Cache user access on EAP-TTLS with LDAP as the authentication system
André
netriver at gmail.com
Thu Jan 14 14:20:33 CET 2021
Hello,
I'm using EAP-TTLS + LDAP with okta, all is working fine.
But I would like to use FreeRADIUS's cache in case the internet connection
goes down: if there is no internet access to reach the LDAP server, is it
possible to fall back to a cache?
(21) Received Access-Request Id 117 from 192.168.31.239:32773 to
192.168.31.183:1812 length 294
(21) User-Name = "leon.wolf at domain.local"
(21) Chargeable-User-Identity = 0x00
(21) Location-Capable = Civic-Location
(21) Calling-Station-Id = "90-78-41-4f-dd-73"
(21) Called-Station-Id = "00-b7-71-86-b8-80:testrd"
(21) NAS-Port = 1
(21) Cisco-AVPair = "audit-session-id=c0a81fef0001f1c46000318e"
(21) Acct-Session-Id = "60003186/90:78:41:4f:dd:73/237979"
(21) NAS-IP-Address = 192.168.31.239
(21) NAS-Identifier = "WLC1"
(21) Airespace-Wlan-Id = 3
(21) Service-Type = Framed-User
(21) Framed-MTU = 1300
(21) NAS-Port-Type = Wireless-802.11
(21) Tunnel-Type:0 = VLAN
(21) Tunnel-Medium-Type:0 = IEEE-802
(21) Tunnel-Private-Group-Id:0 = "96"
(21) EAP-Message = 0x020500061500
(21) State = 0xcab4fefcc8b1eb3813f65861255465ba
(21) Message-Authenticator = 0x29f8146d52be66b41004b4ed9a6d1296
(21) session-state: No cached attributes
(21) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(21) authorize {
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /@\./) {
(21) if (&User-Name =~ /@\./) -> FALSE
(21) } # if (&User-Name) = notfound
(21) } # policy filter_username = notfound
(21) [preprocess] = ok
(21) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(21) auth_log: --> /var/log/freeradius/radacct/
192.168.31.239/auth-detail-20210114
(21) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.31.239/auth-detail-20210114
(21) auth_log: EXPAND %t
(21) auth_log: --> Thu Jan 14 12:58:17 2021
(21) [auth_log] = ok
(21) eap: Peer sent EAP Response (code 2) ID 5 length 6
(21) eap: Continuing tunnel setup
(21) [eap] = ok
(21) } # authorize = ok
(21) Found Auth-Type = eap
(21) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(21) Auth-Type eap {
(21) eap: Expiring EAP session with state 0xcab4fefcc8b1eb38
(21) eap: Finished EAP session with state 0xcab4fefcc8b1eb38
(21) eap: Previous EAP request found for state 0xcab4fefcc8b1eb38, released
from the list
(21) eap: Peer sent packet with method EAP TTLS (21)
(21) eap: Calling submodule eap_ttls to process data
(21) eap_ttls: Authenticate
(21) eap_ttls: Continuing EAP-TLS
(21) eap_ttls: Peer ACKed our handshake fragment
(21) eap_ttls: [eaptls verify] = request
(21) eap_ttls: [eaptls process] = handled
(21) eap: Sending EAP Request (code 1) ID 6 length 957
(21) eap: EAP session adding &reply:State = 0xcab4fefcc9b2eb38
(21) [eap] = handled
(21) if (handled && (Response-Packet-Type == Access-Challenge)) {
(21) EXPAND Response-Packet-Type
(21) --> Access-Challenge
(21) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(21) if (handled && (Response-Packet-Type == Access-Challenge)) {
(21) attr_filter.access_challenge: EXPAND %{User-Name}
(21) attr_filter.access_challenge: --> leon.wolf at domain.local
(21) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(21) [attr_filter.access_challenge.post-auth] = updated
(21) [handled] = handled
(21) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(21) } # Auth-Type eap = handled
(21) Using Post-Auth-Type Challenge
(21) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(21) Post-Auth-Type Challenge {
(21) policy remove_reply_message_if_eap {
(21) if (&reply:EAP-Message && &reply:Reply-Message) {
(21) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(21) else {
(21) [noop] = noop
(21) } # else = noop
(21) } # policy remove_reply_message_if_eap = noop
(21) attr_filter.access_challenge: EXPAND %{User-Name}
(21) attr_filter.access_challenge: --> leon.wolf at domain.local
(21) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(21) [attr_filter.access_challenge.post-auth] = updated
(21) } # Post-Auth-Type Challenge = updated
(21) Sent Access-Challenge Id 117 from 192.168.31.183:1812 to
192.168.31.239:32773 length 0
(21) EAP-Message =
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
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) State = 0xcab4fefcc9b2eb3813f65861255465ba
(21) Finished request
Waking up in 4.9 seconds.
