OpenLDAP Group membership to Filter-ID
Hello- I would like to make it so that the users in: ou=corp,ou=Users,dc=team,dc=company,dc=com Get mapped a Filter-ID of corp and the users in: ou=dev,ou=Users,dc=team,dc=company,dc=com Get mapped a Filter-ID of dev. I can then apply firewall rules to give them access to certain resources and not others. This will also make it so that if they access the wrong network they should not have the proper access without the correct group membership. In inner-tunnel I have: authorize { if ( Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=affirm,dc=com/ ) { update control { Tmp-String-1 := "corp" } } if ( Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=affirm,dc=com/ ) { update control { Tmp-String-1 := "dev" } } post-auth { update reply { Filter-Id := "%{control:Tmp-String-1}” } I can see in the log that its not matching which means I am not matching correctly. It ends up passing the Filter-ID which is blank. So I know the post auth section is working correctly. Here is the relevant log info: Tue Aug 12 22:50:47 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel Tue Aug 12 22:50:47 2014 : Info: +- entering group authorize {...} Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) Tue Aug 12 22:50:47 2014 : Debug: [ldap] Entering ldap_groupcmp() Tue Aug 12 22:50:47 2014 : Info: expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Tue Aug 12 22:50:47 2014 : Info: expand: %{Stripped-User-Name} -> Tue Aug 12 22:50:47 2014 : Info: ... expanding second conditional Tue Aug 12 22:50:47 2014 : Info: expand: %{User-Name} -> joeuser Tue Aug 12 22:50:47 2014 : Info: expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=corp,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] object not found Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=corp,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. Tue Aug 12 22:50:47 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) Tue Aug 12 22:50:47 2014 : Debug: [ldap] Entering ldap_groupcmp() Tue Aug 12 22:50:47 2014 : Info: expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Tue Aug 12 22:50:47 2014 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=dev,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] object not found Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=dev,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. Tue Aug 12 22:50:47 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++[chap] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[mschap] returns noop Tue Aug 12 22:50:47 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Tue Aug 12 22:50:47 2014 : Info: [suffix] No such realm "NULL" Tue Aug 12 22:50:47 2014 : Info: ++[suffix] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[control] returns noop Tue Aug 12 22:50:47 2014 : Info: [eap] No EAP-Message, not doing EAP Tue Aug 12 22:50:47 2014 : Info: ++[eap] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[files] returns noop Tue Aug 12 22:50:47 2014 : Info: [ldap] performing user authorization for joeuser Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: %{Stripped-User-Name} -> Tue Aug 12 22:50:47 2014 : Info: [ldap] ... expanding second conditional Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: %{User-Name} -> joeuser Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Tue Aug 12 22:50:47 2014 : Info: [ldap] No default NMAS login sequence Tue Aug 12 22:50:47 2014 : Info: [ldap] looking for check items in directory... Tue Aug 12 22:50:47 2014 : Debug: [ldap] userPassword -> Password-With-Header == "{MD5}hashreplaced" Tue Aug 12 22:50:47 2014 : Info: [ldap] looking for reply items in directory... Tue Aug 12 22:50:47 2014 : Info: [ldap] user joeuser authorized to use remote access Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Info: ++[ldap] returns ok Tue Aug 12 22:50:47 2014 : Info: ++[expiration] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[logintime] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[pap] returns updated Tue Aug 12 22:50:47 2014 : Info: Found Auth-Type = PAP Tue Aug 12 22:50:47 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel Tue Aug 12 22:50:47 2014 : Info: +- entering group PAP {...} Tue Aug 12 22:50:47 2014 : Info: [pap] login attempt with password "password" Tue Aug 12 22:50:47 2014 : Info: [pap] Using MD5 encryption. Tue Aug 12 22:50:47 2014 : Info: [pap] Normalizing MD5-Password from base64 encoding Tue Aug 12 22:50:47 2014 : Info: [pap] User authenticated successfully Tue Aug 12 22:50:47 2014 : Info: ++[pap] returns ok Tue Aug 12 22:50:47 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel Tue Aug 12 22:50:47 2014 : Info: +- entering group post-auth {...} Tue Aug 12 22:50:47 2014 : Info: expand: %{control:Tmp-String-1} -> Tue Aug 12 22:50:47 2014 : Info: ++[reply] returns noop } # server inner-tunnel Tue Aug 12 22:50:47 2014 : Info: [ttls] Got tunneled reply code 2 Filter-Id = "" Tue Aug 12 22:50:47 2014 : Info: [ttls] Got tunneled Access-Accept Tue Aug 12 22:50:47 2014 : Info: [eap] Freeing handler Tue Aug 12 22:50:47 2014 : Info: ++[eap] returns ok Tue Aug 12 22:50:47 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/default Tue Aug 12 22:50:47 2014 : Info: +- entering group post-auth {...} Tue Aug 12 22:50:47 2014 : Info: ++[exec] returns noop Sending Access-Accept of id 16 to xxx.xxx.xxx.xxx port 32768 Filter-Id = "" MS-MPPE-Recv-Key = 0x85725d86e7ab1448510e48ba9b900cd3cbf3d7436f36f9b391dab4d35b3d69b1 MS-MPPE-Send-Key = 0x191e9e59df4f7108ac1542e48434330db030957911f7a3fb75ae40456057bf1f EAP-Message = 0x03050004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "joeuser" Tue Aug 12 22:50:47 2014 : Info: Finished request 9. Thank you for the help. I appreciate it. BTW if this does’t make sense I can provide more details as to what I am trying to do. I figured I would spare that unless needed. Thanks, Alex
According to the LDAP search, the user is not part of either the Corp or the Dev OUs. Which one of the two is 'joeuser' part of? What happens when you try using ldapsearch to search for 'joeuser' in your AD? Stefan -----Original Message----- From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of Alex Gregory Sent: 13 August 2014 00:32 To: FreeRadius users mailing list Subject: OpenLDAP Group membership to Filter-ID Hello- I would like to make it so that the users in: ou=corp,ou=Users,dc=team,dc=company,dc=com Get mapped a Filter-ID of corp and the users in: ou=dev,ou=Users,dc=team,dc=company,dc=com Get mapped a Filter-ID of dev. I can then apply firewall rules to give them access to certain resources and not others. This will also make it so that if they access the wrong network they should not have the proper access without the correct group membership. In inner-tunnel I have: authorize { if ( Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=affirm,dc=com/ ) { update control { Tmp-String-1 := "corp" } } if ( Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=affirm,dc=com/ ) { update control { Tmp-String-1 := "dev" } } post-auth { update reply { Filter-Id := "%{control:Tmp-String-1}" } I can see in the log that its not matching which means I am not matching correctly. It ends up passing the Filter-ID which is blank. So I know the post auth section is working correctly. Here is the relevant log info: Tue Aug 12 22:50:47 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel Tue Aug 12 22:50:47 2014 : Info: +- entering group authorize {...} Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) Tue Aug 12 22:50:47 2014 : Debug: [ldap] Entering ldap_groupcmp() Tue Aug 12 22:50:47 2014 : Info: expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Tue Aug 12 22:50:47 2014 : Info: expand: %{Stripped-User-Name} -> Tue Aug 12 22:50:47 2014 : Info: ... expanding second conditional Tue Aug 12 22:50:47 2014 : Info: expand: %{User-Name} -> joeuser Tue Aug 12 22:50:47 2014 : Info: expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=corp,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] object not found Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=corp,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. Tue Aug 12 22:50:47 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) Tue Aug 12 22:50:47 2014 : Debug: [ldap] Entering ldap_groupcmp() Tue Aug 12 22:50:47 2014 : Info: expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Tue Aug 12 22:50:47 2014 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=dev,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] object not found Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=dev,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. Tue Aug 12 22:50:47 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++[chap] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[mschap] returns noop Tue Aug 12 22:50:47 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Tue Aug 12 22:50:47 2014 : Info: [suffix] No such realm "NULL" Tue Aug 12 22:50:47 2014 : Info: ++[suffix] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[control] returns noop Tue Aug 12 22:50:47 2014 : Info: [eap] No EAP-Message, not doing EAP Tue Aug 12 22:50:47 2014 : Info: ++[eap] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[files] returns noop Tue Aug 12 22:50:47 2014 : Info: [ldap] performing user authorization for joeuser Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: %{Stripped-User-Name} -> Tue Aug 12 22:50:47 2014 : Info: [ldap] ... expanding second conditional Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: %{User-Name} -> joeuser Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Tue Aug 12 22:50:47 2014 : Info: [ldap] No default NMAS login sequence Tue Aug 12 22:50:47 2014 : Info: [ldap] looking for check items in directory... Tue Aug 12 22:50:47 2014 : Debug: [ldap] userPassword -> Password-With-Header == "{MD5}hashreplaced" Tue Aug 12 22:50:47 2014 : Info: [ldap] looking for reply items in directory... Tue Aug 12 22:50:47 2014 : Info: [ldap] user joeuser authorized to use remote access Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Info: ++[ldap] returns ok Tue Aug 12 22:50:47 2014 : Info: ++[expiration] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[logintime] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[pap] returns updated Tue Aug 12 22:50:47 2014 : Info: Found Auth-Type = PAP Tue Aug 12 22:50:47 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel Tue Aug 12 22:50:47 2014 : Info: +- entering group PAP {...} Tue Aug 12 22:50:47 2014 : Info: [pap] login attempt with password "password" Tue Aug 12 22:50:47 2014 : Info: [pap] Using MD5 encryption. Tue Aug 12 22:50:47 2014 : Info: [pap] Normalizing MD5-Password from base64 encoding Tue Aug 12 22:50:47 2014 : Info: [pap] User authenticated successfully Tue Aug 12 22:50:47 2014 : Info: ++[pap] returns ok Tue Aug 12 22:50:47 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel Tue Aug 12 22:50:47 2014 : Info: +- entering group post-auth {...} Tue Aug 12 22:50:47 2014 : Info: expand: %{control:Tmp-String-1} -> Tue Aug 12 22:50:47 2014 : Info: ++[reply] returns noop } # server inner-tunnel Tue Aug 12 22:50:47 2014 : Info: [ttls] Got tunneled reply code 2 Filter-Id = "" Tue Aug 12 22:50:47 2014 : Info: [ttls] Got tunneled Access-Accept Tue Aug 12 22:50:47 2014 : Info: [eap] Freeing handler Tue Aug 12 22:50:47 2014 : Info: ++[eap] returns ok Tue Aug 12 22:50:47 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/default Tue Aug 12 22:50:47 2014 : Info: +- entering group post-auth {...} Tue Aug 12 22:50:47 2014 : Info: ++[exec] returns noop Sending Access-Accept of id 16 to xxx.xxx.xxx.xxx port 32768 Filter-Id = "" MS-MPPE-Recv-Key = 0x85725d86e7ab1448510e48ba9b900cd3cbf3d7436f36f9b391dab4d35b3d69b1 MS-MPPE-Send-Key = 0x191e9e59df4f7108ac1542e48434330db030957911f7a3fb75ae40456057bf1f EAP-Message = 0x03050004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "joeuser" Tue Aug 12 22:50:47 2014 : Info: Finished request 9. Thank you for the help. I appreciate it. BTW if this does't make sense I can provide more details as to what I am trying to do. I figured I would spare that unless needed. Thanks, Alex - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
Joe User is a part of Corp (which is under Users - could nesting be the problem?): root@openldap ~# ldapsearch -x -h localhost -p 389 -b "ou=Users,dc=team,dc=company,dc=com" -s sub "cn=joe user" # extended LDIF # # LDAPv3 # base <ou=Users,dc=team,dc=company,dc=com> with scope subtree # filter: cn=joe user # requesting: ALL # # Joe User, corp, Users, team.company.com dn: cn=Joe User,ou=corp,ou=Users,dc=team,dc=company,dc=com givenName: Joe sn: User cn: Joe User uid: joeuser uidNumber: 1008 gidNumber: 500 homeDirectory: /home/users/joeuser loginShell: /bin/sh objectClass: inetOrgPerson objectClass: posixAccount objectClass: top # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Is my entry in the authorize section formatted correctly? Thanks, Alex On Aug 13, 2014, at 2:46 AM, Stefan Paetow <Stefan.Paetow@ja.net> wrote:
According to the LDAP search, the user is not part of either the Corp or the Dev OUs.
Which one of the two is 'joeuser' part of?
What happens when you try using ldapsearch to search for 'joeuser' in your AD?
Stefan
-----Original Message----- From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of Alex Gregory Sent: 13 August 2014 00:32 To: FreeRadius users mailing list Subject: OpenLDAP Group membership to Filter-ID
Hello-
I would like to make it so that the users in:
ou=corp,ou=Users,dc=team,dc=company,dc=com
Get mapped a Filter-ID of corp and the users in:
ou=dev,ou=Users,dc=team,dc=company,dc=com
Get mapped a Filter-ID of dev. I can then apply firewall rules to give them access to certain resources and not others. This will also make it so that if they access the wrong network they should not have the proper access without the correct group membership.
In inner-tunnel I have:
authorize { if ( Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=affirm,dc=com/ ) { update control { Tmp-String-1 := "corp" } } if ( Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=affirm,dc=com/ ) { update control { Tmp-String-1 := "dev" } }
post-auth { update reply { Filter-Id := "%{control:Tmp-String-1}" }
I can see in the log that its not matching which means I am not matching correctly. It ends up passing the Filter-ID which is blank. So I know the post auth section is working correctly.
Here is the relevant log info:
Tue Aug 12 22:50:47 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel Tue Aug 12 22:50:47 2014 : Info: +- entering group authorize {...} Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) Tue Aug 12 22:50:47 2014 : Debug: [ldap] Entering ldap_groupcmp() Tue Aug 12 22:50:47 2014 : Info: expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Tue Aug 12 22:50:47 2014 : Info: expand: %{Stripped-User-Name} -> Tue Aug 12 22:50:47 2014 : Info: ... expanding second conditional Tue Aug 12 22:50:47 2014 : Info: expand: %{User-Name} -> joeuser Tue Aug 12 22:50:47 2014 : Info: expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=corp,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] object not found Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=corp,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. Tue Aug 12 22:50:47 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) Tue Aug 12 22:50:47 2014 : Debug: [ldap] Entering ldap_groupcmp() Tue Aug 12 22:50:47 2014 : Info: expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Tue Aug 12 22:50:47 2014 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=dev,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] object not found Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=dev,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. Tue Aug 12 22:50:47 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++[chap] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[mschap] returns noop Tue Aug 12 22:50:47 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Tue Aug 12 22:50:47 2014 : Info: [suffix] No such realm "NULL" Tue Aug 12 22:50:47 2014 : Info: ++[suffix] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[control] returns noop Tue Aug 12 22:50:47 2014 : Info: [eap] No EAP-Message, not doing EAP Tue Aug 12 22:50:47 2014 : Info: ++[eap] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[files] returns noop Tue Aug 12 22:50:47 2014 : Info: [ldap] performing user authorization for joeuser Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: %{Stripped-User-Name} -> Tue Aug 12 22:50:47 2014 : Info: [ldap] ... expanding second conditional Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: %{User-Name} -> joeuser Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Tue Aug 12 22:50:47 2014 : Info: [ldap] No default NMAS login sequence Tue Aug 12 22:50:47 2014 : Info: [ldap] looking for check items in directory... Tue Aug 12 22:50:47 2014 : Debug: [ldap] userPassword -> Password-With-Header == "{MD5}hashreplaced" Tue Aug 12 22:50:47 2014 : Info: [ldap] looking for reply items in directory... Tue Aug 12 22:50:47 2014 : Info: [ldap] user joeuser authorized to use remote access Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Info: ++[ldap] returns ok Tue Aug 12 22:50:47 2014 : Info: ++[expiration] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[logintime] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[pap] returns updated Tue Aug 12 22:50:47 2014 : Info: Found Auth-Type = PAP Tue Aug 12 22:50:47 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel Tue Aug 12 22:50:47 2014 : Info: +- entering group PAP {...} Tue Aug 12 22:50:47 2014 : Info: [pap] login attempt with password "password" Tue Aug 12 22:50:47 2014 : Info: [pap] Using MD5 encryption. Tue Aug 12 22:50:47 2014 : Info: [pap] Normalizing MD5-Password from base64 encoding Tue Aug 12 22:50:47 2014 : Info: [pap] User authenticated successfully Tue Aug 12 22:50:47 2014 : Info: ++[pap] returns ok Tue Aug 12 22:50:47 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel Tue Aug 12 22:50:47 2014 : Info: +- entering group post-auth {...} Tue Aug 12 22:50:47 2014 : Info: expand: %{control:Tmp-String-1} -> Tue Aug 12 22:50:47 2014 : Info: ++[reply] returns noop } # server inner-tunnel Tue Aug 12 22:50:47 2014 : Info: [ttls] Got tunneled reply code 2 Filter-Id = "" Tue Aug 12 22:50:47 2014 : Info: [ttls] Got tunneled Access-Accept Tue Aug 12 22:50:47 2014 : Info: [eap] Freeing handler Tue Aug 12 22:50:47 2014 : Info: ++[eap] returns ok Tue Aug 12 22:50:47 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/default Tue Aug 12 22:50:47 2014 : Info: +- entering group post-auth {...} Tue Aug 12 22:50:47 2014 : Info: ++[exec] returns noop Sending Access-Accept of id 16 to xxx.xxx.xxx.xxx port 32768 Filter-Id = "" MS-MPPE-Recv-Key = 0x85725d86e7ab1448510e48ba9b900cd3cbf3d7436f36f9b391dab4d35b3d69b1 MS-MPPE-Send-Key = 0x191e9e59df4f7108ac1542e48434330db030957911f7a3fb75ae40456057bf1f EAP-Message = 0x03050004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "joeuser" Tue Aug 12 22:50:47 2014 : Info: Finished request 9.
Thank you for the help. I appreciate it. BTW if this does't make sense I can provide more details as to what I am trying to do. I figured I would spare that unless needed.
