Cisco AV Pair

Dan Fleming flemingdp at gmail.com
Mon Jul 28 13:38:31 CEST 2014


Here is the debug. For some reason my user dfleming is being accepted even
though the cisco-avpair does not match. Please see debug and layout of
mysql tables below. My apologies to the moderator as I trimmed the message
to under 100kb.

khadmin at BSpa-KH-DaloRadius01:~$ sudo freeradius -X
FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Feb 24 2014
at 15:00:10
....
Ready to process requests.

! Connecting client that should be rejected dfleming

Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=104,
length=224
User-Name = "dfleming"
Framed-MTU = 1400
Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt"
Calling-Station-Id = "80-1F-02-D3-97-74"
Cisco-AVPair = "ssid=BSpa-KH-Mgmt"
Service-Type = Login-User
Cisco-AVPair = "service-type=Login"
Message-Authenticator = 0x56c8d1976c38d0c15b3b7510788d1114
EAP-Message = 0x020300060319
NAS-Port-Type = Wireless-802.11
NAS-Port = 366
NAS-Port-Id = "366"
State = 0xe398c72ae39bc3112b2facf2414ef68a
NAS-IP-Address = 10.10.5.10
NAS-Identifier = "BSpa-KH-AP1"
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dfleming", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql] expand: %{User-Name} -> dfleming
[sql] sql_set_user escaped user --> 'dfleming'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM radcheck
      WHERE username = 'dfleming'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = 'dfleming'           ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM radreply
      WHERE username = 'dfleming'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radreply           WHERE username = 'dfleming'           ORDER BY id
[sql] expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username = 'dfleming'
          ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup
  WHERE username = 'dfleming'           ORDER BY priority
[sql] expand: SELECT id, groupname, attribute,           Value, op
  FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,           Value, op
  FROM radgroupcheck           WHERE groupname = 'Test'           ORDER BY
id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,           Value, op
          FROM radgroupcheck           WHERE groupname = 'Test'
ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 104 to 10.10.5.10 port 1645
EAP-Message = 0x010400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe398c72ae29cde112b2facf2414ef68a
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=105,
length=323
User-Name = "dfleming"
Framed-MTU = 1400
Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt"
Calling-Station-Id = "80-1F-02-D3-97-74"
Cisco-AVPair = "ssid=BSpa-KH-Mgmt"
Service-Type = Login-User
Cisco-AVPair = "service-type=Login"
Message-Authenticator = 0x705abcc41bc6453d98e488076368d5b0
EAP-Message =
0x0204006919800000005f160301005a01000056030153d0fc4150ae5171e308a2672ae8b0c2c02f72ec78a1f46b4988a1b7e7f83e73000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
NAS-Port-Type = Wireless-802.11
NAS-Port = 366
NAS-Port-Id = "366"
State = 0xe398c72ae29cde112b2facf2414ef68a
NAS-IP-Address = 10.10.5.10
NAS-Identifier = "BSpa-KH-AP1"
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dfleming", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 105
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 02dc], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 105 to 10.10.5.10 port 1645
EAP-Message = ....
EAP-Message = ....
EAP-Message = ....
EAP-Message =
0x97087d75ba9109d5bc56a0df73634094328e929b39a58e2c31b88b38be212a5dfd8544d0a63c16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe398c72ae19dde112b2facf2414ef68a
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=106,
length=556
User-Name = "dfleming"
Framed-MTU = 1400
Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt"
Calling-Station-Id = "80-1F-02-D3-97-74"
Cisco-AVPair = "ssid=BSpa-KH-Mgmt"
Service-Type = Login-User
Cisco-AVPair = "service-type=Login"
Message-Authenticator = 0xcd089534fccab7db28693d5b9d86a442
EAP-Message = ....
EAP-Message =
0x94b437e41da7e053b8335b25d4f8a846c4554efb002cc8ec14030100010116030100304b985086678690c358d8a71cca3bd01d6792bf0f15f1387921d08f3ab7ebc8c8d27604abcc1facbd4e0674db9dd3925c
NAS-Port-Type = Wireless-802.11
NAS-Port = 366
NAS-Port-Id = "366"
State = 0xe398c72ae19dde112b2facf2414ef68a
NAS-IP-Address = 10.10.5.10
NAS-Identifier = "BSpa-KH-AP1"
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dfleming", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 106 to 10.10.5.10 port 1645
EAP-Message =
0x01060041190014030100010116030100309e49c5fe400c66b74f39bfdcaf566e506165f4805af06d42706bd2ca4160016223229a71052b67ec2140e7bcedb29055
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe398c72ae09ede112b2facf2414ef68a
Finished request 11.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=107,
length=224
User-Name = "dfleming"
Framed-MTU = 1400
Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt"
Calling-Station-Id = "80-1F-02-D3-97-74"
Cisco-AVPair = "ssid=BSpa-KH-Mgmt"
Service-Type = Login-User
Cisco-AVPair = "service-type=Login"
Message-Authenticator = 0x903e413386202060c488c16f2f3e84de
EAP-Message = 0x020600061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 366
NAS-Port-Id = "366"
State = 0xe398c72ae09ede112b2facf2414ef68a
NAS-IP-Address = 10.10.5.10
NAS-Identifier = "BSpa-KH-AP1"
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dfleming", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 107 to 10.10.5.10 port 1645
EAP-Message =
0x0107002b1900170301002072b66494c00c9860d7ae27b5bdc316d95c67942e3d6909bd14b8e95144dad15c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe398c72ae79fde112b2facf2414ef68a
Finished request 12.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=108,
length=261
User-Name = "dfleming"
Framed-MTU = 1400
Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt"
Calling-Station-Id = "80-1F-02-D3-97-74"
Cisco-AVPair = "ssid=BSpa-KH-Mgmt"
Service-Type = Login-User
Cisco-AVPair = "service-type=Login"
Message-Authenticator = 0xd80759bc82877237c5ee00bb4982f0d3
EAP-Message =
0x0207002b190017030100200229e07a3163accabbf9d63f151206bdfe56866c6c0908833f0dc931a9e143a8
NAS-Port-Type = Wireless-802.11
NAS-Port = 366
NAS-Port-Id = "366"
State = 0xe398c72ae79fde112b2facf2414ef68a
NAS-IP-Address = 10.10.5.10
NAS-Identifier = "BSpa-KH-AP1"
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dfleming", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - dfleming
[peap] Got inner identity 'dfleming'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0207000d0164666c656d696e67
server  {
[peap] Setting User-Name to dfleming
Sending tunneled request
EAP-Message = 0x0207000d0164666c656d696e67
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "dfleming"
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dfleming", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> dfleming
[sql] sql_set_user escaped user --> 'dfleming'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM radcheck
      WHERE username = 'dfleming'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = 'dfleming'           ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM radreply
      WHERE username = 'dfleming'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radreply           WHERE username = 'dfleming'           ORDER BY id
[sql] expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username = 'dfleming'
          ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup
  WHERE username = 'dfleming'           ORDER BY priority
[sql] expand: SELECT id, groupname, attribute,           Value, op
  FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,           Value, op
  FROM radgroupcheck           WHERE groupname = 'Test'           ORDER BY
id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,           Value, op
          FROM radgroupcheck           WHERE groupname = 'Test'
ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010800221a0108001d10922d3619e3e3ae7153865670afca067064666c656d696e67
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc9b7eee2c9bff40721db4de2f5e8d831
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010800221a0108001d10922d3619e3e3ae7153865670afca067064666c656d696e67
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc9b7eee2c9bff40721db4de2f5e8d831
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 108 to 10.10.5.10 port 1645
EAP-Message =
0x0108004b19001703010040e354ae24f8e5f9d802fd99a568a505148dae956713eeee1fe29b6cf13ab582b5c7e15342748bc0b5cf4794a5c47774cede06c276834338ff8f7187e268d2e6d8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe398c72ae690de112b2facf2414ef68a
Finished request 13.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=109,
length=325
User-Name = "dfleming"
Framed-MTU = 1400
Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt"
Calling-Station-Id = "80-1F-02-D3-97-74"
Cisco-AVPair = "ssid=BSpa-KH-Mgmt"
Service-Type = Login-User
Cisco-AVPair = "service-type=Login"
Message-Authenticator = 0xb4f91fc4a74780dd8d59ca37a367f017
EAP-Message =
0x0208006b190017030100606d6568104b85243dc9d97a2a632d19fd9a8d232a88d86ef8b1322f3a74f5946692b8fc279afe278b92f8085b48136721801cbc31a68be167d8e697af0ad1262c2b84c00849d98fe5380ea6eb61f193f27fbd396e781c8e847be168312372effb
NAS-Port-Type = Wireless-802.11
NAS-Port = 366
NAS-Port-Id = "366"
State = 0xe398c72ae690de112b2facf2414ef68a
NAS-IP-Address = 10.10.5.10
NAS-Identifier = "BSpa-KH-AP1"
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dfleming", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020800431a0208003e3168b2631d0a7e9207d78112c36e6c9aeb00000000000000000d2ffe427cf7f4b21ba561639b16ea0fac9ec0fd7619f0980064666c656d696e67
server  {
[peap] Setting User-Name to dfleming
Sending tunneled request
EAP-Message =
0x020800431a0208003e3168b2631d0a7e9207d78112c36e6c9aeb00000000000000000d2ffe427cf7f4b21ba561639b16ea0fac9ec0fd7619f0980064666c656d696e67
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "dfleming"
State = 0xc9b7eee2c9bff40721db4de2f5e8d831
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dfleming", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> dfleming
[sql] sql_set_user escaped user --> 'dfleming'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM radcheck
      WHERE username = 'dfleming'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = 'dfleming'           ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM radreply
      WHERE username = 'dfleming'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radreply           WHERE username = 'dfleming'           ORDER BY id
[sql] expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username = 'dfleming'
          ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup
  WHERE username = 'dfleming'           ORDER BY priority
[sql] expand: SELECT id, groupname, attribute,           Value, op
  FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,           Value, op
  FROM radgroupcheck           WHERE groupname = 'Test'           ORDER BY
id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,           Value, op
          FROM radgroupcheck           WHERE groupname = 'Test'
ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: dfleming
[mschap] Told to do MS-CHAPv2 for dfleming with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010900331a0308002e533d43464330373236373634334537313837364241463430433441443939374431343844394531393832
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc9b7eee2c8bef40721db4de2f5e8d831
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010900331a0308002e533d43464330373236373634334537313837364241463430433441443939374431343844394531393832
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc9b7eee2c8bef40721db4de2f5e8d831
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 109 to 10.10.5.10 port 1645
EAP-Message =
0x0109005b190017030100506185ff39cb0494708efdc81974e25f277642b11486bfe766086d403b0f9e0a544ff9b3c52790e64e9b993633880722ce7da761ac18a7fe587e831cdf7a964c10ef0f0b652c6a73635173e6875e54f4af
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe398c72ae591de112b2facf2414ef68a
Finished request 14.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=110,
length=261
User-Name = "dfleming"
Framed-MTU = 1400
Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt"
Calling-Station-Id = "80-1F-02-D3-97-74"
Cisco-AVPair = "ssid=BSpa-KH-Mgmt"
Service-Type = Login-User
Cisco-AVPair = "service-type=Login"
Message-Authenticator = 0x212023c32292d56925e14f1147bdabe4
EAP-Message =
0x0209002b19001703010020ac7315140c4adcdef21a749af693f0a7b8a7efda8ddb0f82bd692b1d8a7c8465
NAS-Port-Type = Wireless-802.11
NAS-Port = 366
NAS-Port-Id = "366"
State = 0xe398c72ae591de112b2facf2414ef68a
NAS-IP-Address = 10.10.5.10
NAS-Identifier = "BSpa-KH-AP1"
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dfleming", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020900061a03
server  {
[peap] Setting User-Name to dfleming
Sending tunneled request
EAP-Message = 0x020900061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "dfleming"
State = 0xc9b7eee2c8bef40721db4de2f5e8d831
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dfleming", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> dfleming
[sql] sql_set_user escaped user --> 'dfleming'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM radcheck
      WHERE username = 'dfleming'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = 'dfleming'           ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM radreply
      WHERE username = 'dfleming'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radreply           WHERE username = 'dfleming'           ORDER BY id
[sql] expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username = 'dfleming'
          ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup
  WHERE username = 'dfleming'           ORDER BY priority
[sql] expand: SELECT id, groupname, attribute,           Value, op
  FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,           Value, op
  FROM radgroupcheck           WHERE groupname = 'Test'           ORDER BY
id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,           Value, op
          FROM radgroupcheck           WHERE groupname = 'Test'
ORDER BY id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> dfleming
[sql] sql_set_user escaped user --> 'dfleming'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth                           (username,
pass, reply, authdate)                           VALUES (
        '%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
        (username, pass, reply, authdate)                           VALUES
(                           'dfleming',                           '',
                    'Access-Accept', '2014-07-24 08:28:17')
[sql] expand: /var/log/freeradius/sqltrace.sql ->
/var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
              (username, pass, reply, authdate)
VALUES (                           'dfleming',
'',                           'Access-Accept', '2014-07-24 08:28:17')
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query:  INSERT INTO radpostauth
(username, pass, reply, authdate)                           VALUES (
                    'dfleming',                           '',
            'Access-Accept', '2014-07-24 08:28:17')
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0x21b836e93eff70f6d6b2ec627ea1fbaf
MS-MPPE-Recv-Key = 0xa73e45851d20023ff89a50e099c7ac0a
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "dfleming"
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0x21b836e93eff70f6d6b2ec627ea1fbaf
MS-MPPE-Recv-Key = 0xa73e45851d20023ff89a50e099c7ac0a
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "dfleming"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 110 to 10.10.5.10 port 1645
EAP-Message =
0x010a002b19001703010020ffd2d4391027944a955f2a80e75582385d2bb77d88a0da77a3c35e870ab878e6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe398c72ae492de112b2facf2414ef68a
Finished request 15.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=111,
length=261
User-Name = "dfleming"
Framed-MTU = 1400
Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt"
Calling-Station-Id = "80-1F-02-D3-97-74"
Cisco-AVPair = "ssid=BSpa-KH-Mgmt"
Service-Type = Login-User
Cisco-AVPair = "service-type=Login"
Message-Authenticator = 0x9ad507ccd512242f7bf2caec1f20c3d7
EAP-Message =
0x020a002b190017030100203e355252ae01ca7b5f1465ce21b3bb9285bba4ef32e64818a0cd5cc8143b5fd5
NAS-Port-Type = Wireless-802.11
NAS-Port = 366
NAS-Port-Id = "366"
State = 0xe398c72ae492de112b2facf2414ef68a
NAS-IP-Address = 10.10.5.10
NAS-Identifier = "BSpa-KH-AP1"
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dfleming", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> dfleming
[sql] sql_set_user escaped user --> 'dfleming'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth                           (username,
pass, reply, authdate)                           VALUES (
        '%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
        (username, pass, reply, authdate)                           VALUES
(                           'dfleming',                           '',
                    'Access-Accept', '2014-07-24 08:28:17')
[sql] expand: /var/log/freeradius/sqltrace.sql ->
/var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
              (username, pass, reply, authdate)
VALUES (                           'dfleming',
'',                           'Access-Accept', '2014-07-24 08:28:17')
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  INSERT INTO radpostauth
(username, pass, reply, authdate)                           VALUES (
                    'dfleming',                           '',
            'Access-Accept', '2014-07-24 08:28:17')
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 111 to 10.10.5.10 port 1645
MS-MPPE-Recv-Key =
0x5b480d2d4a8cde312f61c2c611543f1aebcc8abae61eb9155cda840760c3cea0
MS-MPPE-Send-Key =
0x56ec6be73861d6e421949f14631c05facadbeff6689370618d373d2b633ce24d
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "dfleming"
Finished request 16.
Going to the next request
mysql> select * from radgroupcheck;
+----+---------------------------+-------------------+----+-----------------------+
| id | groupname                 | attribute         | op | value                 |
+----+---------------------------+-------------------+----+-----------------------+
|  1 | daloRADIUS-Disabled-Users | Auth-Type         | := | Reject                |
|  7 | Mgmt-Wireless             | Cisco-AVPair      | == | "ssid=1BSpa-KH-Mgmt1" |
|  8 | Mgmt-Wireless             | Called-Station-Id | := | *BSpa                 |
|  9 | Test                      | Cisco-AVPair      | == | df                    |
+----+---------------------------+-------------------+----+-----------------------+
mysql> select * from userinfo;
+----+-----------+-----------+----------+-------+------------+---------+-----------+-----------+-------------+---------+------+-------+---------+------+-------+----------------+---------------------+-------------------+---------------------+---------------+---------------------+----------+
| id | username  | firstname | lastname | email | department | company | workphone | homephone | mobilephone | address | city | state | country | zip  | notes | changeuserinfo | portalloginpassword | enableportallogin | creationdate        | creationby    | updatedate          | updateby |
+----+-----------+-----------+----------+-------+------------+---------+-----------+-----------+-------------+---------+------+-------+---------+------+-------+----------------+---------------------+-------------------+---------------------+---------------+---------------------+----------+
|  1 | dfleming  |           |          |       |            |         |           |           |             |         |      |       |         |      |       | 0              |                     |                 0 | 2014-07-16 15:24:47 | administrator | 2014-07-23 15:50:42 | admin    |
|  2 | mefleming |           |          |       |            |         |           |           |             |         |      |       |         |      |       | 0              |                     |                 0 | 2014-07-16 16:57:27 | administrator | 2014-07-23 16:40:28 | admin    |
+----+-----------+-----------+----------+-------+------------+---------+-----------+-----------+-------------+---------+------+-------+---------+------+-------+----------------+---------------------+-------------------+---------------------+---------------+---------------------+----------+
mysql> select * from radusergroup;
+-----------+---------------+----------+
| username  | groupname     | priority |
+-----------+---------------+----------+
| dfleming  | Test          |        0 |
| mefleming | Mgmt-Wireless |        1 |
+-----------+---------------+----------+


On Wed, Jul 23, 2014 at 5:20 PM, Dan Fleming <flemingdp at gmail.com> wrote:
>
> Hello,
>
> I am using daloradius with free radius 2.1.12 on Ubuntu 14.04.
>
> I have configured users and passwords and successfully authenticate users
> connecting to a standalone cisco 1142 access point. I can see in the debug
> that the cisco-avpair is sending the ssid to the free radius server in the
> debug but I don't think it is being checked.
>
> No matter what I put in av pair the user gets Access-Accept.
>
> I have tried both operator == and =: but neither makes a difference.
>
> Any help is greatly appreciated.
>
> Regards,
>
> Daniel
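Added example, not code from the original mail or from FreeRADIUS: a small Python model of how rlm_sql turns radgroupcheck rows into check items and evaluates them against a request, fed with the radgroupcheck and radusergroup rows and the Access-Request attributes quoted above. It is a deliberate simplification of the module (only `==`, `=~` and the assignment operators are modelled), and the corrected Mgmt-Wireless row at the end is constructed here, not taken from the mail. What it shows: a check item that does not match causes the whole group to be skipped, so the intended restriction fails open instead of producing a reject; a rejection only comes from a matching entry that assigns `Auth-Type := Reject`, as the daloRADIUS-Disabled-Users row does. It also shows why `:=` cannot act as a filter: it assigns the attribute rather than comparing it, so a row such as `Called-Station-Id := *BSpa` always passes and does no wildcard matching. Row 7 as stored includes the double quotes in the value, so even the SSID text aside, the literal comparison can never equal `ssid=BSpa-KH-Mgmt`.

```python
import re
from dataclasses import dataclass

# Added example, not from the original mail or from FreeRADIUS: a simplified
# model of how rlm_sql evaluates radgroupcheck rows as check items.


@dataclass(frozen=True)
class CheckItem:
    groupname: str
    attribute: str
    op: str
    value: str


# radgroupcheck rows as listed in the mysql output above. Row 7 was stored
# with its surrounding double quotes, so the quotes are part of the string.
RADGROUPCHECK = [
    CheckItem("daloRADIUS-Disabled-Users", "Auth-Type", ":=", "Reject"),
    CheckItem("Mgmt-Wireless", "Cisco-AVPair", "==", '"ssid=1BSpa-KH-Mgmt1"'),
    CheckItem("Mgmt-Wireless", "Called-Station-Id", ":=", "*BSpa"),
    CheckItem("Test", "Cisco-AVPair", "==", "df"),
]

# radusergroup rows from the mysql output above.
RADUSERGROUP = {"dfleming": ["Test"], "mefleming": ["Mgmt-Wireless"]}

# Attributes of the Access-Request in the debug above; Cisco-AVPair is multi-valued.
REQUEST = [
    ("User-Name", "dfleming"),
    ("Called-Station-Id", "A8-B1-D4-21-73-41:BSpa-KH-Mgmt"),
    ("Calling-Station-Id", "80-1F-02-D3-97-74"),
    ("Cisco-AVPair", "ssid=BSpa-KH-Mgmt"),
    ("Service-Type", "Login-User"),
    ("Cisco-AVPair", "service-type=Login"),
    ("NAS-Identifier", "BSpa-KH-AP1"),
]

# Operators that set an attribute in the control list instead of comparing.
ASSIGNMENT_OPS = {":=", "=", "+="}


def check_item_matches(item, request):
    """Evaluate one check item; returns (passed, reason).

    == is a literal string comparison (one value of a multi-valued attribute
    is enough); =~ is an unanchored regular-expression search. Assignment
    operators always pass because they compare nothing.
    """
    values = [v for attr, v in request if attr == item.attribute]
    if item.op in ASSIGNMENT_OPS:
        return True, f"{item.attribute} {item.op} {item.value!r} is an assignment, not a filter"
    if item.op == "==":
        return item.value in values, f"{item.value!r} == one of {values!r}"
    if item.op == "=~":
        return any(re.search(item.value, v) for v in values), f"/{item.value}/ in {values!r}"
    raise ValueError(f"operator {item.op!r} not modelled here")


def authorize(username, request, checks=RADGROUPCHECK, groups=RADUSERGROUP):
    """Model the group pass of rlm_sql's authorize.

    Each group the user belongs to is tried in priority order. A group whose
    check items do not all pass is skipped, which by itself rejects nothing.
    A reject results only from a matching group that assigns
    Auth-Type := Reject. When no group matches, nothing is added and the
    decision is left to the remaining modules (EAP in the debug above).
    """
    outcome = "not-enforced"
    for group in groups.get(username, []):
        items = [i for i in checks if i.groupname == group]
        if not all(check_item_matches(i, request)[0] for i in items):
            continue
        if any(i.attribute == "Auth-Type" and i.op == ":=" and i.value == "Reject" for i in items):
            return "reject"
        outcome = f"matched:{group}"
    return outcome


# Constructed here, not from the mail: row 7 rewritten to compare against the
# SSID the access point actually sends, stored without quotes.
FIXED_RADGROUPCHECK = [
    CheckItem(i.groupname, i.attribute, i.op, "ssid=BSpa-KH-Mgmt")
    if (i.groupname, i.attribute) == ("Mgmt-Wireless", "Cisco-AVPair") else i
    for i in RADGROUPCHECK
]

if __name__ == "__main__":
    for item in RADGROUPCHECK:
        passed, reason = check_item_matches(item, REQUEST)
        print(f"[{item.groupname}] {'pass' if passed else 'FAIL'}: {reason}")
    # The same NAS attributes are reused for mefleming; only group membership differs.
    print("dfleming               ->", authorize("dfleming", REQUEST))
    print("mefleming              ->", authorize("mefleming", REQUEST))
    print("mefleming, fixed row 7 ->", authorize("mefleming", REQUEST, checks=FIXED_RADGROUPCHECK))
```

Run as a script, it reports each row as pass or FAIL against the captured request: the Test row fails (`df` is not one of the Cisco-AVPair values), the quoted Mgmt-Wireless row fails, the `:=` row passes without comparing anything, and both users come out as "not-enforced", which is the state the debug shows (the check items rejected nothing and EAP went on to accept). With the constructed unquoted row the Mgmt-Wireless group matches, but matching a group still only makes its reply items apply; a deny still has to be expressed as an `Auth-Type := Reject` entry or an explicit reject elsewhere in the policy.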