(22) Received Access-Request Id 118 from 192.168.31.239:32773 to
192.168.31.183:1812 length 424
(22) User-Name = "leon.wolf at domain.local"
(22) Chargeable-User-Identity = 0x00
(22) Location-Capable = Civic-Location
(22) Calling-Station-Id = "90-78-41-4f-dd-73"
(22) Called-Station-Id = "00-b7-71-86-b8-80:testrd"
(22) NAS-Port = 1
(22) Cisco-AVPair = "audit-session-id=c0a81fef0001f1c46000318e"
(22) Acct-Session-Id = "60003186/90:78:41:4f:dd:73/237979"
(22) NAS-IP-Address = 192.168.31.239
(22) NAS-Identifier = "WLC1"
(22) Airespace-Wlan-Id = 3
(22) Service-Type = Framed-User
(22) Framed-MTU = 1300
(22) NAS-Port-Type = Wireless-802.11
(22) Tunnel-Type:0 = VLAN
(22) Tunnel-Medium-Type:0 = IEEE-802
(22) Tunnel-Private-Group-Id:0 = "96"
(22) EAP-Message =
0x0206008815800000007e160303004610000042410436fe757ae06837679e32e33eef46449bfb57126ab725fbc270219624e528203360ee7521080563eb18d57ed754f7079e1bf3c4423f5975e1d2aedd7597251c87140303000101160303002800000000000000009b5217d1d18538b885d7f88ff00291a7d352e5b47e9b660c263b64b9f36067dd
(22) State = 0xcab4fefcc9b2eb3813f65861255465ba
(22) Message-Authenticator = 0x6e609bd8d4caf0c99454c818de75af99
(22) session-state: No cached attributes
(22) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(22) authorize {
(22) policy filter_username {
(22) if (&User-Name) {
(22) if (&User-Name) -> TRUE
(22) if (&User-Name) {
(22) if (&User-Name =~ / /) {
(22) if (&User-Name =~ / /) -> FALSE
(22) if (&User-Name =~ /@[^@]*@/ ) {
(22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(22) if (&User-Name =~ /\.\./ ) {
(22) if (&User-Name =~ /\.\./ ) -> FALSE
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(22) if (&User-Name =~ /\.$/) {
(22) if (&User-Name =~ /\.$/) -> FALSE
(22) if (&User-Name =~ /@\./) {
(22) if (&User-Name =~ /@\./) -> FALSE
(22) } # if (&User-Name) = notfound
(22) } # policy filter_username = notfound
(22) [preprocess] = ok
(22) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(22) auth_log: --> /var/log/freeradius/radacct/
192.168.31.239/auth-detail-20210114
(22) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.31.239/auth-detail-20210114
(22) auth_log: EXPAND %t
(22) auth_log: --> Thu Jan 14 12:58:17 2021
(22) [auth_log] = ok
(22) eap: Peer sent EAP Response (code 2) ID 6 length 136
(22) eap: Continuing tunnel setup
(22) [eap] = ok
(22) } # authorize = ok
(22) Found Auth-Type = eap
(22) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(22) Auth-Type eap {
(22) eap: Expiring EAP session with state 0xcab4fefcc9b2eb38
(22) eap: Finished EAP session with state 0xcab4fefcc9b2eb38
(22) eap: Previous EAP request found for state 0xcab4fefcc9b2eb38, released
from the list
(22) eap: Peer sent packet with method EAP TTLS (21)
(22) eap: Calling submodule eap_ttls to process data
(22) eap_ttls: Authenticate
(22) eap_ttls: Continuing EAP-TLS
(22) eap_ttls: Peer indicated complete TLS record size will be 126 bytes
(22) eap_ttls: Got complete TLS record (126 bytes)
(22) eap_ttls: [eaptls verify] = length included
(22) eap_ttls: TLS_accept: SSLv3/TLS write server done
(22) eap_ttls: <<< recv TLS 1.2 [length 0046]
