FreeRadius 3.0.13 - Using SSID to check AD groups
Hi, I am currently trying to set up a single FreeRadius 3.0.13 server to handle diffenrents SSID on a network. Users should be allowed to use certain SSID IF they are in certain AD Group. We (my collegue and myself) have been to work things out, BUT we would like to optimise. Here is what has been done: In the DEFAULT site: Authenticate --> With the MSCHAP via NTLM_Auth Authorize ---> we have configured the LDAP module to be able to query the AD We could see that is was working, in the "radiusd -X" output. Then we implemented this, under.... But the first "if" does not work, although it should be ENOUGH and really enought dynamic.... if the SSID and AD Group are created the right way. We encountered the following problem: UNABLE to use "%{Called-Station-SSID}" (nor %Called-Station-SSID) But %{User-Name} works great. - rewrite_called_station_id --> has been called in "authorized" that should "instantiate" the Called-Station-SSID post-auth { if (LDAP-Group == "grp-ssid-%{Called-Station-SSID}") { update reply { Reply-Message = "Hello %{User-Name}: accès permis sur %{Called-Station-SSID} a" } ok return } if (LDAP-Group == "grp-ssid-GRP-Radius" && Called-Station-SSID == "GRP-Radius") { update reply { Reply-Message = "Hello %{User-Name}: accès permis sur %{Called-Station-SSID} b" } ok return } if (LDAP-Group == "grp-ssid-GRP-Radius2" && Called-Station-SSID == "GRP-Radius2") { update reply { Reply-Message = "Hello %{User-Name}: accès permis sur %{Called-Station-SSID} " } ok return } else { update reply { Reply-Message = "Hello %{User-Name}: Vous n'avez pas accès" } reject } #### - Is there any ways to use that "CALLED-STATION-SSID"? anywhere.... or, where is it "usable". - Is that kind of "mechanisme" the good way to go ? - Is there a way to initialise a "global" variable, so that we can use it "anywhere" ? (UNLANG) Thanks in advance Pierre de Jong -.-.-.-.-.-.-.-.-.-.-
On 04/04/2017 09:30, Pierre de Jong wrote:
We could see that is was working, in the "radiusd -X" output. So please show us the radiusd -X output from an exchange where the problem occurs.
We encountered the following problem:
UNABLE to use "%{Called-Station-SSID}" (nor %Called-Station-SSID) What do you mean by "unable to use"?
What's important is what attributes are in the incoming request, and which attribute identifies the SSID the user is connecting to. This is different depending on what AP you are using.
- rewrite_called_station_id --> has been called in "authorized" that should "instantiate" the Called-Station-SSID
Only if your AP generates a Called-Station-ID attribute in the format expected by that policy function. Does it? The freeradius -X output would show this.
post-auth { if (LDAP-Group ="grp-ssid-%{Called-Station-SSID}") { update reply { Reply-Message =Hello %{User-Name}: accès permis sur %{Called-Station-SSID} a" }
freeradius -X output would show what's happening. Note that the "=" operator is probably not what you want. And that the LDAP-Group attribute is multi-valued so you want [*] to check for all values, not just the first. And also, dependent on how you've configured your LDAP lookup, the LDAP-Group attribtue is a "magic" attribute which may return empty string unless you explicitly use the "&" prefix. So I'd suggest writing it like this: if (&LDAP-Group[*] == "grp-ssid-%{Called-Station-SSID}") { ... } HTH, Brian.
UNABLE to use "%{Called-Station-SSID}" (nor %Called-Station-SSID)
What do you mean by "unable to use"? I mean that when i try to "show" the %{Called-Station-SSID} ..... like, in a message, we do a" ## %{user} - %{Called-Station-SSID} ## --> it returns: ## username - ## That is what I mean. I will send and radiusd -X output soon... But YES, in the radiusd -X, I can see that Called-Station-SSID is set to a "RIGHT" value.... but we do not seem to be able to use it "anywhere". Pierre de Jong -.-.-.-.-.-.-.-.-.-.- 2017-04-04 11:24 GMT+02:00 Brian Candler <b.candler@pobox.com>:
On 04/04/2017 09:30, Pierre de Jong wrote:
We could see that is was working, in the "radiusd -X" output.
So please show us the radiusd -X output from an exchange where the problem occurs.
We encountered the following problem:
UNABLE to use "%{Called-Station-SSID}" (nor %Called-Station-SSID)
What do you mean by "unable to use"?
What's important is what attributes are in the incoming request, and which attribute identifies the SSID the user is connecting to. This is different depending on what AP you are using.
- rewrite_called_station_id --> has been called in "authorized" that should "instantiate" the Called-Station-SSID
Only if your AP generates a Called-Station-ID attribute in the format expected by that policy function. Does it? The freeradius -X output would show this.
post-auth { if (LDAP-Group ="grp-ssid-%{Called-Station-SSID}") { update reply { Reply-Message =Hello %{User-Name}: accès permis sur %{Called-Station-SSID} a" }
freeradius -X output would show what's happening. Note that the "=" operator is probably not what you want. And that the LDAP-Group attribute is multi-valued so you want [*] to check for all values, not just the first. And also, dependent on how you've configured your LDAP lookup, the LDAP-Group attribtue is a "magic" attribute which may return empty string unless you explicitly use the "&" prefix.
So I'd suggest writing it like this:
if (&LDAP-Group[*] == "grp-ssid-%{Called-Station-SSID}") { ... }
HTH,
Brian.
On 04/04/2017 12:47, Pierre de Jong wrote:
But YES, in the radiusd -X, I can see that Called-Station-SSID is set to a "RIGHT" value.... but we do not seem to be able to use it "anywhere".
In the invocation of rewrite_called_station_id, you should be able to see if it's being set when this is executed: # SSID component? if ("%{8}") { update request { &Called-Station-SSID := "%{8}" } }
On Apr 4, 2017, at 7:47 AM, Pierre de Jong <pierredejong@gmail.com> wrote:
UNABLE to use "%{Called-Station-SSID}" (nor %Called-Station-SSID)
What do you mean by "unable to use"?
