Active directory groups
I have looked on the list for this a few times but there doesn't appear to be a "how to", just an "it might work". We are wanting to use freeradius with our wireless controller for .1x termination. It will need to authenticate to AD and based on the returned group hand back different attributes to the wireless controller. I don't have any way to do a static group request because the options are rather large here. AD needs to pass it back and then i can probably do a match in the freeradius users file and pass the controller an attribute (I think). We are using PEAP/MSCHAPv2 for this currently. We were going to just proxy this to a microsoft NPS but it appears that that option hands back attributes in the "wrong" place and overall just seems terrible. So far I have the ldap component querying AD correctly and I have the ntlm_auth component doing the same and each individually passing from a radtest. My question now revolves around passing the groups in our setup and if this is even possible using the protocols listed above. Unfortunately, we don't have the option to move away from these protocols in our environment. I'm a bit of a freeradius noob so any help is appreciated.
So far I have the ldap component querying AD correctly and I have the ntlm_auth component doing the same and each individually passing from a radtest. My question now revolves around passing the groups in our setup and if this is even possible using the protocols listed above. Unfortunately, we don't have the option to move away from these protocols in our environment. I'm a bit of a freeradius noob so any help is appreciated.
I'm not using NTLM for auth, but I am enforcing AD Group access What I did was fairly simple. I wanted users to either be admins or not (and this is just an example usage): users: DEFAULT Ldap-Group == "grp-admin-admin", Auth-Type = pam Reply-Message = "Hello (admin), %{User-Name}", Fall-Through = No DEFAULT Ldap-Group == "Operator", Auth-Type = pam Reply-Message = "Hello (operator), %{User-Name}", Fall-Through = No DEFAULT Auth-Type := Reject Reply-Message = "you are not authorized" My ldap module config looks like (I have a patched version for exec callouts on string fields. The patch can be found posted to the list): ldap { server = "myDC" port = 636 identity = "exec:/path/to/passgetter LDAP.user" password = "exec:/path/to/passgetter LDAP.pwd" basedn = "dc=myorg,dc=myco,dc=org" filter = "(CN=%{%{Stripped-User-Name}:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls_mode= yes tls { start_tls = no cacertfile = /path/to/my/cacerts require_cert = "never" } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))" groupmembership_attribute = "memberOf" chase_referrals = no rebind = no set_auth_type = no ldap_debug = 0x8000 } And then my authorize config (in my site-enabled/default): authorize { preprocess auth_log files ldap } R. Marc
On 18/05/11 16:21, Doty, Seth wrote:
So far I have the ldap component querying AD correctly and I have the ntlm_auth component doing the same and each individually passing from a radtest. My question now revolves around passing the groups in our setup and if this is even possible using the protocols listed above. Unfortunately, we don't have the option to move away from these protocols in our environment. I'm a bit of a freeradius noob so any help is appreciated.
I don't really understand what you want, so I'm going to guess. You have multiple groups. You want to read those from AD via LDAP, and then set reply variables. The main way to do this is to use unlang or a files module to check each group in turn. For example, in /etc/raddb/sites-enabled/inner-tunnel: post-auth { ... if (Ldap-Group == staff) { update reply { Vlan-Attribute := 123 } } elsif (Ldap-Group == students) { .. } else { .. } } Is this what you want? If not, can you explain why not?
If one has (just for example) 1000 groups, this is a lot of overhead - checking every group. Also, what if they belong to several groups? The last group checked would be the only one that matters - unless of course you account for that somehow in your code. Is there a way to reference the users "primary" group - does LDAP / AD support such a concept? Or, "fetch" their full distinguished name using just their common / logon name, such that? - Login name is ggatten - Get DN for ggatten - DN is ggatten.neteng.msd.waddell.com Once I have DN I can write some code to extract the parent OU for the user, in this case "neteng". Then, can I do something like: Vlan-Attribute := "Ldap-group.neteng.someattribute" I realize the syntax herein is TOTALLY wrong, I'm just looking for some validation on the concept. G -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Wednesday, May 18, 2011 10:58 AM To: freeradius-users@lists.freeradius.org Subject: Re: Active directory groups On 18/05/11 16:21, Doty, Seth wrote:
So far I have the ldap component querying AD correctly and I have the ntlm_auth component doing the same and each individually passing from a radtest. My question now revolves around passing the groups in our setup and if this is even possible using the protocols listed above. Unfortunately, we don't have the option to move away from these protocols in our environment. I'm a bit of a freeradius noob so any help is appreciated.
