Retrieve 'Aruba-Location-Id' from RAD_REQUEST
Hello, I am trying to retrieve 'Aruba-Location-Id' from RAD_REQUEST forwarded from Aruba wireless controllers. From radiusd -X output, I can see 'Aruba-Location-Id' contains wireless AP id value. But when I call it from rlm_perl using $RAD_REQUEST{'Aruba-Location-Id'}, I got blank result. The 'Aruba-Location-Id' is in share/dictionary.aruba: ATTRIBUTE Aruba-Location-Id 6 string I would appreciate it if someone can point me what I did wrong and how to correct it. Here is a copy from radiusd -X: rad_recv: Access-Request packet from host 128.186.xxx.xxx port 32795, id=184, length=214 User-Name = "xxxxxxx" NAS-IP-Address = 128.186.xxx.xxx NAS-Port = 0 NAS-Identifier = "128.186.xxx.xxx" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "8C5557290002" Called-Station-Id = "000B860D1980" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0201000f016d65678456c65747469 Aruba-Essid-Name = "FSUSecure" Aruba-Location-Id = "wg-a105-HRM.acf.fsu.edu" Aruba-Attr-10 = 0x416c753e544233453656e746572 Message-Authenticator = 0x1509982900acc34524353fc32fa Thanks, Yu Wang Network Architect, FSU
Hi,
I am trying to retrieve 'Aruba-Location-Id' from RAD_REQUEST forwarded from Aruba wireless controllers. From radiusd -X output, I can see `Aruba-Location-Id' contains wireless AP id value. But when I call it from rlm_perl using $RAD_REQUEST{'Aruba-Location-Id'}, I got blank result. The `Aruba-Location-Id' is in share/dictionary.aruba:
copy of your PERL and/or radiusd -X output please alan
Alan, Here is the perl_dot1x.pl (a modified version of rlm_perl script). ============================start of perl_dot1x.pl================================= use strict; use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK); use vars qw($hash_chksum_username $chksum_username @rad_array); use vars qw($ldap $mesg); use Data::Dumper; my %emp_map = ( 0 => 'employee1a', 1 => 'employee2a', 2 => 'employee3a', 3 => 'employee4a', 4 => 'employee1b', 5 => 'employee2b', 6 => 'employee3b', 7 => 'employee4b'); sub authorize { $chksum_username = unpack("%32C*", $RAD_REQUEST{'Stripped-User-Name'}); if (!$RAD_REPLY{'My-Local-employeeStatus'}) { $RAD_REPLY{'Service-Type'} = "Framed-User"; $RAD_REPLY{'Tunnel-Type'} = "VLAN"; $RAD_REPLY{'Tunnel-Medium-Type'} = "IEEE-802"; if (($chksum_username % $svlanum + 1) eq $svlanum) { $RAD_REPLY{'Tunnel-Private-Group-Id'} = "student".$svlanum; } else { $RAD_REPLY{'Tunnel-Private-Group-Id'} = "student0".($chksum_username % $svlanum + 1); } } else { $RAD_REPLY{'Service-Type'} = "Framed-User"; $RAD_REPLY{'Tunnel-Type'} = "VLAN"; $RAD_REPLY{'Tunnel-Medium-Type'} = "IEEE-802"; $RAD_REPLY{'Tunnel-Private-Group-Id'} = $emp_map{$chksum_username % $fvlanum}; } # this if clause does not work as $ RAD_REQUEST{'Aruba-Location-Id'} is empty if ($RAD_REQUEST{'Aruba-Location-Id'}) { &radiusd::radlog(3, "User $RAD_REQUEST{'Stripped-User-Name'} connected from $RAD_REQUEST{'Aruba-Location-Id'}."); } # this one works &radiusd::radlog(3, "Assign $RAD_REQUEST{'Stripped-User-Name'} to VLAN $RAD_REPLY{'Tunnel-Private-Group-Id'}."); return RLM_MODULE_UPDATED; return RLM_MODULE_OK; } sub authenticate { if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) { $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function"; return RLM_MODULE_REJECT; } else { $RAD_REPLY{'h323-credit-amount'} = "100"; return RLM_MODULE_OK; } } sub preacct { return RLM_MODULE_OK; } sub accounting { return RLM_MODULE_OK; } sub checksimul { return RLM_MODULE_OK; } sub pre_proxy { return RLM_MODULE_OK; } sub post_proxy { return RLM_MODULE_OK; } sub post_auth { return RLM_MODULE_OK; } sub xlat { my ($filename,$a,$b,$c,$d) = @_; &radiusd::radlog(1, "From xlat $filename "); &radiusd::radlog(1,"From xlat $a $b $c $d "); local *FH; open FH, $filename or die "open '$filename' $!"; local($/) = undef; my $sub = <FH>; close FH; my $eval = qq{ sub handler{ $sub;} }; eval $eval; eval {main->handler;}; } sub detach { &radiusd::radlog(0,"rlm_perl::Detaching. Reloading. Done."); } sub test_call { } sub log_request_attributes { for (keys %RAD_REQUEST) { &radiusd::radlog(1, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}"); } } ================================end of perl_dot1x.pl============================= ===================radiusd -X output for rad_recv=================================== Going to the next request Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 128.186. port 32795, id=59, length=383 User-Name = "xxxxxxxx" NAS-IP-Address = 128.186. NAS-Port = 0 NAS-Identifier = "128.186. " NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "8C5877297602" Called-Station-Id = "000B860E2A80" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020200a619800000009c160301009701000093030151769f8025463951e084018c78c6be8732c306bd55ca10a736528363776bf21c00005800ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c004c005c002c003c00ec00fc00cc00d003d003c002f000500040035000a0067006b00356345006c010c001c00b003b0002000101000012000a00080006001700180019000b00020100 State = 0xb82a743fb8286d6c4916635ce42c5399 Aruba-Essid-Name = "FSUSecure" Aruba-Location-Id = "wg-a105-HRM.acf.fsu.edu" <<<<<<<<-------- this is the one I'd like to retrieve and log it so when a user has issue, we know what AP s/he was associated to. Aruba-Attr-10 = 0x416c756d6e69345356e746572 Message-Authenticator = 0xf5a21c47bfsb78e7ce49265d3d48 server virtual.dot1x_1814 { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "xxxxxxxxx", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "xxxxxxxxxx" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 2 length 166 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814 +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 156 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0097], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0fb2], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled } # server virtual.dot1x_1814 Sending Access-Challenge of id 59 to 128.186.255.233 port 32795 EAP-Message = 0x0103040019c000000ff616030100310200002d030151769f818a45e612009f54955625fa7a80cbff2f7dbbd743d32a1940f105f3e200002f000005ff010001001603010fb20b000fae000fab0006233082061f30820507a0030201020210604c7ee9b4674748c62fe837fc2d7dcc300d06092a864886f70d0101050500308189310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312f302d06035504031326434f4d4f444f20486967682d4173737572616e63652053656375 EAP-Message = 0x726520536572766572204341301e170d3132313031313030303030305a170d3134313031313233353935395a3082011e310b3009060355040613025553310e300c0603550411130533323330363110300e06035504081307466c6f72696461311430120603550407130b54616c6c616861737365653121301f06035504091318466c6f7269646120537461746520556e6976657273697479312830260603550409131f363130304320556e69766572736974792043656e746572204d5320323632303121301f060355040a1318466c6f7269646120537461746520556e6976657273697479310c300a060355040b1303495453312b3029060355040b13 EAP-Message = 0x22486f7374656420627920466c6f7269646120537461746520556e69766572736974793110300e060355040b13075347432053534c311a30180603550403131161757468312e6974732e6673752e65647530820122300d06092a864886f70d01010105000382010f003082010a0282010100def16c15b51db6988481f489723015ca7a154ec60ff437b9eb6bed2114d2a92e565bc514c959248ba228dcf848b7408a1886e347a61341a35dea7636780318c4ecd7193ce99fab03ee43f6c3690f2b0d6ed32d12ad107ec7f8cce94d98493f61f3222228093121274b860013aa6b0c8d747255dd1ac5f6cd76384eb83408e1b1d37e5402a2404fceb659bc EAP-Message = 0x5f9eecb6ce9fc0691a304a0c83ea3bf0c09b63ba35ee5cbcec8817efe1cc336b00b586dd55ea8bfd47dd439bd10d56e76355d8bb1fcdf10b7be72f31b71580d0f45c17efdf41986b4316e4b5d51088900b28557a7769029505064e69367444be1bc6d956cb486d614208ae2a3059adab98b83e53910203010001a38201e9308201e5301f0603551d230418301680143fd5b5d0d64479504a17a39b8c4adcb8b022646b301d0603551d0e0416041420ec8ec2141bcef0e48cc94a036da908fb3b9912300e0603551d0f0101ff0404030205a0300c0603551d130101ff0402300030340603551d25042d302b06082b0601050507030106082b0601050507 EAP-Message = 0x0302060a2b0601040182370a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb82a743fb9296d6c4916635ce42c5399 Finished request 5. Going to the next request Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 128.186 port 32794, id=248, length=204 User-Name = "yyyyyyyyyyyy" NAS-IP-Address = 128.186. NAS-Port = 0 NAS-Identifier = "128.186. " NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "20C9D0E93581" Called-Station-Id = "000B8611D5C0" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0201000b016a6a77313066 Aruba-Essid-Name = "FSUSecure" Aruba-Location-Id = "Wg-a125-Rm.law.fsu.edu" <<<<<<<<-------- this is the one I'd like to retrieve and log it. Aruba-Attr-10 = 0x4c61772d5363686f6f6c Message-Authenticator = 0x19062b2793784f2c83144cb1514e858 server virtual.dot1x_1814 { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "yyyyyyyyyy", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "yyyyyyyyyy" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 1 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 8 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814 +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled } # server virtual.dot1x_1814 Sending Access-Challenge of id 248 to 128.186.255.231 port 32794 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x370e1a38370c03508cd2263659f4660a Finished request 6. Going to the next request Waking up in 1.9 seconds. ===================end of radiusd -X============================================= Please let me know if above contains information you would like to see. Thanks, Yu Wang -----Original Message----- From: freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org [mailto:freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Thursday, April 25, 2013 12:51 PM To: FreeRadius users mailing list Subject: Re: Retrieve 'Aruba-Location-Id' from RAD_REQUEST Hi,
