Hi,<br> I have configured freeradius to select ldap modules according to NAS-IP-Address so that clients (using PEAP/MSCHAPv2) associating to a particular AP only get authenticated. For that I made the following changes:<br><br>1. modules/ldap file <br>
--------------------------<br>ldap HR {<br> basedn = "ou=HR,dc=prateek,dc=com"<br> ...<br>}<br><br>ldap dev {<br> basedn = "ou=dev,dc=prateek,dc=com"<br> ...<br>}<br><br>2. In ldap.attrmap <br>
-------------------<br>checkItem Cleartext-Password userPassword :=<br><br>3. In both sites-available/default & sites-available/inner-tunnel <br> ------------------------------ --------------------------------------<br>
<br>a. in authorize section<br><br>if (NAS-IP-Address == 127.0.0.1) {<br> HR<br>}<br>else {<br> dev<br>}<br><br>b. in authenticate section I have uncommented <br> Auth-Type MS-CHAP { <br> mschap<br>
}<br><br><br>Now when I use eapol_test to test I get Success. It first checks HR, which returns "search failed" as there is no user in ou=HR, but when freeradius processes the inner-tunnel I get the message <br>
<br>
++? if (NAS-IP-Address == 127.0.0.1)<br> (Attribute NAS-IP-Address was not found)<br>++- entering else else {...}<br><br>And after that user "dave", who should not get authenticated, is getting authenticated.<br>
<br>I want to know why it didn't get NAS-IP-Address.<br>
<br>Is there something I have missed?<br><br>Regards,<br>Prateek<br><br>radiusd -X (deleting some EAP messages) <br><br>rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=0, length=116<br> User-Name = "dave"<br>
NAS-IP-Address = 127.0.0.1<br> Calling-Station-Id = "02-00-00-00-00-01"<br>
Framed-MTU = 1400<br> NAS-Port-Type = Wireless-802.11<br> Connect-Info = "CONNECT 11Mbps 802.11b"<br> EAP-Message = 0x020000090164617665<br> Message-Authenticator = 0x1eb24decc31fcd482762d37920cb6f5d<br>
+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "dave", looking up realm NULL<br>[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>++? if (NAS-IP-Address == 127.0.0.1)<br>? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE<br>++? if (NAS-IP-Address == 127.0.0.1) -> TRUE<br>++- entering if (NAS-IP-Address == 127.0.0.1) {...}<br>
[HR] performing user authorization for dave<br>[HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>[HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)<br>
[HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: attempting LDAP reconnection<br>rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0<br>
rlm_ldap: bind as cn=Administrator,dc=prateek,dc=com/mypass to 127.0.0.1:389<br>rlm_ldap: waiting for bind result ...<br>rlm_ldap: Bind was successful<br>rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave)<br>
rlm_ldap: object not found<br>[HR] search failed<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>+++[HR] returns notfound<br>++- if (NAS-IP-Address == 127.0.0.1) returns notfound<br>++ ... skipping else for request 0: Preceding "if" was taken<br>
[eap] EAP packet type response id 0 length 9<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>++[unix] returns notfound<br>++[files] returns noop<br>rlm_counter: Entering module authorize code<br>
rlm_counter: Could not find Check item value pair<br>++[daily] returns noop<br>++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>
++[pap] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] EAP Identity<br>[eap] processing type tls<br>[tls] Requiring client certificate<br>[tls] Initiate<br>[tls] Start returned 1<br>
++[eap] returns handled<br>Sending Access-Challenge of id 0 to 127.0.0.1 port 46032<br> EAP-Message = 0x010100060d20<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xa098c2e9a099cf6a77937551a6a21d9f<br>
Finished request 0.<br>Going to the next request<br>Waking up in 4.9 seconds.<br>rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=1, length=131<br> User-Name = "dave"<br> NAS-IP-Address = 127.0.0.1<br>
Calling-Station-Id = "02-00-00-00-00-01"<br> Framed-MTU = 1400<br> NAS-Port-Type = Wireless-802.11<br> Connect-Info = "CONNECT 11Mbps 802.11b"<br> EAP-Message = 0x020100060319<br>
State = 0xa098c2e9a099cf6a77937551a6a21d9f<br> Message-Authenticator = 0xb0f144be9973b7716b25f5b7a09ffd9c<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>
[suffix] No '@' in User-Name = "dave", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>++? if (NAS-IP-Address == 127.0.0.1)<br>? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE<br>
++? if (NAS-IP-Address == 127.0.0.1) -> TRUE<br>++- entering if (NAS-IP-Address == 127.0.0.1) {...}<br>[HR] performing user authorization for dave<br>[HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>
[HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)<br>[HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>
rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave)<br>rlm_ldap: object not found<br>[HR] search failed<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>+++[HR] returns notfound<br>++- if (NAS-IP-Address == 127.0.0.1) returns notfound<br>
++ ... skipping else for request 1: Preceding "if" was taken<br>[eap] EAP packet type response id 1 length 6<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>++[unix] returns notfound<br>
++[files] returns noop<br>rlm_counter: Entering module authorize code<br>rlm_counter: Could not find Check item value pair<br>++[daily] returns noop<br>++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>
++[pap] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP NAK<br>[eap] EAP-NAK asked for EAP-Type/peap<br>[eap] processing type tls<br>
[tls] Initiate<br>[tls] Start returned 1<br>++[eap] returns handled<br>Sending Access-Challenge of id 1 to 127.0.0.1 port 46032<br> EAP-Message = 0x010200061920<br> Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0xa098c2e9a19adb6a77937551a6a21d9f<br>Finished request 1.<br>Going to the next request<br>rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=2, length=242<br> User-Name = "dave"<br>
NAS-IP-Address = 127.0.0.1<br> Calling-Station-Id = "02-00-00-00-00-01"<br> Framed-MTU = 1400<br> NAS-Port-Type = Wireless-802.11<br> Connect-Info = "CONNECT 11Mbps 802.11b"<br>
EAP-Message = some long value<br> State = 0xa098c2e9a19adb6a77937551a6a21d9f<br> Message-Authenticator = 0xabcfe03ec5688a184e25c56589ea8e2a<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>
++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "dave", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>++? if (NAS-IP-Address == 127.0.0.1)<br>
? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE<br>++? if (NAS-IP-Address == 127.0.0.1) -> TRUE<br>++- entering if (NAS-IP-Address == 127.0.0.1) {...}<br>[HR] performing user authorization for dave<br>[HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>
[HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)<br>[HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>
rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave)<br>rlm_ldap: object not found<br>[HR] search failed<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>+++[HR] returns notfound<br>++- if (NAS-IP-Address == 127.0.0.1) returns notfound<br>
++ ... skipping else for request 2: Preceding "if" was taken<br>[eap] EAP packet type response id 2 length 117<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br> TLS Length 107<br>[peap] Length Included<br>[peap] eaptls_verify returned 11<br>[peap] (other): before/accept initialization<br>
[peap] TLS_accept: before/accept initialization<br>[peap] <<< TLS 1.0 Handshake [length 0066], ClientHello<br>[peap] TLS_accept: SSLv3 read client hello A<br>[peap] >>> TLS 1.0 Handshake [length 0035], ServerHello<br>
[peap] TLS_accept: SSLv3 write server hello A<br>[peap] >>> TLS 1.0 Handshake [length 0870], Certificate<br>[peap] TLS_accept: SSLv3 write certificate A<br>[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange<br>
[peap] TLS_accept: SSLv3 write key exchange A<br>[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone<br>[peap] TLS_accept: SSLv3 write server done A<br>[peap] TLS_accept: SSLv3 flush data<br>
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A<br>
In SSL Handshake Phase<br>In SSL Accept mode<br>[peap] eaptls_process returned 13<br>[peap] EAPTLS_HANDLED<br>++[eap] returns handled<br>Sending Access-Challenge of id 2 to 127.0.0.1 port 46032<br> EAP-Message = some value<br>
EAP-Message = "<br> EAP-Message = "<br> EAP-Message = "<br> EAP-Message = 0xb70064119cfc40adfde72ecc<br> Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0xa098c2e9a29bdb6a77937551a6a21d9f<br>Finished request 2.<br>Going to the next request<br>Waking up in 4.9 seconds.<br>rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=3, length=131<br> User-Name = "dave"<br>
NAS-IP-Address = 127.0.0.1<br>Calling-Station-Id = "02-00-00-00-00-01"<br> Framed-MTU = 1400<br> NAS-Port-Type = Wireless-802.11<br> Connect-Info = "CONNECT 11Mbps 802.11b"<br>
EAP-Message = 0x020300061900<br> State = 0xa098c2e9a29bdb6a77937551a6a21d9f<br> Message-Authenticator = 0xc7a295a94c264c2b101dabae43ad8557<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>
++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "dave", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>++? if (NAS-IP-Address == 127.0.0.1)<br>
? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE<br>++? if (NAS-IP-Address == 127.0.0.1) -> TRUE<br>++- entering if (NAS-IP-Address == 127.0.0.1) {...}<br>[HR] performing user authorization for dave<br>[HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>
[HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)<br>[HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>
rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave)<br>rlm_ldap: object not found<br>[HR] search failed<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>+++[HR] returns notfound<br>++- if (NAS-IP-Address == 127.0.0.1) returns notfound<br>
++ ... skipping else for request 3: Preceding "if" was taken<br>[eap] EAP packet type response id 3 length 6<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] Received TLS ACK<br>[peap] ACK handshake fragment handler<br>[peap] eaptls_verify returned 1<br>
[peap] eaptls_process returned 13<br>[peap] EAPTLS_HANDLED<br>++[eap] returns handled<br>Sending Access-Challenge of id 3 to 127.0.0.1 port 46032<br> EAP-Message = <br> EAP-Message = <br>
EAP-Message =<br>
EAP-Message =<br>
EAP-Message = 0x30c3456c19147657<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xa098c2e9a39cdb6a77937551a6a21d9f<br>Finished request 3.<br>Going to the next request<br>
Waking up in 4.9 seconds.<br>
rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=4, length=131<br> User-Name = "dave"<br> NAS-IP-Address = 127.0.0.1<br> Calling-Station-Id = "02-00-00-00-00-01"<br>
Framed-MTU = 1400<br> NAS-Port-Type = Wireless-802.11<br> Connect-Info = "CONNECT 11Mbps 802.11b"<br> EAP-Message = 0x020400061900<br> State = 0xa098c2e9a39cdb6a77937551a6a21d9f<br>
Message-Authenticator = 0x64a3ceaa178064f424d2830f6d59ade4<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "dave", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>++? if (NAS-IP-Address == 127.0.0.1)<br>? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE<br>++? if (NAS-IP-Address == 127.0.0.1) -> TRUE<br>++- entering if (NAS-IP-Address == 127.0.0.1) {...}<br>
[HR] performing user authorization for dave<br>[HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>[HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)<br>
[HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave)<br>
rlm_ldap: object not found<br>[HR] search failed<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>+++[HR] returns notfound<br>++- if (NAS-IP-Address == 127.0.0.1) returns notfound<br>++ ... skipping else for request 4: Preceding "if" was taken<br>
[eap] EAP packet type response id 4 length 6<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>
[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] Received TLS ACK<br>[peap] ACK handshake fragment handler<br>[peap] eaptls_verify returned 1<br>[peap] eaptls_process returned 13<br>[peap] EAPTLS_HANDLED<br>
++[eap] returns handled<br>Sending Access-Challenge of id 4 to 127.0.0.1 port 46032<br> EAP-Message =<br>
EAP-Message =<br>
EAP-Message =<br>
Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xa098c2e9a49ddb6a77937551a6a21d9f<br>Finished request 4.<br><br>Waking up in 4.9 seconds.<br>
rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=5, length=333<br> User-Name = "dave"<br> NAS-IP-Address = 127.0.0.1<br> Calling-Station-Id = "02-00-00-00-00-01"<br>
Framed-MTU = 1400<br> NAS-Port-Type = Wireless-802.11<br> Connect-Info = "CONNECT 11Mbps 802.11b"<br> EAP-Message = <br>
State = 0xa098c2e9a49ddb6a77937551a6a21d9f<br> Message-Authenticator = 0xa3cadaf5d585e4499d7e2d587f9924ae<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>
[suffix] No '@' in User-Name = "dave", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>++? if (NAS-IP-Address == 127.0.0.1)<br>? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE<br>
++? if (NAS-IP-Address == 127.0.0.1) -> TRUE<br>++- entering if (NAS-IP-Address == 127.0.0.1) {...}<br>[HR] performing user authorization for dave<br>[HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>
[HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)<br>[HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>
rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave)<br>rlm_ldap: object not found<br>[HR] search failed<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>+++[HR] returns notfound<br>++- if (NAS-IP-Address == 127.0.0.1) returns notfound<br>
++ ... skipping else for request 5: Preceding "if" was taken<br>[eap] EAP packet type response id 5 length 208<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br> TLS Length 198<br>[peap] Length Included<br>[peap] eaptls_verify returned 11<br>[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange<br>
[peap] TLS_accept: SSLv3 read client key exchange A<br>[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]<br>[peap] <<< TLS 1.0 Handshake [length 0010], Finished<br>[peap] TLS_accept: SSLv3 read finished A<br>
[peap] >>> TLS 1.0 Handshake [length 00aa]???<br>[peap] TLS_accept: SSLv3 write session ticket A<br>[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]<br>[peap] TLS_accept: SSLv3 write change cipher spec A<br>
[peap] >>> TLS 1.0 Handshake [length 0010], Finished<br>[peap] TLS_accept: SSLv3 write finished A<br>[peap] TLS_accept: SSLv3 flush data<br>[peap] (other): SSL negotiation finished successfully<br>SSL Connection Established<br>
[peap] eaptls_process returned 13<br>[peap] EAPTLS_HANDLED<br>++[eap] returns handled<br>Sending Access-Challenge of id 5 to 127.0.0.1 port 46032<br> EAP-Message = <br>
Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xa098c2e9a59edb6a77937551a6a21d9f<br>Finished request 5.<br>Going to the next request<br>Waking up in 4.9 seconds.<br>rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=6, length=131<br>
User-Name = "dave"<br> NAS-IP-Address = 127.0.0.1<br> Calling-Station-Id = "02-00-00-00-00-01"<br> Framed-MTU = 1400<br> NAS-Port-Type = Wireless-802.11<br> Connect-Info = "CONNECT 11Mbps 802.11b"<br>
EAP-Message = 0x020600061900<br> State = 0xa098c2e9a59edb6a77937551a6a21d9f<br> Message-Authenticator = 0x7aeef64b2758737cbc8720c0dafbeca6<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>
++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "dave", looking up realm NULL<br>[suffix] No such realm "NULL"<br>rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=0, length=116<br>
User-Name = "dave"<br> NAS-IP-Address = 127.0.0.1<br> Calling-Station-Id = "02-00-00-00-00-01"<br> Framed-MTU = 1400<br> NAS-Port-Type = Wireless-802.11<br> Connect-Info = "CONNECT 11Mbps 802.11b"<br>
EAP-Message = 0x020000090164617665<br> Message-Authenticator = 0x1eb24decc31fcd482762d37920cb6f5d<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>
[suffix] No '@' in User-Name = "dave", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>++? if (NAS-IP-Address == 127.0.0.1)<br>? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE<br>
++? if (NAS-IP-Address == 127.0.0.1) -> TRUE<br>++- entering if (NAS-IP-Address == 127.0.0.1) {...}<br>[HR] performing user authorization for dave<br>[HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>
[HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)<br>[HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>
rlm_ldap: attempting LDAP reconnection<br>rlm_ldap: (re)connect to <a href="http://127.0.0.1:389" target="_blank">127.0.0.1:389</a>, authentication 0<br>rlm_ldap: bind as cn=Administrator,dc=prateek,dc=com/mypass to <a href="http://127.0.0.1:389" target="_blank">127.0.0.1:389</a><br>
rlm_ldap: waiting for bind result ...<br>rlm_ldap: Bind was successful<br>rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave)<br>rlm_ldap: object not found<br>[HR] search failed<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>
+++[HR] returns notfound<br>++- if (NAS-IP-Address == 127.0.0.1) returns notfound<br>++ ... skipping else for request 0: Preceding "if" was taken<br>[eap] EAP packet type response id 0 length 9<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>
++[eap] returns updated<br>++[unix] returns notfound<br>++[files] returns noop<br>rlm_counter: Entering module authorize code<br>Connect-Info = "CONNECT 11Mbps 802.11b"<br> EAP-Message = <br>
State = 0xa098c2e9a69fdb6a77937551a6a21d9f<br> Message-Authenticator = 0x91d0e9b22d3e6b84caf5e58aeae97b9b<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>
[suffix] No '@' in User-Name = "dave", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>++? if (NAS-IP-Address == 127.0.0.1)<br>? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE<br>
++? if (NAS-IP-Address == 127.0.0.1) -> TRUE<br>++- entering if (NAS-IP-Address == 127.0.0.1) {...}<br>[HR] performing user authorization for dave<br>[HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>
[HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)<br>[HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>
rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave)<br>rlm_ldap: object not found<br>[HR] search failed<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>+++[HR] returns notfound<br>++- if (NAS-IP-Address == 127.0.0.1) returns notfound<br>
++ ... skipping else for request 7: Preceding "if" was taken<br>[eap] EAP packet type response id 7 length 80<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] eaptls_verify returned 7<br>[peap] Done initial handshake<br>[peap] eaptls_process returned 7<br>
[peap] EAPTLS_OK<br>[peap] Session established. Decoding tunneled attributes.<br>[peap] Identity - dave<br>[peap] Got tunneled request<br> EAP-Message = 0x020700090164617665<br>server {<br> PEAP: Got tunneled identity of dave<br>
PEAP: Setting default EAP type for tunneled EAP session.<br> PEAP: Setting User-Name to dave<br>Sending tunneled request<br> EAP-Message = 0x020700090164617665<br> FreeRADIUS-Proxied-To = 127.0.0.1<br> User-Name = "dave"<br>
server inner-tunnel {<br>+- entering group authorize {...}<br>++[chap] returns noop<br>++[mschap] returns noop<br>++[unix] returns notfound<br>[suffix] No '@' in User-Name = "dave", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>++[control] returns noop<br>++? if (NAS-IP-Address == 127.0.0.1)<br> (Attribute NAS-IP-Address was not found) <-----------------------------------------------------------------<br>
++- entering else else {...}<br>[dev] performing user authorization for dave<br>
[dev] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>[dev] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)<br>[dev] expand: ou=development,dc=prateek,dc=com -> ou=development,dc=prateek,dc=com<br>
rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: attempting LDAP reconnection<br>rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0<br>
rlm_ldap: bind as cn=Administrator,dc=prateek,dc=com/mypass to 127.0.0.1:389<br>
rlm_ldap: waiting for bind result ...<br>rlm_ldap: Bind was successful<br>rlm_ldap: performing search in ou=development,dc=prateek,dc=com, with filter (uid=dave)<br>[dev] No default NMAS login sequence<br>[dev] looking for check items in directory...<br>
rlm_ldap: userPassword -> Cleartext-Password := "davesecret"<br>[dev] looking for reply items in directory...<br>[dev] user dave authorized to use remote access<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>
+++[dev] returns ok<br>++- else else returns ok<br>[eap] EAP packet type response id 7 length 9<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>++[files] returns noop<br>
++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] Found existing Auth-Type, not changing it.<br>++[pap] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] EAP Identity<br>
[eap] processing type mschapv2<br>rlm_eap_mschapv2: Issuing Challenge<br>++[eap] returns handled<br>} # server inner-tunnel<br>[peap] Got tunneled reply code 11<br> EAP-Message = <br>
Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x1b9d7bc71b9561595ab9d2c73552e623<br>[peap] Got tunneled reply RADIUS code 11<br> EAP-Message =<br>
Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x1b9d7bc71b9561595ab9d2c73552e623<br>[peap] Got tunneled Access-Challenge<br>++[eap] returns handled<br>Sending Access-Challenge of id 7 to 127.0.0.1 port 46032<br>
EAP-Message = <br> Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0xa098c2e9a790db6a77937551a6a21d9f<br>Finished request 7.<br>Going to the next request<br>Waking up in 4.9 seconds.<br>rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=8, length=269<br> User-Name = "dave"<br>
NAS-IP-Address = 127.0.0.1<br> Calling-Station-Id = "02-00-00-00-00-01"<br> Framed-MTU = 1400<br> NAS-Port-Type = Wireless-802.11<br> Connect-Info = "CONNECT 11Mbps 802.11b"<br>
EAP-Message =<br>
State = 0xa098c2e9a790db6a77937551a6a21d9f<br> Message-Authenticator = 0x5b313677254c02c3556f0d2067e4922d<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>
[suffix] No '@' in User-Name = "dave", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>++? if (NAS-IP-Address == 127.0.0.1)<br>? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE<br>
++? if (NAS-IP-Address == 127.0.0.1) -> TRUE<br>++- entering if (NAS-IP-Address == 127.0.0.1) {...}<br>[HR] performing user authorization for dave<br>[HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>
[HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)<br>[HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>
rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave)<br>rlm_ldap: object not found<br>[HR] search failed<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>+++[HR] returns notfound<br>++- if (NAS-IP-Address == 127.0.0.1) returns notfound<br>
++ ... skipping else for request 8: Preceding "if" was taken<br>[eap] EAP packet type response id 8 length 144<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] eaptls_verify returned 7<br>[peap] Done initial handshake<br>[peap] eaptls_process returned 7<br>
[peap] EAPTLS_OK<br>[peap] Session established. Decoding tunneled attributes.<br>[peap] EAP type mschapv2<br>[peap] Got tunneled request<br> EAP-Message = <br>
server {<br> PEAP: Setting User-Name to dave<br>Sending tunneled request<br> EAP-Message = <br>
FreeRADIUS-Proxied-To = 127.0.0.1<br> User-Name = "dave"<br> State = 0x1b9d7bc71b9561595ab9d2c73552e623<br>server inner-tunnel {<br>+- entering group authorize {...}<br>++[chap] returns noop<br>
++[mschap] returns noop<br>++[unix] returns notfound<br>[suffix] No '@' in User-Name = "dave", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>++[control] returns noop<br>
++? if (NAS-IP-Address == 127.0.0.1)<br> (Attribute NAS-IP-Address was not found) <-----<br>++- entering else else {...}<br>
[dev] performing user authorization for dave<br>
[dev] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>
[dev] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)<br>[dev] expand: ou=development,dc=prateek,dc=com -> ou=development,dc=prateek,dc=com<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>
rlm_ldap: performing search in ou=development,dc=prateek,dc=com, with filter (uid=dave)<br>[dev] No default NMAS login sequence<br>[dev] looking for check items in directory...<br>rlm_ldap: userPassword -> Cleartext-Password := "davesecret"<br>
[dev] looking for reply items in directory...<br>[dev] user dave authorized to use remote access<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>+++[dev] returns ok<br>++- else else returns ok<br>[eap] EAP packet type response id 8 length 63<br>
[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>++[files] returns noop<br>++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] Found existing Auth-Type, not changing it.<br>
++[pap] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/mschapv2<br>[eap] processing type mschapv2<br>[mschapv2] +- entering group MS-CHAP {...}<br>
[mschap] Told to do MS-CHAPv2 for dave with NT-Password<br>[mschap] adding MS-CHAPv2 MPPE keys<br>++[mschap] returns ok<br>MSCHAP Success<br>++[eap] returns handled<br>} # server inner-tunnel<br>[peap] Got tunneled reply code 11<br>
EAP-Message =<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x1b9d7bc71a9461595ab9d2c73552e623<br>
[peap] Got tunneled reply RADIUS code 11<br> EAP-Message = <br> Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x1b9d7bc71a9461595ab9d2c73552e623<br>[peap] Got tunneled Access-Challenge<br>++[eap] returns handled<br>Sending Access-Challenge of id 8 to 127.0.0.1 port 46032<br> EAP-Message =<br>
Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xa098c2e9a891db6a77937551a6a21d9f<br>Finished request 8.<br>Going to the next request<br>Waking up in 4.9 seconds.<br>rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=9, length=205<br>
User-Name = "dave"<br> NAS-IP-Address = 127.0.0.1<br> Calling-Station-Id = "02-00-00-00-00-01"<br> Framed-MTU = 1400<br> NAS-Port-Type = Wireless-802.11<br> Connect-Info = "CONNECT 11Mbps 802.11b"<br>
EAP-Message =<br>
Message-Authenticator = 0x1e2153de29daf702780bb061ae5a1281<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "dave", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>++? if (NAS-IP-Address == 127.0.0.1)<br>? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE<br>++? if (NAS-IP-Address == 127.0.0.1) -> TRUE<br>++- entering if (NAS-IP-Address == 127.0.0.1) {...}<br>
[HR] performing user authorization for dave<br>[HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>[HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)<br>
[HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave)<br>
rlm_ldap: object not found<br>[HR] search failed<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>+++[HR] returns notfound<br>++- if (NAS-IP-Address == 127.0.0.1) returns notfound<br>++ ... skipping else for request 9: Preceding "if" was taken<br>
[eap] EAP packet type response id 9 length 80<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>
[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] eaptls_verify returned 7<br>[peap] Done initial handshake<br>[peap] eaptls_process returned 7<br>[peap] EAPTLS_OK<br>[peap] Session established. Decoding tunneled attributes.<br>
[peap] EAP type mschapv2<br>[peap] Got tunneled request<br> EAP-Message = 0x020900061a03<br>server {<br> PEAP: Setting User-Name to dave<br>Sending tunneled request<br> EAP-Message = 0x020900061a03<br> FreeRADIUS-Proxied-To = 127.0.0.1<br>
User-Name = "dave"<br> State = 0x1b9d7bc71a9461595ab9d2c73552e623<br>server inner-tunnel {<br>+- entering group authorize {...}<br>++[chap] returns noop<br>++[mschap] returns noop<br>++[unix] returns notfound<br>
[suffix] No '@' in User-Name = "dave", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>++[control] returns noop<br>++? if (NAS-IP-Address == 127.0.0.1)<br>
(Attribute NAS-IP-Address was not found) <-----------------------------------------------------------------------------------------------------<br>
++- entering else else {...}<br>[dev] performing user authorization for dave<br>[dev] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>[dev] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)<br>
[dev] expand: ou=development,dc=prateek,dc=com -> ou=development,dc=prateek,dc=com<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: performing search in ou=development,dc=prateek,dc=com, with filter (uid=dave)<br>
[dev] No default NMAS login sequence<br>[dev] looking for check items in directory...<br>rlm_ldap: userPassword -> Cleartext-Password := "davesecret"<br>[dev] looking for reply items in directory...<br>[dev] user dave authorized to use remote access<br>
rlm_ldap: ldap_release_conn: Release Id: 0<br>+++[dev] returns ok<br>++- else else returns ok<br>[eap] EAP packet type response id 9 length 6<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>
++[files] returns noop<br>++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] Found existing Auth-Type, not changing it.<br>++[pap] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>[eap] EAP/mschapv2<br>[eap] processing type mschapv2<br>[eap] Freeing handler<br>++[eap] returns ok<br>} # server inner-tunnel<br>[peap] Got tunneled reply code 2<br> EAP-Message = 0x03090004<br>
Message-Authenticator = 0x00000000000000000000000000000000<br> User-Name = "dave"<br>[peap] Got tunneled reply RADIUS code 2<br> EAP-Message = 0x03090004<br> Message-Authenticator = 0x00000000000000000000000000000000<br>
User-Name = "dave"<br>[peap] Tunneled authentication was successful.<br>[peap] SUCCESS<br>++[eap] returns handled<br>Sending Access-Challenge of id 9 to 127.0.0.1 port 46032<br> EAP-Message = <br>
Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xa098c2e9a992db6a77937551a6a21d9f<br>Finished request 9<br>rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=10, length=221<br>
User-Name = "dave"<br> NAS-IP-Address = 127.0.0.1<br> Calling-Station-Id = "02-00-00-00-00-01"<br> Framed-MTU = 1400<br> NAS-Port-Type = Wireless-802.11<br> Connect-Info = "CONNECT 11Mbps 802.11b"<br>
EAP-Message = <br>
Message-Authenticator = 0x8ab3c117c8c59031dd6294781bd2de68<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "dave", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>++? if (NAS-IP-Address == 127.0.0.1)<br>? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE<br>++? if (NAS-IP-Address == 127.0.0.1) -> TRUE<br>++- entering if (NAS-IP-Address == 127.0.0.1) {...}<br>
[HR] performing user authorization for dave<br>[HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>[HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)<br>
[HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave)<br>
rlm_ldap: object not found<br>[HR] search failed<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>+++[HR] returns notfound<br>++- if (NAS-IP-Address == 127.0.0.1) returns notfound<br>++ ... skipping else for request 10: Preceding "if" was taken<br>
[eap] EAP packet type response id 10 length 96<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>
[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] eaptls_verify returned 7<br>[peap] Done initial handshake<br>[peap] eaptls_process returned 7<br>[peap] EAPTLS_OK<br>[peap] Session established. Decoding tunneled attributes.<br>
[peap] Received EAP-TLV response.<br>[peap] Success<br>[eap] Freeing handler<br>++[eap] returns ok<br>+- entering group post-auth {...}<br>++[exec] returns noop<br>Sending Access-Accept of id 10 to 127.0.0.1 port 46032<br>
<br>
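Added example (editor's note, not part of Prateek's post or his configuration). The debug output above shows why the inner-tunnel condition fails: when PEAP hands the tunnelled EAP-MSCHAPv2 exchange to the inner-tunnel virtual server it builds a fresh request carrying only EAP-Message, FreeRADIUS-Proxied-To, User-Name and State ("Sending tunneled request"), so the outer NAS-IP-Address is simply not present there. The condition then reports "Attribute NAS-IP-Address was not found", the else branch runs, and the dev OU is searched for every PEAP user no matter which AP they came from. The outer default server does see NAS-IP-Address, but for PEAP it only handles the TLS handshake; the password check happens in inner-tunnel, so that is where the OU selection has to be correct. The fragment below is an inner-tunnel authorize section written for FreeRADIUS 2.x unlang, where the outer Access-Request is reachable as the outer.request list. The 192.0.2.10 address for the dev AP is an assumed placeholder; the HR and dev module names and the 127.0.0.1 HR address are taken from the post.<br>

```unlang
# sites-available/inner-tunnel, authorize section.
# Added example, not the original poster's configuration.
# Assumes FreeRADIUS 2.x unlang; "outer.request:" refers to the
# Access-Request that carried the PEAP tunnel (the packet that
# actually contains NAS-IP-Address).
authorize {
    chap
    mschap
    unix
    suffix
    control

    # As posted, this condition cannot match inside the tunnel, because
    # the inner request has no NAS-IP-Address at all. The else branch
    # is therefore taken for every user and "dev" is searched:
    #
    #   if (NAS-IP-Address == 127.0.0.1) {
    #       HR
    #   }
    #   else {
    #       dev
    #   }

    # Corrected: compare the NAS address from the outer request, and
    # reject explicitly when the user is not in the OU that belongs to
    # that AP. A lookup that returns notfound must not fall through to
    # another OU, and a NAS that is not listed must not match anything.
    if (outer.request:NAS-IP-Address == 127.0.0.1) {
        HR
        if (notfound) {
            reject
        }
    }
    elsif (outer.request:NAS-IP-Address == 192.0.2.10) {   # assumed dev AP
        dev
        if (notfound) {
            reject
        }
    }
    else {
        # Unknown AP, or no NAS-IP-Address in the outer request either.
        reject
    }

    eap {
        ok = return
    }
    files
    expiration
    logintime
    pap
}
```

Two caveats a practitioner would want. First, NAS-IP-Address is whatever the NAS chose to put in the packet; if the goal is to tie an OU to a specific access point, the source of the Access-Request (Packet-Src-IP-Address in 2.x) or the client definition it matched is a stronger key than a self-reported attribute. Second, an alternative to outer.request is copy_request_to_tunnel = yes in the peap section of eap.conf, which copies the outer attributes into the inner request so the original condition would see NAS-IP-Address; either way, keep the explicit reject in the fallthrough branch, since the failure mode in the log is an authorization that succeeds for the wrong reason.<br>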