I don't really understand what you want, so I'm going to guess. You have multiple groups. You want to read those from AD via LDAP, and then set reply variables. The main way to do this is to use unlang or a files module to check each group in turn. For example, in /etc/raddb/sites-enabled/inner-tunnel: post-auth { ... if (Ldap-Group == staff) { update reply { Vlan-Attribute := 123 } } elsif (Ldap-Group == students) { .. } else { .. } } Is this what you want? If not, can you explain why not? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
On 18/05/11 17:22, Gary Gatten wrote:
If one has (just for example) 1000 groups, this is a lot of overhead
Sure (I did see your query the other day - I just haven't had a chance to write up a reply, but see below)
- checking every group. Also, what if they belong to several groups?
Well, you have to decide some order of precedence. FreeRADIUS can't do that for you
The last group checked would be the only one that matters - unless of course you account for that somehow in your code.
Is there a way to reference the users "primary" group - does LDAP / AD support such a concept?
Yes, but it's got a list of caveats a mile long. I would avoid it. In brief: Primary group is encoded in LDAP in a really unhelpful manner: primaryGroupID: <number> ...the number is a RID. You need to find the domain SID, append the RID, encode the SID to binary, then do a lookup on objectSid. It's tedious. In addition, the tools to control which group is "primary" are (IMHO) weak because You've also got the problem that the "primary" group does NOT appear in the "memberOf" attribute for a user, and group members who are primary do not appear in the "member" attribute of the group, meaning you can't check them over LDAP using the "normal" route either. In most domains, the primary group of a user ends up being "Domain Users". My advice: don't fiddle with that, and avoid using primary group. We've had endless troubles with this.
Or, "fetch" their full distinguished name using just their common / logon name, such that?
The "ldap" module already extracts the DN for you: authorize { .. ldap if (control:Ldap-UserDN =~ /^CN=[^,]+,OU=([^,]+)/) { update control { Tmp-String-0 := "%{1}" } } switch (control:Tmp-String-0) { case "neteng" { update reply { .. } } } } The other option would be to pull *all* the LDAP groups into a radius attribute, like so: /etc/raddb/dictionary: ATTRIBUTE My-Groups 3001 string /etc/raddb/ldap.attrmap checkItem My-Groups memberOf /etc/raddb/sites-enabled/XXX: authorize { ldap if (control:My-Groups == CN=group,OU=bar,DC=domain,DC=com) { ... } } ...but it's messy, because memberOf is an LDAP DN, and LDAP DNs are messy. It also doesn't handle nested groups well, but nested groups over LDAP are a nightmare. Frankly, the best way to handle this might be a perl/python module/script. Or better yet, extract all the groups from AD/LDAP and put them into a user:group file and read it with rlm_passwd, or into an SQL group cache (we do this). Basically, extracting group data from AD over LDAP is a non-trivial amount of work for almost all non-trivial cases.
