PEAP/EAP-GTC proxy?
mgmitch
mgmitch at sandia.gov
Wed Dec 15 20:11:13 CET 2010
OK, upgraded to 2.1.10 as suggested. Thanks. However, I have a different
issue now -- seems that the passcode is not being proxied over to the home
server. I only see a username, nas IP address and proxy state being proxied
in the access-request packet but no user-password. Also get a segmentation
fault after the authentication is rejected.
Thanks for the help....
Here's the debug output:
[root at mackeral-dev raddb]# /usr/sbin/radiusd -X
FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu, built on Dec 15
2010 at 09:27:40
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/proxy-inner-tunnel
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server meddle {
ipaddr = 134.252.100.4
port = 1812
type = "auth"
secret = "test"
response_window = 30
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool test {
type = fail-over
home_server = meddle
}
realm test {
auth_pool = test
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 134.252.100.101 {
require_message_authenticator = no
secret = "Test"
shortname = "test-switch"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb/modules/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "gtc"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/modules/files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file
/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server proxy-inner-tunnel { # from file
/etc/raddb/sites-enabled/proxy-inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
} # modules
} # server
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/raddb/modules/digest
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/raddb/modules/detail
detail {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=13,
length=151
User-Name = "mgmitch"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1C-B0-AB-3D-81"
Calling-Station-Id = "00-16-D3-22-CD-24"
EAP-Message = 0x0201000c016d676d69746368
Message-Authenticator = 0xfff47d69fb565addee12523ae360276e
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
NAS-IP-Address = 134.252.100.101
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 13 to 134.252.100.101 port 1645
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0aa2d2230aa0cb718e7cf059aa843088
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=14,
length=249
User-Name = "mgmitch"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1C-B0-AB-3D-81"
Calling-Station-Id = "00-16-D3-22-CD-24"
EAP-Message =
0x0202005c190016030100510100004d03014d090f99754a9aa09fb6c2ac0ab658da930045791857816716c39244be7eecb800002600390038003500160013000a00330032002f00050004001500120009001400110008000600030100
Message-Authenticator = 0x6e0724471f481d08d0c919b96767f7aa
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0x0aa2d2230aa0cb718e7cf059aa843088
NAS-IP-Address = 134.252.100.101
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 92
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0051], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 14 to 134.252.100.101 port 1645
EAP-Message =
0x0103040019c000000aad160301002a0200002603014d090f71400ab631ddaeff146bf33fabfe7024cc8f8405d50c45e7773c37a6a500003900160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message =
0x301e170d3130313231353137333335325a170d3131313231353137333335325a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d9c67f82dce4d0202c096f1ee45fa8a24a93c186911e7ca3e1b270468cdb2f65c0a3e75c53f4a3bed11f5807310bf542061ed09deecd032dc66bca8aef1f
EAP-Message =
0x609ca824d0f4433c8183da27f5f9c06257483a9d3c2c68260867965272beaadbb6ed2e511fead11cca2f10fc2e53493dbbb387d8a394905214eeb929ae7e630ddb540b152dafef6136c350b0c53711de213c4c2f4d86a0e6414ef9ad69f54a5eb6f200c277db6aa931e88d4ab6bbedf06588dcc364838b74f280c6b10ad9e3981111366da92596c72b1944e62b5e1f69659aa4df976a58cb36281c3df3fa93e11fe13d460a770cad99cb110d895d34245eb8868f9d4e2a6841dab4fe43ecafdfe39f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010090f589dd90e4c0e865
EAP-Message =
0x520c06dbdedde38b94e85bec468ae0721c109424f3d33569c7592676eb6995047e857194af65b3c55ac0d481903f18acf7a85db86329dd13b44b377f9b7552377be131109b4531f20281174f2a7b0ede173b3e62c8ec03b7ee2eb9540d08e8b9f5c5c1a1511b93e11aa95aa95f75d03d454a6addcb0c7b4f4e9bb6ead6a9cd2d8e4ee8d74b3d095a1883b8e365eb08ebf850b180352bf13a2f4c06b1480d77a70370446cd35cfeb729146223832aa8022b08039cd3cb91fa32f2d9550d356951e87d563dc14f10da17516fe99fc5618543838cfff153d70f5fed7972dc3202b54f63290c65f1ceee6fd110e54ea94e8e93bdbe1135f2bd0004ab308204