(22) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
(22) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
(22) eap_ttls: <<< recv TLS 1.2 [length 0010]
(22) eap_ttls: TLS_accept: SSLv3/TLS read finished
(22) eap_ttls: >>> send TLS 1.2 [length 0001]
(22) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(22) eap_ttls: >>> send TLS 1.2 [length 0010]
(22) eap_ttls: TLS_accept: SSLv3/TLS write finished
(22) eap_ttls: Serialising session
36e87b2e23855a94095eeb8a40b2fe08eedc7eeb03d6a3aa50f95511fb46838f, and
storing in cache
(22) eap_ttls: WARNING: Wrote session
36e87b2e23855a94095eeb8a40b2fe08eedc7eeb03d6a3aa50f95511fb46838f to
/var/log/freeradius/tlscache/36e87b2e23855a94095eeb8a40b2fe08eedc7eeb03d6a3aa50f95511fb46838f.asn1
(139 bytes)
(22) eap_ttls: (other): SSL negotiation finished successfully
(22) eap_ttls: TLS - Connection Established
(22) eap_ttls: Attr-156.7 =
0x45434448452d5253412d4145533235362d47434d2d534841333834
(22) eap_ttls: Attr-155.7 = 0x544c5320312e32
(22) eap_ttls: TLS - got 51 bytes of data
(22) eap_ttls: [eaptls process] = handled
(22) eap: Sending EAP Request (code 1) ID 7 length 61
(22) eap: EAP session adding &reply:State = 0xcab4fefcceb3eb38
(22) [eap] = handled
(22) if (handled && (Response-Packet-Type == Access-Challenge)) {
(22) EXPAND Response-Packet-Type
(22) --> Access-Challenge
(22) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(22) if (handled && (Response-Packet-Type == Access-Challenge)) {
(22) attr_filter.access_challenge: EXPAND %{User-Name}
(22) attr_filter.access_challenge: --> leon.wolf at domain.local
(22) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(22) [attr_filter.access_challenge.post-auth] = updated
(22) [handled] = handled
(22) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(22) } # Auth-Type eap = handled
(22) Using Post-Auth-Type Challenge
(22) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(22) Post-Auth-Type Challenge {
(22) policy remove_reply_message_if_eap {
(22) if (&reply:EAP-Message && &reply:Reply-Message) {
(22) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(22) else {
(22) [noop] = noop
(22) } # else = noop
(22) } # policy remove_reply_message_if_eap = noop
(22) attr_filter.access_challenge: EXPAND %{User-Name}
(22) attr_filter.access_challenge: --> leon.wolf at domain.local
(22) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(22) [attr_filter.access_challenge.post-auth] = updated
(22) } # Post-Auth-Type Challenge = updated
(22) session-state: Saving cached attributes
(22) TLS-Cache-Filename =
"/var/log/freeradius/tlscache/36e87b2e23855a94095eeb8a40b2fe08eedc7eeb03d6a3aa50f95511fb46838f.asn1"
(22) Attr-156.7 = 0x45434448452d5253412d4145533235362d47434d2d534841333834
(22) Attr-155.7 = 0x544c5320312e32
(22) Sent Access-Challenge Id 118 from 192.168.31.183:1812 to
192.168.31.239:32773 length 0
(22) EAP-Message =
0x0107003d158000000033140303000101160303002836d8a1ff6b2afaae621fc261218f4483f1c4545f86a9b8fe41deae7225f2324e15c977fd19b170a0
(22) Message-Authenticator = 0x00000000000000000000000000000000
(22) State = 0xcab4fefcceb3eb3813f65861255465ba
(22) Finished request
Waking up in 4.9 seconds.
