Config. Help please - ldap and Active Directory
Hi, I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) so please have patience. I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to authenticate against Active Directory using ntlm-auth. All working OK. Now I'm trying to return different reply attributes depending on Active Directory group membership and restrict which groups can authenticate. Ldap lookups against the active directory root fail with operation error. Reconfiguring Active Directory is not a viable option so I have to specify an OU=xxxx in the query. I have configured two instances of the ldap module for authorisation, one to query the staff ou and the other to query the student ou. Both work OK for valid queries but if the user does not exist in the ou the server still authenticates the username/password and grants access if valid. Relevant debug output: rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=stafftest) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap_student" returns notfound for request 8 modcall: leaving group student (returns notfound) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list ............................... rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Success rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 8 modcall: leaving group authenticate (returns ok) for request 8 Sending Access-Accept of id 104 to 10.127.240.217 port 1645 Relevant bits of radiusd.conf: ldap ldap_student{ server = "server.hud.ac.uk" identity = "cn=user,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk" password = secret port = 636 basedn = "ou=students, dc=ad, dc=hud, dc=ac, dc=uk" filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})" start_tls = no access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 } ........................................ instantiate { exec expr ldap_staff ldap_student } authorize { preprocess mschap suffix eap Autz-Type staff{ ldap_staff } Autz-Type student{ ldap_student } files } authenticate { Auth-Type MS-CHAP { mschap } eap } I want to reject the user if they are not in the relevant ou. I must be missing something obvious. Can anyone help please? Thanks in advance, Leighton
Am 06.03.2009 um 12:20 schrieb Leighton Man:
Hi, I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) so please have patience. I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to authenticate against Active Directory using ntlm-auth. All working OK. Now I'm trying to return different reply attributes depending on Active Directory group membership and restrict which groups can authenticate. Ldap lookups against the active directory root fail with operation error. Reconfiguring Active Directory is not a viable option so I have to specify an OU=xxxx in the query. I have configured two instances of the ldap module for authorisation, one to query the staff ou and the other to query the student ou. Both work OK for valid queries but if the user does not exist in the ou the server still authenticates the username/password and grants access if valid. Relevant debug output:
rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=stafftest) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap_student" returns notfound for request 8 modcall: leaving group student (returns notfound) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list
...............................
rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Success rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 8 modcall: leaving group authenticate (returns ok) for request 8 Sending Access-Accept of id 104 to 10.127.240.217 port 1645
Relevant bits of radiusd.conf:
ldap ldap_student{ server = "server.hud.ac.uk" identity = "cn=user,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk"
password = secret
Try using := instead of = or == You have to assign the password, not compare to it. Also perhaps you should use Cleartext-Password if the password is in clear here.
port = 636 basedn = "ou=students, dc=ad, dc=hud, dc=ac, dc=uk" filter = "(sAMAccountName=%{mschap:User-Name:-% {User-Name}})" start_tls = no
access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 groupname_attribute = cn groupmembership_filter = "(|(& (objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(& (objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 }
........................................
instantiate { exec expr ldap_staff ldap_student }
authorize { preprocess mschap suffix eap Autz-Type staff{ ldap_staff } Autz-Type student{ ldap_student } files }
authenticate { Auth-Type MS-CHAP { mschap } eap }
I want to reject the user if they are not in the relevant ou. I must be missing something obvious. Can anyone help please?
Thanks in advance, Leighton
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) so please have patience. I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to authenticate against Active Directory using ntlm-auth. All working OK. Now I'm trying to return different reply attributes depending on Active Directory group membership and restrict which groups can authenticate. Ldap lookups against the active directory root fail with operation error. Reconfiguring Active Directory is not a viable option so I have to specify an OU=xxxx in the query. I have configured two instances of the ldap module for authorisation, one to query the staff ou and the other to query the student ou. Both work OK for valid queries but if the user does not exist in the ou the server still authenticates the username/password and grants access if valid.
You need to upgrade to 2.x and use unlang. See man unlang on freeradius site. You need something like: if Ldap-Group == staff { do something } elsif Ldap-Group == student { do something else} else update control { to reject } Ivan Kalik Kalik Informatika ISP
I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) so please have patience. I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to authenticate against Active Directory using ntlm-auth. All working OK. Now I'm trying to return different reply attributes depending on Active Directory group membership and restrict which groups can authenticate. Ldap lookups against the active directory root fail with operation error. Reconfiguring Active Directory is not a viable option so I have to specify an OU=xxxx in the query. I have configured two instances of the ldap module for authorisation, one to query the staff ou and the other to query the student ou. Both work OK for valid queries but if the user does not exist in the ou the server still authenticates the username/password and grants access if valid.
