problem fetching ldap attribute in inner tunnel
Hi everyone, I am doing PEAP with GTC authenticate my LDAP clients, I fetch some attribute in LDAP module and is store it in session-state and later check them in outer post-auth. I am facing this problem in which when client is re-authenticating and the Phase2 is skipped with 'Skipping Phase2 because of session resumption', for expediting the process. The LDAP attribute value is not fetched and hence post-auth doesn't get that value which then fails the authentication(configured like that by me, Set of rules which check value of the attribute and fails by default if none condition is matched or attribute is not fetched) Though I am able to fetch the attribute from elsewhere(running xlat) but I don't want to run it for every user, As I am running EAP-TLS, PAP also in my setup. BR, Anirudh Malhotra Mail: 8zero2.in@gmail.com Facebook: www.facebook.com/8zero2 Twitter: @8zero2_in Blog: blog.8zero2.in
On Apr 9, 2016, at 9:54 PM, Anirudh Malhotra <8zero2ops@gmail.com> wrote:
I am doing PEAP with GTC authenticate my LDAP clients, I fetch some attribute in LDAP module and is store it in session-state and later check them in outer post-auth.
That's good.
I am facing this problem in which when client is re-authenticating and the Phase2 is skipped with 'Skipping Phase2 because of session resumption', for expediting the process. The LDAP attribute value is not fetched and hence post-auth doesn't get that value which then fails the authentication(configured like that by me, Set of rules which check value of the attribute and fails by default if none condition is matched or attribute is not fetched)
You will need to cache those attributes. See the "cache" section of the "eap" module. Alan DeKok.
Hi, So I used the cache section of eap and Cached-Session-Policy is getting cached but somehow is not getting fetched in the subsequent packet. used in default update { User-Name := &reply:User-Name &session-state:wifi := &reply:Cached-Session-Policy } used in inner-tunnel update reply { User-Name = "%{request:User-Name}" Cached-Session-Policy = "%{outer.session-state:wifi}" } (155) Received Access-Request Id 90 from XXXXX:32769 to XXXXX:1812 length 343 (155) User-Name = "XXXX" (155) Chargeable-User-Identity = 0x00 (155) Location-Capable = Civix-Location (155) Calling-Station-Id = "XXXXX" (155) Called-Station-Id = "XXXXX" (155) NAS-Port = 4 (155) Cisco-AVPair = "audit-session-id=0a40c60a0029fe92b5e20b57" (155) Acct-Session-Id = "XXXXX" (155) NAS-IP-Address = XXXXX (155) NAS-Identifier = "XXXXX" (155) Airespace-Wlan-Id = 34 (155) Service-Type = Framed-User (155) Framed-MTU = 1300 (155) NAS-Port-Type = Wireless-802.11 (155) Tunnel-Type:0 = VLAN (155) Tunnel-Medium-Type:0 = IEEE-802 (155) Tunnel-Private-Group-Id:0 = "807" (155) EAP-Message = 0x0203004119001403010001011603010030a12e158d521c9b698161e9ea82f7b23143927840277f1830d0614bc27690aa72bbc32a104bb193ee0bfbe564d53e8f5a (155) State = 0x83aa71c482a968d0320cb2daa34b3bf1 (155) Message-Authenticator = 0x96e37aa278e02cad4e0e8ed05e0bf13c (155) Restoring &session-state (155) &session-state:unique-session-id = 76144 (155) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (155) authorize { (155) if (!&session-state:unique-session-id) { (155) if (!&session-state:unique-session-id) -> FALSE (155) policy filter_username { (155) update control { (155) linelogvar := "request_attrs" (155) } # update control = noop (155) [linelog] = ok (155) if (&User-Name) { (155) if (&User-Name) -> TRUE (155) if (&User-Name) { (155) if (&User-Name =~ /@[^@]*@/ ) { (155) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (155) if (&User-Name =~ /\.\./ ) { (155) if (&User-Name =~ /\.\./ ) -> FALSE (155) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (155) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (155) if (&User-Name =~ /\.