Hi everyone, I am trying to map an attribute from ldap to freeradius control did this update { control:wifi := 'wifi' } getting this when parsing ldap (446) ldap: Processing user attributes (446) ldap: control:wifi := '5' created this wifi attribute in dictionary as well and when I am trying to use this in post auth in default but that is giving me an error (80) elsif ((control:wifi == "1") || (control:wifi == "5")) { (80) ERROR: Failed retrieving values required to evaluate condition I am missing something, maybe something very elementary sorry for that :p I am doing PEAP-GTC using LDAP by the way, so I though may be ldap is getting pasrsed inside inner-tunnel that is why i tried update { outer.control:wifi := 'wifi' } (437) ldap: Processing user attributes (437) ldap: outer.control:wifi := '5' elsif ((outer.control:wifi == "1") || (outer.control:wifi == "5")) { (71) ERROR: Failed retrieving values required to evaluate condition but still the same problem, please help BR, Anirudh Malhotra Mail: 8zero2.in@gmail.com Facebook: www.facebook.com/8zero2 Twitter: @8zero2_in Blog: blog.8zero2.in
On Mar 30, 2016, at 11:27 AM, Anirudh Malhotra <8zero2ops@gmail.com> wrote:
I am trying to map an attribute from ldap to freeradius control did this update { control:wifi := 'wifi' }
getting this when parsing ldap (446) ldap: Processing user attributes (446) ldap: control:wifi := '5'
That's good.
created this wifi attribute in dictionary as well
That's good.
and when I am trying to use this in post auth in default but that is giving me an error
(80) elsif ((control:wifi == "1") || (control:wifi == "5")) { (80) ERROR: Failed retrieving values required to evaluate condition
Read the debug output to see why. ALL OF IT.
I am missing something, maybe something very elementary sorry for that :p
Yes. You probably put the rules which create control:wifi AFTER the tools which look at it. You can't look at it if it doesn't exist.
I am doing PEAP-GTC using LDAP by the way, so I though may be ldap is getting pasrsed inside inner-tunnel
Your entire approach is wrong. There is no "may be". The server doesn't work randomly. The answer to your question is in the debug output. READ IT.
but still the same problem, please help
Read the debug output. I still don't know why people try to solve problems without looking at the debug output. The answers are there. If you're ignoring the debug output, you're wasting everyones time. Alan DeKok.
Hi Thanks for your prompt reply couple of questions, when using eap inner tunned would be used right? so ldap module when called and some control attributes are updated these are going to updated in the inner control or the outer control(or there is no such thing) and attributes are copied? Also the unlang which i ran was in post auth so that is the end of the request and ldap is parsed above it, so could that be a problem which u suggested in your previous reply. Secondly could the data type of ldap attribute(integer or string) affect the unlang would treat the attribute? BR, Anirudh Malhotra Mail: 8zero2.in@gmail.com Facebook: www.facebook.com/8zero2 Twitter: @8zero2_in Blog: blog.8zero2.in On Wed, Mar 30, 2016 at 9:02 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 30, 2016, at 11:27 AM, Anirudh Malhotra <8zero2ops@gmail.com> wrote:
I am trying to map an attribute from ldap to freeradius control did this update { control:wifi := 'wifi' }
getting this when parsing ldap (446) ldap: Processing user attributes (446) ldap: control:wifi := '5'
That's good.
created this wifi attribute in dictionary as well
That's good.
and when I am trying to use this in post auth in default but that is giving me an error
(80) elsif ((control:wifi == "1") || (control:wifi == "5")) { (80) ERROR: Failed retrieving values required to evaluate condition
Read the debug output to see why. ALL OF IT.
I am missing something, maybe something very elementary sorry for that :p
Yes. You probably put the rules which create control:wifi AFTER the tools which look at it.
You can't look at it if it doesn't exist.
I am doing PEAP-GTC using LDAP by the way, so I though may be ldap is getting pasrsed inside inner-tunnel
Your entire approach is wrong. There is no "may be". The server doesn't work randomly.
The answer to your question is in the debug output. READ IT.
but still the same problem, please help
Read the debug output.
