Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
April 2012
- 112 participants
- 163 discussions
I have a working setup using FreeRadius 2.1.10 doing PEAP/MSCHAPv2 against a 2008 R2 Domain Controller via Samba 2.3.5.6 all running on Debian 6.0.4. My clients are D-Link DWL3200 and D-Link DAP-2360 access points. I am using the builtin Windows XP SP3 802.1x supplicant.
Currently FreeRadius will send back Access-Accepts for *both* user and machine/host accounts (in the Active Directory context of those terms). I would like to configure FreeRadius to ignore or reject authentication requests using the user creditionals. I spent the better part of yesterday afternoon searching the mailing list but I couldn't seem to conjure up the correct search terms to find out which configuration files I need to delve into to make this setting.
My goal is to implement 802.1x authentication for devices that are joined to the domain. I don't want people to be able to use their domain creditionals to authenticate non-domain devices to our wireless network.
Additionally, I just want to commend the developers and other folks associated with FreeRadius for a fantastic job. The configuration files are very well documented, I just can't figure out which one I need to re-read.
Thanks.
Debugging Output:
-----------------
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:12:30
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 192.168.41.9 {
require_message_authenticator = no
secret = ""
shortname = "cshop-dap2360-wap"
nastype = "other"
}
client 192.168.52.0/22 {
require_message_authenticator = no
secret = ""
shortname = "cbj-downtown"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "SECRET"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
detail {
detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
--
Kevin Elliott
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
3
5
Greetings All!
We have set up Radius on OS X 10.6 Server running OD for use with several devices, including a Sonic Wall, and Ruckus WAPs. We have gotten everything working very nicely, but we would love to be able to include a small group of Windows users running on AD, so they can also use their network Credentials to access the WAP etc.
The main question is - Is it possible for FreeRadius (the OS X 10.6 version) to authenticate against both OD and AD?
And the second question is obviously... how?
Thanks in advance for your time!! Please reply directly, as I am not subscribed to the list...
Chris Morris
Nashville, TN
2
1
Hi everyone... I have a lan and wireless network... The wireless network i
want to use a captive portal (coovachilli) but in places that i don't have
wireless i need to use access points to access to the lan network... I use
freeradius with mysql... I configure 2 clients in clients.conf the
coovachilli is localhost and lan network 172.16.32.0 is another client, but
in coovachilli i login with my users in the database and y did, but i have
problems to the ap... The didn't login... In the database u stored username
with user-password attribute... Is it correct?
3
5
Is it possible configure freeradius to select a specific authentication mechanism on a wlan basis ?
Considering to have a couple of wlan , say ad_wifi and sql_wifi, I would allow only Active Directory authenticated users to associate to ad_wifi , while only users defined on a mySQL db can connect to sql_wifi.
Thanks for suggestions.
Regards,
Paolo.
------------------------------------------------------------------------------------------------
Paolo Barbato
Consorzio RFX
corso Stati Uniti,4
35127 Padova - Italy
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
------------------------------------------------------------------------------------------------
2
2
Hello guys,
I recently installed freeradius server. I am only using the accounting
mechanism of the system for keeping logs. I am monitoring the server for a
week now and today I face with a problem that couldnt solve.
The problem is that, in the "detail" log of the client, I can see the
incoming STOP packets of a specific session_id and the cause of termination
is stated as "Idle-timeout". In general when these packets arrive to the
server, it goes and closes the active session of a user in the accounting
table stating that the connection of a user disconnected at a given time.
But sometimes, some STOP packets with Idle-Timeout cause, do not run the
necessary query in the radius for updating the accounting table for that
session. This do not happens always. But I need to find the solution for
that. I want to see that every LOG inside the "detail" log of a NAS client,
should be proceed by the radius for the necessary changes. Like I said, some
times, some packets inside the detail log is like ignored by the radius for
updating the accounting table.
What can be the reason of this situation? I can only think may be it is
because of the heavy loads of traffic at that time in terms of packets
arriving to the radius from NAS. I only have 1 client and the radiusd.conf
is set to default values.
What is the solution Guys?
Thank you in advance.
--
View this message in context: http://freeradius.1045715.n5.nabble.com/Incoming-Packet-information-do-not-…
Sent from the FreeRadius - User mailing list archive at Nabble.com.
3
8
We are using the Cisco ACS 5.3 as a RADIUS for database authentication and
authorization. The purpose is to authenticate incoming users based on the
NAS-PORT-ID. The problem is that we cannot find any solution for the Service
Router (Alcatel 7750) to send the NAS-PORT-ID to act as USERNAME. The
username field is set to the MAC address.
The ACS requires a USERNAME and there is not a way to manipulate the
User-Name value once it is received.
We heard that it could be possible to use the freeradius to act as a proxy
for the Cisco secure ACS.
This is what we want:
User --> [SR] --> User-Name = “MAC:xx.xx.xx.xx” Password = “secret”
NAS-Port-Id = 1/1/4.1001.129 --> [FR] --> User-Name = “1/1/4.1001.129”
Password = “secret” --> [ACS 5.3]
Is there a solution for this option in the Freeradius?
Is there a way to manipulate the User-Name sent from the service router,
(MAC address), and change it to its NAS-Port-Id before it reaches the ACS
RADIUS with help from the freeradius acting as a proxy?
--
View this message in context: http://freeradius.1045715.n5.nabble.com/Nas-Port-Id-as-username-tp5664812p5…
Sent from the FreeRadius - User mailing list archive at Nabble.com.
2
2
We are modifying the Wireless acccess to our LAN.
We are trying to use a Cisco WLC and our freeradius. We've been using this
same freeradius for authenticating users against the corporate LDAP. Now
we want WLC to talk to the radius server without losing any functionality
like user authentication or vlan assignment.
Our main problem is that the vlan assingment is not working when we use the
WLC. The scenario with the APs talking to the radius directly works fine,
but when we use lightweight AP and the WLC we can see that the vlan
assignment part is skipped by the authentication process and all the users
are sent to the same vlan.
The following is the output of the two cases. One of them is a user
authenticating without WLC, the AP talks directly to the Radius Server, and
the other is an authentication where WLC talks to the Radius Server (the
one that is not working)
- 10.32.2.81 is the WLC IP address.
- 10.32.2.39 is the AP IP address.
WLC Soft Version: 7.0.116.0
These are the outputs:
1) AP - RADIUS (No WLC)
*****************************************************
rad_recv: Access-Request packet from host 10.32.2.39 port 1645, id=205,
length=184
User-Name = "fcanales"
Framed-MTU = 1400
Called-Station-Id = "001d.4551.7da0"
Calling-Station-Id = "5894.6b0d.e86c"
Service-Type = Login-User
Message-Authenticator = 0x46192e9a5e4720bd6c721e03d8e6c3b4
EAP-Message =
0x0208002b19001703010020f7e5545e9d9e05ecff5f8be2d1bc992eeddba82eb4adef509bded9dd6c132712
NAS-Port-Type = Wireless-802.11
NAS-Port = 59460
State = 0xf4160a33f11e13898255a02243c509d6
NAS-IP-Address = 10.32.2.39
NAS-Identifier = "ap-Reco32"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "fcanales", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - fcanales
[peap] Got tunneled request
EAP-Message = 0x0208000d016663616e616c6573
server {
PEAP: Got tunneled identity of fcanales
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to fcanales
Sending tunneled request
EAP-Message = 0x0208000d016663616e616c6573
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "fcanales"
Framed-MTU = 1400
Called-Station-Id = "001d.4551.7da0"
Calling-Station-Id = "5894.6b0d.e86c"
Service-Type = Login-User
NAS-Port-Type = Wireless-802.11
NAS-Port = 59460
NAS-IP-Address = 10.32.2.39
NAS-Identifier = "ap-Reco32"
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++? if (!Huntgroup-Name)
? Evaluating !(Huntgroup-Name) -> FALSE
++? if (!Huntgroup-Name) -> FALSE
++? if (Huntgroup-Name == "list")
? Evaluating (Huntgroup-Name == "list") -> TRUE
++? if (Huntgroup-Name == "list") -> TRUE
++- entering if (Huntgroup-Name == "list") {...}
+++? if (Ldap-Group == "WIFI-Direccion")
rlm_ldap: Entering ldap_groupcmp()
expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
expand: (uid=%u) -> (uid=fcanales)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
(uid=fcanales)
rlm_ldap: ldap_release_conn: Release Id: 0
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand:
(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
-> (&(objectClass=posixGroup)(memberUid=fcanales))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
(&(cn=WIFI-Direccion)(&(objectClass=posixGroup)(memberUid=fcanales)))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group WIFI-Direccion not found or user is not a
member.