(23) Received Access-Request Id 119 from 192.168.31.239:32773 to
192.168.31.183:1812 length 387
(23) User-Name = "leon.wolf at domain.local"
(23) Chargeable-User-Identity = 0x00
(23) Location-Capable = Civic-Location
(23) Calling-Station-Id = "90-78-41-4f-dd-73"
(23) Called-Station-Id = "00-b7-71-86-b8-80:testrd"
(23) NAS-Port = 1
(23) Cisco-AVPair = "audit-session-id=c0a81fef0001f1c46000318e"
(23) Acct-Session-Id = "60003186/90:78:41:4f:dd:73/237979"
(23) NAS-IP-Address = 192.168.31.239
(23) NAS-Identifier = "WLC1"
(23) Airespace-Wlan-Id = 3
(23) Service-Type = Framed-User
(23) Framed-MTU = 1300
(23) NAS-Port-Type = Wireless-802.11
(23) Tunnel-Type:0 = VLAN
(23) Tunnel-Medium-Type:0 = IEEE-802
(23) Tunnel-Private-Group-Id:0 = "96"
(23) EAP-Message =
0x0207006315800000005917030300540000000000000001e70b56177cd34eacf86e9bd90e8fe557e020b9f6d814adddf9bde349e67f3e9a1dda72f8fd14224098f24cae3410220287d1814b3984a577db30a8289bd48a898a69c25b4667f3cc93b0ab0b
(23) State = 0xcab4fefcceb3eb3813f65861255465ba
(23) Message-Authenticator = 0x19e54adcb4aeb90d8bcb07f5984056ec
(23) Restoring &session-state
(23) &session-state:TLS-Cache-Filename =
"/var/log/freeradius/tlscache/36e87b2e23855a94095eeb8a40b2fe08eedc7eeb03d6a3aa50f95511fb46838f.asn1"
(23) &session-state:Attr-156.7 =
0x45434448452d5253412d4145533235362d47434d2d534841333834
(23) &session-state:Attr-155.7 = 0x544c5320312e32
(23) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(23) authorize {
(23) policy filter_username {
(23) if (&User-Name) {
(23) if (&User-Name) -> TRUE
(23) if (&User-Name) {
(23) if (&User-Name =~ / /) {
(23) if (&User-Name =~ / /) -> FALSE
(23) if (&User-Name =~ /@[^@]*@/ ) {
(23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(23) if (&User-Name =~ /\.\./ ) {
(23) if (&User-Name =~ /\.\./ ) -> FALSE
(23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(23) if (&User-Name =~ /\.$/) {
(23) if (&User-Name =~ /\.$/) -> FALSE
(23) if (&User-Name =~ /@\./) {
(23) if (&User-Name =~ /@\./) -> FALSE
(23) } # if (&User-Name) = notfound
(23) } # policy filter_username = notfound
(23) [preprocess] = ok
(23) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(23) auth_log: --> /var/log/freeradius/radacct/
192.168.31.239/auth-detail-20210114
(23) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.31.239/auth-detail-20210114
(23) auth_log: EXPAND %t
(23) auth_log: --> Thu Jan 14 12:58:17 2021
(23) [auth_log] = ok
(23) eap: Peer sent EAP Response (code 2) ID 7 length 99
(23) eap: Continuing tunnel setup
(23) [eap] = ok
(23) } # authorize = ok
(23) Found Auth-Type = eap
(23) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(23) Auth-Type eap {
(23) eap: Expiring EAP session with state 0xcab4fefcceb3eb38
(23) eap: Finished EAP session with state 0xcab4fefcceb3eb38
(23) eap: Previous EAP request found for state 0xcab4fefcceb3eb38, released
from the list
(23) eap: Peer sent packet with method EAP TTLS (21)
(23) eap: Calling submodule eap_ttls to process data
(23) eap_ttls: Authenticate
