LDAP Groups to Freeradius and then Ruckus Wireless?

Enrique Sainz Baixauli enriquesainz.beca at intef.educacion.es
Mon Jun 9 11:31:01 CEST 2014


>> In the meantime, I am trying to configure EAP-TLS for a more secure 
>> authentication based on client certificates. I generated a CA 
>> certificate and used it to sign server and client certificates, which 
>> I installed where I needed. However, trying to associate a W7 machine 
>> to the AP resulted in freeradius segfaulting:
>>
>> (5) # executing section post-auth from file 
>> /etc/freeradius/sites-enabled/default
>> (5) cache: [... creating cache entry ...]
>> (5) [cache] = updated
>> (5) foreach &control:LDAP-Group
>> (5)   update reply {
>> Segmentation fault
>>
>> In update reply {} there is only one line of code:
>>
>> &Ruckus-User-Groups += "%{Foreach-Variable-0}"
>>
>> And the call to the cache module was the only previous uncommented 
>> line in post-auth. So I'm quite clueless about where the segfault 
>> comes from, since that same line worked perfectly with MSCHAPv2 inside 
>> of PEAP... If you need any more debug output feel free to ask :)
>
>I'm guessing you'd need to follow
>http://wiki.freeradius.org/project/bug-reports#Crashes-(Segmentation-violations,-Memory-alignment-errors,-ASSERTs-etc...)
>or
>http://lists.freeradius.org/pipermail/freeradius-devel/2014-January/009084.html

Ok, so I installed the debug symbols from the PPA repository and uncommented
the panic_action line in radiusd.conf. This is the full debug output now:

(I have to say that I got a segfault last week that I could fix on my own,
but I have no idea where this one comes from. The previous one was about
setting outer.reply in default server's post-auth - there is no outer reply
in there. It doesn't look like that one though...)


Received Access-Request Id 39 from 192.168.60.1:1024 to 192.168.50.62:1812
length 190
        User-Name = 'juan'
        Calling-Station-Id = '00-26-C6-7C-C4-58'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-1A-3E-5C'
        Connect-Info = 'CONNECT 802.11a/n'
        EAP-Message = 0x02000009016a75616e
        Attr-26.25053.3 = 0x50524f4645534f524553
        Message-Authenticator = 0x6ccb32c7b00d65c7617e787ee0f8862b
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0)   authorize {
(0)   [preprocess] = ok
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0) suffix : No '@' in User-Name = "juan", looking up realm NULL
(0) suffix : No such realm "NULL"
(0)   [suffix] = noop
(0) eap : EAP packet type response id 0 length 9
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0)   [eap] = ok
(0)  } #  authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   authenticate {
(0) eap : Peer sent Identity (1)
(0) eap : Calling eap_tls to process EAP data
(0) eap_tls : Flushing SSL sessions (of #0)
(0) eap_tls : Requiring client certificate
(0) eap_tls : Initiate
(0) eap_tls : Requiring client certificate
(0) eap_tls : Start returned 1
(0) eap : New EAP session, adding 'State' attribute to reply
0x4b06bc534b07b123
(0)   [eap] = handled
(0)  } #  authenticate = handled
Sending Access-Challenge Id 39 from 192.168.50.62:1812 to 192.168.60.1:1024
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4b06bc534b07b123a5815ce5986a7061
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 40 from 192.168.60.1:1024 to 192.168.50.62:1812
length 304
        User-Name = 'juan'
        Calling-Station-Id = '00-26-C6-7C-C4-58'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-1A-3E-5C'
        Connect-Info = 'CONNECT 802.11a/n'
        EAP-Message =
0x020100690d800000005f160301005a01000056030153957c5a9884652d6bb6c5d6bb19564d
4010cad78f6021d6f9bb42a26c6332a0000018002f00350005000ac013c014c009c00a003200
380013000401000015ff01000100000a0006000400170018000b00020100
        State = 0x4b06bc534b07b123a5815ce5986a7061
        Attr-26.25053.3 = 0x50524f4645534f524553
        Message-Authenticator = 0x424c68d593e8b471a7168fa8f90c84aa
(1) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(1)   authorize {
(1)   [preprocess] = ok
(1)   [chap] = noop
(1)   [mschap] = noop
(1)   [digest] = noop
(1) suffix : No '@' in User-Name = "juan", looking up realm NULL
(1) suffix : No such realm "NULL"
(1)   [suffix] = noop
(1) eap : EAP packet type response id 1 length 105
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1)   [eap] = updated
(1)   [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap :    --> (uid=juan)
(1) ldap : EXPAND dc=ejemplo,dc=org
(1) ldap :    --> dc=ejemplo,dc=org
(1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(uid=juan)', scope 'sub'
(1) ldap : Waiting for search result...
(1) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org"
(1) ldap : No cacheable group memberships found in user object
(1) ldap : EXPAND
(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))
(1) ldap :    -->
(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl
o\2cdc\3dorg))
(1) ldap : EXPAND dc=ejemplo,dc=org
(1) ldap :    --> dc=ejemplo,dc=org
(1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp
lo\2cdc\3dorg))', scope 'sub'
(1) ldap : Waiting for search result...
(1) ldap : Added control:Ldap-Group with value "profesores"
(1) ldap : Processing user attributes
(1) ldap :      control:Password-With-Header += ''1234''
rlm_ldap (ldap): Released connection (4)
(1)   [ldap] = ok
(1)   foreach &control:LDAP-Group
(1)    update reply {
(1) EXPAND %{Foreach-Variable-0}
(1)    --> profesores
(1)     &Ruckus-User-Groups += '"profesores"'
(1)    } # update reply = noop
(1)   } # foreach &control:LDAP-Group = noop
(1)   [expiration] = noop
(1)   [logintime] = noop
(1) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password
(1) WARNING: pap : Auth-Type already set.  Not setting to PAP
(1)   [pap] = noop
(1)  } #  authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1)   authenticate {
(1) eap : Expiring EAP session with state 0x4b06bc534b07b123
(1) eap : Finished EAP session with state 0x4b06bc534b07b123
(1) eap : Previous EAP request found for state 0x4b06bc534b07b123, released
from the list
(1) eap : Peer sent TLS (13)
(1) eap : EAP TLS (13)
(1) eap : Calling eap_tls to process EAP data
(1) eap_tls : Authenticate
(1) eap_tls : processing EAP-TLS
  TLS Length 95
(1) eap_tls : Length Included
(1) eap_tls : eaptls_verify returned 11
(1) eap_tls :     (other): before/accept initialization
(1) eap_tls :     TLS_accept: before/accept initialization
(1) eap_tls : <<< TLS 1.0 Handshake [length 005a], ClientHello
(1) eap_tls :     TLS_accept: SSLv3 read client hello A
(1) eap_tls : >>> TLS 1.0 Handshake [length 0051], ServerHello
(1) eap_tls :     TLS_accept: SSLv3 write server hello A
(1) eap_tls : >>> TLS 1.0 Handshake [length 0707], Certificate
(1) eap_tls :     TLS_accept: SSLv3 write certificate A
(1) eap_tls : >>> TLS 1.0 Handshake [length 0056], CertificateRequest
(1) eap_tls :     TLS_accept: SSLv3 write certificate request A
(1) eap_tls :     TLS_accept: SSLv3 flush data
(1) eap_tls :     TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
(1) eap_tls : eaptls_process returned 13
(1) eap : New EAP session, adding 'State' attribute to reply
0x4b06bc534a04b123
(1)   [eap] = handled
(1)  } #  authenticate = handled
Sending Access-Challenge Id 40 from 192.168.50.62:1812 to 192.168.60.1:1024
        Ruckus-User-Groups += 'profesores'
        EAP-Message =
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4b06bc534a04b123a5815ce5986a7061
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 41 from 192.168.60.1:1024 to 192.168.50.62:1812
length 205
        User-Name = 'juan'
        Calling-Station-Id = '00-26-C6-7C-C4-58'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-1A-3E-5C'
        Connect-Info = 'CONNECT 802.11a/n'
        EAP-Message = 0x020200060d00
        State = 0x4b06bc534a04b123a5815ce5986a7061
        Attr-26.25053.3 = 0x50524f4645534f524553
        Message-Authenticator = 0x957db049fc1d0e94a5a57f9776395e30
(2) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(2)   authorize {
(2)   [preprocess] = ok
(2)   [chap] = noop
(2)   [mschap] = noop
(2)   [digest] = noop
(2) suffix : No '@' in User-Name = "juan", looking up realm NULL
(2) suffix : No such realm "NULL"
(2)   [suffix] = noop
(2) eap : EAP packet type response id 2 length 6
(2) eap : No EAP Start, assuming it's an on-going EAP conversation
(2)   [eap] = updated
(2)   [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(2) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(2) ldap :    --> (uid=juan)
(2) ldap : EXPAND dc=ejemplo,dc=org
(2) ldap :    --> dc=ejemplo,dc=org
(2) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(uid=juan)', scope 'sub'
(2) ldap : Waiting for search result...
(2) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org"
(2) ldap : No cacheable group memberships found in user object
(2) ldap : EXPAND
(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))
(2) ldap :    -->
(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl
o\2cdc\3dorg))
(2) ldap : EXPAND dc=ejemplo,dc=org
(2) ldap :    --> dc=ejemplo,dc=org
(2) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp
lo\2cdc\3dorg))', scope 'sub'
(2) ldap : Waiting for search result...
(2) ldap : Added control:Ldap-Group with value "profesores"
(2) ldap : Processing user attributes
(2) ldap :      control:Password-With-Header += ''1234''
rlm_ldap (ldap): Released connection (4)
(2)   [ldap] = ok
(2)   foreach &control:LDAP-Group
(2)    update reply {
(2) EXPAND %{Foreach-Variable-0}
(2)    --> profesores
(2)     &Ruckus-User-Groups += '"profesores"'
(2)    } # update reply = noop
(2)   } # foreach &control:LDAP-Group = noop
(2)   [expiration] = noop
(2)   [logintime] = noop
(2) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password
(2) WARNING: pap : Auth-Type already set.  Not setting to PAP
(2)   [pap] = noop
(2)  } #  authorize = updated
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2)   authenticate {
(2) eap : Expiring EAP session with state 0x4b06bc534a04b123
(2) eap : Finished EAP session with state 0x4b06bc534a04b123
(2) eap : Previous EAP request found for state 0x4b06bc534a04b123, released
from the list
(2) eap : Peer sent TLS (13)
(2) eap : EAP TLS (13)
(2) eap : Calling eap_tls to process EAP data
(2) eap_tls : Authenticate
(2) eap_tls : processing EAP-TLS
(2) eap_tls : Received TLS ACK
(2) eap_tls : Received TLS ACK
(2) eap_tls : ACK handshake fragment handler
(2) eap_tls : eaptls_verify returned 1
(2) eap_tls : eaptls_process returned 13
(2) eap : New EAP session, adding 'State' attribute to reply
0x4b06bc534905b123
(2)   [eap] = handled
(2)  } #  authenticate = handled
Sending Access-Challenge Id 41 from 192.168.50.62:1812 to 192.168.60.1:1024
        Ruckus-User-Groups += 'profesores'
        EAP-Message =
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4b06bc534905b123a5815ce5986a7061
(2) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 42 from 192.168.60.1:1024 to 192.168.50.62:1812
length 1701
        User-Name = 'juan'
        Calling-Station-Id = '00-26-C6-7C-C4-58'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-1A-3E-5C'
        Connect-Info = 'CONNECT 802.11a/n'
        EAP-Message =
        State = 0x4b06bc534905b123a5815ce5986a7061
        Attr-26.25053.3 = 0x50524f4645534f524553
        Message-Authenticator = 0x73f8a458222a4c6bb7eec10883f1b056
(3) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(3)   authorize {
(3)   [preprocess] = ok
(3)   [chap] = noop
(3)   [mschap] = noop
(3)   [digest] = noop
(3) suffix : No '@' in User-Name = "juan", looking up realm NULL
(3) suffix : No such realm "NULL"
(3)   [suffix] = noop
(3) eap : EAP packet type response id 3 length 1492
(3) eap : No EAP Start, assuming it's an on-going EAP conversation
(3)   [eap] = updated
(3)   [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(3) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(3) ldap :    --> (uid=juan)
(3) ldap : EXPAND dc=ejemplo,dc=org
(3) ldap :    --> dc=ejemplo,dc=org
(3) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(uid=juan)', scope 'sub'
(3) ldap : Waiting for search result...
(3) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org"
(3) ldap : No cacheable group memberships found in user object
(3) ldap : EXPAND
(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))
(3) ldap :    -->
(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl
o\2cdc\3dorg))
(3) ldap : EXPAND dc=ejemplo,dc=org
(3) ldap :    --> dc=ejemplo,dc=org
(3) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp
lo\2cdc\3dorg))', scope 'sub'
(3) ldap : Waiting for search result...
(3) ldap : Added control:Ldap-Group with value "profesores"
(3) ldap : Processing user attributes
(3) ldap :      control:Password-With-Header += ''1234''
rlm_ldap (ldap): Released connection (4)
(3)   [ldap] = ok
(3)   foreach &control:LDAP-Group
(3)    update reply {
(3) EXPAND %{Foreach-Variable-0}
(3)    --> profesores
(3)     &Ruckus-User-Groups += '"profesores"'
(3)    } # update reply = noop
(3)   } # foreach &control:LDAP-Group = noop
(3)   [expiration] = noop
(3)   [logintime] = noop
(3) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password
(3) WARNING: pap : Auth-Type already set.  Not setting to PAP
(3)   [pap] = noop
(3)  } #  authorize = updated
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3)   authenticate {
(3) eap : Expiring EAP session with state 0x4b06bc534905b123
(3) eap : Finished EAP session with state 0x4b06bc534905b123
(3) eap : Previous EAP request found for state 0x4b06bc534905b123, released
from the list
(3) eap : Peer sent TLS (13)
(3) eap : EAP TLS (13)
(3) eap : Calling eap_tls to process EAP data
(3) eap_tls : Authenticate
(3) eap_tls : processing EAP-TLS
  TLS Length 1497
(3) eap_tls : Received EAP-TLS First Fragment of the message
(3) eap_tls : eaptls_verify returned 9
(3) eap_tls : eaptls_process returned 13
(3) eap : New EAP session, adding 'State' attribute to reply
0x4b06bc534802b123
(3)   [eap] = handled
(3)  } #  authenticate = handled
Sending Access-Challenge Id 42 from 192.168.50.62:1812 to 192.168.60.1:1024
        Ruckus-User-Groups += 'profesores'
        EAP-Message = 0x010400060d00
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4b06bc534802b123a5815ce5986a7061
(3) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 43 from 192.168.60.1:1024 to 192.168.50.62:1812
length 220
        User-Name = 'juan'
        Calling-Station-Id = '00-26-C6-7C-C4-58'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-1A-3E-5C'
        Connect-Info = 'CONNECT 802.11a/n'
        EAP-Message = 0x020400150d003739040f9689b4ab4612f7dce2d48e
        State = 0x4b06bc534802b123a5815ce5986a7061
        Attr-26.25053.3 = 0x50524f4645534f524553
        Message-Authenticator = 0x39dbec026a12ec8acebb4f68297652a0
(4) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(4)   authorize {
(4)   [preprocess] = ok
(4)   [chap] = noop
(4)   [mschap] = noop
(4)   [digest] = noop
(4) suffix : No '@' in User-Name = "juan", looking up realm NULL
(4) suffix : No such realm "NULL"
(4)   [suffix] = noop
(4) eap : EAP packet type response id 4 length 21
(4) eap : No EAP Start, assuming it's an on-going EAP conversation
(4)   [eap] = updated
(4)   [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(4) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(4) ldap :    --> (uid=juan)
(4) ldap : EXPAND dc=ejemplo,dc=org
(4) ldap :    --> dc=ejemplo,dc=org
(4) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(uid=juan)', scope 'sub'
(4) ldap : Waiting for search result...
(4) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org"
(4) ldap : No cacheable group memberships found in user object
(4) ldap : EXPAND
(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))
(4) ldap :    -->
(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl
o\2cdc\3dorg))
(4) ldap : EXPAND dc=ejemplo,dc=org
(4) ldap :    --> dc=ejemplo,dc=org
(4) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp
lo\2cdc\3dorg))', scope 'sub'
(4) ldap : Waiting for search result...
(4) ldap : Added control:Ldap-Group with value "profesores"
(4) ldap : Processing user attributes
(4) ldap :      control:Password-With-Header += ''1234''
rlm_ldap (ldap): Released connection (4)
(4)   [ldap] = ok
(4)   foreach &control:LDAP-Group
(4)    update reply {
(4) EXPAND %{Foreach-Variable-0}
(4)    --> profesores
(4)     &Ruckus-User-Groups += '"profesores"'
(4)    } # update reply = noop
(4)   } # foreach &control:LDAP-Group = noop
(4)   [expiration] = noop
(4)   [logintime] = noop
(4) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password
(4) WARNING: pap : Auth-Type already set.  Not setting to PAP
(4)   [pap] = noop
(4)  } #  authorize = updated
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4)   authenticate {
(4) eap : Expiring EAP session with state 0x4b06bc534802b123
(4) eap : Finished EAP session with state 0x4b06bc534802b123
(4) eap : Previous EAP request found for state 0x4b06bc534802b123, released
from the list
(4) eap : Peer sent TLS (13)
(4) eap : EAP TLS (13)
(4) eap : Calling eap_tls to process EAP data
(4) eap_tls : Authenticate
(4) eap_tls : processing EAP-TLS
(4) eap_tls : eaptls_verify returned 7
(4) eap_tls : Done initial handshake
(4) eap_tls : <<< TLS 1.0 Handshake [length 038d], Certificate
(4) eap_tls : chain-depth=1,
(4) eap_tls : error=0
(4) eap_tls : --> User-Name = juan
(4) eap_tls : --> BUF-Name = ejemplo.org
(4) eap_tls : --> subject = /C=ES/ST=Madrid/O=INTEF/CN=ejemplo.org
(4) eap_tls : --> issuer  = /C=ES/ST=Madrid/O=INTEF/CN=ejemplo.org
(4) eap_tls : --> verify return:1
(4) eap_tls : chain-depth=0,
(4) eap_tls : error=0
(4) eap_tls : --> User-Name = juan
(4) eap_tls : --> BUF-Name = juan
(4) eap_tls : --> subject = /C=ES/ST=Madrid/O=INTEF/CN=juan
(4) eap_tls : --> issuer  = /C=ES/ST=Madrid/O=INTEF/CN=ejemplo.org
(4) eap_tls : --> verify return:1
(4) eap_tls :     TLS_accept: SSLv3 read client certificate A
(4) eap_tls : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
(4) eap_tls :     TLS_accept: SSLv3 read client key exchange A
(4) eap_tls : <<< TLS 1.0 Handshake [length 0106], CertificateVerify
(4) eap_tls :     TLS_accept: SSLv3 read certificate verify A
(4) eap_tls : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_tls : <<< TLS 1.0 Handshake [length 0010], Finished
(4) eap_tls :     TLS_accept: SSLv3 read finished A
(4) eap_tls : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_tls :     TLS_accept: SSLv3 write change cipher spec A
(4) eap_tls : >>> TLS 1.0 Handshake [length 0010], Finished
(4) eap_tls :     TLS_accept: SSLv3 write finished A
(4) eap_tls :     TLS_accept: SSLv3 flush data
  SSL: adding session
e538ae19205137b530866cbe9c73fda07251b82edf134c60a8556d5601036be8 to cache
(4) eap_tls :     (other): SSL negotiation finished successfully
SSL Connection Established
(4) eap_tls : eaptls_process returned 13
(4) eap : New EAP session, adding 'State' attribute to reply
0x4b06bc534f03b123
(4)   [eap] = handled
(4)  } #  authenticate = handled
Sending Access-Challenge Id 43 from 192.168.50.62:1812 to 192.168.60.1:1024
        Ruckus-User-Groups += 'profesores'
        EAP-Message =
0x010500450d800000003b1403010001011603010030b6f41d63244fff84ccbe996ef0b09ff2
9df45c4049b85e335adae27b0653521c7719c521ec4e3b611d6c399e2458022b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4b06bc534f03b123a5815ce5986a7061
(4) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 44 from 192.168.60.1:1024 to 192.168.50.62:1812
length 205
        User-Name = 'juan'
        Calling-Station-Id = '00-26-C6-7C-C4-58'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-1A-3E-5C'
        Connect-Info = 'CONNECT 802.11a/n'
        EAP-Message = 0x020500060d00
        State = 0x4b06bc534f03b123a5815ce5986a7061
        Attr-26.25053.3 = 0x50524f4645534f524553
        Message-Authenticator = 0xe145b729ae7f53c07a05f6250273b5a5
(5) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(5)   authorize {
(5)   [preprocess] = ok
(5)   [chap] = noop
(5)   [mschap] = noop
(5)   [digest] = noop
(5) suffix : No '@' in User-Name = "juan", looking up realm NULL
(5) suffix : No such realm "NULL"
(5)   [suffix] = noop
(5) eap : EAP packet type response id 5 length 6
(5) eap : No EAP Start, assuming it's an on-going EAP conversation
(5)   [eap] = updated
(5)   [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(5) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(5) ldap :    --> (uid=juan)
(5) ldap : EXPAND dc=ejemplo,dc=org
(5) ldap :    --> dc=ejemplo,dc=org
(5) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(uid=juan)', scope 'sub'
(5) ldap : Waiting for search result...
(5) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org"
(5) ldap : No cacheable group memberships found in user object
(5) ldap : EXPAND
(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))
(5) ldap :    -->
(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl
o\2cdc\3dorg))
(5) ldap : EXPAND dc=ejemplo,dc=org
(5) ldap :    --> dc=ejemplo,dc=org
(5) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp
lo\2cdc\3dorg))', scope 'sub'
(5) ldap : Waiting for search result...
(5) ldap : Added control:Ldap-Group with value "profesores"
(5) ldap : Processing user attributes
(5) ldap :      control:Password-With-Header += ''1234''
rlm_ldap (ldap): Released connection (4)
(5)   [ldap] = ok
(5)   foreach &control:LDAP-Group
(5)    update reply {
(5) EXPAND %{Foreach-Variable-0}
(5)    --> profesores
(5)     &Ruckus-User-Groups += '"profesores"'
(5)    } # update reply = noop
(5)   } # foreach &control:LDAP-Group = noop
(5)   [expiration] = noop
(5)   [logintime] = noop
(5) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password
(5) WARNING: pap : Auth-Type already set.  Not setting to PAP
(5)   [pap] = noop
(5)  } #  authorize = updated
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5)   authenticate {
(5) eap : Expiring EAP session with state 0x4b06bc534f03b123
(5) eap : Finished EAP session with state 0x4b06bc534f03b123
(5) eap : Previous EAP request found for state 0x4b06bc534f03b123, released
from the list
(5) eap : Peer sent TLS (13)
(5) eap : EAP TLS (13)
(5) eap : Calling eap_tls to process EAP data
(5) eap_tls : Authenticate
(5) eap_tls : processing EAP-TLS
(5) eap_tls : Received TLS ACK
(5) eap_tls : Received TLS ACK
(5) eap_tls : ACK handshake is finished
(5) eap_tls : eaptls_verify returned 3
(5) eap_tls : eaptls_process returned 3
(5) eap_tls : Saving session
e538ae19205137b530866cbe9c73fda07251b82edf134c60a8556d5601036be8 vps
0x2886620 in the cache
(5) eap : Freeing handler
(5)   [eap] = ok
(5)  } #  authenticate = ok
(5) # Executing section post-auth from file
/etc/freeradius/sites-enabled/default
(5)   post-auth {
(5) cache : EXPAND %{User-Name}
(5) cache :    --> juan
(5) cache : Creating entry for "juan"
(5) cache :     control:LDAP-Group += &control:LDAP-Group
(5) cache : Inserted entry, TTL 3600 seconds
(5)   [cache] = updated
(5)   foreach &control:LDAP-Group
(5)    update reply {
CAUGHT SIGNAL: Segmentation fault
Backtrace of last 25 frames:
/usr/lib/freeradius/libfreeradius-radius.so(fr_fault+0x61)[0x7f56ae6cbc51]
/lib/x86_64-linux-gnu/libpthread.so.0(+0xf030)[0x7f56ad415030]
/usr/lib/freeradius/libfreeradius-radius.so(+0x1505e)[0x7f56ae6d605e]
/usr/lib/freeradius/libfreeradius-server.so(+0x136b7)[0x7f56ae90a6b7]
/usr/lib/freeradius/libfreeradius-server.so(+0x13998)[0x7f56ae90a998]
/usr/lib/freeradius/libfreeradius-server.so(+0x144c4)[0x7f56ae90b4c4]
/usr/lib/freeradius/libfreeradius-server.so(+0x14532)[0x7f56ae90b532]
/usr/lib/freeradius/libfreeradius-server.so(radius_map2vp+0x1ef)[0x7f56ae905def]
/usr/lib/freeradius/libfreeradius-server.so(radius_map2request+0xa6)[0x7f56ae905386]
freeradius[0x41f955]
freeradius[0x41fd1a]
freeradius[0x41f221]
freeradius[0x41f3de]
freeradius(modcall+0x3d)[0x4204fd]
freeradius(indexed_modcall+0xb3)[0x41dc03]
freeradius(rad_postauth+0x5e)[0x40f57e]
freeradius[0x42ca9c]
freeradius[0x429d05]
freeradius(request_receive+0x247)[0x42af27]
freeradius[0x4190a8]
freeradius[0x42966d]
/usr/lib/freeradius/libfreeradius-radius.so(fr_event_loop+0x2d9)[0x7f56ae6e5629]
freeradius(main+0x65a)[0x40eb2a]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7f56acc1bead]
freeradius[0x40ee85]
Calling: gdb -silent -x /etc/freeradius/panic.gdb freeradius 3192 2>&1 | tee /var/log/freeradius/gdb-freeradius-3192.log
Temporarily setting PR_DUMPABLE to 1
sh: 1: gdb: not found
Resetting PR_DUMPABLE to 0
Panic action exited with 0
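
Because the panic action could not start gdb, the backtrace above is the only crash data in this post. The following is an added example, not part of the original message or of FreeRADIUS: it parses frames in that format, derives each library's load base from its unresolved `(+0x...)` frames, and builds `addr2line` commands for every frame. The executable path `/usr/sbin/freeradius`, a non-PIE executable, and libraries whose first load segment starts at virtual address 0 are assumptions.

```python
import re
import shlex

# Constructed sample: frames taken from the backtrace above; one frame is
# hard-wrapped the way mail clients break long lines.
SAMPLE = """\
Backtrace of last 25 frames:
/usr/lib/freeradius/libfreeradius-radius.so(fr_fault+0x61)[0x7f56ae6cbc51]
/usr/lib/freeradius/libfreeradius-radius.so(+0x1505e)[0x7f56ae6d605e]
/usr/lib/freeradius/libfreeradius-server.so(+0x136b7)[0x7f56ae90a6b7]
/usr/lib/freeradius/libfreeradius-server.so(radius_map2vp+0x1ef)[0x7f56ae905
def]
freeradius[0x41f955]
freeradius(modcall+0x3d)[0x4204fd]
"""

# object(symbol+offset)[address]; the parenthesised part is optional and the
# symbol is empty when the frame could not be resolved at crash time.
FRAME_RE = re.compile(
    r"^(?P<obj>[^\s(\[]+)"
    r"(?:\((?P<sym>[^+)]*)(?:\+(?P<off>0x[0-9a-f]+))?\))?"
    r"\[(?P<addr>0x[0-9a-f]+)\]$",
    re.IGNORECASE,
)
FRAME_START_RE = re.compile(r"^[^\s(\[]+[(\[]")


def parse_backtrace(text):
    """Return one dict per frame, rejoining frames wrapped across lines."""
    frames, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and not FRAME_START_RE.match(line):
            continue  # banner or other non-frame output
        buf += line
        if not buf.endswith("]"):
            continue  # frame continues on the next line
        m = FRAME_RE.match(buf)
        buf = ""
        if m:
            frames.append({
                "obj": m["obj"],
                "sym": m["sym"] or None,
                "off": int(m["off"], 16) if m["off"] else None,
                "addr": int(m["addr"], 16),
            })
    return frames


def load_bases(frames):
    """Runtime address minus file offset of an unresolved frame = load base."""
    return {f["obj"]: f["addr"] - f["off"]
            for f in frames if f["sym"] is None and f["off"] is not None}


def file_address(frame, bases):
    """Address to hand to addr2line, or None if the load base is unknown."""
    if ".so" in frame["obj"]:
        base = bases.get(frame["obj"])
        return None if base is None else frame["addr"] - base
    return frame["addr"]  # assumption: non-PIE executable, absolute address


def addr2line_commands(frames, exe_path="/usr/sbin/freeradius"):
    """Build one addr2line command per resolvable frame (exe_path is assumed)."""
    bases = load_bases(frames)
    cmds = []
    for f in frames:
        addr = file_address(f, bases)
        if addr is None:
            continue
        path = f["obj"] if f["obj"].startswith("/") else exe_path
        cmds.append(f"addr2line -f -C -e {shlex.quote(path)} {addr:#x}")
    return cmds


if __name__ == "__main__":
    for cmd in addr2line_commands(parse_backtrace(SAMPLE)):
        print(cmd)
```

The commands only give meaningful function and line output when run against the same build that crashed, with its debug symbols installed.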


