On 23 Jun 2016, at 14:31, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 23, 2016, at 7:58 AM, Scott Armitage <S.P.Armitage@lboro.ac.uk> wrote:
I noticed an issue using the NAS-IP-Address. This bug (if it is one) did disappear for a while but now seems to be back. Is this a bug or should I retrieve the value in a different way?
What's the bug?
using unlang %{NAS-IP-Address} returns an empty value. You have to use %{outer.request:NAS-IP-Address} to get the NAS-IP-Address value. This happened a few weeks ago but then a couple of days later the behaviour returned to normal. Then it returned again. Also you can’t Ctrl+C in debug mode (something which also came, disappeared and is now back).
The debug output shows that there's no NAS-IP-Address being expanded. Is there one in the packet?
Yes, the NAS-IP-Address appears to be in the Access-Request: radiusd: FreeRADIUS Version 3.1.0 (git #fa0bec1), for host x86_64-unknown-linux-gnu, built on Jun 23 2016 at 07:59:51 FreeRADIUS Version 3.1.0 (14) Received Access-Request Id 37 from 10.53.253.21:40090 to 158.125.161.128:1812 via eno16777984 length 375 (14) User-Name = "itis@lboro.ac.uk" (14) Chargeable-User-Identity = 0x15 (14) Operator-Name = "1lboro.ac.uk" (14) Location-Capable = Civix-Location (14) Calling-Station-Id = "ec-35-86-4d-29-54" (14) Called-Station-Id = "fc-5b-39-c6-2c-30:wirefree" (14) NAS-Port = 8 (14) Cisco-AVPair = "audit-session-id=15fd350a000ee49c6fea6b57" (14) Acct-Session-Id = "576bea6f/ec:35:86:4d:29:54/934911" (14) Cisco-AVPair = "mDNS=true" (14) NAS-IP-Address = 10.53.253.21 (14) NAS-IPv6-Address = 2001:630:301:9101::21 (14) NAS-Identifier = "wlc-1" (14) Airespace-Wlan-Id = 3 (14) Service-Type = Framed-User (14) Framed-MTU = 1300 (14) NAS-Port-Type = Wireless-802.11 (14) Tunnel-Type:0 = VLAN (14) Tunnel-Medium-Type:0 = IEEE-802 (14) Tunnel-Private-Group-Id:0 = "1122" (14) EAP-Message = 0x020c002b19001703010020775a437edbe7a406b0f41ad9edd0c05d2f3c60e037fb06b2815c6524bc947b3b (14) State = 0x0b010b004b820892082a0a220b36f2f3 (14) Message-Authenticator = 0x5eb283a6b026feff593cd417eeb8abfe (14,3) Running section authorize from file /etc/raddb/sites-enabled/lboro (14,3) authorize { (14,3) nagios_check { (14,3) if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") { (14,3) ... (14,3) } (14,3) } # nagios_check (notfound) (14,3) wism_check { (14,3) if (User-Name =~ /wism-check/ ) { (14,3) ... (14,3) } (14,3) } # wism_check (notfound) (14,3) switch_check { (14,3) if (User-Name =~ /switch-test/ ) { (14,3) ... (14,3) } (14,3) } # switch_check (notfound) (14,3) filter_duff_realms { (14,3) if (User-Name =~ /\\.ax\\.uk$/i ) { (14,3) ... (14,3) } (14,3) elsif (User-Name =~ /\\.sc\\.uk$/i ) { (14,3) ... (14,3) } (14,3) elsif (User-Name =~ /\\.ac\\.u$/i ) { (14,3) ... (14,3) } (14,3) elsif (User-Name =~ /lboro$/i ) { (14,3) ... (14,3) } (14,3) elsif (User-Name =~ /lboro\\.co\\.uk$/i ) { (14,3) ... (14,3) } (14,3) elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) { (14,3) ... (14,3) } (14,3) elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) { (14,3) ... (14,3) } (14,3) elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) { (14,3) ... (14,3) } (14,3) elsif (User-Name =~ /3gppnetwork\\.org$/i) { (14,3) ... (14,3) } (14,3) elsif (User-Name =~ /myabc\\.com$/i) { (14,3) ... (14,3) } (14,3) elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) { (14,3) ... (14,3) } (14,3) elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) { (14,3) ... (14,3) } (14,3) elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) { (14,3) ... (14,3) } (14,3) } # filter_duff_realms (notfound) (14,3) filter_username { (14,3) if (!