I mean that when i try to "show" the %{Called-Station-SSID} ..... like, in a message, we do a" ## %{user} - %{Called-Station-SSID} ## --> it returns: ## username - ##
That is what I mean.
Then at the Called-Station-Id isn't available at that point.
I will send and radiusd -X output soon...
But YES, in the radiusd -X, I can see that Called-Station-SSID is set to a "RIGHT" value.... but we do not seem to be able to use it "anywhere".
I doubt that very much. Put that check at the start of the "authorize" section, in the default virtual server. You *will* see it. My guess is that you're trying to expand it in the "inner-tunnel" virtual server, where it's not available. There are solutions for that. Again, as always... a *careful* reading of the debug output will show this. The server tells you what attributes are received, and what attributes are sent to the inner-tunnel virtual server. Alan DeKok.
As promised, I send you an radiusd -X output. complete. I see that straight at the beginning, policy rewrite_called_station_id is done. --> EXPAND %{Called-Station-SSID} (0) --> TSSID1 even with that, as I said, I cannot use that "%{Called-Station-SSID} anywhere else than in "post-auth"... Is that normal? Do you see "horror" in those logs ? :-D Thanks for reading, and thanks for your return. (0) Received Access-Request Id 194 from 192.168.30.206:42291 to 192.168.30.66:1812 length 151 (0) User-Name = "u2" (0) NAS-Identifier = "44d9e7023ad1" (0) NAS-Port = 0 (0) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (0) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) EAP-Message = 0x02e20007017532 (0) Message-Authenticator = 0x6df4581814e8c5685f1821d6d50c6180 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) policy rewrite_called_station_id { (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (0) update request { (0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (0) --> 46-D9-E7-03-3A-D1 (0) &Called-Station-Id := 46-D9-E7-03-3A-D1 (0) } # update request = noop (0) if ("%{8}") { (0) EXPAND %{8} (0) --> TSSID1 (0) if ("%{8}") -> TRUE (0) if ("%{8}") { (0) update request { (0) EXPAND %{8} (0) --> TSSID1 (0) &Called-Station-SSID := TSSID1 (0) EXPAND %{Called-Station-SSID} (0) --> TSSID1 (0) &My-Called-Station-SSID := TSSID1 (0) } # update request = noop (0) } # if ("%{8}") = noop (0) [updated] = updated (0) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (0) ... skipping else: Preceding "if" was taken (0) } # policy rewrite_called_station_id = updated (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "u2", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 226 length 7 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: Flushing SSL sessions (of #0) (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 227 length 6 (0) eap: EAP session adding &reply:State = 0x26e3acd92600b50e (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 194 from 192.168.30.66:1812 to 192.168.30.206:42291 length 0 (0) EAP-Message = 0x01e300061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x26e3acd92600b50e9de8616e7140b5da (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 195 from 192.168.30.206:42291 to 192.168.30.66:1812 length 330 (1) User-Name = "u2" (1) NAS-Identifier = "44d9e7023ad1" (1) NAS-Port = 0 (1) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (1) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) EAP-Message = 0x02e300a819800000009e1603010099010000950303b275ec6ca03d6c07079f0f5fd77bc702c544c56e69b4c7a9e3d595de38d5cd6200003cc02cc030009fc02bc02f009ec00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a00ff010000 (1) State = 0x26e3acd92600b50e9de8616e7140b5da (1) Message-Authenticator = 0xf99f35009091fa6c60abe4f208c2805d (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) policy rewrite_called_station_id { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (1) --> 46-D9-E7-03-3A-D1 (1) &Called-Station-Id := 46-D9-E7-03-3A-D1 (1) } # update request = noop (1) if ("%{8}") { (1) EXPAND %{8} (1) --> TSSID1 (1) if ("%{8}") -> TRUE (1) if ("%{8}") { (1) update request { (1) EXPAND %{8} (1) --> TSSID1 (1) &Called-Station-SSID := TSSID1 (1) EXPAND %{Called-Station-SSID} (1) --> TSSID1 (1) &My-Called-Station-SSID := TSSID1 (1) } # update request = noop (1) } # if ("%{8}") = noop (1) [updated] = updated (1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_called_station_id = updated (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "u2", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 227 length 168 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x26e3acd92600b50e (1) eap: Finished EAP session with state 0x26e3acd92600b50e (1) eap: Previous EAP request found for state 0x26e3acd92600b50e, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 158 bytes (1) eap_peap: Got complete TLS record (158 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before/accept initialization (1) eap_peap: TLS_accept: before/accept initialization (1) eap_peap: <<< recv TLS 1.2 [length 0099] (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.2 [length 0059] (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.2 [length 08d3] (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.2 [length 014d] (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.2 [length 0004] (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: In SSL Handshake Phase (1) eap_peap: In SSL Accept mode (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 228 length 1004 (1) eap: EAP session adding &reply:State = 0x26e3acd92707b50e (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 195 from 192.168.30.66:1812 to 192.168.30.206:42291 length 0 (1) EAP-Message = 0x01e403ec19c000000a911603030059020000550303a1388d44dabe97aee61c3b20a7ab8fc1aec4ad52dee38fe3c7b26167a0dbc1bc201e612a6685965633b12ff0d4fcb41a265c0e72dbded7812586c0e3347a5b896cc03000000dff01000100000b00040300010216030308d30b0008cf0008cc0003de (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x26e3acd92707b50e9de8616e7140b5da (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 196 from 192.168.30.206:42291 to 192.168.30.66:1812 length 168 (2) User-Name = "u2" (2) NAS-Identifier = "44d9e7023ad1" (2) NAS-Port = 0 (2) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (2) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) EAP-Message = 0x02e400061900 (2) State = 0x26e3acd92707b50e9de8616e7140b5da (2) Message-Authenticator = 0x8a1d94e2d52ec81230dc52382337ebde (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) policy rewrite_called_station_id { (2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (2) update request { (2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (2) --> 46-D9-E7-03-3A-D1 (2) &Called-Station-Id := 46-D9-E7-03-3A-D1 (2) } # update request = noop (2) if ("%{8}") { (2) EXPAND %{8} (2) --> TSSID1 (2) if ("%{8}") -> TRUE (2) if ("%{8}") { (2) update request { (2) EXPAND %{8} (2) --> TSSID1 (2) &Called-Station-SSID := TSSID1 (2) EXPAND %{Called-Station-SSID} (2) --> TSSID1 (2) &My-Called-Station-SSID := TSSID1 (2) } # update request = noop (2) } # if ("%{8}") = noop (2) [updated] = updated (2) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (2) ... skipping else: Preceding "if" was taken (2) } # policy rewrite_called_station_id = updated (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "u2", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 228 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x26e3acd92707b50e (2) eap: Finished EAP session with state 0x26e3acd92707b50e (2) eap: Previous EAP request found for state 0x26e3acd92707b50e, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer ACKed our handshake fragment (2) eap_peap: [eaptls verify] = request (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 229 length 1000 (2) eap: EAP session adding &reply:State = 0x26e3acd92406b50e (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 196 from 192.168.30.66:1812 to 192.168.30.206:42291 length 0 (2) EAP-Message = 0x01e503e81940ca12fabb7964d6cb47ff4dbc736cca7b619482c69523520dbb422565f5fe26b0a27fa749595187b23ae6cdf379898cc96d5538f5a0203165548e1402a0716da7e63fe3d1a6f4f4d80e6dadca36b1d34815cb792b0d55ff2aa0a05d77b2ecefd55cbb7d356e7fb6ce430004e8308204e430 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x26e3acd92406b50e9de8616e7140b5da (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 197 from 192.168.30.206:42291 to 192.168.30.66:1812 length 168 (3) User-Name = "u2" (3) NAS-Identifier = "44d9e7023ad1" (3) NAS-Port = 0 (3) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (3) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) EAP-Message = 0x02e500061900 (3) State = 0x26e3acd92406b50e9de8616e7140b5da (3) Message-Authenticator = 0x69984560004ba33d4af83118efaf52e9 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) policy rewrite_called_station_id { (3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (3) update request { (3) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (3) --> 46-D9-E7-03-3A-D1 (3) &Called-Station-Id := 46-D9-E7-03-3A-D1 (3) } # update request = noop (3) if ("%{8}") { (3) EXPAND %{8} (3) --> TSSID1 (3) if ("%{8}") -> TRUE (3) if ("%{8}") { (3) update request { (3) EXPAND %{8} (3) --> TSSID1 (3) &Called-Station-SSID := TSSID1 (3) EXPAND %{Called-Station-SSID} (3) --> TSSID1 (3) &My-Called-Station-SSID := TSSID1 (3) } # update request = noop (3) } # if ("%{8}") = noop (3) [updated] = updated (3) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (3) ... skipping else: Preceding "if" was taken (3) } # policy rewrite_called_station_id = updated (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "u2", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 229 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x26e3acd92406b50e (3) eap: Finished EAP session with state 0x26e3acd92406b50e (3) eap: Previous EAP request found for state 0x26e3acd92406b50e, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 230 length 723 (3) eap: EAP session adding &reply:State = 0x26e3acd92505b50e (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) Sent Access-Challenge Id 197 from 192.168.30.66:1812 to 192.168.30.206:42291 length 0 (3) EAP-Message = 0x01e602d3190020417574686f72697479820900f93d1298efaa0149300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x26e3acd92505b50e9de8616e7140b5da (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 198 from 192.168.30.206:42291 to 192.168.30.66:1812 length 298 (4) User-Name = "u2" (4) NAS-Identifier = "44d9e7023ad1" (4) NAS-Port = 0 (4) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (4) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) EAP-Message = 0x02e6008819800000007e1603030046100000424104041b7c41a3bd64a8a8a136b69913d4abc758ff6523448fa1ee5da8cba6d7fb812d9d38c80e1f33e0bb86f396168fdf04b86ad694122d1860aa66672d05e3acc61403030001011603030028000000000000000030d814976854b1841781e86747494b (4) State = 0x26e3acd92505b50e9de8616e7140b5da (4) Message-Authenticator = 0x71361b97fa00595f1c1e7e1b49674c86 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) policy rewrite_called_station_id { (4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (4) update request { (4) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (4) --> 46-D9-E7-03-3A-D1 (4) &Called-Station-Id := 46-D9-E7-03-3A-D1 (4) } # update request = noop (4) if ("%{8}") { (4) EXPAND %{8} (4) --> TSSID1 (4) if ("%{8}") -> TRUE (4) if ("%{8}") { (4) update request { (4) EXPAND %{8} (4) --> TSSID1 (4) &Called-Station-SSID := TSSID1 (4) EXPAND %{Called-Station-SSID} (4) --> TSSID1 (4) &My-Called-Station-SSID := TSSID1 (4) } # update request = noop (4) } # if ("%{8}") = noop (4) [updated] = updated (4) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (4) ... skipping else: Preceding "if" was taken (4) } # policy rewrite_called_station_id = updated (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "u2", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 230 length 136 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x26e3acd92505b50e (4) eap: Finished EAP session with state 0x26e3acd92505b50e (4) eap: Previous EAP request found for state 0x26e3acd92505b50e, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 126 bytes (4) eap_peap: Got complete TLS record (126 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: <<< recv TLS 1.2 [length 0046] (4) eap_peap: TLS_accept: unknown state (4) eap_peap: TLS_accept: unknown state (4) eap_peap: <<< recv TLS 1.2 [length 0001] (4) eap_peap: <<< recv TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: unknown state (4) eap_peap: >>> send TLS 1.2 [length 0001] (4) eap_peap: TLS_accept: unknown state (4) eap_peap: >>> send TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: unknown state (4) eap_peap: TLS_accept: unknown state (4) eap_peap: (other): SSL negotiation finished successfully (4) eap_peap: SSL Connection Established (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 231 length 57 (4) eap: EAP session adding &reply:State = 0x26e3acd92204b50e (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) Sent Access-Challenge Id 198 from 