ldap attribute update

Anirudh Malhotra 8zero2ops at gmail.com
Thu Mar 31 06:29:41 CEST 2016


Hi Alan,

Sorry for making you angry, but I am looking at the debug logs very
carefully from the starting. I had to take permissions to post them here,
That is why I was asking those questions. Again I apologise for asking
probably wrong questions, I just thought the thing I posted was enough. But
here is the debug in which ldap module is called and unlang is called, if
you could please help me in finding my mistake, I have marked to relevant
information in red

Waking up in 4.9 seconds.
(8) Received Access-Request Id 150 from XXXXXXX:32769 to XXXXXXX:1812
length 337
(8)   User-Name = "XXXXXXX"
(8)   Chargeable-User-Identity = 0x00
(8)   Location-Capable = Civix-Location
(8)   Calling-Station-Id = "XXXXXXX"
(8)   Called-Station-Id = "XXXXXXX"
(8)   NAS-Port = 4
(8)   Cisco-AVPair = "audit-session-id=0a40c60a002395c88e03fc56"
(8)   Acct-Session-Id = "56fc038e/XXXXXXX/1349574"
(8)   NAS-IP-Address = XXXXXXX
(8)   NAS-Identifier = "XXXXXXX"
(8)   Airespace-Wlan-Id = 34
(8)   Service-Type = Framed-User
(8)   Framed-MTU = 1300
(8)   NAS-Port-Type = Wireless-802.11
(8)   Tunnel-Type:0 = VLAN
(8)   Tunnel-Medium-Type:0 = IEEE-802
(8)   Tunnel-Private-Group-Id:0 = "XXXXXXX"
(8)   EAP-Message =
0x0208002b1900170301002056f3330d56a405e14a56351e0016809d0fa578294eb6a15607f6e1b7d13d1fc8
(8)   State = 0xe36bb03de563a931219d4aaf40ddcdc2
(8)   Message-Authenticator = 0xbb491e6269085a6550c988322b7a5122
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(8)   authorize {
(8)     policy filter_username {
(8)       update control {
(8)         linelogvar := "request_attrs"
(8)       } # update control = noop
(8) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
(8) linelog:    --> messages.request_attrs
(8) linelog: EXPAND /usr/local/var/log/radius/linelog
(8) linelog:    --> /usr/local/var/log/radius/linelog
(8) linelog: EXPAND
%{User-Name},%{Calling-Station-Id},%{Called-Station-Id},%{NAS-Port},%{Acct-Session-Id},%{NAS-IP-Address},%{NAS-Identifier},%{Airespace-Wlan-Id},%{Service-Type},%{Framed-MTU},%{NAS-Port-Type},%{Tunnel-Type:0},%{Tunnel-Medium-Type:0},%{Tunnel-Private-Group-Id:0},%T,%{md5:%T,%{Calling-Station-Id}}
(8) linelog:    -->
XXXXXXX,XXXXXXX,XXXXXXX,4,56fc038e/XXXXXXX/1349574,XXXXXXX,XXXXXXX,34,Framed-User,1300,Wireless-802.11,VLAN,IEEE-802,XXXXXXX,2016-03-30-22.18.47.000000,e042f9def033579c3d4e304b73cd31db
(8)       [linelog] = ok
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = ok
(8)       if ((User-Name =~
/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i)
&&  (Service-Type == "Call-Check" )) {
(8)       if ((User-Name =~
/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i)
&&  (Service-Type == "Call-Check" ))  -> FALSE
(8)     } # policy filter_username = ok
(8)     [preprocess] = ok
(8) auth_log: EXPAND
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(8) auth_log:    -->
/usr/local/var/log/radius/radacct/XXXXXXX/auth-detail-20160330
(8) auth_log:
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/XXXXXXX/auth-detail-20160330
(8) auth_log: EXPAND %t
(8) auth_log:    --> Wed Mar 30 22:18:47 2016
(8)     [auth_log] = ok
(8)     [chap] = noop
(8)     [mschap] = noop
(8)     [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "XXXXXXX", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 43
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0x1752f35a175af5a6
(8) eap: Finished EAP session with state 0xe36bb03de563a931
(8) eap: Previous EAP request found for state 0xe36bb03de563a931, released
from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method GTC (6)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message = 0x0208000f064b6170696c4031333839
(8) eap_peap: Setting User-Name to XXXXXXX
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap:   EAP-Message = 0x0208000f064b6170696c4031333839
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = "XXXXXXX"
(8) eap_peap:   State = 0x1752f35a175af5a68cefacfb12f667e9
(8) Virtual server inner-tunnel received request
(8)   EAP-Message = 0x0208000f064b6170696c4031333839
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "XXXXXXX"
(8)   State = 0x1752f35a175af5a68cefacfb12f667e9
(8) WARNING: Outer and inner identities are the same.  User privacy is
compromised.
(8) server inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(8)     authorize {
(8)       policy filter_username {
(8)         update control {
(8)           linelogvar := "request_attrs"
(8)         } # update control = noop
(8) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
(8) linelog:    --> messages.request_attrs
(8) linelog: EXPAND /usr/local/var/log/radius/linelog
(8) linelog:    --> /usr/local/var/log/radius/linelog
(8) linelog: EXPAND
%{User-Name},%{Calling-Station-Id},%{Called-Station-Id},%{NAS-Port},%{Acct-Session-Id},%{NAS-IP-Address},%{NAS-Identifier},%{Airespace-Wlan-Id},%{Service-Type},%{Framed-MTU},%{NAS-Port-Type},%{Tunnel-Type:0},%{Tunnel-Medium-Type:0},%{Tunnel-Private-Group-Id:0},%T,%{md5:%T,%{Calling-Station-Id}}
