Fwd: Inner Tunnel User-Name - PEAP/MSCHAPV2
Hello FR Users, I'm currently using 3.0.x via github on RHEL 7. My issue is that I'm unable to get the User-Name attribute out of the inner tunnel. My setup is very simple, I'm proxying my authentication requests to an NPS server. It appears that part of my issue is spawning from the fact that NPS replies *without* a User-Name attribute. I've seen a couple of examples demonstrating how to update the reply or update outer.reply in the inner-tunnel post-auth section. After reading the debug output, that section doesn't seem to run. Instead, post-proxy is run which looks like a good alternative. This is what I've tried in the post-proxy section: update { &reply:User-Name += &User-Name } And this is what happens: (8) # Executing section post-proxy from file /etc/raddb/sites-enabled/inner-tunnel (8) post-proxy { (8) update { (8) &reply:User-Name += &User-Name -> 'mydomain\user000' (8) } # update = noop This is obviously wrong since it doesn't work. Any help would be greatly appreciated. Thanks, Chris --------------- *raddb/mods-enabled/eap* peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = no proxy_tunneled_request_as_eap = no virtual_server = "inner-tunnel" } --------------- *raddb/sites-enabled/inner-tunnel* server inner-tunnel { authorize { ntdomain suffix eap { ok = return } expiration logintime pap } authenticate { eap } post-auth { update { &outer.session-state: += &reply: &outer.session-state:User-Name += &User-Name } Post-Auth-Type REJECT { attr_filter.access_reject update outer.session-state { Module-Failure-Message := &request:Module-Failure-Message } } } post-proxy { update { &reply:User-Name += &User-Name } eap } --------------- *raddb/sites-enabled/default* server default { authorize { filter_username preprocess ntdomain suffix eap { ok = return } -ldap expiration logintime } authenticate { eap } preacct { preprocess acct_unique suffix files } accounting { detail unix exec attr_filter.accounting_response } post-auth { update { &reply: += &session-state: } exec remove_reply_message_if_eap Post-Auth-Type REJECT { attr_filter.access_reject eap remove_reply_message_if_eap } } post-proxy { eap } } --------------- *DEBUG* (7) Received Access-Request Id 28 from 172.23.242.165:1645 to 192.168.244.230:1812 length 276 (7) User-Name = 'anon1337' (7) Service-Type = Framed-User (7) Framed-IP-Address = 192.168.243.38 (7) Framed-MTU = 1500 (7) Called-Station-Id = '00-00-00-00-AA-AA' (7) Calling-Station-Id = '00-00-00-00-BB-BB' (7) EAP-Message = 0x026e0060190017030192.1680e6cb89aa98510fc404f1b7eb4933b8fc6042f461ca57ff5c3ac6d28f635e8367170301003003e93d2105ca95de4eb989a97f8beadb2ea20de1f5482dd4163a672bf875c413a29e3028b2e95d53c5b2856b29fe1deb (7) Message-Authenticator = 0xd5950daf85b25b80689292da899bdd86 (7) NAS-Port-Type = Ethernet (7) NAS-Port = 50002 (7) NAS-Port-Id = 'FastEthernet0/2' (7) Called-Station-Id = '00-00-00-00-AA-AA' (7) State = 0x2196d8c927f8c10ed58b5f9872208c8c (7) NAS-IP-Address = 172.23.242.165 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (!&User-Name) { (7) if (!&User-Name) -> FALSE (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@.*@/ ) { (7) if (&User-Name =~ /@.*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) ntdomain: Checking for prefix before "\" (7) ntdomain: No '\' in User-Name = "anon1337", looking up realm NULL (7) ntdomain: No such realm "NULL" (7) [ntdomain] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "anon1337", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent code Response (2) ID 110 length 96 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x2196d8c927f8c10e (7) eap: Finished EAP session with state 0x2196d8c927f8c10e (7) eap: Previous EAP request found for state 0x2196d8c927f8c10e, released from the list (7) eap: Peer sent method PEAP (25) (7) eap: EAP PEAP (25) (7) eap: Calling eap_peap to process EAP data (7) eap_peap: processing EAP-TLS (7) eap_peap: eaptls_verify returned 7 (7) eap_peap: Done initial handshake (7) eap_peap: eaptls_process returned 7 (7) eap_peap: FR_TLS_OK (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state WAITING FOR INNER IDENTITY (7) eap_peap: Identity - mydomain\user000 (7) eap_peap: Got inner identity 'mydomain\user000' (7) eap_peap: Setting default EAP type for tunneled EAP session (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x026e001201676c6f62616c5c636872697361 (7) eap_peap: Setting User-Name to mydomain\user000 (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x026e001201676c6f62616c5c636872697361 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = 'mydomain\user000' (7) eap_peap: Service-Type = Framed-User (7) eap_peap: Framed-IP-Address = 192.168.243.38 (7) eap_peap: Framed-MTU = 1500 (7) eap_peap: Called-Station-Id = '00-00-00-00-AA-AA' (7) eap_peap: Called-Station-Id = '00-00-00-00-AA-AA' (7) eap_peap: Calling-Station-Id = '00-00-00-00-BB-BB' (7) eap_peap: NAS-Port-Type = Ethernet (7) eap_peap: NAS-Port = 50002 (7) eap_peap: NAS-Port-Id = 'FastEthernet0/2' (7) eap_peap: NAS-IP-Address = 172.23.242.165 (7) eap_peap: Event-Timestamp = 'Dec 11 2014 16:55:38 EST' (7) Virtual server received request (7) EAP-Message = 0x026e001201676c6f62616c5c636872697361 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = 'mydomain\user000' (7) Service-Type = Framed-User (7) Framed-IP-Address = 192.168.243.38 (7) Framed-MTU = 1500 (7) Called-Station-Id = '00-00-00-00-AA-AA' (7) Called-Station-Id = '00-00-00-00-AA-AA' (7) Calling-Station-Id = '00-00-00-00-BB-BB' (7) NAS-Port-Type = Ethernet (7) NAS-Port = 50002 (7) NAS-Port-Id = 'FastEthernet0/2' (7) NAS-IP-Address = 172.23.242.165 (7) Event-Timestamp = 'Dec 11 2014 16:55:38 EST' (7) server inner-tunnel { (7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (7) authorize { (7) ntdomain: Checking for prefix before "\" (7) ntdomain: Looking up realm "mydomain" for User-Name = "mydomain\user000" (7) ntdomain: Found realm "mydomain" (7) ntdomain: Adding Realm = "mydomain" (7) ntdomain: Proxying request from user mydomain\user000 to realm mydomain (7) ntdomain: Preparing to proxy authentication request to realm "mydomain" (7) [ntdomain] = updated (7) suffix: Request already has destination realm set. Ignoring (7) [suffix] = noop (7) eap: Request is supposed to be proxied to Realm mydomain. Not doing EAP. (7) [eap] = noop (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = updated (7) } # server inner-tunnel (7) Virtual server sending reply (7) eap_peap: Got tunneled reply code 0 (7) eap_peap: Calling authenticate in order to initiate tunneled EAP session (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Peer sent method Identity (1) (7) eap: Calling eap_mschapv2 to process EAP data (7) eap_mschapv2: Issuing Challenge (7) eap: EAP session adding &reply:State = 0xd948b86bd927a2af (7) [eap] = handled (7) } # authenticate = handled (7) eap_peap: Cancelling proxy to realm mydomain until the tunneled EAP session has been established (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: EAP-Message = 0x016f00271a016f002210909415ffc9c1692d6de6f744d7a31428676c6f62616c5c636872697361 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xd948b86bd927a2af4aa0b84f98aa7925 (7) eap_peap: Got tunneled Access-Challenge (7) eap: EAP session adding &reply:State = 0x2196d8c926f9c10e (7) [eap] = handled (7) } # authenticate = handled (7) Sent Access-Challenge Id 28 from 192.168.244.230:1812 to 172.23.242.165:1645 length 133 (7) EAP-Message = 0x016f004b190017030100401cc068f51a055ef75f0322d45ae7db44e69bc57efebdde94cc83224d0ddc8f49c26e121d7bee4c248be63d944a02d3802b6e51e1c040b12040c57ef3e03ef1ff (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x2196d8c926f9c10ed58b5f9872208c8c (7) Finished request Waking up in 0.2 seconds. (8) Received Access-Request Id 29 from 172.23.242.165:1645 to 192.168.244.230:1812 length 324 (8) User-Name = 'anon1337' (8) Service-Type = Framed-User (8) Framed-IP-Address = 192.168.243.38 (8) Framed-MTU = 1500 (8) Called-Station-Id = '00-00-00-00-AA-AA' (8) Calling-Station-Id = '00-00-00-00-BB-BB' (8) EAP-Message = 0x026f0090190017030192.16805f6aa95b7c5dff8199c9f7ea839908b524917466ca42abdd8169c148bb2fad7d17030100609e65f129d587f058f9ad84b662ab933e21f1fdc8b1d06fc07a353ac69160d38fa1cea74279db7816d337173b79c195d37433626c4ed7aa543ade8ef91f341da2ddb4d7425c5173 (8) Message-Authenticator = 0xae08a4251146eef68e6aef5915fb17cb (8) NAS-Port-Type = Ethernet (8) NAS-Port = 50002 (8) NAS-Port-Id = 'FastEthernet0/2' (8) Called-Station-Id = '00-00-00-00-AA-AA' (8) State = 0x2196d8c926f9c10ed58b5f9872208c8c (8) NAS-IP-Address = 172.23.242.165 (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (!&User-Name) { (8) if (!&User-Name) -> FALSE (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@.*@/ ) { (8) if (&User-Name =~ /@.*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) ntdomain: Checking for prefix before "\" (8) ntdomain: No '\' in User-Name = "anon1337", looking up realm NULL (8) ntdomain: No such realm "NULL" (8) [ntdomain] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "anon1337", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent code Response (2) ID 111 length 144 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0xd948b86bd927a2af (8) eap: Finished EAP session with state 0x2196d8c926f9c10e (8) eap: Previous EAP request found for state 0x2196d8c926f9c10e, released from the list (8) eap: Peer sent method PEAP (25) (8) eap: EAP PEAP (25) (8) eap: Calling eap_peap to process EAP data (8) eap_peap: processing EAP-TLS (8) eap_peap: eaptls_verify returned 7 (8) eap_peap: Done initial handshake (8) eap_peap: eaptls_process returned 7 (8) eap_peap: FR_TLS_OK (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP type MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x026f00481a026f004331bce4b4548870ee6a96268e682a0e42560000000000000000f418c2cd895d3b885d533428bcd934bf8ebeadb11a9e889b00676c6f62616c5c636872697361 (8) eap_peap: Setting User-Name to mydomain\user000 (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x026f00481a026f004331bce4b4548870ee6a96268e682a0e42560000000000000000f418c2cd895d3b885d533428bcd934bf8ebeadb11a9e889b00676c6f62616c5c636872697361 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = 'mydomain\user000' (8) eap_peap: State = 0xd948b86bd927a2af4aa0b84f98aa7925 (8) eap_peap: Service-Type = Framed-User (8) eap_peap: Framed-IP-Address = 192.168.243.38 (8) eap_peap: Framed-MTU = 1500 (8) eap_peap: Called-Station-Id = '00-00-00-00-AA-AA' (8) eap_peap: Called-Station-Id = '00-00-00-00-AA-AA' (8) eap_peap: Calling-Station-Id = '00-00-00-00-BB-BB' (8) eap_peap: NAS-Port-Type = Ethernet (8) eap_peap: NAS-Port = 50002 (8) eap_peap: NAS-Port-Id = 'FastEthernet0/2' (8) eap_peap: NAS-IP-Address = 172.23.242.165 (8) eap_peap: Event-Timestamp = 'Dec 11 2014 16:55:38 EST' (8) Virtual server received request (8) EAP-Message = 0x026f00481a026f004331bce4b4548870ee6a96268e682a0e42560000000000000000f418c2cd895d3b885d533428bcd934bf8ebeadb11a9e889b00676c6f62616c5c636872697361 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = 'mydomain\user000' (8) State = 0xd948b86bd927a2af4aa0b84f98aa7925 (8) Service-Type = Framed-User (8) Framed-IP-Address = 192.168.243.38 (8) Framed-MTU = 1500 (8) Called-Station-Id = '00-00-00-00-AA-AA' (8) Called-Station-Id = '00-00-00-00-AA-AA' (8) Calling-Station-Id = '00-00-00-00-BB-BB' (8) NAS-Port-Type = Ethernet (8) NAS-Port = 50002 (8) NAS-Port-Id = 'FastEthernet0/2' (8) NAS-IP-Address = 172.23.242.165 (8) Event-Timestamp = 'Dec 11 2014 16:55:38 EST' (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) ntdomain: Checking for prefix before "\" (8) ntdomain: Looking up realm "mydomain" for User-Name = "mydomain\user000" (8) ntdomain: Found realm "mydomain" (8) ntdomain: Adding Realm = "mydomain" (8) ntdomain: Proxying request from user mydomain\user000 to realm mydomain (8) ntdomain: Preparing to proxy authentication request to realm "mydomain" (8) [ntdomain] = updated (8) suffix: Request already has destination realm set. Ignoring (8) [suffix] = noop (8) eap: Request is supposed to be proxied to Realm mydomain. Not doing EAP. (8) [eap] = noop (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) } # server inner-tunnel (8) Virtual server sending reply (8) eap_peap: Got tunneled reply code 0 (8) eap_peap: Calling authenticate in order to initiate tunneled EAP session (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0xd948b86bd927a2af (8) eap: Finished EAP session with state 0xd948b86bd927a2af (8) eap: Previous EAP request found for state 0xd948b86bd927a2af, released from the list (8) eap: Peer sent method MSCHAPv2 (26) (8) eap: EAP MSCHAPv2 (26) (8) eap: Calling eap_mschapv2 to process EAP data (8) eap_mschapv2: cancelling authentication and letting it be proxied (8) eap: No EAP proxy set. Not composing EAP (8) [eap] = handled (8) } # authenticate = handled (8) eap_peap: Tunnelled authentication will be proxied to mydomain (8) eap_peap: Remembering to do EAP-MS-CHAP-V2 post-proxy (8) eap: Tunneled session will be proxied. Not doing EAP (8) [eap] = handled (8) } # authenticate = handled Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 48355 (8) Proxying request to home server 192.168.1.103 port 1812 timeout 30.000000 (8) Sent Access-Request Id 198 from 0.0.0.0:48355 to 192.168.1.103:1812 length 255 (8) User-Name = 'mydomain\user000' (8) Service-Type = Framed-User (8) Framed-IP-Address = 192.168.243.38 (8) Framed-MTU = 1500 (8) Called-Station-Id = '00-00-00-00-AA-AA' (8) Called-Station-Id = '00-00-00-00-AA-AA' (8) Calling-Station-Id = '00-00-00-00-BB-BB' (8) NAS-Port-Type = Ethernet (8) NAS-Port = 50002 (8) NAS-Port-Id = 'FastEthernet0/2' (8) NAS-IP-Address = 172.23.242.165 (8) Event-Timestamp = 'Dec 11 2014 16:55:38 EST' (8) MS-CHAP-Challenge = 0x909415ffc9c1692d6de6f744d7a31428 (8) MS-CHAP2-Response = 0x6f6cbce4b4548870ee6a96268e682a0e42560000000000000000f418c2cd895d3b885d533428bcd934bf8ebeadb11a9e889b (8) Message-Authenticator := 0x00 (8) Proxy-State = 0x3239 (8) Received Access-Accept Id 198 from 192.168.1.103:1812 to 192.168.244.230:48355 length 256 (8) Proxy-State = 0x3239 (8) Framed-Protocol = PPP (8) Service-Type = Framed-User (8) Class = 0x3fc704f900000137000102000a02016700000000000000000000000001d006be3dc74c5b000000000004f90c (8) MS-MPPE-Recv-Key = 0xc91f6a04dccbaf84f7c206510152cae5 (8) MS-MPPE-Send-Key = 0xf2de36fbd643948f1f803fc4e177494f (8) MS-CHAP2-Success = 0x6f533d32453435313836344430354331393343313530383231384636304635433738463535413139383035 (8) MS-CHAP-Domain = 'oMYDOMAIN' (8) MS-Link-Utilization-Threshold = 50 (8) MS-Link-Drop-Time-Limit = 120 (8) # Executing section post-proxy from file /etc/raddb/sites-enabled/default (8) post-proxy { (8) eap: Doing post-proxy callback (8) eap: Passing reply from proxy back into the tunnel server inner-tunnel { (8) eap: Passing reply back for EAP-MS-CHAP-V2 (8) # Executing section post-proxy from file /etc/raddb/sites-enabled/inner-tunnel (8) post-proxy { (8) update { (8) &reply:User-Name += &User-Name -> 'mydomain\user000' (8) } # update = noop (8) eap: Doing post-proxy callback (8) eap: Passing reply from proxy back into the tunnel 