eappeap_postproxy() - set fake->proxy_reply

Ken-ichirou MATSUZAWA chamas at h4.dion.ne.jp
Wed Feb 16 13:42:31 CET 2011


 Hello,

Let me explain in more detail. I want to proxy PEAP to an
old server which cannot deal with EAP. This worked on 2.0.4
but didn't work on 2.1.10, and I can't understand what's wrong.

Comparing the debug output of the two versions, I noticed a difference: after
''[eap] Passing reply back for EAP-MS-CHAP-V2''
mschap_postproxy() was called in 2.0.4, but not in 2.0.10 [sic; the debug output below is from 2.1.10].

thanks.

-------- configuration

# Installation layout. Later values reference earlier ones with ${...}.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid

# Request handling limits: seconds allowed per request, seconds a sent reply
# is kept around for retransmissions, and how many requests are tracked.
max_request_time = 30
cleanup_delay = 5
max_requests = 1024

hostname_lookups = no
# Core dumps stay off; a dump of this process would likely contain the shared
# secrets and the TLS private key password configured further down.
allow_core_dumps = no
regular_expressions = yes
extended_expressions        = yes

checkrad = ${sbindir}/checkrad
# Proxying is enabled; the debug output shows a proxy socket opened on port 1814.
proxy_requests  = yes

# Authentication listener on every local address. port = 0 leaves the port
# choice to the server; the debug output shows it bound to 1812.
# NOTE(review): ipaddr = * accepts packets on all interfaces; binding to the
# interface that faces the NASes narrows exposure.
listen {
    type = auth
    ipaddr = *
    port = 0
}

# Logging goes to ${logdir}/radius.log.
# auth_badpass / auth_goodpass = no keep passwords out of the log file.
# NOTE(review): auth = no also means authentication requests are not logged,
# so radius.log alone gives no record of accepted or rejected logins for
# later investigation.
log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
}

# Basic hardening knobs.
# max_attributes caps the number of attributes accepted in one packet.
# reject_delay holds each Access-Reject back by one second (the debug output
# shows "Delaying reject of request 9 for 1 seconds"), which slows repeated
# guessing.
# status_server = yes makes the server answer Status-Server requests.
security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
}

# Home server that receives the proxied inner authentication.
# The proxied leg runs outside the PEAP TLS tunnel: the debug output shows
# MS-CHAP-Challenge and MS-CHAP2-Response sent to 192.168.1.5:1645 as ordinary
# RADIUS attributes, so this path should stay on a trusted network segment.
# NOTE(review): testing123 is a widely known sample value and is now public in
# this post; use a long, unique secret on a real deployment.
realm legacy {
        authhost = 192.168.1.5:1645
        secret = testing123
}

# One client entry for the whole 10.0.0.0/8 range: every address in it that
# knows this secret is accepted as a NAS.
# The debug output shows require_message_authenticator = no in effect for
# this client.
# NOTE(review): narrower client definitions with a distinct secret per NAS
# limit what a single leaked secret exposes; testing456 is public in this post.
client 10.0.0.0/8 {
        secret          = testing456
        shortname       = priv10
        nastype         = other
}

# Worker thread pool sizing: threads started at boot, the upper bound, and
# the range of idle threads to keep.
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        # 0 disables recycling of a thread after a fixed number of requests.
        max_requests_per_server = 0
}

# Only the eap module is configured; PEAP with inner EAP-MSCHAPv2 is the
# method exercised in the debug output.
modules {
        eap {
                # Type offered first to a new session. In the debug output the
                # supplicant answers with an EAP-NAK asking for PEAP.
                default_eap_type = mschapv2
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                max_sessions = 2048