I still don't know why people try to solve problems without looking at the debug output. The answers are there. If you're ignoring the debug output, you're wasting everyones time.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 30, 2016, at 11:47 AM, Anirudh Malhotra <8zero2ops@gmail.com> wrote:
when using eap inner tunned would be used right?
It depends on the EAP method.
so ldap module when called and some control attributes are updated these are going to updated in the inner control or the outer control(or there is no such thing) and attributes are copied?
If you configured it that way.
Also the unlang which i ran was in post auth so that is the end of the request and ldap is parsed above it, so could that be a problem which u suggested in your previous reply.
No, that's not what I said.
Secondly could the data type of ldap attribute(integer or string) affect the unlang would treat the attribute?
No. You're doing everything *except* looking at the debug output. You need to either follow instructions, or to stop asking questions on this list. Alan DeKok.
Hi Alan, Sorry for making you angry, but I am looking at the debug logs very carefully from the starting. I had to take permissions to post them here, That is why I was asking those questions. Again I apologise for asking probably wrong questions, I just thought the thing I posted was enough. But here is the debug in which ldap module is called and unlang is called, if you could please help me in finding my mistake, I have marked to relevant information in red Waking up in 4.9 seconds. (8) Received Access-Request Id 150 from XXXXXXX:32769 to XXXXXXX:1812 length 337 (8) User-Name = "XXXXXXX" (8) Chargeable-User-Identity = 0x00 (8) Location-Capable = Civix-Location (8) Calling-Station-Id = "XXXXXXX" (8) Called-Station-Id = "XXXXXXX" (8) NAS-Port = 4 (8) Cisco-AVPair = "audit-session-id=0a40c60a002395c88e03fc56" (8) Acct-Session-Id = "56fc038e/XXXXXXX/1349574" (8) NAS-IP-Address = XXXXXXX (8) NAS-Identifier = "XXXXXXX" (8) Airespace-Wlan-Id = 34 (8) Service-Type = Framed-User (8) Framed-MTU = 1300 (8) NAS-Port-Type = Wireless-802.11 (8) Tunnel-Type:0 = VLAN (8) Tunnel-Medium-Type:0 = IEEE-802 (8) Tunnel-Private-Group-Id:0 = "XXXXXXX" (8) EAP-Message = 0x0208002b1900170301002056f3330d56a405e14a56351e0016809d0fa578294eb6a15607f6e1b7d13d1fc8 (8) State = 0xe36bb03de563a931219d4aaf40ddcdc2 (8) Message-Authenticator = 0xbb491e6269085a6550c988322b7a5122 (8) session-state: No cached attributes (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (8) authorize { (8) policy filter_username { (8) update control { (8) linelogvar := "request_attrs" (8) } # update control = noop (8) linelog: EXPAND messages.%{%{control:linelogvar}:-default} (8) linelog: --> messages.request_attrs (8) linelog: EXPAND /usr/local/var/log/radius/linelog (8) linelog: --> /usr/local/var/log/radius/linelog (8) linelog: EXPAND %{User-Name},%{Calling-Station-Id},%{Called-Station-Id},%{NAS-Port},%{Acct-Session-Id},%{NAS-IP-Address},%{NAS-Identifier},%{Airespace-Wlan-Id},%{Service-Type},%{Framed-MTU},%{NAS-Port-Type},%{Tunnel-Type:0},%{Tunnel-Medium-Type:0},%{Tunnel-Private-Group-Id:0},%T,%{md5:%T,%{Calling-Station-Id}} (8) linelog: --> XXXXXXX,XXXXXXX,XXXXXXX,4,56fc038e/XXXXXXX/1349574,XXXXXXX,XXXXXXX,34,Framed-User,1300,Wireless-802.11,VLAN,IEEE-802,XXXXXXX,2016-03-30-22.18.47.000000,e042f9def033579c3d4e304b73cd31db (8) [linelog] = ok (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = ok (8) if ((User-Name =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) && (Service-Type == "Call-Check" )) { (8) if ((User-Name =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) && (Service-Type == "Call-Check" )) -> FALSE (8) } # policy filter_username = ok (8) [preprocess] = ok (8) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (8) auth_log: --> /usr/local/var/log/radius/radacct/XXXXXXX/auth-detail-20160330 (8) auth_log: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/XXXXXXX/auth-detail-20160330 (8) auth_log: EXPAND %t (8) auth_log: --> Wed Mar 30 22:18:47 2016 (8) [auth_log] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "XXXXXXX", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 8 length 43 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x1752f35a175af5a6 (8) eap: Finished EAP session with state 0xe36bb03de563a931 (8) eap: Previous EAP request found for state 0xe36bb03de563a931, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method GTC (6) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x0208000f064b6170696c4031333839 (8) eap_peap: Setting User-Name to XXXXXXX (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x0208000f064b6170696c4031333839 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "XXXXXXX" (8) eap_peap: State = 0x1752f35a175af5a68cefacfb12f667e9 (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x0208000f064b6170696c4031333839 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "XXXXXXX" (8) State = 0x1752f35a175af5a68cefacfb12f667e9 (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) update control { (8) linelogvar := "request_attrs" (8) } # update control = noop (8) linelog: EXPAND messages.%{%{control:linelogvar}:-default} (8) linelog: --> messages.request_attrs (8) linelog: EXPAND /usr/local/var/log/radius/linelog (8) linelog: --> /usr/local/var/log/radius/linelog (8) linelog: EXPAND %{User-Name},%{Calling-Station-Id},%{Called-Station-Id},%{NAS-Port},%{Acct-Session-Id},%{NAS-IP-Address},%{NAS-Identifier},%{Airespace-Wlan-Id},%{Service-Type},%{Framed-MTU},%{NAS-Port-Type},%{Tunnel-Type:0},%{Tunnel-Medium-Type:0},%{Tunnel-Private-Group-Id:0},%T,%{md5:%T,%{Calling-Station-Id}} (8) linelog: --> XXXXXXX,,,,,,,,,,,,,,2016-03-30-22.18.47.000000,c13a6b07eeffc487a39e58a748bcce06 (8) [linelog] = ok (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = ok (8) if ((User-Name =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) && (Service-Type == "Call-Check" )) { (8) if ((User-Name =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) && (Service-Type == "Call-Check" )) -> FALSE (8) } # policy filter_username = ok (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "XXXXXXX", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 8 length 15 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop (8) sql: EXPAND %{User-Name} (8) sql: --> XXXXXXX (8) sql: SQL-User-Name set to 'XXXXXXX' rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 76 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 76 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 76 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 76 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 76 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 76 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (6), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.48-MariaDB, protocol version 10 rlm_sql (sql): Reserved connection (6) (8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (8) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'XXXXXXX' ORDER BY id (8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'XXXXXXX' ORDER BY id (8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (8) sql: --> SELECT groupname FROM radusergroup WHERE username = 'XXXXXXX' ORDER BY priority (8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'XXXXXXX' ORDER BY priority (8) sql: User not found in any groups rlm_sql (sql): Released connection (6) rlm_sql (sql): Need 2 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (7), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.48-MariaDB, protocol version 10 (8) [sql] = notfound rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 76 seconds rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 76 seconds rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 76 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 76 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 76 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to XXXXXXX rlm_ldap (ldap): Waiting for bind