2. (8) eap: Proxied authentication succeeded MSCHAP Success (8) eap: EAP session adding &reply:State = 0xd948b86bd838a2af (8) [eap] = ok (8) } # post-proxy = ok } # server inner-tunnel (8) eap: Final reply from tunneled session code 11 (8) eap: Proxy-State = 0x3239 (8) eap: Framed-Protocol = PPP (8) eap: Service-Type = Framed-User (8) eap: Class = 0x3fc704f900000137000102000a02016700000000000000000000000001d006be3dc74c5b000000000004f90c (8) eap: MS-CHAP-Domain = 'oMYDOMAIN' (8) eap: MS-Link-Utilization-Threshold = 50 (8) eap: MS-Link-Drop-Time-Limit = 120 (8) eap: User-Name += 'mydomain\user000' (8) eap: EAP-Message = 0x017000331a036f002e533d32453435313836344430354331393343313530383231384636304635433738463535413139383035 (8) eap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap: State = 0xd948b86bd838a2af4aa0b84f98aa7925 (8) eap: Got reply 11 (8) eap: Got tunneled reply RADIUS code 11 (8) eap: Proxy-State = 0x3239 (8) eap: Framed-Protocol = PPP (8) eap: Service-Type = Framed-User (8) eap: Class = 0x3fc704f900000137000102000a02016700000000000000000000000001d006be3dc74c5b000000000004f90c (8) eap: MS-CHAP-Domain = 'oMYDOMAIN' (8) eap: MS-Link-Utilization-Threshold = 50 (8) eap: MS-Link-Drop-Time-Limit = 120 (8) eap: User-Name += 'mydomain\user000' (8) eap: EAP-Message = 0x017000331a036f002e533d32453435313836344430354331393343313530383231384636304635433738463535413139383035 (8) eap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap: State = 0xd948b86bd838a2af4aa0b84f98aa7925 (8) eap: Got tunneled Access-Challenge (8) eap: Reply was handled (8) eap: EAP session adding &reply:State = 0x2196d8c929e6c10e (8) [eap] = ok (8) } # post-proxy = ok (8) Sent Access-Challenge Id 29 from 192.168.244.230:1812 to 172.23.242.165:1645 length 149 (8) EAP-Message = 0x0170005b19001703010050e4af81c9ecf1135b817b48ffecdbdfedb6922e5cfe1d463f7e8ef93564a8bdc26e5ae1ef16598d2dfa622c69a1408d9be0a0ddc629ee1dc6c28f94be0e7342f5bba962637645ef95bdec9fb40ad5f6ab (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x2196d8c929e6c10ed58b5f9872208c8c (8) Finished request Waking up in 0.2 seconds. Waking up in 3.7 seconds. (9) Received Access-Request Id 30 from 172.23.242.165:1645 to 192.168.244.230:1812 length 260 (9) User-Name = 'anon1337' (9) Service-Type = Framed-User (9) Framed-IP-Address = 192.168.243.38 (9) Framed-MTU = 1500 (9) Called-Station-Id = '00-00-00-00-AA-AA' (9) Calling-Station-Id = '00-00-00-00-BB-BB' (9) EAP-Message = 0x02700050190017030192.1680ceb524c34f543d34a2114a5dc0162c1506dcb23023b799d1a6b01fd094a36bbe17030192.1680ac40f2c24559bd0245d1add229486b46e0ddc7e84ece128eed9af83704914517 (9) Message-Authenticator = 0x2db32972e884849ee872929fee306127 (9) NAS-Port-Type = Ethernet (9) NAS-Port = 50002 (9) NAS-Port-Id = 'FastEthernet0/2' (9) Called-Station-Id = '00-00-00-00-AA-AA' (9) State = 0x2196d8c929e6c10ed58b5f9872208c8c (9) NAS-IP-Address = 172.23.242.165 (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (!&User-Name) { (9) if (!&User-Name) -> FALSE (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@.*@/ ) { (9) if (&User-Name =~ /@.*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) ntdomain: Checking for prefix before "\" (9) ntdomain: No '\' in User-Name = "anon1337", looking up realm NULL (9) ntdomain: No such realm "NULL" (9) [ntdomain] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "anon1337", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent code Response (2) ID 112 length 80 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0xd948b86bd838a2af (9) eap: Finished EAP session with state 0x2196d8c929e6c10e (9) eap: Previous EAP request found for state 0x2196d8c929e6c10e, released from the list (9) eap: Peer sent method PEAP (25) (9) eap: EAP PEAP (25) (9) eap: Calling eap_peap to process EAP data (9) eap_peap: processing EAP-TLS (9) eap_peap: eaptls_verify returned 7 (9) eap_peap: Done initial handshake (9) eap_peap: eaptls_process returned 7 (9) eap_peap: FR_TLS_OK (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state phase2 (9) eap_peap: EAP type MSCHAPv2 (26) (9) eap_peap: Got tunneled request (9) eap_peap: EAP-Message = 0x027000061a03 (9) eap_peap: Setting User-Name to mydomain\user000 (9) eap_peap: Sending tunneled request to inner-tunnel (9) eap_peap: EAP-Message = 0x027000061a03 (9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (9) eap_peap: User-Name = 'mydomain\user000' (9) eap_peap: State = 0xd948b86bd838a2af4aa0b84f98aa7925 (9) eap_peap: Service-Type = Framed-User (9) eap_peap: Framed-IP-Address = 192.168.243.38 (9) eap_peap: Framed-MTU = 1500 (9) eap_peap: Called-Station-Id = '00-00-00-00-AA-AA' (9) eap_peap: Called-Station-Id = '00-00-00-00-AA-AA' (9) eap_peap: Calling-Station-Id = '00-00-00-00-BB-BB' (9) eap_peap: NAS-Port-Type = Ethernet (9) eap_peap: NAS-Port = 50002 (9) eap_peap: NAS-Port-Id = 'FastEthernet0/2' (9) eap_peap: NAS-IP-Address = 172.23.242.165 (9) eap_peap: Event-Timestamp = 'Dec 11 2014 16:55:39 EST' (9) Virtual server received request (9) EAP-Message = 0x027000061a03 (9) FreeRADIUS-Proxied-To = 127.0.0.1 (9) User-Name = 'mydomain\user000' (9) State = 0xd948b86bd838a2af4aa0b84f98aa7925 (9) Service-Type = Framed-User (9) Framed-IP-Address = 192.168.243.38 (9) Framed-MTU = 1500 (9) Called-Station-Id = '00-00-00-00-AA-AA' (9) Called-Station-Id = '00-00-00-00-AA-AA' (9) Calling-Station-Id = '00-00-00-00-BB-BB' (9) NAS-Port-Type = Ethernet (9) NAS-Port = 50002 (9) NAS-Port-Id = 'FastEthernet0/2' (9) NAS-IP-Address = 172.23.242.165 (9) Event-Timestamp = 'Dec 11 2014 16:55:39 EST' (9) server inner-tunnel { (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) ntdomain: Checking for prefix before "\" (9) ntdomain: Looking up realm "mydomain" for User-Name = "mydomain\user000" (9) ntdomain: Found realm "mydomain" (9) ntdomain: Adding Realm = "mydomain" (9) ntdomain: Proxying request from user mydomain\user000 to realm mydomain (9) ntdomain: Preparing to proxy authentication request to realm "mydomain" (9) [ntdomain] = updated (9) suffix: Request already has destination realm set. Ignoring (9) [suffix] = noop (9) eap: Request is supposed to be proxied to Realm mydomain. Not doing EAP. (9) [eap] = noop (9) [expiration] = noop (9) [logintime] = noop (9) [pap] = noop (9) } # authorize = updated (9) } # server inner-tunnel (9) Virtual server sending reply (9) eap_peap: Got tunneled reply code 0 (9) eap_peap: Calling authenticate in order to initiate tunneled EAP session (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap: Expiring EAP session with state 0xd948b86bd838a2af (9) eap: Finished EAP session with state 0xd948b86bd838a2af (9) eap: Previous EAP request found for state 0xd948b86bd838a2af, released from the list (9) eap: Peer sent method MSCHAPv2 (26) (9) eap: EAP MSCHAPv2 (26) (9) eap: Calling eap_mschapv2 to process EAP data (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) eap_peap: Got tunneled reply RADIUS code 2 (9) eap_peap: MS-MPPE-Send-Key = 0xf2de36fbd643948f1f803fc4e177494f (9) eap_peap: MS-MPPE-Recv-Key = 0xc91f6a04dccbaf84f7c206510152cae5 (9) eap_peap: Proxy-State = 0x3239 (9) eap_peap: Framed-Protocol = PPP (9) eap_peap: Service-Type = Framed-User (9) eap_peap: Class = 0x3fc704f900000137000102000a02016700000000000000000000000001d006be3dc74c5b000000000004f90c (9) eap_peap: MS-CHAP-Domain = 'oMYDOMAIN' (9) eap_peap: MS-Link-Utilization-Threshold = 50 (9) eap_peap: MS-Link-Drop-Time-Limit = 120 (9) eap_peap: User-Name += 'mydomain\user000' (9) eap_peap: EAP-Message = 0x03700004 (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap: Tunneled authentication was