Freeradius PROXY: EAP-PEAP - TLS with NT-Password and Cleartext-Password

Andrei Antonelli andreirp at gmail.com
Thu Jun 28 20:15:25 CEST 2018


Hi, could someone help me with the example of my configuration below?

I have
*Client* <---> *Wireless Controller*: MYWLAN (802.1x EAP) <---> *Freeradius*.
AAA server setting in the controller with IP 192.168.100.3 (my internal freeradius).

Freeradius *Version 3.0.16 with Mysql*

*Two Freeradius servers: one HCRPP (internal) and CR (external)*
The radcheck attribute is *NT-Password* (HCRPP), and the user stored in the
database is without suffix.
*The radcheck attribute is Cleartext-Password for CR.*

*Freeradius HCRPP uses EAP 802.1x and CR uses PAP cleartext.*

*What I need is: when a user authenticates without a suffix or with the suffix
@hcrpp.com, use EAP-PEAP or TLS to authenticate against my local freeradius, and
if the suffix is @cr.net, proxy to 126.100.20.3 with a cleartext password.*

When I log in with a username and password *without suffix*, *it works*, but
when I log in with a *suffix* like testuser@hcrpp.com or testuser@cr.net I get
this error message:

suffix: Checking for suffix after "@"
(22) suffix: Looking up realm "hcrpp.com" for User-Name = "testuser@hcrpp.com"
(22) suffix: Found realm "hcrpp.com"
(22) suffix: Adding Realm = "hcrpp.com"
(22) suffix: Proxying request from user testuser@hcrpp.com to realm hcrpp.com
(22) suffix: Preparing to proxy authentication request to realm "hcrpp.com"
(22)       [suffix] = updated
(22)       update control {
(22)         &Proxy-To-Realm := "LOCAL"
(22)       } # update control = noop
(22) eap: Peer sent EAP Response (code 2) ID 6 length 81
(22) eap: No EAP Start, assuming it's an on-going EAP conversation
(22)       [eap] = updated
(22) sql: EXPAND %{User-Name}
(22) sql:    --> testuser@hcrpp.com
(22) sql: SQL-User-Name set to 'testuser@hcrpp.com'
rlm_sql (sql): Reserved connection (19)
(22) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(22) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser@hcrpp.com' ORDER BY id
(22) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser@hcrpp.com' ORDER BY id
(22) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(22) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'testuser@hcrpp.com' ORDER BY priority
(22) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testuser@hcrpp.com' ORDER BY priority
(22) sql: User not found in any groups
rlm_sql (sql): Released connection (19)
(22)       [sql] = notfound
(22)       [pap] = noop
(22)     } # authorize = updated
(22)   Found Auth-Type = eap
(22)   # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(22)     authenticate {
(22) eap: Expiring EAP session with state 0xa05ae720a05cfdb8
(22) eap: Finished EAP session with state 0xa05ae720a05cfdb8
(22) eap: Previous EAP request found for state 0xa05ae720a05cfdb8, released from the list
(22) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(22) eap: Calling submodule eap_mschapv2 to process data
(22) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(22) eap_mschapv2:   Auth-Type MS-CHAP {
*(22) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password*
*(22) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password*
(22) mschap: Creating challenge hash with username: testuser@hcrpp.com
(22) mschap: Client is using MS-CHAPv2
*(22) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication*
*(22) mschap: ERROR: MS-CHAP2-Response is incorrect*


*My config below*

*proxy.conf*
home_server HCRPP {
    type = auth+acct
    ipaddr = 192.168.100.3
    port = 1821
    secret = XXXX
    require_message_authenticator = yes
    response_window = 20
    zombie_period = 40
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
    max_outstanding = 65536
}

home_server CR {
    type = auth+acct
    ipaddr = 126.100.20.3
    port = 1812
    secret = XXXX
}

home_server_pool HCRPPOOL {
    type = fail-over
    home_server = HCRPP
}

home_server_pool CRPOOL {
    type = fail-over
    home_server = CR
}

realm hcrpp.com {
    auth_pool = HCRPPOOL
    strip
}
realm cr.net {
    auth_pool = CRPOOL
    nostrip
}

------------------------------------------

*mods-enabled/eap*

eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    md5 {
    }
    ...

    ttls {
        tls = tls-common
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }

    peap {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = no
        virtual_server = "inner-tunnel"
    }
}


*sites-enabled/default*
authorize {
    preprocess
    sql
    eap {
        ok = return
        updated = return
    }
    suffix
}

*sites-enabled/inner-tunnel*

authorize {
    suffix
    update control {
        &Proxy-To-Realm := "LOCAL"
    }
    eap {
        ok = return
    }
    sql
}


Thanks
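As an added illustration (not FreeRADIUS code and not part of the post), the model below follows a User-Name through the realm table from the proxy.conf above and shows which username the sql module ends up putting into the radcheck query, as the log's "SQL-User-Name set to 'testuser@hcrpp.com'" line shows. The two sql_user_name templates it compares are assumptions, since the post does not include mods-enabled/sql.

```python
# Added model (not FreeRADIUS code) of how the "suffix" realm module splits a
# User-Name and how the sql module's sql_user_name template then decides which
# username goes into the radcheck query.  The realm table is built from the
# proxy.conf in the post; the two sql_user_name templates are assumptions,
# since the post does not show mods-enabled/sql.

# realm name (rlm_realm matches case-insensitively) -> (auth_pool, strip?)
REALMS = {
    "hcrpp.com": ("HCRPPOOL", True),   # realm hcrpp.com { strip }
    "cr.net":    ("CRPOOL",   False),  # realm cr.net   { nostrip }
}

def suffix(user_name, realms=REALMS, delimiter="@"):
    """Attributes rlm_realm (format = suffix) adds for one User-Name.
    Returns {} when there is no delimiter or the realm is unknown (noop)."""
    if delimiter not in user_name:
        return {}
    user, _, realm = user_name.rpartition(delimiter)
    if realm.lower() not in realms:
        return {}
    attrs = {"Realm": realm, "Proxy-To-Realm": realm}
    if realms[realm.lower()][1]:            # "strip" -> keep the user part only
        attrs["Stripped-User-Name"] = user
    return attrs

def sql_lookup_key(user_name, attrs, prefer_stripped):
    """Username the sql module substitutes for '%{SQL-User-Name}'.
    prefer_stripped=False models  sql_user_name = "%{User-Name}"
    prefer_stripped=True  models  sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"
    """
    if prefer_stripped and "Stripped-User-Name" in attrs:
        return attrs["Stripped-User-Name"]
    return user_name

def route(user_name, inner_tunnel=False, prefer_stripped=False):
    """(destination, sql key) for one request.  inner_tunnel=True models the
    post's inner-tunnel authorize, where Proxy-To-Realm is forced to LOCAL."""
    attrs = suffix(user_name)
    dest = "LOCAL" if inner_tunnel else attrs.get("Proxy-To-Realm", "LOCAL")
    if dest != "LOCAL":
        dest = REALMS[dest.lower()][0]      # realm -> its home_server_pool
    return dest, sql_lookup_key(user_name, attrs, prefer_stripped)

if __name__ == "__main__":
    for name in ("testuser", "testuser@hcrpp.com", "testuser@cr.net"):
        print(f"{name:20} outer -> {route(name)[0]:9} "
              f"inner key (%{{User-Name}}): {route(name, True)[1]:20} "
              f"inner key (stripped template): {route(name, True, True)[1]}")
```

With the plain `%{User-Name}` template the inner-tunnel lookup key for testuser@hcrpp.com stays 'testuser@hcrpp.com', which is the value the log shows being queried against a radcheck table that stores the user without suffix.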

