Reply attribute in access-accept while doing eap-mschapv2
Hi all! It seems like a missed some basic concepts about eap in freeradius. How to make freeradius return attribute for a specific user? I'm using freeradius-3.0.3. I created user in mysql (radcheck) as usual: test Cleartext-Password := test And add to radreply table: test Class = temp_class And when I do eap-mschapv2 I did not receive Class attribute. I need help to clarify this concept and advice how to include this attribute in the reply. PS: As one try I added to my default config in the post-auth section the following: update reply { Class = "%{Class}" } and after that the Class attribute appeared in the access-accept but it was empty. Thanks in advance! Best regards, Alex
This is my work around. Try this in post-auth update reply { Class = "%{sql:SELECT `value` FROM `radreply` WHERE `username`='%{User-Name}' and `attribute`='Class';}" } I tried enabling use_tunnled_reply=yes. But no reply is sent through access accept. On 23/05/2014 2:10 AM, "free.aaa" <free.aaa@gmail.com> wrote:
Hi all!
It seems like a missed some basic concepts about eap in freeradius. How to make freeradius return attribute for a specific user?
I'm using freeradius-3.0.3.
I created user in mysql (radcheck) as usual: test Cleartext-Password := test
And add to radreply table: test Class = temp_class
And when I do eap-mschapv2 I did not receive Class attribute.
I need help to clarify this concept and advice how to include this attribute in the reply.
PS: As one try I added to my default config in the post-auth section the following:
update reply { Class = "%{Class}" }
and after that the Class attribute appeared in the access-accept but it was empty.
Thanks in advance! Best regards, Alex
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Thanks! It works! But anyway It would be nice if someone clarify why standard radreply attributes did not work with eap stuff. 23.05.2014 5:11, * ?????:
This is my work around.
Try this in post-auth
update reply {
Class = "%{sql:SELECT `value` FROM `radreply` WHERE `username`='%{User-Name}' and `attribute`='Class';}"
}
I tried enabling use_tunnled_reply=yes. But no reply is sent through access accept.
On 23/05/2014 2:10 AM, "free.aaa" <free.aaa@gmail.com <mailto:free.aaa@gmail.com>> wrote:
Hi all!
It seems like a missed some basic concepts about eap in freeradius. How to make freeradius return attribute for a specific user?
I'm using freeradius-3.0.3.
I created user in mysql (radcheck) as usual: test Cleartext-Password := test
And add to radreply table: test Class = temp_class
And when I do eap-mschapv2 I did not receive Class attribute.
I need help to clarify this concept and advice how to include this attribute in the reply.
PS: As one try I added to my default config in the post-auth section the following:
update reply { Class = "%{Class}" }
and after that the Class attribute appeared in the access-accept but it was empty.
Thanks in advance! Best regards, Alex
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan,
radiusd -X
Here it is the output starting with eap module: (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0x5a52ce915851d4f0 (3) eap : Finished EAP session with state 0x5a52ce915851d4f0 (3) eap : Previous EAP request found for state 0x5a52ce915851d4f0, released from the list (3) eap : Peer sent MSCHAPv2 (26) (3) eap : EAP MSCHAPv2 (26) (3) eap : Calling eap_mschapv2 to process EAP data (3) eap : Freeing handler (3) [eap] = ok (3) } # authenticate = ok (3) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (3) post-auth { (3) switch &Huntgroup-Name { (3) case hVPN { (3) *update reply {** **(3) EXPAND %{Class}** **(3) -->** **(3) Class = 0x* (3) } # update reply = noop (3) } # case hVPN = noop (3) } # switch &Huntgroup-Name = noop (3) sql : EXPAND .query (3) sql : --> .query (3) sql : Using query template 'query' rlm_sql (sql): Reserved connection (4) (3) sql : EXPAND %{User-Name} (3) sql : --> alex (3) sql : SQL-User-Name set to 'alex' (3) sql : EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (3) sql : --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'alex', '', 'Access-Accept', '2014-05-23 19:18:39') rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'alex', '', 'Access-Accept', '2014-05-23 19:18:39')' rlm_sql (sql): Released connection (4) (3) [sql] = ok (3) [exec] = noop (3) remove_reply_message_if_eap remove_reply_message_if_eap { (3) if (reply:EAP-Message && reply:Reply-Message) (3) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (3) else else { (3) [noop] = noop (3) } # else else = noop (3) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (3) } # post-auth = ok Sending Access-Accept Id 35 from 192.168.10.191:1812 to 192.168.10.201:37584 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0xf8d37a9bb5a0ba0255cdf0b35460fedb MS-MPPE-Recv-Key = 0xe07010b108e1d452513af46337a818aa EAP-Message = 0x03030004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'alex' *Class = 0x* (3) Finished request This is a result when I do: post-auth { update reply { Class = "%{Class}" } }
free.aaa wrote:
Hi Alan,
radiusd -X
Here it is the output starting with eap module:
That isn't overly useful.
