Alan DeKok schrieb:
Marten Pape wrote:
Now my goal is to tell the NAS to assign every wifi-packet to a certain VLAN. I don't need to have a dynamic assignment of VLAN based on usernames or something else. One VLAN would be sufficient.
You can assign the vlan in the "post-auth" section.
Now, I did it in the sites-available/default files / post-auth section: update reply { Tunnel-Type := 13 Tunnel-Medium-Type = 6 Tunnel-Private-Group-ID = 123 } But it seems, that the access point does not assign the traffic to a certain VLAN and, as far as I know, this access point is able to do that. Do you see anything else, going wrong? The debug log of a new connection try is attached below.
The solution I found was to insert the following lines into the radgroupreply table (splitted up into the correct columns...): Tunnel-Type = 13 Tunnel-Medium-Type = 6 Tunnel-Private-Group-Id = 10
After I've done this entry, I hoped that it would work, but it didn't.
From the debug log you posted, it's clear that you didn't enable the "sql" module in the "authorize" section.
mhmm it is enabled (=listed) in sites-available/default and sites-available/inner-tunnel. Do you want to see these files? Thanks Marten Pape
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
==================================================================================== rad_recv: Access-Request packet from host 172.20.160.171 port 1812, id=2, length=135 User-Name = "marpap" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-Identifier = "default\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" Calling-Station-Id = "00-60-b3-63-4e-03" EAP-Message = 0x0201000b016d6172706170 NAS-IP-Address = 172.20.160.171 Message-Authenticator = 0x4c68db4ae1e988fdc7b61ccd1375f3b7 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [eap] EAP packet type response id 1 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> marpap [sql] sql_set_user escaped user --> 'marpap' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = '%{SQL-User-Name}' AND radcheck.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='%{SQL-User-Name}' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id -> SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = 'marpap' AND radcheck.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id rlm_sql_mysql: query: SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = 'marpap' AND radcheck.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = '%{SQL-User-Name}' AND radreply.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='%{SQL-User-Name}' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id -> SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = 'marpap' AND radreply.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id rlm_sql_mysql: query: SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = 'marpap' AND radreply.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'marpap' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'marpap' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 2 to 172.20.160.171 port 1812 EAP-Message = 0x010200160410cc89b3225a82d01a8654a32775f9e4f6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe259fe12e25bfa2c7c464fa29a32360e Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.20.160.171 port 1812, id=3, length=148 User-Name = "marpap" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-Identifier = "default\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" Calling-Station-Id = "00-60-b3-63-4e-03" EAP-Message = 0x020200060319 State = 0xe259fe12e25bfa2c7c464fa29a32360e NAS-IP-Address = 172.20.160.171 Message-Authenticator = 0xfb2d0002328c7451026bb0e9277431bf +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> marpap [sql] sql_set_user escaped user --> 'marpap' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = '%{SQL-User-Name}' AND radcheck.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='%{SQL-User-Name}' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id -> SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = 'marpap' AND radcheck.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id rlm_sql_mysql: query: SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = 'marpap' AND radcheck.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = '%{SQL-User-Name}' AND radreply.