Hi Alan, Sorry for making you angry, but I am looking at the debug logs very carefully from the starting. I had to take permissions to post them here, That is why I was asking those questions. Again I apologise for asking probably wrong questions, I just thought the thing I posted was enough. But here is the debug in which ldap module is called and unlang is called, if you could please help me in finding my mistake, I have marked to relevant information in red Waking up in 4.9 seconds. (8) Received Access-Request Id 150 from XXXXXXX:32769 to XXXXXXX:1812 length 337 (8) User-Name = "XXXXXXX" (8) Chargeable-User-Identity = 0x00 (8) Location-Capable = Civix-Location (8) Calling-Station-Id = "XXXXXXX" (8) Called-Station-Id = "XXXXXXX" (8) NAS-Port = 4 (8) Cisco-AVPair = "audit-session-id=0a40c60a002395c88e03fc56" (8) Acct-Session-Id = "56fc038e/XXXXXXX/1349574" (8) NAS-IP-Address = XXXXXXX (8) NAS-Identifier = "XXXXXXX" (8) Airespace-Wlan-Id = 34 (8) Service-Type = Framed-User (8) Framed-MTU = 1300 (8) NAS-Port-Type = Wireless-802.11 (8) Tunnel-Type:0 = VLAN (8) Tunnel-Medium-Type:0 = IEEE-802 (8) Tunnel-Private-Group-Id:0 = "XXXXXXX" (8) EAP-Message = 0x0208002b1900170301002056f3330d56a405e14a56351e0016809d0fa578294eb6a15607f6e1b7d13d1fc8 (8) State = 0xe36bb03de563a931219d4aaf40ddcdc2 (8) Message-Authenticator = 0xbb491e6269085a6550c988322b7a5122 (8) session-state: No cached attributes (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (8) authorize { (8) policy filter_username { (8) update control { (8) linelogvar := "request_attrs" (8) } # update control = noop (8) linelog: EXPAND messages.%{%{control:linelogvar}:-default} (8) linelog: --> messages.request_attrs (8) linelog: EXPAND /usr/local/var/log/radius/linelog (8) linelog: --> /usr/local/var/log/radius/linelog (8) linelog: EXPAND %{User-Name},%{Calling-Station-Id},%{Called-Station-Id},%{NAS-Port},%{Acct-Session-Id},%{NAS-IP-Address},%{NAS-Identifier},%{Airespace-Wlan-Id},%{Service-Type},%{Framed-MTU},%{NAS-Port-Type},%{Tunnel-Type:0},%{Tunnel-Medium-Type:0},%{Tunnel-Private-Group-Id:0},%T,%{md5:%T,%{Calling-Station-Id}} (8) linelog: --> XXXXXXX,XXXXXXX,XXXXXXX,4,56fc038e/XXXXXXX/1349574,XXXXXXX,XXXXXXX,34,Framed-User,1300,Wireless-802.11,VLAN,IEEE-802,XXXXXXX,2016-03-30-22.18.47.000000,e042f9def033579c3d4e304b73cd31db (8) [linelog] = ok (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = ok (8) if ((User-Name =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) && (Service-Type == "Call-Check" )) { (8) if ((User-Name =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) && (Service-Type == "Call-Check" )) -> FALSE (8) } # policy filter_username = ok (8) [preprocess] = ok (8) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (8) auth_log: --> /usr/local/var/log/radius/radacct/XXXXXXX/auth-detail-20160330 (8) auth_log: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/XXXXXXX/auth-detail-20160330 (8) auth_log: EXPAND %t (8) auth_log: --> Wed Mar 30 22:18:47 2016 (8) [auth_log] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "XXXXXXX", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 8 length 43 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x1752f35a175af5a6 (8) eap: Finished EAP session with state 0xe36bb03de563a931 (8) eap: Previous EAP request found for state 0xe36bb03de563a931, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method GTC (6) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x0208000f064b6170696c4031333839 (8) eap_peap: Setting User-Name to XXXXXXX (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x0208000f064b6170696c4031333839 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "XXXXXXX" (8) eap_peap: State = 0x1752f35a175af5a68cefacfb12f667e9 (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x0208000f064b6170696c4031333839 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "XXXXXXX" (8) State = 0x1752f35a175af5a68cefacfb12f667e9 (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) update control { (8) linelogvar := "request_attrs" (8) } # update control = noop (8) linelog: EXPAND messages.