I am trying to retrieve 'Aruba-Location-Id' from RAD_REQUEST forwarded from Aruba wireless controllers. From radiusd -X output, I can see `Aruba-Location-Id' contains wireless AP id value. But when I call it from rlm_perl using $RAD_REQUEST{'Aruba-Location-Id'}, I got blank result. The `Aruba-Location-Id' is in share/dictionary.aruba:
copy of your PERL and/or radiusd -X output please alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi, tired eyes so might have missed something obvious...but can you add the following into your authorise subroutine at the top &log_request_attributes; and ensure you have the following at the bottom sub log_request_attributes { for (keys %RAD_REQUEST) { &radiusd::radlog(L_DBG, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}"); } } ..then run FR is debug mode again and see what comes out. cheers alan
Hi, Alan, Thanks for the suggestion. I added "&log_request_attributes;" in authorize function and it already has sub log_request_attributes in the perl script. When run FR in debug mode, the Aruba-Location-ID does present but when I call $ RAD_REQUEST{'Aruba-Location-Id'} from rlm_perl, it came up empty. Any more suggestions? Thanks again. Yu Wang -----Original Message----- From: freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org [mailto:freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Thursday, April 25, 2013 5:44 PM To: FreeRadius users mailing list Subject: Re: Retrieve 'Aruba-Location-Id' from RAD_REQUEST hi, tired eyes so might have missed something obvious...but can you add the following into your authorise subroutine at the top &log_request_attributes; and ensure you have the following at the bottom sub log_request_attributes { for (keys %RAD_REQUEST) { &radiusd::radlog(L_DBG, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}"); } } ..then run FR is debug mode again and see what comes out. cheers alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Be nice to hear true solution to this as the same thing happens to me for the nas-ip-address attribute A On 26 Apr 2013, at 15:41, "Wang, Yu" <ywang10@fsu.edu> wrote:
Hi, Alan,
Thanks for the suggestion. I added "&log_request_attributes;" in authorize function and it already has sub log_request_attributes in the perl script. When run FR in debug mode, the Aruba-Location-ID does present but when I call $ RAD_REQUEST{'Aruba-Location-Id'} from rlm_perl, it came up empty.
Any more suggestions? Thanks again.
Yu Wang
-----Original Message----- From: freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org [mailto:freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Thursday, April 25, 2013 5:44 PM To: FreeRadius users mailing list Subject: Re: Retrieve 'Aruba-Location-Id' from RAD_REQUEST
hi,
tired eyes so might have missed something obvious...but can you add the following into your authorise subroutine at the top
&log_request_attributes;
and ensure you have the following at the bottom
sub log_request_attributes { for (keys %RAD_REQUEST) { &radiusd::radlog(L_DBG, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}"); } }
..then run FR is debug mode again and see what comes out.
cheers
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Thanks for the suggestion. I added "&log_request_attributes;" in authorize function and it already has sub log_request_attributes in the perl script. When run FR in debug mode, the Aruba-Location-ID does present but when I call $ RAD_REQUEST{'Aruba-Location-Id'} from rlm_perl, it came up empty.
logs? alan
Hi,
Thanks for the suggestion. I added "&log_request_attributes;" in authorize function and it already has sub log_request_attributes in the perl script. When run FR in debug mode, the Aruba-Location-ID does present but when I call $ RAD_REQUEST{'Aruba-Location-Id'} from rlm_perl, it came up empty.
and logs (radiusd -X) from this too. :-) alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alex Sharaz -
Wang, Yu