PEAP/EAP-GTC proxy?
mgmitch
mgmitch at sandia.gov
Tue Dec 14 20:25:51 CET 2010
Hello,
I've been trying to configure a new freeradius server (ver. 2.1.7) to proxy
a OTP passcode to an existing (production) freeradius server (ver. 1.0.1)
that is already setup to accept and authenticate the OTP passcodes for our
remote access NAS devices (VPN, etc). I would like to use PEAP/EAP-GTC for
wired 802.1x on our Cisco edge switches and terminate the PEAP tunnel on the
new radius server, sending the passcode on to the existing radius server for
authentication by proxy. I've been able to accomplish this using Cisco ACS
but would like to use freeradius instead so that some other things can be
done easier which ACS is not well suited for. From what I've read, "proxy
auth" is possible and done quite a bit but mainly using mschapv2 as the
inner auth method instead of gtc. I've been beating on this for days now
and starting to feel I may never get this accomplished w/o help. I get to
the point where either the PEAP tunnel is terminated on the new server and
the gtc passcode is not proxied to the other server or the authentication is
proxied to the other server but as EAP instead of just the cleartext OTP
passcode.
Following is the output of starting freeradius in debug mode, followed by
the dubug results during anauthentication attempt. I assume all the needed
info will be in this output. Sorry in advance if I have not provided enough
info or too much. ANy help or suggestions would be appreciated. I have read
a lot of the documentation and forum info but I havent found any obvious
solution to my problem yet.
Thanks,
Mark
Debug output:
[root at mackeral-dev raddb]# /usr/sbin/radiusd -X
FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Dec 30
2009 at 13:46:28
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/proxy-inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
realm test {
authhost = 134.252.100.4:1812
accthost = 134.252.100.4:1813
secret = testing
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 134.252.100.101 {
require_message_authenticator = no
secret = "testing"
shortname = "test-switch"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "gtc"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server proxy-inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
And here's the dubug output during an authentication attempt:
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=224,
length=151
User-Name = "mgmitch"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1C-B0-AB-3D-81"
Calling-Station-Id = "00-16-D3-22-CD-24"
EAP-Message = 0x0201000c016d676d69746368
Message-Authenticator = 0x876a775afd4fabbf05cbbc0553b468b5
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
NAS-IP-Address = 134.252.100.101
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 224 to 134.252.100.101 port 1645
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf6df016cf6dd18ad384e3bf6a1b809e8
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=225,
length=249
User-Name = "mgmitch"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1C-B0-AB-3D-81"
Calling-Station-Id = "00-16-D3-22-CD-24"
EAP-Message =
0x0202005c190016030100510100004d03014d07bf1a5fcc6ef6c0de63fc1777b6318be3085e6ab4e1332af2c047a13f0b5100002600390038003500160013000a00330032002f00050004001500120009001400110008000600030100
Message-Authenticator = 0xdd018506f3d2e96d9c604742f45250ba
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xf6df016cf6dd18ad384e3bf6a1b809e8
NAS-IP-Address = 134.252.100.101
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 92
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0051], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 225 to 134.252.100.101 port 1645
EAP-Message =
0x0103040019c000000aad160301002a0200002603014d07bef302ccc12b080dcdb66552a25cef9f005bdb002e2e5cf4289b6001d70f00003900160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message =
0x301e170d3130313231343030303535365a170d3131313231343030303535365a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d0d45a9e0c004f6c289fa93a84e2479da04ffab1a10fb682e3d60bed94c02b567c3190b75131a31acbf87dccd6200c98549ebd798f40f543c3a543fc501e
EAP-Message =
0x2b467b800da585500568f75522f09ff0883d9eadbfb7318aa12fa3f139f58101f50aae1ee837c47f3aaca81eb0e2f511e64d7a9a537138fcce8001aa36816a9094dbf2fa942171f2cb7f51b5f70ba8d842117e115a252ee4d8638260f76dac22dbfd8a43a825c4497dd5e7481ef5ec55fea860e615de43b7254311c2f6c83945be5c8858bf6008eff57b7af70d13fc52e73865528a5e6752eea0c79517559f77e33f5645afe277020ba1064e745e7e02874baa1c6e043aa2c1f1ba33e358e5c184650203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101009669ca63c16c9aa6ac
