problem using eap-tls and calling-station-id with postgresql
Dear freeradius-users, we got freeradius working and are using only eap-tls. Now we are trying to check if the users MAC-Address is the right one. Each user gets one public IP-Address (via dhcp); to assure that they don't do mac-spoofing we need this feature. Right now our problem is, when using eap-tls, the sql module don't seem to check the calling-station-id in the radcheck-table against the calling-station-id in the request. For the user laptop sql return ok, although the calling-station-ip in the table is gibberish. When trying the same thing with the user blub (and using a incorrect MAC) sql returns user notfound (that is what we want) and the request gets rejected. So it don't seems to be a problem with our NAS. Any idea why this is not working with eap-tls? What have we done wrong? Best regards, Benjamin Our tables are: radcheck id | username | attribute | op | value ----+---------------+--------------------+----+------------------- 1 | laptop | Auth-Type | := | EAP 2 | RAT | Auth-Type | := | EAP 3 | laptop | Calling-Station-Id | == | aa-bb-cc-dd-ee-ff 4 | blub | Cleartext-Password | := | password 5 | blub | Calling-Station-Id | == | 00-1c-25-9e-33-05 radius=> select * from radgroupreply; id | groupname | attribute | op | value ----+-----------+--------------------+----+--------------------- 1 | test | Framed-Protocol | := | PPP 2 | test | Service-Type | := | Framed-User 3 | test | Framed-Compression | := | Van-Jacobsen-TCP-IP All users are in the group 'test'. FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Dec 16 2012 at 13:28:43 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/sql.conf including configuration file /etc/freeradius/sql/postgresql/dialup.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "somesecret" nastype = "other" } client 192.168.0.201 { require_message_authenticator = no secret = "somesecret" login = "operator" password = "password" } client 192.168.0.240 { require_message_authenticator = no secret = "somesecret" login = "operator" password = "password" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "tls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "secretpw" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /etc/freeradius/sql.conf sql { driver = "rlm_sql_postgresql" server = "localhost" port = "" login = "radius" password = "password" radius_db = "radius" read_groups = yes sqltrace = no sqltracefile = "/var/log/freeradius/sqltrace.sql" readclients = no deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = "UPDATE radacct SET AcctStopTime = ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), AcctSessionTime = (EXTRACT(EPOCH FROM ('%S'::timestamp with time zone - AcctStartTime::timestamp with time zone - '%{%{Acct-Delay-Time}:-0}'::interval)))::BIGINT, AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = 0 WHERE AcctStopTime IS NULL AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'::timestamp" accounting_update_query = "UPDATE radacct SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint) WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime IS NULL" accounting_update_query_alt = "INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, XAscendSessionSvrKey) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{NAS-IP-Address}', %{%{NAS-Port}:-NULL}, '%{NAS-Port-Type}', ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval - '%{%{Acct-Session-Time}:-0}'::interval), '%{Acct-Session-Time}', '%{Acct-Authentic}', (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet, '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = "INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctAuthentic, ConnectInfo_start, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, XAscendSessionSvrKey) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{NAS-IP-Address}', %{%{NAS-Port}:-NULL}, '%{NAS-Port-Type}', ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), '%{Acct-Authentic}', '%{Connect-Info}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet, 0, '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), AcctStartDelay = 0, ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime IS NULL" accounting_stop_query = "UPDATE radacct SET AcctStopTime = ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), AcctSessionTime = CASE WHEN '%{Acct-Session-Time}' = '' THEN (EXTRACT(EPOCH FROM ('%S'::TIMESTAMP WITH TIME ZONE - AcctStartTime::TIMESTAMP WITH TIME ZONE - '%{%{Acct-Delay-Time}:-0}'::INTERVAL)))::BIGINT ELSE NULLIF('%{Acct-Session-Time}','')::BIGINT END, AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = 0, FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime IS NULL" accounting_stop_query_alt = "INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{NAS-IP-Address}', %{%{NAS-Port}:-NULL}, '%{NAS-Port-Type}', ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval - '%{%{Acct-Session-Time}:-0}'::interval), ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), NULLIF('%{Acct-Session-Time}', '')::bigint, '%{Acct-Authentic}', '%{Connect-Info}', (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet, 0)" group_membership_query = "SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "" postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW())" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked rlm_sql (sql): Attempting to connect to radius@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #4 rlm_sql (sql): Connected new DB handle, #4 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 36698 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.201 port 1024, id=35, length=209 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.201 NAS-Identifier = "sw2" User-Name = "laptop" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 2 NAS-Port-Type = Ethernet NAS-Port-Id = "2" Called-Station-Id = "00-1b-3f-33-26-40" Calling-Station-Id = "00-1c-25-9e-33-05" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" EAP-Message = 0x02010012017369656c6e65746c6170746f70 Message-Authenticator = 0x0f86b899b3c80565b75a145e2e24cf1a # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "laptop", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> laptop [sql] sql_set_user escaped user --> 'laptop' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'laptop' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 2 , fields = 5 [sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='laptop' ORDER BY priority rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 1 [sql] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = 'test' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 5 [sql] User found in group test [sql] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = 'test' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 3 , fields = 5 rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 35 to 192.168.0.201 port 1024 Framed-Protocol := PPP Service-Type := Framed-User Framed-Compression := Van-Jacobson-TCP-IP EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x07b3109207b11d36b09a0ff2df4e9786 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.201 port 1024, id=36, length=440 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.201 NAS-Identifier = "sw2" User-Name = "laptop" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 2 NAS-Port-Type = Ethernet NAS-Port-Id = "2" Called-Station-Id = "00-1b-3f-33-26-40" Calling-Station-Id = "00-1c-25-9e-33-05" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x07b3109207b11d36b09a0ff2df4e9786 EAP-Message = 0x020200e70d0016030100dc010000d8030154240358e334928ae57349df5318f66758b4456a181c619a24a453bd387de2c8000066c014c00ac022c0210039003800880087c00fc00500350084c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000049000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f000101 Message-Authenticator = 0xdeb315aa8319160ad3e0a8f45abcd622 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "laptop", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 231 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> laptop [sql] sql_set_user escaped user --> 'laptop' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'laptop' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 2 , fields = 5 [sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='laptop' ORDER BY priority rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 1 [sql] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = 'test' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 5 [sql] User found in group test [sql] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = 'test' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 3 , fields = 5 rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 00dc], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 003e], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 084e], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [tls] TLS_accept: SSLv3 write key exchange A [tls] >>> TLS 1.0 Handshake [length 00a2], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 36 to 192.168.0.201 port 1024 Framed-Protocol := PPP Service-Type := Framed-User Framed-Compression := Van-Jacobson-TCP-IP EAP-Message = 0x010304000dc000000a8d160301003e0200003a03015424014593826c5e6a348da5db149e49c19028c000c97ef787bd5f6c99dcb0ff00c014000012ff01000100000b000403000102000f000101160301084e0b00084a0008470003a23082039e30820286a003020102020101300d06092a864886f70d010104050030818f310b3009060355040613024445311630140603550408130d4e69656465727361636873656e3111300f060355040713084272756e7376696731153013060355040a130c5369656c4e657420652e562e3121301f06092a864886f70d0109011612737570706f7274407369656c6e65742e6465311b3019060355040314126672 EAP-Message = 0x6565726164697573407369656c6e6574301e170d3134303630333231303935375a170d3135303532393231303935375a307c310b3009060355040613024445311630140603550408130d4e69656465727361636873656e31153013060355040a130c5369656c4e657420652e562e311b30190603550403141266726565726164697573407369656c6e65743121301f06092a864886f70d0109011612737570706f7274407369656c6e65742e646530820122300d06092a864886f70d01010105000382010f003082010a0282010100c9762cddafffc5c07cbda4837818a0bf2d8991d7d60ced34959b52919406ceea0976fcc3f93f827c18f21409e39d EAP-Message = 0x1f61fd0e3974c1244992c239ef5dc89a0068c6f0d94179bb344c764112b61cc7af3052ca44c271b2a51953897534bb08df8730f1cfeab65a80ce4d0d44ebbd5f9f8edb38a1aeb8239247889496fd44d88dcdf43d9bc690b5ef8c6d07c676de4f9884749c18d3678a6a0614cc14595c24da3080aa1fcff2a6e3b03a2653126519ffe87906b21d677c0bb8bbe7b8942d69f6f3579dfe6f38139035cc5f3cc0a770e6b6047ccb935f0d430b29f2bee21c488c4e16715383a2e44edf7487eccb3b275981329d3b61af17517803069718ec4e05d10203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104 EAP-Message = 0x050003820101005e31c1a5b1f0d98c53d27298feb3f2b205619f90eef1308b0da9d6de97e2595208ce64b3f0e70ba8a2679503e4c69634d704790107cd53e74ebde931b8bb378910f43c53e83fabe0b27e7cd8722029bb08d332fca5d78e80a5ca81537e882f3aa8af83c22476b35d0586793ae5cdbb787b5e47ec0457ca3ba9ac3b07c7d76c5585779e91428e30c3854f32565106fa01c36ad30febd8fb1fa9cdad0e18ab4a80c68ef295acb4debf1bc1badce44319b73686a608ecf8bfdcdc39ef672c7dd52b158896b2d82308301504cc1c691da03ca4b3b606a68765c28efb82de68bee26a12fba4d541df29d84a6b03407eb659e822cabfccc051 EAP-Message = 0x84987d4416bac3ce663a0004 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x07b3109206b01d36b09a0ff2df4e9786 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.201 port 1024, id=37, length=215 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.201 NAS-Identifier = "sw2" User-Name = "laptop" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 2 NAS-Port-Type = Ethernet NAS-Port-Id = "2" Called-Station-Id = "00-1b-3f-33-26-40" Calling-Station-Id = "00-1c-25-9e-33-05" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x07b3109206b01d36b09a0ff2df4e9786 EAP-Message = 0x020300060d00 Message-Authenticator = 0x6637ee5e9340fa991ee9045e8fffb4ef # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "laptop", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> laptop [sql] sql_set_user escaped user --> 'laptop' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'laptop' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 2 , fields = 5 [sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='laptop' ORDER BY priority rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 1 [sql] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = 'test' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 5 [sql] User found in group test [sql] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = 'test' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 3 , fields = 5 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 37 to 192.168.0.201 port 1024 Framed-Protocol := PPP Service-Type := Framed-User Framed-Compression := Van-Jacobson-TCP-IP EAP-Message = 