Additional reply attributes via eap-pwd possible?
I am currently configuring my freeradius server with mysql to implement authentication via eap-pwd. Later it should be possible to log in to an access point by username/password. The login works without any problems. As access point i use devices from lancom which support additional attributes like "LCS-RxRateLimit" and "LCS-TxRateLimit" to throttle the bandwidth of the client. I have added these two attributes to the user in the radreply table. However, after successful authentication, the two attributes are not transmitted. (checked with wireshark) Is this possible at all via eap-pwd?
On Jan 26, 2021, at 5:14 AM, nightcore500 via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am currently configuring my freeradius server with mysql to implement authentication via eap-pwd.
Later it should be possible to log in to an access point by username/password.
That should be possible/
The login works without any problems. As access point i use devices from lancom which support additional attributes like "LCS-RxRateLimit" and "LCS-TxRateLimit" to throttle the bandwidth of the client.
I have added these two attributes to the user in the radreply table.
However, after successful authentication, the two attributes are not transmitted. (checked with wireshark)
Read http://wiki.freeradius.org/list-help And http://wiki.freeradius.org/radiusd-X
Is this possible at all via eap-pwd?
Yes. Alan DeKok.
Yes. Alan DeKok.
Thank you for your answer. I am still stuck with the problem. The radius server just does not want to send me the attributes. I suspect a problem with the inner-tunnel. Maybe you could help me here? Ready to process requests (0) Received Access-Request Id 131 from 10.30.156.65:37368 to 10.15.0.136:1812 length 217 (0) User-Name = "5001" (0) NAS-IP-Address = 10.30.156.65 (0) NAS-Identifier = "c0e4000b1733" (0) Called-Station-Id = "C0-E4-00-0B-17-33:TestAuth" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Calling-Station-Id = "F6-1C-00-0B-07-03" (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) Acct-Session-Id = "212F019475EE742B" (0) Acct-Multi-Session-Id = "140719517FC880F8" (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027076 (0) WLAN-AKM-Suite = 1027073 (0) Framed-MTU = 1400 (0) EAP-Message = 0x026200090135303031 (0) Message-Authenticator = 0x40c853e732061fe7ef8b834200e86e85 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "5001", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) policy rewrite_calling_station_id { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) update request { (0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (0) --> F6-1C-00-0B-07-03 (0) &Calling-Station-Id := F6-1C-00-0B-07-03 (0) } # update request = noop (0) [updated] = updated (0) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (0) ... skipping else: Preceding "if" was taken (0) } # policy rewrite_calling_station_id = updated (0) eap: Peer sent EAP Response (code 2) ID 98 length 9 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_pwd to process data (0) eap: Sending EAP Request (code 1) ID 99 length 46 (0) eap: EAP session adding &reply:State = 0x7746780c77254c9b (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 131 from 10.15.0.136:1812 to 10.30.156.65:37368 length 0 (0) EAP-Message = 0x0163002e340100130101f04ae61e0066726565726164697573407372762d667265657261646975732d7664686f74 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x7746780c77254c9bc64706082ad8092a (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 132 from 10.30.156.65:37368 to 10.15.0.136:1812 length 245 (1) User-Name = "5001" (1) NAS-IP-Address = 10.30.156.65 (1) NAS-Identifier = "c0e4000b1733" (1) Called-Station-Id = "C0-E4-00-0B-17-33:TestAuth" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Calling-Station-Id = "F6-1C-00-0B-07-03" (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) Acct-Session-Id = "212F019475EE742B" (1) Acct-Multi-Session-Id = "140719517FC880F8" (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027076 (1) WLAN-AKM-Suite = 1027073 (1) Framed-MTU = 1400 (1) EAP-Message = 0x02630013340100130101f04ae61e0035303031 (1) State = 0x7746780c77254c9bc64706082ad8092a (1) Message-Authenticator = 0x7b79b35ea1f61596294cd984d984b446 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "5001", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) policy rewrite_calling_station_id { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (1) --> F6-1C-00-0B-07-03 (1) &Calling-Station-Id := F6-1C-00-0B-07-03 (1) } # update request = noop (1) [updated] = updated (1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_calling_station_id = updated (1) eap: Peer sent EAP Response (code 2) ID 99 length 19 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x7746780c77254c9b (1) eap: Finished EAP session with state 0x7746780c77254c9b (1) eap: Previous EAP request found for state 0x7746780c77254c9b, released from the list (1) eap: Peer sent packet with method EAP PWD (52) (1) eap: Calling submodule eap_pwd to process data (1) eap_pwd: Sending tunneled request (1) eap_pwd: User-Name = "5001" (1) eap_pwd: server inner-tunnel { (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "5001", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) update control { (1) &Proxy-To-Realm := LOCAL (1) } # update control = noop (1) eap: No EAP-Message, not doing EAP (1) [eap] = noop (1) sql: EXPAND %{User-Name} (1) sql: --> 5001 (1) sql: SQL-User-Name set to '5001' rlm_sql (sql): Reserved connection (0) (1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '5001' ORDER BY id (1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '5001' ORDER BY id (1) sql: User found in radcheck table (1) sql: Conditional check items matched, merging assignment check items (1) sql: Cleartext-Password := "abc123" (1) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '5001' ORDER BY id (1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '5001' ORDER BY id (1) sql: User found in radreply table, merging reply items (1) sql: LCS-TxRateLimit = 10500 (1) sql: LCS-RxRateLimit = 3600 (1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (1) sql: --> SELECT groupname FROM radusergroup WHERE username = '5001' ORDER BY priority (1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '5001' ORDER BY priority (1) sql: User not found in any groups rlm_sql (sql): Released connection (0) Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on 10.15.0.134 via TCP/IP, server version 5.7.30-log, protocol version 10 (1) [sql] = ok (1) [logintime] = noop (1) pap: No User-Password attribute in the request. Cannot do PAP (1) [pap] = noop (1) } # authorize = ok (1) eap_pwd: } # server inner-tunnel (1) eap_pwd: Got tunneled reply code 0 (1) eap_pwd: LCS-TxRateLimit = 10500 (1) eap_pwd: LCS-RxRateLimit = 3600 (1) eap: Sending EAP Request (code 1) ID 100 length 102 (1) eap: EAP session adding &reply:State = 0x7746780c76224c9b (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 132 from 10.15.0.136:1812 to 10.30.156.65:37368 length 0 (1) EAP-Message = 0x016400663402c2210083a3269c8fdc7a59bd8f948c417cf16e9e0766b4ffbb3cebffa97df893a7561900ca1e1919da6a33fa8a92339ec8010b44accf6c9d4a01e427fee1f152720b5b45d4f710ff0996339038c280c217db7061d1b6337ced479ecde0815022 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x7746780c76224c9bc64706082ad8092a (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 133 from 10.30.156.65:37368 to 10.15.0.136:1812 length 328 (2) User-Name = "5001" (2) NAS-IP-Address = 10.30.156.65 (2) NAS-Identifier = "c0e4000b1733" (2) Called-Station-Id = "C0-E4-00-0B-17-33:TestAuth" (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Calling-Station-Id = "F6-1C-00-0B-07-03" (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) Acct-Session-Id = "212F019475EE742B" (2) Acct-Multi-Session-Id = "140719517FC880F8" (2) WLAN-Pairwise-Cipher = 1027076 (2) WLAN-Group-Cipher = 1027076 (2) WLAN-AKM-Suite = 1027073 (2) Framed-MTU = 1400 (2) EAP-Message = 0x026400663402e5ff4eb08991c163fd5128ce39375ab5aacf1e10cbc62d289e9cdec763bd51be0391bf4a4a550cefbd37564819fbee344376feaba44f726566f2f655b714c314c544af8bc9d0149f7fb6565ecbd5083d2f9c57f51431dce45488765ba1c987ea (2) State = 0x7746780c76224c9bc64706082ad8092a (2) Message-Authenticator = 0xa9f3aced80dc79fc22b8af1713a940e0 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "5001", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) policy rewrite_calling_station_id { (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (2) update request { (2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (2) --> F6-1C-00-0B-07-03 (2) &Calling-Station-Id := F6-1C-00-0B-07-03 (2) } # update request = noop (2) [updated] = updated (2) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (2) ... skipping else: Preceding "if" was taken (2) } # policy rewrite_calling_station_id = updated (2) eap: Peer sent EAP Response (code 2) ID 100 length 102 (2) eap: No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x7746780c76224c9b (2) eap: Finished EAP session with state 