192.168.30.66:1812 to 192.168.30.206:42291 length 0 (4) EAP-Message = 0x01e7003919001403030001011603030028afdc310d6ec3ecf82929a0132b49427d16fa26597f15966113b9002b91d656814059fce9e456ede0 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x26e3acd92204b50e9de8616e7140b5da (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 199 from 192.168.30.206:42291 to 192.168.30.66:1812 length 168 (5) User-Name = "u2" (5) NAS-Identifier = "44d9e7023ad1" (5) NAS-Port = 0 (5) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (5) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) EAP-Message = 0x02e700061900 (5) State = 0x26e3acd92204b50e9de8616e7140b5da (5) Message-Authenticator = 0x4f8ea83811fddc3ef626018a5a3028fd (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) policy rewrite_called_station_id { (5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (5) update request { (5) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (5) --> 46-D9-E7-03-3A-D1 (5) &Called-Station-Id := 46-D9-E7-03-3A-D1 (5) } # update request = noop (5) if ("%{8}") { (5) EXPAND %{8} (5) --> TSSID1 (5) if ("%{8}") -> TRUE (5) if ("%{8}") { (5) update request { (5) EXPAND %{8} (5) --> TSSID1 (5) &Called-Station-SSID := TSSID1 (5) EXPAND %{Called-Station-SSID} (5) --> TSSID1 (5) &My-Called-Station-SSID := TSSID1 (5) } # update request = noop (5) } # if ("%{8}") = noop (5) [updated] = updated (5) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (5) ... skipping else: Preceding "if" was taken (5) } # policy rewrite_called_station_id = updated (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "u2", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 231 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x26e3acd92204b50e (5) eap: Finished EAP session with state 0x26e3acd92204b50e (5) eap: Previous EAP request found for state 0x26e3acd92204b50e, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer ACKed our handshake fragment. handshake is finished (5) eap_peap: [eaptls verify] = success (5) eap_peap: [eaptls process] = success (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state TUNNEL ESTABLISHED (5) eap: Sending EAP Request (code 1) ID 232 length 40 (5) eap: EAP session adding &reply:State = 0x26e3acd9230bb50e (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) Sent Access-Challenge Id 199 from 192.168.30.66:1812 to 192.168.30.206:42291 length 0 (5) EAP-Message = 0x01e800281900170303001dafdc310d6ec3ecf911d9a53ca339359c7b7e5d1d31e2740ac7b3cc1fc8 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x26e3acd9230bb50e9de8616e7140b5da (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 200 from 192.168.30.206:42291 to 192.168.30.66:1812 length 200 (6) User-Name = "u2" (6) NAS-Identifier = "44d9e7023ad1" (6) NAS-Port = 0 (6) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (6) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Connect-Info = "CONNECT 0Mbps 802.11b" (6) EAP-Message = 0x02e800261900170303001b0000000000000001a7d595fb1c1358287b3a2de65b1505c2800a8c (6) State = 0x26e3acd9230bb50e9de8616e7140b5da (6) Message-Authenticator = 0xfd38b6b4bced113086272427b1e47ec5 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) policy rewrite_called_station_id { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6) update request { (6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (6) --> 46-D9-E7-03-3A-D1 (6) &Called-Station-Id := 46-D9-E7-03-3A-D1 (6) } # update request = noop (6) if ("%{8}") { (6) EXPAND %{8} (6) --> TSSID1 (6) if ("%{8}") -> TRUE (6) if ("%{8}") { (6) update request { (6) EXPAND %{8} (6) --> TSSID1 (6) &Called-Station-SSID := TSSID1 (6) EXPAND %{Called-Station-SSID} (6) --> TSSID1 (6) &My-Called-Station-SSID := TSSID1 (6) } # update request = noop (6) } # if ("%{8}") = noop (6) [updated] = updated (6) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (6) ... skipping else: Preceding "if" was taken (6) } # policy rewrite_called_station_id = updated (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "u2", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 232 length 38 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x26e3acd9230bb50e (6) eap: Finished EAP session with state 0x26e3acd9230bb50e (6) eap: Previous EAP request found for state 0x26e3acd9230bb50e, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY (6) eap_peap: Identity - u2 (6) eap_peap: Got inner identity 'u2' (6) eap_peap: Setting default EAP type for tunneled EAP session (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x02e80007017532 (6) eap_peap: Setting User-Name to u2 (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x02e80007017532 (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "u2" (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x02e80007017532 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "u2" (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "u2", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 232 length 7 (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Peer sent packet with method EAP Identity (1) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: Issuing Challenge (6) eap: Sending EAP Request (code 1) ID 233 length 43 (6) eap: EAP session adding &reply:State = 0xe964d6a3e98dccf7 (6) [eap] = handled (6) } # authenticate = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) EAP-Message = 0x01e9002b1a01e9002610da269c8e35bd6e35d1e82df925280719667265657261646975732d332e302e3133 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xe964d6a3e98dccf7d9a7bb91d2128446 (6) eap_peap: Got tunneled reply code 11 (6) eap_peap: EAP-Message = 0x01e9002b1a01e9002610da269c8e35bd6e35d1e82df925280719667265657261646975732d332e302e3133 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0xe964d6a3e98dccf7d9a7bb91d2128446 (6) eap_peap: Got tunneled reply RADIUS code 11 (6) eap_peap: EAP-Message = 0x01e9002b1a01e9002610da269c8e35bd6e35d1e82df925280719667265657261646975732d332e302e3133 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0xe964d6a3e98dccf7d9a7bb91d2128446 (6) eap_peap: Got tunneled Access-Challenge (6) eap: Sending EAP Request (code 1) ID 233 length 74 (6) eap: EAP session adding &reply:State = 0x26e3acd9200ab50e (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) Sent Access-Challenge Id 200 from 192.168.30.66:1812 to 192.168.30.206:42291 length 0 (6) EAP-Message = 0x01e9004a1900170303003fafdc310d6ec3ecfa6ad7b9bd7b5b3d632836005d9b48d843c30661e85ac54e7f84b5c8cd2cc6e05b9a0707af2f27b0a300ddb2b161bcf37c279ed789d753df (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x26e3acd9200ab50e9de8616e7140b5da (6) Finished request Waking up in 4.9 seconds. (7) Received Access-Request Id 201 from 192.168.30.206:42291 to 192.168.30.66:1812 length 254 (7) User-Name = "u2" (7) NAS-Identifier = "44d9e7023ad1" (7) NAS-Port = 0 (7) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (7) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) EAP-Message = 0x02e9005c1900170303005100000000000000029d8c08242bcc95810a5b03538963ca587b615f552ddeec106afa23ac3a8d27adb88db9eeb117c104ece273d2b6fc96fdb2389f69a80ee3f417d1d98781ad9b31d22375b85325728ba4 (7) State = 0x26e3acd9200ab50e9de8616e7140b5da (7) Message-Authenticator = 0xb5acd68497179836600f3c0e5e91bffa (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) policy rewrite_called_station_id { (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (7) update request { (7) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (7) --> 46-D9-E7-03-3A-D1 (7) &Called-Station-Id := 46-D9-E7-03-3A-D1 (7) } # update request = noop (7) if ("%{8}") { (7) EXPAND %{8} (7) --> TSSID1 (7) if ("%{8}") -> TRUE (7) if ("%{8}") { (7) update request { (7) EXPAND %{8} (7) --> TSSID1 (7) &Called-Station-SSID := TSSID1 (7) EXPAND %{Called-Station-SSID} (7) --> TSSID1 (7) &My-Called-Station-SSID := TSSID1 (7) } # update request = noop (7) } # if ("%{8}") = noop (7) [updated] = updated (7) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (7) ... skipping else: Preceding "if" was taken (7) } # policy rewrite_called_station_id = updated (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "u2", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 233 length 92 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0xe964d6a3e98dccf7 (7) eap: Finished EAP session with state 0x26e3acd9200ab50e (7) eap: Previous EAP request found for state 0x26e3acd9200ab50e, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP method MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x02e9003d1a02e90038314f450d7d3778496ac408ec5ae22c5cf800000000000000007e8efaecb1519f66b99fda6c16258fac43cd7d2ab37ae22b007532 (7) eap_peap: Setting User-Name to u2 (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x02e9003d1a02e90038314f450d7d3778496ac408ec5ae22c5cf800000000000000007e8efaecb1519f66b99fda6c16258fac43cd7d2ab37ae22b007532 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "u2" (7) eap_peap: State = 0xe964d6a3e98dccf7d9a7bb91d2128446 (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x02e9003d1a02e90038314f450d7d3778496ac408ec5ae22c5cf800000000000000007e8efaecb1519f66b99fda6c16258fac43cd7d2ab37ae22b007532 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "u2" (7) State = 0xe964d6a3e98dccf7d9a7bb91d2128446 (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "u2", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 233 length 61 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop rlm_ldap (ldap): Reserved connection (0) (7) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (7) ldap: --> (samaccountname=u2) (7) ldap: Performing search in "dc=mt,dc=priv" with filter "(samaccountname=u2)", scope "sub" (7) ldap: Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.mt.priv/DC=ForestDnsZones,DC=mt,DC=priv rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.mt.priv/DC=DomainDnsZones,DC=mt,DC=priv rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://mt.priv/CN=Configuration,DC=mt,DC=priv rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (7) ldap: User object found at DN "CN=User2 last,OU=MT-Users,OU=MT-Objects,DC=mt,DC=priv" (7) ldap: Processing user attributes (7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Deleting connection (0) Need 6 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 28 pending slots used rlm_ldap (ldap): Connecting to ldap://192.168.30.64:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (7) [ldap] = ok (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0xe964d6a3e98dccf7 (7) eap: Finished EAP session with state 0xe964d6a3e98dccf7 (7) eap: Previous EAP request found for state 0xe964d6a3e98dccf7, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) eap_mschapv2: authenticate { (7) mschap: Creating challenge hash with username: u2 (7) mschap: Client is using MS-CHAPv2 (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-mt.priv} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (7) mschap: --> --username=u2 (7) mschap: ERROR: No NT-Domain was found in the User-Name (7) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-mt.priv} (7) mschap: --> --domain=mt.priv (7) mschap: Creating challenge hash with username: u2 (7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (7) mschap: --> --challenge=fec47cb1e1e89ea6 (7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (7) mschap: --> --nt-response=7e8efaecb1519f66b99fda6c16258fac43cd7d2ab37ae22b (7) mschap: Program returned code (0) and output 'NT_KEY: 9B2636A6B6FEB8B39BA0972EB1B4126F' (7) mschap: Adding MS-CHAPv2 MPPE keys (7) [mschap] = ok (7) } # authenticate = ok (7) MSCHAP Success (7) eap: Sending EAP Request (code 1) ID 234 length 51 (7) eap: EAP session adding &reply:State = 0xe964d6a3e88eccf7 (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) EAP-Message = 0x01ea00331a03e9002e533d32324130423439373042463632383037453537374235344635323145393844463546344141383736 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xe964d6a3e88eccf7d9a7bb91d2128446 (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: EAP-Message = 0x01ea00331a03e9002e533d32324130423439373042463632383037453537374235344635323145393844463546344141383736 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xe964d6a3e88eccf7d9a7bb91d2128446 (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: EAP-Message = 0x01ea00331a03e9002e533d32324130423439373042463632383037453537374235344635323145393844463546344141383736 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xe964d6a3e88eccf7d9a7bb91d2128446 (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 234 length 82 (7) eap: EAP session adding &reply:State = 0x26e3acd92109b50e (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) Sent Access-Challenge Id 201 from 192.168.30.66:1812 to 192.168.30.206:42291 length 0 (7) EAP-Message = 0x01ea005219001703030047afdc310d6ec3ecfb9e6c30da4240048c4f730e520ea1adb199993e22a9af5b7974473effa782835f7aa711cfada821e84f3a1cabf0393f522379e3e9223b7418611722b9db7623 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x26e3acd92109b50e9de8616e7140b5da (7) Finished request Waking up in 4.8 seconds. (8) Received Access-Request Id 202 from 