$/) { (155) if (&User-Name =~ /\.$/) -> FALSE (155) if (&User-Name =~ /@\./) { (155) if (&User-Name =~ /@\./) -> FALSE (155) } # if (&User-Name) = ok (155) } # policy filter_username = ok (155) eap: Peer sent EAP Response (code 2) ID 3 length 65 (155) eap: Continuing tunnel setup (155) [eap] = ok (155) } # authorize = ok (155) Found Auth-Type = eap (155) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (155) authenticate { (155) eap: Expiring EAP session with state 0x83aa71c482a968d0 (155) eap: Finished EAP session with state 0x83aa71c482a968d0 (155) eap: Previous EAP request found for state 0x83aa71c482a968d0, released from the list (155) eap: Peer sent packet with method EAP PEAP (25) (155) eap: Calling submodule eap_peap to process data (155) eap_peap: Continuing EAP-TLS (155) eap_peap: [eaptls verify] = ok (155) eap_peap: Done initial handshake (155) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001] (155) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished (155) eap_peap: TLS_accept: SSLv3 read finished A (155) eap_peap: (other): SSL negotiation finished successfully (155) eap_peap: SSL Connection Established (155) eap_peap: SSL Application Data (155) eap_peap: Adding cached attributes from session 8693643200304c6dc4ac65acdcf863be1c9683ef191edf40f44e16a9575211a6 (155) eap_peap: reply:User-Name = "XXXX" (155) eap_peap: reply:Cached-Session-Policy = "7" (155) eap_peap: [eaptls process] = success (155) eap_peap: Session established. Decoding tunneled attributes (155) eap_peap: PEAP state TUNNEL ESTABLISHED (155) eap_peap: Skipping Phase2 because of session resumption (155) eap_peap: SUCCESS (155) eap: Sending EAP Request (code 1) ID 4 length 43 (155) eap: EAP session adding &reply:State = 0x83aa71c481ae68d0 (155) [eap] = handled (155) } # authenticate = handled (155) Using Post-Auth-Type Challenge (155) Post-Auth-Type sub-section not found. Ignoring. (155) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (155) session-state: Saving cached attributes (155) unique-session-id = 76144 (155) Sent Access-Challenge Id 90 from XXXXX:1812 to XXXXX:32769 length 0 (155) User-Name = "XXXX" (155) EAP-Message = 0x0104002b190017030100202e4258578386119f3d858e0645f2069e2908381a88e997d1eb2575fffaf7d455 (155) Message-Authenticator = XXXXX (155) State = 0x83aa71c481ae68d0320cb2daa34b3bf1 (155) Finished request (155) Cleaning up request packet ID 90 with timestamp +2221 (156) Received Access-Request Id 91 from XXXXX:32769 to XXXXX:1812 length 321 (156) User-Name = "XXXX" (156) Chargeable-User-Identity = 0x00 (156) Location-Capable = Civix-Location (156) Calling-Station-Id = "XXXXX" (156) Called-Station-Id = "XXXXX" (156) NAS-Port = 4 (156) Cisco-AVPair = "audit-session-id=0a40c60a0029fe92b5e20b57" (156) Acct-Session-Id = "XXXXX" (156) NAS-IP-Address = XXXXX (156) NAS-Identifier = "XXXXX" (156) Airespace-Wlan-Id = 34 (156) Service-Type = Framed-User (156) Framed-MTU = 1300 (156) NAS-Port-Type = Wireless-802.11 (156) Tunnel-Type:0 = VLAN (156) Tunnel-Medium-Type:0 = IEEE-802 (156) Tunnel-Private-Group-Id:0 = "807" (156) EAP-Message = 0x0204002b19001703010020984f9696f0740833946b2c86e0d217c282ae98378bbf9ad96a54e32024e88773 (156) State = 0x83aa71c481ae68d0320cb2daa34b3bf1 (156) Message-Authenticator = 0x67654e881210dd0d4ad47dda94080725 (156) Restoring &session-state (156) &session-state:unique-session-id = 76144 (156) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (156) authorize { (156) if (!&session-state:unique-session-id) { (156) if (!&session-state:unique-session-id) -> FALSE (156) policy filter_username { (156) update control { (156) linelogvar := "request_attrs" (156) } # update control = noop (156) [linelog] = ok (156) if (&User-Name) { (156) if (&User-Name) -> TRUE (156) if (&User-Name) { (156) if (&User-Name =~ /@[^@]*@/ ) { (156) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (156) if (&User-Name =~ /\.