Reply attribute in access-accept while doing eap-mschapv2
free.aaa
free.aaa at gmail.com
Sat May 24 10:13:34 CEST 2014
I removed all the update reply stuff from the config. And after a detailed
review of the debug output I see the Class attribute in some Access-Challenge
messages, but not in the Access-Accept.
Here is all the output from radiusd -X.
Received *Access-Request* Id 248 from 192.168.10.201:59882 to
192.168.10.191:1812 length 141
User-Name = 'temp'
NAS-Port-Type = Virtual
Service-Type = Framed-User
NAS-Port = 5
NAS-Port-Id = 'test1'
NAS-IP-Address = 192.168.10.234
Called-Station-Id = '192.168.10.234[4500]'
Calling-Station-Id = '93.80.16.38[4500]'
EAP-Message = 0x020000090174656d70
NAS-Identifier = 'gateway'
Message-Authenticator = 0x1b4fcfd646f936dceab6f4fddbc8f992
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (User-Name != "%{tolower:%{User-Name}}")
(0) EXPAND %{tolower:%{User-Name}}
(0) --> temp
(0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) if (User-Name =~ / /)
(0) if (User-Name =~ / /) -> FALSE
(0) if (User-Name =~ /@.*@/ )
(0) if (User-Name =~ /@.*@/ ) -> FALSE
(0) if (User-Name =~ /\\.\\./ )
(0) if (User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) if (User-Name =~ /\\.$/)
(0) if (User-Name =~ /\\.$/) -> FALSE
(0) if (User-Name =~ /@\\./)
(0) if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) update request {
(0) EXPAND %{User-Name}
(0) --> temp
(0) SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup
WHERE nasipaddress='192.168.10.201''
rlm_sql (sql): Released connection (4)
(0) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE
nasipaddress='%{Packet-Src-IP-Address}'}
(0) --> hVPN
(0) Huntgroup-Name := '"hVPN"'
(0) } # update request = noop
(0) switch &Huntgroup-Name {
(0) case hVPN {
(0) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")
(0) sql_groupcmp
(0) EXPAND %{User-Name}
(0) --> temp
(0) SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
(0) EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(0) --> SELECT groupname FROM radusergroup WHERE username = 'temp'
ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup
WHERE username = 'temp' ORDER BY priority'
(0) sql_groupcmp finished: User is a member of group vpn-usr
rlm_sql (sql): Released connection (4)
(0) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")
-> TRUE
(0) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") {
(0) [ok] = ok
(0) } # if (Service-Type == "Framed-User" && SQL-Group ==
"vpn-usr") = ok
(0) ... skipping elsif for request 0: Preceding "if" was taken
(0) ... skipping else for request 0: Preceding "if" was taken
(0) } # case hVPN = ok
(0) } # switch &Huntgroup-Name = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : No '@' in User-Name = "temp", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) eap : EAP packet type response id 0 length 9
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap : Peer sent Identity (1)
(0) eap : Calling eap_md5 to process EAP data
(0) eap_md5 : Issuing MD5 Challenge
(0) eap : New EAP session, adding 'State' attribute to reply
0x5df2a0505df3a42e
(0) [eap] = handled
(0) } # authenticate = handled
Sending *Access-Challenge* Id 248 from 192.168.10.191:1812 to
192.168.10.201:59882
EAP-Message = 0x010100160410155cc3fbd296329e1f248410d4b22746
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5df2a0505df3a42e07f74e7f5a56fbca
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 249 from 192.168.10.201:59882 to
192.168.10.191:1812 length 156
User-Name = 'temp'
NAS-Port-Type = Virtual
Service-Type = Framed-User
NAS-Port = 5
NAS-Port-Id = 'test1'
NAS-IP-Address = 192.168.10.234
Called-Station-Id = '192.168.10.234[4500]'
Calling-Station-Id = '93.80.16.38[4500]'
EAP-Message = 0x02010006031a
NAS-Identifier = 'gateway'
State = 0x5df2a0505df3a42e07f74e7f5a56fbca
Message-Authenticator = 0x379292a6a43305dfd5ba975c67efea76
(1) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) if (User-Name != "%{tolower:%{User-Name}}")
(1) EXPAND %{tolower:%{User-Name}}
(1) --> temp
(1) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(1) if (User-Name =~ / /)
(1) if (User-Name =~ / /) -> FALSE
(1) if (User-Name =~ /@.*@/ )
(1) if (User-Name =~ /@.*@/ ) -> FALSE
(1) if (User-Name =~ /\\.\\./ )
(1) if (User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(1) if (User-Name =~ /\\.$/)
(1) if (User-Name =~ /\\.$/) -> FALSE
(1) if (User-Name =~ /@\\./)
(1) if (User-Name =~ /@\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [preprocess] = ok
(1) update request {
(1) EXPAND %{User-Name}
(1) --> temp
(1) SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup
WHERE nasipaddress='192.168.10.201''
rlm_sql (sql): Released connection (4)
(1) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE
nasipaddress='%{Packet-Src-IP-Address}'}
(1) --> hVPN
(1) Huntgroup-Name := '"hVPN"'
(1) } # update request = noop
(1) switch &Huntgroup-Name {
(1) case hVPN {
(1) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")
(1) sql_groupcmp
(1) EXPAND %{User-Name}
(1) --> temp
(1) SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
(1) EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(1) --> SELECT groupname FROM radusergroup WHERE username = 'temp'
ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup
WHERE username = 'temp' ORDER BY priority'
(1) sql_groupcmp finished: User is a member of group vpn-usr
rlm_sql (sql): Released connection (4)
(1) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")
-> TRUE
(1) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") {
(1) [ok] = ok
(1) } # if (Service-Type == "Framed-User" && SQL-Group ==
"vpn-usr") = ok
(1) ... skipping elsif for request 1: Preceding "if" was taken
(1) ... skipping else for request 1: Preceding "if" was taken
(1) } # case hVPN = ok
(1) } # switch &Huntgroup-Name = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : No '@' in User-Name = "temp", looking up realm NULL
(1) suffix : No such realm "NULL"
(1) [suffix] = noop
(1) eap : EAP packet type response id 1 length 6
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) sql : EXPAND %{User-Name}
(1) sql : --> temp
(1) sql : SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
(1) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql : --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'temp' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value,
op FROM radcheck WHERE username = 'temp' ORDER BY id'
(1) sql : User found in radcheck table
(1) sql : Check items matched
(1) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql : --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'temp' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value,
op FROM radreply WHERE username = 'temp' ORDER BY id'
(1) sql : User found in radreply table
(1) sql : EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(1) sql : --> SELECT groupname FROM radusergroup WHERE username =
'temp' ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup
WHERE username = 'temp' ORDER BY priority'
(1) sql : User found in the group table
(1) sql : EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
(1) sql : --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY id'
(1) sql : Group "vpn-usr" check items matched
(1) sql : EXPAND SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id
(1) sql : --> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'vpn-usr' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname = 'vpn-usr' ORDER BY id'
(1) sql : Group "vpn-usr" reply items processed
rlm_sql (sql): Released connection (4)
(1) [sql] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) WARNING: pap : Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap : Expiring EAP session with state 0x5df2a0505df3a42e
(1) eap : Finished EAP session with state 0x5df2a0505df3a42e
(1) eap : Previous EAP request found for state 0x5df2a0505df3a42e,
released from the list
(1) eap : Peer sent NAK (3)
(1) eap : Found mutually acceptable type MSCHAPv2 (26)
(1) eap : Calling eap_mschapv2 to process EAP data
(1) eap_mschapv2 : Issuing Challenge
(1) eap : New EAP session, adding 'State' attribute to reply
0x5df2a0505cf0ba2e
(1) [eap] = handled
(1) } # authenticate = handled
Sending *Access-Challenge* Id 249 from 192.168.10.191:1812 to
192.168.10.201:59882
*Class* = 0x6d79636c617373
EAP-Message =
0x0102001e1a0102001910362d923290bd75ecc6814d14e491598774656d70
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5df2a0505cf0ba2e07f74e7f5a56fbca
(1) Finished request
Waking up in 0.3 seconds.
Received *Access-Request* Id 250 from 192.168.10.201:59882 to
192.168.10.191:1812 length 213
User-Name = 'temp'
NAS-Port-Type = Virtual
Service-Type = Framed-User
NAS-Port = 5
NAS-Port-Id = 'test1'
NAS-IP-Address = 192.168.10.234
Called-Station-Id = '192.168.10.234[4500]'
Calling-Station-Id = '93.80.16.38[4500]'
EAP-Message =
0x0202003f1a0202003a31440620e8b9a9a347ad6c2f345041ee5b000000000000000036451431ac5eebe501d403085a2c344aee284396153aaf210074656d70
NAS-Identifier = 'gateway'
State = 0x5df2a0505cf0ba2e07f74e7f5a56fbca
Message-Authenticator = 0x8e5b760a40c5c11205c4f6348f947c66
(2) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(2) authorize {
(2) filter_username filter_username {
(2) if (User-Name != "%{tolower:%{User-Name}}")
(2) EXPAND %{tolower:%{User-Name}}
(2) --> temp
(2) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(2) if (User-Name =~ / /)
(2) if (User-Name =~ / /) -> FALSE
(2) if (User-Name =~ /@.*@/ )
(2) if (User-Name =~ /@.*@/ ) -> FALSE
(2) if (User-Name =~ /\\.\\./ )
(2) if (User-Name =~ /\\.\\./ ) -> FALSE
(2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(2) if (User-Name =~ /\\.$/)
(2) if (User-Name =~ /\\.$/) -> FALSE
(2) if (User-Name =~ /@\\./)
(2) if (User-Name =~ /@\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) [preprocess] = ok
(2) update request {
(2) EXPAND %{User-Name}
(2) --> temp
(2) SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup
WHERE nasipaddress='192.168.10.201''
rlm_sql (sql): Released connection (4)
(2) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE
nasipaddress='%{Packet-Src-IP-Address}'}
(2) --> hVPN
(2) Huntgroup-Name := '"hVPN"'
(2) } # update request = noop
(2) switch &Huntgroup-Name {
(2) case hVPN {
(2) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")
(2) sql_groupcmp
(2) EXPAND %{User-Name}
(2) --> temp
(2) SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
(2) EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(2) --> SELECT groupname FROM radusergroup WHERE username = 'temp'
ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup
WHERE username = 'temp' ORDER BY priority'
(2) sql_groupcmp finished: User is a member of group vpn-usr
rlm_sql (sql): Released connection (4)
(2) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")
-> TRUE
(2) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") {
(2) [ok] = ok
(2) } # if (Service-Type == "Framed-User" && SQL-Group ==
"vpn-usr") = ok
(2) ... skipping elsif for request 2: Preceding "if" was taken
(2) ... skipping else for request 2: Preceding "if" was taken
(2) } # case hVPN = ok
(2) } # switch &Huntgroup-Name = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix : No '@' in User-Name = "temp", looking up realm NULL
(2) suffix : No such realm "NULL"
(2) [suffix] = noop
(2) eap : EAP packet type response id 2 length 63
(2) eap : No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) sql : EXPAND %{User-Name}
(2) sql : --> temp
(2) sql : SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
(2) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(2) sql : --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'temp' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value,
op FROM radcheck WHERE username = 'temp' ORDER BY id'
(2) sql : User found in radcheck table
(2) sql : Check items matched
(2) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(2) sql : --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'temp' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value,
op FROM radreply WHERE username = 'temp' ORDER BY id'
(2) sql : User found in radreply table
(2) sql : EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(2) sql : --> SELECT groupname FROM radusergroup WHERE username =
'temp' ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup
WHERE username = 'temp' ORDER BY priority'
(2) sql : User found in the group table
(2) sql : EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
(2) sql : --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY id'
(2) sql : Group "vpn-usr" check items matched
(2) sql : EXPAND SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id
(2) sql : --> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'vpn-usr' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname = 'vpn-usr' ORDER BY id'
(2) sql : Group "vpn-usr" reply items processed
rlm_sql (sql): Released connection (4)
(2) [sql] = ok
(2) [expiration] = noop
(2) [logintime] = noop
(2) WARNING: pap : Auth-Type already set. Not setting to PAP
(2) [pap] = noop
(2) } # authorize = updated
(2) Found Auth-Type = EAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap : Expiring EAP session with state 0x5df2a0505cf0ba2e
(2) eap : Finished EAP session with state 0x5df2a0505cf0ba2e
(2) eap : Previous EAP request found for state 0x5df2a0505cf0ba2e,
released from the list
(2) eap : Peer sent MSCHAPv2 (26)
(2) eap : EAP MSCHAPv2 (26)
(2) eap : Calling eap_mschapv2 to process EAP data
(2) eap_mschapv2 : # Executing group from file
/usr/local/etc/raddb/sites-enabled/default
(2) eap_mschapv2 : Auth-Type MS-CHAP {
(2) mschap : Found Cleartext-Password, hashing to create LM-Password
(2) mschap : Found Cleartext-Password, hashing to create NT-Password
(2) mschap : Creating challenge hash with username: temp
(2) mschap : Client is using MS-CHAPv2
(2) mschap : Adding MS-CHAPv2 MPPE keys
(2) [mschap] = ok
(2) } # Auth-Type MS-CHAP = ok
MSCHAP Success
(2) eap : New EAP session, adding 'State' attribute to reply
0x5df2a0505ff1ba2e
(2) [eap] = handled
(2) } # authenticate = handled
Sending *Access-Challenge* Id 250 from 192.168.10.191:1812 to
192.168.10.201:59882
*Class* = 0x6d79636c617373
EAP-Message =
0x010300331a0302002e533d37433431313734354230434342434642433642443939384239313546374639354339443630303232
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5df2a0505ff1ba2e07f74e7f5a56fbca
(2) Finished request
Waking up in 0.3 seconds.
Received *Access-Request* Id 251 from 192.168.10.201:59882 to
192.168.10.191:1812 length 156
User-Name = 'temp'
NAS-Port-Type = Virtual
Service-Type = Framed-User
NAS-Port = 5
NAS-Port-Id = 'test1'
NAS-IP-Address = 192.168.10.234
Called-Station-Id = '192.168.10.234[4500]'
Calling-Station-Id = '93.80.16.38[4500]'
EAP-Message = 0x020300061a03
NAS-Identifier = 'gateway'
State = 0x5df2a0505ff1ba2e07f74e7f5a56fbca
Message-Authenticator = 0x0651a29f80e0bee2a19fcbb7e6d6e58a
(3) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(3) authorize {
(3) filter_username filter_username {
(3) if (User-Name != "%{tolower:%{User-Name}}")
(3) EXPAND %{tolower:%{User-Name}}
(3) --> temp
(3) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(3) if (User-Name =~ / /)
(3) if (User-Name =~ / /) -> FALSE
(3) if (User-Name =~ /@.*@/ )
(3) if (User-Name =~ /@.*@/ ) -> FALSE
(3) if (User-Name =~ /\\.\\./ )
(3) if (User-Name =~ /\\.\\./ ) -> FALSE
(3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(3) if (User-Name =~ /\\.$/)
(3) if (User-Name =~ /\\.$/) -> FALSE
(3) if (User-Name =~ /@\\./)
(3) if (User-Name =~ /@\\./) -> FALSE
(3) } # filter_username filter_username = notfound
(3) [preprocess] = ok
(3) update request {
(3) EXPAND %{User-Name}
(3) --> temp
(3) SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup
WHERE nasipaddress='192.168.10.201''
rlm_sql (sql): Released connection (4)
(3) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE
nasipaddress='%{Packet-Src-IP-Address}'}
(3) --> hVPN
(3) Huntgroup-Name := '"hVPN"'
(3) } # update request = noop
(3) switch &Huntgroup-Name {
(3) case hVPN {
(3) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")
(3) sql_groupcmp
(3) EXPAND %{User-Name}
(3) --> temp
(3) SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
(3) EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(3) --> SELECT groupname FROM radusergroup WHERE username = 'temp'
ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup
WHERE username = 'temp' ORDER BY priority'
(3) sql_groupcmp finished: User is a member of group vpn-usr
rlm_sql (sql): Released connection (4)
(3) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")
-> TRUE
(3) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") {
(3) [ok] = ok
(3) } # if (Service-Type == "Framed-User" && SQL-Group ==
"vpn-usr") = ok
(3) ... skipping elsif for request 3: Preceding "if" was taken
(3) ... skipping else for request 3: Preceding "if" was taken
(3) } # case hVPN = ok
(3) } # switch &Huntgroup-Name = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix : No '@' in User-Name = "temp", looking up realm NULL
(3) suffix : No such realm "NULL"
(3) [suffix] = noop
(3) eap : EAP packet type response id 3 length 6
(3) eap : EAP-MSCHAPV2 success, returning short-circuit ok
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap : Expiring EAP session with state 0x5df2a0505ff1ba2e
(3) eap : Finished EAP session with state 0x5df2a0505ff1ba2e
(3) eap : Previous EAP request found for state 0x5df2a0505ff1ba2e,
released from the list
(3) eap : Peer sent MSCHAPv2 (26)
(3) eap : EAP MSCHAPv2 (26)
(3) eap : Calling eap_mschapv2 to process EAP data
(3) eap : Freeing handler
(3) [eap] = ok
(3) } # authenticate = ok
(3) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
(3) post-auth {
(3) sql : EXPAND .query
(3) sql : --> .query
(3) sql : Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(3) sql : EXPAND %{User-Name}
(3) sql : --> temp
(3) sql : SQL-User-Name set to 'temp'
(3) sql : EXPAND INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( '%{SQL-User-Name}',
'%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(3) sql : --> INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'temp', '', 'Access-Accept', '2014-05-24 16:02:04')
rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES ( 'temp', '', 'Access-Accept', '2014-05-24
16:02:04')'
rlm_sql (sql): Released connection (4)
(3) [sql] = ok
(3) [exec] = noop
(3) remove_reply_message_if_eap remove_reply_message_if_eap {
(3) if (reply:EAP-Message && reply:Reply-Message)
(3) if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(3) else else {
(3) [noop] = noop
(3) } # else else = noop
(3) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(3) } # post-auth = ok
Sending *Access-Accept* Id 251 from 192.168.10.191:1812 to
192.168.10.201:59882
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
MS-MPPE-Send-Key = 0x49955e70c686fcc5f62abd7bac225266
MS-MPPE-Recv-Key = 0x74a2ad3fd3b60c672a35d5c5ad028f3c
EAP-Message = 0x03030004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'temp'
(3) Finished request
Waking up in 0.2 seconds.
Waking up in 4.6 seconds.
(0) Cleaning up request packet ID 248 with timestamp +15
(1) Cleaning up request packet ID 249 with timestamp +15
(2) Cleaning up request packet ID 250 with timestamp +15
(3) Cleaning up request packet ID 251 with timestamp +15
Ready to process requests.
On 23.05.2014 19:27, Alan DeKok wrote:
> free.aaa wrote:
>> Request does not contain Class attribute indeed.
> You didn't show that in the debug log.
>
>> I thought that by using
>> construction like:
>>> update reply {
>>> Class = "%{Class}"
>>> }
>> I can grab that attribute from the mysql radreply table and insert it in the
>> reply.
> That comment makes no sense.
>
>> Anyway, why do attributes from radreply not get inserted into the
>> Access-Accept when using EAP-MSCHAPv2 by default?
> They should be.
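As an added example, not code from the post or from the FreeRADIUS project, here is a small Python parser for `radiusd -X` output that summarises each request: which modules returned a result in which section, whether the eap module short-circuited authorize, and which attributes ended up in the reply packet. Run over a constructed excerpt of the log above (same request sequence, hex values shortened, the second MSCHAPv2 round omitted), it makes visible what the full output already shows: sql ran in authorize for the inner EAP rounds and Class appeared in those Access-Challenges, while in the final round eap short-circuited authorize before sql ran, and the Access-Accept carries no Class (the sql result seen there is the post-auth one). The regular expressions and the `RequestSummary` layout are my own assumptions about the 3.0.x debug format, not anything the project documents.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the radiusd -X output quoted above: same
# request sequence and module results, hex values shortened, other lines dropped.
SAMPLE_LOG = """\
Received Access-Request Id 248 from 192.168.10.201:59882 to 192.168.10.191:1812 length 141
(0) authorize {
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
Sending Access-Challenge Id 248 from 192.168.10.191:1812 to 192.168.10.201:59882
EAP-Message = 0x010100160410
(0) Finished request
Received Access-Request Id 249 from 192.168.10.201:59882 to 192.168.10.191:1812 length 156
(1) authorize {
(1) [eap] = updated
(1) sql : User found in radreply table
(1) [sql] = ok
(1) } # authorize = updated
Sending Access-Challenge Id 249 from 192.168.10.191:1812 to 192.168.10.201:59882
Class = 0x6d79636c617373
EAP-Message = 0x0102001e1a
(1) Finished request
Received Access-Request Id 251 from 192.168.10.201:59882 to 192.168.10.191:1812 length 156
(3) authorize {
(3) eap : EAP-MSCHAPV2 success, returning short-circuit ok
(3) [eap] = ok
(3) } # authorize = ok
(3) post-auth {
(3) [sql] = ok
(3) } # post-auth = ok
Sending Access-Accept Id 251 from 192.168.10.191:1812 to 192.168.10.201:59882
MS-MPPE-Send-Key = 0x49955e70
EAP-Message = 0x03030004
User-Name = 'temp'
(3) Finished request
"""

# Assumed line shapes of the 3.0.x debug output (not a documented format).
RECEIVED = re.compile(r"^Received (\S+) Id (\d+) ")
SENDING = re.compile(r"^Sending (\S+) Id (\d+) ")
REQLINE = re.compile(r"^\((\d+)\) (.*)$")
SECTION_START = re.compile(r"^(authorize|authenticate|post-auth) \{$")
SECTION_END = re.compile(r"^\} # (authorize|authenticate|post-auth) = ")
MODULE_RESULT = re.compile(r"^\[(\w+)\] = \w+$")
ATTR = re.compile(r"^([\w-]+) = (.*)$")


@dataclass
class RequestSummary:
    packet_id: int
    number: int | None = None
    modules: dict = field(default_factory=dict)      # section -> [module, ...]
    eap_short_circuit: bool = False
    reply_type: str | None = None
    reply_attrs: dict = field(default_factory=dict)  # attribute -> value as printed

    def ran(self, module: str, section: str) -> bool:
        return module in self.modules.get(section, [])


def parse_debug_log(text: str) -> list[RequestSummary]:
    """Split radiusd -X output into one RequestSummary per received packet."""
    summaries, current, section, in_reply = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if m := RECEIVED.match(line):          # new request: reset per-request state
            current = RequestSummary(packet_id=int(m.group(2)))
            summaries.append(current)
            section, in_reply = None, False
        elif current is None:
            continue
        elif m := SENDING.match(line):         # attribute lines that follow are the reply
            current.reply_type, in_reply = m.group(1), True
        elif m := REQLINE.match(line):         # "(N) ..." lines: sections, module results
            current.number, body = int(m.group(1)), m.group(2)
            if ms := SECTION_START.match(body):
                section = ms.group(1)
            elif SECTION_END.match(body):
                section = None
            elif (mr := MODULE_RESULT.match(body)) and section:
                current.modules.setdefault(section, []).append(mr.group(1))
            elif "short-circuit" in body:
                current.eap_short_circuit = True
            elif body == "Finished request":
                in_reply = False
        elif in_reply and (m := ATTR.match(line)):
            current.reply_attrs[m.group(1)] = m.group(2)
    return summaries


def replies_missing(summaries, attr="Class", packet_type="Access-Accept"):
    """Packet IDs of replies of `packet_type` that do not carry `attr`."""
    return [s.packet_id for s in summaries
            if s.reply_type == packet_type and attr not in s.reply_attrs]


if __name__ == "__main__":
    parsed = parse_debug_log(SAMPLE_LOG)
    for s in parsed:
        print(f"({s.number}) Id {s.packet_id} {s.reply_type}: sql@authorize="
              f"{s.ran('sql', 'authorize')} eap_short_circuit={s.eap_short_circuit} "
              f"Class={'Class' in s.reply_attrs}")
    print("Access-Accept without Class:", replies_missing(parsed))
```

Pointing the parser at a full `radiusd -X` capture (after stripping any mail-client emphasis marks from the `Sending` lines) gives the same per-request table, which is quicker to read than the raw log when checking which section a reply attribute actually came from.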