&User-Name) { (14,3) ... (14,3) } (14,3) if (&User-Name =~ / /) { (14,3) ... (14,3) } (14,3) if (&User-Name =~ /@.*@/ ) { (14,3) ... (14,3) } (14,3) if (&User-Name =~ /\.\./ ) { (14,3) ... (14,3) } (14,3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (14,3) ... (14,3) } (14,3) if (&User-Name =~ /\.$/) { (14,3) ... (14,3) } (14,3) if (&User-Name =~ /@\./) { (14,3) ... (14,3) } (14,3) } # filter_username (notfound) (14,3) preprocess (ok) (14,3) operator-name.authorize { (14,3) if ("%{client:Operator-Name}") { (14,3) EXPAND %{client:Operator-Name} (14,3) --> (14,3) ... (14,3) } (14,3) } # operator-name.authorize (ok) (14,3) cui.authorize { (14,3) if ("%{client:add_cui}" == 'yes') { (14,3) EXPAND %{client:add_cui} (14,3) --> yes (14,3) update request { (14,3) &Chargeable-User-Identity := 0x00 (14,3) } # update request (noop) (14,3) } # if ("%{client:add_cui}" == 'yes') (noop) (14,3) } # cui.authorize (noop) (14,3) suffix - Checking for suffix after "@" (14,3) suffix - Looking up realm "lboro.ac.uk" for User-Name = "itis@lboro.ac.uk" (14,3) suffix - Found realm "lboro.ac.uk" (14,3) suffix - Adding Stripped-User-Name = "itis" (14,3) suffix - Adding Realm = "lboro.ac.uk" (14,3) suffix - Authentication realm is LOCAL (14,3) suffix (ok) (14,3) ntdomain - Request already has destination realm set. Ignoring (14,3) ntdomain (noop) (14,3) if ( Called-Station-Id =~ /:eduroam$/ ) { (14,3) ... (14,3) } (14,3) elsif ( Called-Station-Id =~ /.*:YST$/ ) { (14,3) ... (14,3) } (14,3) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) { (14,3) EXPAND %{client:group} (14,3) --> wireless (14,3) ... (14,3) } (14,3) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) { (14,3) ... (14,3) } (14,3) elsif (User-Name =~ /\@ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) { (14,3) ... (14,3) } (14,3) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) { (14,3) ... (14,3) } (14,3) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) { (14,3) ... (14,3) } (14,3) elsif ( Realm == "lsu.co.uk" ) { (14,3) ... (14,3) } (14,3) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) { (14,3) ... (14,3) } (14,3) else { (14,3) update request { (14,3) &Realm := local (14,3) } # update request (noop) (14,3) } # else (noop) (14,3) eap - Peer sent EAP Response (code 2) ID 12 length 43 (14,3) eap - Continuing tunnel setup (14,3) eap (ok) (14,3) Using 'Auth-Type = eap' for authenticate {...