Stripped-User-Name not set when using nostrip?
Júlíus Þór Bess Ríkharðsson wrote:
For some reason I cannot get Stripped-User-Name attribute to get populated when using nostrip for a realm. Is this normal behaviour or am I missing something?
That's how it works. If you don't strip the name, you don't get a stripped name.
I need the User-Name attribute unchanged for EAP but it gets stripped as expected when nostrip is unset.
Then set nostrip. What do you want it to do? You're talking about problems, not about goals. Alan DeKok.
On 03/07/13 16:24, Júlíus Þór Bess Ríkharðsson wrote:
Hi,
For some reason I cannot get Stripped-User-Name attribute to get populated when using nostrip for a realm. Is this normal behaviour or am I missing something?
Normal. "nostrip" means "don't populate Stripped-User-Name"
I need the User-Name attribute unchanged for EAP but it gets stripped as expected when nostrip is unset.
"strip" on the realm should not change User-Name; it just populates Stripped-User-Name. Also, your debug isn't EAP.
On 03/07/13 16:24, Júlíus Þór Bess Ríkharðsson wrote:
Hi,
For some reason I cannot get Stripped-User-Name attribute to get populated when using nostrip for a realm. Is this normal behaviour or am I missing something?
Normal. "nostrip" means "don't populate Stripped-User-Name"
Phil: When I unset nostrip the User-Name attribute gets stripped. So it made sense to me that nostrip would apply to User-Name but would still give the option of Stripped-User-Name. Alan: The goal is to be able to use EAP and still be able to authorize user using LDAP. The objects name is obviously not named realm\user. This is why I'm using nostrip: # You MUST also use the 'nostrip' option in the 'realm' # configuration. Otherwise, the User-Name attribute # in the proxied request will not match the user name # hidden inside of the EAP packet, and the end server will # reject the EAP request. # eap Does this not apply to virtual-servers?
I need the User-Name attribute unchanged for EAP but it gets stripped as expected when nostrip is unset.
"strip" on the realm should not change User-Name; it just populates Stripped-User-Name.
Also, your debug isn't EAP.
The behaviour is the same for EAP (just longer output :)), I don't get the option of Stripped-User-Name. And when I unset nostrip; User-Name gets stripped along with Stripped-User-Name being set and the tunnel doesn't work. Could it be because I'm using an older version? 2.1.12 Here is some EAP debug: nostrip: rad_recv: Access-Request packet from host 10.41.255.67 port 32769, id=82, length=260 User-Name = "umsja\\test.juliusbess" Calling-Station-Id = "00-24-d7-70-50-20" Called-Station-Id = "50-06-04-4b-8e-a0:wifitesting" NAS-Port = 1 Cisco-AVPair = "audit-session-id=0a29ff430000004d51d45b99" NAS-IP-Address = 10.41.255.67 NAS-Identifier = "testingwifi" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "666" EAP-Message = 0x0201001a01756d736a615c746573742e6a756c69757362657373 Message-Authenticator = 0xa37fbd1b7dd83f3241535949bca772eb # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop expand: %{Stripped-User-Name} -> ++[expand] returns noop [suffix] No '@' in User-Name = "umsja\test.juliusbess", skipping NULL due to config. ++[suffix] returns noop [ntdomain] Looking up realm "umsja" for User-Name = "umsja\test.juliusbess" [ntdomain] Found realm "umsja" [ntdomain] Adding Realm = "umsja" [ntdomain] Proxying request from user test.juliusbess to realm umsja [ntdomain] Preparing to proxy authentication request to realm "umsja" ++[ntdomain] returns updated expand: %{Stripped-User-Name} -> ++[expand] returns updated [eap] Request is supposed to be proxied to Realm umsja. Not doing EAP. ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> umsja\test.juliusbess [sql] sql_set_user escaped user --> 'umsja\test.juliusbess' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 [sql] User umsja\test.juliusbess not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty pre-proxy section. Using default return values.
Sending proxied request internally to virtual server. server innra.umsja.is-srv { # Executing section authorize from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 1 length 26 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[mschap-innra.umsja.is] returns noop [ldap-innra.umsja.is] performing user authorization for umsja\test.juliusbess [ldap-innra.umsja.is] expand: %{Stripped-User-Name} -> [ldap-innra.umsja.is] ... expanding second conditional [ldap-innra.umsja.is] expand: %{User-Name} -> umsja\5ctest.juliusbess [ldap-innra.umsja.is] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=umsja\5ctest.juliusbess) [ldap-innra.umsja.is] expand: DC=innra,DC=umsja,DC=is -> DC=innra,DC=umsja,DC=is [ldap-innra.umsja.is] ldap_get_conn: Checking Id: 0 [ldap-innra.umsja.is] ldap_get_conn: Got Id: 0 [ldap-innra.umsja.is] attempting LDAP reconnection [ldap-innra.umsja.is] (re)connect to innra.umsja.is:389, authentication 0 [ldap-innra.umsja.is] bind as sa.ldapFreeRadius@innra.umsja.is/tBdPLjjmnri3R1xX to innra.umsja.is:389 [ldap-innra.umsja.is] waiting for bind result ... [ldap-innra.umsja.is] Bind was successful [ldap-innra.umsja.is] performing search in DC=innra,DC=umsja,DC=is, with filter (sAMAccountName=umsja\5ctest.juliusbess) [ldap-innra.umsja.is] rebind to URL ldap://DomainDnsZones.innra.umsja.is/DC=DomainDnsZones,DC=innra,DC=umsja,DC=is [ldap-innra.umsja.is] rebind to URL ldap://ForestDnsZones.innra.umsja.is/DC=ForestDnsZones,DC=innra,DC=umsja,DC=is [ldap-innra.umsja.is] object not found [ldap-innra.umsja.is] search failed [ldap-innra.umsja.is] ldap_release_conn: Release Id: 0 ++[ldap-innra.umsja.is] returns notfound expand: %{control:Ldap-UserDN} -> ++[expand] returns notfound expand: %{User-Name} -> umsja\test.juliusbess ++[expand] returns notfound expand: %{Stripped-User-Name} -> ++[expand] returns notfound ++? if (control:Ldap-UserDN =~ /^.+,OU=Users,OU=([^,]+),/i) (Attribute control:Ldap-UserDN was not found) ? Evaluating (control:Ldap-UserDN =~ /^.