%{%{control:linelogvar}:-default} (8) linelog: --> messages.request_attrs (8) linelog: EXPAND /usr/local/var/log/radius/linelog (8) linelog: --> /usr/local/var/log/radius/linelog (8) linelog: EXPAND %{User-Name},%{Calling-Station-Id},%{Called-Station-Id},%{NAS-Port},%{Acct-Session-Id},%{NAS-IP-Address},%{NAS-Identifier},%{Airespace-Wlan-Id},%{Service-Type},%{Framed-MTU},%{NAS-Port-Type},%{Tunnel-Type:0},%{Tunnel-Medium-Type:0},%{Tunnel-Private-Group-Id:0},%T,%{md5:%T,%{Calling-Station-Id}} (8) linelog: --> XXXXXXX,,,,,,,,,,,,,,2016-03-30-22.18.47.000000,c13a6b07eeffc487a39e58a748bcce06 (8) [linelog] = ok (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = ok (8) if ((User-Name =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) && (Service-Type == "Call-Check" )) { (8) if ((User-Name =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) && (Service-Type == "Call-Check" )) -> FALSE (8) } # policy filter_username = ok (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "XXXXXXX", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 8 length 15 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop (8) sql: EXPAND %{User-Name} (8) sql: --> XXXXXXX (8) sql: SQL-User-Name set to 'XXXXXXX' rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 76 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 76 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 76 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 76 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 76 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 76 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (6), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.48-MariaDB, protocol version 10 rlm_sql (sql): Reserved connection (6) (8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (8) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'XXXXXXX' ORDER BY id (8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'XXXXXXX' ORDER BY id (8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (8) sql: --> SELECT groupname FROM radusergroup WHERE username = 'XXXXXXX' ORDER BY priority (8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'XXXXXXX' ORDER BY priority (8) sql: User not found in any groups rlm_sql (sql): Released connection (6) rlm_sql (sql): Need 2 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (7), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.48-MariaDB, protocol version 10 (8) [sql] = notfound rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 76 seconds rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 76 seconds rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 76 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 76 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 76 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to XXXXXXX rlm_ldap (ldap): Waiting for bind result... ber_get_next failed. rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (5) (8) ldap: EXPAND (|(mail=%{%{Stripped-User-Name}:-%{User-Name}})(mailEquivalentAddress=%{%{Stripped-User-Name}:-%{User-Name}})(uid=%{%{Stripped-User-Name}:-%{User-Name}})) (8) ldap: --> (|(mail=XXXXXXX)(mailEquivalentAddress=XXXXXXX)(uid=XXXXXXX)) (8) ldap: Performing search in "o=nic.in,dc=nic,dc=in" with filter "(|(mail=XXXXXXX)(mailEquivalentAddress=XXXXXXX)(uid=XXXXXXX))", scope "sub" (8) ldap: Waiting for search result... ber_get_next failed. ber_get_next failed. (8) ldap: User object found at DN "uid=XXXXXXX,ou=XXXXXXX" (8) ldap: Processing user attributes (8) ldap: control:wifi := '7' (8) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (5) rlm_ldap (ldap): Need 2 