Still problems with IOS9 and FR2.2.9

Mark Haselden levsky at gmail.com
Thu Oct 8 09:12:23 CEST 2015


Hi,

Like lots of people, we've been hit with the changes to TLS support in
IOS9.  I've upgraded to FR2.2.9 (we're a moderate sized ISP and can't
upgrade to 3.x in a hurry) but there's still little change to the matter.

Our configuration is a proxy configuration which forwards normal (non-EAP)
RADIUS to our customer-facing RADIUS platform.
The difference that we're seeing between an 8.x connection attempt (which
works fine) and a 9.x connection attempt is that we don't see the MSCHAP
attributes passed through in the request.

If anyone has any ideas, that would be greatly appreciated.  I'm kind of at
a dead end at this point.

Cheers

Mark

Thread 3 handling request 25, (6 handled so far)
# Executing section authorize from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "levsky", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 1 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Finished request 25.
Going to the next request
Thread 3 waiting to be assigned a request
Waking up in 0.9 seconds.
Thread 4 got semaphore
Thread 4 handling request 26, (6 handled so far)
# Executing section authorize from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "levsky", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 2 length 143
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 133
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0080], ClientHello
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 06b2], Certificate
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Finished request 26.
Going to the next request
Thread 4 waiting to be assigned a request
Waking up in 0.9 seconds.
Thread 2 got semaphore
Thread 2 handling request 27, (6 handled so far)
# Executing section authorize from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "levsky", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Finished request 27.
Going to the next request
Thread 2 waiting to be assigned a request
Waking up in 0.9 seconds.
Thread 5 got semaphore
Thread 5 handling request 28, (6 handled so far)
# Executing section authorize from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "levsky", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 4 length 253
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 326
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Finished request 28.
Going to the next request
Thread 5 waiting to be assigned a request
Waking up in 0.8 seconds.
Thread 1 got semaphore
Thread 1 handling request 29, (7 handled so far)
# Executing section authorize from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "levsky", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 5 length 63
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 53
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled identity of levsky
[ttls] Setting default EAP type for tunneled EAP session.
# Executing section authorize from file /usr/share/ii/wifiproxy/sites-enabled/ttls-proxy
+group authorize {
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Tunnel-Type = VLAN
rlm_perl: Added pair Called-Station-Id = 34dbfd24e9e0:iiNet Customer DEV
rlm_perl: Added pair Airespace-Wlan-Id = 155
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Location-Capable = Civix-Location
rlm_perl: Added pair II-Proxy-Realm = IIRADIUS
rlm_perl: Added pair NAS-IP-Address = 10.13.6.8
rlm_perl: Added pair Tunnel-Private-Group-Id = 151
rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
rlm_perl: Added pair Calling-Station-Id = f0f61c739670
rlm_perl: Added pair Cisco-AVPair = audit-session-id=0a19d7cb0005280162131656
rlm_perl: Added pair User-Name = levsky
rlm_perl: Added pair NAS-Identifier = wlc1.per3
rlm_perl: Added pair Chargeable-User-Identity =
rlm_perl: Added pair EAP-Message = 0x0200000b016c6576736b79
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1300
rlm_perl: Added pair EAP-Type = MD5-Challenge
++[perl-innertunnels] = ok
++update control {
expand: %{II-Proxy-Realm} -> IIRADIUS
++} # update control = noop
+} # group authorize = ok
[ttls] Tunneled authentication will be proxied to IIRADIUS
[eap]   Tunneled session will be proxied.  Not doing EAP.
++[eap] = handled
+} # group authenticate = handled
  WARNING: Empty pre-proxy section.  Using default return values.
Proxying request 29 to home server 10.10.24.1 port 1645
Going to the next request
Thread 1 waiting to be assigned a request
Waking up in 0.8 seconds.
Thread 3 got semaphore
Thread 3 handling request 29, (7 handled so far)
# Executing section post-proxy from file /usr/share/ii/wifiproxy/sites-enabled/default
+group post-proxy {
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
[eap] Got tunneled Access-Reject
[eap] Reply was rejected
[eap] Failed in post-proxy callback
rlm_eap_ttls: Freeing handler for user levsky
++[eap] = reject
+} # group post-proxy = reject
Login incorrect (Home Server says so): [levsky/<via Auth-Type = EAP>] (from client wlc1.per3 port 1 cli f0f61c739670)
Using Post-Auth-Type Reject
# Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> levsky
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 29 for 1 seconds
Going to the next request
Thread 3 waiting to be assigned a request
Sending delayed reject for request 29
Cleaning up request 23 ID 117 with timestamp +47
Waking up in 1.7 seconds.
Cleaning up request 24 ID 119 with timestamp +49
Waking up in 2.0 seconds.
Waking up in 0.9 seconds.
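A way to check what actually reached the inner tunnel, as an added example written for this archive page rather than code from the poster or from the FreeRADIUS project: it collects the "Added pair" lines that rlm_perl logged inside the ttls-proxy authorize section, decodes any EAP-Message found there using the RFC 3748 header layout (code, identifier, length, type), and reports whether the inner request carried MS-CHAP attributes or an EAP exchange. The first sample log is condensed from the debug output above; the second is constructed to show the MS-CHAP case and its attribute values are placeholders, not captured data.

```python
"""Triage helper for FreeRADIUS 2.x debug output (radiusd -X) from an
EAP-TTLS proxy.  Added example: not code from the original post or from the
FreeRADIUS project.  It reads the attributes rlm_perl logged for the inner
(ttls-proxy) authorize section, decodes any EAP-Message found there per
RFC 3748, and reports whether the inner tunnel carries plain MS-CHAP
attributes (proxyable as ordinary RADIUS) or an EAP conversation."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# RFC 3748 EAP codes, and the IANA EAP method types relevant to this thread.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}

# Non-EAP attributes a TTLS/MSCHAPv2 inner tunnel carries (FreeRADIUS
# dictionary names for the RFC 2548 Microsoft VSAs).
MSCHAP_ATTRS = {"MS-CHAP-Challenge", "MS-CHAP-Response", "MS-CHAP2-Response"}

PAIR_RE = re.compile(r"^rlm_perl: Added pair ([\w-]+) = ?(.*)$")


@dataclass
class EapMessage:
    code: str
    identifier: int
    length: int
    eap_type: Optional[str]
    data: bytes


def parse_eap_message(hex_value: str) -> EapMessage:
    """Decode one EAP-Message value as FreeRADIUS logs it ("0x...")."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, identifier, length")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes logged")
    eap_type, data = None, b""
    if code in (1, 2) and length >= 5:  # only Request/Response carry a Type octet
        eap_type = EAP_TYPES.get(raw[4], f"type-{raw[4]}")
        data = raw[5:]
    return EapMessage(EAP_CODES.get(code, f"code-{code}"), ident, length, eap_type, data)


@dataclass
class InnerTunnelReport:
    attrs: Dict[str, str] = field(default_factory=dict)
    eap: Optional[EapMessage] = None
    verdict: str = "no authentication attributes in the inner tunnel"


def classify_inner_tunnel(debug_log: str) -> InnerTunnelReport:
    """Collect the 'Added pair' lines between the ttls-proxy authorize header
    and the end of that group, then decide what the home server will see."""
    report = InnerTunnelReport()
    in_inner = False
    for line in debug_log.splitlines():
        line = line.strip()
        if "sites-enabled/ttls-proxy" in line:
            in_inner = True
            continue
        if in_inner and line.startswith("+} # group authorize"):
            break
        if in_inner:
            m = PAIR_RE.match(line)
            if m:
                report.attrs[m.group(1)] = m.group(2)
    present = sorted(MSCHAP_ATTRS.intersection(report.attrs))
    if present:
        report.verdict = (f"MS-CHAP attributes present ({', '.join(present)}): "
                          "inner request can be proxied as plain RADIUS")
    elif "EAP-Message" in report.attrs:
        report.eap = parse_eap_message(report.attrs["EAP-Message"])
        report.verdict = (f"EAP {report.eap.code}/{report.eap.eap_type} in inner "
                          "tunnel, no MS-CHAP attributes: the home server must handle EAP")
    return report


# Constructed sample, condensed from the debug output in the post above.
SAMPLE_IOS9 = """\
# Executing section authorize from file /usr/share/ii/wifiproxy/sites-enabled/ttls-proxy
+group authorize {
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair User-Name = levsky
rlm_perl: Added pair EAP-Message = 0x0200000b016c6576736b79
rlm_perl: Added pair EAP-Type = MD5-Challenge
++[perl-innertunnels] = ok
+} # group authorize = ok
"""

# Constructed counter-example: what a TTLS/MSCHAPv2 inner tunnel would log.
# Attribute values are placeholders, not captured data.
SAMPLE_MSCHAP = """\
# Executing section authorize from file /usr/share/ii/wifiproxy/sites-enabled/ttls-proxy
+group authorize {
rlm_perl: Added pair User-Name = levsky
rlm_perl: Added pair MS-CHAP-Challenge = 0x00112233445566778899aabbccddeeff
rlm_perl: Added pair MS-CHAP2-Response = 0xPLACEHOLDER
+} # group authorize = ok
"""

if __name__ == "__main__":
    for label, log in (("iOS 9 capture", SAMPLE_IOS9), ("MS-CHAP inner", SAMPLE_MSCHAP)):
        r = classify_inner_tunnel(log)
        print(label, "->", r.verdict)
        if r.eap:
            print("  EAP-Message decodes to", r.eap)
```

Run against the capture above, the EAP-Message value 0x0200000b016c6576736b79 decodes to an EAP Response, identifier 0, length 11, type Identity, with data "levsky": the inner tunnel delivered an EAP identity exchange rather than MS-CHAP attributes, which is what the proxy then forwarded to the home server.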