Thanks,
Alex
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok… If you are not using "scope='sub'" in the ldap module (a full output from 'freeradius -X' is specifically requested for the reason that we can see the complete config), then yes, the nesting could be the problem. Stefan ________________________________________ From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] on behalf of Alex Gregory [alex@c2company.com] Sent: 13 August 2014 18:38 To: FreeRadius users mailing list Subject: Re: OpenLDAP Group membership to Filter-ID Joe User is a part of Corp (which is under Users - could nesting be the problem?): root@openldap ~# ldapsearch -x -h localhost -p 389 -b "ou=Users,dc=team,dc=company,dc=com" -s sub "cn=joe user" # extended LDIF # # LDAPv3 # base <ou=Users,dc=team,dc=company,dc=com> with scope subtree # filter: cn=joe user # requesting: ALL # # Joe User, corp, Users, team.company.com dn: cn=Joe User,ou=corp,ou=Users,dc=team,dc=company,dc=com givenName: Joe sn: User cn: Joe User uid: joeuser uidNumber: 1008 gidNumber: 500 homeDirectory: /home/users/joeuser loginShell: /bin/sh objectClass: inetOrgPerson objectClass: posixAccount objectClass: top # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Is my entry in the authorize section formatted correctly? Thanks, Alex On Aug 13, 2014, at 2:46 AM, Stefan Paetow <Stefan.Paetow@ja.net> wrote:
According to the LDAP search, the user is not part of either the Corp or the Dev OUs.
Which one of the two is 'joeuser' part of?
What happens when you try using ldapsearch to search for 'joeuser' in your AD?
Stefan
-----Original Message----- From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of Alex Gregory Sent: 13 August 2014 00:32 To: FreeRadius users mailing list Subject: OpenLDAP Group membership to Filter-ID
Hello-
I would like to make it so that the users in:
ou=corp,ou=Users,dc=team,dc=company,dc=com
Get mapped a Filter-ID of corp and the users in:
ou=dev,ou=Users,dc=team,dc=company,dc=com
Get mapped a Filter-ID of dev. I can then apply firewall rules to give them access to certain resources and not others. This will also make it so that if they access the wrong network they should not have the proper access without the correct group membership.
In inner-tunnel I have:
authorize { if ( Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=affirm,dc=com/ ) { update control { Tmp-String-1 := "corp" } } if ( Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=affirm,dc=com/ ) { update control { Tmp-String-1 := "dev" } }
post-auth { update reply { Filter-Id := "%{control:Tmp-String-1}" }
I can see in the log that its not matching which means I am not matching correctly. It ends up passing the Filter-ID which is blank. So I know the post auth section is working correctly.
Here is the relevant log info:
Tue Aug 12 22:50:47 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel Tue Aug 12 22:50:47 2014 : Info: +- entering group authorize {...} Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) Tue Aug 12 22:50:47 2014 : Debug: [ldap] Entering ldap_groupcmp() Tue Aug 12 22:50:47 2014 : Info: expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Tue Aug 12 22:50:47 2014 : Info: expand: %{Stripped-User-Name} -> Tue Aug 12 22:50:47 2014 : Info: ... expanding second conditional Tue Aug 12 22:50:47 2014 : Info: expand: %{User-Name} -> joeuser Tue Aug 12 22:50:47 2014 : Info: expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=corp,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] object not found Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=corp,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. Tue Aug 12 22:50:47 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) Tue Aug 12 22:50:47 2014 : Debug: [ldap] Entering ldap_groupcmp() Tue Aug 12 22:50:47 2014 : Info: expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Tue Aug 12 22:50:47 2014 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=dev,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] object not found Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=dev,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. Tue Aug 12 22:50:47 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++[chap] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[mschap] returns noop Tue Aug 12 22:50:47 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Tue Aug 12 22:50:47 2014 : Info: [suffix] No such realm "NULL" Tue Aug 12 22:50:47 2014 : Info: ++[suffix] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[control] returns noop Tue Aug 12 22:50:47 2014 : Info: [eap] No EAP-Message, not doing EAP Tue Aug 12 22:50:47 2014 : Info: ++[eap] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[files] returns noop Tue Aug 12 22:50:47 2014 : Info: [ldap] performing user authorization for joeuser Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: %{Stripped-User-Name} -> Tue Aug 12 22:50:47 2014 : Info: [ldap] ... expanding second conditional Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: %{User-Name} -> joeuser Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Tue Aug 12 22:50:47 2014 : Info: [ldap] No default NMAS login sequence Tue Aug 12 22:50:47 2014 : Info: [ldap] looking for check items in directory... Tue Aug 12 22:50:47 2014 : Debug: [ldap] userPassword -> Password-With-Header == "{MD5}hashreplaced" Tue Aug 12 22:50:47 2014 : Info: [ldap] looking for reply items in directory... Tue Aug 12 22:50:47 2014 : Info: [ldap] user joeuser authorized to use remote access Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Info: ++[ldap] returns ok Tue Aug 12 22:50:47 2014 : Info: ++[expiration] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[logintime] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[pap] returns updated Tue Aug 12 22:50:47 2014 : Info: Found Auth-Type = PAP Tue Aug 12 22:50:47 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel Tue Aug 12 22:50:47 2014 : Info: +- entering group PAP {...} Tue Aug 12 22:50:47 2014 : Info: [pap] login attempt with password "password" Tue Aug 12 22:50:47 2014 : Info: [pap] Using MD5 encryption. Tue Aug 12 22:50:47 2014 : Info: [pap] Normalizing MD5-Password from base64 encoding Tue Aug 12 22:50:47 2014 : Info: [pap] User authenticated successfully Tue Aug 12 22:50:47 2014 : Info: ++[pap] returns ok Tue Aug 12 22:50:47 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel Tue Aug 12 22:50:47 2014 : Info: +- entering group post-auth {...} Tue Aug 12 22:50:47 2014 : Info: expand: %{control:Tmp-String-1} -> Tue Aug 12 22:50:47 2014 : Info: ++[reply] returns noop } # server inner-tunnel Tue Aug 12 22:50:47 2014 : Info: [ttls] Got tunneled reply code 2 Filter-Id = "" Tue Aug 12 22:50:47 2014 : Info: [ttls] Got tunneled Access-Accept Tue Aug 12 22:50:47 2014 : Info: [eap] Freeing handler Tue Aug 12 22:50:47 2014 : Info: ++[eap] returns ok Tue Aug 12 22:50:47 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/default Tue Aug 12 22:50:47 2014 : Info: +- entering group post-auth {...} Tue Aug 12 22:50:47 2014 : Info: ++[exec] returns noop Sending Access-Accept of id 16 to xxx.xxx.xxx.xxx port 32768 Filter-Id = "" MS-MPPE-Recv-Key = 0x85725d86e7ab1448510e48ba9b900cd3cbf3d7436f36f9b391dab4d35b3d69b1 MS-MPPE-Send-Key = 0x191e9e59df4f7108ac1542e48434330db030957911f7a3fb75ae40456057bf1f EAP-Message = 0x03050004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "joeuser" Tue Aug 12 22:50:47 2014 : Info: Finished request 9.
Thank you for the help. I appreciate it. BTW if this does't make sense I can provide more details as to what I am trying to do. I figured I would spare that unless needed.
Thanks,
Alex
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
I did not have that in there. I added it into the ldap module so my config now looks like: ldap { server = "localhost" identity = "cn=admin,dc=team,dc=company,dc=com" password = xxxxx basedn = "ou=Users,dc=team,dc=company,dc=com" scope = “sub” filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})” ... } Here is the output from -XXX rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=101, length=215 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000006c453ebb861" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201000c016a6f6575736572 Message-Authenticator = 0x882183e2a08a2bce65b1792c44079165 Wed Aug 13 19:11:30 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authorize {...} Wed Aug 13 19:11:30 2014 : Info: ++[preprocess] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[chap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[mschap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[digest] returns noop Wed Aug 13 19:11:30 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Wed Aug 13 19:11:30 2014 : Info: [suffix] No such realm "NULL" Wed Aug 13 19:11:30 2014 : Info: ++[suffix] returns noop Wed Aug 13 19:11:30 2014 : Info: [eap] EAP packet type response id 1 length 12 Wed Aug 13 19:11:30 2014 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns updated Wed Aug 13 19:11:30 2014 : Info: ++[files] returns noop Wed Aug 13 19:11:30 2014 : Info: [ldap] performing user authorization for joeuser Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: %{Stripped-User-Name} -> Wed Aug 13 19:11:30 2014 : Info: [ldap] ... expanding second conditional Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: %{User-Name} -> joeuser Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] attempting LDAP reconnection Wed Aug 13 19:11:30 2014 : Debug: [ldap] (re)connect to localhost:389, authentication 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] bind as cn=admin,dc=team,dc=company,dc=com/653776d05374 to localhost:389 Wed Aug 13 19:11:30 2014 : Debug: [ldap] waiting for bind result ... Wed Aug 13 19:11:30 2014 : Debug: [ldap] Bind was successful Wed Aug 13 19:11:30 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Wed Aug 13 19:11:30 2014 : Info: [ldap] No default NMAS login sequence Wed Aug 13 19:11:30 2014 : Info: [ldap] looking for check items in directory... Wed Aug 13 19:11:30 2014 : Debug: [ldap] userPassword -> Password-With-Header == "{MD5}X03MO1qnZdYdgyfeuILPmQ==" Wed Aug 13 19:11:30 2014 : Info: [ldap] looking for reply items in directory... Wed Aug 13 19:11:30 2014 : Info: [ldap] user joeuser authorized to use remote access Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 13 19:11:30 2014 : Info: ++[ldap] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[expiration] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[logintime] returns noop Wed Aug 13 19:11:30 2014 : Info: [pap] WARNING: Auth-Type already set. Not setting to PAP Wed Aug 13 19:11:30 2014 : Info: ++[pap] returns noop Wed Aug 13 19:11:30 2014 : Info: Found Auth-Type = EAP Wed Aug 13 19:11:30 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authenticate {...} Wed Aug 13 19:11:30 2014 : Info: [eap] EAP Identity Wed Aug 13 19:11:30 2014 : Info: [eap] processing type tls Wed Aug 13 19:11:30 2014 : Info: [tls] Initiate Wed Aug 13 19:11:30 2014 : Info: [tls] Start returned 1 Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns handled Sending Access-Challenge of id 101 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xce049ae9ce068f152ab18dd0a9f47460 Wed Aug 13 19:11:30 2014 : Info: Finished request 0. Wed Aug 13 19:11:30 2014 : Debug: Going to the next request Wed Aug 13 19:11:30 2014 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=102, length=373 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000006c453ebb861" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202009815800000008e160301008901000085030153ebb86267f54fc71b8caba32338c6ac7b304b74e7b8ea6d3121e26a2ed7c8d800004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100 State = 0xce049ae9ce068f152ab18dd0a9f47460 Message-Authenticator = 0x5bde15e0f296c2eec38dd20a652cce44 Wed Aug 13 19:11:30 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authorize {...} Wed Aug 13 19:11:30 2014 : Info: ++[preprocess] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[chap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[mschap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[digest] returns noop Wed Aug 13 19:11:30 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Wed Aug 13 19:11:30 2014 : Info: [suffix] No such realm "NULL" Wed Aug 13 19:11:30 2014 : Info: ++[suffix] returns noop Wed Aug 13 19:11:30 2014 : Info: [eap] EAP packet type response id 2 length 152 Wed Aug 13 19:11:30 2014 : Info: [eap] Continuing tunnel setup. Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns ok Wed Aug 13 19:11:30 2014 : Info: Found Auth-Type = EAP Wed Aug 13 19:11:30 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authenticate {...} Wed Aug 13 19:11:30 2014 : Info: [eap] Request found, released from the list Wed Aug 13 19:11:30 2014 : Info: [eap] EAP/ttls Wed Aug 13 19:11:30 2014 : Info: [eap] processing type ttls Wed Aug 13 19:11:30 2014 : Info: [ttls] Authenticate Wed Aug 13 19:11:30 2014 : Info: [ttls] processing EAP-TLS Wed Aug 13 19:11:30 2014 : Debug: TLS Length 142 Wed Aug 13 19:11:30 2014 : Info: [ttls] Length Included Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_verify returned 11 Wed Aug 13 19:11:30 2014 : Info: [ttls] (other): before/accept initialization Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: before/accept initialization Wed Aug 13 19:11:30 2014 : Info: [ttls] <<< TLS 1.0 Handshake [length 0089], ClientHello Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 read client hello A Wed Aug 13 19:11:30 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 write server hello A Wed Aug 13 19:11:30 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 02c4], Certificate Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 write certificate A Wed Aug 13 19:11:30 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 write key exchange A Wed Aug 13 19:11:30 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 write server done A Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 flush data Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A Wed Aug 13 19:11:30 2014 : Debug: In SSL Handshake Phase Wed Aug 13 19:11:30 2014 : Debug: In SSL Accept mode Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_process returned 13 Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns handled Sending Access-Challenge of id 102 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x0103040015c000000460160301003902000035030153ebb862012b65c4fb6e4f52554f17ee124440bd460ba5b87053e8744206bfc600c01400000dff01000100000b00040300010216030102c40b0002c00002bd0002ba308202b63082019ea003020102020900b507e231935d6b3f300d06092a864886f70d010105050030133111300f060355040313086f70656e6c646170301e170d3134303830373232333035385a170d3234303830343232333035385a30133111300f060355040313086f70656e6c64617030820122300d06092a864886f70d01010105000382010f003082010a0282010100bae7e24798efa862ea1659a17ac74864a297d09a EAP-Message = 0x249d8e467e1a40a3fc4fdcf36e73ac43cc11e5df4978020ae6af6c12d0a98f7c90d0352eae9c5b9c8364cffe115b833c52bfbcb43c292c303ee0f8cca82a3732ed53bcdba3905a9f030c9bf242e7482f28c0a30e5210afbf064e6129cef1358e30942581621b927da448fcea0fcca181c7ea6ac7385946513bd092e7ccf41df13f7a4f498533947d1f0451659c20977cfddeb5ffadef948b8f876a1bbba0f2a574e05daf8fe696a828973f21674abc246ca73279dcd5fe1720f1140b3f351427fc5be4a4158fb31d2b46643e0bbef9297b892cea88babfcb26e53bcc981bec71b84d0fb21760176f5d12adc90203010001a30d300b30090603551d1304 EAP-Message = 0x023000300d06092a864886f70d010105050003820101009a35e4dddb99265dfbe96dbd2dd5efcec97ebbb6111d42b313a0d7b6f29a4a4cc378c154afc028a986a118ddf1e611aa3fda9ed59c9f745663fcfd2655891584047b99042c2f7d3757ff92e86d008a55dac7e1e2a8f7e67711fec590812461e9de753eacf30285e44c3c7ecc31671d4ccbfdc6de65536e8b780cbf05ca5e0442748ccc7356f315baac1cc9bb528198bba1526d18213171b26e3676162be28056600762ed21df47ca64f29fb8b9853b8e84731708c7e7c5b0862c3d61aa07b37b89eb915e0fb7f5867a9eb9346574bfc112aa4ea45ae9bae8fdf44b9cedbd3ba5082046a7de23 EAP-Message = 0xc8fefa2502dad1e8da8bf54443bc2b061a301dd93689ce6867d9160301014b0c000147030017410435796b6c770b407c2ebab35a3d09b54da0cc51fc29e0127a4e712087f927a4ec66a4001d8e03338aca7c1dc10908145a3965b1b289246e63ea9af938293a140201008264e93ba4a0e00fe8a2a603aa05a33cdaf5c24318fc220ad64b624ef88b45fba17d3acc2c10d3e5637b914657ace3c36cab6a5f1c364cb4d73ada622674017ddaecbb02453a2b48ed183114904b75fd62beccbc2e9af4aebffb4914aab0ac1bb3c9e69c5b8556b8bb6d5144fcf81eb91ed845f3280442d546b1b4a5ab6867e9d5f50773d21d4f335f695b5fc386f0d37beefc EAP-Message = 0x56c2aca56a2c087629999c71 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xce049ae9cf078f152ab18dd0a9f47460 Wed Aug 13 19:11:30 2014 : Info: Finished request 1. Wed Aug 13 19:11:30 2014 : Debug: Going to the next request Wed Aug 13 19:11:30 2014 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=103, length=227 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000006c453ebb861" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061500 State = 0xce049ae9cf078f152ab18dd0a9f47460 Message-Authenticator = 0xb8e667ae4d70cf7ba99ff183a7a889cb Wed Aug 13 19:11:30 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authorize {...} Wed Aug 13 19:11:30 2014 : Info: ++[preprocess] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[chap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[mschap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[digest] returns noop Wed Aug 13 19:11:30 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Wed Aug 13 19:11:30 2014 : Info: [suffix] No such realm "NULL" Wed Aug 13 19:11:30 2014 : Info: ++[suffix] returns noop Wed Aug 13 19:11:30 2014 : Info: [eap] EAP packet type response id 3 length 6 Wed Aug 13 19:11:30 2014 : Info: [eap] Continuing tunnel setup. Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns ok Wed Aug 13 19:11:30 2014 : Info: Found Auth-Type = EAP Wed Aug 13 19:11:30 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authenticate {...} Wed Aug 13 19:11:30 2014 : Info: [eap] Request found, released from the list Wed Aug 13 19:11:30 2014 : Info: [eap] EAP/ttls Wed Aug 13 19:11:30 2014 : Info: [eap] processing type ttls Wed Aug 13 19:11:30 2014 : Info: [ttls] Authenticate Wed Aug 13 19:11:30 2014 : Info: [ttls] processing EAP-TLS Wed Aug 13 19:11:30 2014 : Info: [ttls] Received TLS ACK Wed Aug 13 19:11:30 2014 : Info: [ttls] ACK handshake fragment handler Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_verify returned 1 Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_process returned 13 Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns handled Sending Access-Challenge of id 103 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x01040074158000000460f3411c40ef6cbf1635e4b4c7c71d18b883360ad6c27db542a4ffa0196c0b2ff8daca2101a3b4a35171415bdf6b68817425eb344c2e5e5a6794c0f1002aa59f631cb9c5135d716d9664afa8a76e9f2ee942decefd1b459b2dbb216aa655697391b416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xce049ae9cc008f152ab18dd0a9f47460 Wed Aug 13 19:11:30 2014 : Info: Finished request 2. Wed Aug 13 19:11:30 2014 : Debug: Going to the next request Wed Aug 13 19:11:30 2014 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=104, length=365 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000006c453ebb861" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400901580000000861603010046100000424104004576a5ac3ee43c0112ce47d295aa54d21d71076fd64b293d0d59fff21795217e1ac2b3934427d9740a789cd8731e1bd52c246904d4414a1877b375e67df9f31403010001011603010030da43e9a2a8d1bb853ae1740aaf5964dc58b28263a25f1dbc40149b8d0aa0a62b22a690caf5fa2c9663e53591a55e3100 State = 0xce049ae9cc008f152ab18dd0a9f47460 Message-Authenticator = 0x9582ab96a0b46bdb12bc99449a415f67 Wed Aug 13 19:11:30 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authorize {...