+,OU=Users,OU=([^,]+),/i) -> FALSE ++? if (control:Ldap-UserDN =~ /^.+,OU=Users,OU=([^,]+),/i) -> FALSE ++? if (control:Jira-Key != "") (Attribute control:Jira-Key was not found) ? Evaluating (control:Jira-Key != "") -> FALSE ++? if (control:Jira-Key != "") -> FALSE ++? if (Huntgroup-Name == ppp-bidlarar) (Attribute Huntgroup-Name was not found) ? Evaluating (Huntgroup-Name == ppp-bidlarar) -> FALSE ++? if (Huntgroup-Name == ppp-bidlarar) -> FALSE ++? if (Huntgroup-Name == vpn-nas) (Attribute Huntgroup-Name was not found) ? Evaluating (Huntgroup-Name == vpn-nas) -> FALSE ++? if (Huntgroup-Name == vpn-nas) -> FALSE ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled } # server innra.umsja.is-srv Going to the next request <<< Received proxied response code 11 from internal virtual server. # Executing section post-proxy from file /etc/raddb/sites-enabled/default +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Sending Access-Challenge of id 82 to 10.41.255.67 port 32769 EAP-Message = 0x010200160410a5026a49f060c3baebfbfde6b36fa795 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6065b4846067b0f403817d959797c4d5 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.41.255.67 port 32769, id=83, length=258 User-Name = "umsja\\test.juliusbess" Calling-Station-Id = "00-24-d7-70-50-20" Called-Station-Id = "50-06-04-4b-8e-a0:wifitesting" NAS-Port = 1 Cisco-AVPair = "audit-session-id=0a29ff430000004d51d45b99" NAS-IP-Address = 10.41.255.67 NAS-Identifier = "testingwifi" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "666" EAP-Message = 0x020200060319 State = 0x6065b4846067b0f403817d959797c4d5 Message-Authenticator = 0xd374c237e2d7cd2841388bd697536132 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop expand: %{Stripped-User-Name} -> ++[expand] returns noop [suffix] No '@' in User-Name = "umsja\test.juliusbess", skipping NULL due to config. ++[suffix] returns noop [ntdomain] Looking up realm "umsja" for User-Name = "umsja\test.juliusbess" [ntdomain] Found realm "umsja" [ntdomain] Adding Realm = "umsja" [ntdomain] Proxying request from user test.juliusbess to realm umsja [ntdomain] Preparing to proxy authentication request to realm "umsja" ++[ntdomain] returns updated expand: %{Stripped-User-Name} -> ++[expand] returns updated [eap] Request is supposed to be proxied to Realm umsja. Not doing EAP. ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> umsja\test.juliusbess [sql] sql_set_user escaped user --> 'umsja\test.juliusbess' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 [sql] User umsja\test.juliusbess not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty pre-proxy section. Using default return values. Sending proxied request internally to virtual server. server innra.umsja.is-srv { # Executing section authorize from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[mschap-innra.umsja.is] returns noop [ldap-innra.umsja.is] performing user authorization for umsja\test.juliusbess [ldap-innra.umsja.is] expand: %{Stripped-User-Name} -> [ldap-innra.umsja.is] ... expanding second conditional [ldap-innra.umsja.is] expand: %{User-Name} -> umsja\5ctest.juliusbess [ldap-innra.umsja.is] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=umsja\5ctest.juliusbess) [ldap-innra.umsja.is] expand: DC=innra,DC=umsja,DC=is -> DC=innra,DC=umsja,DC=is [ldap-innra.umsja.is] ldap_get_conn: Checking Id: 0 [ldap-innra.umsja.is] ldap_get_conn: Got Id: 0 [ldap-innra.umsja.is] performing search in DC=innra,DC=umsja,DC=is, with filter (sAMAccountName=umsja\5ctest.juliusbess) [ldap-innra.umsja.is] rebind to URL ldap://DomainDnsZones.innra.umsja.is/DC=DomainDnsZones,DC=innra,DC=umsja,DC=is [ldap-innra.umsja.is] rebind to URL ldap://ForestDnsZones.innra.umsja.is/DC=ForestDnsZones,DC=innra,DC=umsja,DC=is [ldap-innra.umsja.is] object not found [ldap-innra.umsja.is] search failed [ldap-innra.umsja.is] ldap_release_conn: Release Id: 0 ++[ldap-innra.umsja.is] returns notfound expand: %{control:Ldap-UserDN} -> ++[expand] returns notfound expand: %{User-Name} -> umsja\test.juliusbess ++[expand] returns notfound expand: %{Stripped-User-Name} -> ++[expand] returns notfound ++? if (control:Ldap-UserDN =~ /^.+,OU=Users,OU=([^,]+),/i) (Attribute control:Ldap-UserDN was not found) ? Evaluating (control:Ldap-UserDN =~ /^.+,OU=Users,OU=([^,]+),/i) -> FALSE ++? if (control:Ldap-UserDN =~ /^.+,OU=Users,OU=([^,]+),/i) -> FALSE ++? if (control:Jira-Key != "") (Attribute control:Jira-Key was not found) ? Evaluating (control:Jira-Key != "") -> FALSE ++? if (control:Jira-Key != "") -> FALSE ++? if (Huntgroup-Name == ppp-bidlarar) (Attribute Huntgroup-Name was not found) ? Evaluating (Huntgroup-Name == ppp-bidlarar) -> FALSE ++? if (Huntgroup-Name == ppp-bidlarar) -> FALSE ++? if (Huntgroup-Name == vpn-nas) (Attribute Huntgroup-Name was not found) ? Evaluating (Huntgroup-Name == vpn-nas) -> FALSE ++? if (Huntgroup-Name == vpn-nas) -> FALSE ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled } # server innra.umsja.is-srv Going to the next request <<< Received proxied response code 11 from internal virtual server. # Executing section post-proxy from file /etc/raddb/sites-enabled/default +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Sending Access-Challenge of id 83 to 10.41.255.67 port 32769 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6065b4846166adf403817d959797c4d5 Finished request 1. Going to the next request Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 10.41.255.67 port 32769, id=83, length=258 Sending duplicate reply to client NYHB37WL01 port 32769 - ID: 83 Sending Access-Challenge of id 83 to 10.41.255.67 port 32769 Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 10.41.255.67 port 32769, id=84, length=483 User-Name = "umsja\\test.juliusbess" Calling-Station-Id = "00-24-d7-70-50-20" Called-Station-Id = "50-06-04-4b-8e-a0:wifitesting" NAS-Port = 1 Cisco-AVPair = "audit-session-id=0a29ff430000004d51d45b99" NAS-IP-Address = 10.41.255.67 NAS-Identifier = "testingwifi" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "666" EAP-Message = 0x020300e71980000000dd16030100d8010000d4030151d45b9b8ea5a170f5ee4f3c83bcd9b4758b2d45a5cce528c199964a795d9c7b000066c014c00ac022c0210039003800880087c00fc00500350084c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000045000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011000f000101 State = 0x6065b4846166adf403817d959797c4d5 Message-Authenticator = 0x175b35c4376365e6d76c4b2c51900a55 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop expand: %{Stripped-User-Name} -> ++[expand] returns noop [suffix] No '@' in User-Name = "umsja\test.juliusbess", skipping NULL due to config. ++[suffix] returns noop [ntdomain] Looking up realm "umsja" for User-Name = "umsja\test.juliusbess" [ntdomain] Found realm "umsja" [ntdomain] Adding Realm = "umsja" [ntdomain] Proxying request from user test.juliusbess to realm umsja [ntdomain] Preparing to proxy authentication request to realm "umsja" ++[ntdomain] returns updated expand: %{Stripped-User-Name} -> ++[expand] returns updated [eap] Request is supposed to be proxied to Realm umsja. Not doing EAP. ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> umsja\test.juliusbess [sql] sql_set_user escaped user --> 'umsja\test.juliusbess' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 [sql] User umsja\test.juliusbess not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty pre-proxy section. Using default return values. Sending proxied request internally to virtual server. server innra.umsja.is-srv { # Executing section authorize from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 3 length 231 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 221 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00d8], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server innra.umsja.is-srv Going to the next request <<< Received proxied response code 11 from internal virtual server. # Executing section post-proxy from file /etc/raddb/sites-enabled/default +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Sending Access-Challenge of id 84 to 10.41.255.67 port 32769 EAP-Message = 0x0104040019c000000ab416030100310200002d030151d45b9c184850a887e5477bc744c74bca76f04854d24d6125b80731ae5c2e07000039000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3133303230353137353230375a170d3133303430363137353230375a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c44f973e152169e754d1551dbafcf17a32d31fdcde44f4eb665447abb0ff3eb3b6c92fd8a25d6bdac49af3c31f62f21bf5bae90a65c9f9 EAP-Message = 0xf66ea69955b2cc54e551cd56186cecb3404fe8b9cda3d5cc6b9f31b6c5a2c675911fc945c4c132dedb62ee0b11d3bf067997bfeb56d26cb3c7d8b433cd46f66b04d3b66d06243ca170f13732291669635ff1fb8d2f7d4faa5559620ab6313bc7393adac4e1cd3503f003082c6f5b274a71a2df2574b4173b4d45e656d7995b2c0c98eac7ae1bdf0caef8bd6bdb84f8e052d11679a3aad54044af54c082e13029842bf2e32fcc1522dfb114ec9010924995dd0d2dae0ea9916d05b503f61a47c6e61ae0e8c7ac23b4550203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000382010100827f EAP-Message = 0xbea6631325bf6ec662a7c5f5678d832f5625dfb248c3966f875be18169ad30a99fd3fcaac6e8b10444b5766f46235295d86e7b676f1e23acb1b4d2937faeacb5d8fc357d4058d7cfdb92e36f27ae164b23a4b21ca69ef588a7d6897c7ac76557392c4f949c087d008296b534c7f87ef18408ac108918512ca9529cedf4cd7cef2f3ff7b488895abf44b75d47e6fa831c4463c41135e5aaf1ebe69655662df39c2fdbf529b8976c9f243a6f963f2b725a6507211184859b35071a30fdfcea10bed6bd8d33afaf96c7af52b55c69eb87126a601593594f9f7fdb73d7bbfd4aa018146c999e12ad1408df3b75ab77a597deec17346336bc3d3db143d3bc71 EAP-Message = 0x520004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6065b4846261adf403817d959797c4d5 Finished request 2. Going to the next request Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 10.41.255.67 port 32769, id=85, length=258 User-Name = "umsja\\test.juliusbess" Calling-Station-Id = "00-24-d7-70-50-20" Called-Station-Id = "50-06-04-4b-8e-a0:wifitesting" NAS-Port = 1 Cisco-AVPair = "audit-session-id=0a29ff430000004d51d45b99" NAS-IP-Address = 10.41.255.67 NAS-Identifier = "testingwifi" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "666" EAP-Message = 0x020400061900 State = 0x6065b4846261adf403817d959797c4d5 Message-Authenticator = 0x2f16decf6ee8a530cf750b9b6af28bf5 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop expand: %{Stripped-User-Name} -> ++[expand] returns noop [suffix] No '@' in User-Name = "umsja\test.juliusbess", skipping NULL due to config. ++[suffix] returns noop [ntdomain] Looking up realm "umsja" for User-Name = "umsja\test.juliusbess" [ntdomain] Found realm "umsja" [ntdomain] Adding Realm = "umsja" [ntdomain] Proxying request from user test.juliusbess to realm umsja [ntdomain] Preparing to proxy authentication request to realm "umsja" ++[ntdomain] returns updated expand: %{Stripped-User-Name} -> ++[expand] returns updated [eap] Request is supposed to be proxied to Realm umsja. Not doing EAP. ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> umsja\test.juliusbess [sql] sql_set_user escaped user --> 'umsja\test.juliusbess' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 [sql] User umsja\test.juliusbess not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty pre-proxy section. Using default return values. Sending proxied request internally to virtual server. server innra.umsja.is-srv { # Executing section authorize from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server innra.umsja.is-srv Going to the next request <<< Received proxied response code 11 from internal virtual server. # Executing section post-proxy from file /etc/raddb/sites-enabled/default +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Sending Access-Challenge of id 85 to 10.41.255.67 port 32769 EAP-Message = 