Dear, I've tried to understand the outer condition uses. I think it has to be used only in the inner-tunnel file, in order to evaluate the outer session. In my case I have now: *default file:* if (LDAP-Group == "GROUP1" && NAS-Identifier == "WLC01") { update reply { Reply-Message = "Hello %{User-Name}: access accept" } ok } else { reject } } *inner-tunnel file:* if (LDAP-Group == "GROUP1" && *outer*:NAS-Identifier == "WLC01") { update reply { Reply-Message = "Hello %{User-Name}: access accept" } ok } else { reject } } But I fail again, obtaining this error and being that this attribute is presenta: *? Evaluating (outer:NAS-Identifier == "WLC01") -> FALSE* Please can you explain me more in detail please??? Maybe I can't understand the use of defaut and inner-tunnel files, or the freeradius service in this case. Here is the debug output for "freeradius -X"....Special thanks. Ready to process requests. rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=228, length=393 User-Name = "adam" Calling-Station-Id = "54:27:1e:0c:0b:fc" Called-Station-Id = "44:ad:d9:0e:dd:40:Free" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f" NAS-IP-Address = 10.10.1.100 NAS-Identifier = "WLC01" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x02050090198000000086160301004610000042410432792b036bc1709157e9445300659df8e6cf018b852670087cb1872e45d8761d642753670fff9f0f4b2ace10852d4bcab684b4d631b0b3fb4d3471a3e4512f3914030100010116030100300552e45342d366c067ee5176b2c0e9082d5eb83c62dc7d9de87f6b25f0c47b3172a486bfad09e4925648e1208251f27b State = 0x1dbde0c41fb8f982d90bece46c6e4509 Message-Authenticator = 0x8a2a7ce59d3a714c2798ff5a6d0b272d # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 5 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 228 to 10.10.1.100 port 32769 EAP-Message = 0x01060041190014030100010116030100306d19383a9faaa50c050b9d84368783de27c6c838e42614994a241d335fa33d920410bc9c618e3a65c753c7d35f0e8ecb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1dbde0c41ebbf982d90bece46c6e4509 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=229, length=255 User-Name = "adam" Calling-Station-Id = "54:27:1e:0c:0b:fc" Called-Station-Id = "44:ad:d9:0e:dd:40:Free" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f" NAS-IP-Address = 10.10.1.100 NAS-Identifier = "WLC01" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x020600061900 State = 0x1dbde0c41ebbf982d90bece46c6e4509 Message-Authenticator = 0x03765dcebe56926425508b7d393479fc # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 229 to 10.10.1.100 port 32769 EAP-Message = 0x0107002b190017030100204c55bea2a6991c719a753f19dc13e87d872edd5639901eb0181643885baa89c9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1dbde0c419baf982d90bece46c6e4509 Finished request 5. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=230, length=292 User-Name = "adam" Calling-Station-Id = "54:27:1e:0c:0b:fc" Called-Station-Id = "44:ad:d9:0e:dd:40:Free" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f" NAS-IP-Address = 10.10.1.100 NAS-Identifier = "WLC01" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x0207002b19001703010020033da24f215ff6770592352ee0baf65289e6783f14fc951694bfcf523340d15e State = 0x1dbde0c419baf982d90bece46c6e4509 Message-Authenticator = 0x25023a51868485812fdf968ca7c2ac85 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 7 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - adam [peap] Got inner identity 'adam' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0207000f0165616c6d6f6e61636964 server { [peap] Setting User-Name to adam Sending tunneled request EAP-Message = 0x0207000f0165616c6d6f6e61636964 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "adam" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 7 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for adam [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> adam [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=adam) [ldap] expand: OU=Bapro Pagos,DC=g-bapro,DC=net -> OU=Bapro Pagos,DC=g-bapro,DC=net [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in OU=Bapro Pagos,DC=g-bapro,DC=net, with filter (sAMAccountName=adam) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop ++? if (LDAP-Group == "GROUP1" && outer:NAS-Identifier == "WLC01") [ldap] Entering ldap_groupcmp() expand: OU=My Company,DC=company,DC=net -> OU=My Company,DC=company,DC=net expand: (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dAdam Cage\2cOU\3dInfra\2cOU\3dG. Infra\2cOU\3dTech\2cOU\3dUsers\2cOU\3dMy Company\2cDC\3dcompany\2cDC\3dnet))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in OU=My Company,DC=company,DC=net, with filter (&(cn=GROUP1)(|(&(objectClass=group)(member=CN\3dAdam Cage\2cOU\3dInfra\2cOU\3dG. Infra\2cOU\3dTech\2cOU\3dUsers\2cOU\3dMy Company\2cDC\3dcompany\2cDC\3dnet)))) rlm_ldap::ldap_groupcmp: User found in group GROUP1 [ldap] ldap_release_conn: Release Id: 0 ? Evaluating (LDAP-Group == "GROUP1" ) -> TRUE *? Evaluating (outer:NAS-Identifier == "WLC01") -> FALSE* *++? if (LDAP-Group == "GROUP1" && outer:NAS-Identifier == "WLC01") -> FALSE* ++else else { +++[reject] = reject ++} # else else = reject +} # group authorize = reject Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> adam attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 230 to 10.10.1.100 port 32769 EAP-Message = 0x0108002b190017030100200110bb6389cea250a4fc8af36ccb735d15113f987e1111157885061c0ca49f7e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1dbde0c418b5f982d90bece46c6e4509 Finished request 6. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=231, length=292 User-Name = "adam" Calling-Station-Id = "54:27:1e:0c:0b:fc" Called-Station-Id = "44:ad:d9:0e:dd:40:Free" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f" NAS-IP-Address = 10.10.1.100 NAS-Identifier = "WLC01" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x0208002b190017030100209e06e7779f2ee5fa88ec212fd2bfefd507fe3c35fa6307e630725297878cfb69 State = 0x1dbde0c418b5f982d90bece46c6e4509 Message-Authenticator = 0xfd7de78469c2187df23354803c7deef3 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> adam attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 231 to 10.10.1.100 port 32769 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 2017-08-25 11:37 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Aug 25, 2017, at 9:36 AM, Adam Cage <adamcage27@gmail.com> wrote:
Dear Alan and Mattheu....I really appreciate your help.
Following Alan's unlang clause, I've defined in default and inner-tunnel files:
if (LDAP-Group == "GROUP1" && outer:Called-Station-Id =~ /:Free$/) {
<sigh>
I think you're not really paying attention. You don't understand how the server works, which is fine. The worse bit is you're not trying to understand how the server works.
You're either not following instructions, or you're doing more than suggested without thinking about what's going on.
Read "man unlang" to see what "outer" refers to. Then, think of the difference between the "default" server, and the "inner-tunnel" server. Which one is likely to allow "outer", and which one isn't likely to allow "outer"?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html