                # TLS settings shared by the TLS-based methods (PEAP here).
                tls {
                        certdir = ${confdir}/certs
                        cadir = ${confdir}/certs
                        # The key password is stored in plain text and echoed
                        # verbatim by debug mode (see the tls section of the
                        # debug output), so this file should be readable only
                        # by the server account and debug logs scrubbed before
                        # they are shared.
                        private_key_password = tetest123
                        private_key_file = ${certdir}/server.key
                        certificate_file = ${certdir}/server.pem
                        CA_file = ${cadir}/ca.pem
                        dh_file = ${certdir}/dh
                        random_file = ${certdir}/random
                        # "DEFAULT" leaves cipher selection to the OpenSSL
                        # library defaults. The debug output also lists the
                        # effective values of options not set here
                        # (rsa_key_length = 512, dh_key_length = 512,
                        # check_crl = no) and a TLS 1.0 handshake;
                        # NOTE(review): check those against current policy.
                        cipher_list = "DEFAULT"
                        # Session cache is switched off.
                        cache {
                              enable = no
                              lifetime = 24 # hours
                              max_entries = 255
                        }
                }

                peap {
                        # EAP type used inside the tunnel.
                        default_eap_type = mschapv2
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                        # With "no", the inner EAP-MSCHAPv2 exchange is not
                        # forwarded as EAP; the debug output shows it proxied
                        # as plain MS-CHAP-Challenge / MS-CHAP2-Response
                        # attributes, which suits a home server that cannot
                        # handle EAP.
                        proxy_tunneled_request_as_eap = no
                        # Tunneled requests are processed by the
                        # "server inner-tunnel" section of this file.
                        virtual_server = "inner-tunnel"
                }

                mschapv2 {
                }
        }
}

# Virtual server that handles the requests carried inside the PEAP tunnel.
server inner-tunnel {
        authorize {
                # Unconditionally marks every inner request for proxying to
                # the "legacy" realm.
                update control {
                       Proxy-To-Realm := legacy
                }
        }

        authenticate {
                eap
        }

        # eap is listed here so the home server's reply can be handed back to
        # the inner EAP session. In the posted 2.1.10 trace this call returns
        # noop, and the supplicant afterwards rejects the server's success
        # indication ("Client rejected our response").
        # NOTE(review): presumably the MS-CHAP2-Success from the home server
        # never reaches the supplicant as an EAP-MSCHAPv2 success; confirm
        # against the 2.0.4 trace.
        post-proxy {
                eap
        }
}

# Sections of the default (outer) server, which handles the packets received
# from the NAS.
authorize {
        # Stop processing this section as soon as eap returns ok.
        eap {
                ok = return
        }
}

authenticate {
        eap
}

# Runs when the home server's reply arrives; the debug output shows
# "[eap] Doing post-proxy callback" at this point.
post-proxy {
        eap
}