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='%{SQL-User-Name}' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id -> SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = 'marpap' AND radreply.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id rlm_sql_mysql: query: SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = 'marpap' AND radreply.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'marpap' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'marpap' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 3 to 172.20.160.171 port 1812 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe259fe12e35ae72c7c464fa29a32360e Finished request 1. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.20.160.171 port 1812, id=4, length=407 User-Name = "marpap" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-Identifier = "default\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" Calling-Station-Id = "00-60-b3-63-4e-03" EAP-Message = 0x020301071980000000fd16030100f8010000f403014c7d20f3fa216ccffbe4c3766774a615b3df331dd1b6c5a8e71d6418f000af1300002600390038003500160013000a00330032002f000500040015001200090014001100080006000302010000a4002300a06f3f44d1030e19f01a26014ebb90bb4d30ebedf651941a44c981c2725fa7f74d497304a67e3fcc2a3238341f64c879a94462bb6ec961c0d0c30f1e7aab938ab83be023485226f47cab774aab19cdec8869894da7545c478fffe6a2bf0323a2cf6e0b6e281c20cd9cc341d2da3ba4dfc637cbd82e61a0c31c166878c05b5ea6c22786596da21587619cff7e60f02c26cc6428b89a6557 EAP-Message = 0xb602f6a821cd661755c5 State = 0xe259fe12e35ae72c7c464fa29a32360e NAS-IP-Address = 172.20.160.171 Message-Authenticator = 0xb64933ff5487a81eb73845fe3b883de1 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [eap] EAP packet type response id 3 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 253 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00f8], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0030], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 066b], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 172.20.160.171 port 1812 EAP-Message = 0x0104040019c0000007c016030100300200002c03014c7d26c25b5679783a15c69df1d7e20cf3e8a8d601a8b4a8b0d90d816944de6900003901000400230000160301066b0b0006670006640002cb308202c730820230a003020102020101300d06092a864886f70d0101050500308192310b3009060355040613024445310b300906035504081302425731143012060355040a130b41424820756e642052534831183016060355040b130f496e7465726e65747475746f72656e311830160603550403130f496e7465726e65747475746f72656e312c302a06092a864886f70d010901161d696e7465726e6574406162682e756e692d6b61726c737275 EAP-Message = 0x68652e6465301e170d3130303432393132353032305a170d3131303432393132353032305a3081a6310b3009060355040613024445310b300906035504081302425731123010060355040713094b61726c737275686531143012060355040a130b41424820756e642052534831183016060355040b130f496e7465726e65747475746f72656e311830160603550403130f496e7465726e65747475746f72656e312c302a06092a864886f70d010901161d696e7465726e6574406162682e756e692d6b61726c73727568652e646530819f300d06092a864886f70d010101050003818d0030818902818100e37557356ce2962b24717823a65441ba1bcf EAP-Message = 0x86283adbe99e40434effc0828ffdd4310d26c5d6a6b394c9e6de115e8a1dfe28c044dc5a8c42de5116cc21fd09b9d755bde7e08b9915ab79bf5fe6aed64e54e7fb4493bd5744310d0deea244a55f235f3d8cf20f759c59de8248cc8a60f246ee46197100d9859e20e21baa2230250203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038181004eeb94bcddd320b658bc280887659ff063462714947a0b8c5755bc3868c8407395974494f6b519671a1987a73c3595c6fe5466b0a99d40548fd6036cedcb4a5aa0cd364b3e7d16cf4955381ada37724840a29709975f823293e29bda0fd0 EAP-Message = 0x21972fe49cd753d971dcde764b8a60ec5e424ed95c54aaacbc89a92daee26094c01b0003933082038f308202f8a003020102020100300d06092a864886f70d0101050500308192310b3009060355040613024445310b300906035504081302425731143012060355040a130b41424820756e642052534831183016060355040b130f496e7465726e65747475746f72656e311830160603550403130f496e7465726e65747475746f72656e312c302a06092a864886f70d010901161d696e7465726e6574406162682e756e692d6b61726c73727568652e6465301e170d3130303432393132333933315a170d3133303432383132333933315a30819231 EAP-Message = 0x0b3009060355040613024445 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe259fe12e05de72c7c464fa29a32360e Finished request 2. