LDAP Groups to Freeradius and then Ruckus Wireless?
Hello there, I'm trying to deploy a FreeRadius server with OpenLDAP. To this end, both are working properly and communicate with each other successfully. I have LDAP groups set up so users belong to a group and I can check from freeradius' users file if a user belongs to a group (and, for example, deny access to all users belonging to a certain group). I must say that, if I enable group checking in users file, I can see rlm_ldap debug info about it searching for group information; but if it's not enabled it doesn't search for groups. The issue here is that the server will be used to authenticate wifi users from a Ruckus ZoneDirector device, which defines roles and assigns roles to the users depending on the groups that the users belong to. This works flawlessly when authenticating against LDAP itself, but if freeradius stands in the middle the group info gets lost somewhere. I know that freeradius can access Ldap-Group variable and know which group the user belongs to, but I'd like it to forward that info to the ZoneDirector (who is actually performing the authentication request against freeradius), so that it can assign the role properly. The LDAP database is set up with two OUs, users and groups, and users being of objectClass inetOrgPerson and groups being groupOfNames. In freeradius, ldap config is mostly default except for server, identity, etc, but with these group-related parameters: groupname_attribute = cn groupmembership_filter = (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) groupmembership_attribute = member # (also tried with memberOf, radiusGroup, radiusGroupName and several others) And, about the server, it is running Debian 7.5, OpenLDAP 2.4.31 and freeradius 2.1.12 (default packages from debian). I can provide any other info that you need :) Thanks everyone in advance!
On 23 May 2014, at 11:23, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
Hello there,
I’m trying to deploy a FreeRadius server with OpenLDAP. To this end, both are working properly and communicate with each other successfully. I have LDAP groups set up so users belong to a group and I can check from freeradius’ users file if a user belongs to a group (and, for example, deny access to all users belonging to a certain group). I must say that, if I enable group checking in users file, I can see rlm_ldap debug info about it searching for group information; but if it’s not enabled it doesn’t search for groups.
The issue here is that the server will be used to authenticate wifi users from a Ruckus ZoneDirector device, which defines roles and assigns roles to the users depending on the groups that the users belong to. This works flawlessly when authenticating against LDAP itself, but if freeradius stands in the middle the group info gets lost somewhere. I know that freeradius can access Ldap-Group variable and know which group the user belongs to, but I’d like it to forward that info to the ZoneDirector (who is actually performing the authentication request against freeradius), so that it can assign the role properly.
There is no LDAP-Group attribute :). It's virtual, it'a actually translates to a function call in the rlm_ldap module, which runs a bunch of extra logic and queries to check whether a member is a particular group.
The LDAP database is set up with two OUs, users and groups, and users being of objectClass inetOrgPerson and groups being groupOfNames. In freeradius, ldap config is mostly default except for server, identity, etc, but with these group-related parameters: groupname_attribute = cn groupmembership_filter = (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) groupmembership_attribute = member # (also tried with memberOf, radiusGroup, radiusGroupName and several others) And, about the server, it is running Debian 7.5, OpenLDAP 2.4.31 and freeradius 2.1.12 (default packages from debian). I can provide any other info that you need :)
You should be able to use the attrmap file to map memberOf or whatever membership attribute you use to a reply attribute. Else upgrade to 3.0.3 and use the cached group info toggles. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
You should be able to use the attrmap file to map memberOf or whatever membership attribute you use to a reply attribute.
So I included in /usr/share/freeradius/dictionary a new dictionary.ruckus file with vendor information for Ruckus that defines the attribute to be returned: [...] ATTRIBUTE Ruckus-User-Groups 1 string [...] And a new line in ldap.attrmap to reply that attribute: replyItem Ruckus-User-Groups member member being the groupmember_attribute set in modules/ldap, and also the attribute name in LDAP that makes membership effective. But the result is the same, no additional debug output in radiusd -XXX or when testing a user authentication with radtest. Am I doing anything wrong here?
Else upgrade to 3.0.3 and use the cached group info toggles.
I guess that would be easier, but requirements are stable version of everything installed on the server. Anyway, thank you very much and best regards!
On 23 May 2014, at 12:47, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
You should be able to use the attrmap file to map memberOf or whatever membership attribute you use to a reply attribute.
So I included in /usr/share/freeradius/dictionary a new dictionary.ruckus file with vendor information for Ruckus that defines the attribute to be returned: [...] ATTRIBUTE Ruckus-User-Groups 1 string [...]
And a new line in ldap.attrmap to reply that attribute: replyItem Ruckus-User-Groups member
member being the groupmember_attribute set in modules/ldap, and also the attribute name in LDAP that makes membership effective. But the result is the same, no additional debug output in radiusd -XXX or when testing a user authentication with radtest. Am I doing anything wrong here?
Nope, trace the LDAP conversation with wireshark and see what's being requested and returned. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
You should be able to use the attrmap file to map memberOf or whatever membership attribute you use to a reply attribute.
So I included in /usr/share/freeradius/dictionary a new dictionary.ruckus file with vendor information for Ruckus that defines the attribute to be returned: [...] ATTRIBUTE Ruckus-User-Groups 1 string [...]
And a new line in ldap.attrmap to reply that attribute: replyItem Ruckus-User-Groups member
member being the groupmember_attribute set in modules/ldap, and also the attribute name in LDAP that makes membership effective. But the result is the same, no additional debug output in radiusd -XXX or when testing a user authentication with radtest. Am I doing anything wrong here?
Nope, trace the LDAP conversation with wireshark and see what's being requested and returned.
So I'm capturing the whole conversation but I can't see anything useful: there is a first searchRequest for the user being authenticated, then a successful searchResEntry with the user's DN but no additional attributes and finally a successful searchResDone. Then there is another searchRequest for the group check that I have in the users file (but that is unrelated to the problem: it is only there to check that the group filter works correctly), its searchResEntry with info about the group that the user is being checked against and another successful searchResDone. Aside from those, bindRequests and such packets are also captured. All of that is happening with the additional entry in the dictionary and the additional line in ldap.attrmap that I described in my previous email, so I am kind of lost. What am I missing here? Should I configure anything else? Thanks again!
On 26 May 2014, at 10:53, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
You should be able to use the attrmap file to map memberOf or whatever membership attribute you use to a reply attribute.
So I included in /usr/share/freeradius/dictionary a new dictionary.ruckus file with vendor information for Ruckus that defines the attribute to be returned: [...] ATTRIBUTE Ruckus-User-Groups 1 string [...]
And a new line in ldap.attrmap to reply that attribute: replyItem Ruckus-User-Groups member
member being the groupmember_attribute set in modules/ldap, and also the attribute name in LDAP that makes membership effective. But the result is the same, no additional debug output in radiusd -XXX or when testing a user authentication with radtest. Am I doing anything wrong here?
Nope, trace the LDAP conversation with wireshark and see what's being requested and returned.
So I'm capturing the whole conversation but I can't see anything useful: there is a first searchRequest for the user being authenticated, then a successful searchResEntry with the user's DN
That should contain a request for the 'member' attribute. If it doesn't there's an issue with your config, or a bug in that version of rlm_ldap. My suggestion again is to try v3.0.3, or debug the v2.x.x code yourself. It was weeks of effort to rewrite the rlm_ldap module for version v3.0.x, it was done for a reason. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
My suggestion again is to try v3.0.3, or debug the v2.x.x code yourself.
It was weeks of effort to rewrite the rlm_ldap module for version v3.0.x, it was done for a reason.
-Arran
Ok, so I'm trying to build version 3.0.3 for debian and I'm stuck at dpkg-buildpackage because it looks like it's running the configure step for rlm_mschap over and over: CONFIGURE src/modules/rlm_mschap/ checking stuff... checking more stuff... [...] configure: creating ./config.status config.status: creating rlm_mschap.mk config.status: creating config.h config.status: config.h is unchanged make[1]: leaving directory '/path/to/freeradius-server-3.0.3' make[1]: entering directory '/path/to/freeradius-server-3.0.3' make[1]: warning: file 'raddb/all.mk' has a mtime 1.4e+05 in the future CONFIGURE src/modules/rlm_mschap/ Over and over for the last hour... but it shouldn't take so long to build, right? Thanks again!
On Tue, May 27, 2014 at 6:21 PM, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
My suggestion again is to try v3.0.3, or debug the v2.x.x code yourself.
It was weeks of effort to rewrite the rlm_ldap module for version v3.0.x, it was done for a reason.
-Arran
Ok, so I'm trying to build version 3.0.3 for debian and I'm stuck at dpkg-buildpackage because it looks like it's running the configure step for rlm_mschap over and over:
I'm actually surprised you were able to get that far. 3.0.3's debian build script is broken (to be accurate, a patch needs refresh), and needs one minor fix which is already in 3.0.x git branch. Try my test packages: http://software.opensuse.org/download.html?project=home%3Afreeradius%3A3.0.x... -- Fajar
My suggestion again is to try v3.0.3, or debug the v2.x.x code yourself.
It was weeks of effort to rewrite the rlm_ldap module for version v3.0.x, it was done for a reason.
-Arran
Ok, so I'm trying to build version 3.0.3 for debian and I'm stuck at dpkg-buildpackage because it looks like it's running the configure step for rlm_mschap over and over:
I'm actually surprised you were able to get that far. 3.0.3's debian build script is broken (to be accurate, a patch needs refresh), and needs one minor fix which is already in 3.0.x git branch.
Try my test packages: http://software.opensuse.org/download.html?project=home%3Afreeradius%3A3.0. x%3Adebian&package=freeradius
-- Fajar -
That's awesome, your repo should be easier to find ;) Thanks! @Alan and Arran: I'm not building on an NFS share, but the time is not right because the server is on a test network and is not connected to anything else (except when installing packages). Thanks anyway, as Fajar's packages solved this :D Cheers!
Hi again, So I'm now working with version 3.0.3 and I have moved all of my configs to the new format. I can do, as I did on v2.1.2, group checking in users file via the Ldap-Group virtual attribute. That's fine, but it's not what I need. I need the group info to be forwarded to the client, and I'm trying to do so in mods-available/ldap (symlinked to mods-enabled/). As there is no ldap.attrmap file and the update section in mods-available/ldap seems to be for that purpose, I'm mapping attributes there: reply:Ruckus-User-Groups := 'control:memberOf' Ruckus-User-Groups is defined in a dictionary file for vendor Ruckus. But any kind of attribute that I think may fit there I have already tried (memberOf, Ldap-Group, Ldap-Membership...), and no matter what I try I see a line like this in the debug output: ldap : Attribute 'control:memberOf' not found in LDAP Object So my question is: how can I have freeradius run the logic behind Ldap-Group and put that info in the reply? Because if I try it from users file Ldap-Group is recognized and run, but from ldap config it just doesn't find the attribute. Thanks everyone one more time! -----Mensaje original----- De: freeradius-users-bounces+enriquesainz.beca=intef.educacion.es@lists.freeradi us.org [mailto:freeradius-users-bounces+enriquesainz.beca=intef.educacion.es@lists. freeradius.org] En nombre de Enrique Sainz Baixauli Enviado el: martes, 27 de mayo de 2014 16:17 Para: 'FreeRadius users mailing list' Asunto: RE: LDAP Groups to Freeradius and then Ruckus Wireless?
My suggestion again is to try v3.0.3, or debug the v2.x.x code yourself.
It was weeks of effort to rewrite the rlm_ldap module for version v3.0.x, it was done for a reason.
-Arran
Ok, so I'm trying to build version 3.0.3 for debian and I'm stuck at dpkg-buildpackage because it looks like it's running the configure step for rlm_mschap over and over:
I'm actually surprised you were able to get that far. 3.0.3's debian build script is broken (to be accurate, a patch needs refresh), and needs one minor fix which is already in 3.0.x git branch.
Try my test packages: http://software.opensuse.org/download.html?project=home%3Afreeradius%3A3.0. x%3Adebian&package=freeradius
-- Fajar -
That's awesome, your repo should be easier to find ;) Thanks! @Alan and Arran: I'm not building on an NFS share, but the time is not right because the server is on a test network and is not connected to anything else (except when installing packages). Thanks anyway, as Fajar's packages solved this :D Cheers! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ---------------------------------------------------------------------------- ----------------------- Texto aqadido por Panda Security for Desktops: Este mensaje NO ha sido clasificado como SPAM. Si se trata de un mensaje de correo no solicitado (SPAM), haz clic en el siguiente vmnculo para reclasificarlo: http://localhost:6083/Panda?ID=pav_118&SPAM=true&path=C:\Windows\system32\co nfig\systemprofile\AppData\Local\Panda%20Software\AntiSpam ---------------------------------------------------------------------------- -----------------------
On 28 May 2014, at 11:10, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
Hi again,
So I'm now working with version 3.0.3 and I have moved all of my configs to the new format. I can do, as I did on v2.1.2, group checking in users file via the Ldap-Group virtual attribute. That's fine, but it's not what I need. I need the group info to be forwarded to the client, and I'm trying to do so in mods-available/ldap (symlinked to mods-enabled/). As there is no ldap.attrmap file and the update section in mods-available/ldap seems to be for that purpose, I'm mapping attributes there:
reply:Ruckus-User-Groups := 'control:memberOf'
Ruckus-User-Groups is defined in a dictionary file for vendor Ruckus. But any kind of attribute that I think may fit there I have already tried (memberOf, Ldap-Group, Ldap-Membership...), and no matter what I try I see a line like this in the debug output:
ldap : Attribute 'control:memberOf' not found in LDAP Object
*sigh* why could you add control: to the start of memberOf attribute? LDAP has no idea what lists are. Use: update { reply:Ruckus-User-Group += 'memberOf' } Add that and it should work, if it doesn't work post the debug output.
So my question is: how can I have freeradius run the logic behind Ldap-Group and put that info in the reply? Because if I try it from users file Ldap-Group is recognized and run, but from ldap config it just doesn't find the attribute.
Yes. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi again,
So I'm now working with version 3.0.3 and I have moved all of my configs to the new format. I can do, as I did on v2.1.2, group checking in users file via the Ldap-Group virtual attribute. That's fine, but it's not what I need. I need the group info to be forwarded to the client, and I'm trying to do so in mods-available/ldap (symlinked to mods-enabled/). As there is no ldap.attrmap file and the update section in mods-available/ldap seems to be for that purpose, I'm mapping attributes there:
reply:Ruckus-User-Groups := 'control:memberOf'
Ruckus-User-Groups is defined in a dictionary file for vendor Ruckus. But any kind of attribute that I think may fit there I have already tried (memberOf, Ldap-Group, Ldap-Membership...), and no matter what I try I see a line like this in the debug output:
ldap : Attribute 'control:memberOf' not found in LDAP Object
*sigh* why could you add control: to the start of memberOf attribute? LDAP has no idea what lists are.
Use:
update { reply:Ruckus-User-Group += 'memberOf' }
Add that and it should work, if it doesn't work post the debug output.
I guess I didn't explain myself enough: I tried with and without control:, I just posted that option because it was the last one I tried (not really very confident about getting it to work that way). The only difference between your line and the ones I tried before is that you used += and I used := (which I think should be correct, because that's the only attribute that should go into Ruckus-User-Group, but I may be wrong again). So now, with your line I get quite similar debug output: ldap : Attribute 'memberOf' not found in LDAP Object That line happens between processing the only previous attribute (Password-With-Header) and releasing the connection with OpenLDAP, so I think there is no more relevant debug output...
So my question is: how can I have freeradius run the logic behind Ldap-Group and put that info in the reply? Because if I try it from users file Ldap-Group is recognized and run, but from ldap config it just doesn't find the attribute.
Yes.
-Arran
And my question is still how to do it, not whether I can do it or not :) Thanks again!
On 28 May 2014, at 12:09, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
Hi again,
So I'm now working with version 3.0.3 and I have moved all of my configs to the new format. I can do, as I did on v2.1.2, group checking in users file via the Ldap-Group virtual attribute. That's fine, but it's not what I need. I need the group info to be forwarded to the client, and I'm trying to do so in mods-available/ldap (symlinked to mods-enabled/). As there is no ldap.attrmap file and the update section in mods-available/ldap seems to be for that purpose, I'm mapping attributes there:
reply:Ruckus-User-Groups := 'control:memberOf'
Ruckus-User-Groups is defined in a dictionary file for vendor Ruckus. But any kind of attribute that I think may fit there I have already tried (memberOf, Ldap-Group, Ldap-Membership...), and no matter what I try I see a line like this in the debug output:
ldap : Attribute 'control:memberOf' not found in LDAP Object
*sigh* why could you add control: to the start of memberOf attribute? LDAP has no idea what lists are.
Use:
update { reply:Ruckus-User-Group += 'memberOf' }
Add that and it should work, if it doesn't work post the debug output.
I guess I didn't explain myself enough: I tried with and without control:, I just posted that option because it was the last one I tried (not really very confident about getting it to work that way). The only difference between your line and the ones I tried before is that you used += and I used := (which I think should be correct, because that's the only attribute that should go into Ruckus-User-Group, but I may be wrong again). So now, with your line I get quite similar debug output:
ldap : Attribute 'memberOf' not found in LDAP Object
Then your user object contains no memberOf attributes, or your LDAP ACLs are incorrect and preventing the memberOf attributes of user objects from being accessed. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
ldap : Attribute 'memberOf' not found in LDAP Object
Then your user object contains no memberOf attributes, or your LDAP ACLs are incorrect and preventing the memberOf attributes of user objects from being accessed.
-Arran
That's right, my user doesn't contain any memberOf attributes because I got groups to work (via the users file) with member attributes in the groups, so the users themselves don't have any attributes referring to the groups: the groups contain attributes referring to the users. Would it be more correct to make the users belong to the group by adding memberOf attributes to the user objetcts, instead of using member attributes in the group objects? As per the LDAP ACLs, I don't think they should be a problem because first, I haven't set up any, and second, I'm authenticating against LDAP using the first admin user I created (which should have read access to the whole directory). Remember that this is a test deployment so it's quite simple: LDAP server with two group objects, two user objects and only one user with all the privileges, plus FR with (at the moment) only PAP working. Thanks again
On 28 May 2014, at 12:36, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
ldap : Attribute 'memberOf' not found in LDAP Object
Then your user object contains no memberOf attributes, or your LDAP ACLs are incorrect and preventing the memberOf attributes of user objects from being accessed.
-Arran
That's right, my user doesn't contain any memberOf attributes because I got groups to work (via the users file) with member attributes in the groups, so the users themselves don't have any attributes referring to the groups: the groups contain attributes referring to the users. Would it be more correct to make the users belong to the group by adding memberOf attributes to the user objetcts, instead of using member attributes in the group objects?
Ah OK, sorry somehow I missed that. In that case remove the update entry for Ruckus-User-Group Then set: group.cacheable_name = yes Uncomment: cache_attribute = 'LDAP-Cached-Membership' Then in authorize: ldap foreach &LDAP-Cached-Membership { update reply { Ruckus-User-Group += "%{Foreach-Variable-0}" } } In theory that should work. I'll be very interested to see if it does. You should see a bunch of debug scrolling by saying it's adding control:LDAP-Cached-Membership for each of the groups a user is a member of. As an added bonus you can also use the rlm_cache module to cache these memberships so you don't hit LDAP every time. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Uncomment:
cache_attribute = 'LDAP-Cached-Membership'
Then in authorize:
ldap
Sorry that's
foreach &control:LDAP-Cached-Membership { update reply { Ruckus-User-Group += "%{Foreach-Variable-0}" } }
Thank you very much, but trying to start the server resulted in a syntax error in '&control:LDAP-Cached-Membership': Unknown attribute "LDAP-Cached-Membership"
On 28 May 2014, at 14:38, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
Uncomment:
cache_attribute = 'LDAP-Cached-Membership'
Then in authorize:
ldap
Sorry that's
foreach &control:LDAP-Cached-Membership { update reply { Ruckus-User-Group += "%{Foreach-Variable-0}" } }
Thank you very much, but trying to start the server resulted in a syntax error in '&control:LDAP-Cached-Membership': Unknown attribute "LDAP-Cached-Membership"
Define it in the user dictionay as a string attribute. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Uncomment:
cache_attribute = 'LDAP-Cached-Membership'
Then in authorize:
ldap
Sorry that's
foreach &control:LDAP-Cached-Membership { update reply { Ruckus-User-Group += "%{Foreach-Variable-0}" } }
Thank you very much, but trying to start the server resulted in a syntax error in '&control:LDAP-Cached-Membership': Unknown attribute "LDAP-Cached-Membership"
Define it in the user dictionay as a string attribute.
That's awesome, now the debug output shows that FR finds out which group each user belongs to. Also, capturing local packets with wireshark (because LDAP and FR are on the same machine) shows two request-responses, first for the user and then for the group, between FR and LDAP. But on the Ethernet interface there is nothing else aside from an Access-Request and an Access-Accept, but nothing related to the group in the response. Maybe wireshark doesn't show every field, but the packet length is only 20 so I think it's just not being sent by FR. Is there anything else I may be missing? Btw, I am not using rlm_cache yet, I prefer to get it up and running and then try to optimize it. Thank you again and again! :D
On 28 May 2014, at 15:30, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
Uncomment:
cache_attribute = 'LDAP-Cached-Membership'
Then in authorize:
ldap
Sorry that's
foreach &control:LDAP-Cached-Membership { update reply { Ruckus-User-Group += "%{Foreach-Variable-0}" } }
Thank you very much, but trying to start the server resulted in a syntax error in '&control:LDAP-Cached-Membership': Unknown attribute "LDAP-Cached-Membership"
Define it in the user dictionay as a string attribute.
That's awesome, now the debug output shows that FR finds out which group each user belongs to. Also, capturing local packets with wireshark (because LDAP and FR are on the same machine) shows two request-responses, first for the user and then for the group, between FR and LDAP. But on the Ethernet interface there is nothing else aside from an Access-Request and an Access-Accept, but nothing related to the group in the response. Maybe wireshark doesn't show every field, but the packet length is only 20 so I think it's just not being sent by FR.
Hm, can you send over the output of -X. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Good that you can see debug. We can't though which isn't helpful. I'm going to guess that you've got attribute filtering on and haven't added that attribute to the attribute white list. I hate to guess though would be better if we were better informed. alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Hi again,
So I'm now working with version 3.0.3 and I have moved all of my configs to the new format. I can do, as I did on v2.1.2, group checking in users file via the Ldap-Group virtual attribute. That's fine, but it's not what I need. I need the group info to be forwarded to the client, and I'm trying to do so in mods-available/ldap (symlinked to mods-enabled/). As there is no ldap.attrmap file and the update section in mods-available/ldap seems to be for that purpose, I'm mapping attributes there:
reply:Ruckus-User-Groups := 'control:memberOf'
Ruckus-User-Groups is defined in a dictionary file for vendor Ruckus. But any kind of attribute that I think may fit there I have already tried (memberOf, Ldap-Group, Ldap-Membership...), and no matter what I try I see a line like this in the debug output:
ldap : Attribute 'control:memberOf' not found in LDAP Object
*sigh* why could you add control: to the start of memberOf attribute? LDAP has no idea what lists are.
Use:
update { reply:Ruckus-User-Group += 'memberOf' }
Add that and it should work, if it doesn't work post the debug output.
I guess I didn't explain myself enough: I tried with and without control:, I just posted that option because it was the last one I tried (not really very confident about getting it to work that way). The only difference between your line and the ones I tried before is that you used += and I used := (which I think should be correct, because that's the only attribute that should go into Ruckus-User-Group, but I may be wrong again). So now, with your line I get quite similar debug output: ldap : Attribute 'memberOf' not found in LDAP Object That line happens between processing the only previous attribute (Password-With-Header) and releasing the connection with OpenLDAP, so I think there is no more relevant debug output...
So my question is: how can I have freeradius run the logic behind Ldap-Group and put that info in the reply? Because if I try it from users file Ldap-Group is recognized and run, but from ldap config it just doesn't find the attribute.
Yes.
-Arran
And my question is still how to do it, not whether I can do it or not :) Thanks again! What attribute are you using for group membership? I'm getting reay to do something similar and it strikes me that if memberOF is not in your schema that won't work. If you're using RFC2307 you may have to set up a second filter condition for group membership resolution. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Jefferson K Davis Technology and Information Systems Manager Standard School District 1200 North Chester Ave Bakersfield, CA 93308 661.392.2110 ext 120 (office) http://district.standard.k12.ca.us District Users: Click here to report technology issues
What attribute are you using for group membership? I'm getting reay to do something similar and it strikes me that if memberOF is not in your schema that won't work.
Not with the update block no, but there are other ways in v3.0.x to do it without memberOf Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 28 May 2014, at 17:05, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
What attribute are you using for group membership? I'm getting reay to do something similar and it strikes me that if memberOF is not in your schema that won't work.
Not with the update block no, but there are other ways in v3.0.x to do it without memberOf
Ok, OP. I suspect you've messed up and not uncommented group.cache_attribute Or got a typo in your config. I got no complaints from the server when I tried, and did not have to add a dictionary entry. So yes, it works perfectly on my system (thought I don't have the Ruckus attributes, could you send their dictionary over please?) Received Access-Request Id 134 from 127.0.0.1:53587 to 127.0.0.1:1812 length 29 User-Name = 'xxxxx' (0) # Executing section authorize from file /usr/local/freeradius/etc/raddb/sites-enabled/default (0) authorize { rlm_ldap (ldap): Reserved connection (4) (0) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap : --> (uid=xxxxx) (0) ldap : EXPAND ou=people,dc=networkradius,dc=com (0) ldap : --> ou=people,dc=networkradius,dc=com (0) ldap : Performing search in 'ou=people,dc=networkradius,dc=com' with filter '(uid=xxxxx)', scope 'sub' (0) ldap : Waiting for search result... (0) ldap : User object found at DN "cn=Arran Cudbard-Bell,ou=people,dc=networkradius,dc=com" (0) ldap : No cacheable group memberships found in user object (0) ldap : EXPAND (&(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))) (0) ldap : --> (&(objectClass=posixGroup)(|(member=cn\3dArran Cudbard-Bell\2cou\3dpeople\2cdc\3dnetworkradius\2cdc\3dcom)(memberUid=xxxxx))) (0) ldap : EXPAND ou=groups,dc=networkradius,dc=com (0) ldap : --> ou=groups,dc=networkradius,dc=com (0) ldap : Performing search in 'ou=groups,dc=networkradius,dc=com' with filter '(&(objectClass=posixGroup)(|(member=cn\3dArran Cudbard-Bell\2cou\3dpeople\2cdc\3dnetworkradius\2cdc\3dcom)(memberUid=xxxxx)))', scope 'sub' (0) ldap : Waiting for search result... (0) ldap : Added control:LDAP-Cached-Membership with value "admin" (0) ldap : Added control:LDAP-Cached-Membership with value "networkradius" (0) ldap : Processing user attributes (0) ldap : control:Password-With-Header += 'xxxxxx' rlm_ldap (ldap): Released connection (4) (0) [ldap] = ok (0) foreach &control:LDAP-Cached-Membership (0) # Foreach-Variable-0 = "admin" (0) update reply { (0) EXPAND %{Foreach-Variable-0} (0) --> admin (0) Reply-Message += "admin" (0) } # update reply = noop (0) # Foreach-Variable-0 = "networkradius" (0) update reply { (0) EXPAND %{Foreach-Variable-0} (0) --> networkradius (0) Reply-Message += "networkradius" (0) } # update reply = noop (0) } # foreach &control:LDAP-Cached-Membership = noop (0) update control { (0) Auth-Type := Accept (0) } # update control = noop (0) } # authorize = ok (0) Found Auth-Type = Accept (0) Auth-Type = Accept, accepting the user (0) # Executing section post-auth from file /usr/local/freeradius/etc/raddb/sites-enabled/default (0) post-auth { (0) [exec] = noop (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (reply:EAP-Message && reply:Reply-Message) (0) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # post-auth = noop Sending Access-Accept Id 134 from 127.0.0.1:1812 to 127.0.0.1:53587 Reply-Message += 'admin' Reply-Message += 'networkradius' (0) Finished request Note it's searching for group object as it is with your setup. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
What attribute are you using for group membership? I'm getting reay to do something similar and it strikes me that if memberOF is not in your schema that won't work.
Not with the update block no, but there are other ways in v3.0.x to do it without memberOf
Ok, OP.
I suspect you've messed up and not uncommented
group.cache_attribute
Or got a typo in your config. I got no complaints from the server when I tried, and did not have to add a dictionary entry.
So yes, it works perfectly on my system (thought I don't have the Ruckus attributes, could you send their dictionary over please?)
I am guessing you mean cache_attribute in section group {}, in mods-available/ldap. I uncommented it and set it to "LDAP-Cached-Membership". Besides, I set cacheable_name = "yes" and membership_attribute = "member". And dictionary.ruckus: VENDOR Ruckus 25053 BEGIN-VENDOR Ruckus ATTRIBUTE Ruckus-User-Groups 1 string END-VENDOR Ruckus
Good that you can see debug. We can't though which isn't helpful.
I'm going to guess that you've got attribute filtering on and haven't added that attribute to the attribute white list. I hate to guess though would be better if we were better informed.
alan
About this, I haven't set up attribute filtering (because I don't know where to do it), so if it's on by default, where is the whitelist? I have also changed the foreach line you guys suggested because of a warning in the debug output: I placed a & before Ruckus-User-Groups: Foreach &control:LDAP-Cached-Membership { update reply { &Ruckus-User-Groups += "%{Foreach-Variable-0}" } } And finally, the debug output for a PAP Access-Request of user 'juan', who belongs to group 'profesores': Received Access-Request Id 2 from 192.168.60.1:1024 to 192.168.50.62:1812 length 82 User-Name = 'juan' User-Password = 'juan' NAS-IP-Address = 192.168.60.1 Service-Type = Login-User NAS-Port-Type = Wireless-802.11 Message-Authenticator = 0x412aea7019095474eca935825f5f2c90 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (User-Name != "%{tolower:%{User-Name}}") (0) EXPAND %{tolower:%{User-Name}} (0) --> juan (0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) if (User-Name =~ / /) (0) if (User-Name =~ / /) -> FALSE (0) if (User-Name =~ /@.*@/ ) (0) if (User-Name =~ /@.*@/ ) -> FALSE (0) if (User-Name =~ /\\.\\./ ) (0) if (User-Name =~ /\\.\\./ ) -> FALSE (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (User-Name =~ /\\.$/) (0) if (User-Name =~ /\\.$/) -> FALSE (0) if (User-Name =~ /@\\./) (0) if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "juan", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop rlm_ldap (ldap): Reserved connection (4) (0) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap : --> (uid=juan) (0) ldap : EXPAND dc=ejemplo,dc=org (0) ldap : --> dc=ejemplo,dc=org (0) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (0) ldap : Waiting for search result... (0) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (0) ldap : No cacheable group memberships found in user object (0) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (0) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl o\2cdc\3dorg)) (0) ldap : EXPAND dc=ejemplo,dc=org (0) ldap : --> dc=ejemplo,dc=org (0) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp lo\2cdc\3dorg))', scope 'sub' (0) ldap : Waiting for search result... (0) ldap : Added control:Ldap-Group with value "profesores" (0) ldap : Processing user attributes (0) ldap : control:Password-With-Header += ''{SSHA}YvCZkmiUfoRuncod2Vm3Bnwr1ueIg3ew'' rlm_ldap (ldap): Released connection (4) (0) [ldap] = ok (0) foreach &control:LDAP-Cached-Membership { (0) } # foreach &control:LDAP-Cached-Membership = noop (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Auth-Type PAP { (0) pap : Login attempt with password (0) pap : Comparing with "known-good" SSHA-Password (0) pap : Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24 bytes (0) pap : User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (0) post-auth { (0) [exec] = noop (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (reply:EAP-Message && reply:Reply-Message) (0) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # post-auth = noop Sending Access-Accept Id 2 from 192.168.50.62:1812 to 192.168.60.1:1024 (0) Finished request
Hi I placed a & before Ruckus-User-Groups: Foreach &control:LDAP-Cached-Membership { update reply { &Ruckus-User-Groups += "%{Foreach-Variable-0}" } } You can't make random changes and expect things to work. Have you read the unlang manual page? If you look at your debug output you'll see that the section being called exits with a 'noop' ie no operation ie no attributes were added to the reply alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
On Thu, May 29, 2014 at 5:15 PM, Enrique Sainz Baixauli < enriquesainz.beca@intef.educacion.es> wrote:
(0) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp lo\2cdc\3dorg))', scope 'sub' (0) ldap : Waiting for search result... (0) ldap : Added control:Ldap-Group with value "profesores"
That is odd. Arran's debug log does not have that line. Are you SURE you set group.cache_attribute correctly>
(0) foreach &control:LDAP-Cached-Membership { (0) } # foreach &control:LDAP-Cached-Membership = noop
What happens when you change it now to foreach &control:LDAP-Group (matching the debug output above)? -- Fajar
On 29 May 2014, at 11:32, Fajar A. Nugraha <list@fajar.net> wrote:
On Thu, May 29, 2014 at 5:15 PM, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote: (0) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp lo\2cdc\3dorg))', scope 'sub' (0) ldap : Waiting for search result... (0) ldap : Added control:Ldap-Group with value "profesores"
That is odd. Arran's debug log does not have that line. Are you SURE you set group.cache_attribute correctly>
*sigh* Just use foreach &control:Ldap-Group { } It's probably easier. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
That is odd. Arran's debug log does not have that line. Are you SURE you set group.cache_attribute correctly>
(0) foreach &control:LDAP-Cached-Membership { (0) } # foreach &control:LDAP-Cached-Membership = noop
What happens when you change it now to foreach &control:LDAP-Group (matching the debug output above)?
