<div dir="ltr"><p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">Hello All,</span></p><p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">As suggested in earlier replies I have modified the sql query
and the schema. We are trying to use NAS-Identifier to segregate the customers.</span></p><p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">However I am running into an issue when trying to authenticate user using PEAP MSCHAP. </span></p><p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">While sending the tunneled request, its not containing the NAS-Identifier. Is it possible to send the NAS-Identifier in the tunneled request?</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif;font-size:12pt">I
am using freeradius version 2.1.12</span><br></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">Please let me know if there is something wrong with my config.</span></p><p class="MsoNormal"><br></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">FreeRadius LOG (i have removed many log output lines to reduce the size of the mail)</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">--------------------------------------------------------------------------------------------------------------------</span></p>
<p class="MsoNormal"><br></p><p class="MsoNormal">rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=154, length=226</p><p class="MsoNormal"> Acct-Session-Id = "eaea9572-00000065"</p><p class="MsoNormal"> NAS-Port = 95</p><p class="MsoNormal"> NAS-Port-Type = Wireless-802.11</p><p class="MsoNormal"> NAS-Identifier = "CN3BD321SM"</p><p class="MsoNormal"> NAS-IP-Address = 192.168.1.62</p><p class="MsoNormal"> Framed-MTU = 1496</p><p class="MsoNormal"> User-Name = "radtest"</p><p class="MsoNormal"> Calling-Station-Id = "F0-25-B7-48-08-2C"</p><p class="MsoNormal"> Called-Station-Id = "A0-D3-C1-AB-71-62"</p><p class="MsoNormal"> Service-Type = Framed-User</p><p class="MsoNormal"> EAP-Message = 0x025a000c0172616474657374</p><p class="MsoNormal"> Colubris-AVPair = "ssid=tenant"</p><p class="MsoNormal"> Colubris-AVPair = "phytype=IEEE802dot11 "</p><p class="MsoNormal"> Colubris-Attr-250 = 0x00000000</p><p class="MsoNormal"> Colubris-Attr-249 = 0x00000000</p><p class="MsoNormal"> Message-Authenticator = 0xb9bfc73c2e480450d46170ae43dc7721</p><p class="MsoNormal"># Executing section authorize from file /etc/freeradius/sites-enabled/default</p><p class="MsoNormal">+- entering group authorize {...}</p><p class="MsoNormal">++[preprocess] returns ok</p><p class="MsoNormal">++[chap] returns noop</p><p class="MsoNormal">++[mschap] returns noop</p><p class="MsoNormal">++[digest] returns noop</p><p class="MsoNormal">[suffix] No '@' in User-Name = "radtest", looking up realm NULL</p><p class="MsoNormal">[suffix] No such realm "NULL"</p><p class="MsoNormal">++[suffix] returns noop</p><p class="MsoNormal">[eap] EAP packet type response id 90 length 12</p><p class="MsoNormal">[eap] No EAP Start, assuming it's an on-going EAP conversation</p><p class="MsoNormal">++[eap] returns updated</p><p class="MsoNormal">++[files] returns noop</p><p class="MsoNormal">[sql] expand: %{User-Name} -> radtest</p><p class="MsoNormal">[sql] sql_set_user escaped user --> 'radtest'</p><p class="MsoNormal">rlm_sql (sql): Reserving sql socket id: 3</p><p class="MsoNormal">[sql] expand: SELECT <a href="http://radcheck.id">radcheck.id</a>, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup WHERE Username = '%{SQL-User-Name}' AND nasgroup.nasid = '%{NAS-Identifier}' AND nasgroup.groupname = radcheck.Groupname ORDER BY <a href="http://radcheck.id">radcheck.id</a> -> SELECT <a href="http://radcheck.id">radcheck.id</a>, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup WHERE Username = 'radtest' AND nasgroup.nasid = 'CN3BD321SM' AND nasgroup.groupname = radcheck.Groupname ORDER BY <a href="http://radcheck.id">radcheck.id</a></p><p class="MsoNormal">rlm_sql_postgresql: Status: PGRES_TUPLES_OK</p><p class="MsoNormal">rlm_sql_postgresql: query affected rows = 1 , fields = 5</p><p class="MsoNormal">[sql] User found in radcheck table</p><p class="MsoNormal">[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'radtest' ORDER BY id</p><p class="MsoNormal">rlm_sql_postgresql: Status: PGRES_TUPLES_OK</p><p class="MsoNormal">rlm_sql_postgresql: query affected rows = 1 , fields = 5</p><p class="MsoNormal">[sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='radtest' ORDER BY priority</p><p class="MsoNormal">rlm_sql_postgresql: Status: PGRES_TUPLES_OK</p><p class="MsoNormal">rlm_sql_postgresql: query affected rows = 0 , fields = 1</p><p class="MsoNormal">rlm_sql (sql): Released sql socket id: 3</p><p class="MsoNormal">++[sql] returns ok</p><p class="MsoNormal">++[expiration] returns noop</p><p class="MsoNormal">++[logintime] returns noop</p><p class="MsoNormal">[pap] WARNING: Auth-Type already set. Not setting to PAP</p><p class="MsoNormal">++[pap] returns noop</p><p class="MsoNormal">Found Auth-Type = EAP</p><p class="MsoNormal"># Executing group from file /etc/freeradius/sites-enabled/default</p><p class="MsoNormal">+- entering group authenticate {...}</p><p class="MsoNormal">[eap] EAP Identity</p><p class="MsoNormal">[eap] processing type md5</p><p class="MsoNormal">rlm_eap_md5: Issuing Challenge</p><p class="MsoNormal">++[eap] returns handled</p><p class="MsoNormal">Sending Access-Challenge of id 154 to 192.168.1.62 port 32953</p><p class="MsoNormal"> EAP-Message = 0x015b00160410c29fa2a1e7b48d23a6e801c718e9f7a7</p><p class="MsoNormal"> Message-Authenticator = 0x00000000000000000000000000000000</p><p class="MsoNormal"> State = 0x005655b7000d519bfcf3bbcabb4eb013</p><p class="MsoNormal">Finished request 0.</p><p class="MsoNormal">Going to the next request</p><p class="MsoNormal">Waking up in 4.9 seconds.</p><p class="MsoNormal">rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=77, length=238</p><p class="MsoNormal"> Acct-Session-Id = "eaea9572-00000065"</p><p class="MsoNormal"> NAS-Port = 95</p><p class="MsoNormal"> NAS-Port-Type = Wireless-802.11</p><p class="MsoNormal"> NAS-Identifier = "CN3BD321SM"</p><p class="MsoNormal"> NAS-IP-Address = 192.168.1.62</p><p class="MsoNormal"> Framed-MTU = 1496</p><p class="MsoNormal"> User-Name = "radtest"</p><p class="MsoNormal"> Calling-Station-Id = "F0-25-B7-48-08-2C"</p><p class="MsoNormal"> Called-Station-Id = "A0-D3-C1-AB-71-62"</p><p class="MsoNormal"> Service-Type = Framed-User</p><p class="MsoNormal"> EAP-Message = 0x025b00060319</p><p class="MsoNormal"> State = 0x005655b7000d519bfcf3bbcabb4eb013</p><p class="MsoNormal"> Colubris-AVPair = "ssid=tenant"</p><p class="MsoNormal"> Colubris-AVPair = "phytype=IEEE802dot11 "</p><p class="MsoNormal"> Colubris-Attr-250 = 0x00000000</p><p class="MsoNormal"> Colubris-Attr-249 = 0x00000000</p><p class="MsoNormal"> Message-Authenticator = 0x9815cb4c5cca3bcebc15d622c5f9e0f9</p><p class="MsoNormal"># Executing section authorize from file /etc/freeradius/sites-enabled/default</p><p class="MsoNormal">+- entering group authorize {...}</p><p class="MsoNormal">++[preprocess] returns ok</p><p class="MsoNormal">++[chap] returns noop</p><p class="MsoNormal">++[mschap] returns noop</p><p class="MsoNormal">++[digest] returns noop</p><p class="MsoNormal">[suffix] No '@' in User-Name = "radtest", looking up realm NULL</p><p class="MsoNormal">[suffix] No such realm "NULL"</p><p class="MsoNormal">++[suffix] returns noop</p><p class="MsoNormal">[eap] EAP packet type response id 91 length 6</p><p class="MsoNormal">[eap] No EAP Start, assuming it's an on-going EAP conversation</p><p class="MsoNormal">++[eap] returns updated</p><p class="MsoNormal">++[files] returns noop</p><p