successful (9) eap_peap: SUCCESS (9) eap: EAP session adding &reply:State = 0x2196d8c928e7c10e (9) [eap] = handled (9) } # authenticate = handled (9) Sent Access-Challenge Id 30 from 192.168.244.230:1812 to 172.23.242.165:1645 length 101 (9) EAP-Message = 0x017192.168b190017030192.1680c6fab14adc6c0ced5f0317c798fa57aff8a040ecf4384af7e1490a42279ff4f7 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0x2196d8c928e7c10ed58b5f9872208c8c (9) Finished request Waking up in 0.3 seconds. (10) Received Access-Request Id 31 from 172.23.242.165:1645 to 192.168.244.230:1812 length 260 (10) User-Name = 'anon1337' (10) Service-Type = Framed-User (10) Framed-IP-Address = 192.168.243.38 (10) Framed-MTU = 1500 (10) Called-Station-Id = '00-00-00-00-AA-AA' (10) Calling-Station-Id = '00-00-00-00-BB-BB' (10) EAP-Message = 0x02710050190017030192.1680247750954f15ab3e1370c5f04879ba432f948b0645cc5fc91dc71a56f3a9023a17030192.168073c995b596d5ba2ad25adc110c3ab7125de7738c7273a6e7533fb295d897bc9b (10) Message-Authenticator = 0xabddfb24ce3d43a042ea662e5ac514ef (10) NAS-Port-Type = Ethernet (10) NAS-Port = 50002 (10) NAS-Port-Id = 'FastEthernet0/2' (10) Called-Station-Id = '00-00-00-00-AA-AA' (10) State = 0x2196d8c928e7c10ed58b5f9872208c8c (10) NAS-IP-Address = 172.23.242.165 (10) session-state: No cached attributes (10) # Executing section authorize from file /etc/raddb/sites-enabled/default (10) authorize { (10) policy filter_username { (10) if (!&User-Name) { (10) if (!&User-Name) -> FALSE (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@.*@/ ) { (10) if (&User-Name =~ /@.*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # policy filter_username = notfound (10) [preprocess] = ok (10) ntdomain: Checking for prefix before "\" (10) ntdomain: No '\' in User-Name = "anon1337", looking up realm NULL (10) ntdomain: No such realm "NULL" (10) [ntdomain] = noop (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "anon1337", looking up realm NULL (10) suffix: No such realm "NULL" (10) [suffix] = noop (10) eap: Peer sent code Response (2) ID 113 length 80 (10) eap: Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = EAP (10) # Executing group from file /etc/raddb/sites-enabled/default (10) authenticate { (10) eap: Expiring EAP session with state 0x2196d8c928e7c10e (10) eap: Finished EAP session with state 0x2196d8c928e7c10e (10) eap: Previous EAP request found for state 0x2196d8c928e7c10e, released from the list (10) eap: Peer sent method PEAP (25) (10) eap: EAP PEAP (25) (10) eap: Calling eap_peap to process EAP data (10) eap_peap: processing EAP-TLS (10) eap_peap: eaptls_verify returned 7 (10) eap_peap: Done initial handshake (10) eap_peap: eaptls_process returned 7 (10) eap_peap: FR_TLS_OK (10) eap_peap: Session established. Decoding tunneled attributes (10) eap_peap: PEAP state send tlv success (10) eap_peap: Received EAP-TLV response (10) eap_peap: Success (10) eap_peap: No information to cache: session caching will be disabled for session 092599a5df0926e3e9440ae53c451e4b253e8e1516b2447e289ce1b5904239c5 SSL: Removing session 092599a5df0926e3e9440ae53c451e4b253e8e1516b2447e289ce1b5904239c5 from the cache (10) eap: Freeing handler (10) [eap] = ok (10) } # authenticate = ok (10) # Executing section post-auth from file /etc/raddb/sites-enabled/default (10) post-auth { (10) update { (10) No attributes updated (10) } # update = noop (10) [exec] = noop (10) policy remove_reply_message_if_eap { (10) if (&reply:EAP-Message && &reply:Reply-Message) { (10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (10) else { (10) [noop] = noop (10) } # else = noop (10) } # policy remove_reply_message_if_eap = noop (10) } # post-auth = noop (10) Sent Access-Accept Id 31 from 192.168.244.230:1812 to 172.23.242.165:1645 length 170 (10) MS-MPPE-Recv-Key = 0xb5c9941fdf7d63b2f617b2faafb5552e075691a9b617df1da24c2cd77e86cbaa (10) MS-MPPE-Send-Key = 0xdd5153f339ed2bc1e6c3fd7b68b36d9070688f4700dda0170c2086fc24f99e8a (10) EAP-Message = 0x03710004 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) User-Name = 'anon1337' (10) Finished request Waking up in 0.3 seconds. Waking up in 2.7 seconds. (11) Received Accounting-Request Id 186 from 172.23.242.165:1646 to 192.168.244.230:1813 length 173 (11) Acct-Session-Id = '00018AE4' (11) Calling-Station-Id = '00-00-00-00-BB-BB' (11) Framed-IP-Address = 192.168.243.38 (11) User-Name = 'anon1337' (11) Acct-Session-Time = 6124 (11) Acct-Input-Octets = 572933 (11) Acct-Output-Octets = 1640076 (11) Acct-Input-Packets = 4773 (11) Acct-Output-Packets = 16442 (11) Acct-Authentic = RADIUS (11) Acct-Status-Type = Interim-Update (11) NAS-Port-Type = Ethernet (11) NAS-Port = 50002 (11) NAS-Port-Id = 'FastEthernet0/2' (11) Called-Station-Id = '00-00-00-00-AA-AA' (11) Service-Type = Framed-User (11) NAS-IP-Address = 172.23.242.165 (11) Acct-Delay-Time = 0 (11) # Executing section preacct from file /etc/raddb/sites-enabled/default (11) preacct { (11) [preprocess] = ok (11) policy acct_unique { (11) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) { (11) EXPAND %{string:Class} (11) --> (11) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE (11) else { (11) Acct-Session-Id = '00018AE4' (11) Calling-Station-Id = '00-00-00-00-BB-BB' (11) Framed-IP-Address = 192.168.243.38 (11) User-Name = 'anon1337' (11) Acct-Session-Time = 6124 (11) Acct-Input-Octets = 572933 (11) Acct-Output-Octets = 1640076 (11) Acct-Input-Packets = 4773 (11) Acct-Output-Packets = 16442 (11) Acct-Authentic = RADIUS (11) Acct-Status-Type = Interim-Update (11) NAS-Port-Type = Ethernet (11) NAS-Port = 50002 (11) NAS-Port-Id = 'FastEthernet0/2' (11) Called-Station-Id = '00-00-00-00-AA-AA' (11) Service-Type = Framed-User (11) NAS-IP-Address = 172.23.242.165 (11) Acct-Delay-Time = 0 (11) # Executing section preacct from file /etc/raddb/sites-enabled/default (11) preacct { (11) [preprocess] = ok (11) policy acct_unique { (11) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) { (11) EXPAND %{string:Class} (11) --> (11) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE (11) else { (11) update request { (11) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (11) --> 38f99589b6e9b39e24fcf277e9459a58 (11) &Acct-Unique-Session-Id := "38f99589b6e9b39e24fcf277e9459a58" (11) } # update request = noop (11) } # else = noop (11) } # policy acct_unique = noop (11) suffix: Checking for suffix after "@" (11) suffix: No '@' in User-Name = "anon1337", looking up realm NULL (11) suffix: No such realm "NULL" (11) [suffix] = noop (11) [files] = noop (11) } # preacct = ok (11) # Executing section accounting from file /etc/raddb/sites-enabled/default (11) accounting { (11) detail: EXPAND /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (11) detail: --> /var/log/radiusd/radacct/172.23.242.165/detail-20141211 (11) detail: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radiusd/radacct/172.23.242.165/detail-20141211 (11) detail: EXPAND %t (11) detail: --> Thu Dec 11 16:55:40 2014 (11) [detail] = ok (11) [unix] = noop (11) [exec] = noop (11) attr_filter.accounting_response: EXPAND %{User-Name} (11) attr_filter.accounting_response: --> anon1337 (11) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (11) [attr_filter.accounting_response] = updated (11) } # accounting = updated (11) Sent Accounting-Response Id 186 from 192.168.244.230:1813 to 172.23.242.165:1646 length 20 (11) Finished request
On Dec 12, 2014, at 8:48 AM, Chris Arg <grkcharge@gmail.com> wrote:
I'm currently using 3.0.x via github on RHEL 7. My issue is that I'm unable to get the User-Name attribute out of the inner tunnel.
