In v4 I can see the cert fields in the `recv Access-Request` section (after setting `virtual_server = default` in mods-available/eap) but they are all empty when I try to read them from the `send Access-Accept` section. In fact, if I uncomment these sections from the default config, the fields are all empty too:
Look at the debug output. You should be able to see when these attributes are added (or not).
Hi Alan, They are getting set under "authenticate eap" and they are being correctly parsed under "recv Access-Request". But then when I hit the "send Access-Accept" step, they all vanish: (14) Received Access-Request ID 237 from [redacted] to [redacted] length 397 via socket radius_udp server * port 1812 (14) User-Name = "a" (14) NAS-IP-Address = [redacted] (14) NAS-Identifier = [redacted] (14) Called-Station-Id = [redacted] (14) NAS-Port-Type = Wireless-802.11 (14) Service-Type = Framed-User (14) Calling-Station-Id = [redacted] (14) Connect-Info = "CONNECT 0Mbps 802.11b" (14) Acct-Session-Id = [redacted] (14) Acct-Multi-Session-Id = [redacted] (14) Mobility-Domain-Id = 21689 (14) WLAN-Pairwise-Cipher.OUI = [redacted] (14) WLAN-Pairwise-Cipher.Suite-Type = 4 (14) WLAN-Group-Cipher.OUI = [redacted] (14) WLAN-Group-Cipher.Type = 4 (14) WLAN-AKM-Suite.OUI = [redacted] (14) WLAN-AKM-Suite.Suite-Type = 3 (14) Framed-MTU = 1400 (14) EAP-Message = [redacted] (14) State = [redacted] (14) Message-Authenticator = [redacted] (14) Running request (14,8) Restored &session-state (14,8) &session-state.Session-State-User-Name = "a" (14,8) Running 'recv Access-Request' from file /root/freeradius-server/pfx/etc/raddb/sites-enabled/default (14,8) recv Access-Request { (14,8) policy filter_username { (14,8) if (&State) { (14,8) if (&User-Name) { (14,8) if (!&session-state.Session-State-User-Name) { (14,8) ... (14,8) } (14,8) if (&User-Name != &session-state.Session-State-User-Name) { (14,8) ... (14,8) } (14,8) } # if (&User-Name) (...) (14,8) } # if (&State) (...) (14,8) } # policy filter_username (...) (14,8) eap - Peer sent EAP Response (code 2) ID 19 length 153 (14,8) eap - Continuing on-going EAP conversation (14,8) eap - Setting &control.Auth-Type = eap (14,8) eap (updated) (14,8) if ("%{session-state.TLS-Client-Cert-Common-Name}" != '') { (14,8) EXPAND %{session-state.TLS-Client-Cert-Common-Name} (14,8) --> (14,8) ... (14,8) } (14,8) files - EXPAND %{session-state.TLS-Client-Cert-Common-Name} (14,8) files - --> (14,8) files (noop) (14,8) expiration (noop) (14,8) logintime (noop) (14,8) pap (noop) (14,8) } # recv Access-Request (updated) (14,8) Running 'authenticate eap' from file /root/freeradius-server/pfx/etc/raddb/sites-enabled/default (14,8) authenticate eap { (14,8) eap - Continuing EAP session (14,8) eap - Peer sent packet with EAP method TLS (13) (14,8) eap - Calling submodule eap_tls (14,8) eap (noop) (14,8) subrequest { (14,8) Creating subrequest (14.0) (14,8) EAP-Type = TLS (14,8) EAP-Identity = "a" (14.0) eap.tls - Continuing EAP-TLS (14.0) eap.tls - Got final TLS record fragment (147 bytes) (14.0) eap.tls - [eap-tls verify] = complete (14.0) eap.tls - Handshake state - Server SSLv3/TLS write server done (26) (14.0) eap.tls - <<< recv TLS 1.2, handshake[length 2543], unknown_handshake_type_0x000b (14.0) eap.tls - [verify chain] = ok (14.0) eap.tls - Adding certificate attributes to session-state (14.0) eap.tls - &session-state.TLS-Cert-Serial = [redacted] (14.0) eap.tls - &session-state.TLS-Cert-Expiration = "Jun 11 1979 21:19:41 UTC" (14.0) eap.tls - &session-state.TLS-Cert-Subject = [redacted] (14.0) eap.tls - &session-state.TLS-Cert-Common-Name = [redacted] (14.0) eap.tls - &session-state.TLS-Cert-Issuer = [redacted] (14.0) eap.tls - [verify chain] = ok (14.0) eap.tls - Adding certificate attributes to session-state (14.0) eap.tls - &session-state.TLS-Client-Cert-Serial = [redacted] (14.0) eap.tls - &session-state.TLS-Client-Cert-Expiration = [redacted] (14.0) eap.tls - &session-state.TLS-Client-Cert-Subject = [redacted] (14.0) eap.tls - &session-state.TLS-Client-Cert-Common-Name = [redacted] (14.0) eap.tls - &session-state.TLS-Client-Cert-Issuer = [redacted] (14.0) eap.tls - &session-state.TLS-Client-Cert-X509v3-Basic-Constraints = "CA:FALSE" (14.0) eap.tls - &session-state.TLS-Client-Cert-X509v3-Subject-Key-Identifier = [redacted] (14.0) eap.tls - &session-state.TLS-Client-Cert-X509v3-Authority-Key-Identifier = [redacted] (14.0) eap.tls - [verify client] = ok (14.0) eap.tls - Handshake state - Server SSLv3/TLS read client certificate (27) (14.0) eap.tls - <<< recv TLS 1.2, handshake[length 70], unknown_handshake_type_0x0010 (14.0) eap.tls - Handshake state - Server SSLv3/TLS read client key exchange (28) (14.0) eap.tls - <<< recv TLS 1.2, handshake[length 264], unknown_handshake_type_0x000f (14.0) eap.tls - Handshake state - Server SSLv3/TLS read certificate verify (29) (14.0) eap.tls - Handshake state - Server SSLv3/TLS read change cipher spec (31) (14.0) eap.tls - <<< recv TLS 1.2, handshake[length 16], unknown_handshake_type_0x0014 (14.0) eap.tls - Handshake state - Server SSLv3/TLS read finished (32) (14.0) eap.tls - >>> send TLS 1.2, change_cipher_spec[length 1] (14.0) eap.tls - Handshake state - Server SSLv3/TLS write change cipher spec (35) (14.0) eap.tls - >>> send TLS 1.2, handshake[length 16], unknown_handshake_type_0x0014 (14.0) eap.tls - Handshake state - Server SSLv3/TLS write finished (36) (14.0) eap.tls - Handshake state - SSL negotiation finished successfully (1) (14.0) eap.tls - Cipher suite: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD (14.0) eap.tls - Adding TLS session information to request (14.0) eap.tls - &session-state.TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (14.0) eap.tls - &session-state.TLS-Session-Version := "TLS 1.2" (14.0) eap.tls - Sending complete TLS record (51 bytes) (14.0) eap.tls - [eap-tls process] = handled (14.0) eap.tls (handled) (14,8) } # subrequest (handled) (14,8) eap - Sending EAP Request (code 1) ID 20 length 61 (14,8) eap (handled) (14,8) } # authenticate eap (handled) (14,8) Running 'send Access-Challenge' from file /root/freeradius-server/pfx/etc/raddb/sites-enabled/default (14,8) send Access-Challenge { (14,8) attr_filter.access_challenge - EXPAND %{User-Name} (14,8) attr_filter.access_challenge - --> a (14,8) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (14,8) attr_filter.access_challenge.post-auth (updated) (14,8) handled (handled) (14,8) } # send Access-Challenge (handled) (14,8) Saving &session-state (14,8) &session-state.Session-State-User-Name = "a" (14,8) Done request (14,8) Sending Access-Challenge ID 237 from [redacted] to [redacted] length 119 via socket radius_udp server * port 1812 (14,8) State = [redacted] (14,8) Message-Authenticator = [redacted] (14,8) EAP-Message = [redacted] (14,8) Finished request proto_radius_udp - cleaning up request in 5.000000s proto_radius_udp - Received Access-Request ID 238 length 250 radius_udp server * port 1812 (15) Received Access-Request ID 238 from [redacted] to [redacted] length 250 via socket radius_udp server * port 1812 (15) User-Name = "a" (15) NAS-IP-Address = [redacted] (15) NAS-Identifier = [redacted] (15) Called-Station-Id = [redacted] (15) NAS-Port-Type = Wireless-802.11 (15) Service-Type = Framed-User (15) Calling-Station-Id = [redacted] (15) Connect-Info = "CONNECT 0Mbps 802.11b" (15) Acct-Session-Id = [redacted] (15) Acct-Multi-Session-Id = [redacted] (15) Mobility-Domain-Id = 21689 (15) WLAN-Pairwise-Cipher.OUI = [redacted] (15) WLAN-Pairwise-Cipher.Suite-Type = 4 (15) WLAN-Group-Cipher.OUI = [redacted] (15) WLAN-Group-Cipher.Type = 4 (15) WLAN-AKM-Suite.OUI = [redacted] (15) WLAN-AKM-Suite.Suite-Type = 3 (15) Framed-MTU = 1400 (15) EAP-Message = [redacted] (15) State = [redacted] (15) Message-Authenticator = [redacted] (15) Running request (15,8) Restored &session-state (15,8) &session-state.Session-State-User-Name = "a" (15,8) Running 'recv Access-Request' from file /root/freeradius-server/pfx/etc/raddb/sites-enabled/default (15,8) recv Access-Request { (15,8) policy filter_username { (15,8) if (&State) { (15,8) if (&User-Name) { (15,8) if (!&session-state.Session-State-User-Name) { (15,8) ... (15,8) } (15,8) if (&User-Name != &session-state.Session-State-User-Name) { (15,8) ... (15,8) } (15,8) } # if (&User-Name) (...) (15,8) } # if (&State) (...) (15,8) } # policy filter_username (...) (15,8) eap - Peer sent EAP Response (code 2) ID 20 length 6 (15,8) eap - Continuing on-going EAP conversation (15,8) eap - Setting &control.Auth-Type = eap (15,8) eap (updated) (15,8) if ("%{session-state.TLS-Client-Cert-Common-Name}" != '') { (15,8) EXPAND %{session-state.TLS-Client-Cert-Common-Name} (15,8) --> (15,8) ... (15,8) } (15,8) files - EXPAND %{session-state.TLS-Client-Cert-Common-Name} (15,8) files - --> (15,8) files (noop) (15,8) expiration (noop) (15,8) logintime (noop) (15,8) pap (noop) (15,8) } # recv Access-Request (updated) (15,8) Running 'authenticate eap' from file /root/freeradius-server/pfx/etc/raddb/sites-enabled/default (15,8) authenticate eap { (15,8) eap - Continuing EAP session (15,8) eap - Peer sent packet with EAP method TLS (13) (15,8) eap - Calling submodule eap_tls (15,8) eap (noop) (15,8) subrequest { (15,8) Creating subrequest (15.0) (15,8) EAP-Type = TLS (15,8) EAP-Identity = "a" (15.0) eap.tls - Continuing EAP-TLS (15.0) eap.tls - Peer ACKed our handshake fragment. handshake is finished (15.0) eap.tls - [eap-tls verify] = established (15.0) eap.tls - [eap-tls process] = established (15.0) eap.tls - Validating certificate (15.0) eap.tls (yield) (15.0) recv Access-Request { (15.0) policy filter_username { (15.0) if (&State) { (15.0) ... (15.0) } (15.0) elsif (&User-Name) { (15.0) ... (15.0) } (15.0) } # policy filter_username (...) (15.0) eap - No EAP-Message, not doing EAP (15.0) eap (noop) (15.0) if ("%{session-state.TLS-Client-Cert-Common-Name}" != '') { (15.0) EXPAND %{session-state.TLS-Client-Cert-Common-Name} (15.0) --> [redacted] (15.0) files - EXPAND %{session-state.TLS-Client-Cert-Common-Name} (15.0) files - --> [redacted] (15.0) files - Found match "[redacted]" on line 3 of /root/freeradius-server/pfx/etc/raddb/mods-config/files/authorize (15.0) files (ok) (15.0) if (!ok) { (15.0) ... (15.0) } (15.0) update reply { (15.0) &Tunnel-Type = VLAN (15.0) &Tunnel-Medium-Type = IEEE-802 (15.0) } # update reply (noop) (15.0) if ("%{session-state.TLS-Client-Cert-Subject}" =~ /[redacted]/) { (15.0) EXPAND %{session-state.TLS-Client-Cert-Subject} (15.0) --> /CN=[redacted] (15.0) ... (15.0) } (15.0) elsif ("%{session-state.TLS-Client-Cert-Subject}" =~ /[redacted]/) { (15.0) EXPAND %{session-state.TLS-Client-Cert-Subject} (15.0) --> /CN=[redacted] (15.0) update reply { (15.0) &Tunnel-Private-Group-Id = "7" (15.0) } # update reply (noop) (15.0) update session-state { (15.0) &Tmp-String-9 = "7" (15.0) } # update