class="MsoNormal">[sql] expand: %{User-Name} -> radtest</p><p class="MsoNormal">[sql] sql_set_user escaped user --> 'radtest'</p><p class="MsoNormal">rlm_sql (sql): Reserving sql socket id: 2</p><p class="MsoNormal">[sql] expand: SELECT <a href="http://radcheck.id">radcheck.id</a>, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup WHERE Username = '%{SQL-User-Name}' AND nasgroup.nasid = '%{NAS-Identifier}' AND nasgroup.groupname = radcheck.Groupname ORDER BY <a href="http://radcheck.id">radcheck.id</a> -> SELECT <a href="http://radcheck.id">radcheck.id</a>, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup WHERE Username = 'radtest' AND nasgroup.nasid = 'CN3BD321SM' AND nasgroup.groupname = radcheck.Groupname ORDER BY <a href="http://radcheck.id">radcheck.id</a></p><p class="MsoNormal">rlm_sql_postgresql: Status: PGRES_TUPLES_OK</p><p class="MsoNormal">rlm_sql_postgresql: query affected rows = 1 , fields = 5</p><p class="MsoNormal">[sql] User found in radcheck table</p><p class="MsoNormal">[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'radtest' ORDER BY id</p><p class="MsoNormal">rlm_sql_postgresql: Status: PGRES_TUPLES_OK</p><p class="MsoNormal">rlm_sql_postgresql: query affected rows = 1 , fields = 5</p><p class="MsoNormal">[sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='radtest' ORDER BY priority</p><p class="MsoNormal">rlm_sql_postgresql: Status: PGRES_TUPLES_OK</p><p class="MsoNormal">rlm_sql_postgresql: query affected rows = 0 , fields = 1</p><p class="MsoNormal">rlm_sql (sql): Released sql socket id: 2</p><p class="MsoNormal">++[sql] returns ok</p><p class="MsoNormal">++[expiration] returns noop</p><p class="MsoNormal">++[logintime] returns noop</p><p class="MsoNormal">[pap] WARNING: Auth-Type already set. Not setting to PAP</p><p class="MsoNormal">++[pap] returns noop</p><p class="MsoNormal">Found Auth-Type = EAP</p><p class="MsoNormal"># Executing group from file /etc/freeradius/sites-enabled/default</p><p class="MsoNormal">+- entering group authenticate {...}</p><p class="MsoNormal">[eap] Request found, released from the list</p><p class="MsoNormal">[eap] EAP NAK</p><p class="MsoNormal">[eap] EAP-NAK asked for EAP-Type/peap</p><p class="MsoNormal">[eap] processing type tls</p><p class="MsoNormal">[tls] Initiate</p><p class="MsoNormal">[tls] Start returned 1</p><p class="MsoNormal">++[eap] returns handled</p><p class="MsoNormal">Sending Access-Challenge of id 77 to 192.168.1.62 port 32953</p><p class="MsoNormal"> EAP-Message = 0x015c00061920</p><p class="MsoNormal"> Message-Authenticator = 0x00000000000000000000000000000000</p><p class="MsoNormal"> State = 0x005655b7010a4c9bfcf3bbcabb4eb013</p><p class="MsoNormal">Finished request 1.</p><p class="MsoNormal">Going to the next request</p><p class="MsoNormal">Waking up in 4.9 seconds.</p><p class="MsoNormal">rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=213, length=440</p><p class="MsoNormal"> Acct-Session-Id = "eaea9572-00000065"</p><p class="MsoNormal"> NAS-Port = 95</p><p class="MsoNormal"> NAS-Port-Type = Wireless-802.11</p><p class="MsoNormal"> NAS-Identifier = "CN3BD321SM"</p><p class="MsoNormal"> NAS-IP-Address = 192.168.1.62</p><p class="MsoNormal"> Framed-MTU = 1496</p><p class="MsoNormal"> User-Name = "radtest"</p><p class="MsoNormal"> Calling-Station-Id = "F0-25-B7-48-08-2C"</p><p class="MsoNormal"> Called-Station-Id = "A0-D3-C1-AB-71-62"</p><p class="MsoNormal"> Service-Type = Framed-User</p><p class="MsoNormal"> EAP-Message = 0x025c00d01980000000c616030100c1010000bd0301545bede983c64b84e5579021f2c8c1bba854b49152249d40e262132606fb4d13000054c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011</p><p class="MsoNormal"> State = 0x005655b7010a4c9bfcf3bbcabb4eb013</p><p class="MsoNormal"> Colubris-AVPair = "ssid=tenant"</p><p class="MsoNormal"> Colubris-AVPair = "phytype=IEEE802dot11 "</p><p class="MsoNormal"> Colubris-Attr-250 = 0x00000000</p><p class="MsoNormal"> Colubris-Attr-249 = 0x00000000</p><p class="MsoNormal"> Message-Authenticator = 0x1981daace80a8b50b267b588801fa7c6</p><p class="MsoNormal"># Executing section authorize from file /etc/freeradius/sites-enabled/default</p><p class="MsoNormal">+- entering group authorize {...