-- Fajar
That's it. I was never sure what LDAP-Cached-Membership did, but changing it to LDAP-Group did make FR add the attribute to the reply and now my users are known to be part of their group in the Ruckus device. However, in the debug output those two lines are still there (saying LDAP-Group instead of LDAP-Cached-Membership) with that big noop that I hadn't noticed before but there is a new line after Sending Access-Accept that says Ruckus-User-Groups += ... :D @Alan: I did know what noop meant without reading the unlang manpage (not even knowing that it existed), but I hadn't noticed that line. However, I don't know where that noop is configured and I have just realized it doesn't really affect this issue. Thank you guys very much. Really. I will now move forward to configuring EAP-PEAP, PAP was just a test :) And, for the record, this is the current (working) debug output: Received Access-Request Id 6 from 192.168.60.1:1024 to 192.168.50.62:1812 length 82 User-Name = 'juan' User-Password = 'juan' NAS-IP-Address = 192.168.60.1 Service-Type = Login-User NAS-Port-Type = Wireless-802.11 Message-Authenticator = 0x5318e58e295f70f8c44c0dc21c2a919b (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (User-Name != "%{tolower:%{User-Name}}") (0) EXPAND %{tolower:%{User-Name}} (0) --> juan (0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) if (User-Name =~ / /) (0) if (User-Name =~ / /) -> FALSE (0) if (User-Name =~ /@.*@/ ) (0) if (User-Name =~ /@.*@/ ) -> FALSE (0) if (User-Name =~ /\\.\\./ ) (0) if (User-Name =~ /\\.\\./ ) -> FALSE (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (User-Name =~ /\\.$/) (0) if (User-Name =~ /\\.$/) -> FALSE (0) if (User-Name =~ /@\\./) (0) if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "juan", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop rlm_ldap (ldap): Reserved connection (4) (0) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap : --> (uid=juan) (0) ldap : EXPAND dc=ejemplo,dc=org (0) ldap : --> dc=ejemplo,dc=org (0) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (0) ldap : Waiting for search result... (0) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (0) ldap : No cacheable group memberships found in user object (0) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (0) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg)) (0) ldap : EXPAND dc=ejemplo,dc=org (0) ldap : --> dc=ejemplo,dc=org (0) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))', scope 'sub' (0) ldap : Waiting for search result... (0) ldap : Added control:Ldap-Group with value "profesores" (0) ldap : Processing user attributes (0) ldap : control:Password-With-Header += ''{SSHA}YvCZkmiUfoRuncod2Vm3Bnwr1ueIg3ew'' rlm_ldap (ldap): Released connection (4) (0) [ldap] = ok (0) foreach &control:LDAP-Group (0) update reply { (0) EXPAND %{Foreach-Variable-0} (0) --> profesores (0) &Ruckus-User-Groups += '"profesores"' (0) } # update reply = noop (0) } # foreach &control:LDAP-Group = noop (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Auth-Type PAP { (0) pap : Login attempt with password (0) pap : Comparing with "known-good" SSHA-Password (0) pap : Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24 bytes (0) pap : User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (0) post-auth { (0) [exec] = noop (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (reply:EAP-Message && reply:Reply-Message) (0) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # post-auth = noop Sending Access-Accept Id 6 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' (0) Finished request
Thank you guys very much. Really. I will now move forward to configuring
EAP-PEAP, PAP was just a test :)
Hi again, So I managed to put the LDAP-Group attribute into the reply using PAP, but after configuring PEAP-MSCHAPv2 and getting it to work, of course there is no attribute in the reply :) I understand that, in EAP authentication, the eap module returns the authorize section before getting to ldap to avoid the overload of querying the ldap server on each packet that form the TLS conversation. So I thought of filling the reply in the postauth section. But, if I do it in the default server, it doesn't know about the groups (ie LDAP-Group is empty), and if I do it in the inner-tunnel server, the tunneled reply to the default server contains my attribute, but then I don't know how to put it into the Access-Accept response to the client. Am I understanding anything wrong? How can I send the attribute back to the client? This is the (huge) debug output, I hope it helps. The attribute in the tunneled reply is close to the end of processing request (9). Received Access-Request Id 57 from 192.168.60.1:1029 to 192.168.50.62:1812 length 190 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020000090170657065 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x270ccc8fe82858ae31fc9d5a5694d683 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (User-Name != "%{tolower:%{User-Name}}") (0) EXPAND %{tolower:%{User-Name}} (0) --> pepe (0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) if (User-Name =~ / /) (0) if (User-Name =~ / /) -> FALSE (0) if (User-Name =~ /@.*@/ ) (0) if (User-Name =~ /@.*@/ ) -> FALSE (0) if (User-Name =~ /\\.\\./ ) (0) if (User-Name =~ /\\.\\./ ) -> FALSE (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (User-Name =~ /\\.$/) (0) if (User-Name =~ /\\.$/) -> FALSE (0) if (User-Name =~ /@\\./) (0) if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "pepe", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : EAP packet type response id 0 length 9 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap : Peer sent Identity (1) (0) eap : Calling eap_md5 to process EAP data (0) eap_md5 : Issuing MD5 Challenge (0) eap : New EAP session, adding 'State' attribute to reply 0xca8f630eca8e6799 (0) [eap] = handled (0) } # authenticate = handled Sending Access-Challenge Id 57 from 192.168.50.62:1812 to 192.168.60.1:1029 EAP-Message = 0x0101001604109ed4c50cadd454cb460331c800fcad9e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630eca8e6799cfb856ad0867eff6 (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 58 from 192.168.60.1:1029 to 192.168.50.62:1812 length 205 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020100060319 State = 0xca8f630eca8e6799cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x18795b931bfaf56efabdb28a3686c1a0 (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) if (User-Name != "%{tolower:%{User-Name}}") (1) EXPAND %{tolower:%{User-Name}} (1) --> pepe (1) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (1) if (User-Name =~ / /) (1) if (User-Name =~ / /) -> FALSE (1) if (User-Name =~ /@.*@/ ) (1) if (User-Name =~ /@.*@/ ) -> FALSE (1) if (User-Name =~ /\\.\\./ ) (1) if (User-Name =~ /\\.\\./ ) -> FALSE (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) if (User-Name =~ /\\.$/) (1) if (User-Name =~ /\\.$/) -> FALSE (1) if (User-Name =~ /@\\./) (1) if (User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : No '@' in User-Name = "pepe", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop (1) eap : EAP packet type response id 1 length 6 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop rlm_ldap (ldap): Reserved connection (4) (1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap : --> (uid=pepe) (1) ldap : EXPAND dc=ejemplo,dc=org (1) ldap : --> dc=ejemplo,dc=org (1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=pepe)', scope 'sub' (1) ldap : Waiting for search result... (1) ldap : User object found at DN "uid=pepe,ou=usuarios,dc=ejemplo,dc=org" (1) ldap : No cacheable group memberships found in user object (1) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (1) ldap : --> (&(objectClass=groupOfNames)(member=uid\3dpepe\2cou\3dusuarios\2cdc\3dejempl o\2cdc\3dorg)) (1) ldap : EXPAND dc=ejemplo,dc=org (1) ldap : --> dc=ejemplo,dc=org (1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3dpepe\2cou\3dusuarios\2cdc\3dejemp lo\2cdc\3dorg))', scope 'sub' (1) ldap : Waiting for search result... (1) ldap : Added control:Ldap-Group with value "alumnos" (1) ldap : Processing user attributes (1) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (1) [ldap] = ok (1) foreach &control:LDAP-Group (1) update reply { (1) EXPAND %{Foreach-Variable-0} (1) --> alumnos (1) &Ruckus-User-Groups += '"alumnos"' (1) } # update reply = noop (1) } # foreach &control:LDAP-Group = noop (1) [expiration] = noop (1) [logintime] = noop (1) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (1) WARNING: pap : Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = EAP (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0xca8f630eca8e6799 (1) eap : Finished EAP session with state 0xca8f630eca8e6799 (1) eap : Previous EAP request found for state 0xca8f630eca8e6799, released from the list (1) eap : Peer sent NAK (3) (1) eap : Found mutually acceptable type PEAP (25) (1) eap : Calling eap_peap to process EAP data (1) eap_peap : Flushing SSL sessions (of #0) (1) eap_peap : Initiate (1) eap_peap : Start returned 1 (1) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ecb8d7a99 (1) [eap] = handled (1) } # authenticate = handled Sending Access-Challenge Id 58 from 192.168.50.62:1812 to 192.168.60.1:1029 Ruckus-User-Groups += 'alumnos' EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630ecb8d7a99cfb856ad0867eff6 (1) Finished request Waking up in 0.3 seconds. Received Access-Request Id 59 from 192.168.60.1:1029 to 192.168.50.62:1812 length 439 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020200f01980000000e616030100e1010000dd0301538da51e65239cb8a55acf5ff0eb03fd d8156b28e4af029cf2308a4915a336be2086b31f1ebc8b0665e550b08be38a3cc114343f316a 8200c02dac3c19dc43a6ce0054c014c00ac022c02100390038c00fc0050035c012c008c01cc0 1b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc00200 0500040015001200090014001100080006000300ff01000040000b000403000102000a003400 32000e000d0019000b000c00180009000a001600170008000600070014001500040005001200 13000100020003000f00100011 State = 0xca8f630ecb8d7a99cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x4b8481af020203d0b05505729a042b74 (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) if (User-Name != "%{tolower:%{User-Name}}") (2) EXPAND %{tolower:%{User-Name}} (2) --> pepe (2) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (2) if (User-Name =~ / /) (2) if (User-Name =~ / /) -> FALSE (2) if (User-Name =~ /@.*@/ ) (2) if (User-Name =~ /@.*@/ ) -> FALSE (2) if (User-Name =~ /\\.\\./ ) (2) if (User-Name =~ /\\.\\./ ) -> FALSE (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) if (User-Name =~ /\\.$/) (2) if (User-Name =~ /\\.$/) -> FALSE (2) if (User-Name =~ /@\\./) (2) if (User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "pepe", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) eap : EAP packet type response id 2 length 240 (2) eap : Continuing tunnel setup. (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0xca8f630ecb8d7a99 (2) eap : Finished EAP session with state 0xca8f630ecb8d7a99 (2) eap : Previous EAP request found for state 0xca8f630ecb8d7a99, released from the list (2) eap : Peer sent PEAP (25) (2) eap : EAP PEAP (25) (2) eap : Calling eap_peap to process EAP data (2) eap_peap : processing EAP-TLS TLS Length 230 (2) eap_peap : Length Included (2) eap_peap : eaptls_verify returned 11 (2) eap_peap : (other): before/accept initialization (2) eap_peap : TLS_accept: before/accept initialization (2) eap_peap : <<< TLS 1.0 Handshake [length 00e1], ClientHello SSL: Client requested cached session 86b31f1ebc8b0665e550b08be38a3cc114343f316a8200c02dac3c19dc43a6ce (2) eap_peap : TLS_accept: SSLv3 read client hello A (2) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello (2) eap_peap : TLS_accept: SSLv3 write server hello A (2) eap_peap : >>> TLS 1.0 Handshake [length 08d0], Certificate (2) eap_peap : TLS_accept: SSLv3 write certificate A (2) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange (2) eap_peap : TLS_accept: SSLv3 write key exchange A (2) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (2) eap_peap : TLS_accept: SSLv3 write server done A (2) eap_peap : TLS_accept: SSLv3 flush data (2) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (2) eap_peap : eaptls_process returned 13 (2) eap_peap : FR_TLS_HANDLED (2) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ec88c7a99 (2) [eap] = handled (2) } # authenticate = handled Sending Access-Challenge Id 59 from 192.168.50.62:1812 to 192.168.60.1:1029 EAP-Message = 0x010303ec19c000000a8c16030100590200005503015378358f41d46bdc38e37cb7c6151d2c 2b6c72a3797f4a54e912d453a5e3d7f120c3af38d6dd50905c7ad47b7db409e605af5a4f5165 4183fd63bbe48598a79297c01400000dff01000100000b00040300010216030108d00b0008cc 0008c90003de308203da308202c2a003020102020101300d06092a864886f70d010105050030 8193310b3009060355040613024652310f300d06035504081306526164697573311230100603 5504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e31 20301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406 03550403131d4578616d706c6520436572746966696361746520417574686f72697479301e17 0d3134303532363039303731395a170d3134303732353039303731395a307c310b3009060355 040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d 706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274 696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e 636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b4d9 2a9bd1b2b267aad680a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630ec88c7a99cfb856ad0867eff6 (2) Finished request Waking up in 0.2 seconds. Received Access-Request Id 60 from 192.168.60.1:1029 to 192.168.50.62:1812 length 205 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020300061900 State = 0xca8f630ec88c7a99cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x9dc6fad55ff41f34da41ec0bf1ec9f30 (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) filter_username filter_username { (3) if (User-Name != "%{tolower:%{User-Name}}") (3) EXPAND %{tolower:%{User-Name}} (3) --> pepe (3) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (3) if (User-Name =~ / /) (3) if (User-Name =~ / /) -> FALSE (3) if (User-Name =~ /@.*@/ ) (3) if (User-Name =~ /@.*@/ ) -> FALSE (3) if (User-Name =~ /\\.\\./ ) (3) if (User-Name =~ /\\.\\./ ) -> FALSE (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (3) if (User-Name =~ /\\.$/) (3) if (User-Name =~ /\\.$/) -> FALSE (3) if (User-Name =~ /@\\./) (3) if (User-Name =~ /@\\./) -> FALSE (3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : No '@' in User-Name = "pepe", looking up realm NULL (3) suffix : No such realm "NULL" (3) [suffix] = noop (3) eap : EAP packet type response id 3 length 6 (3) eap : Continuing tunnel setup. (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0xca8f630ec88c7a99 (3) eap : Finished EAP session with state 0xca8f630ec88c7a99 (3) eap : Previous EAP request found for state 0xca8f630ec88c7a99, released from the list (3) eap : Peer sent PEAP (25) (3) eap : EAP PEAP (25) (3) eap : Calling eap_peap to process EAP data (3) eap_peap : processing EAP-TLS (3) eap_peap : Received TLS ACK (3) eap_peap : Received TLS ACK (3) eap_peap : ACK handshake fragment handler (3) eap_peap : eaptls_verify returned 1 (3) eap_peap : eaptls_process returned 13 (3) eap_peap : FR_TLS_HANDLED (3) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ec98b7a99 (3) [eap] = handled (3) } # authenticate = handled Sending Access-Challenge Id 60 from 192.168.50.62:1812 to 192.168.60.1:1029 EAP-Message = 0x010403e81940f08a7c1b2dd8c2953a42092c40256f3c95aead6ca24e42eb6c1922b09e14b1 acbecd87e846237acd2d2b9421114a92a0fece98830605e1b5299bda2f3c687c04b964250562 c495fda180e34903539504d24ed41219657467513bbee3da43aeceea7dc740779031ef400004 e5308204e1308203c9a003020102020900ae1eee72cb957415300d06092a864886f70d010105 0500308193310b3009060355040613024652310f300d06035504081306526164697573311230 1006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e 632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126 30240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 301e170d3134303532363039303731395a170d3134303732353039303731395a308193310b30 09060355040613024652310f300d060355040813065261646975733112301006035504071309 536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e0609 2a864886f70d010901161161646d696e406578616d706c652e636f6d31263024060355040313 1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d0609 2a864886f70d0101010 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630ec98b7a99cfb856ad0867eff6 (3) Finished request Waking up in 0.2 seconds. Received Access-Request Id 61 from 192.168.60.1:1029 to 192.168.50.62:1812 length 205 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020400061900 State = 0xca8f630ec98b7a99cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0xad6ec1846f682592550dc811527c5c54 (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) filter_username filter_username { (4) if (User-Name != "%{tolower:%{User-Name}}") (4) EXPAND %{tolower:%{User-Name}} (4) --> pepe (4) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (4) if (User-Name =~ / /) (4) if (User-Name =~ / /) -> FALSE (4) if (User-Name =~ /@.*@/ ) (4) if (User-Name =~ /@.*@/ ) -> FALSE (4) if (User-Name =~ /\\.\\./ ) (4) if (User-Name =~ /\\.\\./ ) -> FALSE (4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (4) if (User-Name =~ /\\.$/) (4) if (User-Name =~ /\\.$/) -> FALSE (4) if (User-Name =~ /@\\./) (4) if (User-Name =~ /@\\./) -> FALSE (4) } # filter_username filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix : No '@' in User-Name = "pepe", looking up realm NULL (4) suffix : No such realm "NULL" (4) [suffix] = noop (4) eap : EAP packet type response id 4 length 6 (4) eap : Continuing tunnel setup. (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap : Expiring EAP session with state 0xca8f630ec98b7a99 (4) eap : Finished EAP session with state 0xca8f630ec98b7a99 (4) eap : Previous EAP request found for state 0xca8f630ec98b7a99, released from the list (4) eap : Peer sent PEAP (25) (4) eap : EAP PEAP (25) (4) eap : Calling eap_peap to process EAP data (4) eap_peap : processing EAP-TLS (4) eap_peap : Received TLS ACK (4) eap_peap : Received TLS ACK (4) eap_peap : ACK handshake fragment handler (4) eap_peap : eaptls_verify returned 1 (4) eap_peap : eaptls_process returned 13 (4) eap_peap : FR_TLS_HANDLED (4) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ece8a7a99 (4) [eap] = handled (4) } # authenticate = handled Sending Access-Challenge Id 61 from 192.168.50.62:1812 to 192.168.60.1:1029 EAP-Message = 0x010502ce190020417574686f72697479820900ae1eee72cb957415300c0603551d13040530 030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d 706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d010105050003 820101003e5b89120dcee4dd3ad38d4e613703d4c2957b440e989041bbc0b2104fab41bc1711 4e7375667726228cdebdd991df6adbbf6acedfbcce2a3db0fbfd52c6d8651795cafd46b86aee ee792b917a8310520e406173fb9071650f734758316fd06c6087eacf393b241191332b5ef05a c25e91f0c80a7f387385718f077a1ee574bed2485c2f29b926f9a5239f0545883a8b8f713c8b cb1665b992027f88fd6112f30a4170b5151b86b36e837f6024d70e51dddaefbd8be228797820 17a7064bbc0dae176d5c5a3fb2db24c1da3162f9c8bb483e4e9c3e5f76cec3a49e9b43fd102d 447ecd12c1d9ee6df5a5b868bbefeb39d69430ff28323a319fdb076127784acb160301014b0c 0001470300174104fea48aea10507f3c75f6cb005ee1b4c4e2a4e786623cbb38de42515ee6b5 662d9077169a9410a493c39aab58eecb9e8de3543285de3d705827eb1db3f938badf01006d72 c4efb3261f9942aafdc842be559ec74dbe776adb63cefa3459b7cf267d903e22f3c041fa4b7b ae6785cafa79e0a786b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630ece8a7a99cfb856ad0867eff6 (4) Finished request Waking up in 0.2 seconds. Received Access-Request Id 62 from 192.168.60.1:1029 to 192.168.50.62:1812 length 343 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x02050090198000000086160301004610000042410479b4717f31bae51b687e05b99075df4b b1856c96fbfe390a87b7d36b18ca41f60eb3d2a9d537258b7fa71640d853fcf6150b47dee2d3 0e98b69a5fb481c4534f140301000101160301003014ff0d8ac2076da83713e58258b5f99418 0fc44d461386be015f393b3035ad1171b6e5c57e874ff69a763dc81cb36ba7 State = 0xca8f630ece8a7a99cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0xa7191b4b593e3c54236169e6b5203703 (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) filter_username filter_username { (5) if (User-Name != "%{tolower:%{User-Name}}") (5) EXPAND %{tolower:%{User-Name}} (5) --> pepe (5) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (5) if (User-Name =~ / /) (5) if (User-Name =~ / /) -> FALSE (5) if (User-Name =~ /@.*@/ ) (5) if (User-Name =~ /@.*@/ ) -> FALSE (5) if (User-Name =~ /\\.\\./ ) (5) if (User-Name =~ /\\.\\./ ) -> FALSE (5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (5) if (User-Name =~ /\\.$/) (5) if (User-Name =~ /\\.$/) -> FALSE (5) if (User-Name =~ /@\\./) (5) if (User-Name =~ /@\\./) -> FALSE (5) } # filter_username filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix : No '@' in User-Name = "pepe", looking up realm NULL (5) suffix : No such realm "NULL" (5) [suffix] = noop (5) eap : EAP packet type response id 5 length 144 (5) eap : Continuing tunnel setup. (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap : Expiring EAP session with state 0xca8f630ece8a7a99 (5) eap : Finished EAP session with state 0xca8f630ece8a7a99 (5) eap : Previous EAP request found for state 0xca8f630ece8a7a99, released from the list (5) eap : Peer sent PEAP (25) (5) eap : EAP PEAP (25) (5) eap : Calling eap_peap to process EAP data (5) eap_peap : processing EAP-TLS TLS Length 134 (5) eap_peap : Length Included (5) eap_peap : eaptls_verify returned 11 (5) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange (5) eap_peap : TLS_accept: SSLv3 read client key exchange A (5) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished (5) eap_peap : TLS_accept: SSLv3 read finished A (5) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap : TLS_accept: SSLv3 write change cipher spec A (5) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished (5) eap_peap : TLS_accept: SSLv3 write finished A (5) eap_peap : TLS_accept: SSLv3 flush data SSL: adding session c3af38d6dd50905c7ad47b7db409e605af5a4f51654183fd63bbe48598a79297 to cache (5) eap_peap : (other): SSL negotiation finished successfully SSL Connection Established (5) eap_peap : eaptls_process returned 13 (5) eap_peap : FR_TLS_HANDLED (5) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ecf897a99 (5) [eap] = handled (5) } # authenticate = handled Sending Access-Challenge Id 62 from 192.168.50.62:1812 to 192.168.60.1:1029 EAP-Message = 0x0106004119001403010001011603010030e86c26fec297bf39788828c4589d7577e227b84a 5eb138420d6ef40e47e7e8cba3a6701ae4e5ffedf8a018753ef42ccd Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630ecf897a99cfb856ad0867eff6 (5) Finished request Waking up in 0.2 seconds. Received Access-Request Id 63 from 192.168.60.1:1029 to 192.168.50.62:1812 length 205 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020600061900 State = 0xca8f630ecf897a99cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0xc0eadc0fa03eaeff5c483be15d22f364 (6) # Executing section authorize from file /etc/freeradius/sites-enabled/default (6) authorize { (6) filter_username filter_username { (6) if (User-Name != "%{tolower:%{User-Name}}") (6) EXPAND %{tolower:%{User-Name}} (6) --> pepe (6) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (6) if (User-Name =~ / /) (6) if (User-Name =~ / /) -> FALSE (6) if (User-Name =~ /@.*@/ ) (6) if (User-Name =~ /@.*@/ ) -> FALSE (6) if (User-Name =~ /\\.\\./ ) (6) if (User-Name =~ /\\.\\./ ) -> FALSE (6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (6) if (User-Name =~ /\\.$/) (6) if (User-Name =~ /\\.$/) -> FALSE (6) if (User-Name =~ /@\\./) (6) if (User-Name =~ /@\\./) -> FALSE (6) } # filter_username filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix : No '@' in User-Name = "pepe", looking up realm NULL (6) suffix : No such realm "NULL" (6) [suffix] = noop (6) eap : EAP packet type response id 6 length 6 (6) eap : Continuing tunnel setup. (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) authenticate { (6) eap : Expiring EAP session with state 0xca8f630ecf897a99 (6) eap : Finished EAP session with state 0xca8f630ecf897a99 (6) eap : Previous EAP request found for state 0xca8f630ecf897a99, released from the list (6) eap : Peer sent PEAP (25) (6) eap : EAP PEAP (25) (6) eap : Calling eap_peap to process EAP data (6) eap_peap : processing EAP-TLS (6) eap_peap : Received TLS ACK (6) eap_peap : Received TLS ACK (6) eap_peap : ACK handshake is finished (6) eap_peap : eaptls_verify returned 3 (6) eap_peap : eaptls_process returned 3 (6) eap_peap : FR_TLS_SUCCESS (6) eap_peap : Session established. Decoding tunneled attributes. (6) eap_peap : Peap state TUNNEL ESTABLISHED (6) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ecc887a99 (6) [eap] = handled (6) } # authenticate = handled Sending Access-Challenge Id 63 from 192.168.50.62:1812 to 192.168.60.1:1029 EAP-Message = 0x0107002b19001703010020e0aa5b04d6aa89c3c3dff6c898c14e79f97226a9a4c4a2f022eb 6fb0211eddf5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630ecc887a99cfb856ad0867eff6 (6) Finished request Waking up in 0.2 seconds. Received Access-Request Id 64 from 192.168.60.1:1029 to 192.168.50.62:1812 length 279 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020700501900170301002052facbcbec6c260e7bb68e6a35007c6466738131cd920e082330 6467c90e0a0c1703010020b79cd0543dfeaca9f333a95ee6172dcedd22c3e48f21c123221486 35c70eabdb State = 0xca8f630ecc887a99cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0xe8b6f273a507fc0af2321e0350f85b33 (7) # Executing section authorize from file /etc/freeradius/sites-enabled/default (7) authorize { (7) filter_username filter_username { (7) if (User-Name != "%{tolower:%{User-Name}}") (7) EXPAND %{tolower:%{User-Name}} (7) --> pepe (7) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (7) if (User-Name =~ / /) (7) if (User-Name =~ / /) -> FALSE (7) if (User-Name =~ /@.*@/ ) (7) if (User-Name =~ /@.*@/ ) -> FALSE (7) if (User-Name =~ /\\.\\./ ) (7) if (User-Name =~ /\\.\\./ ) -> FALSE (7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (7) if (User-Name =~ /\\.$/) (7) if (User-Name =~ /\\.$/) -> FALSE (7) if (User-Name =~ /@\\./) (7) if (User-Name =~ /@\\./) -> FALSE (7) } # filter_username filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix : No '@' in User-Name = "pepe", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) eap : EAP packet type response id 7 length 80 (7) eap : Continuing tunnel setup. (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) authenticate { (7) eap : Expiring EAP session with state 0xca8f630ecc887a99 (7) eap : Finished EAP session with state 0xca8f630ecc887a99 (7) eap : Previous EAP request found for state 0xca8f630ecc887a99, released from the list (7) eap : Peer sent PEAP (25) (7) eap : EAP PEAP (25) (7) eap : Calling eap_peap to process EAP data (7) eap_peap : processing EAP-TLS (7) eap_peap : eaptls_verify returned 7 (7) eap_peap : Done initial handshake (7) eap_peap : eaptls_process returned 7 (7) eap_peap : FR_TLS_OK (7) eap_peap : Session established. Decoding tunneled attributes. (7) eap_peap : Peap state WAITING FOR INNER IDENTITY (7) eap_peap : Identity - pepe (7) eap_peap : Got inner identity 'pepe' (7) eap_peap : Setting default EAP type for tunneled EAP session. (7) eap_peap : Got tunneled request EAP-Message = 0x020700090170657065 server default { (7) eap_peap : Setting User-Name to pepe Sending tunneled request EAP-Message = 0x020700090170657065 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'pepe' server inner-tunnel { (7) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (7) authorize { (7) [chap] = noop (7) [mschap] = noop (7) suffix : No '@' in User-Name = "pepe", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) update control { (7) Proxy-To-Realm := 'LOCAL' (7) } # update control = noop (7) eap : EAP packet type response id 7 length 9 (7) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) authenticate { (7) eap : Peer sent Identity (1) (7) eap : Calling eap_mschapv2 to process EAP data (7) eap_mschapv2 : Issuing Challenge (7) eap : New EAP session, adding 'State' attribute to reply 0x1645b1d8164dab8d (7) [eap] = handled (7) } # authenticate = handled } # server inner-tunnel (7) eap_peap : Got tunneled reply code 11 EAP-Message = 0x0108001e1a0108001910bbd4fd9f1f0a5645beda85a017a0f3dc70657065 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1645b1d8164dab8dd6731ee8f2d6baee (7) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x0108001e1a0108001910bbd4fd9f1f0a5645beda85a017a0f3dc70657065 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1645b1d8164dab8dd6731ee8f2d6baee (7) eap_peap : Got tunneled Access-Challenge (7) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ecd877a99 (7) [eap] = handled (7) } # authenticate = handled Sending Access-Challenge Id 64 from 192.168.50.62:1812 to 192.168.60.1:1029 EAP-Message = 0x0108003b190017030100305f90b63728008ace293a7eea7acfd4ffacbfe34c9d563f14a92a 8a43346d37e0824fd6fe46cbc9055d4a134736848188 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630ecd877a99cfb856ad0867eff6 (7) Finished request Waking up in 0.2 seconds. Received Access-Request Id 65 from 192.168.60.1:1029 to 192.168.50.62:1812 length 279 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x02080050190017030100203473db8280b34a767ce26f397ff62cdc7cc7f0099a2d80ca1063 66d6d5caf5c017030100203c97bbd6a210c6828e4909146fb2b2691b7f080691a5bef688f0ba d376b6e868 State = 0xca8f630ecd877a99cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x495d782bdbd78da86a4983c344e19fa9 (8) # Executing section authorize from file /etc/freeradius/sites-enabled/default (8) authorize { (8) filter_username filter_username { (8) if (User-Name != "%{tolower:%{User-Name}}") (8) EXPAND %{tolower:%{User-Name}} (8) --> pepe (8) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (8) if (User-Name =~ / /) (8) if (User-Name =~ / /) -> FALSE (8) if (User-Name =~ /@.*@/ ) (8) if (User-Name =~ /@.*@/ ) -> FALSE (8) if (User-Name =~ /\\.\\./ ) (8) if (User-Name =~ /\\.\\./ ) -> FALSE (8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (8) if (User-Name =~ /\\.$/) (8) if (User-Name =~ /\\.$/) -> FALSE (8) if (User-Name =~ /@\\./) (8) if (User-Name =~ /@\\./) -> FALSE (8) } # filter_username filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix : No '@' in User-Name = "pepe", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) eap : EAP packet type response id 8 length 80 (8) eap : Continuing tunnel setup. (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) authenticate { (8) eap : Expiring EAP session with state 0x1645b1d8164dab8d (8) eap : Finished EAP session with state 0xca8f630ecd877a99 (8) eap : Previous EAP request found for state 0xca8f630ecd877a99, released from the list (8) eap : Peer sent PEAP (25) (8) eap : EAP PEAP (25) (8) eap : Calling eap_peap to process EAP data (8) eap_peap : processing EAP-TLS (8) eap_peap : eaptls_verify returned 7 (8) eap_peap : Done initial handshake (8) eap_peap : eaptls_process returned 7 (8) eap_peap : FR_TLS_OK (8) eap_peap : Session established. Decoding tunneled attributes. (8) eap_peap : Peap state phase2 (8) eap_peap : EAP type NAK (3) (8) eap_peap : Got tunneled request EAP-Message = 0x020800060306 server default { (8) eap_peap : Setting User-Name to pepe Sending tunneled request EAP-Message = 0x020800060306 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'pepe' State = 0x1645b1d8164dab8dd6731ee8f2d6baee server inner-tunnel { (8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (8) authorize { (8) [chap] = noop (8) [mschap] = noop (8) suffix : No '@' in User-Name = "pepe", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) update control { (8) Proxy-To-Realm := 'LOCAL' (8) } # update control = noop (8) eap : EAP packet type response id 8 length 6 (8) eap : No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop rlm_ldap (ldap): Reserved connection (4) (8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap : --> (uid=pepe) (8) ldap : EXPAND dc=ejemplo,dc=org (8) ldap : --> dc=ejemplo,dc=org (8) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=pepe)', scope 'sub' (8) ldap : Waiting for search result... (8) ldap : User object found at DN "uid=pepe,ou=usuarios,dc=ejemplo,dc=org" (8) ldap : No cacheable group memberships found in user object (8) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (8) ldap : --> (&(objectClass=groupOfNames)(member=uid\3dpepe\2cou\3dusuarios\2cdc\3dejempl o\2cdc\3dorg)) (8) ldap : EXPAND dc=ejemplo,dc=org (8) ldap : --> dc=ejemplo,dc=org (8) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3dpepe\2cou\3dusuarios\2cdc\3dejemp lo\2cdc\3dorg))', scope 'sub' (8) ldap : Waiting for search result... (8) ldap : Added control:Ldap-Group with value "alumnos" (8) ldap : Processing user attributes (8) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (8) [ldap] = ok (8) [expiration] = noop (8) [logintime] = noop (8) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (8) WARNING: pap : Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap : Expiring EAP session with state 0x1645b1d8164dab8d (8) eap : Finished EAP session with state 0x1645b1d8164dab8d (8) eap : Previous EAP request found for state 0x1645b1d8164dab8d, released from the list (8) eap : Peer sent NAK (3) (8) eap : Found mutually acceptable type GTC (6) (8) eap : Calling eap_gtc to process EAP data (8) eap_gtc : EXPAND Password: (8) eap_gtc : --> Password: (8) eap : New EAP session, adding 'State' attribute to reply 0x1645b1d8174cb78d (8) [eap] = handled (8) } # authenticate = handled } # server inner-tunnel (8) eap_peap : Got tunneled reply code 11 EAP-Message = 0x0109000f0650617373776f72643a20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1645b1d8174cb78dd6731ee8f2d6baee (8) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x0109000f0650617373776f72643a20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1645b1d8174cb78dd6731ee8f2d6baee (8) eap_peap : Got tunneled Access-Challenge (8) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ec2867a99 (8) [eap] = handled (8) } # authenticate = handled Sending Access-Challenge Id 65 from 192.168.50.62:1812 to 192.168.60.1:1029 EAP-Message = 0x0109002b19001703010020caf64314c5598dd575e14665e2a59335a049eb1b1bb027757785 8139c4f4ec75 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630ec2867a99cfb856ad0867eff6 (8) Finished request Waking up in 0.1 seconds. Received Access-Request Id 66 from 192.168.60.1:1029 to 192.168.50.62:1812 length 279 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x0209005019001703010020538fa0dc38c725a5913db62915e6c2abfec057b909e3690370b4 ab58378960f1170301002067278a7eee3f5ae726b5d57b88604a2aaea43ab9690c860123061f f69664eeb1 State = 0xca8f630ec2867a99cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x487be75e55a52fa5f63ef7daf993adf7 (9) # Executing section authorize from file /etc/freeradius/sites-enabled/default (9) authorize { (9) filter_username filter_username { (9) if (User-Name != "%{tolower:%{User-Name}}") (9) EXPAND %{tolower:%{User-Name}} (9) --> pepe (9) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (9) if (User-Name =~ / /) (9) if (User-Name =~ / /) -> FALSE (9) if (User-Name =~ /@.*@/ ) (9) if (User-Name =~ /@.*@/ ) -> FALSE (9) if (User-Name =~ /\\.\\./ ) (9) if (User-Name =~ /\\.\\./ ) -> FALSE (9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (9) if (User-Name =~ /\\.$/) (9) if (User-Name =~ /\\.$/) -> FALSE (9) if (User-Name =~ /@\\./) (9) if (User-Name =~ /@\\./) -> FALSE (9) } # filter_username filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix : No '@' in User-Name = "pepe", looking up realm NULL (9) suffix : No such realm "NULL" (9) [suffix] = noop (9) eap : EAP packet type response id 9 length 80 (9) eap : Continuing tunnel setup. (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) authenticate { (9) eap : Expiring EAP session with state 0x1645b1d8174cb78d (9) eap : Finished EAP session with state 0xca8f630ec2867a99 (9) eap : Previous EAP request found for state 0xca8f630ec2867a99, released from the list (9) eap : Peer sent PEAP (25) (9) eap : EAP PEAP (25) (9) eap : Calling eap_peap to process EAP data (9) eap_peap : processing EAP-TLS (9) eap_peap : eaptls_verify returned 7 (9) eap_peap : Done initial handshake (9) eap_peap : eaptls_process returned 7 (9) eap_peap : FR_TLS_OK (9) eap_peap : Session established. Decoding tunneled attributes. (9) eap_peap : Peap state phase2 (9) eap_peap : EAP type GTC (6) (9) eap_peap : Got tunneled request EAP-Message = 0x020900090631323334 server default { (9) eap_peap : Setting User-Name to pepe Sending tunneled request EAP-Message = 0x020900090631323334 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'pepe' State = 0x1645b1d8174cb78dd6731ee8f2d6baee server inner-tunnel { (9) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (9) authorize { (9) [chap] = noop (9) [mschap] = noop (9) suffix : No '@' in User-Name = "pepe", looking up realm NULL (9) suffix : No such realm "NULL" (9) [suffix] = noop (9) update control { (9) Proxy-To-Realm := 'LOCAL' (9) } # update control = noop (9) eap : EAP packet type response id 9 length 9 (9) eap : No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) [files] = noop rlm_ldap (ldap): Reserved connection (4) (9) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (9) ldap : --> (uid=pepe) (9) ldap : EXPAND dc=ejemplo,dc=org (9) ldap : --> dc=ejemplo,dc=org (9) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=pepe)', scope 'sub' (9) ldap : Waiting for search result... (9) ldap : User object found at DN "uid=pepe,ou=usuarios,dc=ejemplo,dc=org" (9) ldap : No cacheable group memberships found in user object (9) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (9) ldap : --> (&(objectClass=groupOfNames)(member=uid\3dpepe\2cou\3dusuarios\2cdc\3dejempl o\2cdc\3dorg)) (9) ldap : EXPAND dc=ejemplo,dc=org (9) ldap : --> dc=ejemplo,dc=org (9) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3dpepe\2cou\3dusuarios\2cdc\3dejemp lo\2cdc\3dorg))', scope 'sub' (9) ldap : Waiting for search result... (9) ldap : Added control:Ldap-Group with value "alumnos" (9) ldap : Processing user attributes (9) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (9) [ldap] = ok (9) [expiration] = noop (9) [logintime] = noop (9) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (9) WARNING: pap : Auth-Type already set. Not setting to PAP (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = EAP (9) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (9) authenticate { (9) eap : Expiring EAP session with state 0x1645b1d8174cb78d (9) eap : Finished EAP session with state 0x1645b1d8174cb78d (9) eap : Previous EAP request found for state 0x1645b1d8174cb78d, released from the list (9) eap : Peer sent GTC (6) (9) eap : EAP GTC (6) (9) eap : Calling eap_gtc to process EAP data (9) eap_gtc : # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (9) eap_gtc : Auth-Type PAP { (9) pap : Login attempt with password (9) pap : User authenticated successfully (9) [pap] = ok (9) } # Auth-Type PAP = ok (9) eap : Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel (9) post-auth { (9) foreach &control:LDAP-Group (9) update reply { (9) EXPAND %{Foreach-Variable-0} (9) --> alumnos (9) &Ruckus-User-Groups += '"alumnos"' (9) } # update reply = noop (9) } # foreach &control:LDAP-Group = noop (9) } # post-auth = noop } # server inner-tunnel (9) eap_peap : Got tunneled reply code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'pepe' Ruckus-User-Groups += 'alumnos' (9) eap_peap : Got tunneled reply RADIUS code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'pepe' Ruckus-User-Groups += 'alumnos' (9) eap_peap : Tunneled authentication was successful. (9) eap_peap : SUCCESS (9) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ec3857a99 (9) [eap] = handled (9) } # authenticate = handled Sending Access-Challenge Id 66 from 192.168.50.62:1812 to 192.168.60.1:1029 EAP-Message = 0x010a002b190017030100205b7ee12b0a2696b56c42f6c24918e3681785771399db07b1c8cf bad9ca62977d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630ec3857a99cfb856ad0867eff6 (9) Finished request Waking up in 0.1 seconds. Received Access-Request Id 67 from 192.168.60.1:1029 to 192.168.50.62:1812 length 279 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020a0050190017030100200c397c9591c1268bd7b814eb79866a0858805aecfc20fe0ac79b a7895de7c2f817030100204548f278bc7712088f9eaaf184f171da93e1739d06d6c2b0f1a289 81874b6d74 State = 0xca8f630ec3857a99cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0xb06ab02ab1591bf1b622790c69e22574 (10) # Executing section authorize from file /etc/freeradius/sites-enabled/default (10) authorize { (10) filter_username filter_username { (10) if (User-Name != "%{tolower:%{User-Name}}") (10) EXPAND %{tolower:%{User-Name}} (10) --> pepe (10) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (10) if (User-Name =~ / /) (10) if (User-Name =~ / /) -> FALSE (10) if (User-Name =~ /@.*@/ ) (10) if (User-Name =~ /@.*@/ ) -> FALSE (10) if (User-Name =~ /\\.\\./ ) (10) if (User-Name =~ /\\.\\./ ) -> FALSE (10) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (10) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (10) if (User-Name =~ /\\.$/) (10) if (User-Name =~ /\\.$/) -> FALSE (10) if (User-Name =~ /@\\./) (10) if (User-Name =~ /@\\./) -> FALSE (10) } # filter_username filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix : No '@' in User-Name = "pepe", looking up realm NULL (10) suffix : No such realm "NULL" (10) [suffix] = noop (10) eap : EAP packet type response id 10 length 80 (10) eap : Continuing tunnel setup. (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = EAP (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) authenticate { (10) eap : Expiring EAP session with state 0xca8f630ec3857a99 (10) eap : Finished EAP session with state 0xca8f630ec3857a99 (10) eap : Previous EAP request found for state 0xca8f630ec3857a99, released from the list (10) eap : Peer sent PEAP (25) (10) eap : EAP PEAP (25) (10) eap : Calling eap_peap to process EAP data (10) eap_peap : processing EAP-TLS (10) eap_peap : eaptls_verify returned 7 (10) eap_peap : Done initial handshake (10) eap_peap : eaptls_process returned 7 (10) eap_peap : FR_TLS_OK (10) eap_peap : Session established. Decoding tunneled attributes. (10) eap_peap : Peap state send tlv success (10) eap_peap : Received EAP-TLV response. (10) eap_peap : Success (10) WARNING: eap_peap : No information to cache: session caching will be disabled for session c3af38d6dd50905c7ad47b7db409e605af5a4f51654183fd63bbe48598a79297 SSL: Removing session c3af38d6dd50905c7ad47b7db409e605af5a4f51654183fd63bbe48598a79297 from the cache (10) eap : Freeing handler (10) [eap] = ok (10) } # authenticate = ok (10) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (10) post-auth { (10) [exec] = noop (10) remove_reply_message_if_eap remove_reply_message_if_eap { (10) if (reply:EAP-Message && reply:Reply-Message) (10) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (10) else else { (10) [noop] = noop (10) } # else else = noop (10) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (10) } # post-auth = noop Sending Access-Accept Id 67 from 192.168.50.62:1812 to 192.168.60.1:1029 MS-MPPE-Recv-Key = 0xc9c36837fb4ba931d68c0c220281df76f734659afdaa1689de4da23226379ac9 MS-MPPE-Send-Key = 0x4337f2058e9c6e489945200a6f5f9a95330b36b4a386e491a03979e721635748 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'pepe' (10) Finished request Waking up in 0.1 seconds. Waking up in 4.4 seconds. (0) Cleaning up request packet ID 57 with timestamp +9 (1) Cleaning up request packet ID 58 with timestamp +9 (2) Cleaning up request packet ID 59 with timestamp +9 (3) Cleaning up request packet ID 60 with timestamp +9 (4) Cleaning up request packet ID 61 with timestamp +9 (5) Cleaning up request packet ID 62 with timestamp +9 (6) Cleaning up request packet ID 63 with timestamp +9 (7) Cleaning up request packet ID 64 with timestamp +9 (8) Cleaning up request packet ID 65 with timestamp +9 (9) Cleaning up request packet ID 66 with timestamp +9 (10) Cleaning up request packet ID 67 with timestamp +9 Ready to process requests.
Hi Enrique, Can you show us what the inner-tunnel post-auth section looks like? By trimming down the debug output, we've lost that. If your inner-tunnel post-auth just uses "update reply {", then you may with to update it with "update outer.reply {", which should feed the attribute back. Stefan -----Original Message----- From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of Enrique Sainz Baixauli Sent: 03 June 2014 11:43 To: 'FreeRadius users mailing list' Subject: RE: LDAP Groups to Freeradius and then Ruckus Wireless?
Thank you guys very much. Really. I will now move forward to configuring
EAP-PEAP, PAP was just a test :)
