-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hi, I configured FR v.3.0.9 against LDAP and can successfully auth with EAPMD5/TLS/TTLS+PAP now I want to add check for Called-Station-SSID and am failing ... please, help me to understand what I miss? as you can see from debug bellow, configured in LDAP Called-Station-SSID (via radiusCheckItem as well as via mapped attribute) is ignored, and client is granted access I hoped if I set radiusCheckItem: Called-Station-SSID := 'SSID_ALLOWED' then check will be performed against Called-Station-SSID value processed - From Called-Station-Id what is wrong? here is debug: - ----[ quotation start ]------------------------------------------- (6) Received Access-Request Id 16 from 192.168.0.1:46326 to 192.168.0.254:1812 length 314 (6) User-Name = "jdoe" (6) NAS-Identifier = "jdoe.wrt" (6) Called-Station-Id = "9A-46-5E-3B-A1-0E:SSID_REQUESTED" (6) NAS-Port-Type = Wireless-802.11 (6) NAS-Port = 1 (6) Calling-Station-Id = "73-62-0A-DA-7C-5A" (6) Connect-Info = "CONNECT 54Mbps 802.11g" (6) Acct-Session-Id = "55BE1E6B-0000001C" (6) Framed-MTU = 1400 (6) EAP-Message = 0x0223008015001703010020b9f3cc80bf61ea3ab2b9ad0e3d5492f814652d30a19f2a0d562832d6db02468f1703010050e426680ec3a1a7db12904734432af8744492e725b6689affce7e093ed666bc0c3338fb8d3fd12d2eaca8b304c373e8e1d42f14db0683b1f4de08004 67ff2d302e44d864249a30d (6) State = 0x1df02c2d18d339202ca9dbdadeae133a (6) Message-Authenticator = 0x7e5712cf45d3b99b42e4b80452950d1a (6) session-state: No cached attributes (6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (6) authorize { (6) [preprocess] = ok (6) policy rewrite_calling_station_id { (6) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { (6) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE (6) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { (6) update request { (6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (6) --> 73-62-0A-DA-7C-5A (6) &Calling-Station-Id := 73-62-0A-DA-7C-5A (6) } # update request = noop (6) [updated] = updated (6) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) = updated (6) ... skipping else for request 6: Preceding "if" was taken (6) } # policy rewrite_calling_station_id = updated (6) auth_log: EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (6) auth_log: --> /var/log/radacct/192.168.0.1/auth-detail-20150803 (6) auth_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/192.168.0.1/auth-detail-20150803 (6) auth_log: EXPAND %t (6) auth_log: --> Mon Aug 3 23:46:13 2015 (6) [auth_log] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "jdoe", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) ntdomain: Checking for prefix before "\" (6) ntdomain: No '\' in User-Name = "jdoe", looking up realm NULL (6) ntdomain: No such realm "NULL" (6) [ntdomain] = noop (6) policy rewrite_called_station_id { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6) update request { (6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (6) --> 9A-46-5E-3B-A1-0E (6) &Called-Station-Id := 9A-46-5E-3B-A1-0E (6) } # update request = noop (6) if ("%{8}") { (6) --> SSID_REQUESTED (6) if ("%{8}") -> TRUE (6) if ("%{8}") { (6) update request { (6) EXPAND %{8} (6) --> SSID_REQUESTED (6) &Called-Station-SSID := SSID_REQUESTED (6) } # update request = noop (6) } # if ("%{8}") = noop (6) [updated] = updated (6) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (6) ... skipping else for request 6: Preceding "if" was taken (6) } # policy rewrite_called_station_id = updated (6) eap: Peer sent EAP Response (code 2) ID 35 length 128 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x1df02c2d18d33920 (6) eap: Finished EAP session with state 0x1df02c2d18d33920 (6) eap: Previous EAP request found for state 0x1df02c2d18d33920, released from the list (6) eap: Peer sent packet with method EAP TTLS (21) (6) eap: Calling submodule eap_ttls to process data (6) eap_ttls: Authenticate (6) eap_ttls: Continuing EAP-TLS (6) eap_ttls: Done initial handshake (6) eap_ttls: [eaptls process] = ok (6) eap_ttls: Session established. Proceeding to decode tunneled attributes (6) eap_ttls: Got tunneled request (6) eap_ttls: User-Name = "jdoe" (6) eap_ttls: User-Password = "jdoe" (6) eap_ttls: Sending tunneled request (6) Virtual server inner-tunnel received request (6) User-Name = "jdoe" (6) User-Password = "jdoe" (6) server inner-tunnel { (6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (6) authorize { (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "jdoe", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) ntdomain: Checking for prefix before "\" (6) ntdomain: No '\' in User-Name = "jdoe", looking up realm NULL (6) ntdomain: No such realm "NULL" (6) [ntdomain] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: No EAP-Message, not doing EAP (6) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}:-%{Calling-Station-Id}} (6) files: --> jdoe (6) [files] = noop rlm_ldap (ldap): Reserved connection (2) (6) ldap: EXPAND (|(&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(|(authorizedService=802.1x@xyz)(authorizedService=802.1x-mac@xyz)))(&(cn=%{User-Name})(authorizedService=802.1x-eap-tls@xyz))) (6) ldap: --> (|(&(cn=jdoe)(|(authorizedService=802.1x@xyz)(authorizedService=802.1x-mac@xyz)))(&(cn=jdoe)(authorizedService=802.1x-eap-tls@xyz))) (6) ldap: Performing search in "ou=People,dc=xyz" with filter "(|(&(cn=jdoe)(|(authorizedService=802.1x@xyz)(authorizedService=802.1x-mac@xyz)))(&(cn=jdoe)(authorizedService=802.1x-eap-tls@xyz)))", scope "sub" (6) ldap: Waiting for search result... (6) ldap: User object found at DN "uid=jdoe,authorizedService=802.1x-eap-tls@xyz,uid=jdoe,ou=People,dc=xyz" (6) ldap: Performing search in "cn=wifi-xyz,ou=profiles,ou=RADIUS,dc=xyz" with filter "(objectclass=radiusprofile)", scope "base" (6) ldap: Waiting for search result... (6) ldap: Processing profile attributes (6) ldap: control:Called-Station-SSID := 'SSID_ALLOWED' (6) ldap: reply:Session-Timeout := 900 (6) ldap: reply:Reply-Message := 'You have entered SSID: SSID_ALLOWED.' (6) ldap: reply:Tunnel-Type := VLAN (6) ldap: reply:Tunnel-Medium-Type := IEEE-802 (6) ldap: reply:Tunnel-Private-Group-Id := '3481' (6) ldap: Processing user attributes (6) ldap: control:Cleartext-Password := 'jdoe' (6) ldap: control:Password-With-Header += 'jdoe' rlm_ldap (ldap): Released connection (2) (6) [ldap] = updated (6) [expiration] = noop (6) [logintime] = noop (6) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header (6) [pap] = updated (6) } # authorize = updated (6) Found Auth-Type = PAP (6) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (6) Auth-Type PAP { (6) pap: Login attempt with password (6) pap: Comparing with "known good" Cleartext-Password (6) pap: User authenticated successfully (6) [pap] = ok (6) } # Auth-Type PAP = ok (6) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (6) Login OK: [jdoe] (from client office021.xyz port 0 via TLS tunnel) (6) } # server inner-tunnel (6) Virtual server sending reply (6) Session-Timeout := 900 (6) Reply-Message := "You have entered SSID: SSID_ALLOWED." (6) Tunnel-Type := VLAN (6) Tunnel-Medium-Type := IEEE-802 (6) Tunnel-Private-Group-Id := "3481" (6) eap_ttls: Got tunneled Access-Accept (6) eap_ttls: No information to cache: session caching will be disabled for session e5b5fc820be72baebe838286f4df80848a5bfadd06493077391aec818504665c (6) eap: Sending EAP Success (code 3) ID 35 length 4 (6) eap: Freeing handler (6) [eap] = ok (6) } # authenticate = ok (6) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (6) post-auth { (6) update { (6) No attributes updated (6) } # update = noop (6) [exec] = noop (6) policy remove_reply_message_if_eap { (6) if (&reply:EAP-Message && &reply:Reply-Message) { (6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (6) else { (6) [noop] = noop (6) } # else = noop (6) } # policy remove_reply_message_if_eap = noop (6) } # post-auth = noop (6) Login OK: [jdoe] (from client office021.xyz port 1 cli 73-62-0A-DA-7C-5A) (6) Sent Access-Accept Id 16 from 192.168.0.254:1812 to 192.168.0.1:46326 length 0 (6) MS-MPPE-Recv-Key = 0x27eec264980471ed15d7d03785d - ----[ quotation end ]------------------------------------------- - -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlXAqooACgkQr3jpPg/3oypphACg/KT1YUFx9s3c7ay0iX6TYhUe rt8AoOAQNtaSkKj6Kna7EzjHJEl7sKSt =jM5p -----END PGP SIGNATURE-----