} Wed Aug 13 19:11:30 2014 : Info: ++[preprocess] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[chap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[mschap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[digest] returns noop Wed Aug 13 19:11:30 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Wed Aug 13 19:11:30 2014 : Info: [suffix] No such realm "NULL" Wed Aug 13 19:11:30 2014 : Info: ++[suffix] returns noop Wed Aug 13 19:11:30 2014 : Info: [eap] EAP packet type response id 4 length 144 Wed Aug 13 19:11:30 2014 : Info: [eap] Continuing tunnel setup. Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns ok Wed Aug 13 19:11:30 2014 : Info: Found Auth-Type = EAP Wed Aug 13 19:11:30 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authenticate {...} Wed Aug 13 19:11:30 2014 : Info: [eap] Request found, released from the list Wed Aug 13 19:11:30 2014 : Info: [eap] EAP/ttls Wed Aug 13 19:11:30 2014 : Info: [eap] processing type ttls Wed Aug 13 19:11:30 2014 : Info: [ttls] Authenticate Wed Aug 13 19:11:30 2014 : Info: [ttls] processing EAP-TLS Wed Aug 13 19:11:30 2014 : Debug: TLS Length 134 Wed Aug 13 19:11:30 2014 : Info: [ttls] Length Included Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_verify returned 11 Wed Aug 13 19:11:30 2014 : Info: [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 read client key exchange A Wed Aug 13 19:11:30 2014 : Info: [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] Wed Aug 13 19:11:30 2014 : Info: [ttls] <<< TLS 1.0 Handshake [length 0010], Finished Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 read finished A Wed Aug 13 19:11:30 2014 : Info: [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 write change cipher spec A Wed Aug 13 19:11:30 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 0010], Finished Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 write finished A Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 flush data Wed Aug 13 19:11:30 2014 : Info: [ttls] (other): SSL negotiation finished successfully Wed Aug 13 19:11:30 2014 : Debug: SSL Connection Established Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_process returned 13 Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns handled Sending Access-Challenge of id 104 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x0105004515800000003b1403010001011603010030479426af6e1c12503738a32e262e84a4c666ea99fb6f5a80df674f2146e70be7e6187626844cccb9362ac032ee1b5de3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xce049ae9cd018f152ab18dd0a9f47460 Wed Aug 13 19:11:30 2014 : Info: Finished request 3. Wed Aug 13 19:11:30 2014 : Debug: Going to the next request Wed Aug 13 19:11:30 2014 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=105, length=300 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000006c453ebb861" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0205004f15800000004517030100407bbbae1e3e6f6eee806cadf4038fc633b025b87de4bfe6c62065214c14dc49fba070a2a5ae82ba25538125ce60ed1e16eebeb7ad9c5eaa990c2be82e7b18f38e State = 0xce049ae9cd018f152ab18dd0a9f47460 Message-Authenticator = 0x641909bf4fd27987f4b839410ca1f707 Wed Aug 13 19:11:30 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authorize {...} Wed Aug 13 19:11:30 2014 : Info: ++[preprocess] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[chap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[mschap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[digest] returns noop Wed Aug 13 19:11:30 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Wed Aug 13 19:11:30 2014 : Info: [suffix] No such realm "NULL" Wed Aug 13 19:11:30 2014 : Info: ++[suffix] returns noop Wed Aug 13 19:11:30 2014 : Info: [eap] EAP packet type response id 5 length 79 Wed Aug 13 19:11:30 2014 : Info: [eap] Continuing tunnel setup. Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns ok Wed Aug 13 19:11:30 2014 : Info: Found Auth-Type = EAP Wed Aug 13 19:11:30 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authenticate {...} Wed Aug 13 19:11:30 2014 : Info: [eap] Request found, released from the list Wed Aug 13 19:11:30 2014 : Info: [eap] EAP/ttls Wed Aug 13 19:11:30 2014 : Info: [eap] processing type ttls Wed Aug 13 19:11:30 2014 : Info: [ttls] Authenticate Wed Aug 13 19:11:30 2014 : Info: [ttls] processing EAP-TLS Wed Aug 13 19:11:30 2014 : Debug: TLS Length 69 Wed Aug 13 19:11:30 2014 : Info: [ttls] Length Included Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_verify returned 11 Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_process returned 7 Wed Aug 13 19:11:30 2014 : Info: [ttls] Session established. Proceeding to decode tunneled attributes. TTLS tunnel data in 0000: 00 00 00 01 00 00 00 0f 6a 6f 65 75 73 65 72 00 TTLS tunnel data in 0010: 00 00 00 02 00 00 00 18 70 61 73 73 77 6f 72 64 TTLS tunnel data in 0020: 00 00 00 00 00 00 00 00 Wed Aug 13 19:11:30 2014 : Info: [ttls] Got tunneled request User-Name = "joeuser" User-Password = "password" FreeRADIUS-Proxied-To = 127.0.0.1 Wed Aug 13 19:11:30 2014 : Info: [ttls] Sending tunneled request User-Name = "joeuser" User-Password = "password" FreeRADIUS-Proxied-To = 127.0.0.1 Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000006c453ebb861" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 server inner-tunnel { Wed Aug 13 19:11:30 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel Wed Aug 13 19:11:30 2014 : Info: +- entering group authorize {...} Wed Aug 13 19:11:30 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) Wed Aug 13 19:11:30 2014 : Debug: [ldap] Entering ldap_groupcmp() Wed Aug 13 19:11:30 2014 : Info: expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Wed Aug 13 19:11:30 2014 : Info: expand: %{Stripped-User-Name} -> Wed Aug 13 19:11:30 2014 : Info: ... expanding second conditional Wed Aug 13 19:11:30 2014 : Info: expand: %{User-Name} -> joeuser Wed Aug 13 19:11:30 2014 : Info: expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 13 19:11:30 2014 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] performing search in ou=corp,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Wed Aug 13 19:11:30 2014 : Debug: [ldap] object not found Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 13 19:11:30 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=corp,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. Wed Aug 13 19:11:30 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/) -> FALSE Wed Aug 13 19:11:30 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE Wed Aug 13 19:11:30 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) Wed Aug 13 19:11:30 2014 : Debug: [ldap] Entering ldap_groupcmp() Wed Aug 13 19:11:30 2014 : Info: expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Wed Aug 13 19:11:30 2014 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] performing search in ou=dev,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Wed Aug 13 19:11:30 2014 : Debug: [ldap] object not found Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 13 19:11:30 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=dev,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. Wed Aug 13 19:11:30 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/) -> FALSE Wed Aug 13 19:11:30 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE Wed Aug 13 19:11:30 2014 : Info: ++[chap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[mschap] returns noop Wed Aug 13 19:11:30 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Wed Aug 13 19:11:30 2014 : Info: [suffix] No such realm "NULL" Wed Aug 13 19:11:30 2014 : Info: ++[suffix] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[control] returns noop Wed Aug 13 19:11:30 2014 : Info: [eap] No EAP-Message, not doing EAP Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[files] returns noop Wed Aug 13 19:11:30 2014 : Info: [ldap] performing user authorization for joeuser Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: %{Stripped-User-Name} -> Wed Aug 13 19:11:30 2014 : Info: [ldap] ... expanding second conditional Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: %{User-Name} -> joeuser Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Wed Aug 13 19:11:30 2014 : Info: [ldap] No default NMAS login sequence Wed Aug 13 19:11:30 2014 : Info: [ldap] looking for check items in directory... Wed Aug 13 19:11:30 2014 : Debug: [ldap] userPassword -> Password-With-Header == "{MD5}X03MO1qnZdYdgyfeuILPmQ==" Wed Aug 13 19:11:30 2014 : Info: [ldap] looking for reply items in directory... Wed Aug 13 19:11:30 2014 : Info: [ldap] user joeuser authorized to use remote access Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 13 19:11:30 2014 : Info: ++[ldap] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[expiration] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[logintime] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[pap] returns updated Wed Aug 13 19:11:30 2014 : Info: Found Auth-Type = PAP Wed Aug 13 19:11:30 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel Wed Aug 13 19:11:30 2014 : Info: +- entering group PAP {...} Wed Aug 13 19:11:30 2014 : Info: [pap] login attempt with password "password" Wed Aug 13 19:11:30 2014 : Info: [pap] Using MD5 encryption. Wed Aug 13 19:11:30 2014 : Info: [pap] Normalizing MD5-Password from base64 encoding Wed Aug 13 19:11:30 2014 : Info: [pap] User authenticated successfully Wed Aug 13 19:11:30 2014 : Info: ++[pap] returns ok Wed Aug 13 19:11:30 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel Wed Aug 13 19:11:30 2014 : Info: +- entering group post-auth {...} Wed Aug 13 19:11:30 2014 : Info: expand: %{control:Tmp-String-1} -> Wed Aug 13 19:11:30 2014 : Info: ++[reply] returns noop } # server inner-tunnel Wed Aug 13 19:11:30 2014 : Info: [ttls] Got tunneled reply code 2 Filter-Id = "" Wed Aug 13 19:11:30 2014 : Info: [ttls] Got tunneled Access-Accept Wed Aug 13 19:11:30 2014 : Info: [eap] Freeing handler Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns ok Wed Aug 13 19:11:30 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group post-auth {...} Wed Aug 13 19:11:30 2014 : Info: ++[exec] returns noop Sending Access-Accept of id 105 to xxx.xxx.xxx.xxx port 32768 Filter-Id = "" MS-MPPE-Recv-Key = 0x973c07e31d3c62b129b86e8e3c753157d7d3fa68a4a77314fa71358e280a02a8 MS-MPPE-Send-Key = 0x4a82fcf322b22593fb75a29e51144d16c5698583f60d170a3fe559c800065eec EAP-Message = 0x03050004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "joeuser" Wed Aug 13 19:11:30 2014 : Info: Finished request 4. Wed Aug 13 19:11:30 2014 : Debug: Going to the next request Wed Aug 13 19:11:30 2014 : Debug: Waking up in 4.8 seconds. Wed Aug 13 19:11:35 2014 : Info: Cleaning up request 0 ID 101 with timestamp +40 Wed Aug 13 19:11:35 2014 : Info: Cleaning up request 1 ID 102 with timestamp +40 Wed Aug 13 19:11:35 2014 : Info: Cleaning up request 2 ID 103 with timestamp +40 Wed Aug 13 19:11:35 2014 : Info: Cleaning up request 3 ID 104 with timestamp +40 Wed Aug 13 19:11:35 2014 : Info: Cleaning up request 4 ID 105 with timestamp +40 Wed Aug 13 19:11:35 2014 : Info: Ready to process requests. On Aug 13, 2014, at 11:38 AM, Stefan Paetow <Stefan.Paetow@ja.net> wrote:
Ok…
If you are not using "scope='sub'" in the ldap module (a full output from 'freeradius -X' is specifically requested for the reason that we can see the complete config), then yes, the nesting could be the problem.
Stefan
________________________________________ From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] on behalf of Alex Gregory [alex@c2company.com] Sent: 13 August 2014 18:38 To: FreeRadius users mailing list Subject: Re: OpenLDAP Group membership to Filter-ID
Joe User is a part of Corp (which is under Users - could nesting be the problem?):
root@openldap ~# ldapsearch -x -h localhost -p 389 -b "ou=Users,dc=team,dc=company,dc=com" -s sub "cn=joe user" # extended LDIF # # LDAPv3 # base <ou=Users,dc=team,dc=company,dc=com> with scope subtree # filter: cn=joe user # requesting: ALL #
# Joe User, corp, Users, team.company.com dn: cn=Joe User,ou=corp,ou=Users,dc=team,dc=company,dc=com givenName: Joe sn: User cn: Joe User uid: joeuser uidNumber: 1008 gidNumber: 500 homeDirectory: /home/users/joeuser loginShell: /bin/sh objectClass: inetOrgPerson objectClass: posixAccount objectClass: top
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
Is my entry in the authorize section formatted correctly?
Thanks,
Alex
On Aug 13, 2014, at 2:46 AM, Stefan Paetow <Stefan.Paetow@ja.net> wrote:
According to the LDAP search, the user is not part of either the Corp or the Dev OUs.
Which one of the two is 'joeuser' part of?
What happens when you try using ldapsearch to search for 'joeuser' in your AD?
Stefan
-----Original Message----- From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of Alex Gregory Sent: 13 August 2014 00:32 To: FreeRadius users mailing list Subject: OpenLDAP Group membership to Filter-ID
Hello-
I would like to make it so that the users in:
ou=corp,ou=Users,dc=team,dc=company,dc=com
Get mapped a Filter-ID of corp and the users in:
ou=dev,ou=Users,dc=team,dc=company,dc=com
Get mapped a Filter-ID of dev. I can then apply firewall rules to give them access to certain resources and not others. This will also make it so that if they access the wrong network they should not have the proper access without the correct group membership.
In inner-tunnel I have:
authorize { if ( Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=affirm,dc=com/ ) { update control { Tmp-String-1 := "corp" } } if ( Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=affirm,dc=com/ ) { update control { Tmp-String-1 := "dev" } }
post-auth { update reply { Filter-Id := "%{control:Tmp-String-1}" }
I can see in the log that its not matching which means I am not matching correctly. It ends up passing the Filter-ID which is blank. So I know the post auth section is working correctly.
Here is the relevant log info:
Tue Aug 12 22:50:47 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel Tue Aug 12 22:50:47 2014 : Info: +- entering group authorize {...} Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) Tue Aug 12 22:50:47 2014 : Debug: [ldap] Entering ldap_groupcmp() Tue Aug 12 22:50:47 2014 : Info: expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Tue Aug 12 22:50:47 2014 : Info: expand: %{Stripped-User-Name} -> Tue Aug 12 22:50:47 2014 : Info: ... expanding second conditional Tue Aug 12 22:50:47 2014 : Info: expand: %{User-Name} -> joeuser Tue Aug 12 22:50:47 2014 : Info: expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=corp,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] object not found Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=corp,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. Tue Aug 12 22:50:47 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) Tue Aug 12 22:50:47 2014 : Debug: [ldap] Entering ldap_groupcmp() Tue Aug 12 22:50:47 2014 : Info: expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Tue Aug 12 22:50:47 2014 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=dev,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] object not found Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=dev,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. Tue Aug 12 22:50:47 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++[chap] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[mschap] returns noop Tue Aug 12 22:50:47 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Tue Aug 12 22:50:47 2014 : Info: [suffix] No such realm "NULL" Tue Aug 12 22:50:47 2014 : Info: ++[suffix] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[control] returns noop Tue Aug 12 22:50:47 2014 : Info: [eap] No EAP-Message, not doing EAP Tue Aug 12 22:50:47 2014 : Info: ++[eap] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[files] returns noop Tue Aug 12 22:50:47 2014 : Info: [ldap] performing user authorization for joeuser Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: %{Stripped-User-Name} -> Tue Aug 12 22:50:47 2014 : Info: [ldap] ... expanding second conditional Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: %{User-Name} -> joeuser Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Tue Aug 12 22:50:47 2014 : Info: [ldap] No default NMAS login sequence Tue Aug 12 22:50:47 2014 : Info: [ldap] looking for check items in directory... Tue Aug 12 22:50:47 2014 : Debug: [ldap] userPassword -> Password-With-Header == "{MD5}hashreplaced" Tue Aug 12 22:50:47 2014 : Info: [ldap] looking for reply items in directory... Tue Aug 12 22:50:47 2014 : Info: [ldap] user joeuser authorized to use remote access Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Info: ++[ldap] returns ok Tue Aug 12 22:50:47 2014 : Info: ++[expiration] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[logintime] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[pap] returns updated Tue Aug 12 22:50:47 2014 : Info: Found Auth-Type = PAP Tue Aug 12 22:50:47 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel Tue Aug 12 22:50:47 2014 : Info: +- entering group PAP {...} Tue Aug 12 22:50:47 2014 : Info: [pap] login attempt with password "password" Tue Aug 12 22:50:47 2014 : Info: [pap] Using MD5 encryption. Tue Aug 12 22:50:47 2014 : Info: [pap] Normalizing MD5-Password from base64 encoding Tue Aug 12 22:50:47 2014 : Info: [pap] User authenticated successfully Tue Aug 12 22:50:47 2014 : Info: ++[pap] returns ok Tue Aug 12 22:50:47 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel Tue Aug 12 22:50:47 2014 : Info: +- entering group post-auth {...} Tue Aug 12 22:50:47 2014 : Info: expand: %{control:Tmp-String-1} -> Tue Aug 12 22:50:47 2014 : Info: ++[reply] returns noop } # server inner-tunnel Tue Aug 12 22:50:47 2014 : Info: [ttls] Got tunneled reply code 2 Filter-Id = "" Tue Aug 12 22:50:47 2014 : Info: [ttls] Got tunneled Access-Accept Tue Aug 12 22:50:47 2014 : Info: [eap] Freeing handler Tue Aug 12 22:50:47 2014 : Info: ++[eap] returns ok Tue Aug 12 22:50:47 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/default Tue Aug 12 22:50:47 2014 : Info: +- entering group post-auth {...} Tue Aug 12 22:50:47 2014 : Info: ++[exec] returns noop Sending Access-Accept of id 16 to xxx.xxx.xxx.xxx port 32768 Filter-Id = "" MS-MPPE-Recv-Key = 0x85725d86e7ab1448510e48ba9b900cd3cbf3d7436f36f9b391dab4d35b3d69b1 MS-MPPE-Send-Key = 0x191e9e59df4f7108ac1542e48434330db030957911f7a3fb75ae40456057bf1f EAP-Message = 0x03050004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "joeuser" Tue Aug 12 22:50:47 2014 : Info: Finished request 9.
Thank you for the help. I appreciate it. BTW if this does't make sense I can provide more details as to what I am trying to do. I figured I would spare that unless needed.