(23) eap_ttls: Continuing EAP-TLS
(23) eap_ttls: Peer indicated complete TLS record size will be 89 bytes
(23) eap_ttls: Got complete TLS record (89 bytes)
(23) eap_ttls: [eaptls verify] = length included
(23) eap_ttls: [eaptls process] = ok
(23) eap_ttls: Session established. Proceeding to decode tunneled
attributes
(23) eap_ttls: Got tunneled request
(23) eap_ttls: User-Name = "leon.wolf at domain.local"
(23) eap_ttls: User-Password = "scN3VXa4XZvm7N4!"
(23) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(23) eap_ttls: Sending tunneled request
(23) Virtual server default received request
(23) User-Name = "leon.wolf at domain.local"
(23) User-Password = "scN3VXa4XZvm7N4!"
(23) FreeRADIUS-Proxied-To = 127.0.0.1
(23) Chargeable-User-Identity = 0x00
(23) Location-Capable = Civic-Location
(23) Calling-Station-Id = "90-78-41-4f-dd-73"
(23) Called-Station-Id = "00-b7-71-86-b8-80:testrd"
(23) NAS-Port = 1
(23) Cisco-AVPair = "audit-session-id=c0a81fef0001f1c46000318e"
(23) Acct-Session-Id = "60003186/90:78:41:4f:dd:73/237979"
(23) NAS-IP-Address = 192.168.31.239
(23) NAS-Identifier = "WLC1"
(23) Airespace-Wlan-Id = 3
(23) Service-Type = Framed-User
(23) Framed-MTU = 1300
(23) NAS-Port-Type = Wireless-802.11
(23) Tunnel-Type:0 = VLAN
(23) Tunnel-Medium-Type:0 = IEEE-802
(23) Tunnel-Private-Group-Id:0 = "96"
(23) Event-Timestamp = "Jan 14 2021 12:58:17 WET"
(23) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(23) server default {
(23) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(23) authorize {
(23) policy filter_username {
(23) if (&User-Name) {
(23) if (&User-Name) -> TRUE
(23) if (&User-Name) {
(23) if (&User-Name =~ / /) {
(23) if (&User-Name =~ / /) -> FALSE
(23) if (&User-Name =~ /@[^@]*@/ ) {
(23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(23) if (&User-Name =~ /\.\./ ) {
(23) if (&User-Name =~ /\.\./ ) -> FALSE
(23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(23) if (&User-Name =~ /\.$/) {
(23) if (&User-Name =~ /\.$/) -> FALSE
(23) if (&User-Name =~ /@\./) {
(23) if (&User-Name =~ /@\./) -> FALSE
(23) } # if (&User-Name) = notfound
(23) } # policy filter_username = notfound
(23) [preprocess] = ok
(23) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(23) auth_log: --> /var/log/freeradius/radacct/
192.168.31.239/auth-detail-20210114
(23) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.31.239/auth-detail-20210114
(23) auth_log: EXPAND %t
(23) auth_log: --> Thu Jan 14 12:58:17 2021
(23) [auth_log] = ok
(23) eap: No EAP-Message, not doing EAP
(23) [eap] = noop
(23) [expiration] = noop
(23) [logintime] = noop
(23) update control {
(23) Cache-Status-Only = yes
(23) } # update control = noop
(23) cache: EXPAND %{User-Name}
(23) cache: --> leon.wolf at domain.local
(23) cache: Found entry for "leon.wolf at domain.local"
(23) [cache] = ok
(23) if (notfound) {
(23) if (notfound) -> FALSE
(23) if (User-Password) {
(23) if (User-Password) -> TRUE
(23) if (User-Password) {
(23) update control {
(23) Auth-Type := LDAP
