rlm_perl added pairs disapear after eap authentication
Hi there list, After getting (p)eap an mschap working I'm faced with the following problem: The client gets authenticated through mschap and receives an Access-Accept but the rlm_perl added pair which where added in request 0 are not send to the client. Resulting in a client ending up in the wrong vlan. I've tried several things to resolve this but with no result. One of which was running the perl code in a post-auth event. This resulted in something like 250 requests and the client not connecting., Two things strike me as odd: - There is a warning about 2 auth-types - perl and eap - Why does the authorization run first? I would have thought authentication comes first. Below the trace and versions. Peter FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 24 2011 at 07:53:12 Ubuntu 64bit 12.04 (wheezy/sid) FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 24 2011 at 07:53:12 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client sysop-2 { ipaddr = 10.0.0.20 require_message_authenticator = no secret = "testing123" nastype = "other" } client ap { ipaddr = 10.0.9.48 require_message_authenticator = no secret = "testing123" nastype = "cisco" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Instantiating module "ntlm_auth" from file /etc/freeradius/modules/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=ATLAS --username=%{mschap:User-Name} --password=%{User-Password}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-ATLAS} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Linked to module rlm_perl Module: Instantiating module "perl" from file /etc/freeradius/modules/perl perl { module = "/etc/freeradius/example.pl" func_authorize = "authorize" func_authenticate = "authenticate" func_accounting = "accounting" func_preacct = "preacct" func_checksimul = "checksimul" func_detach = "detach" func_xlat = "xlat" func_pre_proxy = "pre_proxy" func_post_proxy = "post_proxy" func_post_auth = "post_auth" func_recv_coa = "recv_coa" func_send_coa = "send_coa" } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=202, length=210 User-Name = "host/lt-pkn.atlas.atlascollege.nl" Framed-MTU = 1400 Called-Station-Id = "0019.070a.a011" Calling-Station-Id = "0016.eae4.d5aa" Cisco-AVPair = "ssid=geengast" Service-Type = Login-User Message-Authenticator = 0xe29cf9a9ecd3cbce938b7d4917ea7286 EAP-Message = 0x0202002601686f73742f6c742d706b6e2e61746c61732e61746c6173636f6c6c656765 2e6e6c NAS-Port-Type = Wireless-802.11 NAS-Port = 389 NAS-Port-Id = "389" NAS-IP-Address = 10.0.9.48 NAS-Identifier = "radtest" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 38 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 209 ++[files] returns ok rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Login-User rlm_perl: Added pair Calling-Station-Id = 0016.eae4.d5aa rlm_perl: Added pair Called-Station-Id = 0019.070a.a011 rlm_perl: Added pair Message-Authenticator = 0xe29cf9a9ecd3cbce938b7d4917ea7286 rlm_perl: Added pair Cisco-AVPair = ssid=geengast rlm_perl: Added pair User-Name = host/lt-pkn.atlas.atlascollege.nl rlm_perl: Added pair NAS-Identifier = radtest rlm_perl: Added pair EAP-Message = 0x0202002601686f73742f6c742d706b6e2e61746c61732e61746c6173636f6c6c656765 2e6e6c rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-IP-Address = 10.0.9.48 rlm_perl: Added pair NAS-Port = 389 rlm_perl: Added pair NAS-Port-Id = 389 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair Tunnel-Private-Group-ID = 101 rlm_perl: Added pair Session-Timeout = 250 rlm_perl: Added pair Tunnel-Type = 13 rlm_perl: Added pair Tunnel-Medium-Type = 6 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 202 to 10.0.9.48 port 1645 Tunnel-Private-Group-Id:0 = "101" Session-Timeout = 250 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa8b288efa8831bb8df0c9954079019a Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=203, length=295 