I must be doing something wrong in my filtering because it keeps dumping me into unclassified instead of passing the group I assigned. I have setup a security group specifically for this test and i am indeed in the group. I set it up like this in sites-enabled/inner-tunnel because it seemed this manner was a little more flexible for our needs: post-auth { if (Ldap-Group == "CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov") { update reply { Filter-Id := networking } } else { update reply { Filter-Id := secure-unclassified } } here is my radius -X: FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Mar 31 2010 at 00:14:28 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/ldap.save including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel group = radiusd user = radiusd including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.200.1.0/24 { require_message_authenticator = no secret = "testing321" shortname = "TestingNetwork" } client 10.175.255.11 { require_message_authenticator = no secret = "doomkey" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username= %{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-STN} --challenge=%{mschap:Challenge:-00} --nt-response= %{mschap:NT-Response:-00}" } Module: Instantiating ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=STN --username= %{mschap:User-Name} --password=%{User-Password}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { server = "AD.ne.gov" port = 389 password = "XXXXXXXXXX" identity = "stn\seth.doty" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov" filter = "(CN=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(&(objectClass=group)(member= %{Ldap-UserDn}))" groupmembership_attribute = "memberOf" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x1f3cc40 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m% d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=237, length=171 User-Name = "seth.doty" NAS-IP-Address = 10.200.3.252 NAS-Port = 0 NAS-Identifier = "10.200.3.252" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "C417FE62A790" Called-Station-Id = "000B8661628C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0202000e01736574682e646f7479 Aruba-Essid-Name = "NEW_TEST" Aruba-Location-Id = "test-ap-41" Message-Authenticator = 0x0a5981cd35cccccec08916dd42a81088 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok [ldap] performing user authorization for seth.doty [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> seth.doty [ldap] expand: (CN=%{%{Stripped-User-Name}:-%{User-Name}}) -> (CN=seth.doty) [ldap] expand: CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov -> CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to AD.ne.gov:389, authentication 0 rlm_ldap: bind as stn\seth.doty/XXXXXXXXXX to AD.ne.gov:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov, with filter (CN=seth.doty) rlm_ldap: object not found [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 237 to 10.175.255.11 port 32794 EAP-Message = 0x0103001604107a6ee0a2d4f6e763d8c1574a0cfc74b1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9780c3129783c71452e59c48c6e32104 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=238, length=181 User-Name = "seth.doty" NAS-IP-Address = 10.200.3.252 NAS-Port = 0 NAS-Identifier = "10.200.3.252" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "C417FE62A790" Called-Station-Id = "000B8661628C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020300060319 State = 0x9780c3129783c71452e59c48c6e32104 Aruba-Essid-Name = "NEW_TEST" Aruba-Location-Id = "test-ap-41" Message-Authenticator = 0xf1a25dd0282fb3e8789fdd1535a883e8 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok [ldap] performing user authorization for seth.doty [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> seth.doty [ldap] expand: (CN=%{%{Stripped-User-Name}:-%{User-Name}}) -> (CN=seth.doty) [ldap] expand: CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov -> CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov, with filter (CN=seth.doty) rlm_ldap: object not found [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 238 to 10.175.255.11 port 32794 EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9780c3129684da1452e59c48c6e32104 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=239, length=329 User-Name = "seth.doty" NAS-IP-Address = 10.200.3.252 NAS-Port = 0 NAS-Identifier = "10.200.3.252" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "C417FE62A790" Called-Station-Id = "000B8661628C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0204009a198000000090160301008b0100008703014dd66ed50762ee33a7976c83e0756515c3ff0a4122274a986df878b78df1dbaa201a0f0000a2009ce306eae11299284ffcaef3f1d8b00911c239ea4ad50e8bd4f0003a00390038008800870035008400160013000a00330032009a009900450044002f00960041000500040015001200090014001100080006000300ff0100000400230000 State = 0x9780c3129684da1452e59c48c6e32104 Aruba-Essid-Name = "NEW_TEST" Aruba-Location-Id = "test-ap-41" Message-Authenticator = 0x7257f430f878922484dfd20a4d3340db +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 154 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 144 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 008b], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 239 to 10.175.255.11 port 32794 EAP-Message = 0x0105040019c000000ab416030100310200002d03014dd66d8b275b1943f63378135507aee60b0c76455aecd715912137ef1b5ba8c7000039000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3131303530343135333734365a170d3132303530333135333734365a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ba51dfeaa0e694984adbd379eeb8d714f564a5cda8c964b6876be6eea84b5bd383dea5aa665fe538bb3afddb5422a42b78c390002369e8 EAP-Message = 0x0ebc106cc115d6fe402791fd1f85984032be6de2d6c009ee6ebbdbecf2cd8770954af6e6a53cc4a70025fbf8a6ecbdc0da9ddb59d5936ca40c266d9f771ace1143b703fd3b1224ed62cb7e0af09e535400721104a3962bfc8326d35791cbaaa2139e13c25a1f1bbf7f56143874eb38f9c457f4b486b75759a7df825b2a9876c2bc9c710a389f8b6b6ba075a5f2626c3a3101e2024bd316bdcf93ac5b774fdaa0e4571ff2e7eaa7302edf4f354a1d4fdffeb310a54bae83c92e769f5cb698e82d8b0d81b16b69ddda210203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100298b EAP-Message = 0x7ba7aad7e4a264f9fdbfa1948e45890fa22b0f972da2b171dcf75abbfc4ec7abc4489bb51dbc5567a96ba67ca1521a5a5517e425b7dccd8dc99949707fa70f0291e383d08ae2d4cf9bc2a685407643b8833884aedaf85fa30382712b7825df924ad85a29349b6ce3fd94c1f41d58a3b03ab2376881aa167b0c4949665391808389c694c458f52d23e8b06a4abb5d73e1f12795ce4d45eab6b23c4a0746af074d9c794bb134f2e58a8c3e94dffcb74405d3ef873afee46642f8a9d8a8106c745c8f5824fc5d978b6aedecf6e60aaea1d72fb945f39d9a172b770b130d811497db106506756f0a9571be4e3594e5e07c6cb2626043b7b408fdb9ec47acea EAP-Message = 0xd60004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9780c3129585da1452e59c48c6e32104 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=240, length=181 User-Name = "seth.doty" NAS-IP-Address = 10.200.3.252 NAS-Port = 0 NAS-Identifier = "10.200.3.252" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "C417FE62A790" Called-Station-Id = "000B8661628C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020500061900 State = 0x9780c3129585da1452e59c48c6e32104 Aruba-Essid-Name = "NEW_TEST" Aruba-Location-Id = "test-ap-41" Message-Authenticator = 0x441273cb354ca32d27b088777c92f92c +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 240 to 10.175.255.11 port 32794 EAP-Message = 0x010603fc1940a003020102020900e1797e341d7647f0300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303530343135333734365a170d3132303530333135333734365a308193310b3009060355040613024652310f300d0603550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c541964f0b7edd9eb6eb30d8a4e3e705d04883f87a4b9781915c5c1eec3d57bf199083571cb73f4a79f0feabec036986e06df29a731a1ff7b2f63540116c4d819c58d3fb478da985170fa7b9e29c5911f10deed8f1515f349ed8f0d485bd367a0158ef9c957354d9 EAP-Message = 0x297bdc576e11ded0b556de5f713dd4b2f74f393952c73beabf05f04b5bb67651199303ae0220608cb6299b1c4ebd6b5db3c4193a3e400977ea7a7b94f0d5819044c6d8858f79e024c73ed18d69b92907ea0753ad9043d9209e527bfd7f125c5897045476c9f9d7ff7cb81b1d40833315f8505db055dff86aa8ffdc4d2089e562b43a1214ede86e9b778d97c19af6efbe851f1104f43774170203010001a381fb3081f8301d0603551d0e04160414033a2d25cc1a31fa79331f903b38dccc6f7579ce3081c80603551d230481c03081bd8014033a2d25cc1a31fa79331f903b38dccc6f7579cea18199a48196308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900e1797e341d7647f0300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100a9344eeaacc42d6dfe1d9581432318dc8565dbd0c83984a32df5a043b7cd2452cd928cca0ae28c335264d4cca0f3f8e1a9d73ebe78345aadbea604a67fb433983647bff1bccbae5965611f EAP-Message = 0xab093a6369691c7f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9780c3129486da1452e59c48c6e32104 