}</p><p class="MsoNormal">++[preprocess] returns ok</p><p class="MsoNormal">++[chap] returns noop</p><p class="MsoNormal">++[mschap] returns noop</p><p class="MsoNormal">++[digest] returns noop</p><p class="MsoNormal">[suffix] No '@' in User-Name = "radtest", looking up realm NULL</p><p class="MsoNormal">[suffix] No such realm "NULL"</p><p class="MsoNormal">++[suffix] returns noop</p><p class="MsoNormal">[eap] EAP packet type response id 92 length 208</p><p class="MsoNormal">[eap] Continuing tunnel setup.</p><p class="MsoNormal">++[eap] returns ok</p><p class="MsoNormal">Found Auth-Type = EAP</p><p class="MsoNormal"># Executing group from file /etc/freeradius/sites-enabled/default</p><p class="MsoNormal">+- entering group authenticate {...}</p><p class="MsoNormal">[eap] Request found, released from the list</p><p class="MsoNormal">[eap] EAP/peap</p><p class="MsoNormal">[eap] processing type peap</p><p class="MsoNormal">[peap] processing EAP-TLS</p><p class="MsoNormal"> TLS Length 198</p><p class="MsoNormal">[peap] Length Included</p><p class="MsoNormal">[peap] eaptls_verify returned 11 </p><p class="MsoNormal">Finished request 2.<br></p><p class="MsoNormal">Going to the next request</p><p class="MsoNormal">Waking up in 4.9 seconds.</p><p class="MsoNormal">rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=247, length=238</p><p class="MsoNormal"> Acct-Session-Id = "eaea9572-00000065"</p><p class="MsoNormal"> NAS-Port = 95</p><p class="MsoNormal"> NAS-Port-Type = Wireless-802.11</p><p class="MsoNormal"> NAS-Identifier = "CN3BD321SM"</p><p class="MsoNormal"> NAS-IP-Address = 192.168.1.62</p><p class="MsoNormal"> Framed-MTU = 1496</p><p class="MsoNormal"> User-Name = "radtest"</p><p class="MsoNormal"> Calling-Station-Id = "F0-25-B7-48-08-2C"</p><p class="MsoNormal"> Called-Station-Id = "A0-D3-C1-AB-71-62"</p><p class="MsoNormal"> Service-Type = Framed-User</p><p class="MsoNormal"> EAP-Message = 0x025d00061900</p><p class="MsoNormal"> State = 0x005655b7020b4c9bfcf3bbcabb4eb013</p><p class="MsoNormal"> Colubris-AVPair = "ssid=tenant"</p><p class="MsoNormal"> Colubris-AVPair = "phytype=IEEE802dot11 "</p><p class="MsoNormal"> Colubris-Attr-250 = 0x00000000</p><p class="MsoNormal"> Colubris-Attr-249 = 0x00000000</p><p class="MsoNormal"> Message-Authenticator = 0x3194e87ace606247da24d510ebdbb259</p><p class="MsoNormal"># Executing section authorize from file /etc/freeradius/sites-enabled/default</p><p class="MsoNormal">+- entering group authorize {...}</p><p class="MsoNormal">++[preprocess] returns ok</p><p class="MsoNormal">++[chap] returns noop</p><p class="MsoNormal">++[mschap] returns noop</p><p class="MsoNormal">++[digest] returns noop</p><p class="MsoNormal">[suffix] No '@' in User-Name = "radtest", looking up realm NULL</p><p class="MsoNormal">[suffix] No such realm "NULL"</p><p class="MsoNormal">++[suffix] returns noop</p><p class="MsoNormal">[eap] EAP packet type response id 93 length 6</p><p class="MsoNormal">[eap] Continuing tunnel setup.</p><p class="MsoNormal">++[eap] returns ok</p><p class="MsoNormal">Found Auth-Type = EAP</p><p class="MsoNormal"># Executing group from file /etc/freeradius/sites-enabled/default</p><p class="MsoNormal">+- entering group authenticate {...}</p><p class="MsoNormal">[eap] Request found, released from the list</p><p class="MsoNormal">[eap] EAP/peap</p><p class="MsoNormal">[eap] processing type peap</p><p class="MsoNormal">[peap] processing EAP-TLS</p><p class="MsoNormal">[peap] Received TLS ACK</p><p class="MsoNormal">[peap] ACK handshake fragment handler</p><p class="MsoNormal">[peap] eaptls_verify returned 1 </p><p class="MsoNormal">[peap] eaptls_process returned 13 </p><p class="MsoNormal">+- entering group authorize {...