User-Name = "host/lt-pkn.atlas.atlascollege.nl" Framed-MTU = 1400 Called-Station-Id = "0019.070a.a011" Calling-Station-Id = "0016.eae4.d5aa" Cisco-AVPair = "ssid=geengast" Service-Type = Login-User Message-Authenticator = 0xb1f4bca9888d29b9737e493878e3d421 EAP-Message = 0x0203006919800000005f160301005a0100005603014fc73361cfa763a813cd492895c4 7eaa37aedcae0683cf4fad46d7cfdbfe1f5a000018002f00350005000ac013c014c009c0 0a003200380013000401000015ff01000100000a0006000400170018000b00020100 NAS-Port-Type = Wireless-802.11 NAS-Port = 389 NAS-Port-Id = "389" State = 0xfa8b288efa8831bb8df0c9954079019a NAS-IP-Address = 10.0.9.48 NAS-Identifier = "radtest" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 105 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 95 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 02ae], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 203 to 10.0.9.48 port 1645 EAP-Message = 0x010402f8190016030100310200002d03014fc7334922ea9802ba6fd82e47b9eb5abed5 e3075ad553d92a0502656236500000002f000005ff0100010016030102ae0b0002aa0002 a70002a4308202a03082018802090093612d39d755e4c6300d06092a864886f70d010105 050030123110300e0603550403130772616474657374301e170d31323035323231313430 33325a170d3232303532303131343033325a30123110300e060355040313077261647465 737430820122300d06092a864886f70d01010105000382010f003082010a0282010100ad 3ae0a6b058a19f697fd586bbbabf66f43779ad771cde66d4dbdbf2b824510c485ab969b8 8ac7 EAP-Message = 0x6a7ba5b8d15fd768890756ef6e606f27d21623f0fa9bfc07dc282a4db2de57fe048773 02e4d91bb921dba6fbafd77da8f8b5eb2082949a8b522092418771ff67d4a186c80b3bd7 d84a89da318eef50b16c931948ef882001269f33d39a0b3644b09125668e4423124eb7ca b5b85a6b92428edfe4ee1c789b9add3f478b718f4665737afe87a85a7f6580db9c42d204 6aa5263bba39ec6c455dbb80702244dfe3f50a361cb29b66eba17e668cfd860a0ec28f05 b70cc2cc5eea96c4520ea1dd5a237e26034e7ef0a3c82d42ae455c15c9d5a5149d568c13 346f0203010001300d06092a864886f70d010105050003820101000c9d1ae5dbcc0b4fae fe91 EAP-Message = 0x9f91d3e971823a0df53cf3783498064e1dbac81a510fcc1162bc2f3e7ab14958d208d1 4653a210430589233379b05bc27611322d9c636da1c6ba154e1f10d6bd4afadfed812e50 4811a8c0b9301a3303cce719f2f78828beaf92d08d21c43cbb001ddf6ea3e57c0c0e24c0 f1a11db8d2d90779dd4860af589161db5633cd1618a87e56500834601697b4eaab460907 d3305686421ab9912d14f33589f1ea98fe2da40497047c35a9436721d0a6703b0fd074c4 3d5673d48706ebd00aaf5efc94f31b5407b43278871a2e56822173ff21811f03657a640b d912d1b52f4844976c13658655ebab73bcc79299df2830a2f8b1a984d85716030100040e 0000 EAP-Message = 0x00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa8b288efb8f31bb8df0c9954079019a Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=204, length=528 User-Name = "host/lt-pkn.atlas.atlascollege.nl" Framed-MTU = 1400 Called-Station-Id = "0019.070a.a011" Calling-Station-Id = "0016.eae4.d5aa" Cisco-AVPair = "ssid=geengast" Service-Type = Login-User Message-Authenticator = 0x8297464cc5d683623a7610651854dd3e EAP-Message = 0x0204015019800000014616030101061000010201003984f63af6565c1a71d6ca259f81 dbf2194e47cae6f46c5e3c802bea536c17bbad61ea61a89102f672aa22601466e46bb1a7 83d41759125f8ba1174ce7a55b0032997e2606cdfa1e6c015d51a2e1ac6e5751ca48a26c 33df07d8d3fa2327c5dbe2c39f09b688850a06a45ffb1dd46718cf620e5a583393b450fb 66e0a64bb618f84b45292940cceeb1a79907374125d7aed6070943cc9557613ee9bff5db c0efdc61145238e349b343bce6e8032fe69b9f769100b021819cd532e66a4dbab9decdd0 adec15598a86993cc9105aafcb937d62229d5b02d530d66e49875a6ce6b0061ffb20b2c1 13d8 EAP-Message = 0x465df29cbfb7867a6e326bc5833ab5619c421643e0976b8d1403010001011603010030 7409547395973a8f1dd53ca88878b699e118d5042d0ec13681f7bce17fd6af272e2053cf c663c966a8dd362722af3684 NAS-Port-Type = Wireless-802.11 NAS-Port = 389 NAS-Port-Id = "389" State = 0xfa8b288efb8f31bb8df0c9954079019a NAS-IP-Address = 10.0.9.48 NAS-Identifier = "radtest" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 204 to 10.0.9.48 port 1645 EAP-Message = 0x0105004119001403010001011603010030b44fd787ae0d0ad9df11ad9e7c34e5309ff1 4efaaf30a8f24eccb23a628bde5320bbe9d461ce50186a0d260a5450d9e1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa8b288ef88e31bb8df0c9954079019a Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=205, length=196 User-Name = "host/lt-pkn.atlas.atlascollege.nl" Framed-MTU = 1400 Called-Station-Id = "0019.070a.a011" Calling-Station-Id = "0016.eae4.d5aa" Cisco-AVPair = "ssid=geengast" Service-Type = Login-User Message-Authenticator = 0x43082862e1ec75cac73daf2685e9089a EAP-Message = 0x020500061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 389 NAS-Port-Id = "389" State = 0xfa8b288ef88e31bb8df0c9954079019a NAS-IP-Address = 10.0.9.48 NAS-Identifier = "radtest" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 205 to 10.0.9.48 port 1645 EAP-Message = 0x0106002b19001703010020054299ee7054795987b8ffa05baf241e11bf2cfbd8a59fb7 dfa152855b2b9010 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa8b288ef98d31bb8df0c9954079019a Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=206, length=265 User-Name = "host/lt-pkn.atlas.atlascollege.nl" Framed-MTU = 1400 Called-Station-Id = "0019.070a.a011" Calling-Station-Id = "0016.eae4.d5aa" Cisco-AVPair = "ssid=geengast" Service-Type = Login-User Message-Authenticator = 0x68aa7f1b7c3e6edd8a86f5d00dbcf8a0 EAP-Message = 0x0206004b19001703010040e4a88b3269302d6cfce6b1a7989d18617e49499b98d34f06 845ebb556174a44eddc8752ae1709c96aa0501fdbb077d31f706ac32123100731f075910 02136df9 NAS-Port-Type = Wireless-802.11 NAS-Port = 389 NAS-Port-Id = "389" State = 0xfa8b288ef98d31bb8df0c9954079019a NAS-IP-Address = 10.0.9.48 NAS-Identifier = "radtest" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 75 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - host/lt-pkn.atlas.atlascollege.nl [peap] Got inner identity 'host/lt-pkn.atlas.atlascollege.nl' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0206002601686f73742f6c742d706b6e2e61746c61732e61746c6173636f6c6c656765 2e6e6c server { PEAP: Setting User-Name to host/lt-pkn.atlas.atlascollege.nl Sending tunneled request EAP-Message = 0x0206002601686f73742f6c742d706b6e2e61746c61732e61746c6173636f6c6c656765 2e6e6c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/lt-pkn.atlas.atlascollege.nl" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [files] users: Matched entry DEFAULT at line 209 ++[files] returns ok rlm_perl: Added pair User-Name = host/lt-pkn.atlas.atlascollege.nl rlm_perl: Added pair EAP-Message = 0x0206002601686f73742f6c742d706b6e2e61746c61732e61746c6173636f6c6c656765 2e6e6c rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Auth-Type = Perl rlm_perl: Added pair Proxy-To-Realm = LOCAL rlm_perl: Added pair EAP-Type = MS-CHAP-V2 ++[perl] returns noop [eap] EAP packet type response id 6 length 38 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = Perl Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'host/lt-pkn.atlas.atlascollege.nl' # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0107003b1a010700361052c2c92bbd0e87883b4b4f0274aba0d2686f73742f6c742d70 6b6e2e61746c61732e61746c6173636f6c6c6567652e6e6c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed1f2576ed183f556982a467baafe64e [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0107003b1a010700361052c2c92bbd0e87883b4b4f0274aba0d2686f73742f6c742d70 6b6e2e61746c61732e61746c6173636f6c6c6567652e6e6c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed1f2576ed183f556982a467baafe64e [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 206 to 10.0.9.48 port 1645 EAP-Message = 0x0107005b190017030100506963cc9b3e61da63080f3f4649e097ce960af7145c127858 b6e32f795b6a8768628888fc569f050c4e9ff7581b993f91c83610dcebc1f97097dd1385 