+++? if (Ldap-Group == "WIFI-MKTyCC")
rlm_ldap: Entering ldap_groupcmp()
expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand:
(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
-> (&(objectClass=posixGroup)(memberUid=fcanales))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
(&(cn=WIFI-Finanzas)(&(objectClass=posixGroup)(memberUid=fcanales)))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group WIFI-Finanzas not found or user is not a
member.
+++? if (Ldap-Group == "WIFI-TyO")
rlm_ldap: Entering ldap_groupcmp()
expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand:
(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
-> (&(objectClass=posixGroup)(memberUid=fcanales))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
(&(cn=WIFI-TyO)(&(objectClass=posixGroup)(memberUid=fcanales)))
rlm_ldap::ldap_groupcmp: User found in group WIFI-TyO
rlm_ldap: ldap_release_conn: Release Id: 0
? Evaluating (Ldap-Group == "WIFI-TyO") -> TRUE
+++? if (Ldap-Group == "WIFI-TyO") -> TRUE
+++- entering if (Ldap-Group == "WIFI-TyO") {...}
++++[reply] returns ok
+++- if (Ldap-Group == "WIFI-TyO") returns ok
+++? if (Ldap-Group == "WIFI-ITfuncional")
rlm_ldap: Entering ldap_groupcmp()
expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand:
(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
-> (&(objectClass=posixGroup)(memberUid=fcanales))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
(&(cn=WIFI-Monit)(&(objectClass=posixGroup)(memberUid=fcanales)))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group WIFI-Monit not found or user is not a member.
++- if (Huntgroup-Name == "list") returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
[suffix] No '@' in User-Name = "fcanales", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for fcanales
[ldap] expand: (uid=%u) -> (uid=fcanales)
[ldap] expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
(uid=fcanales)
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password ==
0x3441313536383141373845384430414446424135364139373343343736374646
rlm_ldap: sambaLmPassword -> LM-Password ==
0x4446323634314431373041414432333739433530313441453437313841374545
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] user fcanales authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "212"
EAP-Message =
0x010900221a0109001d108279970f23460b83f1fffcc6e09626c56663616e616c6573
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x158baf111582b5a1fb3a126781117cd4
[peap] Got tunneled reply RADIUS code 11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "212"
EAP-Message =
0x010900221a0109001d108279970f23460b83f1fffcc6e09626c56663616e616c6573
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x158baf111582b5a1fb3a126781117cd4
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 205 to 10.32.2.39 port 1645
EAP-Message =
0x0109004b19001703010040640c0cb308474b42ecc083db0b3f47c66731a31c01801dde9b162f50d5bde13456412ab71e4d7d0e743b50cc42e91bba22dabeb375116f48b625e9691a3d3932
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf4160a33f21f13898255a02243c509d6
Finished request 38.
*****************************************************
2) WLC - RADIUS
*****************************************************
rad_recv: Access-Request packet from host 10.32.2.81 port 32768, id=119,
length=280
User-Name = "fcanales"
Calling-Station-Id = "58-94-6b-0d-e8-6c"
Called-Station-Id = "30-37-a6-4b-9f-90:IReconquista"
NAS-Port = 1
Cisco-AVPair = "audit-session-id=0a2002510000000f4eaaf051"
NAS-IP-Address = 10.32.2.81
NAS-Identifier = "Iplan_wcs"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "60"
EAP-Message =
0x0208002b190017030100200c857843d879e361aad79c8a2dccee6de8b04225d90b753a81b636a8090f0193
State = 0xcb0bb3aace03aab2864a9aacb255d323
Message-Authenticator = 0x62ca91e9e88fbba794e6e51db7aa67ec
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "fcanales", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - fcanales
[peap] Got tunneled request
EAP-Message = 0x0208000d016663616e616c6573
server {
PEAP: Got tunneled identity of fcanales
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to fcanales
Sending tunneled request
EAP-Message = 0x0208000d016663616e616c6573
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "fcanales"
Calling-Station-Id = "58-94-6b-0d-e8-6c"
Called-Station-Id = "30-37-a6-4b-9f-90:IReconquista"
NAS-Port = 1
Cisco-AVPair = "audit-session-id=0a2002510000000f4eaaf051"
NAS-IP-Address = 10.32.2.81
NAS-Identifier = "Iplan_wcs"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "60"
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++? if (!Huntgroup-Name)
? Evaluating !(Huntgroup-Name) -> TRUE
++? if (!Huntgroup-Name) -> TRUE
++- entering if (!Huntgroup-Name) {...}
+++[reply] returns ok
++- if (!Huntgroup-Name) returns ok
++? if (Huntgroup-Name == "list")
(Attribute Huntgroup-Name was not found)
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
[suffix] No '@' in User-Name = "fcanales", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for fcanales
[ldap] expand: (uid=%u) -> (uid=fcanales)
[ldap] expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
(uid=fcanales)
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password ==
0x3441313536383141373845384430414446424135364139373343343736374646
rlm_ldap: sambaLmPassword -> LM-Password ==
0x4446323634314431373041414432333739433530313441453437313841374545
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] user fcanales authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "249"
EAP-Message =
0x010900221a0109001d10cc9cc5bb2b5812cf48051342472ad3af6663616e616c6573
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xab42e29bab4bf81ef23bc50dea94c334
[peap] Got tunneled reply RADIUS code 11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "249"
EAP-Message =
0x010900221a0109001d10cc9cc5bb2b5812cf48051342472ad3af6663616e616c6573
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xab42e29bab4bf81ef23bc50dea94c334
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 119 to 10.32.2.81 port 32768
EAP-Message =
0x0109004b1900170301004075cf3c75c7a8311c01bc5581aac330e49586ce6e0001e8add345d7773aeeacba61b235c462fe0966e565d9e6279f111bf94fa3d8a4bff8a4ce82ab24d65f9c31
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcb0bb3aacd02aab2864a9aacb255d323
Finished request 48.
Going to the next request
Waking up in 4.9 seconds.
*****************************************************
Thanks for all.
--
--
Silvero Martin
2
1
Hi all,
I know this subject have been brought up but I'm kind of stuck and I hope I
can get a little help.
I am trying to assign vlans from freeradius to a cisco 3550 switch but its
not working.
I keep getting the following in the debug in the switch:
3w6d: RADIUS: Tunnel-Medium-Type [65] 6 01:Unsupported [6]
3w6d: RADIUS: Tunnel-Type [64] 6 01:Unsupported [13]
I read the mail archives and googled with no luck.
Users file configuration:
wassim Cleartext-Password := "wassim"
Tunnel-Medium-Type:1 = IEEE-802,
Tunnel-Type:1 = VLAN,
Tunnel-Private-Group-Id:1 = 100
Switch debug log:
3w6d: RADIUS(00000000): Send Access-Request to 192.168.1.57:1812 id
1645/122, len 460
3w6d: RADIUS: authenticator 34 D8 18 38 24 86 99 F6 - 69 03 2C EB E2 8A F4
79
3w6d: RADIUS: NAS-IP-Address [4] 6 192.168.1.8
3w6d: RADIUS: NAS-Port [5] 6 50023
3w6d: RADIUS: NAS-Port-Type [61] 6 Eth [15]
3w6d: RADIUS: User-Name [1] 8 "wassim"
3w6d: RADIUS: Called-Station-Id [30] 19 "00-15-F9-F8-4E-97"
3w6d: RADIUS: Calling-Station-Id [31] 19 "00-1A-80-3F-F6-A1"
3w6d: RADIUS: Service-Type [6] 6 Framed [2]
3w6d: RADIUS: Framed-MTU [12] 6 1500
3w6d: RADIUS: State [24] 18
3w6d: RADIUS: DB C1 1C E7 DF C4 09 5E 75 5E 5B 0F 23 3A 54 E7
[???????^u^[?#:T?]
3w6d: RADIUS: EAP-Message [79] 255
3w6d: RADIUS: 02 05 01 44 15 00 16 03 01 01 06 10 00 01 02 01
[???D????????????]
