2017-05-08 15:37 GMT+03:00 Alan DeKok <aland@deployingradius.com>:
As always, run the server in debugging mode to see what it's doing.
My $0.02 is probably that it's the policy which removes SSID from the Called-Station-ID attribute.
But... if you go read the debug output, you will see this for yourself.
Alan DeKok.
I was looking for policy also, but wasn't able to find one, that matches. Here is the debug. Nothing obvious to me. (1) Received Access-Request Id 110 from 178.21.xxx.xxx:36276 to 178.21.xxx.xxx:1812 length 150 (1) Service-Type = Framed-User (1) Framed-Protocol = PPP (1) NAS-Port = 15731092 (1) NAS-Port-Type = Ethernet (1) User-Name = "tt23kswp17" (1) Calling-Station-Id = "00:A0:C5:3F:13:2D" (1) Called-Station-Id = "cli-ter1" (1) NAS-Port-Id = "Eth7-PPPoE" (1) CHAP-Challenge = 0x7a1ec1edc7c5622d3bad144a2fbed691 (1) CHAP-Password = 0x01888613696787a497e3e14105f7698998 (1) NAS-Identifier = "cli-ter1" (1) NAS-IP-Address = 178.21.xxx.xxx (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (1) auth_log: --> /var/log/freeradius/radacct/178.21.xxx.xxx/auth-detail-20170508 (1) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/178.21.xxx.xxx/auth-detail-20170508 (1) auth_log: EXPAND %t (1) auth_log: --> Mon May 8 14:50:08 2017 (1) [auth_log] = ok (1) chap: &control:Auth-Type := CHAP (1) [chap] = ok (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "tt23kswp17", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) files: users: Matched entry tt23kswp17 at line 113 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) } # authorize = ok (1) Found Auth-Type = CHAP (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) Auth-Type CHAP { (1) chap: Comparing with "known good" Cleartext-Password (1) chap: CHAP user "tt23kswp17" authenticated successfully (1) [chap] = ok (1) } # Auth-Type CHAP = ok (1) # Executing section session from file /etc/freeradius/sites-enabled/default (1) session { (1) radutmp: EXPAND /var/log/freeradius/radutmp (1) radutmp: --> /var/log/freeradius/radutmp (1) radutmp: EXPAND %{User-Name} (1) radutmp: --> tt23kswp17 (1) [radutmp] = ok (1) } # session = ok (1) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (1) post-auth { (1) update { (1) No attributes updated (1) } # update = noop (1) [exec] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # post-auth = noop (1) Login OK: [tt23kswp17/<CHAP-Password>] (from client cli-ter1-lo0 port 15731092 cli 00:A0:C5:3F:13:2D) (1) Sent Access-Accept Id 110 from 178.21.xxx.xxx:1812 to 178.21.xxx.xxx:36276 length 0 (1) Service-Type = Framed-User (1) Framed-IP-Address = 178.21.xxx.xxx (1) Framed-Protocol = PPP (1) Finished request Waking up in 4.9 seconds. (2) Received Accounting-Request Id 111 from 178.21.xxx.xxx:42841 to 178.21.xxx.xxxx:1813 length 153 (2) Service-Type = Framed-User (2) Framed-Protocol = PPP (2) NAS-Port = 15731092 (2) NAS-Port-Type = Ethernet (2) User-Name = "tt23kswp17" (2) Calling-Station-Id = "00:A0:C5:3F:13:2D" (2) Called-Station-Id = "cli-ter1" (2) NAS-Port-Id = "Eth7-PPPoE" (2) Acct-Session-Id = "8140098a" (2) Framed-IP-Address = 178.21.xxx.xxx (2) Acct-Authentic = RADIUS (2) Event-Timestamp = "May 8 2017 14:50:09 EEST" (2) Acct-Status-Type = Start (2) NAS-Identifier = "cli-ter1" (2) Acct-Delay-Time = 0 (2) NAS-IP-Address = 178.21.xxx.xxx (2) # Executing section preacct from file /etc/freeradius/sites-enabled/default (2) preacct { (2) [preprocess] = ok (2) policy acct_unique { (2) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) { (2) EXPAND %{string:Class} (2) --> (2) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE (2) else { (2) update request { (2) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (2) --> e78e5423f2f84959e6dd5c02ce765011 (2) &Acct-Unique-Session-Id := e78e5423f2f84959e6dd5c02ce765011 (2) } # update request = noop (2) } # else = noop (2) } # policy acct_unique = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "tt23kswp17", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) [files] = noop (2) } # preacct = ok (2) # Executing section accounting from file /etc/freeradius/sites-enabled/default (2) accounting { (2) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (2) detail: --> /var/log/freeradius/radacct/178.21.xxx.xxx/detail-20170508 (2) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/178.21.xxx.xxx/detail-20170508 (2) detail: EXPAND %t (2) detail: --> Mon May 8 14:50:08 2017 (2) [detail] = ok (2) [unix] = ok (2) radutmp: EXPAND /var/log/freeradius/radutmp (2) radutmp: --> /var/log/freeradius/radutmp (2) radutmp: EXPAND %{User-Name} (2) radutmp: --> tt23kswp17 (2) [radutmp] = ok (2) [exec] = noop (2) attr_filter.accounting_response: EXPAND %{User-Name} (2) attr_filter.accounting_response: --> tt23kswp17 (2) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (2) [attr_filter.accounting_response] = updated (2) } # accounting = updated (2) Sent Accounting-Response Id 111 from 178.21.xxx.xxx:1813 to 178.21.xxx.xxx:42841 length 0 (2) Finished request (2) Cleaning up request packet ID 111 with timestamp +5 Waking up in 4.9 seconds. -- Best regards, Roman.