}<br></p><p class="MsoNormal">++[preprocess] returns ok</p><p class="MsoNormal">++[chap] returns noop</p><p class="MsoNormal">++[mschap] returns noop</p><p class="MsoNormal">++[digest] returns noop</p><p class="MsoNormal">[suffix] No '@' in User-Name = "radtest", looking up realm NULL</p><p class="MsoNormal">[suffix] No such realm "NULL"</p><p class="MsoNormal">++[suffix] returns noop</p><p class="MsoNormal">[eap] EAP packet type response id 94 length 144</p><p class="MsoNormal">[eap] Continuing tunnel setup.</p><p class="MsoNormal">++[eap] returns ok</p><p class="MsoNormal">Found Auth-Type = EAP</p><p class="MsoNormal"># Executing group from file /etc/freeradius/sites-enabled/default</p><p class="MsoNormal">+- entering group authenticate {...}</p><p class="MsoNormal">[eap] Request found, released from the list</p><p class="MsoNormal">[eap] EAP/peap</p><p class="MsoNormal">[eap] processing type peap</p><p class="MsoNormal">Going to the next request<br></p><p class="MsoNormal">Waking up in 4.9 seconds.</p><p class="MsoNormal">rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=3, length=238</p><p class="MsoNormal"> Acct-Session-Id = "eaea9572-00000065"</p><p class="MsoNormal"> NAS-Port = 95</p><p class="MsoNormal"> NAS-Port-Type = Wireless-802.11</p><p class="MsoNormal"> NAS-Identifier = "CN3BD321SM"</p><p class="MsoNormal"> NAS-IP-Address = 192.168.1.62</p><p class="MsoNormal"> Framed-MTU = 1496</p><p class="MsoNormal"> User-Name = "radtest"</p><p class="MsoNormal"> Calling-Station-Id = "F0-25-B7-48-08-2C"</p><p class="MsoNormal"> Called-Station-Id = "A0-D3-C1-AB-71-62"</p><p class="MsoNormal"> Service-Type = Framed-User</p><p class="MsoNormal"> EAP-Message = 0x025f00061900</p><p class="MsoNormal"> State = 0x005655b704094c9bfcf3bbcabb4eb013</p><p class="MsoNormal"> Colubris-AVPair = "ssid=tenant"</p><p class="MsoNormal"> Colubris-AVPair = "phytype=IEEE802dot11 "</p><p class="MsoNormal"> Colubris-Attr-250 = 0x00000000</p><p class="MsoNormal"> Colubris-Attr-249 = 0x00000000</p><p class="MsoNormal"> Message-Authenticator = 0xf14dd2f6c72a4c3ceb5375a80413b223</p><p class="MsoNormal"># Executing section authorize from file /etc/freeradius/sites-enabled/default</p><p class="MsoNormal">+- entering group authorize {...}</p><p class="MsoNormal">++[preprocess] returns ok</p><p class="MsoNormal">++[chap] returns noop</p><p class="MsoNormal">++[mschap] returns noop</p><p class="MsoNormal">++[digest] returns noop</p><p class="MsoNormal">[suffix] No '@' in User-Name = "radtest", looking up realm NULL</p><p class="MsoNormal">[suffix] No such realm "NULL"</p><p class="MsoNormal">++[suffix] returns noop</p><p class="MsoNormal">[eap] EAP packet type response id 95 length 6</p><p class="MsoNormal">[eap] Continuing tunnel setup.</p><p class="MsoNormal">++[eap] returns ok</p><p class="MsoNormal">Found Auth-Type = EAP</p><p class="MsoNormal"># Executing group from file /etc/freeradius/sites-enabled/default</p><p class="MsoNormal">+- entering group authenticate {...}</p><p class="MsoNormal">[eap] Request found, released from the list</p><p class="MsoNormal">[eap] EAP/peap</p><p class="MsoNormal">[eap] processing type peap</p><p class="MsoNormal">[peap] processing EAP-TLS</p><p class="MsoNormal">[peap] Received TLS ACK</p><p class="MsoNormal">[peap] ACK handshake is finished</p><p class="MsoNormal">[peap] eaptls_verify returned 3 </p><p class="MsoNormal">[peap] eaptls_process returned 3 </p><p class="MsoNormal">[peap] EAPTLS_SUCCESS</p><p class="MsoNormal">[peap] Session established. Decoding tunneled attributes.