3w6d: RADIUS: 00 A5 F6 DC 7F B9 4A 99 44 84 66 ED D5 4D CA F5
[??????J?D?f??M??]
3w6d: RADIUS: 58 95 5F 5C CC FA E7 C3 B5 54 DB 01 C1 CA E1 62
[X?_\?????T?????b]
3w6d: RADIUS: 96 BF C1 E8 26 84 7C BF 56 7E 6A 9D 41 8C 0E 5C
[????&?|?V~j?A??\]
3w6d: RADIUS: E3 46 DC BE 33 38 28 7A 35 50 7D 7A 32 F8 A0 55
[?F??38(z5P}z2??U]
3w6d: RADIUS: 62 63 9B D1 15 8B C8 DC 97 D0 A3 DC 27 19 00 A0
[bc??????????'???]
3w6d: RADIUS: 61 CB C8 EC FA 02 EF 39 D8 5B CF CC 45 45 BF 08
[a??????9?[??EE??]
3w6d: RADIUS: C8 9E E5 87 70 DD 61 75 56 A5 B1 B6 B2 BA FC 3F
[????p?auV???????]
3w6d: RADIUS: FD A7 AC 37 DE DC 16 43 85 E9 ED 39 59 21 E5 19
[???7???C???9Y!??]
3w6d: RADIUS: 97 58 6D BC 3E B6 2C B5 BE 58 56 89 94 0B 70 B5
[?Xm?>?,??XV???p?]
3w6d: RADIUS: 49 F8 49 36 D7 B0 A8 44 10 A8 6F 05 B9 94 19 AB
[I?I6???D??o?????]
3w6d: RADIUS: 0C 52 00 4F BE D0 0D 99 56 12 B7 76 DF 07 04 C9
[?R?O????V??v????]
3w6d: RADIUS: 85 54 8D 3D E4 53 0C AF 49 15 CC D6 AD 02 62 43
[?T?=?S??I?????bC]
3w6d: RADIUS: 41 39 B8 1A 2F F0 40 09 93 BE 87 FD D9 CD AB 74
[A9??/?@????????t]
3w6d: RADIUS: F7 34 66 32 CC 87 4A 0B A7 3E 81 B1 F4 E4 EB 21
[?4f2??J??>?????!]
3w6d: RADIUS: DF 6F CD FF 9B 8A E6 87 A0 3B 3E B6 64
[?o???????;>?d]
3w6d: RADIUS: EAP-Message [79] 73
3w6d: RADIUS: E6 CB 54 03 10 69 D4 D2 7C D1 FA 89 72 F8 0C 53
[??T??i??|???r??S]
3w6d: RADIUS: 1B 78 32 E7 14 03 01 00 01 01 16 03 01 00 28 EA
[?x2???????????(?]
3w6d: RADIUS: 0B 2A A9 64 DE 57 6A 65 89 EA 19 63 4B 60 67 C8
[?*?d?Wje???cK`g?]
3w6d: RADIUS: CF C9 FF A2 A7 26 33 A5 C0 D0 CB 3C 01 F2 C5 96
[?????&3????<????]
3w6d: RADIUS: 38 65 0C 1F 39 1C 6F [8e??9?o]
3w6d: RADIUS: Message-Authenticato[80] 18
3w6d: RADIUS: FD AE 24 12 A9 F3 A5 BA F3 6D 60 52 F8 E0 D3 53
[??$??????m`R???S]
3w6d: RADIUS: Received from id 1645/122 192.168.1.57:1812, Access-Challenge,
len 119
3w6d: RADIUS: authenticator 57 E5 06 9F DD C4 E2 76 - E8 37 92 F1 C4 21 22
6B
3w6d: RADIUS: EAP-Message [79] 63
3w6d: RADIUS: 01 06 00 3D 15 80 00 00 00 33 14 03 01 00 01 01
[???=?????3??????]
3w6d: RADIUS: 16 03 01 00 28 87 23 7C B0 31 42 D1 B4 48 4A 89
[????(?#|?1B??HJ?]
3w6d: RADIUS: AB F3 22 51 D2 40 36 C9 45 DD 35 11 31 3C EF 59
[??"Q?@6?E?5?1<?Y]
3w6d: RADIUS: 86 B0 D3 D4 26 E3 58 DC E3 0F 76 3E 4A
[????&?X???v>J]
3w6d: RADIUS: Message-Authenticato[80] 18
3w6d: RADIUS: 49 9B 71 F9 9B 0C 53 BD D2 3D 20 79 8D F1 7F 9B [I?q???S??=
y????]
3w6d: RADIUS: State [24] 18
3w6d: RADIUS: DB C1 1C E7 DE C7 09 5E 75 5E 5B 0F 23 3A 54 E7
[???????^u^[?#:T?]
3w6d: RADIUS: EAP-login: length of eap packet = 61
3w6d: RADIUS: EAP-login: got challenge from radius
3w6d: RADIUS: Pick NAS IP for u=0x178E4C0 tableid=0 cfg_addr=0.0.0.0
3w6d: RADIUS: ustruct sharecount=1
3w6d: Radius: radius_port_info() success=1 radius_nas_port=1
3w6d: RADIUS: EAP-login: length of radius packet = 201 code = 1
3w6d: RADIUS(00000000): Send Access-Request to 192.168.1.57:1812 id
1645/123, len 201
3w6d: RADIUS: authenticator 99 15 53 A6 AB B7 0B 75 - 9F A7 5F 27 8F F1 2E
67
3w6d: RADIUS: NAS-IP-Address [4] 6 192.168.1.8
3w6d: RADIUS: NAS-Port [5] 6 50023
3w6d: RADIUS: NAS-Port-Type [61] 6 Eth [15]
3w6d: RADIUS: User-Name [1] 8 "wassim"
3w6d: RADIUS: Called-Station-Id [30] 19 "00-15-F9-F8-4E-97"
3w6d: RADIUS: Calling-Station-Id [31] 19 "00-1A-80-3F-F6-A1"
3w6d: RADIUS: Service-Type [6] 6 Framed [2]
3w6d: RADIUS: Framed-MTU [12] 6 1500
3w6d: RADIUS: State [24] 18
3w6d: RADIUS: DB C1 1C E7 DE C7 09 5E 75 5E 5B 0F 23 3A 54 E7
[???????^u^[?#:T?]
3w6d: RADIUS: EAP-Message [79] 69
3w6d: RADIUS: 02 06 00 43 15 00 17 03 01 00 38 BF 71 FC FA 04
[???C??????8?q???]
3w6d: RADIUS: BE DC FD CC 03 D2 7F 8B 09 63 2C B2 AE D8 AC 61
[?????????c,????a]
3w6d: RADIUS: 64 21 2B 00 ED 0E 6E E8 B0 49 50 6B 99 B8 88 A4
[d!+???n??IPk????]
3w6d: RADIUS: 36 C6 FD B9 F0 77 2D 82 28 0A 37 D1 D4 73 B4 59
[6????w-?(?7??s?Y]
3w6d: RADIUS: F9 37 E6 [?7?]
3w6d: RADIUS: Message-Authenticato[80] 18
3w6d: RADIUS: A2 59 A3 DE A6 98 5F 78 25 12 59 BB 4D B8 74 F0
[?Y????_x??Y?M?t?]
3w6d: RADIUS: Received from id 1645/123 192.168.1.57:1812, Access-Accept,
len 186
3w6d: RADIUS: authenticator C0 31 7F D7 A6 D4 1F C8 - 27 AA F0 99 EA 1F 92
C3
3w6d: RADIUS: Tunnel-Medium-Type [65] 6 01:Unsupported [6]
3w6d: RADIUS: Tunnel-Type [64] 6 01:Unsupported [13]
3w6d: RADIUS: Tunnel-Private-Group[81] 6 01:"100"
3w6d: RADIUS: Vendor, Microsoft [26] 58
3w6d: RADIUS: MS-MPPE-Recv-Key [17] 52
3w6d: RADIUS: 86 8B 3E 74 76 E7 CB 9A 8F EF F5 9C 16 2E 88 1A
[??>tv????????.??]