0x7746780c76224c9b (2) eap: Previous EAP request found for state 0x7746780c76224c9b, released from the list (2) eap: Peer sent packet with method EAP PWD (52) (2) eap: Calling submodule eap_pwd to process data (2) eap: Sending EAP Request (code 1) ID 101 length 38 (2) eap: EAP session adding &reply:State = 0x7746780c75234c9b (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 133 from 10.15.0.136:1812 to 10.30.156.65:37368 length 0 (2) EAP-Message = 0x0165002634037466e2384d2efd73818f0e4cdcc666a769a4bc85fe6895a78b0f5fc853d4e5cd (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x7746780c75234c9bc64706082ad8092a (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 134 from 10.30.156.65:37368 to 10.15.0.136:1812 length 264 (3) User-Name = "5001" (3) NAS-IP-Address = 10.30.156.65 (3) NAS-Identifier = "c0e4000b1733" (3) Called-Station-Id = "C0-E4-00-0B-17-33:TestAuth" (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Calling-Station-Id = "F6-1C-00-0B-07-03" (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) Acct-Session-Id = "212F019475EE742B" (3) Acct-Multi-Session-Id = "140719517FC880F8" (3) WLAN-Pairwise-Cipher = 1027076 (3) WLAN-Group-Cipher = 1027076 (3) WLAN-AKM-Suite = 1027073 (3) Framed-MTU = 1400 (3) EAP-Message = 0x026500263403bb6184d17965cbf286f91ab7a6bce8af297c878e5d4ef27995065b48833e06ce (3) State = 0x7746780c75234c9bc64706082ad8092a (3) Message-Authenticator = 0x68727675cf8809530dd137abdfbb4589 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "5001", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) policy rewrite_calling_station_id { (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (3) update request { (3) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (3) --> F6-1C-00-0B-07-03 (3) &Calling-Station-Id := F6-1C-00-0B-07-03 (3) } # update request = noop (3) [updated] = updated (3) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (3) ... skipping else: Preceding "if" was taken (3) } # policy rewrite_calling_station_id = updated (3) eap: Peer sent EAP Response (code 2) ID 101 length 38 (3) eap: No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x7746780c75234c9b (3) eap: Finished EAP session with state 0x7746780c75234c9b (3) eap: Previous EAP request found for state 0x7746780c75234c9b, released from the list (3) eap: Peer sent packet with method EAP PWD (52) (3) eap: Calling submodule eap_pwd to process data (3) eap: Sending EAP Success (code 3) ID 101 length 4 (3) eap: Freeing handler (3) [eap] = ok (3) } # authenticate = ok (3) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (3) post-auth { (3) update { (3) No attributes updated (3) } # update = noop (3) sql: EXPAND .query (3) sql: --> .query (3) sql: Using query template 'query' rlm_sql (sql): Reserved connection (1) (3) sql: EXPAND %{User-Name} (3) sql: --> 5001 (3) sql: SQL-User-Name set to '5001' (3) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (3) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '5001', '', 'Access-Accept', '2021-01-26 14:21:40') (3) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '5001', '', 'Access-Accept', '2021-01-26 14:21:40') (3) sql: SQL query returned: success (3) sql: 1 record(s) updated rlm_sql (sql): Released connection (1) (3) [sql] = ok (3) [exec] = noop (3) } # post-auth = ok (3) Sent Access-Accept Id 134 from 10.15.0.136:1812 to 10.30.156.65:37368 length 0 (3) MS-MPPE-Recv-Key = 0x54f1496249a0aeed71eebb1a9b0e0cff5a1f1992fb46553c655f308b108591cd (3) MS-MPPE-Send-Key = 0x6fc7161e06565a9b0c1bb0d85559807aba0a65aa8accc2bec14a2fffa6835be4 (3) EAP-Message = 0x03650004 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) User-Name = "5001" (3) Finished request Waking up in 4.8 seconds.
On Jan 26, 2021, at 9:54 AM, nightcore500 via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote
Thank you for your answer. I am still stuck with the problem. The radius server just does not want to send me the attributes. I suspect a problem with the inner-tunnel. Maybe you could help me here?
You've added the attributes in the inner-tunnel, but you haven't told the server to send them to the client. You need to copy the inner tunnel attributes to the outer tunnel. See sites-available/inner-tunnel: # # Instead of "use_tunneled_reply", change this "if (0)" to an # "if (1)". # Then also see sites-available/default: # # For EAP-TTLS and PEAP, add the cached attributes to the reply. this comment applies to EAP-PWD, too. Follow the instructions there. Alan DeKok.
participants (2)
-
Alan DeKok -
denny.friebe@icera-network.de