Hi again, So I managed to put the LDAP-Group attribute into the reply using PAP, but after configuring PEAP-MSCHAPv2 and getting it to work, of course there is no attribute in the reply :) I understand that, in EAP authentication, the eap module returns the authorize section before getting to ldap to avoid the overload of querying the ldap server on each packet that form the TLS conversation. So I thought of filling the reply in the postauth section. But, if I do it in the default server, it doesn't know about the groups (ie LDAP-Group is empty), and if I do it in the inner-tunnel server, the tunneled reply to the default server contains my attribute, but then I don't know how to put it into the Access-Accept response to the client. Am I understanding anything wrong? How can I send the attribute back to the client? This is the (huge) debug output, I hope it helps. The attribute in the tunneled reply is close to the end of processing request (9). Received Access-Request Id 57 from 192.168.60.1:1029 to 192.168.50.62:1812 length 190 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020000090170657065 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x270ccc8fe82858ae31fc9d5a5694d683 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (User-Name != "%{tolower:%{User-Name}}") (0) EXPAND %{tolower:%{User-Name}} (0) --> pepe (0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) if (User-Name =~ / /) (0) if (User-Name =~ / /) -> FALSE (0) if (User-Name =~ /@.*@/ ) (0) if (User-Name =~ /@.*@/ ) -> FALSE (0) if (User-Name =~ /\\.\\./ ) (0) if (User-Name =~ /\\.\\./ ) -> FALSE (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (User-Name =~ /\\.$/) (0) if (User-Name =~ /\\.$/) -> FALSE (0) if (User-Name =~ /@\\./) (0) if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "pepe", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : EAP packet type response id 0 length 9 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap : Peer sent Identity (1) (0) eap : Calling eap_md5 to process EAP data (0) eap_md5 : Issuing MD5 Challenge (0) eap : New EAP session, adding 'State' attribute to reply 0xca8f630eca8e6799 (0) [eap] = handled (0) } # authenticate = handled Sending Access-Challenge Id 57 from 192.168.50.62:1812 to 192.168.60.1:1029 EAP-Message = 0x0101001604109ed4c50cadd454cb460331c800fcad9e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630eca8e6799cfb856ad0867eff6 (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 58 from 192.168.60.1:1029 to 192.168.50.62:1812 length 205 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020100060319 State = 0xca8f630eca8e6799cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x18795b931bfaf56efabdb28a3686c1a0 (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) if (User-Name != "%{tolower:%{User-Name}}") (1) EXPAND %{tolower:%{User-Name}} (1) --> pepe (1) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (1) if (User-Name =~ / /) (1) if (User-Name =~ / /) -> FALSE (1) if (User-Name =~ /@.*@/ ) (1) if (User-Name =~ /@.*@/ ) -> FALSE (1) if (User-Name =~ /\\.\\./ ) (1) if (User-Name =~ /\\.\\./ ) -> FALSE (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) if (User-Name =~ /\\.$/) (1) if (User-Name =~ /\\.$/) -> FALSE (1) if (User-Name =~ /@\\./) (1) if (User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : No '@' in User-Name = "pepe", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop (1) eap : EAP packet type response id 1 length 6 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop rlm_ldap (ldap): Reserved connection (4) (1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap : --> (uid=pepe) (1) ldap : EXPAND dc=ejemplo,dc=org (1) ldap : --> dc=ejemplo,dc=org (1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=pepe)', scope 'sub' (1) ldap : Waiting for search result... (1) ldap : User object found at DN "uid=pepe,ou=usuarios,dc=ejemplo,dc=org" (1) ldap : No cacheable group memberships found in user object (1) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (1) ldap : --> (&(objectClass=groupOfNames)(member=uid\3dpepe\2cou\3dusuarios\2cdc\3dejempl o\2cdc\3dorg)) (1) ldap : EXPAND dc=ejemplo,dc=org (1) ldap : --> dc=ejemplo,dc=org (1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3dpepe\2cou\3dusuarios\2cdc\3dejemp lo\2cdc\3dorg))', scope 'sub' (1) ldap : Waiting for search result... (1) ldap : Added control:Ldap-Group with value "alumnos" (1) ldap : Processing user attributes (1) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (1) [ldap] = ok (1) foreach &control:LDAP-Group (1) update reply { (1) EXPAND %{Foreach-Variable-0} (1) --> alumnos (1) &Ruckus-User-Groups += '"alumnos"' (1) } # update reply = noop (1) } # foreach &control:LDAP-Group = noop (1) [expiration] = noop (1) [logintime] = noop (1) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (1) WARNING: pap : Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = EAP (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0xca8f630eca8e6799 (1) eap : Finished EAP session with state 0xca8f630eca8e6799 (1) eap : Previous EAP request found for state 0xca8f630eca8e6799, released from the list (1) eap : Peer sent NAK (3) (1) eap : Found mutually acceptable type PEAP (25) (1) eap : Calling eap_peap to process EAP data (1) eap_peap : Flushing SSL sessions (of #0) (1) eap_peap : Initiate (1) eap_peap : Start returned 1 (1) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ecb8d7a99 (1) [eap] = handled (1) } # authenticate = handled Sending Access-Challenge Id 58 from 192.168.50.62:1812 to 192.168.60.1:1029 Ruckus-User-Groups += 'alumnos' EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630ecb8d7a99cfb856ad0867eff6 (1) Finished request Waking up in 0.3 seconds. Received Access-Request Id 59 from 192.168.60.1:1029 to 192.168.50.62:1812 length 439 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020200f01980000000e616030100e1010000dd0301538da51e65239cb8a55acf5ff0eb03fd d8156b28e4af029cf2308a4915a336be2086b31f1ebc8b0665e550b08be38a3cc114343f316a 8200c02dac3c19dc43a6ce0054c014c00ac022c02100390038c00fc0050035c012c008c01cc0 1b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc00200 0500040015001200090014001100080006000300ff01000040000b000403000102000a003400 32000e000d0019000b000c00180009000a001600170008000600070014001500040005001200 13000100020003000f00100011 State = 0xca8f630ecb8d7a99cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x4b8481af020203d0b05505729a042b74 (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) if (User-Name != "%{tolower:%{User-Name}}") (2) EXPAND %{tolower:%{User-Name}} (2) --> pepe (2) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (2) if (User-Name =~ / /) (2) if (User-Name =~ / /) -> FALSE (2) if (User-Name =~ /@.*@/ ) (2) if (User-Name =~ /@.*@/ ) -> FALSE (2) if (User-Name =~ /\\.\\./ ) (2) if (User-Name =~ /\\.\\./ ) -> FALSE (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) if (User-Name =~ /\\.$/) (2) if (User-Name =~ /\\.$/) -> FALSE (2) if (User-Name =~ /@\\./) (2) if (User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "pepe", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) eap : EAP packet type response id 2 length 240 (2) eap : Continuing tunnel setup. (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0xca8f630ecb8d7a99 (2) eap : Finished EAP session with state 0xca8f630ecb8d7a99 (2) eap : Previous EAP request found for state 0xca8f630ecb8d7a99, released from the list (2) eap : Peer sent PEAP (25) (2) eap : EAP PEAP (25) (2) eap : Calling eap_peap to process EAP data (2) eap_peap : processing EAP-TLS TLS Length 230 (2) eap_peap : Length Included (2) eap_peap : eaptls_verify returned 11 (2) eap_peap : (other): before/accept initialization (2) eap_peap : TLS_accept: before/accept initialization (2) eap_peap : <<< TLS 1.0 Handshake [length 00e1], ClientHello SSL: Client requested cached session 86b31f1ebc8b0665e550b08be38a3cc114343f316a8200c02dac3c19dc43a6ce (2) eap_peap : TLS_accept: SSLv3 read client hello A (2) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello (2) eap_peap : TLS_accept: SSLv3 write server hello A (2) eap_peap : >>> TLS 1.0 Handshake [length 08d0], Certificate (2) eap_peap : TLS_accept: SSLv3 write certificate A (2) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange (2) eap_peap : TLS_accept: SSLv3 write key exchange A (2) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (2) eap_peap : TLS_accept: SSLv3 write server done A (2) eap_peap : TLS_accept: SSLv3 flush data (2) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (2) eap_peap : eaptls_process returned 13 (2) eap_peap : FR_TLS_HANDLED (2) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ec88c7a99 (2) [eap] = handled (2) } # authenticate = handled Sending Access-Challenge Id 59 from 192.168.50.62:1812 to 192.168.60.1:1029 EAP-Message = 0x010303ec19c000000a8c16030100590200005503015378358f41d46bdc38e37cb7c6151d2c 2b6c72a3797f4a54e912d453a5e3d7f120c3af38d6dd50905c7ad47b7db409e605af5a4f5165 4183fd63bbe48598a79297c01400000dff01000100000b00040300010216030108d00b0008cc 0008c90003de308203da308202c2a003020102020101300d06092a864886f70d010105050030 8193310b3009060355040613024652310f300d06035504081306526164697573311230100603 5504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e31 20301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406 03550403131d4578616d706c6520436572746966696361746520417574686f72697479301e17 0d3134303532363039303731395a170d3134303732353039303731395a307c310b3009060355 040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d 706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274 696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e 636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b4d9 2a9bd1b2b267aad680a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630ec88c7a99cfb856ad0867eff6 (2) Finished request Waking up in 0.2 seconds. Received Access-Request Id 60 from 192.168.60.1:1029 to 192.168.50.62:1812 length 205 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020300061900 State = 0xca8f630ec88c7a99cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x9dc6fad55ff41f34da41ec0bf1ec9f30 (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) filter_username filter_username { (3) if (User-Name != "%{tolower:%{User-Name}}") (3) EXPAND %{tolower:%{User-Name}} (3) --> pepe (3) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (3) if (User-Name =~ / /) (3) if (User-Name =~ / /) -> FALSE (3) if (User-Name =~ /@.*@/ ) (3) if (User-Name =~ /@.*@/ ) -> FALSE (3) if (User-Name =~ /\\.\\./ ) (3) if (User-Name =~ /\\.\\./ ) -> FALSE (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (3) if (User-Name =~ /\\.$/) (3) if (User-Name =~ /\\.$/) -> FALSE (3) if (User-Name =~ /@\\./) (3) if (User-Name =~ /@\\./) -> FALSE (3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : No '@' in User-Name = "pepe", looking up realm NULL (3) suffix : No such realm "NULL" (3) [suffix] = noop (3) eap : EAP packet type response id 3 length 6 (3) eap : Continuing tunnel setup. (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0xca8f630ec88c7a99 (3) eap : Finished EAP session with state 0xca8f630ec88c7a99 (3) eap : Previous EAP request found for state 0xca8f630ec88c7a99, released from the list (3) eap : Peer sent PEAP (25) (3) eap : EAP PEAP (25) (3) eap : Calling eap_peap to process EAP data (3) eap_peap : processing EAP-TLS (3) eap_peap : Received TLS ACK (3) eap_peap : Received TLS ACK (3) eap_peap : ACK handshake fragment handler (3) eap_peap : eaptls_verify returned 1 (3) eap_peap : eaptls_process returned 13 (3) eap_peap : FR_TLS_HANDLED (3) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ec98b7a99 (3) [eap] = handled (3) } # authenticate = handled Sending Access-Challenge Id 60 from 192.168.50.62:1812 to 192.168.60.1:1029 EAP-Message = 0x010403e81940f08a7c1b2dd8c2953a42092c40256f3c95aead6ca24e42eb6c1922b09e14b1 acbecd87e846237acd2d2b9421114a92a0fece98830605e1b5299bda2f3c687c04b964250562 c495fda180e34903539504d24ed41219657467513bbee3da43aeceea7dc740779031ef400004 e5308204e1308203c9a003020102020900ae1eee72cb957415300d06092a864886f70d010105 0500308193310b3009060355040613024652310f300d06035504081306526164697573311230 1006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e 632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126 30240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 301e170d3134303532363039303731395a170d3134303732353039303731395a308193310b30 09060355040613024652310f300d060355040813065261646975733112301006035504071309 536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e0609 2a864886f70d010901161161646d696e406578616d706c652e636f6d31263024060355040313 1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d0609 2a864886f70d0101010 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630ec98b7a99cfb856ad0867eff6 (3) Finished request Waking up in 0.2 seconds. Received Access-Request Id 61 from 192.168.60.1:1029 to 192.168.50.62:1812 length 205 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020400061900 State = 0xca8f630ec98b7a99cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0xad6ec1846f682592550dc811527c5c54 (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) filter_username filter_username { (4) if (User-Name != "%{tolower:%{User-Name}}") (4) EXPAND %{tolower:%{User-Name}} (4) --> pepe (4) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (4) if (User-Name =~ / /) (4) if (User-Name =~ / /) -> FALSE (4) if (User-Name =~ /@.*@/ ) (4) if (User-Name =~ /@.*@/ ) -> FALSE (4) if (User-Name =~ /\\.\\./ ) (4) if (User-Name =~ /\\.\\./ ) -> FALSE (4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (4) if (User-Name =~ /\\.$/) (4) if (User-Name =~ /\\.$/) -> FALSE (4) if (User-Name =~ /@\\./) (4) if (User-Name =~ /@\\./) -> FALSE (4) } # filter_username filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix : No '@' in User-Name = "pepe", looking up realm NULL (4) suffix : No such realm "NULL" (4) [suffix] = noop (4) eap : EAP packet type response id 4 length 6 (4) eap : Continuing tunnel setup. (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap : Expiring EAP session with state 0xca8f630ec98b7a99 (4) eap : Finished EAP session with state 0xca8f630ec98b7a99 (4) eap : Previous EAP request found for state 0xca8f630ec98b7a99, released from the list (4) eap : Peer sent PEAP (25) (4) eap : EAP PEAP (25) (4) eap : Calling eap_peap to process EAP data (4) eap_peap : processing EAP-TLS (4) eap_peap : Received TLS ACK (4) eap_peap : Received TLS ACK (4) eap_peap : ACK handshake fragment handler (4) eap_peap : eaptls_verify returned 1 (4) eap_peap : eaptls_process returned 13 (4) eap_peap : FR_TLS_HANDLED (4) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ece8a7a99 (4) [eap] = handled (4) } # authenticate = handled Sending Access-Challenge Id 61 from 192.168.50.62:1812 to 192.168.60.1:1029 EAP-Message = 0x010502ce190020417574686f72697479820900ae1eee72cb957415300c0603551d13040530 030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d 706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d010105050003 820101003e5b89120dcee4dd3ad38d4e613703d4c2957b440e989041bbc0b2104fab41bc1711 4e7375667726228cdebdd991df6adbbf6acedfbcce2a3db0fbfd52c6d8651795cafd46b86aee ee792b917a8310520e406173fb9071650f734758316fd06c6087eacf393b241191332b5ef05a c25e91f0c80a7f387385718f077a1ee574bed2485c2f29b926f9a5239f0545883a8b8f713c8b cb1665b992027f88fd6112f30a4170b5151b86b36e837f6024d70e51dddaefbd8be228797820 17a7064bbc0dae176d5c5a3fb2db24c1da3162f9c8bb483e4e9c3e5f76cec3a49e9b43fd102d 447ecd12c1d9ee6df5a5b868bbefeb39d69430ff28323a319fdb076127784acb160301014b0c 0001470300174104fea48aea10507f3c75f6cb005ee1b4c4e2a4e786623cbb38de42515ee6b5 662d9077169a9410a493c39aab58eecb9e8de3543285de3d705827eb1db3f938badf01006d72 c4efb3261f9942aafdc842be559ec74dbe776adb63cefa3459b7cf267d903e22f3c041fa4b7b ae6785cafa79e0a786b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630ece8a7a99cfb856ad0867eff6 (4) Finished request Waking up in 0.2 seconds. Received Access-Request Id 62 from 192.168.60.1:1029 to 192.168.50.62:1812 length 343 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x02050090198000000086160301004610000042410479b4717f31bae51b687e05b99075df4b b1856c96fbfe390a87b7d36b18ca41f60eb3d2a9d537258b7fa71640d853fcf6150b47dee2d3 0e98b69a5fb481c4534f140301000101160301003014ff0d8ac2076da83713e58258b5f99418 0fc44d461386be015f393b3035ad1171b6e5c57e874ff69a763dc81cb36ba7 State = 0xca8f630ece8a7a99cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0xa7191b4b593e3c54236169e6b5203703 (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) filter_username filter_username { (5) if (User-Name != "%{tolower:%{User-Name}}") (5) EXPAND %{tolower:%{User-Name}} (5) --> pepe (5) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (5) if (User-Name =~ / /) (5) if (User-Name =~ / /) -> FALSE (5) if (User-Name =~ /@.*@/ ) (5) if (User-Name =~ /@.*@/ ) -> FALSE (5) if (User-Name =~ /\\.\\./ ) (5) if (User-Name =~ /\\.\\./ ) -> FALSE (5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (5) if (User-Name =~ /\\.$/) (5) if (User-Name =~ /\\.$/) -> FALSE (5) if (User-Name =~ /@\\./) (5) if (User-Name =~ /@\\./) -> FALSE (5) } # filter_username filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix : No '@' in User-Name = "pepe", looking up realm NULL (5) suffix : No such realm "NULL" (5) [suffix] = noop (5) eap : EAP packet type response id 5 length 144 (5) eap : Continuing tunnel setup. (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap : Expiring EAP session with state 0xca8f630ece8a7a99 (5) eap : Finished EAP session with state 0xca8f630ece8a7a99 (5) eap : Previous EAP request found for state 0xca8f630ece8a7a99, released from the list (5) eap : Peer sent PEAP (25) (5) eap : EAP PEAP (25) (5) eap : Calling eap_peap to process EAP data (5) eap_peap : processing EAP-TLS TLS Length 134 (5) eap_peap : Length Included (5) eap_peap : eaptls_verify returned 11 (5) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange (5) eap_peap : TLS_accept: SSLv3 read client key exchange A (5) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished (5) eap_peap : TLS_accept: SSLv3 read finished A (5) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap : TLS_accept: SSLv3 write change cipher spec A (5) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished (5) eap_peap : TLS_accept: SSLv3 write finished A (5) eap_peap : TLS_accept: SSLv3 flush data SSL: adding session c3af38d6dd50905c7ad47b7db409e605af5a4f51654183fd63bbe48598a79297 to cache (5) eap_peap : (other): SSL negotiation finished successfully SSL Connection Established (5) eap_peap : eaptls_process returned 13 (5) eap_peap : FR_TLS_HANDLED (5) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ecf897a99 (5) [eap] = handled (5) } # authenticate = handled Sending Access-Challenge Id 62 from 192.168.50.62:1812 to 192.168.60.1:1029 EAP-Message = 0x0106004119001403010001011603010030e86c26fec297bf39788828c4589d7577e227b84a 5eb138420d6ef40e47e7e8cba3a6701ae4e5ffedf8a018753ef42ccd Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630ecf897a99cfb856ad0867eff6 (5) Finished request Waking up in 0.2 seconds. Received Access-Request Id 63 from 192.168.60.1:1029 to 192.168.50.62:1812 length 205 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020600061900 State = 0xca8f630ecf897a99cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0xc0eadc0fa03eaeff5c483be15d22f364 (6) # Executing section authorize from file /etc/freeradius/sites-enabled/default (6) authorize { (6) filter_username filter_username { (6) if (User-Name != "%{tolower:%{User-Name}}") (6) EXPAND %{tolower:%{User-Name}} (6) --> pepe (6) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (6) if (User-Name =~ / /) (6) if (User-Name =~ / /) -> FALSE (6) if (User-Name =~ /@.*@/ ) (6) if (User-Name =~ /@.*@/ ) -> FALSE (6) if (User-Name =~ /\\.\\./ ) (6) if (User-Name =~ /\\.\\./ ) -> FALSE (6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (6) if (User-Name =~ /\\.$/) (6) if (User-Name =~ /\\.$/) -> FALSE (6) if (User-Name =~ /@\\./) (6) if (User-Name =~ /@\\./) -> FALSE (6) } # filter_username filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix : No '@' in User-Name = "pepe", looking up realm NULL (6) suffix : No such realm "NULL" (6) [suffix] = noop (6) eap : EAP packet type response id 6 length 6 (6) eap : Continuing tunnel setup. (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) authenticate { (6) eap : Expiring EAP session with state 0xca8f630ecf897a99 (6) eap : Finished EAP session with state 0xca8f630ecf897a99 (6) eap : Previous EAP request found for state 0xca8f630ecf897a99, released from the list (6) eap : Peer sent PEAP (25) (6) eap : EAP PEAP (25) (6) eap : Calling eap_peap to process EAP data (6) eap_peap : processing EAP-TLS (6) eap_peap : Received TLS ACK (6) eap_peap : Received TLS ACK (6) eap_peap : ACK handshake is finished (6) eap_peap : eaptls_verify returned 3 (6) eap_peap : eaptls_process returned 3 (6) eap_peap : FR_TLS_SUCCESS (6) eap_peap : Session established. Decoding tunneled attributes. (6) eap_peap : Peap state TUNNEL ESTABLISHED (6) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ecc887a99 (6) [eap] = handled (6) } # authenticate = handled Sending Access-Challenge Id 63 from 192.168.50.62:1812 to 192.168.60.1:1029 EAP-Message = 0x0107002b19001703010020e0aa5b04d6aa89c3c3dff6c898c14e79f97226a9a4c4a2f022eb 6fb0211eddf5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630ecc887a99cfb856ad0867eff6 (6) Finished request Waking up in 0.2 seconds. Received Access-Request Id 64 from 192.168.60.1:1029 to 192.168.50.62:1812 length 279 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020700501900170301002052facbcbec6c260e7bb68e6a35007c6466738131cd920e082330 6467c90e0a0c1703010020b79cd0543dfeaca9f333a95ee6172dcedd22c3e48f21c123221486 35c70eabdb State = 0xca8f630ecc887a99cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0xe8b6f273a507fc0af2321e0350f85b33 (7) # Executing section authorize from file /etc/freeradius/sites-enabled/default (7) authorize { (7) filter_username filter_username { (7) if (User-Name != "%{tolower:%{User-Name}}") (7) EXPAND %{tolower:%{User-Name}} (7) --> pepe (7) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (7) if (User-Name =~ / /) (7) if (User-Name =~ / /) -> FALSE (7) if (User-Name =~ /@.*@/ ) (7) if (User-Name =~ /@.*@/ ) -> FALSE (7) if (User-Name =~ /\\.\\./ ) (7) if (User-Name =~ /\\.\\./ ) -> FALSE (7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (7) if (User-Name =~ /\\.$/) (7) if (User-Name =~ /\\.$/) -> FALSE (7) if (User-Name =~ /@\\./) (7) if (User-Name =~ /@\\./) -> FALSE (7) } # filter_username filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix : No '@' in User-Name = "pepe", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) eap : EAP packet type response id 7 length 80 (7) eap : Continuing tunnel setup. (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) authenticate { (7) eap : Expiring EAP session with state 0xca8f630ecc887a99 (7) eap : Finished EAP session with state 0xca8f630ecc887a99 (7) eap : Previous EAP request found for state 0xca8f630ecc887a99, released from the list (7) eap : Peer sent PEAP (25) (7) eap : EAP PEAP (25) (7) eap : Calling eap_peap to process EAP data (7) eap_peap : processing EAP-TLS (7) eap_peap : eaptls_verify returned 7 (7) eap_peap : Done initial handshake (7) eap_peap : eaptls_process returned 7 (7) eap_peap : FR_TLS_OK (7) eap_peap : Session established. Decoding tunneled attributes. (7) eap_peap : Peap state WAITING FOR INNER IDENTITY (7) eap_peap : Identity - pepe (7) eap_peap : Got inner identity 'pepe' (7) eap_peap : Setting default EAP type for tunneled EAP session. (7) eap_peap : Got tunneled request EAP-Message = 0x020700090170657065 server default { (7) eap_peap : Setting User-Name to pepe Sending tunneled request EAP-Message = 0x020700090170657065 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'pepe' server inner-tunnel { (7) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (7) authorize { (7) [chap] = noop (7) [mschap] = noop (7) suffix : No '@' in User-Name = "pepe", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) update control { (7) Proxy-To-Realm := 'LOCAL' (7) } # update control = noop (7) eap : EAP packet type response id 7 length 9 (7) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) authenticate { (7) eap : Peer sent Identity (1) (7) eap : Calling eap_mschapv2 to process EAP data (7) eap_mschapv2 : Issuing Challenge (7) eap : New EAP session, adding 'State' attribute to reply 0x1645b1d8164dab8d (7) [eap] = handled (7) } # authenticate = handled } # server inner-tunnel (7) eap_peap : Got tunneled reply code 11 EAP-Message = 0x0108001e1a0108001910bbd4fd9f1f0a5645beda85a017a0f3dc70657065 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1645b1d8164dab8dd6731ee8f2d6baee (7) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x0108001e1a0108001910bbd4fd9f1f0a5645beda85a017a0f3dc70657065 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1645b1d8164dab8dd6731ee8f2d6baee (7) eap_peap : Got tunneled Access-Challenge (7) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ecd877a99 (7) [eap] = handled (7) } # authenticate = handled Sending Access-Challenge Id 64 from 192.168.50.62:1812 to 192.168.60.1:1029 EAP-Message = 0x0108003b190017030100305f90b63728008ace293a7eea7acfd4ffacbfe34c9d563f14a92a 8a43346d37e0824fd6fe46cbc9055d4a134736848188 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630ecd877a99cfb856ad0867eff6 (7) Finished request Waking up in 0.2 seconds. Received Access-Request Id 65 from 192.168.60.1:1029 to 192.168.50.62:1812 length 279 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x02080050190017030100203473db8280b34a767ce26f397ff62cdc7cc7f0099a2d80ca1063 66d6d5caf5c017030100203c97bbd6a210c6828e4909146fb2b2691b7f080691a5bef688f0ba d376b6e868 State = 0xca8f630ecd877a99cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x495d782bdbd78da86a4983c344e19fa9 (8) # Executing section authorize from file /etc/freeradius/sites-enabled/default (8) authorize { (8) filter_username filter_username { (8) if (User-Name != "%{tolower:%{User-Name}}") (8) EXPAND %{tolower:%{User-Name}} (8) --> pepe (8) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (8) if (User-Name =~ / /) (8) if (User-Name =~ / /) -> FALSE (8) if (User-Name =~ /@.*@/ ) (8) if (User-Name =~ /@.*@/ ) -> FALSE (8) if (User-Name =~ /\\.\\./ ) (8) if (User-Name =~ /\\.\\./ ) -> FALSE (8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (8) if (User-Name =~ /\\.$/) (8) if (User-Name =~ /\\.$/) -> FALSE (8) if (User-Name =~ /@\\./) (8) if (User-Name =~ /@\\./) -> FALSE (8) } # filter_username filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix : No '@' in User-Name = "pepe", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) eap : EAP packet type response id 8 length 80 (8) eap : Continuing tunnel setup. (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) authenticate { (8) eap : Expiring EAP session with state 0x1645b1d8164dab8d (8) eap : Finished EAP session with state 0xca8f630ecd877a99 (8) eap : Previous EAP request found for state 0xca8f630ecd877a99, released from the list (8) eap : Peer sent PEAP (25) (8) eap : EAP PEAP (25) (8) eap : Calling eap_peap to process EAP data (8) eap_peap : processing EAP-TLS (8) eap_peap : eaptls_verify returned 7 (8) eap_peap : Done initial handshake (8) eap_peap : eaptls_process returned 7 (8) eap_peap : FR_TLS_OK (8) eap_peap : Session established. Decoding tunneled attributes. (8) eap_peap : Peap state phase2 (8) eap_peap : EAP type NAK (3) (8) eap_peap : Got tunneled request EAP-Message = 0x020800060306 server default { (8) eap_peap : Setting User-Name to pepe Sending tunneled request EAP-Message = 0x020800060306 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'pepe' State = 0x1645b1d8164dab8dd6731ee8f2d6baee server inner-tunnel { (8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (8) authorize { (8) [chap] = noop (8) [mschap] = noop (8) suffix : No '@' in User-Name = "pepe", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) update control { (8) Proxy-To-Realm := 'LOCAL' (8) } # update control = noop (8) eap : EAP packet type response id 8 length 6 (8) eap : No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop rlm_ldap (ldap): Reserved connection (4) (8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap : --> (uid=pepe) (8) ldap : EXPAND dc=ejemplo,dc=org (8) ldap : --> dc=ejemplo,dc=org (8) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=pepe)', scope 'sub' (8) ldap : Waiting for search result... (8) ldap : User object found at DN "uid=pepe,ou=usuarios,dc=ejemplo,dc=org" (8) ldap : No cacheable group memberships found in user object (8) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (8) ldap : --> (&(objectClass=groupOfNames)(member=uid\3dpepe\2cou\3dusuarios\2cdc\3dejempl o\2cdc\3dorg)) (8) ldap : EXPAND dc=ejemplo,dc=org (8) ldap : --> dc=ejemplo,dc=org (8) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3dpepe\2cou\3dusuarios\2cdc\3dejemp lo\2cdc\3dorg))', scope 'sub' (8) ldap : Waiting for search result... (8) ldap : Added control:Ldap-Group with value "alumnos" (8) ldap : Processing user attributes (8) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (8) [ldap] = ok (8) [expiration] = noop (8) [logintime] = noop (8) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (8) WARNING: pap : Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap : Expiring EAP session with state 0x1645b1d8164dab8d (8) eap : Finished EAP session with state 0x1645b1d8164dab8d (8) eap : Previous EAP request found for state 0x1645b1d8164dab8d, released from the list (8) eap : Peer sent NAK (3) (8) eap : Found mutually acceptable type GTC (6) (8) eap : Calling eap_gtc to process EAP data (8) eap_gtc : EXPAND Password: (8) eap_gtc : --> Password: (8) eap : New EAP session, adding 'State' attribute to reply 0x1645b1d8174cb78d (8) [eap] = handled (8) } # authenticate = handled } # server inner-tunnel (8) eap_peap : Got tunneled reply code 11 EAP-Message = 0x0109000f0650617373776f72643a20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1645b1d8174cb78dd6731ee8f2d6baee (8) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x0109000f0650617373776f72643a20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1645b1d8174cb78dd6731ee8f2d6baee (8) eap_peap : Got tunneled Access-Challenge (8) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ec2867a99 (8) [eap] = handled (8) } # authenticate = handled Sending Access-Challenge Id 65 from 192.168.50.62:1812 to 192.168.60.1:1029 EAP-Message = 0x0109002b19001703010020caf64314c5598dd575e14665e2a59335a049eb1b1bb027757785 8139c4f4ec75 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630ec2867a99cfb856ad0867eff6 (8) Finished request Waking up in 0.1 seconds. Received Access-Request Id 66 from 192.168.60.1:1029 to 192.168.50.62:1812 length 279 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x0209005019001703010020538fa0dc38c725a5913db62915e6c2abfec057b909e3690370b4 ab58378960f1170301002067278a7eee3f5ae726b5d57b88604a2aaea43ab9690c860123061f f69664eeb1 State = 0xca8f630ec2867a99cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x487be75e55a52fa5f63ef7daf993adf7 (9) # Executing section authorize from file /etc/freeradius/sites-enabled/default (9) authorize { (9) filter_username filter_username { (9) if (User-Name != "%{tolower:%{User-Name}}") (9) EXPAND %{tolower:%{User-Name}} (9) --> pepe (9) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (9) if (User-Name =~ / /) (9) if (User-Name =~ / /) -> FALSE (9) if (User-Name =~ /@.*@/ ) (9) if (User-Name =~ /@.*@/ ) -> FALSE (9) if (User-Name =~ /\\.\\./ ) (9) if (User-Name =~ /\\.\\./ ) -> FALSE (9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (9) if (User-Name =~ /\\.$/) (9) if (User-Name =~ /\\.$/) -> FALSE (9) if (User-Name =~ /@\\./) (9) if (User-Name =~ /@\\./) -> FALSE (9) } # filter_username filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix : No '@' in User-Name = "pepe", looking up realm NULL (9) suffix : No such realm "NULL" (9) [suffix] = noop (9) eap : EAP packet type response id 9 length 80 (9) eap : Continuing tunnel setup. (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) authenticate { (9) eap : Expiring EAP session with state 0x1645b1d8174cb78d (9) eap : Finished EAP session with state 0xca8f630ec2867a99 (9) eap : Previous EAP request found for state 0xca8f630ec2867a99, released from the list (9) eap : Peer sent PEAP (25) (9) eap : EAP PEAP (25) (9) eap : Calling eap_peap to process EAP data (9) eap_peap : processing EAP-TLS (9) eap_peap : eaptls_verify returned 7 (9) eap_peap : Done initial handshake (9) eap_peap : eaptls_process returned 7 (9) eap_peap : FR_TLS_OK (9) eap_peap : Session established. Decoding tunneled attributes. (9) eap_peap : Peap state phase2 (9) eap_peap : EAP type GTC (6) (9) eap_peap : Got tunneled request EAP-Message = 0x020900090631323334 server default { (9) eap_peap : Setting User-Name to pepe Sending tunneled request EAP-Message = 0x020900090631323334 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'pepe' State = 0x1645b1d8174cb78dd6731ee8f2d6baee server inner-tunnel { (9) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (9) authorize { (9) [chap] = noop (9) [mschap] = noop (9) suffix : No '@' in User-Name = "pepe", looking up realm NULL (9) suffix : No such realm "NULL" (9) [suffix] = noop (9) update control { (9) Proxy-To-Realm := 'LOCAL' (9) } # update control = noop (9) eap : EAP packet type response id 9 length 9 (9) eap : No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) [files] = noop rlm_ldap (ldap): Reserved connection (4) (9) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (9) ldap : --> (uid=pepe) (9) ldap : EXPAND dc=ejemplo,dc=org (9) ldap : --> dc=ejemplo,dc=org (9) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=pepe)', scope 'sub' (9) ldap : Waiting for search result... (9) ldap : User object found at DN "uid=pepe,ou=usuarios,dc=ejemplo,dc=org" (9) ldap : No cacheable group memberships found in user object (9) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (9) ldap : --> (&(objectClass=groupOfNames)(member=uid\3dpepe\2cou\3dusuarios\2cdc\3dejempl o\2cdc\3dorg)) (9) ldap : EXPAND dc=ejemplo,dc=org (9) ldap : --> dc=ejemplo,dc=org (9) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3dpepe\2cou\3dusuarios\2cdc\3dejemp lo\2cdc\3dorg))', scope 'sub' (9) ldap : Waiting for search result... (9) ldap : Added control:Ldap-Group with value "alumnos" (9) ldap : Processing user attributes (9) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (9) [ldap] = ok (9) [expiration] = noop (9) [logintime] = noop (9) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (9) WARNING: pap : Auth-Type already set. Not setting to PAP (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = EAP (9) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (9) authenticate { (9) eap : Expiring EAP session with state 0x1645b1d8174cb78d (9) eap : Finished EAP session with state 0x1645b1d8174cb78d (9) eap : Previous EAP request found for state 0x1645b1d8174cb78d, released from the list (9) eap : Peer sent GTC (6) (9) eap : EAP GTC (6) (9) eap : Calling eap_gtc to process EAP data (9) eap_gtc : # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (9) eap_gtc : Auth-Type PAP { (9) pap : Login attempt with password (9) pap : User authenticated successfully (9) [pap] = ok (9) } # Auth-Type PAP = ok (9) eap : Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel (9) post-auth { (9) foreach &control:LDAP-Group (9) update reply { (9) EXPAND %{Foreach-Variable-0} (9) --> alumnos (9) &Ruckus-User-Groups += '"alumnos"' (9) } # update reply = noop (9) } # foreach &control:LDAP-Group = noop (9) } # post-auth = noop } # server inner-tunnel (9) eap_peap : Got tunneled reply code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'pepe' Ruckus-User-Groups += 'alumnos' (9) eap_peap : Got tunneled reply RADIUS code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'pepe' Ruckus-User-Groups += 'alumnos' (9) eap_peap : Tunneled authentication was successful. (9) eap_peap : SUCCESS (9) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ec3857a99 (9) [eap] = handled (9) } # authenticate = handled Sending Access-Challenge Id 66 from 192.168.50.62:1812 to 192.168.60.1:1029 EAP-Message = 0x010a002b190017030100205b7ee12b0a2696b56c42f6c24918e3681785771399db07b1c8cf bad9ca62977d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca8f630ec3857a99cfb856ad0867eff6 (9) Finished request Waking up in 0.1 seconds. Received Access-Request Id 67 from 192.168.60.1:1029 to 192.168.50.62:1812 length 279 User-Name = 'pepe' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020a0050190017030100200c397c9591c1268bd7b814eb79866a0858805aecfc20fe0ac79b a7895de7c2f817030100204548f278bc7712088f9eaaf184f171da93e1739d06d6c2b0f1a289 81874b6d74 State = 0xca8f630ec3857a99cfb856ad0867eff6 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0xb06ab02ab1591bf1b622790c69e22574 (10) # Executing section authorize from file /etc/freeradius/sites-enabled/default (10) authorize { (10) filter_username filter_username { (10) if (User-Name != "%{tolower:%{User-Name}}") (10) EXPAND %{tolower:%{User-Name}} (10) --> pepe (10) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (10) if (User-Name =~ / /) (10) if (User-Name =~ / /) -> FALSE (10) if (User-Name =~ /@.*@/ ) (10) if (User-Name =~ /@.*@/ ) -> FALSE (10) if (User-Name =~ /\\.\\./ ) (10) if (User-Name =~ /\\.\\./ ) -> FALSE (10) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (10) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (10) if (User-Name =~ /\\.$/) (10) if (User-Name =~ /\\.$/) -> FALSE (10) if (User-Name =~ /@\\./) (10) if (User-Name =~ /@\\./) -> FALSE (10) } # filter_username filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix : No '@' in User-Name = "pepe", looking up realm NULL (10) suffix : No such realm "NULL" (10) [suffix] = noop (10) eap : EAP packet type response id 10 length 80 (10) eap : Continuing tunnel setup. (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = EAP (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) authenticate { (10) eap : Expiring EAP session with state 0xca8f630ec3857a99 (10) eap : Finished EAP session with state 0xca8f630ec3857a99 (10) eap : Previous EAP request found for state 0xca8f630ec3857a99, released from the list (10) eap : Peer sent PEAP (25) (10) eap : EAP PEAP (25) (10) eap : Calling eap_peap to process EAP data (10) eap_peap : processing EAP-TLS (10) eap_peap : eaptls_verify returned 7 (10) eap_peap : Done initial handshake (10) eap_peap : eaptls_process returned 7 (10) eap_peap : FR_TLS_OK (10) eap_peap : Session established. Decoding tunneled attributes. (10) eap_peap : Peap state send tlv success (10) eap_peap : Received EAP-TLV response. (10) eap_peap : Success (10) WARNING: eap_peap : No information to cache: session caching will be disabled for session c3af38d6dd50905c7ad47b7db409e605af5a4f51654183fd63bbe48598a79297 SSL: Removing session c3af38d6dd50905c7ad47b7db409e605af5a4f51654183fd63bbe48598a79297 from the cache (10) eap : Freeing handler (10) [eap] = ok (10) } # authenticate = ok (10) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (10) post-auth { (10) [exec] = noop (10) remove_reply_message_if_eap remove_reply_message_if_eap { (10) if (reply:EAP-Message && reply:Reply-Message) (10) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (10) else else { (10) [noop] = noop (10) } # else else = noop (10) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (10) } # post-auth = noop Sending Access-Accept Id 67 from 192.168.50.62:1812 to 192.168.60.1:1029 MS-MPPE-Recv-Key = 0xc9c36837fb4ba931d68c0c220281df76f734659afdaa1689de4da23226379ac9 MS-MPPE-Send-Key = 0x4337f2058e9c6e489945200a6f5f9a95330b36b4a386e491a03979e721635748 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'pepe' (10) Finished request Waking up in 0.1 seconds. Waking up in 4.4 seconds. (0) Cleaning up request packet ID 57 with timestamp +9 (1) Cleaning up request packet ID 58 with timestamp +9 (2) Cleaning up request packet ID 59 with timestamp +9 (3) Cleaning up request packet ID 60 with timestamp +9 (4) Cleaning up request packet ID 61 with timestamp +9 (5) Cleaning up request packet ID 62 with timestamp +9 (6) Cleaning up request packet ID 63 with timestamp +9 (7) Cleaning up request packet ID 64 with timestamp +9 (8) Cleaning up request packet ID 65 with timestamp +9 (9) Cleaning up request packet ID 66 with timestamp +9 (10) Cleaning up request packet ID 67 with timestamp +9 Ready to process requests. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
Hi Enrique,
Can you show us what the inner-tunnel post-auth section looks like? By trimming down the debug output, we've lost that.
If your inner-tunnel post-auth just uses "update reply {", then you may with to update it with "update outer.reply {", which should feed the attribute back.
Stefan
Hi Stefan, I only added to postauth in inner-tunnel server configuration what I had in authorize in default server: foreach &control:LDAP-Group { update reply { &Ruckus-User-Groups += "%{Foreach-Variable-0}" } } Now I changed it into update outer.reply and, instead of the attribute being added to the tunneled reply to the default server, it was added to the Access-Challenge that the default server sent to the client. Then, the client sends one last Access-Request and the server sends Access-Accept without the attribute. I am guessing that this last reply was done only by the default server, so the inner-tunnel didn't get to add anything. But if that's so, how can I add the attribute in the default server without querying LDAP on every packet that the server sends to set up the TLS conversation? Thanks again!
Hi Enrique,
Can you show us what the inner-tunnel post-auth section looks like? By trimming down the debug output, we've lost that.
If your inner-tunnel post-auth just uses "update reply {", then you may with to update it with "update outer.reply {", which should feed the attribute back.
Stefan
Hi Stefan,
I only added to postauth in inner-tunnel server configuration what I had in authorize in default server:
foreach &control:LDAP-Group { update reply { &Ruckus-User-Groups += "%{Foreach-Variable-0}" } }
Now I changed it into update outer.reply and, instead of the attribute being added to the tunneled reply to the default server, it was added to the Access-Challenge that the default server sent to the client. Then, the client >sends one last Access-Request and the server sends Access-Accept without the attribute. I am guessing that this last reply was done only by the default server, so the inner-tunnel didn't get to add anything. But if that's so, >how can I add the attribute in the default server without querying LDAP on every packet that the server sends to set up the TLS conversation?
Thanks again!
Hello again, I am thinking that rlm_cache might be a good solution to my problem here. However, I have been looking at config extracts from [1] (especially the rlm_cache config and the virtual server config) and I still don't get to understand how and where to call the module. I would like it to cache group information (LDAP-Group, I guess) in the authorize inner-tunnel server, because that's when that info is available, and then retrieve it before sending the last Access-Accept response. The problem here is that (see below debug output) authorize in inner-tunnel is only executed for request number (8). And I actually add the group info to the attribute I need it in, but it gets sent to the client in the Access-Challenge that comes from request (8). Then, in request (9) EAP handles the authorize section, so group info is never available in inner-tunnel, and in request (10) (which is the one that sends the Access-Accept) inner-tunnel isn't even run, so group info is again never available. Is rlm_cache the answer to my problems? If so, should I just call it in authorize in inner-tunnel after ldap and then to retrieve in default server post-auth? Or when/how? And if not, any other solutions to this? Thanks very much! Here comes the debug output: Received Access-Request Id 44 from 192.168.60.1:1024 to 192.168.50.62:1812 length 184 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x02000009016a75616e Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0x551c607a199f01eb0d0e81738caf9fce (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "juan", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : EAP packet type response id 0 length 9 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap : Peer sent Identity (1) (0) eap : Calling eap_md5 to process EAP data (0) eap_md5 : Issuing MD5 Challenge (0) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6f2d24f6d (0) [eap] = handled (0) } # authenticate = handled Sending Access-Challenge Id 44 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x010100160410cb20de385d1d546bfc7008d3203aad16 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6f2d24f6dba0219098c99f6b0 (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 45 from 192.168.60.1:1024 to 192.168.50.62:1812 length 199 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020100060319 State = 0xf2d34be6f2d24f6dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0x5c681550b7e9d39a666e12cc187e7e41 (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : No '@' in User-Name = "juan", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop (1) eap : EAP packet type response id 1 length 6 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop rlm_ldap (ldap): Reserved connection (4) (1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap : --> (uid=juan) (1) ldap : EXPAND dc=ejemplo,dc=org (1) ldap : --> dc=ejemplo,dc=org (1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (1) ldap : Waiting for search result... (1) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (1) ldap : No cacheable group memberships found in user object (1) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (1) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl o\2cdc\3dorg)) (1) ldap : EXPAND dc=ejemplo,dc=org (1) ldap : --> dc=ejemplo,dc=org (1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp lo\2cdc\3dorg))', scope 'sub' (1) ldap : Waiting for search result... (1) ldap : Added control:Ldap-Group with value "profesores" (1) ldap : Processing user attributes (1) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (1) [ldap] = ok (1) foreach &control:LDAP-Group (1) update reply { (1) EXPAND %{Foreach-Variable-0} (1) --> profesores (1) &Ruckus-User-Groups += '"profesores"' (1) } # update reply = noop (1) } # foreach &control:LDAP-Group = noop (1) [expiration] = noop (1) [logintime] = noop (1) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (1) WARNING: pap : Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = EAP (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0xf2d34be6f2d24f6d (1) eap : Finished EAP session with state 0xf2d34be6f2d24f6d (1) eap : Previous EAP request found for state 0xf2d34be6f2d24f6d, released from the list (1) eap : Peer sent NAK (3) (1) eap : Found mutually acceptable type PEAP (25) (1) eap : Calling eap_peap to process EAP data (1) eap_peap : Flushing SSL sessions (of #0) (1) eap_peap : Initiate (1) eap_peap : Start returned 1 (1) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6f3d1526d (1) [eap] = handled (1) } # authenticate = handled Sending Access-Challenge Id 45 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6f3d1526dba0219098c99f6b0 (1) Finished request Waking up in 0.3 seconds. Received Access-Request Id 46 from 192.168.60.1:1024 to 192.168.50.62:1812 length 433 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020200f01980000000e616030100e1010000dd0301539023c86aa69faf2c7106399473d0b7 5b15d8dc6e8f9ca40f683448a44eb5962081c93bdccf265b22049421297ff8f45a11aab6cfa5 a4db2f469fbd9d378533190054c014c00ac022c02100390038c00fc0050035c012c008c01cc0 1b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc00200 0500040015001200090014001100080006000300ff01000040000b000403000102000a003400 32000e000d0019000b000c00180009000a001600170008000600070014001500040005001200 13000100020003000f00100011 State = 0xf2d34be6f3d1526dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0xa07d697dcd6a448d60b407c2f0c4c3c9 (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "juan", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) eap : EAP packet type response id 2 length 240 (2) eap : Continuing tunnel setup. (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0xf2d34be6f3d1526d (2) eap : Finished EAP session with state 0xf2d34be6f3d1526d (2) eap : Previous EAP request found for state 0xf2d34be6f3d1526d, released from the list (2) eap : Peer sent PEAP (25) (2) eap : EAP PEAP (25) (2) eap : Calling eap_peap to process EAP data (2) eap_peap : processing EAP-TLS TLS Length 230 (2) eap_peap : Length Included (2) eap_peap : eaptls_verify returned 11 (2) eap_peap : (other): before/accept initialization (2) eap_peap : TLS_accept: before/accept initialization (2) eap_peap : <<< TLS 1.0 Handshake [length 00e1], ClientHello SSL: Client requested cached session 81c93bdccf265b22049421297ff8f45a11aab6cfa5a4db2f469fbd9d37853319 (2) eap_peap : TLS_accept: SSLv3 read client hello A (2) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello (2) eap_peap : TLS_accept: SSLv3 write server hello A (2) eap_peap : >>> TLS 1.0 Handshake [length 08d0], Certificate (2) eap_peap : TLS_accept: SSLv3 write certificate A (2) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange (2) eap_peap : TLS_accept: SSLv3 write key exchange A (2) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (2) eap_peap : TLS_accept: SSLv3 write server done A (2) eap_peap : TLS_accept: SSLv3 flush data (2) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (2) eap_peap : eaptls_process returned 13 (2) eap_peap : FR_TLS_HANDLED (2) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6f0d0526d (2) [eap] = handled (2) } # authenticate = handled Sending Access-Challenge Id 46 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x010303ec19c000000a8c1603010059020000550301537ab444850db3bb3136ea68af9bbafc 51f7770ffd02bcb00e393b3e88ff57de202a6565d47da8be010096c76ce138e64f1b9093d86f f4ebbf83fd0676ff503bcdc01400000dff01000100000b00040300010216030108d00b0008cc 0008c90003de308203da308202c2a003020102020101300d06092a864886f70d010105050030 8193310b3009060355040613024652310f300d06035504081306526164697573311230100603 5504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e31 20301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406 03550403131d4578616d706c6520436572746966696361746520417574686f72697479301e17 0d3134303532363039303731395a170d3134303732353039303731395a307c310b3009060355 040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d 706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274 696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e 636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b4d9 2a9bd1b2b267aad680a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6f0d0526dba0219098c99f6b0 (2) Finished request Waking up in 0.2 seconds. Received Access-Request Id 47 from 192.168.60.1:1024 to 192.168.50.62:1812 length 199 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020300061900 State = 0xf2d34be6f0d0526dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0xe309d5e5cdae1c0bbfa623be11903ab5 (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : No '@' in User-Name = "juan", looking up realm NULL (3) suffix : No such realm "NULL" (3) [suffix] = noop (3) eap : EAP packet type response id 3 length 6 (3) eap : Continuing tunnel setup. (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0xf2d34be6f0d0526d (3) eap : Finished EAP session with state 0xf2d34be6f0d0526d (3) eap : Previous EAP request found for state 0xf2d34be6f0d0526d, released from the list (3) eap : Peer sent PEAP (25) (3) eap : EAP PEAP (25) (3) eap : Calling eap_peap to process EAP data (3) eap_peap : processing EAP-TLS (3) eap_peap : Received TLS ACK (3) eap_peap : Received TLS ACK (3) eap_peap : ACK handshake fragment handler (3) eap_peap : eaptls_verify returned 1 (3) eap_peap : eaptls_process returned 13 (3) eap_peap : FR_TLS_HANDLED (3) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6f1d7526d (3) [eap] = handled (3) } # authenticate = handled Sending Access-Challenge Id 47 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x010403e81940f08a7c1b2dd8c2953a42092c40256f3c95aead6ca24e42eb6c1922b09e14b1 acbecd87e846237acd2d2b9421114a92a0fece98830605e1b5299bda2f3c687c04b964250562 c495fda180e34903539504d24ed41219657467513bbee3da43aeceea7dc740779031ef400004 e5308204e1308203c9a003020102020900ae1eee72cb957415300d06092a864886f70d010105 0500308193310b3009060355040613024652310f300d06035504081306526164697573311230 1006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e 632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126 30240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 301e170d3134303532363039303731395a170d3134303732353039303731395a308193310b30 09060355040613024652310f300d060355040813065261646975733112301006035504071309 536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e0609 2a864886f70d010901161161646d696e406578616d706c652e636f6d31263024060355040313 1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d0609 2a864886f70d0101010 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6f1d7526dba0219098c99f6b0 (3) Finished request Waking up in 0.2 seconds. Received Access-Request Id 48 from 192.168.60.1:1024 to 192.168.50.62:1812 length 199 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020400061900 State = 0xf2d34be6f1d7526dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0x4cf4e096457ca42b66f081ffe62c56a3 (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix : No '@' in User-Name = "juan", looking up realm NULL (4) suffix : No such realm "NULL" (4) [suffix] = noop (4) eap : EAP packet type response id 4 length 6 (4) eap : Continuing tunnel setup. (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap : Expiring EAP session with state 0xf2d34be6f1d7526d (4) eap : Finished EAP session with state 0xf2d34be6f1d7526d (4) eap : Previous EAP request found for state 0xf2d34be6f1d7526d, released from the list (4) eap : Peer sent PEAP (25) (4) eap : EAP PEAP (25) (4) eap : Calling eap_peap to process EAP data (4) eap_peap : processing EAP-TLS (4) eap_peap : Received TLS ACK (4) eap_peap : Received TLS ACK (4) eap_peap : ACK handshake fragment handler (4) eap_peap : eaptls_verify returned 1 (4) eap_peap : eaptls_process returned 13 (4) eap_peap : FR_TLS_HANDLED (4) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6f6d6526d (4) [eap] = handled (4) } # authenticate = handled Sending Access-Challenge Id 48 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x010502ce190020417574686f72697479820900ae1eee72cb957415300c0603551d13040530 