EAP-Message =
0x3a89558c09f903100c9495d3f5c9f5b01e777ed6b7985d1e625dbbccc083027b5da02ef7ea415e0bda4aa0ac0b6f0bb53ee2549a96606c7985be7283d7c44ce5991634136b6bfa794730d291d41885e85e2d66c2fba74081605d15cd652dd3a72ac6dcd81756fbe8d2260867d38d943a11aecb78006a2a9df5c6405f56a4d48a76f390c90c62441890e506129012c74362d8f8b646c81ef6f6273664bceab33879927120e1038f8c976f93a9935443bd8adb207a8cf94e8a187c1cfea064db15df791baf0c376aaf562f2c16c877431047f6ca7d1588d36cb32850026ed74fbbaccba3b923149316f3da4b9a034a1e686c1387fe0cbac60004ab308204
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf6df016cf7dc18ad384e3bf6a1b809e8
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=226,
length=163
User-Name = "mgmitch"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1C-B0-AB-3D-81"
Calling-Station-Id = "00-16-D3-22-CD-24"
EAP-Message = 0x020300061900
Message-Authenticator = 0xe97484975a808e5c4c0e9c12b8eef547
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xf6df016cf7dc18ad384e3bf6a1b809e8
NAS-IP-Address = 134.252.100.101
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 226 to 134.252.100.101 port 1645
EAP-Message =
0x010403fc194000b3dfff6329b2c287300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3130313231343030303535365a170d3131313231343030303535365a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504
EAP-Message =
0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100be6446076d51f61b50f8c7d6440dc623bc88ec2fd4eb6bedc7dcdb3f8039bb7258e29d72d97527691ade608b7f87caa03f0e99f4273a8e9c2e03af1cad5d8a825c10b3039f0f94fcb817caa2b98523c20081aaf9891d75f7a94c57c7ba6f8578300da8d51a77353240aaac50238565
EAP-Message =
0xb2f80d654ae678a68384878c1d7cb13eb604ececde7b26a316538a418508a32b15bcb8dab6668382b71a3a61952a5e0e945a2f63af1d36f0545932153f8989a553be7754711ce944c0f34e0dbb3b1b384045d80ac3c09e603e55e115c1bcfa44c91e1678e63605cddad1867ae0c87804c71196aa775c98fe4e8b98e0112f4a25f3fcebde9b807541f568fd123a6fbd62ed0203010001a381fb3081f8301d0603551d0e0416041432afb08887cd32a6716c69351c51ea520190a0513081c80603551d230481c03081bd801432afb08887cd32a6716c69351c51ea520190a051a18199a48196308193310b3009060355040613024652310f300d06035504
EAP-Message =
0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900b3dfff6329b2c287300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100b6cb9b651fe6fb5f6803de75ed2f1112b5e5634dec9dfba6476a1e4670f1f005946d26b8e0805bc99670dbff75379ea7438db86713548b83ea9f500b5b691f04c75971a1e00ea8d5ab815dc05664fba01256
EAP-Message = 0x2c59aed1eab2c2f1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf6df016cf4db18ad384e3bf6a1b809e8
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=227,
length=163
User-Name = "mgmitch"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1C-B0-AB-3D-81"
Calling-Station-Id = "00-16-D3-22-CD-24"
EAP-Message = 0x020400061900
Message-Authenticator = 0xc748c58f114831f9e0c9efc212a54c00
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xf6df016cf4db18ad384e3bf6a1b809e8
NAS-IP-Address = 134.252.100.101
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 227 to 134.252.100.101 port 1645
EAP-Message =
0x010502c71900b889db3ff715c6e7d9ca4dc3cc09223bfc58b58d305bf7474f9996b93716326389025746caac9a81490f5064fe3e958847c31ec698181e88b2013ef1fe6c1f8661a6f6d32a7ad8894894bd7d78b08768b912e366557c555101842b7d30b400231de66ce7e6aa3e67216ee1703caa57b1a1c81ff6223ab5aa277cf7f6d7ccedf18004bcf25119de569aa7463498c107f973ee66da4721915654d256f437b210575e571c6bb139160301020d0c000209008090e641c758cb48b9b79bd0025e11e5b1233340b4e6061c1fc8dd585ea2886549731449e566c22f69a9f2652694957a4e7c3e792849e93a50efd7f8f68c5e08aa7bd2bc4a2c74
EAP-Message =
0x5a7f74ab742dcc0f42eb374805193aa74ef8b4d442c52529c1e9f2cf051d25a8ddf528dab0a027e2332a95e61bf53bbea78f4dfa50a5e9d3f38300010200806dcab35856d9db5bd61a29678e5ffcde24773684d8c410c5d9bb60e535be540f5ff3abc209ce01cdeb6807d740f85be94dcfd367ad2e20fb1078f5ca2778e582bd8c00332a87889df69d8f027451ca3a3ec1595abf4ad1a7128a31c8baeaae7498ea78e66523eb13c10828da135e54a0d013723a4d1a58fb91e39a2a186ca11f0100b06ab88a0e52f5c0a7b9b7d397cf450c28ba187fe3b3b9cec2ffa6fa709b4e04dd41e67d63c3cfc8eeffc348952209b6f2dec0b83a0c5d7580108e28
EAP-Message =