\./ ) { (156) if (&User-Name =~ /\.\./ ) -> FALSE (156) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (156) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (156) if (&User-Name =~ /\.$/) { (156) if (&User-Name =~ /\.$/) -> FALSE (156) if (&User-Name =~ /@\./) { (156) if (&User-Name =~ /@\./) -> FALSE (156) } # if (&User-Name) = ok (156) } # policy filter_username = ok (156) eap: Peer sent EAP Response (code 2) ID 4 length 43 (156) eap: Continuing tunnel setup (156) [eap] = ok (156) } # authorize = ok (156) Found Auth-Type = eap (156) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (156) authenticate { (156) eap: Expiring EAP session with state 0x83aa71c481ae68d0 (156) eap: Finished EAP session with state 0x83aa71c481ae68d0 (156) eap: Previous EAP request found for state 0x83aa71c481ae68d0, released from the list (156) eap: Peer sent packet with method EAP PEAP (25) (156) eap: Calling submodule eap_peap to process data (156) eap_peap: Continuing EAP-TLS (156) eap_peap: [eaptls verify] = ok (156) eap_peap: Done initial handshake (156) eap_peap: [eaptls process] = ok (156) eap_peap: Session established. Decoding tunneled attributes (156) eap_peap: PEAP state send tlv success (156) eap_peap: Received EAP-TLV response (156) eap_peap: Success (156) eap_peap: No saved attributes in the original Access-Accept (156) eap: Sending EAP Success (code 3) ID 4 length 4 (156) eap: Freeing handler (156) [eap] = ok (156) } # authenticate = ok (156) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (156) post-auth { (156) update { (156) User-Name := &reply:User-Name -> 'XXXX' ------------------------------> username is update but not the other attribute (156) No attributes updated (156) } # update = noop (156) if (&reply:Cached-Session-Policy) { (156) if (&reply:Cached-Session-Policy) -> FALSE (156) reply_log: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d (156) reply_log: --> /usr/local/var/log/radius/radacct/XXXXX/reply-detail-20160411 (156) reply_log: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/XXXXX/reply-detail-20160411 (156) reply_log: EXPAND %t (156) reply_log: --> Mon Apr 11 23:45:36 2016 (156) [reply_log] = ok (156) sql: EXPAND .query (156) sql: --> .query (156) sql: Using query template 'query' (156) sql: EXPAND %{User-Name} (156) sql: --> XXXX (156) sql: SQL-User-Name set to 'XXXX' (156) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '', '%{reply:Packet-Type}', '%S') (156) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'XXXX', '', 'Access-Accept', '2016-04-11 23:45:36') (156) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'XXXX', '', 'Access-Accept', '2016-04-11 23:45:36') (156) sql: SQL query returned: success (156) sql: 1 record(s) updated (156) [sql] = ok (156) [exec] = noop (156) update control { (156) linelogvar := "request_attrs" (156) } # update control = noop (156) if (&EAP-Type == "TLS") { (156) if (&EAP-Type == "TLS") -> FALSE (156) policy remove_reply_message_if_eap { (156) if (&reply:EAP-Message && &reply:Reply-Message) { (156) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (156) else { (156) [noop] = noop (156) } # else = noop (156) } # policy remove_reply_message_if_eap = noop (156) update control { (156) linelogvar := "Access-Accept" (156) } # update control = noop (156) linelog: EXPAND messages.%{%{control:linelogvar}:-default} (156) linelog: --> messages.Access-Accept (156) linelog: EXPAND /usr/local/var/log/radius/linelog (156) linelog: --> /usr/local/var/log/radius/linelog (156) linelog: EXPAND %{md5:%{Acct-Session-Id},%{session-state:unique-session-id}} Result: Authentication Passed,Access-Accept (156) linelog: --> 8feb837cb2dce75e588bbf56c457d4fa Result: Authentication Passed,Access-Accept (156) [linelog] = ok (156) update control { (156) linelogvar := "auth_result_accept_log" (156) } # update control = noop (156) linelog: EXPAND messages.