030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d 706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d010105050003 820101003e5b89120dcee4dd3ad38d4e613703d4c2957b440e989041bbc0b2104fab41bc1711 4e7375667726228cdebdd991df6adbbf6acedfbcce2a3db0fbfd52c6d8651795cafd46b86aee ee792b917a8310520e406173fb9071650f734758316fd06c6087eacf393b241191332b5ef05a c25e91f0c80a7f387385718f077a1ee574bed2485c2f29b926f9a5239f0545883a8b8f713c8b cb1665b992027f88fd6112f30a4170b5151b86b36e837f6024d70e51dddaefbd8be228797820 17a7064bbc0dae176d5c5a3fb2db24c1da3162f9c8bb483e4e9c3e5f76cec3a49e9b43fd102d 447ecd12c1d9ee6df5a5b868bbefeb39d69430ff28323a319fdb076127784acb160301014b0c 000147030017410419d934713434dd24230ffad43111e2bfef9dd5657948bffa872bb594ce8d 14018e1319bd86c7b3dac03a66bfb00427b33eb856a705404f5c9c3698e7d0d32f5d01009ab4 07bae9b7b3d713700259aface19f0abd52ee93d0576038e3ce91fc6b9128cbde2ca0126a5dfb be21dfc58e4e7a15e2a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6f6d6526dba0219098c99f6b0 (4) Finished request Waking up in 0.2 seconds. Received Access-Request Id 49 from 192.168.60.1:1024 to 192.168.50.62:1812 length 337 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020500901980000000861603010046100000424104160c81895c3d89fb344bb2e4235d88f5 a644a8dd981215a2895151d75ecc80abdf72f0c36bccddd3a313aba4a13f617bf209c8c3c3ab 6775877e878f6b94ab5c14030100010116030100304d156ceb95e04c21090a6054e72c32101a edf9bbd1615936f5c2a6633e9ba093d8c6ec6aead5b6f9139aede59a1085fe State = 0xf2d34be6f6d6526dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0x5962e73ff0cb81ca848b8d4b1643bbfc (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix : No '@' in User-Name = "juan", looking up realm NULL (5) suffix : No such realm "NULL" (5) [suffix] = noop (5) eap : EAP packet type response id 5 length 144 (5) eap : Continuing tunnel setup. (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap : Expiring EAP session with state 0xf2d34be6f6d6526d (5) eap : Finished EAP session with state 0xf2d34be6f6d6526d (5) eap : Previous EAP request found for state 0xf2d34be6f6d6526d, released from the list (5) eap : Peer sent PEAP (25) (5) eap : EAP PEAP (25) (5) eap : Calling eap_peap to process EAP data (5) eap_peap : processing EAP-TLS TLS Length 134 (5) eap_peap : Length Included (5) eap_peap : eaptls_verify returned 11 (5) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange (5) eap_peap : TLS_accept: SSLv3 read client key exchange A (5) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished (5) eap_peap : TLS_accept: SSLv3 read finished A (5) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap : TLS_accept: SSLv3 write change cipher spec A (5) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished (5) eap_peap : TLS_accept: SSLv3 write finished A (5) eap_peap : TLS_accept: SSLv3 flush data SSL: adding session 2a6565d47da8be010096c76ce138e64f1b9093d86ff4ebbf83fd0676ff503bcd to cache (5) eap_peap : (other): SSL negotiation finished successfully SSL Connection Established (5) eap_peap : eaptls_process returned 13 (5) eap_peap : FR_TLS_HANDLED (5) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6f7d5526d (5) [eap] = handled (5) } # authenticate = handled Sending Access-Challenge Id 49 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x01060041190014030100010116030100305f1dd086b2fcda746ddd6675d050b616eb46f6c4 85ad33bcfb24708bea0b71f847df30874010c1109cf3718fccd5fb9c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6f7d5526dba0219098c99f6b0 (5) Finished request Waking up in 0.2 seconds. Received Access-Request Id 50 from 192.168.60.1:1024 to 192.168.50.62:1812 length 199 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020600061900 State = 0xf2d34be6f7d5526dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0xe204536505984e24186fbdb38c7d72a7 (6) # Executing section authorize from file /etc/freeradius/sites-enabled/default (6) authorize { (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix : No '@' in User-Name = "juan", looking up realm NULL (6) suffix : No such realm "NULL" (6) [suffix] = noop (6) eap : EAP packet type response id 6 length 6 (6) eap : Continuing tunnel setup. (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) authenticate { (6) eap : Expiring EAP session with state 0xf2d34be6f7d5526d (6) eap : Finished EAP session with state 0xf2d34be6f7d5526d (6) eap : Previous EAP request found for state 0xf2d34be6f7d5526d, released from the list (6) eap : Peer sent PEAP (25) (6) eap : EAP PEAP (25) (6) eap : Calling eap_peap to process EAP data (6) eap_peap : processing EAP-TLS (6) eap_peap : Received TLS ACK (6) eap_peap : Received TLS ACK (6) eap_peap : ACK handshake is finished (6) eap_peap : eaptls_verify returned 3 (6) eap_peap : eaptls_process returned 3 (6) eap_peap : FR_TLS_SUCCESS (6) eap_peap : Session established. Decoding tunneled attributes. (6) eap_peap : Peap state TUNNEL ESTABLISHED (6) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6f4d4526d (6) [eap] = handled (6) } # authenticate = handled Sending Access-Challenge Id 50 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x0107002b19001703010020e7dc197b9d445951f885b9272c9920eb0ccf2022d8dc5b84adb3 7eda224b2039 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6f4d4526dba0219098c99f6b0 (6) Finished request Waking up in 0.2 seconds. Received Access-Request Id 51 from 192.168.60.1:1024 to 192.168.50.62:1812 length 273 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020700501900170301002035445b3148809e34a209ba4306150164c5972e03971a54a84a67 0e2444b4d81317030100200963d2867e367f7d0e82be8adad08264b5e0a0a5cb6c3060ea1c27 cb44f9cef2 State = 0xf2d34be6f4d4526dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0x338da1d3c7e5c75bba182f7efefd8c31 (7) # Executing section authorize from file /etc/freeradius/sites-enabled/default (7) authorize { (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix : No '@' in User-Name = "juan", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) eap : EAP packet type response id 7 length 80 (7) eap : Continuing tunnel setup. (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) authenticate { (7) eap : Expiring EAP session with state 0xf2d34be6f4d4526d (7) eap : Finished EAP session with state 0xf2d34be6f4d4526d (7) eap : Previous EAP request found for state 0xf2d34be6f4d4526d, released from the list (7) eap : Peer sent PEAP (25) (7) eap : EAP PEAP (25) (7) eap : Calling eap_peap to process EAP data (7) eap_peap : processing EAP-TLS (7) eap_peap : eaptls_verify returned 7 (7) eap_peap : Done initial handshake (7) eap_peap : eaptls_process returned 7 (7) eap_peap : FR_TLS_OK (7) eap_peap : Session established. Decoding tunneled attributes. (7) eap_peap : Peap state WAITING FOR INNER IDENTITY (7) eap_peap : Identity - juan (7) eap_peap : Got inner identity 'juan' (7) eap_peap : Setting default EAP type for tunneled EAP session. (7) eap_peap : Got tunneled request EAP-Message = 0x02070009016a75616e server default { (7) eap_peap : Setting User-Name to juan Sending tunneled request EAP-Message = 0x02070009016a75616e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'juan' server inner-tunnel { (7) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (7) authorize { (7) [chap] = noop (7) [mschap] = noop (7) suffix : No '@' in User-Name = "juan", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) update control { (7) Proxy-To-Realm := 'LOCAL' (7) } # update control = noop (7) eap : EAP packet type response id 7 length 9 (7) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) authenticate { (7) eap : Peer sent Identity (1) (7) eap : Calling eap_mschapv2 to process EAP data (7) eap_mschapv2 : Issuing Challenge (7) eap : New EAP session, adding 'State' attribute to reply 0x0cb2efe70cbaf5a7 (7) [eap] = handled (7) } # authenticate = handled } # server inner-tunnel (7) eap_peap : Got tunneled reply code 11 EAP-Message = 0x0108001e1a0108001910efc88c501c83e7d1122c97cc3931a3466a75616e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0cb2efe70cbaf5a7fe78397182ecc493 (7) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x0108001e1a0108001910efc88c501c83e7d1122c97cc3931a3466a75616e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0cb2efe70cbaf5a7fe78397182ecc493 (7) eap_peap : Got tunneled Access-Challenge (7) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6f5db526d (7) [eap] = handled (7) } # authenticate = handled Sending Access-Challenge Id 51 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x0108003b19001703010030c259dc6418a48f52880c52b4e53a9fd571e709543aea2228628e ed46695d0cb3edf2b15afcf810ff06db7fe5dafaa79b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6f5db526dba0219098c99f6b0 (7) Finished request Waking up in 0.2 seconds. Received Access-Request Id 52 from 192.168.60.1:1024 to 192.168.50.62:1812 length 321 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x0208008019001703010020ca2297ddcdb80ca5c658810c20a1048a3b1fd4fda09e2586f096 e0c3c0ec1b8017030100500c5e41e36b65952fcc24d98040ba5b13bc777f27d94d75587bccda c9eae340d3ff56e5a80e44401b1b84f06048231da6d4de6c190653500f3ad3351748758ea14b 43868b6934d83b77e01bde5d27bf81 State = 0xf2d34be6f5db526dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0xf005c1e2521b44d4635ea6f72e096598 (8) # Executing section authorize from file /etc/freeradius/sites-enabled/default (8) authorize { (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix : No '@' in User-Name = "juan", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) eap : EAP packet type response id 8 length 128 (8) eap : Continuing tunnel setup. (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) authenticate { (8) eap : Expiring EAP session with state 0x0cb2efe70cbaf5a7 (8) eap : Finished EAP session with state 0xf2d34be6f5db526d (8) eap : Previous EAP request found for state 0xf2d34be6f5db526d, released from the list (8) eap : Peer sent PEAP (25) (8) eap : EAP PEAP (25) (8) eap : Calling eap_peap to process EAP data (8) eap_peap : processing EAP-TLS (8) eap_peap : eaptls_verify returned 7 (8) eap_peap : Done initial handshake (8) eap_peap : eaptls_process returned 7 (8) eap_peap : FR_TLS_OK (8) eap_peap : Session established. Decoding tunneled attributes. (8) eap_peap : Peap state phase2 (8) eap_peap : EAP type MSCHAPv2 (26) (8) eap_peap : Got tunneled request EAP-Message = 0x0208003f1a0208003a311405263ba16d3386f4c29edb366bd1140000000000000000312202 cc3292cab89b43f145649092513174d1ee90e90224006a75616e server default { (8) eap_peap : Setting User-Name to juan Sending tunneled request EAP-Message = 0x0208003f1a0208003a311405263ba16d3386f4c29edb366bd1140000000000000000312202 cc3292cab89b43f145649092513174d1ee90e90224006a75616e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'juan' State = 0x0cb2efe70cbaf5a7fe78397182ecc493 server inner-tunnel { (8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (8) authorize { (8) [chap] = noop (8) [mschap] = noop (8) suffix : No '@' in User-Name = "juan", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) update control { (8) Proxy-To-Realm := 'LOCAL' (8) } # update control = noop (8) eap : EAP packet type response id 8 length 63 (8) eap : No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop rlm_ldap (ldap): Reserved connection (4) (8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap : --> (uid=juan) (8) ldap : EXPAND dc=ejemplo,dc=org (8) ldap : --> dc=ejemplo,dc=org (8) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (8) ldap : Waiting for search result... (8) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (8) ldap : No cacheable group memberships found in user object (8) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (8) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl o\2cdc\3dorg)) (8) ldap : EXPAND dc=ejemplo,dc=org (8) ldap : --> dc=ejemplo,dc=org (8) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp lo\2cdc\3dorg))', scope 'sub' (8) ldap : Waiting for search result... (8) ldap : Added control:Ldap-Group with value "profesores" (8) ldap : Processing user attributes (8) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (8) [ldap] = ok (8) foreach &control:LDAP-Group (8) update outer.reply { (8) EXPAND %{Foreach-Variable-0} (8) --> profesores (8) &Ruckus-User-Groups += '"profesores"' (8) } # update outer.reply = noop (8) } # foreach &control:LDAP-Group = noop (8) [expiration] = noop (8) [logintime] = noop (8) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (8) WARNING: pap : Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap : Expiring EAP session with state 0x0cb2efe70cbaf5a7 (8) eap : Finished EAP session with state 0x0cb2efe70cbaf5a7 (8) eap : Previous EAP request found for state 0x0cb2efe70cbaf5a7, released from the list (8) eap : Peer sent MSCHAPv2 (26) (8) eap : EAP MSCHAPv2 (26) (8) eap : Calling eap_mschapv2 to process EAP data (8) eap_mschapv2 : # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) eap_mschapv2 : Auth-Type MS-CHAP { (8) mschap : Found Cleartext-Password, hashing to create LM-Password (8) mschap : Found Cleartext-Password, hashing to create NT-Password (8) mschap : Creating challenge hash with username: juan (8) mschap : Client is using MS-CHAPv2 (8) mschap : Adding MS-CHAPv2 MPPE keys (8) [mschap] = ok (8) } # Auth-Type MS-CHAP = ok MSCHAP Success (8) eap : New EAP session, adding 'State' attribute to reply 0x0cb2efe70dbbf5a7 (8) [eap] = handled (8) } # authenticate = handled } # server inner-tunnel (8) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d4338424430343744353931323244333545373631353142433444 3743434346364534423341423236 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0cb2efe70dbbf5a7fe78397182ecc493 (8) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d4338424430343744353931323244333545373631353142433444 3743434346364534423341423236 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0cb2efe70dbbf5a7fe78397182ecc493 (8) eap_peap : Got tunneled Access-Challenge (8) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6fada526d (8) [eap] = handled (8) } # authenticate = handled Sending Access-Challenge Id 52 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x0109005b190017030100501c6001565f58ad0148f0cde072e0eae03b6306c874c55d5c9599 d8581a68807b0ce0e02d471ccd40e82e99a7e9c93f8ed779ec42c3e802db9089ddbb64be4e0a 3317fb3a595a98ef1aafb878b93314c3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6fada526dba0219098c99f6b0 (8) Finished request Waking up in 0.2 seconds. Received Access-Request Id 53 from 192.168.60.1:1024 to 192.168.50.62:1812 length 273 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x0209005019001703010020ff5990044103107d4c1c6c0dcfd1592042bb616688995c8dd577 80afdee5290717030100206a03608ba19931e3be1f213f3f662169139b78345f3ae82edd9517 c9ac069de1 State = 0xf2d34be6fada526dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0xa33a0c467259057dfa7938db9d7983eb (9) # Executing section authorize from file /etc/freeradius/sites-enabled/default (9) authorize { (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix : No '@' in User-Name = "juan", looking up realm NULL (9) suffix : No such realm "NULL" (9) [suffix] = noop (9) eap : EAP packet type response id 9 length 80 (9) eap : Continuing tunnel setup. (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) authenticate { (9) eap : Expiring EAP session with state 0x0cb2efe70dbbf5a7 (9) eap : Finished EAP session with state 0xf2d34be6fada526d (9) eap : Previous EAP request found for state 0xf2d34be6fada526d, released from the list (9) eap : Peer sent PEAP (25) (9) eap : EAP PEAP (25) (9) eap : Calling eap_peap to process EAP data (9) eap_peap : processing EAP-TLS (9) eap_peap : eaptls_verify returned 7 (9) eap_peap : Done initial handshake (9) eap_peap : eaptls_process returned 7 (9) eap_peap : FR_TLS_OK (9) eap_peap : Session established. Decoding tunneled attributes. (9) eap_peap : Peap state phase2 (9) eap_peap : EAP type MSCHAPv2 (26) (9) eap_peap : Got tunneled request EAP-Message = 0x020900061a03 server default { (9) eap_peap : Setting User-Name to juan Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'juan' State = 0x0cb2efe70dbbf5a7fe78397182ecc493 server inner-tunnel { (9) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (9) authorize { (9) [chap] = noop (9) [mschap] = noop (9) suffix : No '@' in User-Name = "juan", looking up realm NULL (9) suffix : No such realm "NULL" (9) [suffix] = noop (9) update control { (9) Proxy-To-Realm := 'LOCAL' (9) } # update control = noop (9) eap : EAP packet type response id 9 length 6 (9) eap : EAP-MSCHAPV2 success, returning short-circuit ok (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (9) authenticate { (9) eap : Expiring EAP session with state 0x0cb2efe70dbbf5a7 (9) eap : Finished EAP session with state 0x0cb2efe70dbbf5a7 (9) eap : Previous EAP request found for state 0x0cb2efe70dbbf5a7, released from the list (9) eap : Peer sent MSCHAPv2 (26) (9) eap : EAP MSCHAPv2 (26) (9) eap : Calling eap_mschapv2 to process EAP data (9) eap : Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel (9) (null) post-auth { ... } # empty sub-section is ignored } # server inner-tunnel (9) eap_peap : Got tunneled reply code 2 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0xafb88407094b01fc005b3597058d8598 MS-MPPE-Recv-Key = 0x642cb4e62dc038e3896c5d673858b38c EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'juan' (9) eap_peap : Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0xafb88407094b01fc005b3597058d8598 MS-MPPE-Recv-Key = 0x642cb4e62dc038e3896c5d673858b38c EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'juan' (9) eap_peap : Tunneled authentication was successful. (9) eap_peap : SUCCESS (9) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6fbd9526d (9) [eap] = handled (9) } # authenticate = handled Sending Access-Challenge Id 53 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x010a002b1900170301002059aab1d6a4c6ab0a57f24096d6d0aa80e9662d6a63ac66e96db8 a524d2085cc8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6fbd9526dba0219098c99f6b0 (9) Finished request Waking up in 0.1 seconds. Received Access-Request Id 54 from 192.168.60.1:1024 to 192.168.50.62:1812 length 273 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020a005019001703010020bc5b6012ba4c6d4926636f89412299e03018b666ab58139c884e 1d8e301ad05617030100200b70dae1f629e3833f6be835eda0d221b722c8a2f4b347f3425229 f9cb872647 State = 0xf2d34be6fbd9526dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0xdd12a7edfa22a09e90d59aba01b16498 (10) # Executing section authorize from file /etc/freeradius/sites-enabled/default (10) authorize { (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix : No '@' in User-Name = "juan", looking up realm NULL (10) suffix : No such realm "NULL" (10) [suffix] = noop (10) eap : EAP packet type response id 10 length 80 (10) eap : Continuing tunnel setup. (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = EAP (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) authenticate { (10) eap : Expiring EAP session with state 0xf2d34be6fbd9526d (10) eap : Finished EAP session with state 0xf2d34be6fbd9526d (10) eap : Previous EAP request found for state 0xf2d34be6fbd9526d, released from the list (10) eap : Peer sent PEAP (25) (10) eap : EAP PEAP (25) (10) eap : Calling eap_peap to process EAP data (10) eap_peap : processing EAP-TLS (10) eap_peap : eaptls_verify returned 7 (10) eap_peap : Done initial handshake (10) eap_peap : eaptls_process returned 7 (10) eap_peap : FR_TLS_OK (10) eap_peap : Session established. Decoding tunneled attributes. (10) eap_peap : Peap state send tlv success (10) eap_peap : Received EAP-TLV response. (10) eap_peap : Success (10) WARNING: eap_peap : No information to cache: session caching will be disabled for session 2a6565d47da8be010096c76ce138e64f1b9093d86ff4ebbf83fd0676ff503bcd SSL: Removing session 2a6565d47da8be010096c76ce138e64f1b9093d86ff4ebbf83fd0676ff503bcd from the cache (10) eap : Freeing handler (10) [eap] = ok (10) } # authenticate = ok (10) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (10) post-auth { (10) ldap : EXPAND . (10) ldap : --> . (10) ldap : EXPAND Authenticated at %S (10) ldap : --> Authenticated at 2014-05-20 03:47:48 rlm_ldap (ldap): Reserved connection (4) (10) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (10) ldap : --> (uid=juan) (10) ldap : EXPAND dc=ejemplo,dc=org (10) ldap : --> dc=ejemplo,dc=org (10) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (10) ldap : Waiting for search result... (10) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (10) ldap : Modifying object with DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (10) ldap : Waiting for modify result... rlm_ldap (ldap): Released connection (4) (10) [ldap] = ok (10) foreach &control:LDAP-Group { (10) } # foreach &control:LDAP-Group = noop (10) [exec] = noop (10) remove_reply_message_if_eap remove_reply_message_if_eap { (10) if (reply:EAP-Message && reply:Reply-Message) (10) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (10) else else { (10) [noop] = noop (10) } # else else = noop (10) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (10) } # post-auth = ok Sending Access-Accept Id 54 from 192.168.50.62:1812 to 192.168.60.1:1024 MS-MPPE-Recv-Key = 0x82502acb1a755aa3a2eba98e23e3f5796ccab96d124ff6198b32c78859edc7da MS-MPPE-Send-Key = 0x759dee2ef53c1423c8bd1d6412ab31963a14690b756a64237315aa0e8e3aa94f EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'juan' (10) Finished request Waking up in 0.1 seconds. Waking up in 4.5 seconds. (0) Cleaning up request packet ID 44 with timestamp +5 (1) Cleaning up request packet ID 45 with timestamp +5 (2) Cleaning up request packet ID 46 with timestamp +5 (3) Cleaning up request packet ID 47 with timestamp +5 (4) Cleaning up request packet ID 48 with timestamp +5 (5) Cleaning up request packet ID 49 with timestamp +5 (6) Cleaning up request packet ID 50 with timestamp +5 (7) Cleaning up request packet ID 51 with timestamp +5 (8) Cleaning up request packet ID 52 with timestamp +5 (9) Cleaning up request packet ID 53 with timestamp +5 (10) Cleaning up request packet ID 54 with timestamp +5 Ready to process requests.
However, I have been looking at config extracts from [1] (especially the rlm_cache config and the virtual server config
Sorry, I forgot the link. Please, don't answer this, answer my previous message :) [1] http://lists.freeradius.org/pipermail/freeradius-users/2014-April/071756.htm l Thanks!!
Is rlm_cache the answer to my problems? If so, should I just call it in authorize in inner-tunnel after ldap and then to retrieve in default server post-auth? Or when/how? And if not, any other solutions to this?
After a few trial-and-error runs, I've gotten it to work. For the record, this is my config: mods-enabled/cache: update { control:LDAP-Group += control:LDAP-Group } sites-enabled/default: post-auth { cache foreach &control:LDAP-Group { update reply { &Ruckus-User-Groups += "%{Foreach-Variable-0}" } } } sites-enabled/inner-tunnel: authorize { [...] ldap cache [...] } Thanks everybody who tried to help me, I hope this can help somebody in the future. Cheers!
On 5 Jun 2014, at 10:52, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
Is rlm_cache the answer to my problems? If so, should I just call it in authorize in inner-tunnel after ldap and then to retrieve in default server post-auth? Or when/how? And if not, any other solutions to this?
After a few trial-and-error runs, I've gotten it to work. For the record, this is my config:
mods-enabled/cache:
update {
}
If you upgrade to v3.0.x HEAD it can be made even simpler. mods-available/cache: update { control:LDAP-Group += &control:LDAP-Group <additional LDAP password attributes you need> } sites-enabled/inner-tunnel: authorize { [...] update control { Cache-Read-Only := yes } cache if (notfound) { ldap cache } [...] } That's actually significantly more efficient, as it guarantees there will only ever be one call out to LDAP for the entire EAP authentication. Well done for getting it working :) -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
If you upgrade to v3.0.x HEAD it can be made even simpler.
Well, thanks, but that's way too bleeding edge for this purpose :). Remember I was supposed to stick to stable software - ie v2.x.x Anyway, If I have time I will test it just to let you know. When is that feature expected to be released? I guess it's not 3.0.4, since it's already RC...
On 5 Jun 2014, at 12:57, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
If you upgrade to v3.0.x HEAD it can be made even simpler.
Well, thanks, but that's way too bleeding edge for this purpose :). Remember I was supposed to stick to stable software - ie v2.x.x Anyway, If I have time I will test it just to let you know. When is that feature expected to be released? I guess it's not 3.0.4, since it's already RC...
No, it'll be 3.0.4 it's in 3.0.4rc1. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
If you upgrade to v3.0.x HEAD it can be made even simpler.
Well, thanks, but that's way too bleeding edge for this purpose :). Remember I was supposed to stick to stable software - ie v2.x.x Anyway, If I have time I will test it just to let you know. When is that feature expected to be released? I guess it's not 3.0.4, since it's already RC...
No, it'll be 3.0.4 it's in 3.0.4rc1.
-Arran
Ok, then I'll try it when 3.0.4 is ready :) In the meantime, I am trying to configure EAP-TLS for a more secure authentication based on client certificates. I generated a CA certificate and used it to sign server and client certificates, which I installed where I needed. However, trying to associate a W7 machine to the AP resulted in freeradius segfaulting: (5) # executing section post-auth from file /etc/freeradius/sites-enabled/default (5) cache: [... creating cache entry ...] (5) [cache] = updated (5) foreach &control:LDAP-Group (5) update reply { Segmentation fault In update reply {} there is only one line of code: &Ruckus-User-Groups += "%{Foreach-Variable-0}" And the call to the cache module was the only previous uncommented line in post-auth. So I'm quite clueless about where the segfault comes from, since that same line worked perfectly with MSCHAPv2 inside of PEAP... If you need any more debug output feel free to ask :) Thanks again!!
On Mon, Jun 9, 2014 at 3:27 PM, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
If you upgrade to v3.0.x HEAD it can be made even simpler.
Well, thanks, but that's way too bleeding edge for this purpose :). Remember I was supposed to stick to stable software - ie v2.x.x Anyway, If I have time I will test it just to let you know. When is that feature expected to be released? I guess it's not 3.0.4, since it's already RC...
No, it'll be 3.0.4 it's in 3.0.4rc1.
-Arran
Ok, then I'll try it when 3.0.4 is ready :)
In the meantime, I am trying to configure EAP-TLS for a more secure authentication based on client certificates. I generated a CA certificate and used it to sign server and client certificates, which I installed where I needed. However, trying to associate a W7 machine to the AP resulted in freeradius segfaulting:
(5) # executing section post-auth from file /etc/freeradius/sites-enabled/default (5) cache: [... creating cache entry ...] (5) [cache] = updated (5) foreach &control:LDAP-Group (5) update reply { Segmentation fault
In update reply {} there is only one line of code:
&Ruckus-User-Groups += "%{Foreach-Variable-0}"
And the call to the cache module was the only previous uncommented line in post-auth. So I'm quite clueless about where the segfault comes from, since that same line worked perfectly with MSCHAPv2 inside of PEAP... If you need any more debug output feel free to ask :)
I'm guessing you'd need to follow http://wiki.freeradius.org/project/bug-reports#Crashes-(Segmentation-violati......) or http://lists.freeradius.org/pipermail/freeradius-devel/2014-January/009084.h... -- Fajar
In the meantime, I am trying to configure EAP-TLS for a more secure authentication based on client certificates. I generated a CA certificate and used it to sign server and client certificates, which I installed where I needed. However, trying to associate a W7 machine to the AP resulted in freeradius segfaulting:
(5) # executing section post-auth from file /etc/freeradius/sites-enabled/default (5) cache: [... creating cache entry ...] (5) [cache] = updated (5) foreach &control:LDAP-Group (5) update reply { Segmentation fault
In update reply {} there is only one line of code:
&Ruckus-User-Groups += "%{Foreach-Variable-0}"
And the call to the cache module was the only previous uncommented line in post-auth. So I'm quite clueless about where the segfault comes from, since that same line worked perfectly with MSCHAPv2 inside of PEAP... If you need any more debug output feel free to ask :)
I'm guessing you'd need to follow http://wiki.freeradius.org/project/bug-reports#Crashes-(Segmentation-violat ions,-Memory-alignment-errors,-ASSERTs-etc...) or http://lists.freeradius.org/pipermail/freeradius-devel/2014-January/009084.h tml
Ok, so I installed the debug symbols from the PPA repository and uncommented the panic_action line in radiusd.conf. This is the full debug output now: (I have to say that I got a segfault last week that I could fix on my own, but I have no idea where this one comes from. The previous one was about setting outer.reply in default server's post-auth - there is no outer reply in there. It doesn't look like that one though...) Received Access-Request Id 39 from 192.168.60.1:1024 to 192.168.50.62:1812 length 190 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x02000009016a75616e Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x6ccb32c7b00d65c7617e787ee0f8862b (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "juan", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : EAP packet type response id 0 length 9 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap : Peer sent Identity (1) (0) eap : Calling eap_tls to process EAP data (0) eap_tls : Flushing SSL sessions (of #0) (0) eap_tls : Requiring client certificate (0) eap_tls : Initiate (0) eap_tls : Requiring client certificate (0) eap_tls : Start returned 1 (0) eap : New EAP session, adding 'State' attribute to reply 0x4b06bc534b07b123 (0) [eap] = handled (0) } # authenticate = handled Sending Access-Challenge Id 39 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b06bc534b07b123a5815ce5986a7061 (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 40 from 192.168.60.1:1024 to 192.168.50.62:1812 length 304 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020100690d800000005f160301005a01000056030153957c5a9884652d6bb6c5d6bb19564d 4010cad78f6021d6f9bb42a26c6332a0000018002f00350005000ac013c014c009c00a003200 380013000401000015ff01000100000a0006000400170018000b00020100 State = 0x4b06bc534b07b123a5815ce5986a7061 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x424c68d593e8b471a7168fa8f90c84aa (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : No '@' in User-Name = "juan", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop (1) eap : EAP packet type response id 1 length 105 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop rlm_ldap (ldap): Reserved connection (4) (1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap : --> (uid=juan) (1) ldap : EXPAND dc=ejemplo,dc=org (1) ldap : --> dc=ejemplo,dc=org (1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (1) ldap : Waiting for search result... (1) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (1) ldap : No cacheable group memberships found in user object (1) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (1) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl o\2cdc\3dorg)) (1) ldap : EXPAND dc=ejemplo,dc=org (1) ldap : --> dc=ejemplo,dc=org (1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp lo\2cdc\3dorg))', scope 'sub' (1) ldap : Waiting for search result... (1) ldap : Added control:Ldap-Group with value "profesores" (1) ldap : Processing user attributes (1) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (1) [ldap] = ok (1) foreach &control:LDAP-Group (1) update reply { (1) EXPAND %{Foreach-Variable-0} (1) --> profesores (1) &Ruckus-User-Groups += '"profesores"' (1) } # update reply = noop (1) } # foreach &control:LDAP-Group = noop (1) [expiration] = noop (1) [logintime] = noop (1) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (1) WARNING: pap : Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = EAP (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0x4b06bc534b07b123 (1) eap : Finished EAP session with state 0x4b06bc534b07b123 (1) eap : Previous EAP request found for state 0x4b06bc534b07b123, released from the list (1) eap : Peer sent TLS (13) (1) eap : EAP TLS (13) (1) eap : Calling eap_tls to process EAP data (1) eap_tls : Authenticate (1) eap_tls : processing EAP-TLS TLS Length 95 (1) eap_tls : Length Included (1) eap_tls : eaptls_verify returned 11 (1) eap_tls : (other): before/accept initialization (1) eap_tls : TLS_accept: before/accept initialization (1) eap_tls : <<< TLS 1.0 Handshake [length 005a], ClientHello (1) eap_tls : TLS_accept: SSLv3 read client hello A (1) eap_tls : >>> TLS 1.0 Handshake [length 0051], ServerHello (1) eap_tls : TLS_accept: SSLv3 write server hello A (1) eap_tls : >>> TLS 1.0 Handshake [length 0707], Certificate (1) eap_tls : TLS_accept: SSLv3 write certificate A (1) eap_tls : >>> TLS 1.0 Handshake [length 0056], CertificateRequest (1) eap_tls : TLS_accept: SSLv3 write certificate request A (1) eap_tls : TLS_accept: SSLv3 flush data (1) eap_tls : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (1) eap_tls : eaptls_process returned 13 (1) eap : New EAP session, adding 'State' attribute to reply 0x4b06bc534a04b123 (1) [eap] = handled (1) } # authenticate = handled Sending Access-Challenge Id 40 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x010203ec0dc0000007bd16030100510200004d030153800d41db8bc00fc64e65976eef8ad5 05728f175a82585bb671517fa25b004220e538ae19205137b530866cbe9c73fda07251b82edf 134c60a8556d5601036be8002f000005ff0100010016030107070b00070300070000039b3082 03973082027fa003020102020900c43f77feef6a22ef300d06092a864886f70d010105050030 44310b3009060355040613024553310f300d06035504080c064d6164726964310e300c060355 040a0c05494e5445463114301206035504030c0b656a656d706c6f2e6f7267301e170d313430 3532303037313134325a170d3135303532303037313134325a3055310b300906035504061302 4553310f300d06035504080c064d6164726964310f300d06035504070c064d6164726964310e 300c060355040a0c05494e5445463114301206035504030c0b656a656d706c6f2e6f72673082 0122300d06092a864886f70d01010105000382010f003082010a0282010100d86d13ea2fa99e fe3982e0ceface40d345221a17f49a4cbdf8774fc1cea663192790995f1df5c32c30ea86fe51 90ff99a3012ff8e54e94de9d81e96fb282562e1264f059238606c51afebce65604a4902dcdfc 803041f6240e2c7a03cca18c70238e9c0fda027487bcb8868c95850aae68986c068f737434ee cdbbbdaabfd83780ce9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b06bc534a04b123a5815ce5986a7061 (1) Finished request Waking up in 0.3 seconds. Received Access-Request Id 41 from 192.168.60.1:1024 to 192.168.50.62:1812 length 205 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020200060d00 State = 0x4b06bc534a04b123a5815ce5986a7061 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x957db049fc1d0e94a5a57f9776395e30 (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "juan", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) eap : EAP packet type response id 2 length 6 (2) eap : No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) [files] = noop rlm_ldap (ldap): Reserved connection (4) (2) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (2) ldap : --> (uid=juan) (2) ldap : EXPAND dc=ejemplo,dc=org (2) ldap : --> dc=ejemplo,dc=org (2) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (2) ldap : Waiting for search result... (2) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (2) ldap : No cacheable group memberships found in user object (2) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (2) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl o\2cdc\3dorg)) (2) ldap : EXPAND dc=ejemplo,dc=org (2) ldap : --> dc=ejemplo,dc=org (2) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp lo\2cdc\3dorg))', scope 'sub' (2) ldap : Waiting for search result... (2) ldap : Added control:Ldap-Group with value "profesores" (2) ldap : Processing user attributes (2) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (2) [ldap] = ok (2) foreach &control:LDAP-Group (2) update reply { (2) EXPAND %{Foreach-Variable-0} (2) --> profesores (2) &Ruckus-User-Groups += '"profesores"' (2) } # update reply = noop (2) } # foreach &control:LDAP-Group = noop (2) [expiration] = noop (2) [logintime] = noop (2) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (2) WARNING: pap : Auth-Type already set. Not setting to PAP (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = EAP (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0x4b06bc534a04b123 (2) eap : Finished EAP session with state 0x4b06bc534a04b123 (2) eap : Previous EAP request found for state 0x4b06bc534a04b123, released from the list (2) eap : Peer sent TLS (13) (2) eap : EAP TLS (13) (2) eap : Calling eap_tls to process EAP data (2) eap_tls : Authenticate (2) eap_tls : processing EAP-TLS (2) eap_tls : Received TLS ACK (2) eap_tls : Received TLS ACK (2) eap_tls : ACK handshake fragment handler (2) eap_tls : eaptls_verify returned 1 (2) eap_tls : eaptls_process returned 13 (2) eap : New EAP session, adding 'State' attribute to reply 0x4b06bc534905b123 (2) [eap] = handled (2) } # authenticate = handled Sending Access-Challenge Id 41 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x010303e50d80000007bd3849d248b1dfa322109bc7213dc7b995e11cf1ec9e393177e1d411 f1b83700035f3082035b30820243a003020102020900c43f77feef6a22ee300d06092a864886 f70d01010505003044310b3009060355040613024553310f300d06035504080c064d61647269 64310e300c060355040a0c05494e5445463114301206035504030c0b656a656d706c6f2e6f72 67301e170d3134303532303037303835355a170d3137303531393037303835355a3044310b30 09060355040613024553310f300d06035504080c064d6164726964310e300c060355040a0c05 494e5445463114301206035504030c0b656a656d706c6f2e6f726730820122300d06092a8648 86f70d01010105000382010f003082010a0282010100b34d31cc087201a6f5f91e1f411fbe7c 8175e68364d88e7bc6fb454918d40aca5f65cb2caf0496d4c7ef1b62379ab4ddfc60338d8785 d6f4b208091cda2f566d39b233c9a76cfcd2e14a21a5c1c1ad30c6c6734fb0024ef4511a7867 9f4b2e6085113cb24d3229fa288b7ae5a460348f253fa438172cfb0b2c66c005747d6b716d6e 221e492e793c17439a19d638bc84ecde2aaf864e1b22007c29b5aa056637d4dd4bde4783dd1b 2994b87522662742b8c5477ce8c39227a3bf8b71b2dce5323150b49cd27134e4a79f7f98d371 cad38b0e72363efbc62 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b06bc534905b123a5815ce5986a7061 (2) Finished request Waking up in 0.2 seconds. Received Access-Request Id 42 from 192.168.60.1:1024 to 192.168.50.62:1812 length 1701 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020305d40dc0000005d916030105990b0003890003860003833082037f30820267a0030201 02020900c43f77feef6a22f0300d06092a864886f70d01010505003044310b30090603550406 13024553310f300d06035504080c064d6164726964310e300c060355040a0c05494e54454631 14301206035504030c0b656a656d706c6f2e6f7267301e170d3134303532313035323130335a 170d3135303532313035323130335a303d310b3009060355040613024553310f300d06035504 080c064d6164726964310e300c060355040a0c05494e544546310d300b06035504030c046a75 616e30820122300d06092a864886f70d01010105000382010f003082010a0282010100d8fe45 c46e4743d7ecaf6c82f5206a6d1683234f11e54af93501eba03aaadf6c4a123bb2aeebce0717 b6930a3e550f9e75e38fb7f0057acebdeecb6d396c4547ed2cb496d887ae6973982c7b708898 d3d4e080c44679ffc2eeea7b707f3d03aacfd8544465a96f0988366c5c8a8fd9e84bd38006f7 1b572a526759eaf147a20c21f42ef7c8f8c37915768eec7e41402c3869e8c06a06d6d53a3fac 290b9db34a737a55ce6c3bc544396ee4f35ff28622c2318c57b0ce8b86aac710ed16e56960d4 a2fafbe851afb250256e5b03cf37f52ace63f3eb801d78d6e2e3ebdb4ac5493bbca5129d60cb ea4a1f7e96391a9216a State = 0x4b06bc534905b123a5815ce5986a7061 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x73f8a458222a4c6bb7eec10883f1b056 (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : No '@' in User-Name = "juan", looking up realm NULL (3) suffix : No such realm "NULL" (3) [suffix] = noop (3) eap : EAP packet type response id 3 length 1492 (3) eap : No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) [files] = noop rlm_ldap (ldap): Reserved connection (4) (3) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (3) ldap : --> (uid=juan) (3) ldap : EXPAND dc=ejemplo,dc=org (3) ldap : --> dc=ejemplo,dc=org (3) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (3) ldap : Waiting for search result... (3) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (3) ldap : No cacheable group memberships found in user object (3) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (3) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl o\2cdc\3dorg)) (3) ldap : EXPAND dc=ejemplo,dc=org (3) ldap : --> dc=ejemplo,dc=org (3) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp lo\2cdc\3dorg))', scope 'sub' (3) ldap : Waiting for search result... (3) ldap : Added control:Ldap-Group with value "profesores" (3) ldap : Processing user attributes (3) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (3) [ldap] = ok (3) foreach &control:LDAP-Group (3) update reply { (3) EXPAND %{Foreach-Variable-0} (3) --> profesores (3) &Ruckus-User-Groups += '"profesores"' (3) } # update reply = noop (3) } # foreach &control:LDAP-Group = noop (3) [expiration] = noop (3) [logintime] = noop (3) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (3) WARNING: pap : Auth-Type already set. Not setting to PAP (3) [pap] = noop (3) } # authorize = updated (3) Found Auth-Type = EAP (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0x4b06bc534905b123 (3) eap : Finished EAP session with state 0x4b06bc534905b123 (3) eap : Previous EAP request found for state 0x4b06bc534905b123, released from the list (3) eap : Peer sent TLS (13) (3) eap : EAP TLS (13) (3) eap : Calling eap_tls to process EAP data (3) eap_tls : Authenticate (3) eap_tls : processing EAP-TLS TLS Length 1497 (3) eap_tls : Received EAP-TLS First Fragment of the message (3) eap_tls : eaptls_verify returned 9 (3) eap_tls : eaptls_process returned 13 (3) eap : New EAP session, adding 'State' attribute to reply 0x4b06bc534802b123 (3) [eap] = handled (3) } # authenticate = handled Sending Access-Challenge Id 42 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x010400060d00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b06bc534802b123a5815ce5986a7061 (3) Finished request Waking up in 0.2 seconds. Received Access-Request Id 43 from 192.168.60.1:1024 to 192.168.50.62:1812 length 220 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020400150d003739040f9689b4ab4612f7dce2d48e State = 0x4b06bc534802b123a5815ce5986a7061 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x39dbec026a12ec8acebb4f68297652a0 (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix : No '@' in User-Name = "juan", looking up realm NULL (4) suffix : No such realm "NULL" (4) [suffix] = noop (4) eap : EAP packet type response id 4 length 21 (4) eap : No EAP Start, assuming it's an on-going EAP conversation (4) [eap] = updated (4) [files] = noop rlm_ldap (ldap): Reserved connection (4) (4) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (4) ldap : --> (uid=juan) (4) ldap : EXPAND dc=ejemplo,dc=org (4) ldap : --> dc=ejemplo,dc=org (4) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (4) ldap : Waiting for search result... (4) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (4) ldap : No cacheable group memberships found in user object (4) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (4) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl o\2cdc\3dorg)) (4) ldap : EXPAND dc=ejemplo,dc=org (4) ldap : --> dc=ejemplo,dc=org (4) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp lo\2cdc\3dorg))', scope 'sub' (4) ldap : Waiting for search result... (4) ldap : Added control:Ldap-Group with value "profesores" (4) ldap : Processing user attributes (4) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (4) [ldap] = ok (4) foreach &control:LDAP-Group (4) update reply { (4) EXPAND %{Foreach-Variable-0} (4) --> profesores (4) &Ruckus-User-Groups += '"profesores"' (4) } # update reply = noop (4) } # foreach &control:LDAP-Group = noop (4) [expiration] = noop (4) [logintime] = noop (4) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (4) WARNING: pap : Auth-Type already set. Not setting to PAP (4) [pap] = noop (4) } # authorize = updated (4) Found Auth-Type = EAP (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap : Expiring EAP session with state 0x4b06bc534802b123 (4) eap : Finished EAP session with state 0x4b06bc534802b123 (4) eap : Previous EAP request found for state 0x4b06bc534802b123, released from the list (4) eap : Peer sent TLS (13) (4) eap : EAP TLS (13) (4) eap : Calling eap_tls to process EAP data (4) eap_tls : Authenticate (4) eap_tls : processing EAP-TLS (4) eap_tls : eaptls_verify returned 7 (4) eap_tls : Done initial handshake (4) eap_tls : <<< TLS 1.0 Handshake [length 038d], Certificate (4) eap_tls : chain-depth=1, (4) eap_tls : error=0 (4) eap_tls : --> User-Name = juan (4) eap_tls : --> BUF-Name = ejemplo.org (4) eap_tls : --> subject = /C=ES/ST=Madrid/O=INTEF/CN=ejemplo.org (4) eap_tls : --> issuer = /C=ES/ST=Madrid/O=INTEF/CN=ejemplo.org (4) eap_tls : --> verify return:1 (4) eap_tls : chain-depth=0, (4) eap_tls : error=0 (4) eap_tls : --> User-Name = juan (4) eap_tls : --> BUF-Name = juan (4) eap_tls : --> subject = /C=ES/ST=Madrid/O=INTEF/CN=juan (4) eap_tls : --> issuer = /C=ES/ST=Madrid/O=INTEF/CN=ejemplo.org (4) eap_tls : --> verify return:1 (4) eap_tls : TLS_accept: SSLv3 read client certificate A (4) eap_tls : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange (4) eap_tls : TLS_accept: SSLv3 read client key exchange A (4) eap_tls : <<< TLS 1.0 Handshake [length 0106], CertificateVerify (4) eap_tls : TLS_accept: SSLv3 read certificate verify A (4) eap_tls : <<< TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_tls : <<< TLS 1.0 Handshake [length 0010], Finished (4) eap_tls : TLS_accept: SSLv3 read finished A (4) eap_tls : >>> TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_tls : TLS_accept: SSLv3 write change cipher spec A (4) eap_tls : >>> TLS 1.0 Handshake [length 0010], Finished (4) eap_tls : TLS_accept: SSLv3 write finished A (4) eap_tls : TLS_accept: SSLv3 flush data SSL: adding session e538ae19205137b530866cbe9c73fda07251b82edf134c60a8556d5601036be8 to cache (4) eap_tls : (other): SSL negotiation finished successfully SSL Connection Established (4) eap_tls : eaptls_process returned 13 (4) eap : New EAP session, adding 'State' attribute to reply 0x4b06bc534f03b123 (4) [eap] = handled (4) } # authenticate = handled Sending Access-Challenge Id 43 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x010500450d800000003b1403010001011603010030b6f41d63244fff84ccbe996ef0b09ff2 9df45c4049b85e335adae27b0653521c7719c521ec4e3b611d6c399e2458022b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b06bc534f03b123a5815ce5986a7061 (4) Finished request Waking up in 0.2 seconds. Received Access-Request Id 44 from 192.168.60.1:1024 to 192.168.50.62:1812 length 205 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020500060d00 State = 0x4b06bc534f03b123a5815ce5986a7061 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0xe145b729ae7f53c07a05f6250273b5a5 (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix : No '@' in User-Name = "juan", looking up realm NULL (5) suffix : No such realm "NULL" (5) [suffix] = noop (5) eap : EAP packet type response id 5 length 6 (5) eap : No EAP Start, assuming it's an on-going EAP conversation (5) [eap] = updated (5) [files] = noop rlm_ldap (ldap): Reserved connection (4) (5) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (5) ldap : --> (uid=juan) (5) ldap : EXPAND dc=ejemplo,dc=org (5) ldap : --> dc=ejemplo,dc=org (5) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (5) ldap : Waiting for search result... (5) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (5) ldap : No cacheable group memberships found in user object (5) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (5) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl o\2cdc\3dorg)) (5) ldap : EXPAND dc=ejemplo,dc=org (5) ldap : --> dc=ejemplo,dc=org (5) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp lo\2cdc\3dorg))', scope 'sub' (5) ldap : Waiting for search result... (5) ldap : Added control:Ldap-Group with value "profesores" (5) ldap : Processing user attributes (5) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (5) [ldap] = ok (5) foreach &control:LDAP-Group (5) update reply { (5) EXPAND %{Foreach-Variable-0} (5) --> profesores (5) &Ruckus-User-Groups += '"profesores"' (5) } # update reply = noop (5) } # foreach &control:LDAP-Group = noop (5) [expiration] = noop (5) [logintime] = noop (5) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (5) WARNING: pap : Auth-Type already set. Not setting to PAP (5) [pap] = noop (5) } # authorize = updated (5) Found Auth-Type = EAP (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap : Expiring EAP session with state 0x4b06bc534f03b123 (5) eap : Finished EAP session with state 0x4b06bc534f03b123 (5) eap : Previous EAP request found for state 0x4b06bc534f03b123, released from the list (5) eap : Peer sent TLS (13) (5) eap : EAP TLS (13) (5) eap : Calling eap_tls to process EAP data (5) eap_tls : Authenticate (5) eap_tls : processing EAP-TLS (5) eap_tls : Received TLS ACK (5) eap_tls : Received TLS ACK (5) eap_tls : ACK handshake is finished (5) eap_tls : eaptls_verify returned 3 (5) eap_tls : eaptls_process returned 3 (5) eap_tls : Saving session e538ae19205137b530866cbe9c73fda07251b82edf134c60a8556d5601036be8 vps 0x2886620 in the cache (5) eap : Freeing handler (5) [eap] = ok (5) } # authenticate = ok (5) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (5) post-auth { (5) cache : EXPAND %{User-Name} (5) cache : --> juan (5) cache : Creating entry for "juan" (5) cache : control:LDAP-Group += &control:LDAP-Group (5) cache : Inserted entry, TTL 3600 seconds (5) [cache] = updated (5) foreach &control:LDAP-Group (5) update reply { CAUGHT SIGNAL: Segmentation fault Backtrace of last 25 frames: /usr/lib/freeradius/libfreeradius-radius.so(fr_fault+0x61)[0x7f56ae6cbc51] /lib/x86_64-linux-gnu/libpthread.so.0(+0xf030)[0x7f56ad415030] /usr/lib/freeradius/libfreeradius-radius.so(+0x1505e)[0x7f56ae6d605e] /usr/lib/freeradius/libfreeradius-server.so(+0x136b7)[0x7f56ae90a6b7] /usr/lib/freeradius/libfreeradius-server.so(+0x13998)[0x7f56ae90a998] /usr/lib/freeradius/libfreeradius-server.so(+0x144c4)[0x7f56ae90b4c4] /usr/lib/freeradius/libfreeradius-server.so(+0x14532)[0x7f56ae90b532] /usr/lib/freeradius/libfreeradius-server.so(radius_map2vp+0x1ef)[0x7f56ae905 def] /usr/lib/freeradius/libfreeradius-server.so(radius_map2request+0xa6)[0x7f56a e905386] freeradius[0x41f955] freeradius[0x41fd1a] freeradius[0x41f221] freeradius[0x41f3de] freeradius(modcall+0x3d)[0x4204fd] freeradius(indexed_modcall+0xb3)[0x41dc03] freeradius(rad_postauth+0x5e)[0x40f57e] freeradius[0x42ca9c] freeradius[0x429d05] freeradius(request_receive+0x247)[0x42af27] freeradius[0x4190a8] freeradius[0x42966d] /usr/lib/freeradius/libfreeradius-radius.so(fr_event_loop+0x2d9)[0x7f56ae6e5 629] freeradius(main+0x65a)[0x40eb2a] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7f56acc1bead] freeradius[0x40ee85] Calling: gdb -silent -x /etc/freeradius/panic.gdb freeradius 3192 2>&1 | tee /var/log/freeradius/gdb-freeradius-3192.log Temporarily setting PR_DUMPABLE to 1 sh: 1: gdb: not found Resetting PR_DUMPABLE to 0 Panic action exited with 0