result... ber_get_next failed. rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (5) (8) ldap: EXPAND (|(mail=%{%{Stripped-User-Name}:-%{User-Name}})(mailEquivalentAddress=%{%{Stripped-User-Name}:-%{User-Name}})(uid=%{%{Stripped-User-Name}:-%{User-Name}})) (8) ldap: --> (|(mail=XXXXXXX)(mailEquivalentAddress=XXXXXXX)(uid=XXXXXXX)) (8) ldap: Performing search in "o=nic.in,dc=nic,dc=in" with filter "(|(mail=XXXXXXX)(mailEquivalentAddress=XXXXXXX)(uid=XXXXXXX))", scope "sub" (8) ldap: Waiting for search result... ber_get_next failed. ber_get_next failed. (8) ldap: User object found at DN "uid=XXXXXXX,ou=XXXXXXX" (8) ldap: Processing user attributes (8) ldap: control:wifi := '7' (8) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (5) rlm_ldap (ldap): Need 2 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (6), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to XXXXXXX rlm_ldap (ldap): Waiting for bind result... ber_get_next failed. rlm_ldap (ldap): Bind successful (8) [ldap] = updated (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0x1752f35a175af5a6 (8) eap: Finished EAP session with state 0x1752f35a175af5a6 (8) eap: Previous EAP request found for state 0x1752f35a175af5a6, released from the list (8) eap: Peer sent packet with method EAP GTC (6) (8) eap: Calling submodule eap_gtc to process data (8) eap_gtc: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (8) eap_gtc: Auth-Type LDAP { rlm_ldap (ldap): Reserved connection (5) (8) ldap: Login attempt by "XXXXXXX" (8) ldap: Using user DN from request "uid=XXXXXXX,ou=XXXXXXX" (8) ldap: Waiting for bind result... ber_get_next failed. (8) ldap: Bind successful (8) ldap: Bind as user "uid=XXXXXXX,ou=XXXXXXX" was successful rlm_ldap (ldap): Released connection (5) (8) [ldap] = ok (8) } # Auth-Type LDAP = ok (8) eap: Sending EAP Success (code 3) ID 8 length 4 (8) eap: Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (8) post-auth { (8) sql: EXPAND .query (8) sql: --> .query (8) sql: Using query template 'query' rlm_sql (sql): Reserved connection (6) (8) sql: EXPAND %{User-Name} (8) sql: --> XXXXXXX (8) sql: SQL-User-Name set to 'XXXXXXX' (8) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (8) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'XXXXXXX', 'XXXXXXX', 'Access-Accept', '2016-03-30 22:18:47') (8) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'XXXXXXX', 'XXXXXXX', 'Access-Accept', '2016-03-30 22:18:47') (8) sql: SQL query returned: success (8) sql: 1 record(s) updated rlm_sql (sql): Released connection (6) (8) [sql] = ok (8) } # post-auth = ok (8) } # server inner-tunnel (8) Virtual server sending reply (8) EAP-Message = 0x03080004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) User-Name = "XXXXXXX" (8) eap_peap: Got tunneled reply code 2 (8) eap_peap: EAP-Message = 0x03080004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: User-Name = "XXXXXXX" (8) eap_peap: Got tunneled reply RADIUS code 2 (8) eap_peap: EAP-Message = 0x03080004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: User-Name = "XXXXXXX" (8) eap_peap: Tunneled authentication was successful (8) eap_peap: SUCCESS (8) eap: Sending EAP Request (code 1) ID 9 length 43 (8) eap: EAP session adding &reply:State = 0xe36bb03de462a931 (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (8) Sent Access-Challenge Id 150 from XXXXXXX:1812 to XXXXXXX:32769 length 0 (8) EAP-Message = 0x0109002b19001703010020a745019fca4818ea30f0e0f6e52566ddef61d8e0063d7cd291953cce65163e37 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xe36bb03de462a931219d4aaf40ddcdc2 (8) Finished request Waking up in 4.8 seconds. (9) Received Access-Request Id 151 from XXXXXXX:32769 to XXXXXXX:1812 length 337 (9) User-Name = "XXXXXXX" (9) Chargeable-User-Identity = 0x00 (9) Location-Capable = Civix-Location (9) Calling-Station-Id = "XXXXXXX" (9) Called-Station-Id = "XXXXXXX" (9) NAS-Port = 4 (9) Cisco-AVPair = "audit-session-id=0a40c60a002395c88e03fc56" (9) Acct-Session-Id = "56fc038e/XXXXXXX/1349574" (9) NAS-IP-Address = XXXXXXX (9) NAS-Identifier = "XXXXXXX" (9) Airespace-Wlan-Id = 34 (9) Service-Type = Framed-User (9) Framed-MTU = 1300 (9) NAS-Port-Type = Wireless-802.11 (9) Tunnel-Type:0 = VLAN (9) Tunnel-Medium-Type:0 = IEEE-802 (9) Tunnel-Private-Group-Id:0 = "XXXXXXX" (9) EAP-Message = 0x0209002b19001703010020aa02bff51b2622bd8427c864799bae941f9eda6e20db96dbfe5192cbcd424504 (9) State = 0xe36bb03de462a931219d4aaf40ddcdc2 (9) Message-Authenticator = 0x56d99d69897d457fa7537c194a490584 (9) session-state: No cached attributes (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (9) authorize { (9) policy filter_username { (9) update control { (9) linelogvar := "request_attrs" (9) } # update control = noop (9) linelog: EXPAND messages.%{%{control:linelogvar}:-default} (9) linelog: --> messages.request_attrs (9) linelog: EXPAND /usr/local/var/log/radius/linelog (9) linelog: --> /usr/local/var/log/radius/linelog (9) linelog: EXPAND %{User-Name},%{Calling-Station-Id},%{Called-Station-Id},%{NAS-Port},%{Acct-Session-Id},%{NAS-IP-Address},%{NAS-Identifier},%{Airespace-Wlan-Id},%{Service-Type},%{Framed-MTU},%{NAS-Port-Type},%{Tunnel-Type:0},%{Tunnel-Medium-Type:0},%{Tunnel-Private-Group-Id:0},%T,%{md5:%T,%{Calling-Station-Id}} (9) linelog: --> XXXXXXX,XXXXXXX,XXXXXXX,4,56fc038e/XXXXXXX/1349574,XXXXXXX,XXXXXXX,34,Framed-User,1300,Wireless-802.11,VLAN,IEEE-802,XXXXXXX,2016-03-30-22.18.47.000000,e042f9def033579c3d4e304b73cd31db (9) [linelog] = ok (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = ok (9) if ((User-Name =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) && (Service-Type == "Call-Check" )) { (9) if ((User-Name =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) && (Service-Type == "Call-Check" )) -> FALSE (9) } # policy filter_username = ok (9) [preprocess] = ok (9) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (9) auth_log: --> /usr/local/var/log/radius/radacct/XXXXXXX/auth-detail-20160330 (9) auth_log: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/XXXXXXX/auth-detail-20160330 (9) auth_log: EXPAND %t (9) auth_log: --> Wed Mar 30 22:18:47 2016 (9) [auth_log] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "XXXXXXX", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 9 length 43 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0xe36bb03de462a931 (9) eap: Finished EAP session with state 0xe36bb03de462a931 (9) eap: Previous EAP request found for state 0xe36bb03de462a931, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv success (9) eap_peap: Received EAP-TLV response (9) eap_peap: Success (9) eap_peap: No information to cache: session caching will be disabled for session 189621f6108cf110e1734e2e6926c30fac3d3204884d0327242e3ab13243de13 (9) eap: Sending EAP Success (code 3) ID 9 length 4 (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (9) post-auth { (9) update { (9) No attributes updated (9) } # update = noop (9) if ((User-Name =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) && (Service-Type == "Call-Check")) { (9) if ((User-Name =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) && (Service-Type == "Call-Check")) -> FALSE (9) elsif ((Called-Station-Id =~ /XXXXXXX$/) && (("%{control:wifi}" == "7") || ("%{control:wifi}" == "5"))) { (9) ERROR: Failed retrieving values required to evaluate condition (9) else { (9) [reject] = reject (9) } # else = reject (9) } # post-auth = reject (9) Using Post-Auth-Type Reject (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (9) Post-Auth-Type REJECT { (9) if ("%{control:linelogvar}" == "auth_type_pap"){ (9) if ("%{control:linelogvar}" == "auth_type_pap") -> FALSE (9) update control { (9) linelogvar := "Access-Reject" (9) } # update control = noop (9) linelog: EXPAND messages.%{%{control:linelogvar}:-default} (9) linelog: --> messages.Access-Reject (9) linelog: EXPAND /usr/local/var/log/radius/linelog (9) linelog: --> /usr/local/var/log/radius/linelog (9) linelog: EXPAND %{md5:%T,%{Calling-Station-Id}} Result: Authentication Failed,Access-Reject (9) linelog: --> e042f9def033579c3d4e304b73cd31db Result: Authentication Failed,Access-Reject (9) [linelog] = ok (9) update control { (9) linelogvar := "auth_result_reject_log" (9) } # update control = noop (9) linelog: EXPAND messages.