Hello Everybody, I am configuring my freeradius to be integrated in the EDUROAM federation. It works when the VLAN (as configured in the accesspoint) is statically assigned. Now I would like to implement a "dynamic vlan assignment" on a per user basis; in this case the Macintosh I am using for test gets authenticated but is not able to get the ip address frm DHCP (it shows as 169.254.120.248), so remaing isolated. I carefully followed instructions (regarding the accesspoint and freeradius) and searched the web for a possible reason, but unsuccessfully. I am not sure the problem is not in the accesspoint configuration (a CISCO AP1131AG), anyway the accesspoint receives the indication to use the specified vlan. I will appreciate any suggestion you would like to provide Thanks and regards Dario P.S.: I know the request is quite generic, but I am ready to provide radius log, or configuration files.
On 19 Jul 2013, at 14:37, Dario Palmisano <Dario.Palmisano@icgeb.org> wrote:
Hello Everybody,
I am configuring my freeradius to be integrated in the EDUROAM federation. It works when the VLAN (as configured in the accesspoint) is statically assigned.
Now I would like to implement a "dynamic vlan assignment" on a per user basis; in this case the Macintosh I am using for test gets authenticated but is not able to get the ip address frm DHCP (it shows as 169.254.120.248), so remaing isolated.
I carefully followed instructions (regarding the accesspoint and freeradius) and searched the web for a possible reason, but unsuccessfully.
I am not sure the problem is not in the accesspoint configuration (a CISCO AP1131AG), anyway the accesspoint receives the indication to use the specified vlan.
You want to post the contents of an Access-Accept so we can check you're sending the correct attributes Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
On Friday 19 July 2013 15:49:55 Arran Cudbard-Bell wrote:
On 19 Jul 2013, at 14:37, Dario Palmisano <Dario.Palmisano@icgeb.org> wrote:
Hello Everybody,
I am configuring my freeradius to be integrated in the EDUROAM federation. It works when the VLAN (as configured in the accesspoint) is statically assigned.
Now I would like to implement a "dynamic vlan assignment" on a per user basis; in this case the Macintosh I am using for test gets authenticated but is not able to get the ip address frm DHCP (it shows as 169.254.120.248), so remaing isolated.
I carefully followed instructions (regarding the accesspoint and freeradius) and searched the web for a possible reason, but unsuccessfully.
I am not sure the problem is not in the accesspoint configuration (a CISCO AP1131AG), anyway the accesspoint receives the indication to use the specified vlan.
You want to post the contents of an Access-Accept so we can check you're sending the correct attributes
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Here you can download the (almost complete) debug log. Near the end I added a text to make evident when I disconnected. http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.php?... Thanks for your quick answer
On 19 Jul 2013, at 15:10, Dario Palmisano <Dario.Palmisano@icgeb.org> wrote:
On Friday 19 July 2013 15:49:55 Arran Cudbard-Bell wrote:
On 19 Jul 2013, at 14:37, Dario Palmisano <Dario.Palmisano@icgeb.org> wrote:
Hello Everybody,
I am configuring my freeradius to be integrated in the EDUROAM federation. It works when the VLAN (as configured in the accesspoint) is statically assigned.
Now I would like to implement a "dynamic vlan assignment" on a per user basis; in this case the Macintosh I am using for test gets authenticated but is not able to get the ip address frm DHCP (it shows as 169.254.120.248), so remaing isolated.
I carefully followed instructions (regarding the accesspoint and freeradius) and searched the web for a possible reason, but unsuccessfully.
I am not sure the problem is not in the accesspoint configuration (a CISCO AP1131AG), anyway the accesspoint receives the indication to use the specified vlan.
You want to post the contents of an Access-Accept so we can check you're sending the correct attributes
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Here you can download the (almost complete) debug log. Near the end I added a text to make evident when I disconnected.
http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.php?...
For everyone following along at home: Sending Access-Accept of id 189 to 172.16.254.45 port 1645 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "220" User-Name = "palmi" MS-MPPE-Recv-Key = 0xf308f970d2507771e30d0f1cc87c6d35ab9a6c65b56dfec2141f50273d6045ff MS-MPPE-Send-Key = 0xa68961323bdf00916cf8ee1043d99477eeaf6a46de78f1101234e9a8a5faf8e2 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 Which looks ok to me. I'm guessing VLAN 220 is actually configured on the NAS? Some also require you to send back 'Service-Type = Framed-User'. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
On Friday 19 July 2013 16:29:57 Arran Cudbard-Bell wrote:
On 19 Jul 2013, at 15:10, Dario Palmisano <Dario.Palmisano@icgeb.org> wrote:
On Friday 19 July 2013 15:49:55 Arran Cudbard-Bell wrote:
On 19 Jul 2013, at 14:37, Dario Palmisano <Dario.Palmisano@icgeb.org> wrote:
Hello Everybody,
I am configuring my freeradius to be integrated in the EDUROAM federation. It works when the VLAN (as configured in the accesspoint) is statically assigned.
Now I would like to implement a "dynamic vlan assignment" on a per user basis; in this case the Macintosh I am using for test gets authenticated but is not able to get the ip address frm DHCP (it shows as 169.254.120.248), so remaing isolated.
I carefully followed instructions (regarding the accesspoint and freeradius) and searched the web for a possible reason, but unsuccessfully.
I am not sure the problem is not in the accesspoint configuration (a CISCO AP1131AG), anyway the accesspoint receives the indication to use the specified vlan.
You want to post the contents of an Access-Accept so we can check you're sending the correct attributes
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Here you can download the (almost complete) debug log. Near the end I added a text to make evident when I disconnected.
http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.p hp?lang=en
For everyone following along at home:
Sending Access-Accept of id 189 to 172.16.254.45 port 1645 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "220" User-Name = "palmi" MS-MPPE-Recv-Key = 0xf308f970d2507771e30d0f1cc87c6d35ab9a6c65b56dfec2141f50273d6045ff MS-MPPE-Send-Key = 0xa68961323bdf00916cf8ee1043d99477eeaf6a46de78f1101234e9a8a5faf8e2 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000
Which looks ok to me. I'm guessing VLAN 220 is actually configured on the NAS? Some also require you to send back 'Service-Type = Framed-User'. Yes vlan 220 is assigned (statically) to "XXX-WPA" SSID.
If file users contains: palmi Huntgroup-Name == "WIFI", Simultaneous-Use := 5, ICGEB- Eduroam-Enabled := Yes Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private- Group-ID := 218 and I connect to SSID XXX-WPA (assigned in accesspoint to vlan 220), it does not work. If I connect to SSID XXX-ER (assigned in accesspoint to vlan 218) it works. If file users contains: palmi Huntgroup-Name == "WIFI", Simultaneous-Use := 5, ICGEB- Eduroam-Enabled := Yes Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private- Group-ID := 220 if I connect to SSID XXX-ER (assigned in accesspoint to vlan 218), it does not work, if I connect to SSID XXX-WPA (assigned in accesspoint to vlan 220), it works. Modifying users file as suggested: palmi Huntgroup-Name == "WIFI", Simultaneous-Use := 5, ICGEB- Eduroam-Enabled := Yes Service-Type := Framed-User, Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 220 did not change the result.
