Hello, I am using daloradius with free radius 2.1.12 on Ubuntu 14.04. I have configured users and passwords and sucessfully authenticate users connecting to a standalone cisco 1142 accesspoint. I can see in the debug that the cisco-avpair is sending the ssid to the free radius server in the debug but I dont think it is being checked. No matter what I put in av pair the user gets Access-Accept. I have tried both operator == and =: but neither make a difference. Any help is greatly appreciated. Regards, Daniel
Here is the debug. For some reason my user dfleming is being accepted even though the cisco-avpair does not match. Please see debug and layout of mysql tables below. My aplogies to the moderator as I trimmed the message to under 100kb. khadmin@BSpa-KH-DaloRadius01:~$ sudo freeradius -X FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Feb 24 2014 at 15:00:10 .... Ready to process requests. ! Connecting client that should be rejected dfleming Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=104, length=224 User-Name = "dfleming" Framed-MTU = 1400 Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt" Calling-Station-Id = "80-1F-02-D3-97-74" Cisco-AVPair = "ssid=BSpa-KH-Mgmt" Service-Type = Login-User Cisco-AVPair = "service-type=Login" Message-Authenticator = 0x56c8d1976c38d0c15b3b7510788d1114 EAP-Message = 0x020300060319 NAS-Port-Type = Wireless-802.11 NAS-Port = 366 NAS-Port-Id = "366" State = 0xe398c72ae39bc3112b2facf2414ef68a NAS-IP-Address = 10.10.5.10 NAS-Identifier = "BSpa-KH-AP1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> dfleming [sql] sql_set_user escaped user --> 'dfleming' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 104 to 10.10.5.10 port 1645 EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe398c72ae29cde112b2facf2414ef68a Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=105, length=323 User-Name = "dfleming" Framed-MTU = 1400 Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt" Calling-Station-Id = "80-1F-02-D3-97-74" Cisco-AVPair = "ssid=BSpa-KH-Mgmt" Service-Type = Login-User Cisco-AVPair = "service-type=Login" Message-Authenticator = 0x705abcc41bc6453d98e488076368d5b0 EAP-Message = 0x0204006919800000005f160301005a01000056030153d0fc4150ae5171e308a2672ae8b0c2c02f72ec78a1f46b4988a1b7e7f83e73000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 NAS-Port-Type = Wireless-802.11 NAS-Port = 366 NAS-Port-Id = "366" State = 0xe398c72ae29cde112b2facf2414ef68a NAS-IP-Address = 10.10.5.10 NAS-Identifier = "BSpa-KH-AP1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 105 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 95 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 02dc], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 105 to 10.10.5.10 port 1645 EAP-Message = 0x01050326190016030100310200002d03010c97450f25def4ced7dc7df384079486f3542d07e6833013a884eb6bfb0bb94100002f000005ff0100010016030102dc0b0002d80002d50002d2308202ce308201b6a003020102020900822e76b7f4e676e6300d06092a864886f70d01010b0500301f311d301b06035504031314425370612d4b482d44616c6f5261646975733031301e170d3134303731363139303331345a170d3234303731333139303331345a301f311d301b06035504031314425370612d4b482d44616c6f526164697573303130820122300d06092a864886f70d01010105000382010f003082010a0282010100bd678d84e6eea050 EAP-Message = 0xf696bcf0d3ea9ac8dcc3895e630b82e19179fdf0bc32cbb9e38b749f7972e9b587116ef4e0962859d179ce4f59861167882f74aeef86e4a0e1fa808b84d034d0d0948f0a121690d58ba805a62fd3212cdabc26599ac01f6ae0f992d111e052a8cf5b3147301f63d76591be067e58d7939d0434bc135c606ae8843f81d47db30f2e2ec75faa656ee1744d1bcddbfaab9c25fbd573d82c024841e3fb98da541915e7d21c6f08dd7eddb9dc03fc8062512d649fc96be72a51b62fc05d3cadd285ee4858cdc52b90823c99de6130157151d0b12bbaee10bb574671052ef36786e9ccdad6be4209150df2db1b6c57ae25e0310ff2de90399678610203010001 EAP-Message = 