(23) } # update control = noop
(23) } # if (User-Password) = noop
(23) cache: EXPAND %{User-Name}
(23) cache: --> leon.wolf at domain.local
(23) cache: Found entry for "leon.wolf at domain.local"
(23) cache: Merging cache entry into request
(23) cache: &reply:Reply-Message += "Cache last updated at Thu Jan 14
11:57:02 2021"
(23) cache: &reply:Class :=
0x4b703872434c46586d6c6c6953624238735a644a42746459576945614b2e4e65
(23) [cache] = ok
(23) } # authorize = ok
(23) Found Auth-Type = LDAP
(23) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(23) Auth-Type LDAP {
rlm_ldap (ldap): Closing connection (9): Hit idle_timeout, was idle for 162
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (10): Hit idle_timeout, was idle for
160 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (11), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://jumia.ldap.idp.com:389
rlm_ldap (ldap): Could not start TLS: Can't contact LDAP server
rlm_ldap (ldap): Opening connection failed (11)
(23) [ldap] = fail
(23) } # Auth-Type LDAP = fail
(23) Failed to authenticate the user
(23) Using Post-Auth-Type Reject
(23) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(23) Post-Auth-Type REJECT {
(23) attr_filter.access_reject: EXPAND %{User-Name}
(23) attr_filter.access_reject: --> leon.wolf at domain.local
(23) attr_filter.access_reject: Matched entry DEFAULT at line 11
(23) [attr_filter.access_reject] = updated
(23) [eap] = noop
(23) policy remove_reply_message_if_eap {
(23) if (&reply:EAP-Message && &reply:Reply-Message) {
(23) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(23) else {
(23) [noop] = noop
(23) } # else = noop
(23) } # policy remove_reply_message_if_eap = noop
(23) } # Post-Auth-Type REJECT = updated
(23) } # server default
(23) Virtual server sending reply
(23) Reply-Message = "Cache last updated at Thu Jan 14 11:57:02 2021"
(23) eap_ttls: Got tunneled Access-Reject
tls: Removing session
36e87b2e23855a94095eeb8a40b2fe08eedc7eeb03d6a3aa50f95511fb46838f from the
cache
(23) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module
failed
(23) eap: Sending EAP Failure (code 4) ID 7 length 4
(23) eap: Failed in EAP select
(23) [eap] = invalid
(23) } # Auth-Type eap = invalid
(23) Failed to authenticate the user
(23) Using Post-Auth-Type Reject
(23) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(23) Post-Auth-Type REJECT {
(23) attr_filter.access_reject: EXPAND %{User-Name}
(23) attr_filter.access_reject: --> leon.wolf at domain.local
(23) attr_filter.access_reject: Matched entry DEFAULT at line 11
(23) [attr_filter.access_reject] = updated
(23) [eap] = noop
(23) policy remove_reply_message_if_eap {
(23) if (&reply:EAP-Message && &reply:Reply-Message) {
(23) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(23) else {
(23) [noop] = noop
(23) } # else = noop
(23) } # policy remove_reply_message_if_eap = noop
(23) } # Post-Auth-Type REJECT = updated
(23) Delaying response for 1.000000 seconds
Waking up in 0.6 seconds.
Waking up in 0.3 seconds.