(8) linelog:    -->
XXXXXXX,,,,,,,,,,,,,,2016-03-30-22.18.47.000000,c13a6b07eeffc487a39e58a748bcce06
(8)         [linelog] = ok
(8)         if (&User-Name) {
(8)         if (&User-Name)  -> TRUE
(8)         if (&User-Name)  {
(8)           if (&User-Name =~ / /) {
(8)           if (&User-Name =~ / /)  -> FALSE
(8)           if (&User-Name =~ /@[^@]*@/ ) {
(8)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)           if (&User-Name =~ /\.\./ ) {
(8)           if (&User-Name =~ /\.\./ )  -> FALSE
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(8)           if (&User-Name =~ /\.$/)  {
(8)           if (&User-Name =~ /\.$/)   -> FALSE
(8)           if (&User-Name =~ /@\./)  {
(8)           if (&User-Name =~ /@\./)   -> FALSE
(8)         } # if (&User-Name)  = ok
(8)         if ((User-Name =~
/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i)
&&  (Service-Type == "Call-Check" )) {
(8)         if ((User-Name =~
/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i)
&&  (Service-Type == "Call-Check" ))  -> FALSE
(8)       } # policy filter_username = ok
(8)       [chap] = noop
(8)       [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "XXXXXXX", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)       [suffix] = noop
(8)       update control {
(8)         &Proxy-To-Realm := LOCAL
(8)       } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 15
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8)       [eap] = updated
(8)       [files] = noop
(8) sql: EXPAND %{User-Name}
(8) sql:    --> XXXXXXX
(8) sql: SQL-User-Name set to 'XXXXXXX'
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 76
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 76
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 76
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 76
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 76
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 76
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_sql (sql): Opening additional connection (6), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 5.5.48-MariaDB, protocol version 10
rlm_sql (sql): Reserved connection (6)
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql:    --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'XXXXXXX' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'XXXXXXX' ORDER BY id
(8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(8) sql:    --> SELECT groupname FROM radusergroup WHERE username =
'XXXXXXX' ORDER BY priority
(8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = 'XXXXXXX' ORDER BY priority
(8) sql: User not found in any groups
rlm_sql (sql): Released connection (6)
rlm_sql (sql): Need 2 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (7), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 5.5.48-MariaDB, protocol version 10
(8)       [sql] = notfound
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 76
seconds
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 76
seconds
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 76
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 76
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 76
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to XXXXXXX
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed.
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (5)
(8) ldap: EXPAND
(|(mail=%{%{Stripped-User-Name}:-%{User-Name}})(mailEquivalentAddress=%{%{Stripped-User-Name}:-%{User-Name}})(uid=%{%{Stripped-User-Name}:-%{User-Name}}))
(8) ldap:    -->
(|(mail=XXXXXXX)(mailEquivalentAddress=XXXXXXX)(uid=XXXXXXX))
(8) ldap: Performing search in "o=nic.in,dc=nic,dc=in" with filter
"(|(mail=XXXXXXX)(mailEquivalentAddress=XXXXXXX)(uid=XXXXXXX))", scope "sub"
(8) ldap: Waiting for search result...
ber_get_next failed.
ber_get_next failed.
(8) ldap: User object found at DN "uid=XXXXXXX,ou=XXXXXXX"
(8) ldap: Processing user attributes
(8) ldap: control:wifi := '7'
(8) ldap: WARNING: No "known good" password added. Ensure the admin user
has permission to read the password attribute
(8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
(if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (5)
rlm_ldap (ldap): Need 2 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 31 pending slots
used
rlm_ldap (ldap): Connecting to XXXXXXX
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed.
rlm_ldap (ldap): Bind successful
(8)       [ldap] = updated
(8)       [expiration] = noop
(8)       [logintime] = noop
(8)       [pap] = noop
(8)     } # authorize = updated
(8)   Found Auth-Type = eap
(8)   # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(8)     authenticate {
(8) eap: Expiring EAP session with state 0x1752f35a175af5a6
(8) eap: Finished EAP session with state 0x1752f35a175af5a6
(8) eap: Previous EAP request found for state 0x1752f35a175af5a6, released
from the list
(8) eap: Peer sent packet with method EAP GTC (6)
(8) eap: Calling submodule eap_gtc to process data
(8) eap_gtc: # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) eap_gtc:   Auth-Type LDAP {