520f0e66cd7d6c63c0b4afe5a0d526f13917e99e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa8b288efe8c31bb8df0c9954079019a Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=207, length=313 User-Name = "host/lt-pkn.atlas.atlascollege.nl" Framed-MTU = 1400 Called-Station-Id = "0019.070a.a011" Calling-Station-Id = "0016.eae4.d5aa" Cisco-AVPair = "ssid=geengast" Service-Type = Login-User Message-Authenticator = 0xe33f0b004c2ca6563de0b3ad8040eed7 EAP-Message = 0x0207007b19001703010070beb17e8fe13c07a0d805fe4183f700b885c5f9204faa53ff 1cec4bc5774926082432d9443b371b83f91e3d73770c20a875836cad6a362464c52fd450 4f9522a09e6c2d7602f94a0130fce57149e9ba16f55da6cfe6a1946e4b9565975b423dc0 fd31defda2dcbeea261dcbd9faf9938e NAS-Port-Type = Wireless-802.11 NAS-Port = 389 NAS-Port-Id = "389" State = 0xfa8b288efe8c31bb8df0c9954079019a NAS-IP-Address = 10.0.9.48 NAS-Identifier = "radtest" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 123 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0207005c1a0207005731f4a74198ac9707e6d2e2de480af77ddc000000000000000074 9aed48b37215d879a819b543c8230fc1ea904c861be95000686f73742f6c742d706b6e2e 61746c61732e61746c6173636f6c6c6567652e6e6c server { PEAP: Setting User-Name to host/lt-pkn.atlas.atlascollege.nl Sending tunneled request EAP-Message = 0x0207005c1a0207005731f4a74198ac9707e6d2e2de480af77ddc000000000000000074 9aed48b37215d879a819b543c8230fc1ea904c861be95000686f73742f6c742d706b6e2e 61746c61732e61746c6173636f6c6c6567652e6e6c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/lt-pkn.atlas.atlascollege.nl" State = 0xed1f2576ed183f556982a467baafe64e server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [files] users: Matched entry DEFAULT at line 209 ++[files] returns ok rlm_perl: Added pair User-Name = host/lt-pkn.atlas.atlascollege.nl rlm_perl: Added pair EAP-Message = 0x0207005c1a0207005731f4a74198ac9707e6d2e2de480af77ddc000000000000000074 9aed48b37215d879a819b543c8230fc1ea904c861be95000686f73742f6c742d706b6e2e 61746c61732e61746c6173636f6c6c6567652e6e6c rlm_perl: Added pair State = 0xed1f2576ed183f556982a467baafe64e rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Auth-Type = Perl rlm_perl: Added pair Proxy-To-Realm = LOCAL ++[perl] returns noop [eap] EAP packet type response id 7 length 92 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = Perl Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'host/lt-pkn.atlas.atlascollege.nl' # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: host/lt-pkn.atlas.atlascollege.nl [mschap] Told to do MS-CHAPv2 for host/lt-pkn.atlas.atlascollege.nl with NT-Password [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=lt-pkn$ [mschap] expand: %{mschap:NT-Domain} -> atlas [mschap] expand: --domain=%{%{mschap:NT-Domain}:-ATLAS} -> --domain=atlas [mschap] mschap2: 52 [mschap] Creating challenge hash with username: host/lt-pkn.atlas.atlascollege.nl [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=2a115578878d4bc4 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=749aed48b37215d879a819b543c8230fc1ea904c861be950 Exec-Program output: NT_KEY: 0E4B3AC71048637A22E975629A7E708B Exec-Program-Wait: plaintext: NT_KEY: 0E4B3AC71048637A22E975629A7E708B Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800331a0307002e533d333044303431353546324430383542393832454638463339 44443846343330393345394445304230 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed1f2576ec173f556982a467baafe64e [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800331a0307002e533d333044303431353546324430383542393832454638463339 44443846343330393345394445304230 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed1f2576ec173f556982a467baafe64e [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 207 to 10.0.9.48 port 1645 EAP-Message = 0x0108005b190017030100502098e038ea3dda0988810bd213735cf28e6dc3a3d5669105 0ce3d24d50dd9e3c25b5dabc315f20b0c5cfdb599016c1875de725cd2c9be6206065cd5e 