Read raddb/sites-available/inner-tunnel. Look at the “post-auth” section: # # Instead of "use_tunneled_reply", do this: # # update { # &outer.session-state: += &reply: # } Uncomment that block.
I've seen a couple of examples demonstrating how to update the reply or update outer.reply in the inner-tunnel post-auth section. After reading the debug output, that section doesn't seem to run. Instead, post-proxy is run which looks like a good alternative. This is what I've tried in the post-proxy section:
update { &reply:User-Name += &User-Name }
That won’t work. That’s updating the inner-tunnel reply, which is not what you want.
--------------- raddb/mods-enabled/eap
Don’t send configuration files to the list. The documentation says to post the debug output. ONLY the debug output. And you’ve butchered the configuration files. Don’t do that. There’s no additional cost to leave the comments, etc. Leaving the comments there helps explain what the files are doing, and why. Alan DeKok.
Thanks for the prompt reply Alan.
Read raddb/sites-available/inner-tunnel. Look at the “post-auth” section:
# Instead of "use_tunneled_reply", do this: # # update { # &outer.session-state: += &reply: # }
Uncomment that block.
That is enabled in my configuration, but the post-auth section within the inner-tunnel is never run. Here's a grep of my debug showing that only sites-enabled/defaults post-auth is getting executed: *grep -i post-auth /tmp/fr_dump.txt * post-auth { # Loading post-auth {...} # Loading post-auth {...} (10) # Executing section post-auth from file /etc/raddb/sites-enabled/default (10) post-auth { (10) } # post-auth = noop On Fri, Dec 12, 2014 at 9:38 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 12, 2014, at 8:48 AM, Chris Arg <grkcharge@gmail.com> wrote:
I'm currently using 3.0.x via github on RHEL 7. My issue is that I'm unable to get the User-Name attribute out of the inner tunnel.
Read raddb/sites-available/inner-tunnel. Look at the “post-auth” section:
# # Instead of "use_tunneled_reply", do this: # # update { # &outer.session-state: += &reply: # }
Uncomment that block.
I've seen a couple of examples demonstrating how to update the reply or update outer.reply in the inner-tunnel post-auth section. After reading the debug output, that section doesn't seem to run. Instead, post-proxy is run which looks like a good alternative. This is what I've tried in the post-proxy section:
update { &reply:User-Name += &User-Name }
That won’t work. That’s updating the inner-tunnel reply, which is not what you want.
--------------- raddb/mods-enabled/eap
Don’t send configuration files to the list. The documentation says to post the debug output. ONLY the debug output.
And you’ve butchered the configuration files. Don’t do that. There’s no additional cost to leave the comments, etc. Leaving the comments there helps explain what the files are doing, and why.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 12, 2014, at 10:08 AM, Chris Arg <grkcharge@gmail.com> wrote:
That is enabled in my configuration, but the post-auth section within the inner-tunnel is never run.
Hmm… I’ll have to look into that. You can also put that block into the post-proxy section of the inner-tunnel. It should do the same thing. Alan DeKok.
You can also put that block into the post-proxy section of the inner-tunnel. It should do the same thing.
Just tried this, for whatever reason update = noop which I believe means nothing was updated. (8) # Executing section post-proxy from file /etc/raddb/sites-enabled/inner-tunnel (8) post-proxy { (8) update { (8) &outer.session-state:Proxy-State += &reply:Proxy-State -> 0x3730 (8) &outer.session-state:Framed-Protocol += &reply:Framed-Protocol -> PPP (8) &outer.session-state:Service-Type += &reply:Service-Type -> Framed-User (8) &outer.session-state:Class += &reply:Class -> 0x3e5d044100000137000102000a02016700000000000000000000000001d006be3dc74c5b0000000000054507 (8) &outer.session-state:MS-MPPE-Recv-Key += &reply:MS-MPPE-Recv-Key -> 0x6f6da555aa52c08a69f1d40 (8) &outer.session-state:MS-MPPE-Send-Key += &reply:MS-MPPE-Send-Key -> 0xd848d864c43408713a143c1 (8) &outer.session-state:MS-CHAP2-Success += &reply:MS-CHAP2-Success -> 0x85533d433231414331363443343037333931383833433532353546434146453633303 (8) &outer.session-state:MS-CHAP-Domain += &reply:MS-CHAP-Domain -> '\205MYDOMAIN' (8) &outer.session-state:MS-Link-Utilization-Threshold += &reply:MS-Link-Utilization-Threshold -> 50 (8) &outer.session-state:MS-Link-Drop-Time-Limit += &reply:MS-Link-Drop-Time-Limit -> 120 (8) } # update = noop (8) eap: Doing post-proxy callback (8) eap: Passing reply from proxy back into the tunnel 2. (8) eap: Proxied authentication succeeded
On Dec 12, 2014, at 11:41 AM, Chris Arg <grkcharge@gmail.com> wrote:
You can also put that block into the post-proxy section of the inner-tunnel. It should do the same thing.
Just tried this, for whatever reason update = noop which I believe means nothing was updated.
No. You have to look at the rest of the debug output to see what’s going on. The update blocks don’t return any code. They just pass through the code which was there before the update block was run. Alan DeKok.
No. You have to look at the rest of the debug output to see what’s going on. The update blocks don’t return any code. They just pass through the code which was there before the update block was run.
