Hi, I have configured freeradius to select ldap modules according to NAS-IP-Address so clients (using PEAP/MSCHAPv2) associating to particular AP should only get authenticated. For that I did changes as: 1. modules/ldap file -------------------------- ldap HR { ou=HR,dc=prateek,dc=com ... } ldap dev { ou=dev,dc=prateek,dc=com ... } 2. In ldap.attrmap ------------------- checkItem Cleartext-Password userPassword := 3. In both sites-available/default & sites-available/inner-tunnel ------------------------------ -------------------------------------- a. in authorize section if (NAS-IP-Address == 127.0.0.1) { HR } else { dev } b. in authenticate section have uncommented Auth-Type MS-CHAP { mschap } Now when I use eapol_test to test I get Success.. It first checks HR which returns search failed as there is no user in ou=HR but when freeradius processes the inner-tunnel I get the message ++? if (NAS-IP-Address == 127.0.0.1) (Attribute NAS-IP-Address was not found) ++- entering else else {...} And after that user "dave" is getting authenticated who should not get authenticated. I want to know that why it didn't get NAS-IP-Adderss. Is there some thing I have missed ? Regards, Prateek radiusd -X ( Deleating some EAP messages ) rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=0, length=116 User-Name = "dave" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020000090164617665 Message-Authenticator = 0x1eb24decc31fcd482762d37920cb6f5d +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dave", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++? if (NAS-IP-Address == 127.0.0.1) ? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE ++? if (NAS-IP-Address == 127.0.0.1) -> TRUE ++- entering if (NAS-IP-Address == 127.0.0.1) {...} [HR] performing user authorization for dave [HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave) [HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0 rlm_ldap: bind as cn=Administrator,dc=prateek,dc=com/mypass to 127.0.0.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave) rlm_ldap: object not found [HR] search failed rlm_ldap: ldap_release_conn: Release Id: 0 +++[HR] returns notfound ++- if (NAS-IP-Address == 127.0.0.1) returns notfound ++ ... skipping else for request 0: Preceding "if" was taken [eap] EAP packet type response id 0 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 127.0.0.1 port 46032 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa098c2e9a099cf6a77937551a6a21d9f Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=1, length=131 User-Name = "dave" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100060319 State = 0xa098c2e9a099cf6a77937551a6a21d9f Message-Authenticator = 0xb0f144be9973b7716b25f5b7a09ffd9c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dave", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++? if (NAS-IP-Address == 127.0.0.1) ? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE ++? if (NAS-IP-Address == 127.0.0.1) -> TRUE ++- entering if (NAS-IP-Address == 127.0.0.1) {...} [HR] performing user authorization for dave [HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave) [HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave) rlm_ldap: object not found [HR] search failed rlm_ldap: ldap_release_conn: Release Id: 0 +++[HR] returns notfound ++- if (NAS-IP-Address == 127.0.0.1) returns notfound ++ ... skipping else for request 1: Preceding "if" was taken [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 1 to 127.0.0.1 port 46032 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa098c2e9a19adb6a77937551a6a21d9f Finished request 1. Going to the next request rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=2, length=242 User-Name = "dave" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = some long value State = 0xa098c2e9a19adb6a77937551a6a21d9f Message-Authenticator = 0xabcfe03ec5688a184e25c56589ea8e2a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dave", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++? if (NAS-IP-Address == 127.0.0.1) ? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE ++? if (NAS-IP-Address == 127.0.0.1) -> TRUE ++- entering if (NAS-IP-Address == 127.0.0.1) {...} [HR] performing user authorization for dave [HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave) [HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave) rlm_ldap: object not found [HR] search failed rlm_ldap: ldap_release_conn: Release Id: 0 +++[HR] returns notfound ++- if (NAS-IP-Address == 127.0.0.1) returns notfound ++ ... skipping else for request 2: Preceding "if" was taken [eap] EAP packet type response id 2 length 117 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 107 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0066], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0035], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0870], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 127.0.0.1 port 46032 EAP-Message = some value EAP-Message = " EAP-Message = " EAP-Message = " EAP-Message = 0xb70064119cfc40adfde72ecc Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa098c2e9a29bdb6a77937551a6a21d9f Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=3, length=131 User-Name = "dave" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300061900 State = 0xa098c2e9a29bdb6a77937551a6a21d9f Message-Authenticator = 0xc7a295a94c264c2b101dabae43ad8557 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dave", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++? if (NAS-IP-Address == 127.0.0.1) ? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE ++? if (NAS-IP-Address == 127.0.0.1) -> TRUE ++- entering if (NAS-IP-Address == 127.0.0.1) {...} [HR] performing user authorization for dave [HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave) [HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave) rlm_ldap: object not found [HR] search failed rlm_ldap: ldap_release_conn: Release Id: 0 +++[HR] returns notfound ++- if (NAS-IP-Address == 127.0.0.1) returns notfound ++ ... skipping else for request 3: Preceding "if" was taken [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 127.0.0.1 port 46032 EAP-Message = EAP-Message = EAP-Message = EAP-Message = EAP-Message = 0x30c3456c19147657 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa098c2e9a39cdb6a77937551a6a21d9f Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=4, length=131 User-Name = "dave" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 State = 0xa098c2e9a39cdb6a77937551a6a21d9f Message-Authenticator = 0x64a3ceaa178064f424d2830f6d59ade4 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dave", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++? if (NAS-IP-Address == 127.0.0.1) ? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE ++? if (NAS-IP-Address == 127.0.0.1) -> TRUE ++- entering if (NAS-IP-Address == 127.0.0.1) {...} [HR] performing user authorization for dave [HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave) [HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave) rlm_ldap: object not found [HR] search failed rlm_ldap: ldap_release_conn: Release Id: 0 +++[HR] returns notfound ++- if (NAS-IP-Address == 127.0.0.1) returns notfound ++ ... skipping else for request 4: Preceding "if" was taken [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 127.0.0.1 port 46032 EAP-Message = EAP-Message = EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa098c2e9a49ddb6a77937551a6a21d9f Finished request 4. Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=5, length=333 User-Name = "dave" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = State = 0xa098c2e9a49ddb6a77937551a6a21d9f Message-Authenticator = 0xa3cadaf5d585e4499d7e2d587f9924ae +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dave", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++? if (NAS-IP-Address == 127.0.0.1) ? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE ++? if (NAS-IP-Address == 127.0.0.1) -> TRUE ++- entering if (NAS-IP-Address == 127.0.0.1) {...} [HR] performing user authorization for dave [HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave) [HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave) rlm_ldap: object not found [HR] search failed rlm_ldap: ldap_release_conn: Release Id: 0 +++[HR] returns notfound ++- if (NAS-IP-Address == 127.0.0.1) returns notfound ++ ... skipping else for request 5: Preceding "if" was taken [eap] EAP packet type response id 5 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 Handshake [length 00aa]??? [peap] TLS_accept: SSLv3 write session ticket A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 5 to 127.0.0.1 port 46032 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa098c2e9a59edb6a77937551a6a21d9f Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=6, length=131 User-Name = "dave" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020600061900 State = 0xa098c2e9a59edb6a77937551a6a21d9f Message-Authenticator = 0x7aeef64b2758737cbc8720c0dafbeca6 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dave", looking up realm NULL [suffix] No such realm "NULL" rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=0, length=116 User-Name = "dave" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020000090164617665 Message-Authenticator = 0x1eb24decc31fcd482762d37920cb6f5d +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dave", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++? if (NAS-IP-Address == 127.0.0.1) ? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE ++? if (NAS-IP-Address == 127.0.0.1) -> TRUE ++- entering if (NAS-IP-Address == 127.0.0.1) {...} [HR] performing user authorization for dave [HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave) [HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0 rlm_ldap: bind as cn=Administrator,dc=prateek,dc=com/mypass to 127.0.0.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave) rlm_ldap: object not found [HR] search failed rlm_ldap: ldap_release_conn: Release Id: 0 +++[HR] returns notfound ++- if (NAS-IP-Address == 127.0.0.1) returns notfound ++ ... skipping else for request 0: Preceding "if" was taken [eap] EAP packet type response id 0 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop rlm_counter: Entering module authorize code Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = State = 0xa098c2e9a69fdb6a77937551a6a21d9f Message-Authenticator = 0x91d0e9b22d3e6b84caf5e58aeae97b9b +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dave", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++? if (NAS-IP-Address == 127.0.0.1) ? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE ++? if (NAS-IP-Address == 127.0.0.1) -> TRUE ++- entering if (NAS-IP-Address == 127.0.0.1) {...} [HR] performing user authorization for dave [HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave) [HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave) rlm_ldap: object not found [HR] search failed rlm_ldap: ldap_release_conn: Release Id: 0 +++[HR] returns notfound ++- if (NAS-IP-Address == 127.0.0.1) returns notfound ++ ... skipping else for request 7: Preceding "if" was taken [eap] EAP packet type response id 7 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - dave [peap] Got tunneled request EAP-Message = 0x020700090164617665 server { PEAP: Got tunneled identity of dave PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to dave Sending tunneled request EAP-Message = 0x020700090164617665 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "dave" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "dave", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop ++? if (NAS-IP-Address == 127.0.0.1) (Attribute NAS-IP-Address was not found) <----------------------------------------------------------------- ++- entering else else {...} [dev] performing user authorization for dave [dev] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [dev] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave) [dev] expand: ou=development,dc=prateek,dc=com -> ou=development,dc=prateek,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0 rlm_ldap: bind as cn=Administrator,dc=prateek,dc=com/mypass to 127.0.0.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=development,dc=prateek,dc=com, with filter (uid=dave) [dev] No default NMAS login sequence [dev] looking for check items in directory... rlm_ldap: userPassword -> Cleartext-Password := "davesecret" [dev] looking for reply items in directory... [dev] user dave authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[dev] returns ok ++- else else returns ok [eap] EAP packet type response id 7 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1b9d7bc71b9561595ab9d2c73552e623 [peap] Got tunneled reply RADIUS code 11 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1b9d7bc71b9561595ab9d2c73552e623 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 7 to 127.0.0.1 port 46032 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa098c2e9a790db6a77937551a6a21d9f Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=8, length=269 User-Name = "dave" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = State = 0xa098c2e9a790db6a77937551a6a21d9f Message-Authenticator = 0x5b313677254c02c3556f0d2067e4922d +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dave", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++? if (NAS-IP-Address == 127.0.0.1) ? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE ++? if (NAS-IP-Address == 127.0.0.1) -> TRUE ++- entering if (NAS-IP-Address == 127.0.0.1) {...} [HR] performing user authorization for dave [HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave) [HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave) rlm_ldap: object not found [HR] search failed rlm_ldap: ldap_release_conn: Release Id: 0 +++[HR] returns notfound ++- if (NAS-IP-Address == 127.0.0.1) returns notfound ++ ... skipping else for request 8: Preceding "if" was taken [eap] EAP packet type response id 8 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = server { PEAP: Setting User-Name to dave Sending tunneled request EAP-Message = FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "dave" State = 0x1b9d7bc71b9561595ab9d2c73552e623 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "dave", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop ++? if (NAS-IP-Address == 127.0.0.1) (Attribute NAS-IP-Address was not found) <------------------------------------------------------------------------------------------- ++- entering else else {...} [dev] performing user authorization for dave [dev] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [dev] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave) [dev] expand: ou=development,dc=prateek,dc=com -> ou=development,dc=prateek,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=development,dc=prateek,dc=com, with filter (uid=dave) [dev] No default NMAS login sequence [dev] looking for check items in directory... rlm_ldap: userPassword -> Cleartext-Password := "davesecret" [dev] looking for reply items in directory... [dev] user dave authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[dev] returns ok ++- else else returns ok [eap] EAP packet type response id 8 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for dave with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1b9d7bc71a9461595ab9d2c73552e623 [peap] Got tunneled reply RADIUS code 11 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1b9d7bc71a9461595ab9d2c73552e623 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 8 to 127.0.0.1 port 46032 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa098c2e9a891db6a77937551a6a21d9f Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=9, length=205 User-Name = "dave" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = Message-Authenticator = 0x1e2153de29daf702780bb061ae5a1281 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dave", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++? if (NAS-IP-Address == 127.0.0.1) ? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE ++? if (NAS-IP-Address == 127.0.0.1) -> TRUE ++- entering if (NAS-IP-Address == 127.0.0.1) {...} [HR] performing user authorization for dave [HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave) [HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave) rlm_ldap: object not found [HR] search failed rlm_ldap: ldap_release_conn: Release Id: 0 +++[HR] returns notfound ++- if (NAS-IP-Address == 127.0.0.1) returns notfound ++ ... skipping else for request 9: Preceding "if" was taken [eap] EAP packet type response id 9 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server { PEAP: Setting User-Name to dave Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "dave" State = 0x1b9d7bc71a9461595ab9d2c73552e623 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "dave", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop ++? if (NAS-IP-Address == 127.0.0.1) (Attribute NAS-IP-Address was not found) <----------------------------------------------------------------------------------------------------- ++- entering else else {...} [dev] performing user authorization for dave [dev] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [dev] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave) [dev] expand: ou=development,dc=prateek,dc=com -> ou=development,dc=prateek,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=development,dc=prateek,dc=com, with filter (uid=dave) [dev] No default NMAS login sequence [dev] looking for check items in directory... rlm_ldap: userPassword -> Cleartext-Password := "davesecret" [dev] looking for reply items in directory... [dev] user dave authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[dev] returns ok ++- else else returns ok [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "dave" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "dave" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 9 to 127.0.0.1 port 46032 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa098c2e9a992db6a77937551a6a21d9f Finished request 9 rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=10, length=221 User-Name = "dave" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = Message-Authenticator = 0x8ab3c117c8c59031dd6294781bd2de68 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dave", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++? if (NAS-IP-Address == 127.0.0.1) ? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE ++? if (NAS-IP-Address == 127.0.0.1) -> TRUE ++- entering if (NAS-IP-Address == 127.0.0.1) {...} [HR] performing user authorization for dave [HR] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [HR] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave) [HR] expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave) rlm_ldap: object not found [HR] search failed rlm_ldap: ldap_release_conn: Release Id: 0 +++[HR] returns notfound ++- if (NAS-IP-Address == 127.0.0.1) returns notfound ++ ... skipping else for request 10: Preceding "if" was taken [eap] EAP packet type response id 10 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type p[peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 10 to 127.0.0.1 port 46032eap