</p><p class="MsoNormal">[peap] Peap state TUNNEL ESTABLISHED</p><p class="MsoNormal">++[eap] returns handled</p><p class="MsoNormal">Sending Access-Challenge of id 3 to 192.168.1.62 port 32953</p><p class="MsoNormal"> EAP-Message = 0x0160002b190017030100206f520d286e0a8531cad4f96f3d16ff71290206fbd472476c97983544bf77ce37</p><p class="MsoNormal"> Message-Authenticator = 0x00000000000000000000000000000000</p><p class="MsoNormal"> State = 0x005655b705364c9bfcf3bbcabb4eb013</p><p class="MsoNormal">Finished request 5.</p><p class="MsoNormal">Going to the next request</p><p class="MsoNormal">Waking up in 4.9 seconds.</p><p class="MsoNormal">rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=137, length=312</p><p class="MsoNormal"> Acct-Session-Id = "eaea9572-00000065"</p><p class="MsoNormal"> NAS-Port = 95</p><p class="MsoNormal"> NAS-Port-Type = Wireless-802.11</p><p class="MsoNormal"> NAS-Identifier = "CN3BD321SM"</p><p class="MsoNormal"> NAS-IP-Address = 192.168.1.62</p><p class="MsoNormal"> Framed-MTU = 1496</p><p class="MsoNormal"> User-Name = "radtest"</p><p class="MsoNormal"> Calling-Station-Id = "F0-25-B7-48-08-2C"</p><p class="MsoNormal"> Called-Station-Id = "A0-D3-C1-AB-71-62"</p><p class="MsoNormal"> Service-Type = Framed-User</p><p class="MsoNormal"> EAP-Message = 0x0260005019001703010020be7393b22523f27ba53a2a90ae5022b7e6ac7a1733cbb1d10ea97dc3871c60001703010020e0e4b12bd1ad0ad1918c19eb36449ea6e0a94e322f9aeacee86bf5db4613e7e1</p><p class="MsoNormal"> State = 0x005655b705364c9bfcf3bbcabb4eb013</p><p class="MsoNormal"> Colubris-AVPair = "ssid=tenant"</p><p class="MsoNormal"> Colubris-AVPair = "phytype=IEEE802dot11 "</p><p class="MsoNormal"> Colubris-Attr-250 = 0x00000000</p><p class="MsoNormal"> Colubris-Attr-249 = 0x00000000</p><p class="MsoNormal"> Message-Authenticator = 0xd3c41c6be1d9c598f08c4b289f092589</p><p class="MsoNormal"># Executing section authorize from file /etc/freeradius/sites-enabled/default</p><p class="MsoNormal">+- entering group authorize {...}</p><p class="MsoNormal">++[preprocess] returns ok</p><p class="MsoNormal">++[chap] returns noop</p><p class="MsoNormal">++[mschap] returns noop</p><p class="MsoNormal">++[digest] returns noop</p><p class="MsoNormal">[suffix] No '@' in User-Name = "radtest", looking up realm NULL</p><p class="MsoNormal">[suffix] No such realm "NULL"</p><p class="MsoNormal">++[suffix] returns noop</p><p class="MsoNormal">[eap] EAP packet type response id 96 length 80</p><p class="MsoNormal">[eap] Continuing tunnel setup.</p><p class="MsoNormal">++[eap] returns ok</p><p class="MsoNormal">Found Auth-Type = EAP</p><p class="MsoNormal"># Executing group from file /etc/freeradius/sites-enabled/default</p><p class="MsoNormal">+- entering group authenticate {...}</p><p class="MsoNormal">[eap] Request found, released from the list</p><p class="MsoNormal">[eap] EAP/peap</p><p class="MsoNormal">[eap] processing type peap</p><p class="MsoNormal">[peap] processing EAP-TLS</p><p class="MsoNormal">[peap] eaptls_verify returned 7 </p><p class="MsoNormal">[peap] Done initial handshake</p><p class="MsoNormal">[peap] eaptls_process returned 7 </p><p class="MsoNormal">[peap] EAPTLS_OK</p><p class="MsoNormal">[peap] Session established. Decoding tunneled attributes.</p><p class="MsoNormal">[peap] Peap state WAITING FOR INNER IDENTITY</p><p class="MsoNormal">[peap] Identity - radtest</p><p class="MsoNormal">[peap] Got inner identity 'radtest'</p><p class="MsoNormal">[peap] Setting default EAP type for tunneled EAP session.</p><p class="MsoNormal">[peap] Got tunneled request</p><p class="MsoNormal"> EAP-Message = 0x0260000c0172616474657374</p><p class="MsoNormal">server {</p><p class="MsoNormal">[peap] Setting User-Name to radtest</p><p class="MsoNormal">Sending tunneled request</p><p class="MsoNormal"> EAP-Message = 0x0260000c0172616474657374</p><p class="MsoNormal"> FreeRADIUS-Proxied-To = 127.0.0.1</p><p class="MsoNormal"> User-Name = "radtest"</p><p class="MsoNormal">server inner-tunnel {</p><p class="MsoNormal"># Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel</p><p class="MsoNormal">+- entering group authorize {...