%{%{control:linelogvar}:-default} (9) linelog: --> messages.auth_result_reject_log (9) linelog: EXPAND /usr/local/var/log/radius/linelog (9) linelog: --> /usr/local/var/log/radius/linelog (9) linelog: EXPAND Access-Request,%T,%{User-Name},%{Calling-Station-Id},%{NAS-IP-Address},%{NAS-Identifier},%{md5:%T,%{Calling-Station-Id}},Authentication Failed,%{Called-Station-Id} (9) linelog: --> Access-Request,2016-03-30-22.18.47.000000,XXXXXXX,XXXXXXX,XXXXXXX,XXXXXXX,e042f9def033579c3d4e304b73cd31db,Authentication Failed,XXXXXXX (9) [linelog] = ok (9) update control { (9) linelogvar := "empty_line" (9) } # update control = noop (9) linelog: EXPAND messages.%{%{control:linelogvar}:-default} (9) linelog: --> messages.empty_line (9) linelog: EXPAND /usr/local/var/log/radius/linelog (9) linelog: --> /usr/local/var/log/radius/linelog (9) linelog: EXPAND (9) linelog: --> (9) [linelog] = ok (9) sql: EXPAND .query (9) sql: --> .query (9) sql: Using query template 'query' rlm_sql (sql): Reserved connection (7) (9) sql: EXPAND %{User-Name} (9) sql: --> XXXXXXX (9) sql: SQL-User-Name set to 'XXXXXXX' (9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (9) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'XXXXXXX', '', 'Access-Accept', '2016-03-30 22:18:47') (9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'XXXXXXX', '', 'Access-Accept', '2016-03-30 22:18:47') (9) sql: SQL query returned: success (9) sql: 1 record(s) updated rlm_sql (sql): Released connection (7) (9) [sql] = ok (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> XXXXXXX (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) [eap] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 151 from XXXXXXX:1812 to XXXXXXX:32769 length 44 (9) EAP-Message = 0x03090004 (9) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. (1) Cleaning up request packet ID 143 with timestamp +76 (2) Cleaning up request packet ID 144 with timestamp +76 (3) Cleaning up request packet ID 145 with timestamp +76 (4) Cleaning up request packet ID 146 with timestamp +76 (5) Cleaning up request packet ID 147 with timestamp +76 (6) Cleaning up request packet ID 148 with timestamp +76 (7) Cleaning up request packet ID 149 with timestamp +76 Waking up in 0.1 seconds. (8) Cleaning up request packet ID 150 with timestamp +76 (9) Cleaning up request packet ID 151 with timestamp +76 ldap config ldap { update { control:Password-With-Header += 'userPassword' control:wifi := 'wifi' # control:NT-Password := 'ntPassword' # reply:Reply-Message := 'radiusReplyMessage' # reply:Tunnel-Type := 'radiusTunnelType' # reply:Tunnel-Medium-Type := 'radiusTunnelMediumType' # reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId' # Where only a list is specified as the RADIUS attribute, # the value of the LDAP attribute is parsed as a valuepair # in the same format as the 'valuepair_attribute' (above). control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' } } I tried using xlat also but that also is not helping. BR, Anirudh Malhotra Mail: 8zero2.in@gmail.com Facebook: www.facebook.com/8zero2 Twitter: @8zero2_in Blog: blog.8zero2.in On Thu, Mar 31, 2016 at 1:56 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 30, 2016, at 11:47 AM, Anirudh Malhotra <8zero2ops@gmail.com> wrote:
when using eap inner tunned would be used right?
It depends on the EAP method.
so ldap module when called and some control attributes are updated these are going to updated in the inner control or the outer control(or there is no such thing) and attributes are copied?
If you configured it that way.
Also the unlang which i ran was in post auth so that is the end of the request and ldap is parsed above it, so could that be a problem which u suggested in your previous reply.
No, that's not what I said.
