Le 13/06/2012 10:55, Alan DeKok a écrit :
rs do*not* have this feature. The "inner-tunnel" authentication is handled by various special-purpose magic. That makes the configuration more complex a Thanks a lot for the time you spent on this request. I will not understand all, but i think (i hope) i can roughly follow the mechanism. I often try to known what a product do for configuring it. Maybe it is a mistake...
Here are the last lines of a successful connexion. It begins with the last outside tunnel authenticate section, just before entering inner-tunnel parsing. I obviously believe you about all what you said, but i can't find an explicite authenticate section between * ldap authorization and * entering LDAP. It's quite possible (likely) that i don't read correctly the output, please don't be offended about my questions. I only try to understand. ... # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 61 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "user1" User-Password = "toutou" FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "user1" User-Password = "toutou" FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel {************************************************************* entering tunnel ? # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "user1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [ldap] performing user authorization for user1*********************************************************** ldap authorization [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> user1 [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> user1 [ldap] expand: (|(uid=%{%{Stripped-User-Name}:-%{User-Name}})(mail=%{%{Stripped-User-Name}:-%{User-Name}})) -> (|(uid=user1)(mail=user1)) [ldap] expand: ou=ac-orleans-tours,ou=education,o=gouv,c=fr -> ou=ac-orleans-tours,ou=education,o=gouv,c=fr [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to replica.in.ac-orleans-tours.fr:389, authentication 0 [ldap] bind as / to replica.in.ac-orleans-tours.fr:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=ac-orleans-tours,ou=education,o=gouv,c=fr, with filter (|(uid=user1)(mail=user1)) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP*********************************************************************** ldap authorization successful [ldap] user user1 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = LDAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group LDAP {...}************************************************************* entering LDAP [ldap] login attempt by "user1" with password "toutou" [ldap] user DN: uid=user1,ou=personnels EN,ou=ac-orleans-tours,ou=education,o=gouv,c=fr [ldap] (re)connect to replica.in.ac-orleans-tours.fr:389, authentication 1 [ldap] bind as uid=user1,ou=personnels EN,ou=ac-orleans-tours,ou=education,o=gouv,c=fr/toutou to replica.in.ac-orleans-tours.fr:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user user1 authenticated succesfully ++[ldap] returns ok WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel } # server inner-tunnel [ttls] Got tunneled reply code 2 [ttls] Got tunneled Access-Accept [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 230 to 172.30.145.70 port 32769 MS-MPPE-Recv-Key = 0xffc75d74e5bf1ac3d87ad519d6717eb47335013ecdf9d90b911054432b3a14f9 MS-MPPE-Send-Key = 0xc56881775c6929ffb64a59e4f9cbac06d99eb03ab5925f182555d2ec3af2b91e EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "user1" Finished request 6. Going to the next request Waking up in 4.6 seconds. rad_recv: Accounting-Request packet from host 172.30.145.70 port 32769, id=249, length=192 User-Name = "user1" NAS-Port = 2 NAS-IP-Address = 172.30.145.70 NAS-Identifier = "wifi-admin" Airespace-Wlan-Id = 1 Acct-Session-Id = "4fd83d9f/00:1d:e0:21:7b:31/94" Acct-Authentic = RADIUS Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "164" Acct-Status-Type = Interim-Update Acct-Input-Octets = 16133 Acct-Output-Octets = 21904 Acct-Input-Packets = 458 Acct-Output-Packets = 238 Acct-Session-Time = 47 Acct-Delay-Time = 0 Calling-Station-Id = "192.168.234.10" Called-Station-Id = "172.30.145.70" # Executing section preacct from file /etc/raddb/sites-enabled/default +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 2,Client-IP-Address = 172.30.145.70,NAS-IP-Address = 172.30.145.70,Acct-Session-Id = "4fd83d9f/00:1d:e0:21:7b:31/94",User-Name = "user1"' [acct_unique] Acct-Unique-Session-ID = "9fcc14215b25e276". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "user1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop # Executing section accounting from file /etc/raddb/sites-enabled/default +- entering group accounting {...} [detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/172.30.145.70/detail-20120613 [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/172.30.145.70/detail-20120613 [detail] expand: %t -> Wed Jun 13 09:14:29 2012 ++[detail] returns ok ++[unix] returns noop [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> user1 ++[radutmp] returns ok ++[exec] returns noop [attr_filter.accounting_response] expand: %{User-Name} -> user1 attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 249 to 172.30.145.70 port 32769 Finished request 7. Cleaning up request 7 ID 249 with timestamp +40 Going to the next request Waking up in 4.6 seconds. Cleaning up request 0 ID 224 with timestamp +39 Cleaning up request 1 ID 225 with timestamp +39 Cleaning up request 2 ID 226 with timestamp +39 Cleaning up request 3 ID 227 with timestamp +39 Cleaning up request 4 ID 228 with timestamp +39 Waking up in 0.3 seconds. Cleaning up request 5 ID 229 with timestamp +40 Cleaning up request 6 ID 230 with timestamp +40 Ready to process requests. -- Emmanuel BILLOT CATEL - Dpt. Système et Réseaux Rectorat - Académie d'Orléans-Tours 10, rue Molière - 45000 Orléans Tél : 02 38 79 45 57