50d49ce05630243c395e4d6c8df6c9b770f41992 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa8b288eff8331bb8df0c9954079019a Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=208, length=233 User-Name = "host/lt-pkn.atlas.atlascollege.nl" Framed-MTU = 1400 Called-Station-Id = "0019.070a.a011" Calling-Station-Id = "0016.eae4.d5aa" Cisco-AVPair = "ssid=geengast" Service-Type = Login-User Message-Authenticator = 0x01f97cbd1a55a4b5d3c343a8bff50e32 EAP-Message = 0x0208002b19001703010020195414ca1d196ee92e32583f8298b7ea67f168be12401176 4e2561105941cb00 NAS-Port-Type = Wireless-802.11 NAS-Port = 389 NAS-Port-Id = "389" State = 0xfa8b288eff8331bb8df0c9954079019a NAS-IP-Address = 10.0.9.48 NAS-Identifier = "radtest" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800061a03 server { PEAP: Setting User-Name to host/lt-pkn.atlas.atlascollege.nl Sending tunneled request EAP-Message = 0x020800061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/lt-pkn.atlas.atlascollege.nl" State = 0xed1f2576ec173f556982a467baafe64e server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [files] users: Matched entry DEFAULT at line 209 ++[files] returns ok rlm_perl: Added pair User-Name = host/lt-pkn.atlas.atlascollege.nl rlm_perl: Added pair EAP-Message = 0x020800061a03 rlm_perl: Added pair State = 0xed1f2576ec173f556982a467baafe64e rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Auth-Type = Perl rlm_perl: Added pair Proxy-To-Realm = LOCAL ++[perl] returns noop [eap] EAP packet type response id 8 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = Perl Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'host/lt-pkn.atlas.atlascollege.nl' # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel } # server inner-tunnel [peap] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0xa2a8dbf6f2cfb9fdbd0b000663af7c62 MS-MPPE-Recv-Key = 0x2288dd50426a86ee2dca3737658de57c EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "host/lt-pkn.atlas.atlascollege.nl" [peap] Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0xa2a8dbf6f2cfb9fdbd0b000663af7c62 MS-MPPE-Recv-Key = 0x2288dd50426a86ee2dca3737658de57c EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "host/lt-pkn.atlas.atlascollege.nl" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 208 to 10.0.9.48 port 1645 EAP-Message = 0x0109002b19001703010020dc05ca7cb6357d0b606833914286d4570c9be8b49d0fb0e5 5712e1f7d1ee6020 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa8b288efc8231bb8df0c9954079019a Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=209, length=233 User-Name = "host/lt-pkn.atlas.atlascollege.nl" Framed-MTU = 1400 Called-Station-Id = "0019.070a.a011" Calling-Station-Id = "0016.eae4.d5aa" Cisco-AVPair = "ssid=geengast" Service-Type = Login-User Message-Authenticator = 0x810f84840491233963bd54edd7cd489d EAP-Message = 0x0209002b190017030100209393b67c4b83a3c60c318cbe352bac2f864b5fb9a1fe6a37 34b682ea4f6fa775 NAS-Port-Type = Wireless-802.11 NAS-Port = 389 NAS-Port-Id = "389" State = 0xfa8b288efc8231bb8df0c9954079019a NAS-IP-Address = 10.0.9.48 NAS-Identifier = "radtest" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 209 to 10.0.9.48 port 1645 MS-MPPE-Recv-Key = 0x33ecfbf5652ce567309f5f2b1710989bd8c1c1ef2e68386139e7c94f2eb06a75 MS-MPPE-Send-Key = 0x5c0639908bded95e2a61821743bf72ea714a6acc829016d7c4ce07edfdba4223 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "host/lt-pkn.atlas.atlascollege.nl" Finished request 7. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 202 with timestamp +10 Cleaning up request 1 ID 203 with timestamp +10 Cleaning up request 2 ID 204 with timestamp +10 Cleaning up request 3 ID 205 with timestamp +10 Cleaning up request 4 ID 206 with timestamp +10 Cleaning up request 5 ID 207 with timestamp +10 Cleaning up request 6 ID 208 with timestamp +10 Cleaning up request 7 ID 209 with timestamp +10 Ready to process requests.