192.168.30.206:42291 to 192.168.30.66:1812 length 199 (8) User-Name = "u2" (8) NAS-Identifier = "44d9e7023ad1" (8) NAS-Port = 0 (8) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (8) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (8) Framed-MTU = 1400 (8) NAS-Port-Type = Wireless-802.11 (8) Connect-Info = "CONNECT 0Mbps 802.11b" (8) EAP-Message = 0x02ea00251900170303001a0000000000000003d92e7f5e0e434d437cc57a596fcb7e4d3177 (8) State = 0x26e3acd92109b50e9de8616e7140b5da (8) Message-Authenticator = 0x87b4b40497cd83d6c2bc7ff399ebbc67 (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) policy rewrite_called_station_id { (8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (8) update request { (8) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (8) --> 46-D9-E7-03-3A-D1 (8) &Called-Station-Id := 46-D9-E7-03-3A-D1 (8) } # update request = noop (8) if ("%{8}") { (8) EXPAND %{8} (8) --> TSSID1 (8) if ("%{8}") -> TRUE (8) if ("%{8}") { (8) update request { (8) EXPAND %{8} (8) --> TSSID1 (8) &Called-Station-SSID := TSSID1 (8) EXPAND %{Called-Station-SSID} (8) --> TSSID1 (8) &My-Called-Station-SSID := TSSID1 (8) } # update request = noop (8) } # if ("%{8}") = noop (8) [updated] = updated (8) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (8) ... skipping else: Preceding "if" was taken (8) } # policy rewrite_called_station_id = updated (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "u2", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 234 length 37 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0xe964d6a3e88eccf7 (8) eap: Finished EAP session with state 0x26e3acd92109b50e (8) eap: Previous EAP request found for state 0x26e3acd92109b50e, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x02ea00061a03 (8) eap_peap: Setting User-Name to u2 (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x02ea00061a03 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "u2" (8) eap_peap: State = 0xe964d6a3e88eccf7d9a7bb91d2128446 (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x02ea00061a03 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "u2" (8) State = 0xe964d6a3e88eccf7d9a7bb91d2128446 (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "u2", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 234 length 6 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop rlm_ldap (ldap): Reserved connection (1) (8) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (samaccountname=u2) (8) ldap: Performing search in "dc=mt,dc=priv" with filter "(samaccountname=u2)", scope "sub" (8) ldap: Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.mt.priv/DC=ForestDnsZones,DC=mt,DC=priv rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.mt.priv/DC=DomainDnsZones,DC=mt,DC=priv rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://mt.priv/CN=Configuration,DC=mt,DC=priv rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (8) ldap: User object found at DN "CN=User2 last,OU=MT-Users,OU=MT-Objects,DC=mt,DC=priv" (8) ldap: Processing user attributes (8) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Deleting connection (1) (8) [ldap] = ok (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0xe964d6a3e88eccf7 (8) eap: Finished EAP session with state 0xe964d6a3e88eccf7 (8) eap: Previous EAP request found for state 0xe964d6a3e88eccf7, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap: Sending EAP Success (code 3) ID 234 length 4 (8) eap: Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel (8) post-auth { (8) if (0) { (8) if (0) -> FALSE (8) } # post-auth = noop (8) EXPAND GOODPASS (8) --> GOODPASS (8) Login OK: [u2/<via Auth-Type = eap>] (from client vLan-Tech port 0 via TLS tunnel) GOODPASS (8) } # server inner-tunnel (8) Virtual server sending reply (8) MS-MPPE-Encryption-Policy = Encryption-Allowed (8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) MS-MPPE-Send-Key = 0x5a63cb9a1d9e080f1d59d075194aaef7 (8) MS-MPPE-Recv-Key = 0x351a8649c506ccb5556cc2e2a6ad00dc (8) EAP-Message = 0x03ea0004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) User-Name = "u2" (8) eap_peap: Got tunneled reply code 2 (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) eap_peap: MS-MPPE-Send-Key = 0x5a63cb9a1d9e080f1d59d075194aaef7 (8) eap_peap: MS-MPPE-Recv-Key = 0x351a8649c506ccb5556cc2e2a6ad00dc (8) eap_peap: EAP-Message = 0x03ea0004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: User-Name = "u2" (8) eap_peap: Got tunneled reply RADIUS code 2 (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) eap_peap: MS-MPPE-Send-Key = 0x5a63cb9a1d9e080f1d59d075194aaef7 (8) eap_peap: MS-MPPE-Recv-Key = 0x351a8649c506ccb5556cc2e2a6ad00dc (8) eap_peap: EAP-Message = 0x03ea0004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: User-Name = "u2" (8) eap_peap: Tunneled authentication was successful (8) eap_peap: SUCCESS (8) eap: Sending EAP Request (code 1) ID 235 length 46 (8) eap: EAP session adding &reply:State = 0x26e3acd92e08b50e (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) Sent Access-Challenge Id 202 from 192.168.30.66:1812 to 192.168.30.206:42291 length 0 (8) EAP-Message = 0x01eb002e19001703030023afdc310d6ec3ecfc229ddfb0d67089decdf03a173fe43279508cff8728033097145447 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x26e3acd92e08b50e9de8616e7140b5da (8) Finished request Waking up in 4.8 seconds. (9) Received Access-Request Id 203 from 192.168.30.206:42291 to 192.168.30.66:1812 length 208 (9) User-Name = "u2" (9) NAS-Identifier = "44d9e7023ad1" (9) NAS-Port = 0 (9) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (9) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (9) Framed-MTU = 1400 (9) NAS-Port-Type = Wireless-802.11 (9) Connect-Info = "CONNECT 0Mbps 802.11b" (9) EAP-Message = 0x02eb002e190017030300230000000000000004bbad0c85fff213c85c3df86106c8a96db5e13ddd612c77dee32bd2 (9) State = 0x26e3acd92e08b50e9de8616e7140b5da (9) Message-Authenticator = 0x8d03cc4904839e96543fb59eb8936d63 (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/freeradius/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) policy rewrite_called_station_id { (9) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (9) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (9) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (9) update request { (9) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (9) --> 46-D9-E7-03-3A-D1 (9) &Called-Station-Id := 46-D9-E7-03-3A-D1 (9) } # update request = noop (9) if ("%{8}") { (9) EXPAND %{8} (9) --> TSSID1 (9) if ("%{8}") -> TRUE (9) if ("%{8}") { (9) update