%{%{control:linelogvar}:-default} (156) linelog: --> messages.auth_result_accept_log (156) linelog: EXPAND /usr/local/var/log/radius/linelog (156) linelog: --> /usr/local/var/log/radius/linelog (156) linelog: EXPAND Access-Request,%T,%{User-Name},%{Calling-Station-Id},%{NAS-IP-Address},%{NAS-Identifier},%{md5:%{Acct-Session-Id},%{session-state:unique-session-id}},Authentication Passed,%{Called-Station-Id} (156) linelog: --> Access-Request,2016-04-11-23.45.36.000000,XXXX,XXXXX,XXXXX,XXXXX,8feb837cb2dce75e588bbf56c457d4fa,Authentication Passed,XXXXX (156) [linelog] = ok (156) update control { (156) linelogvar := "empty_line" (156) } # update control = noop (156) linelog: EXPAND messages.%{%{control:linelogvar}:-default} (156) linelog: --> messages.empty_line (156) linelog: EXPAND /usr/local/var/log/radius/linelog (156) linelog: --> /usr/local/var/log/radius/linelog (156) linelog: EXPAND (156) linelog: --> (156) [linelog] = ok (156) update { (156) session-state:unique-session-id !* ANY (156) } # update = noop (156) } # post-auth = ok (156) Sent Access-Accept Id 91 from XXXXX:1812 to XXXXX:32769 length 0 (156) MS-MPPE-Recv-Key = 0x33c5031d6ac9c255a095a57164047d9b16e490c6545a9fb4bd09ad37d619a592 (156) MS-MPPE-Send-Key = 0x0a338ad1dd02e2fbcfb2580a541db5f70acf7b30a2fc947b7ec3b7fbde7eb96d (156) EAP-Message = 0x03040004 (156) Message-Authenticator = XXXXX (156) User-Name := "XXXX" (156) Finished request (156) Cleaning up request packet ID 91 with timestamp +2221 BR, Anirudh Malhotra Mail: 8zero2.in@gmail.com Facebook: www.facebook.com/8zero2 Twitter: @8zero2_in Blog: blog.8zero2.in On Mon, Apr 11, 2016 at 4:04 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 9, 2016, at 9:54 PM, Anirudh Malhotra <8zero2ops@gmail.com> wrote:
I am doing PEAP with GTC authenticate my LDAP clients, I fetch some attribute in LDAP module and is store it in session-state and later check them in outer post-auth.
That's good.
I am facing this problem in which when client is re-authenticating and the Phase2 is skipped with 'Skipping Phase2 because of session resumption', for expediting the process. The LDAP attribute value is not fetched and hence post-auth doesn't get that value which then fails the authentication(configured like that by me, Set of rules which check value of the attribute and fails by default if none condition is matched or attribute is not fetched)
You will need to cache those attributes. See the "cache" section of the "eap" module.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, Anybody has this working? Can suggest me what am I missing? BR, Anirudh Malhotra 8zero2 Mail: 8zero2.in@gmail.com Facebook: www.facebook.com/8zero2 Twitter: @8zero2_in Blog: blog.8zero2.in On 12 Apr 2016, 00:16 +0530, Anirudh Malhotra<8zero2ops@gmail.com>, wrote:
Hi,
So I used the cache section of eap and Cached-Session-Policy is getting cached but somehow is not getting fetched in the subsequent packet.
used in default update { User-Name :=&reply:User-Name &session-state:wifi :=&reply:Cached-Session-Policy }
used in inner-tunnel update reply { User-Name = "%{request:User-Name}" Cached-Session-Policy = "%{outer.session-state:wifi}" }