0x7632ad08b94c47c9793c1e3b225269792d93daa845b8d86c619458f0b1c418ef078a16b918822442537625283aa7c18610e93c0b137e277f1864e115fdc2d524c5859b50da5c70c1695cff740fbd72e905f1a42cef83f38f051a9f42673d9f5d17e1e84107cd6fe8f1ebfbdbb3ac198bee111e24dc258cacaadafb36c113ca67686deaea37d03c21684c505e11b5005fdaf6290ba1d9474da102e963639795c348fb81d4e23fed27e5dd0049d066f554df032ad9e3ef5cad1fb5cabc66cf0643ad8997d416030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf6df016cf5da18ad384e3bf6a1b809e8
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=228,
length=361
User-Name = "mgmitch"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1C-B0-AB-3D-81"
Calling-Station-Id = "00-16-D3-22-CD-24"
EAP-Message =
0x020500cc190016030100861000008200806291880fa7b79626174f23d5f6721ac50472c9df0cd0238bfd340093ef5a3a37e2c118c719d860503824b2d1556a6ece75ec8826d34069ac90a37c966f5f6465c4ac82c4e66079871ff7b53198cfd0c1b25ff9434a1c2610c10ea6c498b16add34b613f7aecfafac5d2da4e65ca15c67500f38a0407bee960b767c4e3e90ac501403010001011603010030550f02713778b5ed8bac34b9324b96b129ba173c5b5439370b763ec0e1925ffe45d46f69a132518b618e38626e2ec7fc
Message-Authenticator = 0x5e9a5e77e0b55fc6414a51a2c65cd60e
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xf6df016cf5da18ad384e3bf6a1b809e8
NAS-IP-Address = 134.252.100.101
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 204
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 228 to 134.252.100.101 port 1645
EAP-Message =
0x01060041190014030100010116030100309ce4dfdcda99ddbc9bbcc74a898f71af83b5830b1aa99e78bd4e4f57cc65916215ed36fcaf6c639c78d8d4ca22bf438b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf6df016cf2d918ad384e3bf6a1b809e8
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=229,
length=163
User-Name = "mgmitch"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1C-B0-AB-3D-81"
Calling-Station-Id = "00-16-D3-22-CD-24"
EAP-Message = 0x020600061900
Message-Authenticator = 0xbdec9b5d34c954ced59ac3ea5d6e650e
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xf6df016cf2d918ad384e3bf6a1b809e8
NAS-IP-Address = 134.252.100.101
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 229 to 134.252.100.101 port 1645
EAP-Message =
0x0107002b190017030100204f5ba94ae701deed703075cae85510032bd8be397f7328c417df5e189bfd7904
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf6df016cf3d818ad384e3bf6a1b809e8
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=230,
length=237
User-Name = "mgmitch"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1C-B0-AB-3D-81"
Calling-Station-Id = "00-16-D3-22-CD-24"
EAP-Message =
0x020700501900170301002034606c2eb986608c5a00ac95d5d2a3041fdc2403e074597c9ebc9aa918f73b4317030100209640e4ae80130fa82d07483ca91154c4eb7f73d98d1fcb6c81fd739108781a28
Message-Authenticator = 0x499bb31965aa74f94d70460b29e04cb1
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xf6df016cf3d818ad384e3bf6a1b809e8
NAS-IP-Address = 134.252.100.101
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - mgmitch
[peap] Got tunneled request
EAP-Message = 0x0207000c016d676d69746368
server {
PEAP: Got tunneled identity of mgmitch
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to mgmitch
Sending tunneled request
EAP-Message = 0x0207000c016d676d69746368
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "mgmitch"
server {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
} # server
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type gtc
[eap] Not-EAP proxy set. Not composing EAP
++[eap] returns handled
PEAP: Tunneled authentication will be proxied to test
PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
[eap] Tunneled session will be proxied. Not doing EAP.
++[eap] returns handled
WARNING: Empty section. Using default return values.
ERROR: Failed to create a new socket for proxying requests.
ERROR: Failed inserting request into proxy hash.
ERROR: Failed to proxy request 6
There was no response configured: rejecting request 6
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> mgmitch
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 230 to 134.252.100.101 port 1645
Waking up in 3.8 seconds.
Cleaning up request 0 ID 224 with timestamp +14
Cleaning up request 1 ID 225 with timestamp +14
Cleaning up request 2 ID 226 with timestamp +14
Cleaning up request 3 ID 227 with timestamp +14
Cleaning up request 4 ID 228 with timestamp +14
Cleaning up request 5 ID 229 with timestamp +14
Waking up in 1.0 seconds.
Cleaning up request 6 ID 230 with timestamp +14
Ready to process requests.
--
View this message in context: http://freeradius.1045715.n5.nabble.com/PEAP-EAP-GTC-proxy-tp3305142p3305142.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
More information about the Freeradius-Users
mailing list