Peter Kaagman wrote:
After getting (p)eap an mschap working I'm faced with the following problem: The client gets authenticated through mschap and receives an Access-Accept but the rlm_perl added pair which where added in request 0 are not send to the client.
That's how the server works. It doesn't cache attributes across multiple packets. You'll need to set the VLAN in the post-auth section. That's what it's for. Setting VLANs in the authorize section won't work.
I've tried several things to resolve this but with no result. One of which was running the perl code in a post-auth event. This resulted in something like 250 requests and the client not connecting.,
Uh.. it *will* work if you do it correctly. There's no magic. The client doesn't know about post-auth versus authorize.
Two things strike me as odd: - There is a warning about 2 auth-types - perl and eap
Do NOT set "Auth-Type = Perl". Why are you doing that?
- Why does the authorization run first? I would have thought authentication comes first.
The server runs authorize, authenticate, and then post-auth. The reasons are historical.
rlm_perl: Added pair User-Name = host/lt-pkn.atlas.atlascollege.nl rlm_perl: Added pair EAP-Message = 0x020800061a03 rlm_perl: Added pair State = 0xed1f2576ec173f556982a467baafe64e rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Auth-Type = Perl
Don't set that.
[peap] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0xa2a8dbf6f2cfb9fdbd0b000663af7c62 MS-MPPE-Recv-Key = 0x2288dd50426a86ee2dca3737658de57c EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "host/lt-pkn.atlas.atlascollege.nl"
In which you don't set any additional attributes.
Sending Access-Accept of id 209 to 10.0.9.48 port 1645 MS-MPPE-Recv-Key = 0x33ecfbf5652ce567309f5f2b1710989bd8c1c1ef2e68386139e7c94f2eb06a75 MS-MPPE-Send-Key = 0x5c0639908bded95e2a61821743bf72ea714a6acc829016d7c4ce07edfdba4223 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "host/lt-pkn.atlas.atlascollege.nl"
And you don't set any additional attributes here. Set the attributes in the post-auth section. It *will* work. If it doesn't, you did something wrong. Show *what* you did, what happened, and what you expected to see. Alan DeKok.
If it doesn't, you did something wrong. Show *what* you did, what happened, and what you expected to see.
Alan DeKok.
Thanks for the reply Alan. Haven't got a lab available at the moment will give it a shot tomorrow and get back to you. Off course I did something wrong.... no discussion there :D Funny thing is though... the attributes you tell me not to set in rlm_perl are set automagicly (at least to me it looks like magic at the moment)... I did not make them up ;) Neither do I manually set an auth-type other than a default one in the users file as instructed by the rlm_perl wiki page. But I will get back to you tomorrow with details on what I did and am trying to achieve. Peter
Peter Kaagman wrote:
Funny thing is though... the attributes you tell me not to set in rlm_perl are set automagicly (at least to me it looks like magic at the moment)... I did not make them up ;)
They're not set in the default configuration. Someone changed them. And it's local to you.
Neither do I manually set an auth-type other than a default one in the users file as instructed by the rlm_perl wiki page.
So... you DID change them. In case the Wiki doesn't make it clear, you ONLY set "Auth-Type = Perl" if you want the Perl module to be called during the authentication phase. So... don't set it. Delete that entry from the "users" file. Alan DeKok.
