Hi,
I'm having a strange problem with a modified rlm_eap_md5
module and proxying - apparently I'm missing some details
of the internal workings of FreeRADIUS, and now I don't understand
what's going on at all ...
I hacked rlm_eap_md5 to actually generate a fake request
containing FreeRADIUS-Proxied-To, Username, CHAP-Challenge
and CHAP-Response attributes and call "rad_authenticate"
with that fake request (following the example of EAP-TTLS).
This works fine, as long as I do everything on the FreeRADIUS
server.
However, the whole point of my modification was to be able to
proxy the generated CHAP request to some non-EAP-enabled RADIUS
server (similar to proxying inner PAP/CHAP/MSCHAP request of
EAP-TTLS to another server).
So I added something like
DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "myrealm"
to the users file.
The output of radiusd -X confirms that those lines do match the
requests as intended; however, for some reason, the "translated"
request never gets proxied to "myrealm". Any idea why not?
I'm attaching some output of radiusd -X which shows
1) a packet with FreeRADIUS-Proxied-To=127.0.0.1 generated by radclient
gets proxied as I would have expected.
2) an EAP packet generated by radeapclient gets "translated" in the way
I intended.
3) even though the output confirms that the translated request matches
the line telling it to get proxied to "myrealm", I get a
reject without any proxying actually happening.
Does somebody have an idea what might be going wrong?
Regards,
Stefan
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1645
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1645
Listening on accounting *:1646
Listening on proxy *:1648
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.5:33400, id=230, length=57
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test1"
User-Password = "test"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:
'/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20050127'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20050127
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched DEFAULT at 156
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
Sending Access-Request of id 0 to 192.168.1.24:1812
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test1"
User-Password = "test"
NAS-IP-Address = 192.168.1.5
Proxy-State = 0x323330
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 192.168.1.24:1812, id=0, length=25
Proxy-State = 0x323330
Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 0
modcall[post-proxy]: module "eap" returns noop for request 0
modcall: group post-proxy returns noop for request 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:
'/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20050127'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20050127
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Proxy reply, or no User-Name. Ignoring.
modcall[authorize]: module "suffix" returns noop for request 0
modcall[authorize]: module "eap" returns noop for request 0
users: Matched DEFAULT at 156
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [test1/test] (from client private-network-1 port 0)
Sending Access-Accept of id 230 to 192.168.1.5:33400
Finished request 0
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 230 with timestamp 41f90beb
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.1.5:33403, id=238, length=69
User-Name = "test1"
NAS-IP-Address = 192.168.1.5
Message-Authenticator = 0x92c01b59c1f0b38e5343e97d6d1e98d7
NAS-Port = 0
EAP-Message = 0x02d2000a017465737431
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat:
'/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20050127'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20050127
modcall[authorize]: module "auth_log" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "test1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 210 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched DEFAULT at 155
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm! Cancelling
invalid proxy request.
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
WARNING: Cancelling proxy to Realm LOCAL, as the realm is local.
Sending Access-Challenge of id 238 to 192.168.1.5:33403
EAP-Message = 0x01d300160410b3e4546b5fa54fbb85056f3fd655e4a1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x89965bc46345931e1eb0e4b4bd380499
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.5:33403, id=239, length=99
User-Name = "test1"
NAS-IP-Address = 192.168.1.5
Message-Authenticator = 0x5692ad9d36b45270edfec29ffd4b23e8
NAS-Port = 0
State = 0x89965bc46345931e1eb0e4b4bd380499
EAP-Message = 0x02d30016041021b019b351da3ec35a7527ed8bea2fb4
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
radius_xlat:
'/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20050127'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20050127
modcall[authorize]: module "auth_log" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "test1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 211 length 22
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched DEFAULT at 155
modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm! Cancelling
invalid proxy request.
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/md5
rlm_eap: processing type md5
EAP-MD5: Translating request
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-MD5: Sending translated request
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test1"
CHAP-Password = 0xd321b019b351da3ec35a7527ed8bea2fb4
CHAP-Challenge = 0xb3e4546b5fa54fbb85056f3fd655e4a1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
radius_xlat: '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20050127'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20050127
modcall[authorize]: module "auth_log" returns ok for request 2
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "test1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 2
users: Matched DEFAULT at 156
modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns ok for request 2
EAP-MD5: Got translated reply RADIUS code 0
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 2
modcall: group authenticate returns reject for request 2
auth: Failed to validate the user.
Login incorrect: [test1/<no User-Password attribute>] (from client
private-network-1 port 0)
Cancelling proxy as request was already rejected
Request 2 rejected in proxy_send.
Server rejecting request 2.
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.5:33403, id=239, length=99
Sending Access-Reject of id 239 to 192.168.1.5:33403
EAP-Message = 0x04d30004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 238 with timestamp 41f90bf6
Cleaning up request 2 ID 239 with timestamp 41f90bf6
Nothing to do. Sleeping until we see a request.
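As an added example (not from Stefan's post and not FreeRADIUS code), the Python below shows the EAP-MD5 to CHAP translation the modified module performs, parsed from the two EAP-Message values in the debug output above, plus the MD5 check rlm_chap has to do on the result; the secret used in the round-trip check is constructed.

```python
import hashlib

# Constructed from the debug output in the post: the EAP-MD5 Challenge the
# server sent in its Access-Challenge (id=238) and the EAP-MD5 Response the
# client returned in the Access-Request with id=239.
CHALLENGE_EAP_HEX = "01d300160410b3e4546b5fa54fbb85056f3fd655e4a1"
RESPONSE_EAP_HEX = "02d30016041021b019b351da3ec35a7527ed8bea2fb4"

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4


def parse_eap_md5(eap_hex):
    """Parse an EAP packet of type MD5-Challenge (RFC 3748 section 5.4).
    Returns (code, identifier, value); trailing Name octets are ignored."""
    pkt = bytes.fromhex(eap_hex)
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    if pkt[4] != EAP_TYPE_MD5:
        raise ValueError("not an EAP-MD5 packet")
    value_size = pkt[5]
    value = pkt[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("truncated MD5 value")
    return code, ident, value


def eap_md5_to_chap(challenge_eap_hex, response_eap_hex):
    """Build the CHAP attributes the modified rlm_eap_md5 puts into its fake
    request: CHAP-Challenge is the challenge value, CHAP-Password is the CHAP
    ident (the EAP identifier) followed by the 16-byte MD5 response."""
    c_code, c_id, challenge = parse_eap_md5(challenge_eap_hex)
    r_code, r_id, response = parse_eap_md5(response_eap_hex)
    if c_code != EAP_REQUEST or r_code != EAP_RESPONSE:
        raise ValueError("need one EAP Request and one EAP Response")
    if c_id != r_id:
        raise ValueError("response identifier does not match the challenge")
    return {"CHAP-Challenge": challenge, "CHAP-Password": bytes([r_id]) + response}


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP and EAP-MD5 both use MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(chap_password, secret, challenge):
    """What rlm_chap does with the translated request: it needs the cleartext
    password (users file or another store) to recompute and compare the digest."""
    ident, response = chap_password[0], chap_password[1:]
    return chap_response(ident, secret, challenge) == response
```

The verification step is the catch for proxying: whichever server ends up handling the CHAP-Password must hold the user's cleartext password, so a non-EAP home server only helps if it can perform that check itself.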