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=241, length=181 User-Name = "seth.doty" NAS-IP-Address = 10.200.3.252 NAS-Port = 0 NAS-Identifier = "10.200.3.252" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "C417FE62A790" Called-Station-Id = "000B8661628C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020600061900 State = 0x9780c3129486da1452e59c48c6e32104 Aruba-Essid-Name = "NEW_TEST" Aruba-Location-Id = "test-ap-41" Message-Authenticator = 0xc41800b8f9423e2c1cb0e0211f015223 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 241 to 10.175.255.11 port 32794 EAP-Message = 0x010702ce190009f92939f065236be103eca09ccef89c594a5feecab3530d8831838d04078bff07e92f1818bea39bcd5ef87f4012bb956d83f9115d163ce560dc643195e21b92905268eb331182a38977cab87f5f7276f6e03fcd6969b4e7dd74f4dba308a368be4775fc9e5e296fea95635a557d531afcb4a76db16eed9cd1768021fd480947ddfab8a514ec99d74319f2a5ff5adc2716b1397d0b296207568f0749f85c3b22f108bdfe6155fac712d443af91160301020d0c0002090080b25f99ce7aef446d59e7ae66080f5f026c11e7d739695298b525f718983bdcc86f3a4ddc36d96595b332e8b70b4a63cc7edb011892efdcbd69517617027114 EAP-Message = 0x8f0d81bef71309b48beae5e0469ee27eff4f2f2ced3b86b9971d4df37e54b038dbd98e8cfdaf78dfaae9b9cf6c55bd75c89d49f4ee993f47005100af3cd3b5447b0001020080774c91e11e5648fc7fcd3ccecbe1e6ef9f6b439a618480032bf4879b10cbc368986ecffbded8c62087167bd3f1ebcfd95e416a918191592f975774a6b6e1242b91901f62503cd05ed8305e93ddd8af2e8d06579f8d3140e9318e63cdc358bcb40af1b3e6bd7ef0cb9683baaa9b5af8795dbbbddfd014205471327cb076a61da70100b4cb00bd78b087ac6cf032891a713e92deb3137d19ced8dd30631ae4e9d3e0930fa1f4adf1c7bca7b7df46f0aa19d0d8f3b7db668f EAP-Message = 0x187851f1cc89c646eb38751c6288c891b07ed01d7d888fb2d50d153517f854c9114504088092dcd2c32faba168e66f59b51dc4e718e96618019789c33a4ef2ad76929d8c6fc945710aa350c22dce3f21fc81a2023eaf0ae906fc748dc2e47e2c5894eb49a6f206a3d326438fc8b7bde52f9675f8f1594a350bc040495fd96e46317e760d3d7d879ecc4d16602095e442262defbc9e63ee0dc28c491eaad9a8b310f1262c982faf8840a5f5ef377e61a8b0632b58f17ad6f4c900c13661549f5143f48a1f65ef4e6ca37c8e16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9780c3129387da1452e59c48c6e32104 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=242, length=383 User-Name = "seth.doty" NAS-IP-Address = 10.200.3.252 NAS-Port = 0 NAS-Identifier = "10.200.3.252" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "C417FE62A790" Called-Station-Id = "000B8661628C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020700d01980000000c616030100861000008200802107622ebf4b8c5e63e4520592841ea7d4b52fd0ded2de0c70b7102e112455b3f03bd63f3ef0698f373d6769f891aedd9a745f2c52c85f3460031c3c873013c8b8ec7cbb65dbc7421bde06575e73193afbaf37f56abf6de0008dd11fae7d2f0c5543ae5223426ff7c7629345e550398fc6c73720654ef83e7e3106822315c2fc1403010001011603010030fb8d5afaf87b62d13d80b6e7121b59458c56b273735d0ba915104b608ade2e4ff2420e9055bcad9f8524104ad5205faa State = 0x9780c3129387da1452e59c48c6e32104 Aruba-Essid-Name = "NEW_TEST" Aruba-Location-Id = "test-ap-41" Message-Authenticator = 0x61ca90433840534121034f7e04373532 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 242 to 10.175.255.11 port 32794 EAP-Message = 0x01080041190014030100010116030100306e78d4a3fbc91bee1e1d5d532e0d3972f792abab0a29cc96e47d1b9db8576c9df490e8d5bc9692995826b8bce70f77fb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9780c3129288da1452e59c48c6e32104 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=243, length=181 User-Name = "seth.doty" NAS-IP-Address = 10.200.3.252 NAS-Port = 0 NAS-Identifier = "10.200.3.252" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "C417FE62A790" Called-Station-Id = "000B8661628C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020800061900 State = 0x9780c3129288da1452e59c48c6e32104 Aruba-Essid-Name = "NEW_TEST" Aruba-Location-Id = "test-ap-41" Message-Authenticator = 0xe3c222fec06228e6c36609c8e43e8117 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 243 to 10.175.255.11 port 32794 EAP-Message = 0x0109002b1900170301002026d6755b4b91f4b56e47ccb8af04efb3f5064beeb03dd375e1a737fe69b97f7e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9780c3129189da1452e59c48c6e32104 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=244, length=255 User-Name = "seth.doty" NAS-IP-Address = 10.200.3.252 NAS-Port = 0 NAS-Identifier = "10.200.3.252" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "C417FE62A790" Called-Station-Id = "000B8661628C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x02090050190017030100202a153e005d218c64bac4c6ae60a4a47ae0b7eb863a243ae455402455c8d1a0da1703010020e05e87b384eb1cf4b7dfcf67aba1a804182ab45e8ec023c90a97af98d5d774c5 State = 0x9780c3129189da1452e59c48c6e32104 Aruba-Essid-Name = "NEW_TEST" Aruba-Location-Id = "test-ap-41" Message-Authenticator = 0x609e26344fc806d31db36b5a883c6da2 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - seth.doty [peap] Got tunneled request EAP-Message = 0x0209000e01736574682e646f7479 server { PEAP: Got tunneled identity of seth.doty PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to seth.doty Sending tunneled request EAP-Message = 0x0209000e01736574682e646f7479 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "seth.doty" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010a00231a010a001e10d6b726f89e7c1dc2455dcb969bffefb1736574682e646f7479 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc020639cc02a799f2402da1e2bf686a2 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010a00231a010a001e10d6b726f89e7c1dc2455dcb969bffefb1736574682e646f7479 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc020639cc02a799f2402da1e2bf686a2 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 244 to 10.175.255.11 port 32794 EAP-Message = 0x010a004b190017030100404b9e4baea80d1d20ab90eeab01cf3501d752cbd5549687f3922f255fe49c5ca0fd2cc0bebf23656ddce51502dd83713f5748451cdcfe245ef8ba92e2a4741811 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9780c312908ada1452e59c48c6e32104 Finished request 7. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=245, length=319 User-Name = "seth.doty" NAS-IP-Address = 10.200.3.252 NAS-Port = 0 NAS-Identifier = "10.200.3.252" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "C417FE62A790" Called-Station-Id = "000B8661628C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020a0090190017030100208c10c1ba2871d2d5e20afef609ddcf4d74fecb1af44a5e8b96d13b04b9f098481703010060468f6eb13698dd642845884bade0b9281b10ec721e078fa0b360fe5a9c0f7a571dfb8ab1ff5d4c8520bd15a7eac8f904428537ed2e897f4f1355f2572d45b3832296cda77b86b38e7625e8b79df1caa1a564b22bc0d4fb655a54a532dd4387c4 State = 0x9780c312908ada1452e59c48c6e32104 Aruba-Essid-Name = "NEW_TEST" Aruba-Location-Id = "test-ap-41" Message-Authenticator = 0xe1dac00b193956d298b5db160cbe61c4 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020a00441a020a003f3180cd1ba748241f27f3b6d138e34e5022000000000000000020d0bdcfe838860d435e92ce6dee7d6ee83a61639f30852600736574682e646f7479 server { PEAP: Setting User-Name to seth.doty Sending tunneled request EAP-Message = 0x020a00441a020a003f3180cd1ba748241f27f3b6d138e34e5022000000000000000020d0bdcfe838860d435e92ce6dee7d6ee83a61639f30852600736574682e646f7479 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "seth.doty" State = 0xc020639cc02a799f2402da1e2bf686a2 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 10 length 68 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for seth.doty with NT-Password [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=seth.doty [mschap] No NT-Domain was found in the User-Name. [mschap] expand: %{mschap:NT-Domain} -> [mschap] expand: --domain=%{%{mschap:NT-Domain}:-STN} -> --domain=STN [mschap] mschap2: d6 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=48fb695c32de49e3 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=20d0bdcfe838860d435e92ce6dee7d6ee83a61639f308526 Exec-Program output: NT_KEY: 7D06A715A9FD45DB57D634E70486CDEB Exec-Program-Wait: plaintext: NT_KEY: 7D06A715A9FD45DB57D634E70486CDEB Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010b00331a030a002e533d46334433334145443433344541303143313836434644343539464337424130373636464339444638 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc020639cc12b799f2402da1e2bf686a2 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010b00331a030a002e533d46334433334145443433344541303143313836434644343539464337424130373636464339444638 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc020639cc12b799f2402da1e2bf686a2 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 245 to 10.175.255.11 port 32794 EAP-Message = 0x010b005b1900170301005024162ce85f39c2256bf2754dc6ffe339f37849a4f2bb127618172a0b431aa09821f11a0547dd875555bd24498706bb0375123e584219ee9678b993363cac4b343b5c428ce257d4275349df839762572b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9780c3129f8bda1452e59c48c6e32104 Finished request 8. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=246, length=255 User-Name = "seth.doty" NAS-IP-Address = 10.200.3.252 NAS-Port = 0 NAS-Identifier = "10.200.3.252" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "C417FE62A790" Called-Station-Id = "000B8661628C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020b005019001703010020f46c4aa9b900c096bbe02e439cca2ee2bc60aa24eeb2913dcf7a08178e21d46d1703010020551fbf04f9dc4dedbf509014d6153eb6a11ede632045982a84af03243bf94b45 State = 0x9780c3129f8bda1452e59c48c6e32104 Aruba-Essid-Name = "NEW_TEST" Aruba-Location-Id = "test-ap-41" Message-Authenticator = 0x74a755dd934383272d0713bb75b75851 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 11 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020b00061a03 server { PEAP: Setting User-Name to seth.doty Sending tunneled request EAP-Message = 0x020b00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "seth.doty" State = 0xc020639cc12b799f2402da1e2bf686a2 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 11 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++? if (Ldap-Group == "CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov") rlm_ldap: Entering ldap_groupcmp() expand: CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov -> CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov expand: %{Stripped-User-Name} -> expand: %{User-Name} -> seth.doty expand: (CN=%{%{Stripped-User-Name}:-%{User-Name}}) -> (CN=seth.doty) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov, with filter (CN=seth.doty) rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group == "CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov") -> FALSE ++? if (Ldap-Group == "CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov") -> FALSE ++- entering else else {...} +++[reply] returns noop ++- else else returns noop } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "seth.doty" Filter-Id = "secure-unclassified" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "seth.doty" Filter-Id = "secure-unclassified" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 246 to 10.175.255.11 port 32794 EAP-Message = 0x010c002b1900170301002056502beade5135038021ed5d2f0d10e78a91e501c5d58a96af0fcdb3310726fc Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9780c3129e8cda1452e59c48c6e32104 Finished request 9. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.175.255.11 port 32794, id=247, length=255 User-Name = "seth.doty" NAS-IP-Address = 10.200.3.252 NAS-Port = 0 NAS-Identifier = "10.200.3.252" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "C417FE62A790" Called-Station-Id = "000B8661628C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020c0050190017030100208011c6fbb25eeb4e04454b45afc64844f4781f5599cd67c45edf61c5820f03f21703010020c5bf37365af4f1c5dd2bda857e262cd94c871bfce6454aa1c643cf2fe1343630 State = 0x9780c3129e8cda1452e59c48c6e32104 Aruba-Essid-Name = "NEW_TEST" Aruba-Location-Id = "test-ap-41" Message-Authenticator = 0xc3017bd2df835a35b048be614209c833 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "seth.doty", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 12 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 247 to 10.175.255.11 port 32794 MS-MPPE-Recv-Key = 0x250a9d4675dee09162bf7de49a5a94f97186120e1cc8448f2fcfc134b7a1323e MS-MPPE-Send-Key = 0xab393dc3cdf464673e9189ccb1910bb3469472970ab4c92f6d5ccd4eb102efa4 EAP-Message = 0x030c0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "seth.doty" Finished request 10. Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 237 with timestamp +246 Cleaning up request 1 ID 238 with timestamp +246 Cleaning up request 2 ID 239 with timestamp +246 Cleaning up request 3 ID 240 with timestamp +246 Cleaning up request 4 ID 241 with timestamp +246 Cleaning up request 5 ID 242 with timestamp +246 Cleaning up request 6 ID 243 with timestamp +246 Cleaning up request 7 ID 244 with timestamp +246 Cleaning up request 8 ID 245 with timestamp +246 Cleaning up request 9 ID 246 with timestamp +246 Cleaning up request 10 ID 247 with timestamp +246 Ready to process requests.
On 20/05/11 15:14, Doty, Seth wrote:
I must be doing something wrong in my filtering because it keeps dumping me into unclassified instead of passing the group I assigned. I have setup a security group specifically for this test and i am indeed in the group.