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (6), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to XXXXXXX rlm_ldap (ldap): Waiting for bind result... ber_get_next failed. rlm_ldap (ldap): Bind successful (8) [ldap] = updated (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0x1752f35a175af5a6 (8) eap: Finished EAP session with state 0x1752f35a175af5a6 (8) eap: Previous EAP request found for state 0x1752f35a175af5a6, released from the list (8) eap: Peer sent packet with method EAP GTC (6) (8) eap: Calling submodule eap_gtc to process data (8) eap_gtc: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (8) eap_gtc: Auth-Type LDAP { rlm_ldap (ldap): Reserved connection (5) (8) ldap: Login attempt by "XXXXXXX" (8) ldap: Using user DN from request "uid=XXXXXXX,ou=XXXXXXX" (8) ldap: Waiting for bind result... ber_get_next failed. (8) ldap: Bind successful (8) ldap: Bind as user "uid=XXXXXXX,ou=XXXXXXX" was successful rlm_ldap (ldap): Released connection (5) (8) [ldap] = ok (8) } # Auth-Type LDAP = ok (8) eap: Sending EAP Success (code 3) ID 8 length 4 (8) eap: Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (8) post-auth { (8) sql: EXPAND .query (8) sql: --> .query (8) sql: Using query template 'query' rlm_sql (sql): Reserved connection (6) (8) sql: EXPAND %{User-Name} (8) sql: --> XXXXXXX (8) sql: SQL-User-Name set to 'XXXXXXX' (8) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (8) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'XXXXXXX', 'XXXXXXX', 'Access-Accept', '2016-03-30 22:18:47') (8) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'XXXXXXX', 'XXXXXXX', 'Access-Accept', '2016-03-30 22:18:47') (8) sql: SQL query returned: success (8) sql: 1 record(s) updated rlm_sql (sql): Released connection (6) (8) [sql] = ok (8) } # post-auth = ok (8) } # server inner-tunnel (8) Virtual server sending reply (8) EAP-Message = 0x03080004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) User-Name = "XXXXXXX" (8) eap_peap: Got tunneled reply code 2 (8) eap_peap: EAP-Message = 0x03080004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: User-Name = "XXXXXXX" (8) eap_peap: Got tunneled reply RADIUS code 2 (8) eap_peap: EAP-Message = 0x03080004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: User-Name = "XXXXXXX" (8) eap_peap: Tunneled authentication was successful (8) eap_peap: SUCCESS (8) eap: Sending EAP Request (code 1) ID 9 length 43 (8) eap: EAP session adding &reply:State = 0xe36bb03de462a931 (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (8) Sent Access-Challenge Id 150 from XXXXXXX:1812 to XXXXXXX:32769 length 0 (8) EAP-Message = 0x0109002b19001703010020a745019fca4818ea30f0e0f6e52566ddef61d8e0063d7cd291953cce65163e37 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xe36bb03de462a931219d4aaf40ddcdc2 (8) Finished request Waking up in 4.8 seconds. (9) Received Access-Request Id 151 from XXXXXXX:32769 to XXXXXXX:1812 length 337 (9) User-Name = "XXXXXXX" (9) Chargeable-User-Identity = 0x00 (9) Location-Capable = Civix-Location (9) Calling-Station-Id = "XXXXXXX" (9) Called-Station-Id = "XXXXXXX" (9) NAS-Port = 4 (9) Cisco-AVPair = "audit-session-id=0a40c60a002395c88e03fc56" (9) Acct-Session-Id = "56fc038e/XXXXXXX/1349574" (9) NAS-IP-Address = XXXXXXX (9) NAS-Identifier = "XXXXXXX" (9) Airespace-Wlan-Id = 34 (9) Service-Type = Framed-User (9) Framed-MTU = 1300 (9) NAS-Port-Type = Wireless-802.11 (9) Tunnel-Type:0 = VLAN (9) Tunnel-Medium-Type:0 = IEEE-802 (9) Tunnel-Private-Group-Id:0 = "XXXXXXX" (9) EAP-Message = 0x0209002b19001703010020aa02bff51b2622bd8427c864799bae941f9eda6e20db96dbfe5192cbcd424504 (9) State = 0xe36bb03de462a931219d4aaf40ddcdc2 (9) Message-Authenticator = 0x56d99d69897d457fa7537c194a490584 (9) session-state: No cached attributes (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (9) authorize { (9) policy filter_username { (9) update control { (9) linelogvar := "request_attrs" (9) } # update control = noop (9) linelog: EXPAND messages.