EAP-Peap-MSchapv2 proxy from innertunnel
Phil Mayers
p.mayers at imperial.ac.uk
Thu Aug 29 19:10:04 CEST 2013
On 29/08/13 17:01, Robert Roll wrote:
> Ok, Below is the TCP dump. I have attached the Freeradius Debug output beginning
> near the start of the proxy..
The problem here is pretty straightforward, but not obvious from the
debugs since FR is just proxying.
Basically, the client sends the inner EAP-identity, and the proxy server
responds with an EAP-TLS start i.e. you would be doing EAP-TLS inside
PEAP, if this worked:
rad_recv: Access-Challenge packet from host 155.97.185.76 port 1812,
id=216, length=128
State = ...
Proxy-State = 0x313231
EAP-Message = 0x010900060d20
0x0d == 13 == EAP-TLS. This is encrypted and sent down the tunnel. The
client then sends an EAP-NAK, listing 26 as the only supported EAP type
(which is weird - is it a Windows machines set to some odd combo like
cryptobinding enabled?):
[peap] Got tunneled request
EAP-Message = 0x02090006031a
0x03 == 3 = NAK, 0x1a == 26 == MS-EAP (SoH, I think?)
...which the proxy server then rejects:
rad_recv: Access-Reject packet from host 155.97.185.76 port 1812, id=71,
length=49
Proxy-State = 0x313232
EAP-Message = 0x04090004
So the solution is simple - if you're going to proxy the inner auth,
ensure the client inner auth method and upstream proxy auth method are
mutually compatible.
More information about the Freeradius-Users
mailing list