rlm_ldap (ldap): Reserved connection (5)
(8) ldap: Login attempt by "XXXXXXX"
(8) ldap: Using user DN from request "uid=XXXXXXX,ou=XXXXXXX"
(8) ldap: Waiting for bind result...
ber_get_next failed.
(8) ldap: Bind successful
(8) ldap: Bind as user "uid=XXXXXXX,ou=XXXXXXX" was successful
rlm_ldap (ldap): Released connection (5)
(8)     [ldap] = ok
(8)   } # Auth-Type LDAP = ok
(8) eap: Sending EAP Success (code 3) ID 8 length 4
(8) eap: Freeing handler
(8)       [eap] = ok
(8)     } # authenticate = ok
(8)   # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(8)     post-auth {
(8) sql: EXPAND .query
(8) sql:    --> .query
(8) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (6)
(8) sql: EXPAND %{User-Name}
(8) sql:    --> XXXXXXX
(8) sql: SQL-User-Name set to 'XXXXXXX'
(8) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(8) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'XXXXXXX', 'XXXXXXX', 'Access-Accept', '2016-03-30 22:18:47')
(8) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'XXXXXXX', 'XXXXXXX', 'Access-Accept', '2016-03-30
22:18:47')
(8) sql: SQL query returned: success
(8) sql: 1 record(s) updated
rlm_sql (sql): Released connection (6)
(8)       [sql] = ok
(8)     } # post-auth = ok
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8)   EAP-Message = 0x03080004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   User-Name = "XXXXXXX"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap:   EAP-Message = 0x03080004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap:   User-Name = "XXXXXXX"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap:   EAP-Message = 0x03080004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap:   User-Name = "XXXXXXX"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap: Sending EAP Request (code 1) ID 9 length 43
(8) eap: EAP session adding &reply:State = 0xe36bb03de462a931
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found.  Ignoring.
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8) Sent Access-Challenge Id 150 from XXXXXXX:1812 to XXXXXXX:32769 length 0
(8)   EAP-Message =
0x0109002b19001703010020a745019fca4818ea30f0e0f6e52566ddef61d8e0063d7cd291953cce65163e37
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0xe36bb03de462a931219d4aaf40ddcdc2
(8) Finished request
Waking up in 4.8 seconds.
(9) Received Access-Request Id 151 from XXXXXXX:32769 to XXXXXXX:1812
length 337
(9)   User-Name = "XXXXXXX"
(9)   Chargeable-User-Identity = 0x00
(9)   Location-Capable = Civix-Location
(9)   Calling-Station-Id = "XXXXXXX"
(9)   Called-Station-Id = "XXXXXXX"
(9)   NAS-Port = 4
(9)   Cisco-AVPair = "audit-session-id=0a40c60a002395c88e03fc56"
(9)   Acct-Session-Id = "56fc038e/XXXXXXX/1349574"
(9)   NAS-IP-Address = XXXXXXX
(9)   NAS-Identifier = "XXXXXXX"
(9)   Airespace-Wlan-Id = 34
(9)   Service-Type = Framed-User
(9)   Framed-MTU = 1300
(9)   NAS-Port-Type = Wireless-802.11
(9)   Tunnel-Type:0 = VLAN
(9)   Tunnel-Medium-Type:0 = IEEE-802
(9)   Tunnel-Private-Group-Id:0 = "XXXXXXX"
(9)   EAP-Message =
0x0209002b19001703010020aa02bff51b2622bd8427c864799bae941f9eda6e20db96dbfe5192cbcd424504
(9)   State = 0xe36bb03de462a931219d4aaf40ddcdc2
(9)   Message-Authenticator = 0x56d99d69897d457fa7537c194a490584
(9) session-state: No cached attributes
(9) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(9)   authorize {
(9)     policy filter_username {
(9)       update control {
(9)         linelogvar := "request_attrs"
(9)       } # update control = noop
(9) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
(9) linelog:    --> messages.request_attrs
(9) linelog: EXPAND /usr/local/var/log/radius/linelog
(9) linelog:    --> /usr/local/var/log/radius/linelog
(9) linelog: EXPAND
%{User-Name},%{Calling-Station-Id},%{Called-Station-Id},%{NAS-Port},%{Acct-Session-Id},%{NAS-IP-Address},%{NAS-Identifier},%{Airespace-Wlan-Id},%{Service-Type},%{Framed-MTU},%{NAS-Port-Type},%{Tunnel-Type:0},%{Tunnel-Medium-Type:0},%{Tunnel-Private-Group-Id:0},%T,%{md5:%T,%{Calling-Station-Id}}
(9) linelog:    -->
XXXXXXX,XXXXXXX,XXXXXXX,4,56fc038e/XXXXXXX/1349574,XXXXXXX,XXXXXXX,34,Framed-User,1300,Wireless-802.11,VLAN,IEEE-802,XXXXXXX,2016-03-30-22.18.47.000000,e042f9def033579c3d4e304b73cd31db
(9)       [linelog] = ok
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = ok
(9)       if ((User-Name =~
/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i)
&&  (Service-Type == "Call-Check" )) {
(9)       if ((User-Name =~
/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i)
&&  (Service-Type == "Call-Check" ))  -> FALSE
(9)     } # policy filter_username = ok
(9)     [preprocess] = ok
(9) auth_log: EXPAND
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(9) auth_log:    -->
/usr/local/var/log/radius/radacct/XXXXXXX/auth-detail-20160330
(9) auth_log:
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/XXXXXXX/auth-detail-20160330
(9) auth_log: EXPAND %t
(9) auth_log:    --> Wed Mar 30 22:18:47 2016
(9)     [auth_log] = ok
(9)     [chap] = noop
(9)     [mschap] = noop
