FW: "authentication" sub in perl
Ok, openSLL is installed on my server. No more issue on EAP. However, my debug line in sub authenticate still is not being called: #example.pl # Function to handle authorize sub authorize { print "TEST-authorize: username=$RAD_REQUEST{'User-Name'}\n"; # For debugging purposes only # &log_request_attributes; # Here's where your authorization code comes # You can call another function from here: &test_call; return RLM_MODULE_OK; } # Function to handle authenticate sub authenticate { print "TEST-authenticate\n"; # For debugging purposes only # &log_request_attributes; if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) { # Reject user and tell him why $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function"; return RLM_MODULE_REJECT; } else { # Accept user and set some attribute $RAD_REPLY{'h323-credit-amount'} = "100"; return RLM_MODULE_OK; } } and here is the debug: Cleaning up request 9 ID 9 with timestamp +7 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.31 port 50071, id=19, length=169 User-Name = "abc" NAS-IP-Address = 10.0.0.31 NAS-Identifier = "belair" NAS-Port = 0 Called-Station-Id = "00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x" Calling-Station-Id = "5C-59-48-F0-34-8B" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000801616263 Message-Authenticator = 0xb952dcdfcec1e39a79c029ccdc94c2ca +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "abc", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [sql] expand: %{User-Name} -> abc [sql] sql_set_user escaped user --> 'abc' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'abc' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'abc' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 [sql] User abc not found ++[sql] returns notfound TEST-authorize: username=abc rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Calling-Station-Id = 5C-59-48-F0-34-8B rlm_perl: Added pair Called-Station-Id = 00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x rlm_perl: Added pair Message-Authenticator = 0xb952dcdfcec1e39a79c029ccdc94c2ca rlm_perl: Added pair User-Name = abc rlm_perl: Added pair NAS-Identifier = belair rlm_perl: Added pair EAP-Message = 0x0200000801616263 rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-IP-Address = 10.0.0.31 rlm_perl: Added pair NAS-Port = 0 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 19 to 10.0.0.31 port 50071 EAP-Message = 0x0101001604108bc56309ea2103957c2aee6450696f68 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2c81558c2c8051de6687486c2848c067 Finished request 10. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.31 port 50071, id=20, length=185 User-Name = "abc" NAS-IP-Address = 10.0.0.31 NAS-Identifier = "belair" NAS-Port = 0 Called-Station-Id = "00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x" Calling-Station-Id = "5C-59-48-F0-34-8B" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100060319 State = 0x2c81558c2c8051de6687486c2848c067 Message-Authenticator = 0x959b11a51401f767f5b52bc58298d730 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "abc", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [sql] expand: %{User-Name} -> abc [sql] sql_set_user escaped user --> 'abc' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'abc' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'abc' ORDER BY priority rlm_sql (sql): Released sql socket id: 0 [sql] User abc not found ++[sql] returns notfound TEST-authorize: username=abc rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair State = 0x2c81558c2c8051de6687486c2848c067 rlm_perl: Added pair Calling-Station-Id = 5C-59-48-F0-34-8B rlm_perl: Added pair Called-Station-Id = 00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x rlm_perl: Added pair Message-Authenticator = 0x959b11a51401f767f5b52bc58298d730 rlm_perl: Added pair User-Name = abc rlm_perl: Added pair NAS-Identifier = belair rlm_perl: Added pair EAP-Message = 0x020100060319 rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b rlm_perl: Added pair EAP-Type = NAK rlm_perl: Added pair NAS-IP-Address = 10.0.0.31 rlm_perl: Added pair NAS-Port = 0 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 20 to 10.0.0.31 port 50071 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2c81558c2d834cde6687486c2848c067 Finished request 11. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.31 port 50071, id=21, length=315 User-Name = "abc" NAS-IP-Address = 10.0.0.31 NAS-Identifier = "belair" NAS-Port = 0 Called-Station-Id = "00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x" Calling-Station-Id = "5C-59-48-F0-34-8B" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0202008819800000007e16030100790100007503014e8a158f57cc1fc7dc587b4d0f71db7fe7535bd8d558d366554b98ffea94d54e00003ac00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a0009000300080033003900160015001401000012000a00080006001700180019000b00020100 State = 0x2c81558c2d834cde6687486c2848c067 Message-Authenticator = 0xbc890b747815cfe2a522b36ce4298072 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "abc", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 136 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 