Proxy problem when switching from version2 to version3
Alan DeKok
aland at deployingradius.com
Tue Jan 23 14:27:09 CET 2018
On Jan 23, 2018, at 8:13 AM, Bornemann, Hans <hans.bornemann at tu-dortmund.de> wrote:
>
> if you like, take a look to the debug output.
>
> first the failing proxy with version 3, then successful with version 2, proxy conf.
>
> anything more needed?
PLEASE FOLLOW THE DOCUMENTATION.
Honestly... everything says to use "freeradius -X". Can you explain why people keep using "-xxx"? Just... don't.
> ...
> Thu Jan 18 10:22:38 2018 : Debug: (1) eapoldca: Request is supposed to be proxied to Realm rtmobil. Not doing EAP.
That's telling.
> Thu Jan 18 10:22:38 2018 : Debug: (1) Proxying request to home server 129.217.197.132 port 1812 timeout 20.000000
> ...
> Thu Jan 18 10:22:38 2018 : Debug: (1) Sent Access-Request Id 189 from 0.0.0.0:48124 to 129.217.197.132:1812 length 336
> Thu Jan 18 10:22:38 2018 : Debug: (1) User-Name = "rtmobilnetz at rtmobil"
> Thu Jan 18 10:22:38 2018 : Debug: (1) Chargeable-User-Identity = 0x00
> Thu Jan 18 10:22:38 2018 : Debug: (1) Location-Capable = Civic-Location
> Thu Jan 18 10:22:38 2018 : Debug: (1) Calling-Station-Id = "3c-15-c2-e8-40-fe"
> Thu Jan 18 10:22:38 2018 : Debug: (1) Called-Station-Id = "6c-b2-ae-30-36-c0:ITMC-WPA2-STAGING"
> Thu Jan 18 10:22:38 2018 : Debug: (1) NAS-Port = 1
> Thu Jan 18 10:22:38 2018 : Debug: (1) Cisco-AVPair = "audit-session-id=81d9fbf2000000b85a60641b"
> Thu Jan 18 10:22:38 2018 : Debug: (1) Acct-Session-Id = "5a60641b/3c:15:c2:e8:40:fe/307"
> Thu Jan 18 10:22:38 2018 : Debug: (1) NAS-IP-Address = 129.217.251.242
> Thu Jan 18 10:22:38 2018 : Debug: (1) NAS-Identifier = "wlc-staging"
> Thu Jan 18 10:22:38 2018 : Debug: (1) Airespace-Wlan-Id = 8
> Thu Jan 18 10:22:38 2018 : Debug: (1) Service-Type = Framed-User
> Thu Jan 18 10:22:38 2018 : Debug: (1) Framed-MTU = 1300
> Thu Jan 18 10:22:38 2018 : Debug: (1) NAS-Port-Type = Wireless-802.11
> Thu Jan 18 10:22:38 2018 : Debug: (1) Tunnel-Type:0 = VLAN
> Thu Jan 18 10:22:38 2018 : Debug: (1) Tunnel-Medium-Type:0 = IEEE-802
> Thu Jan 18 10:22:38 2018 : Debug: (1) Tunnel-Private-Group-Id:0 = "3503"
> Thu Jan 18 10:22:38 2018 : Debug: (1) EAP-Message = 0x020200080319152b
That isn't an EAP NAK. It's just an empty PEAP ACK.
> Thu Jan 18 10:22:38 2018 : Debug: (1) State = 0x45300497000001370001020081d9c584000000000000000000000000000000100d436aee
> Thu Jan 18 10:22:38 2018 : Debug: (1) Message-Authenticator = 0x31a7b8a02c1f45acee5e637c48d8f20d
> Thu Jan 18 10:22:38 2018 : Debug: (1) Event-Timestamp = "Jan 18 2018 10:22:38 CET"
> Thu Jan 18 10:22:38 2018 : Debug: (1) Proxy-State = 0x3639
> Thu Jan 18 10:22:38 2018 : Debug: Waking up in 0.3 seconds.
> Thu Jan 18 10:22:38 2018 : Debug: (1) Clearing existing &reply: attributes
> Thu Jan 18 10:22:38 2018 : Debug: (1) Received Access-Reject Id 189 from 129.217.197.132:1812 to 129.217.131.207:48124 length 48
Well, the home server is rejecting the packet. There isn't much you can do to FreeRADIUS to fix that.
> Debug freeradius 2 - proxy to home server - ok
> ...
> Thu Jan 18 10:08:43 2018 : Info: [eap_wlan] EAP packet type response id 2 length 161
> Thu Jan 18 10:08:43 2018 : Info: [eap_wlan] Continuing tunnel setup.
> Thu Jan 18 10:08:43 2018 : Info: ++[eap_wlan] = ok
> Thu Jan 18 10:08:43 2018 : Info: +} # group authorize = ok
> Thu Jan 18 10:08:43 2018 : Info: Found Auth-Type = eap_wlan
> Thu Jan 18 10:08:43 2018 : Info: # Executing group from file /etc/freeradius/sites-enabled/itmc-wlan
> Thu Jan 18 10:08:43 2018 : Info: +group authenticate {
> Thu Jan 18 10:08:43 2018 : Info: [eap_wlan] Request found, released from the list
> Thu Jan 18 10:08:43 2018 : Info: [eap_wlan] EAP/peap
> Thu Jan 18 10:08:43 2018 : Info: [eap_wlan] processing type peap
> Thu Jan 18 10:08:43 2018 : Info: [peap] processing EAP-TLS
Uh... you do realize that v2 isn't proxying the packets, right? It's doing PEAP itself.
i.e. the two systems are configured to do different things. Which sort of explains why they're behaving differently.
>
> Thu Jan 18 10:08:43 2018 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/inner-wlan-peap
> Thu Jan 18 10:08:43 2018 : Info: +group authorize {
> Thu Jan 18 10:08:43 2018 : Info: ++[preprocess] = ok
> Thu Jan 18 10:08:43 2018 : Info: [suffix] Looking up realm "rtmobil" for User-Name = "rtmobilnetz at rtmobil"
> Thu Jan 18 10:08:43 2018 : Info: [suffix] Found realm "rtmobil"
> Thu Jan 18 10:08:43 2018 : Info: [suffix] Adding Realm = "rtmobil"
> Thu Jan 18 10:08:43 2018 : Info: [suffix] Proxying request from user rtmobilnetz to realm rtmobil
> Thu Jan 18 10:08:43 2018 : Info: [suffix] Preparing to proxy authentication request to realm "rtmobil"
In v2, you're proxying the *inner* authentication data to the home server. In v3, you're proxying the *outer* data. i.e. all of PEAP.
This would have been a WHOLE lot easier to see without the utterly useless extra debugging.
> Proxy config
Which was never asked for.
So.. you've configured the systems to do two different things. As a result, they behave differently.
If you want to make v3 behave like v2, you have to configure v3 with the same / similar configuration as v2. This means understanding what the v2 system does, and why. And then making v3 do the same thing.
Alan DeKok.
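Added illustration of the difference Alan points out; this is not the poster's configuration and does not appear anywhere in the thread. In FreeRADIUS v3 the shipped sites-enabled/default runs "suffix" in the outer authorize section before "eap", so a User-Name carrying a known realm is proxied whole, PEAP tunnel included, which is exactly what the first debug output shows ("Request is supposed to be proxied to Realm rtmobil. Not doing EAP."). To get the v2 behaviour instead (terminate PEAP locally, proxy only the inner identity), the outer request has to be kept local and the realm lookup has to do its proxying inside inner-tunnel. The realm name and home server address are taken from the debug output; the home_server and pool names, the shared secret and the section layout are assumptions.

```unlang
# proxy.conf -- assumed home server name; the secret is a placeholder
home_server rtmobil_home {
    type   = auth
    ipaddr = 129.217.197.132      # address seen in the v3 debug output
    port   = 1812
    secret = CHANGE_ME_PLACEHOLDER
}

home_server_pool rtmobil_pool {
    type        = fail-over
    home_server = rtmobil_home
}

realm rtmobil {
    auth_pool = rtmobil_pool
}

# sites-enabled/default -- outer (PEAP) server, authorize section
authorize {
    preprocess
    suffix                      # finds realm "rtmobil", sets control:Proxy-To-Realm
    # Override the realm decision so the OUTER request stays local and the
    # eap module terminates PEAP here instead of forwarding the whole tunnel.
    update control {
        &Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
}

# sites-enabled/inner-tunnel -- authorize section for the decrypted inner request
authorize {
    suffix                      # same realm lookup, now on the inner User-Name
    # The stock inner-tunnel file follows "suffix" with
    #     update control { &Proxy-To-Realm := LOCAL }
    # That line is deliberately left out here so the INNER request is
    # proxied to the realm's home server, which is what the v2 log shows.
    eap {
        ok = return
    }
}
```

With this layout the proxied packet contains only the inner identity and inner EAP exchange, so the home server must be able to answer that exchange on its own; whether it does is a question for that server, as the Access-Reject in the v3 log came from it and not from the proxy. Running with "freeradius -X" after the change shows which of the two virtual servers decides to proxy.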