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Here you can download the (almost complete) debug log. Near the end I added a text to make evident when I disconnected.
http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.php?...
please dont ask me to visit random web sites that require to to click on things etc. just email the output to this list. alan
On Friday 19 July 2013 16:57:07 A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
Here you can download the (almost complete) debug log. Near the end I added a text to make evident when I disconnected.
http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.p hp?lang=en
please dont ask me to visit random web sites that require to to click on things etc. just email the output to this list.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OK, I thought it was wiser not to send on the list... FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct 2 2012 at 23:16:43 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/replicate including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/redis including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/soh including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/f_ticks including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/rediswho including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/eap.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/eduroam including configuration file /etc/raddb/sites-enabled/eduroam-inner-tunnel main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 0 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server eduroam-upstream-flr-1 { ipaddr = 192.168.1.1 port = 1812 type = "auth+acct" secret = "secretstuff" response_window = 30 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 300 status_check_timeout = 4 } home_server eduroam-upstream-flr-2 { ipaddr = 192.168.1.2 port = 1812 type = "auth+acct" secret = "secretstuff" response_window = 30 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 300 status_check_timeout = 4 } realm icgeb.trieste.it { } realm icgeb.ts.it { } realm NULL { } realm LOCAL { } home_server_pool EDUROAM { type = fail-over home_server = eduroam-upstream-flr-1 home_server = eduroam-upstream-flr-2 } realm ~.+$ { pool = EDUROAM nostrip } radiusd: #### Loading Clients #### client 172.16.254.45 { require_message_authenticator = yes secret = "SECRET" shortname = "ap-test-1" } radiusd: #### Instantiating modules #### radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf modules { } # modules } # server server eduroam { # from file /etc/raddb/sites-enabled/eduroam modules { Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/radius- radiust.icgeb.trieste.it.key" certificate_file = "/etc/raddb/certs/radius- radiust.icgeb.trieste.it.crt" CA_file = "/etc/raddb/certs/ca-helixt.icgeb.trieste.it.crt" private_key_password = "ICGEB_PaSsWoRd" dh_file = "/etc/raddb/certs/radius-dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = yes lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "eduroam-inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_detail Module: Instantiating module "auth_log" from file /etc/raddb/modules/detail.log detail auth_log { detailfile = "/var/log/radius/radacct/auth-detail.log" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" key = "%{%{Stripped-User-Name}:-%{User-Name}}" } Module: Checking accounting {...} for more modules to load Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/detail" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{%{Stripped-User-Name}:-%{User-Name}}" case_sensitive = yes check_with_nas = no perm = 384 callerid = yes } Module: Instantiating module "sradutmp" from file /etc/raddb/modules/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 420 callerid = no } Module: Checking pre-proxy {...} for more modules to load Module: Instantiating module "pre_proxy_log" from file /etc/raddb/modules/detail.log detail pre_proxy_log { detailfile = "/var/log/radius/radacct/pre-proxy-detail.log" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.pre-proxy { attrsfile = "/etc/raddb/attrs.pre-proxy" key = "%{Realm}" relaxed = no } Module: Checking post-proxy {...} for more modules to load Module: Instantiating module "post_proxy_log" from file /etc/raddb/modules/detail.log detail post_proxy_log { detailfile = "/var/log/radius/radacct/post-proxy-detail.log" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.post-proxy" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.post-proxy { attrsfile = "/etc/raddb/attrs" key = "%{Realm}" relaxed = no } Module: Checking post-auth {...} for more modules to load Module: Instantiating module "reply_log" from file /etc/raddb/modules/detail.log detail reply_log { detailfile = "/var/log/radius/radacct/reply-detail.log" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_linelog Module: Instantiating module "f_ticks" from file /etc/raddb/modules/f_ticks linelog f_ticks { filename = "/var/log/radius/radacct/f_ticks" permissions = 384 format = "" reference = "f_ticks.%{%{reply:Packet-Type}:-format}" } } # modules } # server server eduroam-inner-tunnel { # from file /etc/raddb/sites-enabled/eduroam- inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_always Module: Instantiating module "reject" from file /etc/raddb/modules/always always reject { rcode = "reject" simulcount = 0 mpp = no } Module: Linked to module rlm_ldap Module: Instantiating module "ldap1" from file /etc/raddb/modules/ldap ldap ldap1 { server = "ldap1.icgeb.org" port = 389 password = "SECRET" identity = "cn=samba,dc=icgeb,dc=org" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = yes require_cert = "never" } basedn = "ou=Users,dc=icgeb,dc=org" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr = "uid" access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames) (member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames) (uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute ldap1-Ldap-Group rlm_ldap: Registering ldap_groupcmp for ldap1-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap1 rlm_ldap: Over-riding set_auth_type, as there is no module ldap1 listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk- Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk- Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk- Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private- Group-Id conns: 0x7f4c61f9ac40 Module: Instantiating module "ldap2" from file /etc/raddb/modules/ldap ldap ldap2 { server = "ldap2.icgeb.org" port = 389 password = "SECRET" identity = "cn=samba,dc=icgeb,dc=org" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = yes require_cert = "never" } basedn = "ou=Users,dc=icgeb,dc=org" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr = "uid" access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames) (member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames) (uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute ldap2-Ldap-Group rlm_ldap: Registering ldap_groupcmp for ldap2-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap2 rlm_ldap: Over-riding set_auth_type, as there is no module ldap2 listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk- Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk- Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk- Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private- Group-Id conns: 0x7f4c61f9c680 Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Checking session {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" virtual_server = "eduroam" ipaddr = * port = 0 } listen { type = "acct" virtual_server = "eduroam" ipaddr = * port = 0 } ... adding new socket proxy address * port 50818 ... adding new socket proxy address * port 48997 ... adding new socket proxy address * port 36625 ... adding new socket proxy address * port 51958 Listening on authentication address * port 1812 as server eduroam Listening on accounting address * port 1813 as server eduroam Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 172.16.254.45 port 1645, id=180, length=251 User-Name = "palmi@icgeb.ts.it" Framed-MTU = 1400 Called-Station-Id = "003a.9ae0.1460" Calling-Station-Id = "d49a.2063.2450" Cisco-AVPair = "ssid=XXX-ER" WISPr-Location-Name = "Floor Ground, Building F1 (test)" Service-Type = Login-User Message-Authenticator = 0xfc2c0afcddc3f092eb89869e5cdccbcc EAP-Message = 0x020100160170616c6d694069636765622e74732e6974 NAS-Port-Type = Wireless-802.11 NAS-Port = 1016 NAS-Port-Id = "1016" NAS-IP-Address = 172.16.254.45 server eduroam { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam +- entering group authorize {...