0xa30d300b30090603551d1304023000300d06092a864886f70d01010b050003820101004e8a90c9aa3f6aab067342e1a11faf0c678c2f7f4674372f9964687580fe9bb6185570fbe203d7f03a7140c607e0e3a4c76463754f380db2fe4f1e59eb759cb64ee43c51fb22f1d8f2027b8b695bae6185bbccf927a29b3c4cf96de82394521bbe90cc6467d05546c04e76cedb9483ab55de6450f06a924e176f532ebb75688d32f4b2d901db683c6deced70d56c6f811311d104b18720ab7c62803dbda5126ad15fe966ad36171fe6cf6f4f75b7eded5b4bee5f6ac5be52943cd9ae276d7a7f4ca26fb40bd4c92c12fb907f121b78c071f386f84ada8fa48a0c EAP-Message = 0x97087d75ba9109d5bc56a0df73634094328e929b39a58e2c31b88b38be212a5dfd8544d0a63c16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe398c72ae19dde112b2facf2414ef68a Finished request 10. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=106, length=556 User-Name = "dfleming" Framed-MTU = 1400 Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt" Calling-Station-Id = "80-1F-02-D3-97-74" Cisco-AVPair = "ssid=BSpa-KH-Mgmt" Service-Type = Login-User Cisco-AVPair = "service-type=Login" Message-Authenticator = 0xcd089534fccab7db28693d5b9d86a442 EAP-Message = 0x02050150198000000146160301010610000102010022bd3a65d01781fa46b75b886bad8c50420d06048d350a244d2a70f4d676c8000374ebc77170059405c33a7910fd709d2829a1471f91a01c4a2a44adec666eb77a5d05995485115cb1d6854ca0fcf370ae2108ca25706257a7af922ec783a8442a9838e03496200e8bec1214d3f5c6af905c2a2e080f0354f9f37e29e96a6b23ad4ea4a7048bec25a870f3c53bceb0b95ed97e2d145b506ced5a94a1e6b2d79a031a58c445a698ec388e48abd18c466c2f1170d400b2d78cbb5c150f2c69d1889a84e4a20251457d3b3edd8d9d2ceb2b681b4ab9e926ae41b07380e6d44405cedf893b39da921314 EAP-Message = 0x94b437e41da7e053b8335b25d4f8a846c4554efb002cc8ec14030100010116030100304b985086678690c358d8a71cca3bd01d6792bf0f15f1387921d08f3ab7ebc8c8d27604abcc1facbd4e0674db9dd3925c NAS-Port-Type = Wireless-802.11 NAS-Port = 366 NAS-Port-Id = "366" State = 0xe398c72ae19dde112b2facf2414ef68a NAS-IP-Address = 10.10.5.10 NAS-Identifier = "BSpa-KH-AP1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 106 to 10.10.5.10 port 1645 EAP-Message = 0x01060041190014030100010116030100309e49c5fe400c66b74f39bfdcaf566e506165f4805af06d42706bd2ca4160016223229a71052b67ec2140e7bcedb29055 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe398c72ae09ede112b2facf2414ef68a Finished request 11. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=107, length=224 User-Name = "dfleming" Framed-MTU = 1400 Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt" Calling-Station-Id = "80-1F-02-D3-97-74" Cisco-AVPair = "ssid=BSpa-KH-Mgmt" Service-Type = Login-User Cisco-AVPair = "service-type=Login" Message-Authenticator = 0x903e413386202060c488c16f2f3e84de EAP-Message = 0x020600061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 366 NAS-Port-Id = "366" State = 0xe398c72ae09ede112b2facf2414ef68a NAS-IP-Address = 10.10.5.10 NAS-Identifier = "BSpa-KH-AP1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 107 to 10.10.5.10 port 1645 EAP-Message = 0x0107002b1900170301002072b66494c00c9860d7ae27b5bdc316d95c67942e3d6909bd14b8e95144dad15c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe398c72ae79fde112b2facf2414ef68a Finished request 12. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=108, length=261 User-Name = "dfleming" Framed-MTU = 1400 Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt" Calling-Station-Id = "80-1F-02-D3-97-74" Cisco-AVPair = "ssid=BSpa-KH-Mgmt" Service-Type = Login-User Cisco-AVPair = "service-type=Login" Message-Authenticator = 0xd80759bc82877237c5ee00bb4982f0d3 EAP-Message = 0x0207002b190017030100200229e07a3163accabbf9d63f151206bdfe56866c6c0908833f0dc931a9e143a8 NAS-Port-Type = Wireless-802.11 NAS-Port = 366 NAS-Port-Id = "366" State = 0xe398c72ae79fde112b2facf2414ef68a NAS-IP-Address = 10.10.5.10 NAS-Identifier = "BSpa-KH-AP1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - dfleming [peap] Got inner identity 'dfleming' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0207000d0164666c656d696e67 server { [peap] Setting User-Name to dfleming Sending tunneled request EAP-Message = 0x0207000d0164666c656d696e67 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "dfleming" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> dfleming [sql] sql_set_user escaped user --> 'dfleming' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800221a0108001d10922d3619e3e3ae7153865670afca067064666c656d696e67 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc9b7eee2c9bff40721db4de2f5e8d831 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800221a0108001d10922d3619e3e3ae7153865670afca067064666c656d696e67 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc9b7eee2c9bff40721db4de2f5e8d831 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 108 to 10.10.5.10 port 1645 EAP-Message = 0x0108004b19001703010040e354ae24f8e5f9d802fd99a568a505148dae956713eeee1fe29b6cf13ab582b5c7e15342748bc0b5cf4794a5c47774cede06c276834338ff8f7187e268d2e6d8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe398c72ae690de112b2facf2414ef68a Finished request 13. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=109, length=325 User-Name = "dfleming" Framed-MTU = 1400 Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt" Calling-Station-Id = "80-1F-02-D3-97-74" Cisco-AVPair = "ssid=BSpa-KH-Mgmt" Service-Type = Login-User Cisco-AVPair = "service-type=Login" Message-Authenticator = 0xb4f91fc4a74780dd8d59ca37a367f017 EAP-Message = 0x0208006b190017030100606d6568104b85243dc9d97a2a632d19fd9a8d232a88d86ef8b1322f3a74f5946692b8fc279afe278b92f8085b48136721801cbc31a68be167d8e697af0ad1262c2b84c00849d98fe5380ea6eb61f193f27fbd396e781c8e847be168312372effb NAS-Port-Type = Wireless-802.11 NAS-Port = 366 NAS-Port-Id = "366" State = 0xe398c72ae690de112b2facf2414ef68a NAS-IP-Address = 10.10.5.10 NAS-Identifier = "BSpa-KH-AP1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800431a0208003e3168b2631d0a7e9207d78112c36e6c9aeb00000000000000000d2ffe427cf7f4b21ba561639b16ea0fac9ec0fd7619f0980064666c656d696e67 server { [peap] Setting User-Name to dfleming Sending tunneled request EAP-Message = 0x020800431a0208003e3168b2631d0a7e9207d78112c36e6c9aeb00000000000000000d2ffe427cf7f4b21ba561639b16ea0fac9ec0fd7619f0980064666c656d696e67 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "dfleming" State = 0xc9b7eee2c9bff40721db4de2f5e8d831 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 67 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> dfleming [sql] sql_set_user escaped user --> 'dfleming' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: dfleming [mschap] Told to do MS-CHAPv2 for dfleming with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d43464330373236373634334537313837364241463430433441443939374431343844394531393832 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc9b7eee2c8bef40721db4de2f5e8d831 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d43464330373236373634334537313837364241463430433441443939374431343844394531393832 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc9b7eee2c8bef40721db4de2f5e8d831 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 109 to 10.10.5.10 port 1645 EAP-Message = 0x0109005b190017030100506185ff39cb0494708efdc81974e25f277642b11486bfe766086d403b0f9e0a544ff9b3c52790e64e9b993633880722ce7da761ac18a7fe587e831cdf7a964c10ef0f0b652c6a73635173e6875e54f4af Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe398c72ae591de112b2facf2414ef68a Finished request 14. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=110, length=261 User-Name = "dfleming" Framed-MTU = 1400 Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt" Calling-Station-Id = "80-1F-02-D3-97-74" Cisco-AVPair = "ssid=BSpa-KH-Mgmt" Service-Type = Login-User Cisco-AVPair = "service-type=Login" Message-Authenticator = 0x212023c32292d56925e14f1147bdabe4 EAP-Message = 0x0209002b19001703010020ac7315140c4adcdef21a749af693f0a7b8a7efda8ddb0f82bd692b1d8a7c8465 NAS-Port-Type = Wireless-802.11 NAS-Port = 366 NAS-Port-Id = "366" State = 0xe398c72ae591de112b2facf2414ef68a NAS-IP-Address = 10.10.5.10 NAS-Identifier = "BSpa-KH-AP1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server { [peap] Setting User-Name to dfleming Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "dfleming" State = 0xc9b7eee2c8bef40721db4de2f5e8d831 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> dfleming [sql] sql_set_user escaped user --> 'dfleming' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group post-auth {...} [sql] expand: %{User-Name} -> dfleming [sql] sql_set_user escaped user --> 'dfleming' [sql] expand: %{User-Password} -> [sql] ... expanding second conditional [sql] expand: %{Chap-Password} -> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dfleming', '', 'Access-Accept', '2014-07-24 08:28:17') [sql] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dfleming', '', 'Access-Accept', '2014-07-24 08:28:17') rlm_sql (sql): Reserving sql socket id: 0 rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dfleming', '', 'Access-Accept', '2014-07-24 08:28:17') rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok } # server inner-tunnel [peap] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x21b836e93eff70f6d6b2ec627ea1fbaf MS-MPPE-Recv-Key = 0xa73e45851d20023ff89a50e099c7ac0a EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "dfleming" [peap] Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x21b836e93eff70f6d6b2ec627ea1fbaf MS-MPPE-Recv-Key = 0xa73e45851d20023ff89a50e099c7ac0a EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "dfleming" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 110 to 10.10.5.10 port 1645 EAP-Message = 0x010a002b19001703010020ffd2d4391027944a955f2a80e75582385d2bb77d88a0da77a3c35e870ab878e6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe398c72ae492de112b2facf2414ef68a Finished request 15. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=111, length=261 User-Name = "dfleming" Framed-MTU = 1400 Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt" Calling-Station-Id = "80-1F-02-D3-97-74" Cisco-AVPair = "ssid=BSpa-KH-Mgmt" Service-Type = Login-User Cisco-AVPair = "service-type=Login" Message-Authenticator = 0x9ad507ccd512242f7bf2caec1f20c3d7 EAP-Message = 0x020a002b190017030100203e355252ae01ca7b5f1465ce21b3bb9285bba4ef32e64818a0cd5cc8143b5fd5 NAS-Port-Type = Wireless-802.11 NAS-Port = 366 NAS-Port-Id = "366" State = 0xe398c72ae492de112b2facf2414ef68a NAS-IP-Address = 10.10.5.10 NAS-Identifier = "BSpa-KH-AP1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "dfleming", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} [sql] expand: %{User-Name} -> dfleming [sql] sql_set_user escaped user --> 'dfleming' [sql] expand: %{User-Password} -> [sql] ... expanding second conditional [sql] expand: %{Chap-Password} -> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dfleming', '', 'Access-Accept', '2014-07-24 08:28:17') [sql] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dfleming', '', 'Access-Accept', '2014-07-24 08:28:17') rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dfleming', '', 'Access-Accept', '2014-07-24 08:28:17') rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 111 to 10.10.5.10 port 1645 MS-MPPE-Recv-Key = 0x5b480d2d4a8cde312f61c2c611543f1aebcc8abae61eb9155cda840760c3cea0 MS-MPPE-Send-Key = 0x56ec6be73861d6e421949f14631c05facadbeff6689370618d373d2b633ce24d EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "dfleming" Finished request 16. Going to the next request mysql> select * from radgroupcheck; +----+---------------------------+-------------------+----+-----------------------+ | id | groupname | attribute | op | value | +----+---------------------------+-------------------+----+-----------------------+ | 1 | daloRADIUS-Disabled-Users | Auth-Type | := | Reject | | 7 | Mgmt-Wireless | Cisco-AVPair | == | "ssid=1BSpa-KH-Mgmt1" | | 8 | Mgmt-Wireless | Called-Station-Id | := | *BSpa | | 9 | Test | Cisco-AVPair | == | df | +----+---------------------------+-------------------+----+-----------------------+ mysql> select * from userinfo; +----+-----------+-----------+----------+-------+------------+---------+-----------+-----------+-------------+---------+------+-------+---------+------+-------+----------------+---------------------+-------------------+---------------------+---------------+---------------------+----------+ | id | username | firstname | lastname | email | department | company | workphone | homephone | mobilephone | address | city | state | country | zip | notes | changeuserinfo | portalloginpassword | enableportallogin | creationdate | creationby | updatedate | updateby | +----+-----------+-----------+----------+-------+------------+---------+-----------+-----------+-------------+---------+------+-------+---------+------+-------+----------------+---------------------+-------------------+---------------------+---------------+---------------------+----------+ | 1 | dfleming | | | | | | | | | | | | | | | 0 | | 0 | 2014-07-16 15:24:47 | administrator | 2014-07-23 15:50:42 | admin | | 2 | mefleming | | | | | | | | | | | | | | | 0 | | 0 | 2014-07-16 16:57:27 | administrator | 2014-07-23 16:40:28 | admin | +----+-----------+-----------+----------+-------+------------+---------+-----------+-----------+-------------+---------+------+-------+---------+------+-------+----------------+---------------------+-------------------+---------------------+---------------+---------------------+----------+ mysql> select * from userinfo;radusergroup; +-----------+---------------+----------+ | username | groupname | priority | +-----------+---------------+----------+ | dfleming | Test | 0 | | mefleming | Mgmt-Wireless | 1 | +-----------+---------------+----------+ On Wed, Jul 23, 2014 at 5:20 PM, Dan Fleming <flemingdp@gmail.com> wrote:
Hello,
I am using daloradius with free radius 2.1.12 on Ubuntu 14.04.
I have configured users and passwords and sucessfully authenticate users
connecting to a standalone cisco 1142 accesspoint. I can see in the debug that the cisco-avpair is sending the ssid to the free radius server in the debug but I dont think it is being checked.
No matter what I put in av pair the user gets Access-Accept.
I have tried both operator == and =: but neither make a difference.
Any help is greatly appreciated.
Regards,
Daniel
Dan Fleming wrote:
Here is the debug. For some reason my user dfleming is being accepted even though the cisco-avpair does not match.
Users are accepted when their credentials are OK. The SQL tables you posted shows it *checking* the Cisco-AVPair. But not *doing* anything with it. The SQL module doesn't reject people if the conditions don't match. It just doesn't match the conditions. Read this to see how the SQL module works: http://wiki.freeradius.org/modules/Rlm_sql Odds are you're assuming it works differently than how it's documented. Alan DeKok.
Thank you I have read through it makes sense. So how do I do something based on the results? I would like to only authorize a connection if the users password matches and they are connecting to the correct ssid in the av-pair. Is there a HOWTO or other document outlining how to do that? Thank you again for your assistance. Regards, Dan On Mon, Jul 28, 2014 at 8:02 AM, Alan DeKok <aland@deployingradius.com> wrote:
Dan Fleming wrote:
Here is the debug. For some reason my user dfleming is being accepted even though the cisco-avpair does not match.
