Hi!

[EMAIL PROTECTED] wrote:
Hi,

Tue Feb 12 23:45:21 2008 : Error: Warning: Found 2 auth-types on request for user '[EMAIL PROTECTED]'
Tue Feb 12 23:45:21 2008 : Debug:   rad_check_password: Auth-Type = Accept, 
accepting the user

whoah.  WinXP is very fussy (as should all EAP clients) about getting a proper
EAP return.  you seem to have thrown an 'Accept' straight back to the challenge
rather than let the EAP engine do its business.
config file or startup debug output please

The config file is the same as the default example proxy-inner-tunnel in the 2.0.2 release,
with only the realm name modified.
As I wrote before, the double Auth-Type was fixed by adding a post-proxy { eap }
section to proxy-inner-tunnel.

But authentication still fails to pass. Got the following error:

Thu Feb 14 16:42:06 2008 : Error: rlm_eap: No EAP session matching the State 
variable.
Thu Feb 14 16:42:06 2008 : Error: rlm_eap: Either EAP-request timed out OR 
EAP-response to an unknown EAP-request

It comes after the second authentication in the eap module, after passing the inner request
to the virtual server.

xsupplicant receives EAP-MSCHAPv2 Success and sends phase 2 success back to
FreeRADIUS:
-----------------
[AUTH TYPE] (EAP-MSCHAPv2) Success!
[AUTH TYPE] Server authentication check success!  Sending phase 2 success!
[AUTH TYPE] Unencrypted return frame :
000 | 1a 03                                           | ..
[AUTH TYPE] Encrypted return frame :
-----------------

FreeRADIUS debug output with failed authentication:

-----------------
rad_recv: Access-Request packet from host 192.168.2.3 port 8021, id=85, 
length=279
        Framed-MTU = 1466
        NAS-IP-Address = 192.168.2.3
        NAS-Identifier = "D-Link"
        User-Name = "[EMAIL PROTECTED]"
        Service-Type = Framed-User
        NAS-Port = 33
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "ether3_33"
        Called-Station-Id = "00-15-e9-b8-79-dd"
        Calling-Station-Id = "00-a9-40-0f-83-a5"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        State = 0x827a1bd58a710287540fbc1db46cf1a2
        EAP-Message = 0x020b005019001703010020a8e33063d77e6a2f489c6f5d9a12306c870537dc721149322bd85623235edda1170301002088aaf69e118a31b4eac9c0d7c106de95b51101eb9e1b0c70949645a855cc206c
        Message-Authenticator = 0x82efd03b0f271f621eb2677ebf3c5902
Thu Feb 14 16:42:06 2008 : Debug: +- entering group authorize
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: calling preprocess 
(rlm_preprocess) for request 9
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: returned from 
preprocess (rlm_preprocess) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[preprocess] returns ok
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: calling chap 
(rlm_chap) for request 9
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: returned from chap 
(rlm_chap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[chap] returns noop
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: calling mschap 
(rlm_mschap) for request 9
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: returned from mschap 
(rlm_mschap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[mschap] returns noop
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: calling suffix 
(rlm_realm) for request 9
Thu Feb 14 16:42:06 2008 : Debug:     rlm_realm: Looking up realm "mynet.net" for 
User-Name = "[EMAIL PROTECTED]"
Thu Feb 14 16:42:06 2008 : Debug:     rlm_realm: No such realm "mynet.net"
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: returned from suffix 
(rlm_realm) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[suffix] returns noop
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: calling eap (rlm_eap) 
for request 9
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap: EAP packet type response id 11 
length 80
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap: Continuing tunnel setup.
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authorize]: returned from eap 
(rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[eap] returns ok
Thu Feb 14 16:42:06 2008 : Debug:   rad_check_password:  Found Auth-Type EAP
Thu Feb 14 16:42:06 2008 : Debug: auth: type "EAP"
Thu Feb 14 16:42:06 2008 : Debug: +- entering group authenticate
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authenticate]: calling eap 
(rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap: Request found, released from the 
list
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap: EAP/peap
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap: processing type peap
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap_peap: Authenticate
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap_tls: processing TLS
Thu Feb 14 16:42:06 2008 : Debug:   eaptls_verify returned 7
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap_tls: Done initial handshake
Thu Feb 14 16:42:06 2008 : Debug:   eaptls_process returned 7
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap_peap: EAPTLS_OK
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap_peap: Session established.  
Decoding tunneled attributes.
  PEAP tunnel data in 0000: 1a 03
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap_peap: EAP type mschapv2
  PEAP: Got tunneled EAP-Message
        EAP-Message = 0x020b00061a03
Thu Feb 14 16:42:06 2008 : Debug:   PEAP: Setting User-Name to aaa
  PEAP: Sending tunneled request
        EAP-Message = 0x020b00061a03
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "aaa"
        State = 0xc858015dc9531b78fbe76e30aaba109e
        Framed-MTU = 1466
        NAS-IP-Address = 192.168.2.3
        NAS-Identifier = "D-Link"
        Service-Type = Framed-User
        NAS-Port = 33
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "ether3_33"
        Called-Station-Id = "00-15-e9-b8-79-dd"
        Calling-Station-Id = "00-a9-40-0f-83-a5"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
server proxy-inner-tunnel {
Thu Feb 14 16:42:06 2008 : Debug: +- entering group authorize
Thu Feb 14 16:42:06 2008 : Debug: ++[control] returns notfound
} # server proxy-inner-tunnel
  PEAP: Got tunneled reply RADIUS code 0
Thu Feb 14 16:42:06 2008 : Debug:   PEAP: Calling authenticate in order to 
initiate tunneled EAP session.
Thu Feb 14 16:42:06 2008 : Debug: +- entering group authenticate
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authenticate]: calling eap 
(rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Error: rlm_eap: No EAP session matching the State 
variable.
Thu Feb 14 16:42:06 2008 : Error: rlm_eap: Either EAP-request timed out OR 
EAP-response to an unknown EAP-request
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap: Failed in handler
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authenticate]: returned from eap 
(rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[eap] returns invalid
Thu Feb 14 16:42:06 2008 : Debug:   PEAP: Can't handle the return code 4
Thu Feb 14 16:42:06 2008 : Debug:  rlm_eap: Handler failed in EAP/peap
Thu Feb 14 16:42:06 2008 : Debug:   rlm_eap: Failed in EAP select
Thu Feb 14 16:42:06 2008 : Debug:   modsingle[authenticate]: returned from eap 
(rlm_eap) for request 9
Thu Feb 14 16:42:06 2008 : Debug: ++[eap] returns invalid
Thu Feb 14 16:42:06 2008 : Debug: auth: Failed to validate the user.
Thu Feb 14 16:42:06 2008 : Auth: Login incorrect: [EMAIL PROTECTED]/<via Auth-Type = EAP>] (from client sw-local port 33 cli 00-a9-40-0f-83-a5)
-----------------

--
Best wishes,
Dmitry Sergienko (SDA104-RIPE)
Trifle Co., Ltd.
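
For reading the EAP-Message values in the debug output above, a small decoder (an added example, not part of the original post or of FreeRADIUS): it parses the EAP header, the PEAP flags byte with the TLS record headers behind it, and the EAP-MSCHAPv2 opcode. The function names and lookup tables are this example's own; the two hex strings are copied from the log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
               23: "application_data"}

# Both values are copied from the debug output in the post above.
OUTER_HEX = ("0x020b005019001703010020a8e33063d77e6a2f489c6f5d9a12306c870537dc721149322bd85623235edda1170301002088aaf69e118a31b4eac9"
             "c0d7c106de95b51101eb9e1b0c70949645a855cc206c")
INNER_HEX = "0x020b00061a03"

def parse_tls_records(buf):
    """Walk TLS record headers; the payloads are ciphertext and stay opaque."""
    records = []
    while len(buf) >= 5:
        ctype, major, minor, rlen = struct.unpack("!BBBH", buf[:5])
        records.append({"type": TLS_CONTENT.get(ctype, ctype),
                        "version": (major, minor), "length": rlen,
                        "complete": len(buf) >= 5 + rlen})  # False for a fragment
        buf = buf[5 + rlen:]
    return records

def parse_eap(hex_value):
    """Decode one EAP-Message attribute value as printed by the server."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:          # only Request/Response carry a type
        etype, data = raw[4], raw[5:]
        pkt["type"] = EAP_TYPES.get(etype, etype)
        if etype == 26 and data:               # first data byte is the opcode
            pkt["opcode"] = MSCHAPV2_OPCODES.get(data[0], data[0])
        elif etype == 25 and data:             # flags byte, then TLS records
            pkt["flags"] = data[0]
            # 0x80 = a 4-byte TLS message length precedes the records
            body = data[5:] if data[0] & 0x80 else data[1:]
            pkt["tls_records"] = parse_tls_records(body)
    return pkt

if __name__ == "__main__":
    for name, value in (("outer", OUTER_HEX), ("tunnelled", INNER_HEX)):
        print(name, parse_eap(value))
```

On the log's values it reports the outer packet as a PEAP Response (id 11, 80 bytes) carrying two TLS application_data records, and the tunnelled packet as an EAP-MSCHAPv2 Response with opcode Success, matching the `1a 03` frame xsupplicant printed.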