On 9 Jun 2014, at 10:31, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
Calling: gdb -silent -x /etc/freeradius/panic.gdb freeradius 3192 2>&1 | tee /var/log/freeradius/gdb-freeradius-3192.log Temporarily setting PR_DUMPABLE to 1 sh: 1: gdb: not found Resetting PR_DUMPABLE to 0 Panic action exited with 0
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
sh: 1: gdb: not found
I know, I noticed I didn't have gdb installed right after sending that email :) Now THIS is the full debug output: Received Access-Request Id 39 from 192.168.60.1:1024 to 192.168.50.62:1812 length 190 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x02000009016a75616e Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x6ccb32c7b00d65c7617e787ee0f8862b (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "juan", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : EAP packet type response id 0 length 9 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap : Peer sent Identity (1) (0) eap : Calling eap_tls to process EAP data (0) eap_tls : Flushing SSL sessions (of #0) (0) eap_tls : Requiring client certificate (0) eap_tls : Initiate (0) eap_tls : Requiring client certificate (0) eap_tls : Start returned 1 (0) eap : New EAP session, adding 'State' attribute to reply 0x4b06bc534b07b123 (0) [eap] = handled (0) } # authenticate = handled Sending Access-Challenge Id 39 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b06bc534b07b123a5815ce5986a7061 (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 40 from 192.168.60.1:1024 to 192.168.50.62:1812 length 304 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020100690d800000005f160301005a01000056030153957c5a9884652d6bb6c5d6bb19564d4010cad78f6021d6f9bb42a26c6332a0000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 State = 0x4b06bc534b07b123a5815ce5986a7061 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x424c68d593e8b471a7168fa8f90c84aa (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : No '@' in User-Name = "juan", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop (1) eap : EAP packet type response id 1 length 105 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop rlm_ldap (ldap): Reserved connection (4) (1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap : --> (uid=juan) (1) ldap : EXPAND dc=ejemplo,dc=org (1) ldap : --> dc=ejemplo,dc=org (1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (1) ldap : Waiting for search result... (1) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (1) ldap : No cacheable group memberships found in user object (1) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (1) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg)) (1) ldap : EXPAND dc=ejemplo,dc=org (1) ldap : --> dc=ejemplo,dc=org (1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))', scope 'sub' (1) ldap : Waiting for search result... (1) ldap : Added control:Ldap-Group with value "profesores" (1) ldap : Processing user attributes (1) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (1) [ldap] = ok (1) foreach &control:LDAP-Group (1) update reply { (1) EXPAND %{Foreach-Variable-0} (1) --> profesores (1) &Ruckus-User-Groups += '"profesores"' (1) } # update reply = noop (1) } # foreach &control:LDAP-Group = noop (1) [expiration] = noop (1) [logintime] = noop (1) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (1) WARNING: pap : Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = EAP (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0x4b06bc534b07b123 (1) eap : Finished EAP session with state 0x4b06bc534b07b123 (1) eap : Previous EAP request found for state 0x4b06bc534b07b123, released from the list (1) eap : Peer sent TLS (13) (1) eap : EAP TLS (13) (1) eap : Calling eap_tls to process EAP data (1) eap_tls : Authenticate (1) eap_tls : processing EAP-TLS TLS Length 95 (1) eap_tls : Length Included (1) eap_tls : eaptls_verify returned 11 (1) eap_tls : (other): before/accept initialization (1) eap_tls : TLS_accept: before/accept initialization (1) eap_tls : <<< TLS 1.0 Handshake [length 005a], ClientHello (1) eap_tls : TLS_accept: SSLv3 read client hello A (1) eap_tls : >>> TLS 1.0 Handshake [length 0051], ServerHello (1) eap_tls : TLS_accept: SSLv3 write server hello A (1) eap_tls : >>> TLS 1.0 Handshake [length 0707], Certificate (1) eap_tls : TLS_accept: SSLv3 write certificate A (1) eap_tls : >>> TLS 1.0 Handshake [length 0056], CertificateRequest (1) eap_tls : TLS_accept: SSLv3 write certificate request A (1) eap_tls : TLS_accept: SSLv3 flush data (1) eap_tls : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (1) eap_tls : eaptls_process returned 13 (1) eap : New EAP session, adding 'State' attribute to reply 0x4b06bc534a04b123 (1) [eap] = handled (1) } # authenticate = handled Sending Access-Challenge Id 40 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x010203ec0dc0000007bd16030100510200004d030153800d41db8bc00fc64e65976eef8ad505728f175a82585bb671517fa25b004220e538ae19205137b530866cbe9c73fda07251b82edf134c60a8556d5601036be8002f000005ff0100010016030107070b00070300070000039b308203973082027fa003020102020900c43f77feef6a22ef300d06092a864886f70d01010505003044310b3009060355040613024553310f300d06035504080c064d6164726964310e300c060355040a0c05494e5445463114301206035504030c0b656a656d706c6f2e6f7267301e170d3134303532303037313134325a170d3135303532303037313134325a3055310b3009060355040613024553310f300d06035504080c064d6164726964310f300d06035504070c064d6164726964310e300c060355040a0c05494e5445463114301206035504030c0b656a656d706c6f2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100d86d13ea2fa99efe3982e0ceface40d345221a17f49a4cbdf8774fc1cea663192790995f1df5c32c30ea86fe5190ff99a3012ff8e54e94de9d81e96fb282562e1264f059238606c51afebce65604a4902dcdfc803041f6240e2c7a03cca18c70238e9c0fda027487bcb8868c95850aae68986c068f737434eecdbbbdaabfd83780ce9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b06bc534a04b123a5815ce5986a7061 (1) Finished request Waking up in 0.3 seconds. Received Access-Request Id 41 from 192.168.60.1:1024 to 192.168.50.62:1812 length 205 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020200060d00 State = 0x4b06bc534a04b123a5815ce5986a7061 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x957db049fc1d0e94a5a57f9776395e30 (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "juan", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) eap : EAP packet type response id 2 length 6 (2) eap : No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) [files] = noop rlm_ldap (ldap): Reserved connection (4) (2) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (2) ldap : --> (uid=juan) (2) ldap : EXPAND dc=ejemplo,dc=org (2) ldap : --> dc=ejemplo,dc=org (2) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (2) ldap : Waiting for search result... (2) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (2) ldap : No cacheable group memberships found in user object (2) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (2) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg)) (2) ldap : EXPAND dc=ejemplo,dc=org (2) ldap : --> dc=ejemplo,dc=org (2) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))', scope 'sub' (2) ldap : Waiting for search result... (2) ldap : Added control:Ldap-Group with value "profesores" (2) ldap : Processing user attributes (2) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (2) [ldap] = ok (2) foreach &control:LDAP-Group (2) update reply { (2) EXPAND %{Foreach-Variable-0} (2) --> profesores (2) &Ruckus-User-Groups += '"profesores"' (2) } # update reply = noop (2) } # foreach &control:LDAP-Group = noop (2) [expiration] = noop (2) [logintime] = noop (2) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (2) WARNING: pap : Auth-Type already set. Not setting to PAP (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = EAP (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0x4b06bc534a04b123 (2) eap : Finished EAP session with state 0x4b06bc534a04b123 (2) eap : Previous EAP request found for state 0x4b06bc534a04b123, released from the list (2) eap : Peer sent TLS (13) (2) eap : EAP TLS (13) (2) eap : Calling eap_tls to process EAP data (2) eap_tls : Authenticate (2) eap_tls : processing EAP-TLS (2) eap_tls : Received TLS ACK (2) eap_tls : Received TLS ACK (2) eap_tls : ACK handshake fragment handler (2) eap_tls : eaptls_verify returned 1 (2) eap_tls : eaptls_process returned 13 (2) eap : New EAP session, adding 'State' attribute to reply 0x4b06bc534905b123 (2) [eap] = handled (2) } # authenticate = handled Sending Access-Challenge Id 41 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x010303e50d80000007bd3849d248b1dfa322109bc7213dc7b995e11cf1ec9e393177e1d411f1b83700035f3082035b30820243a003020102020900c43f77feef6a22ee300d06092a864886f70d01010505003044310b3009060355040613024553310f300d06035504080c064d6164726964310e300c060355040a0c05494e5445463114301206035504030c0b656a656d706c6f2e6f7267301e170d3134303532303037303835355a170d3137303531393037303835355a3044310b3009060355040613024553310f300d06035504080c064d6164726964310e300c060355040a0c05494e5445463114301206035504030c0b656a656d706c6f2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b34d31cc087201a6f5f91e1f411fbe7c8175e68364d88e7bc6fb454918d40aca5f65cb2caf0496d4c7ef1b62379ab4ddfc60338d8785d6f4b208091cda2f566d39b233c9a76cfcd2e14a21a5c1c1ad30c6c6734fb0024ef4511a78679f4b2e6085113cb24d3229fa288b7ae5a460348f253fa438172cfb0b2c66c005747d6b716d6e221e492e793c17439a19d638bc84ecde2aaf864e1b22007c29b5aa056637d4dd4bde4783dd1b2994b87522662742b8c5477ce8c39227a3bf8b71b2dce5323150b49cd27134e4a79f7f98d371cad38b0e72363efbc62 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b06bc534905b123a5815ce5986a7061 (2) Finished request Waking up in 0.2 seconds. Received Access-Request Id 42 from 192.168.60.1:1024 to 192.168.50.62:1812 length 1701 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020305d40dc0000005d916030105990b0003890003860003833082037f30820267a003020102020900c43f77feef6a22f0300d06092a864886f70d01010505003044310b3009060355040613024553310f300d06035504080c064d6164726964310e300c060355040a0c05494e5445463114301206035504030c0b656a656d706c6f2e6f7267301e170d3134303532313035323130335a170d3135303532313035323130335a303d310b3009060355040613024553310f300d06035504080c064d6164726964310e300c060355040a0c05494e544546310d300b06035504030c046a75616e30820122300d06092a864886f70d01010105000382010f003082010a0282010100d8fe45c46e4743d7ecaf6c82f5206a6d1683234f11e54af93501eba03aaadf6c4a123bb2aeebce0717b6930a3e550f9e75e38fb7f0057acebdeecb6d396c4547ed2cb496d887ae6973982c7b708898d3d4e080c44679ffc2eeea7b707f3d03aacfd8544465a96f0988366c5c8a8fd9e84bd38006f71b572a526759eaf147a20c21f42ef7c8f8c37915768eec7e41402c3869e8c06a06d6d53a3fac290b9db34a737a55ce6c3bc544396ee4f35ff28622c2318c57b0ce8b86aac710ed16e56960d4a2fafbe851afb250256e5b03cf37f52ace63f3eb801d78d6e2e3ebdb4ac5493bbca5129d60cbea4a1f7e96391a9216a State = 0x4b06bc534905b123a5815ce5986a7061 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x73f8a458222a4c6bb7eec10883f1b056 (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : No '@' in User-Name = "juan", looking up realm NULL (3) suffix : No such realm "NULL" (3) [suffix] = noop (3) eap : EAP packet type response id 3 length 1492 (3) eap : No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) [files] = noop rlm_ldap (ldap): Reserved connection (4) (3) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (3) ldap : --> (uid=juan) (3) ldap : EXPAND dc=ejemplo,dc=org (3) ldap : --> dc=ejemplo,dc=org (3) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (3) ldap : Waiting for search result... (3) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (3) ldap : No cacheable group memberships found in user object (3) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (3) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg)) (3) ldap : EXPAND dc=ejemplo,dc=org (3) ldap : --> dc=ejemplo,dc=org (3) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))', scope 'sub' (3) ldap : Waiting for search result... (3) ldap : Added control:Ldap-Group with value "profesores" (3) ldap : Processing user attributes (3) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (3) [ldap] = ok (3) foreach &control:LDAP-Group (3) update reply { (3) EXPAND %{Foreach-Variable-0} (3) --> profesores (3) &Ruckus-User-Groups += '"profesores"' (3) } # update reply = noop (3) } # foreach &control:LDAP-Group = noop (3) [expiration] = noop (3) [logintime] = noop (3) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (3) WARNING: pap : Auth-Type already set. Not setting to PAP (3) [pap] = noop (3) } # authorize = updated (3) Found Auth-Type = EAP (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0x4b06bc534905b123 (3) eap : Finished EAP session with state 0x4b06bc534905b123 (3) eap : Previous EAP request found for state 0x4b06bc534905b123, released from the list (3) eap : Peer sent TLS (13) (3) eap : EAP TLS (13) (3) eap : Calling eap_tls to process EAP data (3) eap_tls : Authenticate (3) eap_tls : processing EAP-TLS TLS Length 1497 (3) eap_tls : Received EAP-TLS First Fragment of the message (3) eap_tls : eaptls_verify returned 9 (3) eap_tls : eaptls_process returned 13 (3) eap : New EAP session, adding 'State' attribute to reply 0x4b06bc534802b123 (3) [eap] = handled (3) } # authenticate = handled Sending Access-Challenge Id 42 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x010400060d00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b06bc534802b123a5815ce5986a7061 (3) Finished request Waking up in 0.2 seconds. Received Access-Request Id 43 from 192.168.60.1:1024 to 192.168.50.62:1812 length 220 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020400150d003739040f9689b4ab4612f7dce2d48e State = 0x4b06bc534802b123a5815ce5986a7061 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x39dbec026a12ec8acebb4f68297652a0 (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix : No '@' in User-Name = "juan", looking up realm NULL (4) suffix : No such realm "NULL" (4) [suffix] = noop (4) eap : EAP packet type response id 4 length 21 (4) eap : No EAP Start, assuming it's an on-going EAP conversation (4) [eap] = updated (4) [files] = noop rlm_ldap (ldap): Reserved connection (4) (4) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (4) ldap : --> (uid=juan) (4) ldap : EXPAND dc=ejemplo,dc=org (4) ldap : --> dc=ejemplo,dc=org (4) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (4) ldap : Waiting for search result... (4) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (4) ldap : No cacheable group memberships found in user object (4) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (4) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg)) (4) ldap : EXPAND dc=ejemplo,dc=org (4) ldap : --> dc=ejemplo,dc=org (4) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))', scope 'sub' (4) ldap : Waiting for search result... (4) ldap : Added control:Ldap-Group with value "profesores" (4) ldap : Processing user attributes (4) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (4) [ldap] = ok (4) foreach &control:LDAP-Group (4) update reply { (4) EXPAND %{Foreach-Variable-0} (4) --> profesores (4) &Ruckus-User-Groups += '"profesores"' (4) } # update reply = noop (4) } # foreach &control:LDAP-Group = noop (4) [expiration] = noop (4) [logintime] = noop (4) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (4) WARNING: pap : Auth-Type already set. Not setting to PAP (4) [pap] = noop (4) } # authorize = updated (4) Found Auth-Type = EAP (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap : Expiring EAP session with state 0x4b06bc534802b123 (4) eap : Finished EAP session with state 0x4b06bc534802b123 (4) eap : Previous EAP request found for state 0x4b06bc534802b123, released from the list (4) eap : Peer sent TLS (13) (4) eap : EAP TLS (13) (4) eap : Calling eap_tls to process EAP data (4) eap_tls : Authenticate (4) eap_tls : processing EAP-TLS (4) eap_tls : eaptls_verify returned 7 (4) eap_tls : Done initial handshake (4) eap_tls : <<< TLS 1.0 Handshake [length 038d], Certificate (4) eap_tls : chain-depth=1, (4) eap_tls : error=0 (4) eap_tls : --> User-Name = juan (4) eap_tls : --> BUF-Name = ejemplo.org (4) eap_tls : --> subject = /C=ES/ST=Madrid/O=INTEF/CN=ejemplo.org (4) eap_tls : --> issuer = /C=ES/ST=Madrid/O=INTEF/CN=ejemplo.org (4) eap_tls : --> verify return:1 (4) eap_tls : chain-depth=0, (4) eap_tls : error=0 (4) eap_tls : --> User-Name = juan (4) eap_tls : --> BUF-Name = juan (4) eap_tls : --> subject = /C=ES/ST=Madrid/O=INTEF/CN=juan (4) eap_tls : --> issuer = /C=ES/ST=Madrid/O=INTEF/CN=ejemplo.org (4) eap_tls : --> verify return:1 (4) eap_tls : TLS_accept: SSLv3 read client certificate A (4) eap_tls : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange (4) eap_tls : TLS_accept: SSLv3 read client key exchange A (4) eap_tls : <<< TLS 1.0 Handshake [length 0106], CertificateVerify (4) eap_tls : TLS_accept: SSLv3 read certificate verify A (4) eap_tls : <<< TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_tls : <<< TLS 1.0 Handshake [length 0010], Finished (4) eap_tls : TLS_accept: SSLv3 read finished A (4) eap_tls : >>> TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_tls : TLS_accept: SSLv3 write change cipher spec A (4) eap_tls : >>> TLS 1.0 Handshake [length 0010], Finished (4) eap_tls : TLS_accept: SSLv3 write finished A (4) eap_tls : TLS_accept: SSLv3 flush data SSL: adding session e538ae19205137b530866cbe9c73fda07251b82edf134c60a8556d5601036be8 to cache (4) eap_tls : (other): SSL negotiation finished successfully SSL Connection Established (4) eap_tls : eaptls_process returned 13 (4) eap : New EAP session, adding 'State' attribute to reply 0x4b06bc534f03b123 (4) [eap] = handled (4) } # authenticate = handled Sending Access-Challenge Id 43 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x010500450d800000003b1403010001011603010030b6f41d63244fff84ccbe996ef0b09ff29df45c4049b85e335adae27b0653521c7719c521ec4e3b611d6c399e2458022b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b06bc534f03b123a5815ce5986a7061 (4) Finished request Waking up in 0.2 seconds. Received Access-Request Id 44 from 192.168.60.1:1024 to 192.168.50.62:1812 length 205 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020500060d00 State = 0x4b06bc534f03b123a5815ce5986a7061 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0xe145b729ae7f53c07a05f6250273b5a5 (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix : No '@' in User-Name = "juan", looking up realm NULL (5) suffix : No such realm "NULL" (5) [suffix] = noop (5) eap : EAP packet type response id 5 length 6 (5) eap : No EAP Start, assuming it's an on-going EAP conversation (5) [eap] = updated (5) [files] = noop rlm_ldap (ldap): Reserved connection (4) (5) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (5) ldap : --> (uid=juan) (5) ldap : EXPAND dc=ejemplo,dc=org (5) ldap : --> dc=ejemplo,dc=org (5) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (5) ldap : Waiting for search result... (5) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (5) ldap : No cacheable group memberships found in user object (5) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (5) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg)) (5) ldap : EXPAND dc=ejemplo,dc=org (5) ldap : --> dc=ejemplo,dc=org (5) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))', scope 'sub' (5) ldap : Waiting for search result... (5) ldap : Added control:Ldap-Group with value "profesores" (5) ldap : Processing user attributes (5) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (5) [ldap] = ok (5) foreach &control:LDAP-Group (5) update reply { (5) EXPAND %{Foreach-Variable-0} (5) --> profesores (5) &Ruckus-User-Groups += '"profesores"' (5) } # update reply = noop (5) } # foreach &control:LDAP-Group = noop (5) [expiration] = noop (5) [logintime] = noop (5) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (5) WARNING: pap : Auth-Type already set. Not setting to PAP (5) [pap] = noop (5) } # authorize = updated (5) Found Auth-Type = EAP (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap : Expiring EAP session with state 0x4b06bc534f03b123 (5) eap : Finished EAP session with state 0x4b06bc534f03b123 (5) eap : Previous EAP request found for state 0x4b06bc534f03b123, released from the list (5) eap : Peer sent TLS (13) (5) eap : EAP TLS (13) (5) eap : Calling eap_tls to process EAP data (5) eap_tls : Authenticate (5) eap_tls : processing EAP-TLS (5) eap_tls : Received TLS ACK (5) eap_tls : Received TLS ACK (5) eap_tls : ACK handshake is finished (5) eap_tls : eaptls_verify returned 3 (5) eap_tls : eaptls_process returned 3 (5) eap_tls : Saving session e538ae19205137b530866cbe9c73fda07251b82edf134c60a8556d5601036be8 vps 0x2886620 in the cache (5) eap : Freeing handler (5) [eap] = ok (5) } # authenticate = ok (5) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (5) post-auth { (5) cache : EXPAND %{User-Name} (5) cache : --> juan (5) cache : Creating entry for "juan" (5) cache : control:LDAP-Group += &control:LDAP-Group (5) cache : Inserted entry, TTL 3600 seconds (5) [cache] = updated (5) foreach &control:LDAP-Group (5) update reply { CAUGHT SIGNAL: Segmentation fault Backtrace of last 25 frames: /usr/lib/freeradius/libfreeradius-radius.so(fr_fault+0x61)[0x7fbab66d2c51] /lib/x86_64-linux-gnu/libpthread.so.0(+0xf030)[0x7fbab541c030] /usr/lib/freeradius/libfreeradius-radius.so(+0x1505e)[0x7fbab66dd05e] /usr/lib/freeradius/libfreeradius-server.so(+0x136b7)[0x7fbab69116b7] /usr/lib/freeradius/libfreeradius-server.so(+0x13998)[0x7fbab6911998] /usr/lib/freeradius/libfreeradius-server.so(+0x144c4)[0x7fbab69124c4] /usr/lib/freeradius/libfreeradius-server.so(+0x14532)[0x7fbab6912532] /usr/lib/freeradius/libfreeradius-server.so(radius_map2vp+0x1ef)[0x7fbab690cdef] /usr/lib/freeradius/libfreeradius-server.so(radius_map2request+0xa6)[0x7fbab690c386] freeradius[0x41f955] freeradius[0x41fd1a] freeradius[0x41f221] freeradius[0x41f3de] freeradius(modcall+0x3d)[0x4204fd] freeradius(indexed_modcall+0xb3)[0x41dc03] freeradius(rad_postauth+0x5e)[0x40f57e] freeradius[0x42ca9c] freeradius[0x429d05] freeradius(request_receive+0x247)[0x42af27] freeradius[0x4190a8] freeradius[0x42966d] /usr/lib/freeradius/libfreeradius-radius.so(fr_event_loop+0x2d9)[0x7fbab66ec629] freeradius(main+0x65a)[0x40eb2a] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7fbab4c22ead] freeradius[0x40ee85] Calling: gdb -silent -x /etc/freeradius/panic.gdb freeradius 3658 2>&1 | tee /var/log/freeradius/gdb-freeradius-3658.log Temporarily setting PR_DUMPABLE to 1 Reading symbols from /usr/sbin/freeradius...Reading symbols from /usr/lib/debug/usr/sbin/freeradius...done. done. Attaching to program: /usr/sbin/freeradius, process 3658 Reading symbols from /usr/lib/freeradius/libfreeradius-server.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/libfreeradius-server.so...done. done. Loaded symbols for /usr/lib/freeradius/libfreeradius-server.so Reading symbols from /usr/lib/freeradius/libfreeradius-radius.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/libfreeradius-radius.so...done. done. Loaded symbols for /usr/lib/freeradius/libfreeradius-radius.so Reading symbols from /usr/lib/freeradius/libfreeradius-eap.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/libfreeradius-eap.so...done. done. Loaded symbols for /usr/lib/freeradius/libfreeradius-eap.so Reading symbols from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 Reading symbols from /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 Reading symbols from /usr/lib/x86_64-linux-gnu/libtalloc.so.2...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libtalloc.so.2 Reading symbols from /lib/x86_64-linux-gnu/libnsl.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libnsl.so.1 Reading symbols from /lib/x86_64-linux-gnu/libresolv.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libresolv.so.2 Reading symbols from /lib/x86_64-linux-gnu/libdl.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libdl.so.2 Reading symbols from /lib/x86_64-linux-gnu/libpthread.so.0...(no debugging symbols found)...done. [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Loaded symbols for /lib/x86_64-linux-gnu/libpthread.so.0 Reading symbols from /lib/x86_64-linux-gnu/libreadline.so.6...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libreadline.so.6 Reading symbols from /lib/x86_64-linux-gnu/libcrypt.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libcrypt.so.1 Reading symbols from /lib/x86_64-linux-gnu/libc.so.6...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libc.so.6 Reading symbols from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libpcap.so.0.8 Reading symbols from /lib/x86_64-linux-gnu/libz.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libz.so.1 Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done. Loaded symbols for /lib64/ld-linux-x86-64.so.2 Reading symbols from /lib/x86_64-linux-gnu/libtinfo.so.5...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libtinfo.so.5 Reading symbols from /lib/x86_64-linux-gnu/libnss_compat.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libnss_compat.so.2 Reading symbols from /lib/x86_64-linux-gnu/libnss_nis.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libnss_nis.so.2 Reading symbols from /lib/x86_64-linux-gnu/libnss_files.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libnss_files.so.2 Reading symbols from /usr/lib/freeradius/rlm_exec.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_exec.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_exec.so Reading symbols from /usr/lib/freeradius/rlm_preprocess.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_preprocess.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_preprocess.so Reading symbols from /usr/lib/freeradius/rlm_digest.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_digest.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_digest.so Reading symbols from /usr/lib/freeradius/rlm_cache.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_cache.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_cache.so Reading symbols from /usr/lib/freeradius/rlm_replicate.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_replicate.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_replicate.so Reading symbols from /usr/lib/freeradius/rlm_dhcp.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_dhcp.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_dhcp.so Reading symbols from /usr/lib/freeradius/rlm_detail.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_detail.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_detail.so Reading symbols from /usr/lib/freeradius/rlm_linelog.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_linelog.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_linelog.so Reading symbols from /usr/lib/freeradius/rlm_always.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_always.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_always.so Reading symbols from /usr/lib/freeradius/rlm_chap.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_chap.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_chap.so Reading symbols from /usr/lib/freeradius/rlm_mschap.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_mschap.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_mschap.so Reading symbols from /usr/lib/freeradius/rlm_pap.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_pap.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_pap.so Reading symbols from /usr/lib/freeradius/rlm_soh.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_soh.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_soh.so Reading symbols from /usr/lib/freeradius/rlm_attr_filter.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_attr_filter.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_attr_filter.so Reading symbols from /usr/lib/freeradius/rlm_eap.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_eap.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_eap.so Reading symbols from /usr/lib/freeradius/rlm_eap_tls.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_eap_tls.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_eap_tls.so Reading symbols from /usr/lib/freeradius/rlm_eap_ttls.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_eap_ttls.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_eap_ttls.so Reading symbols from /usr/lib/freeradius/rlm_eap_peap.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_eap_peap.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_eap_peap.so Reading symbols from /usr/lib/freeradius/rlm_eap_mschapv2.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_eap_mschapv2.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_eap_mschapv2.so Reading symbols from /usr/lib/freeradius/rlm_passwd.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_passwd.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_passwd.so Reading symbols from /usr/lib/freeradius/rlm_files.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_files.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_files.so Reading symbols from /usr/lib/freeradius/rlm_logintime.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_logintime.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_logintime.so Reading symbols from /usr/lib/freeradius/rlm_unix.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_unix.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_unix.so Reading symbols from /usr/lib/freeradius/rlm_realm.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_realm.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_realm.so Reading symbols from /usr/lib/freeradius/rlm_expiration.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_expiration.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_expiration.so Reading symbols from /usr/lib/freeradius/rlm_radutmp.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_radutmp.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_radutmp.so Reading symbols from /usr/lib/freeradius/rlm_ldap.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_ldap.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_ldap.so Reading symbols from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 Reading symbols from /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 Reading symbols from /usr/lib/x86_64-linux-gnu/libsasl2.so.2...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libsasl2.so.2 Reading symbols from /usr/lib/x86_64-linux-gnu/libgnutls.so.26...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libgnutls.so.26 Reading symbols from /lib/x86_64-linux-gnu/libgcrypt.so.11...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libgcrypt.so.11 Reading symbols from /usr/lib/x86_64-linux-gnu/libtasn1.so.3...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libtasn1.so.3 Reading symbols from /usr/lib/x86_64-linux-gnu/libp11-kit.so.0...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 Reading symbols from /lib/x86_64-linux-gnu/libgpg-error.so.0...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libgpg-error.so.0 Reading symbols from /usr/lib/freeradius/rlm_utf8.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_utf8.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_utf8.so Reading symbols from /usr/lib/freeradius/rlm_dynamic_clients.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_dynamic_clients.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_dynamic_clients.so Reading symbols from /usr/lib/freeradius/rlm_unpack.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_unpack.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_unpack.so Reading symbols from /usr/lib/freeradius/rlm_expr.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_expr.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_expr.so Reading symbols from /lib/x86_64-linux-gnu/libgcc_s.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libgcc_s.so.1 0x00007fbab4cb01ee in waitpid () from /lib/x86_64-linux-gnu/libc.so.6 No symbol table info available. No symbol table info available. Thread 1 (Thread 0x7fbab6cf3700 (LWP 3658)): #0 0x00007fbab4cb01ee in waitpid () from /lib/x86_64-linux-gnu/libc.so.6 No symbol table info available. #1 0x00007fbab4c43c99 in ?? () from /lib/x86_64-linux-gnu/libc.so.6 No symbol table info available. #2 0x00007fbab66d2e10 in fr_fault (sig=11) at src/lib/debug.c:495 disable = true cmd = "gdb -silent -x /etc/freeradius/panic.gdb freeradius 3658 2>&1 | tee /var/log/freeradius/gdb-freeradius-3658.log\000\003\334A\000\000\000\000\000~\365@\000\000\000\000\000\234\312B\000\000\000\000\000\005\235B\000\000\000\000\000'\257B\000\000\000\000\000\250\220A\000\000\000\000\000m\226B\000\000\000\000\000)\306n\266\272\177\000\000*\353@\000\000\000\000\000\255.´\272\177\000\000\205\356@\000\000\000\000\000 %Զ\272\177\000\000\220h \233\377\177\000\000\340m϶\272\177\000\000\270h \233"... out = 0x7fff9b2066bb ".log" left = 425 ret = <optimized out> p = 0x7fbab68fcc67 ".log" q = 0x0 code = <optimized out> #3 <signal handler called> No symbol table info available. #4 vp_prints_value (out=out@entry=0x1aefbe0 "", outlen=outlen@entry=1024, vp=0x450, quote=quote@entry=0 '\000') at src/lib/print.c:329 v = <optimized out> buf = "\320\300l\266\272\177\000\000\220\262l\266\272\177\000\000\000\000\000\000\001\000\000\000(\001\000\000\001", '\000' <repeats 11 times>"\240, \375Ӷ\272\177\000\000\340p \233\377\177\000\000\000\000\000\000\000\000\000\000\bq \233\377\177\000\000H\372Ӷ\272\177\000\000[\257\300i\000\000\000\000\002\254\262\266\272\177", '\000' <repeats 18 times>, "\001", '\000' <repeats 15 times>, "\001\000\000\000\377\177\000\000H\372Ӷ\272\177\000\000`p \233\001\000\000\000xp \233\377\177\000\000pp \233\001\000\000\000\243\345浺\177\000\000\000\000\000\000\000\000\000\000\240\375Ӷ\272\177\000\000\220p \233\377\177\000\000\250p \233\377\177\000\000A\000\000\000\001\000\000\000mt@\000\000\000\000\000\r\000\000\000\000\000\000\000\203\321l\266\272\177\000\000gIo\266\272\177\000\000\200\212\256\001\000\000\000\000h<L\266\272\177\000\000\000\000\000\000\000\000\000\000\320\365\r\266"... a = <optimized out> t = <optimized out> s_tm = {tm_sec = 0, tm_min = 0, tm_hour = -1243180912, tm_mday = 32698, tm_mon = 1851880810, tm_year = 32512, tm_wday = 2239, tm_yday = 1, tm_isdst = 0, tm_gmtoff = 0, tm_zone = 0x7fbab6d3fa48 ""} len = <optimized out> freespace = <optimized out> #5 0x00007fbab66dd732 in vp_prints_value (out=out@entry=0x1aefbe0 "", outlen=outlen@entry=1024, vp=<optimized out>, quote=quote@entry=0 '\000') at src/lib/print.c:996 freespace = 1024 #6 0x00007fbab69116b7 in xlat_foreach (instance=<optimized out>, request=0x1aed770, fmt=<optimized out>, out=0x1aefbe0 "", outlen=1024) at src/main/xlat.c:387 pvp = <optimized out> len = <optimized out> #7 0x00007fbab6911998 in xlat_aprint (ctx=ctx@entry=0x1aed770, request=0x1aed770, node=0x1ab3b70, escape=escape@entry=0, escape_ctx=escape_ctx@entry=0x0, lvl=0) at src/main/xlat.c:1978 rcode = <optimized out> str = 0x1aefbe0 "" child = <optimized out> ref = <optimized out> #8 0x00007fbab69124c4 in xlat_process (out=0x7fff9b2074b8, request=0x1aed770, head=<optimized out>, escape=0, escape_ctx=0x0) at src/main/xlat.c:2075 i = <optimized out> list = <optimized out> total = <optimized out> array = <optimized out> answer = <optimized out> node = <optimized out> #9 0x00007fbab6912532 in xlat_expand_struct (out=0x7fff9b207508, outlen=0, request=<optimized out>, node=<optimized out>, escape=<optimized out>, escape_ctx=<optimized out>) at src/main/xlat.c:2147 buff = 0x0 len = <optimized out> #10 0x00007fbab690cdef in radius_map2vp (out=0x7fff9b207580, request=0x1aed770, map=0x1ab0530, ctx=<optimized out>) at src/main/valuepair.c:1384 slen = <optimized out> str = 0x0 rcode = 0 vp = 0x1af0830 found = <optimized out> from = 0x0 da = 0x197afe0 context = 0x1aed770 cursor = {first = 0x7fff9b207a40, found = 0x7fbab6913faf, last = 0x0, current = 0x3000000020, next = 0x7fff9b207600} #11 0x00007fbab690c386 in radius_map2request (request=request@entry=0x1aed770, map=map@entry=0x1ab0530, src=src@entry=0x4402d4 "update", func=func@entry=0x7fbab690cc00 <radius_map2vp>, ctx=ctx@entry=0x0) at src/main/valuepair.c:982 rcode = <optimized out> num = <optimized out> list = 0x1aed960 vp = <optimized out> head = 0x0 context = 0x1aed770 parent = 0x1aed8f0 cursor = {first = 0x7fbab4f897a0, found = 0x7fbab4c47870, last = 0x32, current = 0x1, next = 0x1} #12 0x000000000041f955 in modcall_recurse (request=request@entry=0x1aed770, component=component@entry=RLM_COMPONENT_POST_AUTH, depth=depth@entry=2, entry=entry@entry=0x7fff9b207a40) at src/main/modcall.c:593 rcode = <optimized out> map = 0x1ab0530 if_taken = false was_if = false c = <optimized out> priority = <optimized out> result = RLM_MODULE_UNKNOWN #13 0x000000000041fd1a in modcall_recurse (request=0x1aed770, component=RLM_COMPONENT_POST_AUTH, depth=1, entry=entry@entry=0x7fff9b207a28) at src/main/modcall.c:698 i = <optimized out> vps = 0x1af0700 tail = <optimized out> vp = 0x7fff9b207298 cursor = {first = 0x7fff9b2077a0, found = 0x0, last = 0x0, current = 0x1af0700, next = 0x0} foreach_depth = 1 next = 0x7fff9b207a40 if_taken = false was_if = false c = <optimized out> priority = <optimized out> result = RLM_MODULE_UPDATED #14 0x000000000041f221 in modcall_child (request=<optimized out>, component=<optimized out>, depth=<optimized out>, entry=0x7fff9b207a10, c=<optimized out>, result=0x7fff9b20790c) at src/main/modcall.c:409 next = 0x7fff9b207a28 #15 0x000000000041f3de in modcall_recurse (request=request@entry=0x1aed770, component=component@entry=RLM_COMPONENT_POST_AUTH, depth=depth@entry=0, entry=entry@entry=0x7fff9b207a10) at src/main/modcall.c:779 if_taken = false was_if = false c = <optimized out> priority = <optimized out> result = RLM_MODULE_UNKNOWN #16 0x00000000004204fd in modcall ( component=component@entry=RLM_COMPONENT_POST_AUTH, c=c@entry=0x1ab0260, request=request@entry=0x1aed770) at src/main/modcall.c:1089 stack = {{result = RLM_MODULE_NOOP, priority = 0, unwind = 0, c = 0x1ab0260}, {result = RLM_MODULE_UPDATED, priority = 4, unwind = 0, c = 0x1ab0450}, {result = RLM_MODULE_UPDATED, priority = 0, unwind = 0, c = 0x1ab0760}, {result = 34, priority = 0, unwind = 28256031, c = 0x67ed4b8300000003}, { result = 197336782, priority = -1996055297, unwind = -93018346, c = 0x80}, {result = RLM_MODULE_REJECT, priority = 0, unwind = 28256045, c = 0x0}, {result = 28255024, priority = 0, unwind = 25204016, c = 0x10}, {result = 16, priority = 0, unwind = -1692370200, c = 0xc}, {result = RLM_MODULE_REJECT, priority = 0, unwind = -1692370136, c = 0x10}, {result = 28223840, priority = 0, unwind = -1692369904, c = 0x7fff9b207cd0}, { result = 2602597584, priority = 32767, unwind = 27084624, c = 0xcd}, {result = 3060646811, priority = 32698, unwind = 640, c = 0x7fff9b207b70}, {result = 2602597584, priority = 32767, unwind = -1692369984, c = 0xb0}, {result = 3036196536, priority = 32698, unwind = -1258770744, c = 0x1af2670}, { result = 96, priority = 0, unwind = -1258770848, c = 0xd0}, { result = 909522437, priority = 11, unwind = 86, c = 0x1af2330}, { result = 3036196448, priority = 32698, unwind = 160, c = 0x7fbab66f4967}, {result = 28223024, priority = 0, unwind = -1258770848, c = 0x56}, {result = RLM_MODULE_NOTFOUND, priority = 0, unwind = 86, c = 0x1af273d}, {result = 3033005056, priority = 32698, unwind = -1234220697, c = 0x1aea630}, { result = 3060737701, priority = 32698, unwind = 0, c = 0x6}, { result = 28235632, priority = 0, unwind = 7, c = 0x7}, { result = 27974944, priority = 0, unwind = 27984480, c = 0x43b6da}, {result = 3062972335, priority = 32698, unwind = 16, c = 0x3000000020}, {result = 2602597664, priority = 32767, unwind = -1692369824, c = 0x0}, {result = 3060670126, priority = 32698, unwind = 0, c = 0x12}, {result = 4437722, priority = 0, unwind = 27298224, c = 0x1aea968}, { result = 3060670671, priority = 32698, unwind = 205, c = 0x1af2330}, {result = RLM_MODULE_REJECT, priority = 0, unwind = 27084624, c = 0x1aee4a0}, {result = RLM_MODULE_REJECT, priority = 0, unwind = -2050928176, c = 0x7fbab66e7c5a}, { result = 3036196552, priority = 32698, unwind = 28239008, c = 0x80}, {result = 4312016, priority = 0, unwind = -1692369688, c = 0x1aed770}} #17 0x000000000041dc03 in indexed_modcall ( comp=comp@entry=RLM_COMPONENT_POST_AUTH, idx=idx@entry=0, request=request@entry=0x1aed770) at src/main/modules.c:818 rcode = <optimized out> list = 0x1ab0260 server = 0x1aadd20 #18 0x000000000041e89f in process_post_auth ( postauth_type=postauth_type@entry=0, request=request@entry=0x1aed770) at src/main/modules.c:1864 No locals. #19 0x000000000040f57e in rad_postauth (request=request@entry=0x1aed770) at src/main/auth.c:303 result = <optimized out> postauth_type = 0 vp = <optimized out> #20 0x000000000042ca9c in request_finish (action=<optimized out>, request=0x1aed770) at src/main/process.c:1277 vp = <optimized out> #21 request_running (action=<optimized out>, request=0x1aed770) at src/main/process.c:1452 No locals. #22 request_running (request=0x1aed770, action=<optimized out>) at src/main/process.c:1373 No locals. #23 0x0000000000429d05 in request_queue_or_run (request=0x1aed770, process=process@entry=0x42c5c0 <request_running>) at src/main/process.c:965 No locals. #24 0x000000000042af27 in request_receive (listener=listener@entry=0x1ab2f10, packet=0x1af2330, client=client@entry=0x19d3f60, fun=fun@entry=0x40f5c0 <rad_authenticate>) at src/main/process.c:1632 count = <optimized out> packet_p = <optimized out> request = 0x1aed770 now = {tv_sec = 1400902544, tv_usec = 680450} sock = <optimized out> #25 0x00000000004190a8 in auth_socket_recv (listener=0x1ab2f10) at src/main/listen.c:1532 rcode = <optimized out> code = 1 src_port = 1024 packet = 0x1af2330 fun = 0x40f5c0 <rad_authenticate> client = 0x19d3f60 src_ipaddr = {af = 2, ipaddr = {ip4addr = {s_addr = 20752576}, ip6addr = {__in6_u = { __u6_addr8 = "\300\250<\001\036\304\374\003\000\000\000\000\\\222l\266", __u6_addr16 = {43200, 316, 50206, 1020, 0, 0, 37468, 46700}, __u6_addr32 = {20752576, 66896926, 0, 3060568668}}}}, scope = 32698} #26 0x000000000042966d in event_socket_handler (xel=<optimized out>, fd=<optimized out>, ctx=<optimized out>) at src/main/process.c:3842 listener = <optimized out> #27 0x00007fbab66ec629 in fr_event_loop (el=0x17fe190) at src/lib/event.c:495 ef = 0x17fe1f8 i = <optimized out> rcode = 1 maxfd = 16 when = {tv_sec = 1400902544, tv_usec = 887485} wake = <optimized out> read_fds = {fds_bits = {16384, 0 <repeats 15 times>}} master_fds = {fds_bits = {124928, 0 <repeats 15 times>}} #28 0x000000000042e2f1 in radius_event_process () at src/main/process.c:4726 No locals. #29 0x000000000040eb2a in main (argc=<optimized out>, argv=<optimized out>) at src/main/radiusd.c:544 rcode = 0 status = <optimized out> argval = <optimized out> spawn_flag = false write_pid = false flag = 0 from_child = {-1, -1} autofree = 0x17fe060 A debugging session is active. Inferior 1 [process 3658] will be detached. Quit anyway? (y or n) [answered Y; input not from terminal] Resetting PR_DUMPABLE to 0 Panic action exited with 0
On 9 Jun 2014, at 10:53, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
sh: 1: gdb: not found
I know, I noticed I didn't have gdb installed right after sending that email :) Now THIS is the full debug output:
Already fixed in v3.0.x HEAD. https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/ChangeLog#L4... Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 9 Jun 2014, at 11:01, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 9 Jun 2014, at 10:53, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
sh: 1: gdb: not found
I know, I noticed I didn't have gdb installed right after sending that email :) Now THIS is the full debug output:
Already fixed in v3.0.x HEAD.
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/ChangeLog#L4...
Use https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_4_rc1.ta... -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
sh: 1: gdb: not found
I know, I noticed I didn't have gdb installed right after sending that email :) Now THIS is the full debug output:
Already fixed in v3.0.x HEAD.
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/Change Log#L41
Use https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_4_rc1.ta r.gz
-Arran
Thanks, I've downloaded it and started compiling using the debian rules with dpkg-buildpackage, but it looks like they're still broken and it runs into an infinite loop. Is there another build script for debian somewhere? Or, will 3.0.4 be available in the repository for Debian 7 soon? Thanks again!
On 9 Jun 2014, at 12:33, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
sh: 1: gdb: not found
I know, I noticed I didn't have gdb installed right after sending that email :) Now THIS is the full debug output:
Already fixed in v3.0.x HEAD.
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/Change Log#L41
Use https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_4_rc1.ta r.gz
-Arran
Thanks, I've downloaded it and started compiling using the debian rules with dpkg-buildpackage, but it looks like they're still broken and it runs into an infinite loop.
*sigh*
Is there another build script for debian somewhere? Or, will 3.0.4 be available in the repository for Debian 7 soon?
You should just be able to do make deb from the top level directory. I've never seen the issue you're seeing. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Use https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_4_ rc1.ta r.gz
-Arran
Thanks, I've downloaded it and started compiling using the debian rules with dpkg-buildpackage, but it looks like they're still broken and it runs into an infinite loop.
*sigh*
Well, I was just following http://wiki.freeradius.org/building/Build#Building-Debian-packages
Is there another build script for debian somewhere? Or, will 3.0.4 be available in the repository for Debian 7 soon?
You should just be able to do make deb from the top level directory.
I've never seen the issue you're seeing.
-Arran
Now I downloaded the package again, extracted it, cd'ed into it extracted and ran 'make deb'... twenty minutes later it's still running ./configure for each freeradius module over and over... If I look carefully, after a bunch of checking lines there are a few config.status lines (creating all.mk, creating config.h, config.h is unchanged) and right after that some warnings about several unrecognized options: --disable-developer, --with-raddbdir, --with-logdir, --with-large-files, etc (in total, 11 options were unrecognized when running configure for rlm_python, which is the only one I can see now that I hit ^C) Then it goes on to another module and prints those messages again. So I wonder why this fails (or doesn't get to end) in my system but runs peacefully in yours :S Anyway, thanks for all the help :)
On Mon, Jun 9, 2014 at 7:17 PM, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
Then it goes on to another module and prints those messages again. So I wonder why this fails (or doesn't get to end) in my system but runs peacefully in yours :S
IIRC your last issue was incorrect server time, causing the build system to behave erratic (due to files with timestamp in the future). Have you fixed that? -- Fajar
Then it goes on to another module and prints those messages again. So I wonder why this fails (or doesn't get to end) in my system but runs peacefully in yours :S
IIRC your last issue was incorrect server time, causing the build system to behave erratic (due to files with timestamp in the future). Have you fixed that?
Thanks guys, I totally forgot about the time issue... there were no warnings about that though (but they were there last time I tried, right?), but now it's already CCing everything into place :)
Then it goes on to another module and prints those messages again. So I wonder why this fails (or doesn't get to end) in my system but runs peacefully in yours :S
IIRC your last issue was incorrect server time, causing the build system to behave erratic (due to files with timestamp in the future). Have you fixed that?