Users are accepted when their credentials are OK.
The SQL tables you posted shows it *checking* the Cisco-AVPair. But not *doing* anything with it. The SQL module doesn't reject people if the conditions don't match. It just doesn't match the conditions.
Read this to see how the SQL module works:
http://wiki.freeradius.org/modules/Rlm_sql
Odds are you're assuming it works differently than how it's documented.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dan Fleming wrote:
Thank you I have read through it makes sense. So how do I do something based on the results?
The SQL document talks about "radreply", which lets you do something with the results.
I would like to only authorize a connection if the users password matches and they are connecting to the correct ssid in the av-pair. Is there a HOWTO or other document outlining how to do that?
No. Because that's a specific solution. The documents describe how the server works, and lets you put it together yourself. For your situation, the key is to understand that the server accepts users if their password is correct. If you add more conditional checks, the user is still accepted. The solution is either to: a) set the "known good" password ONLY if the conditions also match. The SQL documentation describes how to set conditions b) if the password is stored somewhere else (e.g. LDAP), then you need to REJECT the user if the conditions match. Alan DeKok.
Reading the documentation I am still at a loss. I am familiar on how to do this with Cisco ACS, but looking to do it now with free radius. I now have it working if I check the Cisco-avpair under the user in dalo Radius (Cisco-avpair =~ .*SSID$) . Is there a way to configure this so i dont have to keep typing that attribute under every user? I thought the group would work, but from what you are saying it sounds like it wouldnt. I have tried saying if it doesnt match the above regex then the Radgroupreply says ( Auth-Typ := Reject) Thank you for your time. Dan On Mon, Jul 28, 2014 at 2:15 PM, Alan DeKok <aland@deployingradius.com> wrote:
Dan Fleming wrote:
Thank you I have read through it makes sense. So how do I do something based on the results?
The SQL document talks about "radreply", which lets you do something with the results.
I would like to only authorize a connection if the users password matches and they are connecting to the correct ssid in the av-pair. Is there a HOWTO or other document outlining how to do
that?
No. Because that's a specific solution. The documents describe how the server works, and lets you put it together yourself.
For your situation, the key is to understand that the server accepts users if their password is correct. If you add more conditional checks, the user is still accepted.
The solution is either to:
a) set the "known good" password ONLY if the conditions also match. The SQL documentation describes how to set conditions
b) if the password is stored somewhere else (e.g. LDAP), then you need to REJECT the user if the conditions match.
Alan DeKok. - List info/subscribe/unsubscribe? See
Reading the documentation I am still at a loss. I am familiar on how to do this with Cisco ACS, but looking to do it now with free radius. I now have it working if I check the Cisco-avpair under the user in dalo Radius (Cisco-avpair =~ .*SSID$) . Is there a way to configure this so i dont have to keep typing that attribute under every user? I thought the group would work, but from what you are saying it sounds like it wouldnt. I have tried saying if it doesnt match the above regex then the Radgroupreply says ( Auth-Typ := Reject) Thank you for your time. Dan On Mon, Jul 28, 2014 at 2:15 PM, Alan DeKok <aland@deployingradius.com> wrote:
Dan Fleming wrote:
Thank you I have read through it makes sense. So how do I do something based on the results?
The SQL document talks about "radreply", which lets you do something with the results.
I would like to only authorize a connection if the users password matches and they are connecting to the correct ssid in the av-pair. Is there a HOWTO or other document outlining how to do
that?
No. Because that's a specific solution. The documents describe how the server works, and lets you put it together yourself.
For your situation, the key is to understand that the server accepts users if their password is correct. If you add more conditional checks, the user is still accepted.
The solution is either to:
a) set the "known good" password ONLY if the conditions also match. The SQL documentation describes how to set conditions
b) if the password is stored somewhere else (e.g. LDAP), then you need to REJECT the user if the conditions match.
Alan DeKok. - List info/subscribe/unsubscribe? See
participants (2)
-
Alan DeKok -
Dan Fleming