(9)     [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "XXXXXXX", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 9 length 43
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(9)   authenticate {
(9) eap: Expiring EAP session with state 0xe36bb03de462a931
(9) eap: Finished EAP session with state 0xe36bb03de462a931
(9) eap: Previous EAP request found for state 0xe36bb03de462a931, released
from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: No information to cache: session caching will be disabled for
session 189621f6108cf110e1734e2e6926c30fac3d3204884d0327242e3ab13243de13
(9) eap: Sending EAP Success (code 3) ID 9 length 4
(9) eap: Freeing handler
(9)     [eap] = ok
(9)   } # authenticate = ok
(9) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
(9)   post-auth {
(9)     update {
(9)       No attributes updated
(9)     } # update = noop
(9)     if ((User-Name =~
/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i)
&& (Service-Type == "Call-Check")) {
(9)     if ((User-Name =~
/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i)
&& (Service-Type == "Call-Check"))  -> FALSE
(9)     elsif ((Called-Station-Id =~ /XXXXXXX$/) && (("%{control:wifi}" ==
"7") || ("%{control:wifi}" == "5"))) {
(9)     ERROR: Failed retrieving values required to evaluate condition
(9)     else {
(9)       [reject] = reject
(9)     } # else = reject
(9)   } # post-auth = reject
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(9)   Post-Auth-Type REJECT {
(9)     if ("%{control:linelogvar}" == "auth_type_pap"){
(9)     if ("%{control:linelogvar}" == "auth_type_pap") -> FALSE
(9)     update control {
(9)       linelogvar := "Access-Reject"
(9)     } # update control = noop
(9) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
(9) linelog:    --> messages.Access-Reject
(9) linelog: EXPAND /usr/local/var/log/radius/linelog
(9) linelog:    --> /usr/local/var/log/radius/linelog
(9) linelog: EXPAND %{md5:%T,%{Calling-Station-Id}} Result: Authentication
Failed,Access-Reject
(9) linelog:    --> e042f9def033579c3d4e304b73cd31db Result: Authentication
Failed,Access-Reject
(9)     [linelog] = ok
(9)     update control {
(9)       linelogvar := "auth_result_reject_log"
(9)     } # update control = noop
(9) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
(9) linelog:    --> messages.auth_result_reject_log
(9) linelog: EXPAND /usr/local/var/log/radius/linelog
(9) linelog:    --> /usr/local/var/log/radius/linelog
(9) linelog: EXPAND
Access-Request,%T,%{User-Name},%{Calling-Station-Id},%{NAS-IP-Address},%{NAS-Identifier},%{md5:%T,%{Calling-Station-Id}},Authentication
Failed,%{Called-Station-Id}
(9) linelog:    -->
Access-Request,2016-03-30-22.18.47.000000,XXXXXXX,XXXXXXX,XXXXXXX,XXXXXXX,e042f9def033579c3d4e304b73cd31db,Authentication
Failed,XXXXXXX
(9)     [linelog] = ok
(9)     update control {
(9)       linelogvar := "empty_line"
(9)     } # update control = noop
(9) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
(9) linelog:    --> messages.empty_line
(9) linelog: EXPAND /usr/local/var/log/radius/linelog
(9) linelog:    --> /usr/local/var/log/radius/linelog
(9) linelog: EXPAND
(9) linelog:    -->
(9)     [linelog] = ok
(9) sql: EXPAND .query
(9) sql:    --> .query
(9) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (7)
(9) sql: EXPAND %{User-Name}
(9) sql:    --> XXXXXXX
(9) sql: SQL-User-Name set to 'XXXXXXX'
(9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(9) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'XXXXXXX', '', 'Access-Accept', '2016-03-30 22:18:47')
(9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'XXXXXXX', '', 'Access-Accept', '2016-03-30 22:18:47')
(9) sql: SQL query returned: success
(9) sql: 1 record(s) updated
rlm_sql (sql): Released connection (7)
(9)     [sql] = ok
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject:    --> XXXXXXX
(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
(9)     [attr_filter.access_reject] = updated
(9)     [eap] = noop
(9)     policy remove_reply_message_if_eap {
(9)       if (&reply:EAP-Message && &reply:Reply-Message) {
(9)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(9)       else {
(9)         [noop] = noop
(9)       } # else = noop
(9)     } # policy remove_reply_message_if_eap = noop
(9)   } # Post-Auth-Type REJECT = updated
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(9) Sending delayed response
(9) Sent Access-Reject Id 151 from XXXXXXX:1812 to XXXXXXX:32769 length 44
(9)   EAP-Message = 0x03090004
(9)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
(1) Cleaning up request packet ID 143 with timestamp +76
(2) Cleaning up request packet ID 144 with timestamp +76
(3) Cleaning up request packet ID 145 with timestamp +76
(4) Cleaning up request packet ID 146 with timestamp +76
(5) Cleaning up request packet ID 147 with timestamp +76
(6) Cleaning up request packet ID 148 with timestamp +76
(7) Cleaning up request packet ID 149 with timestamp +76
Waking up in 0.1 seconds.
(8) Cleaning up request packet ID 150 with timestamp +76
(9) Cleaning up request packet ID 151 with timestamp +76