You need to upgrade to 2.x and use unlang. See man unlang on freeradius site. You need something like: if Ldap-Group == staff { do something } elsif Ldap-Group == student { do something else} else update control { to reject } Ivan Kalik Kalik Informatika ISP Many thanks for this. I'm using 1.1.7 because it's available as a pre-built package on solaris for both sparc and x86 architectures. The idea is to get freeradius configured and working as fast as possible so it can be demo'd to management (I'm trying to retire Cisco ACS). Then to test it on x86 standard build which is being developed in parallel. Then, if all works, upgrade to latest version. Version 2.1.3 won't compile on my solaris box and the problem looks, to me, non-trivial. (dict.c:83: error: `PW_TYPE_STRING' undeclared here (not in a function)) Is there any way to do what I want without upgrading? Regards, Leighton
Leighton Man wrote:
Many thanks for this. I'm using 1.1.7 because it's available as a pre-built package on solaris for both sparc and x86 architectures. The idea is to get freeradius configured and working as fast as possible so it can be demo'd to management (I'm trying to retire Cisco ACS). Then to test it on x86 standard build which is being developed in parallel. Then, if all works, upgrade to latest version. Version 2.1.3 won't compile on my solaris box and the problem looks, to me, non-trivial. (dict.c:83: error: `PW_TYPE_STRING' undeclared here (not in a function))
Huh? It compiles on 3-4 different Solaris boxes that I have access to. Did you run "make" from the TOP directory, or by cd'ing to src/lib? Alan DeKok.
Huh? It compiles on 3-4 different Solaris boxes that I have access to. Did you run "make" from the TOP directory, or by cd'ing to src/lib? Alan DeKok. Tried "gmake" from the top directory and "gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS -I/export/home/cmsxljm/freeradius-server-2.1.3/src -c dict.c -fPIC -DPIC -o .libs/dict.o" (copy and paste from the gmake output) from the src/libs directory. Same error both times. Leighton
Leighton Man wrote:
Tried "gmake" from the top directory and "gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS -I/export/home/cmsxljm/freeradius-server-2.1.3/src -c dict.c -fPIC -DPIC -o .libs/dict.o" (copy and paste from the gmake output) from the src/libs directory. Same error both times.
Hmm... would it be possible to have to give *more* output? i.e. start from a fresh directory: $ tar -zxf freeradius-server-2.1.3.tar.gz $ cd freeradius-server 2.1.3 $ ./configure $ gmake And show the errors (not the dozens of lines saying "building foo", or the last dozen lines saying "error"), but the real informative errors about building dict.c, and what errors were encountered building dict.c. The only way I can see that error happening is if the source and/or build process is broken. Alan DeKok.
Hmm... would it be possible to have to give *more* output? i.e. start from a fresh directory: $ tar -zxf freeradius-server-2.1.3.tar.gz $ cd freeradius-server 2.1.3 $ ./configure $ gmake And show the errors (not the dozens of lines saying "building foo", or the last dozen lines saying "error"), but the real informative errors about building dict.c, and what errors were encountered building dict.c. The only way I can see that error happening is if the source and/or build process is broken. Alan DeKok.
From the beginning:
rm -rf freeradius-server-2.1.3 tar xvf freeradius-server-2.1.3.tar (it's already been unzipped with "gzip -d") cd freeradius-server-2.1.3 ./configure | grep configure ...........Lots of output including: configure: WARNING: pcap library not found, silently disabling the RADIUS sniffer. config.status: WARNING: ./Make.inc.in seems to ignore the --datarootdir setting config.status: WARNING: ./src/include/build-radpaths-h.in seems to ignore the --datarootdir setting configure: WARNING: silently not building rlm_counter. configure: WARNING: FAILURE: rlm_counter requires: libgdbm. configure: WARNING: EVP_sha256 not found, may have issues wirh WiMAX certificates configure: WARNING: the TNCS libraryconfigure: WARNING: silently not building rlm_ippool. configure: WARNING: FAILURE: rlm_ippool requires: libgdbm. isn't found! configure: WARNING: silently not building rlm_perl. configure: WARNING: FAILURE: rlm_perl requires: EXTERN.h perl.h libperl.so. configure: WARNING: silently not building rlm_eap_tnc. configure: WARNING: FAILURE: rlm_eap_tnc requires: -lTNCS. configure: WARNING: silently not building rlm_eap_ikev2. configure: WARNING: FAILURE: rlm_eap_ikev2 requires: libeap-ikev2 EAPIKEv2/connector.h. configure: WARNING: the comm_err library isn't found! configure: WARNING: silently not building rlm_krb5. configure: WARNING: FAILURE: rlm_krb5 requires: krb5.h.configure: WARNING: silently not building rlm_python. configure: WARNING: FAILURE: rlm_python requires: Python.h libpython2.3. configure: WARNING: silently not building rlm_sql_iodbc. configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h. configure: WARNING: oracle headers not found. Use --with-oracle-home-dir=<path>. configure: WARNING: silently not building rlm_sql_oracle. configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h. configure: WARNING: silently not building rlm_sql_unixodbc. configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h. Then: gmake Got the error about undefined symbol SUN_LEN Edited src/include/radiusd.h Gmake ...and it all compiles OK. Not sure what I did wrong the first time but many thanks for your help. Leighton
Is there any way to do what I want without upgrading?
