<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>
Hi,<BR>
<BR>
I have set FreeRadius 2.1.12 Server, and configured it to authorize and authenticate users that are in Active Directory and users file. I have tested in real wireless environment to authenticate users from Active Directory & users file and it is successful. But according to our organization's requirement I need to authenticate users to allow or reject users for wireless or VPN access checking huntgroups and attribute in AD or users file accordingly so, I have configured huntgroup name in huntgroups "wirelesstest" and have configured my NAS-IP-Address as: (Some names & IP Address are edited for privacy)<BR>
<BR>
/usr/local/etc/raddb/huntgroups<BR>
<BR>
wirelesstest NAS-IP-Address == <STRONG>IP Address</STRONG><BR>
wirelesstest NAS-IP-Address == <STRONG>IP Address</STRONG><BR>
wirelesstest NAS-IP-Address == <STRONG>IP Address</STRONG><BR>
<STRONG></STRONG> <BR>
Clients are configured in clients.conf file as:<BR>
<BR>
/usr/local/etc/raddb/clients.conf<BR>
<BR>
client Primary_controller{<BR> ipaddr = <STRONG>IP Address</STRONG><BR>
secret = <STRONG>password</STRONG><BR>
shortname = primary<BR> nastype = enterasys<BR>}<BR>
<BR>
In default & inner_tunnel files configurations, unlang conditional checking are done under ldap & files sub-sections of "authorize" section<BR>
<BR>
/usr/local/etc/raddb/sites-enabled/default and /usr/local/etc/raddb/sites-enabled/inner-tunnel<BR>
<BR>
<BR>
authorize {<BR>
.............<BR>
............<BR>
<BR>
ldap<BR>
<BR>
if ("%{Huntgroup-Name}" == "wirelesstest"){<BR> if (control:Connect-Type == wireless){<BR> update control {<BR> Auth-Type := "Accept"<BR> }<BR> }<BR> else {<BR> update control {<BR> Auth-Type := "Reject"<BR> }<BR> }<BR> }<BR> <BR>
<BR>files<BR>
if ("%{Huntgroup-Name}" == "wirelesstest"){<BR> if (control:Connect-Type == wireless){<BR> update control {<BR> Auth-Type := "Accept"<BR> }<BR> }<BR> else {<BR> update control {<BR> Auth-Type := "Reject"<BR> }<BR> }<BR>}<BR>
<BR>
While testing through radtest it works as expected. Unlang condition is checked, and attribute is also checked against Active Directory or users file and authenticate users if it matches and it rejects if it doesn't match.<BR>
<BR>
But in Real wireless environment testing I don't get any response at Client side, and after long time it says can't connect. But while checking at debug log doing radiusd -X it shows it is checking the condition and sending Access-Accept or Access-Reject accordingly.<BR>
<BR>
I tried different conditional checkings in unlang; checking against shortname as:<BR>
<BR>
if ("%{client:shortname}" =~ /^primary/){<BR>
<BR>
checking against huntgroup as:<BR>
<BR>
if ("%{client:huntgroup}" == "wireless"){<BR>
<BR>
But any of these setting gives me no response at client side although my debug log shows the condition is being checked and Access-Accept ot Access-Reject is sent.<BR>
<BR>
<BR>
<STRONG>Part of debug log is as follows:</STRONG><BR>
<BR>
<BR>Found Auth-Type = EAP<BR># Executing group from file /usr/local/etc/raddb/sites-enabled/default<BR>+- entering group authenticate {...}<BR>[eap] Request found, released from the list<BR>[eap] EAP/ttls<BR>[eap] processing type ttls<BR>[ttls] Authenticate<BR>[ttls] processing EAP-TLS<BR>[ttls] eaptls_verify returned 7<BR>[ttls] Done initial handshake<BR>[ttls] eaptls_process returned 7<BR>[ttls] Session established. Proceeding to decode tunneled attributes.<BR>[ttls] Got tunneled request<BR> User-Name = "test"<BR> User-Password = "password"<BR> FreeRADIUS-Proxied-To = 127.0.0.1<BR>[ttls] Sending tunneled request<BR> User-Name = "test"<BR> User-Password = "password"<BR> FreeRADIUS-Proxied-To = 127.0.0.1<BR> NAS-IP-Address = IP Address<BR> NAS-Port = 116<BR> Framed-MTU = 1400<BR> Called-Station-Id = "00:1e:35:7f:ec:35"<BR> Calling-Station-Id = "00:35:5c:68:c0:08"<BR> NAS-Port-Type = Wireless-802.11<BR> NAS-Identifier = "Wireless_Test"<BR> Service-Type = Framed-User<BR> Siemens-AP-Serial = "0600010084050956"<BR> Siemens-AP-Name = "TEST"<BR> Siemens-VNS-Name = "Wireless_Test"<BR> Siemens-SSID = "Wireless_Test"<BR> Siemens-BSS-MAC = "00:1e:35:7f:ec:35"<BR>server inner-tunnel {<BR># Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel<BR>+- entering group authorize {...}<BR>++[mschap] returns noop<BR>[eap] No EAP-Message, not doing EAP<BR>++[eap] returns noop<BR>[ldap] performing user authorization for test<BR>[ldap] expand: %{Stripped-User-Name} -><BR>[ldap] ... expanding second conditional<BR>[ldap] expand: %{User-Name} -> test<BR>[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=test)<BR>[ldap] expand: dc=example,dc=com -> dc=example,dc=com<BR> [ldap] ldap_get_conn: Checking Id: 0<BR> [ldap] ldap_get_conn: Got Id: 0<BR> [ldap] performing search in dc=example,dc=com, with filter (sAMAccountName=test)<BR>[ldap] looking for check items in directory...<BR> [ldap] extensionAttribute15 -> Connect-Type == "wireless"<BR>[ldap] looking for reply items in directory...