3bf6a1b809e8
        NAS-IP-Address = 134.252.100.101
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 229 to 134.252.100.101 port 1645
        EAP-Message =
0x0107002b190017030100204f5ba94ae701deed703075cae85510032bd8be397f7328c417df5e189bfd7904
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf6df016cf3d818ad384e3bf6a1b809e8
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=230,
length=237
        User-Name = "mgmitch"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1C-B0-AB-3D-81"
        Calling-Station-Id = "00-16-D3-22-CD-24"
        EAP-Message =
0x020700501900170301002034606c2eb986608c5a00ac95d5d2a3041fdc2403e074597c9ebc9aa918f73b4317030100209640e4ae80130fa82d07483ca91154c4eb7f73d98d1fcb6c81fd739108781a28
        Message-Authenticator = 0x499bb31965aa74f94d70460b29e04cb1
        NAS-Port-Type = Ethernet
        NAS-Port = 50101
        NAS-Port-Id = "GigabitEthernet1/0/1"
        State = 0xf6df016cf3d818ad384e3bf6a1b809e8
        NAS-IP-Address = 134.252.100.101
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - mgmitch
[peap] Got tunneled request
        EAP-Message = 0x0207000c016d676d69746368
server  {
  PEAP: Got tunneled identity of mgmitch
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to mgmitch
Sending tunneled request
        EAP-Message = 0x0207000c016d676d69746368
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "mgmitch"
server  {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
} # server 
[peap] Got tunneled reply code 0
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type gtc
[eap]   Not-EAP proxy set.  Not composing EAP
++[eap] returns handled
  PEAP: Tunneled authentication will be proxied to test
  PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
[eap]   Tunneled session will be proxied.  Not doing EAP.
++[eap] returns handled
  WARNING: Empty section.  Using default return values.
ERROR: Failed to create a new socket for proxying requests.
ERROR: Failed inserting request into proxy hash.
ERROR: Failed to proxy request 6
There was no response configured: rejecting request 6
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> mgmitch
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 230 to 134.252.100.101 port 1645
Waking up in 3.8 seconds.
Cleaning up request 0 ID 224 with timestamp +14
Cleaning up request 1 ID 225 with timestamp +14
Cleaning up request 2 ID 226 with timestamp +14
Cleaning up request 3 ID 227 with timestamp +14
Cleaning up request 4 ID 228 with timestamp +14
Cleaning up request 5 ID 229 with timestamp +14
Waking up in 1.0 seconds.
Cleaning up request 6 ID 230 with timestamp +14
Ready to process requests.
 





-- 
View this message in context: http://freeradius.1045715.n5.nabble.com/PEAP-EAP-GTC-proxy-tp3305142p3305142.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



More information about the Freeradius-Users mailing list