(3) * update reply {** **(3) EXPAND %{Class}** **(3) -->** **(3) Class = 0x*
All that means is there's no Class in the request. Go look at the REST of the debug output to see why. Alan DeKok.
(3) * update reply {** **(3) EXPAND %{Class}** **(3) -->** **(3) Class = 0x* All that means is there's no Class in the request. Go look at the REST of the debug output to see why.
Request does not contain Class attribute indeed. I thought that by using construction like:
update reply { Class = "%{Class}" }
i can grab that attribute from mysql radreply table and insert it in the reply. Anyway why attributes from radreply does not get inserted in access-accept when using eap-mschapv2 by default? Thanks for your help.
free.aaa wrote:
Request does not contain Class attribute indeed.
You didn't show that in the debug log.
I thought that by using construction like:
update reply { Class = "%{Class}" }
i can grab that attribute from mysql radreply table and insert it in the reply.
That comment makes no sense.
Anyway why attributes from radreply does not get inserted in access-accept when using eap-mschapv2 by default?
They should be. Alan DeKok.
I removed from config all stuff about update reply. And after detailed review of debug output i see Class attribute in some access-challenge messages, but not in access-accept. Here it is all output from radiusd -X. Received *Access-Request* Id 248 from 192.168.10.201:59882 to 192.168.10.191:1812 length 141 User-Name = 'temp' NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 5 NAS-Port-Id = 'test1' NAS-IP-Address = 192.168.10.234 Called-Station-Id = '192.168.10.234[4500]' Calling-Station-Id = '93.80.16.38[4500]' EAP-Message = 0x020000090174656d70 NAS-Identifier = 'gateway' Message-Authenticator = 0x1b4fcfd646f936dceab6f4fddbc8f992 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (User-Name != "%{tolower:%{User-Name}}") (0) EXPAND %{tolower:%{User-Name}} (0) --> temp (0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) if (User-Name =~ / /) (0) if (User-Name =~ / /) -> FALSE (0) if (User-Name =~ /@.*@/ ) (0) if (User-Name =~ /@.*@/ ) -> FALSE (0) if (User-Name =~ /\\.\\./ ) (0) if (User-Name =~ /\\.\\./ ) -> FALSE (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (User-Name =~ /\\.$/) (0) if (User-Name =~ /\\.$/) -> FALSE (0) if (User-Name =~ /@\\./) (0) if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) update request { (0) EXPAND %{User-Name} (0) --> temp (0) SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup WHERE nasipaddress='192.168.10.201'' rlm_sql (sql): Released connection (4) (0) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{Packet-Src-IP-Address}'} (0) --> hVPN (0) Huntgroup-Name := '"hVPN"' (0) } # update request = noop (0) switch &Huntgroup-Name { (0) case hVPN { (0) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") (0) sql_groupcmp (0) EXPAND %{User-Name} (0) --> temp (0) SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) (0) EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) --> SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority' (0) sql_groupcmp finished: User is a member of group vpn-usr rlm_sql (sql): Released connection (4) (0) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") -> TRUE (0) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") { (0) [ok] = ok (0) } # if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") = ok (0) ... skipping elsif for request 0: Preceding "if" was taken (0) ... skipping else for request 0: Preceding "if" was taken (0) } # case hVPN = ok (0) } # switch &Huntgroup-Name = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "temp", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : EAP packet type response id 0 length 9 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) eap : Peer sent Identity (1) (0) eap : Calling eap_md5 to process EAP data (0) eap_md5 : Issuing MD5 Challenge (0) eap : New EAP session, adding 'State' attribute to reply 0x5df2a0505df3a42e (0) [eap] = handled (0) } # authenticate = handled Sending *Access-Challenge *Id 248 from 192.168.10.191:1812 to 192.168.10.201:59882 EAP-Message = 0x010100160410155cc3fbd296329e1f248410d4b22746 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5df2a0505df3a42e07f74e7f5a56fbca (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 249 from 192.168.10.201:59882 to 192.168.10.191:1812 length 156 User-Name = 'temp' NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 5 NAS-Port-Id = 'test1' NAS-IP-Address = 192.168.10.234 Called-Station-Id = '192.168.10.234[4500]' Calling-Station-Id = '93.80.16.38[4500]' EAP-Message = 0x02010006031a NAS-Identifier = 'gateway' State = 0x5df2a0505df3a42e07f74e7f5a56fbca Message-Authenticator = 0x379292a6a43305dfd5ba975c67efea76 (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) if (User-Name != "%{tolower:%{User-Name}}") (1) EXPAND %{tolower:%{User-Name}} (1) --> temp (1) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (1) if (User-Name =~ / /) (1) if (User-Name =~ / /) -> FALSE (1) if (User-Name =~ /@.