request { (9) EXPAND %{8} (9) --> TSSID1 (9) &Called-Station-SSID := TSSID1 (9) EXPAND %{Called-Station-SSID} (9) --> TSSID1 (9) &My-Called-Station-SSID := TSSID1 (9) } # update request = noop (9) } # if ("%{8}") = noop (9) [updated] = updated (9) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (9) ... skipping else: Preceding "if" was taken (9) } # policy rewrite_called_station_id = updated (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "u2", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 235 length 46 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x26e3acd92e08b50e (9) eap: Finished EAP session with state 0x26e3acd92e08b50e (9) eap: Previous EAP request found for state 0x26e3acd92e08b50e, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv success (9) eap_peap: Received EAP-TLV response (9) eap_peap: Success (9) eap_peap: No information to cache: session caching will be disabled for session 1e612a6685965633b12ff0d4fcb41a265c0e72dbded7812586c0e3347a5b896c (9) eap: Sending EAP Success (code 3) ID 235 length 4 (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (9) post-auth { (9) if (NAS-Port-Type == Wireless-802.11) { (9) if (NAS-Port-Type == Wireless-802.11) -> TRUE (9) if (NAS-Port-Type == Wireless-802.11) { (9) if (&LDAP-Group[*] == "grp-ssid-%{Called-Station-SSID}") { (9) EXPAND grp-ssid-%{Called-Station-SSID} (9) --> grp-ssid-TSSID1 (9) Searching for user in group "grp-ssid-TSSID1" rlm_ldap (ldap): Reserved connection (2) (9) EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (9) --> (samaccountname=u2) (9) Performing search in "dc=mt,dc=priv" with filter "(samaccountname=u2)", scope "sub" (9) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.mt.priv/DC=ForestDnsZones,DC=mt,DC=priv rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.mt.priv/DC=DomainDnsZones,DC=mt,DC=priv rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://mt.priv/CN=Configuration,DC=mt,DC=priv rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (9) User object found at DN "CN=User2 last,OU=MT-Users,OU=MT-Objects,DC=mt,DC=priv" (9) Checking user object's memberOf attributes (9) Waiting for bind result... (9) Bind successful (9) Performing unfiltered search in "CN=User2 last,OU=MT-Users,OU=MT-Objects,DC=mt,DC=priv", scope "base" (9) Waiting for search result... (9) Processing memberOf value "CN=grp-ssid-TSSID2,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" as a DN (9) Resolving group DN "CN=grp-ssid-TSSID2,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" to group name (9) Performing unfiltered search in "CN=grp-ssid-TSSID2,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv", scope "base" (9) Waiting for search result... (9) Group DN "CN=grp-ssid-TSSID2,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" resolves to name "grp-ssid-TSSID2" (9) Processing memberOf value "CN=GRP-SEC-ALL-USERS,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" as a DN (9) Resolving group DN "CN=GRP-SEC-ALL-USERS,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" to group name (9) Performing unfiltered search in "CN=GRP-SEC-ALL-USERS,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv", scope "base" (9) Waiting for search result... (9) Group DN "CN=GRP-SEC-ALL-USERS,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" resolves to name "GRP-SEC-ALL-USERS" (9) Processing memberOf value "CN=Profs,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" as a DN (9) Resolving group DN "CN=Profs,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" to group name (9) Performing unfiltered search in "CN=Profs,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv", scope "base" (9) Waiting for search result... (9) Group DN "CN=Profs,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" resolves to name "Profs" (9) Processing memberOf value "CN=Mt-Folder-Redirection,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" as a DN (9) Resolving group DN "CN=Mt-Folder-Redirection,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" to group name (9) Performing unfiltered search in "CN=Mt-Folder-Redirection,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv", scope "base" (9) Waiting for search result... (9) Group DN "CN=Mt-Folder-Redirection,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" resolves to name "Mt-Folder-Redirection" rlm_ldap (ldap): Deleting connection (2) (9) User is not a member of "grp-ssid-TSSID1" (9) if (&LDAP-Group[*] == "grp-ssid-%{Called-Station-SSID}") -> FALSE (9) else { (9) update reply { (9) EXPAND Hello %{User-Name}: Vous n'avez pas accès (9) --> Hello u2: Vous n'avez pas accès (9) Reply-Message = Hello u2: Vous n'avez pas accès (9) } # update reply = noop (9) [reject] = reject (9) } # else = reject (9) } # if (NAS-Port-Type == Wireless-802.11) = reject (9) } # post-auth = reject (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> u2 (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) [eap] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> TRUE (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) update reply { (9) &Reply-Message !* ANY (9) } # update reply = noop (9) } # if (&reply:EAP-Message && &reply:Reply-Message) = noop (9) ... skipping else: Preceding "if" was taken (9) } # policy remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) EXPAND BADPASS (9) --> BADPASS (9) Rejected in post-auth: [u2/<via Auth-Type = eap>] (from client vLan-Tech port 0 cli C0-EE-FB-4B-FA-10) BADPASS (9) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 203 from 192.168.30.66:1812 to 192.168.30.206:42291 length 44 (9) EAP-Message = 0x03eb0004 (9) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. (0) Cleaning up request packet ID 194 with timestamp +36 (1) Cleaning up request packet ID 195 with timestamp +36 (2) Cleaning up request packet ID 196 with timestamp +36 (3) Cleaning up request packet ID 197 with timestamp +36 (4) Cleaning up request packet ID 198 with timestamp +36 (5) Cleaning up request packet ID 199 with timestamp +36 (6) Cleaning up request packet ID 200 with timestamp +36 (7) Cleaning up request packet ID 201 with timestamp +36 (8) Cleaning up request packet ID 202 with timestamp +36 (9) Cleaning up request packet ID 203 with timestamp +36 Ready to process requests Pierre de Jong -.-.-.-.-.-.-.-.-.-.- 2017-04-04 14:38 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On Apr 4, 2017, at 7:47 AM, Pierre de Jong <pierredejong@gmail.com> wrote:
UNABLE to use "%{Called-Station-SSID}" (nor %Called-Station-SSID)
What do you mean by "unable to use"?
