On 17/04/2024 12:06, dominic.stalder@unibe.ch wrote:
sp { Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})"
Looks OK at a quite glance.
And somehow (I really don't know why), it seems to work know:
OK
(21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished' (21) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (21) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (21) } # update = noop (21) if (EAP-Message) { (21) if (EAP-Message) -> TRUE (21) if (EAP-Message) { (21) 802.1x_authz_log: EXPAND sp.%{%{reply:Packet-Type}:-format} (21) 802.1x_authz_log: --> sp.Access-Accept (21) 802.1x_authz_log: EXPAND %t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown}) (21) 802.1x_authz_log: --> Wed Apr 17 12:55:51 2024 : AuthZ: (135) Access-Accept: [dominic.stalder@unibe.ch] TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 Filter-ID=staff VLAN=1874 Class=staff (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80) (21) 802.1x_authz_log: EXPAND /var/log/freeradius/authz.log (21) 802.1x_authz_log: --> /var/log/freeradius/authz.log (21) [802.1x_authz_log] = ok (21) } # if (EAP-Message) = ok
...
Wed Apr 17 12:55:51 2024 : AuthZ: (135) Access-Accept: [dominic.stalder@unibe.ch] TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 Filter-ID=staff VLAN=1874 Class=staff (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80)
Looks good.
As written above, I am sorry "that it works", more so that I don't know why it is working now, because in my opinion I did not really change any thing than before lunch time...
Won't really know without seeing the failure. Could be anything from client state issues to wifi timers to an attribute missing that's there this time.
But do we somehow need to close this "discussion" an mark it as resovled or how does this work? __
This is a mailing list... it's working so all's good! -- Matthew