Still problems with IOS9 and FR2.2.9

Mark Haselden levsky at gmail.com
Sun Oct 11 01:47:54 CEST 2015


Sorry Alan,  I'd already posted the freeradius output in the prior email,
and I didn't want to spam too much, but here it is again.

Thanks

Mark

Thread 3 handling request 25, (6 handled so far)
# Executing section authorize from file
/usr/share/ii/wifiproxy/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "levsky", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 1 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Finished request 25.
Going to the next request
Thread 3 waiting to be assigned a request
Waking up in 0.9 seconds.
Thread 4 got semaphore
Thread 4 handling request 26, (6 handled so far)
# Executing section authorize from file
/usr/share/ii/wifiproxy/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "levsky", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 2 length 143
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 133
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0080], ClientHello
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 06b2], Certificate
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client
certificate A
[ttls]     TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Finished request 26.
Going to the next request
Thread 4 waiting to be assigned a request
Waking up in 0.9 seconds.
Thread 2 got semaphore
Thread 2 handling request 27, (6 handled so far)
# Executing section authorize from file
/usr/share/ii/wifiproxy/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "levsky", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Finished request 27.
Going to the next request
Thread 2 waiting to be assigned a request
Waking up in 0.9 seconds.
Thread 5 got semaphore
Thread 5 handling request 28, (6 handled so far)
# Executing section authorize from file
/usr/share/ii/wifiproxy/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "levsky", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 4 length 253
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 326
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Finished request 28.
Going to the next request
Thread 5 waiting to be assigned a request
Waking up in 0.8 seconds.
Thread 1 got semaphore
Thread 1 handling request 29, (7 handled so far)
# Executing section authorize from file
/usr/share/ii/wifiproxy/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "levsky", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 5 length 63
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 53
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled identity of levsky
[ttls] Setting default EAP type for tunneled EAP session.
# Executing section authorize from file
/usr/share/ii/wifiproxy/sites-enabled/ttls-proxy
+group authorize {
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Tunnel-Type = VLAN
rlm_perl: Added pair Called-Station-Id = 34dbfd24e9e0:iiNet Customer DEV
rlm_perl: Added pair Airespace-Wlan-Id = 155
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Location-Capable = Civix-Location
rlm_perl: Added pair II-Proxy-Realm = IIRADIUS
rlm_perl: Added pair NAS-IP-Address = 10.13.6.8
rlm_perl: Added pair Tunnel-Private-Group-Id = 151
rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
rlm_perl: Added pair Calling-Station-Id = f0f61c739670
rlm_perl: Added pair Cisco-AVPair =
audit-session-id=0a19d7cb0005280162131656
rlm_perl: Added pair User-Name = levsky
rlm_perl: Added pair NAS-Identifier = wlc1.per3
rlm_perl: Added pair Chargeable-User-Identity =
rlm_perl: Added pair EAP-Message = 0x0200000b016c6576736b79
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1300
rlm_perl: Added pair EAP-Type = MD5-Challenge
++[perl-innertunnels] = ok
++update control {
expand: %{II-Proxy-Realm} -> IIRADIUS
++} # update control = noop
+} # group authorize = ok
[ttls] Tunneled authentication will be proxied to IIRADIUS
[eap]   Tunneled session will be proxied.  Not doing EAP.
++[eap] = handled
+} # group authenticate = handled
  WARNING: Empty pre-proxy section.  Using default return values.
Proxying request 29 to home server 10.10.24.1 port 1645
Going to the next request
Thread 1 waiting to be assigned a request
Waking up in 0.8 seconds.
Thread 3 got semaphore
Thread 3 handling request 29, (7 handled so far)
# Executing section post-proxy from file
/usr/share/ii/wifiproxy/sites-enabled/default
+group post-proxy {
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
[eap] Got tunneled Access-Reject
[eap] Reply was rejected
[eap] Failed in post-proxy callback
rlm_eap_ttls: Freeing handler for user levsky
++[eap] = reject
+} # group post-proxy = reject
Login incorrect (Home Server says so): [levsky/<via Auth-Type = EAP>] (from
client wlc1.per3 port 1 cli f0f61c739670)
Using Post-Auth-Type Reject
# Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]  expand: %{User-Name} -> levsky
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 29 for 1 seconds
Going to the next request
Thread 3 waiting to be assigned a request
Sending delayed reject for request 29
Cleaning up request 23 ID 117 with timestamp +47
Waking up in 1.7 seconds.
Cleaning up request 24 ID 119 with timestamp +49
Waking up in 2.0 seconds.
Waking up in 0.9 seconds

On 9 October 2015 at 21:16, Alan DeKok <aland at deployingradius.com> wrote:

> On Oct 8, 2015, at 11:12 PM, Mark Haselden <levsky at gmail.com> wrote:
> > What I'm not getting is how come this isn't converting to straight
> MSCHAPV2
> > in the inner server definition.  We have the eap directive in both
> > post-proxy and authenticate stanzas defined for the server
> > (perl-innertunnels is just a quick bit of perl to set the correct realm
> > based on username)
>
>   OK.
>
> > Our inner tunnel server looks like:
>
>   No...
>
> > But what gets proxied to the (radiator) home servers looks like
>
>   And no...
>
>   Please post the debug output of *FreeRADIUS*, as suggested in the FAQ,
> "man" page, web pages, and daily on this list.  We need to see what's going
> on, and *why* it's happening.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
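To make a trace like the one above easier to read, here is an added example script (not from this thread and not part of FreeRADIUS) that summarises a FreeRADIUS 2.x `-X` debug log per request: which outer EAP method ran, the TLS handshake messages in order and the TLS version they carried, the tunneled identity, the inner EAP-Type pair, where the tunneled session was proxied to, and the final outcome once the home server's reply came back through post-proxy. The embedded sample is a constructed excerpt of the lines quoted above; the `EAP-Type = ...` match relies on the rlm_perl pair dump that this particular setup prints, so treat that field as an assumption rather than something every debug log will contain.

```python
"""Summarise a FreeRADIUS 2.x debug log per request (added example, not project code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt of the debug output quoted in the thread above.
SAMPLE_DEBUG = """\
Thread 4 handling request 26, (6 handled so far)
[eap] EAP packet type response id 2 length 143
[eap] processing type ttls
[ttls] <<< TLS 1.0 Handshake [length 0080], ClientHello
[ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[ttls] >>> TLS 1.0 Handshake [length 06b2], Certificate
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
+} # group authenticate = handled
Thread 5 handling request 28, (6 handled so far)
[eap] processing type ttls
[ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
SSL Connection Established
+} # group authenticate = handled
Thread 1 handling request 29, (7 handled so far)
[eap] processing type ttls
[ttls] Got tunneled identity of levsky
rlm_perl: Added pair EAP-Type = MD5-Challenge
[ttls] Tunneled authentication will be proxied to IIRADIUS
+} # group authenticate = handled
Proxying request 29 to home server 10.10.24.1 port 1645
Thread 3 handling request 29, (7 handled so far)
[eap] Got tunneled Access-Reject
+} # group post-proxy = reject
Login incorrect (Home Server says so): [levsky/<via Auth-Type = EAP>] (from client wlc1.per3 port 1 cli f0f61c739670)
"""


@dataclass
class RequestSummary:
    request: int
    outer_eap: str | None = None          # EAP method handled by the outer server (tls, ttls, ...)
    tls_version: str | None = None        # version string printed on the TLS handshake lines
    tls_messages: list[str] = field(default_factory=list)
    tunneled_identity: str | None = None
    inner_eap_type: str | None = None     # from an 'EAP-Type = ...' pair dump; assumed present
    proxied_to: str | None = None
    result: str | None = None


# Each pattern matches a line format that appears verbatim in the quoted debug output.
RE_HANDLING = re.compile(r"^Thread \d+ handling request (\d+),")
RE_EAP_TYPE = re.compile(r"^\[eap\] processing type (\w+)")
RE_TLS = re.compile(r"^\[\w+\] (<<<|>>>) TLS ([\d.]+) (\w+)(?: \[length [0-9a-f]+\])?(?:, (\w+))?")
RE_IDENTITY = re.compile(r"^\[ttls\] Got tunneled identity of (\S+)")
RE_INNER = re.compile(r"EAP-Type = (\S+)")
RE_PROXY = re.compile(r"^Proxying request (\d+) to home server (\S+) port (\d+)")
RE_GROUP = re.compile(r"^\+\} # group (authenticate|post-proxy) = (\w+)")
RE_HOME_REJECT = re.compile(r"^Login incorrect \(Home Server says so\)")


def parse_debug(text: str) -> dict[int, RequestSummary]:
    summaries: dict[int, RequestSummary] = {}
    cur: RequestSummary | None = None
    for line in text.splitlines():
        if m := RE_HANDLING.match(line):
            # The same request id is handled again when the proxy reply returns
            # (post-proxy), so merge into the existing summary rather than restart.
            rid = int(m.group(1))
            cur = summaries.setdefault(rid, RequestSummary(rid))
        elif cur is None:
            continue
        elif m := RE_EAP_TYPE.match(line):
            cur.outer_eap = m.group(1)
        elif m := RE_TLS.match(line):
            direction, version, kind, name = m.groups()
            cur.tls_version = version
            cur.tls_messages.append(f"{direction} {name or kind}")
        elif m := RE_IDENTITY.match(line):
            cur.tunneled_identity = m.group(1)
        elif m := RE_INNER.search(line):
            cur.inner_eap_type = m.group(1)
        elif m := RE_PROXY.match(line):
            rid = int(m.group(1))
            summaries.setdefault(rid, RequestSummary(rid)).proxied_to = f"{m.group(2)}:{m.group(3)}"
        elif m := RE_GROUP.match(line):
            cur.result = f"{m.group(1)}={m.group(2)}"
        elif RE_HOME_REJECT.match(line):
            cur.result = "rejected by home server"
    return summaries


def findings(summaries: dict[int, RequestSummary]) -> list[str]:
    """Points a reviewer of the trace would want surfaced."""
    notes = []
    for s in summaries.values():
        if s.tls_version in ("1.0", "1.1"):
            notes.append(f"request {s.request}: legacy TLS {s.tls_version} negotiated for the {s.outer_eap} tunnel")
        if s.proxied_to:
            notes.append(f"request {s.request}: tunneled identity {s.tunneled_identity!r} "
                         f"(inner EAP-Type {s.inner_eap_type}) proxied to {s.proxied_to}; outcome: {s.result}")
    return notes


if __name__ == "__main__":
    for note in findings(parse_debug(SAMPLE_DEBUG)):
        print(note)
```

Run against a full `radiusd -X` capture instead of the sample, the summary shows at a glance that the tunneled session was never authenticated locally but forwarded, with its inner EAP-Type, to the home server that returned the Access-Reject, which is the path the thread is trying to explain.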

