Hello,<br><br>I'm using FreeRADIUS version 2.1.10 <br><br>I would like to return different values of a personal attribute (Codigo-Reject) in an Access-Reject. I would like to do this in PEAPv0, EAP-TTLS-PAP and EAP-TTLS-MsCHAPv2 <br>
<br>With my configuration I can return Codigo-Reject in EAP-TTLS-PAP and EAP-TTLS-MsCHAPv2 but I can't in PEAP.<br><br>My config:<br><br><br>cat /etc/freeradius/users<br>...<br><br>DEFAULT Intentos-Reject > 10, Auth-Type := Reject<br>
Reply-Message += "NUMERO DE INTENTOS FALLIDOS (%{Intentos-Reject}) EXCEDIDO PARA %{%{Stripped-User-Name}:-%{User-Name}}",<br> Codigo-Reject = Cuenta-Bloqueada-Intentos-Reject,<br>
Fall-Through = yes<br>
...<br><br><br>cat /etc/freeradius/sites-enabled/e<br><br>server e {<br>authorize {<br> auth_log<br> suffix<br> files<br> eap {<br> ok = return<br> }<br>}<br><br>authenticate {<br> eap<br>}<br><br>post-auth {<br>
...<br><br> Post-Auth-Type REJECT {<br> update reply {<br> Codigo-Reject = Credenciales-Erroneas<br> }<br><br> sql{<br> fail=1<br> }<br><br> if (fail) {<br> ...<br>}<br><br>} #server e<br>
<br><br><br>cat /etc/freeradius/sites-enabled/inner-tunnel <br><br>server inner-tunnel {<br><br>authorize {<br> update outer.request {<br> User-Name := "%u"<br> }<br> mschap<br> auth_log<br> suffix<br> update control {<br>
Proxy-To-Realm := LOCAL<br> }<br> eap {<br> ok = return<br> }<br><br> if ("%{Realm}"=='test.es'){<br> update request {<br> Intentos-Reject = "%{sql:SELECT COUNT(*) from radpostauth WHERE username = '%{User-Name}' AND authdate > CURRENT_DATE and reply = 'Access-Reject'}"<br>
Intentos-Reject += "%{sqlradiusba:SELECT COUNT(*) from radpostauth WHERE username = '%{User-Name}' AND authdate > CURRENT_DATE and reply = 'Access-Reject'}"<br> }<br> }<br><br> files<br>
<br> if ("%{control:Auth-Type}" == 'Reject') {<br> update outer.reply {<br> Codigo-Reject = "%{reply:Codigo-Reject}"<br> }<br> reject<br> }<br> ...<br><br> pap<br>}<br><br>authenticate {<br>
Auth-Type PAP {<br> pap<br> }<br><br> Auth-Type MS-CHAP {<br> mschap<br> }<br><br> eap<br>}<br><br>post-auth {<br> sql{<br> fail=1<br> }<br> if (fail) {<br> ...<br> }<br> reply_log<br><br>}<br><br>
} # -inner-tunnel server block<br>
<br><br>LOG EAP-TTLS-PAP:<br><br>Fri Aug 24 13:37:07 2012 : Info: [ttls] Got tunneled request<br> User-Name = "<a href="mailto:prueba@test.es">prueba@test.es</a>"<br> User-Password = "530"<br> FreeRADIUS-Proxied-To = 127.0.0.1<br>
Fri Aug 24 13:37:07 2012 : Info: [ttls] Sending tunneled request<br> User-Name = "<a href="mailto:prueba@test.es">prueba@test.es</a>"<br> User-Password = "530"<br> FreeRADIUS-Proxied-To = 127.0.0.1<br>
NAS-IP-Address = 127.0.0.1<br> Calling-Station-Id = "02:00:00:00:00:01"<br> Framed-MTU = 1400<br> NAS-Port-Type = Wireless-802.11<br> Connect-Info = "CONNECT 11Mbps 802.11b"<br>server inner-tunnel {<br>
Fri Aug 24 13:37:07 2012 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel<br>Fri Aug 24 13:37:07 2012 : Info: +- entering group authorize {...}<br>Fri Aug 24 13:37:07 2012 : Info: expand: %u -> <a href="mailto:prueba@test.es">prueba@test.es</a><br>
Fri Aug 24 13:37:07 2012 : Info: ++[outer.request] returns notfound<br>Fri Aug 24 13:37:07 2012 : Info: ++[mschap] returns noop<br>Fri Aug 24 13:37:07 2012 : Info: [auth_log] expand: /var/log/freeradius/radacct/%Y/%m/%d/%{Client-IP-Address}-auth-detail-%Y%m%d -> /var/log/freeradius/radacct/2012/08/24/1.2.3.4-auth-detail-20120824<br>
Fri Aug 24 13:37:07 2012 : Info: [auth_log] /var/log/freeradius/radacct/%Y/%m/%d/%{Client-IP-Address}-auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/2012/08/24/1.2.3.4-auth-detail-20120824<br>Fri Aug 24 13:37:07 2012 : Info: [auth_log] expand: %t -> Fri Aug 24 13:37:07 2012<br>
Fri Aug 24 13:37:07 2012 : Info: ++[auth_log] returns ok<br>Fri Aug 24 13:37:07 2012 : Info: [suffix] Looking up realm "<a href="http://test.es">test.es</a>" for User-Name = "<a href="mailto:prueba@test.es">prueba@test.es</a>"<br>
Fri Aug 24 13:37:07 2012 : Info: [suffix] Found realm "<a href="http://test.es">test.es</a>"<br>Fri Aug 24 13:37:07 2012 : Info: [suffix] Adding Stripped-User-Name = "prueba"<br>Fri Aug 24 13:37:07 2012 : Info: [suffix] Adding Realm = "<a href="http://test.es">test.es</a>"<br>
Fri Aug 24 13:37:07 2012 : Info: [suffix] Authentication realm is LOCAL.<br>Fri Aug 24 13:37:07 2012 : Info: ++[suffix] returns ok<br>Fri Aug 24 13:37:07 2012 : Info: ++[control] returns ok<br>Fri Aug 24 13:37:07 2012 : Info: [eap] No EAP-Message, not doing EAP<br>
Fri Aug 24 13:37:07 2012 : Info: ++[eap] returns noop<br>Fri Aug 24 13:37:07 2012 : Info: ++? if ("%{Realm}"=='<a href="http://test.es">test.es</a>')<br>Fri Aug 24 13:37:07 2012 : Info: expand: %{Realm} -> <a href="http://test.es">test.es</a><br>
Fri Aug 24 13:37:07 2012 : Info: ?? Evaluating ("%{Realm}"=='<a href="http://test.es">test.es</a>') -> TRUE<br>Fri Aug 24 13:37:07 2012 : Info: ++? if ("%{Realm}"=='<a href="http://test.es">test.es</a>') -> TRUE<br>
Fri Aug 24 13:37:07 2012 : Info: ++- entering if ("%{Realm}"=='<a href="http://test.es">test.es</a>') {...}<br>Fri Aug 24 13:37:07 2012 : Info: sql_xlat<br>Fri Aug 24 13:37:07 2012 : Info: expand: %{Stripped-User-Name} -> prueba<br>
Fri Aug 24 13:37:07 2012 : Info: expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> prueba<br>Fri Aug 24 13:37:07 2012 : Info: sql_set_user escaped user --> 'prueba'<br>Fri Aug 24 13:37:07 2012 : Info: expand: SELECT COUNT(*) from radpostauth WHERE username = '%{User-Name}' AND authdate > CURRENT_DATE and reply = 'Access-Reject' -> SELECT COUNT(*) from radpostauth WHERE username = '<a href="mailto:prueba@test.es">prueba@test.es</a>' AND authdate > CURRENT_DATE and reply = 'Access-Reject'<br>
Fri Aug 24 13:37:07 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 3<br>Fri Aug 24 13:37:07 2012 : Info: sql_xlat finished<br>Fri Aug 24 13:37:07 2012 : Debug: rlm_sql (sql): Released sql socket id: 3<br>Fri Aug 24 13:37:07 2012 : Info: expand: %{sql:SELECT COUNT(*) from radpostauth WHERE username = '%{User-Name}' AND authdate > CURRENT_DATE and reply = 'Access-Reject'} -> 26<br>
Fri Aug 24 13:37:07 2012 : Info: sql_xlat<br>Fri Aug 24 13:37:07 2012 : Info: expand: %{Stripped-User-Name} -> prueba<br>Fri Aug 24 13:37:07 2012 : Info: expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> prueba<br>
Fri Aug 24 13:37:07 2012 : Info: sql_set_user escaped user --> 'prueba'<br>Fri Aug 24 13:37:07 2012 : Info: expand: SELECT COUNT(*) from radpostauth WHERE username = '%{User-Name}' AND authdate > CURRENT_DATE and reply = 'Access-Reject' -> SELECT COUNT(*) from radpostauth WHERE username = '<a href="mailto:prueba@test.es">prueba@test.es</a>' AND authdate > CURRENT_DATE and reply = 'Access-Reject'<br>
Fri Aug 24 13:37:07 2012 : Debug: rlm_sql (sqlradiusba): Reserving sql socket id: 4<br>Fri Aug 24 13:37:08 2012 : Info: sql_xlat finished<br>Fri Aug 24 13:37:08 2012 : Debug: rlm_sql (sqlradiusba): Released sql socket id: 4<br>
Fri Aug 24 13:37:08 2012 : Info: expand: %{sqlradiusba:SELECT COUNT(*) from radpostauth WHERE username = '%{User-Name}' AND authdate > CURRENT_DATE and reply = 'Access-Reject'} -> 0<br>Fri Aug 24 13:37:08 2012 : Info: +++[request] returns noop<br>
Fri Aug 24 13:37:08 2012 : Info: ++- if ("%{Realm}"=='<a href="http://test.es">test.es</a>') returns noop<br>Fri Aug 24 13:37:08 2012 : Info: [files] users: Matched entry DEFAULT at line 29<br>Fri Aug 24 13:37:08 2012 : Info: [files] expand: %{Stripped-User-Name} -> prueba<br>
Fri Aug 24 13:37:08 2012 : Info: [files] expand: NUMERO DE INTENTOS FALLIDOS (%{Intentos-Reject}) EXCEDIDO PARA %{%{Stripped-User-Name}:-%{User-Name}} -> NUMERO DE INTENTOS FALLIDOS (26) EXCEDIDO PARA prueba<br>Fri Aug 24 13:37:08 2012 : Info: [files] users: Matched entry DEFAULT at line 36<br>
Fri Aug 24 13:37:08 2012 : Info: ++[files] returns ok<br>Fri Aug 24 13:37:08 2012 : Info: ++? if ("%{control:Auth-Type}" == 'Reject')<br>Fri Aug 24 13:37:08 2012 : Info: expand: %{control:Auth-Type} -> Reject<br>
Fri Aug 24 13:37:08 2012 : Info: ? Evaluating ("%{control:Auth-Type}" == 'Reject') -> TRUE<br>Fri Aug 24 13:37:08 2012 : Info: ++? if ("%{control:Auth-Type}" == 'Reject') -> TRUE<br>
Fri Aug 24 13:37:08 2012 : Info: ++- entering if ("%{control:Auth-Type}" == 'Reject') {...}<br>Fri Aug 24 13:37:08 2012 : Info: expand: %{reply:Codigo-Reject} -> Cuenta-Bloqueada-Intentos-Reject<br>
Fri Aug 24 13:37:08 2012 : Info: +++[outer.reply] returns ok<br>Fri Aug 24 13:37:08 2012 : Info: +++[reject] returns reject<br>Fri Aug 24 13:37:08 2012 : Info: ++- if ("%{control:Auth-Type}" == 'Reject') returns reject<br>
} # server inner-tunnel<br>Fri Aug 24 13:37:08 2012 : Info: [ttls] Got tunneled reply code 3<br> Reply-Message += "NUMERO DE INTENTOS FALLIDOS (26) EXCEDIDO PARA prueba"<br> Codigo-Reject = Cuenta-Bloqueada-Intentos-Reject<br>
Fri Aug 24 13:37:08 2012 : Info: [ttls] Got tunneled Access-Reject<br>Fri Aug 24 13:37:08 2012 : Info: [eap] Handler failed in EAP/ttls<br>Fri Aug 24 13:37:08 2012 : Info: [eap] Failed in EAP select<br>Fri Aug 24 13:37:08 2012 : Info: ++[eap] returns invalid<br>
Fri Aug 24 13:37:08 2012 : Info: Failed to authenticate the user.<br>Fri Aug 24 13:37:08 2012 : Info: } # server <br>Fri Aug 24 13:37:08 2012 : Info: Using Post-Auth-Type Reject<br>Fri Aug 24 13:37:08 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/<br>
Fri Aug 24 13:37:08 2012 : Info: +- entering group REJECT {...}<br>Fri Aug 24 13:37:08 2012 : Info: ++[reply] returns noop<br>Fri Aug 24 13:37:08 2012 : Info: [sql] expand: %{Stripped-User-Name} -> <br>Fri Aug 24 13:37:08 2012 : Info: [sql] ... expanding second conditional<br>
Fri Aug 24 13:37:08 2012 : Info: [sql] expand: %{User-Name} -> <a href="mailto:prueba@test.es">prueba@test.es</a><br>Fri Aug 24 13:37:08 2012 : Info: [sql] expand: %{%{User-Name}:-DEFAULT} -> <a href="mailto:prueba@test.es">prueba@test.es</a><br>
Fri Aug 24 13:37:08 2012 : Info: [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> <a href="mailto:prueba@test.es">prueba@test.es</a><br>Fri Aug 24 13:37:08 2012 : Info: [sql] sql_set_user escaped user --> '<a href="mailto:prueba@test.es">prueba@test.es</a>'<br>
Fri Aug 24 13:37:08 2012 : Info: [sql] expand: INSERT INTO radpostauth (username, mac, client, reply, authdate,codreject,radauth) VALUES ( LOWER('%{User-Name}'), LOWER('%i'), '%C', '%{reply:Packet-Type}', NOW(), '%{reply:Codigo-Reject}','radiuscc') -> INSERT INTO radpostauth (username, mac, client, reply, authdate,codreject,radauth) VALUES ( LOWER('<a href="mailto:prueba@test.es">prueba@test.es</a>'), LOWER('02:00:00:00:00:01'), 'CAU1', 'Access-Reject', NOW(), 'Cuenta-Bloqueada-Intentos-Reject','radiuscc')<br>
Fri Aug 24 13:37:08 2012 : Debug: rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, mac, client, reply, authdate,codreject,radauth) VALUES ( LOWER('<a href="mailto:prueba@test.es">prueba@test.es</a>'), LOWER('02:00:00:00:00:01'), 'CAU1', 'Access-Reject', NOW(), 'Cuenta-Bloqueada-Intentos-Reject','radiuscc')<br>
Fri Aug 24 13:37:08 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 2<br>Fri Aug 24 13:37:08 2012 : Debug: rlm_sql (sql): Released sql socket id: 2<br>Fri Aug 24 13:37:08 2012 : Info: ++[sql] returns ok<br>Fri Aug 24 13:37:08 2012 : Info: ++? if (fail)<br>
Fri Aug 24 13:37:08 2012 : Info: ? Evaluating (fail) -> FALSE<br>Fri Aug 24 13:37:08 2012 : Info: ++? if (fail) -> FALSE<br>Sending Access-Reject of id 8 to 1.2.3.4 port 53575<br> Codigo-Reject = Cuenta-Bloqueada-Intentos-Reject<br>
EAP-Message = 0x04080004<br> Message-Authenticator = 0x00000000000000000000000000000000<br><br><br><br><br>LOG PEAP:<br><br>Fri Aug 24 13:20:41 2012 : Debug: PEAP: Setting User-Name to <a href="mailto:prueba@test.es">prueba@test.es</a><br>
Sending tunneled request<br> EAP-Message = 0x0208001501303237343736333240756e65782e6573<br> FreeRADIUS-Proxied-To = 127.0.0.1<br> User-Name = "<a href="mailto:prueba@test.es">prueba@test.es</a>"<br> NAS-IP-Address = 2.2.2.2<br>
NAS-Port-Type = Wireless-802.11<br> NAS-Port = 2<br> Framed-MTU = 1400<br> Calling-Station-Id = "C4:46:19:75:7B:B1"<br> Called-Station-Id = "00-18-6E-D0-EC-04"<br> NAS-Identifier = "Enterprise Wireless AP"<br>
server inner-tunnel {<br>Fri Aug 24 13:20:41 2012 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel<br>Fri Aug 24 13:20:41 2012 : Info: +- entering group authorize {...}<br>Fri Aug 24 13:20:41 2012 : Info: expand: %u -> <a href="mailto:prueba@test.es">prueba@test.es</a><br>
Fri Aug 24 13:20:41 2012 : Info: ++[outer.request] returns notfound<br>Fri Aug 24 13:20:41 2012 : Info: ++[mschap] returns noop<br>Fri Aug 24 13:20:41 2012 : Info: [auth_log] expand: /var/log/freeradius/radacct/%Y/%m/%d/%{Client-IP-Address}-auth-detail-%Y%m%d -> /var/log/freeradius/radacct/2012/08/24/2.2.2.2-auth-detail-20120824<br>
Fri Aug 24 13:20:41 2012 : Info: [auth_log] /var/log/freeradius/radacct/%Y/%m/%d/%{Client-IP-Address}-auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/2012/08/24/2.2.2.2-auth-detail-20120824<br>Fri Aug 24 13:20:41 2012 : Info: [auth_log] expand: %t -> Fri Aug 24 13:20:41 2012<br>
Fri Aug 24 13:20:41 2012 : Info: ++[auth_log] returns ok<br>Fri Aug 24 13:20:41 2012 : Info: [suffix] Looking up realm "<a href="http://test.es">test.es</a>" for User-Name = "<a href="mailto:prueba@test.es">prueba@test.es</a>"<br>
Fri Aug 24 13:20:41 2012 : Info: [suffix] Found realm "<a href="http://test.es">test.es</a>"<br>Fri Aug 24 13:20:41 2012 : Info: [suffix] Adding Stripped-User-Name = "prueba"<br>Fri Aug 24 13:20:41 2012 : Info: [suffix] Adding Realm = "<a href="http://test.es">test.es</a>"<br>
Fri Aug 24 13:20:41 2012 : Info: [suffix] Authentication realm is LOCAL.<br>Fri Aug 24 13:20:41 2012 : Info: ++[suffix] returns ok<br>Fri Aug 24 13:20:41 2012 : Info: ++[control] returns ok<br>Fri Aug 24 13:20:41 2012 : Info: [eap] EAP packet type response id 8 length 21<br>
Fri Aug 24 13:20:41 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation<br>Fri Aug 24 13:20:41 2012 : Info: ++[eap] returns updated<br>Fri Aug 24 13:20:41 2012 : Info: ++? if ("%{Realm}"=='<a href="http://test.es">test.es</a>')<br>
Fri Aug 24 13:20:41 2012 : Info: expand: %{Realm} -> <a href="http://test.es">test.es</a><br>Fri Aug 24 13:20:41 2012 : Info: ?? Evaluating ("%{Realm}"=='<a href="http://test.es">test.es</a>') -> TRUE<br>
Fri Aug 24 13:20:41 2012 : Info: ++? if ("%{Realm}"=='<a href="http://test.es">test.es</a>') -> TRUE<br>Fri Aug 24 13:20:41 2012 : Info: ++- entering if ("%{Realm}"=='<a href="http://test.es">test.es</a>') {...}<br>
Fri Aug 24 13:20:41 2012 : Info: sql_xlat<br>Fri Aug 24 13:20:41 2012 : Info: expand: %{Stripped-User-Name} -> prueba<br>Fri Aug 24 13:20:41 2012 : Info: expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> prueba<br>
Fri Aug 24 13:20:41 2012 : Info: sql_set_user escaped user --> 'prueba'<br>Fri Aug 24 13:20:41 2012 : Info: expand: SELECT COUNT(*) from radpostauth WHERE username = '%{User-Name}' AND authdate > CURRENT_DATE and reply = 'Access-Reject' -> SELECT COUNT(*) from radpostauth WHERE username = '<a href="mailto:prueba@test.es">prueba@test.es</a>' AND authdate > CURRENT_DATE and reply = 'Access-Reject'<br>
Fri Aug 24 13:20:41 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 3<br>Fri Aug 24 13:20:42 2012 : Info: sql_xlat finished<br>Fri Aug 24 13:20:42 2012 : Debug: rlm_sql (sql): Released sql socket id: 3<br>Fri Aug 24 13:20:42 2012 : Info: expand: %{sql:SELECT COUNT(*) from radpostauth WHERE username = '%{User-Name}' AND authdate > CURRENT_DATE and reply = 'Access-Reject'} -> 7<br>
Fri Aug 24 13:20:42 2012 : Info: sql_xlat<br>Fri Aug 24 13:20:42 2012 : Info: expand: %{Stripped-User-Name} -> prueba<br>Fri Aug 24 13:20:42 2012 : Info: expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> prueba<br>
Fri Aug 24 13:20:42 2012 : Info: sql_set_user escaped user --> 'prueba'<br>Fri Aug 24 13:20:42 2012 : Info: expand: SELECT COUNT(*) from radpostauth WHERE username = '%{User-Name}' AND authdate > CURRENT_DATE and reply = 'Access-Reject' -> SELECT COUNT(*) from radpostauth WHERE username = '<a href="mailto:prueba@test.es">prueba@test.es</a>' AND authdate > CURRENT_DATE and reply = 'Access-Reject'<br>
Fri Aug 24 13:20:42 2012 : Debug: rlm_sql (sqlradiusba): Reserving sql socket id: 4<br>Fri Aug 24 13:20:42 2012 : Info: sql_xlat finished<br>Fri Aug 24 13:20:42 2012 : Debug: rlm_sql (sqlradiusba): Released sql socket id: 4<br>
Fri Aug 24 13:20:42 2012 : Info: expand: %{sqlradiusba:SELECT COUNT(*) from radpostauth WHERE username = '%{User-Name}' AND authdate > CURRENT_DATE and reply = 'Access-Reject'} -> 0<br>Fri Aug 24 13:20:42 2012 : Info: +++[request] returns updated<br>
Fri Aug 24 13:20:42 2012 : Info: ++- if ("%{Realm}"=='<a href="http://test.es">test.es</a>') returns updated<br>Fri Aug 24 13:20:42 2012 : Info: [files] users: Matched entry DEFAULT at line 29<br>Fri Aug 24 13:20:42 2012 : Info: [files] expand: %{Stripped-User-Name} -> prueba<br>
Fri Aug 24 13:20:42 2012 : Info: [files] expand: NUMERO DE INTENTOS FALLIDOS (%{Intentos-Reject}) EXCEDIDO PARA %{%{Stripped-User-Name}:-%{User-Name}} -> NUMERO DE INTENTOS FALLIDOS (7) EXCEDIDO PARA prueba<br>Fri Aug 24 13:20:42 2012 : Info: [files] users: Matched entry DEFAULT at line 36<br>
Fri Aug 24 13:20:42 2012 : Info: ++[files] returns ok<br>Fri Aug 24 13:20:42 2012 : Info: ++? if ("%{control:Auth-Type}" == 'Reject')<br>Fri Aug 24 13:20:42 2012 : Info: expand: %{control:Auth-Type} -> Reject<br>
Fri Aug 24 13:20:42 2012 : Info: ? Evaluating ("%{control:Auth-Type}" == 'Reject') -> TRUE<br>Fri Aug 24 13:20:42 2012 : Info: ++? if ("%{control:Auth-Type}" == 'Reject') -> TRUE<br>
Fri Aug 24 13:20:42 2012 : Info: ++- entering if ("%{control:Auth-Type}" == 'Reject') {...}<br>Fri Aug 24 13:20:42 2012 : Info: expand: %{reply:Codigo-Reject} -> Cuenta-Bloqueada-Intentos-Reject<br>
Fri Aug 24 13:20:42 2012 : Info: +++[outer.reply] returns ok<br>Fri Aug 24 13:20:42 2012 : Info: +++[reject] returns reject<br>Fri Aug 24 13:20:42 2012 : Info: ++- if ("%{control:Auth-Type}" == 'Reject') returns reject<br>
} # server inner-tunnel<br>Fri Aug 24 13:20:42 2012 : Info: [peap] Got tunneled reply code 3<br> Reply-Message += "NUMERO DE INTENTOS FALLIDOS (7) EXCEDIDO PARA prueba"<br> Codigo-Reject = Cuenta-Bloqueada-Intentos-Reject<br>
Fri Aug 24 13:20:42 2012 : Info: [peap] Got tunneled reply RADIUS code 3<br> Reply-Message += "NUMERO DE INTENTOS FALLIDOS (7) EXCEDIDO PARA prueba"<br> Codigo-Reject = Cuenta-Bloqueada-Intentos-Reject<br>
Fri Aug 24 13:20:42 2012 : Info: [peap] Tunneled authentication was rejected.<br>Fri Aug 24 13:20:42 2012 : Info: [peap] FAILURE<br>Fri Aug 24 13:20:42 2012 : Info: ++[eap] returns handled<br>Fri Aug 24 13:20:42 2012 : Info: } # server <br>
<br><br>Sending Access-Challenge of id 32 to 2.2.2.2 port 1500<br> Codigo-Reject = Cuenta-Bloqueada-Intentos-Reject<br> EAP-Message = 0x0109002b190017030100205f329253b5d9c4913c1f8f6f154f9d8771fa5a48be2993d753c9848b55710216<br>
Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xcbd9304bccd029a9cfcde266d7e75d03<br>Fri Aug 24 13:20:42 2012 : Info: Finished request 7.<br>Fri Aug 24 13:20:42 2012 : Debug: Going to the next request<br>
Fri Aug 24 13:20:42 2012 : Debug: Waking up in 3.2 seconds.<br>rad_recv: Access-Request packet from host 2.2.2.2 port 1501, id=33, length=205<br> NAS-IP-Address = 2.2.2.2<br> NAS-Port-Type = Wireless-802.11<br> NAS-Port = 2<br>
Framed-MTU = 1400<br> User-Name = "<a href="mailto:prueba@test.es">prueba@test.es</a>"<br> Calling-Station-Id = "C4-46-19-75-7B-B1"<br> Called-Station-Id = "00-18-6E-D0-EC-04"<br>
NAS-Identifier = "Enterprise Wireless AP"<br> State = 0xcbd9304bccd029a9cfcde266d7e75d03<br> EAP-Message = 0x0209002b19001703010020d99c0d3ff24027b3d2f3d9ff6b999c50343b16224b5ea431c4f061165e9d7bbd<br> Message-Authenticator = 0x9ea3d3262c5cf1762dfcc08226e0ff14<br>
Fri Aug 24 13:20:42 2012 : Info: server {<br>Fri Aug 24 13:20:42 2012 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/<br>Fri Aug 24 13:20:42 2012 : Info: +- entering group authorize {...}<br>
Fri Aug 24 13:20:42 2012 : Info: ++? if ("%{request:Calling-Station-Id}" =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i )<br>Fri Aug 24 13:20:42 2012 : Info: expand: %{request:Calling-Station-Id} -> C4-46-19-75-7B-B1<br>
Fri Aug 24 13:20:42 2012 : Info: ? Evaluating ("%{request:Calling-Station-Id}" =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) -> TRUE<br>Fri Aug 24 13:20:42 2012 : Info: ++? if ("%{request:Calling-Station-Id}" =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i ) -> TRUE<br>
Fri Aug 24 13:20:42 2012 : Info: ++- entering if ("%{request:Calling-Station-Id}" =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i ) {...}<br>Fri Aug 24 13:20:42 2012 : Info: expand: %{1}:%{2}:%{3}:%{4}:%{5}:%{6} -> C4:46:19:75:7B:B1<br>
Fri Aug 24 13:20:42 2012 : Info: +++[request] returns notfound<br>Fri Aug 24 13:20:42 2012 : Info: ++- if ("%{request:Calling-Station-Id}" =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i ) returns notfound<br>
Fri Aug 24 13:20:42 2012 : Info: [auth_log] expand: /var/log/freeradius/radacct/%Y/%m/%d/%{Client-IP-Address}-auth-detail-%Y%m%d -> /var/log/freeradius/radacct/2012/08/24/2.2.2.2-auth-detail-20120824<br>Fri Aug 24 13:20:42 2012 : Info: [auth_log] /var/log/freeradius/radacct/%Y/%m/%d/%{Client-IP-Address}-auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/2012/08/24/2.2.2.2-auth-detail-20120824<br>
Fri Aug 24 13:20:42 2012 : Info: [auth_log] expand: %t -> Fri Aug 24 13:20:42 2012<br>Fri Aug 24 13:20:42 2012 : Info: ++[auth_log] returns ok<br>Fri Aug 24 13:20:42 2012 : Info: [suffix] Looking up realm "<a href="http://test.es">test.es</a>" for User-Name = "<a href="mailto:prueba@test.es">prueba@test.es</a>"<br>
Fri Aug 24 13:20:42 2012 : Info: [suffix] Found realm "<a href="http://test.es">test.es</a>"<br>Fri Aug 24 13:20:42 2012 : Info: [suffix] Adding Stripped-User-Name = "prueba"<br>Fri Aug 24 13:20:42 2012 : Info: [suffix] Adding Realm = "<a href="http://test.es">test.es</a>"<br>
Fri Aug 24 13:20:42 2012 : Info: [suffix] Authentication realm is LOCAL.<br>Fri Aug 24 13:20:42 2012 : Info: ++[suffix] returns ok<br>Fri Aug 24 13:20:42 2012 : Info: [files] users: Matched entry DEFAULT at line 36<br>Fri Aug 24 13:20:42 2012 : Info: ++[files] returns ok<br>
Fri Aug 24 13:20:42 2012 : Info: [eap] EAP packet type response id 9 length 43<br>Fri Aug 24 13:20:42 2012 : Info: [eap] Continuing tunnel setup.<br>Fri Aug 24 13:20:42 2012 : Info: ++[eap] returns ok<br>Fri Aug 24 13:20:42 2012 : Info: Found Auth-Type = eap<br>
Fri Aug 24 13:20:42 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/<br>Fri Aug 24 13:20:42 2012 : Info: +- entering group authenticate {...}<br>Fri Aug 24 13:20:42 2012 : Info: [eap] Request found, released from the list<br>
Fri Aug 24 13:20:42 2012 : Info: [eap] EAP/peap<br>Fri Aug 24 13:20:42 2012 : Info: [eap] processing type peap<br>Fri Aug 24 13:20:42 2012 : Info: [peap] processing EAP-TLS<br>Fri Aug 24 13:20:42 2012 : Info: [peap] eaptls_verify returned 7 <br>
Fri Aug 24 13:20:42 2012 : Info: [peap] Done initial handshake<br>Fri Aug 24 13:20:42 2012 : Info: [peap] eaptls_process returned 7 <br>Fri Aug 24 13:20:42 2012 : Info: [peap] EAPTLS_OK<br>Fri Aug 24 13:20:42 2012 : Info: [peap] Session established. Decoding tunneled attributes.<br>
Fri Aug 24 13:20:42 2012 : Info: [peap] Peap state send tlv failure<br>Fri Aug 24 13:20:42 2012 : Info: [peap] Received EAP-TLV response.<br>Fri Aug 24 13:20:42 2012 : Info: [peap] The users session was previously rejected: returning reject (again.)<br>
Fri Aug 24 13:20:42 2012 : Info: [peap] *** This means you need to read the PREVIOUS messages in the debug output<br>Fri Aug 24 13:20:42 2012 : Info: [peap] *** to find out the reason why the user was rejected.<br>Fri Aug 24 13:20:42 2012 : Info: [peap] *** Look for "reject" or "fail". Those earlier messages will tell you.<br>
Fri Aug 24 13:20:42 2012 : Info: [peap] *** what went wrong, and how to fix the problem.<br>Fri Aug 24 13:20:42 2012 : Info: [eap] Handler failed in EAP/peap<br>Fri Aug 24 13:20:42 2012 : Info: [eap] Failed in EAP select<br>
Fri Aug 24 13:20:42 2012 : Info: ++[eap] returns invalid<br>Fri Aug 24 13:20:42 2012 : Info: Failed to authenticate the user.<br>Fri Aug 24 13:20:42 2012 : Info: } # server <br>Fri Aug 24 13:20:42 2012 : Info: Using Post-Auth-Type Reject<br>
Fri Aug 24 13:20:42 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/<br>Fri Aug 24 13:20:42 2012 : Info: +- entering group REJECT {...}<br>Fri Aug 24 13:20:42 2012 : Info: ++[reply] returns noop<br>
Fri Aug 24 13:20:42 2012 : Info: [sql] expand: %{Stripped-User-Name} -> prueba<br>Fri Aug 24 13:20:42 2012 : Info: [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> prueba<br>Fri Aug 24 13:20:42 2012 : Info: [sql] sql_set_user escaped user --> 'prueba'<br>
Fri Aug 24 13:20:42 2012 : Info: [sql] expand: INSERT INTO radpostauth (username, mac, client, reply, authdate,codreject,radauth) VALUES ( LOWER('%{User-Name}'), LOWER('%i'), '%C', '%{reply:Packet-Type}', NOW(), '%{reply:Codigo-Reject}','radiuscc') -> INSERT INTO radpostauth (username, mac, client, reply, authdate,codreject,radauth) VALUES ( LOWER('<a href="mailto:prueba@test.es">prueba@test.es</a>'), LOWER('C4:46:19:75:7B:B1'), 'PACCIPV601I', 'Access-Reject', NOW(), 'Credenciales-Erroneas','radiuscc')<br>
Fri Aug 24 13:20:42 2012 : Debug: rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, mac, client, reply, authdate,codreject,radauth) VALUES ( LOWER('<a href="mailto:prueba@test.es">prueba@test.es</a>'), LOWER('C4:46:19:75:7B:B1'), 'PACCIPV601I', 'Access-Reject', NOW(), 'Credenciales-Erroneas','radiuscc')<br>
Fri Aug 24 13:20:42 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 2<br>Fri Aug 24 13:20:42 2012 : Debug: rlm_sql (sql): Released sql socket id: 2<br>Fri Aug 24 13:20:42 2012 : Info: ++[sql] returns ok<br>Fri Aug 24 13:20:42 2012 : Info: ++? if (fail)<br>
Fri Aug 24 13:20:42 2012 : Info: ? Evaluating (fail) -> FALSE<br>Fri Aug 24 13:20:42 2012 : Info: ++? if (fail) -> FALSE<br>Fri Aug 24 13:20:42 2012 : Info: Delaying reject of request 8 for 1 seconds<br>Fri Aug 24 13:20:42 2012 : Debug: Going to the next request<br>
Fri Aug 24 13:20:42 2012 : Debug: Waking up in 0.9 seconds.<br>Fri Aug 24 13:20:43 2012 : Info: Sending delayed reject for request 8<br>Sending Access-Reject of id 33 to 2.2.2.2 port 1501<br> EAP-Message = 0x04090004<br>
Message-Authenticator = 0x00000000000000000000000000000000<br> Codigo-Reject = Credenciales-Erroneas<br><br><br><br><br>Any ideas about how I can do that?<br><br>Thank you very much and sorry for my English<br><br>
<br><br>Ana Gallardo<br>
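The two debug logs above differ in which outer packet carries the attribute copied by `update outer.reply`: in the PEAP log it appears on the Access-Challenge of id 32, while the Access-Reject of id 33 carries Credenciales-Erroneas. As an added example (not part of the original post and not FreeRADIUS code), this Python script parses the `Sending Access-...` blocks of such a log and reports whether the inner-tunnel value reached the final Access-Reject; the sample logs are condensed from the excerpts above, and the function names are hypothetical.

```python
import re

# Constructed samples, condensed from the two debug logs in the post above.
TTLS_LOG = """\
Fri Aug 24 13:37:08 2012 : Info: expand: %{reply:Codigo-Reject} -> Cuenta-Bloqueada-Intentos-Reject
Fri Aug 24 13:37:08 2012 : Info: +++[outer.reply] returns ok
Fri Aug 24 13:37:08 2012 : Info: [ttls] Got tunneled Access-Reject
Fri Aug 24 13:37:08 2012 : Info: Using Post-Auth-Type Reject
Sending Access-Reject of id 8 to 1.2.3.4 port 53575
    Codigo-Reject = Cuenta-Bloqueada-Intentos-Reject
    EAP-Message = 0x04080004
"""

PEAP_LOG = """\
Fri Aug 24 13:20:42 2012 : Info: expand: %{reply:Codigo-Reject} -> Cuenta-Bloqueada-Intentos-Reject
Fri Aug 24 13:20:42 2012 : Info: +++[outer.reply] returns ok
Fri Aug 24 13:20:42 2012 : Info: [peap] Tunneled authentication was rejected.
Sending Access-Challenge of id 32 to 2.2.2.2 port 1500
    Codigo-Reject = Cuenta-Bloqueada-Intentos-Reject
    State = 0xcbd9304bccd029a9cfcde266d7e75d03
Fri Aug 24 13:20:42 2012 : Info: [peap] The users session was previously rejected: returning reject (again.)
Fri Aug 24 13:20:42 2012 : Info: Using Post-Auth-Type Reject
Sending Access-Reject of id 33 to 2.2.2.2 port 1501
    EAP-Message = 0x04090004
    Codigo-Reject = Credenciales-Erroneas
"""

SEND_RE = re.compile(r"^Sending (Access-[\w-]+) of id (\d+) to (\S+) port (\d+)")
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*[+:]?=\s*(.*?)\s*$")


def sent_packets(log):
    """Return every packet the server sent, with its indented attribute list."""
    packets, current = [], None
    for line in log.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = {"code": m.group(1), "id": int(m.group(2)), "attrs": {}}
            packets.append(current)
            continue
        a = ATTR_RE.match(line) if current else None
        if a:
            current["attrs"][a.group(1)] = a.group(2)
        else:
            current = None  # first non-attribute line closes the packet block
    return packets


def trace_reject_code(log, attr="Codigo-Reject"):
    """Compare the value the inner tunnel copied with what each packet carried."""
    m = re.search(r"expand: %\{reply:" + re.escape(attr) + r"\} -> (\S+)", log)
    inner = m.group(1) if m else None
    carried = [(p["code"], p["id"], p["attrs"].get(attr)) for p in sent_packets(log)]
    rejects = [c for c in carried if c[0] == "Access-Reject"]
    final = rejects[-1][2] if rejects else None
    return {
        "inner": inner,    # value expanded for update outer.reply
        "final": final,    # value on the last Access-Reject actually sent
        "delivered": inner is not None and final == inner,
        # packets other than the reject that ended up carrying the inner value
        "stranded_on": [(code, pid) for code, pid, val in carried
                        if inner is not None and code != "Access-Reject" and val == inner],
    }


if __name__ == "__main__":
    for name, log in (("EAP-TTLS-PAP", TTLS_LOG), ("PEAP", PEAP_LOG)):
        print(name, trace_reject_code(log))
```
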