Ok, openSLL is installed on my server. No more issue on EAP. However, my debug line in sub authenticate still is not being called: #example.pl # Function to handle authorize sub authorize { print "TEST-authorize: username=$RAD_REQUEST{'User-Name'}\n"; # For debugging purposes only # &log_request_attributes; # Here's where your authorization code comes # You can call another function from here: &test_call; return RLM_MODULE_OK; } # Function to handle authenticate sub authenticate { print "TEST-authenticate\n"; # For debugging purposes only # &log_request_attributes; if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) { # Reject user and tell him why $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function"; return RLM_MODULE_REJECT; } else { # Accept user and set some attribute $RAD_REPLY{'h323-credit-amount'} = "100"; return RLM_MODULE_OK; } } and here is the debug: Cleaning up request 9 ID 9 with timestamp +7 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.31 port 50071, id=19, length=169 User-Name = "abc" NAS-IP-Address = 10.0.0.31 NAS-Identifier = "belair" NAS-Port = 0 Called-Station-Id = "00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x" Calling-Station-Id = "5C-59-48-F0-34-8B" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000801616263 Message-Authenticator = 0xb952dcdfcec1e39a79c029ccdc94c2ca +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "abc", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [sql] expand: %{User-Name} -> abc [sql] sql_set_user escaped user --> 'abc' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'abc' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'abc' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 [sql] User abc not found ++[sql] returns notfound TEST-authorize: username=abc rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Calling-Station-Id = 5C-59-48-F0-34-8B rlm_perl: Added pair Called-Station-Id = 00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x rlm_perl: Added pair Message-Authenticator = 0xb952dcdfcec1e39a79c029ccdc94c2ca rlm_perl: Added pair User-Name = abc rlm_perl: Added pair NAS-Identifier = belair rlm_perl: Added pair EAP-Message = 0x0200000801616263 rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-IP-Address = 10.0.0.31 rlm_perl: Added pair NAS-Port = 0 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 19 to 10.0.0.31 port 50071 EAP-Message = 0x0101001604108bc56309ea2103957c2aee6450696f68 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2c81558c2c8051de6687486c2848c067 Finished request 10. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.31 port 50071, id=20, length=185 User-Name = "abc" NAS-IP-Address = 10.0.0.31 NAS-Identifier = "belair" NAS-Port = 0 Called-Station-Id = "00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x" Calling-Station-Id = "5C-59-48-F0-34-8B" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100060319 State = 0x2c81558c2c8051de6687486c2848c067 Message-Authenticator = 0x959b11a51401f767f5b52bc58298d730 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "abc", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [sql] expand: %{User-Name} -> abc [sql] sql_set_user escaped user --> 'abc' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'abc' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'abc' ORDER BY priority rlm_sql (sql): Released sql socket id: 0 [sql] User abc not found ++[sql] returns notfound TEST-authorize: username=abc rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair State = 0x2c81558c2c8051de6687486c2848c067 rlm_perl: Added pair Calling-Station-Id = 5C-59-48-F0-34-8B rlm_perl: Added pair Called-Station-Id = 00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x rlm_perl: Added pair Message-Authenticator = 0x959b11a51401f767f5b52bc58298d730 rlm_perl: Added pair User-Name = abc rlm_perl: Added pair NAS-Identifier = belair rlm_perl: Added pair EAP-Message = 0x020100060319 rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b rlm_perl: Added pair EAP-Type = NAK rlm_perl: Added pair NAS-IP-Address = 10.0.0.31 rlm_perl: Added pair NAS-Port = 0 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 20 to 10.0.0.31 port 50071 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2c81558c2d834cde6687486c2848c067 Finished request 11. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.31 port 50071, id=21, length=315 User-Name = "abc" NAS-IP-Address = 10.0.0.31 NAS-Identifier = "belair" NAS-Port = 0 Called-Station-Id = "00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x" Calling-Station-Id = "5C-59-48-F0-34-8B" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0202008819800000007e16030100790100007503014e8a158f57cc1fc7dc587b4d0f71db7fe7535bd8d558d366554b98ffea94d54e00003ac00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a0009000300080033003900160015001401000012000a00080006001700180019000b00020100 State = 0x2c81558c2d834cde6687486c2848c067 Message-Authenticator = 0xbc890b747815cfe2a522b36ce4298072 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "abc", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 136 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 126 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0079], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 035d], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 21 to 10.0.0.31 port 50071 EAP-Message = 0x010303a01900160301002a0200002603014e8a15900e786bf596f3aacf0a8613466bde700fd2039caa47f40e4e6ff7eebf00002f00160301035d0b0003590003560003533082034f308202b8020900c4503b0d3db1eb6a300d06092a864886f70d01010505003081eb310b3009060355040613025858312a3028060355040813215468657265206973206e6f2073756368207468696e67206f757473696465205553311330110603550407130a45766572797768657265310e300c060355040a13054f434f5341313c303a060355040b13334f666669636520666f7220436f6d706c69636174696f6e206f66204f74686572776973652053696d706c65 EAP-Message = 0x20416666616972733120301e060355040313176c61622d7375706572686f73742e62686e69732e6e6574312b302906092a864886f70d010901161c726f6f74406c61622d7375706572686f73742e62686e69732e6e6574301e170d3130303432323230333833355a170d3130303532323230333833355a3081eb310b3009060355040613025858312a3028060355040813215468657265206973206e6f2073756368207468696e67206f757473696465205553311330110603550407130a45766572797768657265310e300c060355040a13054f434f5341313c303a060355040b13334f666669636520666f7220436f6d706c69636174696f6e206f66 EAP-Message = 0x204f74686572776973652053696d706c6520416666616972733120301e060355040313176c61622d7375706572686f73742e62686e69732e6e6574312b302906092a864886f70d010901161c726f6f74406c61622d7375706572686f73742e62686e69732e6e657430819f300d06092a864886f70d010101050003818d0030818902818100a8095e7a92fe7feabe7940d9ba51310a55bba6c96949d67a1798a515961ab951cfe04d4234251d36e6854920ced26224b1d6ae09fa4e793c14d464b53e2faa9606b4f785c63f270a3c1a18fee3abfc1985e86e19d86fbe775c6171c952b3bd88dc6659099d07a84ac6d360d7cd23745031635d9093ea91d4 EAP-Message = 0x8108b36edcb15eb10203010001300d06092a864886f70d0101050500038181002ac5e5a95601c5d650cf06ab8b89bde90ff4435de070cb80076e7f0e25411dc2826996807af37acccfe9ada9a1f41c90be7301fda6bf6f1e9282c57e4a4923ae6c33b827032b0691cf516299f084f128c6631e3e80a6b7e77bc214ee36b3861a39819fae257557a2a023482750e50a19755919348bcb32d83e6cf0be37e0281716030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2c81558c2e824cde6687486c2848c067 Finished request 12. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 10.0.0.31 port 50071, id=22, length=387 User-Name = "abc" NAS-IP-Address = 10.0.0.31 NAS-Identifier = "belair" NAS-Port = 0 Called-Station-Id = "00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x" Calling-Station-Id = "5C-59-48-F0-34-8B" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300d01980000000c61603010086100000820080371b287b2a288bb51773c591b925c51dc9dd35e78e31ca6572ba50103ff255b33f8f8d50222d2a360a84f9a626651502fce20b21dd5fd14a59094f2b1655bb2a2d11332b186fc5a94438859f67ec287724f63519e5cc82820cf91b5a9a9c4c26f33e31a74bddb88d1cb3b0b64ebf82e98fa1c5d1bd12b88a6774889fd868140d14030100010116030100304dcd33a4d2301013eb09a3e10798b8b1f5a6321a50a5b0ca6bd7c16c43fa7f1a4d442c1d5b5ab7421a7aa42b715abce2 State = 0x2c81558c2e824cde6687486c2848c067 Message-Authenticator = 0xa0a47b0b334f107a54ff4e9abac2969a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "abc", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 22 to 10.0.0.31 port 50071 EAP-Message = 0x0104004119001403010001011603010030b7da9f1ff65aa82945313f6e0b13f88565316368755ae23680a9a60583941b0aacfc3e71103a1e5eec9da651ae5a9d2d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2c81558c2f854cde6687486c2848c067 Finished request 13. Going to the next request Waking up in 4.6 seconds.
Date: Mon, 3 Oct 2011 18:55:42 +0100 From: A.L.M.Buxey@lboro.ac.uk To: alex-rsm@hotmail.com Subject: Re: "authentication" sub in perl
Hi,
hint: https://help.ubuntu.com/community/OpenSSL
alan