ldap config
ldap {
update {
                control:Password-With-Header    += 'userPassword'
                control:wifi                 := 'wifi'
#               control:NT-Password             := 'ntPassword'
#               reply:Reply-Message             := 'radiusReplyMessage'
#               reply:Tunnel-Type               := 'radiusTunnelType'
#               reply:Tunnel-Medium-Type        := 'radiusTunnelMediumType'
#               reply:Tunnel-Private-Group-ID   :=
'radiusTunnelPrivategroupId'

                #  Where only a list is specified as the RADIUS attribute,
                #  the value of the LDAP attribute is parsed as a valuepair
                #  in the same format as the 'valuepair_attribute' (above).
                control:                        += 'radiusControlAttribute'
                request:                        += 'radiusRequestAttribute'
                reply:                          += 'radiusReplyAttribute'
        }
}


I tried using xlat also but that also is not helping.

BR,
Anirudh Malhotra
Mail: 8zero2.in at gmail.com
Facebook: www.facebook.com/8zero2
Twitter: @8zero2_in
Blog: blog.8zero2.in

On Thu, Mar 31, 2016 at 1:56 AM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Mar 30, 2016, at 11:47 AM, Anirudh Malhotra <8zero2ops at gmail.com>
> wrote:
> > when using eap inner tunned would be used right?
>
>   It depends on the EAP method.
>
> > so ldap module when called and some control attributes are updated these
> > are going to updated in the inner control or the outer control(or there
> is
> > no such thing) and attributes are copied?
>
>   If you configured it that way.
>
> > Also the unlang which i ran was in post auth so that is the end of the
> > request and ldap is parsed above it, so could that be a problem which u
> > suggested in your previous reply.
>
>   No, that's not what I said.
>
> > Secondly could the data type of ldap attribute(integer or string) affect
> > the unlang would treat the attribute?
>
>   No.
>
>   You're doing everything *except* looking at the debug output.
>
>   You need to either follow instructions, or to stop asking questions on
> this list.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


More information about the Freeradius-Users mailing list