3w6d: RADIUS: 12 3B 80 A6 E9 9B B6 6F E6 63 C8 AA B0 DB 0E 76
[?;?????o?c?????v]
3w6d: RADIUS: 61 C1 6A 5D 62 BD 72 BE 78 C8 9D 4D A7 3F 54 35
[a?j]b?r?x??M??T5]
3w6d: RADIUS: 40 DC [@?]
3w6d: RADIUS: Vendor, Microsoft [26] 58
3w6d: RADIUS: MS-MPPE-Send-Key [16] 52
3w6d: RADIUS: 8A 61 97 87 78 FD CA 16 8D F0 ED 75 C0 70 93 AE
[?a??x??????u?p??]
3w6d: RADIUS: 71 EF 5A 21 53 35 A4 88 F9 84 16 83 10 43 6E 9E
[q?Z!S5???????Cn?]
3w6d: RADIUS: AB A7 8B 56 6C 42 0D AB 09 1D 82 D3 CB 7E 6C B8
[???VlB???????~l?]
3w6d: RADIUS: 56 58 [VX]
3w6d: RADIUS: EAP-Message [79] 6
3w6d: RADIUS: 03 06 00 04 [????]
3w6d: RADIUS: Message-Authenticato[80] 18
3w6d: RADIUS: 82 4B 64 0F 07 64 59 18 0F 27 07 95 A5 15 09 33
[?Kd??dY??'?????3]
3w6d: RADIUS: User-Name [1] 8 "wassim"
3w6d: RADIUS: EAP-login: length of eap packet = 4
3w6d: RADIUS: Tunnel-MType, [01] 00 00 06
3w6d: RADIUS: TAS(1) created and enqueued.
3w6d: RADIUS: Tunnel-Type, [01] 00 00 0D
3w6d: RADIUS: Tunnel-GID, [01] 100
3w6d: RADIUS: unrecognized Microsoft VSA type 17
3w6d: RADIUS: unrecognized Microsoft VSA type 16
3w6d: RADIUS: TAS(1) takes precedence over tagged attributes,
tunnel_type=vlan
3w6d: RADIUS: free TAS(1)
3w6d: RADIUS: no appropriate authorization type for user.
3w6d: RADIUS: Tunnel-MType, [01] 00 00 06
3w6d: RADIUS: TAS(1) created and enqueued.
3w6d: RADIUS: Tunnel-Type, [01] 00 00 0D
3w6d: RADIUS: unrecognized Microsoft VSA type 17
3w6d: RADIUS: unrecognized Microsoft VSA type 16
3w6d: RADIUS: TAS(1) takes precedence over tagged attributes,
tunnel_type=vlan
3w6d: RADIUS: free TAS(1)
3w6d: RADIUS: no appropriate authorization type for user.
3w6d: RADIUS: Tunnel-MType, [01] 00 00 06
3w6d: RADIUS: TAS(1) created and enqueued.
3w6d: RADIUS: Tunnel-Type, [01] 00 00 0D
3w6d: RADIUS: unrecognized Microsoft VSA type 17
3w6d: RADIUS: unrecognized Microsoft VSA type 16
3w6d: RADIUS: TAS(1) takes precedence over tagged attributes,
tunnel_type=vlan
3w6d: RADIUS: free TAS(1)
3w6d: RADIUS: no appropriate authorization type for user.
3w6d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23,
changed state to up
5
11
Wow. Unsubscribe... rumors are true
:(
On Apr 25, 2012 4:04 PM, <freeradius-users-request(a)lists.freeradius.org>
wrote:
> Send Freeradius-Users mailing list submissions to
> freeradius-users(a)lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request(a)lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner(a)lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Re: Fwd: FreeRadius Dictionary Attributes (Alan DeKok)
> 2. Re: Assign VLAN from freeradius to Cisco 3550 switch.
> (Wassim Zaarour)
> 3. Re: Assign VLAN from freeradius to Cisco 3550 switch. (alan buxey)
> 4. Cisco WLC - Freeradius Vlan assigment problem (Martin Silvero)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 25 Apr 2012 18:03:06 +0200
> From: Alan DeKok <aland(a)deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: Fwd: FreeRadius Dictionary Attributes
> Message-ID: <4F98203A.3080303(a)deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Corey Jones wrote:
> > ---------- Forwarded message ----------
> ...
>
> That's not nice. Is it really that difficult to post the *original*
> message? Why forward a bounce?
>
> > I'm trying to get a freeradius server up and running but I'm having
> > trouble with the attributes I've included in the master dictionary file
> > showing up in the detail file:
> >
> > ATTRIBUTE client-mac-address 9001 string
>
> This is wrong.
>
> Read share/dictionary. Use the numbers *it* recommends, rather than
> inventing your own.
>
> > The output of the detail-<date> file of the non-functioning server:
>
> Which is... which version? How did you configure it?
>
> > The output of the detail-<date> file for the functioning server:
>
> Which is... which version? How did you configure it?
>
> > If you compare the non-functioning server output file to the functioning
> > server output file, there are two fields that are missing that are
> > defined in the master dictionary file.
> >
> > disc-cause-ext = "PPP Receive Term" <---------------HERE
> > client-mac-address = "0002.xxxx.xxxx" <---------------HERE
>
> If the two servers are identical, they will behave the same.
>
> If they're different, find out what the differences are, and fix them.
>
> > I am having trouble with a different part of the server setup where that
> > file is pulled and those fields are read and needed by another
> application.
>
> What does that mean?
>
> > Does anyone know why those two fields are not pulled or processed on the
> > non-functioning server's output file?
>
> The fields are "pulled" from... where?
>
> > freeradius -X dump of non-functioning server:
>
> In which it doesn't receive any packets. So it's useless.
>
> Good questions get good answers.
>
> These questions are bad. As a result, the only possible answer is
> unhelpful. Along with the advice "ask good questions."
>
> Alan DeKok.
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 25 Apr 2012 19:05:26 +0300
> From: Wassim Zaarour <wassim.zaarour(a)navlink.com>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: Assign VLAN from freeradius to Cisco 3550 switch.
> Message-ID: <CBBDFB26.EE39%wassim.zaarour(a)navlink.com>
> Content-Type: text/plain; CHARSET=US-ASCII
>
> Hi Brian,
>
> Thanks for your reply, where do I exactly need to put this configuration?
> In the users file?
>
> Do you have any experience with the 2960 switches?
>
>
> Wassim
>
>
>
>
>
> On 4/25/12 4:07 PM, "Brian Julin" <BJulin(a)clarku.edu> wrote:
>
> >
> >Wassim Zaarour wrote:
> >> Look at this
> >>
> >>
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg4016
> >>2.html
> >>
> >> The user says that it worked, I tried the attributes he used and still
> >>got
> >> the same error.
> >
> >I don't even know how this was ever working for that user. On my wired
> >switch plant, which
> >includes some 3550s, wherever I have tested VLAN assignment I have had to
> >use Cisco's
> >cretinous hack:
> >
> >
> > if (Cisco-AVPair) { # Cisco switch.
> > # We have to "Accept" it to the Registration VLAN manually
> > # (because host-mode multi-auth is currently retarded.)
> > update reply {
> > Tunnel-Type = VLAN
> > Tunnel-Medium-Type = 6
> > # CISCO broke the IETF attribute...
> > # Tunnel-Private-Group-Id = "Registration"
> > # ... so use their proprietary method to get it in there.
> > # NOTE: This is CaSe SeNsItIvE!!
> > Cisco-AVPair += "tunnel-private-group-id=Registration"
> > }
> >
> >This is of course extremely case-sensitive. It also uses the vlan names,
> >not the numbers, though
> >you can use the automatically generated names just fine.
> >
> >Be warned the 3550s are old EOL switches and their latest software
> >version (the one that is only
> >supposed to be used for the 24 port switch but works on the 48 port one)
> >is still not current enough
> >to pick up the latest bugfixes to multi-auth mode. Not that multi-auth
> >mode works sensibly in the
> >newest firmware either, but at least it has workarounds.
> >
> >(BTW, even I am starting to pull these 3550s from the net, and I tend to
> >try to bleed devices for every
> >minute they can manage to hack it. Right now the only ones I have out
> >there are essentially
> >serving as lightening rods for this summer's thunder storms, and then
> >will be replaced by new
> >switches after that.)