0x010404000dc000000a8d9f3082049b30820383a00302010202090097606b3e1c8bf851300d06092a864886f70d010105050030818f310b3009060355040613024445311630140603550408130d4e69656465727361636873656e3111300f060355040713084272756e7376696731153013060355040a130c5369656c4e657420652e562e3121301f06092a864886f70d0109011612737570706f7274407369656c6e65742e6465311b30190603550403141266726565726164697573407369656c6e6574301e170d3134303630333231303935375a170d3135303532393231303935375a30818f310b3009060355040613024445311630140603550408 EAP-Message = 0x130d4e69656465727361636873656e3111300f060355040713084272756e7376696731153013060355040a130c5369656c4e657420652e562e3121301f06092a864886f70d0109011612737570706f7274407369656c6e65742e6465311b30190603550403141266726565726164697573407369656c6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100a4e297c9714cfe6bda4dd3f3ea9f8f1d21e785bd6132b34a478366072b781909f7ac55f59e8a8d5fd79a9a5976b4e3066155a08e2d4627d8ea52833403ee9381470ae165bdc2e2cdd65405535c9a33d81c15c31a1f116e5a925e419e667dc7ab9edac0 EAP-Message = 0xfbc3edcc9413c0dd44c20058a463e12483304115a189cef5f4c1a9e39b79b9d4c9bd074be68fd5664d1b781561c30624136f0c1df37e56b976ead0ec00337e7fda306d434dce07c828dcbd4596f6c124764a39516f604aed5f967d452f1968b8c20e8e350241fe94f806a708ef08a00d52b966510b67a3ea1f1c86687b35b51eb70920eac263a23bcbdf7e3eabe4b51e7ff10431894e17c25c6b7874d30203010001a381f73081f4301d0603551d0e041604142f967e3138107f1b9738d2539cebe632c35045513081c40603551d230481bc3081b980142f967e3138107f1b9738d2539cebe632c3504551a18195a4819230818f310b30090603550406 EAP-Message = 0x13024445311630140603550408130d4e69656465727361636873656e3111300f060355040713084272756e7376696731153013060355040a130c5369656c4e657420652e562e3121301f06092a864886f70d0109011612737570706f7274407369656c6e65742e6465311b30190603550403141266726565726164697573407369656c6e657482090097606b3e1c8bf851300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010031f4ac37eb4125a30827d22da0b7def59b77619ac322e4a518525f2292057853442634b46b7cb5f69b7944aa3eec90243ee2de1453bb7a2c7ab8fdd02880a21eb2097a382247ace38b95 EAP-Message = 0x2d89e524a87882e45098e69c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x07b3109205b71d36b09a0ff2df4e9786 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.201 port 1024, id=38, length=215 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.201 NAS-Identifier = "sw2" User-Name = "laptop" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 2 NAS-Port-Type = Ethernet NAS-Port-Id = "2" Called-Station-Id = "00-1b-3f-33-26-40" Calling-Station-Id = "00-1c-25-9e-33-05" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x07b3109205b71d36b09a0ff2df4e9786 EAP-Message = 0x020400060d00 Message-Authenticator = 0x67716a43b571a9813560079942dae9a7 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "laptop", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> laptop [sql] sql_set_user escaped user --> 'laptop' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'laptop' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 2 , fields = 5 [sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='laptop' ORDER BY priority rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 1 [sql] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = 'test' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 5 [sql] User found in group test [sql] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = 'test' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 3 , fields = 5 rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 38 to 192.168.0.201 port 1024 Framed-Protocol := PPP Service-Type := Framed-User Framed-Compression := Van-Jacobson-TCP-IP EAP-Message = 0x010502ab0d8000000a8d84121a48832ada64b740ceef48eb4f332e09d19fb4ac04376640c55242f655e13dc49bab876726a782cff2f8a3798415dbb2a427f070fa74de2cfb40b9b7b471df1301e61f188eae20ee1ba40d7768aead0d5343babad7217ed6abee27f1375f8f39651d6c4ff59953e1e1e0f30e705774d614e899e11f31ef7bda6e0a0bf1ae3659419ae9e6ee85024f257f577784e7de07537011f4be32f60559f09634ca3a9b8632a3e73e418d1a2b160301014b0c0001470300174104cc5a9a6ee2d2054a33392efd26743a913855ebc9dd2d92da44b3cee59db08692238af5dd9fb12e46f3928a1822b2c87c0397b0696c0fef3bc92707 EAP-Message = 0xdd4b8485ff01009971ac1185d37527b0e896c6bf25736c0e63ebc42194117bb39afafef61020374abe689e940e31c3159e5e999381b12a2894669e404a73680289034e3ef9c8f74114836670a1eafc18a20575c293ff85cd77de629e8660a1abfc51ecafb0f18420c99300d4035968b4c8e3aa00f35267598e3aa0844799779f9b83b9e3df5ad62afa39ece6328fc743de37124bd988cfe02dd6b0c85af8d9101a2261efffa70726e343bf697cff77720dae455edba0726538b3fb65785598402d5946c11b8fad4cc875f0c81e663a1f77ff7ccf707162ea7dfefb8a6640af8ce67b5d528c9daed9e22e57d05f62dcfbfa8f452df8df9c8ce13c35b9d7 