<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
I removed all the stuff about update reply from the config. After a
detailed review of the debug output I see the Class attribute in some
access-challenge messages, but not in access-accept.<br>
Here is all the output from radiusd -X. <br>
<br>
<br>
<br>
Received <b>Access-Request</b> Id 248 from 192.168.10.201:59882 to
192.168.10.191:1812 length 141<br>
User-Name = 'temp'<br>
NAS-Port-Type = Virtual<br>
Service-Type = Framed-User<br>
NAS-Port = 5<br>
NAS-Port-Id = 'test1'<br>
NAS-IP-Address = 192.168.10.234<br>
Called-Station-Id = '192.168.10.234[4500]'<br>
Calling-Station-Id = '93.80.16.38[4500]'<br>
EAP-Message = 0x020000090174656d70<br>
NAS-Identifier = 'gateway'<br>
Message-Authenticator = 0x1b4fcfd646f936dceab6f4fddbc8f992<br>
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default<br>
(0) authorize {<br>
(0) filter_username filter_username {<br>
(0) if (User-Name != "%{tolower:%{User-Name}}")<br>
(0) EXPAND %{tolower:%{User-Name}}<br>
(0) --> temp<br>
(0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE<br>
(0) if (User-Name =~ / /)<br>
(0) if (User-Name =~ / /) -> FALSE<br>
(0) if (User-Name =~ /@.*@/ )<br>
(0) if (User-Name =~ /@.*@/ ) -> FALSE<br>
(0) if (User-Name =~ /\\.\\./ )<br>
(0) if (User-Name =~ /\\.\\./ ) -> FALSE<br>
(0) if ((User-Name =~ /@/) && (User-Name !~
/@(.+)\\.(.+)$/))<br>
(0) if ((User-Name =~ /@/) && (User-Name !~
/@(.+)\\.(.+)$/)) -> FALSE<br>
(0) if (User-Name =~ /\\.$/)<br>
(0) if (User-Name =~ /\\.$/) -> FALSE<br>
(0) if (User-Name =~ /@\\./)<br>
(0) if (User-Name =~ /@\\./) -> FALSE<br>
(0) } # filter_username filter_username = notfound<br>
(0) [preprocess] = ok<br>
(0) update request {<br>
(0) EXPAND %{User-Name}<br>
(0) --> temp<br>
(0) SQL-User-Name set to 'temp'<br>
rlm_sql (sql): Reserved connection (4)<br>
rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup
WHERE nasipaddress='192.168.10.201''<br>
rlm_sql (sql): Released connection (4)<br>
(0) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE
nasipaddress='%{Packet-Src-IP-Address}'}<br>
(0) --> hVPN<br>
(0) Huntgroup-Name := '"hVPN"'<br>
(0) } # update request = noop<br>
(0) switch &Huntgroup-Name {<br>
(0) case hVPN {<br>
(0) if (Service-Type == "Framed-User" && SQL-Group ==
"vpn-usr")<br>
(0) sql_groupcmp<br>
(0) EXPAND %{User-Name}<br>
(0) --> temp<br>
(0) SQL-User-Name set to 'temp'<br>
rlm_sql (sql): Reserved connection (4)<br>
(0) EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority<br>
(0) --> SELECT groupname FROM radusergroup WHERE username =
'temp' ORDER BY priority<br>
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup
WHERE username = 'temp' ORDER BY priority'<br>
(0) sql_groupcmp finished: User is a member of group vpn-usr<br>
rlm_sql (sql): Released connection (4)<br>
(0) if (Service-Type == "Framed-User" && SQL-Group ==
"vpn-usr") -> TRUE<br>
(0) if (Service-Type == "Framed-User" && SQL-Group ==
"vpn-usr") {<br>
(0) [ok] = ok<br>
(0) } # if (Service-Type == "Framed-User" && SQL-Group
== "vpn-usr") = ok<br>
(0) ... skipping elsif for request 0: Preceding "if" was taken<br>
(0) ... skipping else for request 0: Preceding "if" was taken<br>
(0) } # case hVPN = ok<br>
(0) } # switch &Huntgroup-Name = ok<br>
(0) [chap] = noop<br>
(0) [mschap] = noop<br>
(0) [digest] = noop<br>
(0) suffix : No '@' in User-Name = "temp", looking up realm NULL<br>
(0) suffix : No such realm "NULL"<br>
(0) [suffix] = noop<br>
(0) eap : EAP packet type response id 0 length 9<br>
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit
the rest of authorize<br>
(0) [eap] = ok<br>
(0) } # authorize = ok<br>
(0) Found Auth-Type = EAP<br>
(0) # Executing group from file
/usr/local/etc/raddb/sites-enabled/default<br>
(0) authenticate {<br>
(0) eap : Peer sent Identity (1)<br>
(0) eap : Calling eap_md5 to process EAP data<br>
(0) eap_md5 : Issuing MD5 Challenge<br>
(0) eap : New EAP session, adding 'State' attribute to reply
0x5df2a0505df3a42e<br>
(0) [eap] = handled<br>
(0) } # authenticate = handled<br>
Sending <b>Access-Challenge </b>Id 248 from 192.168.10.191:1812 to
192.168.10.201:59882<br>
EAP-Message = 0x010100160410155cc3fbd296329e1f248410d4b22746<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x5df2a0505df3a42e07f74e7f5a56fbca<br>
(0) Finished request<br>
Waking up in 0.3 seconds.<br>
Received Access-Request Id 249 from 192.168.10.201:59882 to
192.168.10.191:1812 length 156<br>
User-Name = 'temp'<br>
NAS-Port-Type = Virtual<br>
Service-Type = Framed-User<br>
NAS-Port = 5<br>
NAS-Port-Id = 'test1'<br>
NAS-IP-Address = 192.168.10.234<br>
Called-Station-Id = '192.168.10.234[4500]'<br>
Calling-Station-Id = '93.80.16.38[4500]'<br>
EAP-Message = 0x02010006031a<br>
NAS-Identifier = 'gateway'<br>
State = 0x5df2a0505df3a42e07f74e7f5a56fbca<br>
Message-Authenticator = 0x379292a6a43305dfd5ba975c67efea76<br>
(1) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default<br>
(1) authorize {<br>
(1) filter_username filter_username {<br>
(1) if (User-Name != "%{tolower:%{User-Name}}")<br>
(1) EXPAND %{tolower:%{User-Name}}<br>
(1) --> temp<br>
(1) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE<br>
(1) if (User-Name =~ / /)<br>
(1) if (User-Name =~ / /) -> FALSE<br>
(1) if (User-Name =~ /@.*@/ )<br>
(1) if (User-Name =~ /@.*@/ ) -> FALSE<br>
(1) if (User-Name =~ /\\.\\./ )<br>
(1) if (User-Name =~ /\\.\\./ ) -> FALSE<br>
(1) if ((User-Name =~ /@/) && (User-Name !~
/@(.+)\\.(.+)$/))<br>
(1) if ((User-Name =~ /@/) && (User-Name !~
/@(.+)\\.(.+)$/)) -> FALSE<br>
(1) if (User-Name =~ /\\.$/)<br>
(1) if (User-Name =~ /\\.$/) -> FALSE<br>
(1) if (User-Name =~ /@\\./)<br>
(1) if (User-Name =~ /@\\./) -> FALSE<br>
(1) } # filter_username filter_username = notfound<br>
(1) [preprocess] = ok<br>
(1) update request {<br>
(1) EXPAND %{User-Name}<br>
(1) --> temp<br>
(1) SQL-User-Name set to 'temp'<br>
rlm_sql (sql): Reserved connection (4)<br>
rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup
WHERE nasipaddress='192.168.10.201''<br>
rlm_sql (sql): Released connection (4)<br>
(1) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE
nasipaddress='%{Packet-Src-IP-Address}'}<br>
(1) --> hVPN<br>
(1) Huntgroup-Name := '"hVPN"'<br>
(1) } # update request = noop<br>
(1) switch &Huntgroup-Name {<br>
(1) case hVPN {<br>
(1) if (Service-Type == "Framed-User" && SQL-Group ==
"vpn-usr")<br>
(1) sql_groupcmp<br>
(1) EXPAND %{User-Name}<br>
(1) --> temp<br>
(1) SQL-User-Name set to 'temp'<br>
rlm_sql (sql): Reserved connection (4)<br>
(1) EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority<br>
(1) --> SELECT groupname FROM radusergroup WHERE username =
'temp' ORDER BY priority<br>
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup
WHERE username = 'temp' ORDER BY priority'<br>
(1) sql_groupcmp finished: User is a member of group vpn-usr<br>
rlm_sql (sql): Released connection (4)<br>
(1) if (Service-Type == "Framed-User" && SQL-Group ==
"vpn-usr") -> TRUE<br>
(1) if (Service-Type == "Framed-User" && SQL-Group ==
"vpn-usr") {<br>
(1) [ok] = ok<br>
(1) } # if (Service-Type == "Framed-User" && SQL-Group
== "vpn-usr") = ok<br>
(1) ... skipping elsif for request 1: Preceding "if" was taken<br>
(1) ... skipping else for request 1: Preceding "if" was taken<br>
(1) } # case hVPN = ok<br>
(1) } # switch &Huntgroup-Name = ok<br>
(1) [chap] = noop<br>
(1) [mschap] = noop<br>
(1) [digest] = noop<br>
(1) suffix : No '@' in User-Name = "temp", looking up realm NULL<br>
(1) suffix : No such realm "NULL"<br>
(1) [suffix] = noop<br>
(1) eap : EAP packet type response id 1 length 6<br>
(1) eap : No EAP Start, assuming it's an on-going EAP conversation<br>
(1) [eap] = updated<br>
(1) sql : EXPAND %{User-Name}<br>
(1) sql : --> temp<br>
(1) sql : SQL-User-Name set to 'temp'<br>
rlm_sql (sql): Reserved connection (4)<br>
(1) sql : EXPAND SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id<br>
(1) sql : --> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'temp' ORDER BY id<br>
rlm_sql (sql): Executing query: 'SELECT id, username, attribute,
value, op FROM radcheck WHERE username = 'temp' ORDER BY id'<br>
(1) sql : User found in radcheck table<br>
(1) sql : Check items matched<br>
(1) sql : EXPAND SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id<br>
(1) sql : --> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'temp' ORDER BY id<br>
rlm_sql (sql): Executing query: 'SELECT id, username, attribute,
value, op FROM radreply WHERE username = 'temp' ORDER BY id'<br>
(1) sql : User found in radreply table<br>
(1) sql : EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority<br>
(1) sql : --> SELECT groupname FROM radusergroup WHERE
username = 'temp' ORDER BY priority<br>
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup
WHERE username = 'temp' ORDER BY priority'<br>
(1) sql : User found in the group table<br>
(1) sql : EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id<br>
(1) sql : --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY id<br>
rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY
id'<br>
(1) sql : Group "vpn-usr" check items matched<br>
(1) sql : EXPAND SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id<br>
(1) sql : --> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'vpn-usr' ORDER BY id<br>
rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname = 'vpn-usr' ORDER BY
id'<br>
(1) sql : Group "vpn-usr" reply items processed<br>
rlm_sql (sql): Released connection (4)<br>
(1) [sql] = ok<br>
(1) [expiration] = noop<br>
(1) [logintime] = noop<br>
(1) WARNING: pap : Auth-Type already set. Not setting to PAP<br>
(1) [pap] = noop<br>
(1) } # authorize = updated<br>
(1) Found Auth-Type = EAP<br>
(1) # Executing group from file
/usr/local/etc/raddb/sites-enabled/default<br>
(1) authenticate {<br>
(1) eap : Expiring EAP session with state 0x5df2a0505df3a42e<br>
(1) eap : Finished EAP session with state 0x5df2a0505df3a42e<br>
(1) eap : Previous EAP request found for state 0x5df2a0505df3a42e,
released from the list<br>
(1) eap : Peer sent NAK (3)<br>
(1) eap : Found mutually acceptable type MSCHAPv2 (26)<br>
(1) eap : Calling eap_mschapv2 to process EAP data<br>
(1) eap_mschapv2 : Issuing Challenge<br>
(1) eap : New EAP session, adding 'State' attribute to reply
0x5df2a0505cf0ba2e<br>
(1) [eap] = handled<br>
(1) } # authenticate = handled<br>
Sending <b>Access-Challenge</b> Id 249 from 192.168.10.191:1812 to
192.168.10.201:59882<br>
<b>Class </b>= 0x6d79636c617373<br>
EAP-Message =
0x0102001e1a0102001910362d923290bd75ecc6814d14e491598774656d70<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x5df2a0505cf0ba2e07f74e7f5a56fbca<br>
(1) Finished request<br>
Waking up in 0.3 seconds.<br>
Received <b>Access-Request</b> Id 250 from 192.168.10.201:59882 to
192.168.10.191:1812 length 213<br>
User-Name = 'temp'<br>
NAS-Port-Type = Virtual<br>
Service-Type = Framed-User<br>
NAS-Port = 5<br>
NAS-Port-Id = 'test1'<br>
NAS-IP-Address = 192.168.10.234<br>
Called-Station-Id = '192.168.10.234[4500]'<br>
Calling-Station-Id = '93.80.16.38[4500]'<br>
EAP-Message =
0x0202003f1a0202003a31440620e8b9a9a347ad6c2f345041ee5b000000000000000036451431ac5eebe501d403085a2c344aee284396153aaf210074656d70<br>
NAS-Identifier = 'gateway'<br>
State = 0x5df2a0505cf0ba2e07f74e7f5a56fbca<br>
Message-Authenticator = 0x8e5b760a40c5c11205c4f6348f947c66<br>
(2) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default<br>
(2) authorize {<br>
(2) filter_username filter_username {<br>
(2) if (User-Name != "%{tolower:%{User-Name}}")<br>
(2) EXPAND %{tolower:%{User-Name}}<br>
(2) --> temp<br>
(2) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE<br>
(2) if (User-Name =~ / /)<br>
(2) if (User-Name =~ / /) -> FALSE<br>
(2) if (User-Name =~ /@.*@/ )<br>
(2) if (User-Name =~ /@.*@/ ) -> FALSE<br>
(2) if (User-Name =~ /\\.\\./ )<br>
(2) if (User-Name =~ /\\.\\./ ) -> FALSE<br>
(2) if ((User-Name =~ /@/) && (User-Name !~
/@(.+)\\.(.+)$/))<br>
(2) if ((User-Name =~ /@/) && (User-Name !~
/@(.+)\\.(.+)$/)) -> FALSE<br>
(2) if (User-Name =~ /\\.$/)<br>
(2) if (User-Name =~ /\\.$/) -> FALSE<br>
(2) if (User-Name =~ /@\\./)<br>
(2) if (User-Name =~ /@\\./) -> FALSE<br>
(2) } # filter_username filter_username = notfound<br>
(2) [preprocess] = ok<br>
(2) update request {<br>
(2) EXPAND %{User-Name}<br>
(2) --> temp<br>
(2) SQL-User-Name set to 'temp'<br>
rlm_sql (sql): Reserved connection (4)<br>
rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup
WHERE nasipaddress='192.168.10.201''<br>
rlm_sql (sql): Released connection (4)<br>
(2) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE
nasipaddress='%{Packet-Src-IP-Address}'}<br>
(2) --> hVPN<br>
(2) Huntgroup-Name := '"hVPN"'<br>
(2) } # update request = noop<br>
(2) switch &Huntgroup-Name {<br>
(2) case hVPN {<br>
(2) if (Service-Type == "Framed-User" && SQL-Group ==
"vpn-usr")<br>
(2) sql_groupcmp<br>
(2) EXPAND %{User-Name}<br>
(2) --> temp<br>
(2) SQL-User-Name set to 'temp'<br>
rlm_sql (sql): Reserved connection (4)<br>
(2) EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority<br>
(2) --> SELECT groupname FROM radusergroup WHERE username =
'temp' ORDER BY priority<br>
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup
WHERE username = 'temp' ORDER BY priority'<br>
(2) sql_groupcmp finished: User is a member of group vpn-usr<br>
rlm_sql (sql): Released connection (4)<br>
(2) if (Service-Type == "Framed-User" && SQL-Group ==
"vpn-usr") -> TRUE<br>
(2) if (Service-Type == "Framed-User" && SQL-Group ==
"vpn-usr") {<br>
(2) [ok] = ok<br>
(2) } # if (Service-Type == "Framed-User" && SQL-Group
== "vpn-usr") = ok<br>
(2) ... skipping elsif for request 2: Preceding "if" was taken<br>
(2) ... skipping else for request 2: Preceding "if" was taken<br>
(2) } # case hVPN = ok<br>
(2) } # switch &Huntgroup-Name = ok<br>
(2) [chap] = noop<br>
(2) [mschap] = noop<br>
(2) [digest] = noop<br>
(2) suffix : No '@' in User-Name = "temp", looking up realm NULL<br>
(2) suffix : No such realm "NULL"<br>
(2) [suffix] = noop<br>
(2) eap : EAP packet type response id 2 length 63<br>
(2) eap : No EAP Start, assuming it's an on-going EAP conversation<br>
(2) [eap] = updated<br>
(2) sql : EXPAND %{User-Name}<br>
(2) sql : --> temp<br>
(2) sql : SQL-User-Name set to 'temp'<br>
rlm_sql (sql): Reserved connection (4)<br>
(2) sql : EXPAND SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id<br>
(2) sql : --> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'temp' ORDER BY id<br>
rlm_sql (sql): Executing query: 'SELECT id, username, attribute,
value, op FROM radcheck WHERE username = 'temp' ORDER BY id'<br>
(2) sql : User found in radcheck table<br>
(2) sql : Check items matched<br>
(2) sql : EXPAND SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id<br>
(2) sql : --> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'temp' ORDER BY id<br>
rlm_sql (sql): Executing query: 'SELECT id, username, attribute,
value, op FROM radreply WHERE username = 'temp' ORDER BY id'<br>
(2) sql : User found in radreply table<br>
(2) sql : EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority<br>
(2) sql : --> SELECT groupname FROM radusergroup WHERE
username = 'temp' ORDER BY priority<br>
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup
WHERE username = 'temp' ORDER BY priority'<br>
(2) sql : User found in the group table<br>
(2) sql : EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id<br>
(2) sql : --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY id<br>
rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY
id'<br>
(2) sql : Group "vpn-usr" check items matched<br>
(2) sql : EXPAND SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id<br>
(2) sql : --> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'vpn-usr' ORDER BY id<br>
rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname = 'vpn-usr' ORDER BY
id'<br>
(2) sql : Group "vpn-usr" reply items processed<br>
rlm_sql (sql): Released connection (4)<br>
(2) [sql] = ok<br>
(2) [expiration] = noop<br>
(2) [logintime] = noop<br>
(2) WARNING: pap : Auth-Type already set. Not setting to PAP<br>
(2) [pap] = noop<br>
(2) } # authorize = updated<br>
(2) Found Auth-Type = EAP<br>
(2) # Executing group from file
/usr/local/etc/raddb/sites-enabled/default<br>
(2) authenticate {<br>
(2) eap : Expiring EAP session with state 0x5df2a0505cf0ba2e<br>
(2) eap : Finished EAP session with state 0x5df2a0505cf0ba2e<br>
(2) eap : Previous EAP request found for state 0x5df2a0505cf0ba2e,
released from the list<br>
(2) eap : Peer sent MSCHAPv2 (26)<br>
(2) eap : EAP MSCHAPv2 (26)<br>
(2) eap : Calling eap_mschapv2 to process EAP data<br>
(2) eap_mschapv2 : # Executing group from file
/usr/local/etc/raddb/sites-enabled/default<br>
(2) eap_mschapv2 : Auth-Type MS-CHAP {<br>
(2) mschap : Found Cleartext-Password, hashing to create LM-Password<br>
(2) mschap : Found Cleartext-Password, hashing to create NT-Password<br>
(2) mschap : Creating challenge hash with username: temp<br>
(2) mschap : Client is using MS-CHAPv2<br>
(2) mschap : Adding MS-CHAPv2 MPPE keys<br>
(2) [mschap] = ok<br>
(2) } # Auth-Type MS-CHAP = ok<br>
MSCHAP Success<br>
(2) eap : New EAP session, adding 'State' attribute to reply
0x5df2a0505ff1ba2e<br>
(2) [eap] = handled<br>
(2) } # authenticate = handled<br>
Sending <b>Access-Challenge </b>Id 250 from 192.168.10.191:1812 to
192.168.10.201:59882<br>
<b> Class = </b>0x6d79636c617373<br>
EAP-Message =
0x010300331a0302002e533d37433431313734354230434342434642433642443939384239313546374639354339443630303232<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x5df2a0505ff1ba2e07f74e7f5a56fbca<br>
(2) Finished request<br>
Waking up in 0.3 seconds.<br>
Received <b>Access-Request</b> Id 251 from 192.168.10.201:59882 to
192.168.10.191:1812 length 156<br>
User-Name = 'temp'<br>
NAS-Port-Type = Virtual<br>
Service-Type = Framed-User<br>
NAS-Port = 5<br>
NAS-Port-Id = 'test1'<br>
NAS-IP-Address = 192.168.10.234<br>
Called-Station-Id = '192.168.10.234[4500]'<br>
Calling-Station-Id = '93.80.16.38[4500]'<br>
EAP-Message = 0x020300061a03<br>
NAS-Identifier = 'gateway'<br>
State = 0x5df2a0505ff1ba2e07f74e7f5a56fbca<br>
Message-Authenticator = 0x0651a29f80e0bee2a19fcbb7e6d6e58a<br>
(3) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default<br>
(3) authorize {<br>
(3) filter_username filter_username {<br>
(3) if (User-Name != "%{tolower:%{User-Name}}")<br>
(3) EXPAND %{tolower:%{User-Name}}<br>
(3) --> temp<br>
(3) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE<br>
(3) if (User-Name =~ / /)<br>
(3) if (User-Name =~ / /) -> FALSE<br>
(3) if (User-Name =~ /@.*@/ )<br>
(3) if (User-Name =~ /@.*@/ ) -> FALSE<br>
(3) if (User-Name =~ /\\.\\./ )<br>
(3) if (User-Name =~ /\\.\\./ ) -> FALSE<br>
(3) if ((User-Name =~ /@/) && (User-Name !~
/@(.+)\\.(.+)$/))<br>
(3) if ((User-Name =~ /@/) && (User-Name !~
/@(.+)\\.(.+)$/)) -> FALSE<br>
(3) if (User-Name =~ /\\.$/)<br>
(3) if (User-Name =~ /\\.$/) -> FALSE<br>
(3) if (User-Name =~ /@\\./)<br>
(3) if (User-Name =~ /@\\./) -> FALSE<br>
(3) } # filter_username filter_username = notfound<br>
(3) [preprocess] = ok<br>
(3) update request {<br>
(3) EXPAND %{User-Name}<br>
(3) --> temp<br>
(3) SQL-User-Name set to 'temp'<br>
rlm_sql (sql): Reserved connection (4)<br>
rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup
WHERE nasipaddress='192.168.10.201''<br>
rlm_sql (sql): Released connection (4)<br>
(3) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE
nasipaddress='%{Packet-Src-IP-Address}'}<br>
(3) --> hVPN<br>
(3) Huntgroup-Name := '"hVPN"'<br>
(3) } # update request = noop<br>
(3) switch &Huntgroup-Name {<br>
(3) case hVPN {<br>
(3) if (Service-Type == "Framed-User" && SQL-Group ==
"vpn-usr")<br>
(3) sql_groupcmp<br>
(3) EXPAND %{User-Name}<br>
(3) --> temp<br>
(3) SQL-User-Name set to 'temp'<br>
rlm_sql (sql): Reserved connection (4)<br>
(3) EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority<br>
(3) --> SELECT groupname FROM radusergroup WHERE username =
'temp' ORDER BY priority<br>
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup
WHERE username = 'temp' ORDER BY priority'<br>
(3) sql_groupcmp finished: User is a member of group vpn-usr<br>
rlm_sql (sql): Released connection (4)<br>
(3) if (Service-Type == "Framed-User" && SQL-Group ==
"vpn-usr") -> TRUE<br>
(3) if (Service-Type == "Framed-User" && SQL-Group ==
"vpn-usr") {<br>
(3) [ok] = ok<br>
(3) } # if (Service-Type == "Framed-User" && SQL-Group
== "vpn-usr") = ok<br>
(3) ... skipping elsif for request 3: Preceding "if" was taken<br>
(3) ... skipping else for request 3: Preceding "if" was taken<br>
(3) } # case hVPN = ok<br>
(3) } # switch &Huntgroup-Name = ok<br>
(3) [chap] = noop<br>
(3) [mschap] = noop<br>
(3) [digest] = noop<br>
(3) suffix : No '@' in User-Name = "temp", looking up realm NULL<br>
(3) suffix : No such realm "NULL"<br>
(3) [suffix] = noop<br>
(3) eap : EAP packet type response id 3 length 6<br>
(3) eap : EAP-MSCHAPV2 success, returning short-circuit ok<br>
(3) [eap] = ok<br>
(3) } # authorize = ok<br>
(3) Found Auth-Type = EAP<br>
(3) # Executing group from file
/usr/local/etc/raddb/sites-enabled/default<br>
(3) authenticate {<br>
(3) eap : Expiring EAP session with state 0x5df2a0505ff1ba2e<br>
(3) eap : Finished EAP session with state 0x5df2a0505ff1ba2e<br>
(3) eap : Previous EAP request found for state 0x5df2a0505ff1ba2e,
released from the list<br>
(3) eap : Peer sent MSCHAPv2 (26)<br>
(3) eap : EAP MSCHAPv2 (26)<br>
(3) eap : Calling eap_mschapv2 to process EAP data<br>
(3) eap : Freeing handler<br>
(3) [eap] = ok<br>
(3) } # authenticate = ok<br>
(3) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default<br>
(3) post-auth {<br>
(3) sql : EXPAND .query<br>
(3) sql : --> .query<br>
(3) sql : Using query template 'query'<br>
rlm_sql (sql): Reserved connection (4)<br>
(3) sql : EXPAND %{User-Name}<br>
(3) sql : --> temp<br>
(3) sql : SQL-User-Name set to 'temp'<br>
(3) sql : EXPAND INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( '%{SQL-User-Name}',
'%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}',
'%S')<br>
(3) sql : --> INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'temp', '', 'Access-Accept', '2014-05-24
16:02:04')<br>
rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES ( 'temp', '', 'Access-Accept',
'2014-05-24 16:02:04')'<br>
rlm_sql (sql): Released connection (4)<br>
(3) [sql] = ok<br>
(3) [exec] = noop<br>
(3) remove_reply_message_if_eap remove_reply_message_if_eap {<br>
(3) if (reply:EAP-Message && reply:Reply-Message)<br>
(3) if (reply:EAP-Message && reply:Reply-Message) ->
FALSE<br>
(3) else else {<br>
(3) [noop] = noop<br>
(3) } # else else = noop<br>
(3) } # remove_reply_message_if_eap remove_reply_message_if_eap =
noop<br>
(3) } # post-auth = ok<br>
Sending <b>Access-Accept</b> Id 251 from 192.168.10.191:1812 to
192.168.10.201:59882<br>
MS-MPPE-Encryption-Policy = Encryption-Allowed<br>
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed<br>
MS-MPPE-Send-Key = 0x49955e70c686fcc5f62abd7bac225266<br>
MS-MPPE-Recv-Key = 0x74a2ad3fd3b60c672a35d5c5ad028f3c<br>
EAP-Message = 0x03030004<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
User-Name = 'temp'<br>
(3) Finished request<br>
Waking up in 0.2 seconds.<br>
Waking up in 4.6 seconds.<br>
(0) Cleaning up request packet ID 248 with timestamp +15<br>
(1) Cleaning up request packet ID 249 with timestamp +15<br>
(2) Cleaning up request packet ID 250 with timestamp +15<br>
(3) Cleaning up request packet ID 251 with timestamp +15<br>
Ready to process requests.<br>
<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">23.05.2014 19:27, Alan DeKok wrote:<br>
</div>
<blockquote cite="mid:537F68DF.90009@deployingradius.com"
type="cite">
<pre wrap="">free.aaa wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Request does not contain Class attribute indeed.
</pre>
</blockquote>
<pre wrap="">
You didn't show that in the debug log.
</pre>
<blockquote type="cite">
<pre wrap="">I thought that by using
construction like:
</pre>
<blockquote type="cite">
<pre wrap=""> update reply {
Class = "%{Class}"
}
</pre>
</blockquote>
<pre wrap="">I can grab that attribute from the mysql radreply table and insert it in the
reply.
</pre>
</blockquote>
<pre wrap="">
That comment makes no sense.
</pre>
<blockquote type="cite">
<pre wrap="">Anyway, why do attributes from radreply not get inserted in
access-accept when using eap-mschapv2 by default?
</pre>
</blockquote>
<pre wrap="">
They should be.
</pre>
</blockquote>
<br>
<br>
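Added example, not part of the original post or of FreeRADIUS: a small parser for radiusd -X output that lists each reply lacking a given attribute, together with whether the sql module returned a result in that request's authorize section. The sample is condensed from the log in the post; the function names are this example's own, and it assumes a single, non-interleaved conversation.

```python
import re

# Condensed from the radiusd -X output in the post (requests 0, 1 and 3 only,
# most lines and attributes dropped). Values are the ones shown in the post.
SAMPLE_LOG = """\
(0) authorize {
(0) [preprocess] = ok
(0) [eap] = ok
(0) } # authorize = ok
(0) authenticate {
(0) [eap] = handled
(0) } # authenticate = handled
Sending Access-Challenge Id 248 from 192.168.10.191:1812 to 192.168.10.201:59882
State = 0x5df2a0505df3a42e07f74e7f5a56fbca
(0) Finished request
(1) authorize {
(1) [eap] = updated
(1) [sql] = ok
(1) [pap] = noop
(1) } # authorize = updated
(1) authenticate {
(1) [eap] = handled
(1) } # authenticate = handled
Sending Access-Challenge Id 249 from 192.168.10.191:1812 to 192.168.10.201:59882
Class = 0x6d79636c617373
State = 0x5df2a0505cf0ba2e07f74e7f5a56fbca
(1) Finished request
(3) authorize {
(3) [eap] = ok
(3) } # authorize = ok
(3) authenticate {
(3) [eap] = ok
(3) } # authenticate = ok
(3) post-auth {
(3) [sql] = ok
(3) } # post-auth = ok
Sending Access-Accept Id 251 from 192.168.10.191:1812 to 192.168.10.201:59882
User-Name = 'temp'
(3) Finished request
"""

SECTION_OPEN = re.compile(r"^\((\d+)\)\s+(authorize|authenticate|post-auth)\s*\{")
MODULE_RCODE = re.compile(r"^\((\d+)\)\s+\[([\w-]+)\]\s*=\s*(\w+)")
SENDING = re.compile(r"^Sending\s+(\S+)\s+Id\s+(\d+)")
ATTRIBUTE = re.compile(r"^\s*([A-Za-z][\w-]*)\s*=\s*(.*)$")


def summarize(log_text):
    """Map request number to its module return codes per section, the type
    of reply packet sent, and the attributes listed under that reply."""
    requests, current, section, in_reply = {}, None, None, False
    for line in log_text.splitlines():
        if line.startswith("("):          # "(N) ..." processing line
            in_reply = False
            m = SECTION_OPEN.match(line)
            if m:
                current, section = int(m.group(1)), m.group(2)
                requests.setdefault(
                    current, {"modules": {}, "reply": None, "attrs": {}})
                continue
            m = MODULE_RCODE.match(line)
            if m and section and int(m.group(1)) in requests:
                mods = requests[int(m.group(1))]["modules"]
                mods.setdefault(section, {})[m.group(2)] = m.group(3)
            continue
        m = SENDING.match(line)
        if m and current is not None:     # reply for the request just processed
            requests[current]["reply"], in_reply = m.group(1), True
            continue
        m = ATTRIBUTE.match(line)
        if in_reply and m:                # attribute lines printed under "Sending"
            requests[current]["attrs"][m.group(1)] = m.group(2)
    return requests


def replies_without(requests, attr, module="sql"):
    """List (request, reply type, module ran in authorize?) for every reply
    that does not carry `attr`."""
    return [(n, r["reply"], module in r["modules"].get("authorize", {}))
            for n, r in sorted(requests.items())
            if r["reply"] and attr not in r["attrs"]]


if __name__ == "__main__":
    for row in replies_without(summarize(SAMPLE_LOG), "Class"):
        print(row)
```
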
</body>
</html>