} ++[preprocess] returns ok ++[request] returns ok [auth_log] expand: /var/log/radius/radacct/auth-detail.log -> /var/log/radius/radacct/auth-detail.log [auth_log] /var/log/radius/radacct/auth-detail.log expands to /var/log/radius/radacct/auth-detail.log [auth_log] expand: %t -> Fri Jul 19 15:02:51 2013 ++[auth_log] returns ok [suffix] Looking up realm "icgeb.ts.it" for User-Name = "palmi@icgeb.ts.it" [suffix] Found realm "icgeb.ts.it" [suffix] Adding Stripped-User-Name = "palmi" [suffix] Adding Realm = "icgeb.ts.it" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 1 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/eduroam +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Flushing SSL sessions (of #0) [tls] Initiate [tls] Start returned 1 ++[eap] returns handled } # server eduroam Sending Access-Challenge of id 180 to 172.16.254.45 port 1645 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x669027bd66923e30f26eb21d75d65d85 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.254.45 port 1645, id=181, length=411 User-Name = "palmi@icgeb.ts.it" Framed-MTU = 1400 Called-Station-Id = "003a.9ae0.1460" Calling-Station-Id = "d49a.2063.2450" Cisco-AVPair = "ssid=XXX-ER" WISPr-Location-Name = "Floor Ground, Building F1 (test)" Service-Type = Login-User Message-Authenticator = 0x79d8e016f5c847ef528f668472bb9a59 EAP-Message = 0x020200a419800000009a160301009501000091030151e93900542f13df3626ff6d17f8c44f8a5b2e5d2789dbdcf49a02dc36bc7d1e000056c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a00170019000101000012000a00080006001700180019000b00020100 NAS-Port-Type = Wireless-802.11 NAS-Port = 1016 NAS-Port-Id = "1016" State = 0x669027bd66923e30f26eb21d75d65d85 NAS-IP-Address = 172.16.254.45 server eduroam { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam +- entering group authorize {...} ++[preprocess] returns ok ++[request] returns ok [auth_log] expand: /var/log/radius/radacct/auth-detail.log -> /var/log/radius/radacct/auth-detail.log [auth_log] /var/log/radius/radacct/auth-detail.log expands to /var/log/radius/radacct/auth-detail.log [auth_log] expand: %t -> Fri Jul 19 15:02:51 2013 ++[auth_log] returns ok [suffix] Looking up realm "icgeb.ts.it" for User-Name = "palmi@icgeb.ts.it" [suffix] Found realm "icgeb.ts.it" [suffix] Adding Stripped-User-Name = "palmi" [suffix] Adding Realm = "icgeb.ts.it" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 2 length 164 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/eduroam +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 154 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0095], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 004a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0790], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server eduroam Sending Access-Challenge of id 181 to 172.16.254.45 port 1645 EAP-Message = 0x0103040019c0000007ed160301004a02000046030151e938fbc7620d4fbcde52beebee35261e32ac240ac914ded87da542f76fce5420d13d4c1b37c5a8c5abc874c7b8ebcfb2adee9ed86972f10820789335d57620cd002f0016030107900b00078c0007890003cd308203c9308202b1a003020102020101300d06092a864886f70d010105050030819a310b3009060355040613024954310e300c060355040813054974616c793110300e0603550407130754726965737465310e300c060355040a1305494347454231163014060355040b130d436f6d707574657220556e6974311f301d06092a864886f70d010901161073797361646d4069636765 EAP-Message = 0x622e6f72673120301e0603550403131768656c6978742e69636765622e747269657374652e6974301e170d3133303730393039313634345a170d3433303730323039313634345a30819b310b3009060355040613024954310e300c060355040813054974616c793110300e0603550407130754726965737465310e300c060355040a1305494347454231163014060355040b130d436f6d707574657220556e6974311f301d06092a864886f70d010901161073797361646d4069636765622e6f72673121301f06035504031318726164697573742e69636765622e747269657374652e697430820122300d06092a864886f70d01010105000382010f00 EAP-Message = 0x3082010a0282010100c979e46c9cde8cf2c80df8c846dafaf642d4e5855fd369b069bfdf09e1d4d0bad965114dbec1aaacb81543e9399a87a73d723b6ee2a6ff4d1fddb96ca6a8b540bb82bc0fe8d2578937fd34d1b7945c2288f13f4f996a35316c413ce361db45f5b460ce35b5c294a4bf165030bcfd4986b9fc3790d4b4811c06e4f51f473a288029f8e674faa574eafd5d356abfe1295b05d32a344eb19d159526be6d9efc99f4d9f8f5a0a3269441c8535f933b535510e8848bd2518a4cb2096bd3e5e637296072a4ba1e0dff960b124a108329988b2a0eaaa9688cac3f9913bc37b1025f47527f2d972555d65685c509fc0906001fdee214de19 EAP-Message = 0xe2889d4fa82f472920611b0f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101004fc473c5789733c97ddc8b7fe530ecb0fe4f3a86d4c27c8c8154a0872e21d15ee25b16f106b6330921292ec1627cd6e9e066cb36b8ffdd640e87bd8dfa496b362850ef8af23d8f8e3b74714208461fd250240cd7d4a77015e69640b0eeb7ac4a1601329a2c97aee6799446e2320f9a0c670d7b67732a7f3e3a425462adc297d384f4ca3b31bb318061b9f002553d7cbadd8b6342e54823ef44a34a525ea02772b6e6220724e6a2e39ccd9ed54b7d44b58afceff3de5f178ef4ebe691e5210d EAP-Message = 0x5f3eb23962f874699e641862 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x669027bd67933e30f26eb21d75d65d85 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.254.45 port 1645, id=182, length=253 User-Name = "palmi@icgeb.ts.it" Framed-MTU = 1400 Called-Station-Id = "003a.9ae0.1460" Calling-Station-Id = "d49a.2063.2450" Cisco-AVPair = "ssid=XXX-ER" WISPr-Location-Name = "Floor Ground, Building F1 (test)" Service-Type = Login-User Message-Authenticator = 0x538a1d81b611fde158176047d16a7a69 EAP-Message = 0x020300061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 1016 NAS-Port-Id = "1016" State = 0x669027bd67933e30f26eb21d75d65d85 NAS-IP-Address = 172.16.254.45 server eduroam { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam +- entering group authorize {...} ++[preprocess] returns ok ++[request] returns ok [auth_log] expand: /var/log/radius/radacct/auth-detail.log -> /var/log/radius/radacct/auth-detail.log [auth_log] /var/log/radius/radacct/auth-detail.log expands to /var/log/radius/radacct/auth-detail.log [auth_log] expand: %t -> Fri Jul 19 15:02:52 2013 ++[auth_log] returns ok [suffix] Looking up realm "icgeb.ts.it" for User-Name = "palmi@icgeb.ts.it" [suffix] Found realm "icgeb.ts.it" [suffix] Adding Stripped-User-Name = "palmi" [suffix] Adding Realm = "icgeb.ts.it" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/eduroam +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server eduroam Sending Access-Challenge of id 182 to 172.16.254.45 port 1645 EAP-Message = 0x010403fc1940258df22a84e2e9a9aff58ca761d45210d122606db6735bffcea1ad8d0c27606ba3326203b3e415d84d513a1692b992e31683a729d50003b6308203b23082029a020900db825bfb96c90cea300d06092a864886f70d010105050030819a310b3009060355040613024954310e300c060355040813054974616c793110300e0603550407130754726965737465310e300c060355040a1305494347454231163014060355040b130d436f6d707574657220556e6974311f301d06092a864886f70d010901161073797361646d4069636765622e6f72673120301e0603550403131768656c6978742e69636765622e747269657374652e6974 EAP-Message = 0x301e170d3133303730393039313633315a170d3233303730373039313633315a30819a310b3009060355040613024954310e300c060355040813054974616c793110300e0603550407130754726965737465310e300c060355040a1305494347454231163014060355040b130d436f6d707574657220556e6974311f301d06092a864886f70d010901161073797361646d4069636765622e6f72673120301e0603550403131768656c6978742e69636765622e747269657374652e697430820122300d06092a864886f70d01010105000382010f003082010a0282010100ba393288c78bc251ede2a3928cf908844db6bea8a9850b86765ec6bf6ca650 