0x010503fc1940a00302010202090091e449f032dbca25300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3133303230353137353230375a170d3133303430363137353230375a308193310b3009060355040613024652310f300d0603550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100a9cb9aa591e70f815330e7b69ad3537bea2b4559f2c67db55f225521ebdf68f6dc62a2012b96fd565add3dc95cb11d6c5a65e57be153ab37304564872e34ce043d5a04b0b534238bf2688d399f200b16969f4deb2a6434d5c5d0ec0976a93e0007d87edf99bf5da3 EAP-Message = 0x969b21f1a9c091e940c1f7e9652f5dc3c08a794e725b4b16549581c4e9ca702a92d9c4956a071de3557c7db7a1289e0e6c6ed133e5ed8043e1e43a2c0d037e9eea8a36eeb5b0c51fd64471dc1508d1495d55d3d3ac01e8856b1dd9cfe22f466b4246ff3251339856857165ebfc65a3bb763621e701d08cee56480f14cd7f53064a7cd8e6acd3bbf6848d8ee9c17f93cc232662583d098f3d0203010001a381fb3081f8301d0603551d0e04160414a569118904c5768fcddd8a86bab54a3259d0dc153081c80603551d230481c03081bd8014a569118904c5768fcddd8a86bab54a3259d0dc15a18199a48196308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747982090091e449f032dbca25300c0603551d13040530030101ff300d06092a864886f70d010105050003820101002a3c28567d3c00b884a0bd7c4c0bb321e9998d81a6a060c63c6d79b75edd8bbf249181857fac9da549c29e16ec9abca5ac206741b02dd6cc16760a209cd8c7f31daae8c41cf09cabbb30a9 EAP-Message = 0x023ee13376b0353f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6065b4846360adf403817d959797c4d5 Finished request 3. Going to the next request Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 10.41.255.67 port 32769, id=86, length=258 User-Name = "umsja\\test.juliusbess" Calling-Station-Id = "00-24-d7-70-50-20" Called-Station-Id = "50-06-04-4b-8e-a0:wifitesting" NAS-Port = 1 Cisco-AVPair = "audit-session-id=0a29ff430000004d51d45b99" NAS-IP-Address = 10.41.255.67 NAS-Identifier = "testingwifi" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "666" EAP-Message = 0x020500061900 State = 0x6065b4846360adf403817d959797c4d5 Message-Authenticator = 0x405552f437fefb9e48fc0be764658d63 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop expand: %{Stripped-User-Name} -> ++[expand] returns noop [suffix] No '@' in User-Name = "umsja\test.juliusbess", skipping NULL due to config. ++[suffix] returns noop [ntdomain] Looking up realm "umsja" for User-Name = "umsja\test.juliusbess" [ntdomain] Found realm "umsja" [ntdomain] Adding Realm = "umsja" [ntdomain] Proxying request from user test.juliusbess to realm umsja [ntdomain] Preparing to proxy authentication request to realm "umsja" ++[ntdomain] returns updated expand: %{Stripped-User-Name} -> ++[expand] returns updated [eap] Request is supposed to be proxied to Realm umsja. Not doing EAP. ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> umsja\test.juliusbess [sql] sql_set_user escaped user --> 'umsja\test.juliusbess' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY priority rlm_sql (sql): Released sql socket id: 0 [sql] User umsja\test.juliusbess not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty pre-proxy section. Using default return values. Sending proxied request internally to virtual server. server innra.umsja.is-srv { # Executing section authorize from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server innra.umsja.is-srv Going to the next request <<< Received proxied response code 11 from internal virtual server. # Executing section post-proxy from file /etc/raddb/sites-enabled/default +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Sending Access-Challenge of id 86 to 10.41.255.67 port 32769 EAP-Message = 0x010602ce1900e06a92fd0b11ec061b21cda20a251c0711213bb7f98b5854f7d46c43be508c3f98b49d49e5992c6aa1f9c8ba4275ecd80c887164459c5490168ecae752bbff570ef2c6c51c58a4b1bc79aa43d90cce8dfe5855e4b22fcf934c93b6881f8608095107210412734ca8a305e78bfe10630b6ea64e2f710ded00edced92cdfe5d6c15e51fbbfdd32a35adaec3af42d77baf4a6b31f6e864275810afe0b5c7b8320e57f5f296fb65c225525948113e9160301020d0c0002090080f686f0066adbbed114d1c7eb3001393f511e48c91fa964a33d9c19ab5a3e2b10659d5af6d2488a3ef6255780a19f0bb7cdcef8999513e6f37295e3872e37a0 EAP-Message = 0x90586461519bef31171a6576187f9276fbc188a4cff6b6ac03c6cd397e3b059b7d4c58243245bbc43fcc37b0eefb9e40aebf1745d9685ce062c61aa64bd20d0df300010200800fb917ffb1c630a802e5091e6f9064a84a8096dc023d97ace122635d8fd3edda13a2ea1429351a809059bbe826388cb6d830d953935530e26d67110f08842c7b083b6a3ff5a664d2897483ee916b2db17d0a2bb54f15c7e57600784a7732e3a64ff5780b07d82c50b8e47589ffa6eda76aa047a1b611b577ec2b93c4c85f051901002e402353171f096353370c893e5a8961d76706f1f5566beb10495de71e82d259a8cc4cfbfc26faed4022ce8c088c0989f2a07e5156 EAP-Message = 0x55b7886210a8034f93ce89215272efa85a016cca311b9f265c0c15136ed9a8f341c0bb78bdb38ffd7c02762f8294b7b5d2a7d4085c1b947e06f38d000b8f6a385ceb46597758e5f2c3c9c76ebb0c9bb9885c3e02a0b54bca14f7fa4d016758524a993d18e1237bab6163321e34956ee345512247edcce69600f75bade260015dbe05a591d3859e853eaa5465c5a27e68e979a1ed2d9eed096a889f0e4607b6677b16fa07bd4b02ffb12c9595f62547e496431f1d903269b54d0b4780277779d1de8299c79d9f73bc18bcb616030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6065b4846463adf403817d959797c4d5 Finished request 4. Going to the next request Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 10.41.255.67 port 32769, id=87, length=460 User-Name = "umsja\\test.juliusbess" Calling-Station-Id = "00-24-d7-70-50-20" Called-Station-Id = "50-06-04-4b-8e-a0:wifitesting" NAS-Port = 1 Cisco-AVPair = "audit-session-id=0a29ff430000004d51d45b99" NAS-IP-Address = 10.41.255.67 NAS-Identifier = "testingwifi" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "666" EAP-Message = 0x020600d01980000000c616030100861000008200808f70361600e6884b8b880628fdf7934e73c76e9d4529b3097098c3ab1ea7f11cf81bc2a42b66daef7945d1ba3f2dd381f67a6b8e0c20fdef3f2da061e6f9c92e1ac342513f802722437170545dd218d3b4012a4465e418bf41a4a53ea2d8c8b84fdf2bb3dbf1b17e62acfc94e9dc6bbf08c7659a73e622a089f5617bca54d94914030100010116030100304ab49873224a31a202761cce95d224bb7878f8f7a99ef683eb69842ffbf11feede537e4f4b307b13856187a1c120af81 State = 0x6065b4846463adf403817d959797c4d5 Message-Authenticator = 0xe18e3dae1a2336df0bc743acc319e194 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop expand: %{Stripped-User-Name} -> ++[expand] returns noop [suffix] No '@' in User-Name = "umsja\test.juliusbess", skipping NULL due to config. ++[suffix] returns noop [ntdomain] Looking up realm "umsja" for User-Name = "umsja\test.juliusbess" [ntdomain] Found realm "umsja" [ntdomain] Adding Realm = "umsja" [ntdomain] Proxying request from user test.juliusbess to realm umsja [ntdomain] Preparing to proxy authentication request to realm "umsja" ++[ntdomain] returns updated expand: %{Stripped-User-Name} -> ++[expand] returns updated [eap] Request is supposed to be proxied to Realm umsja. Not doing EAP. ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> umsja\test.juliusbess [sql] sql_set_user escaped user --> 'umsja\test.juliusbess' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 [sql] User umsja\test.juliusbess not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty pre-proxy section. Using default return values. Sending proxied request internally to virtual server. server innra.umsja.is-srv { # Executing section authorize from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 6 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server innra.umsja.is-srv Going to the next request <<< Received proxied response code 11 from internal virtual server. # Executing section post-proxy from file /etc/raddb/sites-enabled/default +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Sending Access-Challenge of id 87 to 10.41.255.67 port 32769 EAP-Message = 0x010700411900140301000101160301003017e6caef5b9b7254a4725c893be7b4d5361f4ff9aadbee5f333bfaefeef6f575b310e22fab5294313091245ae175d2fe Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6065b4846562adf403817d959797c4d5 Finished request 5. Going to the next request Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 10.41.255.67 port 32769, id=88, length=258 User-Name = "umsja\\test.juliusbess" Calling-Station-Id = "00-24-d7-70-50-20" Called-Station-Id = "50-06-04-4b-8e-a0:wifitesting" NAS-Port = 1 Cisco-AVPair = "audit-session-id=0a29ff430000004d51d45b99" NAS-IP-Address = 10.41.255.67 NAS-Identifier = "testingwifi" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "666" EAP-Message = 0x020700061900 State = 0x6065b4846562adf403817d959797c4d5 Message-Authenticator = 0xc0d4ea52ec3e687fe443fa366f41aaeb # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop expand: %{Stripped-User-Name} -> ++[expand] returns noop [suffix] No '@' in User-Name = "umsja\test.juliusbess", skipping NULL due to config. ++[suffix] returns noop [ntdomain] Looking up realm "umsja" for User-Name = "umsja\test.juliusbess" [ntdomain] Found realm "umsja" [ntdomain] Adding Realm = "umsja" [ntdomain] Proxying request from user test.juliusbess to realm umsja [ntdomain] Preparing to proxy authentication request to realm "umsja" ++[ntdomain] returns updated expand: %{Stripped-User-Name} -> ++[expand] returns updated [eap] Request is supposed to be proxied to Realm umsja. Not doing EAP. ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> umsja\test.juliusbess [sql] sql_set_user escaped user --> 'umsja\test.juliusbess' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 [sql] User umsja\test.juliusbess not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty pre-proxy section. Using default return values. Sending proxied request internally to virtual server. server innra.umsja.is-srv { # Executing section authorize from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled } # server innra.umsja.is-srv Going to the next request <<< Received proxied response code 11 from internal virtual server. # Executing section post-proxy from file /etc/raddb/sites-enabled/default +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Sending Access-Challenge of id 88 to 10.41.255.67 port 32769 EAP-Message = 0x0108002b19001703010020772c222c1fce326b0af116e8327332c0da551ea836590b36734191b014a5f1f6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6065b484666dadf403817d959797c4d5 Finished request 6. Going to the next request Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 10.41.255.67 port 32769, id=89, length=348 User-Name = "umsja\\test.juliusbess" Calling-Station-Id = "00-24-d7-70-50-20" Called-Station-Id = "50-06-04-4b-8e-a0:wifitesting" NAS-Port = 1 Cisco-AVPair = "audit-session-id=0a29ff430000004d51d45b99" NAS-IP-Address = 10.41.255.67 NAS-Identifier = "testingwifi" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "666" EAP-Message = 0x0208006019001703010020bdfdff1470deb7f66018b90902da81491022ccfd403f062ed2841871543804b21703010030305696bfe3ca602b71ba4832195b21b5357b5e9978c2e77b49e51a85fc009ca210771f1349e1d92a0523f01aee54d3a3 State = 0x6065b484666dadf403817d959797c4d5 Message-Authenticator = 0x3f1ef4e25d5c0fe2b0b7f2202a442876 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop expand: %{Stripped-User-Name} -> ++[expand] returns noop [suffix] No '@' in User-Name = "umsja\test.juliusbess", skipping NULL due to config. ++[suffix] returns noop [ntdomain] Looking up realm "umsja" for User-Name = "umsja\test.juliusbess" [ntdomain] Found realm "umsja" [ntdomain] Adding Realm = "umsja" [ntdomain] Proxying request from user test.juliusbess to realm umsja [ntdomain] Preparing to proxy authentication request to realm "umsja" ++[ntdomain] returns updated expand: %{Stripped-User-Name} -> ++[expand] returns updated [eap] Request is supposed to be proxied to Realm umsja. Not doing EAP. ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> umsja\test.juliusbess [sql] sql_set_user escaped user --> 'umsja\test.juliusbess' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 [sql] User umsja\test.juliusbess not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty pre-proxy section. Using default return values. Sending proxied request internally to virtual server. server innra.umsja.is-srv { # Executing section authorize from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 8 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - umsja\test.juliusbess [peap] Got inner identity 'umsja\test.juliusbess' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0208001a01756d736a615c746573742e6a756c69757362657373 server innra.umsja.is-srv { [peap] Setting User-Name to umsja\test.juliusbess Sending tunneled request EAP-Message = 0x0208001a01756d736a615c746573742e6a756c69757362657373 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "umsja\\test.juliusbess" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++? if (Realm == "innra.umsja.is" || "umsja") (Attribute Realm was not found) ? Evaluating (Realm == "innra.umsja.is" ) -> FALSE ? Evaluating ("umsja") -> TRUE ++? if (Realm == "innra.umsja.is" || "umsja") -> TRUE ++- entering if (Realm == "innra.umsja.is" || "umsja") {...} +++[mschap-innra.umsja.is] returns noop [ldap-innra.umsja.is] performing user authorization for umsja\test.juliusbess [ldap-innra.umsja.is] expand: %{Stripped-User-Name} -> [ldap-innra.umsja.is] ... expanding second conditional [ldap-innra.umsja.is] expand: %{User-Name} -> umsja\5ctest.juliusbess [ldap-innra.umsja.is] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=umsja\5ctest.juliusbess) [ldap-innra.umsja.is] expand: DC=innra,DC=umsja,DC=is -> DC=innra,DC=umsja,DC=is [ldap-innra.umsja.is] ldap_get_conn: Checking Id: 0 [ldap-innra.umsja.is] ldap_get_conn: Got Id: 0 [ldap-innra.umsja.is] performing search in DC=innra,DC=umsja,DC=is, with filter (sAMAccountName=umsja\5ctest.juliusbess) [ldap-innra.umsja.is] rebind to URL ldap://DomainDnsZones.innra.umsja.is/DC=DomainDnsZones,DC=innra,DC=umsja,DC=is [ldap-innra.umsja.is] rebind to URL ldap://ForestDnsZones.innra.umsja.is/DC=ForestDnsZones,DC=innra,DC=umsja,DC=is [ldap-innra.umsja.is] object not found [ldap-innra.umsja.is] search failed [ldap-innra.umsja.is] ldap_release_conn: Release Id: 0 +++[ldap-innra.umsja.is] returns notfound expand: %{Stripped-User-Name} -> +++[expand] returns notfound +++? if (outer.control:ldap-innra.umsja.is-Ldap-Group == "%{outer.control:Tmp-String-0}-WiFi-Allow") expand: %{outer.control:Tmp-String-0}-WiFi-Allow -> -WiFi-Allow (Attribute outer.control:ldap-innra.umsja.is-Ldap-Group was not found) ? Evaluating (outer.control:ldap-innra.umsja.is-Ldap-Group == "%{outer.control:Tmp-String-0}-WiFi-Allow") -> FALSE +++? if (outer.control:ldap-innra.umsja.is-Ldap-Group == "%{outer.control:Tmp-String-0}-WiFi-Allow") -> FALSE ++- if (Realm == "innra.umsja.is" || "umsja") returns notfound ++ ... skipping else for request 7: Preceding "if" was taken [suffix] No '@' in User-Name = "umsja\test.juliusbess", skipping NULL due to config. ++[suffix] returns noop [ntdomain] Looking up realm "umsja" for User-Name = "umsja\test.juliusbess" [ntdomain] Found realm "umsja" [ntdomain] Adding Realm = "umsja" [ntdomain] Proxying request from user test.juliusbess to realm umsja [ntdomain] Preparing to proxy authentication request to realm "umsja" ++[ntdomain] returns updated ++[control] returns updated [eap] EAP packet type response id 8 length 26 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Multiple levels of TLS nesting is invalid. [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled } # server innra.umsja.is-srv Going to the next request <<< Received proxied response code 11 from internal virtual server. # Executing section post-proxy from file /etc/raddb/sites-enabled/default +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Sending Access-Challenge of id 89 to 10.41.255.67 port 32769 EAP-Message = 0x0109002b19001703010020f20d45942f22ed3fa167e5585a2fa95db6fe991859bdb5f43d9495fdd4d899e9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6065b484676cadf403817d959797c4d5 Finished request 7. Going to the next request Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 10.41.255.67 port 32769, id=90, length=332 User-Name = "umsja\\test.juliusbess" Calling-Station-Id = "00-24-d7-70-50-20" Called-Station-Id = "50-06-04-4b-8e-a0:wifitesting" NAS-Port = 1 Cisco-AVPair = "audit-session-id=0a29ff430000004d51d45b99" NAS-IP-Address = 10.41.255.67 NAS-Identifier = "testingwifi" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "666" EAP-Message = 0x0209005019001703010020f14d195b0edd328bcdc520e9f77e7303eae5cb2ea0496db5b804a3f17d0f2a3717030100207865dafd65dce078abc49fcb221a8727501b4ed9a3d1aebfb9fa7a73ba3f7643 State = 0x6065b484676cadf403817d959797c4d5 Message-Authenticator = 0x9dc5ed031427a9e0a4c23499bb0aa25e # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop expand: %{Stripped-User-Name} -> ++[expand] returns noop [suffix] No '@' in User-Name = "umsja\test.juliusbess", skipping NULL due to config. ++[suffix] returns noop [ntdomain] Looking up realm "umsja" for User-Name = "umsja\test.juliusbess" [ntdomain] Found realm "umsja" [ntdomain] Adding Realm = "umsja" [ntdomain] Proxying request from user test.juliusbess to realm umsja [ntdomain] Preparing to proxy authentication request to realm "umsja" ++[ntdomain] returns updated expand: %{Stripped-User-Name} -> ++[expand] returns updated [eap] Request is supposed to be proxied to Realm umsja. Not doing EAP. ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> umsja\test.juliusbess [sql] sql_set_user escaped user --> 'umsja\test.juliusbess' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 [sql] User umsja\test.juliusbess not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty pre-proxy section. Using default return values. Sending proxied request internally to virtual server. server innra.umsja.is-srv { # Executing section authorize from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 9 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server innra.umsja.is-srv Going to the next request <<< Received proxied response code 3 from internal virtual server. # Executing section post-proxy from file /etc/raddb/sites-enabled/default +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> umsja\test.juliusbess attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 90 to 10.41.255.67 port 32769 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1.9 seconds.