Thanks guys, I totally forgot about the time issue... there were no warnings about that though (but they were there last time I tried, right?), but now it's already CCing everything into place :)
So I built it, installed the packages I needed and got a new segfault... now it happens on request (6) instead of (5), but I'm not sure if that's relevant. Anyway, this is the debug output: Received Access-Request Id 5 from 192.168.60.1:1024 to 192.168.50.62:1812 length 205 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020500060d00 State = 0xa4cbf168a0cefc9b914d34b0ba196cbd Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0xecdfd4ad623a552db1db005ac3852121 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "juan", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp (0) eap : EAP packet type response id 5 length 6 (0) eap : No EAP Start, assuming it's an on-going EAP conversation SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp (0) [eap] = updated (0) [files] = noop rlm_ldap (ldap): Reserved connection (4) (0) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap : --> (uid=juan) (0) ldap : EXPAND dc=ejemplo,dc=org (0) ldap : --> dc=ejemplo,dc=org (0) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (0) ldap : Waiting for search result... (0) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (0) ldap : No cacheable group memberships found in user object (0) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (0) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg)) (0) ldap : EXPAND dc=ejemplo,dc=org (0) ldap : --> dc=ejemplo,dc=org (0) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))', scope 'sub' (0) ldap : Waiting for search result... (0) ldap : Added control:Ldap-Group with value "profesores" (0) ldap : Processing user attributes (0) ldap : control:Password-With-Header += '1234' rlm_ldap (ldap): Released connection (4) (0) [ldap] = ok (0) foreach &control:LDAP-Group (0) update reply { (0) EXPAND %{Foreach-Variable-0} (0) --> profesores (0) &Ruckus-User-Groups += "profesores" (0) } # update reply = noop (0) } # foreach &control:LDAP-Group = noop (0) [expiration] = noop (0) [logintime] = noop (0) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (0) WARNING: pap : Auth-Type already set. Not setting to PAP (0) [pap] = noop (0) } # authorize = updated (0) Found Auth-Type = EAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { rlm_eap (EAP): No EAP session matching state 0xa4cbf168a0cefc9b (0) eap : Either EAP-request timed out OR EAP-response to an unknown EAP-request (0) eap : Failed in handler (0) [eap] = invalid (0) } # authenticate = invalid (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> juan (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp rlm_eap (EAP): No EAP session matching state 0xa4cbf168a0cefc9b (0) eap : Either EAP-request timed out OR EAP-response to an unknown EAP-request (0) eap : Failed to get handler, probably already removed, not inserting EAP-Failure (0) [eap] = noop (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (reply:EAP-Message && reply:Reply-Message) SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp (0) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1 seconds Waking up in 0.3 seconds. Received Access-Request Id 7 from 192.168.60.1:1024 to 192.168.50.62:1812 length 190 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x02080009016a75616e Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x9430d795753bf83410e56c2415fc6d37 (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : No '@' in User-Name = "juan", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp (1) eap : EAP packet type response id 8 length 9 (1) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = EAP SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap : Peer sent Identity (1) (1) eap : Calling eap_tls to process EAP data (1) eap_tls : Flushing SSL sessions (of #0) (1) eap_tls : Requiring client certificate (1) eap_tls : Initiate (1) eap_tls : Requiring client certificate (1) eap_tls : Start returned 1 (1) eap : New EAP session, adding 'State' attribute to reply 0x39f9f21739f0ff37 (1) [eap] = handled (1) } # authenticate = handled Sending Access-Challenge Id 7 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x010900060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x39f9f21739f0ff379b07374ed4d5dd35 (1) Finished request Waking up in 0.3 seconds. Received Access-Request Id 8 from 192.168.60.1:1024 to 192.168.50.62:1812 length 304 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020900690d800000005f160301005a0100005603015395bdf89d5eff13d69d9cc15d945142971cdc6712658d56fe4931cc4abf8d66000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 State = 0x39f9f21739f0ff379b07374ed4d5dd35 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0xe03f497cea2f738954c8b4904ebc2131 (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "juan", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp: Unknown value 'Challenge' for attribute 'Post-Auth-Type' (2) eap : EAP packet type response id 9 length 105 (2) eap : No EAP Start, assuming it's an on-going EAP conversation SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp (2) [eap] = updated (2) [files] = noop rlm_ldap (ldap): Reserved connection (4) (2) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (2) ldap : --> (uid=juan) (2) ldap : EXPAND dc=ejemplo,dc=org (2) ldap : --> dc=ejemplo,dc=org (2) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (2) ldap : Waiting for search result... (2) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (2) ldap : No cacheable group memberships found in user object (2) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (2) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg)) (2) ldap : EXPAND dc=ejemplo,dc=org (2) ldap : --> dc=ejemplo,dc=org (2) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))', scope 'sub' (2) ldap : Waiting for search result... (2) ldap : Added control:Ldap-Group with value "profesores" (2) ldap : Processing user attributes (2) ldap : control:Password-With-Header += '1234' rlm_ldap (ldap): Released connection (4) (2) [ldap] = ok (2) foreach &control:LDAP-Group (2) update reply { (2) EXPAND %{Foreach-Variable-0} (2) --> profesores (2) &Ruckus-User-Groups += "profesores" (2) } # update reply = noop (2) } # foreach &control:LDAP-Group = noop (2) [expiration] = noop (2) [logintime] = noop (2) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (2) WARNING: pap : Auth-Type already set. Not setting to PAP (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = EAP (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0x39f9f21739f0ff37 (2) eap : Finished EAP session with state 0x39f9f21739f0ff37 (2) eap : Previous EAP request found for state 0x39f9f21739f0ff37, released from the list (2) eap : Peer sent TLS (13) (2) eap : EAP TLS (13) (2) eap : Calling eap_tls to process EAP data (2) eap_tls : Authenticate (2) eap_tls : processing EAP-TLS TLS Length 95 (2) eap_tls : Length Included (2) eap_tls : eaptls_verify returned 11 (2) eap_tls : (other): before/accept initialization (2) eap_tls : TLS_accept: before/accept initialization (2) eap_tls : <<< TLS 1.0 Handshake [length 005a], ClientHello (2) eap_tls : TLS_accept: SSLv3 read client hello A (2) eap_tls : >>> TLS 1.0 Handshake [length 0051], ServerHello (2) eap_tls : TLS_accept: SSLv3 write server hello A (2) eap_tls : >>> TLS 1.0 Handshake [length 0707], Certificate (2) eap_tls : TLS_accept: SSLv3 write certificate A (2) eap_tls : >>> TLS 1.0 Handshake [length 0056], CertificateRequest (2) eap_tls : TLS_accept: SSLv3 write certificate request A (2) eap_tls : TLS_accept: SSLv3 flush data (2) eap_tls : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (2) eap_tls : eaptls_process returned 13 (2) eap : New EAP session, adding 'State' attribute to reply 0x39f9f21738f3ff37 (2) [eap] = handled (2) } # authenticate = handled Sending Access-Challenge Id 8 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x010a03ec0dc0000007bd16030100510200004d03015395be552852ff94c141362425e0b8dfb7a8843166dec9db1214d731e433ac922044c0607deceaeaaf33012e8dae4e7fc6e6fc860ad2551162f2dd2648060e2e87002f000005ff0100010016030107070b00070300070000039b308203973082027fa003020102020900c43f77feef6a22ef300d06092a864886f70d01010505003044310b3009060355040613024553310f300d06035504080c064d6164726964310e300c060355040a0c05494e5445463114301206035504030c0b656a656d706c6f2e6f7267301e170d3134303532303037313134325a170d3135303532303037313134325a3055310b3009060355040613024553310f300d06035504080c064d6164726964310f300d06035504070c064d6164726964310e300c060355040a0c05494e5445463114301206035504030c0b656a656d706c6f2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100d86d13ea2fa99efe3982e0ceface40d345221a17f49a4cbdf8774fc1cea663192790995f1df5c32c30ea86fe5190ff99a3012ff8e54e94de9d81e96fb282562e1264f059238606c51afebce65604a4902dcdfc803041f6240e2c7a03cca18c70238e9c0fda027487bcb8868c95850aae68986c068f737434eecdbbbdaabfd83780ce9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x39f9f21738f3ff379b07374ed4d5dd35 (2) Finished request Waking up in 0.3 seconds. Received Access-Request Id 9 from 192.168.60.1:1024 to 192.168.50.62:1812 length 205 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020a00060d00 State = 0x39f9f21738f3ff379b07374ed4d5dd35 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0xbf22d41890a45c48318aad0ec1d13877 (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : No '@' in User-Name = "juan", looking up realm NULL (3) suffix : No such realm "NULL" (3) [suffix] = noop SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp: Unknown value 'Challenge' for attribute 'Post-Auth-Type' (3) eap : EAP packet type response id 10 length 6 (3) eap : No EAP Start, assuming it's an on-going EAP conversation SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp (3) [eap] = updated (3) [files] = noop rlm_ldap (ldap): Reserved connection (4) (3) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (3) ldap : --> (uid=juan) (3) ldap : EXPAND dc=ejemplo,dc=org (3) ldap : --> dc=ejemplo,dc=org (3) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (3) ldap : Waiting for search result... (3) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (3) ldap : No cacheable group memberships found in user object (3) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (3) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg)) (3) ldap : EXPAND dc=ejemplo,dc=org (3) ldap : --> dc=ejemplo,dc=org (3) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))', scope 'sub' (3) ldap : Waiting for search result... (3) ldap : Added control:Ldap-Group with value "profesores" (3) ldap : Processing user attributes (3) ldap : control:Password-With-Header += '1234' rlm_ldap (ldap): Released connection (4) (3) [ldap] = ok (3) foreach &control:LDAP-Group (3) update reply { (3) EXPAND %{Foreach-Variable-0} (3) --> profesores (3) &Ruckus-User-Groups += "profesores" (3) } # update reply = noop (3) } # foreach &control:LDAP-Group = noop (3) [expiration] = noop (3) [logintime] = noop (3) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (3) WARNING: pap : Auth-Type already set. Not setting to PAP (3) [pap] = noop (3) } # authorize = updated (3) Found Auth-Type = EAP (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0x39f9f21738f3ff37 (3) eap : Finished EAP session with state 0x39f9f21738f3ff37 (3) eap : Previous EAP request found for state 0x39f9f21738f3ff37, released from the list (3) eap : Peer sent TLS (13) (3) eap : EAP TLS (13) (3) eap : Calling eap_tls to process EAP data (3) eap_tls : Authenticate (3) eap_tls : processing EAP-TLS (3) eap_tls : Received TLS ACK (3) eap_tls : Received TLS ACK (3) eap_tls : ACK handshake fragment handler (3) eap_tls : eaptls_verify returned 1 (3) eap_tls : eaptls_process returned 13 (3) eap : New EAP session, adding 'State' attribute to reply 0x39f9f2173bf2ff37 (3) [eap] = handled (3) } # authenticate = handled Sending Access-Challenge Id 9 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x010b03e50d80000007bd3849d248b1dfa322109bc7213dc7b995e11cf1ec9e393177e1d411f1b83700035f3082035b30820243a003020102020900c43f77feef6a22ee300d06092a864886f70d01010505003044310b3009060355040613024553310f300d06035504080c064d6164726964310e300c060355040a0c05494e5445463114301206035504030c0b656a656d706c6f2e6f7267301e170d3134303532303037303835355a170d3137303531393037303835355a3044310b3009060355040613024553310f300d06035504080c064d6164726964310e300c060355040a0c05494e5445463114301206035504030c0b656a656d706c6f2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b34d31cc087201a6f5f91e1f411fbe7c8175e68364d88e7bc6fb454918d40aca5f65cb2caf0496d4c7ef1b62379ab4ddfc60338d8785d6f4b208091cda2f566d39b233c9a76cfcd2e14a21a5c1c1ad30c6c6734fb0024ef4511a78679f4b2e6085113cb24d3229fa288b7ae5a460348f253fa438172cfb0b2c66c005747d6b716d6e221e492e793c17439a19d638bc84ecde2aaf864e1b22007c29b5aa056637d4dd4bde4783dd1b2994b87522662742b8c5477ce8c39227a3bf8b71b2dce5323150b49cd27134e4a79f7f98d371cad38b0e72363efbc62 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x39f9f2173bf2ff379b07374ed4d5dd35 (3) Finished request Waking up in 0.2 seconds. Received Access-Request Id 10 from 192.168.60.1:1024 to 192.168.50.62:1812 length 1701 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020b05d40dc0000005d916030105990b0003890003860003833082037f30820267a003020102020900c43f77feef6a22f0300d06092a864886f70d01010505003044310b3009060355040613024553310f300d06035504080c064d6164726964310e300c060355040a0c05494e5445463114301206035504030c0b656a656d706c6f2e6f7267301e170d3134303532313035323130335a170d3135303532313035323130335a303d310b3009060355040613024553310f300d06035504080c064d6164726964310e300c060355040a0c05494e544546310d300b06035504030c046a75616e30820122300d06092a864886f70d01010105000382010f003082010a0282010100d8fe45c46e4743d7ecaf6c82f5206a6d1683234f11e54af93501eba03aaadf6c4a123bb2aeebce0717b6930a3e550f9e75e38fb7f0057acebdeecb6d396c4547ed2cb496d887ae6973982c7b708898d3d4e080c44679ffc2eeea7b707f3d03aacfd8544465a96f0988366c5c8a8fd9e84bd38006f71b572a526759eaf147a20c21f42ef7c8f8c37915768eec7e41402c3869e8c06a06d6d53a3fac290b9db34a737a55ce6c3bc544396ee4f35ff28622c2318c57b0ce8b86aac710ed16e56960d4a2fafbe851afb250256e5b03cf37f52ace63f3eb801d78d6e2e3ebdb4ac5493bbca5129d60cbea4a1f7e96391a9216a State = 0x39f9f2173bf2ff379b07374ed4d5dd35 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x0e14e13b59dc144435645c484cb0e448 (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix : No '@' in User-Name = "juan", looking up realm NULL (4) suffix : No such realm "NULL" (4) [suffix] = noop SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp: Unknown value 'Challenge' for attribute 'Post-Auth-Type' (4) eap : EAP packet type response id 11 length 1492 (4) eap : No EAP Start, assuming it's an on-going EAP conversation SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp (4) [eap] = updated (4) [files] = noop rlm_ldap (ldap): Reserved connection (4) (4) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (4) ldap : --> (uid=juan) (4) ldap : EXPAND dc=ejemplo,dc=org (4) ldap : --> dc=ejemplo,dc=org (4) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (4) ldap : Waiting for search result... (4) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (4) ldap : No cacheable group memberships found in user object (4) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (4) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg)) (4) ldap : EXPAND dc=ejemplo,dc=org (4) ldap : --> dc=ejemplo,dc=org (4) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))', scope 'sub' (4) ldap : Waiting for search result... (4) ldap : Added control:Ldap-Group with value "profesores" (4) ldap : Processing user attributes (4) ldap : control:Password-With-Header += '1234' rlm_ldap (ldap): Released connection (4) (4) [ldap] = ok (4) foreach &control:LDAP-Group (4) update reply { (4) EXPAND %{Foreach-Variable-0} (4) --> profesores (4) &Ruckus-User-Groups += "profesores" (4) } # update reply = noop (4) } # foreach &control:LDAP-Group = noop (4) [expiration] = noop (4) [logintime] = noop (4) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (4) WARNING: pap : Auth-Type already set. Not setting to PAP (4) [pap] = noop (4) } # authorize = updated (4) Found Auth-Type = EAP (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap : Expiring EAP session with state 0x39f9f2173bf2ff37 (4) eap : Finished EAP session with state 0x39f9f2173bf2ff37 (4) eap : Previous EAP request found for state 0x39f9f2173bf2ff37, released from the list (4) eap : Peer sent TLS (13) (4) eap : EAP TLS (13) (4) eap : Calling eap_tls to process EAP data (4) eap_tls : Authenticate (4) eap_tls : processing EAP-TLS TLS Length 1497 (4) eap_tls : Received EAP-TLS First Fragment of the message (4) eap_tls : eaptls_verify returned 9 (4) eap_tls : eaptls_process returned 13 (4) eap : New EAP session, adding 'State' attribute to reply 0x39f9f2173af5ff37 (4) [eap] = handled (4) } # authenticate = handled Sending Access-Challenge Id 10 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x010c00060d00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x39f9f2173af5ff379b07374ed4d5dd35 (4) Finished request Waking up in 0.2 seconds. Received Access-Request Id 11 from 192.168.60.1:1024 to 192.168.50.62:1812 length 220 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020c00150d0056857ad842f31a556f416db6e7a853 State = 0x39f9f2173af5ff379b07374ed4d5dd35 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x5e640531cb070698807ff86d2c05343b (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix : No '@' in User-Name = "juan", looking up realm NULL (5) suffix : No such realm "NULL" (5) [suffix] = noop SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp: Unknown value 'Challenge' for attribute 'Post-Auth-Type' (5) eap : EAP packet type response id 12 length 21 (5) eap : No EAP Start, assuming it's an on-going EAP conversation SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp (5) [eap] = updated (5) [files] = noop rlm_ldap (ldap): Reserved connection (4) (5) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (5) ldap : --> (uid=juan) (5) ldap : EXPAND dc=ejemplo,dc=org (5) ldap : --> dc=ejemplo,dc=org (5) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (5) ldap : Waiting for search result... (5) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (5) ldap : No cacheable group memberships found in user object (5) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (5) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg)) (5) ldap : EXPAND dc=ejemplo,dc=org (5) ldap : --> dc=ejemplo,dc=org (5) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))', scope 'sub' (5) ldap : Waiting for search result... (5) ldap : Added control:Ldap-Group with value "profesores" (5) ldap : Processing user attributes (5) ldap : control:Password-With-Header += '1234' rlm_ldap (ldap): Released connection (4) (5) [ldap] = ok (5) foreach &control:LDAP-Group (5) update reply { (5) EXPAND %{Foreach-Variable-0} (5) --> profesores (5) &Ruckus-User-Groups += "profesores" (5) } # update reply = noop (5) } # foreach &control:LDAP-Group = noop (5) [expiration] = noop (5) [logintime] = noop (5) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (5) WARNING: pap : Auth-Type already set. Not setting to PAP (5) [pap] = noop (5) } # authorize = updated (5) Found Auth-Type = EAP (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap : Expiring EAP session with state 0x39f9f2173af5ff37 (5) eap : Finished EAP session with state 0x39f9f2173af5ff37 (5) eap : Previous EAP request found for state 0x39f9f2173af5ff37, released from the list (5) eap : Peer sent TLS (13) (5) eap : EAP TLS (13) (5) eap : Calling eap_tls to process EAP data (5) eap_tls : Authenticate (5) eap_tls : processing EAP-TLS (5) eap_tls : eaptls_verify returned 7 (5) eap_tls : Done initial handshake (5) eap_tls : <<< TLS 1.0 Handshake [length 038d], Certificate (5) eap_tls : chain-depth=1, (5) eap_tls : error=0 (5) eap_tls : --> User-Name = juan (5) eap_tls : --> BUF-Name = ejemplo.org (5) eap_tls : --> subject = /C=ES/ST=Madrid/O=INTEF/CN=ejemplo.org (5) eap_tls : --> issuer = /C=ES/ST=Madrid/O=INTEF/CN=ejemplo.org (5) eap_tls : --> verify return:1 (5) eap_tls : chain-depth=0, (5) eap_tls : error=0 (5) eap_tls : --> User-Name = juan (5) eap_tls : --> BUF-Name = juan (5) eap_tls : --> subject = /C=ES/ST=Madrid/O=INTEF/CN=juan (5) eap_tls : --> issuer = /C=ES/ST=Madrid/O=INTEF/CN=ejemplo.org (5) eap_tls : --> verify return:1 (5) eap_tls : TLS_accept: SSLv3 read client certificate A (5) eap_tls : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange (5) eap_tls : TLS_accept: SSLv3 read client key exchange A (5) eap_tls : <<< TLS 1.0 Handshake [length 0106], CertificateVerify (5) eap_tls : TLS_accept: SSLv3 read certificate verify A (5) eap_tls : <<< TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_tls : <<< TLS 1.0 Handshake [length 0010], Finished (5) eap_tls : TLS_accept: SSLv3 read finished A (5) eap_tls : >>> TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_tls : TLS_accept: SSLv3 write change cipher spec A (5) eap_tls : >>> TLS 1.0 Handshake [length 0010], Finished (5) eap_tls : TLS_accept: SSLv3 write finished A (5) eap_tls : TLS_accept: SSLv3 flush data SSL: adding session 44c0607deceaeaaf33012e8dae4e7fc6e6fc860ad2551162f2dd2648060e2e87 to cache (5) eap_tls : (other): SSL negotiation finished successfully SSL Connection Established (5) eap_tls : eaptls_process returned 13 (5) eap : New EAP session, adding 'State' attribute to reply 0x39f9f2173df4ff37 (5) [eap] = handled (5) } # authenticate = handled Sending Access-Challenge Id 11 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x010d00450d800000003b1403010001011603010030b9ad085afe5cbe4f82fa1f3e9d5b764c811772c14bcfaa360f96f9e9796adbe2ce2c5ab23ee9b802d59c2d37f893e73c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x39f9f2173df4ff379b07374ed4d5dd35 (5) Finished request Waking up in 0.2 seconds. Received Access-Request Id 12 from 192.168.60.1:1024 to 192.168.50.62:1812 length 205 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020d00060d00 State = 0x39f9f2173df4ff379b07374ed4d5dd35 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0xe13f28cf718772b7a359a695064f6119 (6) # Executing section authorize from file /etc/freeradius/sites-enabled/default (6) authorize { (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix : No '@' in User-Name = "juan", looking up realm NULL (6) suffix : No such realm "NULL" (6) [suffix] = noop SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp: Unknown value 'Challenge' for attribute 'Post-Auth-Type' (6) eap : EAP packet type response id 13 length 6 (6) eap : No EAP Start, assuming it's an on-going EAP conversation SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp (6) [eap] = updated (6) [files] = noop rlm_ldap (ldap): Reserved connection (4) (6) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (6) ldap : --> (uid=juan) (6) ldap : EXPAND dc=ejemplo,dc=org (6) ldap : --> dc=ejemplo,dc=org (6) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (6) ldap : Waiting for search result... (6) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (6) ldap : No cacheable group memberships found in user object (6) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (6) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg)) (6) ldap : EXPAND dc=ejemplo,dc=org (6) ldap : --> dc=ejemplo,dc=org (6) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))', scope 'sub' (6) ldap : Waiting for search result... (6) ldap : Added control:Ldap-Group with value "profesores" (6) ldap : Processing user attributes (6) ldap : control:Password-With-Header += '1234' rlm_ldap (ldap): Released connection (4) (6) [ldap] = ok (6) foreach &control:LDAP-Group (6) update reply { (6) EXPAND %{Foreach-Variable-0} (6) --> profesores (6) &Ruckus-User-Groups += "profesores" (6) } # update reply = noop (6) } # foreach &control:LDAP-Group = noop (6) [expiration] = noop (6) [logintime] = noop (6) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (6) WARNING: pap : Auth-Type already set. Not setting to PAP (6) [pap] = noop (6) } # authorize = updated (6) Found Auth-Type = EAP (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) authenticate { (6) eap : Expiring EAP session with state 0x39f9f2173df4ff37 (6) eap : Finished EAP session with state 0x39f9f2173df4ff37 (6) eap : Previous EAP request found for state 0x39f9f2173df4ff37, released from the list (6) eap : Peer sent TLS (13) (6) eap : EAP TLS (13) (6) eap : Calling eap_tls to process EAP data (6) eap_tls : Authenticate (6) eap_tls : processing EAP-TLS (6) eap_tls : Received TLS ACK (6) eap_tls : Received TLS ACK (6) eap_tls : ACK handshake is finished (6) eap_tls : eaptls_verify returned 3 (6) eap_tls : eaptls_process returned 3 (6) eap_tls : Saving session 44c0607deceaeaaf33012e8dae4e7fc6e6fc860ad2551162f2dd2648060e2e87 vps 0xa99350 in the cache (6) eap : Freeing handler (6) [eap] = ok (6) } # authenticate = ok (6) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (6) post-auth { (6) cache : EXPAND %{User-Name} (6) cache : --> juan (6) cache : Creating entry for "juan" (6) cache : Adding to cache entry: (6) cache : control:LDAP-Group += &Ldap-Group -> 'profesores' (6) cache : Inserted entry, TTL 3600 seconds (6) [cache] = updated (6) foreach &control:LDAP-Group (6) update reply { CAUGHT SIGNAL: Segmentation fault Backtrace of last 26 frames: /usr/lib/freeradius/libfreeradius-radius.so(fr_fault+0x81)[0x7ff7121b40a1] /lib/x86_64-linux-gnu/libpthread.so.0(+0xf030)[0x7ff710efd030] /usr/lib/freeradius/libfreeradius-radius.so(+0x1488e)[0x7ff7121bd88e] /usr/lib/freeradius/libfreeradius-server.so(+0x14277)[0x7ff7123f4277] /usr/lib/freeradius/libfreeradius-server.so(+0x14558)[0x7ff7123f4558] /usr/lib/freeradius/libfreeradius-server.so(+0x15024)[0x7ff7123f5024] /usr/lib/freeradius/libfreeradius-server.so(+0x15092)[0x7ff7123f5092] /usr/lib/freeradius/libfreeradius-server.so(radius_map2vp+0x1cf)[0x7ff7123ef9bf] /usr/lib/freeradius/libfreeradius-server.so(radius_map2request+0xbe)[0x7ff7123eeb5e] freeradius[0x42017d] freeradius[0x42053a] freeradius[0x41fa61] freeradius[0x41fc18] freeradius(modcall+0x3d)[0x420d3d] freeradius(indexed_modcall+0xb3)[0x41e363] freeradius(rad_postauth+0x5e)[0x40fb3e] freeradius[0x42912c] freeradius[0x42ddbf] freeradius[0x42a7b7] freeradius(request_receive+0x253)[0x42c103] freeradius[0x419822] freeradius[0x42a0bd] /usr/lib/freeradius/libfreeradius-radius.so(fr_event_loop+0x2d9)[0x7ff7121cd7d9] freeradius(main+0x64a)[0x40f0ca] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7ff710703ead] freeradius[0x40f439] Calling: gdb -silent -x /etc/freeradius/panic.gdb freeradius 12135 2>&1 | tee /var/log/freeradius/gdb-freeradius-12135.log Temporarily setting PR_DUMPABLE to 1 Reading symbols from /usr/sbin/freeradius...Reading symbols from /usr/lib/debug/usr/sbin/freeradius...done. done. Attaching to program: /usr/sbin/freeradius, process 12135 Reading symbols from /usr/lib/freeradius/libfreeradius-server.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/libfreeradius-server.so...done. done. Loaded symbols for /usr/lib/freeradius/libfreeradius-server.so Reading symbols from /usr/lib/freeradius/libfreeradius-radius.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/libfreeradius-radius.so...done. done. Loaded symbols for /usr/lib/freeradius/libfreeradius-radius.so Reading symbols from /usr/lib/freeradius/libfreeradius-eap.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/libfreeradius-eap.so...done. done. Loaded symbols for /usr/lib/freeradius/libfreeradius-eap.so Reading symbols from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 Reading symbols from /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 Reading symbols from /usr/lib/x86_64-linux-gnu/libtalloc.so.2...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libtalloc.so.2 Reading symbols from /lib/x86_64-linux-gnu/libnsl.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libnsl.so.1 Reading symbols from /lib/x86_64-linux-gnu/libresolv.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libresolv.so.2 Reading symbols from /lib/x86_64-linux-gnu/libdl.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libdl.so.2 Reading symbols from /lib/x86_64-linux-gnu/libpthread.so.0...(no debugging symbols found)...done. [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Loaded symbols for /lib/x86_64-linux-gnu/libpthread.so.0 Reading symbols from /lib/x86_64-linux-gnu/libreadline.so.6...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libreadline.so.6 Reading symbols from /lib/x86_64-linux-gnu/libcrypt.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libcrypt.so.1 Reading symbols from /lib/x86_64-linux-gnu/libc.so.6...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libc.so.6 Reading symbols from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libpcap.so.0.8 Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done. Loaded symbols for /lib64/ld-linux-x86-64.so.2 Reading symbols from /lib/x86_64-linux-gnu/libz.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libz.so.1 Reading symbols from /lib/x86_64-linux-gnu/libtinfo.so.5...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libtinfo.so.5 Reading symbols from /lib/x86_64-linux-gnu/libnss_compat.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libnss_compat.so.2 Reading symbols from /lib/x86_64-linux-gnu/libnss_nis.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libnss_nis.so.2 Reading symbols from /lib/x86_64-linux-gnu/libnss_files.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libnss_files.so.2 Reading symbols from /usr/lib/freeradius/rlm_exec.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_exec.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_exec.so Reading symbols from /usr/lib/freeradius/rlm_preprocess.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_preprocess.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_preprocess.so Reading symbols from /usr/lib/freeradius/rlm_digest.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_digest.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_digest.so Reading symbols from /usr/lib/freeradius/rlm_cache.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_cache.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_cache.so Reading symbols from /usr/lib/freeradius/rlm_replicate.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_replicate.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_replicate.so Reading symbols from /usr/lib/freeradius/rlm_dhcp.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_dhcp.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_dhcp.so Reading symbols from /usr/lib/freeradius/rlm_detail.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_detail.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_detail.so Reading symbols from /usr/lib/freeradius/rlm_linelog.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_linelog.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_linelog.so Reading symbols from /usr/lib/freeradius/rlm_always.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_always.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_always.so Reading symbols from /usr/lib/freeradius/rlm_chap.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_chap.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_chap.so Reading symbols from /usr/lib/freeradius/rlm_mschap.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_mschap.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_mschap.so Reading symbols from /usr/lib/freeradius/rlm_pap.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_pap.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_pap.so Reading symbols from /usr/lib/freeradius/rlm_soh.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_soh.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_soh.so Reading symbols from /usr/lib/freeradius/rlm_attr_filter.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_attr_filter.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_attr_filter.so Reading symbols from /usr/lib/freeradius/rlm_eap.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_eap.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_eap.so Reading symbols from /usr/lib/freeradius/rlm_eap_tls.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_eap_tls.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_eap_tls.so Reading symbols from /usr/lib/freeradius/rlm_eap_ttls.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_eap_ttls.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_eap_ttls.so Reading symbols from /usr/lib/freeradius/rlm_eap_peap.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_eap_peap.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_eap_peap.so Reading symbols from /usr/lib/freeradius/rlm_eap_mschapv2.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_eap_mschapv2.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_eap_mschapv2.so Reading symbols from /usr/lib/freeradius/rlm_passwd.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_passwd.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_passwd.so Reading symbols from /usr/lib/freeradius/rlm_files.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_files.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_files.so Reading symbols from /usr/lib/freeradius/rlm_logintime.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_logintime.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_logintime.so Reading symbols from /usr/lib/freeradius/rlm_unix.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_unix.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_unix.so Reading symbols from /usr/lib/freeradius/rlm_realm.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_realm.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_realm.so Reading symbols from /usr/lib/freeradius/rlm_expiration.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_expiration.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_expiration.so Reading symbols from /usr/lib/freeradius/rlm_radutmp.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_radutmp.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_radutmp.so Reading symbols from /usr/lib/freeradius/rlm_ldap.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_ldap.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_ldap.so Reading symbols from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 Reading symbols from /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 Reading symbols from /usr/lib/x86_64-linux-gnu/libsasl2.so.2...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libsasl2.so.2 Reading symbols from /usr/lib/x86_64-linux-gnu/libgnutls.so.26...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libgnutls.so.26 Reading symbols from /lib/x86_64-linux-gnu/libgcrypt.so.11...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libgcrypt.so.11 Reading symbols from /usr/lib/x86_64-linux-gnu/libtasn1.so.3...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libtasn1.so.3 Reading symbols from /usr/lib/x86_64-linux-gnu/libp11-kit.so.0...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 Reading symbols from /lib/x86_64-linux-gnu/libgpg-error.so.0...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libgpg-error.so.0 Reading symbols from /usr/lib/freeradius/rlm_utf8.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_utf8.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_utf8.so Reading symbols from /usr/lib/freeradius/rlm_dynamic_clients.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_dynamic_clients.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_dynamic_clients.so Reading symbols from /usr/lib/freeradius/rlm_unpack.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_unpack.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_unpack.so Reading symbols from /usr/lib/freeradius/rlm_expr.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_expr.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_expr.so Reading symbols from /lib/x86_64-linux-gnu/libgcc_s.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libgcc_s.so.1 0x00007ff7107911ee in waitpid () from /lib/x86_64-linux-gnu/libc.so.6 No symbol table info available. No symbol table info available. Thread 1 (Thread 0x7ff7127d5720 (LWP 12135)): #0 0x00007ff7107911ee in waitpid () from /lib/x86_64-linux-gnu/libc.so.6 No symbol table info available. #1 0x00007ff710724c99 in ?? () from /lib/x86_64-linux-gnu/libc.so.6 No symbol table info available. #2 0x00007ff7121b425e in fr_fault (sig=11) at src/lib/debug.c:525 disable = true cmd = "gdb -silent -x /etc/freeradius/panic.gdb freeradius 12135 2>&1 | tee /var/log/freeradius/gdb-freeradius-12135.log", '\000' <repeats 418 times> out = 0x7fffdc102c4d ".log" left = 423 ret = <optimized out> p = 0x7ff7123de8c7 ".log" q = 0x0 code = <optimized out> #3 <signal handler called> No symbol table info available. #4 vp_prints_value (out=out@entry=0xaa0640 "", outlen=outlen@entry=1024, vp=0x4600000000, quote=quote@entry=0 '\000') at src/lib/print.c:329 v = <optimized out> buf = "l\242\032\022\367\177\000\000\260\070\020\334\377\177\000\000(\247\032\022\367\177\000\000\300\070\020\334\006\000\000\000\260\265\032\022\367\177\000\000\220\240\224\021\367\177", '\000' <repeats 18 times>, "H*\202\022\367\177\000\000\352:>\022\367\177\000\000\000\322\032\022\367\177\000\000\b\036>\022\367\177\000\000\000\000\000\000\001\000\000\000\233\000\000\000\001\000\000\000\000\000\000\000\001\000\000\000\240(\202\022\367\177\000\000\000\071\020\334\377\177\000\000\000\000\000\000\000\000\000\000(9\020\334\377\177\000\000H%\202\022\367\177\000\000,\273\036o\000\000\000\000\002\334`\022\367\177", '\000' <repeats 18 times>, "\001", '\000' <repeats 15 times>, "\001\000\000\000\377\177\000\000H%\202\022\367\177\000\000\001\000\000\000\000\000\000\000\343\204\034\022\367\177\000\000P\035\252\000\000\000\000\000`ݩ", '\000' <repeats 13 times>"\240, (\202\022\367\177\000\000\260"... a = <optimized out> t = <optimized out> s_tm = {tm_sec = 310222032, tm_min = 32759, tm_hour = 18, tm_mday = 0, tm_mon = 1864284972, tm_year = 0, tm_wday = 308336659, tm_yday = 32759, tm_isdst = 1774235483, tm_gmtoff = 0, tm_zone = 0x2c <Address 0x2c out of bounds>} len = <optimized out> freespace = <optimized out> #5 0x00007ff7121bdfc5 in vp_prints_value (out=out@entry=0xaa0640 "", outlen=outlen@entry=1024, vp=<optimized out>, quote=quote@entry=0 '\000') at src/lib/print.c:532 freespace = <optimized out> #6 0x00007ff7123f4277 in xlat_foreach (instance=<optimized out>, request=0xa9df10, fmt=<optimized out>, out=0xaa0640 "", outlen=1024) at src/main/xlat.c:405 pvp = <optimized out> len = <optimized out> #7 0x00007ff7123f4558 in xlat_aprint (ctx=ctx@entry=0xa9df10, request=0xa9df10, node=0xa64e60, escape=escape@entry=0, escape_ctx=escape_ctx@entry=0x0, lvl=0) at src/main/xlat.c:2004 rcode = <optimized out> str = 0xaa0640 "" child = <optimized out> ref = <optimized out> #8 0x00007ff7123f5024 in xlat_process (out=0x7fffdc103c98, request=0xa9df10, head=<optimized out>, escape=0, escape_ctx=0x0) at src/main/xlat.c:2101 i = <optimized out> list = <optimized out> total = <optimized out> array = <optimized out> answer = <optimized out> node = <optimized out> #9 0x00007ff7123f5092 in xlat_expand_struct (out=0x7fffdc103cd8, outlen=0, request=<optimized out>, node=<optimized out>, escape=<optimized out>, escape_ctx=<optimized out>) at src/main/xlat.c:2173 buff = 0x0 len = <optimized out> #10 0x00007ff7123ef9bf in radius_map2vp (out=0x7fffdc103d60, request=0xa9df10, map=0xa618e0, ctx=<optimized out>) at src/main/valuepair.c:1456 slen = <optimized out> str = 0x0 rcode = 0 vp = 0xaa1c20 found = <optimized out> from = 0x0 da = 0x9494d0 context = 0xa9df10 cursor = {first = 0x7fffdc1040f8, found = 0x0, last = 0x7ff710833420, current = 0xa61b10, next = 0xa9df10} #11 0x00007ff7123eeb5e in radius_map2request (request=request@entry=0xa9df10, map=map@entry=0xa618e0, func=func@entry=0x7ff7123ef7f0 <radius_map2vp>, ctx=ctx@entry=0x0) at src/main/valuepair.c:1003 rcode = 0 num = <optimized out> list = 0xaa40d8 vp = <optimized out> dst = <optimized out> head = 0x0 found = false context = 0xa9df10 parent = 0xaa4060 dst_list = {first = 0x3, found = 0x441b08, last = 0xa76b90, current = 0x7ff710a6a7a0, next = 0x7fffdc104430} src_list = {first = 0x7fffdc104448, found = 0x7ff7121d47f0, last = 0x7ff710a6a7a0, current = 0x7ff710728870, next = 0x9b2980} #12 0x000000000042017d in modcall_recurse (request=request@entry=0xa9df10, component=component@entry=RLM_COMPONENT_POST_AUTH, depth=depth@entry=2, entry=entry@entry=0x7fffdc104250) at src/main/modcall.c:596 rcode = <optimized out> map = 0xa618e0 if_taken = false was_if = false c = <optimized out> priority = <optimized out> result = RLM_MODULE_UNKNOWN #13 0x000000000042053a in modcall_recurse (request=0xa9df10, component=RLM_COMPONENT_POST_AUTH, depth=1, entry=entry@entry=0x7fffdc104238) at src/main/modcall.c:704 i = <optimized out> vps = 0xaa2500 vp = 0x1 cursor = {first = 0x7fffdc103fb8, found = 0xaa3930, last = 0x0, current = 0x0, next = 0x0} foreach_depth = 1 next = 0x7fffdc104250 copy = {first = 0x7fffdc103fb0, found = 0x0, last = 0x0, current = 0xaa2500, next = 0x0} if_taken = false was_if = false c = <optimized out> priority = <optimized out> result = RLM_MODULE_UPDATED #14 0x000000000041fa61 in modcall_child (request=<optimized out>, component=<optimized out>, depth=<optimized out>, entry=0x7fffdc104220, c=<optimized out>, result=0x7fffdc10411c) at src/main/modcall.c:412 next = 0x7fffdc104238 #15 0x000000000041fc18 in modcall_recurse (request=request@entry=0xa9df10, component=component@entry=RLM_COMPONENT_POST_AUTH, depth=depth@entry=0, entry=entry@entry=0x7fffdc104220) at src/main/modcall.c:783 if_taken = false was_if = false c = <optimized out> priority = <optimized out> result = RLM_MODULE_UNKNOWN #16 0x0000000000420d3d in modcall ( component=component@entry=RLM_COMPONENT_POST_AUTH, c=c@entry=0xa61610, request=request@entry=0xa9df10) at src/main/modcall.c:1092 stack = {{result = RLM_MODULE_NOOP, priority = 0, unwind = 0, c = 0xa61610}, {result = RLM_MODULE_UPDATED, priority = 4, unwind = 0, c = 0xa61800}, {result = RLM_MODULE_UPDATED, priority = 0, unwind = 0, c = 0xa61b10}, {result = 10975040, priority = 0, unwind = 16, c = 0x7ff7121c15cd}, { result = RLM_MODULE_UNKNOWN, priority = 0, unwind = -602914008, c = 0x0}, {result = 34, priority = 0, unwind = 11141487, c = 0x3}, {result = RLM_MODULE_REJECT, priority = 0, unwind = 0, c = 0x0}, { result = RLM_MODULE_REJECT, priority = 0, unwind = 11141501, c = 0x0}, {result = 10975040, priority = 0, unwind = 8223328, c = 0x10}, {result = 16, priority = 0, unwind = -602914008, c = 0xc}, {result = RLM_MODULE_REJECT, priority = 0, unwind = 0, c = 0x10}, {result = 11138512, priority = 0, unwind = 9, c = 0xcd}, {result = 3692053592, priority = 32767, unwind = -602913728, c = 0x7fffdc104500}, {result = 297950210, priority = 32759, unwind = -602913808, c = 0x7fffdc1043a0}, { result = 3692053760, priority = 32767, unwind = 303800625, c = 0xb0}, {result = 279363256, priority = 32759, unwind = 279363272, c = 0xa8}, {result = 96, priority = 0, unwind = 909522437, c = 0xd0}, {result = 909522486, priority = 11, unwind = 86, c = 0xa77740}, {result = 279363168, priority = 32759, unwind = 160, c = 0x7ff7121d5c25}, {result = 11137984, priority = 0, unwind = 279363168, c = 0x56}, { result = RLM_MODULE_NOTFOUND, priority = 0, unwind = 86, c = 0xaa018d}, {result = 11132688, priority = 0, unwind = 7, c = 0x7}, {result = 10875088, priority = 0, unwind = 10884624, c = 0x43c915}, {result = 306146127, priority = 32759, unwind = 0, c = 0x3000000020}, {result = 3692053808, priority = 32767, unwind = -602913680, c = 0x10}, {result = 303834342, priority = 32759, unwind = 16, c = 0x7fffdc1044f8}, { result = 4442389, priority = 0, unwind = 10317072, c = 0x0}, { result = 303835214, priority = 32759, unwind = 0, c = 0x12}, { result = 11141517, priority = 0, unwind = 11138520, c = 0x7fffdc104510}, {result = 303774288, priority = 32759, unwind = 11113024, c = 0x7ff7121cb7ea}, {result = 11132256, priority = 0, unwind = 11132256, c = 0x7fffdc104530}, { result = 4313904, priority = 0, unwind = 1014, c = 0xa9df10}} #17 0x000000000041e363 in indexed_modcall ( comp=comp@entry=RLM_COMPONENT_POST_AUTH, idx=idx@entry=0, request=request@entry=0xa9df10) at src/main/modules.c:818 rcode = <optimized out> list = 0xa61610 server = 0xa5f0d0 #18 0x000000000041efff in process_post_auth ( postauth_type=postauth_type@entry=0, request=request@entry=0xa9df10) at src/main/modules.c:1865 No locals. #19 0x000000000040fb3e in rad_postauth (request=request@entry=0xa9df10) at src/main/auth.c:303 result = <optimized out> postauth_type = 0 vp = <optimized out> #20 0x000000000042912c in request_finish (request=request@entry=0xa9df10, action=action@entry=1) at src/main/process.c:1274 vp = <optimized out> #21 0x000000000042ddbf in request_running (action=1, request=0xa9df10) at src/main/process.c:1461 No locals. #22 request_running (request=0xa9df10, action=<optimized out>) at src/main/process.c:1381 No locals. #23 0x000000000042a7b7 in request_queue_or_run (request=0xa9df10, process=process@entry=0x42dc70 <request_running>) at src/main/process.c:999 No locals. #24 0x000000000042c103 in request_receive (listener=listener@entry=0xa64090, packet=0xa77740, client=client@entry=0x9a2620, fun=fun@entry=0x40fb80 <rad_authenticate>) at src/main/process.c:1639 count = <optimized out> packet_p = <optimized out> request = 0xa9df10 now = {tv_sec = 1402322517, tv_usec = 877630} sock = <optimized out> #25 0x0000000000419822 in auth_socket_recv (listener=0xa64090) at src/main/listen.c:1507 rcode = <optimized out> code = 1 src_port = <optimized out> packet = 0xa77740 fun = 0x40fb80 <rad_authenticate> client = 0x9a2620 src_ipaddr = {af = 2, ipaddr = {ip4addr = {s_addr = 20752576}, ip6addr = {__in6_u = { __u6_addr8 = "\300\250<\001\036\304\374\003\000\000\000\000\260\242\032\022", __u6_addr16 = {43200, 316, 50206, 1020, 0, 0, 41648, 4634}, __u6_addr32 = {20752576, 66896926, 0, 303735472}}}}, prefix = 32 ' ', scope = 3692054640} #26 0x000000000042a0bd in event_socket_handler (xel=<optimized out>, fd=<optimized out>, ctx=<optimized out>) at src/main/process.c:3924 listener = <optimized out> #27 0x00007ff7121cd7d9 in fr_event_loop (el=0x7cc9a0) at src/lib/event.c:495 ef = 0x7cca08 i = <optimized out> rcode = 1 maxfd = 16 when = {tv_sec = 1402322518, tv_usec = 99350} wake = <optimized out> read_fds = {fds_bits = {16384, 0 <repeats 15 times>}} master_fds = {fds_bits = {124928, 0 <repeats 15 times>}} #28 0x000000000042ee91 in radius_event_process () at src/main/process.c:4785 No locals. #29 0x000000000040f0ca in main (argc=<optimized out>, argv=<optimized out>) at src/main/radiusd.c:565 rcode = 0 status = <optimized out> argval = <optimized out> spawn_flag = false write_pid = false display_version = false flag = 0 from_child = {-1, -1} autofree = 0x7af060 A debugging session is active. Inferior 1 [process 12135] will be detached. Quit anyway? (y or n) [answered Y; input not from terminal] Resetting PR_DUMPABLE to 0 Panic action exited with 0 If running under a debugger it should break <<here>>
On 9 Jun 2014, at 15:09, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
Then it goes on to another module and prints those messages again. So I wonder why this fails (or doesn't get to end) in my system but runs peacefully in yours :S
IIRC your last issue was incorrect server time, causing the build system to behave erratic (due to files with timestamp in the future). Have you fixed that?
Thanks guys, I totally forgot about the time issue... there were no warnings about that though (but they were there last time I tried, right?), but now it's already CCing everything into place :)
So I built it, installed the packages I needed and got a new segfault... now it happens on request (6) instead of (5), but I'm not sure if that's relevant. Anyway, this is the debug output:
./configure --enable-developer It's hitting a bunch of soft asserts in the freeradius library which would launch the debugger if --enable-developer were set. If we can get the backtrace from one of those we might have a better idea about what's going on. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Mon, Jun 9, 2014 at 9:43 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 9 Jun 2014, at 15:09, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
Then it goes on to another module and prints those messages again. So I wonder why this fails (or doesn't get to end) in my system but runs peacefully in yours :S
IIRC your last issue was incorrect server time, causing the build system to behave erratic (due to files with timestamp in the future). Have you fixed that?