> >
> >Typical switch port configuration (this is not from a 3550, sorry):
> >
> >
> >interface FastEthernet0/24
> > switchport access vlan XXX
> > switchport mode access
> > switchport block unicast
> > switchport port-security maximum 16
> > switchport port-security
> > switchport port-security aging time 240
> > switchport port-security violation restrict
> > switchport port-security aging type inactivity
> > ip arp inspection limit rate 100
> > authentication control-direction in
> > authentication event fail action authorize vlan YYY
> > authentication event server dead action authorize vlan XXX
> > authentication event no-response action authorize vlan XXX
> > authentication event server alive action reinitialize
> > authentication host-mode multi-auth
> > authentication order mab
> > authentication priority mab
> > authentication port-control auto
> > authentication periodic
> > authentication timer reauthenticate 1300
> > authentication timer inactivity 1200
> > authentication violation restrict
> > mab
> > no lldp transmit
> > no lldp receive
> > no cdp enable
> > no cdp tlv server-location
> > no cdp tlv app
> > spanning-tree portfast
> > spanning-tree bpduguard enable
> > ip verify source port-security
> > ip dhcp snooping limit rate 50
> >end
> >
> >
> >XXX and YYY above are actually decimals.
> >
> >Note that the auth-fail VLAN setting is not actually used, because in
> >order to get multi-auth to behave
> >sensibly (so you can handle VMs) you have to actually succeed every
> >authentication and just send
> >the quaranteen VLAN from RADIUS when you want the user locked out.
> >-
> >List info/subscribe/unsubscribe? See
> >http://www.freeradius.org/list/users.html
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 25 Apr 2012 18:13:22 +0100
> From: alan buxey <A.L.M.Buxey(a)lboro.ac.uk>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: Assign VLAN from freeradius to Cisco 3550 switch.
> Message-ID: <20120425171322.GB9623(a)lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> > Thanks for your reply, where do I exactly need to put this configuration?
> > In the users file?
>
> I can tell you right now that you dont need that hack to assign VLANs on
> cisco
> switches (well, not if you are running reasonably up to date firmware on
> the
> cisco devices anyway - ie something less than 2 years old)
>
> we run an enterprise network of > 1500 cisco switches, most of them using
> FreeRADIUS as the AAA server in 802.1X mode (others still have VMPS - with
> FreeRADIUS
> of course). we certainly dont have that kind of configuration for VLAN
> assignment.
> straight simple reply values are all that are needed.
> as already said, the issue looks like its your Cisco config - and the cisco
> guides tell you exactly how to configure the cisco switches, its not a
> freeRADIUS
> question.
>
> alan
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 25 Apr 2012 16:49:29 -0300
> From: Martin Silvero <silvero.martin(a)gmail.com>
> To: freeradius-users(a)lists.freeradius.org
> Subject: Cisco WLC - Freeradius Vlan assigment problem
> Message-ID:
> <CALmvTSSRrfx9eyOoXxcwYjtxF6oEKHS8MNtewGBONG_wxP9cTQ(a)mail.gmail.com
> >
> Content-Type: text/plain; charset="iso-8859-1"
>
> We are modifying the Wireless acccess to our LAN.
> We are trying to use a Cisco WLC and our freeradius. We've been using this
> same freeradius for authenticating users against the corporate LDAP. Now
> we want WLC to talk to the radius server without losing any functionality
> like user authentication or vlan assignment.
>
> Our main problem is that the vlan assingment is not working when we use the
> WLC. The scenario with the APs talking to the radius directly works fine,
> but when we use lightweight AP and the WLC we can see that the vlan
> assignment part is skipped by the authentication process and all the users
> are sent to the same vlan.
>
> The following is the output of the two cases. One of them is a user
> authenticating without WLC, the AP talks directly to the Radius Server, and
> the other is an authentication where WLC talks to the Radius Server (the
> one that is not working)
>
> - 10.32.2.81 is the WLC IP address.
>
> - 10.32.2.39 is the AP IP address.
>
> WLC Soft Version: 7.0.116.0
>
> These are the outputs:
>
> 1) AP - RADIUS (No WLC)
>
> *****************************************************
> rad_recv: Access-Request packet from host 10.32.2.39 port 1645, id=205,
> length=184
> User-Name = "fcanales"
> Framed-MTU = 1400
> Called-Station-Id = "001d.4551.7da0"
> Calling-Station-Id = "5894.6b0d.e86c"
> Service-Type = Login-User
> Message-Authenticator = 0x46192e9a5e4720bd6c721e03d8e6c3b4
> EAP-Message =
>
> 0x0208002b19001703010020f7e5545e9d9e05ecff5f8be2d1bc992eeddba82eb4adef509bded9dd6c132712
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 59460
> State = 0xf4160a33f11e13898255a02243c509d6
> NAS-IP-Address = 10.32.2.39
> NAS-Identifier = "ap-Reco32"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "fcanales", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 8 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Identity - fcanales
> [peap] Got tunneled request
> EAP-Message = 0x0208000d016663616e616c6573
> server {
> PEAP: Got tunneled identity of fcanales
> PEAP: Setting default EAP type for tunneled EAP session.
> PEAP: Setting User-Name to fcanales
> Sending tunneled request
> EAP-Message = 0x0208000d016663616e616c6573
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "fcanales"
> Framed-MTU = 1400
> Called-Station-Id = "001d.4551.7da0"
> Calling-Station-Id = "5894.6b0d.e86c"
> Service-Type = Login-User
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 59460
> NAS-IP-Address = 10.32.2.39
> NAS-Identifier = "ap-Reco32"
> server inner-tunnel {
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++? if (!Huntgroup-Name)
> ? Evaluating !(Huntgroup-Name) -> FALSE
> ++? if (!Huntgroup-Name) -> FALSE
> ++? if (Huntgroup-Name == "list")
> ? Evaluating (Huntgroup-Name == "list") -> TRUE
> ++? if (Huntgroup-Name == "list") -> TRUE
> ++- entering if (Huntgroup-Name == "list") {...}
> +++? if (Ldap-Group == "WIFI-Direccion")
> rlm_ldap: Entering ldap_groupcmp()
> expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
> expand: (uid=%u) -> (uid=fcanales)
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (uid=fcanales)
> rlm_ldap: ldap_release_conn: Release Id: 0
> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> details
> expand:
> (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
> -> (&(objectClass=posixGroup)(memberUid=fcanales))
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (&(cn=WIFI-Direccion)(&(objectClass=posixGroup)(memberUid=fcanales)))
> rlm_ldap: object not found
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group WIFI-Direccion not found or user is not a
> member.
> +++? if (Ldap-Group == "WIFI-MKTyCC")
> rlm_ldap: Entering ldap_groupcmp()
> expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
>
> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> details
> expand:
> (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
> -> (&(objectClass=posixGroup)(memberUid=fcanales))
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (&(cn=WIFI-Finanzas)(&(objectClass=posixGroup)(memberUid=fcanales)))
> rlm_ldap: object not found
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group WIFI-Finanzas not found or user is not a
> member.
> +++? if (Ldap-Group == "WIFI-TyO")
> rlm_ldap: Entering ldap_groupcmp()
> expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> details
> expand:
> (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
> -> (&(objectClass=posixGroup)(memberUid=fcanales))
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (&(cn=WIFI-TyO)(&(objectClass=posixGroup)(memberUid=fcanales)))
> rlm_ldap::ldap_groupcmp: User found in group WIFI-TyO
> rlm_ldap: ldap_release_conn: Release Id: 0
> ? Evaluating (Ldap-Group == "WIFI-TyO") -> TRUE
> +++? if (Ldap-Group == "WIFI-TyO") -> TRUE
> +++- entering if (Ldap-Group == "WIFI-TyO") {...}
> ++++[reply] returns ok
> +++- if (Ldap-Group == "WIFI-TyO") returns ok
> +++? if (Ldap-Group == "WIFI-ITfuncional")
> rlm_ldap: Entering ldap_groupcmp()
> expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> details
> expand:
> (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
> -> (&(objectClass=posixGroup)(memberUid=fcanales))
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (&(cn=WIFI-Monit)(&(objectClass=posixGroup)(memberUid=fcanales)))
> rlm_ldap: object not found
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group WIFI-Monit not found or user is not a
> member.