}</p><p class="MsoNormal">++[chap] returns noop</p><p class="MsoNormal">++[mschap] returns noop</p><p class="MsoNormal">[suffix] No '@' in User-Name = "radtest", looking up realm NULL</p><p class="MsoNormal">[suffix] No such realm "NULL"</p><p class="MsoNormal">++[suffix] returns noop</p><p class="MsoNormal">++[control] returns noop</p><p class="MsoNormal">[eap] EAP packet type response id 96 length 12</p><p class="MsoNormal">[eap] No EAP Start, assuming it's an on-going EAP conversation</p><p class="MsoNormal">++[eap] returns updated</p><p class="MsoNormal">[sql] expand: %{User-Name} -> radtest</p><p class="MsoNormal">[sql] sql_set_user escaped user --> 'radtest'</p><p class="MsoNormal">rlm_sql (sql): Reserving sql socket id: 1</p><p class="MsoNormal">[sql] expand: SELECT <a href="http://radcheck.id">radcheck.id</a>, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup WHERE Username = '%{SQL-User-Name}' AND nasgroup.nasid = '%{NAS-Identifier}' AND nasgroup.groupname = radcheck.Groupname ORDER BY <a href="http://radcheck.id">radcheck.id</a> -> SELECT <a href="http://radcheck.id">radcheck.id</a>, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup WHERE Username = 'radtest' AND nasgroup.nasid = '' AND nasgroup.groupname = radcheck.Groupname ORDER BY <a href="http://radcheck.id">radcheck.id</a></p><p class="MsoNormal">rlm_sql_postgresql: Status: PGRES_TUPLES_OK</p><p class="MsoNormal">rlm_sql_postgresql: query affected rows = 0 , fields = 5</p><p class="MsoNormal">[sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='radtest' ORDER BY priority</p><p class="MsoNormal">rlm_sql_postgresql: Status: PGRES_TUPLES_OK</p><p class="MsoNormal">rlm_sql_postgresql: query affected rows = 0 , fields = 1</p><p class="MsoNormal">rlm_sql (sql): Released sql socket id: 1</p><p class="MsoNormal">[sql] User radtest not found</p><p class="MsoNormal">++[sql] returns notfound</p><p class="MsoNormal">++[expiration] returns noop</p><p class="MsoNormal">++[logintime] returns noop</p><p class="MsoNormal">++[pap] returns noop</p><p class="MsoNormal">Found Auth-Type = EAP</p><p class="MsoNormal"># Executing group from file /etc/freeradius/sites-enabled/inner-tunnel</p><p class="MsoNormal">+- entering group authenticate {...}</p><p class="MsoNormal"><br></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">---------------------------------------------------------------------------------------------------------------------------------------- </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif;background-image:initial;background-repeat:initial">Database schema changes - </span><span style="font-size:12pt;font-family:'Times New Roman',serif"></span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">----------------------------------------</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">A new table has been added called "nasgroup" and the
radcheck table has been modified to include an extra column called groupname
- </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">radiusdb=# select * from nasgroup;</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> id | groupname | nasid </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">----+-----------+------------</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> 1 | test | CN3BD321SM</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> 3 | temp | XYZABDG</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">radiusdb=# select * from radcheck;</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> id | username | attribute