session-state (noop) (15.0) } # elsif ("%{session-state.TLS-Client-Cert-Subject}" =~ /[redacted]/) (noop) (15.0) } # if ("%{session-state.TLS-Client-Cert-Common-Name}" != '') (ok) (15.0) files - EXPAND %{session-state.TLS-Client-Cert-Common-Name} (15.0) files - --> [redacted] (15.0) files - Found match "[redacted]" on line 3 of /root/freeradius-server/pfx/etc/raddb/mods-config/files/authorize (15.0) files (ok) (15.0) expiration (noop) (15.0) logintime (noop) (15.0) pap - No User-Password attribute in the request. Cannot do PAP (15.0) pap (noop) (15.0) } # recv Access-Request (ok) (15.0) No session data available to cache (15,8) Adding session keys (15,8) &reply.Vendor-Specific.Microsoft.MPPE-Recv-Key = [redacted] (15,8) &reply.Vendor-Specific.Microsoft.MPPE-Send-Key = [redacted] (15,8) &reply.EAP-MSK = [redacted] (15,8) &reply.EAP-EMSK = [redacted] (15.0) &reply.EAP-Session-Id = [redacted] (15,8) } # subrequest (ok) (15,8) eap - Sending EAP Success (code 3) ID 20 length 4 (15,8) eap - Cleaning up EAP session (15,8) eap (ok) (15,8) } # authenticate eap (ok) (15,8) Running 'send Access-Accept' from file /root/freeradius-server/pfx/etc/raddb/sites-enabled/default (15,8) send Access-Accept { (15,8) update { (15,8) &reply += &session-state -> "a" (15,8) } # update (noop) (15,8) eap (noop) (15,8) update reply { (15,8) EXPAND %{session-state.TLS-Cert-Serial} (15,8) --> (null) (15,8) EXPAND %{session-state.TLS-Cert-Expiration} (15,8) --> (null) (15,8) EXPAND %{session-state.TLS-Cert-Subject} (15,8) --> (null) (15,8) EXPAND %{session-state.TLS-Cert-Issuer} (15,8) --> (null) (15,8) EXPAND %{session-state.TLS-Cert-Common-Name} (15,8) --> (null) (15,8) EXPAND %{session-state.TLS-Cert-Subject-Alt-Name-Email} (15,8) --> (null) (15,8) EXPAND %{session-state.TLS-Client-Cert-Serial} (15,8) --> (null) (15,8) EXPAND %{session-state.TLS-Client-Cert-Expiration} (15,8) --> (null) (15,8) EXPAND %{session-state.TLS-Client-Cert-Subject} (15,8) --> (null) (15,8) EXPAND %{session-state.TLS-Client-Cert-Issuer} (15,8) --> (null) (15,8) EXPAND %{session-state.TLS-Client-Cert-Common-Name} (15,8) --> (null) (15,8) EXPAND %{session-state.TLS-Client-Cert-Subject-Alt-Name-Email} (15,8) --> (null) (15,8) &Reply-Message += "" (15,8) &Reply-Message += "" (15,8) &Reply-Message += "" (15,8) &Reply-Message += "" (15,8) &Reply-Message += "" (15,8) &Reply-Message += "" (15,8) &Reply-Message += "" (15,8) &Reply-Message += "" (15,8) &Reply-Message += "" (15,8) &Reply-Message += "" (15,8) &Reply-Message += "" (15,8) &Reply-Message += "" (15,8) } # update reply (noop) (15,8) update reply { (15,8) EXPAND %{session-state.Tmp-String-9} (15,8) --> (null) (15,8) EXPAND %{session-state.TLS-Client-Cert-Subject} (15,8) --> (null) (15,8) &Tunnel-Type = VLAN (15,8) &Tunnel-Medium-Type = IEEE-802 (15,8) &Tunnel-Private-Group-Id = "" (15,8) &Tmp-String-9 := "" (15,8) } # update reply (noop) (15,8) if ("%{reply.Tunnel-Private-Group-Id}" == "") { (15,8) EXPAND %{reply.Tunnel-Private-Group-Id} (15,8) --> (15,8) reject (reject) (15,8) } # if ("%{reply.Tunnel-Private-Group-Id}" == "") (reject) (15,8) } # send Access-Accept (reject) (15,8) WARNING: Failed running 'send Access-Accept', trying 'send Access-Reject' Notes: 1) The above log also reflects some unsuccessful experiments I was doing to try to get the Tunnel-Private-Group-Id to propagate to the Access-Accept stage, so some of the variable assignments might not make sense. 2) I don't think session-state.TLS-Cert-Expiration is being parsed correctly. 3) I didn't enable delivery of every freeradius-users message, so if you could cc: me on replies that would be much appreciated.