<BR>WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?<BR>[ldap] Setting Auth-Type = LDAP<BR>[ldap] user test authorized to use remote access<BR> [ldap] ldap_release_conn: Release Id: 0<BR>++[ldap] returns ok<BR>++? if ("%{Huntgroup-Name}" == "wirelesstest")<BR> expand: %{Huntgroup-Name} -><BR>? Evaluating ("%{Huntgroup-Name}" == "wirelesstest") -> TRUE<BR>++? if ("%{Huntgroup-Name}" == "wirelesstest") -> TRUE<BR>++- entering if ("%{Huntgroup-Name}" == wirelesstest) {...}<BR>+++? if (control:Connect-Type == wireless)<BR>? Evaluating (control:Connect-Type == wireless) -> TRUE<BR>+++? if (control:Connect-Type == wireless) -> TRUE<BR>+++- entering if (control:Connect-Type == wireless) {...}<BR>++++[control] returns ok<BR>+++- if (control:Connect-Type == wireless) returns ok<BR>+++ ... skipping else for request 1: Preceding "if" was taken<BR>++- if ("%{Huntgroup-Name}" == wirelesstest) returns ok<BR>++? if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/)<BR>? Evaluating (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) -> TRUE<BR>++? if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) -> TRUE<BR>++- entering if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) {...}<BR> expand: %{1} -> Staff<BR>+++[control] returns ok<BR>++- if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) returns ok<BR>[files] users: Matched entry DEFAULT at line 16<BR>[files] expand: Enterasys:version=1:policy=%{control:Tmp-String-1} -> Enterasys:version=1:policy=Staff<BR>++[files] returns ok<BR>++? if ("%{Huntgroup-Name}" == "wirelesstest")<BR> expand: %{Huntgroup-Name} -><BR>? Evaluating ("%{Huntgroup-Name}" == "wirelesstest") -> TRUE<BR>++? if ("%{Huntgroup-Name}" == "wirelesstest") -> TRUE<BR>++[expiration] returns noop<BR>++[logintime] returns noop<BR>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<BR>++[pap] returns noop<BR>Found Auth-Type = LDAP<BR># Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel<BR>+- entering group LDAP {...}<BR>[ldap] login attempt by "test" with password "password"<BR>[ldap] user DN: CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com<BR> [ldap] (re)connect to example.com:389, authentication 1<BR> [ldap] bind as CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com/test to example.com:389<BR> [ldap] waiting for bind result ...<BR> [ldap] Bind was successful<BR>[ldap] user test authenticated succesfully<BR>++[ldap] returns ok<BR>Login OK: [test] (from client Primary_controller port 116 cli 00:1e:35:7f:ec:35 via TLS tunnel)<BR># Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel<BR>+- entering group post-auth {...}<BR>[reply_log] expand: /usr/local/var/log/radius/radacct/reply-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/reply-detail-20121204<BR>[reply_log] /usr/local/var/log/radius/radacct/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/reply-detail-20121204<BR>[reply_log] expand: %t -> Tue Dec 4 13:50:45 2012<BR>++[reply_log] returns ok<BR>} # server inner-tunnel<BR>[ttls] Got tunneled reply code 2<BR> Filter-Id := "Enterasys:version=1:policy=Staff"<BR>[ttls] Got tunneled Access-Accept<BR>[eap] Freeing handler<BR>++[eap] returns ok<BR>Login OK: [test] (from client Primary_controller port 116 cli 00:1e:35:7f:ec:35)<BR># Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default<BR>+- entering group post-auth {...}<BR>++[exec] returns noop<BR>Sending Access-Accept of id 239 to IP Address port 57700<BR> Filter-Id := "Enterasys:version=1:policy=Staff"<BR> MS-MPPE-Recv-Key = 0xfc711ebb1ff8ea41b4f0d9bf76e424796aca3d9b7518154f00ab6f1e4d0cc474<BR> MS-MPPE-Send-Key = 0x9fb92d6b82ec067b31dacae9e16e63ff86d702501266713701a377f220e4cbbb<BR> EAP-Message = 0x03060004<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> User-Name = "test"<BR>Finished request 5.<BR>Going to the next request<BR>Waking up in 2.4 seconds.<BR>Cleaning up request 0 ID 231 with timestamp +5<BR>Waking up in 1.0 seconds.<BR>Cleaning up request 1 ID 252 with timestamp +6<BR>Cleaning up request 2 ID 86 with timestamp +7<BR>Cleaning up request 3 ID 227 with timestamp +7<BR>Waking up in 0.3 seconds.<BR>Cleaning up request 4 ID 169 with timestamp +7<BR>Waking up in 1.0 seconds.<BR>Cleaning up request 5 ID 239 with timestamp +7<BR>Ready to process requests.<BR>
<BR>
In /usr/local/var/log/radius/radius.log I see log message as:<BR>
<BR>
Tue Dec 4 15:02:56 2012 : Auth: Login OK: [test] (from client Primary_controller port 116 cli 00:1e:35:7f:ec:35)<BR>
<BR>
I don't get log as "Login OK via TLS tunnel".<BR>
<BR>
<STRONG>But any of these setting gives me no response at client side although my debug log shows the condition is being checked and Access-Accept ot Access-Reject is sent. Any Idea if I am missing something in my configuration that is preventing me to get response at Client side? I am using SecureW2 supplicant with EAP-PAP.</STRONG><BR>
<STRONG> </STRONG><BR>
<BR> <BR> </div></body>
</html>