FR3.x - EAP proxy - EAP-TLS to MS NPS trouble
Kylián Martin
kylianm at plzen.eu
Wed Jun 28 11:07:10 CEST 2017
Hi to everybody,
I use freeradius for mac authentication bypass and as proxy for EAP. Specifically, an EAP-TLS that is routed to one of the MS NPS servers.
I run the production environment on debian8 and FreeRadius 2.2.5, where everything works as it should.
There is a problem I cannot solve on the FreeRadius 3.0.12 (deb9) test server.
After forwarding the access-request to the AD server, the request is not processed on the MS NPS server (w2012r2):
Reason Code: 3
Reason: The RADIUS Request message that the Network Policy Server received from the network access server was malformed.
NPS discards this request and does not respond.
When I look at the access-request with wireshark, I do not see any problem. (The Message-Authenticator that FreeRadius sends to NPS differs from the one sent by the client, and a Proxy-State is added.)
The same configuration with FR2.2.5 is parsed on NPS and is responded.
Is there something I've overlooked when migrating to FR3? Is anyone running a similar configuration? Am I doing something wrong?
Thank you for any help
Log:
(2) Received Access-Request Id 27 from 192.168.59.80:1645 to 172.31.12.100:1812 length 340
(2) User-Name = "host/NB106484.example-edu.cz"
(2) Service-Type = Framed-User
(2) Framed-MTU = 1500
(2) Called-Station-Id = "28-34-A2-F0-7F-83"
(2) Calling-Station-Id = "28-92-4A-25-56-CC"
(2) EAP-Message = 0x020200710d800000006716030100620100005e03015953650a19b07c0ab643096685c9141950ad6c79abf54fa72736f856abd72b9900001cc014c013003900330035002fc00ac00900380032000a00130005000401000019000a0006000400170018000b0002010000170000ff01000100
(2) Message-Authenticator = 0xbfcf629e3a34b88c37d824ec7358e314
(2) NAS-Port-Type = Ethernet
(2) NAS-Port = 50003
(2) NAS-Port-Id = "FastEthernet0/3"
(2) State = 0x540106e70000013700011700fe800000000000002114a20fdc26eb140000000448ff01e5
(2) NAS-IP-Address = 192.168.59.80
(2) NAS-Identifier = "d4-cat2960-sw-132-2.net.sitmp.cz"
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
(2) [sql] = notfound
(2) if (!EAP-Message) {
(2) if (!EAP-Message) -> FALSE
(2) else {
(2) if ("%{User-Name}" =~ /\.example-edu\.cz$/) {
(2) EXPAND %{User-Name}
(2) --> host/NB106484.example-edu.cz
(2) if ("%{User-Name}" =~ /\.example-edu\.cz$/) -> TRUE
(2) if ("%{User-Name}" =~ /\.example-edu\.cz$/) {
(2) update control {
(2) Proxy-To-Realm := 'EXAMPLE-EDU'
(2) } # update control = noop
(2) } # if ("%{User-Name}" =~ /\.example-edu\.cz$/) = noop
(2) ... skipping elsif: Preceding "if" was taken
(2) ... skipping elsif: Preceding "if" was taken
(2) ... skipping else: Preceding "if" was taken
(2) eap: Request is supposed to be proxied to Realm EXAMPLE-EDU. Not doing EAP.
(2) [eap] = noop
(2) } # else = noop
(2) } # authorize = noop
(2) Starting proxy to home server 172.31.12.14 port 1812
(2) Proxying request to home server 172.31.12.14 port 1812 timeout 20.000000
(2) Sent Access-Request Id 243 from 0.0.0.0:59582 to 172.31.12.14:1812 length 342
(2) User-Name = "host/NB106484.example-edu.cz"
(2) Service-Type = Framed-User
(2) Framed-MTU = 1500
(2) Called-Station-Id = "28-34-A2-F0-7F-83"
(2) Calling-Station-Id = "28-92-4A-25-56-CC"
(2) EAP-Message = 0x020200710d800000006716030100620100005e03015953650a19b07c0ab643096685c9141950ad6c79abf54fa72736f856abd72b9900001cc014c013003900330035002fc00ac00900380032000a00130005000401000019000a0006000400170018000b0002010000170000ff01000100
(2) Message-Authenticator = 0xbfcf629e3a34b88c37d824ec7358e314
(2) NAS-Port-Type = Ethernet
(2) NAS-Port = 50003
(2) NAS-Port-Id = "FastEthernet0/3"
(2) State = 0x540106e70000013700011700fe800000000000002114a20fdc26eb140000000448ff01e5
(2) NAS-IP-Address = 192.168.59.80
(2) NAS-Identifier = "d4-cat2960-sw-132-2.net.example.cz"
(2) Proxy-State = 0x3237
Waking up in 0.3 seconds.
(2) Expecting proxy response no later than 19.671053 seconds from now
NPS receives (and discards for an unknown reason):
RADIUS Protocol
Code: Access-Request (1)
Packet identifier: 0xf3 (243)
Length: 342
Authenticator: 0e4c4171a7c216d63ea6c394e98175bd
Attribute Value Pairs
AVP: l=28 t=User-Name(1): host/NB106484.plzen-edu.cz
AVP: l=6 t=Service-Type(6): Framed(2)
AVP: l=6 t=Framed-MTU(12): 1500
AVP: l=19 t=Called-Station-Id(30): 28-34-A2-F0-7F-83
AVP: l=19 t=Calling-Station-Id(31): 28-92-4A-25-56-CC
AVP: l=115 t=EAP-Message(79) Last Segment[1]
AVP Type: 79
AVP Length: 115
EAP fragment: 020200710d800000006716030100620100005e0301595365...
Extensible Authentication Protocol
AVP: l=18 t=Message-Authenticator(80): b2b9f1cf1e3ab216e63a949451ba2c69
AVP: l=6 t=NAS-Port-Type(61): Ethernet(15)
AVP: l=6 t=NAS-Port(5): 50003
AVP: l=17 t=NAS-Port-Id(87): FastEthernet0/3
AVP: l=38 t=State(24): 540106e70000013700011700fe800000000000002114a20f...
AVP: l=6 t=NAS-IP-Address(4): 192.168.59.80
AVP: l=34 t=NAS-Identifier(32): d4-cat2960-sw-132-2.net.sitmp.cz
AVP: l=4 t=Proxy-State(33): 3237
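As an added example (not code from the post, FreeRADIUS or NPS), this reproduces the two things the capture above shows the proxy doing, appending Proxy-State and recomputing Message-Authenticator under the home-server secret, and adds a verifier that checks a captured Access-Request's Message-Authenticator against a candidate secret (RFC 2869 s5.14), so one can tell whether a forwarded packet validates under the secret the home server is expected to use. Secrets, the zero Request Authenticator and the truncated EAP payload are constructed placeholders.

```python
import hashlib
import hmac

T_USER_NAME, T_NAS_IP, T_PROXY_STATE, T_EAP_MESSAGE, T_MSG_AUTH = 1, 4, 33, 79, 80  # RFC 2865/2869 types

def avp(attr_type, value):  # one RADIUS attribute: Type(1) Length(1) Value
    return bytes([attr_type, len(value) + 2]) + value

def find_message_authenticator(packet):
    """Offset of the 16-byte Message-Authenticator value, or None; rejects bad attribute lengths."""
    pos = 20
    while pos + 2 <= len(packet):
        t, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        if t == T_MSG_AUTH and alen == 18:
            return pos + 2
        pos += alen
    return None

def sign(packet, secret):
    """Message-Authenticator = HMAC-MD5(secret, packet with the MA value zeroed), RFC 2869 s5.14."""
    off = find_message_authenticator(packet)
    if off is None:
        raise ValueError("Access-Request carrying EAP-Message must include Message-Authenticator")
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    return zeroed[:off] + hmac.new(secret, zeroed, hashlib.md5).digest() + zeroed[off + 16:]

def verify_message_authenticator(packet, secret):
    """True only if the MA validates under this secret: a mismatch means wrong secret or tampering."""
    off = find_message_authenticator(packet)
    return off is not None and hmac.compare_digest(sign(packet, secret), packet)

def build_access_request(pkt_id, authenticator, attrs, nas_secret):
    """NAS side: Code=1, Id, Length, Request Authenticator, AVPs, MA signed with the NAS<->proxy secret."""
    body = b"".join(avp(t, v) for t, v in attrs) + avp(T_MSG_AUTH, bytes(16))
    header = bytes([1, pkt_id]) + (20 + len(body)).to_bytes(2, "big") + authenticator
    return sign(header + body, nas_secret)

def proxy_rewrite(packet, home_secret, proxy_state):
    """Proxy side: append Proxy-State (RFC 2865 s5.33), fix Length, re-sign with the home-server secret."""
    grown = packet + avp(T_PROXY_STATE, proxy_state)
    return sign(grown[:2] + len(grown).to_bytes(2, "big") + grown[4:], home_secret)

def demo():
    """Constructed sample: made-up secrets, zero Request Authenticator, truncated EAP payload."""
    attrs = [(T_USER_NAME, b"host/NB106484.example-edu.cz"), (T_EAP_MESSAGE, bytes.fromhex("020200710d80")),
             (T_NAS_IP, bytes([192, 168, 59, 80]))]
    original = build_access_request(27, bytes(16), attrs, b"nas-secret-demo")
    return original, proxy_rewrite(original, b"nps-secret-demo", b"27")  # Id 27 -> Proxy-State "27"
```

To check a real capture, feed the raw UDP payload of the proxied packet to verify_message_authenticator together with the secret configured for the home server; the 4-byte length growth and the changed MA seen in the post (340 to 342, Proxy-State 0x3237) are exactly what proxy_rewrite produces.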