############################################################### ############################################################### Without nostrip: rad_recv: Access-Request packet from host 10.41.255.67 port 32769, id=81, length=260 User-Name = "umsja\\test.juliusbess" Calling-Station-Id = "00-24-d7-70-50-20" Called-Station-Id = "50-06-04-4b-8e-a0:wifitesting" NAS-Port = 1 Cisco-AVPair = "audit-session-id=0a29ff430000004c51d45858" NAS-IP-Address = 10.41.255.67 NAS-Identifier = "testingwifi" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "666" EAP-Message = 0x0201001a01756d736a615c746573742e6a756c69757362657373 Message-Authenticator = 0xbf9b0ad3aaaaa4fbb3b96a2a6d61b6f8 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop expand: %{Stripped-User-Name} -> ++[expand] returns noop [suffix] No '@' in User-Name = "umsja\test.juliusbess", skipping NULL due to config. ++[suffix] returns noop [ntdomain] Looking up realm "umsja" for User-Name = "umsja\test.juliusbess" [ntdomain] Found realm "umsja" [ntdomain] Adding Stripped-User-Name = "test.juliusbess" [ntdomain] Adding Realm = "umsja" [ntdomain] Proxying request from user test.juliusbess to realm umsja [ntdomain] Preparing to proxy authentication request to realm "umsja" ++[ntdomain] returns updated expand: %{Stripped-User-Name} -> test.juliusbess ++[expand] returns updated [eap] Request is supposed to be proxied to Realm umsja. Not doing EAP. ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> umsja\test.juliusbess [sql] sql_set_user escaped user --> 'umsja\test.juliusbess' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'umsja=5Ctest.juliusbess' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 [sql] User umsja\test.juliusbess not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty pre-proxy section. Using default return values.
Sending proxied request internally to virtual server. server innra.umsja.is-srv { # Executing section authorize from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 1 length 26 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[mschap-innra.umsja.is] returns noop [ldap-innra.umsja.is] performing user authorization for test.juliusbess [ldap-innra.umsja.is] expand: %{Stripped-User-Name} -> test.juliusbess [ldap-innra.umsja.is] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=test.juliusbess) [ldap-innra.umsja.is] expand: DC=innra,DC=umsja,DC=is -> DC=innra,DC=umsja,DC=is [ldap-innra.umsja.is] ldap_get_conn: Checking Id: 0 [ldap-innra.umsja.is] ldap_get_conn: Got Id: 0 [ldap-innra.umsja.is] performing search in DC=innra,DC=umsja,DC=is, with filter (sAMAccountName=test.juliusbess) [ldap-innra.umsja.is] rebind to URL ldap://ForestDnsZones.innra.umsja.is/DC=ForestDnsZones,DC=innra,DC=umsja,DC=is [ldap-innra.umsja.is] rebind to URL ldap://DomainDnsZones.innra.umsja.is/DC=DomainDnsZones,DC=innra,DC=umsja,DC=is [ldap-innra.umsja.is] looking for check items in directory... [ldap-innra.umsja.is] extensionAttribute10 -> Jira-Key == "MEF" [ldap-innra.umsja.is] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap-innra.umsja.is] user test.juliusbess authorized to use remote access [ldap-innra.umsja.is] ldap_release_conn: Release Id: 0 ++[ldap-innra.umsja.is] returns ok expand: %{control:Ldap-UserDN} -> CN=Júlíus �?ór Bess - Test,OU=Test Accounts,OU=Users,OU=NYH,OU=Nyherji Group,DC=innra,DC=umsja,DC=is ++[expand] returns ok expand: %{User-Name} -> test.juliusbess <<<--------------- ++[expand] returns ok expand: %{Stripped-User-Name} -> test.juliusbess <<<--------------- ++[expand] returns ok ++? if (control:Ldap-UserDN =~ /^.+,OU=Users,OU=([^,]+),/i) ? Evaluating (control:Ldap-UserDN =~ /^.+,OU=Users,OU=([^,]+),/i) -> TRUE ++? if (control:Ldap-UserDN =~ /^.+,OU=Users,OU=([^,]+),/i) -> TRUE ++- entering if (control:Ldap-UserDN =~ /^.+,OU=Users,OU=([^,]+),/i) {...} expand: %{1} -> NYH +++[control] returns ok expand: %{control:Tmp-String-0} -> NYH +++[expand] returns ok ++- if (control:Ldap-UserDN =~ /^.+,OU=Users,OU=([^,]+),/i) returns ok ++? if (control:Jira-Key != "") ? Evaluating (control:Jira-Key != "") -> TRUE ++? if (control:Jira-Key != "") -> TRUE ++- entering if (control:Jira-Key != "") {...} expand: %{control:Jira-Key} -> MEF +++[expand] returns ok ++- if (control:Jira-Key != "") returns ok ++? if (Huntgroup-Name == ppp-bidlarar) (Attribute Huntgroup-Name was not found) ? Evaluating (Huntgroup-Name == ppp-bidlarar) -> FALSE ++? if (Huntgroup-Name == ppp-bidlarar) -> FALSE ++? if (Huntgroup-Name == vpn-nas) (Attribute Huntgroup-Name was not found) ? Evaluating (Huntgroup-Name == vpn-nas) -> FALSE ++? if (Huntgroup-Name == vpn-nas) -> FALSE ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/innra.umsja.is +- entering group authenticate {...} [eap] Identity does not match User-Name, setting from EAP Identity. <<<---- without nostrip [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. } # server innra.umsja.is-srv Going to the next request <<< Received proxied response code 3 from internal virtual server. # Executing section post-proxy from file /etc/raddb/sites-enabled/default +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> umsja\test.juliusbess attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 81 to 10.41.255.67 port 32769 Waking up in 4.9 seconds. Cleaning up request 2 ID 81 with timestamp +76 Ready to process requests.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Júlíus Þór Bess Ríkharðsson wrote:
Alan: The goal is to be able to use EAP and still be able to authorize user using LDAP. The objects name is obviously not named realm\user.