*@/ ) (1) if (User-Name =~ /@.*@/ ) -> FALSE (1) if (User-Name =~ /\\.\\./ ) (1) if (User-Name =~ /\\.\\./ ) -> FALSE (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) if (User-Name =~ /\\.$/) (1) if (User-Name =~ /\\.$/) -> FALSE (1) if (User-Name =~ /@\\./) (1) if (User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) update request { (1) EXPAND %{User-Name} (1) --> temp (1) SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup WHERE nasipaddress='192.168.10.201'' rlm_sql (sql): Released connection (4) (1) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{Packet-Src-IP-Address}'} (1) --> hVPN (1) Huntgroup-Name := '"hVPN"' (1) } # update request = noop (1) switch &Huntgroup-Name { (1) case hVPN { (1) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") (1) sql_groupcmp (1) EXPAND %{User-Name} (1) --> temp (1) SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) (1) EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (1) --> SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority' (1) sql_groupcmp finished: User is a member of group vpn-usr rlm_sql (sql): Released connection (4) (1) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") -> TRUE (1) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") { (1) [ok] = ok (1) } # if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") = ok (1) ... skipping elsif for request 1: Preceding "if" was taken (1) ... skipping else for request 1: Preceding "if" was taken (1) } # case hVPN = ok (1) } # switch &Huntgroup-Name = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : No '@' in User-Name = "temp", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop (1) eap : EAP packet type response id 1 length 6 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) sql : EXPAND %{User-Name} (1) sql : --> temp (1) sql : SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) (1) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'temp' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'temp' ORDER BY id' (1) sql : User found in radcheck table (1) sql : Check items matched (1) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql : --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'temp' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = 'temp' ORDER BY id' (1) sql : User found in radreply table (1) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (1) sql : --> SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority' (1) sql : User found in the group table (1) sql : EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id (1) sql : --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY id' (1) sql : Group "vpn-usr" check items matched (1) sql : EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id (1) sql : --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vpn-usr' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vpn-usr' ORDER BY id' (1) sql : Group "vpn-usr" reply items processed rlm_sql (sql): Released connection (4) (1) [sql] = ok (1) [expiration] = noop (1) [logintime] = noop (1) WARNING: pap : Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = EAP (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0x5df2a0505df3a42e (1) eap : Finished EAP session with state 0x5df2a0505df3a42e (1) eap : Previous EAP request found for state 0x5df2a0505df3a42e, released from the list (1) eap : Peer sent NAK (3) (1) eap : Found mutually acceptable type MSCHAPv2 (26) (1) eap : Calling eap_mschapv2 to process EAP data (1) eap_mschapv2 : Issuing Challenge (1) eap : New EAP session, adding 'State' attribute to reply 0x5df2a0505cf0ba2e (1) [eap] = handled (1) } # authenticate = handled Sending *Access-Challenge* Id 249 from 192.168.10.191:1812 to 192.168.10.201:59882 *Class *= 0x6d79636c617373 EAP-Message = 0x0102001e1a0102001910362d923290bd75ecc6814d14e491598774656d70 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5df2a0505cf0ba2e07f74e7f5a56fbca (1) Finished request Waking up in 0.3 seconds. Received *Access-Request* Id 250 from 192.168.10.201:59882 to 192.168.10.191:1812 length 213 User-Name = 'temp' NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 5 NAS-Port-Id = 'test1' NAS-IP-Address = 192.168.10.234 Called-Station-Id = '192.168.10.234[4500]' Calling-Station-Id = '93.80.16.38[4500]' EAP-Message = 0x0202003f1a0202003a31440620e8b9a9a347ad6c2f345041ee5b000000000000000036451431ac5eebe501d403085a2c344aee284396153aaf210074656d70 NAS-Identifier = 'gateway' State = 0x5df2a0505cf0ba2e07f74e7f5a56fbca Message-Authenticator = 0x8e5b760a40c5c11205c4f6348f947c66 (2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) if (User-Name != "%{tolower:%{User-Name}}") (2) EXPAND %{tolower:%{User-Name}} (2) --> temp (2) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (2) if (User-Name =~ / /) (2) if (User-Name =~ / /) -> FALSE (2) if (User-Name =~ /@.