EAP-Message = 0x2d67ab8fb53bead648f7f1c2aaa1a88fc2224317dce1c4e176aa072edb3cb640353dfcfedee8695bce862b7ba1a224ccfc1b96615067d6e7bf824bde42b52763e392b91f2ba163ac501ef4dbeab18eb6e7ed08a8e02a5b4558cb21886d69974ab1404cad961044af66069d1cab98475e5a47ee503111b4a61a7bb393665e5a4404d547e4fc86437ffca7c1073ca29930932977b86b063144e7c6356ac42ed0aa1458275d0f487805142170f29659b175d36eadd01218ac19107ce1a37216fc1372076bbe3d25deef56656eb5905a8be2f0d2e245bf7c1cdde2b97c544c3dc045f10203010001300d06092a864886f70d010105050003820101002ce5c1 EAP-Message = 0x1608e87136325db92df41abad7837ba24969dd7a6833c66a3386cf5a804805fe91c77f46a544da5bd650e09750a3766933b028c8ac6dc91d7c67b9301d50cfb1b820ffd24615e3c6c0dfae04fb1b108af7d15a1c141bc9b3d4cb71e97748495376dd09dfbc791db404b66d2e5226947d2eec3789981daecf310dfb46139e9e054efe7e7eea41e92923db041f91ace2745a19a44e817bc1dc753fda067d35dd33155d468f99240b718d9b30f86e299734860d4e20654c9fead475723ff2720f5f68c63a8530999198b515e3f89012f15bd1696ecb3ef035703d68af0d63f53994c2dcdbb774c0a4ef19db8a7ff047523187b4b7c0d50e549ccde4b77db2 EAP-Message = 0x16030100040e0000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x669027bd64943e30f26eb21d75d65d85 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.254.45 port 1645, id=183, length=253 User-Name = "palmi@icgeb.ts.it" Framed-MTU = 1400 Called-Station-Id = "003a.9ae0.1460" Calling-Station-Id = "d49a.2063.2450" Cisco-AVPair = "ssid=XXX-ER" WISPr-Location-Name = "Floor Ground, Building F1 (test)" Service-Type = Login-User Message-Authenticator = 0x27c83e5b3123ec9cd32a9a0e4287ea7a EAP-Message = 0x020400061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 1016 NAS-Port-Id = "1016" State = 0x669027bd64943e30f26eb21d75d65d85 NAS-IP-Address = 172.16.254.45 server eduroam { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam +- entering group authorize {...} ++[preprocess] returns ok ++[request] returns ok [auth_log] expand: /var/log/radius/radacct/auth-detail.log -> /var/log/radius/radacct/auth-detail.log [auth_log] /var/log/radius/radacct/auth-detail.log expands to /var/log/radius/radacct/auth-detail.log [auth_log] expand: %t -> Fri Jul 19 15:02:52 2013 ++[auth_log] returns ok [suffix] Looking up realm "icgeb.ts.it" for User-Name = "palmi@icgeb.ts.it" [suffix] Found realm "icgeb.ts.it" [suffix] Adding Stripped-User-Name = "palmi" [suffix] Adding Realm = "icgeb.ts.it" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/eduroam +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server eduroam Sending Access-Challenge of id 183 to 172.16.254.45 port 1645 EAP-Message = 0x01050007190000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x669027bd65953e30f26eb21d75d65d85 Finished request 3. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.16.254.45 port 1645, id=184, length=585 User-Name = "palmi@icgeb.ts.it" Framed-MTU = 1400 Called-Station-Id = "003a.9ae0.1460" Calling-Station-Id = "d49a.2063.2450" Cisco-AVPair = "ssid=XXX-ER" WISPr-Location-Name = "Floor Ground, Building F1 (test)" Service-Type = Login-User Message-Authenticator = 0x4f4006c7ee8fc3c4d08f33997ef0f9ea EAP-Message = 0x0205015019800000014616030101061000010201005cbeaf7e39a5128df9b044ded226d6da6a1df06c4c14b6248c3b017e350a3c18ff08ea6e865545f21f29187c9cbbeca27526b21e5d3e7c172068d92318972e404019e7d241b473c0f2f6288f6b25f78cec134805f2d45b51a8d09095e30be78c069e8c2681c00da8bde4cd70411f0a5e694d4f7f94e4efaaabb32fb80e99b8b79163e574aa56094b6007743d0ae1886934242ee6bca933f4d500df29976c80ef6b77dac039faa296079b9eb8fa234a800788add69c2981962048ba3a965d56c93438a808db460918deac5deb2af03ebb682c972cb9a8361897793b667a77317c4027e29fe7f69c5e EAP-Message = 0x97bb4f0d9afebd4e276d9c2e7ae1565dae8fcb2c50bf94681403010001011603010030cac6507c26ca4546f6571611d86d8a9cf189a6cd3d7a827e0693e92fc2403dd8d394adf41b299e3a165846ba39108984 NAS-Port-Type = Wireless-802.11 NAS-Port = 1016 NAS-Port-Id = "1016" State = 0x669027bd65953e30f26eb21d75d65d85 NAS-IP-Address = 172.16.254.45 server eduroam { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam +- entering group authorize {...} ++[preprocess] returns ok ++[request] returns ok [auth_log] expand: /var/log/radius/radacct/auth-detail.log -> /var/log/radius/radacct/auth-detail.log [auth_log] /var/log/radius/radacct/auth-detail.log expands to /var/log/radius/radacct/auth-detail.log [auth_log] expand: %t -> Fri Jul 19 15:02:52 2013 ++[auth_log] returns ok [suffix] Looking up realm "icgeb.ts.it" for User-Name = "palmi@icgeb.ts.it" [suffix] Found realm "icgeb.ts.it" [suffix] Adding Stripped-User-Name = "palmi" [suffix] Adding Realm = "icgeb.ts.it" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/eduroam +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data SSL: adding session d13d4c1b37c5a8c5abc874c7b8ebcfb2adee9ed86972f10820789335d57620cd to cache [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server eduroam Sending Access-Challenge of id 184 to 172.16.254.45 port 1645 EAP-Message = 0x01060041190014030100010116030100307628a872abf1034fb3f8c9e92cde545d25d682118edb43927185247ec8f5ab630379ea6045aa8a5177f25cbae275a27f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x669027bd62963e30f26eb21d75d65d85 Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.16.254.45 port 1645, id=185, length=253 User-Name = "palmi@icgeb.ts.it" Framed-MTU = 1400 Called-Station-Id = "003a.9ae0.1460" Calling-Station-Id = "d49a.2063.2450" Cisco-AVPair = "ssid=XXX-ER" WISPr-Location-Name = "Floor Ground, Building F1 (test)" Service-Type = Login-User Message-Authenticator = 0x12b44dd4d38f59bdfd0f7cdf01739c54 EAP-Message = 0x020600061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 1016 NAS-Port-Id = "1016" State = 0x669027bd62963e30f26eb21d75d65d85 NAS-IP-Address = 172.16.254.45 server eduroam { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam +- entering group authorize {...} ++[preprocess] returns ok ++[request] returns ok [auth_log] expand: /var/log/radius/radacct/auth-detail.log -> /var/log/radius/radacct/auth-detail.log [auth_log] /var/log/radius/radacct/auth-detail.log expands to /var/log/radius/radacct/auth-detail.log [auth_log] expand: %t -> Fri Jul 19 15:02:52 2013 ++[auth_log] returns ok [suffix] Looking up realm "icgeb.ts.it" for User-Name = "palmi@icgeb.ts.it" [suffix] Found realm "icgeb.ts.it" [suffix] Adding Stripped-User-Name = "palmi" [suffix] Adding Realm = "icgeb.ts.it" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/eduroam +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled } # server eduroam Sending Access-Challenge of id 185 to 172.16.254.45 port 1645 EAP-Message = 0x0107002b19001703010020a9e273a342b9e50c6f22c2b7decbfa7a9ad396cbbcb7c91663c8c6dc3059382e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x669027bd63973e30f26eb21d75d65d85 Finished request 5. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.16.254.45 port 1645, id=186, length=306 User-Name = "palmi@icgeb.ts.it" Framed-MTU = 1400 Called-Station-Id = "003a.9ae0.1460" Calling-Station-Id = "d49a.2063.2450" Cisco-AVPair = "ssid=XXX-ER" WISPr-Location-Name = "Floor Ground, Building F1 (test)" Service-Type = Login-User Message-Authenticator = 0x58780dba17878ac8570d3045fb9218b4 EAP-Message = 0x0207003b19001703010030d4189c5081ce041f25e2e134a4e9d7ba2067f9c7a525156f41405eec84b3c4e9255fa1fbb1db92587f815951ee27b8e9 NAS-Port-Type = Wireless-802.11 NAS-Port = 1016 NAS-Port-Id = "1016" State = 0x669027bd63973e30f26eb21d75d65d85 NAS-IP-Address = 172.16.254.45 server eduroam { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam +- entering group authorize {...