-------- debug output

FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Feb 16 2011 at 10:52:08
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
main {
	allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/freeradius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/freeradius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = "/var/run/freeradius/freeradius.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 realm legacy {
	authhost = 192.168.1.5:1645
	secret = testing123
 }
radiusd: #### Loading Clients ####
 client 10.0.0.0/8 {
	require_message_authenticator = no
	secret = "testing456"
	shortname = "priv10"
	nastype = "other"
 }
radiusd: #### Instantiating modules ####
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file /etc/freeradius/radiusd.conf
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/freeradius/radiusd.conf
  eap {
	default_eap_type = "mschapv2"
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	pem_file_type = yes
	private_key_file = "/etc/freeradius/certs/server.key"
	certificate_file = "/etc/freeradius/certs/server.pem"
	CA_file = "/etc/freeradius/certs/ca.pem"
	private_key_password = "tetest123"
	dh_file = "/etc/freeradius/certs/dh"
	random_file = "/etc/freeradius/certs/random"
	fragment_size = 1024
	include_length = yes
	check_crl = no
	cipher_list = "DEFAULT"
    cache {
	enable = no
	lifetime = 24
	max_entries = 255
    }
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
	default_eap_type = "mschapv2"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	proxy_tunneled_request_as_eap = no
	virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
	with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 } # modules
} # server
server { # from file /etc/freeradius/radiusd.conf
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
Listening on authentication address * port 1812
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=0, length=126
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x0200000e01616e6f6e796d6f7573
	Message-Authenticator = 0x91266a66dc1560f4b180f267046f49cb
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.1.2.3 port 53932
	EAP-Message = 0x010100231a0101001e10fe76bcb9c6b236ae40e3adc55e66f46f616e6f6e796d6f7573
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc93753dfc93649d1dbf26d3ddaf88693
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=1, length=136
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020100060319
	State = 0xc93753dfc93649d1dbf26d3ddaf88693
	Message-Authenticator = 0xdeaac1d575e4baf3e91cb822c6b3dc2d
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 10.1.2.3 port 53932
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc93753dfc8354ad1dbf26d3ddaf88693
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=2, length=235
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x0202006919800000005f160301005a0100005603014d5b0126eb0b34c231395606b2889596742fb84cc68a448175351ed334f887c100002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100000400230000
	State = 0xc93753dfc8354ad1dbf26d3ddaf88693
	Message-Authenticator = 0xef9b9bf03448e138a16225eb9800d247
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 2 length 105
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello  
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello  
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 06f0], Certificate  
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange  
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 10.1.2.3 port 53932
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 0x307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e04160414e9873373dbc0100cca4b8dc5daf3f8cb1bd25a4f301f0603551d23041830168014ff2917752399ff77b0d9660a8b76b304e1b5e430300d06092a864886f70d0101050500038181006c79497d775f6fa7129a769381c8b45136270a6462af9bf340d9667d19274f32702299f51833350e7e82cd86711195b248d30251945558e4b914049da65ee6ddae7f9fc860c995f3c07850a809cde91864b4799701dba0a2605c0d2771d012db3e202dcae23274b4ee2e753a576b5a
	EAP-Message = 0x35b397c3989cc525cf33cc0c
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc93753dfcb344ad1dbf26d3ddaf88693
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=3, length=136
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020300061900
	State = 0xc93753dfcb344ad1dbf26d3ddaf88693
	Message-Authenticator = 0x19b455b774785afdcd942e93c3759284
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 10.1.2.3 port 53932
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 0x8afb26e9fe80edb5
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc93753dfca334ad1dbf26d3ddaf88693
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=4, length=136
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020400061900