| op | value | groupname </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">----+----------+--------------------+----+---------+-----------</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> 1 | radtest | Cleartext-Password | := | radtest |
test</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> 2 | radtest | Cleartext-Password | := | radtest |
temp</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">Dialup.conf</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">---------------</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">"authorize_check_query" has been modified but
"authorize_reply_query" has not been changed.</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">authorize_check_query = "SELECT ${authcheck_table}.id,
${authcheck_table}.UserName, ${authcheck_table}.Attribute,
${authcheck_table}.Value, ${authcheck_table}.Op \</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> FROM ${authcheck_table}, nasgroup \</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> WHERE Username = '%{SQL-User-Name}' \</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> AND nasgroup.nasid = '%{NAS-Identifier}' \</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> AND nasgroup.groupname = ${authcheck_table}.Groupname \</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> ORDER BY <a href="http://radcheck.id" target="_blank">radcheck.id</a>"</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> </span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">authorize_reply_query = "SELECT id, UserName, Attribute,
Value, Op \</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> FROM radreply \</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> WHERE Username = '%{SQL-User-Name}' \</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> ORDER BY id"</span></p>
<p class="MsoNormal"> </p><p class="MsoNormal"><br></p><p class="MsoNormal">Thanks,</p><p class="MsoNormal">Ila.</p><p class="MsoNormal"><br></p></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 27, 2014 at 4:36 PM, Pshem Kowalczyk <span dir="ltr"><<a href="mailto:pshem.k@gmail.com" target="_blank">pshem.k@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>One method that I used in the past is to create a virtual server per 'tenant' and then use the 'main' server to proxy to the correct virtual server based on the attributes in the requests.</div><div><br></div><div>kind regards</div><span class="HOEnZb"><font color="#888888"><div>Pshem</div><div><br></div></font></span></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On 28 October 2014 07:09, Ilavajuthy Palanisamy <span dir="ltr"><<a href="mailto:ilavajuthy@gmail.com" target="_blank">ilavajuthy@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr">Hi All,<div><br></div><div>We are hosting an application in the cloud which is managing multiple customers.</div><div>Customers will be authenticated using the FreeRadius server. </div><div>We are planning to use the user authentication through the database(PostgreSQL).</div><div>I have configured the radcheck table and able to make the user authentication successfully.</div><div><br></div><div>In order to support multiple customers, what are all the options/design available in FreeRadius.</div><div><br></div><div>One option we are thinking is to modify the schema to introduce customer-id and modify the sql module to support the new schema. If this is possible, please provide pointers in achieving this.</div><div><br></div><div>If there are other options available, please provide pointers.</div><div><br></div><div>Thanks,</div><div>Ila.</div><div><br></div><div><br></div><div> </div><div><br></div><div><br></div></div>
<br></div></div><span class="">-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br></span></blockquote></div><br></div>
<br>-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br></blockquote></div><br></div>