I set it up like this in sites-enabled/inner-tunnel because it seemed this manner was a little more flexible for our needs:
post-auth { if (Ldap-Group == "CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov") {
This is wrong. You don't give the group DN. You give the value of "groupname_attribute" in the ldap module, defaults to "cn", i.e. post-auth { if (Ldap-Group == STNS_Wireless_Authentication) { .. } }
I changed my baseDN to: basedn = ou=test,dc=AD,dc=ne,dc=gov and this results in the same failure in the group section. rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed I cant remove the ou=test portion or authentication fails completely and i get a reject: [ldap] performing user authorization for seth.doty [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> seth.doty [ldap] expand: (CN=%{%{Stripped-User-Name}:-%{User-Name}}) -> (CN=seth.doty) [ldap] expand: dc=ad,dc=ne,dc=gov -> dc=ad,dc=ne,dc=gov rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: closing existing LDAP connection rlm_ldap: (re)connect to ad.ne.gov:389, authentication 0 rlm_ldap: bind as stn\seth.doty/ to stone.ne.gov:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=ad,dc=ne,dc=gov, with filter (CN=seth.doty) rlm_ldap: ldap_search() failed: Operations error [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns fail On Fri, 2011-05-20 at 15:26 +0100, Phil Mayers wrote:
On 20/05/11 15:14, Doty, Seth wrote:
I must be doing something wrong in my filtering because it keeps dumping me into unclassified instead of passing the group I assigned. I have setup a security group specifically for this test and i am indeed in the group.
I set it up like this in sites-enabled/inner-tunnel because it seemed this manner was a little more flexible for our needs:
post-auth { if (Ldap-Group == "CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov") {
This is wrong. You don't give the group DN. You give the value of "groupname_attribute" in the ldap module, defaults to "cn", i.e.
post-auth { if (Ldap-Group == STNS_Wireless_Authentication) { .. } } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 20/05/11 16:27, Doty, Seth wrote:
I changed my baseDN to: basedn = ou=test,dc=AD,dc=ne,dc=gov and this results in the same failure in the group section. rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed
I cant remove the ou=test portion or authentication fails completely and i get a reject: [ldap] performing user authorization for seth.doty [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> seth.doty [ldap] expand: (CN=%{%{Stripped-User-Name}:-%{User-Name}}) -> (CN=seth.doty) [ldap] expand: dc=ad,dc=ne,dc=gov -> dc=ad,dc=ne,dc=gov rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: closing existing LDAP connection rlm_ldap: (re)connect to ad.ne.gov:389, authentication 0 rlm_ldap: bind as stn\seth.doty/ to stone.ne.gov:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=ad,dc=ne,dc=gov, with filter (CN=seth.doty) rlm_ldap: ldap_search() failed: Operations error
You're just putting random things into the ldap config and hoping it will work. Go and speak to the people who run your LDAP service. Ask them for the correct base DN, bind DN and credentials, group filters and so forth. Try these LDAP parameters from the command line using ldapsearch. When it's working, try them with FreeRADIUS.
That is the fun i am having. The baseDN of dc=AD,dc=ne,dc=gov DOES work from ldapsearch and these are actually the credentials i have received from our LDAP admins. One of the more specific options I received must be wrong That all being said though you are responding with an answer that at least lets me know that my syntax is correct, even if the information I am receiving from the local LDAP folks is not. Thanks for your help. On Fri, 2011-05-20 at 17:03 +0100, Phil Mayers wrote:
On 20/05/11 16:27, Doty, Seth wrote:
I changed my baseDN to: basedn = ou=test,dc=AD,dc=ne,dc=gov and this results in the same failure in the group section. rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed
I cant remove the ou=test portion or authentication fails completely and i get a reject: [ldap] performing user authorization for seth.doty [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> seth.doty [ldap] expand: (CN=%{%{Stripped-User-Name}:-%{User-Name}}) -> (CN=seth.doty) [ldap] expand: dc=ad,dc=ne,dc=gov -> dc=ad,dc=ne,dc=gov rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: closing existing LDAP connection rlm_ldap: (re)connect to ad.ne.gov:389, authentication 0 rlm_ldap: bind as stn\seth.doty/ to stone.ne.gov:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=ad,dc=ne,dc=gov, with filter (CN=seth.doty) rlm_ldap: ldap_search() failed: Operations error
You're just putting random things into the ldap config and hoping it will work.
Go and speak to the people who run your LDAP service. Ask them for the correct base DN, bind DN and credentials, group filters and so forth.
Try these LDAP parameters from the command line using ldapsearch. When it's working, try them with FreeRADIUS. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Doty, Seth -
Gary Gatten -
Marc Phillips -
Phil Mayers