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 172.20.160.171 port 1812, id=5, length=148 User-Name = "marpap" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-Identifier = "default\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" Calling-Station-Id = "00-60-b3-63-4e-03" EAP-Message = 0x020400061900 State = 0xe259fe12e05de72c7c464fa29a32360e NAS-IP-Address = 172.20.160.171 Message-Authenticator = 0xbe1d186150159736a954c6531efa002c +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 5 to 172.20.160.171 port 1812 EAP-Message = 0x010503d01900310b300906035504081302425731143012060355040a130b41424820756e642052534831183016060355040b130f496e7465726e65747475746f72656e311830160603550403130f496e7465726e65747475746f72656e312c302a06092a864886f70d010901161d696e7465726e6574406162682e756e692d6b61726c73727568652e646530819f300d06092a864886f70d010101050003818d0030818902818100c111b48452ef2ce1ed2f09ae837d35631ae023ed67b8c0f4e954280344bed7b623a40a1e8f44dd778d8f9e4b4c7d1fc52b9c0c0bece2446a7a742b7974df4fde3c2277f9e1c3afb0b633f2e6d146a85ca1d6b0a6ff EAP-Message = 0x7e198320efe37208296b8b974b42024adeb4b4a8fec17666ef702f5a0406bb9d506e79613d2e02ce4171590203010001a381f23081ef301d0603551d0e04160414e6292f8ee610197b0e952c3ceaee6de6898029253081bf0603551d230481b73081b48014e6292f8ee610197b0e952c3ceaee6de689802925a18198a48195308192310b3009060355040613024445310b300906035504081302425731143012060355040a130b41424820756e642052534831183016060355040b130f496e7465726e65747475746f72656e311830160603550403130f496e7465726e65747475746f72656e312c302a06092a864886f70d010901161d696e7465726e EAP-Message = 0x6574406162682e756e692d6b61726c73727568652e6465820100300c0603551d13040530030101ff300d06092a864886f70d010105050003818100a4f951a1a0cf7d1d9ea06b944351512c3f498fedca5da170a3ca057c2e03d143d37ad8bafe2f647afc67f99191c0b14e891323c7f2a2dc2babcfec7959a9ab88b5f66235d586b6eb13541338e2db423c3b3ace184be71bb8e1538f37880d2ce2501fe1f3c3fb22b1eeb6af7fb180e91d037109f6df113f8001fbc00bdf752289160301010d0c00010900409a1fe380d6584eedb413c8212ecff8cb0671793d5baf315842054b754ed5aeb883ea1bee3bc8843ddaf1aa6d8a604ce0f478ba662c0584 EAP-Message = 0x7de987277998c963ab0001020040379238420cf45d32ee9ed5dfdf3107fd726373dfcd34e425f7d9f0107f6cf6c67490032b2e37954bea5f4c58fa0a373cd5692b71194546b24c1bb92444fbf2df0080be55fa60e63eceb40fd8c34486d5f76fc8ffeefb483139c55657ffd755ea15dd306f67946f33fcb990dbbd5dfdc7a6ef9ed7307d175c00747278ebd8989ae3b7363866caea9b0ca6bd8e93eda3c64fe19d215db5c69a49414730f72ce0d557b5f259d48cd19ea73b1ce25a77e23452ea36671c4fbd7777a3353f40371e2b6c0916030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe259fe12e15ce72c7c464fa29a32360e Finished request 3. Going to the next request Waking up in 2.7 seconds. rad_recv: Access-Request packet from host 172.20.160.171 port 1812, id=6, length=286 User-Name = "marpap" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-Identifier = "default\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" Calling-Station-Id = "00-60-b3-63-4e-03" EAP-Message = 0x02050090198000000086160301004610000042004086ff635b6acd5edf3bbdeb989141e8aacf8f374c373dd882d88ed24328f184363c5f0d3034135aeed659c48e3eddeeba361ee37ff418c94051213436a2ce322514030100010116030100308d883a4e915796bfadced45c11620bf8ab5943d0d3b23f67029d2696b6cfba3c4bb39b004274d45af9383e7b65a64a8c State = 0xe259fe12e15ce72c7c464fa29a32360e NAS-IP-Address = 172.20.160.171 Message-Authenticator = 0x9bc8be05544e6e946523cc2a2cd6f950 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [eap] EAP packet type response id 5 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 Handshake [length 00aa]??? [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 6 to 172.20.160.171 port 1812 EAP-Message = 0x010600f0190016030100aa040000a60000000000a0cf73dfba597c06dd86bb94a2b382e913bc6b8bc5e660d5f86ff3707aeab944ddf1d4bebeffd1afd0154af8fd2e551d8168209a799662bfe471cdf2a2707205cc8236d1ec06f44d75910ada87a68160569275f406c0b0d12eeb51594d1c9efe026d2c5d1a971e2a56f9dcfce385e335b1e0ad7c8bc23e720aa0ce542f3002d8d6948a0042dde52904ee0b104121d0d5190973d56a37372c6a86ba216031e81b091403010001011603010030d3783002e4f5fbaf016aa04bce082458dfcfe4cf932b4d264bab5e3f83d62cac67cf557a75c9590667105a2451962373 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe259fe12e65fe72c7c464fa29a32360e Finished request 4. Going to the next request Waking up in 1.7 seconds. rad_recv: Access-Request packet from host 172.20.160.171 