(155) Received Access-Request Id 90 from XXXXX:32769 to XXXXX:1812 length 343 (155)User-Name = "XXXX" (155)Chargeable-User-Identity = 0x00 (155)Location-Capable = Civix-Location (155)Calling-Station-Id = "XXXXX" (155)Called-Station-Id = "XXXXX" (155)NAS-Port = 4 (155)Cisco-AVPair = "audit-session-id=0a40c60a0029fe92b5e20b57" (155)Acct-Session-Id = "XXXXX" (155)NAS-IP-Address = XXXXX (155)NAS-Identifier = "XXXXX" (155)Airespace-Wlan-Id = 34 (155)Service-Type = Framed-User (155)Framed-MTU = 1300 (155)NAS-Port-Type = Wireless-802.11 (155)Tunnel-Type:0 = VLAN (155)Tunnel-Medium-Type:0 = IEEE-802 (155)Tunnel-Private-Group-Id:0 = "807" (155)EAP-Message = 0x0203004119001403010001011603010030a12e158d521c9b698161e9ea82f7b23143927840277f1830d0614bc27690aa72bbc32a104bb193ee0bfbe564d53e8f5a (155)State = 0x83aa71c482a968d0320cb2daa34b3bf1 (155)Message-Authenticator = 0x96e37aa278e02cad4e0e8ed05e0bf13c (155) Restoring&session-state (155)&session-state:unique-session-id = 76144 (155) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (155)authorize { (155)if (!&session-state:unique-session-id) { (155)if (!&session-state:unique-session-id)->FALSE (155)policy filter_username { (155)update control { (155)linelogvar := "request_attrs" (155)} # update control = noop (155)[linelog] = ok (155)if (&User-Name) { (155)if (&User-Name)->TRUE (155)if (&User-Name){ (155)if (&User-Name =~ /@[^@]*@/ ) { (155)if (&User-Name =~ /@[^@]*@/ )->FALSE (155)if (&User-Name =~ /\.\./ ) { (155)if (&User-Name =~ /\.\./ )->FALSE (155)if ((&User-Name =~ /@/)&&(&User-Name !~ /@(.+)\.(.+)$/)){ (155)if ((&User-Name =~ /@/)&&(&User-Name !~ /@(.+)\.(.+)$/))->FALSE (155)if (&User-Name =~ /\.$/){ (155)if (&User-Name =~ /\.$/)->FALSE (155)if (&User-Name =~ /@\./){ (155)if (&User-Name =~ /@\./)->FALSE (155)} # if (&User-Name)= ok (155)} # policy filter_username = ok (155) eap: Peer sent EAP Response (code 2) ID 3 length 65 (155) eap: Continuing tunnel setup (155)[eap] = ok (155)} # authorize = ok (155) Found Auth-Type = eap (155) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (155)authenticate { (155) eap: Expiring EAP session with state 0x83aa71c482a968d0 (155) eap: Finished EAP session with state 0x83aa71c482a968d0 (155) eap: Previous EAP request found for state 0x83aa71c482a968d0, released from the list (155) eap: Peer sent packet with method EAP PEAP (25) (155) eap: Calling submodule eap_peap to process data (155) eap_peap: Continuing EAP-TLS (155) eap_peap: [eaptls verify] = ok (155) eap_peap: Done initial handshake (155) eap_peap:<<<recv TLS 1.0 ChangeCipherSpec [length 0001] (155) eap_peap:<<<recv TLS 1.0 Handshake [length 0010], Finished (155) eap_peap: TLS_accept: SSLv3 read finished A (155) eap_peap: (other): SSL negotiation finished successfully (155) eap_peap: SSL Connection Established (155) eap_peap: SSL Application Data (155) eap_peap: Adding cached attributes from session 8693643200304c6dc4ac65acdcf863be1c9683ef191edf40f44e16a9575211a6 (155) eap_peap:reply:User-Name = "XXXX" (155) eap_peap:reply:Cached-Session-Policy = "7" (155) eap_peap: [eaptls process] = success (155) eap_peap: Session established.Decoding tunneled attributes (155) eap_peap: PEAP state TUNNEL ESTABLISHED (155) eap_peap: Skipping Phase2 because of session resumption (155) eap_peap: SUCCESS (155) eap: Sending EAP Request (code 1) ID 4 length 43 (155) eap: EAP session adding&reply:State = 0x83aa71c481ae68d0 (155)[eap] = handled (155)} # authenticate = handled (155) Using Post-Auth-Type Challenge (155) Post-Auth-Type sub-section not found.Ignoring. (155) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (155) session-state: Saving cached attributes (155)unique-session-id = 76144 (155) Sent Access-Challenge Id 90 from XXXXX:1812 to XXXXX:32769 length 0 (155)User-Name = "XXXX" (155)EAP-Message = 0x0104002b190017030100202e4258578386119f3d858e0645f2069e2908381a88e997d1eb2575fffaf7d455 (155)Message-Authenticator = XXXXX (155)State = 0x83aa71c481ae68d0320cb2daa34b3bf1 (155) Finished request (155) Cleaning up request packet ID 90 with timestamp +2221 (156) Received Access-Request Id 91 from XXXXX:32769 to XXXXX:1812 length 321 (156)User-Name = "XXXX" (156)Chargeable-User-Identity = 0x00 (156)Location-Capable = Civix-Location (156)Calling-Station-Id = "XXXXX" (156)Called-Station-Id = "XXXXX" (156)NAS-Port = 4 (156)Cisco-AVPair = "audit-session-id=0a40c60a0029fe92b5e20b57" (156)Acct-Session-Id = "XXXXX" (156)NAS-IP-Address = XXXXX (156)NAS-Identifier = "XXXXX" (156)Airespace-Wlan-Id = 34 (156)Service-Type = Framed-User (156)Framed-MTU = 1300 (156)NAS-Port-Type = Wireless-802.11 (156)Tunnel-Type:0 = VLAN (156)Tunnel-Medium-Type:0 = IEEE-802 (156)Tunnel-Private-Group-Id:0 = "807" (156)EAP-Message = 0x0204002b19001703010020984f9696f0740833946b2c86e0d217c282ae98378bbf9ad96a54e32024e88773 (156)State = 0x83aa71c481ae68d0320cb2daa34b3bf1 (156)Message-Authenticator = 0x67654e881210dd0d4ad47dda94080725 (156) Restoring&session-state (156)&session-state:unique-session-id = 76144 (156) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (156)authorize { (156)if (!&session-state:unique-session-id) { (156)if (!&session-state:unique-session-id)->FALSE (156)policy filter_username { (156)update control { (156)linelogvar := "request_attrs" (156)} # update control = noop (156)[linelog] = ok (156)if (&User-Name) { (156)if (&User-Name)->TRUE (156)if (&User-Name){ (156)if (&User-Name =~ /@[^@]*@/ ) { (156)if (&User-Name =~ /@[^@]*@/ )->FALSE (156)if (&User-Name =~ /\.\./ ) { (156)if (&User-Name =~ /\.\./ )->FALSE (156)if ((&User-Name =~ /@/)&&(&User-Name !~ /@(.+)\.(.+)$/)){ (156)if ((&User-Name =~ /@/)&&(&User-Name !~ /@(.+)\.(.+)$/))->FALSE (156)if (&User-Name =~ /\.$/){ (156)if (&User-Name =~ /\.$/)->FALSE (156)if (&User-Name =~ /@\./){ (156)if (&User-Name =~ /@\./)->FALSE (156)} # if (&User-Name)= ok (156)} # policy filter_username = ok (156) eap: Peer sent EAP Response (code 2) ID 4 length 43 (156) eap: Continuing tunnel setup (156)[eap] = ok (156)} # authorize = ok (156) Found Auth-Type = eap (156) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (156)authenticate { (156) eap: Expiring EAP session with state 0x83aa71c481ae68d0 (156) eap: Finished EAP session with state 0x83aa71c481ae68d0 (156) eap: Previous EAP request found for state 0x83aa71c481ae68d0, released from the list (156) eap: Peer sent packet with method EAP PEAP (25) (156) eap: Calling submodule eap_peap to process data (156) eap_peap: Continuing EAP-TLS (156) eap_peap: [eaptls verify] = ok (156) eap_peap: Done initial handshake (156) eap_peap: [eaptls process] = ok (156) eap_peap: Session established.Decoding tunneled attributes (156) eap_peap: PEAP state send tlv success (156) eap_peap: Received EAP-TLV response (156) eap_peap: Success (156) eap_peap: No saved attributes in the original Access-Accept (156) eap: Sending EAP Success (code 3) ID 4 length 4 (156) eap: Freeing handler (156)[eap] = ok (156)} # authenticate = ok (156) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (156)post-auth { (156)update { (156)User-Name :=&reply:User-Name ->'XXXX'------------------------------>username is update but not the other attribute (156)No attributes updated (156)} # update = noop (156)if (&reply:Cached-Session-Policy) { (156)if (&reply:Cached-Session-Policy)->FALSE (156) reply_log: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d (156) reply_log:-->/usr/local/var/log/radius/radacct/XXXXX/reply-detail-20160411 (156) reply_log: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/XXXXX/reply-detail-20160411 (156) reply_log: EXPAND %t (156) reply_log:-->Mon Apr 11 23:45:36 2016 (156)[reply_log] = ok (156) sql: EXPAND .query (156) sql:-->.query (156) sql: Using query template 'query' (156) sql: EXPAND %{User-Name} (156) sql:-->XXXX (156) sql: SQL-User-Name set to 'XXXX' (156) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '', '%{reply:Packet-Type}', '%S') (156) sql:-->INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'XXXX', '', 'Access-Accept', '2016-04-11 23:45:36') (156) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'XXXX', '', 'Access-Accept', '2016-04-11 23:45:36') (156) sql: SQL query returned: success (156) sql: 1 record(s) updated (156)[sql] = ok (156)[exec] = noop (156)update control { (156)linelogvar := "request_attrs" (156)} # update control = noop (156)if (&EAP-Type == "TLS") { (156)if (&EAP-Type == "TLS")->FALSE (156)policy remove_reply_message_if_eap { (156)if (&reply:EAP-Message&&&reply:Reply-Message) { (156)if (&reply:EAP-Message&&&reply:Reply-Message)->FALSE (156)else { (156)[noop] = noop (156)} # else = noop (156)} # policy remove_reply_message_if_eap = noop (156)update control { (156)linelogvar := "Access-Accept" (156)} # update control = noop (156) linelog: EXPAND messages.