} ++[preprocess] returns ok ++[request] returns ok [auth_log] expand: /var/log/radius/radacct/auth-detail.log -> /var/log/radius/radacct/auth-detail.log [auth_log] /var/log/radius/radacct/auth-detail.log expands to /var/log/radius/radacct/auth-detail.log [auth_log] expand: %t -> Fri Jul 19 15:02:52 2013 ++[auth_log] returns ok [suffix] Looking up realm "icgeb.ts.it" for User-Name = "palmi@icgeb.ts.it" [suffix] Found realm "icgeb.ts.it" [suffix] Adding Stripped-User-Name = "palmi" [suffix] Adding Realm = "icgeb.ts.it" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 7 length 59 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/eduroam +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - palmi@icgeb.ts.it [peap] Got inner identity 'palmi@icgeb.ts.it' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x020700160170616c6d694069636765622e74732e6974 server eduroam { [peap] Setting User-Name to palmi@icgeb.ts.it Sending tunneled request EAP-Message = 0x020700160170616c6d694069636765622e74732e6974 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "palmi@icgeb.ts.it" Framed-MTU = 1400 Called-Station-Id = "003a.9ae0.1460" Calling-Station-Id = "d49a.2063.2450" Cisco-AVPair = "ssid=XXX-ER" WISPr-Location-Name = "Floor Ground, Building F1 (test)" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 1016 NAS-Port-Id = "1016" NAS-IP-Address = 172.16.254.45 Operator-Name = "1icgeb.trieste.it" server eduroam-inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam- inner-tunnel +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "icgeb.ts.it" for User-Name = "palmi@icgeb.ts.it" [suffix] Found realm "icgeb.ts.it" [suffix] Adding Stripped-User-Name = "palmi" [suffix] Adding Realm = "icgeb.ts.it" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [auth_log] expand: /var/log/radius/radacct/auth-detail.log -> /var/log/radius/radacct/auth-detail.log [auth_log] /var/log/radius/radacct/auth-detail.log expands to /var/log/radius/radacct/auth-detail.log [auth_log] expand: %t -> Fri Jul 19 15:02:52 2013 ++[auth_log] returns ok [eap] EAP packet type response id 7 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] expand: %{Stripped-User-Name} -> palmi [files] expand: %{%{Stripped-User-Name}:-%{User-Name}} -> palmi [files] users: Matched entry palmi at line 438 ++[files] returns ok ++? if (Cisco-AVPair == "ssid=XXX-ER" && Realm == NULL) ? Evaluating (Cisco-AVPair == "ssid=XXX-ER" ) -> TRUE ? Evaluating (Realm == NULL) -> FALSE ++? if (Cisco-AVPair == "ssid=XXX-ER" && Realm == NULL) -> FALSE ++? elsif (Cisco-AVPair == "ssid=XXX-ER" && (!control:ICGEB-Eduroam-Enabled || control:ICGEB-Eduroam-Enabled != Yes)) ? Evaluating (Cisco-AVPair == "ssid=XXX-ER" ) -> TRUE ?? Evaluating !(control:ICGEB-Eduroam-Enabled ) -> FALSE ?? Evaluating (control:ICGEB-Eduroam-Enabled != Yes) -> FALSE ++? elsif (Cisco-AVPair == "ssid=XXX-ER" && (!control:ICGEB-Eduroam-Enabled || control:ICGEB-Eduroam-Enabled != Yes)) -> FALSE ++- entering else else {...} +++- entering redundant-load-balance group redundant-load-balance {...} [ldap1] performing user authorization for palmi [ldap1] expand: %{Stripped-User-Name} -> palmi [ldap1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=palmi) [ldap1] expand: ou=Users,dc=icgeb,dc=org -> ou=Users,dc=icgeb,dc=org [ldap1] ldap_get_conn: Checking Id: 0 [ldap1] ldap_get_conn: Got Id: 0 [ldap1] attempting LDAP reconnection [ldap1] (re)connect to ldap1.icgeb.org:389, authentication 0 [ldap1] setting TLS Require Cert to never [ldap1] starting TLS [ldap1] bind as cn=samba,dc=icgeb,dc=org/SECRET to ldap1.icgeb.org:389 [ldap1] waiting for bind result ... [ldap1] Bind was successful [ldap1] performing search in ou=Users,dc=icgeb,dc=org, with filter (uid=palmi) [ldap1] checking if remote access for palmi is allowed by uid [ldap1] looking for check items in directory... [ldap1] sambaNtPassword -> NT-Password == 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [ldap1] sambaLmPassword -> LM-Password == 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [ldap1] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap1] user palmi authorized to use remote access [ldap1] ldap_release_conn: Release Id: 0 ++++[ldap1] returns ok +++- redundant-load-balance group redundant-load-balance returns ok +++[expiration] returns noop ++- else else returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server eduroam-inner-tunnel [peap] Got tunneled reply code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "220" EAP-Message = 0x0108002b1a010800261031bbf45a68ff5991a784b7775ad66d0f70616c6d694069636765622e74732e6974 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac6f4ed7ac6754fe563139e39634b030 [peap] Got tunneled reply RADIUS code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "220" EAP-Message = 0x0108002b1a010800261031bbf45a68ff5991a784b7775ad66d0f70616c6d694069636765622e74732e6974 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac6f4ed7ac6754fe563139e39634b030 [peap] Got tunneled Access-Challenge ++[eap] returns handled } # server eduroam Sending Access-Challenge of id 186 to 172.16.254.45 port 1645 EAP-Message = 0x0108004b190017030100407551bcc12b2ed0feac5f15ba5fa6ad83f217dd6ae55063326b6059264b1f953c94ccc718eadc9621d0be180137c8f111fbafe7bc100eff058756bebb490d095a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x669027bd60983e30f26eb21d75d65d85 Finished request 6. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.16.254.45 port 1645, id=187, length=354 User-Name = "palmi@icgeb.ts.it" Framed-MTU = 1400 Called-Station-Id = "003a.9ae0.1460" Calling-Station-Id = "d49a.2063.2450" Cisco-AVPair = "ssid=XXX-ER" WISPr-Location-Name = "Floor Ground, Building F1 (test)" Service-Type = Login-User Message-Authenticator = 0x9a32cc720eca9c8424fd7ad00e8ab3bf EAP-Message = 0x0208006b19001703010060adc8a19d618921aa8fa847c35215bbd5da5aff1bb2e5181cee87cc1be6f7a74a4fd73f16dc290bf5937c44dfe080a9b6b9570b42011aac39617c06480c879c28116d65575bf375e04be2490fb411ba819a4411060d439e2a366841bfe801a741 NAS-Port-Type = Wireless-802.11 NAS-Port = 1016 NAS-Port-Id = "1016" State = 0x669027bd60983e30f26eb21d75d65d85 NAS-IP-Address = 172.16.254.45 server eduroam { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam +- entering group authorize {...} ++[preprocess] returns ok ++[request] returns ok [auth_log] expand: /var/log/radius/radacct/auth-detail.log -> /var/log/radius/radacct/auth-detail.log [auth_log] /var/log/radius/radacct/auth-detail.log expands to /var/log/radius/radacct/auth-detail.log [auth_log] expand: %t -> Fri Jul 19 15:02:52 2013 ++[auth_log] returns ok [suffix] Looking up realm "icgeb.ts.it" for User-Name = "palmi@icgeb.ts.it" [suffix] Found realm "icgeb.ts.it" [suffix] Adding Stripped-User-Name = "palmi" [suffix] Adding Realm = "icgeb.ts.it" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 8 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/eduroam +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0208004c1a02080047317b0c4f82dc21d6ba0960f3d09523fda00000000000000000f3daf62acb5f6cbc9566592c64b57d73ba4ebf437eb029910070616c6d694069636765622e74732e6974 server eduroam { [peap] Setting User-Name to palmi@icgeb.ts.it Sending tunneled request EAP-Message = 0x0208004c1a02080047317b0c4f82dc21d6ba0960f3d09523fda00000000000000000f3daf62acb5f6cbc9566592c64b57d73ba4ebf437eb029910070616c6d694069636765622e74732e6974 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "palmi@icgeb.ts.it" State = 0xac6f4ed7ac6754fe563139e39634b030 Framed-MTU = 1400 Called-Station-Id = "003a.9ae0.1460" Calling-Station-Id = "d49a.2063.2450" Cisco-AVPair = "ssid=XXX-ER" WISPr-Location-Name = "Floor Ground, Building F1 (test)" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 1016 NAS-Port-Id = "1016" NAS-IP-Address = 172.16.254.45 Operator-Name = "1icgeb.trieste.it" server eduroam-inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam- inner-tunnel +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "icgeb.ts.it" for User-Name = "palmi@icgeb.ts.it" [suffix] Found realm "icgeb.ts.it" [suffix] Adding Stripped-User-Name = "palmi" [suffix] Adding Realm = "icgeb.ts.it" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [auth_log] expand: /var/log/radius/radacct/auth-detail.log -> /var/log/radius/radacct/auth-detail.log [auth_log] /var/log/radius/radacct/auth-detail.log expands to /var/log/radius/radacct/auth-detail.log [auth_log] expand: %t -> Fri Jul 19 15:02:52 2013 ++[auth_log] returns ok [eap] EAP packet type response id 8 length 76 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] expand: %{Stripped-User-Name} -> palmi [files] expand: %{%{Stripped-User-Name}:-%{User-Name}} -> palmi [files] users: Matched entry palmi at line 438 ++[files] returns ok ++? if (Cisco-AVPair == "ssid=XXX-ER" && Realm == NULL) ? Evaluating (Cisco-AVPair == "ssid=XXX-ER" ) -> TRUE ? Evaluating (Realm == NULL) -> FALSE ++? if (Cisco-AVPair == "ssid=XXX-ER" && Realm == NULL) -> FALSE ++? elsif (Cisco-AVPair == "ssid=XXX-ER" && (!control:ICGEB-Eduroam-Enabled || control:ICGEB-Eduroam-Enabled != Yes)) ? Evaluating (Cisco-AVPair == "ssid=XXX-ER" ) -> TRUE ?? Evaluating !