port 1812, id=7, length=148 User-Name = "marpap" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-Identifier = "default\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" Calling-Station-Id = "00-60-b3-63-4e-03" EAP-Message = 0x020600061900 State = 0xe259fe12e65fe72c7c464fa29a32360e NAS-IP-Address = 172.20.160.171 Message-Authenticator = 0xbd22b652240bed2cae865dd7d624f7df +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 7 to 172.20.160.171 port 1812 EAP-Message = 0x0107002b190017030100203cdcb53ac51156f2c11810063c218c6481a6451c580fe83d6b014b56207e88d9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe259fe12e75ee72c7c464fa29a32360e Finished request 5. Going to the next request Waking up in 0.7 seconds. Cleaning up request 0 ID 2 with timestamp +6 Waking up in 0.2 seconds. Cleaning up request 1 ID 3 with timestamp +6 Waking up in 1.0 seconds. rad_recv: Access-Request packet from host 172.20.160.171 port 1812, id=8, length=238 User-Name = "marpap" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-Identifier = "default\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" Calling-Station-Id = "00-60-b3-63-4e-03" EAP-Message = 0x02070060190017030100202b298c4cb2829f58d430afcd835386a5f1d8d5406a4ecfe378729bd47041c4ba170301003060ae2c4208d05100e3d595095b3e3f9908f1954b2f1a310c889c623d751d0037feff76628ac672c3f8f7d82e29c2bfd8 State = 0xe259fe12e75ee72c7c464fa29a32360e NAS-IP-Address = 172.20.160.171 Message-Authenticator = 0xaf8eafe2466000e8be56847385ea807e +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [eap] EAP packet type response id 7 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - marpap [peap] Got tunneled request EAP-Message = 0x0207000b016d6172706170 server { PEAP: Got tunneled identity of marpap PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to marpap Sending tunneled request EAP-Message = 0x0207000b016d6172706170 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "marpap" server inner-tunnel { +- entering group authorize {...} ++[control] returns notfound [eap] EAP packet type response id 7 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> marpap [sql] sql_set_user escaped user --> 'marpap' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = '%{SQL-User-Name}' AND radcheck.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='%{SQL-User-Name}' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id -> SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = 'marpap' AND radcheck.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id rlm_sql_mysql: query: SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = 'marpap' AND radcheck.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = '%{SQL-User-Name}' AND radreply.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='%{SQL-User-Name}' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id -> SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = 'marpap' AND radreply.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id rlm_sql_mysql: query: SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = 'marpap' AND radreply.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'marpap' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'marpap' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800201a0108001b10c6b081df2c654a8a679008b2e2710fd06d6172706170 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf0d328dff0db32c653a8b81dca2d1d07 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800201a0108001b10c6b081df2c654a8a679008b2e2710fd06d6172706170 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf0d328dff0db32c653a8b81dca2d1d07 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 8 to 172.20.160.171 port 1812 EAP-Message = 0x0108004b19001703010040cc4756e012ff1f167cd3af426d562ac651c31423c3f17f33e094c76b3dcd8cd2cb7880071a9c86e39ce1e98e547c5e2895a12afab3f12e4063a79ef085f183eb Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe259fe12e451e72c7c464fa29a32360e Finished request 6. Going to the next request Waking up in 0.9 seconds. Cleaning up request 2 ID 4 with timestamp +7 rad_recv: Access-Request packet from host 172.20.160.171 port 1812, id=9, length=286 User-Name = "marpap" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-Identifier = "default\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" Calling-Station-Id = "00-60-b3-63-4e-03" EAP-Message = 0x0208009019001703010020db117f6a4213a280b8c8b81dc380515a3c51cad1936497f49e4c135a8d32a68c1703010060d899c5bec375f74915ec3830ac88e1af2fe071a96f8e36cb48d28b2aceee47360bc8b810f5f9521fbbf65ca4ca01873d8ebb2d1dcbc0a982056579268993fe86b4a39705c7c625fc95bd9787eca3336611165d19354e8a1c6140634daa94d75e State = 0xe259fe12e451e72c7c464fa29a32360e NAS-IP-Address = 172.20.160.171 Message-Authenticator = 0x394906002929a9ade62c13af2f0fb812 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [eap] EAP packet type response id 8 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800411a0208003c319638518d9abfbbd6fd487bfc22202f550000000000000000258a4493454de759c37caa281d4f4fff8ef0e602b2507b97006d6172706170 server { PEAP: Setting User-Name to marpap Sending tunneled request EAP-Message = 0x020800411a0208003c319638518d9abfbbd6fd487bfc22202f550000000000000000258a4493454de759c37caa281d4f4fff8ef0e602b2507b97006d6172706170 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "marpap" State = 0xf0d328dff0db32c653a8b81dca2d1d07 server inner-tunnel { +- entering group authorize {...} ++[control] returns notfound [eap] EAP packet type response id 8 length 65 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> marpap [sql] sql_set_user escaped user --> 'marpap' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = '%{SQL-User-Name}' AND radcheck.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='%{SQL-User-Name}' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id -> SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = 'marpap' AND radcheck.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id rlm_sql_mysql: query: SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = 'marpap' AND radcheck.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = '%{SQL-User-Name}' AND radreply.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='%{SQL-User-Name}' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id -> SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = 'marpap' AND radreply.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id rlm_sql_mysql: query: SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = 'marpap' AND radreply.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'marpap' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'marpap' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] Found NT-Password [mschap] Told to do MS-CHAPv2 for marpap with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d30353236444342323142323145443233394546424239413037363239343134344332353942354536 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf0d328dff1da32c653a8b81dca2d1d07 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d30353236444342323142323145443233394546424239413037363239343134344332353942354536 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf0d328dff1da32c653a8b81dca2d1d07 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 9 to 172.20.160.171 port 1812 EAP-Message = 0x0109005b1900170301005017a3a02c28820c047a06d62f0a2f2e30a8501c919a40426b8c6bb7b26dae2a52c5f65713700c8357e92a0c5e2767eaa6d91058d996c754ef5404b13473395d1de1e107dbf8031d8a634aaeae0decd8ce Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe259fe12e550e72c7c464fa29a32360e Finished request 7. Going to the next request Waking up in 0.9 seconds. Cleaning up request 3 ID 5 with timestamp +8 Waking up in 1.0 seconds. rad_recv: Access-Request packet from host 172.20.160.171 port 1812, id=10, length=222 User-Name = "marpap" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-Identifier = "default\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" Calling-Station-Id = "00-60-b3-63-4e-03" EAP-Message = 0x0209005019001703010020ea45ba7ab2126e05b40327975bb649779f732691225d8b13c8095e196ceef48c170301002017fcf2f1e53c0a8fc2b1cd312abd77e62e0306c7d4f4bcc6fe2f24f04ee35732 State = 0xe259fe12e550e72c7c464fa29a32360e NAS-IP-Address = 172.20.160.171 Message-Authenticator = 0xb6867159aae4b6a8241660c47a794da2 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [eap] EAP packet type response id 9 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server { PEAP: Setting User-Name to marpap Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "marpap" State = 0xf0d328dff1da32c653a8b81dca2d1d07 server inner-tunnel { +- entering group authorize {...