%{%{control:linelogvar}:-default} (156) linelog:-->messages.Access-Accept (156) linelog: EXPAND /usr/local/var/log/radius/linelog (156) linelog:-->/usr/local/var/log/radius/linelog (156) linelog: EXPAND %{md5:%{Acct-Session-Id},%{session-state:unique-session-id}} Result: Authentication Passed,Access-Accept (156) linelog:-->8feb837cb2dce75e588bbf56c457d4fa Result: Authentication Passed,Access-Accept (156)[linelog] = ok (156)update control { (156)linelogvar := "auth_result_accept_log" (156)} # update control = noop (156) linelog: EXPAND messages.%{%{control:linelogvar}:-default} (156) linelog:-->messages.auth_result_accept_log (156) linelog: EXPAND /usr/local/var/log/radius/linelog (156) linelog:-->/usr/local/var/log/radius/linelog (156) linelog: EXPAND Access-Request,%T,%{User-Name},%{Calling-Station-Id},%{NAS-IP-Address},%{NAS-Identifier},%{md5:%{Acct-Session-Id},%{session-state:unique-session-id}},Authentication Passed,%{Called-Station-Id} (156) linelog:-->Access-Request,2016-04-11-23.45.36.000000,XXXX,XXXXX,XXXXX,XXXXX,8feb837cb2dce75e588bbf56c457d4fa,Authentication Passed,XXXXX (156)[linelog] = ok (156)update control { (156)linelogvar := "empty_line" (156)} # update control = noop (156) linelog: EXPAND messages.%{%{control:linelogvar}:-default} (156) linelog:-->messages.empty_line (156) linelog: EXPAND /usr/local/var/log/radius/linelog (156) linelog:-->/usr/local/var/log/radius/linelog (156) linelog: EXPAND (156) linelog:--> (156)[linelog] = ok (156)update { (156)session-state:unique-session-id !* ANY (156)} # update = noop (156)} # post-auth = ok (156) Sent Access-Accept Id 91 from XXXXX:1812 to XXXXX:32769 length 0 (156)MS-MPPE-Recv-Key = 0x33c5031d6ac9c255a095a57164047d9b16e490c6545a9fb4bd09ad37d619a592 (156)MS-MPPE-Send-Key = 0x0a338ad1dd02e2fbcfb2580a541db5f70acf7b30a2fc947b7ec3b7fbde7eb96d (156)EAP-Message = 0x03040004 (156)Message-Authenticator = XXXXX (156)User-Name := "XXXX" (156) Finished request (156) Cleaning up request packet ID 91 with timestamp +2221
BR, Anirudh Malhotra Mail:8zero2.in@gmail.com(mailto:8zero2.in@gmail.com) Facebook:www.facebook.com/8zero2(http://www.facebook.com/8zero2) Twitter: @8zero2_in Blog:blog.8zero2.in(http://blog.8zero2.in/)
On Mon, Apr 11, 2016 at 4:04 AM, Alan DeKok<aland@deployingradius.com(mailto:aland@deployingradius.com)>wrote:
On Apr 9, 2016, at 9:54 PM, Anirudh Malhotra<8zero2ops@gmail.com(mailto:8zero2ops@gmail.com)>wrote:
I am doing PEAP with GTC authenticate my LDAP clients, I fetch some attribute in LDAP module and is store it in session-state and later check them in outer post-auth.
That's good.
I am facing this problem in which when client is re-authenticating and the Phase2 is skipped with'Skipping Phase2 because of session resumption', for expediting the process. The LDAP attribute value is not fetched and hence post-auth doesn't get that value which then fails the authentication(configured like that by me, Set of rules which check value of the attribute and fails by default if none condition is matched or attribute is not fetched)
You will need to cache those attributes.See the "cache" section of the "eap" module.
Alan DeKok.
- List info/subscribe/unsubscribe? Seehttp://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Anirudh Malhotra