Class attribute in Reply message

Umut Arus umuta at sabanciuniv.edu
Tue Oct 3 11:23:50 CEST 2017


Hello,

I need to return a deniedServices LDAP variable in the Class attribute for a
controller. I added
"replyItem    Class   deniedServices +=" to the ldap.attrmap file,
and the sites-available/default file includes it. But it overrides the Class
value to empty.
        update reply {
                Class += "%{Reply-Message}"
        }


Where is it wrong?

FreeRADIUS Version 2.2.8

Parts of the output are:

[peap] Setting User-Name to tayfund
Sending tunneled request
        EAP-Message =
0x020900421a0209003d3167738a93d83ed76e5251bbbaa183542f0000000000000000008955f2389888dbc3771d940bc5c9ade688b2ec3b08e4f80074617966756e64
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "tayfund"
        State = 0xb024cc1cb02dd66832d4a5f6f46a2d5f
        NAS-IP-Address = 10.200.0.2
        NAS-Port = 0
        NAS-Identifier = "10.200.0.5"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "748D08E39D7F"
        Called-Station-Id = "001A1E0015F0"
        Service-Type = Framed-User
        Framed-MTU = 1100
        Aruba-Essid-Name = "SABANCIUNIV"
        Aruba-Location-Id = "BM_IT_NETSYS_7b:fe"
        Aruba-AP-Group = "BM_binasi"
        Aruba-Device-Type = "iPhone"
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[mschap] = noop
[suffix] No '@' in User-Name = "tayfund", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 9 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[ldap] performing user authorization for tayfund
[ldap]  expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=tayfund)
[ldap]  expand: o=sabanciuniv.edu -> o=sabanciuniv.edu
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in o=sabanciuniv.edu, with filter (uid=tayfund)
[ldap] Added User-Password = 5F479EB90623041F464CD3F4B685C80A in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header ==
"{SSHA}wM3CoVk5jYLVnHz8jyv6vHBlqv52bw=="
  [ldap] sambaNtPassword -> NT-Password ==
0x3546343739454239303632333034314634363443443346344236383543383041
  [ldap] sambaLmPassword -> LM-Password ==
0x3836413243354632393945434139444343313745393630323543414633314130
  [ldap] radiusAuthType -> Auth-Type == EAP
[ldap] looking for reply items in directory...
*  [ldap] deniedServices -> Class += 0x7375636f75727365*
  [ldap] ou -> Operator-Name = "admin"
  [ldap] ou -> Operator-Name = "IT"
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
+} # group authorize = updated
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] Found LM-Password
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: tayfund
[mschap] Client is using MS-CHAPv2 for tayfund, we need NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] = ok
++update outer.request {
        expand: %{User-Name} -> tayfund
++} # update outer.request = noop
++update outer.reply {
        expand: %{User-Name} -> tayfund
++} # update outer.reply = noop
+} # group MS-CHAP = ok
MSCHAP Success
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        Class += 0x7375636f75727365
        Operator-Name = "admin"
        EAP-Message =
0x010a00331a0309002e533d38384136303239324543424441413244303139424145343031363537393336353637364246453633
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb024cc1cb12ed66832d4a5f6f46a2d5f
[peap] Got tunneled reply RADIUS code Access-Challenge
*        Class += 0x7375636f75727365*
        Operator-Name = "admin"
        EAP-Message =
0x010a00331a0309002e533d38384136303239324543424441413244303139424145343031363537393336353637364246453633
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb024cc1cb12ed66832d4a5f6f46a2d5f
[peap] Got tunneled Access-Challenge
[peap] >>> Unknown TLS version [length 0005]
++[eap] = handled
+} # group authenticate = handled
Going to the next request
rad_recv: Access-Request packet from host 10.200.0.5 port 52530, id=108,
length=259
        User-Name = "tayfund"
        NAS-IP-Address = 10.200.0.2
        NAS-Port = 0
        NAS-Identifier = "10.200.0.5"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "748D08E39D7F"
        Called-Station-Id = "001A1E0015F0"
        Service-Type = Framed-User
        Framed-MTU = 1100
        EAP-Message =
0x020b002e190017030300239b010c14db2db49adb4087eaadbbbcf3628daf65188a552fdc7d8fbeb850ded62316e3
        State = 0x0f5a59a0065140db3a8c7af8ad4bf4cc
        Aruba-Essid-Name = "SABANCIUNIV"
        Aruba-Location-Id = "BM_IT_NETSYS_7b:fe"
        Aruba-AP-Group = "BM_binasi"
        Aruba-Device-Type = "iPhone"
        Message-Authenticator = 0xa1cfe667210437f5f5eaf132bf431a90
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "tayfund", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 11 length 46
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< Unknown TLS version [length 0005]
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [tayfund] (from client 10.200.0.0/24 port 0 cli 748D08E39D7F)
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+group post-auth {
[reply_log]     expand: %{Packet-Src-IP-Address} -> 10.200.0.5
[reply_log]     expand:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
-> /var/log/freeradius/radacct/10.200.0.5/reply-detail-20171003
[reply_log]
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/freeradius/radacct/10.200.0.5/reply-detail-20171003
[reply_log]     expand: %t -> Tue Oct  3 12:06:11 2017
++[reply_log] = ok
++[ldap] = noop
++[exec] = noop
++update reply {
        expand: %{Reply-Message} ->
++} # update reply = noop
+} # group post-auth = ok
Sending Access-Accept of id 108 to 10.200.0.5 port 52530
        MS-MPPE-Recv-Key =
0xfc792d0aa5a1ff4c6e90676c80c47b799958fb603caf17dc11b68eeb182f922f
        MS-MPPE-Send-Key =
0x00176d351e6d75e96c0429fefa871f38022b851e2a897921fbc2ab0cc891ee5b
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "tayfund"
        Class = 0x
Finished request 785.
Going to the next request
Cleaning up request 596 ID 154 with timestamp +11
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host 10.200.0.5 port 52530, id=101,
length=211
        User-Name = "dbostan"
        NAS-IP-Address = 10.200.0.2
        NAS-Port = 0
        NAS-Identifier = "10.200.0.5"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "E0C767163B2F"
        Called-Station-Id = "001A1E0015F0"
        Service-Type = Framed-User
        Framed-MTU = 1100
        EAP-Message = 0x020500061900
        State = 0xf8fdecb8fbf8f57eaba961c2ded7fb6f
        Aruba-Essid-Name = "SABANCIUNIV"
        Aruba-Location-Id = "Yurt_A5_Kat1_AP4_60:6c"
        Aruba-AP-Group = "Yurt_Binasi"
        Message-Authenticator = 0xb071cd65a32ccfd350f5f7349f570df5
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "dbostan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 101 to 10.200.0.5 port 52530
        EAP-Message =
0x55b131ca32435839495c0a854ab8507fdf5c7a420c64e3f205ef607f2df152265f4544b6b1a5673e05417a38f1e10b63c28438bda216249aff502a43efc8a154ce646da60df5da11d182a059f010c082389b4ad9f901113c159cfd4a0653583ea745983ba8ef9aae665699c04d3a9b642a33ba7bdb9d8960948823747e88e115f41d2114d4cb5f63aec906b7c53c45fb117bccf41276015597025d295aed742520a5bfd019b54e91c4986655fee8f7832ac166433b1f9897eb02f307bae930dc01b8cd0edd0d526d8bd201a8b416030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf8fdecb8fcfbf57eaba961c2ded7fb6f
Finished request 786.

Thanks.

-- 
*Umut A*
System Specialist
Information Technology
Sabancı University
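As an added example (not from the poster or the FreeRADIUS project), a small Python checker that walks FreeRADIUS 2.x debug output of the shape quoted above and reports the two symptoms visible in the log: an `update reply` expansion that came out empty, and an Access-Accept whose Class attribute went out zero-length; it also decodes the LDAP-supplied Class octets to text. The sample lines are constructed from the post's output, and the regexes assume the 2.x debug line formats shown there.

```python
import re

# Constructed excerpt modelled on the FreeRADIUS 2.x debug output quoted in the post
# (not the poster's full output).
SAMPLE_DEBUG = """\
[ldap] looking for reply items in directory...
  [ldap] deniedServices -> Class += 0x7375636f75727365
++update reply {
        expand: %{Reply-Message} ->
++} # update reply = noop
Sending Access-Accept of id 108 to 10.200.0.5 port 52530
        User-Name = "tayfund"
        Class = 0x
Finished request 785.
"""

EXPAND_RE = re.compile(r"^\s*expand:\s+(\S+)\s+->\s*(.*)$")
LDAP_MAP_RE = re.compile(r"^\s*\[ldap\]\s+(\S+)\s+->\s+([\w-]+)\s+(=|\+=|:=)\s+(.*)$")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+) port (\d+)")
ATTR_RE = re.compile(r"^\s+([\w-]+)\s+(=|\+=|:=)\s+(.*)$")


def decode_octets(value):
    """Decode a 0x... debug value to text; None if it is not hex or not printable."""
    if not value.startswith("0x"):
        return None
    try:
        text = bytes.fromhex(value[2:]).decode("ascii")
    except ValueError:
        return None
    return text if text.isprintable() else None


def audit_debug(text):
    """Collect empty xlat expansions, LDAP-sourced Class values and the Class
    attribute of every packet the server sends."""
    report = {"empty_expansions": [], "ldap_class": [], "sent": []}
    current = None  # attribute list of the packet currently being sent, if any
    for line in text.splitlines():
        if (m := EXPAND_RE.match(line)) and m.group(2) == "":
            report["empty_expansions"].append(m.group(1))
        elif (m := LDAP_MAP_RE.match(line)) and m.group(2) == "Class":
            report["ldap_class"].append((m.group(1), m.group(4)))
        elif m := SEND_RE.match(line):
            current = {"code": m.group(1), "id": int(m.group(2)), "class": None, "class_text": None}
            report["sent"].append(current)
        elif (m := ATTR_RE.match(line)) and current is not None:
            if m.group(1) == "Class":
                current["class"] = m.group(3)
                current["class_text"] = decode_octets(m.group(3))
        else:
            current = None  # any other line ends the attribute list of the sent packet
    return report


def empty_class_accepts(report):
    """Ids of Access-Accepts whose Class attribute went out zero-length (the symptom in the post)."""
    return [p["id"] for p in report["sent"] if p["code"] == "Access-Accept" and p["class"] == "0x"]
```

Run it over a full `radiusd -X` capture to see which expansion produced nothing and which replies lost their Class before looking at the reply mapping.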