You can try users file: DEFAULT Ldap-Group == staff some reply DEFAULT Ldap-Group == student some other reply DEFAULT Auth-Type := Reject That should be at the end of the users file (ie. anything below this will never match) and you need to fall through if there are other user file entries. These can't have Fall-Through. Ivan Kalik Kalik Informatika ISP
Now I'm trying to return different reply attributes depending on Active Directory group membership and restrict which groups can authenticate. Ldap lookups against the active directory root fail with operation error. Reconfiguring Active Directory is not a viable option so I have to specify an OU=xxxx in the query. I have configured two instances of the ldap module for authorisation, one to query the staff ou and the other to query the student ou. Both work OK for valid queries but if the user does not exist in the ou the server still authenticates the username/password and grants access if valid.
You need to upgrade to 2.x and use unlang. See man unlang on freeradius site. You need something like:
if Ldap-Group == staff { do something } elsif Ldap-Group == student { do something else} else update control { to reject }
I've upgraded to 2.1.3 but, sorry, I'm really struggling with the concepts. I can't do "if Ldap-Group" because there is no container in Active Directory above staff and student to query. What I think I need is: if ladp_staff returns "ok" { update reply{ .................. } elsif ladp_student returns "ok" { update reply{ .................. } else { Auth-Type := Reject } ,where ldap_staff and ldap_student are instances of the ldap module I simply can't get the syntax right. Am I on the right track? If so, a little help please. Regards, Leighton
Leighton Man wrote:
I've upgraded to 2.1.3 but, sorry, I'm really struggling with the concepts. I can't do "if Ldap-Group" because there is no container in Active Directory above staff and student to query.
What I think I need is:
if ladp_staff returns "ok" { update reply{ .................. } elsif ladp_student returns "ok" { update reply{ .................. } else { Auth-Type := Reject }
,where ldap_staff and ldap_student are instances of the ldap module I simply can't get the syntax right.
see "man unlang". The syntax and examples are documented. ... ldap_staff if (ok) { update reply { ... } } else { ldap_student if (ok) { update reply { ... } } else { reject } } Alan DeKok.
see "man unlang". The syntax and examples are documented.
Read it many times. The problem is not the documentation, which is great, but my understanding which isn't! I'm working on it but finding it heavy going.
... ldap_staff if (ok) { update reply { ... } } else { ldap_student if (ok) { update reply { ... } } else { reject } }
Logic now working correctly - Many thanks Final problem is to return reply attributes in the access accept message. As a test I added Reply-Message := "User is staff" in the update reply section and the server duly added it to the next access challenge message. I assume I need something in the post-auth section? How do I pass information about which ldap instance was successful in the authorize section to post-auth? Leighton
Leighton Man wrote:
Logic now working correctly - Many thanks Final problem is to return reply attributes in the access accept message. As a test I added Reply-Message := "User is staff" in the update reply section and the server duly added it to the next access challenge message. I assume I need something in the post-auth section?
Yes.
How do I pass information about which ldap instance was successful in the authorize section to post-auth?
Update a server-side attribute when you use the module: update control { Tmp-String-0 = "ldap-student" } then in post-auth: if (control:Tm-String-0 == "ldap-student") { ... }
Update a server-side attribute when you use the module:
update control { Tmp-String-0 = "ldap-student" }
then in post-auth:
if (control:Tm-String-0 == "ldap-student") { ...