(23) Sending delayed response
(23) Sent Access-Reject Id 119 from 192.168.31.183:1812 to
192.168.31.239:32773 length 44
(23) EAP-Message = 0x04070004
(23) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(18) Cleaning up request packet ID 114 with timestamp +3690
(19) Cleaning up request packet ID 115 with timestamp +3690
(20) Cleaning up request packet ID 116 with timestamp +3690
(21) Cleaning up request packet ID 117 with timestamp +3690
(22) Cleaning up request packet ID 118 with timestamp +3690
(23) Cleaning up request packet ID 119 with timestamp +3690
Ready to process requests
***** Config for sites-enabled/default ******
server default {
# Outer RADIUS server. It is also the inner (tunneled) virtual server,
# because the eap config sets ttls { virtual_server = "default" }.
listen {
type = auth
ipaddr = 192.168.31.183
# port = 0 selects the default authentication port; the trace shows this
# socket receiving on 192.168.31.183:1812.
port = 0
limit {
#
# Limit the number of simultaneous TCP connections to the socket
#
# The default is 16.
# Setting this to 0 means "no limit"
max_connections = 16
# The per-socket "max_requests" option does not exist.
#
# The lifetime, in seconds, of a TCP connection. After
# this lifetime, the connection will be closed.
#
# Setting this to 0 means "forever".
lifetime = 0
#
# The idle timeout, in seconds, of a TCP connection.
# If no packets have been received over the connection for
# this time, the connection will be closed.
#
# Setting this to 0 means "no timeout".
#
# We STRONGLY RECOMMEND that you set an idle timeout.
#
idle_timeout = 30
}
}
listen {
# Accounting on every IPv4 address. No proto is given, so this is UDP and
# the limit {} block below is ignored, as its own comment says.
ipaddr = *
port = 0
type = acct
limit {
# Only for "proto = tcp". These are ignored for "udp" sockets.
#
}
}
listen {
type = auth
ipv6addr = :: # any. ::1 == localhost
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipv6addr = ::
port = 0
type = acct
limit {
}
}
authorize {
filter_username
preprocess
auth_log
# The outer EAP request returns ok/updated here and we stop early. The
# tunneled inner request carries no EAP-Message ("[eap] = noop" in the
# trace), so it falls through to the cache/ldap logic below.
eap {
ok = return
updated = return
}
expiration
logintime
# Pass 1: with Cache-Status-Only set, "cache" only reports whether an entry
# keyed on %{User-Name} exists (ok / notfound) and merges nothing.
update control {
Cache-Status-Only = 'yes'
}
cache
# Only query LDAP during authorize when there is no cache entry.
if (notfound) {
ldap
}
# NOTE(review): this forces Auth-Type := ldap on a cache hit as well, so an
# LDAP bind is still required to authenticate. In the trace above the entry
# is found, the ldap connection fails ("Can't contact LDAP server") and the
# user is rejected. The cached entry only holds reply attributes
# (Reply-Message, Class), not a credential, so rlm_cache as configured
# cannot verify User-Password and does not provide offline authentication.
if (User-Password) { # evaluates TRUE on a cache hit as well (see the trace)
update control {
Auth-Type := ldap
}
}
# Pass 2: the trace shows this call merging the entry into the request, so
# Cache-Status-Only evidently no longer applies. Presumably it also creates
# the entry when ldap just ran and none existed - verify against the cache
# module's update section.
cache
}
authenticate {
# Which block runs is chosen by control:Auth-Type. The trace shows the
# tunneled request resolving to "Auth-Type LDAP", because authorize above
# sets Auth-Type := ldap whenever User-Password is present.
Auth-Type PAP {
#pap
ldap # LDAP bind instead of local pap; not the block hit in the trace above (that is Auth-Type LDAP)