126 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0079], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 035d], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 21 to 10.0.0.31 port 50071 EAP-Message = 0x010303a01900160301002a0200002603014e8a15900e786bf596f3aacf0a8613466bde700fd2039caa47f40e4e6ff7eebf00002f00160301035d0b0003590003560003533082034f308202b8020900c4503b0d3db1eb6a300d06092a864886f70d01010505003081eb310b3009060355040613025858312a3028060355040813215468657265206973206e6f2073756368207468696e67206f757473696465205553311330110603550407130a45766572797768657265310e300c060355040a13054f434f5341313c303a060355040b13334f666669636520666f7220436f6d706c69636174696f6e206f66204f74686572776973652053696d706c65 EAP-Message = 0x20416666616972733120301e060355040313176c61622d7375706572686f73742e62686e69732e6e6574312b302906092a864886f70d010901161c726f6f74406c61622d7375706572686f73742e62686e69732e6e6574301e170d3130303432323230333833355a170d3130303532323230333833355a3081eb310b3009060355040613025858312a3028060355040813215468657265206973206e6f2073756368207468696e67206f757473696465205553311330110603550407130a45766572797768657265310e300c060355040a13054f434f5341313c303a060355040b13334f666669636520666f7220436f6d706c69636174696f6e206f66 EAP-Message = 0x204f74686572776973652053696d706c6520416666616972733120301e060355040313176c61622d7375706572686f73742e62686e69732e6e6574312b302906092a864886f70d010901161c726f6f74406c61622d7375706572686f73742e62686e69732e6e657430819f300d06092a864886f70d010101050003818d0030818902818100a8095e7a92fe7feabe7940d9ba51310a55bba6c96949d67a1798a515961ab951cfe04d4234251d36e6854920ced26224b1d6ae09fa4e793c14d464b53e2faa9606b4f785c63f270a3c1a18fee3abfc1985e86e19d86fbe775c6171c952b3bd88dc6659099d07a84ac6d360d7cd23745031635d9093ea91d4 EAP-Message = 0x8108b36edcb15eb10203010001300d06092a864886f70d0101050500038181002ac5e5a95601c5d650cf06ab8b89bde90ff4435de070cb80076e7f0e25411dc2826996807af37acccfe9ada9a1f41c90be7301fda6bf6f1e9282c57e4a4923ae6c33b827032b0691cf516299f084f128c6631e3e80a6b7e77bc214ee36b3861a39819fae257557a2a023482750e50a19755919348bcb32d83e6cf0be37e0281716030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2c81558c2e824cde6687486c2848c067 Finished request 12. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 10.0.0.31 port 50071, id=22, length=387 User-Name = "abc" NAS-IP-Address = 10.0.0.31 NAS-Identifier = "belair" NAS-Port = 0 Called-Station-Id = "00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x" Calling-Station-Id = "5C-59-48-F0-34-8B" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300d01980000000c61603010086100000820080371b287b2a288bb51773c591b925c51dc9dd35e78e31ca6572ba50103ff255b33f8f8d50222d2a360a84f9a626651502fce20b21dd5fd14a59094f2b1655bb2a2d11332b186fc5a94438859f67ec287724f63519e5cc82820cf91b5a9a9c4c26f33e31a74bddb88d1cb3b0b64ebf82e98fa1c5d1bd12b88a6774889fd868140d14030100010116030100304dcd33a4d2301013eb09a3e10798b8b1f5a6321a50a5b0ca6bd7c16c43fa7f1a4d442c1d5b5ab7421a7aa42b715abce2 State = 0x2c81558c2e824cde6687486c2848c067 Message-Authenticator = 0xa0a47b0b334f107a54ff4e9abac2969a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "abc", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 22 to 10.0.0.31 port 50071 EAP-Message = 0x0104004119001403010001011603010030b7da9f1ff65aa82945313f6e0b13f88565316368755ae23680a9a60583941b0aacfc3e71103a1e5eec9da651ae5a9d2d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2c81558c2f854cde6687486c2848c067 Finished request 13. Going to the next request Waking up in 4.6 seconds.
Date: Mon, 3 Oct 2011 18:55:42 +0100 From: A.L.M.Buxey@lboro.ac.uk To: alex-rsm@hotmail.com Subject: Re: "authentication" sub in perl
Hi,
hint: https://help.ubuntu.com/community/OpenSSL
alan
Alex rsm wrote:
openSLL is installed on my server. No more issue on EAP. However, my debug line in sub authenticate still is not being called:
Read the debug output. The "perl" module isn't being called in the "authenticate" section. Why? Because the "eap" module is being called. Why? Because "Auth-Type := EAP" is set. Why? Because the EAP module saw EAP-Message, and decided to do Auth-Type := EAP It's doing exactly what it's supposed to be doing, and what you told it to do. You didn't tell it to call the Perl module during the "authenticate" section. So it didn't do that. Alan DeKok.
On Tue, Oct 4, 2011 at 3:45 AM, Alex rsm <alex-rsm@hotmail.com> wrote:
Ok, openSLL is installed on my server. No more issue on EAP. However, my debug line in sub authenticate still is not being called:
Found Auth-Type = EAP
As Alan said, "the EAP module saw EAP-Message, and decided to do Auth-Type := EAP". I highly suggest you try simple test first (e.g. with radtest and pap). Most modifications will be on sites-available/default. Once that works, applying it to EAP should be easy enough: you just need to adapt sites-available/inner-tunnel to use your perl module. PS: While not related to your perl problem, your previous post says you're using 2.1.11, which has some known bugs fixed in later version. 2.1.12 was released some time ago, so you should upgrade. -- Fajar
participants (3)
-
Alan DeKok -
Alex rsm -
Fajar A. Nugraha