Secondly could the data type of ldap attribute(integer or string) affect the unlang would treat the attribute?
No.
You're doing everything *except* looking at the debug output.
You need to either follow instructions, or to stop asking questions on this list.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 31, 2016, at 12:29 AM, Anirudh Malhotra <8zero2ops@gmail.com> wrote:
Sorry for making you angry, but I am looking at the debug logs very carefully from the starting.
I'm not angry. I'm telling you you need to read the debug logs. Because so far, it looks like you're not reading them. i.e. your questions are answered by reading the debug logs.
I had to take permissions to post them here, That is why I was asking those questions. Again I apologise for asking probably wrong questions, I just thought the thing I posted was enough.
Since you were told REPEATEDLY to post / read the debug logs. No, what you posted wasn't enough.
But here is the debug in which ldap module is called and unlang is called, if you could please help me in finding my mistake, I have marked to relevant information in red
The list strips HTML. The debug logs shows what I suspected. You're not reading it. Packet 8 shows it using LDAP and setting control:wifi. Then in packet 9, it checks control:wifi. Which doesn't exist. In case you hadn't noticed, each packet is processed independently. If you want control:wifi to be available in packet 9, you either have to cache the results from packet 8, or run ldap when packet 9 is received. In recent versions of the server, see raddb/sites-available/default. Look for "session-state". Alan DeKok.
Hi, Alan yes thats what i was suspecting that my inner tunnel attributes were not getting to outer virtual server. That is why remember i tried outer.control in my first mail, so i was on the right track but was doing it with the wrong approach i know i didnt read that i can use tunnelled reply(depreciated) or as u said session-state and not control as its not cached. So i was able to achieve what i wanted. Apologies again for asking bad question and not reading the document properly(i read the debug properly though :p) One small question if i am using session-state only to cache username Like: Update { outer.session-state:User-Name :=&User-Name } Do i still need to unset MS-MPPE attributes? BR, Anirudh Malhotra 8zero2 Mail: 8zero2.in@gmail.com Facebook: www.facebook.com/8zero2 Twitter: @8zero2_in Blog: blog.8zero2.in On 31 Mar 2016, 19:14 +0530, Alan DeKok<aland@deployingradius.com>, wrote:
On Mar 31, 2016, at 12:29 AM, Anirudh Malhotra<8zero2ops@gmail.com>wrote:
Sorry for making you angry, but I am looking at the debug logs very carefully from the starting.
I'm not angry. I'm telling you you need to read the debug logs. Because so far, it looks like you're not reading them.
i.e. your questions are answered by reading the debug logs.
I had to take permissions to post them here, That is why I was asking those questions. Again I apologise for asking probably wrong questions, I just thought the thing I posted was enough.
Since you were told REPEATEDLY to post / read the debug logs. No, what you posted wasn't enough.
But here is the debug in which ldap module is called and unlang is called, if you could please help me in finding my mistake, I have marked to relevant information in red
The list strips HTML.
The debug logs shows what I suspected. You're not reading it.
Packet 8 shows it using LDAP and setting control:wifi. Then in packet 9, it checks control:wifi. Which doesn't exist.
In case you hadn't noticed, each packet is processed independently. If you want control:wifi to be available in packet 9, you either have to cache the results from packet 8, or run ldap when packet 9 is received.
In recent versions of the server, see raddb/sites-available/default. Look for "session-state".
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 31, 2016, at 10:37 AM, Anirudh Malhotra <8zero2ops@gmail.com> wrote:
Alan yes thats what i was suspecting that my inner tunnel attributes were not getting to outer virtual server. That is why remember i tried outer.control in my first mail, so i was on the right track but was doing it with the wrong approach i know i didnt read that i can use tunnelled reply(depreciated) or as u said session-state and not control as its not cached. So i was able to achieve what i wanted.
That's good.
Apologies again for asking bad question and not reading the document properly(i read the debug properly though :p)
One small question if i am using session-state only to cache username Like: Update { outer.session-state:User-Name :=&User-Name } Do i still need to unset MS-MPPE attributes?
Yes. Alan DeKok.
participants (2)
-
Alan DeKok -
Anirudh Malhotra