(control:ICGEB-Eduroam-Enabled ) -> FALSE ?? Evaluating (control:ICGEB-Eduroam-Enabled != Yes) -> FALSE ++? elsif (Cisco-AVPair == "ssid=XXX-ER" && (!control:ICGEB-Eduroam-Enabled || control:ICGEB-Eduroam-Enabled != Yes)) -> FALSE ++- entering else else {...} +++- entering redundant-load-balance group redundant-load-balance {...} [ldap1] performing user authorization for palmi [ldap1] expand: %{Stripped-User-Name} -> palmi [ldap1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=palmi) [ldap1] expand: ou=Users,dc=icgeb,dc=org -> ou=Users,dc=icgeb,dc=org [ldap1] ldap_get_conn: Checking Id: 0 [ldap1] ldap_get_conn: Got Id: 0 [ldap1] performing search in ou=Users,dc=icgeb,dc=org, with filter (uid=palmi) [ldap1] checking if remote access for palmi is allowed by uid [ldap1] looking for check items in directory... [ldap1] sambaNtPassword -> NT-Password == 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [ldap1] sambaLmPassword -> LM-Password == 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [ldap1] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap1] user palmi authorized to use remote access [ldap1] ldap_release_conn: Release Id: 0 ++++[ldap1] returns ok +++- redundant-load-balance group redundant-load-balance returns ok +++[expiration] returns noop ++- else else returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/eduroam-inner- tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Found LM-Password [mschap] Found NT-Password [mschap] Creating challenge hash with username: palmi@icgeb.ts.it [mschap] Told to do MS-CHAPv2 for palmi@icgeb.ts.it with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server eduroam-inner-tunnel [peap] Got tunneled reply code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "220" EAP-Message = 0x010900331a0308002e533d46434546384137334445324244353032344230414632413139334635464446444637453838364532 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac6f4ed7ad6654fe563139e39634b030 [peap] Got tunneled reply RADIUS code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "220" EAP-Message = 0x010900331a0308002e533d46434546384137334445324244353032344230414632413139334635464446444637453838364532 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac6f4ed7ad6654fe563139e39634b030 [peap] Got tunneled Access-Challenge ++[eap] returns handled } # server eduroam Sending Access-Challenge of id 187 to 172.16.254.45 port 1645 EAP-Message = 0x0109005b190017030100508b428fcbaba9455852f5170646e2df5522351f71a2ce8c1d7a276dcd36366d325356aec936a2282d9fe3386fde30c15f2c6b08faf44485a0d35b368aa684156593d286df9a3dbb8285733e737f2bc604 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x669027bd61993e30f26eb21d75d65d85 Finished request 7. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 172.16.254.45 port 1645, id=188, length=290 User-Name = "palmi@icgeb.ts.it" Framed-MTU = 1400 Called-Station-Id = "003a.9ae0.1460" Calling-Station-Id = "d49a.2063.2450" Cisco-AVPair = "ssid=XXX-ER" WISPr-Location-Name = "Floor Ground, Building F1 (test)" Service-Type = Login-User Message-Authenticator = 0x1b70ff8392af063cd76871601bb653aa EAP-Message = 0x0209002b19001703010020aca48497bb2e628cb8380aecb52865e5ff28b39d4cf95a8aef162a3b0bc703fe NAS-Port-Type = Wireless-802.11 NAS-Port = 1016 NAS-Port-Id = "1016" State = 0x669027bd61993e30f26eb21d75d65d85 NAS-IP-Address = 172.16.254.45 server eduroam { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam +- entering group authorize {...} ++[preprocess] returns ok ++[request] returns ok [auth_log] expand: /var/log/radius/radacct/auth-detail.log -> /var/log/radius/radacct/auth-detail.log [auth_log] /var/log/radius/radacct/auth-detail.log expands to /var/log/radius/radacct/auth-detail.log [auth_log] expand: %t -> Fri Jul 19 15:02:52 2013 ++[auth_log] returns ok [suffix] Looking up realm "icgeb.ts.it" for User-Name = "palmi@icgeb.ts.it" [suffix] Found realm "icgeb.ts.it" [suffix] Adding Stripped-User-Name = "palmi" [suffix] Adding Realm = "icgeb.ts.it" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 9 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/eduroam +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server eduroam { [peap] Setting User-Name to palmi@icgeb.ts.it Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "palmi@icgeb.ts.it" State = 0xac6f4ed7ad6654fe563139e39634b030 Framed-MTU = 1400 Called-Station-Id = "003a.9ae0.1460" Calling-Station-Id = "d49a.2063.2450" Cisco-AVPair = "ssid=XXX-ER" WISPr-Location-Name = "Floor Ground, Building F1 (test)" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 1016 NAS-Port-Id = "1016" NAS-IP-Address = 172.16.254.45 Operator-Name = "1icgeb.trieste.it" server eduroam-inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam- inner-tunnel +- entering group authorize {...} ++[preprocess] returns ok [suffix] Looking up realm "icgeb.ts.it" for User-Name = "palmi@icgeb.ts.it" [suffix] Found realm "icgeb.ts.it" [suffix] Adding Stripped-User-Name = "palmi" [suffix] Adding Realm = "icgeb.ts.it" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [auth_log] expand: /var/log/radius/radacct/auth-detail.log -> /var/log/radius/radacct/auth-detail.log [auth_log] /var/log/radius/radacct/auth-detail.log expands to /var/log/radius/radacct/auth-detail.log [auth_log] expand: %t -> Fri Jul 19 15:02:52 2013 ++[auth_log] returns ok [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] expand: %{Stripped-User-Name} -> palmi [files] expand: %{%{Stripped-User-Name}:-%{User-Name}} -> palmi [files] users: Matched entry palmi at line 438 ++[files] returns ok ++? if (Cisco-AVPair == "ssid=XXX-ER" && Realm == NULL) ? Evaluating (Cisco-AVPair == "ssid=XXX-ER" ) -> TRUE ? Evaluating (Realm == NULL) -> FALSE ++? if (Cisco-AVPair == "ssid=XXX-ER" && Realm == NULL) -> FALSE ++? elsif (Cisco-AVPair == "ssid=XXX-ER" && (!control:ICGEB-Eduroam-Enabled || control:ICGEB-Eduroam-Enabled != Yes)) ? Evaluating (Cisco-AVPair == "ssid=XXX-ER" ) -> TRUE ?? Evaluating !(control:ICGEB-Eduroam-Enabled ) -> FALSE ?? Evaluating (control:ICGEB-Eduroam-Enabled != Yes) -> FALSE ++? elsif (Cisco-AVPair == "ssid=XXX-ER" && (!control:ICGEB-Eduroam-Enabled || control:ICGEB-Eduroam-Enabled != Yes)) -> FALSE ++- entering else else {...} +++- entering redundant-load-balance group redundant-load-balance {...} [ldap1] performing user authorization for palmi [ldap1] expand: %{Stripped-User-Name} -> palmi [ldap1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=palmi) [ldap1] expand: ou=Users,dc=icgeb,dc=org -> ou=Users,dc=icgeb,dc=org [ldap1] ldap_get_conn: Checking Id: 0 [ldap1] ldap_get_conn: Got Id: 0 [ldap1] performing search in ou=Users,dc=icgeb,dc=org, with filter (uid=palmi) [ldap1] checking if remote access for palmi is allowed by uid [ldap1] looking for check items in directory... [ldap1] sambaNtPassword -> NT-Password == 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [ldap1] sambaLmPassword -> LM-Password == 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [ldap1] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap1] user palmi authorized to use remote access [ldap1] ldap_release_conn: Release Id: 0 ++++[ldap1] returns ok +++- redundant-load-balance group redundant-load-balance returns ok +++[expiration] returns noop ++- else else returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok # Executing section session from file /etc/raddb/sites-enabled/eduroam-inner- tunnel +- entering group session {...