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0aa2d2230ba1cb718e7cf059aa843088
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=15,
length=163
User-Name = "mgmitch"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1C-B0-AB-3D-81"
Calling-Station-Id = "00-16-D3-22-CD-24"
EAP-Message = 0x020300061900
Message-Authenticator = 0x44f24e6fe9c42608d4e627ae696bf53d
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0x0aa2d2230ba1cb718e7cf059aa843088
NAS-IP-Address = 134.252.100.101
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 15 to 134.252.100.101 port 1645
EAP-Message =
0x010403fc194000bb3d0f8116926fbe300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3130313231353137333335325a170d3131313231353137333335325a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504
EAP-Message =
0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100cbc8ca1cb787a478cd1a14b6a887e32a8bd6e3616abbb16e4bd9cccabf3e9421f35b7c4f1f6637972023d9ca9283e5e33b1ad968f7bb9ba7613e2f17c56cf7a87ea0e42cc45c1ef7f2adf40b55869a925dc94050826d62e31657e20ed5f4c16218338c49f3a3ab4fa84facbe834ac4
EAP-Message =
0x66dcaf382fe61faa71cd4a593027aa04fda6de7473a8853cd1ee3615bd0ab1f3c3ff93fb92a51f4f0d300472c28eaaebc2b0646ab8ad0ff17a07232ad0084876b6a5b7da7f225aa9f23db6739594d61e496e71549f13a0ca47ae530ce7cb2458dd7520dd7913b5fd5131deadfad9965715227993282611eb79aa1b1b76692942c89cda7b9ffb7a073dd53904ca2ae7bf850203010001a381fb3081f8301d0603551d0e0416041474f599b81fd78e00931669387bfe1a7b4870e4343081c80603551d230481c03081bd801474f599b81fd78e00931669387bfe1a7b4870e434a18199a48196308193310b3009060355040613024652310f300d06035504
EAP-Message =
0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900bb3d0f8116926fbe300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100caeafede55d0d432fb77f0fa1c8344c78347223e7e18e371d1ac4ea857137cd11b976423199e6ef403052219c29f01a7327b93063ad619bbb009732bb48ffe9589f719e34f1fd23b50d1170fc667b9e9db32
EAP-Message = 0x1bd7363d349e0898
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0aa2d22308a6cb718e7cf059aa843088
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=16,
length=163
User-Name = "mgmitch"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1C-B0-AB-3D-81"
Calling-Station-Id = "00-16-D3-22-CD-24"
EAP-Message = 0x020400061900
Message-Authenticator = 0x9efe32076646fa05d4935ab0454b2d32
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0x0aa2d22308a6cb718e7cf059aa843088
NAS-IP-Address = 134.252.100.101
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 16 to 134.252.100.101 port 1645
EAP-Message =
0x010502c719005ec683609ed024b287f567e4d64a3fc7d1f2e521cca96db28fc953ca044b17025d0fffc622d11f7a4c1c8c32c6c530f2114dcc6bdcdfb1dfe39b484fb5ac267b75627a4ad9fe2d186f843fad90cd654c60b4c4448e0b067eef69d03f788bab9eef8cef463763cb012b32d64ca4bcda6000b870081a09283c2bca01ff250c5698112bd93e72c2006ce87bd55ac5b8835956a5a791336aa4bb13887386c913984d59f32483ce86160301020d0c0002090080fc9acf09408c0fb7291137c25fb429bc7a168c8f5cff13535f6c59b0d613143d3613060d91e69f7063a1a1fb05279f76689045bd337cc0055ce33708e784810193f210d97bb4
EAP-Message =
0x01fa3ce07e57d8f9b47fda401b5259c4dcdcdf668de5b45edbaf5f2323b9afe21a5fe91a314372af66b97937d53e27646dc144847eccdb43ed230001020080a4e19b3d876141ee6dcab3a399d4be695916aabf169ed7a4a95d0df02dae653ecf00388e54e7b204b7b9d0ecf4235f81f14263a1c5f4b57c100be2641d75a218d5911960d7b17e731ffe78588a6396d7ef2679719b714197c7d5576e3466c83b8fb42be26b3bccf36bc384f1a6d5a48705ac66446e3e5c9e96bb81e2bbb34e7801004f34ce2d47e7b6c056242abc778bb911542711047b8e107aa09f096c62b24467fd9c8b5defede787e275543393437cf7512adf5396483f5656554849
EAP-Message =
0x15682d05bf5e02b20669398839f081064563db387a44c32cf3b1ab9c2ca2c218482ec6e132b0bbf9cdd3eefc2a6a19c6152e22dc78a9fbb91c4b2e673e74d41bafea14432af277a9a35eac72250706622107a81eec23f44649494f9c1cb9a56ee057a9d7ac66ddb106ec4333703da0dec56ba3321dde97a059e3b0bf6d8a646be2833eb68cbd0b2066701339100b76d8fe61cffcb77ab39ecf5a7c1a911815f686ff35fdada6fc6c7990170e3a08a6dae931900161d3132c6bffd0d0e77255dfc7e02af916030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0aa2d22309a7cb718e7cf059aa843088