Thanks guys, I totally forgot about the time issue... there were no warnings about that though (but they were there last time I tried, right?), but now it's already CCing everything into place :)
So I built it, installed the packages I needed and got a new segfault... now it happens on request (6) instead of (5), but I'm not sure if that's relevant. Anyway, this is the debug output:
./configure --enable-developer
It's hitting a bunch of soft asserts in the freeradius library which would launch the debugger if --enable-developer were set.
If we can get the backtrace from one of those we might have a better idea about what's going on.
Would it make sense to enable the flag on all bundled package recipes? IIRC 2.x debian/rules has it (official debian/ubuntu package has it as well), but 3.0.x doesn't. Haven't checked others though. -- Fajar
On 10 Jun 2014, at 06:36, Fajar A. Nugraha <list@fajar.net> wrote:
On Mon, Jun 9, 2014 at 9:43 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 9 Jun 2014, at 15:09, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
Then it goes on to another module and prints those messages again. So I wonder why this fails (or doesn't get to end) in my system but runs peacefully in yours :S
IIRC your last issue was incorrect server time, causing the build system to behave erratic (due to files with timestamp in the future). Have you fixed that?
Thanks guys, I totally forgot about the time issue... there were no warnings about that though (but they were there last time I tried, right?), but now it's already CCing everything into place :)
So I built it, installed the packages I needed and got a new segfault... now it happens on request (6) instead of (5), but I'm not sure if that's relevant. Anyway, this is the debug output:
./configure --enable-developer
It's hitting a bunch of soft asserts in the freeradius library which would launch the debugger if --enable-developer were set.
If we can get the backtrace from one of those we might have a better idea about what's going on.
Would it make sense to enable the flag on all bundled package recipes? IIRC 2.x debian/rules has it (official debian/ubuntu package has it as well), but 3.0.x doesn't. Haven't checked others though.
No, there's a noticeable performance impact. One of the other users said it was as much as 15%. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
./configure --enable-developer
It's hitting a bunch of soft asserts in the freeradius library which would launch the debugger if --enable-developer were set.
If we can get the backtrace from one of those we might have a better idea about what's going on.
-Arran
You got it :) (sorry for the broken lines, they're too many to fix them by hand) Received Access-Request Id 0 from 192.168.60.1:1024 to 192.168.50.62:1812 length 190 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x02000009016a75616e Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x3efe33ca51c0208284178dd3aef14db6 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "juan", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : EAP packet type response id 0 length 9 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap : Peer sent Identity (1) (0) eap : Calling eap_tls to process EAP data (0) eap_tls : Flushing SSL sessions (of #0) (0) eap_tls : Requiring client certificate (0) eap_tls : Initiate (0) eap_tls : Requiring client certificate (0) eap_tls : Start returned 1 (0) eap : New EAP session, adding 'State' attribute to reply 0x00fd4c1700fc41e0 (0) [eap] = handled (0) } # authenticate = handled Sending Access-Challenge Id 0 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x00fd4c1700fc41e024238a16d8cdd2f7 (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 1 from 192.168.60.1:1024 to 192.168.50.62:1812 length 304 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020100690d800000005f160301005a0100005603015396b55c93922b259b39f8d912916e47 3f3d2b12527dae7df54b5d3dadf68f08000018002f00350005000ac013c014 c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 State = 0x00fd4c1700fc41e024238a16d8cdd2f7 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0xb561c819708f28f71e9390a39d2c44e1 (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : No '@' in User-Name = "juan", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop (1) eap : EAP packet type response id 1 length 105 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop rlm_ldap (ldap): Reserved connection (4) (1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap : --> (uid=juan) (1) ldap : EXPAND dc=ejemplo,dc=org (1) ldap : --> dc=ejemplo,dc=org (1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (1) ldap : Waiting for search result... (1) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (1) ldap : No cacheable group memberships found in user object (1) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (1) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuario s\2cdc\3dejemplo\2cdc\3dorg)) (1) ldap : EXPAND dc=ejemplo,dc=org (1) ldap : --> dc=ejemplo,dc=org (1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass =groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg)) ', s cope 'sub' (1) ldap : Waiting for search result... (1) ldap : Added control:Ldap-Group with value "profesores" (1) ldap : Processing user attributes (1) ldap : control:Password-With-Header += '1234' rlm_ldap (ldap): Released connection (4) (1) [ldap] = ok (1) foreach &control:LDAP-Group (1) # Foreach-Variable-0 = "profesores" (1) update reply { (1) EXPAND %{Foreach-Variable-0} (1) --> profesores (1) &Ruckus-User-Groups += "profesores" (1) } # update reply = noop (1) } # foreach &control:LDAP-Group = noop (1) [expiration] = noop (1) [logintime] = noop (1) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (1) WARNING: pap : Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = EAP (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0x00fd4c1700fc41e0 (1) eap : Finished EAP session with state 0x00fd4c1700fc41e0 (1) eap : Previous EAP request found for state 0x00fd4c1700fc41e0, released fro m the list (1) eap : Peer sent TLS (13) (1) eap : EAP TLS (13) (1) eap : Calling eap_tls to process EAP data (1) eap_tls : Authenticate (1) eap_tls : processing EAP-TLS TLS Length 95 (1) eap_tls : Length Included (1) eap_tls : eaptls_verify returned 11 (1) eap_tls : (other): before/accept initialization (1) eap_tls : TLS_accept: before/accept initialization (1) eap_tls : <<< TLS 1.0 Handshake [length 005a], ClientHello (1) eap_tls : TLS_accept: SSLv3 read client hello A (1) eap_tls : >>> TLS 1.0 Handshake [length 0051], ServerHello (1) eap_tls : TLS_accept: SSLv3 write server hello A (1) eap_tls : >>> TLS 1.0 Handshake [length 0707], Certificate (1) eap_tls : TLS_accept: SSLv3 write certificate A (1) eap_tls : >>> TLS 1.0 Handshake [length 0056], CertificateRequest (1) eap_tls : TLS_accept: SSLv3 write certificate request A (1) eap_tls : TLS_accept: SSLv3 flush data (1) eap_tls : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (1) eap_tls : eaptls_process returned 13 (1) eap : New EAP session, adding 'State' attribute to reply 0x00fd4c1701ff41e0 (1) [eap] = handled (1) } # authenticate = handled Sending Access-Challenge Id 1 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x010203ec0dc0000007bd16030100510200004d03015396b5bb5127ae 2ded900dee3ee029ee75cf4cdc80461cea0c199f23c00ac886206d20cc13ea954dfc5a871a3c a033 877860fdeb811c3c90a090d67fe82e10d4a1002f000005ff0100010016030107070b00070300 0700 00039b308203973082027fa003020102020900c43f77feef6a22ef300d06092a864886f70d01 0105 05003044310b3009060355040613024553310f300d06035504080c064d6164726964310e300c 0603 55040a0c05494e5445463114301206035504030c0b656a656d706c6f2e6f7267301e170d3134 3035 32303037313134325a170d3135303532303037313134325a3055310b30090603550406130245 5331 0f300d06035504080c064d6164726964310f300d06035504070c064d6164726964310e300c06 0355 040a0c05494e5445463114301206035504030c0b656a656d706c6f2e6f726730820122300d06 092a 864886f70d01010105000382010f003082010a0282010100d86d13ea2fa99efe3982e0ceface 40d3 45221a17f49a4cbdf8774fc1cea663192790995f1df5c32c30ea86fe5190ff99a3012ff8e54e 94de 9d81e96fb282562e1264f059238606c51afebce65604a4902dcdfc803041f6240e2c7a03cca1 8c70 238e9c0fda027487bcb8868c95850aae68986c068f737434eecdbbbdaabfd83780ce9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x00fd4c1701ff41e024238a16d8cdd2f7 (1) Finished request Waking up in 0.1 seconds. Received Access-Request Id 2 from 192.168.60.1:1024 to 192.168.50.62:1812 length 205 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020200060d00 State = 0x00fd4c1701ff41e024238a16d8cdd2f7 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0xafc5da6d1f9ffb1582a031cf7de5401d (2) # Executing section authorize from file /etc/freeradius/sites-enabled/defaul t (2) authorize { (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "juan", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) eap : EAP packet type response id 2 length 6 (2) eap : No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) [files] = noop rlm_ldap (ldap): Reserved connection (4) (2) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (2) ldap : --> (uid=juan) (2) ldap : EXPAND dc=ejemplo,dc=org (2) ldap : --> dc=ejemplo,dc=org (2) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', s cope 'sub' (2) ldap : Waiting for search result... (2) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (2) ldap : No cacheable group memberships found in user object (2) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (2) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuario s\2cdc\3dejemplo\2cdc\3dorg)) (2) ldap : EXPAND dc=ejemplo,dc=org (2) ldap : --> dc=ejemplo,dc=org (2) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass =groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg)) ', s cope 'sub' (2) ldap : Waiting for search result... (2) ldap : Added control:Ldap-Group with value "profesores" (2) ldap : Processing user attributes (2) ldap : control:Password-With-Header += '1234' rlm_ldap (ldap): Released connection (4) (2) [ldap] = ok (2) foreach &control:LDAP-Group (2) # Foreach-Variable-0 = "profesores" (2) update reply { (2) EXPAND %{Foreach-Variable-0} (2) --> profesores (2) &Ruckus-User-Groups += "profesores" (2) } # update reply = noop (2) } # foreach &control:LDAP-Group = noop (2) [expiration] = noop (2) [logintime] = noop (2) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (2) WARNING: pap : Auth-Type already set. Not setting to PAP (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = EAP (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0x00fd4c1701ff41e0 (2) eap : Finished EAP session with state 0x00fd4c1701ff41e0 (2) eap : Previous EAP request found for state 0x00fd4c1701ff41e0, released fro m the list (2) eap : Peer sent TLS (13) (2) eap : EAP TLS (13) (2) eap : Calling eap_tls to process EAP data (2) eap_tls : Authenticate (2) eap_tls : processing EAP-TLS (2) eap_tls : Received TLS ACK (2) eap_tls : Received TLS ACK (2) eap_tls : ACK handshake fragment handler (2) eap_tls : eaptls_verify returned 1 (2) eap_tls : eaptls_process returned 13 (2) eap : New EAP session, adding 'State' attribute to reply 0x00fd4c1702fe41e0 (2) [eap] = handled (2) } # authenticate = handled Sending Access-Challenge Id 2 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x010303e50d80000007bd3849d248b1dfa322109bc7213dc7b995e11c f1ec9e393177e1d411f1b83700035f3082035b30820243a003020102020900c43f77feef6a22 ee30 0d06092a864886f70d01010505003044310b3009060355040613024553310f300d0603550408 0c06 4d6164726964310e300c060355040a0c05494e5445463114301206035504030c0b656a656d70 6c6f 2e6f7267301e170d3134303532303037303835355a170d3137303531393037303835355a3044 310b 3009060355040613024553310f300d06035504080c064d6164726964310e300c060355040a0c 0549 4e5445463114301206035504030c0b656a656d706c6f2e6f726730820122300d06092a864886 f70d 01010105000382010f003082010a0282010100b34d31cc087201a6f5f91e1f411fbe7c8175e6 8364 d88e7bc6fb454918d40aca5f65cb2caf0496d4c7ef1b62379ab4ddfc60338d8785d6f4b20809 1cda 2f566d39b233c9a76cfcd2e14a21a5c1c1ad30c6c6734fb0024ef4511a78679f4b2e6085113c b24d 3229fa288b7ae5a460348f253fa438172cfb0b2c66c005747d6b716d6e221e492e793c17439a 19d6 38bc84ecde2aaf864e1b22007c29b5aa056637d4dd4bde4783dd1b2994b87522662742b8c547 7ce8 c39227a3bf8b71b2dce5323150b49cd27134e4a79f7f98d371cad38b0e72363efbc62 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x00fd4c1702fe41e024238a16d8cdd2f7 (2) Finished request Waking up in 0.1 seconds. Received Access-Request Id 3 from 192.168.60.1:1024 to 192.168.50.62:1812 length 1701 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020305d40dc0000005d916030105990b000389000386000383308203 7f30820267a003020102020900c43f77feef6a22f0300d06092a864886f70d01010505003044 310b 3009060355040613024553310f300d06035504080c064d6164726964310e300c060355040a0c 0549 4e5445463114301206035504030c0b656a656d706c6f2e6f7267301e170d3134303532313035 3231 30335a170d3135303532313035323130335a303d310b3009060355040613024553310f300d06 0355 04080c064d6164726964310e300c060355040a0c05494e544546310d300b06035504030c046a 7561 6e30820122300d06092a864886f70d01010105000382010f003082010a0282010100d8fe45c4 6e47 43d7ecaf6c82f5206a6d1683234f11e54af93501eba03aaadf6c4a123bb2aeebce0717b6930a 3e55 0f9e75e38fb7f0057acebdeecb6d396c4547ed2cb496d887ae6973982c7b708898d3d4e080c4 4679 ffc2eeea7b707f3d03aacfd8544465a96f0988366c5c8a8fd9e84bd38006f71b572a526759ea f147 a20c21f42ef7c8f8c37915768eec7e41402c3869e8c06a06d6d53a3fac290b9db34a737a55ce 6c3b c544396ee4f35ff28622c2318c57b0ce8b86aac710ed16e56960d4a2fafbe851afb250256e5b 03cf 37f52ace63f3eb801d78d6e2e3ebdb4ac5493bbca5129d60cbea4a1f7e96391a9216a State = 0x00fd4c1702fe41e024238a16d8cdd2f7 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x7a153d76d7b2744ca31fb2b68216dedf (3) # Executing section authorize from file /etc/freeradius/sites-enabled/defaul t (3) authorize { (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : No '@' in User-Name = "juan", looking up realm NULL (3) suffix : No such realm "NULL" (3) [suffix] = noop (3) eap : EAP packet type response id 3 length 1492 (3) eap : No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) [files] = noop rlm_ldap (ldap): Reserved connection (4) (3) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (3) ldap : --> (uid=juan) (3) ldap : EXPAND dc=ejemplo,dc=org (3) ldap : --> dc=ejemplo,dc=org (3) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', s cope 'sub' (3) ldap : Waiting for search result... (3) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (3) ldap : No cacheable group memberships found in user object (3) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (3) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuario s\2cdc\3dejemplo\2cdc\3dorg)) (3) ldap : EXPAND dc=ejemplo,dc=org (3) ldap : --> dc=ejemplo,dc=org (3) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass =groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg)) ', s cope 'sub' (3) ldap : Waiting for search result... (3) ldap : Added control:Ldap-Group with value "profesores" (3) ldap : Processing user attributes (3) ldap : control:Password-With-Header += '1234' rlm_ldap (ldap): Released connection (4) (3) [ldap] = ok (3) foreach &control:LDAP-Group (3) # Foreach-Variable-0 = "profesores" (3) update reply { (3) EXPAND %{Foreach-Variable-0} (3) --> profesores (3) &Ruckus-User-Groups += "profesores" (3) } # update reply = noop (3) } # foreach &control:LDAP-Group = noop (3) [expiration] = noop (3) [logintime] = noop (3) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (3) WARNING: pap : Auth-Type already set. Not setting to PAP (3) [pap] = noop (3) } # authorize = updated (3) Found Auth-Type = EAP (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0x00fd4c1702fe41e0 (3) eap : Finished EAP session with state 0x00fd4c1702fe41e0 (3) eap : Previous EAP request found for state 0x00fd4c1702fe41e0, released fro m the list (3) eap : Peer sent TLS (13) (3) eap : EAP TLS (13) (3) eap : Calling eap_tls to process EAP data (3) eap_tls : Authenticate (3) eap_tls : processing EAP-TLS TLS Length 1497 (3) eap_tls : Received EAP-TLS First Fragment of the message (3) eap_tls : eaptls_verify returned 9 (3) eap_tls : eaptls_process returned 13 (3) eap : New EAP session, adding 'State' attribute to reply 0x00fd4c1703f941e0 (3) [eap] = handled (3) } # authenticate = handled Sending Access-Challenge Id 3 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x010400060d00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x00fd4c1703f941e024238a16d8cdd2f7 (3) Finished request Waking up in 0.1 seconds. Received Access-Request Id 4 from 192.168.60.1:1024 to 192.168.50.62:1812 length 220 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020400150d00e01b879ad8ef587fe7ccfa117c55be State = 0x00fd4c1703f941e024238a16d8cdd2f7 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0xa8c975397e2ee0a2cc04124ef2b9fba2 (4) # Executing section authorize from file /etc/freeradius/sites-enabled/defaul t (4) authorize { (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix : No '@' in User-Name = "juan", looking up realm NULL (4) suffix : No such realm "NULL" (4) [suffix] = noop (4) eap : EAP packet type response id 4 length 21 (4) eap : No EAP Start, assuming it's an on-going EAP conversation (4) [eap] = updated (4) [files] = noop rlm_ldap (ldap): Reserved connection (4) (4) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (4) ldap : --> (uid=juan) (4) ldap : EXPAND dc=ejemplo,dc=org (4) ldap : --> dc=ejemplo,dc=org (4) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', s cope 'sub' (4) ldap : Waiting for search result... (4) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (4) ldap : No cacheable group memberships found in user object (4) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (4) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuario s\2cdc\3dejemplo\2cdc\3dorg)) (4) ldap : EXPAND dc=ejemplo,dc=org (4) ldap : --> dc=ejemplo,dc=org (4) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass =groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg)) ', s cope 'sub' (4) ldap : Waiting for search result... (4) ldap : Added control:Ldap-Group with value "profesores" (4) ldap : Processing user attributes (4) ldap : control:Password-With-Header += '1234' rlm_ldap (ldap): Released connection (4) (4) [ldap] = ok (4) foreach &control:LDAP-Group (4) # Foreach-Variable-0 = "profesores" (4) update reply { (4) EXPAND %{Foreach-Variable-0} (4) --> profesores (4) &Ruckus-User-Groups += "profesores" (4) } # update reply = noop (4) } # foreach &control:LDAP-Group = noop (4) [expiration] = noop (4) [logintime] = noop (4) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (4) WARNING: pap : Auth-Type already set. Not setting to PAP (4) [pap] = noop (4) } # authorize = updated (4) Found Auth-Type = EAP (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap : Expiring EAP session with state 0x00fd4c1703f941e0 (4) eap : Finished EAP session with state 0x00fd4c1703f941e0 (4) eap : Previous EAP request found for state 0x00fd4c1703f941e0, released fro m the list (4) eap : Peer sent TLS (13) (4) eap : EAP TLS (13) (4) eap : Calling eap_tls to process EAP data (4) eap_tls : Authenticate (4) eap_tls : processing EAP-TLS (4) eap_tls : eaptls_verify returned 7 (4) eap_tls : Done initial handshake (4) eap_tls : <<< TLS 1.0 Handshake [length 038d], Certificate (4) eap_tls : chain-depth=1, (4) eap_tls : error=0 (4) eap_tls : --> User-Name = juan (4) eap_tls : --> BUF-Name = ejemplo.org (4) eap_tls : --> subject = /C=ES/ST=Madrid/O=INTEF/CN=ejemplo.org (4) eap_tls : --> issuer = /C=ES/ST=Madrid/O=INTEF/CN=ejemplo.org (4) eap_tls : --> verify return:1 (4) eap_tls : chain-depth=0, (4) eap_tls : error=0 (4) eap_tls : --> User-Name = juan (4) eap_tls : --> BUF-Name = juan (4) eap_tls : --> subject = /C=ES/ST=Madrid/O=INTEF/CN=juan (4) eap_tls : --> issuer = /C=ES/ST=Madrid/O=INTEF/CN=ejemplo.org (4) eap_tls : --> verify return:1 (4) eap_tls : TLS_accept: SSLv3 read client certificate A (4) eap_tls : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange (4) eap_tls : TLS_accept: SSLv3 read client key exchange A (4) eap_tls : <<< TLS 1.0 Handshake [length 0106], CertificateVerify (4) eap_tls : TLS_accept: SSLv3 read certificate verify A (4) eap_tls : <<< TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_tls : <<< TLS 1.0 Handshake [length 0010], Finished (4) eap_tls : TLS_accept: SSLv3 read finished A (4) eap_tls : >>> TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_tls : TLS_accept: SSLv3 write change cipher spec A (4) eap_tls : >>> TLS 1.0 Handshake [length 0010], Finished (4) eap_tls : TLS_accept: SSLv3 write finished A (4) eap_tls : TLS_accept: SSLv3 flush data SSL: adding session 6d20cc13ea954dfc5a871a3ca033877860fdeb811c3c90a090d67fe82e 10d4a1 to cache (4) eap_tls : (other): SSL negotiation finished successfully SSL Connection Established (4) eap_tls : eaptls_process returned 13 (4) eap : New EAP session, adding 'State' attribute to reply 0x00fd4c1704f841e0 (4) [eap] = handled (4) } # authenticate = handled Sending Access-Challenge Id 4 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x010500450d800000003b14030100010116030100307de5ae6078318d 4c60d99d5318aea5bd210bff31b1923eb6d1bbe3668728130330234b5efbc02b30f92cfcab30 abf3 21 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x00fd4c1704f841e024238a16d8cdd2f7 (4) Finished request Received Access-Request Id 5 from 192.168.60.1:1024 to 192.168.50.62:1812 length 205 User-Name = 'juan' Calling-Station-Id = '00-26-C6-7C-C4-58' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-1A-3E-5C' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020500060d00 State = 0x00fd4c1704f841e024238a16d8cdd2f7 Attr-26.25053.3 = 0x50524f4645534f524553 Message-Authenticator = 0x7790bdb7d581acba7f3d7804e460fa78 (5) # Executing section authorize from file /etc/freeradius/sites-enabled/defaul t (5) authorize { (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix : No '@' in User-Name = "juan", looking up realm NULL (5) suffix : No such realm "NULL" (5) [suffix] = noop (5) eap : EAP packet type response id 5 length 6 (5) eap : No EAP Start, assuming it's an on-going EAP conversation (5) [eap] = updated (5) [files] = noop rlm_ldap (ldap): Reserved connection (4) (5) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (5) ldap : --> (uid=juan) (5) ldap : EXPAND dc=ejemplo,dc=org (5) ldap : --> dc=ejemplo,dc=org (5) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', s cope 'sub' (5) ldap : Waiting for search result... (5) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (5) ldap : No cacheable group memberships found in user object (5) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (5) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuario s\2cdc\3dejemplo\2cdc\3dorg)) (5) ldap : EXPAND dc=ejemplo,dc=org (5) ldap : --> dc=ejemplo,dc=org (5) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass =groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg)) ', s cope 'sub' (5) ldap : Waiting for search result... (5) ldap : Added control:Ldap-Group with value "profesores" (5) ldap : Processing user attributes (5) ldap : control:Password-With-Header += '1234' rlm_ldap (ldap): Released connection (4) (5) [ldap] = ok (5) foreach &control:LDAP-Group (5) # Foreach-Variable-0 = "profesores" (5) update reply { (5) EXPAND %{Foreach-Variable-0} (5) --> profesores (5) &Ruckus-User-Groups += "profesores" (5) } # update reply = noop (5) } # foreach &control:LDAP-Group = noop (5) [expiration] = noop (5) [logintime] = noop (5) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (5) WARNING: pap : Auth-Type already set. Not setting to PAP (5) [pap] = noop (5) } # authorize = updated (5) Found Auth-Type = EAP (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap : Expiring EAP session with state 0x00fd4c1704f841e0 (5) eap : Finished EAP session with state 0x00fd4c1704f841e0 (5) eap : Previous EAP request found for state 0x00fd4c1704f841e0, released fro m the list (5) eap : Peer sent TLS (13) (5) eap : EAP TLS (13) (5) eap : Calling eap_tls to process EAP data (5) eap_tls : Authenticate (5) eap_tls : processing EAP-TLS (5) eap_tls : Received TLS ACK (5) eap_tls : Received TLS ACK (5) eap_tls : ACK handshake is finished (5) eap_tls : eaptls_verify returned 3 (5) eap_tls : eaptls_process returned 3 (5) eap_tls : Saving session 6d20cc13ea954dfc5a871a3ca033877860fdeb811c3c90a090 d67fe82e10d4a1 vps 0x176e900 in the cache (5) eap : Freeing handler (5) [eap] = ok (5) } # authenticate = ok (5) # Executing section post-auth from file /etc/freeradius/sites-enabled/defaul t (5) post-auth { (5) cache : EXPAND %{User-Name} (5) cache : --> juan (5) cache : Creating entry for "juan" (5) cache : Adding to cache entry: (5) cache : control:LDAP-Group += &Ldap-Group -> 'profesores' (5) cache : Inserted entry, TTL 3600 seconds (5) [cache] = updated (5) foreach &control:LDAP-Group (5) # Foreach-Variable-1 = "profesores" (5) update reply { Bad talloc magic value - unknown value talloc abort: Bad talloc magic value - unknown value CAUGHT SIGNAL: Aborted Backtrace of last 32 frames: /usr/lib/freeradius/libfreeradius-radius.so(fr_fault+0xd2)[0x7f6304078b58] /usr/lib/freeradius/libfreeradius-radius.so(+0xbe97)[0x7f6304078e97] /usr/lib/x86_64-linux-gnu/libtalloc.so.2(talloc_get_name+0x70)[0x7f6303602ed 0] /usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_get_type_abort+0x2b)[0x7f63 0360 519b] /usr/lib/freeradius/libfreeradius-radius.so(fr_verify_vp+0x26)[0x7f630407946 e] /usr/lib/freeradius/libfreeradius-radius.so(vp_prints_value+0x66)[0x7f630408 63ca ] /usr/lib/freeradius/libfreeradius-server.so(+0x18f3b)[0x7f63042c7f3b] /usr/lib/freeradius/libfreeradius-server.so(+0x1ca15)[0x7f63042cba15] /usr/lib/freeradius/libfreeradius-server.so(+0x1cd89)[0x7f63042cbd89] /usr/lib/freeradius/libfreeradius-server.so(+0x1d092)[0x7f63042cc092] /usr/lib/freeradius/libfreeradius-server.so(radius_axlat_struct+0x43)[0x7f63 042c c44d] /usr/lib/freeradius/libfreeradius-server.so(radius_map2vp+0x2dc)[0x7f63042c2 526] /usr/lib/freeradius/libfreeradius-server.so(radius_map2request+0x265)[0x7f63 042c 1459] freeradius[0x42491a] freeradius[0x424fb0] freeradius[0x42432b] freeradius[0x425375] freeradius(modcall+0x9c)[0x426013] freeradius(indexed_modcall+0x24d)[0x421c7c] freeradius(process_post_auth+0x22)[0x423bdb] freeradius(rad_postauth+0x94)[0x40ebca] freeradius[0x435a82] freeradius[0x435f6e] freeradius[0x43511c] freeradius(request_receive+0x701)[0x4366ba] freeradius[0x415ff0] freeradius[0x43c1fe] /usr/lib/freeradius/libfreeradius-radius.so(fr_event_loop+0x5ba)[0x7f630409c 35f] freeradius(radius_event_process+0x26)[0x43d8e5] freeradius(main+0xbf1)[0x42b131] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7f63025c6ead] freeradius[0x40e089] Calling: gdb -silent -x /etc/freeradius/panic.gdb freeradius 2512 2>&1 | tee /va r/log/freeradius/gdb-freeradius-2512.log Temporarily setting PR_DUMPABLE to 1 Reading symbols from /usr/sbin/freeradius...Reading symbols from /usr/lib/debug/ usr/sbin/freeradius...done. done. Attaching to program: /usr/sbin/freeradius, process 2512 Reading symbols from /usr/lib/freeradius/libfreeradius-server.so...Reading symbo ls from /usr/lib/debug/usr/lib/freeradius/libfreeradius-server.so...done. done. Loaded symbols for /usr/lib/freeradius/libfreeradius-server.so Reading symbols from /usr/lib/freeradius/libfreeradius-radius.so...Reading symbo ls from /usr/lib/debug/usr/lib/freeradius/libfreeradius-radius.so...done. done. Loaded symbols for /usr/lib/freeradius/libfreeradius-radius.so Reading symbols from /usr/lib/freeradius/libfreeradius-eap.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/libfreeradius-eap.so...done. done. Loaded symbols for /usr/lib/freeradius/libfreeradius-eap.so Reading symbols from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0...(no debuggin g symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 Reading symbols from /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0...(no debugging s ymbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 Reading symbols from /usr/lib/x86_64-linux-gnu/libtalloc.so.2...(no debugging sy mbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libtalloc.so.2 Reading symbols from /lib/x86_64-linux-gnu/libnsl.so.1...(no debugging symbols f ound)...done. Loaded symbols for /lib/x86_64-linux-gnu/libnsl.so.1 Reading symbols from /lib/x86_64-linux-gnu/libresolv.so.2...(no debugging symbol s found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libresolv.so.2 Reading symbols from /lib/x86_64-linux-gnu/libdl.so.2...(no debugging symbols fo und)...done. Loaded symbols for /lib/x86_64-linux-gnu/libdl.so.2 Reading symbols from /lib/x86_64-linux-gnu/libpthread.so.0...(no debugging symbo ls found)...done. [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Loaded symbols for /lib/x86_64-linux-gnu/libpthread.so.0 Reading symbols from /lib/x86_64-linux-gnu/libreadline.so.6...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libreadline.so.6 Reading symbols from /lib/x86_64-linux-gnu/libcrypt.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libcrypt.so.1 Reading symbols from /lib/x86_64-linux-gnu/libc.so.6...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libc.so.6 Reading symbols from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libpcap.so.0.8 Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done. Loaded symbols for /lib64/ld-linux-x86-64.so.2 Reading symbols from /lib/x86_64-linux-gnu/libz.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libz.so.1 Reading symbols from /lib/x86_64-linux-gnu/libtinfo.so.5...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libtinfo.so.5 Reading symbols from /lib/x86_64-linux-gnu/libnss_compat.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libnss_compat.so.2 Reading symbols from /lib/x86_64-linux-gnu/libnss_nis.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libnss_nis.so.2 Reading symbols from /lib/x86_64-linux-gnu/libnss_files.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libnss_files.so.2 Reading symbols from /usr/lib/freeradius/rlm_exec.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_exec.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_exec.so Reading symbols from /usr/lib/freeradius/rlm_preprocess.so...Reading symbols fro m /usr/lib/debug/usr/lib/freeradius/rlm_preprocess.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_preprocess.so Reading symbols from /usr/lib/freeradius/rlm_digest.so...Reading symbols from /u sr/lib/debug/usr/lib/freeradius/rlm_digest.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_digest.so Reading symbols from /usr/lib/freeradius/rlm_cache.so...Reading symbols from /us r/lib/debug/usr/lib/freeradius/rlm_cache.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_cache.so Reading symbols from /usr/lib/freeradius/rlm_replicate.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_replicate.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_replicate.so Reading symbols from /usr/lib/freeradius/rlm_dhcp.so...Reading symbols from /usr /lib/debug/usr/lib/freeradius/rlm_dhcp.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_dhcp.so Reading symbols from /usr/lib/freeradius/rlm_detail.so...Reading symbols from /u sr/lib/debug/usr/lib/freeradius/rlm_detail.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_detail.so Reading symbols from /usr/lib/freeradius/rlm_linelog.so...Reading symbols from / usr/lib/debug/usr/lib/freeradius/rlm_linelog.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_linelog.so Reading symbols from /usr/lib/freeradius/rlm_always.so...Reading symbols from /u sr/lib/debug/usr/lib/freeradius/rlm_always.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_always.so Reading symbols from /usr/lib/freeradius/rlm_chap.so...Reading symbols from /usr /lib/debug/usr/lib/freeradius/rlm_chap.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_chap.so Reading symbols from /usr/lib/freeradius/rlm_mschap.so...Reading symbols from /u sr/lib/debug/usr/lib/freeradius/rlm_mschap.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_mschap.so Reading symbols from /usr/lib/freeradius/rlm_pap.so...Reading symbols from /usr/ lib/debug/usr/lib/freeradius/rlm_pap.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_pap.so Reading symbols from /usr/lib/freeradius/rlm_soh.so...Reading symbols from /usr/ lib/debug/usr/lib/freeradius/rlm_soh.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_soh.so Reading symbols from /usr/lib/freeradius/rlm_attr_filter.so...Reading symbols fr om /usr/lib/debug/usr/lib/freeradius/rlm_attr_filter.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_attr_filter.so Reading symbols from /usr/lib/freeradius/rlm_eap.so...Reading symbols from /usr/ lib/debug/usr/lib/freeradius/rlm_eap.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_eap.so Reading symbols from /usr/lib/freeradius/rlm_eap_tls.so...Reading symbols from / usr/lib/debug/usr/lib/freeradius/rlm_eap_tls.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_eap_tls.so Reading symbols from /usr/lib/freeradius/rlm_eap_ttls.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_eap_ttls.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_eap_ttls.so Reading symbols from /usr/lib/freeradius/rlm_eap_peap.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_eap_peap.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_eap_peap.so Reading symbols from /usr/lib/freeradius/rlm_eap_mschapv2.so...Reading symbols f rom /usr/lib/debug/usr/lib/freeradius/rlm_eap_mschapv2.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_eap_mschapv2.so Reading symbols from /usr/lib/freeradius/rlm_passwd.so...Reading symbols from /u sr/lib/debug/usr/lib/freeradius/rlm_passwd.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_passwd.so Reading symbols from /usr/lib/freeradius/rlm_files.so...Reading symbols from /us r/lib/debug/usr/lib/freeradius/rlm_files.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_files.so Reading symbols from /usr/lib/freeradius/rlm_logintime.so...Reading symbols from /usr/lib/debug/usr/lib/freeradius/rlm_logintime.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_logintime.so Reading symbols from /usr/lib/freeradius/rlm_unix.so...Reading symbols from /usr /lib/debug/usr/lib/freeradius/rlm_unix.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_unix.so Reading symbols from /usr/lib/freeradius/rlm_realm.so...Reading symbols from /us r/lib/debug/usr/lib/freeradius/rlm_realm.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_realm.so Reading symbols from /usr/lib/freeradius/rlm_expiration.so...Reading symbols fro m /usr/lib/debug/usr/lib/freeradius/rlm_expiration.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_expiration.so Reading symbols from /usr/lib/freeradius/rlm_radutmp.so...Reading symbols from / usr/lib/debug/usr/lib/freeradius/rlm_radutmp.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_radutmp.so Reading symbols from /usr/lib/freeradius/rlm_ldap.so...Reading symbols from /usr /lib/debug/usr/lib/freeradius/rlm_ldap.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_ldap.so Reading symbols from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2...(no debuggin g symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 Reading symbols from /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2...(no debugging symbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 Reading symbols from /usr/lib/x86_64-linux-gnu/libsasl2.so.2...(no debugging sym bols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libsasl2.so.2 Reading symbols from /usr/lib/x86_64-linux-gnu/libgnutls.so.26...(no debugging s ymbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libgnutls.so.26 Reading symbols from /lib/x86_64-linux-gnu/libgcrypt.so.11...(no debugging symbo ls found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libgcrypt.so.11 Reading symbols from /usr/lib/x86_64-linux-gnu/libtasn1.so.3...(no debugging sym bols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libtasn1.so.3 Reading symbols from /usr/lib/x86_64-linux-gnu/libp11-kit.so.0...(no debugging s ymbols found)...done. Loaded symbols for /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 Reading symbols from /lib/x86_64-linux-gnu/libgpg-error.so.0...(no debugging sym bols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libgpg-error.so.0 Reading symbols from /usr/lib/freeradius/rlm_utf8.so...Reading symbols from /usr /lib/debug/usr/lib/freeradius/rlm_utf8.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_utf8.so Reading symbols from /usr/lib/freeradius/rlm_dynamic_clients.so...Reading symbol s from /usr/lib/debug/usr/lib/freeradius/rlm_dynamic_clients.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_dynamic_clients.so Reading symbols from /usr/lib/freeradius/rlm_unpack.so...Reading symbols from /u sr/lib/debug/usr/lib/freeradius/rlm_unpack.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_unpack.so Reading symbols from /usr/lib/freeradius/rlm_expr.so...Reading symbols from /usr /lib/debug/usr/lib/freeradius/rlm_expr.so...done. done. Loaded symbols for /usr/lib/freeradius/rlm_expr.so Reading symbols from /lib/x86_64-linux-gnu/libgcc_s.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/x86_64-linux-gnu/libgcc_s.so.1 0x00007f63026541ee in waitpid () from /lib/x86_64-linux-gnu/libc.so.6 No symbol table info available. No symbol table info available. Thread 1 (Thread 0x7f63046ad720 (LWP 2512)): #0 0x00007f63026541ee in waitpid () from /lib/x86_64-linux-gnu/libc.so.6 No symbol table info available. #1 0x00007f63025e7c99 in ?? () from /lib/x86_64-linux-gnu/libc.so.6 No symbol table info available. #2 0x00007f6304078dab in fr_fault (sig=6) at src/lib/debug.c:525 disable = true cmd = "gdb -silent -x /etc/freeradius/panic.gdb freeradius 2512 2>&1 | tee /var/log/freeradius/gdb-freeradius-2512.log", '\000' <repeats 420 times> out = 0x7fff248a6d1b ".log" left = 425 ret = 51 p = 0x7f63042adaa7 ".log" q = 0x0 code = 32767 #3 0x00007f6304078e97 in _fr_talloc_fault ( reason=0x7f6303608678 "Bad talloc magic value - unknown value") at src/lib/debug.c:561 No locals. #4 0x00007f6303602ed0 in talloc_get_name () from /usr/lib/x86_64-linux-gnu/libtalloc.so.2 No symbol table info available. #5 0x00007f630360519b in _talloc_get_type_abort () from /usr/lib/x86_64-linux-gnu/libtalloc.so.2 No symbol table info available. #6 0x00007f630407946e in fr_verify_vp (vp=0x7fff248a7e40) at src/lib/debug.c:788 No locals. #7 0x00007f63040863ca in vp_prints_value ( out=0x1776ed0 "\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\ 275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\ 275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\ 275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\ 275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\ 275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\ 275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\ 275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\ 275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\ 275\275\275\275\275"..., outlen=1024, vp=0x7fff248a7e40, quote=0 '\000') at src/lib/print.c:323 v = 0x400 buf = "\320q\212$\377\177\000\000\000\000\000\000\000\000\000\000\370q\2 12$\377\177\000\000\000\200o\004c\177\000\000E;\032;\000\000\000\000\002\\N\ 004c \177", '\000' <repeats 18 times>, "\001\000\000\000\377\177\000\000\000\000\000\ 000\000\000\000\000\001\000\000\000\377\177\000\000\000\200o\004c\177\000\00 0Ķ&Z \000\000\000\000\002\\N\004c\177", '\000' <repeats 26 times>, "DQN\004c\177\000\ 000\200q\212$\377\177\000\000@q\212$\377\177\000\000\020\337t\001\000\000\00 0\00 0\060r\212$\377\177\000\000\310\067-\004c\177\000\000\240r\212$\377\177\000\ 000\ 033\000\000\000\000\000\000\000l\000\000\000\000\000\000\000\020\337t\001\00 0\00 0\000\000\242Fa\002c\177\000\000\001\200\255\373\000\000\000\000\020\337t\00 1\00 0\000\000\000\020\337t\001\000\000\000\000\020\337t\001\000\000\000\000"... a = 0x0 t = 140063252906840 s_tm = {tm_sec = 16, tm_min = 48, tm_hour = 613053424, tm_mday = 32767, tm_mon = 613053232, tm_year = 32767, tm_wday = 65415808, tm_yday = 32611, tm_isdst = 0, tm_gmtoff = 4294967634, tm_zone = 0x0} len = 0 freespace = 1024 #8 0x00007f63042c7f3b in xlat_foreach (instance=0x7f63044db1e0, request=0x1779680, fmt=0x0, out=0x1776ed0 "\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\ 275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\ 275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\ 275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\ 275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\ 275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\ 275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\ 275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\ 275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\ 275\ 275\275\275\275\275"..., outlen=1024) at src/main/xlat.c:405 pvp = 0x7fff248a7dd8 len = 0 #9 0x00007f63042cba15 in xlat_aprint (ctx=0x1779680, request=0x1779680, node=0x173af70, escape=0, escape_ctx=0x0, lvl=0) at src/main/xlat.c:2004 rcode = 140063252915528 str = 0x1776ed0 "\275\275\275\275\275\275\275\275\275\275\275\275\275\27 5\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\27 5\27 5\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\27 5\27 5\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\27 5\27 5\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\27 5\27 5\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\27 5\27 5\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\27 5\27 5\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\27 5\27 5\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\27 5\27 5\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\275\27 5\27 5\275\275\275\275\275\275"... child = 0x0 ref = 0x7fff248a76f0 #10 0x00007f63042cbd89 in xlat_process (out=0x7fff248a7680, request=0x1779680, head=0x173af70, escape=0, escape_ctx=0x0) at src/main/xlat.c:2101 i = 0 list = 160 total = 140063221673568 array = 0xb046fa8a0 answer = 0x7fff248a76a0 "" node = 0x1779680 #11 0x00007f63042cc092 in xlat_expand_struct (out=0x7fff248a7708, outlen=0, request=0x1779680, node=0x173af70, escape=0, escape_ctx=0x0) at src/main/xlat.c:2173 buff = 0x0 len = 140733806442192 #12 0x00007f63042cc44d in radius_axlat_struct (out=0x7fff248a7708, request=0x1779680, xlat=0x173af70, escape=0, ctx=0x0) at src/main/xlat.c:2280 No locals. #13 0x00007f63042c2526 in radius_map2vp (out=0x7fff248a7810, request=0x1779680, map=0x17379f0, ctx=0x0) at src/main/valuepair.c:1456 slen = 140063248575007 str = 0x0 rcode = 0 vp = 0x1777ac0 found = 0x7fff248a7840 from = 0x0 da = 0x161f5f0 context = 0x1779680 cursor = {first = 0x7f63042d6a1f, found = 0x0, last = 0x0, current = 0x8, next = 0x78} #14 0x00007f63042c1459 in radius_map2request (request=0x1779680, map=0x17379f0, func=0x7f63042c224a <radius_map2vp>, ctx=0x0) at src/main/valuepair.c:1003 rcode = 0 num = 0 list = 0x1779888 vp = 0x1779680 dst = 0x7f630409c590 head = 0x0 found = false context = 0x1779680 parent = 0x1779810 dst_list = {first = 0x7fff248a7820, found = 0x7f6304091073, last = 0x3, current = 0x4552f0, next = 0x174df10} src_list = {first = 0xe10, found = 0x3000000020, last = 0x7fff248a7890, current = 0x7fff248a77d0, next = 0x0} #15 0x000000000042491a in modcall_recurse (request=0x1779680, component=RLM_COMPONENT_POST_AUTH, depth=2, entry=0x7fff248a8a70) at src/main/modcall.c:596 rcode = 0 g = 0x1737c20 map = 0x17379f0 if_taken = false was_if = false c = 0x1737c20 priority = -1 result = RLM_MODULE_UNKNOWN #16 0x0000000000424fb0 in modcall_recurse (request=0x1779680, component=RLM_COMPONENT_POST_AUTH, depth=1, entry=0x7fff248a8a58) at src/main/modcall.c:704 i = 1 vps = 0x1777990 vp = 0x1777990 cursor = {first = 0x7fff248a82f8, found = 0x1779a70, last = 0x0, current = 0x0, next = 0x0} g = 0x1737910 foreach_depth = 1 next = 0x7fff248a8a70 copy = {first = 0x7fff248a8300, found = 0x0, last = 0x0, current = 0x1777990, next = 0x0} if_taken = false was_if = false c = 0x1737910 priority = -1 result = RLM_MODULE_UPDATED #17 0x000000000042432b in modcall_child (request=0x1779680, component=RLM_COMPONENT_POST_AUTH, depth=1, entry=0x7fff248a8a40, c=0x17377b0, result=0x7fff248a891c) at src/main/modcall.c:412 next = 0x7fff248a8a58 #18 0x0000000000425375 in modcall_recurse (request=0x1779680, component=RLM_COMPONENT_POST_AUTH, depth=0, entry=0x7fff248a8a40) at src/main/modcall.c:783 g = 0x1737720 if_taken = false was_if = false c = 0x1737720 priority = -1 result = RLM_MODULE_UNKNOWN #19 0x0000000000426013 in modcall (component=RLM_COMPONENT_POST_AUTH, c=0x1737720, request=0x1779680) at src/main/modcall.c:1092 stack = {{result = RLM_MODULE_NOOP, priority = 0, unwind = 0, c = 0x1737720}, {result = RLM_MODULE_UPDATED, priority = 4, unwind = 0, c = 0x1737910}, {result = RLM_MODULE_UPDATED, priority = 0, unwind = 0, c = 0x1737c20}, { result = RLM_MODULE_REJECT, priority = 0, unwind = 0, c = 0x0} <repeats 29 times>} #20 0x0000000000421c7c in indexed_modcall (comp=RLM_COMPONENT_POST_AUTH, idx=0, request=0x1779680) at src/main/modules.c:818 rcode = 1014 list = 0x1737720 server = 0x17351e0 #21 0x0000000000423bdb in process_post_auth (postauth_type=0, request=0x1779680) at src/main/modules.c:1865 No locals. #22 0x000000000040ebca in rad_postauth (request=0x1779680) at src/main/auth.c:303 result = 0 postauth_type = 0 vp = 0x0 #23 0x0000000000435a82 in request_finish (request=0x1779680, action=1) at src/main/process.c:1274 vp = 0x0 #24 0x0000000000435f6e in request_running (request=0x1779680, action=1) at src/main/process.c:1461 __FUNCTION__ = "request_running" #25 0x000000000043511c in request_queue_or_run (request=0x1779680, process=0x435e05 <request_running>) at src/main/process.c:999 No locals. #26 0x00000000004366ba in request_receive (listener=0x173a080, packet=0x1772eb0, client=0x1678740, fun=0x40ec10 <rad_authenticate>) at src/main/process.c:1639 count = 5 packet_p = 0x0 request = 0x1779680 now = {tv_sec = 1402385851, tv_usec = 442131} sock = 0x173a1a0 #27 0x0000000000415ff0 in auth_socket_recv (listener=0x173a080) at src/main/listen.c:1507 rcode = 205 code = 1 src_port = 1024 packet = 0x1772eb0 fun = 0x40ec10 <rad_authenticate> client = 0x1678740 src_ipaddr = {af = 2, ipaddr = {ip4addr = {s_addr = 20752576}, ip6addr = {__in6_u = { __u6_addr8 = "\300\250<\001\340\317t\001\000\000\000\000\060\217\212$", __u6_addr16 = {43200, 316, 53216, 372, 0, 0, 36656, 9354}, __u6_addr32 = {20752576, 24432608, 0, 613060400}}}}, prefix = 32 ' ', scope = 67749368} #28 0x000000000043c1fe in event_socket_handler (xel=0x14a2ac0, fd=14, ctx=0x173a080) at src/main/process.c:3924 listener = 0x173a080 #29 0x00007f630409c35f in fr_event_loop (el=0x14a2ac0) at src/lib/event.c:495 ef = 0x14a2b28 i = 2 rcode = 1 maxfd = 16 when = {tv_sec = 1402385851, tv_usec = 528156} wake = 0x7fff248a91a0 read_fds = {fds_bits = {16384, 0 <repeats 15 times>}} master_fds = {fds_bits = {124928, 0 <repeats 15 times>}} #30 0x000000000043d8e5 in radius_event_process () at src/main/process.c:4785 No locals. #31 0x000000000042b131 in main (argc=2, argv=0x7fff248a9378) at src/main/radiusd.c:565 rcode = 0 status = 32767 argval = -1 spawn_flag = false write_pid = false display_version = false flag = 0 from_child = {-1, -1} autofree = 0x1485060 A debugging session is active. Inferior 1 [process 2512] will be detached. Quit anyway? (y or n) [answered Y; input not from terminal] Resetting PR_DUMPABLE to 0 Panic action exited with 0 _EXIT(1) CALLED src/lib/debug.c[550]. Last error was: Unknown value 'Challenge' for attribute 'Post-Auth-Type' If running under a debugger it should break <<here>>
Today I realized this about the error I got:
(5) foreach &control:LDAP-Group (5) # Foreach-Variable-1 = "profesores" (5) update reply { Bad talloc magic value - unknown value talloc abort: Bad talloc magic value - unknown value CAUGHT SIGNAL: Aborted
In the second line, the variable containing the group name is Foreach-Variable-1, but I was accessing Foreach-Variable-0 inside the update reply {}. I changed it to Foreach-Variable-1 and the error vanished, everything worked perfectly and FR returned to the client this Access-Accept: Sending Access-Accept Id 17 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' MS-MPPE-Recv-Key = 0xc404bde0c6ee79a3f4664284f0f50f4d79c0e4d813f8054eb85ca706f6bd827d MS-MPPE-Send-Key = 0xe5e783a3df73eb314335cc2cc0a855f886336766c0fdf826b9b69d461de87df8 EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'juan' Ruckus-User-Groups += 'profesores' (Ruckus-User-Groups is there twice because I add it in both authorize and in post-auth in default server, but it doesn't do any harm) And the debug part referring to the foreach loop looks like this: (6) foreach &control:LDAP-Group (6) # Foreach-Variable-1 = "profesores" (6) update reply { (6) EXPAND %{Foreach-Variable-1} (6) --> profesores (6) Ruckus-User-Groups += "profesores" (6) } # update reply = noop (6) } # foreach &control:LDAP-Group = noop However, if I try to authenticate a user via PEAP with that config, the group name is in Foreach-Variable-0, as it was before, and the Access-Accept lacks the group info: Sending Access-Accept Id 23 from 192.168.50.62:1812 to 192.168.60.1:1028 MS-MPPE-Recv-Key = 0xc139d6ab71743cb1cc6b8ff635207b82e102b646bbd6988df2c044fc7a9217db MS-MPPE-Send-Key = 0x61f3d096f5e3924bc006f36fb88fd590d55705c1fe77f105b0abaa81ccb34539 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'juan' Ruckus-User-Groups += '' The loop part looks like this: (11) foreach &control:LDAP-Group (11) # Foreach-Variable-0 = "profesores" (11) update reply { (11) EXPAND %{Foreach-Variable-1} (11) --> (11) Ruckus-User-Groups += "" (11) } # update reply = noop (11) } # foreach &control:LDAP-Group = noop And my task is to get both PEAP and TLS working in the same server, so that I can let students in via PEAP but keep teachers using TLS for a more secure network (but that comes later). Is there a way to put the group info into the Access-Accept packet no matter which method was used? Thanks!