%{%{control:linelogvar}:-default} (9) linelog: --> messages.request_attrs (9) linelog: EXPAND /usr/local/var/log/radius/linelog (9) linelog: --> /usr/local/var/log/radius/linelog (9) linelog: EXPAND %{User-Name},%{Calling-Station-Id},%{Called-Station-Id},%{NAS-Port},%{Acct-Session-Id},%{NAS-IP-Address},%{NAS-Identifier},%{Airespace-Wlan-Id},%{Service-Type},%{Framed-MTU},%{NAS-Port-Type},%{Tunnel-Type:0},%{Tunnel-Medium-Type:0},%{Tunnel-Private-Group-Id:0},%T,%{md5:%T,%{Calling-Station-Id}} (9) linelog: --> XXXXXXX,XXXXXXX,XXXXXXX,4,56fc038e/XXXXXXX/1349574,XXXXXXX,XXXXXXX,34,Framed-User,1300,Wireless-802.11,VLAN,IEEE-802,XXXXXXX,2016-03-30-22.18.47.000000,e042f9def033579c3d4e304b73cd31db (9) [linelog] = ok (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = ok (9) if ((User-Name =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) && (Service-Type == "Call-Check" )) { (9) if ((User-Name =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) && (Service-Type == "Call-Check" )) -> FALSE (9) } # policy filter_username = ok (9) [preprocess] = ok (9) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (9) auth_log: --> /usr/local/var/log/radius/radacct/XXXXXXX/auth-detail-20160330 (9) auth_log: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/XXXXXXX/auth-detail-20160330 (9) auth_log: EXPAND %t (9) auth_log: --> Wed Mar 30 22:18:47 2016 (9) [auth_log] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "XXXXXXX", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 9 length 43 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0xe36bb03de462a931 (9) eap: Finished EAP session with state 0xe36bb03de462a931 (9) eap: Previous EAP request found for state 0xe36bb03de462a931, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv success (9) eap_peap: Received EAP-TLV response (9) eap_peap: Success (9) eap_peap: No information to cache: session caching will be disabled for session 189621f6108cf110e1734e2e6926c30fac3d3204884d0327242e3ab13243de13 (9) eap: Sending EAP Success (code 3) ID 9 length 4 (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (9) post-auth { (9) update { (9) No attributes updated (9) } # update = noop (9) if ((User-Name =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) && (Service-Type == "Call-Check")) { (9) if ((User-Name =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) && (Service-Type == "Call-Check")) -> FALSE (9) elsif ((Called-Station-Id =~ /XXXXXXX$/) && (("%{control:wifi}" == "7") || ("%{control:wifi}" == "5"))) { (9) ERROR: Failed retrieving values required to evaluate condition (9) else { (9) [reject] = reject (9) } # else = reject (9) } # post-auth = reject (9) Using Post-Auth-Type Reject (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (9) Post-Auth-Type REJECT { (9) if ("%{control:linelogvar}" == "auth_type_pap"){ (9) if ("%{control:linelogvar}" == "auth_type_pap") -> FALSE (9) update control { (9) linelogvar := "Access-Reject" (9) } # update control = noop (9) linelog: EXPAND messages.%{%{control:linelogvar}:-default} (9) linelog: --> messages.Access-Reject (9) linelog: EXPAND /usr/local/var/log/radius/linelog (9) linelog: --> /usr/local/var/log/radius/linelog (9) linelog: EXPAND %{md5:%T,%{Calling-Station-Id}} Result: Authentication Failed,Access-Reject (9) linelog: --> e042f9def033579c3d4e304b73cd31db Result: Authentication Failed,Access-Reject (9) [linelog] = ok (9) update control { (9) linelogvar := "auth_result_reject_log" (9) } # update control = noop (9) linelog: EXPAND messages.