On Thu, May 31, 2012 at 01:51:43PM +0200, Peter Kaagman wrote:
I've tried several things to resolve this but with no result. One of which was running the perl code in a post-auth event. This resulted in something like 250 requests and the client not connecting.,
On the understanding (from above) that everything is working except your perl code that is not setting the VLAN correctly, you could try - 1. Remove everything related to the perl code, so the server authenticates users correctly, but no VLAN is set. 2. Add something like update reply { Tunnel-Type := 13 Tunnel-Medium-Type := 6 Tunnel-Private-Group-Id := 999 } to the outer post-auth section. 3. Verify that the server a) works, and b) sends the above attributes in the Access-Accept (check the debug output). 4. Only after all the above, replace the update reply {} with rlm_perl, and work on that. At this stage you know that setting the AVPs there works, so if it's broken it must be your perl code or rlm_perl settings :-) Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
-----Oorspronkelijk bericht----- Van: freeradius-users- bounces+p.kaagman=atlascollege.nl@lists.freeradius.org [mailto:freeradius-users- bounces+p.kaagman=atlascollege.nl@lists.freeradius.org] Namens Peter Kaagman Verzonden: donderdag 31 mei 2012 13:52 Aan: freeradius-users@lists.freeradius.org Onderwerp: rlm_perl added pairs disapear after eap authentication
Hi there list,
After getting (p)eap an mschap working I'm faced with the following problem: The client gets authenticated through mschap and receives an Access-Accept but the rlm_perl added pair which where added in request 0 are not send to the client. Resulting in a client ending up in the wrong vlan.
I've tried several things to resolve this but with no result. One of which was running the perl code in a post-auth event. This resulted in something like 250 requests and the client not connecting.,
Two things strike me as odd: - There is a warning about 2 auth-types - perl and eap - Why does the authorization run first? I would have thought authentication comes first.
Did some more debugging as you guys suggested... and sure enough there was an error. A messed up regex which caused the NAS to resend the request over and over.... solved... But it seems to be a bumpy road and ran into yet another problem: rlm_perl will not let me load modules. I found reference to this problem on the list in December 2009 in which Alan replied: ====quote===== Коньков Евгений wrote:
Can't load '/usr/local/lib/perl5/5.10.1/mach/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/local/lib/perl5/5.10.1/mach/auto/Data/Dumper/Dumper.so: Undefined symbol "PL_sv_undef" at /usr/local/lib/perl5/5.10.1/mach/XSLoader.pm line 70. at /usr/local/lib/perl5/5.10.1/mach/Data/Dumper.pm line 36
It turns out this is largely a bug in libltl. (Of course). We won't be able to address it directly in 2.1.8, but you should be able to do minor modifications to 2.1.8 that will fix it. ====end quote===== I'm using 2.1.10 and am getting : Can't load '/usr/local/lib/perl/5.14.2/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/local/lib/perl/5.14.2/auto/Data/Dumper/Dumper.so: undefined symbol: PL_charclass at /usr/share/perl/5.14/XSLoader.pm line 71. at /usr/local/lib/perl/5.14.2/Data/Dumper.pm line 36 whenever I try to use Data::Dumper, and Can't load '/usr/lib/perl5/auto/DBI/DBI.so' for module DBI: /usr/lib/perl5/auto/DBI/DBI.so: undefined symbol: PL_thr_key at /usr/lib/perl/5.14/DynaLoader.pm line 184. at /usr/lib/perl5/DBI.pm line 268 whenever I try to use DBI. Looking at het examples on the Wiki it seems other people do not experience the same problems. Any suggestions on how to get this working? Peter
On 06/01/2012 09:08 AM, Peter Kaagman wrote:
But it seems to be a bumpy road and ran into yet another problem: rlm_perl will not let me load modules.
I found reference to this problem on the list in December 2009 in which Alan replied:
Looking at het examples on the Wiki it seems other people do not experience the same problems. Any suggestions on how to get this working?
I forget the details but I know we patched our packages to fix this a while ago (2 years?). -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
participants (4)
-
Alan DeKok -
John Dennis -
Matthew Newton -
Peter Kaagman