EAP-Peap-MSchapv2 proxy from innertunnel

Phil Mayers p.mayers at imperial.ac.uk
Thu Aug 29 19:10:04 CEST 2013

On 29/08/13 17:01, Robert Roll wrote:
> Ok, Below is the TCP dump. I have attached the Freeradius Debug output beginning
> near the start of the proxy..

The problem here is pretty straightforward, but not obvious from the 
debugs since FR is just proxying.

Basically, the client sends the inner EAP-identity, and the proxy server 
responds with an EAP-TLS start i.e. you would be doing EAP-TLS inside 
PEAP, if this worked:

rad_recv: Access-Challenge packet from host port 1812, 
id=216, length=128
	State = ...
	Proxy-State = 0x313231
	EAP-Message = 0x010900060d20

0x0d == 13 == EAP-TLS. This is encrypted and sent down the tunnel. The 
client then sends an EAP-NAK, listing 26 as the only supported EAP type 
(which is weird - is it a Windows machines set to some odd combo like 
cryptobinding enabled?):

[peap] Got tunneled request
	EAP-Message = 0x02090006031a

0x03 == 3 = NAK, 0x1a == 26 == MS-EAP (SoH, I think?)

...which the proxy server then rejects:

rad_recv: Access-Reject packet from host port 1812, id=71, 
	Proxy-State = 0x313232
	EAP-Message = 0x04090004

So the solution is simple - if you're going to proxy the inner auth, 
ensure the client inner auth method and upstream proxy auth method are 
mutually compatible.

More information about the Freeradius-Users mailing list