Thanks,
Alex
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alex, this is not the full output of radiusd -X (or freeradius -X). You've only included the request, not the configuration that -X spits out beforehand. Please include that portion as well. Stefan -----Original Message----- From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of Alex Gregory Sent: 13 August 2014 20:23 To: FreeRadius users mailing list Subject: Re: OpenLDAP Group membership to Filter-ID I did not have that in there. I added it into the ldap module so my config now looks like: ldap { server = "localhost" identity = "cn=admin,dc=team,dc=company,dc=com" password = xxxxx basedn = "ou=Users,dc=team,dc=company,dc=com" scope = "sub" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" ... } Here is the output from -XXX rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=101, length=215 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000006c453ebb861" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201000c016a6f6575736572 Message-Authenticator = 0x882183e2a08a2bce65b1792c44079165 Wed Aug 13 19:11:30 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authorize {...} Wed Aug 13 19:11:30 2014 : Info: ++[preprocess] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[chap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[mschap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[digest] returns noop Wed Aug 13 19:11:30 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Wed Aug 13 19:11:30 2014 : Info: [suffix] No such realm "NULL" Wed Aug 13 19:11:30 2014 : Info: ++[suffix] returns noop Wed Aug 13 19:11:30 2014 : Info: [eap] EAP packet type response id 1 length 12 Wed Aug 13 19:11:30 2014 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns updated Wed Aug 13 19:11:30 2014 : Info: ++[files] returns noop Wed Aug 13 19:11:30 2014 : Info: [ldap] performing user authorization for joeuser Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: %{Stripped-User-Name} -> Wed Aug 13 19:11:30 2014 : Info: [ldap] ... expanding second conditional Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: %{User-Name} -> joeuser Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] attempting LDAP reconnection Wed Aug 13 19:11:30 2014 : Debug: [ldap] (re)connect to localhost:389, authentication 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] bind as cn=admin,dc=team,dc=company,dc=com/653776d05374 to localhost:389 Wed Aug 13 19:11:30 2014 : Debug: [ldap] waiting for bind result ... Wed Aug 13 19:11:30 2014 : Debug: [ldap] Bind was successful Wed Aug 13 19:11:30 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Wed Aug 13 19:11:30 2014 : Info: [ldap] No default NMAS login sequence Wed Aug 13 19:11:30 2014 : Info: [ldap] looking for check items in directory... Wed Aug 13 19:11:30 2014 : Debug: [ldap] userPassword -> Password-With-Header == "{MD5}X03MO1qnZdYdgyfeuILPmQ==" Wed Aug 13 19:11:30 2014 : Info: [ldap] looking for reply items in directory... Wed Aug 13 19:11:30 2014 : Info: [ldap] user joeuser authorized to use remote access Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 13 19:11:30 2014 : Info: ++[ldap] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[expiration] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[logintime] returns noop Wed Aug 13 19:11:30 2014 : Info: [pap] WARNING: Auth-Type already set. Not setting to PAP Wed Aug 13 19:11:30 2014 : Info: ++[pap] returns noop Wed Aug 13 19:11:30 2014 : Info: Found Auth-Type = EAP Wed Aug 13 19:11:30 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authenticate {...} Wed Aug 13 19:11:30 2014 : Info: [eap] EAP Identity Wed Aug 13 19:11:30 2014 : Info: [eap] processing type tls Wed Aug 13 19:11:30 2014 : Info: [tls] Initiate Wed Aug 13 19:11:30 2014 : Info: [tls] Start returned 1 Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns handled Sending Access-Challenge of id 101 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xce049ae9ce068f152ab18dd0a9f47460 Wed Aug 13 19:11:30 2014 : Info: Finished request 0. Wed Aug 13 19:11:30 2014 : Debug: Going to the next request Wed Aug 13 19:11:30 2014 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=102, length=373 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000006c453ebb861" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202009815800000008e160301008901000085030153ebb86267f54fc71b8caba32338c6ac7b304b74e7b8ea6d3121e26a2ed7c8d800004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100 State = 0xce049ae9ce068f152ab18dd0a9f47460 Message-Authenticator = 0x5bde15e0f296c2eec38dd20a652cce44 Wed Aug 13 19:11:30 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authorize {...} Wed Aug 13 19:11:30 2014 : Info: ++[preprocess] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[chap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[mschap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[digest] returns noop Wed Aug 13 19:11:30 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Wed Aug 13 19:11:30 2014 : Info: [suffix] No such realm "NULL" Wed Aug 13 19:11:30 2014 : Info: ++[suffix] returns noop Wed Aug 13 19:11:30 2014 : Info: [eap] EAP packet type response id 2 length 152 Wed Aug 13 19:11:30 2014 : Info: [eap] Continuing tunnel setup. Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns ok Wed Aug 13 19:11:30 2014 : Info: Found Auth-Type = EAP Wed Aug 13 19:11:30 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authenticate {...} Wed Aug 13 19:11:30 2014 : Info: [eap] Request found, released from the list Wed Aug 13 19:11:30 2014 : Info: [eap] EAP/ttls Wed Aug 13 19:11:30 2014 : Info: [eap] processing type ttls Wed Aug 13 19:11:30 2014 : Info: [ttls] Authenticate Wed Aug 13 19:11:30 2014 : Info: [ttls] processing EAP-TLS Wed Aug 13 19:11:30 2014 : Debug: TLS Length 142 Wed Aug 13 19:11:30 2014 : Info: [ttls] Length Included Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_verify returned 11 Wed Aug 13 19:11:30 2014 : Info: [ttls] (other): before/accept initialization Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: before/accept initialization Wed Aug 13 19:11:30 2014 : Info: [ttls] <<< TLS 1.0 Handshake [length 0089], ClientHello Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 read client hello A Wed Aug 13 19:11:30 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 write server hello A Wed Aug 13 19:11:30 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 02c4], Certificate Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 write certificate A Wed Aug 13 19:11:30 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 write key exchange A Wed Aug 13 19:11:30 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 write server done A Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 flush data Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A Wed Aug 13 19:11:30 2014 : Debug: In SSL Handshake Phase Wed Aug 13 19:11:30 2014 : Debug: In SSL Accept mode Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_process returned 13 Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns handled Sending Access-Challenge of id 102 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x0103040015c000000460160301003902000035030153ebb862012b65c4fb6e4f52554f17ee124440bd460ba5b87053e8744206bfc600c01400000dff01000100000b00040300010216030102c40b0002c00002bd0002ba308202b63082019ea003020102020900b507e231935d6b3f300d06092a864886f70d010105050030133111300f060355040313086f70656e6c646170301e170d3134303830373232333035385a170d3234303830343232333035385a30133111300f060355040313086f70656e6c64617030820122300d06092a864886f70d01010105000382010f003082010a0282010100bae7e24798efa862ea1659a17ac74864a297d09a EAP-Message = 0x249d8e467e1a40a3fc4fdcf36e73ac43cc11e5df4978020ae6af6c12d0a98f7c90d0352eae9c5b9c8364cffe115b833c52bfbcb43c292c303ee0f8cca82a3732ed53bcdba3905a9f030c9bf242e7482f28c0a30e5210afbf064e6129cef1358e30942581621b927da448fcea0fcca181c7ea6ac7385946513bd092e7ccf41df13f7a4f498533947d1f0451659c20977cfddeb5ffadef948b8f876a1bbba0f2a574e05daf8fe696a828973f21674abc246ca73279dcd5fe1720f1140b3f351427fc5be4a4158fb31d2b46643e0bbef9297b892cea88babfcb26e53bcc981bec71b84d0fb21760176f5d12adc90203010001a30d300b30090603551d1304 EAP-Message = 0x023000300d06092a864886f70d010105050003820101009a35e4dddb99265dfbe96dbd2dd5efcec97ebbb6111d42b313a0d7b6f29a4a4cc378c154afc028a986a118ddf1e611aa3fda9ed59c9f745663fcfd2655891584047b99042c2f7d3757ff92e86d008a55dac7e1e2a8f7e67711fec590812461e9de753eacf30285e44c3c7ecc31671d4ccbfdc6de65536e8b780cbf05ca5e0442748ccc7356f315baac1cc9bb528198bba1526d18213171b26e3676162be28056600762ed21df47ca64f29fb8b9853b8e84731708c7e7c5b0862c3d61aa07b37b89eb915e0fb7f5867a9eb9346574bfc112aa4ea45ae9bae8fdf44b9cedbd3ba5082046a7de23 EAP-Message = 0xc8fefa2502dad1e8da8bf54443bc2b061a301dd93689ce6867d9160301014b0c000147030017410435796b6c770b407c2ebab35a3d09b54da0cc51fc29e0127a4e712087f927a4ec66a4001d8e03338aca7c1dc10908145a3965b1b289246e63ea9af938293a140201008264e93ba4a0e00fe8a2a603aa05a33cdaf5c24318fc220ad64b624ef88b45fba17d3acc2c10d3e5637b914657ace3c36cab6a5f1c364cb4d73ada622674017ddaecbb02453a2b48ed183114904b75fd62beccbc2e9af4aebffb4914aab0ac1bb3c9e69c5b8556b8bb6d5144fcf81eb91ed845f3280442d546b1b4a5ab6867e9d5f50773d21d4f335f695b5fc386f0d37beefc EAP-Message = 0x56c2aca56a2c087629999c71 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xce049ae9cf078f152ab18dd0a9f47460 Wed Aug 13 19:11:30 2014 : Info: Finished request 1. Wed Aug 13 19:11:30 2014 : Debug: Going to the next request Wed Aug 13 19:11:30 2014 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=103, length=227 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000006c453ebb861" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061500 State = 0xce049ae9cf078f152ab18dd0a9f47460 Message-Authenticator = 0xb8e667ae4d70cf7ba99ff183a7a889cb Wed Aug 13 19:11:30 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authorize {...} Wed Aug 13 19:11:30 2014 : Info: ++[preprocess] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[chap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[mschap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[digest] returns noop Wed Aug 13 19:11:30 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Wed Aug 13 19:11:30 2014 : Info: [suffix] No such realm "NULL" Wed Aug 13 19:11:30 2014 : Info: ++[suffix] returns noop Wed Aug 13 19:11:30 2014 : Info: [eap] EAP packet type response id 3 length 6 Wed Aug 13 19:11:30 2014 : Info: [eap] Continuing tunnel setup. Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns ok Wed Aug 13 19:11:30 2014 : Info: Found Auth-Type = EAP Wed Aug 13 19:11:30 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authenticate {...} Wed Aug 13 19:11:30 2014 : Info: [eap] Request found, released from the list Wed Aug 13 19:11:30 2014 : Info: [eap] EAP/ttls Wed Aug 13 19:11:30 2014 : Info: [eap] processing type ttls Wed Aug 13 19:11:30 2014 : Info: [ttls] Authenticate Wed Aug 13 19:11:30 2014 : Info: [ttls] processing EAP-TLS Wed Aug 13 19:11:30 2014 : Info: [ttls] Received TLS ACK Wed Aug 13 19:11:30 2014 : Info: [ttls] ACK handshake fragment handler Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_verify returned 1 Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_process returned 13 Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns handled Sending Access-Challenge of id 103 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x01040074158000000460f3411c40ef6cbf1635e4b4c7c71d18b883360ad6c27db542a4ffa0196c0b2ff8daca2101a3b4a35171415bdf6b68817425eb344c2e5e5a6794c0f1002aa59f631cb9c5135d716d9664afa8a76e9f2ee942decefd1b459b2dbb216aa655697391b416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xce049ae9cc008f152ab18dd0a9f47460 Wed Aug 13 19:11:30 2014 : Info: Finished request 2. Wed Aug 13 19:11:30 2014 : Debug: Going to the next request Wed Aug 13 19:11:30 2014 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=104, length=365 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000006c453ebb861" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400901580000000861603010046100000424104004576a5ac3ee43c0112ce47d295aa54d21d71076fd64b293d0d59fff21795217e1ac2b3934427d9740a789cd8731e1bd52c246904d4414a1877b375e67df9f31403010001011603010030da43e9a2a8d1bb853ae1740aaf5964dc58b28263a25f1dbc40149b8d0aa0a62b22a690caf5fa2c9663e53591a55e3100 State = 0xce049ae9cc008f152ab18dd0a9f47460 Message-Authenticator = 0x9582ab96a0b46bdb12bc99449a415f67 Wed Aug 13 19:11:30 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authorize {...} Wed Aug 13 19:11:30 2014 : Info: ++[preprocess] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[chap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[mschap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[digest] returns noop Wed Aug 13 19:11:30 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Wed Aug 13 19:11:30 2014 : Info: [suffix] No such realm "NULL" Wed Aug 13 19:11:30 2014 : Info: ++[suffix] returns noop Wed Aug 13 19:11:30 2014 : Info: [eap] EAP packet type response id 4 length 144 Wed Aug 13 19:11:30 2014 : Info: [eap] Continuing tunnel setup. Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns ok Wed Aug 13 19:11:30 2014 : Info: Found Auth-Type = EAP Wed Aug 13 19:11:30 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authenticate {...} Wed Aug 13 19:11:30 2014 : Info: [eap] Request found, released from the list Wed Aug 13 19:11:30 2014 : Info: [eap] EAP/ttls Wed Aug 13 19:11:30 2014 : Info: [eap] processing type ttls Wed Aug 13 19:11:30 2014 : Info: [ttls] Authenticate Wed Aug 13 19:11:30 2014 : Info: [ttls] processing EAP-TLS Wed Aug 13 19:11:30 2014 : Debug: TLS Length 134 Wed Aug 13 19:11:30 2014 : Info: [ttls] Length Included Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_verify returned 11 Wed Aug 13 19:11:30 2014 : Info: [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 read client key exchange A Wed Aug 13 19:11:30 2014 : Info: [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] Wed Aug 13 19:11:30 2014 : Info: [ttls] <<< TLS 1.0 Handshake [length 0010], Finished Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 read finished A Wed Aug 13 19:11:30 2014 : Info: [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 write change cipher spec A Wed Aug 13 19:11:30 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 0010], Finished Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 write finished A Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 flush data Wed Aug 13 19:11:30 2014 : Info: [ttls] (other): SSL negotiation finished successfully Wed Aug 13 19:11:30 2014 : Debug: SSL Connection Established Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_process returned 13 Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns handled Sending Access-Challenge of id 104 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x0105004515800000003b1403010001011603010030479426af6e1c12503738a32e262e84a4c666ea99fb6f5a80df674f2146e70be7e6187626844cccb9362ac032ee1b5de3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xce049ae9cd018f152ab18dd0a9f47460 Wed Aug 13 19:11:30 2014 : Info: Finished request 3. Wed Aug 13 19:11:30 2014 : Debug: Going to the next request Wed Aug 13 19:11:30 2014 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=105, length=300 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000006c453ebb861" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0205004f15800000004517030100407bbbae1e3e6f6eee806cadf4038fc633b025b87de4bfe6c62065214c14dc49fba070a2a5ae82ba25538125ce60ed1e16eebeb7ad9c5eaa990c2be82e7b18f38e State = 0xce049ae9cd018f152ab18dd0a9f47460 Message-Authenticator = 0x641909bf4fd27987f4b839410ca1f707 Wed Aug 13 19:11:30 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authorize {...} Wed Aug 13 19:11:30 2014 : Info: ++[preprocess] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[chap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[mschap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[digest] returns noop Wed Aug 13 19:11:30 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Wed Aug 13 19:11:30 2014 : Info: [suffix] No such realm "NULL" Wed Aug 13 19:11:30 2014 : Info: ++[suffix] returns noop Wed Aug 13 19:11:30 2014 : Info: [eap] EAP packet type response id 5 length 79 Wed Aug 13 19:11:30 2014 : Info: [eap] Continuing tunnel setup. Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns ok Wed Aug 13 19:11:30 2014 : Info: Found Auth-Type = EAP Wed Aug 13 19:11:30 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authenticate {...} Wed Aug 13 19:11:30 2014 : Info: [eap] Request found, released from the list Wed Aug 13 19:11:30 2014 : Info: [eap] EAP/ttls Wed Aug 13 19:11:30 2014 : Info: [eap] processing type ttls Wed Aug 13 19:11:30 2014 : Info: [ttls] Authenticate Wed Aug 13 19:11:30 2014 : Info: [ttls] processing EAP-TLS Wed Aug 13 19:11:30 2014 : Debug: TLS Length 69 Wed Aug 13 19:11:30 2014 : Info: [ttls] Length Included Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_verify returned 11 Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_process returned 7 Wed Aug 13 19:11:30 2014 : Info: [ttls] Session established. Proceeding to decode tunneled attributes. TTLS tunnel data in 0000: 00 00 00 01 00 00 00 0f 6a 6f 65 75 73 65 72 00 TTLS tunnel data in 0010: 00 00 00 02 00 00 00 18 70 61 73 73 77 6f 72 64 TTLS tunnel data in 0020: 00 00 00 00 00 00 00 00 Wed Aug 13 19:11:30 2014 : Info: [ttls] Got tunneled request User-Name = "joeuser" User-Password = "password" FreeRADIUS-Proxied-To = 127.0.0.1 Wed Aug 13 19:11:30 2014 : Info: [ttls] Sending tunneled request User-Name = "joeuser" User-Password = "password" FreeRADIUS-Proxied-To = 127.0.0.1 Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000006c453ebb861" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 server inner-tunnel { Wed Aug 13 19:11:30 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel Wed Aug 13 19:11:30 2014 : Info: +- entering group authorize {...