FreeRadius2 issue when deployed as proxy for EAP-TLS

Muhammad Faisal faisalusuf at yahoo.com
Tue Apr 14 15:21:31 CEST 2015


Thanks Matthew. Let me recheck the server configuration. Just a quick query: is it important for a proxy server to configure the desired auth mode correctly (EAP-TLS in our case) for proper exchange of the messages? Can't we configure it like a relaying agent only, as we do not intend to modify the packet for now?

Regards,
Muhammad Faisal.

 
From: Matthew Newton <mcn4 at leicester.ac.uk>
To: Muhammad Faisal <faisalusuf at yahoo.com>
Cc: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Tuesday, April 14, 2015 6:11 PM
Subject: Re: FreeRadius2 issue when deployed as proxy for EAP-TLS
   
On Tue, Apr 14, 2015 at 12:57:48PM +0000, Muhammad Faisal wrote:
> Do excuse me for sending wrong file. I have attached a correct file within now.

That's much better, thanks.

If you read that output, you'll notice the packet that was proxied
on is identical to the packet that was received.

Therefore FreeRADIUS is doing its job correctly. You need to
investigate what is broken on your other RADIUS server.

It either doesn't understand eap, or doesn't have eap configured
correctly.

Matthew


> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.52.75 port 10034, id=71, length=235
>     User-Name = "001C1127E021 at setuptest.com"
>     NAS-IP-Address = 192.168.52.75
>     Calling-Station-Id = "001c1127e021"
>     NAS-Identifier = "HW-WASN"
>     Event-Timestamp = "Apr 14 2015 17:10:55 PKT"
>     EAP-Message = 0x0217001f01303031433131323745303231407175626565746573742e636f6d
>     WiMAX-Release = "1.1"
>     WiMAX-Accounting-Capabilities = Flow-Based
>     WiMAX-Hotlining-Capabilities = Hotline-Profile-Id
>     WiMAX-Idle-Mode-Notification-Cap = Supported
>     WiMAX-Attr-1281 = 0x01
>     BS-Id = 0x303030303037303031313130
>     WiMAX-GMT-Timezone-offset = 18000
>     NAS-Port-Type = Wireless-802.16
>     WiMAX-Available-In-Client = 99
>     Service-Type = Framed-User
>     Chargeable-User-Identity = "\000\000"
>     Message-Authenticator = 0x1a5e73e60c133a6586d7adb34776c7c5
> # Executing section authorize from file /etc/raddb/sites-enabled/default


...


> +- entering group pre-proxy {...}
> [pre_proxy_log]     expand: /var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d -> /var/log/radius/radacct/192.168.52.75/pre-proxy-detail-20150414
> [pre_proxy_log] /var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.52.75/pre-proxy-detail-20150414
> [pre_proxy_log]     expand: %t -> Tue Apr 14 17:20:23 2015
> ++[pre_proxy_log] returns ok
> Sending Access-Request of id 66 to 192.168.51.6 port 1812
>     User-Name = "001C1127E021 at setuptest.com"
>     NAS-IP-Address = 192.168.52.75
>     Calling-Station-Id = "001c1127e021"
>     NAS-Identifier = "HW-WASN"
>     Event-Timestamp = "Apr 14 2015 17:10:55 PKT"
>     EAP-Message = 0x0217001f01303031433131323745303231407175626565746573742e636f6d
>     WiMAX-Release = "1.1"
>     WiMAX-Accounting-Capabilities = Flow-Based
>     WiMAX-Hotlining-Capabilities = Hotline-Profile-Id
>     WiMAX-Idle-Mode-Notification-Cap = Supported
>     WiMAX-Attr-1281 = 0x01
>     BS-Id = 0x303030303037303031313130
>     WiMAX-GMT-Timezone-offset = 18000
>     NAS-Port-Type = Wireless-802.16
>     WiMAX-Available-In-Client = 99
>     Service-Type = Framed-User
>     Chargeable-User-Identity = "\000\000"
>     Message-Authenticator = 0x00000000000000000000000000000000
>     Proxy-State = 0x3731
> Proxying request 0 to home server 192.168.51.6 port 1812
> Sending Access-Request of id 66 to 192.168.51.6 port 1812
>     User-Name = "001C1127E021 at setuptest.com"
>     NAS-IP-Address = 192.168.52.75
>     Calling-Station-Id = "001c1127e021"
>     NAS-Identifier = "HW-WASN"
>     Event-Timestamp = "Apr 14 2015 17:10:55 PKT"
>     EAP-Message = 0x0217001f01303031433131323745303231407175626565746573742e636f6d
>     WiMAX-Release = "1.1"
>     WiMAX-Capability = 0x0105312e31020302030301040301
>     WiMAX-Accounting-Capabilities = Flow-Based
>     WiMAX-Hotlining-Capabilities = Hotline-Profile-Id
>     WiMAX-Idle-Mode-Notification-Cap = Supported
>     WiMAX-Attr-1281 = 0x01
>     BS-Id = 0x303030303037303031313130
>     WiMAX-GMT-Timezone-offset = 18000
>     NAS-Port-Type = Wireless-802.16
>     WiMAX-Available-In-Client = 99
>     PPAC = 0x010600000063
>     Service-Type = Framed-User
>     Chargeable-User-Identity = "\000\000"
>     Message-Authenticator = 0x00000000000000000000000000000000
>     Proxy-State = 0x3731
> Going to the next request
> Waking up in 0.9 seconds.
> rad_recv: Access-Reject packet from host 192.168.51.6 port 1812, id=66, length=38
>     Reply-Message = "Invalid Password"




-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
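
The comparison Matthew describes (proxied packet identical to the received one) can be checked mechanically on the debug output. The script below is an added example, not part of the original thread or of FreeRADIUS: it diffs two attribute dumps while ignoring the attributes a proxy adds or re-signs, and decodes the EAP-Message header. The sample input is a constructed subset of the log quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: a subset of the attributes from the debug output above.
RECEIVED = """\
User-Name = "001C1127E021 at setuptest.com"
EAP-Message = 0x0217001f01303031433131323745303231407175626565746573742e636f6d
Service-Type = Framed-User
Message-Authenticator = 0x1a5e73e60c133a6586d7adb34776c7c5
"""
PROXIED = """\
User-Name = "001C1127E021 at setuptest.com"
EAP-Message = 0x0217001f01303031433131323745303231407175626565746573742e636f6d
Service-Type = Framed-User
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3731
"""

# A proxy adds Proxy-State and re-signs Message-Authenticator for the next hop.
HOP_BY_HOP = {"Message-Authenticator", "Proxy-State"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS"}

def parse_attrs(dump):
    """Return (name, value) pairs from 'Name = value' lines; '>' quoting is allowed."""
    found = (re.match(r"[>\s]*([\w-]+) = (.*)$", line) for line in dump.splitlines())
    return [(m.group(1), m.group(2).strip()) for m in found if m]

def proxy_diff(received, proxied):
    """Attributes present in only one dump, ignoring the hop-by-hop ones."""
    def end_to_end(dump):
        return {p for p in parse_attrs(dump) if p[0] not in HOP_BY_HOP}
    return sorted(end_to_end(received) ^ end_to_end(proxied))

def decode_eap(hexvalue):
    """Decode the EAP header (RFC 3748) of a single, unfragmented EAP-Message."""
    raw = bytes.fromhex(re.sub(r"^0x", "", hexvalue))
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length {length} but attribute carries {len(raw)} bytes")
    eap_type = raw[4] if code in (1, 2) and length > 4 else None
    return {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "type": EAP_TYPES.get(eap_type, eap_type), "data": raw[5:]}

if __name__ == "__main__":
    print("changed in transit:", proxy_diff(RECEIVED, PROXIED) or "nothing")
    eap = decode_eap(dict(parse_attrs(PROXIED))["EAP-Message"])
    print("EAP", eap["code"], eap["type"], "id", eap["id"], "len", eap["length"])
```

An empty diff together with an intact EAP Response/Identity header means the proxy relayed the EAP payload unchanged, which is the basis for looking at the home server's EAP configuration next.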


   