Yes. Plenty of other people get this to work.
The behaviour is the same for EAP (just longer output :)), I don't get the option of Stripped-User-Name. And when I unset nostrip; User-Name gets stripped along with Stripped-User-Name being set and the tunnel doesn't work.
You've set the request to be proxied. Why? What's wrong with just processing the request in the inner-tunnel virtual server? i.e. configure raddb/sites-available/inner-tunnel to do LDAP lookups for the user. If you're not sure how the server works, you shouldn't be creating a complicated configuration.
[ldap-innra.umsja.is] performing search in DC=innra,DC=umsja,DC=is, with filter (sAMAccountName=umsja\5ctest.juliusbess) [ldap-innra.umsja.is] rebind to URL ldap://DomainDnsZones.innra.umsja.is/DC=DomainDnsZones,DC=innra,DC=umsja,DC=is [ldap-innra.umsja.is] rebind to URL ldap://ForestDnsZones.innra.umsja.is/DC=ForestDnsZones,DC=innra,DC=umsja,DC=is [ldap-innra.umsja.is] object not found [ldap-innra.umsja.is] search failed
So... what is hard to understand about that?
Without nostrip:
[ldap-innra.umsja.is] performing search in DC=innra,DC=umsja,DC=is, with filter (sAMAccountName=test.juliusbess) [ldap-innra.umsja.is] rebind to URL ldap://ForestDnsZones.innra.umsja.is/DC=ForestDnsZones,DC=innra,DC=umsja,DC=is [ldap-innra.umsja.is] rebind to URL ldap://DomainDnsZones.innra.umsja.is/DC=DomainDnsZones,DC=innra,DC=umsja,DC=is [ldap-innra.umsja.is] looking for check items in directory... [ldap-innra.umsja.is] extensionAttribute10 -> Jira-Key == "MEF" [ldap-innra.umsja.is] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
And that should be useful, too. You've butchered the default configuration. Why? Just... why? - stsrt with the default configuration - ensure that LDAP works for non-EAP - ensure that LDAP works with the inner-tunnel use v2.2.0 for this. Really. Read raddb/sites-available/inner-tunnel - configure the realm as a LOCAL realm. - it WILL WORK. Whatever you've done is four times the work, more complicated, and fragile. And the LDAP lookups aren't working at *all*. So even if you fix the EAP / User-Name issue, the system STILL won't work. Alan DeKok.
On 03/07/2013 18:17, Júlíus Þór Bess Ríkharðsson wrote:
On 03/07/13 16:24, Júlíus Þór Bess Ríkharðsson wrote:
Hi,
For some reason I cannot get Stripped-User-Name attribute to get populated when using nostrip for a realm. Is this normal behaviour or am I missing something?
Normal. "nostrip" means "don't populate Stripped-User-Name"
Phil: When I unset nostrip the User-Name attribute gets stripped. So it made sense to me that nostrip would apply to User-Name but would still give the option of Stripped-User-Name.
I don't understand this. The source code is pretty clear: https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_... The "User-Name" attribute isn't touched; a new Stripped-User-Name attribute is used. As I said, request->username is updated, but I'm pretty sure nothing much uses this; I'm sure the EAP "identity == username" check doesn't: https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_... ...explicitly compares to User-Name, not Stripped-User-Name. Have you actually *tried* this, because it should work. If it doesn't, it's likely a problem in your local config.
Phil Mayers wrote:
Have you actually *tried* this, because it should work. If it doesn't, it's likely a problem in your local config.
He's *proxying* the request after stripping the User-Name. That's the immediate source of the issue. If he had just used the default config, it wouldn't be an issue. And his LDAP lookups don't return anything. So even fixing the proxying issues won't help. That has to be fixed, too. Alan DeKok.
Júlíus Þór Bess Ríkharðsson wrote:
I'm not sure why you say that my LDAP is not working because in the second debug output you can see that I find the object and use it's DN and also extract an attribute from the object. There is no known good password however because AD doesn't store clear-text passwords.
Then you're not really using an LDAP server. See my web page for instructions on getting FreeRADIUS to work with AD: http://deployingradius.com/documents/configuration/active_directory.html
I made this setup so that I could keep things separated. I wanted everything for that domain to be handled in it's own virtual-server. I thought that was your idea? Am I misunderstanding virtual-servers?
No. But you're PROXYING the tunneled request. Why? The "inner-tunnel" virtual server already handles the tunneled request.
So... is the conclusion that; this is the behaviour of User-Name when proxied?
Follow the instructions in my previous message. DON'T proxy the inner tunnel data. It's that easy. You're ignoring my instructions. You're asking irrelevant questions. You can try to figure out *why* it's going wrong. Or, you can follow instructions and have it work. Which one do you prefer? Alan DeKok.
participants (3)
-
Alan DeKok -
Júlíus Þór Bess Ríkharðsson -
Phil Mayers