} Wed Aug 13 19:11:30 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) Wed Aug 13 19:11:30 2014 : Debug: [ldap] Entering ldap_groupcmp() Wed Aug 13 19:11:30 2014 : Info: expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Wed Aug 13 19:11:30 2014 : Info: expand: %{Stripped-User-Name} -> Wed Aug 13 19:11:30 2014 : Info: ... expanding second conditional Wed Aug 13 19:11:30 2014 : Info: expand: %{User-Name} -> joeuser Wed Aug 13 19:11:30 2014 : Info: expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 13 19:11:30 2014 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] performing search in ou=corp,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Wed Aug 13 19:11:30 2014 : Debug: [ldap] object not found Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 13 19:11:30 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=corp,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. Wed Aug 13 19:11:30 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/) -> FALSE Wed Aug 13 19:11:30 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE Wed Aug 13 19:11:30 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) Wed Aug 13 19:11:30 2014 : Debug: [ldap] Entering ldap_groupcmp() Wed Aug 13 19:11:30 2014 : Info: expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Wed Aug 13 19:11:30 2014 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] performing search in ou=dev,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Wed Aug 13 19:11:30 2014 : Debug: [ldap] object not found Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 13 19:11:30 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=dev,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. Wed Aug 13 19:11:30 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/) -> FALSE Wed Aug 13 19:11:30 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE Wed Aug 13 19:11:30 2014 : Info: ++[chap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[mschap] returns noop Wed Aug 13 19:11:30 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Wed Aug 13 19:11:30 2014 : Info: [suffix] No such realm "NULL" Wed Aug 13 19:11:30 2014 : Info: ++[suffix] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[control] returns noop Wed Aug 13 19:11:30 2014 : Info: [eap] No EAP-Message, not doing EAP Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[files] returns noop Wed Aug 13 19:11:30 2014 : Info: [ldap] performing user authorization for joeuser Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: %{Stripped-User-Name} -> Wed Aug 13 19:11:30 2014 : Info: [ldap] ... expanding second conditional Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: %{User-Name} -> joeuser Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Wed Aug 13 19:11:30 2014 : Info: [ldap] No default NMAS login sequence Wed Aug 13 19:11:30 2014 : Info: [ldap] looking for check items in directory... Wed Aug 13 19:11:30 2014 : Debug: [ldap] userPassword -> Password-With-Header == "{MD5}X03MO1qnZdYdgyfeuILPmQ==" Wed Aug 13 19:11:30 2014 : Info: [ldap] looking for reply items in directory... Wed Aug 13 19:11:30 2014 : Info: [ldap] user joeuser authorized to use remote access Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 13 19:11:30 2014 : Info: ++[ldap] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[expiration] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[logintime] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[pap] returns updated Wed Aug 13 19:11:30 2014 : Info: Found Auth-Type = PAP Wed Aug 13 19:11:30 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel Wed Aug 13 19:11:30 2014 : Info: +- entering group PAP {...} Wed Aug 13 19:11:30 2014 : Info: [pap] login attempt with password "password" Wed Aug 13 19:11:30 2014 : Info: [pap] Using MD5 encryption. Wed Aug 13 19:11:30 2014 : Info: [pap] Normalizing MD5-Password from base64 encoding Wed Aug 13 19:11:30 2014 : Info: [pap] User authenticated successfully Wed Aug 13 19:11:30 2014 : Info: ++[pap] returns ok Wed Aug 13 19:11:30 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel Wed Aug 13 19:11:30 2014 : Info: +- entering group post-auth {...} Wed Aug 13 19:11:30 2014 : Info: expand: %{control:Tmp-String-1} -> Wed Aug 13 19:11:30 2014 : Info: ++[reply] returns noop } # server inner-tunnel Wed Aug 13 19:11:30 2014 : Info: [ttls] Got tunneled reply code 2 Filter-Id = "" Wed Aug 13 19:11:30 2014 : Info: [ttls] Got tunneled Access-Accept Wed Aug 13 19:11:30 2014 : Info: [eap] Freeing handler Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns ok Wed Aug 13 19:11:30 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group post-auth {...} Wed Aug 13 19:11:30 2014 : Info: ++[exec] returns noop Sending Access-Accept of id 105 to xxx.xxx.xxx.xxx port 32768 Filter-Id = "" MS-MPPE-Recv-Key = 0x973c07e31d3c62b129b86e8e3c753157d7d3fa68a4a77314fa71358e280a02a8 MS-MPPE-Send-Key = 0x4a82fcf322b22593fb75a29e51144d16c5698583f60d170a3fe559c800065eec EAP-Message = 0x03050004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "joeuser" Wed Aug 13 19:11:30 2014 : Info: Finished request 4. Wed Aug 13 19:11:30 2014 : Debug: Going to the next request Wed Aug 13 19:11:30 2014 : Debug: Waking up in 4.8 seconds. Wed Aug 13 19:11:35 2014 : Info: Cleaning up request 0 ID 101 with timestamp +40 Wed Aug 13 19:11:35 2014 : Info: Cleaning up request 1 ID 102 with timestamp +40 Wed Aug 13 19:11:35 2014 : Info: Cleaning up request 2 ID 103 with timestamp +40 Wed Aug 13 19:11:35 2014 : Info: Cleaning up request 3 ID 104 with timestamp +40 Wed Aug 13 19:11:35 2014 : Info: Cleaning up request 4 ID 105 with timestamp +40 Wed Aug 13 19:11:35 2014 : Info: Ready to process requests. Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
My apologies. I went ahead and captured it now. The config has not changed. Here you go. root@openldap ~# freeradius -XXX Thu Aug 14 14:47:30 2014 : Info: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Dec 16 2012 at 13:28:43 Thu Aug 14 14:47:30 2014 : Info: Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. Thu Aug 14 14:47:30 2014 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A Thu Aug 14 14:47:30 2014 : Info: PARTICULAR PURPOSE. Thu Aug 14 14:47:30 2014 : Info: You may redistribute copies of FreeRADIUS under the terms of the Thu Aug 14 14:47:30 2014 : Info: GNU General Public License v2. Thu Aug 14 14:47:30 2014 : Info: Starting - reading configuration files ... Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/radiusd.conf Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/proxy.conf Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/clients.conf Thu Aug 14 14:47:30 2014 : Debug: including files in directory /etc/freeradius/modules/ Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/mschap Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/pam Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/digest Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/etc_group Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/detail.log Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/preprocess Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/ldap Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/smsotp Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/checkval Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/mac2ip Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/inner-eap Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/radutmp Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/replicate Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/attr_filter Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/otp Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/ippool Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/krb5 Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/chap Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/detail Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/exec Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/always Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/opendirectory Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/files Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/sradutmp Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/attr_rewrite Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/pap Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/linelog Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/unix Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/sql_log Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/expiration Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/detail.example.com Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/logintime Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/mac2vlan Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/dynamic_clients Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/perl Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/acct_unique Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/rediswho Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/ntlm_auth Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/expr Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/policy Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/realm Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/echo Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/cui Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/wimax Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/smbpasswd Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/counter Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/soh Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/passwd Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/modules/redis Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/eap.conf Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/policy.conf Thu Aug 14 14:47:30 2014 : Debug: including files in directory /etc/freeradius/sites-enabled/ Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/sites-enabled/default Thu Aug 14 14:47:30 2014 : Debug: including configuration file /etc/freeradius/sites-enabled/inner-tunnel Thu Aug 14 14:47:30 2014 : Debug: main { Thu Aug 14 14:47:30 2014 : Debug: user = "freerad" Thu Aug 14 14:47:30 2014 : Debug: group = "freerad" Thu Aug 14 14:47:30 2014 : Debug: allow_core_dumps = no Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: including dictionary file /etc/freeradius/dictionary Thu Aug 14 14:47:30 2014 : Debug: main { Thu Aug 14 14:47:30 2014 : Debug: name = "freeradius" Thu Aug 14 14:47:30 2014 : Debug: prefix = "/usr" Thu Aug 14 14:47:30 2014 : Debug: localstatedir = "/var" Thu Aug 14 14:47:30 2014 : Debug: sbindir = "/usr/sbin" Thu Aug 14 14:47:30 2014 : Debug: logdir = "/var/log/freeradius" Thu Aug 14 14:47:30 2014 : Debug: run_dir = "/var/run/freeradius" Thu Aug 14 14:47:30 2014 : Debug: libdir = "/usr/lib/freeradius" Thu Aug 14 14:47:30 2014 : Debug: radacctdir = "/var/log/freeradius/radacct" Thu Aug 14 14:47:30 2014 : Debug: hostname_lookups = no Thu Aug 14 14:47:30 2014 : Debug: max_request_time = 30 Thu Aug 14 14:47:30 2014 : Debug: cleanup_delay = 5 Thu Aug 14 14:47:30 2014 : Debug: max_requests = 1024 Thu Aug 14 14:47:30 2014 : Debug: pidfile = "/var/run/freeradius/freeradius.pid" Thu Aug 14 14:47:30 2014 : Debug: checkrad = "/usr/sbin/checkrad" Thu Aug 14 14:47:30 2014 : Debug: debug_level = 0 Thu Aug 14 14:47:30 2014 : Debug: proxy_requests = yes Thu Aug 14 14:47:30 2014 : Debug: log { Thu Aug 14 14:47:30 2014 : Debug: stripped_names = no Thu Aug 14 14:47:30 2014 : Debug: auth = no Thu Aug 14 14:47:30 2014 : Debug: auth_badpass = no Thu Aug 14 14:47:30 2014 : Debug: auth_goodpass = no Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: security { Thu Aug 14 14:47:30 2014 : Debug: max_attributes = 200 Thu Aug 14 14:47:30 2014 : Debug: reject_delay = 1 Thu Aug 14 14:47:30 2014 : Debug: status_server = yes Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: radiusd: #### Loading Realms and Home Servers #### Thu Aug 14 14:47:30 2014 : Debug: proxy server { Thu Aug 14 14:47:30 2014 : Debug: retry_delay = 5 Thu Aug 14 14:47:30 2014 : Debug: retry_count = 3 Thu Aug 14 14:47:30 2014 : Debug: default_fallback = no Thu Aug 14 14:47:30 2014 : Debug: dead_time = 120 Thu Aug 14 14:47:30 2014 : Debug: wake_all_if_all_dead = no Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: home_server localhost { Thu Aug 14 14:47:30 2014 : Debug: ipaddr = 127.0.0.1 Thu Aug 14 14:47:30 2014 : Debug: port = 1812 Thu Aug 14 14:47:30 2014 : Debug: type = "auth" Thu Aug 14 14:47:30 2014 : Debug: secret = "testing123" Thu Aug 14 14:47:30 2014 : Debug: response_window = 20 Thu Aug 14 14:47:30 2014 : Debug: max_outstanding = 65536 Thu Aug 14 14:47:30 2014 : Debug: require_message_authenticator = yes Thu Aug 14 14:47:30 2014 : Debug: zombie_period = 40 Thu Aug 14 14:47:30 2014 : Debug: status_check = "status-server" Thu Aug 14 14:47:30 2014 : Debug: ping_interval = 30 Thu Aug 14 14:47:30 2014 : Debug: check_interval = 30 Thu Aug 14 14:47:30 2014 : Debug: num_answers_to_alive = 3 Thu Aug 14 14:47:30 2014 : Debug: num_pings_to_alive = 3 Thu Aug 14 14:47:30 2014 : Debug: revive_interval = 120 Thu Aug 14 14:47:30 2014 : Debug: status_check_timeout = 4 Thu Aug 14 14:47:30 2014 : Debug: coa { Thu Aug 14 14:47:30 2014 : Debug: irt = 2 Thu Aug 14 14:47:30 2014 : Debug: mrt = 16 Thu Aug 14 14:47:30 2014 : Debug: mrc = 5 Thu Aug 14 14:47:30 2014 : Debug: mrd = 30 Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: home_server_pool my_auth_failover { Thu Aug 14 14:47:30 2014 : Debug: type = fail-over Thu Aug 14 14:47:30 2014 : Debug: home_server = localhost Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: realm example.com { Thu Aug 14 14:47:30 2014 : Debug: auth_pool = my_auth_failover Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: realm LOCAL { Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: radiusd: #### Loading Clients #### Thu Aug 14 14:47:30 2014 : Debug: client 0.0.0.0/0 { Thu Aug 14 14:47:30 2014 : Debug: require_message_authenticator = no Thu Aug 14 14:47:30 2014 : Debug: secret = "supersecretsecret" Thu Aug 14 14:47:30 2014 : Debug: nastype = "other" Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: client localhost { Thu Aug 14 14:47:30 2014 : Debug: ipaddr = 127.0.0.1 Thu Aug 14 14:47:30 2014 : Debug: require_message_authenticator = no Thu Aug 14 14:47:30 2014 : Debug: secret = "supersecretsecret" Thu Aug 14 14:47:30 2014 : Debug: nastype = "other" Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: radiusd: #### Instantiating modules #### Thu Aug 14 14:47:30 2014 : Debug: instantiate { Thu Aug 14 14:47:30 2014 : Debug: (Loaded rlm_exec, checking if it's valid) Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to module rlm_exec Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating module "exec" from file /etc/freeradius/modules/exec Thu Aug 14 14:47:30 2014 : Debug: exec { Thu Aug 14 14:47:30 2014 : Debug: wait = no Thu Aug 14 14:47:30 2014 : Debug: input_pairs = "request" Thu Aug 14 14:47:30 2014 : Debug: shell_escape = yes Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: (Loaded rlm_expr, checking if it's valid) Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to module rlm_expr Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Thu Aug 14 14:47:30 2014 : Debug: (Loaded rlm_expiration, checking if it's valid) Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to module rlm_expiration Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration Thu Aug 14 14:47:30 2014 : Debug: expiration { Thu Aug 14 14:47:30 2014 : Debug: reply-message = "Password Has Expired " Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: (Loaded rlm_logintime, checking if it's valid) Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to module rlm_logintime Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime Thu Aug 14 14:47:30 2014 : Debug: logintime { Thu Aug 14 14:47:30 2014 : Debug: reply-message = "You are calling outside your allowed timespan " Thu Aug 14 14:47:30 2014 : Debug: minimum-timeout = 60 Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: radiusd: #### Loading Virtual Servers #### Thu Aug 14 14:47:30 2014 : Debug: server { # from file /etc/freeradius/radiusd.conf Thu Aug 14 14:47:30 2014 : Debug: modules { Thu Aug 14 14:47:30 2014 : Debug: Module: Creating Auth-Type = digest Thu Aug 14 14:47:30 2014 : Debug: Module: Creating Post-Auth-Type = REJECT Thu Aug 14 14:47:30 2014 : Debug: Module: Checking authenticate {...