> ++- if (Huntgroup-Name == "list") returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns updated
> [suffix] No '@' in User-Name = "fcanales", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 8 length 13
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for fcanales
> [ldap] expand: (uid=%u) -> (uid=fcanales)
> [ldap] expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (uid=fcanales)
> [ldap] looking for check items in directory...
> rlm_ldap: sambaNtPassword -> NT-Password ==
> 0x3441313536383141373845384430414446424135364139373343343736374646
> rlm_ldap: sambaLmPassword -> LM-Password ==
> 0x4446323634314431373041414432333739433530313441453437313841374545
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP. Are you sure that the
> user is configured correctly?
> [ldap] user fcanales authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Normalizing NT-Password from hex encoding
> [pap] Normalizing LM-Password from hex encoding
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Issuing Challenge
> ++[eap] returns handled
> } # server inner-tunnel
> [peap] Got tunneled reply code 11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "212"
> EAP-Message =
> 0x010900221a0109001d108279970f23460b83f1fffcc6e09626c56663616e616c6573
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x158baf111582b5a1fb3a126781117cd4
> [peap] Got tunneled reply RADIUS code 11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "212"
> EAP-Message =
> 0x010900221a0109001d108279970f23460b83f1fffcc6e09626c56663616e616c6573
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x158baf111582b5a1fb3a126781117cd4
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 205 to 10.32.2.39 port 1645
> EAP-Message =
>
> 0x0109004b19001703010040640c0cb308474b42ecc083db0b3f47c66731a31c01801dde9b162f50d5bde13456412ab71e4d7d0e743b50cc42e91bba22dabeb375116f48b625e9691a3d3932
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xf4160a33f21f13898255a02243c509d6
> Finished request 38.
>
> *****************************************************
>
>
>
>
> 2) WLC - RADIUS
>
> *****************************************************
>
> rad_recv: Access-Request packet from host 10.32.2.81 port 32768, id=119,
> length=280
> User-Name = "fcanales"
> Calling-Station-Id = "58-94-6b-0d-e8-6c"
> Called-Station-Id = "30-37-a6-4b-9f-90:IReconquista"
> NAS-Port = 1
> Cisco-AVPair = "audit-session-id=0a2002510000000f4eaaf051"
> NAS-IP-Address = 10.32.2.81
> NAS-Identifier = "Iplan_wcs"
> Airespace-Wlan-Id = 1
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "60"
> EAP-Message =
>
> 0x0208002b190017030100200c857843d879e361aad79c8a2dccee6de8b04225d90b753a81b636a8090f0193
> State = 0xcb0bb3aace03aab2864a9aacb255d323
> Message-Authenticator = 0x62ca91e9e88fbba794e6e51db7aa67ec
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "fcanales", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 8 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Identity - fcanales
> [peap] Got tunneled request
> EAP-Message = 0x0208000d016663616e616c6573
> server {
> PEAP: Got tunneled identity of fcanales
> PEAP: Setting default EAP type for tunneled EAP session.
> PEAP: Setting User-Name to fcanales
> Sending tunneled request
> EAP-Message = 0x0208000d016663616e616c6573
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "fcanales"
> Calling-Station-Id = "58-94-6b-0d-e8-6c"
> Called-Station-Id = "30-37-a6-4b-9f-90:IReconquista"
> NAS-Port = 1
> Cisco-AVPair = "audit-session-id=0a2002510000000f4eaaf051"
> NAS-IP-Address = 10.32.2.81
> NAS-Identifier = "Iplan_wcs"
> Airespace-Wlan-Id = 1
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "60"
> server inner-tunnel {
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++? if (!Huntgroup-Name)
> ? Evaluating !(Huntgroup-Name) -> TRUE
> ++? if (!Huntgroup-Name) -> TRUE
> ++- entering if (!Huntgroup-Name) {...}
> +++[reply] returns ok
> ++- if (!Huntgroup-Name) returns ok
> ++? if (Huntgroup-Name == "list")
> (Attribute Huntgroup-Name was not found)
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns updated
> [suffix] No '@' in User-Name = "fcanales", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 8 length 13
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for fcanales
> [ldap] expand: (uid=%u) -> (uid=fcanales)
> [ldap] expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (uid=fcanales)
> [ldap] looking for check items in directory...
> rlm_ldap: sambaNtPassword -> NT-Password ==
> 0x3441313536383141373845384430414446424135364139373343343736374646
> rlm_ldap: sambaLmPassword -> LM-Password ==
> 0x4446323634314431373041414432333739433530313441453437313841374545
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP. Are you sure that the
> user is configured correctly?
> [ldap] user fcanales authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Normalizing NT-Password from hex encoding
> [pap] Normalizing LM-Password from hex encoding
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Issuing Challenge
> ++[eap] returns handled
> } # server inner-tunnel
> [peap] Got tunneled reply code 11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "249"
> EAP-Message =
> 0x010900221a0109001d10cc9cc5bb2b5812cf48051342472ad3af6663616e616c6573
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xab42e29bab4bf81ef23bc50dea94c334
> [peap] Got tunneled reply RADIUS code 11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "249"
> EAP-Message =
> 0x010900221a0109001d10cc9cc5bb2b5812cf48051342472ad3af6663616e616c6573
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xab42e29bab4bf81ef23bc50dea94c334
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 119 to 10.32.2.81 port 32768
> EAP-Message =
>
> 0x0109004b1900170301004075cf3c75c7a8311c01bc5581aac330e49586ce6e0001e8add345d7773aeeacba61b235c462fe0966e565d9e6279f111bf94fa3d8a4bff8a4ce82ab24d65f9c31
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xcb0bb3aacd02aab2864a9aacb255d323
> Finished request 48.
> Going to the next request
> Waking up in 4.9 seconds.
>
> *****************************************************
>
> Thanks for all.
>
>
> --
> --
>
> Silvero Martin
>
1
0
I was out if the office and in a meeting on my cell phone. Sorry.. didn't
mean to offend.
On Apr 25, 2012 4:04 PM, <freeradius-users-request(a)lists.freeradius.org>
wrote:
> Send Freeradius-Users mailing list submissions to
> freeradius-users(a)lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request(a)lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner(a)lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Re: Fwd: FreeRadius Dictionary Attributes (Alan DeKok)
> 2. Re: Assign VLAN from freeradius to Cisco 3550 switch.
> (Wassim Zaarour)
> 3. Re: Assign VLAN from freeradius to Cisco 3550 switch. (alan buxey)
> 4. Cisco WLC - Freeradius Vlan assigment problem (Martin Silvero)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 25 Apr 2012 18:03:06 +0200
> From: Alan DeKok <aland(a)deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: Fwd: FreeRadius Dictionary Attributes
> Message-ID: <4F98203A.3080303(a)deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Corey Jones wrote:
> > ---------- Forwarded message ----------
> ...
>
> That's not nice. Is it really that difficult to post the *original*
> message? Why forward a bounce?
>
> > I'm trying to get a freeradius server up and running but I'm having
> > trouble with the attributes I've included in the master dictionary file
> > showing up in the detail file:
> >
> > ATTRIBUTE client-mac-address 9001 string
>
> This is wrong.
>
> Read share/dictionary. Use the numbers *it* recommends, rather than
> inventing your own.
>
> > The output of the detail-<date> file of the non-functioning server:
>
> Which is... which version? How did you configure it?
>
> > The output of the detail-<date> file for the functioning server:
>
> Which is... which version? How did you configure it?
>
> > If you compare the non-functioning server output file to the functioning
> > server output file, there are two fields that are missing that are
> > defined in the master dictionary file.
> >
> > disc-cause-ext = "PPP Receive Term" <---------------HERE
> > client-mac-address = "0002.xxxx.xxxx" <---------------HERE
>
> If the two servers are identical, they will behave the same.
>
> If they're different, find out what the differences are, and fix them.
>
> > I am having trouble with a different part of the server setup where that
> > file is pulled and those fields are read and needed by another
> application.
>
> What does that mean?
>
> > Does anyone know why those two fields are not pulled or processed on the
> > non-functioning server's output file?
>
> The fields are "pulled" from... where?
>
> > freeradius -X dump of non-functioning server:
>
> In which it doesn't receive any packets. So it's useless.
>
> Good questions get good answers.
>
> These questions are bad. As a result, the only possible answer is
> unhelpful. Along with the advice "ask good questions."
>
> Alan DeKok.