}
I'm really grateful for all your help but it still doesn't work and after hours of experimenting, here's where I am: I add if (control:Tmp-String-0 == "ldap-student") { update reply { Reply-Message := "User is student" } } To the end of the post-auth section and radiusd -X reports: ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop ++? if (control:Tmp-String-0 == "ldap-student") (Attribute control:Tmp-String-0 was not found) Sending Access-Accept of id 53 to 10.127.240.217 port 1645 Fair enough - The user is authenticated but Tmp-String-0 hasn't been assigned a string. I add update control { Tmp-String-0 = "ldap-student" } To the beginning of the post-auth section and radiusd -X reports: ++[eap] returns ok +- entering group post-auth {...} ++[control] returns noop ++[exec] returns noop ++? if (control:Tmp-String-0 == "ldap-student") ? Evaluating (control:Tmp-String-0 == "ldap-student") -> TRUE ++? if (control:Tmp-String-0 == "ldap-student") -> TRUE ++- entering if (control:Tmp-String-0 == "ldap-student") {...} +++[reply] returns noop ++- if (control:Tmp-String-0 == "ldap-student") returns noop Sending Access-Accept of id 101 to 10.127.240.217 port 1645 OK so far, so I move update control { Tmp-String-0 = "ldap-student" } To the authorise section thus: ldap_staff if (ok) { update reply { Reply-Message = "ldap-staff" } } else { ldap_student if (ok) { update control { Tmp-String-0 = "ldap-student" } } else { reject } } And I get: ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop ++? if (control:Tmp-String-0 == "ldap-student") (Attribute control:Tmp-String-0 was not found) Sending Access-Accept of id 129 to 10.127.240.217 port 1645 Towards the beginning of the debug output is: rlm_ldap: Bind was successful rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig) [ldap_student] looking for check items in directory... [ldap_student] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap_student] user cmsxleig authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap_student] returns ok +++? if (ok) ? Evaluating (ok) -> TRUE +++? if (ok) -> TRUE +++- entering if (ok) {...} ++++[control] returns ok +++- if (ok) returns ok +++ ... skipping else for request 0: Preceding "if" was taken ++- else else returns ok ++[expiration] returns noop ++[logintime] returns noop Does "++++[control] returns ok" mean the string was successfully assigned? If so, how do I find where it gets lost? A search for ldap-s through the file only produces two matches, one where the string is assigned and the other where it is tested. Similarly a search for Tmp-Str only finds two matches. History | grep vi shows I haven't accidentally edited another file. Leighton
And I get:
++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop ++? if (control:Tmp-String-0 == "ldap-student") (Attribute control:Tmp-String-0 was not found) Sending Access-Accept of id 129 to 10.127.240.217 port 1645
Towards the beginning of the debug output is:
rlm_ldap: Bind was successful rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig) [ldap_student] looking for check items in directory... [ldap_student] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap_student] user cmsxleig authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap_student] returns ok +++? if (ok) ? Evaluating (ok) -> TRUE +++? if (ok) -> TRUE +++- entering if (ok) {...} ++++[control] returns ok +++- if (ok) returns ok +++ ... skipping else for request 0: Preceding "if" was taken ++- else else returns ok ++[expiration] returns noop ++[logintime] returns noop
Can you post the whole debug, not just snipetts. Are these from the same or from different requests in the exchange? Perhaps you need use_tunneled_reply rather than this. Ivan Kalik Kalik Informatika ISP
Can you post the whole debug, not just snipetts. Are these from the same or from different requests in the exchange? Perhaps you need use_tunneled_reply rather than this.