} (14,3) Running Auth-Type eap from file <internal> (14,3) Auth-Type eap { (14,3) eap - Peer sent packet with EAP method PEAP (25) (14,3) eap - Calling submodule eap_peap to process data (14,3) eap_peap - Continuing EAP-TLS (14,3) eap_peap - Got complete TLS record (37 bytes) (14,3) eap_peap - [eap-tls verify] = complete (14,3) eap_peap - Decrypted TLS application data (2 bytes) (14,3) eap_peap - [eap-tls process] = complete (14,3) eap_peap - Session established. Decoding tunneled data (14,3) eap_peap - PEAP state phase2 (14,3) eap_peap - EAP method MSCHAPv2 (26) (14,3) eap_peap - Got tunneled request (14,3) eap_peap - &EAP-Message = 0x020c00061a03 (14,3) eap_peap - Setting &request:User-Name from tunnel (protected) identity "itis@lboro.ac.uk" (14,3) eap_peap - Proxying tunneled request to virtual server "inner-tunnel" (14,3) Virtual server inner-tunnel received request (14,3) &EAP-Message = 0x020c00061a03 (14,3) &FreeRADIUS-Proxied-To = 127.0.0.1 (14,3) &User-Name = "itis@lboro.ac.uk" (14,3) WARNING: Outer and inner identities are the same. User privacy is compromised. (14,3) server inner-tunnel { (14,3) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel (14,3) authorize { (14,3) mschap (noop) (14,3) suffix - Checking for suffix after "@" (14,3) suffix - Looking up realm "lboro.ac.uk" for User-Name = "itis@lboro.ac.uk" (14,3) suffix - Found realm "lboro.ac.uk" (14,3) suffix - Adding Stripped-User-Name = "itis" (14,3) suffix - Adding Realm = "lboro.ac.uk" (14,3) suffix - Authentication realm is LOCAL (14,3) suffix (ok) (14,3) update control { (14,3) &control:Proxy-To-Realm := LOCAL (14,3) } # update control (noop) (14,3) eap - Peer sent EAP Response (code 2) ID 12 length 6 (14,3) eap - Continuing on-going EAP conversation (14,3) eap (updated) (14,3) files (noop) (14,3) convertEmailToUser { (14,3) if ( &User-Name =~ /.+\..+\@.*lboro\.ac\.uk$/i ) { (14,3) ... (14,3) } (14,3) } # convertEmailToUser (updated) (14,3) pap (noop) (14,3) Using 'Auth-Type = eap' for authenticate {...} (14,3) Running Auth-Type eap from file <internal> (14,3) Auth-Type eap { (14,3) eap - Peer sent packet with EAP method MSCHAPv2 (26) (14,3) eap - Calling submodule eap_mschapv2 to process data (14,3) eap - Sending EAP Success (code 3) ID 12 length 4 (14,3) eap - Cleaning up EAP session (14,3) eap (ok) (14,3) Login OK: [itis@lboro.ac.uk] (from client wlc-1 port 0 via TLS tunnel) (14,3) Running section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (14,3) post-auth { (14,3) cui-inner.post-auth { (14,3) if (&outer.request:Chargeable-User-Identity && (&outer.request:Operator-Name || ('yes' != 'yes'))) { (14,3) update reply { <SNIP> (14,3) } # update reply (noop) (14,3) } # if (&outer.request:Chargeable-User-Identity && (&outer.request:Operator-Name || ('yes' != 'yes'))) (noop) (14,3) } # cui-inner.post-auth (noop) (14,3) reply_log - EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d (14,3) reply_log - --> /var/log/radius/radacct/10.53.253.21/reply-detail-20160623 (14,3) reply_log - /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/10.53.253.21/reply-detail-20160623 (14,3) reply_log - EXPAND %t (14,3) reply_log - --> Thu Jun 23 13:55:59 2016 (14,3) reply_log (ok) (14,3) update reply { (14,3) EXPAND %{request:User-Name} (14,3) --> itis@lboro.ac.uk (14,3) &reply:User-Name := itis@lboro.ac.uk (14,3) EXPAND %{request:Stripped-User-Name} (14,3) --> itis (14,3) &reply:Stripped-User-Name := itis (14,3) } # update reply (noop) (14,3) lboro-inner { (14,3) innerGetUserType { (14,3) if ( &User-Name =~ /^host\/(.