EAP-PEAP/MSCHAPv2 Proxy

Влад Власов vlasglass at mail.ru
Wed Nov 3 15:18:53 CET 2010


Hello everyone,
Please help me.
I am trying to set up FreeRADIUS as a proxy.
I want to extract the MSCHAPv2 authentication from EAP-PEAP/MSCHAPv2 and proxy only the MSCHAPv2 request to another RADIUS server that does not work with EAP-PEAP.
I changed only the following items:

clients.conf
client 172.100.100.24/30 {
        secret = secretpass
        shortname = AP_50
}

proxy.conf

realm nc {
        authhost = 172.10.10.1:1812
        accthost = 172.10.10.1:1813
        secret = secretpass
}

realm DEFAULT {
        authhost = 172.10.10.1:1812
        accthost = 172.10.10.1:1813
        secret = secretpass
}

eap.conf

default_eap_type = peap   
default_eap_type = mschapv2  
proxy_tunneled_request_as_eap = no

Result:

Ready to process requests.
rad_recv: Access-Request packet from host 172.100.50.24 port 1041, id=0, length=165
        NAS-IP-Address = 172.100.50.24
        NAS-Port = 1
        Framed-MTU = 1388
        NAS-Port-Type = Wireless-802.11
        Service-Type = Authenticate-Only
        Called-Station-Id = "00-18-25-10-2b-20:SOME"
        Calling-Station-Id = "0c-60-76-7c-af-d0"
        NAS-Port-Id = "0c-60-76-7c-af-d0"
        User-Name = "testuser at nc"
        EAP-Message = 0x020000120174612d32323331313236406e63
        Message-Authenticator = 0x0d82a782af2e0cc67d993968ef2b793c
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "nc" for User-Name = "testuser at nc"
[suffix] Found realm "nc"
[suffix] Adding Stripped-User-Name = "testuser"
[suffix] Adding Realm = "nc"
[suffix] Proxying request from user testuser to realm nc
[suffix] Preparing to proxy authentication request to realm "nc"
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm nc.  Not doing EAP.
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  WARNING: Empty pre-proxy section.  Using default return values.
Sending Access-Request of id 79 to 172.10.10.1 port 1812
        NAS-IP-Address = 172.100.50.24
        NAS-Port = 1
        Framed-MTU = 1388
        NAS-Port-Type = Wireless-802.11
        Service-Type = Authenticate-Only
        Called-Station-Id = "00-18-25-10-2b-20:SOME"
        Calling-Station-Id = "0c-60-76-7c-af-d0"
        NAS-Port-Id = "0c-60-76-7c-af-d0"
        User-Name = "testuser"
        EAP-Message = 0x020000120174612d32323331313236406e63
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x30
Proxying request 0 to home server 172.10.10.1 port 1812
Sending Access-Request of id 79 to 172.10.10.1 port 1812
        NAS-IP-Address = 172.100.50.24
        NAS-Port = 1
        Framed-MTU = 1388
        NAS-Port-Type = Wireless-802.11
        Service-Type = Authenticate-Only
        Called-Station-Id = "00-18-25-10-2b-20:SOME"
        Calling-Station-Id = "0c-60-76-7c-af-d0"
        NAS-Port-Id = "0c-60-76-7c-af-d0"
        User-Name = "testuser"
        EAP-Message = 0x020000120174612d32323331313236406e63
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x30
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 172.10.10.1 port 1812, id=79, length=44
Invalid packet code 1 sent to a proxy port from home server 172.10.10.1 port 1812 - ID 79 : IGNORED
Waking up in 0.9 seconds.
Waking up in 13.0 seconds.
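
Added example, not part of the original post: a small Python triage of FreeRADIUS debug output like the above. It reports whether the eap module was skipped, whether a proxied packet still carries an EAP-Message (only the EAP header is decoded), and which RADIUS code came back from the home server. The sample log is constructed from lines shown above with a made-up EAP identity, and the function and finding names are this example's own.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 25: "PEAP", 26: "EAP-MSCHAPv2"}
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# Constructed sample: lines modeled on the post's debug output, EAP identity made up.
SAMPLE = """\
[suffix] Proxying request from user testuser to realm nc
[eap] Request is supposed to be proxied to Realm nc.  Not doing EAP.
Sending Access-Request of id 79 to 172.10.10.1 port 1812
        User-Name = "testuser"
        EAP-Message = 0x0200000c0174657374406e63
        Proxy-State = 0x30
rad_recv: Access-Request packet from host 172.10.10.1 port 1812, id=79, length=44
Invalid packet code 1 sent to a proxy port from home server 172.10.10.1 port 1812 - ID 79 : IGNORED
"""

def eap_header(hex_value):
    """Decode the fixed EAP header (code, id, length) and the type byte, if any."""
    raw = bytes.fromhex(hex_value[2:])
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, length = raw[0], int.from_bytes(raw[2:4], "big")
    eap_type = raw[4] if code in (1, 2) and len(raw) > 4 else None
    return {"code": EAP_CODES.get(code, str(code)),
            "type": EAP_TYPES.get(eap_type, str(eap_type)),
            "complete": length == len(raw)}  # False if split over several attributes

def triage(log):
    """Return (finding, detail) tuples for a FreeRADIUS debug log."""
    findings, in_proxied = [], False
    for line in log.splitlines():
        if re.match(r"Sending Access-Request of id \d+ to ", line):
            in_proxied = True          # attribute lines of the proxied packet follow
            continue
        if not line.startswith((" ", "\t")):
            in_proxied = False         # an unindented line ends the attribute list
        if m := re.search(r"\[eap\] Request is supposed to be proxied to Realm (\S+?)\.\s+Not doing EAP", line):
            findings.append(("eap-skipped", m.group(1)))
        if in_proxied and (m := re.search(r"EAP-Message = (0x[0-9a-fA-F]+)", line)):
            h = eap_header(m.group(1))
            findings.append(("eap-forwarded", f"{h['code']}/{h['type']}"))
        if m := re.search(r"Invalid packet code (\d+) sent to a proxy port from home server (\S+)", line):
            code = int(m.group(1))
            findings.append(("unexpected-code", (RADIUS_CODES.get(code, str(code)), m.group(2))))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```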