*@/ ) (2) if (User-Name =~ /@.*@/ ) -> FALSE (2) if (User-Name =~ /\\.\\./ ) (2) if (User-Name =~ /\\.\\./ ) -> FALSE (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) if (User-Name =~ /\\.$/) (2) if (User-Name =~ /\\.$/) -> FALSE (2) if (User-Name =~ /@\\./) (2) if (User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) update request { (2) EXPAND %{User-Name} (2) --> temp (2) SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup WHERE nasipaddress='192.168.10.201'' rlm_sql (sql): Released connection (4) (2) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{Packet-Src-IP-Address}'} (2) --> hVPN (2) Huntgroup-Name := '"hVPN"' (2) } # update request = noop (2) switch &Huntgroup-Name { (2) case hVPN { (2) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") (2) sql_groupcmp (2) EXPAND %{User-Name} (2) --> temp (2) SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) (2) EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (2) --> SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority' (2) sql_groupcmp finished: User is a member of group vpn-usr rlm_sql (sql): Released connection (4) (2) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") -> TRUE (2) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") { (2) [ok] = ok (2) } # if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") = ok (2) ... skipping elsif for request 2: Preceding "if" was taken (2) ... skipping else for request 2: Preceding "if" was taken (2) } # case hVPN = ok (2) } # switch &Huntgroup-Name = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "temp", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) eap : EAP packet type response id 2 length 63 (2) eap : No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) sql : EXPAND %{User-Name} (2) sql : --> temp (2) sql : SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) (2) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (2) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'temp' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'temp' ORDER BY id' (2) sql : User found in radcheck table (2) sql : Check items matched (2) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (2) sql : --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'temp' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = 'temp' ORDER BY id' (2) sql : User found in radreply table (2) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (2) sql : --> SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority' (2) sql : User found in the group table (2) sql : EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id (2) sql : --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY id' (2) sql : Group "vpn-usr" check items matched (2) sql : EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id (2) sql : --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vpn-usr' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vpn-usr' ORDER BY id' (2) sql : Group "vpn-usr" reply items processed rlm_sql (sql): Released connection (4) (2) [sql] = ok (2) [expiration] = noop (2) [logintime] = noop (2) WARNING: pap : Auth-Type already set. Not setting to PAP (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = EAP (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0x5df2a0505cf0ba2e (2) eap : Finished EAP session with state 0x5df2a0505cf0ba2e (2) eap : Previous EAP request found for state 0x5df2a0505cf0ba2e, released from the list (2) eap : Peer sent MSCHAPv2 (26) (2) eap : EAP MSCHAPv2 (26) (2) eap : Calling eap_mschapv2 to process EAP data (2) eap_mschapv2 : # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) eap_mschapv2 : Auth-Type MS-CHAP { (2) mschap : Found Cleartext-Password, hashing to create LM-Password (2) mschap : Found Cleartext-Password, hashing to create NT-Password (2) mschap : Creating challenge hash with username: temp (2) mschap : Client is using MS-CHAPv2 (2) mschap : Adding MS-CHAPv2 MPPE keys (2) [mschap] = ok (2) } # Auth-Type MS-CHAP = ok MSCHAP Success (2) eap : New EAP session, adding 'State' attribute to reply 0x5df2a0505ff1ba2e (2) [eap] = handled (2) } # authenticate = handled Sending *Access-Challenge *Id 250 from 192.168.10.191:1812 to 192.168.10.201:59882 * Class = *0x6d79636c617373 EAP-Message = 0x010300331a0302002e533d37433431313734354230434342434642433642443939384239313546374639354339443630303232 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5df2a0505ff1ba2e07f74e7f5a56fbca (2) Finished request Waking