(I'm reposting this message because the previous message was sent from the wrong e-mail 
account and the moderator has not yet approved it. Please forgive me for a possible 
double entry.)

Hi all,

I have a NAS, a Nortel Contivity VPN-Concentrator (in this case used for PPTP 
tunnels) which I have configured to use freeradius as a proxy for a VASCO 
radius-server (with response-only tokens). The reason for using freeradius as a 
proxy is that Vasco does not support custom attributes which are very helpful 
for the Contivity: freeradius is configured to add an attribute Class which 
varies depending on the Realm.

If I configure the Contivity to authenticate directly to the Vasco all works 
fine. This is also the case if I configure the Contivity to authenticate 
directly on the freeradius (not proxy-ing the request to the vasco). 
However, if freeradius acts as a proxy, WinXP reports the following when setting up the PPTP tunnel: 
"Error 778: It was not possible to verify the identity of the server".
Both Vasco and freeradius reply with: Login Ok


Below is the output if radiusd is started with -X -A

Ready to process requests.
rad_recv: Access-Request packet from host IPnumber-contivity:3460, id=16, length=154
        User-Name = "[EMAIL PROTECTED]"
        MS-CHAP2-Response = 0x0200756c0c8f74d1a3ac8b9f0d2b233699d600000000000000006719ecb56d9d1fafe1e253c494bb92992ca7c58b3bdf39f8
        MS-CHAP-Challenge = 0x5786567db9c1949a8cad50d612547094
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-IP-Address = IPnumber-contivity
        NAS-Port = 566439
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radius/radacct/IPnumber-contivity/reply-detail-20050119'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d 
expands to /var/log/radius/radacct/IPnumber-contivity/reply-detail-20050119
  modcall[authorize]: module "reply_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "attr_filter" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: Looking up realm "company.realm " for User-Name = "rene@company.realm "
    rlm_realm: Found realm "company.realm"
    rlm_realm: Proxying request from user rene to realm company.realm
    rlm_realm: Adding Realm = "company.realm "
    rlm_realm: Preparing to proxy authentication request to realm "company.realm"
  modcall[authorize]: module "suffix" returns updated for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = MS-CHAP'
  modcall[authorize]: module "mschap" returns ok for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to IPnumber-Vasco:1645
        User-Name = "[EMAIL PROTECTED] "
        MS-CHAP2-Response = 0x0200756c0c8f74d1a3ac8b9f0d2b233699d600000000000000006719ecb56d9d1fafe1e253c494bb92992ca7c58b3bdf39f8
        MS-CHAP-Challenge = 0x5786567db9c1949a8cad50d612547094
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-IP-Address = IPnumber-contivity
        NAS-Port = 566439
        NAS-Port-Type = Virtual
        Proxy-State = 0x3136
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host IPnumber-Vasco:1645, id=0, length=198
        Reply-Message = "Login successful."
        MS-CHAP2-Success = 0x02533d46453430464243324341313641363730453135463039443438314145423830364331463031423943
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0xe4b73fbf37c00ff323fe50b697961dd0
        MS-MPPE-Recv-Key = 0x02fc5aa8347af34df114fc9072e70240
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 0
  modcall[post-proxy]: module "eap" returns noop for request 0
modcall: group post-proxy returns noop for request 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radius/radacct/IPnumber-contivity/reply-detail-20050119'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d 
expands to /var/log/radius/radacct/IPnumber-contivity/reply-detail-20050119
  modcall[authorize]: module "reply_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
 attr_filter: Matched entry company.realm at line 87
  modcall[authorize]: module "attr_filter" returns updated for request 0
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: Proxy reply, or no User-Name.  Ignoring.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = MS-CHAP'
  modcall[authorize]: module "mschap" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [EMAIL PROTECTED] (from client Contivity port 566439)
Sending Access-Accept of id 16 to IPnumber-contivity:3460
Finished request 0
Going to the next request
Waking up in 6 seconds...


proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
modules {
        mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_encryption = yes
                #       require_strong = yes
        }
        #and so on..
}
authorize {
        preprocess
        chap
        attr_filter
        eap
        suffix
        sql
        mschap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        #  Allow EAP authentication.
        eap

}
pre-proxy {
}
post-proxy {
        eap
}

In proxy.conf:

realm company.realm {
        type            = radius
        authhost        = IPnumber-Vasco:1645
        accthost        = LOCAL
        secret          = verysecret
        nostrip
}

Since direct authentication works just fine, I figure it's a proxy problem.
Using Fedora Core 2 with freeradius RPM freeradius-1.0.1-0.FC2

Thanks in advance,

René
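A check worth running against a trace like the one above: a PPP client verifies the server through the MS-CHAP2-Success attribute in the Access-Accept, which per RFC 2548 section 2.1.6 is one Ident octet, the literal "S=" and 40 upper-case hex digits, and whose Ident must equal the Ident in the client's MS-CHAP2-Response. The script below is an added example, not code from the post or from the FreeRADIUS project. It parses "Name = value" attribute lines in the radiusd -X format shown above (the sample inputs are constructed from the trace's own values, with wrapped lines joined), validates the proxied reply, and also runs a constructed variant of the same reply with MS-CHAP2-Success removed, to show how a reply that loses that attribute somewhere between the home server and the NAS is reported.

```python
import re
from typing import Dict, List, Tuple

# Sample attribute lines in "radiusd -X" format, constructed from the values in
# the trace above (wrapped lines joined onto one line each).
ACCESS_REQUEST = """\
        User-Name = "rene@company.realm"
        MS-CHAP2-Response = 0x0200756c0c8f74d1a3ac8b9f0d2b233699d600000000000000006719ecb56d9d1fafe1e253c494bb92992ca7c58b3bdf39f8
        MS-CHAP-Challenge = 0x5786567db9c1949a8cad50d612547094
        Service-Type = Framed-User
        Framed-Protocol = PPP
"""

ACCESS_ACCEPT = """\
        Reply-Message = "Login successful."
        MS-CHAP2-Success = 0x02533d46453430464243324341313641363730453135463039443438314145423830364331463031423943
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0xe4b73fbf37c00ff323fe50b697961dd0
        MS-MPPE-Recv-Key = 0x02fc5aa8347af34df114fc9072e70240
"""

# Constructed variant: the same reply with MS-CHAP2-Success filtered out,
# which is what a PPP client cannot accept.
ACCESS_ACCEPT_STRIPPED = "\n".join(
    line for line in ACCESS_ACCEPT.splitlines()
    if not line.lstrip().startswith("MS-CHAP2-Success")
)

_ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')


def parse_attrs(text: str) -> Dict[str, str]:
    """Parse 'Name = value' lines from radiusd -X output.

    Quoted string values lose their quotes; 0x... values stay as hex text.
    """
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ATTR_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def decode_mschap2_success(hexvalue: str) -> Tuple[int, str]:
    """Split an MS-CHAP2-Success value into (ident, authenticator_response).

    RFC 2548 section 2.1.6 layout: Ident octet, then "S=" and 40 hex digits,
    43 octets in total.  Raises ValueError when the layout is wrong.
    """
    raw = bytes.fromhex(hexvalue[2:] if hexvalue.startswith("0x") else hexvalue)
    if len(raw) != 43:
        raise ValueError(f"expected 43 octets, got {len(raw)}")
    ident, body = raw[0], raw[1:].decode("ascii")
    if not body.startswith("S=") or not re.fullmatch(r"[0-9A-F]{40}", body[2:]):
        raise ValueError(f"malformed authenticator response: {body!r}")
    return ident, body[2:]


def check_reply(request_text: str, reply_text: str) -> List[str]:
    """Return the problems a PPP client would trip over; an empty list means OK."""
    req, rep = parse_attrs(request_text), parse_attrs(reply_text)
    problems: List[str] = []
    response = req.get("MS-CHAP2-Response", "")
    if len(response) < 4:
        problems.append("request carries no MS-CHAP2-Response")
    if "MS-CHAP2-Success" not in rep:
        problems.append("MS-CHAP2-Success missing: client cannot verify the server")
    else:
        try:
            ident, _ = decode_mschap2_success(rep["MS-CHAP2-Success"])
            if len(response) >= 4:
                # First octet of MS-CHAP2-Response is the Ident the client chose.
                resp_ident = bytes.fromhex(response[2:4])[0]
                if ident != resp_ident:
                    problems.append(f"Ident mismatch: request {resp_ident}, success {ident}")
        except ValueError as e:
            problems.append(f"MS-CHAP2-Success unusable: {e}")
    # With use_mppe = yes and require_encryption = yes the NAS needs both keys.
    for key in ("MS-MPPE-Send-Key", "MS-MPPE-Recv-Key"):
        if key not in rep:
            problems.append(f"{key} missing: no MPPE session keys for the tunnel")
    return problems


if __name__ == "__main__":
    print("proxied reply:", check_reply(ACCESS_REQUEST, ACCESS_ACCEPT) or "OK")
    print("stripped reply:", check_reply(ACCESS_REQUEST, ACCESS_ACCEPT_STRIPPED))
```

Run it against the attribute lines of the final Access-Accept the proxy actually sends to the NAS (the reply after the post-proxy and second authorize pass), not only against the one received from the home server: the two are what the MS-CHAP2 check compares.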

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html