*)\.lunet\.lboro\.ac\.uk$/i ) { (14,3) ... (14,3) } (14,3) else { (14,3) update session-state { (14,3) EXPAND %{ldap1:ldaps:///dc=lunet,dc=lboro,dc=ac,dc=uk?distinguishedName?sub?sAMAccountName=%{Stripped-User-Name}} (14,3) Reserved connection (0) (14,3) Performing search in "dc=lunet,dc=lboro,dc=ac,dc=uk" with filter "sAMAccountName=itis", scope "sub" (14,3) Waiting for search result... rlm_ldap (ldap1) - Rebinding to URL ldaps://DomainDnsZones.lunet.lboro.ac.uk/DC=DomainDnsZones,DC=lunet,DC=lboro,DC=ac,DC=uk rlm_ldap (ldap1) - Waiting for bind result... rlm_ldap (ldap1) - Rebinding to URL ldaps://ForestDnsZones.lunet.lboro.ac.uk/DC=ForestDnsZones,DC=lunet,DC=lboro,DC=ac,DC=uk rlm_ldap (ldap1) - Waiting for bind result... rlm_ldap (ldap1) - Rebinding to URL ldaps://lunet.lboro.ac.uk/CN=Configuration,DC=lunet,DC=lboro,DC=ac,DC=uk rlm_ldap (ldap1) - Waiting for bind result... rlm_ldap (ldap1) - Bind successful rlm_ldap (ldap1) - Bind successful rlm_ldap (ldap1) - Bind successful (14,3) Deleting connection (0) (14,3) --> CN=itis,OU=Students,DC=lunet,DC=lboro,DC=ac,DC=uk (14,3) &session-state:User-DN := CN=itis,OU=Students,DC=lunet,DC=lboro,DC=ac,DC=uk (14,3) } # update session-state (noop) (14,3) } # else (noop) (14,3) if ( "%{session-state:User-DN}" =~ /OU\=Staff/ || "%{session-state:User-DN}" =~ /OU\=Partners/ ) { (14,3) EXPAND %{session-state:User-DN} (14,3) --> CN=itis,OU=Students,DC=lunet,DC=lboro,DC=ac,DC=uk (14,3) EXPAND %{session-state:User-DN} (14,3) --> CN=itis,OU=Students,DC=lunet,DC=lboro,DC=ac,DC=uk (14,3) ... (14,3) } (14,3) elsif ( "%{session-state:User-DN}" =~ /OU\=Student/ ) { (14,3) EXPAND %{session-state:User-DN} (14,3) --> CN=itis,OU=Students,DC=lunet,DC=lboro,DC=ac,DC=uk (14,3) update session-state { (14,3) &session-state:User-Type := student (14,3) } # update session-state (noop) (14,3) } # elsif ( "%{session-state:User-DN}" =~ /OU\=Student/ ) (noop) (14,3) else { (14,3) ... skipping else for request 14: Preceding "if" was taken (14,3) } (14,3) } # innerGetUserType (noop) (14,3) innerGetPartnerDept { (14,3) if (&session-state:User-DN =~ /OU\=Partners/ ) { (14,3) ... (14,3) } (14,3) } # innerGetPartnerDept (noop) (14,3) getWlanUserVlan { (14,3) if ("%{client:group}" == "wireless" && !&reply:Tunnel-Private-Group-Id ) { (14,3) EXPAND %{client:group} (14,3) --> wireless (14,3) switch &session-state:User-Type { (14,3) update reply { (14,3) &reply:Tunnel-Private-Group-Id := eduroam-student-pool (14,3) } # update reply (noop) (14,3) } # switch &session-state:User-Type (noop) (14,3) } # if ("%{client:group}" == "wireless" && !&reply:Tunnel-Private-Group-Id ) (noop) (14,3) } # getWlanUserVlan (noop) (14,3) getUserGroupVlan { (14,3) if (!&session-state:Nas-Group) { (14,3) update session-state { (14,3) EXPAND %{sql:SELECT groupid from staffbaseschema.nas where ipaddress = '%{NAS-IP-Address}'::inet} (14,3) Reserved connection (2) (14,3) Executing select query: SELECT groupid from staffbaseschema.nas where ipaddress = ''::inet rlm_sql_postgresql - Status: PGRES_FATAL_ERROR rlm_sql_postgresql - 22P02: INVALID TEXT REPRESENTATION (14,3) ERROR: rlm_sql_postgresql: ERROR: invalid input syntax for type inet: "" (14,3) ERROR: rlm_sql_postgresql: LINE 1: ... groupid from staffbaseschema.nas where ipaddress = ''::inet (14,3) ERROR: rlm_sql_postgresql: ^ (14,3) ERROR: SQL query failed: server error (14,3) Released connection (2) (14,3) --> (14,3) &session-state:Nas-Group := 0 Thanks Scott