} ++[control] returns notfound [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> marpap [sql] sql_set_user escaped user --> 'marpap' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = '%{SQL-User-Name}' AND radcheck.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='%{SQL-User-Name}' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id -> SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = 'marpap' AND radcheck.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id rlm_sql_mysql: query: SELECT logins.id, logins.username, radcheck.attribute, logins.pass_lm, radcheck.op FROM radcheck, logins WHERE logins.username = 'marpap' AND radcheck.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = '%{SQL-User-Name}' AND radreply.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='%{SQL-User-Name}' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id -> SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = 'marpap' AND radreply.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id rlm_sql_mysql: query: SELECT logins.id, logins.username, radreply.attribute, logins.pass_lm, radreply.op FROM radreply, logins WHERE logins.username = 'marpap' AND radreply.id='1' AND (SELECT internet_accounts.aktiv FROM internet_accounts, logins WHERE logins.username='marpap' AND logins.account_id = internet_accounts.account_id) = 'yes' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'marpap' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'marpap' ORDER BY priority rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok WARNING: Empty section. Using default return values. } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "marpap" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "marpap" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 10 to 172.20.160.171 port 1812 EAP-Message = 0x010a003b190017030100308d1101b1c350d4328ebe3ce50675f915848a0c09c7ac0114cc569409948903d28694d60747d490ad19887f2e657a701a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe259fe12ea53e72c7c464fa29a32360e Finished request 8. Going to the next request Waking up in 0.9 seconds. Cleaning up request 4 ID 6 with timestamp +9 Waking up in 1.0 seconds. rad_recv: Access-Request packet from host 172.20.160.171 port 1812, id=11, length=238 User-Name = "marpap" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Port = 0 NAS-Identifier = "default\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" Calling-Station-Id = "00-60-b3-63-4e-03" EAP-Message = 0x020a0060190017030100201246b2d46e1ba6b660948078c75ecb1c32333ae90a280a5b371b072cb28a65231703010030bcbc8fec75782b5f139c2a090733a5602a62fb27f26f5cbcf02425c34279a49107f659f3775b8a533cd226fc6588c2f1 State = 0xe259fe12ea53e72c7c464fa29a32360e NAS-IP-Address = 172.20.160.171 Message-Authenticator = 0x5233cb5b3343b5ea0db86d94bf4150d9 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [eap] EAP packet type response id 10 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++[reply] returns noop [sql] expand: %{User-Name} -> marpap [sql] sql_set_user escaped user --> 'marpap' [sql] expand: %{User-Password} -> [sql] ... expanding second conditional [sql] expand: %{Chap-Password} -> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'marpap', '', 'Access-Accept', '2010-08-31 17:59:05') [sql] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'marpap', '', 'Access-Accept', '2010-08-31 17:59:05') rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'marpap', '', 'Access-Accept', '2010-08-31 17:59:05') rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 11 to 172.20.160.171 port 1812 MS-MPPE-Recv-Key = 0x35b16df4a592e9da418da46ab5164210166ad66293fd8831c5dec7d2f7eb1a8d MS-MPPE-Send-Key = 0x0709cee111f7985f495c7208fe4ceb3b57b1657f9fc10762578ba41ba9727b85 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "marpap" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "123" Finished request 9. Going to the next request Waking up in 0.9 seconds. Cleaning up request 5 ID 7 with timestamp +10 Waking up in 1.0 seconds. Cleaning up request 6 ID 8 with timestamp +11 Waking up in 0.9 seconds. Cleaning up request 7 ID 9 with timestamp +12 Waking up in 0.9 seconds. Cleaning up request 8 ID 10 with timestamp +13 Waking up in 0.9 seconds. Cleaning up request 9 ID 11 with timestamp +14 Ready to process requests.