} for more modules to load Thu Aug 14 14:47:30 2014 : Debug: (Loaded rlm_pap, checking if it's valid) Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to module rlm_pap Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating module "pap" from file /etc/freeradius/modules/pap Thu Aug 14 14:47:30 2014 : Debug: pap { Thu Aug 14 14:47:30 2014 : Debug: encryption_scheme = "auto" Thu Aug 14 14:47:30 2014 : Debug: auto_header = no Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: (Loaded rlm_chap, checking if it's valid) Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to module rlm_chap Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Thu Aug 14 14:47:30 2014 : Debug: (Loaded rlm_mschap, checking if it's valid) Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to module rlm_mschap Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap Thu Aug 14 14:47:30 2014 : Debug: mschap { Thu Aug 14 14:47:30 2014 : Debug: use_mppe = yes Thu Aug 14 14:47:30 2014 : Debug: require_encryption = no Thu Aug 14 14:47:30 2014 : Debug: require_strong = no Thu Aug 14 14:47:30 2014 : Debug: with_ntdomain_hack = no Thu Aug 14 14:47:30 2014 : Debug: allow_retry = yes Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: (Loaded rlm_digest, checking if it's valid) Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to module rlm_digest Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Thu Aug 14 14:47:30 2014 : Debug: (Loaded rlm_unix, checking if it's valid) Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to module rlm_unix Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating module "unix" from file /etc/freeradius/modules/unix Thu Aug 14 14:47:30 2014 : Debug: unix { Thu Aug 14 14:47:30 2014 : Debug: radwtmp = "/var/log/freeradius/radwtmp" Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: (Loaded rlm_eap, checking if it's valid) Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to module rlm_eap Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating module "eap" from file /etc/freeradius/eap.conf Thu Aug 14 14:47:30 2014 : Debug: eap { Thu Aug 14 14:47:30 2014 : Debug: default_eap_type = "ttls" Thu Aug 14 14:47:30 2014 : Debug: timer_expire = 60 Thu Aug 14 14:47:30 2014 : Debug: ignore_unknown_eap_types = no Thu Aug 14 14:47:30 2014 : Debug: cisco_accounting_username_bug = no Thu Aug 14 14:47:30 2014 : Debug: max_sessions = 4096 Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to sub-module rlm_eap_md5 Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating eap-md5 Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to sub-module rlm_eap_leap Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating eap-leap Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to sub-module rlm_eap_gtc Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating eap-gtc Thu Aug 14 14:47:30 2014 : Debug: gtc { Thu Aug 14 14:47:30 2014 : Debug: challenge = "Password: " Thu Aug 14 14:47:30 2014 : Debug: auth_type = "PAP" Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to sub-module rlm_eap_tls Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating eap-tls Thu Aug 14 14:47:30 2014 : Debug: tls { Thu Aug 14 14:47:30 2014 : Debug: rsa_key_exchange = no Thu Aug 14 14:47:30 2014 : Debug: dh_key_exchange = yes Thu Aug 14 14:47:30 2014 : Debug: rsa_key_length = 512 Thu Aug 14 14:47:30 2014 : Debug: dh_key_length = 512 Thu Aug 14 14:47:30 2014 : Debug: verify_depth = 0 Thu Aug 14 14:47:30 2014 : Debug: CA_path = "/etc/freeradius/certs" Thu Aug 14 14:47:30 2014 : Debug: pem_file_type = yes Thu Aug 14 14:47:30 2014 : Debug: private_key_file = "/etc/freeradius/certs/server.key" Thu Aug 14 14:47:30 2014 : Debug: certificate_file = "/etc/freeradius/certs/server.pem" Thu Aug 14 14:47:30 2014 : Debug: CA_file = "/etc/freeradius/certs/ca.pem" Thu Aug 14 14:47:30 2014 : Debug: private_key_password = "whatever" Thu Aug 14 14:47:30 2014 : Debug: dh_file = "/etc/freeradius/certs/dh" Thu Aug 14 14:47:30 2014 : Debug: random_file = "/dev/urandom" Thu Aug 14 14:47:30 2014 : Debug: fragment_size = 1024 Thu Aug 14 14:47:30 2014 : Debug: include_length = yes Thu Aug 14 14:47:30 2014 : Debug: check_crl = no Thu Aug 14 14:47:30 2014 : Debug: cipher_list = "DEFAULT" Thu Aug 14 14:47:30 2014 : Debug: make_cert_command = "/etc/freeradius/certs/bootstrap" Thu Aug 14 14:47:30 2014 : Debug: ecdh_curve = "prime256v1" Thu Aug 14 14:47:30 2014 : Debug: cache { Thu Aug 14 14:47:30 2014 : Debug: enable = no Thu Aug 14 14:47:30 2014 : Debug: lifetime = 24 Thu Aug 14 14:47:30 2014 : Debug: max_entries = 255 Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: verify { Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: ocsp { Thu Aug 14 14:47:30 2014 : Debug: enable = no Thu Aug 14 14:47:30 2014 : Debug: override_cert_url = yes Thu Aug 14 14:47:30 2014 : Debug: url = "http://127.0.0.1/ocsp/" Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to sub-module rlm_eap_ttls Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating eap-ttls Thu Aug 14 14:47:30 2014 : Debug: ttls { Thu Aug 14 14:47:30 2014 : Debug: default_eap_type = "md5" Thu Aug 14 14:47:30 2014 : Debug: copy_request_to_tunnel = yes Thu Aug 14 14:47:30 2014 : Debug: use_tunneled_reply = yes Thu Aug 14 14:47:30 2014 : Debug: virtual_server = "inner-tunnel" Thu Aug 14 14:47:30 2014 : Debug: include_length = yes Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to sub-module rlm_eap_peap Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating eap-peap Thu Aug 14 14:47:30 2014 : Debug: peap { Thu Aug 14 14:47:30 2014 : Debug: default_eap_type = "mschapv2" Thu Aug 14 14:47:30 2014 : Debug: copy_request_to_tunnel = no Thu Aug 14 14:47:30 2014 : Debug: use_tunneled_reply = no Thu Aug 14 14:47:30 2014 : Debug: proxy_tunneled_request_as_eap = yes Thu Aug 14 14:47:30 2014 : Debug: virtual_server = "inner-tunnel" Thu Aug 14 14:47:30 2014 : Debug: soh = no Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to sub-module rlm_eap_mschapv2 Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating eap-mschapv2 Thu Aug 14 14:47:30 2014 : Debug: mschapv2 { Thu Aug 14 14:47:30 2014 : Debug: with_ntdomain_hack = no Thu Aug 14 14:47:30 2014 : Debug: send_error = no Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: Module: Checking authorize {...} for more modules to load Thu Aug 14 14:47:30 2014 : Debug: (Loaded rlm_preprocess, checking if it's valid) Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to module rlm_preprocess Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess Thu Aug 14 14:47:30 2014 : Debug: preprocess { Thu Aug 14 14:47:30 2014 : Debug: huntgroups = "/etc/freeradius/huntgroups" Thu Aug 14 14:47:30 2014 : Debug: hints = "/etc/freeradius/hints" Thu Aug 14 14:47:30 2014 : Debug: with_ascend_hack = no Thu Aug 14 14:47:30 2014 : Debug: ascend_channels_per_line = 23 Thu Aug 14 14:47:30 2014 : Debug: with_ntdomain_hack = no Thu Aug 14 14:47:30 2014 : Debug: with_specialix_jetstream_hack = no Thu Aug 14 14:47:30 2014 : Debug: with_cisco_vsa_hack = no Thu Aug 14 14:47:30 2014 : Debug: with_alvarion_vsa_hack = no Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: (Loaded rlm_realm, checking if it's valid) Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to module rlm_realm Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm Thu Aug 14 14:47:30 2014 : Debug: realm suffix { Thu Aug 14 14:47:30 2014 : Debug: format = "suffix" Thu Aug 14 14:47:30 2014 : Debug: delimiter = "@" Thu Aug 14 14:47:30 2014 : Debug: ignore_default = no Thu Aug 14 14:47:30 2014 : Debug: ignore_null = no Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: (Loaded rlm_files, checking if it's valid) Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to module rlm_files Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating module "files" from file /etc/freeradius/modules/files Thu Aug 14 14:47:30 2014 : Debug: files { Thu Aug 14 14:47:30 2014 : Debug: usersfile = "/etc/freeradius/users" Thu Aug 14 14:47:30 2014 : Debug: acctusersfile = "/etc/freeradius/acct_users" Thu Aug 14 14:47:30 2014 : Debug: preproxy_usersfile = "/etc/freeradius/preproxy_users" Thu Aug 14 14:47:30 2014 : Debug: compat = "no" Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: (Loaded rlm_ldap, checking if it's valid) Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to module rlm_ldap Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap Thu Aug 14 14:47:30 2014 : Debug: ldap { Thu Aug 14 14:47:30 2014 : Debug: server = "localhost" Thu Aug 14 14:47:30 2014 : Debug: port = 389 Thu Aug 14 14:47:30 2014 : Debug: password = “supersecretsecret" Thu Aug 14 14:47:30 2014 : Debug: identity = "cn=admin,dc=team,dc=company,dc=com" Thu Aug 14 14:47:30 2014 : Debug: net_timeout = 1 Thu Aug 14 14:47:30 2014 : Debug: timeout = 4 Thu Aug 14 14:47:30 2014 : Debug: timelimit = 3 Thu Aug 14 14:47:30 2014 : Debug: tls_mode = no Thu Aug 14 14:47:30 2014 : Debug: start_tls = no Thu Aug 14 14:47:30 2014 : Debug: tls_require_cert = "allow" Thu Aug 14 14:47:30 2014 : Debug: tls { Thu Aug 14 14:47:30 2014 : Debug: start_tls = no Thu Aug 14 14:47:30 2014 : Debug: require_cert = "allow" Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: basedn = "ou=Users,dc=team,dc=company,dc=com" Thu Aug 14 14:47:30 2014 : Debug: filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" Thu Aug 14 14:47:30 2014 : Debug: base_filter = "(objectclass=radiusprofile)" Thu Aug 14 14:47:30 2014 : Debug: auto_header = no Thu Aug 14 14:47:30 2014 : Debug: access_attr_used_for_allow = yes Thu Aug 14 14:47:30 2014 : Debug: groupname_attribute = "cn" Thu Aug 14 14:47:30 2014 : Debug: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" Thu Aug 14 14:47:30 2014 : Debug: dictionary_mapping = "/etc/freeradius/ldap.attrmap" Thu Aug 14 14:47:30 2014 : Debug: ldap_debug = 0 Thu Aug 14 14:47:30 2014 : Debug: ldap_connections_number = 5 Thu Aug 14 14:47:30 2014 : Debug: compare_check_items = no Thu Aug 14 14:47:30 2014 : Debug: do_xlat = yes Thu Aug 14 14:47:30 2014 : Debug: edir_account_policy_check = no Thu Aug 14 14:47:30 2014 : Debug: set_auth_type = yes Thu Aug 14 14:47:30 2014 : Debug: keepalive { Thu Aug 14 14:47:30 2014 : Debug: idle = 60 Thu Aug 14 14:47:30 2014 : Debug: probes = 3 Thu Aug 14 14:47:30 2014 : Debug: interval = 3 Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: Registering ldap_groupcmp for Ldap-Group Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: Registering ldap_xlat with xlat_name ldap Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusClass mapped to RADIUS Class Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type Thu Aug 14 14:47:30 2014 : Debug: rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id Thu Aug 14 14:47:30 2014 : Debug: conns: 0x1c9c0c0 Thu Aug 14 14:47:30 2014 : Debug: Module: Checking preacct {...} for more modules to load Thu Aug 14 14:47:30 2014 : Debug: (Loaded rlm_acct_unique, checking if it's valid) Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to module rlm_acct_unique Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique Thu Aug 14 14:47:30 2014 : Debug: acct_unique { Thu Aug 14 14:47:30 2014 : Debug: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: Module: Checking accounting {...} for more modules to load Thu Aug 14 14:47:30 2014 : Debug: (Loaded rlm_detail, checking if it's valid) Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to module rlm_detail Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating module "detail" from file /etc/freeradius/modules/detail Thu Aug 14 14:47:30 2014 : Debug: detail { Thu Aug 14 14:47:30 2014 : Debug: detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" Thu Aug 14 14:47:30 2014 : Debug: header = "%t" Thu Aug 14 14:47:30 2014 : Debug: detailperm = 384 Thu Aug 14 14:47:30 2014 : Debug: dirperm = 493 Thu Aug 14 14:47:30 2014 : Debug: locking = no Thu Aug 14 14:47:30 2014 : Debug: log_packet_header = no Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: (Loaded rlm_radutmp, checking if it's valid) Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to module rlm_radutmp Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp Thu Aug 14 14:47:30 2014 : Debug: radutmp { Thu Aug 14 14:47:30 2014 : Debug: filename = "/var/log/freeradius/radutmp" Thu Aug 14 14:47:30 2014 : Debug: username = "%{User-Name}" Thu Aug 14 14:47:30 2014 : Debug: case_sensitive = yes Thu Aug 14 14:47:30 2014 : Debug: check_with_nas = yes Thu Aug 14 14:47:30 2014 : Debug: perm = 384 Thu Aug 14 14:47:30 2014 : Debug: callerid = yes Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: (Loaded rlm_attr_filter, checking if it's valid) Thu Aug 14 14:47:30 2014 : Debug: Module: Linked to module rlm_attr_filter Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter Thu Aug 14 14:47:30 2014 : Debug: attr_filter attr_filter.accounting_response { Thu Aug 14 14:47:30 2014 : Debug: attrsfile = "/etc/freeradius/attrs.accounting_response" Thu Aug 14 14:47:30 2014 : Debug: key = "%{User-Name}" Thu Aug 14 14:47:30 2014 : Debug: relaxed = no Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: Module: Checking session {...} for more modules to load Thu Aug 14 14:47:30 2014 : Debug: Module: Checking post-proxy {...} for more modules to load Thu Aug 14 14:47:30 2014 : Debug: Module: Checking post-auth {...} for more modules to load Thu Aug 14 14:47:30 2014 : Debug: Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter Thu Aug 14 14:47:30 2014 : Debug: attr_filter attr_filter.access_reject { Thu Aug 14 14:47:30 2014 : Debug: attrsfile = "/etc/freeradius/attrs.access_reject" Thu Aug 14 14:47:30 2014 : Debug: key = "%{User-Name}" Thu Aug 14 14:47:30 2014 : Debug: relaxed = no Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: } # modules Thu Aug 14 14:47:30 2014 : Debug: } # server Thu Aug 14 14:47:30 2014 : Debug: server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel Thu Aug 14 14:47:30 2014 : Debug: modules { Thu Aug 14 14:47:30 2014 : Debug: Module: Checking authenticate {...} for more modules to load Thu Aug 14 14:47:30 2014 : Debug: Module: Checking authorize {...} for more modules to load Thu Aug 14 14:47:30 2014 : Debug: Module: Checking session {...} for more modules to load Thu Aug 14 14:47:30 2014 : Debug: Module: Checking post-proxy {...} for more modules to load Thu Aug 14 14:47:30 2014 : Debug: Module: Checking post-auth {...} for more modules to load Thu Aug 14 14:47:30 2014 : Debug: } # modules Thu Aug 14 14:47:30 2014 : Debug: } # server Thu Aug 14 14:47:30 2014 : Debug: radiusd: #### Opening IP addresses and Ports #### Thu Aug 14 14:47:30 2014 : Debug: listen { Thu Aug 14 14:47:30 2014 : Debug: type = "auth" Thu Aug 14 14:47:30 2014 : Debug: ipaddr = * Thu Aug 14 14:47:30 2014 : Debug: port = 0 Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: listen { Thu Aug 14 14:47:30 2014 : Debug: type = "acct" Thu Aug 14 14:47:30 2014 : Debug: ipaddr = * Thu Aug 14 14:47:30 2014 : Debug: port = 0 Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Debug: listen { Thu Aug 14 14:47:30 2014 : Debug: type = "auth" Thu Aug 14 14:47:30 2014 : Debug: ipaddr = 127.0.0.1 Thu Aug 14 14:47:30 2014 : Debug: port = 18120 Thu Aug 14 14:47:30 2014 : Debug: } Thu Aug 14 14:47:30 2014 : Info: ... adding new socket proxy address * port 45207 Thu Aug 14 14:47:30 2014 : Debug: Listening on authentication address * port 1812 Thu Aug 14 14:47:30 2014 : Debug: Listening on accounting address * port 1813 Thu Aug 14 14:47:30 2014 : Debug: Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Thu Aug 14 14:47:30 2014 : Debug: Listening on proxy address * port 1814 Thu Aug 14 14:47:30 2014 : Info: Ready to process requests. On Aug 14, 2014, at 2:51 AM, Stefan Paetow <Stefan.Paetow@ja.net> wrote:
Alex, this is not the full output of radiusd -X (or freeradius -X). You've only included the request, not the configuration that -X spits out beforehand. Please include that portion as well.
Stefan
-----Original Message----- From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of Alex Gregory Sent: 13 August 2014 20:23 To: FreeRadius users mailing list Subject: Re: OpenLDAP Group membership to Filter-ID
I did not have that in there. I added it into the ldap module so my config now looks like:
ldap { server = "localhost" identity = "cn=admin,dc=team,dc=company,dc=com" password = xxxxx basedn = "ou=Users,dc=team,dc=company,dc=com" scope = "sub" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" ... }
Here is the output from -XXX
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=101, length=215 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000006c453ebb861" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201000c016a6f6575736572 Message-Authenticator = 0x882183e2a08a2bce65b1792c44079165 Wed Aug 13 19:11:30 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authorize {...} Wed Aug 13 19:11:30 2014 : Info: ++[preprocess] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[chap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[mschap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[digest] returns noop Wed Aug 13 19:11:30 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Wed Aug 13 19:11:30 2014 : Info: [suffix] No such realm "NULL" Wed Aug 13 19:11:30 2014 : Info: ++[suffix] returns noop Wed Aug 13 19:11:30 2014 : Info: [eap] EAP packet type response id 1 length 12 Wed Aug 13 19:11:30 2014 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns updated Wed Aug 13 19:11:30 2014 : Info: ++[files] returns noop Wed Aug 13 19:11:30 2014 : Info: [ldap] performing user authorization for joeuser Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: %{Stripped-User-Name} -> Wed Aug 13 19:11:30 2014 : Info: [ldap] ... expanding second conditional Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: %{User-Name} -> joeuser Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] attempting LDAP reconnection Wed Aug 13 19:11:30 2014 : Debug: [ldap] (re)connect to localhost:389, authentication 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] bind as cn=admin,dc=team,dc=company,dc=com/653776d05374 to localhost:389 Wed Aug 13 19:11:30 2014 : Debug: [ldap] waiting for bind result ... Wed Aug 13 19:11:30 2014 : Debug: [ldap] Bind was successful Wed Aug 13 19:11:30 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Wed Aug 13 19:11:30 2014 : Info: [ldap] No default NMAS login sequence Wed Aug 13 19:11:30 2014 : Info: [ldap] looking for check items in directory... Wed Aug 13 19:11:30 2014 : Debug: [ldap] userPassword -> Password-With-Header == "{MD5}X03MO1qnZdYdgyfeuILPmQ==" Wed Aug 13 19:11:30 2014 : Info: [ldap] looking for reply items in directory... Wed Aug 13 19:11:30 2014 : Info: [ldap] user joeuser authorized to use remote access Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 13 19:11:30 2014 : Info: ++[ldap] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[expiration] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[logintime] returns noop Wed Aug 13 19:11:30 2014 : Info: [pap] WARNING: Auth-Type already set. Not setting to PAP Wed Aug 13 19:11:30 2014 : Info: ++[pap] returns noop Wed Aug 13 19:11:30 2014 : Info: Found Auth-Type = EAP Wed Aug 13 19:11:30 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authenticate {...} Wed Aug 13 19:11:30 2014 : Info: [eap] EAP Identity Wed Aug 13 19:11:30 2014 : Info: [eap] processing type tls Wed Aug 13 19:11:30 2014 : Info: [tls] Initiate Wed Aug 13 19:11:30 2014 : Info: [tls] Start returned 1 Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns handled Sending Access-Challenge of id 101 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xce049ae9ce068f152ab18dd0a9f47460 Wed Aug 13 19:11:30 2014 : Info: Finished request 0. Wed Aug 13 19:11:30 2014 : Debug: Going to the next request Wed Aug 13 19:11:30 2014 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=102, length=373 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000006c453ebb861" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202009815800000008e160301008901000085030153ebb86267f54fc71b8caba32338c6ac7b304b74e7b8ea6d3121e26a2ed7c8d800004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100 State = 0xce049ae9ce068f152ab18dd0a9f47460 Message-Authenticator = 0x5bde15e0f296c2eec38dd20a652cce44 Wed Aug 13 19:11:30 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authorize {...} Wed Aug 13 19:11:30 2014 : Info: ++[preprocess] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[chap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[mschap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[digest] returns noop Wed Aug 13 19:11:30 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Wed Aug 13 19:11:30 2014 : Info: [suffix] No such realm "NULL" Wed Aug 13 19:11:30 2014 : Info: ++[suffix] returns noop Wed Aug 13 19:11:30 2014 : Info: [eap] EAP packet type response id 2 length 152 Wed Aug 13 19:11:30 2014 : Info: [eap] Continuing tunnel setup. Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns ok Wed Aug 13 19:11:30 2014 : Info: Found Auth-Type = EAP Wed Aug 13 19:11:30 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authenticate {...