Here's the complete debug (excluding the server start-up messages). There's rather a lot of it which is why I tried to post the bits relevant to what I'm trying (rather unsuccessfully :-) ) to understand. Leighton rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=36, length=148 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x0203000d01636d73786c656967 Message-Authenticator = 0xbc90b1b0b5ceba80a6767ff94c59ed43 NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 3 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [ldap_staff] performing user authorization for cmsxleig [ldap_staff] expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=cmsxleig) [ldap_staff] expand: ou=staff, dc=ad, dc=hud, dc=ac, dc=uk -> ou=staff, dc=ad, dc=hud, dc=ac, dc=uk rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to burns.hud.ac.uk:389, authentication 0 rlm_ldap: bind as cn=username,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk/passwd to burns.hud.ac.uk:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=staff, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig) rlm_ldap: object not found or got ambiguous search result [ldap_staff] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap_staff] returns notfound ++? if (ok) ? Evaluating (ok) -> FALSE ++? if (ok) -> FALSE ++- entering else else {...} [ldap_student] performing user authorization for cmsxleig [ldap_student] expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=cmsxleig) [ldap_student] expand: ou=students, dc=ad, dc=hud, dc=ac, dc=uk -> ou=students, dc=ad, dc=hud, dc=ac, dc=uk rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to burns.hud.ac.uk:389, authentication 0 rlm_ldap: bind as cn=username,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk/passwd to burns.hud.ac.uk:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig) [ldap_student] looking for check items in directory... [ldap_student] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap_student] user cmsxleig authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap_student] returns ok +++? if (ok) ? Evaluating (ok) -> TRUE +++? if (ok) -> TRUE +++- entering if (ok) {...} ++++[control] returns ok +++- if (ok) returns ok +++ ... skipping else for request 0: Preceding "if" was taken ++- else else returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 36 to 10.127.240.217 port 1645 EAP-Message = 0x010400160410d7424da981434c0db858d196aa1331b4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de163455de567c927acd591e49a319b Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=37, length=159 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x020400060319 Message-Authenticator = 0x4dbcf0832938a2550152bfdcb815ec8c NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de163455de567c927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 4 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [ldap_staff] performing user authorization for cmsxleig [ldap_staff] expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=cmsxleig) [ldap_staff] expand: ou=staff, dc=ad, dc=hud, dc=ac, dc=uk -> ou=staff, dc=ad, dc=hud, dc=ac, dc=uk rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=staff, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig) rlm_ldap: object not found or got ambiguous search result [ldap_staff] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap_staff] returns notfound ++? if (ok) ? Evaluating (ok) -> FALSE ++? if (ok) -> FALSE ++- entering else else {...} [ldap_student] performing user authorization for cmsxleig [ldap_student] expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=cmsxleig) [ldap_student] expand: ou=students, dc=ad, dc=hud, dc=ac, dc=uk -> ou=students, dc=ad, dc=hud, dc=ac, dc=uk rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig) [ldap_student] looking for check items in directory... [ldap_student] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap_student] user cmsxleig authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap_student] returns ok +++? if (ok) ? Evaluating (ok) -> TRUE +++? if (ok) -> TRUE +++- entering if (ok) {...} ++++[control] returns ok +++- if (ok) returns ok +++ ... skipping else for request 1: Preceding "if" was taken ++- else else returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 37 to 10.127.240.217 port 1645 EAP-Message = 0x010500061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de163455ce47ac927acd591e49a319b Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=38, length=265 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x0205007019800000006616030100610100005d030149b7c1aeab2f6dbd3b06e21c6335a864e2b6c1c3aa77dea8567f202a7b06e0f3000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100 Message-Authenticator = 0x6db5036a3ae4bb0b29d1397a150437a8 NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de163455ce47ac927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 5 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 102 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0061], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 084e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 38 to 10.127.240.217 port 