On 11 Jun 2014, at 09:11, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
Today I realized this about the error I got:
(5) foreach &control:LDAP-Group (5) # Foreach-Variable-1 = "profesores" (5) update reply { Bad talloc magic value - unknown value talloc abort: Bad talloc magic value - unknown value CAUGHT SIGNAL: Aborted
In the second line, the variable containing the group name is Foreach-Variable-1, but I was accessing Foreach-Variable-0 inside the update reply {}. I changed it to Foreach-Variable-1 and the error vanished, everything worked perfectly and FR returned to the client this Access-Accept:
Sending Access-Accept Id 17 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' MS-MPPE-Recv-Key = 0xc404bde0c6ee79a3f4664284f0f50f4d79c0e4d813f8054eb85ca706f6bd827d MS-MPPE-Send-Key = 0xe5e783a3df73eb314335cc2cc0a855f886336766c0fdf826b9b69d461de87df8 EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'juan' Ruckus-User-Groups += 'profesores'
I've completely lost track of what's going on here... if you're still experiencing issues can you open a ticket on https://bugs.freeradius.org with a test case. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Wed, Jun 11, 2014 at 3:11 PM, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
Today I realized this about the error I got:
(5) foreach &control:LDAP-Group (5) # Foreach-Variable-1 = "profesores" (5) update reply { Bad talloc magic value - unknown value talloc abort: Bad talloc magic value - unknown value CAUGHT SIGNAL: Aborted
In the second line, the variable containing the group name is Foreach-Variable-1, but I was accessing Foreach-Variable-0 inside the update reply {}. I changed it to Foreach-Variable-1 and the error vanished, everything worked perfectly and FR returned to the client this Access-Accept:
Sending Access-Accept Id 17 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' MS-MPPE-Recv-Key = 0xc404bde0c6ee79a3f4664284f0f50f4d79c0e4d813f8054eb85ca706f6bd827d MS-MPPE-Send-Key = 0xe5e783a3df73eb314335cc2cc0a855f886336766c0fdf826b9b69d461de87df8 EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'juan' Ruckus-User-Groups += 'profesores'
(Ruckus-User-Groups is there twice because I add it in both authorize and in post-auth in default server, but it doesn't do any harm)
And the debug part referring to the foreach loop looks like this:
(6) foreach &control:LDAP-Group (6) # Foreach-Variable-1 = "profesores" (6) update reply { (6) EXPAND %{Foreach-Variable-1} (6) --> profesores (6) Ruckus-User-Groups += "profesores" (6) } # update reply = noop (6) } # foreach &control:LDAP-Group = noop
However, if I try to authenticate a user via PEAP with that config, the group name is in Foreach-Variable-0, as it was before, and the Access-Accept lacks the group info:
Sending Access-Accept Id 23 from 192.168.50.62:1812 to 192.168.60.1:1028 MS-MPPE-Recv-Key = 0xc139d6ab71743cb1cc6b8ff635207b82e102b646bbd6988df2c044fc7a9217db MS-MPPE-Send-Key = 0x61f3d096f5e3924bc006f36fb88fd590d55705c1fe77f105b0abaa81ccb34539 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'juan' Ruckus-User-Groups += ''
The loop part looks like this:
(11) foreach &control:LDAP-Group (11) # Foreach-Variable-0 = "profesores" (11) update reply { (11) EXPAND %{Foreach-Variable-1} (11) --> (11) Ruckus-User-Groups += "" (11) } # update reply = noop (11) } # foreach &control:LDAP-Group = noop
And my task is to get both PEAP and TLS working in the same server, so that I can let students in via PEAP but keep teachers using TLS for a more secure network (but that comes later). Is there a way to put the group info into the Access-Accept packet no matter which method was used?
From "man unlang" (or https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/man/man5/unlang....):
" Inside of the "foreach" block, the attribute which is being looped over can be referenced as "Foreach-Variable-#". Where "#" is the depth of the loop, starting at "0". e.g. "Foreach-Variable-0". The loops can be nested up to eight (8) deep, though this is not recommended. " Does your tls config somehow has nested foreach, so that Foreach-Variable-1 is used instead Foreach-Variable-0? -- Fajar
From "man unlang" (or
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/man/man5/unlang. 5):
" Inside of the "foreach" block, the attribute which is being looped over
can be referenced as "Foreach-Variable-#". Where "#" is the depth of the loop, starting at "0". e.g. "Foreach-Variable-0". The loops can be nested up to > eight (8) deep, though this is not recommended.
"
Does your tls config somehow has nested foreach, so that Foreach-Variable-1 is used instead Foreach-Variable-0?
No, my foreach {} is right inside post-auth {} (in default server config). Actually, it's the second uncommented line, after a call to cache. In eap module config, tls section only contains "tls = tls-common", and there are no loops in tls-config tls-common {}. There is no foreach at all in eap mod config. The thing is that, in an EAP-PEAP authentication process with MSCHAPv2, the variable I need to use is Foreach-Variable-0. However, in EAP-TLS that should be Foreach-Variable-1. My only guess is that there is a foreach loop in the TLS conversation (without it being in the config, maybe?), inside which post-auth is called. But I know nothing about the internals...
I am totally unsure what was going on with that Foreach-Variable-# thing, but it seems to be working fine now. I was following Arran's advice in [1] to try to minimize calls to ldap when Foreach-Variable-1 was empty all of a sudden, so I switched to Foreach-Variable-0 and everything started working fine. I did not add or remove any loops, only update sections for Cache-Status-Only and calls to ldap and/or cache, so I find it even weirder. Anyway, it is working now, so I am pasting config snippets here for the record: ## sites-enabled/default authorize { [...] update control { Cache-Status-Only := yes } cache If (notfound) { ldap update control { Cache-Status-Only := no } cache } [...] } post-auth { update control { Cache-Status-Only := no } cache foreach &control:LDAP-Group { update reply { &Ruckus-User-Groups += "%{Foreach-Variable-0}" } } } # sites-enabled/inner-tunnel authorize { [...] update control { Cache-Status-Only := yes } cache If (notfound) { ldap update control { Cache-Status-Only := no } cache } [...] } # mods-enabled/cache cache { ttl = 3600 add_stats = no update { control:LDAP-Group += control:LDAP-Group control:Password-With-Header += control:Password-With-Header } } With this config there is only one call to ldap in the entire authentication process and the group attribute is set in the final Access-Accept. The authorize section is the same in both default and inner-tunnel servers because the former is needed for TTL and the latter for PEAP (and I need both methods). Feel free to ask or suggest anything you can think of :) Thanks everyone one more time! [1] http://lists.freeradius.org/pipermail/freeradius-users/2014-June/072430.html
Enrique Sainz Baixauli wrote:
I am totally unsure what was going on with that Foreach-Variable-# thing, but it seems to be working fine now. I was following Arran's advice in [1] to try to minimize calls to ldap when Foreach-Variable-1 was empty all of a sudden, so I switched to Foreach-Variable-0 and everything started working fine.
I'm really not sure what that means. You are aware that Foreach-Variable-0 and Foreach-Variable-1 are different, right? Foreach-Variable-0 is for the FIRST loop. Foreach-Variable-1 is for the second NESTED loop. If you use Foreach-Variable-1 inside of one loop, it won't refer to anything, and it won't exist. Alan DeKok.
I am totally unsure what was going on with that Foreach-Variable-# thing, but it seems to be working fine now. I was following Arran's advice in [1] to try to minimize calls to ldap when Foreach-Variable-1 was empty all of a sudden, so I switched to Foreach-Variable-0 and everything started working fine.
I'm really not sure what that means. You are aware that Foreach-Variable-0 and Foreach-Variable-1 are different, right?
Foreach-Variable-0 is for the FIRST loop. Foreach-Variable-1 is for the second NESTED loop.
If you use Foreach-Variable-1 inside of one loop, it won't refer to anything, and it won't exist.
Alan DeKok.
That's what I mean. I had to use Foreach-Variable-1 (and it worked) but I wasn't nesting loops. I had only one loop in post-auth, but when authenticating with EAP-PEAP the group info was in Foreach-Variable-0 and when I used EAP-TLS it was in Foreach-Variable-1 (and segfaulted if I tried to access Foreach-Variable-0). Now, after optimizing ldap calls with cache, it's always in Foreach-Variable-0 (where it should have always been). If you can make any sense out of it, please explain because I have absolutely no idea.
Hello, I've tried to rebuild the FreeRADIUS server I was using to perform EAP-SIM authentication with the latest commit from FreeRADIUS 3.0.x HEAD. It doesn't seem to work anymore, I'm not sure what's going on... I've noticed some changes to eapsimlib.c (not sure if it's linked...) in the following commit : https://github.com/FreeRADIUS/freeradius-server/commit/39df09e42d80a96363be0... So I tried a prior commit : https://github.com/FreeRADIUS/freeradius-server/tree/7edb8dd4a91d0111da0950e... With this version I don't have the problem. (For both, I use the same configuration and the same EAP-SIM triplets.) Anyway, here is my problem: When sending back the Access-Challenge, the EAP-Message attribute is too short. (0x01330008120a0000 instead of something like 0x01160014120a00000f02000200010000110101bd) The client then complains that it can't use it... Here is the debug output I got from FreeRADIUS head (not working): Received Access-Request Id 224 from 10.67.106.10:58041 to 10.67.141.74:31812 length 188 Code: 1 Id: 224 Length: 188 Vector: dcfdcece0b9e4e4e0201b61669befbd5 Data: 01 35 31 32 30 38 30 31 30 30 30 30 30 30 30 30 30 32 40 77 6c 61 6e 2e 6d 6e 63 30 30 31 2e 6d 63 63 32 30 38 2e 33 67 70 70 6e 65 74 77 6f 72 6b 2e 6f 72 67 50 12 bc 8d b4 d3 e3 4e 76 10 e1 83 c2 45 10 65 ff 14 04 06 0a 14 00 00 20 0a 4c 69 76 65 42 6f 78 31 1f 13 46 37 3a 42 42 3a 43 38 3a 32 45 3a 42 36 3a 36 31 4f 3a 02 07 00 38 01 31 32 30 38 30 31 30 30 30 30 30 30 30 30 30 32 40 77 6c 61 6e 2e 6d 6e 63 30 30 31 2e 6d 63 63 32 30 38 2e 33 67 70 70 6e 65 74 77 6f 72 6b 2e 6f 72 67 21 04 37 34 User-Name = '1208010000000002@wlan.mnc001.mcc208.3gppnetwork.org' Message-Authenticator = 0xbc8db4d3e34e7610e183c2451065ff14 NAS-IP-Address = 10.20.0.0 NAS-Identifier = 'LiveBox1' Calling-Station-Id = 'F7:BB:C8:2E:B6:61' EAP-Message = 0x02070038013132303830313030303030303030303240776c616e2e6d6e633030312e6d63633230382e336770706e6574776f726b2e6f7267 Proxy-State = 0x3734 Wed Jun 11 17:39:31 2014 : Debug: (0) # Executing section authorize from file /opt/application/sim3gppb/current/etc/raddb/sites-enabled/server-sim3gpp-b Wed Jun 11 17:39:31 2014 : Debug: (0) authorize { Wed Jun 11 17:39:31 2014 : Debug: (0) modsingle[authorize]: calling files (rlm_files) for request 0 Wed Jun 11 17:39:31 2014 : Debug: (0) files : users: Matched entry DEFAULT at line 1 Wed Jun 11 17:39:31 2014 : Debug: (0) files : ::: FROM 0 TO 0 MAX 0 Wed Jun 11 17:39:31 2014 : Debug: (0) files : ::: TO in 0 out 0 Wed Jun 11 17:39:31 2014 : Debug: (0) modsingle[authorize]: returned from files (rlm_files) for request 0 Wed Jun 11 17:39:31 2014 : Debug: (0) [files] = ok Wed Jun 11 17:39:31 2014 : Debug: (0) modsingle[authorize]: calling eap (rlm_eap) for request 0 Wed Jun 11 17:39:31 2014 : Debug: (0) eap : EAP packet type response id 7 length 56 Wed Jun 11 17:39:31 2014 : Debug: (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize Wed Jun 11 17:39:31 2014 : Debug: (0) modsingle[authorize]: returned from eap (rlm_eap) for request 0 Wed Jun 11 17:39:31 2014 : Debug: (0) [eap] = ok Wed Jun 11 17:39:31 2014 : Debug: (0) } # authorize = ok Wed Jun 11 17:39:31 2014 : Debug: (0) Found Auth-Type = EAP Wed Jun 11 17:39:31 2014 : Debug: (0) # Executing group from file /opt/application/sim3gppb/current/etc/raddb/sites-enabled/server-sim3gpp-b Wed Jun 11 17:39:31 2014 : Debug: (0) authenticate { Wed Jun 11 17:39:31 2014 : Debug: (0) modsingle[authenticate]: calling eap (rlm_eap) for request 0 Wed Jun 11 17:39:31 2014 : Debug: (0) eap : Peer sent Identity (1) Wed Jun 11 17:39:31 2014 : Debug: (0) eap : Calling eap_sim to process EAP data Wed Jun 11 17:39:31 2014 : Debug: (0) eap : Underlying EAP-Type set EAP ID to 51 Wed Jun 11 17:39:31 2014 : Debug: (0) eap : New EAP session, adding 'State' attribute to reply 0xbefde769becef5c4 Wed Jun 11 17:39:31 2014 : Debug: (0) modsingle[authenticate]: returned from eap (rlm_eap) for request 0 Wed Jun 11 17:39:31 2014 : Debug: (0) [eap] = handled Wed Jun 11 17:39:31 2014 : Debug: (0) } # authenticate = handled Sending Access-Challenge Id 224 from 10.67.141.74:31812 to 10.67.106.10:58041 EAP-Message = 0x01330008120a0000 4f 0a 01 33 00 08 12 0a 00 00 Message-Authenticator = 0x00000000000000000000000000000000 50 12 ... State = 0xbefde769becef5c4fed48348b17e5f33 18 12 be fd e7 69 be ce f5 c4 fe d4 83 48 b1 7e 5f 33 Proxy-State = 0x3734 21 04 37 34 Code: 11 Id: 224 Length: 70 Vector: eedd54e7cb408773ed0592f29c79366a Data: 4f 0a 01 33 00 08 12 0a 00 00 50 12 c2 7b 71 a9 21 27 d9 a8 ac c9 ee 7f 66 b5 1a 3b 18 12 be fd e7 69 be ce f5 c4 fe d4 83 48 b1 7e 5f 33 21 04 37 34 Wed Jun 11 17:39:31 2014 : Debug: (0) Finished request And the debug output of the version which works: Received Access-Request Id 133 from 10.67.106.10:58041 to 10.67.141.74:31812 length 189 Code: 1 Id: 133 Length: 189 Vector: f10dc73217b1a3f43ce8dd257f974fab Data: 01 35 31 32 30 38 30 31 30 30 30 30 30 30 30 30 30 32 40 77 6c 61 6e 2e 6d 6e 63 30 30 31 2e 6d 63 63 32 30 38 2e 33 67 70 70 6e 65 74 77 6f 72 6b 2e 6f 72 67 50 12 7a a1 76 b9 ad c5 60 a9 07 2f 81 bd 62 82 e0 34 04 06 0a 14 00 00 20 0a 4c 69 76 65 42 6f 78 31 1f 13 46 37 3a 42 42 3a 43 38 3a 32 45 3a 42 36 3a 36 31 4f 3a 02 2f 00 38 01 31 32 30 38 30 31 30 30 30 30 30 30 30 30 30 32 40 77 6c 61 6e 2e 6d 6e 63 30 30 31 2e 6d 63 63 32 30 38 2e 33 67 70 70 6e 65 74 77 6f 72 6b 2e 6f 72 67 21 05 32 30 32 User-Name = '1208010000000002@wlan.mnc001.mcc208.3gppnetwork.org' Message-Authenticator = 0x7aa176b9adc560a9072f81bd6282e034 NAS-IP-Address = 10.20.0.0 NAS-Identifier = 'LiveBox1' Calling-Station-Id = 'F7:BB:C8:2E:B6:61' EAP-Message = 0x022f0038013132303830313030303030303030303240776c616e2e6d6e633030312e6d63633230382e336770706e6574776f726b2e6f7267 Proxy-State = 0x323032 Wed Jun 11 18:55:50 2014 : Debug: (0) # Executing section authorize from file /opt/application/sim3gppb/current/etc/raddb/sites-enabled/server-sim3gpp-b Wed Jun 11 18:55:50 2014 : Debug: (0) authorize { Wed Jun 11 18:55:50 2014 : Debug: (0) modsingle[authorize]: calling files (rlm_files) for request 0 Wed Jun 11 18:55:50 2014 : Debug: (0) files : users: Matched entry DEFAULT at line 1 Wed Jun 11 18:55:50 2014 : Debug: (0) files : ::: FROM 0 TO 0 MAX 0 Wed Jun 11 18:55:50 2014 : Debug: (0) files : ::: TO in 0 out 0 Wed Jun 11 18:55:50 2014 : Debug: (0) modsingle[authorize]: returned from files (rlm_files) for request 0 Wed Jun 11 18:55:50 2014 : Debug: (0) [files] = ok Wed Jun 11 18:55:50 2014 : Debug: (0) modsingle[authorize]: calling eap (rlm_eap) for request 0 Wed Jun 11 18:55:50 2014 : Debug: (0) eap : EAP packet type response id 47 length 56 Wed Jun 11 18:55:50 2014 : Debug: (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize Wed Jun 11 18:55:50 2014 : Debug: (0) modsingle[authorize]: returned from eap (rlm_eap) for request 0 Wed Jun 11 18:55:50 2014 : Debug: (0) [eap] = ok Wed Jun 11 18:55:50 2014 : Debug: (0) } # authorize = ok Wed Jun 11 18:55:50 2014 : Debug: (0) Found Auth-Type = EAP Wed Jun 11 18:55:50 2014 : Debug: (0) # Executing group from file /opt/application/sim3gppb/current/etc/raddb/sites-enabled/server-sim3gpp-b Wed Jun 11 18:55:50 2014 : Debug: (0) authenticate { Wed Jun 11 18:55:50 2014 : Debug: (0) modsingle[authenticate]: calling eap (rlm_eap) for request 0 Wed Jun 11 18:55:50 2014 : Debug: (0) eap : Peer sent Identity (1) Wed Jun 11 18:55:50 2014 : Debug: (0) eap : Calling eap_sim to process EAP data Wed Jun 11 18:55:50 2014 : Debug: (0) eap : Underlying EAP-Type set EAP ID to 22 Wed Jun 11 18:55:50 2014 : Debug: (0) eap : New EAP session, adding 'State' attribute to reply 0xa0e39a96a0f58828 Wed Jun 11 18:55:50 2014 : Debug: (0) modsingle[authenticate]: returned from eap (rlm_eap) for request 0 Wed Jun 11 18:55:50 2014 : Debug: (0) [eap] = handled Wed Jun 11 18:55:50 2014 : Debug: (0) } # authenticate = handled Sending Access-Challenge Id 133 from 10.67.141.74:31812 to 10.67.106.10:58041 EAP-Message = 0x01160014120a00000f02000200010000110101bd 4f 16 01 16 00 14 12 0a 00 00 0f 02 00 02 00 01 00 00 11 01 01 bd Message-Authenticator = 0x00000000000000000000000000000000 50 12 ... State = 0xa0e39a96a0f588286d14f17f1bb6a974 18 12 a0 e3 9a 96 a0 f5 88 28 6d 14 f1 7f 1b b6 a9 74 Proxy-State = 0x323032 21 05 32 30 32 Code: 11 Id: 133 Length: 83 Vector: e51a3a64a9b0ba2d9df6ddd978b09a36 Data: 4f 16 01 16 00 14 12 0a 00 00 0f 02 00 02 00 01 00 00 11 01 01 bd 50 12 a6 57 63 1b 50 56 40 da f8 7e 5b 45 cd 23 a3 c7 18 12 a0 e3 9a 96 a0 f5 88 28 6d 14 f1 7f 1b b6 a9 74 21 05 32 30 32 Wed Jun 11 18:55:50 2014 : Debug: (0) Finished request Regards, Nicolas. This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
Chaigneau, Nicolas wrote:
I've noticed some changes to eapsimlib.c (not sure if it's linked...) in the following commit : https://github.com/FreeRADIUS/freeradius-server/commit/39df09e42d80a96363be0...
So I tried a prior commit : https://github.com/FreeRADIUS/freeradius-server/tree/7edb8dd4a91d0111da0950e... With this version I don't have the problem.
The only differences in eapsimlib are to change some header definitions: .... $ git diff 7edb8dd4a91..39df09e42d80 src/modules/rlm_eap/libeap/eapsimlib.c diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c index 8afed40..c2975ed 100644 --- a/src/modules/rlm_eap/libeap/eapsimlib.c +++ b/src/modules/rlm_eap/libeap/eapsimlib.c @@ -408,7 +408,7 @@ int eapsim_checkmac(TALLOC_CTX *ctx, VALUE_PAIR *rvps, uint8_t key[EAPSIM_AUTH_S */ attr = buffer+8; while(attr < (buffer+elen)) { - if(attr[0] == PW_EAP_SIM_MAC) { + if (attr[0] == (PW_EAP_SIM_MAC - PW_EAP_SIM_BASE)) { /* zero the data portion, after making sure * the size is >=5. Maybe future versions. * will use more bytes, so be liberal. .... That shouldn't affect anything. Can you confirm that the commit before 39df09e42d works? If so, the fix should be simple. Alan DeKok.
On 11 Jun 2014, at 18:42, Alan DeKok <aland@deployingradius.com> wrote:
Chaigneau, Nicolas wrote:
I've noticed some changes to eapsimlib.c (not sure if it's linked...) in the following commit : https://github.com/FreeRADIUS/freeradius-server/commit/39df09e42d80a96363be0...
So I tried a prior commit : https://github.com/FreeRADIUS/freeradius-server/tree/7edb8dd4a91d0111da0950e... With this version I don't have the problem.
The only differences in eapsimlib are to change some header definitions:
.... $ git diff 7edb8dd4a91..39df09e42d80 src/modules/rlm_eap/libeap/eapsimlib.c diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c index 8afed40..c2975ed 100644 --- a/src/modules/rlm_eap/libeap/eapsimlib.c +++ b/src/modules/rlm_eap/libeap/eapsimlib.c @@ -408,7 +408,7 @@ int eapsim_checkmac(TALLOC_CTX *ctx, VALUE_PAIR *rvps, uint8_t key[EAPSIM_AUTH_S */ attr = buffer+8; while(attr < (buffer+elen)) { - if(attr[0] == PW_EAP_SIM_MAC) { + if (attr[0] == (PW_EAP_SIM_MAC - PW_EAP_SIM_BASE)) { /* zero the data portion, after making sure * the size is >=5. Maybe future versions. * will use more bytes, so be liberal. ....
That shouldn't affect anything.
Can you confirm that the commit before 39df09e42d works? If so, the fix should be simple.
Or try the latest head... we still had a bunch of duplicate c preprocessor macros for the attribute numbers, and i'd messed up the fallback to searching in the reply list. That broke between v3.0.2 and v3.0.3, though it could be worked around by putting the triplets in the control list, which i'm guessing is what you're doing... Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
I've rebuilt with the latest 3.0.x HEAD commit. I still have the same issue: Received Access-Request Id 193 from 10.67.106.10:58041 to 10.67.141.74:31812 length 189 Code: 1 Id: 193 Length: 189 Vector: 35d595e426b9322bff64f012f33e1119 Data: 01 35 31 32 30 38 30 31 30 30 30 30 30 30 30 30 30 32 40 77 6c 61 6e 2e 6d 6e 63 30 30 31 2e 6d 63 63 32 30 38 2e 33 67 70 70 6e 65 74 77 6f 72 6b 2e 6f 72 67 50 12 60 1c 1a fe 28 fd b9 c9 0e 36 49 1f 51 09 13 cb 04 06 0a 14 00 00 20 0a 4c 69 76 65 42 6f 78 31 1f 13 46 37 3a 42 42 3a 43 38 3a 32 45 3a 42 36 3a 36 31 4f 3a 02 3f 00 38 01 31 32 30 38 30 31 30 30 30 30 30 30 30 30 30 32 40 77 6c 61 6e 2e 6d 6e 63 30 30 31 2e 6d 63 63 32 30 38 2e 33 67 70 70 6e 65 74 77 6f 72 6b 2e 6f 72 67 21 05 31 36 31 User-Name = '1208010000000002@wlan.mnc001.mcc208.3gppnetwork.org' Message-Authenticator = 0x601c1afe28fdb9c90e36491f510913cb NAS-IP-Address = 10.20.0.0 NAS-Identifier = 'LiveBox1' Calling-Station-Id = 'F7:BB:C8:2E:B6:61' EAP-Message = 0x023f0038013132303830313030303030303030303240776c616e2e6d6e633030312e6d63633230382e336770706e6574776f726b2e6f7267 Proxy-State = 0x313631 Thu Jun 12 10:19:05 2014 : Debug: (0) # Executing section authorize from file /opt/application/sim3gppb/current/etc/raddb/sites-enabled/server-sim3gpp-b Thu Jun 12 10:19:05 2014 : Debug: (0) authorize { Thu Jun 12 10:19:05 2014 : Debug: (0) modsingle[authorize]: calling files (rlm_files) for request 0 Thu Jun 12 10:19:05 2014 : Debug: (0) files : users: Matched entry DEFAULT at line 1 Thu Jun 12 10:19:05 2014 : Debug: (0) files : ::: FROM 0 TO 0 MAX 0 Thu Jun 12 10:19:05 2014 : Debug: (0) files : ::: TO in 0 out 0 Thu Jun 12 10:19:05 2014 : Debug: (0) modsingle[authorize]: returned from files (rlm_files) for request 0 Thu Jun 12 10:19:05 2014 : Debug: (0) [files] = ok Thu Jun 12 10:19:05 2014 : Debug: (0) modsingle[authorize]: calling eap (rlm_eap) for request 0 Thu Jun 12 10:19:05 2014 : Debug: (0) eap : EAP packet type response id 63 length 56 Thu Jun 12 10:19:05 2014 : Debug: (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize Thu Jun 12 10:19:05 2014 : Debug: (0) modsingle[authorize]: returned from eap (rlm_eap) for request 0 Thu Jun 12 10:19:05 2014 : Debug: (0) [eap] = ok Thu Jun 12 10:19:05 2014 : Debug: (0) } # authorize = ok Thu Jun 12 10:19:05 2014 : Debug: (0) Found Auth-Type = EAP Thu Jun 12 10:19:05 2014 : Debug: (0) # Executing group from file /opt/application/sim3gppb/current/etc/raddb/sites-enabled/server-sim3gpp-b Thu Jun 12 10:19:05 2014 : Debug: (0) authenticate { Thu Jun 12 10:19:05 2014 : Debug: (0) modsingle[authenticate]: calling eap (rlm_eap) for request 0 Thu Jun 12 10:19:05 2014 : Debug: (0) eap : Peer sent Identity (1) Thu Jun 12 10:19:05 2014 : Debug: (0) eap : Calling eap_sim to process EAP data Thu Jun 12 10:19:05 2014 : Debug: (0) eap : Underlying EAP-Type set EAP ID to 121 Thu Jun 12 10:19:05 2014 : Debug: (0) eap : New EAP session, adding 'State' attribute to reply 0xa8ab2afea8d238ec Thu Jun 12 10:19:05 2014 : Debug: (0) modsingle[authenticate]: returned from eap (rlm_eap) for request 0 Thu Jun 12 10:19:05 2014 : Debug: (0) [eap] = handled Thu Jun 12 10:19:05 2014 : Debug: (0) } # authenticate = handled Sending Access-Challenge Id 193 from 10.67.141.74:31812 to 10.67.106.10:58041 EAP-Message = 0x01790008120a0000 4f 0a 01 79 00 08 12 0a 00 00 Message-Authenticator = 0x00000000000000000000000000000000 50 12 ... State = 0xa8ab2afea8d238ec4956f8ce757a9e32 18 12 a8 ab 2a fe a8 d2 38 ec 49 56 f8 ce 75 7a 9e 32 Proxy-State = 0x313631 21 05 31 36 31 Code: 11 Id: 193 Length: 71 Vector: 0e34bd79e3526936947128728e3576b1 Data: 4f 0a 01 79 00 08 12 0a 00 00 50 12 12 8a 55 2f a5 f5 61 bd ef e8 85 a4 e2 2a 97 83 18 12 a8 ab 2a fe a8 d2 38 ec 49 56 f8 ce 75 7a 9e 32 21 05 31 36 31 Thu Jun 12 10:19:05 2014 : Debug: (0) Finished request Thu Jun 12 10:19:05 2014 : Debug: Waking up in 0.3 seconds. Thu Jun 12 10:19:05 2014 : Debug: (0) Cleaning up request packet ID 193 with timestamp +76 Thu Jun 12 10:19:05 2014 : Info: Ready to process requests -----Message d'origine----- De : freeradius-users-bounces+nicolas.chaigneau=capgemini.com@lists.freeradius.org [mailto:freeradius-users-bounces+nicolas.chaigneau=capgemini.com@lists.freeradius.org] De la part de Arran Cudbard-Bell Envoyé : mercredi 11 juin 2014 19:58 À : FreeRadius users mailing list Objet : Re: 3.0.x - Issue with EAP-SIM - EAP-Message too short in Challenge On 11 Jun 2014, at 18:42, Alan DeKok <aland@deployingradius.com> wrote:
Chaigneau, Nicolas wrote:
I've noticed some changes to eapsimlib.c (not sure if it's linked...) in the following commit : https://github.com/FreeRADIUS/freeradius-server/commit/39df09e42d80a9 6363be0bddee2ff0ba97fdb035
So I tried a prior commit : https://github.com/FreeRADIUS/freeradius-server/tree/7edb8dd4a91d0111 da0950e21c113cfc3e4d2a28 With this version I don't have the problem.
The only differences in eapsimlib are to change some header definitions:
.... $ git diff 7edb8dd4a91..39df09e42d80 src/modules/rlm_eap/libeap/eapsimlib.c diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c index 8afed40..c2975ed 100644 --- a/src/modules/rlm_eap/libeap/eapsimlib.c +++ b/src/modules/rlm_eap/libeap/eapsimlib.c @@ -408,7 +408,7 @@ int eapsim_checkmac(TALLOC_CTX *ctx, VALUE_PAIR *rvps, uint8_t key[EAPSIM_AUTH_S */ attr = buffer+8; while(attr < (buffer+elen)) { - if(attr[0] == PW_EAP_SIM_MAC) { + if (attr[0] == (PW_EAP_SIM_MAC - + PW_EAP_SIM_BASE)) { /* zero the data portion, after making sure * the size is >=5. Maybe future versions. * will use more bytes, so be liberal. ....
That shouldn't affect anything.
Can you confirm that the commit before 39df09e42d works? If so, the fix should be simple.
Or try the latest head... we still had a bunch of duplicate c preprocessor macros for the attribute numbers, and i'd messed up the fallback to searching in the reply list. That broke between v3.0.2 and v3.0.3, though it could be worked around by putting the triplets in the control list, which i'm guessing is what you're doing... Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
-----Message d'origine-----
Or try the latest head... we still had a bunch of duplicate c preprocessor macros for the attribute numbers, and i'd messed up the fallback to searching in the reply list.
That broke between v3.0.2 and v3.0.3, though it could be worked around by putting the triplets in the control list, which i'm guessing is what you're doing...
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
I assumed putting them in the control list was the correct way to do it in FreeRADIUS 3... Is the following syntax for a "files" entry still correct ? 1208010000000002@wlan.mnc001.mcc208.3gppnetwork.org EAP-Type := SIM, EAP-Sim-Rand1 += 0x00000000000000000000000000000001, EAP-Sim-SRES1 += 0x527802AC, EAP-Sim-KC1 += 0x1D360B8913989912, EAP-Sim-Rand2 += 0x00000000000000000000000000000002, EAP-Sim-SRES2 += 0x373CE2FD, EAP-Sim-KC2 += 0x9D78B5507500483E, EAP-Sim-Rand3 += 0x00000000000000000000000000000003, EAP-Sim-SRES3 += 0xBA83404A, EAP-Sim-KC3 += 0xE79E10D04CFC08FE Or should I put the SIM triplets in "reply" instead of "control" ? This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On 12 Jun 2014, at 09:41, Chaigneau, Nicolas <nicolas.chaigneau@capgemini.com> wrote:
-----Message d'origine-----
Or try the latest head... we still had a bunch of duplicate c preprocessor macros for the attribute numbers, and i'd messed up the fallback to searching in the reply list.
That broke between v3.0.2 and v3.0.3, though it could be worked around by putting the triplets in the control list, which i'm guessing is what you're doing...
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
I assumed putting them in the control list was the correct way to do it in FreeRADIUS 3...
Is the following syntax for a "files" entry still correct ?
1208010000000002@wlan.mnc001.mcc208.3gppnetwork.org EAP-Type := SIM, EAP-Sim-Rand1 += 0x00000000000000000000000000000001, EAP-Sim-SRES1 += 0x527802AC, EAP-Sim-KC1 += 0x1D360B8913989912, EAP-Sim-Rand2 += 0x00000000000000000000000000000002, EAP-Sim-SRES2 += 0x373CE2FD, EAP-Sim-KC2 += 0x9D78B5507500483E, EAP-Sim-Rand3 += 0x00000000000000000000000000000003, EAP-Sim-SRES3 += 0xBA83404A, EAP-Sim-KC3 += 0xE79E10D04CFC08FE
Or should I put the SIM triplets in "reply" instead of "control" ?
no, keep them in control. This is just weird *sigh*. I'm guessing radeapclient can be used to test this locally? Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Yes. I'm using my own version, but radeapclient should be fine to test this.
I'm guessing radeapclient can be used to test this locally?
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
Hello, Did you have time to look into this ? (note that this is not blocking for me, for now I'm using an older FreeRADIUS version for my simulator) Regards, Nicolas. -----Message d'origine----- De : freeradius-users-bounces+nicolas.chaigneau=capgemini.com@lists.freeradius.org [mailto:freeradius-users-bounces+nicolas.chaigneau=capgemini.com@lists.freeradius.org] De la part de Arran Cudbard-Bell Envoyé : jeudi 12 juin 2014 11:22 À : FreeRadius users mailing list Objet : Re: 3.0.x - Issue with EAP-SIM - EAP-Message too short in Challenge On 12 Jun 2014, at 09:41, Chaigneau, Nicolas <nicolas.chaigneau@capgemini.com> wrote:
-----Message d'origine-----
Or try the latest head... we still had a bunch of duplicate c preprocessor macros for the attribute numbers, and i'd messed up the fallback to searching in the reply list.
That broke between v3.0.2 and v3.0.3, though it could be worked around by putting the triplets in the control list, which i'm guessing is what you're doing...
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
I assumed putting them in the control list was the correct way to do it in FreeRADIUS 3...
Is the following syntax for a "files" entry still correct ?
1208010000000002@wlan.mnc001.mcc208.3gppnetwork.org EAP-Type := SIM, EAP-Sim-Rand1 += 0x00000000000000000000000000000001, EAP-Sim-SRES1 += 0x527802AC, EAP-Sim-KC1 += 0x1D360B8913989912, EAP-Sim-Rand2 += 0x00000000000000000000000000000002, EAP-Sim-SRES2 += 0x373CE2FD, EAP-Sim-KC2 += 0x9D78B5507500483E, EAP-Sim-Rand3 += 0x00000000000000000000000000000003, EAP-Sim-SRES3 += 0xBA83404A, EAP-Sim-KC3 += 0xE79E10D04CFC08FE
Or should I put the SIM triplets in "reply" instead of "control" ?
no, keep them in control. This is just weird *sigh*. I'm guessing radeapclient can be used to test this locally? Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
Yes, I confirm it works on a build with the following commit (2014/06/01): 7edb8dd4a91d0111da0950e21c113cfc3e4d2a28 But I don't know exactly on which commit it stopped working since... -----Message d'origine----- De : freeradius-users-bounces+nicolas.chaigneau=capgemini.com@lists.freeradius.org [mailto:freeradius-users-bounces+nicolas.chaigneau=capgemini.com@lists.freeradius.org] De la part de Alan DeKok Envoyé : mercredi 11 juin 2014 19:43 À : FreeRadius users mailing list Objet : Re: 3.0.x - Issue with EAP-SIM - EAP-Message too short in Challenge Chaigneau, Nicolas wrote:
I've noticed some changes to eapsimlib.c (not sure if it's linked...) in the following commit : https://github.com/FreeRADIUS/freeradius-server/commit/39df09e42d80a96 363be0bddee2ff0ba97fdb035
So I tried a prior commit : https://github.com/FreeRADIUS/freeradius-server/tree/7edb8dd4a91d0111d a0950e21c113cfc3e4d2a28 With this version I don't have the problem.
The only differences in eapsimlib are to change some header definitions: .... $ git diff 7edb8dd4a91..39df09e42d80 src/modules/rlm_eap/libeap/eapsimlib.c diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c index 8afed40..c2975ed 100644 --- a/src/modules/rlm_eap/libeap/eapsimlib.c +++ b/src/modules/rlm_eap/libeap/eapsimlib.c @@ -408,7 +408,7 @@ int eapsim_checkmac(TALLOC_CTX *ctx, VALUE_PAIR *rvps, uint8_t key[EAPSIM_AUTH_S */ attr = buffer+8; while(attr < (buffer+elen)) { - if(attr[0] == PW_EAP_SIM_MAC) { + if (attr[0] == (PW_EAP_SIM_MAC - + PW_EAP_SIM_BASE)) { /* zero the data portion, after making sure * the size is >=5. Maybe future versions. * will use more bytes, so be liberal. .... That shouldn't affect anything. Can you confirm that the commit before 39df09e42d works? If so, the fix should be simple. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
Enrique Sainz Baixauli wrote:
Now I downloaded the package again, extracted it, cd'ed into it extracted and ran 'make deb'... twenty minutes later it's still running ./configure for each freeradius module over and over...
It doesn't do that on normal systems. I don't even see why it would do that on systems with a broken time / file system.
Then it goes on to another module and prints those messages again. So I wonder why this fails (or doesn't get to end) in my system but runs peacefully in yours :S
Our systems aren't broken. The "make" tool has been around for 30 years now. If it doesn't work on your system, then (a) "make" is broken, or (b) your system is broken. Alan DeKok.
On Mon, Jun 9, 2014 at 3:27 PM, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
(5) foreach &control:LDAP-Group (5) update reply { Segmentation fault
In update reply {} there is only one line of code:
&Ruckus-User-Groups += "%{Foreach-Variable-0}"
Just in case this is something simple, I noticed that Arran's previous suggestion was update reply { Ruckus-User-Group += "%{Foreach-Variable-0}" } Have you tried that (i.e. without the "&" sign)? -- Fajar
In update reply {} there is only one line of code:
&Ruckus-User-Groups += "%{Foreach-Variable-0}"
Just in case this is something simple, I noticed that Arran's previous suggestion was
update reply { Ruckus-User-Group += "%{Foreach-Variable-0}" }
Have you tried that (i.e. without the "&" sign)?
Tried that, segfaults anyway. The error looks the same (bad talloc magic value - unknown value), but if you want I can paste another bunch of output :) Thanks anyway!
On 27 May 2014, at 12:21, Enrique Sainz Baixauli <enriquesainz.beca@intef.educacion.es> wrote:
My suggestion again is to try v3.0.3, or debug the v2.x.x code yourself.
It was weeks of effort to rewrite the rlm_ldap module for version v3.0.x, it was done for a reason.
-Arran
Ok, so I'm trying to build version 3.0.3 for debian and I'm stuck at dpkg-buildpackage because it looks like it's running the configure step for rlm_mschap over and over:
CONFIGURE src/modules/rlm_mschap/ checking stuff... checking more stuff... [...] configure: creating ./config.status config.status: creating rlm_mschap.mk config.status: creating config.h config.status: config.h is unchanged make[1]: leaving directory '/path/to/freeradius-server-3.0.3' make[1]: entering directory '/path/to/freeradius-server-3.0.3' make[1]: warning: file 'raddb/all.mk' has a mtime 1.4e+05 in the future CONFIGURE src/modules/rlm_mschap/
Over and over for the last hour... but it shouldn't take so long to build, right? Thanks again!
You're trying to build it in an NFS mounted directory? Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Enrique Sainz Baixauli wrote:
Ok, so I'm trying to build version 3.0.3 for debian and I'm stuck at dpkg-buildpackage because it looks like it's running the configure step for rlm_mschap over and over:
Probably because your system is broken. "make" depends on timestamps. If the timestamps are wrong, "make" doesn't do the right thing. Don't use NFS for builds. Or, ensure that all of the systems have the same time. Alan DeKok.
participants (8)
-
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Chaigneau, Nicolas -
Enrique Sainz Baixauli -
Fajar A. Nugraha -
Jefferson Davis -
Stefan Paetow