} Wed Aug 13 19:11:30 2014 : Info: [eap] Request found, released from the list Wed Aug 13 19:11:30 2014 : Info: [eap] EAP/ttls Wed Aug 13 19:11:30 2014 : Info: [eap] processing type ttls Wed Aug 13 19:11:30 2014 : Info: [ttls] Authenticate Wed Aug 13 19:11:30 2014 : Info: [ttls] processing EAP-TLS Wed Aug 13 19:11:30 2014 : Debug: TLS Length 142 Wed Aug 13 19:11:30 2014 : Info: [ttls] Length Included Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_verify returned 11 Wed Aug 13 19:11:30 2014 : Info: [ttls] (other): before/accept initialization Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: before/accept initialization Wed Aug 13 19:11:30 2014 : Info: [ttls] <<< TLS 1.0 Handshake [length 0089], ClientHello Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 read client hello A Wed Aug 13 19:11:30 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 write server hello A Wed Aug 13 19:11:30 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 02c4], Certificate Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 write certificate A Wed Aug 13 19:11:30 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 write key exchange A Wed Aug 13 19:11:30 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 write server done A Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 flush data Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A Wed Aug 13 19:11:30 2014 : Debug: In SSL Handshake Phase Wed Aug 13 19:11:30 2014 : Debug: In SSL Accept mode Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_process returned 13 Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns handled Sending Access-Challenge of id 102 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x0103040015c000000460160301003902000035030153ebb862012b65c4fb6e4f52554f17ee124440bd460ba5b87053e8744206bfc600c01400000dff01000100000b00040300010216030102c40b0002c00002bd0002ba308202b63082019ea003020102020900b507e231935d6b3f300d06092a864886f70d010105050030133111300f060355040313086f70656e6c646170301e170d3134303830373232333035385a170d3234303830343232333035385a30133111300f060355040313086f70656e6c64617030820122300d06092a864886f70d01010105000382010f003082010a0282010100bae7e24798efa862ea1659a17ac74864a297d09a EAP-Message = 0x249d8e467e1a40a3fc4fdcf36e73ac43cc11e5df4978020ae6af6c12d0a98f7c90d0352eae9c5b9c8364cffe115b833c52bfbcb43c292c303ee0f8cca82a3732ed53bcdba3905a9f030c9bf242e7482f28c0a30e5210afbf064e6129cef1358e30942581621b927da448fcea0fcca181c7ea6ac7385946513bd092e7ccf41df13f7a4f498533947d1f0451659c20977cfddeb5ffadef948b8f876a1bbba0f2a574e05daf8fe696a828973f21674abc246ca73279dcd5fe1720f1140b3f351427fc5be4a4158fb31d2b46643e0bbef9297b892cea88babfcb26e53bcc981bec71b84d0fb21760176f5d12adc90203010001a30d300b30090603551d1304 EAP-Message = 0x023000300d06092a864886f70d010105050003820101009a35e4dddb99265dfbe96dbd2dd5efcec97ebbb6111d42b313a0d7b6f29a4a4cc378c154afc028a986a118ddf1e611aa3fda9ed59c9f745663fcfd2655891584047b99042c2f7d3757ff92e86d008a55dac7e1e2a8f7e67711fec590812461e9de753eacf30285e44c3c7ecc31671d4ccbfdc6de65536e8b780cbf05ca5e0442748ccc7356f315baac1cc9bb528198bba1526d18213171b26e3676162be28056600762ed21df47ca64f29fb8b9853b8e84731708c7e7c5b0862c3d61aa07b37b89eb915e0fb7f5867a9eb9346574bfc112aa4ea45ae9bae8fdf44b9cedbd3ba5082046a7de23 EAP-Message = 0xc8fefa2502dad1e8da8bf54443bc2b061a301dd93689ce6867d9160301014b0c000147030017410435796b6c770b407c2ebab35a3d09b54da0cc51fc29e0127a4e712087f927a4ec66a4001d8e03338aca7c1dc10908145a3965b1b289246e63ea9af938293a140201008264e93ba4a0e00fe8a2a603aa05a33cdaf5c24318fc220ad64b624ef88b45fba17d3acc2c10d3e5637b914657ace3c36cab6a5f1c364cb4d73ada622674017ddaecbb02453a2b48ed183114904b75fd62beccbc2e9af4aebffb4914aab0ac1bb3c9e69c5b8556b8bb6d5144fcf81eb91ed845f3280442d546b1b4a5ab6867e9d5f50773d21d4f335f695b5fc386f0d37beefc EAP-Message = 0x56c2aca56a2c087629999c71 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xce049ae9cf078f152ab18dd0a9f47460 Wed Aug 13 19:11:30 2014 : Info: Finished request 1. Wed Aug 13 19:11:30 2014 : Debug: Going to the next request Wed Aug 13 19:11:30 2014 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=103, length=227 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000006c453ebb861" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061500 State = 0xce049ae9cf078f152ab18dd0a9f47460 Message-Authenticator = 0xb8e667ae4d70cf7ba99ff183a7a889cb Wed Aug 13 19:11:30 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authorize {...} Wed Aug 13 19:11:30 2014 : Info: ++[preprocess] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[chap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[mschap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[digest] returns noop Wed Aug 13 19:11:30 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Wed Aug 13 19:11:30 2014 : Info: [suffix] No such realm "NULL" Wed Aug 13 19:11:30 2014 : Info: ++[suffix] returns noop Wed Aug 13 19:11:30 2014 : Info: [eap] EAP packet type response id 3 length 6 Wed Aug 13 19:11:30 2014 : Info: [eap] Continuing tunnel setup. Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns ok Wed Aug 13 19:11:30 2014 : Info: Found Auth-Type = EAP Wed Aug 13 19:11:30 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authenticate {...} Wed Aug 13 19:11:30 2014 : Info: [eap] Request found, released from the list Wed Aug 13 19:11:30 2014 : Info: [eap] EAP/ttls Wed Aug 13 19:11:30 2014 : Info: [eap] processing type ttls Wed Aug 13 19:11:30 2014 : Info: [ttls] Authenticate Wed Aug 13 19:11:30 2014 : Info: [ttls] processing EAP-TLS Wed Aug 13 19:11:30 2014 : Info: [ttls] Received TLS ACK Wed Aug 13 19:11:30 2014 : Info: [ttls] ACK handshake fragment handler Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_verify returned 1 Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_process returned 13 Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns handled Sending Access-Challenge of id 103 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x01040074158000000460f3411c40ef6cbf1635e4b4c7c71d18b883360ad6c27db542a4ffa0196c0b2ff8daca2101a3b4a35171415bdf6b68817425eb344c2e5e5a6794c0f1002aa59f631cb9c5135d716d9664afa8a76e9f2ee942decefd1b459b2dbb216aa655697391b416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xce049ae9cc008f152ab18dd0a9f47460 Wed Aug 13 19:11:30 2014 : Info: Finished request 2. Wed Aug 13 19:11:30 2014 : Debug: Going to the next request Wed Aug 13 19:11:30 2014 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=104, length=365 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000006c453ebb861" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400901580000000861603010046100000424104004576a5ac3ee43c0112ce47d295aa54d21d71076fd64b293d0d59fff21795217e1ac2b3934427d9740a789cd8731e1bd52c246904d4414a1877b375e67df9f31403010001011603010030da43e9a2a8d1bb853ae1740aaf5964dc58b28263a25f1dbc40149b8d0aa0a62b22a690caf5fa2c9663e53591a55e3100 State = 0xce049ae9cc008f152ab18dd0a9f47460 Message-Authenticator = 0x9582ab96a0b46bdb12bc99449a415f67 Wed Aug 13 19:11:30 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authorize {...} Wed Aug 13 19:11:30 2014 : Info: ++[preprocess] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[chap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[mschap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[digest] returns noop Wed Aug 13 19:11:30 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Wed Aug 13 19:11:30 2014 : Info: [suffix] No such realm "NULL" Wed Aug 13 19:11:30 2014 : Info: ++[suffix] returns noop Wed Aug 13 19:11:30 2014 : Info: [eap] EAP packet type response id 4 length 144 Wed Aug 13 19:11:30 2014 : Info: [eap] Continuing tunnel setup. Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns ok Wed Aug 13 19:11:30 2014 : Info: Found Auth-Type = EAP Wed Aug 13 19:11:30 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authenticate {...} Wed Aug 13 19:11:30 2014 : Info: [eap] Request found, released from the list Wed Aug 13 19:11:30 2014 : Info: [eap] EAP/ttls Wed Aug 13 19:11:30 2014 : Info: [eap] processing type ttls Wed Aug 13 19:11:30 2014 : Info: [ttls] Authenticate Wed Aug 13 19:11:30 2014 : Info: [ttls] processing EAP-TLS Wed Aug 13 19:11:30 2014 : Debug: TLS Length 134 Wed Aug 13 19:11:30 2014 : Info: [ttls] Length Included Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_verify returned 11 Wed Aug 13 19:11:30 2014 : Info: [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 read client key exchange A Wed Aug 13 19:11:30 2014 : Info: [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] Wed Aug 13 19:11:30 2014 : Info: [ttls] <<< TLS 1.0 Handshake [length 0010], Finished Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 read finished A Wed Aug 13 19:11:30 2014 : Info: [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 write change cipher spec A Wed Aug 13 19:11:30 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 0010], Finished Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 write finished A Wed Aug 13 19:11:30 2014 : Info: [ttls] TLS_accept: SSLv3 flush data Wed Aug 13 19:11:30 2014 : Info: [ttls] (other): SSL negotiation finished successfully Wed Aug 13 19:11:30 2014 : Debug: SSL Connection Established Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_process returned 13 Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns handled Sending Access-Challenge of id 104 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x0105004515800000003b1403010001011603010030479426af6e1c12503738a32e262e84a4c666ea99fb6f5a80df674f2146e70be7e6187626844cccb9362ac032ee1b5de3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xce049ae9cd018f152ab18dd0a9f47460 Wed Aug 13 19:11:30 2014 : Info: Finished request 3. Wed Aug 13 19:11:30 2014 : Debug: Going to the next request Wed Aug 13 19:11:30 2014 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=105, length=300 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000006c453ebb861" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0205004f15800000004517030100407bbbae1e3e6f6eee806cadf4038fc633b025b87de4bfe6c62065214c14dc49fba070a2a5ae82ba25538125ce60ed1e16eebeb7ad9c5eaa990c2be82e7b18f38e State = 0xce049ae9cd018f152ab18dd0a9f47460 Message-Authenticator = 0x641909bf4fd27987f4b839410ca1f707 Wed Aug 13 19:11:30 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authorize {...} Wed Aug 13 19:11:30 2014 : Info: ++[preprocess] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[chap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[mschap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[digest] returns noop Wed Aug 13 19:11:30 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Wed Aug 13 19:11:30 2014 : Info: [suffix] No such realm "NULL" Wed Aug 13 19:11:30 2014 : Info: ++[suffix] returns noop Wed Aug 13 19:11:30 2014 : Info: [eap] EAP packet type response id 5 length 79 Wed Aug 13 19:11:30 2014 : Info: [eap] Continuing tunnel setup. Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns ok Wed Aug 13 19:11:30 2014 : Info: Found Auth-Type = EAP Wed Aug 13 19:11:30 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group authenticate {...} Wed Aug 13 19:11:30 2014 : Info: [eap] Request found, released from the list Wed Aug 13 19:11:30 2014 : Info: [eap] EAP/ttls Wed Aug 13 19:11:30 2014 : Info: [eap] processing type ttls Wed Aug 13 19:11:30 2014 : Info: [ttls] Authenticate Wed Aug 13 19:11:30 2014 : Info: [ttls] processing EAP-TLS Wed Aug 13 19:11:30 2014 : Debug: TLS Length 69 Wed Aug 13 19:11:30 2014 : Info: [ttls] Length Included Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_verify returned 11 Wed Aug 13 19:11:30 2014 : Info: [ttls] eaptls_process returned 7 Wed Aug 13 19:11:30 2014 : Info: [ttls] Session established. Proceeding to decode tunneled attributes. TTLS tunnel data in 0000: 00 00 00 01 00 00 00 0f 6a 6f 65 75 73 65 72 00 TTLS tunnel data in 0010: 00 00 00 02 00 00 00 18 70 61 73 73 77 6f 72 64 TTLS tunnel data in 0020: 00 00 00 00 00 00 00 00 Wed Aug 13 19:11:30 2014 : Info: [ttls] Got tunneled request User-Name = "joeuser" User-Password = "password" FreeRADIUS-Proxied-To = 127.0.0.1 Wed Aug 13 19:11:30 2014 : Info: [ttls] Sending tunneled request User-Name = "joeuser" User-Password = "password" FreeRADIUS-Proxied-To = 127.0.0.1 Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000006c453ebb861" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 server inner-tunnel { Wed Aug 13 19:11:30 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel Wed Aug 13 19:11:30 2014 : Info: +- entering group authorize {...} Wed Aug 13 19:11:30 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) Wed Aug 13 19:11:30 2014 : Debug: [ldap] Entering ldap_groupcmp() Wed Aug 13 19:11:30 2014 : Info: expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Wed Aug 13 19:11:30 2014 : Info: expand: %{Stripped-User-Name} -> Wed Aug 13 19:11:30 2014 : Info: ... expanding second conditional Wed Aug 13 19:11:30 2014 : Info: expand: %{User-Name} -> joeuser Wed Aug 13 19:11:30 2014 : Info: expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 13 19:11:30 2014 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] performing search in ou=corp,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Wed Aug 13 19:11:30 2014 : Debug: [ldap] object not found Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 13 19:11:30 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=corp,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. Wed Aug 13 19:11:30 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/) -> FALSE Wed Aug 13 19:11:30 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE Wed Aug 13 19:11:30 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) Wed Aug 13 19:11:30 2014 : Debug: [ldap] Entering ldap_groupcmp() Wed Aug 13 19:11:30 2014 : Info: expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Wed Aug 13 19:11:30 2014 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] performing search in ou=dev,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Wed Aug 13 19:11:30 2014 : Debug: [ldap] object not found Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 13 19:11:30 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=dev,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. Wed Aug 13 19:11:30 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/) -> FALSE Wed Aug 13 19:11:30 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE Wed Aug 13 19:11:30 2014 : Info: ++[chap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[mschap] returns noop Wed Aug 13 19:11:30 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Wed Aug 13 19:11:30 2014 : Info: [suffix] No such realm "NULL" Wed Aug 13 19:11:30 2014 : Info: ++[suffix] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[control] returns noop Wed Aug 13 19:11:30 2014 : Info: [eap] No EAP-Message, not doing EAP Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[files] returns noop Wed Aug 13 19:11:30 2014 : Info: [ldap] performing user authorization for joeuser Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: %{Stripped-User-Name} -> Wed Aug 13 19:11:30 2014 : Info: [ldap] ... expanding second conditional Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: %{User-Name} -> joeuser Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Wed Aug 13 19:11:30 2014 : Info: [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Wed Aug 13 19:11:30 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Wed Aug 13 19:11:30 2014 : Info: [ldap] No default NMAS login sequence Wed Aug 13 19:11:30 2014 : Info: [ldap] looking for check items in directory... Wed Aug 13 19:11:30 2014 : Debug: [ldap] userPassword -> Password-With-Header == "{MD5}X03MO1qnZdYdgyfeuILPmQ==" Wed Aug 13 19:11:30 2014 : Info: [ldap] looking for reply items in directory... Wed Aug 13 19:11:30 2014 : Info: [ldap] user joeuser authorized to use remote access Wed Aug 13 19:11:30 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 13 19:11:30 2014 : Info: ++[ldap] returns ok Wed Aug 13 19:11:30 2014 : Info: ++[expiration] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[logintime] returns noop Wed Aug 13 19:11:30 2014 : Info: ++[pap] returns updated Wed Aug 13 19:11:30 2014 : Info: Found Auth-Type = PAP Wed Aug 13 19:11:30 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel Wed Aug 13 19:11:30 2014 : Info: +- entering group PAP {...} Wed Aug 13 19:11:30 2014 : Info: [pap] login attempt with password "password" Wed Aug 13 19:11:30 2014 : Info: [pap] Using MD5 encryption. Wed Aug 13 19:11:30 2014 : Info: [pap] Normalizing MD5-Password from base64 encoding Wed Aug 13 19:11:30 2014 : Info: [pap] User authenticated successfully Wed Aug 13 19:11:30 2014 : Info: ++[pap] returns ok Wed Aug 13 19:11:30 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel Wed Aug 13 19:11:30 2014 : Info: +- entering group post-auth {...} Wed Aug 13 19:11:30 2014 : Info: expand: %{control:Tmp-String-1} -> Wed Aug 13 19:11:30 2014 : Info: ++[reply] returns noop } # server inner-tunnel Wed Aug 13 19:11:30 2014 : Info: [ttls] Got tunneled reply code 2 Filter-Id = "" Wed Aug 13 19:11:30 2014 : Info: [ttls] Got tunneled Access-Accept Wed Aug 13 19:11:30 2014 : Info: [eap] Freeing handler Wed Aug 13 19:11:30 2014 : Info: ++[eap] returns ok Wed Aug 13 19:11:30 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/default Wed Aug 13 19:11:30 2014 : Info: +- entering group post-auth {...} Wed Aug 13 19:11:30 2014 : Info: ++[exec] returns noop Sending Access-Accept of id 105 to xxx.xxx.xxx.xxx port 32768 Filter-Id = "" MS-MPPE-Recv-Key = 0x973c07e31d3c62b129b86e8e3c753157d7d3fa68a4a77314fa71358e280a02a8 MS-MPPE-Send-Key = 0x4a82fcf322b22593fb75a29e51144d16c5698583f60d170a3fe559c800065eec EAP-Message = 0x03050004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "joeuser" Wed Aug 13 19:11:30 2014 : Info: Finished request 4. Wed Aug 13 19:11:30 2014 : Debug: Going to the next request Wed Aug 13 19:11:30 2014 : Debug: Waking up in 4.8 seconds. Wed Aug 13 19:11:35 2014 : Info: Cleaning up request 0 ID 101 with timestamp +40 Wed Aug 13 19:11:35 2014 : Info: Cleaning up request 1 ID 102 with timestamp +40 Wed Aug 13 19:11:35 2014 : Info: Cleaning up request 2 ID 103 with timestamp +40 Wed Aug 13 19:11:35 2014 : Info: Cleaning up request 3 ID 104 with timestamp +40 Wed Aug 13 19:11:35 2014 : Info: Cleaning up request 4 ID 105 with timestamp +40 Wed Aug 13 19:11:35 2014 : Info: Ready to process requests.