%{%{control:linelogvar}:-default} (9) linelog: --> messages.auth_result_reject_log (9) linelog: EXPAND /usr/local/var/log/radius/linelog (9) linelog: --> /usr/local/var/log/radius/linelog (9) linelog: EXPAND Access-Request,%T,%{User-Name},%{Calling-Station-Id},%{NAS-IP-Address},%{NAS-Identifier},%{md5:%T,%{Calling-Station-Id}},Authentication Failed,%{Called-Station-Id} (9) linelog: --> Access-Request,2016-03-30-22.18.47.000000,XXXXXXX,XXXXXXX,XXXXXXX,XXXXXXX,e042f9def033579c3d4e304b73cd31db,Authentication Failed,XXXXXXX (9) [linelog] = ok (9) update control { (9) linelogvar := "empty_line" (9) } # update control = noop (9) linelog: EXPAND messages.%{%{control:linelogvar}:-default} (9) linelog: --> messages.empty_line (9) linelog: EXPAND /usr/local/var/log/radius/linelog (9) linelog: --> /usr/local/var/log/radius/linelog (9) linelog: EXPAND (9) linelog: --> (9) [linelog] = ok (9) sql: EXPAND .query (9) sql: --> .query (9) sql: Using query template 'query' rlm_sql (sql): Reserved connection (7) (9) sql: EXPAND %{User-Name} (9) sql: --> XXXXXXX (9) sql: SQL-User-Name set to 'XXXXXXX' (9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (9) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'XXXXXXX', '', 'Access-Accept', '2016-03-30 22:18:47') (9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'XXXXXXX', '', 'Access-Accept', '2016-03-30 22:18:47') (9) sql: SQL query returned: success (9) sql: 1 record(s) updated rlm_sql (sql): Released connection (7) (9) [sql] = ok (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> XXXXXXX (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) [eap] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 151 from XXXXXXX:1812 to XXXXXXX:32769 length 44 (9) EAP-Message = 0x03090004 (9) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. (1) Cleaning up request packet ID 143 with timestamp +76 (2) Cleaning up request packet ID 144 with timestamp +76 (3) Cleaning up request packet ID 145 with timestamp +76 (4) Cleaning up request packet ID 146 with timestamp +76 (5) Cleaning up request packet ID 147 with timestamp +76 (6) Cleaning up request packet ID 148 with timestamp +76 (7) Cleaning up request packet ID 149 with timestamp +76 Waking up in 0.1 seconds. (8) Cleaning up request packet ID 150 with timestamp +76 (9) Cleaning up request packet ID 151 with timestamp +76 ldap config ldap { update { control:Password-With-Header += 'userPassword' control:wifi := 'wifi' # control:NT-Password := 'ntPassword' # reply:Reply-Message := 'radiusReplyMessage' # reply:Tunnel-Type := 'radiusTunnelType' # reply:Tunnel-Medium-Type := 'radiusTunnelMediumType' # reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId' # Where only a list is specified as the RADIUS attribute, # the value of the LDAP attribute is parsed as a valuepair # in the same format as the 'valuepair_attribute' (above). control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' } } I tried using xlat also but that also is not helping. BR, Anirudh Malhotra Mail: 8zero2.in@gmail.com Facebook: www.facebook.com/8zero2 Twitter: @8zero2_in Blog: blog.8zero2.in On Thu, Mar 31, 2016 at 1:56 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 30, 2016, at 11:47 AM, Anirudh Malhotra <8zero2ops@gmail.com> wrote:
when using eap inner tunned would be used right?
It depends on the EAP method.
so ldap module when called and some control attributes are updated these are going to updated in the inner control or the outer control(or there is no such thing) and attributes are copied?
If you configured it that way.
Also the unlang which i ran was in post auth so that is the end of the request and ldap is parsed above it, so could that be a problem which u suggested in your previous reply.
No, that's not what I said.
Secondly could the data type of ldap attribute(integer or string) affect the unlang would treat the attribute?
No.
You're doing everything *except* looking at the debug output.
You need to either follow instructions, or to stop asking questions on this list.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html