Access-Accept but condition isn't correct
Hello, I'd like to check mac condition with ISG cisco. in users file: 192.168.10.100 Cleartext-Password := "cisco", *Calling-Station-Id := "00:50:79:66:68:01"* Cisco-Service-info = "QU;200000;D;600000", Cisco-Avpair += 'subscriber:accounting-list=BRAS', Cisco-Avpair += 'subscriber:keepalive=interval 10', Cisco-Avpair += 'subscriber:idle-timeout-direction=inbound' debug: (0) Received Access-Request Id 60 from 1.1.1.3:1645 to 1.1.1.2:1812 length 135 (0) User-Name = "192.168.10.100" (0) User-Password = "cisco" (0) Framed-IP-Address = 192.168.10.100 (0) *Calling-Station-Id = "00:50:79:66:68:00"* (0) NAS-Port-Type = Virtual (0) NAS-Port = 0 (0) NAS-Port-Id = "0/0/0/0" (0) Service-Type = Outbound-User (0) NAS-IP-Address = 1.1.1.3 (0) Acct-Session-Id = "00000FDE" (0) NAS-Identifier = "ASR_1" (0) Event-Timestamp = "Jan 26 2020 18:54:55 UTC" (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "192.168.10.100", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry 192.168.10.100 at line 37 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known good" Cleartext-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Sent Access-Accept Id 60 from 1.1.1.2:1812 to 1.1.1.3:1645 length 0 (0) Cisco-Service-Info = "QU;200000;D;600000" (0) Cisco-AVPair = "subscriber:accounting-list=BRAS" (0) Cisco-AVPair = "subscriber:keepalive=interval 10" (0) Cisco-AVPair = "subscriber:idle-timeout-direction=inbound" (0) Finished request Calling-Station-Id is different than in config but i get Access-Accept. Where I'm doing wrong? Best Regards Marcin
niedz., 26 sty 2020 o 20:01 Marcin Romanowski <marcin@nicram.net> napisaĆ(a):
Hello, I'd like to check mac condition with ISG cisco.
in users file: 192.168.10.100 Cleartext-Password := "cisco", *Calling-Station-Id := "00:50:79:66:68:01"*
my mistake, this should be Calling-Station-Id *== *"00:50:79:66:68:01"
Cisco-Service-info = "QU;200000;D;600000", Cisco-Avpair += 'subscriber:accounting-list=BRAS', Cisco-Avpair += 'subscriber:keepalive=interval 10', Cisco-Avpair += 'subscriber:idle-timeout-direction=inbound'
debug:
(0) Received Access-Request Id 60 from 1.1.1.3:1645 to 1.1.1.2:1812 length 135 (0) User-Name = "192.168.10.100" (0) User-Password = "cisco" (0) Framed-IP-Address = 192.168.10.100 (0) *Calling-Station-Id = "00:50:79:66:68:00"* (0) NAS-Port-Type = Virtual (0) NAS-Port = 0 (0) NAS-Port-Id = "0/0/0/0" (0) Service-Type = Outbound-User (0) NAS-IP-Address = 1.1.1.3 (0) Acct-Session-Id = "00000FDE" (0) NAS-Identifier = "ASR_1" (0) Event-Timestamp = "Jan 26 2020 18:54:55 UTC" (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "192.168.10.100", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry 192.168.10.100 at line 37 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known good" Cleartext-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Sent Access-Accept Id 60 from 1.1.1.2:1812 to 1.1.1.3:1645 length 0 (0) Cisco-Service-Info = "QU;200000;D;600000" (0) Cisco-AVPair = "subscriber:accounting-list=BRAS" (0) Cisco-AVPair = "subscriber:keepalive=interval 10" (0) Cisco-AVPair = "subscriber:idle-timeout-direction=inbound" (0) Finished request
Calling-Station-Id is different than in config but i get Access-Accept.
Where I'm doing wrong?
Best Regards Marcin
-- Marcin Romanowski / nicraM
participants (1)
-
Marcin Romanowski