Hello, I need to reply an deniedServices ldap variable in Class attribute for a controller. I added it "replyItem Class deniedServices +=" at ldap.attrmap file. and sites-available/default file includes it. But it override the Class value to empty. update reply { Class += "%{Reply-Message}" } Where it is wrong? FreeRADIUS Version 2.2.8 Output parts are: [peap] Setting User-Name to tayfund Sending tunneled request EAP-Message = 0x020900421a0209003d3167738a93d83ed76e5251bbbaa183542f0000000000000000008955f2389888dbc3771d940bc5c9ade688b2ec3b08e4f80074617966756e64 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "tayfund" State = 0xb024cc1cb02dd66832d4a5f6f46a2d5f NAS-IP-Address = 10.200.0.2 NAS-Port = 0 NAS-Identifier = "10.200.0.5" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "748D08E39D7F" Called-Station-Id = "001A1E0015F0" Service-Type = Framed-User Framed-MTU = 1100 Aruba-Essid-Name = "SABANCIUNIV" Aruba-Location-Id = "BM_IT_NETSYS_7b:fe" Aruba-AP-Group = "BM_binasi" Aruba-Device-Type = "iPhone" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[mschap] = noop [suffix] No '@' in User-Name = "tayfund", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 9 length 66 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [ldap] performing user authorization for tayfund [ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=tayfund) [ldap] expand: o=sabanciuniv.edu -> o=sabanciuniv.edu [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=sabanciuniv.edu, with filter (uid=tayfund) [ldap] Added User-Password = 5F479EB90623041F464CD3F4B685C80A in check items [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}wM3CoVk5jYLVnHz8jyv6vHBlqv52bw==" [ldap] sambaNtPassword -> NT-Password == 0x3546343739454239303632333034314634363443443346344236383543383041 [ldap] sambaLmPassword -> LM-Password == 0x3836413243354632393945434139444343313745393630323543414633314130 [ldap] radiusAuthType -> Auth-Type == EAP [ldap] looking for reply items in directory... * [ldap] deniedServices -> Class += 0x7375636f75727365* [ldap] ou -> Operator-Name = "admin" [ldap] ou -> Operator-Name = "IT" [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok +} # group authorize = updated Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Found LM-Password [mschap] Found NT-Password [mschap] Creating challenge hash with username: tayfund [mschap] Client is using MS-CHAPv2 for tayfund, we need NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] = ok ++update outer.request { expand: %{User-Name} -> tayfund ++} # update outer.request = noop ++update outer.reply { expand: %{User-Name} -> tayfund ++} # update outer.reply = noop +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 Class += 0x7375636f75727365 Operator-Name = "admin" EAP-Message = 0x010a00331a0309002e533d38384136303239324543424441413244303139424145343031363537393336353637364246453633 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb024cc1cb12ed66832d4a5f6f46a2d5f [peap] Got tunneled reply RADIUS code Access-Challenge * Class += 0x7375636f75727365* Operator-Name = "admin" EAP-Message = 0x010a00331a0309002e533d38384136303239324543424441413244303139424145343031363537393336353637364246453633 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb024cc1cb12ed66832d4a5f6f46a2d5f [peap] Got tunneled Access-Challenge [peap] >>> Unknown TLS version [length 0005] ++[eap] = handled +} # group authenticate = handled Going to the next request rad_recv: Access-Request packet from host 10.200.0.5 port 52530, id=108, length=259 User-Name = "tayfund" NAS-IP-Address = 10.200.0.2 NAS-Port = 0 NAS-Identifier = "10.200.0.5" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "748D08E39D7F" Called-Station-Id = "001A1E0015F0" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020b002e190017030300239b010c14db2db49adb4087eaadbbbcf3628daf65188a552fdc7d8fbeb850ded62316e3 State = 0x0f5a59a0065140db3a8c7af8ad4bf4cc Aruba-Essid-Name = "SABANCIUNIV" Aruba-Location-Id = "BM_IT_NETSYS_7b:fe" Aruba-AP-Group = "BM_binasi" Aruba-Device-Type = "iPhone" Message-Authenticator = 0xa1cfe667210437f5f5eaf132bf431a90 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "tayfund", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 11 length 46 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< Unknown TLS version [length 0005] [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [tayfund] (from client 10.200.0.0/24 port 0 cli 748D08E39D7F) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { [reply_log] expand: %{Packet-Src-IP-Address} -> 10.200.0.5 [reply_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d -> /var/log/freeradius/radacct/10.200.0.5/reply-detail-20171003 [reply_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.200.0.5/reply-detail-20171003 [reply_log] expand: %t -> Tue Oct 3 12:06:11 2017 ++[reply_log] = ok ++[ldap] = noop ++[exec] = noop ++update reply { expand: %{Reply-Message} -> ++} # update reply = noop +} # group post-auth = ok Sending Access-Accept of id 108 to 10.200.0.5 port 52530 MS-MPPE-Recv-Key = 0xfc792d0aa5a1ff4c6e90676c80c47b799958fb603caf17dc11b68eeb182f922f MS-MPPE-Send-Key = 0x00176d351e6d75e96c0429fefa871f38022b851e2a897921fbc2ab0cc891ee5b EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "tayfund" Class = 0x Finished request 785. Going to the next request Cleaning up request 596 ID 154 with timestamp +11 Waking up in 0.1 seconds. rad_recv: Access-Request packet from host 10.200.0.5 port 52530, id=101, length=211 User-Name = "dbostan" NAS-IP-Address = 10.200.0.2 NAS-Port = 0 NAS-Identifier = "10.200.0.5" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "E0C767163B2F" Called-Station-Id = "001A1E0015F0" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020500061900 State = 0xf8fdecb8fbf8f57eaba961c2ded7fb6f Aruba-Essid-Name = "SABANCIUNIV" Aruba-Location-Id = "Yurt_A5_Kat1_AP4_60:6c" Aruba-AP-Group = "Yurt_Binasi" Message-Authenticator = 0xb071cd65a32ccfd350f5f7349f570df5 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "dbostan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [reply_log] expand: %{Packet-Src-IP-Address} -> 10.200.0.5 [reply_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d -> /var/log/freeradius/radacct/10.200.0.5/reply-detail-20171003 [reply_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.200.0.5/reply-detail-20171003 [reply_log] expand: %t -> Tue Oct 3 12:06:11 2017 ++[reply_log] = ok ++[ldap] = noop ++[exec] = noop ++update reply { * expand: %{Reply-Message} -> * ++} # update reply = noop +} # group post-auth = ok Sending Access-Accept of id 108 to 10.200.0.5 port 52530 MS-MPPE-Recv-Key = 0xfc792d0aa5a1ff4c6e90676c80c47b799958fb603caf17dc11b68eeb182f922f MS-MPPE-Send-Key = 0x00176d351e6d75e96c0429fefa871f38022b851e2a897921fbc2ab0cc891ee5b EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "tayfund" * Class = 0x* Finished request 785. Going to the next request Cleaning up request 596 ID 154 with timestamp +11 Waking up in 0.1 seconds. rad_recv: Access-Request packet from host 10.200.0.5 port 52530, id=101, length=211 User-Name = "dbostan" NAS-IP-Address = 10.200.0.2 NAS-Port = 0 NAS-Identifier = "10.200.0.5" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "E0C767163B2F" Called-Station-Id = "001A1E0015F0" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020500061900 State = 0xf8fdecb8fbf8f57eaba961c2ded7fb6f Aruba-Essid-Name = "SABANCIUNIV" Aruba-Location-Id = "Yurt_A5_Kat1_AP4_60:6c" Aruba-AP-Group = "Yurt_Binasi" Message-Authenticator = 0xb071cd65a32ccfd350f5f7349f570df5 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "dbostan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 101 to 10.200.0.5 port 52530 EAP-Message = 0x010601d31900b69aa50fb8b93f207dae4ab5b89ce41db6abe694a5c1c783addbf527870e046cd5ffdda05ded8752b72b1502ae39a66a74e9dac4e7bc4d341ea95c4d335f92092f88665d7797c71d7613a9d5e5f116091135d5acdb2471702c98560bd917b4d1e3512b5e75e8d5d0dc4f34edc2056680a1cbe633160301014b0c000147030017410475fb60921d74cf2365a6e0348d653613d6e5d1222e87ed4d9b572cb9402e0429049ec55655bf436673431b9c907c0181d6b68feeb9f350adc2dccee8f376d53d01005606850c2d8755fc048572396aaee257a555261ad7deaa9d4d1983db0ddc0b26679e7a3aeab13623ff652de806acd87337d63a EAP-Message = 0x55b131ca32435839495c0a854ab8507fdf5c7a420c64e3f205ef607f2df152265f4544b6b1a5673e05417a38f1e10b63c28438bda216249aff502a43efc8a154ce646da60df5da11d182a059f010c082389b4ad9f901113c159cfd4a0653583ea745983ba8ef9aae665699c04d3a9b642a33ba7bdb9d8960948823747e88e115f41d2114d4cb5f63aec906b7c53c45fb117bccf41276015597025d295aed742520a5bfd019b54e91c4986655fee8f7832ac166433b1f9897eb02f307bae930dc01b8cd0edd0d526d8bd201a8b416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf8fdecb8fcfbf57eaba961c2ded7fb6f Finished request 786. thanks.. -- *Umut A* System Specialist Information Technology Sabancı University
On Oct 3, 2017, at 5:23 AM, Umut Arus <umuta@sabanciuniv.edu> wrote:
I need to reply an deniedServices ldap variable in Class attribute for a controller. I added it "replyItem Class deniedServices +=" at ldap.attrmap file. and sites-available/default file includes it.
That should work.
But it override the Class value to empty. update reply { Class += "%{Reply-Message}" }
Read "man unlang". That sets Class to the contents of the Reply-Message contained in the *request*.
FreeRADIUS Version 2.2.8
Upgrade.
Output parts are:
[peap] Setting User-Name to tayfund Sending tunneled request EAP-Message = 0x020900421a0209003d3167738a93d83ed76e5251bbbaa183542f0000000000000000008955f2389888dbc3771d940bc5c9ade688b2ec3b08e4f80074617966756e64
EAP makes everything harder. You can't get get Class from LDAP in packet 3, and expect the same Class to be there in later packets. Upgrade to 3.0.15, and this will be MUCH easier to configure. Alan DeKok.
participants (2)
-
Alan DeKok -
Umut Arus