Hi, I am not sure but have you tried to use: outer.request:Called-Station-Id in place of outer:Called-Station-Id People: does this clauses work in Freeradius 2.2.x or does Adam have to use Freeradkius 3.X ? 2017-08-25 13:13 GMT-03:00 Adam Cage <adamcage27@gmail.com>:
Dear, I've tried to understand the outer condition uses. I think it has to be used only in the inner-tunnel file, in order to evaluate the outer session. In my case I have now:
*default file:*
if (LDAP-Group == "GROUP1" && NAS-Identifier == "WLC01") { update reply { Reply-Message = "Hello %{User-Name}: access accept" } ok } else { reject } }
*inner-tunnel file:*
if (LDAP-Group == "GROUP1" && *outer*:NAS-Identifier == "WLC01") { update reply { Reply-Message = "Hello %{User-Name}: access accept" } ok } else { reject } }
But I fail again, obtaining this error and being that this attribute is presenta:
*? Evaluating (outer:NAS-Identifier == "WLC01") -> FALSE*
Please can you explain me more in detail please??? Maybe I can't understand the use of defaut and inner-tunnel files, or the freeradius service in this case. Here is the debug output for "freeradius -X"....Special thanks.
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=228, length=393 User-Name = "adam" Calling-Station-Id = "54:27:1e:0c:0b:fc" Called-Station-Id = "44:ad:d9:0e:dd:40:Free" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f" NAS-IP-Address = 10.10.1.100 NAS-Identifier = "WLC01" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x02050090198000000086160301004610000042410432792b036bc17091 57e9445300659df8e6cf018b852670087cb1872e45d8761d642753670fff 9f0f4b2ace10852d4bcab684b4d631b0b3fb4d3471a3e4512f3914030100 010116030100300552e45342d366c067ee5176b2c0e9082d5eb83c62dc7d 9de87f6b25f0c47b3172a486bfad09e4925648e1208251f27b State = 0x1dbde0c41fb8f982d90bece46c6e4509 Message-Authenticator = 0x8a2a7ce59d3a714c2798ff5a6d0b272d # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 5 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 228 to 10.10.1.100 port 32769 EAP-Message = 0x01060041190014030100010116030100306d19383a9faaa50c050b9d84 368783de27c6c838e42614994a241d335fa33d920410bc9c618e3a65c753c7d35f0e8ecb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1dbde0c41ebbf982d90bece46c6e4509 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=229, length=255 User-Name = "adam" Calling-Station-Id = "54:27:1e:0c:0b:fc" Called-Station-Id = "44:ad:d9:0e:dd:40:Free" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f" NAS-IP-Address = 10.10.1.100 NAS-Identifier = "WLC01" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x020600061900 State = 0x1dbde0c41ebbf982d90bece46c6e4509 Message-Authenticator = 0x03765dcebe56926425508b7d393479fc # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 229 to 10.10.1.100 port 32769 EAP-Message = 0x0107002b190017030100204c55bea2a6991c719a753f19dc13e87d872e dd5639901eb0181643885baa89c9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1dbde0c419baf982d90bece46c6e4509 Finished request 5. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=230, length=292 User-Name = "adam" Calling-Station-Id = "54:27:1e:0c:0b:fc" Called-Station-Id = "44:ad:d9:0e:dd:40:Free" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f" NAS-IP-Address = 10.10.1.100 NAS-Identifier = "WLC01" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x0207002b19001703010020033da24f215ff6770592352ee0baf65289e6 783f14fc951694bfcf523340d15e State = 0x1dbde0c419baf982d90bece46c6e4509 Message-Authenticator = 0x25023a51868485812fdf968ca7c2ac85 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 7 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - adam [peap] Got inner identity 'adam' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0207000f0165616c6d6f6e61636964 server { [peap] Setting User-Name to adam Sending tunneled request EAP-Message = 0x0207000f0165616c6d6f6e61636964 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "adam" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 7 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for adam [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> adam [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=adam) [ldap] expand: OU=Bapro Pagos,DC=g-bapro,DC=net -> OU=Bapro Pagos,DC=g-bapro,DC=net [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in OU=Bapro Pagos,DC=g-bapro,DC=net, with filter (sAMAccountName=adam) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop ++? if (LDAP-Group == "GROUP1" && outer:NAS-Identifier == "WLC01") [ldap] Entering ldap_groupcmp() expand: OU=My Company,DC=company,DC=net -> OU=My Company,DC=company,DC=net expand: (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dAdam Cage\2cOU\3dInfra\2cOU\3dG. Infra\2cOU\3dTech\2cOU\3dUsers\2cOU\3dMy Company\2cDC\3dcompany\2cDC\3dnet))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in OU=My Company,DC=company,DC=net, with filter (&(cn=GROUP1)(|(&(objectClass=group)(member=CN\3dAdam Cage\2cOU\3dInfra\2cOU\3dG. Infra\2cOU\3dTech\2cOU\3dUsers\2cOU\3dMy Company\2cDC\3dcompany\2cDC\3dnet)))) rlm_ldap::ldap_groupcmp: User found in group GROUP1 [ldap] ldap_release_conn: Release Id: 0 ? Evaluating (LDAP-Group == "GROUP1" ) -> TRUE *? Evaluating (outer:NAS-Identifier == "WLC01") -> FALSE* *++? if (LDAP-Group == "GROUP1" && outer:NAS-Identifier == "WLC01") -> FALSE* ++else else { +++[reject] = reject ++} # else else = reject +} # group authorize = reject Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> adam attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 230 to 10.10.1.100 port 32769 EAP-Message = 0x0108002b190017030100200110bb6389cea250a4fc8af36ccb735d1511 3f987e1111157885061c0ca49f7e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1dbde0c418b5f982d90bece46c6e4509 Finished request 6. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=231, length=292 User-Name = "adam" Calling-Station-Id = "54:27:1e:0c:0b:fc" Called-Station-Id = "44:ad:d9:0e:dd:40:Free" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f" NAS-IP-Address = 10.10.1.100 NAS-Identifier = "WLC01" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x0208002b190017030100209e06e7779f2ee5fa88ec212fd2bfefd507fe 3c35fa6307e630725297878cfb69 State = 0x1dbde0c418b5f982d90bece46c6e4509 Message-Authenticator = 0xfd7de78469c2187df23354803c7deef3 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> adam attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 231 to 10.10.1.100 port 32769 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000
2017-08-25 11:37 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Aug 25, 2017, at 9:36 AM, Adam Cage <adamcage27@gmail.com> wrote:
Dear Alan and Mattheu....I really appreciate your help.
Following Alan's unlang clause, I've defined in default and
inner-tunnel
files:
if (LDAP-Group == "GROUP1" && outer:Called-Station-Id =~ /:Free$/) {
<sigh>
I think you're not really paying attention. You don't understand how the server works, which is fine. The worse bit is you're not trying to understand how the server works.
You're either not following instructions, or you're doing more than suggested without thinking about what's going on.
Read "man unlang" to see what "outer" refers to. Then, think of the difference between the "default" server, and the "inner-tunnel" server. Which one is likely to allow "outer", and which one isn't likely to allow "outer"?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html