up in 0.3 seconds. Received *Access-Request* Id 251 from 192.168.10.201:59882 to 192.168.10.191:1812 length 156 User-Name = 'temp' NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 5 NAS-Port-Id = 'test1' NAS-IP-Address = 192.168.10.234 Called-Station-Id = '192.168.10.234[4500]' Calling-Station-Id = '93.80.16.38[4500]' EAP-Message = 0x020300061a03 NAS-Identifier = 'gateway' State = 0x5df2a0505ff1ba2e07f74e7f5a56fbca Message-Authenticator = 0x0651a29f80e0bee2a19fcbb7e6d6e58a (3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (3) authorize { (3) filter_username filter_username { (3) if (User-Name != "%{tolower:%{User-Name}}") (3) EXPAND %{tolower:%{User-Name}} (3) --> temp (3) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (3) if (User-Name =~ / /) (3) if (User-Name =~ / /) -> FALSE (3) if (User-Name =~ /@.*@/ ) (3) if (User-Name =~ /@.*@/ ) -> FALSE (3) if (User-Name =~ /\\.\\./ ) (3) if (User-Name =~ /\\.\\./ ) -> FALSE (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (3) if (User-Name =~ /\\.$/) (3) if (User-Name =~ /\\.$/) -> FALSE (3) if (User-Name =~ /@\\./) (3) if (User-Name =~ /@\\./) -> FALSE (3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) update request { (3) EXPAND %{User-Name} (3) --> temp (3) SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup WHERE nasipaddress='192.168.10.201'' rlm_sql (sql): Released connection (4) (3) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{Packet-Src-IP-Address}'} (3) --> hVPN (3) Huntgroup-Name := '"hVPN"' (3) } # update request = noop (3) switch &Huntgroup-Name { (3) case hVPN { (3) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") (3) sql_groupcmp (3) EXPAND %{User-Name} (3) --> temp (3) SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) (3) EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (3) --> SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority' (3) sql_groupcmp finished: User is a member of group vpn-usr rlm_sql (sql): Released connection (4) (3) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") -> TRUE (3) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") { (3) [ok] = ok (3) } # if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") = ok (3) ... skipping elsif for request 3: Preceding "if" was taken (3) ... skipping else for request 3: Preceding "if" was taken (3) } # case hVPN = ok (3) } # switch &Huntgroup-Name = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : No '@' in User-Name = "temp", looking up realm NULL (3) suffix : No such realm "NULL" (3) [suffix] = noop (3) eap : EAP packet type response id 3 length 6 (3) eap : EAP-MSCHAPV2 success, returning short-circuit ok (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0x5df2a0505ff1ba2e (3) eap : Finished EAP session with state 0x5df2a0505ff1ba2e (3) eap : Previous EAP request found for state 0x5df2a0505ff1ba2e, released from the list (3) eap : Peer sent MSCHAPv2 (26) (3) eap : EAP MSCHAPv2 (26) (3) eap : Calling eap_mschapv2 to process EAP data (3) eap : Freeing handler (3) [eap] = ok (3) } # authenticate = ok (3) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (3) post-auth { (3) sql : EXPAND .query (3) sql : --> .query (3) sql : Using query template 'query' rlm_sql (sql): Reserved connection (4) (3) sql : EXPAND %{User-Name} (3) sql : --> temp (3) sql : SQL-User-Name set to 'temp' (3) sql : EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (3) sql : --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'temp', '', 'Access-Accept', '2014-05-24 16:02:04') rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'temp', '', 'Access-Accept', '2014-05-24 16:02:04')' rlm_sql (sql): Released connection (4) (3) [sql] = ok (3) [exec] = noop (3) remove_reply_message_if_eap remove_reply_message_if_eap { (3) if (reply:EAP-Message && reply:Reply-Message) (3) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (3) else else { (3) [noop] = noop (3) } # else else = noop (3) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (3) } # post-auth = ok Sending *Access-Accept* Id 251 from 192.168.10.191:1812 to 192.168.10.201:59882 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0x49955e70c686fcc5f62abd7bac225266 MS-MPPE-Recv-Key = 0x74a2ad3fd3b60c672a35d5c5ad028f3c EAP-Message = 0x03030004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'temp' (3) Finished request Waking up in 0.2 seconds. Waking up in 4.6 seconds. (0) Cleaning up request packet ID 248 with timestamp +15 (1) Cleaning up request packet ID 249 with timestamp +15 (2) Cleaning up request packet ID 250 with timestamp +15 (3) Cleaning up request packet ID 251 with timestamp +15 Ready to process requests. 23.05.2014 19:27, Alan DeKok ?????:
free.aaa wrote:
Request does not contain Class attribute indeed. You didn't show that in the debug log.