1645 EAP-Message = 0x0106040019c00000088b160301002a02000026030149b7c1ac6f4ea7d744b484ea8dccf4252ea401fae4499880c49c39adb8cfd33900002f00160301084e0b00084a0008470003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303330393131353330315a170d3130303330393131353330315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e0f486a32a63ea8c5f3be2dab6e7754cd4040e44619a48776d26127a632b2861ffb099f624a244a369c00d4a7a745f1508321fb0dde8001f47ffabb2baef EAP-Message = 0x4475eb993d9ca3fab222f7778ccce5dddb7f7c64c8dddb7a11a78531638cbfb59d489e2b201f77d4356a225c1dba8245c94f56a5081e79adea5d3624467c7135be351a4d011edc230aa13d0526e25f817ade783433d4b1dfc075dc514252532b27be4bedbc950c25829ce0606629a6a31dd6294304890f737d959542eeccb023666d43df003953b971d5bf1ebbcea37f4912761ea19f914bebad71acb985bce93ec2af6c366e87640db363d1e613cba97d236e5add9ff9eed22e5d4b6ee772edfc7d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010082e17a19587d75cd61 EAP-Message = 0xf93fd77c415b6e117856f4c728a4b787d05d8dfe3e21bd16753db864dd2e1f152688a0574c880fb6b38bb533de26f7267fd9b3477956e5c66d9c9a60f5516642321fde34863335c06b0b344c956a63911707606633a6bb20fcad4eb7b8180e324a32ef4e0f35343d82ad7d2f23848acfe1d9adddd61de8de51159533b5ebe52be9de278593d1cbfbb647a711dd3c930442aaf5a8ce71d31b7bf6162326dcb3be1c601c559d062a1b9e5a79938bd6282492e574a71da3766c8029614c21322945cf420ea1ac171c6769051fc9038e02283a72c7ca64e37ffc21528918a951fcd9a5b1959cfef34aa6fb5606bbfb82623872718bf280538d00049b308204 EAP-Message = 0x973082037fa0030201020201 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de163455fe77ac927acd591e49a319b Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=39, length=159 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x020600061900 Message-Authenticator = 0xb1a47b6e94e316447e41877f2a847ed6 NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de163455fe77ac927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 39 to 10.127.240.217 port 1645 EAP-Message = 0x010703fc194000300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303330393131353330305a170d3130303330393131353330305a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d6577 EAP-Message = 0x6865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b4760f3fe6fe399f5be030fd803543f5958cfd8ae679612b56700ac92f876a34b2aa7e1a1c665bf3f5852977d2fa28126ab3927360676ddeebebdbb7d229ad64b337146ead10468e405f2558d2b9d11e73cbe6a53ee9411775b5f0ea978bac53b78f8572f81aa54fe86bdef98e946e1cab364bd0631763 EAP-Message = 0xed10dba2e049d5f20a1423d1ef5010cc3da9e9b3a3f11c539b11e0c9a4e22cec5c1161598b385db5214dd21f8799c55906f9ef75ce77d9b58ca609664f13c3db7d6c94e168d7d45c54d86e2b8477806570d6302aeba2c2f0f3058f6047a0e24d9b77009e93467144011b475874ea9cc09365d2cb861eb3a7b9d237489746fe59f7076db06bf2e3e30b0203010001a381f33081f0301d0603551d0e04160414abd501507cc9d78a8278093949d47c0c35eb38393081c00603551d230481b83081b58014abd501507cc9d78a8278093949d47c0c35eb3839a18199a48196308193310b3009060355040613024652310f300d060355040813065261646975 EAP-Message = 0x733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d010104050003820101004ae49fb5afa9a0e756198402b0668357d21c879707a9426a0cd2d1d5b57e76d56f3bcb9b6195a5e3f5d20654371234d6a94f3c8ddb836aac3e73f6856b072fe19e3b29e1e3e6bacb5b04bfabbef33fa3033fdac3a6f992edc70efa0593bac9a26577 EAP-Message = 0x39df2f69b8aa23b1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de163455ee67ac927acd591e49a319b Finished request 3. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=40, length=159 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x020700061900 Message-Authenticator = 0x014fc3a1d0d55913f78f89a13d8776d1 NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de163455ee67ac927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 40 to 10.127.240.217 port 1645 EAP-Message = 0x010800a519004c501cf4cabac8631623dbda4db158d1ac52dad5e46001166444635b465ea4b801cc6a60eb9306b4f7e418a95a16b9c0f8dbe94d4673fe8cb5cd9565a3d51d03425ae8171fb37917ee224a648f84b9b0d3d4c6fb2d4bba7cbae284ca0ee09edf3ef60f454eb751316f7df0d3b877b5d9c3f16bab23828fd6935dadb8007d6ecf8a89741fa608c51873c1a1a2db818e3f8bee7d73fd5316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de1634559e97ac927acd591e49a319b Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=41, length=491 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x0208015019800000014616030101061000010201002c95a9c6250c5436c12a1a8a4cab44c1f93ed567306cbc33d37de3d4c13d89310ce71779710ab5229309ee9fb224653da882814609f40f33791749952104bcc025e0f1a0f24c40dfe0de8f8f13f9a3047f3837b6abb3707b294d35c5e5e750b45996a3a6c2e60e3331466cee191731cd9a2c9ae6e3636725fe5de936989cece0e793eacd65904bfb68dba0ed5efc10ed5754838c33fc42878890c81852bd1eefdab8653f0cdaf9a738d2e69fbbe9474f36eac05950ef331f6c4af69d0593125118fa284c8eb920a6768a58979078a159a81dae0ad8fda8b0ec6352b9a474dea41ec69dcc1540f858 EAP-Message = 0xcc65716966474d97f1d09f94e1e7c5dd97700e9a207431e614030100010116030100309f33527bc6c37cc1b398772be7b61bcbd1f7b84656772a339937480ec216eaaac58902a3079c17c5e168f535e65d8cf2 Message-Authenticator = 0x4022f3dcf9eb58a9ab62621ab615cd42 NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de1634559e97ac927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 8 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 41 to 10.127.240.217 port 1645 EAP-Message = 0x0109004119001403010001011603010030361b56b20c41691b4f426dff7f2ad4894816568ad01864f4f67f9cc47f9c6616af70c9c8a11649b30091e576a2da1cb7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de1634558e87ac927acd591e49a319b Finished request 5. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=42, length=159 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x020900061900 Message-Authenticator = 0x4808cbbee6269aa33148b8676dda8818 NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de1634558e87ac927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 9 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 42 to 10.127.240.217 port 1645 EAP-Message = 0x010a002b19001703010020a77557a3286e24cac6b15b0aeb79555638904414d9fbd5a819655603459d9a0f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de163455beb7ac927acd591e49a319b Finished request 6. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=43, length=196 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x020a002b19001703010020eea35b9513930a5db7b16a7b8feb65acbeac46a368b5de191dafbb3b6d2a25eb Message-Authenticator = 0xaa3b637009406a52001d206bc4b55204 NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de163455beb7ac927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 10 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - cmsxleig [peap] Got tunneled request EAP-Message = 0x020a000d01636d73786c656967 server { PEAP: Got tunneled identity of cmsxleig PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to cmsxleig Sending tunneled request EAP-Message = 0x020a000d01636d73786c656967 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "cmsxleig" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 10 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010b00221a010b001d10ffb9aa2a11578ce200343aaa418bfec9636d73786c656967 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x774ed13b7745cb6204cdbc439a2405d2 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010b00221a010b001d10ffb9aa2a11578ce200343aaa418bfec9636d73786c656967 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x774ed13b7745cb6204cdbc439a2405d2 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 43 to 10.127.240.217 port 1645 EAP-Message = 0x010b004b19001703010040f2043b3eda010e357d940971e35f409540d5919f5fb9ad76d18e77f4ff187dc5292d0bb7f34346fbe2775e56e24e6aa18c3fd39c685328b40cd51ad6b4e0f194 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de163455aea7ac927acd591e49a319b Finished request 7. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=44, length=260 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x020b006b190017030100600cc1c638a3d913ce9ae454e7877dae26ab957df3f61b1854e3bb157c0632368ef73804859b340b0163e2367e579279a01fae7d896c73e938132b2624c277e9695721e02704708a31dfafe99089bbeac3570e76f1e0013abaf54458c0ce5d0e55 Message-Authenticator = 0x222c9aae92494ff78b6adb03ccae5c44 NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de163455aea7ac927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 11 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020b00431a020b003e312e204239aed55c69cf85e06acc07e01e0000000000000000efe90dcf578043bbfc1188f4eb3f004b7dd9695559d1ee3900636d73786c656967 server { PEAP: Setting User-Name to cmsxleig Sending tunneled request EAP-Message = 0x020b00431a020b003e312e204239aed55c69cf85e06acc07e01e0000000000000000efe90dcf578043bbfc1188f4eb3f004b7dd9695559d1ee3900636d73786c656967 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "cmsxleig" State = 0x774ed13b7745cb6204cdbc439a2405d2 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 11 length 67 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for cmsxleig with NT-Password [mschap] expand: --username=%{mschap:User-Name} -> --username=cmsxleig [mschap] mschap2: ff [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cd174960e64892c4 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=efe90dcf578043bbfc1188f4eb3f004b7dd9695559d1ee39 Exec-Program output: NT_KEY: 35ADC25F14496E3A8B5B3EC7E1D9E2E9 Exec-Program-Wait: plaintext: NT_KEY: 35ADC25F14496E3A8B5B3EC7E1D9E2E9 Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010c00331a030b002e533d35424437413739444339353241463641324443353539423733343236453841433734364246343735 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x774ed13b7642cb6204cdbc439a2405d2 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010c00331a030b002e533d35424437413739444339353241463641324443353539423733343236453841433734364246343735 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x774ed13b7642cb6204cdbc439a2405d2 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 44 to 10.127.240.217 port 1645 EAP-Message = 0x010c005b190017030100501c537d1a5a82418315fd235711df9b767768e5b09642bc8f0e20915aa3f018d2b8f6171d8cc02dfde46b8fb44eecd88d9f420d88fb5399de0e217eda274321e48a733969f5d78f750197ad251d6c3ea9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de1634555ed7ac927acd591e49a319b Finished request 8. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=45, length=196 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x020c002b19001703010020eeea80c427ae52b88611ecdffbebc327c99f58f5ea94a7c63fcd140576f462d6 Message-Authenticator = 0x2720a841e60e010671b3f15ea60f83bc NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de1634555ed7ac927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 12 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020c00061a03 server { PEAP: Setting User-Name to cmsxleig Sending tunneled request EAP-Message = 0x020c00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "cmsxleig" State = 0x774ed13b7642cb6204cdbc439a2405d2 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 12 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x030c0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "cmsxleig" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x030c0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "cmsxleig" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 45 to 10.127.240.217 port 1645 EAP-Message = 0x010d002b190017030100201a408b6dd31ee818348d93b79251401690a60378f8dbf01292e53f3864354f92 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de1634554ec7ac927acd591e49a319b Finished request 9. Going to the next request Waking up in 4.2 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=46, length=196 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x020d002b19001703010020d343176158acf8e2a0e5b7e6603cd4b92b47f02bd41ff6b133e3f09978ac0a09 Message-Authenticator = 0x3eb31b44a57adfaa84fc8cad44729966 NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de1634554ec7ac927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 13 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop ++? if (control:Tmp-String-0 == "ldap-student") (Attribute control:Tmp-String-0 was not found) Sending Access-Accept of id 46 to 10.127.240.217 port 1645 MS-MPPE-Recv-Key = 0xe4a8a039b0329307e40bd293849cffd24a04d4e668d687e7adc4c9fa6340693b MS-MPPE-Send-Key = 0x788fca79956ede0a43ce8bda8458a97a28fcded1a7d55b74d104d727a46b1024 EAP-Message = 0x030d0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "cmsxleig" Finished request 10. Going to the next request Waking up in 4.2 seconds. Cleaning up request 0 ID 36 with timestamp +29 Cleaning up request 1 ID 37 with timestamp +29 Cleaning up request 2 ID 38 with timestamp +29 Cleaning up request 3 ID 39 with timestamp +29 Cleaning up request 4 ID 40 with timestamp +29 Waking up in 0.2 seconds. Cleaning up request 5 ID 41 with timestamp +29 Cleaning up request 6 ID 42 with timestamp +30 Cleaning up request 7 ID 43 with timestamp +30 Waking up in 0.1 seconds. Cleaning up request 8 ID 44 with timestamp +30 Cleaning up request 9 ID 45 with timestamp +30 Cleaning up request 10 ID 46 with timestamp +30 Ready to process requests.
Here's the complete debug (excluding the server start-up messages). There's rather a lot of it which is why I tried to post the bits relevant to what I'm trying (rather unsuccessfully :-) ) to understand.
rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=36, length=148 .. [ldap_staff] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap_staff] returns notfound ++? if (ok) ? Evaluating (ok) -> FALSE ++? if (ok) -> FALSE ++- entering else else {...} .. +++[ldap_student] returns ok +++? if (ok) ? Evaluating (ok) -> TRUE +++? if (ok) -> TRUE +++- entering if (ok) {...}
That is the unlang construction - in default virtual server.
++++[control] returns ok
I assume this is where you set temp attribute.
+++- if (ok) returns ok +++ ... skipping else for request 0: Preceding "if" was taken ++- else else returns ok
And then it goes on ...
Sending Access-Challenge of id 36 to 10.127.240.217 port 1645 .. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=37, length=159
etc. And many requests later you ask about it:
++? if (control:Tmp-String-0 == "ldap-student") (Attribute control:Tmp-String-0 was not found)
.. and it's not there. Of course it's not, since it wasn't set during processing of that Access-Request but much earlier in the exchange. I would suggest that you move unlang statements to inner-tunnel virtual server. You can do update reply and set Reply-Message in authorize there (forget about temp attribute and changeing it in post-auth). Just enable use_tunneled_reply in peap section of eap.conf and Reply-Message will be passed on from inner tunnel into the final reply. Ivan Kalik Kalik Informatika ISP
And many requests later you ask about it:
++? if (control:Tmp-String-0 == "ldap-student") (Attribute control:Tmp-String-0 was not found)
.. and it's not there. Of course it's not, since it wasn't set during processing of that Access-Request but much earlier in the exchange.
Obvious when it's pointed out but I really don't understand the whole process yet. I'll keep reading the docs until I do!
I would suggest that you move unlang statements to inner-tunnel virtual server. You can do update reply and set Reply-Message in authorize there (forget about temp attribute and changeing it in post-auth). Just enable use_tunneled_reply in peap section of eap.conf and Reply-Message will be passed on from inner tunnel into the final reply.
All working now. Thank you. Leighton
participants (4)
-
Alan DeKok -
Leighton Man -
Nicolas Goutte -
tnt@kalik.net