	State = 0xc93753dfca334ad1dbf26d3ddaf88693
	Message-Authenticator = 0xd39c3c8109213e51672010199a0870ac
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 10.1.2.3 port 53932
	EAP-Message = 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
	EAP-Message = 0x3364d4cf0903e62ae1f34421cf0681798655d2db77706eb086246040dd2ad28971747a80db9f92cc008ef36f5965585d14c590024a612ffd357d6852f94365a1d99019cfd6802be247a9bb188372b55987be699f1d290784e09816030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc93753dfcd324ad1dbf26d3ddaf88693
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=5, length=338
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020500d01980000000c616030100861000008200800981f81ae3cd35f3a3971747e253480d8ccfd725b293088467b2c223c8bf8efe60d1937a436e1437c93484d52c54bba8c4e708f90b159034005359ab2af17da5e934a0375b87408c9179b904ae61db47c9a134f4b0ce467c522c484d43eabb2e92d5444d941950caab012f29afd86cf4662da8be658c56ecb48db7912a88303c1403010001011603010030c257ac05008e9b2b659c79c4c17c6a0d4a0ad6aaac10af0662e5d8ba7bb225dd470ddaa06db836b439466ab80539b599
	State = 0xc93753dfcd324ad1dbf26d3ddaf88693
	Message-Authenticator = 0x3bb0fea544806206b3685b7cb195aa64
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 5 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] <<< TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 5 to 10.1.2.3 port 53932
	EAP-Message = 0x01060041190014030100010116030100306fa84b71fad492af87f8a5e11025acca4d1b0d95e2c44cdd36dd7f40d4e101a2aa061d8bc3b6282e49e95d295b2f2d53
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc93753dfcc314ad1dbf26d3ddaf88693
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=6, length=136
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020600061900
	State = 0xc93753dfcc314ad1dbf26d3ddaf88693
	Message-Authenticator = 0xdc2f3864a660fa4113a3192cf7f105d8
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 6 to 10.1.2.3 port 53932
	EAP-Message = 0x0107002b190017030100209d5d7425f026a1f645310b814af57e7e0900f663b20b163033316466c3adc4a3
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc93753dfcf304ad1dbf26d3ddaf88693
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=7, length=226
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x02070060190017030100207f737a9d48c1143a532fc83d0f5338fa6e8c1156490566a273890465a1f8b49a17030100307a3ecfc7e51e42647369ec31959395e0256306e8a66e9b9bbd3a151fb2cbf0b054f88118d7bde8c143d84e371173f25f
	State = 0xc93753dfcf304ad1dbf26d3ddaf88693
	Message-Authenticator = 0x0279ebc7ebc97234254458b36cf86753
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 7 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - testuser1
[peap] Got inner identity 'testuser1'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
	EAP-Message = 0x0207000c0139353732393037
server  {
  PEAP: Setting User-Name to testuser1
Sending tunneled request
	EAP-Message = 0x0207000c0139353732393037
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "testuser1"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
++[control] returns notfound
} # server inner-tunnel
[peap] Got tunneled reply code 0
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
    PEAP: Cancelling proxy to realm legacy until the tunneled EAP session has been established
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x010800211a0108001c109daef7bb0892bcb96f4dfeccdf4a10be39353732393037
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x688571cd688d6b54446bcd4ca98084f6
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 7 to 10.1.2.3 port 53932
	EAP-Message = 0x0108004b19001703010040ff16c45a2ce5393c0acb3826003af0124949f4a66127990679643164dfb9e6409dbfe408c25e347a101477f5891e9b3328dedbaeb5c92cc6262bcdadd59076b0
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc93753dfce3f4ad1dbf26d3ddaf88693
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=8, length=258
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020800801900170301002062cf7f5b217fd63ad2fe213494f63a6ad86b7e445418beb080f7952df21a71d81703010050ef2bea5015abb6d99b198701b94c7c436100fe12e499ecd550270ffb544aacbf1a664e20bd55fe3d185747de90246b248d4da9efb6d30fd075720bf9c392a961b5d0118cd0e74677a185ec8d1af99bf2
	State = 0xc93753dfce3f4ad1dbf26d3ddaf88693
	Message-Authenticator = 0x4aaf30054d7a126cfc58a1fe4f8b78d2
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 8 length 128
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020800421a0208003d31828a2d7a21903addce73462073635e330000000000000000a7790a0fabf812d9ff5952be61bb960e426380e5cbaea5710039353732393037
server  {
  PEAP: Setting User-Name to testuser1
Sending tunneled request
	EAP-Message = 0x020800421a0208003d31828a2d7a21903addce73462073635e330000000000000000a7790a0fabf812d9ff5952be61bb960e426380e5cbaea5710039353732393037