}
Auth-Type LDAP {
# LDAP bind with the tunneled User-Password. Fails closed when the
# directory is unreachable ("[ldap] = fail" -> Access-Reject in the trace).
ldap
}
Auth-Type eap {
eap {
handled = 1
}
if (handled && (Response-Packet-Type == Access-Challenge)) {
attr_filter.access_challenge.post-auth
handled # override the "updated" code from attr_filter
}
}
}
preacct {
preprocess
acct_unique
suffix
}
accounting {
detail
# "-" prefix: optional module, skipped without error if sql is not loaded.
-sql
attr_filter.accounting_response
}
session {
}
post-auth {
# Strip a reply User-Name that merely echoes the request User-Name,
# presumably so the inner identity is not echoed back to the NAS.
if (session-state:User-Name && reply:User-Name && request:User-Name &&
(reply:User-Name == request:User-Name)) {
update reply {
&User-Name !* ANY
}
}
# Attributes saved in session-state across the EAP rounds (the trace shows
# TLS-Cache-Filename and the TLS cipher attributes) are added to the reply.
update {
&reply: += &session-state:
}
remove_reply_message_if_eap
Post-Auth-Type REJECT {
# log failed authentications in SQL, too.
-sql
attr_filter.access_reject
# Insert EAP-Failure message if the request was
# rejected by policy instead of because of an
# authentication failure
eap
# Remove reply message if the response contains an EAP-Message
remove_reply_message_if_eap
}
Post-Auth-Type Challenge {
remove_reply_message_if_eap
attr_filter.access_challenge.post-auth
}
}
pre-proxy {
}
post-proxy {
eap
}
}
****** eap config ****
eap {
# Outer EAP method offered when the supplicant does not request one.
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
md5 {
}
leap {
}
gtc {
# Inner GTC responses are handed to the "Auth-Type PAP" block.
auth_type = PAP
}
tls-config tls-common {
private_key_file = /etc/freeradius/3.0/certs/rsa/fullchain2.key
certificate_file = /etc/freeradius/3.0/certs/rsa/fullchain2.pem
# NOTE(review): ca_file is given twice; a single-valued item can only take
# one of them - confirm which one the parser keeps (it may warn about the
# duplicate) and remove the other.
ca_file = /etc/ssl/certs/ca-certificates.crt
ca_file = /etc/freeradius/3.0/certs/rsa/rootDSTX3.pem
dh_file = ${certdir}/dh
ca_path = ${cadir}
# In the trace the peer negotiated TLS 1.2 with ECDHE-RSA-AES256-GCM-SHA384
# (the Attr-155.7 / Attr-156.7 hex values decode to those strings).
cipher_list = "DEFAULT"
cipher_server_preference = no
tls_min_version = "1.2"
ecdh_curve = "prime256v1"
cache {
# TLS session resumption cache. Sessions are serialised to
# ${logdir}/tlscache/<session-id>.asn1 (see the "Wrote session ... .asn1"
# line in the trace). These files hold TLS session state usable for
# resumption, so treat them as secrets and keep the directory readable by
# the radiusd user only.
enable = yes
name = "EAP module"
persist_dir = "${logdir}/tlscache"
}
# No client-certificate verification options; with TTLS the user is
# authenticated inside the tunnel instead.
verify {
}
# OCSP checking is off; url is only used if enable = yes.
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
ttls {
tls = tls-common
# Used only when the client runs EAP inside the tunnel. In the trace the
# client sent a plain User-Password with no inner EAP-Message, so the
# request was handled as a password login, not GTC.
default_eap_type = gtc
# Outer attributes (Calling-Station-Id, NAS-IP-Address, ...) are copied
# into the tunneled request, as seen in the trace's inner request.
copy_request_to_tunnel = yes
use_tunneled_reply = yes
# The inner request is processed by the same "default" server. Note the
# trace's "Outer and inner identities are the same" warning: the outer
# User-Name reveals the real identity, which an anonymous outer identity on
# the supplicant avoids. The inner User-Password also appears in clear in
# "-X" debug output, so redact such traces before sharing them.
virtual_server = "default"
}
virtual_server = default
}