I mean that when i try to "show" the %{Called-Station-SSID} ..... like,
in
a message, we do a" ## %{user} - %{Called-Station-SSID} ## --> it returns: ## username - ##
That is what I mean.
Then at the Called-Station-Id isn't available at that point.
I will send and radiusd -X output soon...
But YES, in the radiusd -X, I can see that Called-Station-SSID is set to a "RIGHT" value.... but we do not seem to be able to use it "anywhere".
I doubt that very much.
Put that check at the start of the "authorize" section, in the default virtual server. You *will* see it.
My guess is that you're trying to expand it in the "inner-tunnel" virtual server, where it's not available. There are solutions for that.
Again, as always... a *careful* reading of the debug output will show this. The server tells you what attributes are received, and what attributes are sent to the inner-tunnel virtual server.
Alan DeKok.
On Apr 5, 2017, at 10:27 AM, Pierre de Jong <pierredejong@gmail.com> wrote:
As promised, I send you an radiusd -X output. complete. I see that straight at the beginning, policy rewrite_called_station_id is done.
--> EXPAND %{Called-Station-SSID} (0) --> TSSID1
even with that, as I said, I cannot use that "%{Called-Station-SSID} anywhere else than in "post-auth"...
That's just not true. If Called-Station-SSID exists, you can use it. If it doesn't exist, you can't use it. The debug log shows when and where it exists.
Is that normal?
Do you see "horror" in those logs ? :-D
The debug log shows: 1) Called-Station-SSID being used by the rewrite_called_station_id policy 2) Called-Station-SSID being used in post-auth If you want to show that it's not available elsewhere, you have to post a debug log where you try to USE IT elsewhere, and then show it doesn't work. Right now, the debug log shows nothing useful. Please also go back and read my previous message. You need to READ the debug log, and you need to understand what you're editing. I said: * My guess is that you're trying to expand it in the "inner-tunnel" virtual server, * Are you doing that? WHERE are you trying to use it? Again, all you're doing is saying "it works here", and posting debug logs showing it works there. You're not saying where else it doesn't work (other than "everywhere", which is unhelpful), and you're not showing the debug logs of you trying to use it elsewhere. This is basic debug methods. Ask good questions, tell people what you're doing, compare what you've done to what happens... Alan DeKok.
Hello Alan, You are absolutely correct, and I would like to appologies... Indeed, between two "mailing list" messages, we worked on the project, and you are right, my "radiusd -X" output was not showing "wrong" things... thus, not giving any ways to go "forward"... again, appologies. Meanwhile, and juste if someone is "following" this, I was trying to use, from memory (again, we "had" to go on that project, and conf changed a lot) we where trying to use it in the "user" file. (authorize) but there, it was not working, And just to let "the mailing list" know, we (mostly my collegue who did a great job) worked out what we needed... We had quite some "reflexion" about the way to put in place the user - user@dom.priv - dom\user - dom.priv\user to be able to connect... And the "AD nested group" check needed also some "time" to found the right modification in the ldap group So, Alan, I know you know you are, but I want to tell anyway: you were totally right, and I thank you for the "slap in my face" ... If anyone has questions, or is "interested" on what has been put in place, do not hesitate ... IF i can, It will be a pleasure to help. Wish you all a great day. Pierre de Jong -.-.-.-.-.-.-.-.-.-.- 2017-04-05 16:54 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On Apr 5, 2017, at 10:27 AM, Pierre de Jong <pierredejong@gmail.com> wrote:
As promised, I send you an radiusd -X output. complete. I see that straight at the beginning, policy rewrite_called_station_id
is
done.
--> EXPAND %{Called-Station-SSID} (0) --> TSSID1
even with that, as I said, I cannot use that "%{Called-Station-SSID} anywhere else than in "post-auth"...
That's just not true. If Called-Station-SSID exists, you can use it. If it doesn't exist, you can't use it. The debug log shows when and where it exists.
Is that normal?
Do you see "horror" in those logs ? :-D
The debug log shows:
1) Called-Station-SSID being used by the rewrite_called_station_id policy
2) Called-Station-SSID being used in post-auth
If you want to show that it's not available elsewhere, you have to post a debug log where you try to USE IT elsewhere, and then show it doesn't work.
Right now, the debug log shows nothing useful.
Please also go back and read my previous message. You need to READ the debug log, and you need to understand what you're editing.
I said: * My guess is that you're trying to expand it in the "inner-tunnel" virtual server, *
Are you doing that? WHERE are you trying to use it?
Again, all you're doing is saying "it works here", and posting debug logs showing it works there. You're not saying where else it doesn't work (other than "everywhere", which is unhelpful), and you're not showing the debug logs of you trying to use it elsewhere.
This is basic debug methods. Ask good questions, tell people what you're doing, compare what you've done to what happens...
Alan DeKok.
participants (3)
-
Alan DeKok -
Brian Candler -
Pierre de Jong