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 25 Apr 2012 19:05:26 +0300
> From: Wassim Zaarour <wassim.zaarour(a)navlink.com>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: Assign VLAN from freeradius to Cisco 3550 switch.
> Message-ID: <CBBDFB26.EE39%wassim.zaarour(a)navlink.com>
> Content-Type: text/plain; CHARSET=US-ASCII
>
> Hi Brian,
>
> Thanks for your reply, where do I exactly need to put this configuration?
> In the users file?
>
> Do you have any experience with the 2960 switches?
>
>
> Wassim
>
>
>
>
>
> On 4/25/12 4:07 PM, "Brian Julin" <BJulin(a)clarku.edu> wrote:
>
> >
> >Wassim Zaarour wrote:
> >> Look at this
> >>
> >>
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg4016
> >>2.html
> >>
> >> The user says that it worked, I tried the attributes he used and still
> >>got
> >> the same error.
> >
> >I don't even know how this was ever working for that user. On my wired
> >switch plant, which
> >includes some 3550s, wherever I have tested VLAN assignment I have had to
> >use Cisco's
> >cretinous hack:
> >
> >
> > if (Cisco-AVPair) { # Cisco switch.
> > # We have to "Accept" it to the Registration VLAN manually
> > # (because host-mode multi-auth is currently retarded.)
> > update reply {
> > Tunnel-Type = VLAN
> > Tunnel-Medium-Type = 6
> > # CISCO broke the IETF attribute...
> > # Tunnel-Private-Group-Id = "Registration"
> > # ... so use their proprietary method to get it in there.
> > # NOTE: This is CaSe SeNsItIvE!!
> > Cisco-AVPair += "tunnel-private-group-id=Registration"
> > }
> >
> >This is of course extremely case-sensitive. It also uses the vlan names,
> >not the numbers, though
> >you can use the automatically generated names just fine.
> >
> >Be warned the 3550s are old EOL switches and their latest software
> >version (the one that is only
> >supposed to be used for the 24 port switch but works on the 48 port one)
> >is still not current enough
> >to pick up the latest bugfixes to multi-auth mode. Not that multi-auth
> >mode works sensibly in the
> >newest firmware either, but at least it has workarounds.
> >
> >(BTW, even I am starting to pull these 3550s from the net, and I tend to
> >try to bleed devices for every
> >minute they can manage to hack it. Right now the only ones I have out
> >there are essentially
> >serving as lightening rods for this summer's thunder storms, and then
> >will be replaced by new
> >switches after that.)
> >
> >Typical switch port configuration (this is not from a 3550, sorry):
> >
> >
> >interface FastEthernet0/24
> > switchport access vlan XXX
> > switchport mode access
> > switchport block unicast
> > switchport port-security maximum 16
> > switchport port-security
> > switchport port-security aging time 240
> > switchport port-security violation restrict
> > switchport port-security aging type inactivity
> > ip arp inspection limit rate 100
> > authentication control-direction in
> > authentication event fail action authorize vlan YYY
> > authentication event server dead action authorize vlan XXX
> > authentication event no-response action authorize vlan XXX
> > authentication event server alive action reinitialize
> > authentication host-mode multi-auth
> > authentication order mab
> > authentication priority mab
> > authentication port-control auto
> > authentication periodic
> > authentication timer reauthenticate 1300
> > authentication timer inactivity 1200
> > authentication violation restrict
> > mab
> > no lldp transmit
> > no lldp receive
> > no cdp enable
> > no cdp tlv server-location
> > no cdp tlv app
> > spanning-tree portfast
> > spanning-tree bpduguard enable
> > ip verify source port-security
> > ip dhcp snooping limit rate 50
> >end
> >
> >
> >XXX and YYY above are actually decimals.
> >
> >Note that the auth-fail VLAN setting is not actually used, because in
> >order to get multi-auth to behave
> >sensibly (so you can handle VMs) you have to actually succeed every
> >authentication and just send
> >the quaranteen VLAN from RADIUS when you want the user locked out.
> >-
> >List info/subscribe/unsubscribe? See
> >http://www.freeradius.org/list/users.html
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 25 Apr 2012 18:13:22 +0100
> From: alan buxey <A.L.M.Buxey(a)lboro.ac.uk>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: Assign VLAN from freeradius to Cisco 3550 switch.
> Message-ID: <20120425171322.GB9623(a)lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> > Thanks for your reply, where do I exactly need to put this configuration?
> > In the users file?
>
> I can tell you right now that you dont need that hack to assign VLANs on
> cisco
> switches (well, not if you are running reasonably up to date firmware on
> the
> cisco devices anyway - ie something less than 2 years old)
>
> we run an enterprise network of > 1500 cisco switches, most of them using
> FreeRADIUS as the AAA server in 802.1X mode (others still have VMPS - with
> FreeRADIUS
> of course). we certainly dont have that kind of configuration for VLAN
> assignment.
> straight simple reply values are all that are needed.
> as already said, the issue looks like its your Cisco config - and the cisco
> guides tell you exactly how to configure the cisco switches, its not a
> freeRADIUS
> question.
>
> alan
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 25 Apr 2012 16:49:29 -0300
> From: Martin Silvero <silvero.martin(a)gmail.com>
> To: freeradius-users(a)lists.freeradius.org
> Subject: Cisco WLC - Freeradius Vlan assigment problem
> Message-ID:
> <CALmvTSSRrfx9eyOoXxcwYjtxF6oEKHS8MNtewGBONG_wxP9cTQ(a)mail.gmail.com
> >
> Content-Type: text/plain; charset="iso-8859-1"
>
> We are modifying the Wireless acccess to our LAN.
> We are trying to use a Cisco WLC and our freeradius. We've been using this
> same freeradius for authenticating users against the corporate LDAP. Now
> we want WLC to talk to the radius server without losing any functionality
> like user authentication or vlan assignment.
>
> Our main problem is that the vlan assingment is not working when we use the
> WLC. The scenario with the APs talking to the radius directly works fine,
> but when we use lightweight AP and the WLC we can see that the vlan
> assignment part is skipped by the authentication process and all the users
> are sent to the same vlan.
>
> The following is the output of the two cases. One of them is a user
> authenticating without WLC, the AP talks directly to the Radius Server, and
> the other is an authentication where WLC talks to the Radius Server (the
> one that is not working)
>
> - 10.32.2.81 is the WLC IP address.
>
> - 10.32.2.39 is the AP IP address.
>
> WLC Soft Version: 7.0.116.0
>
> These are the outputs:
>
> 1) AP - RADIUS (No WLC)
>
> *****************************************************
> rad_recv: Access-Request packet from host 10.32.2.39 port 1645, id=205,
> length=184
> User-Name = "fcanales"
> Framed-MTU = 1400
> Called-Station-Id = "001d.4551.7da0"
> Calling-Station-Id = "5894.6b0d.e86c"
> Service-Type = Login-User
> Message-Authenticator = 0x46192e9a5e4720bd6c721e03d8e6c3b4
> EAP-Message =
>
> 0x0208002b19001703010020f7e5545e9d9e05ecff5f8be2d1bc992eeddba82eb4adef509bded9dd6c132712
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 59460
> State = 0xf4160a33f11e13898255a02243c509d6
> NAS-IP-Address = 10.32.2.39
> NAS-Identifier = "ap-Reco32"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "fcanales", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 8 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Identity - fcanales
> [peap] Got tunneled request
> EAP-Message = 0x0208000d016663616e616c6573
> server {
> PEAP: Got tunneled identity of fcanales
> PEAP: Setting default EAP type for tunneled EAP session.
