Hi Phil,

Sorry if this looks dumb to you.

I've read your post. The reason I explicitly asked how to do this in
PEAP is because the post says:
"This only works for PAP, and does NOT work for EAP-TLS, CHAP, *MSCHAP*, or
WIMAX authentication."

Now, I especially need to send Access-Accept for PEAP with inner
EAP-MSCHAPv2, and I also don't use MySQL to select the users.
I've also tried to set Access-Accept as any other AVP from my FreeRADIUS
module, but it doesn't work (extract from the log attached).

Can you please help?

Thanks in advance.
Andras

On 30/08/12 15:11, Andras Ionut wrote:
> Hi Phil,
>
> Thanks a lot for the quick response.
>
> I need this for PEAP with EAP protocol inside the tunnel, like EAP-MSCHAPv2.
>
> Again, the device MUST reject the connection as EAP is not completed,
> but the ROUTER needs that Access-Accept
> in order to be able to redirect the user to the portal.
>
> Can this be done?

The technique to do this is described in the FAQ entry I linked. Did you
read it?
node Name: Auth-Type Value: Accept
node Name: Session-Timeout Value: 100
node Name: Termination-Action Value: 1
node Name: Idle-Timeout Value: 180
node Name: WISPr-Bandwidth-Max-Up Value: 100000
node Name: WISPr-Bandwidth-Max-Down Value: 250000
node Name: Framed-Protocol Value: PPP
node Name: Reply-Message Value: OK
[test_mod]  INFO: Cleartext-Password set based on Mobif 
++[test_mod] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: [email protected]
[mschap] Told to do MS-CHAPv2 for [email protected] with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
        Auth-Type := Accept
        Session-Timeout := 100
        Termination-Action := RADIUS-Request
        Idle-Timeout := 180
        WISPr-Bandwidth-Max-Up := 100000
        WISPr-Bandwidth-Max-Down := 250000
        Framed-Protocol := PPP
        Reply-Message := "OK"
        MS-CHAP-Error = "\tE=691 R=1"
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        Auth-Type := Accept
        Session-Timeout := 100
        Termination-Action := RADIUS-Request
        Idle-Timeout := 180
        WISPr-Bandwidth-Max-Up := 100000
        WISPr-Bandwidth-Max-Down := 250000
        Framed-Protocol := PPP
        Reply-Message := "OK"
        MS-CHAP-Error = "\tE=691 R=1"
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 60 to 192.168.2.145 port 1337
        User-Name = "[email protected]"
        EAP-Message = 0x010a002b19001703010020ad227ff42051a2119a3fdfcc0999ebcd51f07b78079146e092f0f85f8604137f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x23f93a462bf32393cc91e8892c409246
Finished request 18.
Going to the next request
Waking up in 3.8 seconds.
rad_recv: Access-Request packet from host 192.168.2.145 port 1337, id=61, length=269
        User-Name = "[email protected]"
        NAS-IP-Address = 192.168.2.2
        NAS-Identifier = "hello"
        NAS-Port = 0
        Called-Station-Id = "00-11-22-33-44-55:SSID-1"
        Calling-Station-Id = "00-11-22-33-44-55"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless
        Connect-Info = "0Mbps 802.11b"
        EAP-Message = 0x020a0050190017030100205d777644a41a5fee4c658652b55fcd128b1fa7fe21dd1edcabeea1ca001c076117030100205719da5b2d9845746ebf187441a4b8724d074b043fd7e36a297dd45fc55a0c95
        State = 0x23f93a462bf32393cc91e8892c409246
        Message-Authenticator = 0x44e5ac78c039e29bc4798902f9c5b10f
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
        expand: %{request:User-Name} -> [email protected]
++[reply] returns notfound
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "home.com" for User-Name = "[email protected]"
[suffix] No such realm "home.com"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
  SSL: Removing session 34ae8bf5fcb9242ca155baa7eb42097a96d72f29008c63185bb75a719e0fde41 from the cache
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> [email protected]
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 19 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 19
Sending Access-Reject of id 61 to 192.168.2.145 port 1337
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Request packet from host 192.168.2.145 port 1337, id=61, length=269
Sending duplicate reply to client 192.168.0.0/16 port 1337 - ID: 61
Sending Access-Reject of id 61 to 192.168.2.145 port 1337
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x00000000000000000000000000000000
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
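The debug output above, decoded as an added example that is not part of the original thread and not FreeRADIUS code: a small Python helper that parses the EAP-Message hex values and the MS-CHAP-Error value printed in the log, and lists the inner-tunnel verdict next to the outer RADIUS replies. The embedded log is a constructed excerpt shortened from the lines quoted above; the function names, the code-to-name tables and the summary layout are the example's own assumptions.

```python
"""Triage helper for FreeRADIUS debug output of a PEAP / EAP-MSCHAPv2 exchange (added example).

Decodes the EAP-Message hex and the MS-CHAP-Error value that appear in the debug log, and
summarises the inner-tunnel verdict next to the outer RADIUS replies. SAMPLE_LOG below is a
constructed excerpt modelled on the thread's attachment; all names here are the example's own.
"""
import re
from dataclasses import dataclass, field

RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Error codes carried in the MS-CHAPv2 Failure packet (RFC 2759, section 6)
MSCHAP_ERRORS = {646: "restricted logon hours", 647: "account disabled", 648: "password expired",
                 649: "no dial-in permission", 691: "authentication failure",
                 709: "error changing password"}

# Constructed excerpt of the debug output (shortened from the lines quoted in the thread).
SAMPLE_LOG = r"""
[peap] Got tunneled reply code 3
        Auth-Type := Accept
        Reply-Message := "OK"
        MS-CHAP-Error = "\tE=691 R=1"
        EAP-Message = 0x04090004
[peap] Tunneled authentication was rejected.
++[eap] returns handled
Sending Access-Challenge of id 60 to 192.168.2.145 port 1337
        EAP-Message = 0x010a002b19001703010020ad227ff42051a2119a3fdfcc0999ebcd51f07b78079146e092f0f85f8604137f
[peap]  The users session was previously rejected: returning reject (again.)
Sending Access-Reject of id 61 to 192.168.2.145 port 1337
        EAP-Message = 0x040a0004
"""


@dataclass
class EapHeader:
    code: str
    identifier: int
    length: int
    eap_type: str = ""
    tls_record: str = ""


def decode_eap_message(hex_attr: str) -> EapHeader:
    """Decode the 4-byte EAP header, the method type and, for PEAP, the first TLS record header."""
    raw = bytes.fromhex(hex_attr[2:] if hex_attr.startswith("0x") else hex_attr)
    if len(raw) < 4:
        raise ValueError("EAP-Message shorter than the 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} does not match {len(raw)} bytes present")
    hdr = EapHeader(EAP_CODES.get(code, f"code {code}"), ident, length)
    if code in (1, 2) and length >= 5:          # only Request/Response carry a type byte
        hdr.eap_type = EAP_TYPES.get(raw[4], f"type {raw[4]}")
        if raw[4] == 25 and length >= 6:        # PEAP: flags byte, optional length, TLS data
            flags, off = raw[5], 6
            if flags & 0x80:                    # L bit set: 4-byte TLS message length precedes data
                off += 4
            if length >= off + 5:               # TLS record header: type(1) version(2) length(2)
                rtype = TLS_RECORD_TYPES.get(raw[off], f"type {raw[off]}")
                version = f"{raw[off + 1]}.{raw[off + 2]}"
                rlen = int.from_bytes(raw[off + 3:off + 5], "big")
                hdr.tls_record = f"{rtype} v{version} len {rlen}"
    return hdr


def decode_mschap_error(value: str) -> dict:
    """Parse the E=/R= fields of an MS-CHAP-Error value as the debug log prints it (tab escaped as \\t)."""
    fields = {}
    for token in value.replace("\\t", "\t").split():
        key, _, val = token.partition("=")
        fields[key] = val
    code = int(fields.get("E", 0))
    return {"code": code, "reason": MSCHAP_ERRORS.get(code, "unknown"),
            "retry_allowed": fields.get("R") == "1"}


def summarise(log: str) -> dict:
    """Collect the inner-tunnel verdict, the decoded EAP headers and the outer replies from the log."""
    summary = {"inner_code": None, "inner_override": False, "inner_error": None, "eap": [], "outer": []}
    in_tunnel_reply = False
    for line in log.splitlines():
        m = re.search(r"EAP-Message = (0x[0-9a-fA-F]+)", line)
        if m:
            summary["eap"].append(decode_eap_message(m.group(1)))
        m = re.match(r"\[peap\] Got tunneled reply (?:RADIUS )?code (\d+)", line)
        if m:
            summary["inner_code"] = RADIUS_CODES.get(int(m.group(1)), m.group(1))
            in_tunnel_reply = True
            continue
        if in_tunnel_reply and line.startswith((" ", "\t")):   # indented attribute lines of the reply
            if "Auth-Type := Accept" in line:
                summary["inner_override"] = True
            m = re.search(r'MS-CHAP-Error = "(.*)"', line)
            if m:
                summary["inner_error"] = decode_mschap_error(m.group(1))
            continue
        in_tunnel_reply = False
        m = re.match(r"Sending (Access-\w+) of id (\d+)", line)
        if m:
            summary["outer"].append((m.group(1), int(m.group(2))))
    return summary


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print("inner tunnel:", s["inner_code"], "| Auth-Type := Accept present:", s["inner_override"])
    print("inner MS-CHAP error:", s["inner_error"])
    for hdr in s["eap"]:
        print("EAP:", hdr)
    print("outer replies:", s["outer"])
```

Run on the excerpt, the summary shows the inner conversation ending in an EAP Failure (id 9) with MS-CHAP error 691, the PEAP layer reporting the inner RADIUS code 3 while the `Auth-Type := Accept` attribute sits next to it, and the outer server sending Access-Challenge 60 followed by Access-Reject 61 carrying EAP Failure id 10. That is the same pattern the `[peap] *** Look for "reject" or "fail"` lines point at in the full output: the inner result code, not the attributes listed beside it, is what PEAP acts on.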