Integration with CISCO Router for PEAP requests

Andras Ionut ionut.andras at gmail.com
Thu Aug 30 18:52:13 CEST 2012


Hi Phil,

Sorry if this looks dumb to you.

I've read your post; the reason I've explicitly asked how to do this in
PEAP is because in the post it says:
"This only works for PAP, and does NOT work for EAP-TLS, CHAP, *MSCHAP*, or
WIMAX authentication."

Now, I especially need to send Access-Accept for PEAP with inner
EAP-MSCHAPv2, and I also don't use MySQL to select the users.
I've also tried to set Access-Accept as any other AVP from my FreeRADIUS
module, but it doesn't work (extract from log attached).

Can you please help?

Thanks in advance.
Andras





On 30/08/12 15:11, Andras Ionut wrote:
> Hi Phil,
>
> Thanks a lot for the quick response.
>
> I need this for PEAP with EAP protocol inside the tunnel, like
> EAP-MSCHAPv2.
>
> Again, the device MUST reject the connection as EAP is not completed,
> but the ROUTER needs that Access-Accept,
> in order to be able to redirect user to portal.
>
> Can this be done?

The technique to do this is described in the FAQ entry I linked. Did you
read it?
-------------- next part --------------
node Name: Auth-Type Value: Accept
node Name: Session-Timeout Value: 100
node Name: Termination-Action Value: 1
node Name: Idle-Timeout Value: 180
node Name: WISPr-Bandwidth-Max-Up Value: 100000
node Name: WISPr-Bandwidth-Max-Down Value: 250000
node Name: Framed-Protocol Value: PPP
node Name: Reply-Message Value: OK
[test_mod]  INFO: Cleartext-Password set based on Mobif 
++[test_mod] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: user1@home.com
[mschap] Told to do MS-CHAPv2 for user1@home.com with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
	Auth-Type := Accept
	Session-Timeout := 100
	Termination-Action := RADIUS-Request
	Idle-Timeout := 180
	WISPr-Bandwidth-Max-Up := 100000
	WISPr-Bandwidth-Max-Down := 250000
	Framed-Protocol := PPP
	Reply-Message := "OK"
	MS-CHAP-Error = "\tE=691 R=1"
	EAP-Message = 0x04090004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
	Auth-Type := Accept
	Session-Timeout := 100
	Termination-Action := RADIUS-Request
	Idle-Timeout := 180
	WISPr-Bandwidth-Max-Up := 100000
	WISPr-Bandwidth-Max-Down := 250000
	Framed-Protocol := PPP
	Reply-Message := "OK"
	MS-CHAP-Error = "\tE=691 R=1"
	EAP-Message = 0x04090004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 60 to 192.168.2.145 port 1337
	User-Name = "user1@home.com"
	EAP-Message = 0x010a002b19001703010020ad227ff42051a2119a3fdfcc0999ebcd51f07b78079146e092f0f85f8604137f
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x23f93a462bf32393cc91e8892c409246
Finished request 18.
Going to the next request
Waking up in 3.8 seconds.
rad_recv: Access-Request packet from host 192.168.2.145 port 1337, id=61, length=269
	User-Name = "user1@home.com"
	NAS-IP-Address = 192.168.2.2
	NAS-Identifier = "hello"
	NAS-Port = 0
	Called-Station-Id = "00-11-22-33-44-55:SSID-1"
	Calling-Station-Id = "00-11-22-33-44-55"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless
	Connect-Info = "0Mbps 802.11b"
	EAP-Message = 0x020a0050190017030100205d777644a41a5fee4c658652b55fcd128b1fa7fe21dd1edcabeea1ca001c076117030100205719da5b2d9845746ebf187441a4b8724d074b043fd7e36a297dd45fc55a0c95
	State = 0x23f93a462bf32393cc91e8892c409246
	Message-Authenticator = 0x44e5ac78c039e29bc4798902f9c5b10f
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
	expand: %{request:User-Name} -> user1@home.com
++[reply] returns notfound
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "home.com" for User-Name = "user1@home.com"
[suffix] No such realm "home.com"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
  SSL: Removing session 34ae8bf5fcb9242ca155baa7eb42097a96d72f29008c63185bb75a719e0fde41 from the cache
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> user1@home.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 19 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 19
Sending Access-Reject of id 61 to 192.168.2.145 port 1337
	EAP-Message = 0x040a0004
	Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Request packet from host 192.168.2.145 port 1337, id=61, length=269
Sending duplicate reply to client 192.168.0.0/16 port 1337 - ID: 61
Sending Access-Reject of id 61 to 192.168.2.145 port 1337
	EAP-Message = 0x040a0004
	Message-Authenticator = 0x00000000000000000000000000000000
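The trace attached above already contains the answer to "why was the user rejected": "[mschap] FAILED: MS-CHAP2-Response is incorrect", "[peap] Got tunneled reply code 3", and an Auth-Type := Accept that appears among the tunneled reply attributes next to Reply-Message while the inner tunnel still runs with "Found Auth-Type = EAP". Digging those facts out of a long radiusd -X run by hand is error-prone, so the following is an added example (not code from this thread or from the FreeRADIUS project) that does it with a small Python parser: it tracks which virtual server each line belongs to, records every module that returned reject/fail/invalid, the MS-CHAP-Error code, the PEAP tunneled reply code, any Auth-Type seen in a reply list, and the final packet sent to the NAS. The sample trace it runs on is a constructed, condensed copy of the attached lines, with one "Executing section authorize ... inner-tunnel" line added so the server tracking has something to key on; the RADIUS code and MS-CHAP error tables are the standard values from RFC 2865 and RFC 2759.

```python
"""Pull the rejection cause out of a FreeRADIUS `radiusd -X` debug trace.

Added example; not code from the mailing-list thread or the FreeRADIUS project.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# RADIUS packet codes (RFC 2865) as printed by "[peap] Got tunneled reply code N".
RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
# Error codes carried in the MS-CHAP-Error "E=" field (RFC 2759, section 6).
MSCHAP_ERRORS = {
    646: "restricted logon hours", 647: "account disabled", 648: "password expired",
    649: "no dial-in permission", 691: "authentication failure",
    709: "error changing password",
}

# Constructed sample: a condensed copy of the trace attached above.  The first
# line is added so the parser sees that the authorize run belongs to inner-tunnel.
SAMPLE_TRACE = """\
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
\tAuth-Type := Accept
\tReply-Message := "OK"
\tMS-CHAP-Error = "\\tE=691 R=1"
[peap] Tunneled authentication was rejected.
++[eap] returns handled
Sending Access-Challenge of id 60 to 192.168.2.145 port 1337
rad_recv: Access-Request packet from host 192.168.2.145 port 1337, id=61, length=269
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
[peap]  The users session was previously rejected: returning reject (again.)
++[eap] returns invalid
Using Post-Auth-Type Reject
Sending Access-Reject of id 61 to 192.168.2.145 port 1337
"""

RE_SERVER = re.compile(r"^# Executing (?:section \S+|group) from file .*/sites-enabled/(\S+)")
RE_SERVER_END = re.compile(r"^\} # server (\S+)")
RE_AUTH_TYPE = re.compile(r"^Found Auth-Type = (\S+)")
RE_MODULE_RC = re.compile(r"^\++\[([\w.]+)\] returns (\w+)")
RE_MSCHAP_ERR = re.compile(r'MS-CHAP-Error = ".*?E=(\d+)')
RE_TUNNEL_CODE = re.compile(r"^\[peap\] Got tunneled reply code (\d+)")
RE_REPLY_AUTH = re.compile(r"^\s+Auth-Type :?= (\S+)")   # indented => reply list
RE_SENDING = re.compile(r"^Sending (Access-\w+) of id (\d+)")


@dataclass
class TraceSummary:
    auth_types: list = field(default_factory=list)        # (server, Auth-Type)
    rejects: list = field(default_factory=list)           # (server, module, rcode)
    reply_auth_types: list = field(default_factory=list)  # Auth-Type values in a reply list
    mschap_error: Optional[int] = None
    tunneled_reply: Optional[str] = None
    outer_replies: list = field(default_factory=list)     # (id, packet type), in order


def parse_trace(text: str) -> TraceSummary:
    s = TraceSummary()
    server = "default"  # assumption: lines before any "Executing" marker are outer
    for line in text.splitlines():
        if m := RE_SERVER.match(line):
            server = m.group(1)
        elif RE_SERVER_END.match(line):
            server = "default"
        elif m := RE_AUTH_TYPE.match(line):
            s.auth_types.append((server, m.group(1)))
        elif m := RE_MODULE_RC.match(line):
            if m.group(2) in ("reject", "fail", "invalid"):
                s.rejects.append((server, m.group(1), m.group(2)))
        elif m := RE_MSCHAP_ERR.search(line):
            s.mschap_error = int(m.group(1))
        elif m := RE_TUNNEL_CODE.match(line):
            code = int(m.group(1))
            s.tunneled_reply = RADIUS_CODES.get(code, f"code {code}")
        elif m := RE_REPLY_AUTH.match(line):
            s.reply_auth_types.append(m.group(1))
        elif m := RE_SENDING.match(line):
            s.outer_replies.append((int(m.group(2)), m.group(1)))
    return s


def diagnose(s: TraceSummary) -> list:
    """Turn the summary into the findings a practitioner reads the trace for."""
    findings = []
    for server, module, rc in s.rejects:
        msg = f"{server}: module '{module}' returned {rc}"
        if module == "mschap" and s.mschap_error is not None:
            reason = MSCHAP_ERRORS.get(s.mschap_error, "unknown code")
            msg += f" (MS-CHAP-Error E={s.mschap_error}, {reason})"
        findings.append(msg)
    if s.tunneled_reply:
        findings.append(f"PEAP inner tunnel answered with {s.tunneled_reply}")
    for server, at in s.auth_types:
        findings.append(f"{server}: authenticate ran with Auth-Type = {at}")
    for at in s.reply_auth_types:
        findings.append(f"Auth-Type := {at} sits in a reply attribute list, not in "
                        "the control list, so it does not select the authenticate method")
    if s.outer_replies:
        rid, kind = s.outer_replies[-1]
        findings.append(f"final packet to the NAS: {kind} (id {rid})")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

Run it on a saved radiusd -X capture with `parse_trace(open("debug.log").read())`; the three points it prints for this trace (the inner mschap reject with E=691, the tunneled Access-Reject, and Auth-Type := Accept living in the reply list while the inner tunnel ran as Auth-Type = EAP) are exactly the "reject" and "fail" lines the [peap] module tells you to look for.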