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=17,
length=361
User-Name = "mgmitch"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1C-B0-AB-3D-81"
Calling-Station-Id = "00-16-D3-22-CD-24"
EAP-Message =
0x020500cc19001603010086100000820080260c98ad95d05c3f6d43065b84ea9035d539330250625e8dbc6ba3df6ab433ec1df18bfeac8abfb695b2480df71439270ca777928a8bb2a5cd11d4194f06900dc5c24617bd1ad94769750e34741a54f82778b7379d76a76f1a7d74b7ca353765d29ba4d0624b37b1064bc7f6182db29b141040317b93508fe8f7dec817158bec1403010001011603010030790ff0638fa3dab6ea239cb6270504dc81ae4cfe1c916dccc2cbc205d21bdabfec046eb4033c6a782919fe95e1b762fd
Message-Authenticator = 0x664d7e9278ea342ce4b764610141cb2b
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0x0aa2d22309a7cb718e7cf059aa843088
NAS-IP-Address = 134.252.100.101
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 204
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 17 to 134.252.100.101 port 1645
EAP-Message =
0x01060041190014030100010116030100300f24ad21bcb20b197c8c331a1454ae5cfb148a3b52bd49058807bea9ab3f6cfe9970873032e245c75f0bb6f3497eb266
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0aa2d2230ea4cb718e7cf059aa843088
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=18,
length=163
User-Name = "mgmitch"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1C-B0-AB-3D-81"
Calling-Station-Id = "00-16-D3-22-CD-24"
EAP-Message = 0x020600061900
Message-Authenticator = 0x21e58c0c30402dd15914c2f101514f24
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0x0aa2d2230ea4cb718e7cf059aa843088
NAS-IP-Address = 134.252.100.101
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 18 to 134.252.100.101 port 1645
EAP-Message =
0x0107002b19001703010020598cb7d843234db29292fd06a18df1d74e45608280818e156732be210abf6006
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0aa2d2230fa5cb718e7cf059aa843088
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 134.252.100.101 port 1645, id=19,
length=237
User-Name = "mgmitch"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1C-B0-AB-3D-81"
Calling-Station-Id = "00-16-D3-22-CD-24"
EAP-Message =
0x02070050190017030100200842c33f1f23bbc06e236ad99df23be2624ddd7bdc31399e68f415942cabdb1a170301002029dd3cffcc960257563b3ac74f5789158e7ac623e544986ff7bcdc75f1944fbf
Message-Authenticator = 0x2c9342d1d678d60374bfb6e0dabff1af
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0x0aa2d2230fa5cb718e7cf059aa843088
NAS-IP-Address = 134.252.100.101
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - mgmitch
[peap] Got inner identity 'mgmitch'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0207000c016d676d69746368
server {
PEAP: Setting User-Name to mgmitch
Sending tunneled request
EAP-Message = 0x0207000c016d676d69746368
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "mgmitch"
server {
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "mgmitch", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
} # server
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type gtc
[eap] Not-EAP proxy set. Not composing EAP
++[eap] returns handled
PEAP: Tunneled authentication will be proxied to test
PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
[eap] Tunneled session will be proxied. Not doing EAP.
++[eap] returns handled
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 8 to 134.252.100.4 port 1812
User-Name = "mgmitch"
NAS-IP-Address = 134.252.100.101
Proxy-State = 0x3139
Proxying request 6 to home server 134.252.100.4 port 1812
Sending Access-Request of id 8 to 134.252.100.4 port 1812
User-Name = "mgmitch"
NAS-IP-Address = 134.252.100.101
Proxy-State = 0x3139
Going to the next request
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
rad_recv: Access-Reject packet from host 134.252.100.4 port 1812, id=8,
length=24
Proxy-State = 0x3139
# Executing section post-proxy from file /etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
Segmentation fault
[root at mackeral-dev raddb]#
[root at mackeral-dev raddb]#
[root at mackeral-dev raddb]#
--
View this message in context: http://freeradius.1045715.n5.nabble.com/PEAP-EAP-GTC-proxy-tp3305142p3306797.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
More information about the Freeradius-Users
mailing list