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
What's with all the XXXs ? Just freeradius -X (for a start its easier to read as eye can scan the output easier) alan
Extra verbose… but too Verbose? ;) Here is an all new output with just “freeradius -X” as well as an auth with the Filter-ID with just “” (because its not matching). Thanks for being patient. I am learning to grab all the info you guys need. I appreciate the help as well. root@openldap ~# freeradius -X FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Dec 16 2012 at 13:28:43 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client 0.0.0.0/0 { require_message_authenticator = no secret = "supersecretsecret" nastype = "other" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "supersecretsecret" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap ldap { server = "localhost" port = 389 password = "supersecretpassword" identity = "cn=admin,dc=team,dc=company,dc=com" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "ou=Users,dc=team,dc=company,dc=com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x207f070 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 38044 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=203, length=215 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000007b553ece16c" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201000c016a6f6575736572 Message-Authenticator = 0xed1a3c2663f703572e4c8e1bfd7d2556 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "joeuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for joeuser [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> joeuser [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to localhost:389, authentication 0 [ldap] bind as cn=admin,dc=team,dc=company,dc=com/653776d05374 to localhost:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{MD5}X03MO1qnZdYdgyfeuILPmQ==" [ldap] looking for reply items in directory... [ldap] user joeuser authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 203 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0c2f506e0c2d4502a78fc67383837c82 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=204, length=373 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000007b553ece16c" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202009815800000008e160301008901000085030153ece174fce89b7e46bf59830fe91b2fd781eb2e62a90e15c9596a53b051d4ee00004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100 State = 0x0c2f506e0c2d4502a78fc67383837c82 Message-Authenticator = 0xc74ecffa644ec5ddc035a6ced484f0c0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "joeuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 152 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 142 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0089], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 02c4], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 204 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x0103040015c000000460160301003902000035030153ece17487b15b4c814320dad2b170575c53685386acc50bbb05d824f6ca8bc900c01400000dff01000100000b00040300010216030102c40b0002c00002bd0002ba308202b63082019ea003020102020900b507e231935d6b3f300d06092a864886f70d010105050030133111300f060355040313086f70656e6c646170301e170d3134303830373232333035385a170d3234303830343232333035385a30133111300f060355040313086f70656e6c64617030820122300d06092a864886f70d01010105000382010f003082010a0282010100bae7e24798efa862ea1659a17ac74864a297d09a EAP-Message = 0x249d8e467e1a40a3fc4fdcf36e73ac43cc11e5df4978020ae6af6c12d0a98f7c90d0352eae9c5b9c8364cffe115b833c52bfbcb43c292c303ee0f8cca82a3732ed53bcdba3905a9f030c9bf242e7482f28c0a30e5210afbf064e6129cef1358e30942581621b927da448fcea0fcca181c7ea6ac7385946513bd092e7ccf41df13f7a4f498533947d1f0451659c20977cfddeb5ffadef948b8f876a1bbba0f2a574e05daf8fe696a828973f21674abc246ca73279dcd5fe1720f1140b3f351427fc5be4a4158fb31d2b46643e0bbef9297b892cea88babfcb26e53bcc981bec71b84d0fb21760176f5d12adc90203010001a30d300b30090603551d1304 EAP-Message = 0x023000300d06092a864886f70d010105050003820101009a35e4dddb99265dfbe96dbd2dd5efcec97ebbb6111d42b313a0d7b6f29a4a4cc378c154afc028a986a118ddf1e611aa3fda9ed59c9f745663fcfd2655891584047b99042c2f7d3757ff92e86d008a55dac7e1e2a8f7e67711fec590812461e9de753eacf30285e44c3c7ecc31671d4ccbfdc6de65536e8b780cbf05ca5e0442748ccc7356f315baac1cc9bb528198bba1526d18213171b26e3676162be28056600762ed21df47ca64f29fb8b9853b8e84731708c7e7c5b0862c3d61aa07b37b89eb915e0fb7f5867a9eb9346574bfc112aa4ea45ae9bae8fdf44b9cedbd3ba5082046a7de23 EAP-Message = 0xc8fefa2502dad1e8da8bf54443bc2b061a301dd93689ce6867d9160301014b0c0001470300174104f9994a58b158af4d2c3ee46ef7ea56a32f73b9dd6482594dffec761c588692dd56bd3e841741bd6790a213d93a7fec133ae884a606d280b40fb2ad30113f6bc001005f141bb7e7850f0e0bc66ab636af8522ee1f197553db890bbe28ed8af621e9c8ed6c16c9022e12ea474c06d3ea32193f9c6e87a9dc1638f404027442f150a83a94b1a5f25740724efcdc4c58b8ccd2bb169ffd64cdaf59aeb93559327f7bfef6a40f811915b4e6a242d933c45e9c751af100e85bffb9dd5c7994a44dcb155443e6341d819c5a04817c796e352c59260385d645 EAP-Message = 0xd7a4041ace0dc838fae881f4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0c2f506e0d2c4502a78fc67383837c82 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=205, length=227 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000007b553ece16c" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061500 State = 0x0c2f506e0d2c4502a78fc67383837c82 Message-Authenticator = 0xa968599a7a07d6a7c81622a2ec595527 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "joeuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 205 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x01040074158000000460b51de76044e35a3b23d67f02c8ca04ac25c576cabc8c37415259eac0af3c1adb76cafd3519552d7bc7ae15d0084efbcd72e56efc9d86a6ca37f777cd75596a44a5bbc2c49528d473714602586ff9a5392efa2f5064d16b6c420e90ffdd26281b0e16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0c2f506e0e2b4502a78fc67383837c82 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=206, length=365 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000007b553ece16c" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400901580000000861603010046100000424104f51dae99b0e06268f98d50498ab6214e9d8a3cb58d2470588a512dc34896d2788b058b9ac82e103bf3f1584e09f5524914a657be9096df53b46ed5a4e7cfae1414030100010116030100305013d1b946bd01cd551b780afe506aad419745cca2e768f5ebab8b513d8d51bd46d68d927e5f39212665da333bbe8a91 State = 0x0c2f506e0e2b4502a78fc67383837c82 Message-Authenticator = 0x3e404d0d65c81594a55f64d9b4cc469a # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "joeuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 134 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 206 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x0105004515800000003b14030100010116030100304ec4b1d21be1ac992329da92ae70cf50d45053ff078d33904281b3177bc687cf1310081e2bdebf2b61d2babed9e7387c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0c2f506e0f2a4502a78fc67383837c82 Finished request 3. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=207, length=300 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000007b553ece16c" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0205004f15800000004517030100400fdf4eec300b3605d60d1f5dcf6538d6f8c78b44bad0d935413e98b7badc12ed366447be383cd443ffc7dfe6d1f4caded3755e5a28dff2f852b930504806b87e State = 0x0c2f506e0f2a4502a78fc67383837c82 Message-Authenticator = 0x6385d923f43bfd71057d6355e375bea7 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "joeuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 79 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 69 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "joeuser" User-Password = "password" FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "joeuser" User-Password = "password" FreeRADIUS-Proxied-To = 127.0.0.1 Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000007b553ece16c" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) [ldap] Entering ldap_groupcmp() expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> joeuser expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) [ldap] ldap_release_conn: Release Id: 0 expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=corp,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group ou=corp,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. ? Evaluating (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/) -> FALSE ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) [ldap] Entering ldap_groupcmp() expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=dev,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group ou=dev,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. ? Evaluating (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/) -> FALSE ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "joeuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [ldap] performing user authorization for joeuser [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> joeuser [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{MD5}X03MO1qnZdYdgyfeuILPmQ==" [ldap] looking for reply items in directory... [ldap] user joeuser authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group PAP {...} [pap] login attempt with password "password" [pap] Using MD5 encryption. [pap] Normalizing MD5-Password from base64 encoding [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group post-auth {...} expand: %{control:Tmp-String-1} -> ++[reply] returns noop } # server inner-tunnel [ttls] Got tunneled reply code 2 Filter-Id = "" [ttls] Got tunneled Access-Accept [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 207 to xxx.xxx.xxx.xxx port 32768 Filter-Id = "" MS-MPPE-Recv-Key = 0xf6afe55fa791b111d65ae79b8b8fc26fab9390d489056f94ccfa8cfbafc5f145 MS-MPPE-Send-Key = 0x36463beba6eb14106636e5bcf6faa6e5c210eec08a4bdd2f062a9c746c97d621 EAP-Message = 0x03050004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "joeuser" Finished request 4. Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 203 with timestamp +13 Cleaning up request 1 ID 204 with timestamp +13 Cleaning up request 2 ID 205 with timestamp +13 Cleaning up request 3 ID 206 with timestamp +13 Cleaning up request 4 ID 207 with timestamp +13 Ready to process requests. On Aug 14, 2014, at 9:12 AM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
What's with all the XXXs ?
Just freeradius -X
(for a start its easier to read as eye can scan the output easier)
alan
Hi All- Does this config seem right to not pass up the filter-ID based on the below output, or could this be due to the fact that I am running a version that is almost 2 years old? ldap { server = "localhost" identity = "cn=admin,dc=team,dc=company,dc=com" password = xxxxx basedn = "ou=Users,dc=team,dc=company,dc=com" scope = “sub” filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})” … } Thanks, Alex On Aug 14, 2014, at 9:24 AM, Alex Gregory <alex@c2company.com> wrote:
Extra verbose… but too Verbose? ;) Here is an all new output with just “freeradius -X” as well as an auth with the Filter-ID with just “” (because its not matching). Thanks for being patient. I am learning to grab all the info you guys need. I appreciate the help as well.
root@openldap ~# freeradius -X FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Dec 16 2012 at 13:28:43 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client 0.0.0.0/0 { require_message_authenticator = no secret = "supersecretsecret" nastype = "other" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "supersecretsecret" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap ldap { server = "localhost" port = 389 password = "supersecretpassword" identity = "cn=admin,dc=team,dc=company,dc=com" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "ou=Users,dc=team,dc=company,dc=com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x207f070 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 38044 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests.
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=203, length=215 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000007b553ece16c" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201000c016a6f6575736572 Message-Authenticator = 0xed1a3c2663f703572e4c8e1bfd7d2556 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "joeuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for joeuser [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> joeuser [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to localhost:389, authentication 0 [ldap] bind as cn=admin,dc=team,dc=company,dc=com/653776d05374 to localhost:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{MD5}X03MO1qnZdYdgyfeuILPmQ==" [ldap] looking for reply items in directory... [ldap] user joeuser authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 203 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0c2f506e0c2d4502a78fc67383837c82 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=204, length=373 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000007b553ece16c" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202009815800000008e160301008901000085030153ece174fce89b7e46bf59830fe91b2fd781eb2e62a90e15c9596a53b051d4ee00004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100 State = 0x0c2f506e0c2d4502a78fc67383837c82 Message-Authenticator = 0xc74ecffa644ec5ddc035a6ced484f0c0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "joeuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 152 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 142 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0089], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 02c4], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 204 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x0103040015c000000460160301003902000035030153ece17487b15b4c814320dad2b170575c53685386acc50bbb05d824f6ca8bc900c01400000dff01000100000b00040300010216030102c40b0002c00002bd0002ba308202b63082019ea003020102020900b507e231935d6b3f300d06092a864886f70d010105050030133111300f060355040313086f70656e6c646170301e170d3134303830373232333035385a170d3234303830343232333035385a30133111300f060355040313086f70656e6c64617030820122300d06092a864886f70d01010105000382010f003082010a0282010100bae7e24798efa862ea1659a17ac74864a297d09a EAP-Message = 0x249d8e467e1a40a3fc4fdcf36e73ac43cc11e5df4978020ae6af6c12d0a98f7c90d0352eae9c5b9c8364cffe115b833c52bfbcb43c292c303ee0f8cca82a3732ed53bcdba3905a9f030c9bf242e7482f28c0a30e5210afbf064e6129cef1358e30942581621b927da448fcea0fcca181c7ea6ac7385946513bd092e7ccf41df13f7a4f498533947d1f0451659c20977cfddeb5ffadef948b8f876a1bbba0f2a574e05daf8fe696a828973f21674abc246ca73279dcd5fe1720f1140b3f351427fc5be4a4158fb31d2b46643e0bbef9297b892cea88babfcb26e53bcc981bec71b84d0fb21760176f5d12adc90203010001a30d300b30090603551d1304 EAP-Message = 0x023000300d06092a864886f70d010105050003820101009a35e4dddb99265dfbe96dbd2dd5efcec97ebbb6111d42b313a0d7b6f29a4a4cc378c154afc028a986a118ddf1e611aa3fda9ed59c9f745663fcfd2655891584047b99042c2f7d3757ff92e86d008a55dac7e1e2a8f7e67711fec590812461e9de753eacf30285e44c3c7ecc31671d4ccbfdc6de65536e8b780cbf05ca5e0442748ccc7356f315baac1cc9bb528198bba1526d18213171b26e3676162be28056600762ed21df47ca64f29fb8b9853b8e84731708c7e7c5b0862c3d61aa07b37b89eb915e0fb7f5867a9eb9346574bfc112aa4ea45ae9bae8fdf44b9cedbd3ba5082046a7de23 EAP-Message = 0xc8fefa2502dad1e8da8bf54443bc2b061a301dd93689ce6867d9160301014b0c0001470300174104f9994a58b158af4d2c3ee46ef7ea56a32f73b9dd6482594dffec761c588692dd56bd3e841741bd6790a213d93a7fec133ae884a606d280b40fb2ad30113f6bc001005f141bb7e7850f0e0bc66ab636af8522ee1f197553db890bbe28ed8af621e9c8ed6c16c9022e12ea474c06d3ea32193f9c6e87a9dc1638f404027442f150a83a94b1a5f25740724efcdc4c58b8ccd2bb169ffd64cdaf59aeb93559327f7bfef6a40f811915b4e6a242d933c45e9c751af100e85bffb9dd5c7994a44dcb155443e6341d819c5a04817c796e352c59260385d645 EAP-Message = 0xd7a4041ace0dc838fae881f4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0c2f506e0d2c4502a78fc67383837c82 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=205, length=227 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000007b553ece16c" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061500 State = 0x0c2f506e0d2c4502a78fc67383837c82 Message-Authenticator = 0xa968599a7a07d6a7c81622a2ec595527 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "joeuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 205 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x01040074158000000460b51de76044e35a3b23d67f02c8ca04ac25c576cabc8c37415259eac0af3c1adb76cafd3519552d7bc7ae15d0084efbcd72e56efc9d86a6ca37f777cd75596a44a5bbc2c49528d473714602586ff9a5392efa2f5064d16b6c420e90ffdd26281b0e16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0c2f506e0e2b4502a78fc67383837c82 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=206, length=365 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000007b553ece16c" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400901580000000861603010046100000424104f51dae99b0e06268f98d50498ab6214e9d8a3cb58d2470588a512dc34896d2788b058b9ac82e103bf3f1584e09f5524914a657be9096df53b46ed5a4e7cfae1414030100010116030100305013d1b946bd01cd551b780afe506aad419745cca2e768f5ebab8b513d8d51bd46d68d927e5f39212665da333bbe8a91 State = 0x0c2f506e0e2b4502a78fc67383837c82 Message-Authenticator = 0x3e404d0d65c81594a55f64d9b4cc469a # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "joeuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 134 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 206 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x0105004515800000003b14030100010116030100304ec4b1d21be1ac992329da92ae70cf50d45053ff078d33904281b3177bc687cf1310081e2bdebf2b61d2babed9e7387c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0c2f506e0f2a4502a78fc67383837c82 Finished request 3. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=207, length=300 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000007b553ece16c" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0205004f15800000004517030100400fdf4eec300b3605d60d1f5dcf6538d6f8c78b44bad0d935413e98b7badc12ed366447be383cd443ffc7dfe6d1f4caded3755e5a28dff2f852b930504806b87e State = 0x0c2f506e0f2a4502a78fc67383837c82 Message-Authenticator = 0x6385d923f43bfd71057d6355e375bea7 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "joeuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 79 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 69 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "joeuser" User-Password = "password" FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "joeuser" User-Password = "password" FreeRADIUS-Proxied-To = 127.0.0.1 Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000007b553ece16c" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) [ldap] Entering ldap_groupcmp() expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com expand: %{Stripped-User-Name} -> ... expanding second conditional expand: %{User-Name} -> joeuser expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) [ldap] ldap_release_conn: Release Id: 0 expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=corp,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group ou=corp,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. ? Evaluating (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/) -> FALSE ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) [ldap] Entering ldap_groupcmp() expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=dev,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group ou=dev,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. ? Evaluating (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/) -> FALSE ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "joeuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [ldap] performing user authorization for joeuser [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> joeuser [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{MD5}X03MO1qnZdYdgyfeuILPmQ==" [ldap] looking for reply items in directory... [ldap] user joeuser authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group PAP {...} [pap] login attempt with password "password" [pap] Using MD5 encryption. [pap] Normalizing MD5-Password from base64 encoding [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group post-auth {...} expand: %{control:Tmp-String-1} -> ++[reply] returns noop } # server inner-tunnel [ttls] Got tunneled reply code 2 Filter-Id = "" [ttls] Got tunneled Access-Accept [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 207 to xxx.xxx.xxx.xxx port 32768 Filter-Id = "" MS-MPPE-Recv-Key = 0xf6afe55fa791b111d65ae79b8b8fc26fab9390d489056f94ccfa8cfbafc5f145 MS-MPPE-Send-Key = 0x36463beba6eb14106636e5bcf6faa6e5c210eec08a4bdd2f062a9c746c97d621 EAP-Message = 0x03050004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "joeuser" Finished request 4. Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 203 with timestamp +13 Cleaning up request 1 ID 204 with timestamp +13 Cleaning up request 2 ID 205 with timestamp +13 Cleaning up request 3 ID 206 with timestamp +13 Cleaning up request 4 ID 207 with timestamp +13 Ready to process requests.
On Aug 14, 2014, at 9:12 AM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
What's with all the XXXs ?
Just freeradius -X
(for a start its easier to read as eye can scan the output easier)
alan
On 15 Aug 2014, at 12:45, Alex Gregory <alex@c2company.com> wrote:
Hi All-
Does this config seem right to not pass up the filter-ID based on the below output, or could this be due to the fact that I am running a version that is almost 2 years old?
ldap { server = "localhost" identity = "cn=admin,dc=team,dc=company,dc=com" password = xxxxx basedn = "ou=Users,dc=team,dc=company,dc=com" scope = “sub” filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})” … }
The LDAP in FreeRADIUS v3.0.x make significantly more sense. If you're trying to do anything complex then I recommend using that. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Thank you for the advice, Arran. I will move to 3.x and do the upgrade tomorrow. I think I might just remove the packages I installed via apt and just do the config over on 3.x after making a backup. Alex On Aug 16, 2014, at 8:52 AM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 15 Aug 2014, at 12:45, Alex Gregory <alex@c2company.com> wrote:
Hi All-
Does this config seem right to not pass up the filter-ID based on the below output, or could this be due to the fact that I am running a version that is almost 2 years old?
ldap { server = "localhost" identity = "cn=admin,dc=team,dc=company,dc=com" password = xxxxx basedn = "ou=Users,dc=team,dc=company,dc=com" scope = “sub” filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})” … }
The LDAP in FreeRADIUS v3.0.x make significantly more sense. If you're trying to do anything complex then I recommend using that.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (4)
-
Alan Buxey -
Alex Gregory -
Arran Cudbard-Bell -
Stefan Paetow