} [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{Stripped-User-Name} -> palmi [radutmp] expand: %{%{Stripped-User-Name}:-%{User-Name}} -> palmi ++[radutmp] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/eduroam- inner-tunnel +- entering group post-auth {...} ++? if (outer.request:User-Name != "%{request:User-Name}") expand: %{request:User-Name} -> palmi@icgeb.ts.it ? Evaluating (outer.request:User-Name != "%{request:User-Name}") -> FALSE ++? if (outer.request:User-Name != "%{request:User-Name}") -> FALSE [reply_log] expand: /var/log/radius/radacct/reply-detail.log -> /var/log/radius/radacct/reply-detail.log [reply_log] /var/log/radius/radacct/reply-detail.log expands to /var/log/radius/radacct/reply-detail.log [reply_log] expand: %t -> Fri Jul 19 15:02:52 2013 ++[reply_log] returns ok } # server eduroam-inner-tunnel [peap] Got tunneled reply code 2 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "220" MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0xbe1daddb8ed87c9b5e06ce402b322c71 MS-MPPE-Recv-Key = 0x4bd89713a7634f3d3ce739d3e21738f3 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "palmi" [peap] Got tunneled reply RADIUS code 2 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "220" MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0xbe1daddb8ed87c9b5e06ce402b322c71 MS-MPPE-Recv-Key = 0x4bd89713a7634f3d3ce739d3e21738f3 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "palmi" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] returns handled } # server eduroam Sending Access-Challenge of id 188 to 172.16.254.45 port 1645 EAP-Message = 0x010a002b19001703010020723574f51e400d5fd7c58894bf8b6d79afe0482191f3a11696858d1afad5bded Message-Authenticator = 0x00000000000000000000000000000000 State = 0x669027bd6e9a3e30f26eb21d75d65d85 Finished request 8. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 172.16.254.45 port 1645, id=189, length=290 User-Name = "palmi@icgeb.ts.it" Framed-MTU = 1400 Called-Station-Id = "003a.9ae0.1460" Calling-Station-Id = "d49a.2063.2450" Cisco-AVPair = "ssid=XXX-ER" WISPr-Location-Name = "Floor Ground, Building F1 (test)" Service-Type = Login-User Message-Authenticator = 0xf30f3bd40f6109c508a83f933cd65d1e EAP-Message = 0x020a002b190017030100209afce8ff8c13dd63d65628da201d3ea4bf820c83dbc028062ce807b02c1931e4 NAS-Port-Type = Wireless-802.11 NAS-Port = 1016 NAS-Port-Id = "1016" State = 0x669027bd6e9a3e30f26eb21d75d65d85 NAS-IP-Address = 172.16.254.45 server eduroam { # Executing section authorize from file /etc/raddb/sites-enabled/eduroam +- entering group authorize {...} ++[preprocess] returns ok ++[request] returns ok [auth_log] expand: /var/log/radius/radacct/auth-detail.log -> /var/log/radius/radacct/auth-detail.log [auth_log] /var/log/radius/radacct/auth-detail.log expands to /var/log/radius/radacct/auth-detail.log [auth_log] expand: %t -> Fri Jul 19 15:02:52 2013 ++[auth_log] returns ok [suffix] Looking up realm "icgeb.ts.it" for User-Name = "palmi@icgeb.ts.it" [suffix] Found realm "icgeb.ts.it" [suffix] Adding Stripped-User-Name = "palmi" [suffix] Adding Realm = "icgeb.ts.it" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 10 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/eduroam +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "220" User-Name = "palmi" [peap] Saving response in the cache [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/eduroam +- entering group post-auth {...} [reply_log] expand: /var/log/radius/radacct/reply-detail.log -> /var/log/radius/radacct/reply-detail.log [reply_log] /var/log/radius/radacct/reply-detail.log expands to /var/log/radius/radacct/reply-detail.log [reply_log] expand: %t -> Fri Jul 19 15:02:52 2013 ++[reply_log] returns ok ++? if (Cisco-AVPair == "ssid=XXX-ER") ? Evaluating (Cisco-AVPair == "ssid=XXX-ER") -> TRUE ++? if (Cisco-AVPair == "ssid=XXX-ER") -> TRUE ++- entering if (Cisco-AVPair == "ssid=XXX-ER") {...} [f_ticks] expand: %{reply:Packet-Type} -> Access-Accept [f_ticks] expand: f_ticks.%{%{reply:Packet-Type}:-format} -> f_ticks.Access-Accept [f_ticks] expand: /var/log/radius/radacct/f_ticks -> /var/log/radius/radacct/f_ticks [f_ticks] expand: F- TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=LU#VISINST=YOUR-ID#CSI=%{Calling- Station-Id}#RESULT=OK# -> F- TICKS/eduroam/1.0#REALM=icgeb.ts.it#VISCOUNTRY=LU#VISINST=YOUR- ID#CSI=d49a.2063.2450#RESULT=OK# +++[f_ticks] returns ok ++- if (Cisco-AVPair == "ssid=XXX-ER") returns ok } # server eduroam Sending Access-Accept of id 189 to 172.16.254.45 port 1645 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "220" User-Name = "palmi" MS-MPPE-Recv-Key = 0xf308f970d2507771e30d0f1cc87c6d35ab9a6c65b56dfec2141f50273d6045ff MS-MPPE-Send-Key = 0xa68961323bdf00916cf8ee1043d99477eeaf6a46de78f1101234e9a8a5faf8e2 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 9. Going to the next request Waking up in 4.6 seconds. rad_recv: Accounting-Request packet from host 172.16.254.45 port 1646, id=17, length=366 Acct-Session-Id = "0000038C" Called-Station-Id = "003a.9ae0.1460" Calling-Station-Id = "d49a.2063.2450" Cisco-AVPair = "ssid=XXX-ER" Cisco-AVPair = "vlan-id=220" Cisco-AVPair = "nas-location=Floor Ground, Building F1 (test)" WISPr-Location-Name = "Floor Ground, Building F1 (test)" User-Name = "palmi" Cisco-AVPair = "connect-progress=Call Up" Acct-Authentic = RADIUS Acct-Status-Type = Start NAS-Port-Type = Wireless-802.11 NAS-Port = 1016 NAS-Port-Id = "1016" Service-Type = Framed-User NAS-IP-Address = 172.16.254.45 Acct-Delay-Time = 0 server eduroam { # Executing section preacct from file /etc/raddb/sites-enabled/eduroam +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 1016,Client-IP-Address = 172.16.254.45,NAS- IP-Address = 172.16.254.45,Acct-Session-Id = "0000038C",User-Name = "palmi"' [acct_unique] Acct-Unique-Session-ID = "4cdcd06ed9699fd5". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "palmi", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "palmi" [suffix] Adding Realm = "NULL" [suffix] Accounting realm is LOCAL. ++[suffix] returns ok [files] expand: %{Stripped-User-Name} -> palmi [files] expand: %{%{Stripped-User-Name}:-%{User-Name}} -> palmi ++[files] returns noop # Executing section accounting from file /etc/raddb/sites-enabled/eduroam +- entering group accounting {...} [detail] expand: /var/log/radius/radacct/detail -> /var/log/radius/radacct/detail [detail] /var/log/radius/radacct/detail expands to /var/log/radius/radacct/detail [detail] expand: %t -> Fri Jul 19 15:02:52 2013 ++[detail] returns ok [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{Stripped-User-Name} -> palmi [radutmp] expand: %{%{Stripped-User-Name}:-%{User-Name}} -> palmi ++[radutmp] returns ok [sradutmp] expand: /var/log/radius/sradutmp -> /var/log/radius/sradutmp [sradutmp] expand: %{User-Name} -> palmi ++[sradutmp] returns ok } # server eduroam Sending Accounting-Response of id 17 to 172.16.254.45 port 1646 Finished request 10. Cleaning up request 10 ID 17 with timestamp +7 Going to the next request Waking up in 4.5 seconds. Cleaning up request 0 ID 180 with timestamp +6 Cleaning up request 1 ID 181 with timestamp +6 Cleaning up request 2 ID 182 with timestamp +7 Cleaning up request 3 ID 183 with timestamp +7 Cleaning up request 4 ID 184 with timestamp +7 Cleaning up request 5 ID 185 with timestamp +7 Cleaning up request 6 ID 186 with timestamp +7 Cleaning up request 7 ID 187 with timestamp +7 Cleaning up request 8 ID 188 with timestamp +7 Cleaning up request 9 ID 189 with timestamp +7 Ready to process requests. ################################################################################################### HERE I DISCONNECTED FROM WIRELESS NETWORK ################################################################################################### rad_recv: Accounting-Request packet from host 172.16.254.45 port 1646, id=18, length=465 Acct-Session-Id = "0000038C" Called-Station-Id = "003a.9ae0.1460" Calling-Station-Id = "d49a.2063.2450" Cisco-AVPair = "ssid=XXX-ER" Cisco-AVPair = "vlan-id=220" Cisco-AVPair = "nas-location=Floor Ground, Building F1 (test)" WISPr-Location-Name = "Floor Ground, Building F1 (test)" Cisco-AVPair = "auth-algo-type=eap-peap" User-Name = "palmi" Acct-Authentic = RADIUS Cisco-AVPair = "connect-progress=Call Up" Acct-Session-Time = 37 Acct-Input-Octets = 19549 Acct-Output-Octets = 15498 Acct-Input-Packets = 88 Acct-Output-Packets = 72 Acct-Terminate-Cause = Lost-Carrier Cisco-AVPair = "disc-cause-ext=No Reason" Acct-Status-Type = Stop NAS-Port-Type = Wireless-802.11 NAS-Port = 1016 NAS-Port-Id = "1016" Service-Type = Framed-User NAS-IP-Address = 172.16.254.45 Acct-Delay-Time = 0 server eduroam { # Executing section preacct from file /etc/raddb/sites-enabled/eduroam +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 1016,Client-IP-Address = 172.16.254.45,NAS- IP-Address = 172.16.254.45,Acct-Session-Id = "0000038C",User-Name = "palmi"' [acct_unique] Acct-Unique-Session-ID = "4cdcd06ed9699fd5". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "palmi", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "palmi" [suffix] Adding Realm = "NULL" [suffix] Accounting realm is LOCAL. ++[suffix] returns ok [files] expand: %{Stripped-User-Name} -> palmi [files] expand: %{%{Stripped-User-Name}:-%{User-Name}} -> palmi ++[files] returns noop # Executing section accounting from file /etc/raddb/sites-enabled/eduroam +- entering group accounting {...} [detail] expand: /var/log/radius/radacct/detail -> /var/log/radius/radacct/detail [detail] /var/log/radius/radacct/detail expands to /var/log/radius/radacct/detail [detail] expand: %t -> Fri Jul 19 15:03:28 2013 ++[detail] returns ok [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{Stripped-User-Name} -> palmi [radutmp] expand: %{%{Stripped-User-Name}:-%{User-Name}} -> palmi ++[radutmp] returns ok [sradutmp] expand: /var/log/radius/sradutmp -> /var/log/radius/sradutmp [sradutmp] expand: %{User-Name} -> palmi ++[sradutmp] returns ok } # server eduroam Sending Accounting-Response of id 18 to 172.16.254.45 port 1646 Finished request 11. Cleaning up request 11 ID 18 with timestamp +43 Going to the next request Ready to process requests.
Hi,
I am configuring my freeradius to be integrated in the EDUROAM federation. It works when the VLAN (as configured in the accesspoint) is statically assigned.
there are hundreds of sites using this sort of configuration for eduroam - so its perfectly possible and fine (and standard!) so you're going wrong somewhere. so, thats the piece of mind part. where has it gone wrong? well, firstly, is there DHCP etc on the VLAN this client is being dropped onto? have you tested the network? what happens if the AP only handles that VLAN? is this a 'fat/autonomous' AP? if so, then only latest firmware can handle multiple VLANS per 802.1X SSID with multiple BSSIDs present. are you returning ALL the VLAN attributes needed to assign VLAN on the AP? not JUST the VLAN number..name.... ah yes, are you sending NAME or VLAN int he VLAN tag? are you sending the replys from the tunnel = check eap.conf settings! debug output helps a lot so yes, send it. alan
You are right, I know! On Friday 19 July 2013 15:52:43 A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
I am configuring my freeradius to be integrated in the EDUROAM federation. It works when the VLAN (as configured in the accesspoint) is statically assigned.
there are hundreds of sites using this sort of configuration for eduroam - so its perfectly possible and fine (and standard!) so you're going wrong somewhere.
so, thats the piece of mind part. where has it gone wrong? well, firstly, is there DHCP etc on the VLAN this client is being dropped onto? have you tested the network? what happens if the AP only handles that VLAN?
The specific configuration works fine I remove the following line from users file: Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private- Group-ID := 218 In this case the user is placed in the vlan 220 (the statically configured in the accesspoint).
is this a 'fat/autonomous' AP? if so, then only latest firmware can handle multiple VLANS per 802.1X SSID with multiple BSSIDs present.
This could be the problem, I found something in the Cisco documentation but was unsure the problem could be this. The accesspoint is running Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(10b)JDA3, RELEASE SOFTWARE (fc1) I will try to verify what you say on the cisco site. My accesspoints are End Of Life, I do not know if any new IOS version has been developed to eventually correct the problem you say.
are you returning ALL the VLAN attributes needed to assign VLAN on the AP? not JUST the VLAN number..name.... ah yes, are you sending NAME or VLAN int he VLAN tag?
number
are you sending the replys from the tunnel = check eap.conf settings!
eap.conf (in peap stanza) says: copy_request_to_tunnel = yes use_tunneled_reply = yes
debug output helps a lot so yes, send it.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for your directions (many) Dario
On Friday 19 July 2013 16:54:13 A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
The specific configuration works fine I remove the following line from users file: Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private- Group-ID := 218
Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 218
Same result, do not get the ip, it is isolated.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Jul 19, 2013 at 04:20:51PM +0200, Dario Palmisano wrote:
is this a 'fat/autonomous' AP? if so, then only latest firmware can handle multiple VLANS per 802.1X SSID with multiple BSSIDs present.
This could be the problem, I found something in the Cisco documentation but was unsure the problem could be this. The accesspoint is running
If you have mbssid configured on the AP then user cannot be switched to a different vlan than the one bound to the ssid this user is connected to. Can you actually check if/how the users is associated on the AP? show dot11 associations shows the associated clients and show dot11 associations <mac address> shows the specific client detail information including the vlan. mk
At the end, thanks to the list suggestions I found in the cisco docs the sentence: "Keep these guidelines in mind when configuring multiple BSSIDs: RADIUS-assigned VLANs are not supported when you enable multiple BSSIDs." So it seems not to be related to the IOS version, is it? Is there any way to overcome this somehow, if not... Thanks everybody for the kind cooperation Best regards Dario
On Fri, Jul 19, 2013 at 04:20:51PM +0200, Dario Palmisano wrote:
is this a 'fat/autonomous' AP? if so, then only latest firmware can handle multiple VLANS per 802.1X SSID with multiple BSSIDs present.
This could be the problem, I found something in the Cisco documentation but was unsure the problem could be this. The accesspoint is running
If you have mbssid configured on the AP then user cannot be switched to a different vlan than the one bound to the ssid this user is connected to.
I have such configuration! Can you
Can you actually check if/how the users is associated on the AP?
show dot11 associations
shows the associated clients and
show dot11 associations <mac address>
shows the specific client detail information including the vlan.
mk - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
______________________________________________________________ Dario Palmisano ICGEB Computer System & Network Administrator Tel: +39 040 3757330 Fax: +39 040 226555 E-Mail: Dario.Palmisano@icgeb.org International Centre for Genetic Engineering and Biotechnology Area Science Park, Padriciano 99, I-34149 Trieste, ITALY ______________________________________________________________
On Fri, Jul 19, 2013 at 06:03:31PM +0200, Dario Palmisano wrote:
RADIUS-assigned VLANs are not supported when you enable multiple BSSIDs."
So it seems not to be related to the IOS version, is it?
Is there any way to overcome this somehow, if not...
Do you actually need multiple bssids? mk
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Arran Cudbard-Bell -
Dario Palmisano -
Martin Kraus