Okay, that makes sense. Quick overview of what I think/see is happening. I'm sure it's wrong so please correct me. Packet 8 comes in. Post-Proxy is run and the update to outer.session-state happens. Access-Challenge is sent and the state is cached. Packet 9 comes in. It's an Access-Request packet which triggers the previously cached information to be retrieved. This packet only gets to the authenticate section before a new Access-Challenge is sent causing the current state to be cached. Packet 10 comes in. It's an Access-Request which retrieves the previous state information. Post-Auth in sites-enabled/default is ran which executes update for &reply: += &session-state:. This results in a No attributes updated because the previous state didn't have any. (8) Received Access-Request Id 70 from 172.23.242.165:1645 to 192.168.244.230:1812 length 324 (8) User-Name = 'anon1337' (8) Service-Type = Framed-User (8) Framed-IP-Address = 192.168.243.38 (8) Framed-MTU = 1500 (8) Called-Station-Id = '00-00-00-00-AA-AA' (8) Calling-Station-Id = '00-00-00-00-BB-BB' (8) EAP-Message = 0x02850090190017030100202521e17eceb019efb0902fa8d72d8a2ab02ee389663711a72de20381703010060063a3571bfc98199485cf8b5551527d58e1b7a9a751e7038a60a127be872aeae13bd67e7a165c1c52406b3ee64c85566d8e621cbfb38969e243d9e34bae87fb1f5b (8) Message-Authenticator = 0xe39116b3135152d0ee52e3258 (8) NAS-Port-Type = Ethernet (8) NAS-Port = 50002 (8) NAS-Port-Id = 'FastEthernet0/2' (8) Called-Station-Id = '00-00-00-00-AA-AA' (8) State = 0x0fd7c6d30852dfc3c063e5767e205a4d (8) NAS-IP-Address = 172.23.242.165 (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/default (8) authorize { (8) ntdomain: Checking for prefix before "\" (8) ntdomain: No '\' in User-Name = "anon1337", looking up realm NULL (8) ntdomain: No such realm "NULL" (8) [ntdomain] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "anon1337", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent code Response (2) ID 133 length 144 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0xd3877aa8d3026065 (8) eap: Finished EAP session with state 0x0fd7c6d30852dfc3 (8) eap: Previous EAP request found for state 0x0fd7c6d30852dfc3, released from the list (8) eap: Peer sent method PEAP (25) (8) eap: EAP PEAP (25) (8) eap: Calling eap_peap to process EAP data (8) eap_peap: processing EAP-TLS (8) eap_peap: eaptls_verify returned 7 (8) eap_peap: Done initial handshake (8) eap_peap: eaptls_process returned 7 (8) eap_peap: FR_TLS_OK (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP type MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x028500481a02850043312e31704e23166e02ecec68b8b34d2e400000000000000000ed732d4aae8a94fa2b2afbfdd05b5c78e9dc7b3b9dbb99b400676c6f6 (8) eap_peap: Setting User-Name to mydomain\user000 (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x028500481a02850043312e31704e23166e02ecec68b8b34d2e400000000000000000ed732d4aae8a94fa2b2afbfdd05b5c78e9dc7b3b9dbb99b400676c6f6 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = 'mydomain\user000' (8) eap_peap: State = 0xd3877aa8d30260658703aed2f073d630 (8) eap_peap: Service-Type = Framed-User (8) eap_peap: Framed-IP-Address = 192.168.243.38 (8) eap_peap: Framed-MTU = 1500 (8) eap_peap: Called-Station-Id = '00-00-00-00-AA-AA' (8) eap_peap: Called-Station-Id = '00-00-00-00-AA-AA' (8) eap_peap: Calling-Station-Id = '00-00-00-00-BB-BB' (8) eap_peap: NAS-Port-Type = Ethernet (8) eap_peap: NAS-Port = 50002 (8) eap_peap: NAS-Port-Id = 'FastEthernet0/2' (8) eap_peap: NAS-IP-Address = 172.23.242.165 (8) eap_peap: Event-Timestamp = 'Dec 12 2014 11:27:58 EST' (8) Virtual server received request (8) EAP-Message = 0x028500481a02850043312e31704e23166e02ecec68b8b34d2e400000000000000000ed732d4aae8a94fa2b2afbfdd05b5c78e9dc7b3b9dbb99b400 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = 'mydomain\user000' (8) State = 0xd3877aa8d30260658703aed2f073d630 (8) Service-Type = Framed-User (8) Framed-IP-Address = 192.168.243.38 (8) Framed-MTU = 1500 (8) Called-Station-Id = '00-00-00-00-AA-AA' (8) Called-Station-Id = '00-00-00-00-AA-AA' (8) Calling-Station-Id = '00-00-00-00-BB-BB' (8) NAS-Port-Type = Ethernet (8) NAS-Port = 50002 (8) NAS-Port-Id = 'FastEthernet0/2' (8) NAS-IP-Address = 172.23.242.165 (8) Event-Timestamp = 'Dec 12 2014 11:27:58 EST' (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) ntdomain: Checking for prefix before "\" (8) ntdomain: Looking up realm "mydomain" for User-Name = "mydomain\user000" (8) ntdomain: Found realm "mydomain" (8) ntdomain: Adding Realm = "mydomain" (8) ntdomain: Proxying request from user mydomain\user000 to realm mydomain (8) ntdomain: Preparing to proxy authentication request to realm "mydomain" (8) [ntdomain] = updated (8) suffix: Request already has destination realm set. Ignoring (8) [suffix] = noop (8) eap: Request is supposed to be proxied to Realm mydomain. Not doing EAP. (8) [eap] = noop (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) } # server inner-tunnel (8) Virtual server sending reply (8) eap_peap: Got tunneled reply code 0 (8) eap_peap: Calling authenticate in order to initiate tunneled EAP session (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0xd3877aa8d3026065 (8) eap: Finished EAP session with state 0xd3877aa8d3026065 (8) eap: Previous EAP request found for state 0xd3877aa8d3026065, released from the list (8) eap: Peer sent method MSCHAPv2 (26) (8) eap: EAP MSCHAPv2 (26) (8) eap: Calling eap_mschapv2 to process EAP data (8) eap_mschapv2: cancelling authentication and letting it be proxied (8) eap: No EAP proxy set. Not composing EAP (8) [eap] = handled (8) } # authenticate = handled (8) eap_peap: Tunnelled authentication will be proxied to mydomain (8) eap_peap: Remembering to do EAP-MS-CHAP-V2 post-proxy (8) eap: Tunneled session will be proxied. Not doing EAP (8) [eap] = handled (8) } # authenticate = handled Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 57020 (8) Proxying request to home server 192.168.1.103 port 1812 timeout 30.000000 (8) Sent Access-Request Id 247 from 0.0.0.0:57020 to 192.168.1.103:1812 length 255 (8) User-Name = 'mydomain\user000' (8) Service-Type = Framed-User (8) Framed-IP-Address = 192.168.243.38 (8) Framed-MTU = 1500 (8) Called-Station-Id = '00-00-00-00-AA-AA' (8) Called-Station-Id = '00-00-00-00-AA-AA' (8) Calling-Station-Id = '00-00-00-00-BB-BB' (8) NAS-Port-Type = Ethernet (8) NAS-Port = 50002 (8) NAS-Port-Id = 'FastEthernet0/2' (8) NAS-IP-Address = 172.23.242.165 (8) Event-Timestamp = 'Dec 12 2014 11:27:58 EST' (8) MS-CHAP-Challenge = 0xc3ecc897daed3f010d860fe7ae1331c3 (8) MS-CHAP2-Response = 0x856c2e31704e23166e02ecec68b8b34d2e400000000000000000ed732d4aae8a94fa2b2afbfdd05b5c78e9dc7b3b9dbb99b4 (8) Message-Authenticator := 0x00 (8) Proxy-State = 0x3730 (8) Received Access-Accept Id 247 from 192.168.1.103:1812 to 192.168.244.230:57020 length 256 (8) Proxy-State = 0x3730 (8) Framed-Protocol = PPP (8) Service-Type = Framed-User (8) Class = 0x3e5d044100000137000102000a02016700000000000000000000000001d006be3dc74c5b0000000000054507 (8) MS-MPPE-Recv-Key = 0x6f6da555aa52c08a69f1d40ab379f27d (8) MS-MPPE-Send-Key = 0xd848d864c43408713a143c15f3c9344c (8) MS-CHAP2-Success = 0x85533d43323141433136344334303733393138383343353235354643414645363330314630384133343839 (8) MS-CHAP-Domain = '\205MYDOMAIN' (8) MS-Link-Utilization-Threshold = 50 (8) MS-Link-Drop-Time-Limit = 120 (8) # Executing section post-proxy from file /etc/raddb/sites-enabled/default (8) post-proxy { (8) eap: Doing post-proxy callback (8) eap: Passing reply from proxy back into the tunnel server inner-tunnel { (8) eap: Passing reply back for EAP-MS-CHAP-V2 (8) # Executing section post-proxy from file /etc/raddb/sites-enabled/inner-tunnel (8) post-proxy { (8) update { (8) &outer.session-state:Proxy-State += &reply:Proxy-State -> 0x3730 (8) &outer.session-state:Framed-Protocol += &reply:Framed-Protocol -> PPP (8) &outer.session-state:Service-Type += &reply:Service-Type -> Framed-User (8) &outer.session-state:Class += &reply:Class -> 0x3e5d044100000137000102000a02016700000000000000000000000001d006be3dc (8) &outer.session-state:MS-MPPE-Recv-Key += &reply:MS-MPPE-Recv-Key -> 0x6f6da555aa52c08a69 (8) &outer.session-state:MS-MPPE-Send-Key += &reply:MS-MPPE-Send-Key -> 0xd848d864c4340871 (8) &outer.session-state:MS-CHAP2-Success += &reply:MS-CHAP2-Success -> 0x85533d433231414331363443343037333931383833433532353546434146453 (8) &outer.session-state:MS-CHAP-Domain += &reply:MS-CHAP-Domain -> '\205MYDOMAIN' (8) &outer.session-state:MS-Link-Utilization-Threshold += &reply:MS-Link-Utilization-Threshold -> 50 (8) &outer.session-state:MS-Link-Drop-Time-Limit += &reply:MS-Link-Drop-Time-Limit -> 120 (8) } # update = noop (8) eap: Doing post-proxy callback (8) eap: Passing reply from proxy back into the tunnel 2. (8) eap: Proxied authentication succeeded MSCHAP Success (8) eap: EAP session adding &reply:State = 0xd3877aa8d2016065 (8) [eap] = ok (8) } # post-proxy = ok } # server inner-tunnel (8) eap: Final reply from tunneled session code 11 (8) eap: Proxy-State = 0x3730 (8) eap: Framed-Protocol = PPP (8) eap: Service-Type = Framed-User (8) eap: Class = 0x3e5d044100000137000102000a02016700000000000000000000000001d006be3dc74c5b (8) eap: MS-CHAP-Domain = '\205MYDOMAIN' (8) eap: MS-Link-Utilization-Threshold = 50 (8) eap: MS-Link-Drop-Time-Limit = 120 (8) eap: EAP-Message = 0x018600331a0385002e533d4332314143313634433430373339313838334335323535464341464536333 (8) eap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap: State = 0xd3877aa8d20160658703aed2f073d630 (8) eap: Got reply 11 (8) eap: Got tunneled reply RADIUS code 11 (8) eap: Proxy-State = 0x3730 (8) eap: Framed-Protocol = PPP (8) eap: Service-Type = Framed-User (8) eap: Class = 0x3e5d044100000137000102000a02016700000000000000000000000001d006be3dc74c5b (8) eap: MS-CHAP-Domain = '\205MYDOMAIN' (8) eap: MS-Link-Utilization-Threshold = 50 (8) eap: MS-Link-Drop-Time-Limit = 120 (8) eap: EAP-Message = 0x018600331a0385002e533d4332314143313634433430373339313838334335323535464341464536 (8) eap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap: State = 0xd3877aa8d20160658703aed2f073d630 (8) eap: Got tunneled Access-Challenge (8) eap: Reply was handled (8) eap: EAP session adding &reply:State = 0x0fd7c6d30751dfc3 (8) [eap] = ok (8) } # post-proxy = ok (8) Sent Access-Challenge Id 70 from 192.168.244.230:1812 to 172.23.242.165:1645 length 149 (8) EAP-Message = 0x0186005b19001703010050d842dac4be474e61feb49b428f0dc15cb5b2dea5ae2a1d770b9905700a90190eb47cb97044cfadb837fc0e4cccfa20ac359de5e222fed03aa7a55e7e283d600dbe28cd55d6d9cde6cc552d7a571665b4 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x0fd7c6d30751dfc3c063e5767e205a4d (8) Finished request Waking up in 0.2 seconds. Waking up in 3.3 seconds. (9) Received Access-Request Id 71 from 172.23.242.165:1645 to 192.168.244.230:1812 length 260 (9) User-Name = 'anon1337' (9) Service-Type = Framed-User (9) Framed-IP-Address = 192.168.243.38 (9) Framed-MTU = 1500 (9) Called-Station-Id = '00-00-00-00-AA-AA' (9) Calling-Station-Id = '00-00-00-00-BB-BB' (9) EAP-Message = 0x0286005019001703010020942518f712e6644f26f85fbfe31548d38134a0beeddd00eda1355955a6524eba17030100201e10596c0804a765b2a43e3d627d6c0c87a8d524dd6e100d373d45e0a172046f (9) Message-Authenticator = 0x5cf80e7b5e5a27c09ad086ac15db2aac (9) NAS-Port-Type = Ethernet (9) NAS-Port = 50002 (9) NAS-Port-Id = 'FastEthernet0/2' (9) Called-Station-Id = '00-00-00-00-AA-AA' (9) State = 0x0fd7c6d30751dfc3c063e5767e205a4d (9) NAS-IP-Address = 172.23.242.165 (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) [preprocess] = ok (9) ntdomain: Checking for prefix before "\" (9) ntdomain: No '\' in User-Name = "anon1337", looking up realm NULL (9) ntdomain: No such realm "NULL" (9) [ntdomain] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "anon1337", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent code Response (2) ID 134 length 80 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0xd3877aa8d2016065 (9) eap: Finished EAP session with state 0x0fd7c6d30751dfc3 (9) eap: Previous EAP request found for state 0x0fd7c6d30751dfc3, released from the list (9) eap: Peer sent method PEAP (25) (9) eap: EAP PEAP (25) (9) eap: Calling eap_peap to process EAP data (9) eap_peap: processing EAP-TLS (9) eap_peap: eaptls_verify returned 7 (9) eap_peap: Done initial handshake (9) eap_peap: eaptls_process returned 7 (9) eap_peap: FR_TLS_OK (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state phase2 (9) eap_peap: EAP type MSCHAPv2 (26) (9) eap_peap: Got tunneled request (9) eap_peap: EAP-Message = 0x028600061a03 (9) eap_peap: Setting User-Name to mydomain\user000 (9) eap_peap: Sending tunneled request to inner-tunnel (9) eap_peap: EAP-Message = 0x028600061a03 (9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (9) eap_peap: User-Name = 'mydomain\user000' (9) eap_peap: State = 0xd3877aa8d20160658703aed2f073d630 (9) eap_peap: Service-Type = Framed-User (9) eap_peap: Framed-IP-Address = 192.168.243.38 (9) eap_peap: Framed-MTU = 1500 (9) eap_peap: Called-Station-Id = '00-00-00-00-AA-AA' (9) eap_peap: Called-Station-Id = '00-00-00-00-AA-AA' (9) eap_peap: Calling-Station-Id = '00-00-00-00-BB-BB' (9) eap_peap: NAS-Port-Type = Ethernet (9) eap_peap: NAS-Port = 50002 (9) eap_peap: NAS-Port-Id = 'FastEthernet0/2' (9) eap_peap: NAS-IP-Address = 172.23.242.165 (9) eap_peap: Event-Timestamp = 'Dec 12 2014 11:27:59 EST' (9) Virtual server received request (9) EAP-Message = 0x028600061a03 (9) FreeRADIUS-Proxied-To = 127.0.0.1 (9) User-Name = 'mydomain\user000' (9) State = 0xd3877aa8d20160658703aed2f073d630 (9) Service-Type = Framed-User (9) Framed-IP-Address = 192.168.243.38 (9) Framed-MTU = 1500 (9) Called-Station-Id = '00-00-00-00-AA-AA' (9) Called-Station-Id = '00-00-00-00-AA-AA' (9) Calling-Station-Id = '00-00-00-00-BB-BB' (9) NAS-Port-Type = Ethernet (9) NAS-Port = 50002 (9) NAS-Port-Id = 'FastEthernet0/2' (9) NAS-IP-Address = 172.23.242.165 (9) Event-Timestamp = 'Dec 12 2014 11:27:59 EST' (9) server inner-tunnel { (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) ntdomain: Checking for prefix before "\" (9) ntdomain: Looking up realm "mydomain" for User-Name = "mydomain\user000" (9) ntdomain: Found realm "mydomain" (9) ntdomain: Adding Realm = "mydomain" (9) ntdomain: Proxying request from user mydomain\user000 to realm mydomain (9) ntdomain: Preparing to proxy authentication request to realm "mydomain" (9) [ntdomain] = updated (9) suffix: Request already has destination realm set. Ignoring (9) [suffix] = noop (9) eap: Request is supposed to be proxied to Realm mydomain. Not doing EAP. (9) [eap] = noop (9) [expiration] = noop (9) [logintime] = noop (9) [pap] = noop (9) } # authorize = updated (9) } # server inner-tunnel (9) Virtual server sending reply (9) eap_peap: Got tunneled reply code 0 (9) eap_peap: Calling authenticate in order to initiate tunneled EAP session (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap: Expiring EAP session with state 0xd3877aa8d2016065 (9) eap: Finished EAP session with state 0xd3877aa8d2016065 (9) eap: Previous EAP request found for state 0xd3877aa8d2016065, released from the list (9) eap: Peer sent method MSCHAPv2 (26) (9) eap: EAP MSCHAPv2 (26) (9) eap: Calling eap_mschapv2 to process EAP data (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) eap_peap: Got tunneled reply RADIUS code 2 (9) eap_peap: MS-MPPE-Send-Key = 0xd848d864c43408713a143c15f3c9344c (9) eap_peap: MS-MPPE-Recv-Key = 0x6f6da555aa52c08a69f1d40ab379f27d (9) eap_peap: Proxy-State = 0x3730 (9) eap_peap: Framed-Protocol = PPP (9) eap_peap: Service-Type = Framed-User (9) eap_peap: Class = 0x3e5d044100000137000102000a02016700000000000000000000000001d006be3dc74c 5b0000000000054507 (9) eap_peap: MS-CHAP-Domain = '\205MYDOMAIN' (9) eap_peap: MS-Link-Utilization-Threshold = 50 (9) eap_peap: MS-Link-Drop-Time-Limit = 120 (9) eap_peap: EAP-Message = 0x03860004 (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap: User-Name = 'mydomain\user000' (9) eap_peap: Tunneled authentication was successful (9) eap_peap: SUCCESS (9) eap: EAP session adding &reply:State = 0x0fd7c6d30650dfc3 (9) [eap] = handled (9) } # authenticate = handled (9) Sent Access-Challenge Id 71 from 192.168.244.230:1812 to 172.23.242.165:1645 length 101 (9) EAP-Message = 0x0187002b19001703010020b3abef85cebb3db0803d642e026b9f7004abecc69886888bb234 ec4bb9f1dfbf (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0x0fd7c6d30650dfc3c063e5767e205a4d (9) Finished request Waking up in 0.3 seconds. (10) Received Access-Request Id 72 from 172.23.242.165:1645 to 192.168.244.230:1812 length 260 (10) User-Name = 'anon1337' (10) Service-Type = Framed-User (10) Framed-IP-Address = 192.168.243.38 (10) Framed-MTU = 1500 (10) Called-Station-Id = '00-00-00-00-AA-AA' (10) Calling-Station-Id = '00-00-00-00-BB-BB' (10) EAP-Message = 0x028700501900170301002027b611569c3ac21656ebff7c931c6330b260d9c7685df6afe4d 631e191ef65641703010020277137daef7aa622436b04c068134830a1cf8c671d81b6c743bea4f440ebd25d (10) Message-Authenticator = 0xcae72c0f0b1bf4edc223132d46c7f042 (10) NAS-Port-Type = Ethernet (10) NAS-Port = 50002 (10) NAS-Port-Id = 'FastEthernet0/2' (10) Called-Station-Id = '00-00-00-00-AA-AA' (10) State = 0x0fd7c6d30650dfc3c063e5767e205a4d (10) NAS-IP-Address = 172.23.242.165 (10) session-state: No cached attributes (10) # Executing section authorize from file /etc/raddb/sites-enabled/default (10) authorize { (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "anon1337", looking up realm NULL (10) suffix: No such realm "NULL" (10) [suffix] = noop (10) eap: Peer sent code Response (2) ID 135 length 80 (10) eap: Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = EAP (10) # Executing group from file /etc/raddb/sites-enabled/default (10) authenticate { (10) eap: Expiring EAP session with state 0x0fd7c6d30650dfc3 (10) eap: Finished EAP session with state 0x0fd7c6d30650dfc3 (10) eap: Previous EAP request found for state 0x0fd7c6d30650dfc3, released from the list (10) eap: Peer sent method PEAP (25) (10) eap: EAP PEAP (25) (10) eap: Calling eap_peap to process EAP data (10) eap_peap: processing EAP-TLS (10) eap_peap: eaptls_verify returned 7 (10) eap_peap: Done initial handshake (10) eap_peap: eaptls_process returned 7 (10) eap_peap: FR_TLS_OK (10) eap_peap: Session established. Decoding tunneled attributes (10) eap_peap: PEAP state send tlv success (10) eap_peap: Received EAP-TLV response (10) eap_peap: Success (10) eap_peap: No information to cache: session caching will be disabled for session 7f3018ef052 364931aa2fc8b559a5cac5f8c7f4d7c81fa96d7848f7fa3ac77b3 SSL: Removing session 7f3018ef052364931aa2fc8b559a5cac5f8c7f4d7c81fa96d7848f7fa3ac77b3 from th e cache (10) eap: Freeing handler (10) [eap] = ok (10) } # authenticate = ok (10) # Executing section post-auth from file /etc/raddb/sites-enabled/default (10) post-auth { (10) update { (10) No attributes updated (10) } # update = noop (10) [exec] = noop (10) policy remove_reply_message_if_eap { (10) if (&reply:EAP-Message && &reply:Reply-Message) { (10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (10) else { (10) [noop] = noop (10) } # else = noop (10) } # policy remove_reply_message_if_eap = noop (10) } # post-auth = noop (10) Sent Access-Accept Id 72 from 192.168.244.230:1812 to 172.23.242.165:1645 length 170 (10) MS-MPPE-Recv-Key = 0xffe49f5506d33369f1e22b38cd618e47ef03fbc24 (10) MS-MPPE-Send-Key = 0xefc13185a69d26a600f7da511b76ef00c6d5d6ac5 (10) EAP-Message = 0x03870004 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) User-Name = 'anon1337' (10) Finished request
On Dec 12, 2014, at 12:23 PM, Chris Arg <grkcharge@gmail.com> wrote:
Quick overview of what I think/see is happening. I'm sure it's wrong so please correct me.
Packet 8 comes in. Post-Proxy is run and the update to outer.session-state happens. Access-Challenge is sent and the state is cached. Packet 9 comes in. It's an Access-Request packet which triggers the previously cached information to be retrieved. This packet only gets to the authenticate section before a new Access-Challenge is sent causing the current state to be cached. Packet 10 comes in. It's an Access-Request which retrieves the previous state information. Post-Auth in sites-enabled/default is ran which executes update for &reply: += &session-state:. This results in a No attributes updated because the previous state didn't have any.
No. The “session-state” attributes are tracked across multiple packets. They are NOT tied to a particular “State” attribute. Please read the comments about “session-state” in the configuration files. If there are no attributes cached in the “session-state” list, then there may be a bug in the code. The debug output looks suspicious. It runs the inner-tunnel EAP method, and then *nothing* else before it sends the Access-Challenge. I’ll take a look. I don’t have time to reproduce this test now. But the session-state code was tested to work... Alan DeKok.
Thanks Alan. Should I turn this into a ticket on github? On Fri, Dec 12, 2014 at 12:59 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 12, 2014, at 12:23 PM, Chris Arg <grkcharge@gmail.com> wrote:
Quick overview of what I think/see is happening. I'm sure it's wrong so please correct me.
Packet 8 comes in. Post-Proxy is run and the update to outer.session-state happens. Access-Challenge is sent and the state is cached. Packet 9 comes in. It's an Access-Request packet which triggers the previously cached information to be retrieved. This packet only gets to the authenticate section before a new Access-Challenge is sent causing the current state to be cached. Packet 10 comes in. It's an Access-Request which retrieves the previous state information. Post-Auth in sites-enabled/default is ran which executes update for &reply: += &session-state:. This results in a No attributes updated because the previous state didn't have any.
No. The “session-state” attributes are tracked across multiple packets. They are NOT tied to a particular “State” attribute.
Please read the comments about “session-state” in the configuration files.
If there are no attributes cached in the “session-state” list, then there may be a bug in the code.
The debug output looks suspicious. It runs the inner-tunnel EAP method, and then *nothing* else before it sends the Access-Challenge.
I’ll take a look. I don’t have time to reproduce this test now. But the session-state code was tested to work...
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Chris Arg