Proxy to realm after EAP-TTLS authentication

Mesut Ozturk mesut at nevotek.com
Mon Nov 23 14:44:40 CET 2020


Hello,

I desperately need your help. I am a noob with FreeRADIUS, so please guide me on what I am doing wrong.

My point is using FreeRADIUS as a proxy. Because we already have a PAP-supporting RADIUS server, I want to do the EAP auth part on FreeRADIUS and then proxy the Access-Request to our own RADIUS. We are trying 802.1X authentication.

According to my readings, I did the steps below:

1. Edit clients.conf so my mobile devices can access FreeRADIUS

client nevotek {
        ipaddr          = 213.74.143.140
        secret          = testing1234
}

2. Add a home_server in proxy.conf

home_server IAS {
        ipaddr = 192.168.0.252
        port = 1812
        type = "auth"
        secret = "secret"
        response_window = 20
        max_outstanding = 65536
}

home_server_pool jack_pool {
        type = fail-over
        home_server = IAS
}

realm nevotek {
        auth_pool = jack_pool
        # nostrip: forward the User-Name to the home server with the realm kept
        nostrip
}

3. Edit eap.conf

        default_eap_type = ttls

and in the ttls section:

ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = no
        virtual_server = "proxy-inner-tunnel"
}

4. Prepared the proxy config soft link for sites-enabled and added nevotek in proxy-inner-tunnel:

server proxy-inner-tunnel {
        authorize {
                update control {
                        Proxy-To-Realm := "nevotek"
                }
        }

        authenticate {
                eap
        }

        post-proxy {
                eap
        }
}

5. Disabled the "suffix" part in sites-enabled/default

But no chance. Also, Android and iOS devices behave differently.

Here is the output of the iOS device:

(2) Received Access-Request Id 216 from 213.74.143.148:19733 to 10.0.0.4:1812 length 311
(2)   User-Name = "iosuser2@nevotek.com"
(2)   Chargeable-User-Identity = 0x00
(2)   Operator-Name = "1nevotek.com"
(2)   Location-Capable = Civic-Location
(2)   Calling-Station-Id = "74-8d-08-b1-f2-17"
(2)   Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(2)   NAS-Port = 4
(2)   Cisco-AVPair = "audit-session-id=0a0102e1000001205fbba08c"
(2)   Acct-Session-Id = "5fbba08c/74:8d:08:b1:f2:17/352"
(2)   NAS-IP-Address = 10.1.2.225
(2)   NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(2)   Airespace-Wlan-Id = 7
(2)   Service-Type = Framed-User
(2)   Framed-MTU = 1300
(2)   NAS-Port-Type = Wireless-802.11
(2)   EAP-Message = 0x020300061500
(2)   State = 0xca8e79cacb8d6ce3fd1d37ee8f32d170
(2)   Message-Authenticator = 0xc7b01c5b471b2eb70578f1dc7ed6e7ea
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0xca8e79cacb8d6ce3
(2) eap: Finished EAP session with state 0xca8e79cacb8d6ce3
(2) eap: Previous EAP request found for state 0xca8e79cacb8d6ce3, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 336
(2) eap: EAP session adding &reply:State = 0xca8e79cac88a6ce3
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 216 from 10.0.0.4:1812 to 213.74.143.148:19733 length 0
(2)   EAP-Message = 0x01040150158000000528d123b84f84592a0a7ccb12b23ec09a0c025464d3f258d5090bffa282b17870910449329f906380b0b4340ef2b6a1dc73e72d35763148b65bfc0401010038af8b17d95590598994e5ec35c96642e3e8fce291173f61b7e1ca06aa4b749dd3f2bbe12175a964524311069490e0f6
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xca8e79cac88a6ce3fd1d37ee8f32d170
(2) Finished request

And here is the output of the Android device:

(2) Received Access-Request Id 59 from 213.74.143.148:38031 to 10.0.0.4:1812 length 312
(2)   User-Name = "anonymous@nevotek.com"
(2)   Chargeable-User-Identity = 0x00
(2)   Operator-Name = "1nevotek.com"
(2)   Location-Capable = Civic-Location
(2)   Calling-Station-Id = "04-b1-a1-53-4d-1e"
(2)   Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(2)   NAS-Port = 4
(2)   Cisco-AVPair = "audit-session-id=0a0102e1000001275fbbbb17"
(2)   Acct-Session-Id = "5fbbbb17/04:b1:a1:53:4d:1e/359"
(2)   NAS-IP-Address = 10.1.2.225
(2)   NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(2)   Airespace-Wlan-Id = 7
(2)   Service-Type = Framed-User
(2)   Framed-MTU = 1300
(2)   NAS-Port-Type = Wireless-802.11
(2)   EAP-Message = 0x020300061500
(2)   State = 0xd875f9c9d976ec270910ae6415adb475
(2)   Message-Authenticator = 0xe92ebb9e5e7641c5515a25ae2ee50929
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0xd875f9c9d976ec27
(2) eap: Finished EAP session with state 0xd875f9c9d976ec27
(2) eap: Previous EAP request found for state 0xd875f9c9d976ec27, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 336
(2) eap: EAP session adding &reply:State = 0xd875f9c9da71ec27
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 59 from 10.0.0.4:1812 to 213.74.143.148:38031 length 0
(2)   EAP-Message = 0x01040150158000000528a2e03207e6a1163699a1cff7af74692beaafff15b2a3033c4d0238dd7014db04f7f40d669da91832dd39bbdbfca1bdb456f26f4a981b5a820108040100b7a20cf24aad9d35b94575b849f9e8ef528d1b13e7caea59f3cc578845763a601b7fceb8ffda9d989423730b5ea4c0f3
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xd875f9c9da71ec270910ae6415adb475
(2) Finished request
Waking up in 4.3 seconds.
(3) Received Access-Request Id 60 from 213.74.143.148:38031 to 10.0.0.4:1812 length 319
(3)   User-Name = "anonymous@nevotek.com"
(3)   Chargeable-User-Identity = 0x00
(3)   Operator-Name = "1nevotek.com"
(3)   Location-Capable = Civic-Location
(3)   Calling-Station-Id = "04-b1-a1-53-4d-1e"
(3)   Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(3)   NAS-Port = 4
(3)   Cisco-AVPair = "audit-session-id=0a0102e1000001275fbbbb17"
(3)   Acct-Session-Id = "5fbbbb17/04:b1:a1:53:4d:1e/359"
(3)   NAS-IP-Address = 10.1.2.225
(3)   NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(3)   Airespace-Wlan-Id = 7
(3)   Service-Type = Framed-User
(3)   Framed-MTU = 1300
(3)   NAS-Port-Type = Wireless-802.11
(3)   EAP-Message = 0x0204000d150015030300020230
(3)   State = 0xd875f9c9da71ec270910ae6415adb475
(3)   Message-Authenticator = 0xbd27e9cbdb496b0f8072580915cabc5d
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) eap: Peer sent EAP Response (code 2) ID 4 length 13
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0xd875f9c9da71ec27
(3) eap: Finished EAP session with state 0xd875f9c9da71ec27
(3) eap: Previous EAP request found for state 0xd875f9c9da71ec27, released from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: [eaptls verify] = ok
(3) eap_ttls: Done initial handshake
(3) eap_ttls: <<< recv TLS 1.2  [length 0002]
(3) eap_ttls: ERROR: TLS Alert read:fatal:unknown CA
(3) eap_ttls: TLS_accept: Need to read more data: error
(3) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(3) eap_ttls: In SSL Handshake Phase
(3) eap_ttls: In SSL Accept mode
(3) eap_ttls: SSL Application Data
(3) eap_ttls: ERROR: TLS failed during operation
(3) eap_ttls: ERROR: [eaptls process] = fail
(3) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
(3) eap: Sending EAP Failure (code 4) ID 4 length 4
(3) eap: Failed in EAP select
(3)     [eap] = invalid
(3)   } # authenticate = invalid
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   Post-Auth-Type REJECT {
(3) attr_filter.access_reject: EXPAND %{User-Name}
(3) attr_filter.access_reject:    --> anonymous@nevotek.com
(3) attr_filter.access_reject: Matched entry DEFAULT at line 11
(3)     [attr_filter.access_reject] = updated
(3)     [eap] = noop
(3)     policy remove_reply_message_if_eap {
(3)       if (&reply:EAP-Message && &reply:Reply-Message) {
(3)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(3)       else {
(3)         [noop] = noop
(3)       } # else = noop
(3)     } # policy remove_reply_message_if_eap = noop
(3)   } # Post-Auth-Type REJECT = updated
(3) Delaying response for 1.000000 seconds Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(3) Sending delayed response
(3) Sent Access-Reject Id 60 from 10.0.0.4:1812 to 213.74.143.148:38031 length 44
(3)   EAP-Message = 0x04040004
(3)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.1 seconds.
(0) Cleaning up request packet ID 57 with timestamp +25 Waking up in 0.2 seconds.
(1) Cleaning up request packet ID 58 with timestamp +26 Waking up in 0.3 seconds.
(2) Cleaning up request packet ID 59 with timestamp +26 Waking up in 0.2 seconds.
(3) Cleaning up request packet ID 60 with timestamp +26

Regards.

Mesut Ozturk
R&D Senior Developer
P: +902122867576        E: mesut at nevotek.com
F: +902122867476        W: www.nevotek.com
Santa Clara-CA, USA | Istanbul, TURKEY | Dubai, UAE
www.nevotek.com
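Added example (not part of the post above and not FreeRADIUS code): a small Python decoder for the EAP-Message hex values that radiusd -X prints, so the raw bytes in a trace like the one above can be read without guessing. It follows the EAP header layout (RFC 3748), the EAP-TTLS flag byte (RFC 5281) and the TLS alert record format (RFC 5246). The sample lines are constructed from the three short EAP-Message values in the Android trace; the decoder shows that the peer's final response (0x0204000d150015030300020230) carries a TLS alert record, level fatal, description unknown_ca (48), which is the same event FreeRADIUS reports as "TLS Alert read:fatal:unknown CA". Standard library only; no third-party packages.

```python
"""Decoder for the EAP-Message hex values that radiusd -X prints.

Added example, not code from the mailing list post or from FreeRADIUS.
Layouts follow RFC 3748 (EAP header), RFC 5281 (EAP-TTLS flags) and
RFC 5246 section 7.2 (TLS alert level/description).  Standard library only.
"""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_ALERT_LEVEL = {1: "warning", 2: "fatal"}
# Subset of RFC 5246 alert descriptions that show up when a supplicant rejects a server certificate.
TLS_ALERT_DESC = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    49: "access_denied", 70: "protocol_version", 80: "internal_error", 90: "user_canceled",
}
# Matches debug lines such as "(3)   EAP-Message = 0x0204000d150015030300020230"
EAP_MESSAGE_RE = re.compile(r"^\((\d+)\)\s+EAP-Message = (0x[0-9a-fA-F]+)")


def hex_to_bytes(value):
    """Accept the 0x... form radiusd prints.  Long values are cut off in the
    debug output, so an odd trailing nibble is dropped instead of rejected."""
    value = value.strip()
    if value.lower().startswith("0x"):
        value = value[2:]
    return bytes.fromhex(value[: len(value) // 2 * 2])


def parse_tls_records(data):
    """Split data into TLS records.  Returns [] when data does not begin with a
    record header, which is the normal case for a mid-stream EAP-TTLS fragment."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major, minor = data[pos], data[pos + 1], data[pos + 2]
        rlen = int.from_bytes(data[pos + 3:pos + 5], "big")
        if ctype not in TLS_CONTENT or major != 3 or pos + 5 + rlen > len(data):
            break
        body = data[pos + 5:pos + 5 + rlen]
        rec = {"type": TLS_CONTENT[ctype], "version": "3.%d" % minor, "length": rlen}
        if ctype == 21 and rlen == 2:  # alert: one level byte, one description byte
            rec["alert"] = {"level": TLS_ALERT_LEVEL.get(body[0], str(body[0])),
                            "description": TLS_ALERT_DESC.get(body[1], "unknown(%d)" % body[1])}
        records.append(rec)
        pos += 5 + rlen
    return records


def decode_eap_message(hexstr):
    """Return a dict describing one EAP packet: code, id, length, and for
    EAP-TLS/TTLS/PEAP the flag bits, total TLS length and any TLS records."""
    pkt = hex_to_bytes(hexstr)
    if len(pkt) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    out = {"code": EAP_CODES.get(code, str(code)), "id": ident, "length": length,
           "truncated": len(pkt) < length}
    if code in (3, 4) or len(pkt) < 5:
        return out  # Success and Failure carry no Type byte
    etype = pkt[4]
    out["type"] = EAP_TYPES.get(etype, str(etype))
    if etype in (13, 21, 25) and len(pkt) >= 6:
        flags = pkt[5]
        out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        pos = 6
        if flags & 0x80 and len(pkt) >= 10:  # L bit: 4-byte total TLS message length follows
            out["tls_message_length"] = int.from_bytes(pkt[6:10], "big")
            pos = 10
        data = pkt[pos:]
        out["payload_bytes"] = len(data)
        out["tls_records"] = parse_tls_records(data)
        out["ack"] = flags == 0 and not data  # empty TTLS packet acknowledges a fragment
    return out


def summarize_debug(lines):
    """Walk radiusd -X output and return one (request number, summary) per EAP-Message."""
    summary = []
    for line in lines:
        m = EAP_MESSAGE_RE.match(line.strip())
        if not m:
            continue
        d = decode_eap_message(m.group(2))
        text = "EAP %s id %d" % (d["code"], d["id"])
        if "type" in d:
            text += " %s" % d["type"]
        if d.get("ack"):
            text += " (fragment ACK)"
        for rec in d.get("tls_records", []):
            if "alert" in rec:
                text += " TLS alert %s %s" % (rec["alert"]["level"], rec["alert"]["description"])
        summary.append((int(m.group(1)), text))
    return summary


# Constructed sample: the three short EAP-Message values from the Android trace above.
SAMPLE_LINES = [
    "(2)   EAP-Message = 0x020300061500",
    "(3)   EAP-Message = 0x0204000d150015030300020230",
    "(3)   EAP-Message = 0x04040004",
]

if __name__ == "__main__":
    for req, text in summarize_debug(SAMPLE_LINES):
        print("(%d) %s" % (req, text))
```

Reading the trace this way makes the order of events clear: request (2) is an empty EAP-TTLS packet, i.e. the phone acknowledging a server handshake fragment; request (3) is the phone sending a fatal unknown_ca alert, after which FreeRADIUS sends EAP Failure and Access-Reject. An alert that FreeRADIUS reads (rather than writes) comes from the supplicant, so the failure is the client declining the server certificate during the outer TLS handshake; the inner tunnel, and therefore the Proxy-To-Realm configuration, is never reached in this exchange.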