I thought that by using construction like:
update reply { Class = "%{Class}" }
i can grab that attribute from mysql radreply table and insert it in the reply. That comment makes no sense.
Anyway why attributes from radreply does not get inserted in access-accept when using eap-mschapv2 by default? They should be.
free.aaa wrote:
I removed from config all stuff about update reply. And after detailed review of debug output i see Class attribute in some access-challenge messages, but not in access-accept.
Where is the Class attribute coming from? Normally, if it's in SQL radreply table, it gets sent back in *all* packets. Alan DeKok.
24.05.2014 18:56, Alan DeKok пишет:
free.aaa wrote:
I removed from config all stuff about update reply. And after detailed review of debug output i see Class attribute in some access-challenge messages, but not in access-accept. Where is the Class attribute coming from? Yep, I have that attribute in radreply mysql table:
temp Class = myclass
Normally, if it's in SQL radreply table, it gets sent back in *all* packets.
That's what i'm asking about. I have almost default config, so I have no idea why in some replies i see class but in others i don't.
I compared 2 debug outputs, one for the access-challenge and one for access-accept and found that in access-accept there is a string
eap : EAP-MSCHAPV2 success, returning short-circuit ok after which radius completely skip the radcheck and radreply table lookup. Contrary, in access-challenge all this lookups are not skipped and are inserted in reply packet.
Any help? 24.05.2014 18:56, Alan DeKok пишет:
free.aaa wrote:
I removed from config all stuff about update reply. And after detailed review of debug output i see Class attribute in some access-challenge messages, but not in access-accept. Where is the Class attribute coming from?
Normally, if it's in SQL radreply table, it gets sent back in *all* packets.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Any help how to do this with LDAP lookup? I add radiusAttribute to the user with the value of "class=temp_class" and in the post-auth section inserted the following:
update reply { Class = "%{ldap:ldap:///ou=accounts,ou=radius,dc=company,dc=org?radiusAttribute?sub?uid=%{User-Name}}" }
But as you can guess the result is that reply packet contains "Class = Class=temp_class". How to correctly handle this? 23.05.2014 5:11, * ?????:
This is my work around.
Try this in post-auth
update reply {
Class = "%{sql:SELECT `value` FROM `radreply` WHERE `username`='%{User-Name}' and `attribute`='Class';}"
}
I tried enabling use_tunnled_reply=yes. But no reply is sent through access accept.
On 23/05/2014 2:10 AM, "free.aaa" <free.aaa@gmail.com <mailto:free.aaa@gmail.com>> wrote:
Hi all!
It seems like a missed some basic concepts about eap in freeradius. How to make freeradius return attribute for a specific user?
I'm using freeradius-3.0.3.
I created user in mysql (radcheck) as usual: test Cleartext-Password := test
And add to radreply table: test Class = temp_class
And when I do eap-mschapv2 I did not receive Class attribute.
I need help to clarify this concept and advice how to include this attribute in the reply.
PS: As one try I added to my default config in the post-auth section the following:
update reply { Class = "%{Class}" }
and after that the Class attribute appeared in the access-accept but it was empty.
Thanks in advance! Best regards, Alex
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 22.05.2014 16:52, free.aaa wrote:
And when I do eap-mschapv2 I did not receive Class attribute.
That remains me an good 'old story : http://lists.freeradius.org/pipermail/freeradius-devel/2013-July/008451.html You'll have to either use a cache module, or do your SQL calls in post-auth in order to have your attributes in the final access-accept Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
Olivier, Thanks for reference! Did not find it before. 26.05.2014 13:50, Olivier Beytrison пишет:
On 22.05.2014 16:52, free.aaa wrote:
And when I do eap-mschapv2 I did not receive Class attribute. That remains me an good 'old story : http://lists.freeradius.org/pipermail/freeradius-devel/2013-July/008451.html
You'll have to either use a cache module, or do your SQL calls in post-auth in order to have your attributes in the final access-accept
Olivier
participants (5)
-
* -
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
free.aaa -
Olivier Beytrison