> PEAP: Setting User-Name to fcanales
> Sending tunneled request
> EAP-Message = 0x0208000d016663616e616c6573
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "fcanales"
> Framed-MTU = 1400
> Called-Station-Id = "001d.4551.7da0"
> Calling-Station-Id = "5894.6b0d.e86c"
> Service-Type = Login-User
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 59460
> NAS-IP-Address = 10.32.2.39
> NAS-Identifier = "ap-Reco32"
> server inner-tunnel {
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++? if (!Huntgroup-Name)
> ? Evaluating !(Huntgroup-Name) -> FALSE
> ++? if (!Huntgroup-Name) -> FALSE
> ++? if (Huntgroup-Name == "list")
> ? Evaluating (Huntgroup-Name == "list") -> TRUE
> ++? if (Huntgroup-Name == "list") -> TRUE
> ++- entering if (Huntgroup-Name == "list") {...}
> +++? if (Ldap-Group == "WIFI-Direccion")
> rlm_ldap: Entering ldap_groupcmp()
> expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
> expand: (uid=%u) -> (uid=fcanales)
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (uid=fcanales)
> rlm_ldap: ldap_release_conn: Release Id: 0
> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> details
> expand:
> (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
> -> (&(objectClass=posixGroup)(memberUid=fcanales))
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (&(cn=WIFI-Direccion)(&(objectClass=posixGroup)(memberUid=fcanales)))
> rlm_ldap: object not found
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group WIFI-Direccion not found or user is not a
> member.
> +++? if (Ldap-Group == "WIFI-MKTyCC")
> rlm_ldap: Entering ldap_groupcmp()
> expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
>
> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> details
> expand:
> (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
> -> (&(objectClass=posixGroup)(memberUid=fcanales))
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (&(cn=WIFI-Finanzas)(&(objectClass=posixGroup)(memberUid=fcanales)))
> rlm_ldap: object not found
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group WIFI-Finanzas not found or user is not a
> member.
> +++? if (Ldap-Group == "WIFI-TyO")
> rlm_ldap: Entering ldap_groupcmp()
> expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> details
> expand:
> (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
> -> (&(objectClass=posixGroup)(memberUid=fcanales))
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (&(cn=WIFI-TyO)(&(objectClass=posixGroup)(memberUid=fcanales)))
> rlm_ldap::ldap_groupcmp: User found in group WIFI-TyO
> rlm_ldap: ldap_release_conn: Release Id: 0
> ? Evaluating (Ldap-Group == "WIFI-TyO") -> TRUE
> +++? if (Ldap-Group == "WIFI-TyO") -> TRUE
> +++- entering if (Ldap-Group == "WIFI-TyO") {...}
> ++++[reply] returns ok
> +++- if (Ldap-Group == "WIFI-TyO") returns ok
> +++? if (Ldap-Group == "WIFI-ITfuncional")
> rlm_ldap: Entering ldap_groupcmp()
> expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
> details
> expand:
> (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
> -> (&(objectClass=posixGroup)(memberUid=fcanales))
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (&(cn=WIFI-Monit)(&(objectClass=posixGroup)(memberUid=fcanales)))
> rlm_ldap: object not found
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group WIFI-Monit not found or user is not a
> member.
> ++- if (Huntgroup-Name == "list") returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns updated
> [suffix] No '@' in User-Name = "fcanales", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 8 length 13
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for fcanales
> [ldap] expand: (uid=%u) -> (uid=fcanales)
> [ldap] expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (uid=fcanales)
> [ldap] looking for check items in directory...
> rlm_ldap: sambaNtPassword -> NT-Password ==
> 0x3441313536383141373845384430414446424135364139373343343736374646
> rlm_ldap: sambaLmPassword -> LM-Password ==
> 0x4446323634314431373041414432333739433530313441453437313841374545
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP. Are you sure that the
> user is configured correctly?
> [ldap] user fcanales authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Normalizing NT-Password from hex encoding
> [pap] Normalizing LM-Password from hex encoding
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Issuing Challenge
> ++[eap] returns handled
> } # server inner-tunnel
> [peap] Got tunneled reply code 11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "212"
> EAP-Message =
> 0x010900221a0109001d108279970f23460b83f1fffcc6e09626c56663616e616c6573
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x158baf111582b5a1fb3a126781117cd4
> [peap] Got tunneled reply RADIUS code 11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "212"
> EAP-Message =
> 0x010900221a0109001d108279970f23460b83f1fffcc6e09626c56663616e616c6573
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x158baf111582b5a1fb3a126781117cd4
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 205 to 10.32.2.39 port 1645
> EAP-Message =
>
> 0x0109004b19001703010040640c0cb308474b42ecc083db0b3f47c66731a31c01801dde9b162f50d5bde13456412ab71e4d7d0e743b50cc42e91bba22dabeb375116f48b625e9691a3d3932
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xf4160a33f21f13898255a02243c509d6
> Finished request 38.
>
> *****************************************************
>
>
>
>
> 2) WLC - RADIUS
>
> *****************************************************
>
> rad_recv: Access-Request packet from host 10.32.2.81 port 32768, id=119,
> length=280
> User-Name = "fcanales"
> Calling-Station-Id = "58-94-6b-0d-e8-6c"
> Called-Station-Id = "30-37-a6-4b-9f-90:IReconquista"
> NAS-Port = 1
> Cisco-AVPair = "audit-session-id=0a2002510000000f4eaaf051"
> NAS-IP-Address = 10.32.2.81
> NAS-Identifier = "Iplan_wcs"
> Airespace-Wlan-Id = 1
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "60"
> EAP-Message =
>
> 0x0208002b190017030100200c857843d879e361aad79c8a2dccee6de8b04225d90b753a81b636a8090f0193
> State = 0xcb0bb3aace03aab2864a9aacb255d323
> Message-Authenticator = 0x62ca91e9e88fbba794e6e51db7aa67ec
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "fcanales", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 8 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Identity - fcanales
> [peap] Got tunneled request
> EAP-Message = 0x0208000d016663616e616c6573
> server {
> PEAP: Got tunneled identity of fcanales
> PEAP: Setting default EAP type for tunneled EAP session.
> PEAP: Setting User-Name to fcanales
> Sending tunneled request
> EAP-Message = 0x0208000d016663616e616c6573
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "fcanales"
> Calling-Station-Id = "58-94-6b-0d-e8-6c"
> Called-Station-Id = "30-37-a6-4b-9f-90:IReconquista"
> NAS-Port = 1
> Cisco-AVPair = "audit-session-id=0a2002510000000f4eaaf051"
> NAS-IP-Address = 10.32.2.81
> NAS-Identifier = "Iplan_wcs"
> Airespace-Wlan-Id = 1
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "60"
> server inner-tunnel {
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++? if (!Huntgroup-Name)
> ? Evaluating !(Huntgroup-Name) -> TRUE
> ++? if (!Huntgroup-Name) -> TRUE
> ++- entering if (!Huntgroup-Name) {...}
> +++[reply] returns ok
> ++- if (!Huntgroup-Name) returns ok
> ++? if (Huntgroup-Name == "list")
> (Attribute Huntgroup-Name was not found)
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns updated
> [suffix] No '@' in User-Name = "fcanales", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 8 length 13
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for fcanales
> [ldap] expand: (uid=%u) -> (uid=fcanales)
> [ldap] expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (uid=fcanales)
> [ldap] looking for check items in directory...
> rlm_ldap: sambaNtPassword -> NT-Password ==
> 0x3441313536383141373845384430414446424135364139373343343736374646
> rlm_ldap: sambaLmPassword -> LM-Password ==
> 0x4446323634314431373041414432333739433530313441453437313841374545
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP. Are you sure that the
> user is configured correctly?
> [ldap] user fcanales authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Normalizing NT-Password from hex encoding
> [pap] Normalizing LM-Password from hex encoding
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Issuing Challenge
> ++[eap] returns handled
> } # server inner-tunnel
> [peap] Got tunneled reply code 11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "249"
> EAP-Message =
> 0x010900221a0109001d10cc9cc5bb2b5812cf48051342472ad3af6663616e616c6573
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xab42e29bab4bf81ef23bc50dea94c334
> [peap] Got tunneled reply RADIUS code 11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "249"
> EAP-Message =
> 0x010900221a0109001d10cc9cc5bb2b5812cf48051342472ad3af6663616e616c6573
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xab42e29bab4bf81ef23bc50dea94c334
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 119 to 10.32.2.81 port 32768
> EAP-Message =
>
> 0x0109004b1900170301004075cf3c75c7a8311c01bc5581aac330e49586ce6e0001e8add345d7773aeeacba61b235c462fe0966e565d9e6279f111bf94fa3d8a4bff8a4ce82ab24d65f9c31
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xcb0bb3aacd02aab2864a9aacb255d323
> Finished request 48.
> Going to the next request
> Waking up in 4.9 seconds.
>
> *****************************************************
>
> Thanks for all.
>
>
> --
> --
>
> Silvero Martin
>
1
0