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "testuser1"
	State = 0x688571cd688d6b54446bcd4ca98084f6
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
++[control] returns notfound
} # server inner-tunnel
[peap] Got tunneled reply code 0
  PEAP: Calling authenticate in order to initiate tunneled EAP session.
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap]   Not-EAP proxy set.  Not composing EAP
++[eap] returns handled
  PEAP: Tunneled authentication will be proxied to legacy
  PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
[eap]   Tunneled session will be proxied.  Not doing EAP.
++[eap] returns handled
  WARNING: Empty pre-proxy section.  Using default return values.
Sending Access-Request of id 243 to 192.168.1.5 port 1645
	User-Name = "testuser1"
	MS-CHAP-Challenge = 0x9daef7bb0892bcb96f4dfeccdf4a10be
	MS-CHAP2-Response = 0x0835828a2d7a21903addce73462073635e330000000000000000a7790a0fabf812d9ff5952be61bb960e426380e5cbaea571
	Proxy-State = 0x38
Proxying request 8 to home server 192.168.1.5 port 1645
Sending Access-Request of id 243 to 192.168.1.5 port 1645
	User-Name = "testuser1"
	MS-CHAP-Challenge = 0x9daef7bb0892bcb96f4dfeccdf4a10be
	MS-CHAP2-Response = 0x0835828a2d7a21903addce73462073635e330000000000000000a7790a0fabf812d9ff5952be61bb960e426380e5cbaea571
	Proxy-State = 0x38
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 192.168.1.5 port 1645, id=243, length=122
	MS-CHAP2-Success = 0x08533d38413537333944413130374135454330333631464545323132444239413845354142324133384331
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Proxy-State = 0x38
	Class = 0x434953434f4143533a30313432386463662f38353961333537622f39353732393037
# Executing section post-proxy from file /etc/freeradius/radiusd.conf
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
server inner-tunnel {
[eap] Passing reply back for EAP-MS-CHAP-V2
# Executing section post-proxy from file /etc/freeradius/radiusd.conf
+- entering group post-proxy {...}
++[eap] returns noop
  WARNING: Empty post-auth section.  Using default return values.
} # server inner-tunnel
[eap] Final reply from tunneled session code 2
	MS-CHAP2-Success = 0x08533d38413537333944413130374135454330333631464545323132444239413845354142324133384331
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Proxy-State = 0x38
	Class = 0x434953434f4143533a30313432386463662f38353961333537622f39353732393037
[eap] Got reply 2
[eap] Got tunneled reply RADIUS code 2
	MS-CHAP2-Success = 0x08533d38413537333944413130374135454330333631464545323132444239413845354142324133384331
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Proxy-State = 0x38
	Class = 0x434953434f4143533a30313432386463662f38353961333537622f39353732393037
[eap] Tunneled authentication was successful.
[eap] SUCCESS
[eap] Reply was handled
++[eap] returns ok
Found Auth-Type = EAP
Found Auth-Type = Accept
Warning:  Found 2 auth-types on request for user 'anonymous'
Auth-Type = Accept, accepting the user
  WARNING: Empty post-auth section.  Using default return values.
Sending Access-Challenge of id 8 to 10.1.2.3 port 53932
	EAP-Message = 0x0109003b19001703010030640e81acec93c51e59bba8ce414fb9bd6a1460257e048338092073395b6a7212c29694ceab37a8f51493b9d9dda31900
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc93753dfc13e4ad1dbf26d3ddaf88693
Finished request 8.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=9, length=226
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x0209006019001703010020b3bd77af125e8598b4d0fa4500fe192b9e3549d4bf505ecda2c577b4442b441f1703010030fac4e8e250747ad2eacfce0a984d1ac4f01a995522125078e1a5e26d9c623d0ac843b8849872911fc94a64f72c2b2355
	State = 0xc93753dfc13e4ad1dbf26d3ddaf88693
	Message-Authenticator = 0x44bc1230fec13f85ae315e404f550d88
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 9 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Client rejected our response.  The password is probably incorrect.
[peap] We sent a success, but received something weird in return.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 9 to 10.1.2.3 port 53932
	EAP-Message = 0x04090004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 0 ID 0 with timestamp +17
Cleaning up request 1 ID 1 with timestamp +17
Cleaning up request 2 ID 2 with timestamp +17
Cleaning up request 3 ID 3 with timestamp +17
Cleaning up request 4 ID 4 with timestamp +17
Cleaning up request 5 ID 5 with timestamp +17
Cleaning up request 6 ID 6 with timestamp +17
Cleaning up request 7 ID 7 with timestamp +17
Cleaning up request 8 ID 8 with timestamp +17
Waking up in 1.0 seconds.
Cleaning up request 9 ID 9 with timestamp +17
Ready to process requests.