EAP-Message = 0x646b3c835635f1342d3516030100a20d00009a030102400094009230818f310b3009060355040613024445311630140603550408130d4e69656465727361636873656e3111300f060355040713084272756e7376696731153013060355040a130c5369656c4e657420652e562e3121301f06092a864886f70d0109011612737570706f7274407369656c6e65742e6465311b30190603550403141266726565726164697573407369656c6e65740e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x07b3109204b61d36b09a0ff2df4e9786 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.201 port 1024, id=39, length=1529 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.201 NAS-Identifier = "sw2" User-Name = "laptop" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 2 NAS-Port-Type = Ethernet NAS-Port-Id = "2" Called-Station-Id = "00-1b-3f-33-26-40" Calling-Station-Id = "00-1c-25-9e-33-05" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x07b3109204b61d36b09a0ff2df4e9786 EAP-Message = 0x0205051e0dc0000009e616030108500b00084c0008490003a4308203a030820288a003020102020102300d06092a864886f70d010104050030818f310b3009060355040613024445311630140603550408130d4e69656465727361636873656e3111300f060355040713084272756e7376696731153013060355040a130c5369656c4e657420652e562e3121301f06092a864886f70d0109011612737570706f7274407369656c6e65742e6465311b30190603550403141266726565726164697573407369656c6e6574301e170d3134303630353131343433355a170d3135303533313131343433355a307e310b300906035504061302444531163014 EAP-Message = 0x0603550408130d4e69656465727361636873656e31153013060355040a130c5369656c4e657420652e562e311630140603550403130d7369656c6e65746c6170746f703128302606092a864886f70d01090116197369656c6e65746c6170746f70406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c374bf92dc4db1db05191cde2aa1691c8184980fe05d0548b97c99777dcc808390d457f457e7c7e1af9616fad75875acfb5a8780a6a11e5ed65f5945c25354d9cd1d34411849d116e6366e3d1c657a0b1b579fd24f3b889662383611d038d36aba04373367c3be29870f24767fe4f3 EAP-Message = 0xd227fcedaff18e1776eadcfbc7aa78a0805cda6977658e875a2252cda92256ef0a6daec53526a9dc5851cf397acdaec2371c81b5ad164c704a5ff84fb811fb76b5cf8bdece9977bcf74cf346d9fa9cb1050dd91096f188866b00eb91616e023596eb1e5caa4586c0e5ac79ebc81d87892e013deef5c5fb2cb33bff9c38147e7b60889433e7d99588bb25ac8abd9698959b0203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d010104050003820101007ebb20e618f114a6f3c211afed8fae934b636cb44abdf36d9ffd07d6fe871c30680257fedad1732b8a503aedc43f97cd6c951f302e8c916a9fbe EAP-Message = 0x1c20b2750f1ff190a82cde9cae29e591c8da44c06fcfae3adfad3d84c02c1b50a032dc7962f5a8a544d0a7f61abc4d71f36a3b00c0f44ecb97ffcd95a9adb582b38c47ac1f74db023d25a3a6f863a81855888272b11c4cc305e29ea94f5ea35b83ee603b2e676023938e1273ad15b0249d73f12962dc4f4f83748c07ae07fdac8fec9e062785b86c77f62c35025bd60c023a9c94ec00bd7edf56979d249f431aaf564b23ebbe6cabcdd70b2d76c5515e96e694824cee61d7d92d980c8b518cecdb91f38ee50400049f3082049b30820383a00302010202090097606b3e1c8bf851300d06092a864886f70d010105050030818f310b3009060355040613 EAP-Message = 0x024445311630140603550408130d4e69656465727361636873656e3111300f060355040713084272756e7376696731153013060355040a130c5369656c4e657420652e562e3121301f06092a864886f70d0109011612737570706f7274407369656c6e65742e6465311b30190603550403141266726565726164697573407369656c6e6574301e170d3134303630333231303935375a170d3135303532393231303935375a30818f310b3009060355040613024445311630140603550408130d4e69656465727361636873656e3111300f060355040713084272756e7376696731153013060355040a130c5369656c4e657420652e562e3121301f0609 EAP-Message = 0x2a864886f70d0109011612737570706f7274407369656c6e65742e6465311b3019060355040314126672656572 Message-Authenticator = 0x37432280ddfc4e86dfffca14d5579f46 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "laptop", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> laptop [sql] sql_set_user escaped user --> 'laptop' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'laptop' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 2 , fields = 5 [sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='laptop' ORDER BY priority rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 1 [sql] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = 'test' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 5 [sql] User found in group test [sql] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = 'test' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 3 , fields = 5 rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 2534 [tls] Received EAP-TLS First Fragment of the message [tls] eaptls_verify returned 9 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 39 to 192.168.0.201 port 1024 Framed-Protocol := PPP Service-Type := Framed-User Framed-Compression := Van-Jacobson-TCP-IP EAP-Message = 0x010600060d00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x07b3109203b51d36b09a0ff2df4e9786 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.201 port 1024, id=40, length=1457 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.201 NAS-Identifier = "sw2" User-Name = "laptop" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 2 NAS-Port-Type = Ethernet NAS-Port-Id = "2" Called-Station-Id = "00-1b-3f-33-26-40" Calling-Station-Id = "00-1c-25-9e-33-05" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x07b3109203b51d36b09a0ff2df4e9786 EAP-Message = 0x020604d80d006164697573407369656c6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100a4e297c9714cfe6bda4dd3f3ea9f8f1d21e785bd6132b34a478366072b781909f7ac55f59e8a8d5fd79a9a5976b4e3066155a08e2d4627d8ea52833403ee9381470ae165bdc2e2cdd65405535c9a33d81c15c31a1f116e5a925e419e667dc7ab9edac0fbc3edcc9413c0dd44c20058a463e12483304115a189cef5f4c1a9e39b79b9d4c9bd074be68fd5664d1b781561c30624136f0c1df37e56b976ead0ec00337e7fda306d434dce07c828dcbd4596f6c124764a39516f604aed5f967d452f1968b8c20e8e350241 EAP-Message = 0xfe94f806a708ef08a00d52b966510b67a3ea1f1c86687b35b51eb70920eac263a23bcbdf7e3eabe4b51e7ff10431894e17c25c6b7874d30203010001a381f73081f4301d0603551d0e041604142f967e3138107f1b9738d2539cebe632c35045513081c40603551d230481bc3081b980142f967e3138107f1b9738d2539cebe632c3504551a18195a4819230818f310b3009060355040613024445311630140603550408130d4e69656465727361636873656e3111300f060355040713084272756e7376696731153013060355040a130c5369656c4e657420652e562e3121301f06092a864886f70d0109011612737570706f7274407369656c6e6574 EAP-Message = 0x2e6465311b30190603550403141266726565726164697573407369656c6e657482090097606b3e1c8bf851300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010031f4ac37eb4125a30827d22da0b7def59b77619ac322e4a518525f2292057853442634b46b7cb5f69b7944aa3eec90243ee2de1453bb7a2c7ab8fdd02880a21eb2097a382247ace38b952d89e524a87882e45098e69c84121a48832ada64b740ceef48eb4f332e09d19fb4ac04376640c55242f655e13dc49bab876726a782cff2f8a3798415dbb2a427f070fa74de2cfb40b9b7b471df1301e61f188eae20ee1ba40d7768aead0d5343babad7217ed6 EAP-Message = 0xabee27f1375f8f39651d6c4ff59953e1e1e0f30e705774d614e899e11f31ef7bda6e0a0bf1ae3659419ae9e6ee85024f257f577784e7de07537011f4be32f60559f09634ca3a9b8632a3e73e418d1a2b160301004610000042410458338c8f6ed148bd88111afe2fce8e96c8810dc3853b0725e9c07207bfce9282138d5dd8805b243a0c333d0061f9a15ab8e6b3be248f07cb3438826253079a8e16030101060f000102010006b65fd648dfbf608fb6d55ccb4b5bdf02d7ddc26a2a37d304c0fb1a9a02f31931f3190259a5066bbcabd8c20dc9a63d86a48a9cf5855f24a743070b1eeb1e7a61db43ec3e74a50bf6c06e96119ac524e3e1fe12b10200 EAP-Message = 0xa4323f26bf5088cb5b0bd9fe3ac41737e14c748d81b70f1493f35b59c4227ebae48a9ee9f4d133980dbebb66b454c0d5dbf73b6555e2ef6cb5835b894e8102307c2323176e0382a78bb6bb01c7ea88148b22f8e190f8c1d588c90405af7a9457c777986addd30438de612c9ab2d53cf4043f225f8bec7eb348e46d7ef615540c619d1a208de221f493bdb9ee5600e473d8ef652fed27be896fdbbcde1629a4970b61fce18458a305111403010001011603010030dd6ddbede57e7b1c9abcca921bd85e522c673a43539cc2c782bd7a52dcc4b2559dd21e5af0653b8eb7df85eae00557ad Message-Authenticator = 0xfe25690b8aebdd6f45be8b812b12775b # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "laptop", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> laptop [sql] sql_set_user escaped user --> 'laptop' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'laptop' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 2 , fields = 5 [sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='laptop' ORDER BY priority rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 1 [sql] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = 'test' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 5 [sql] User found in group test [sql] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = 'test' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 3 , fields = 5 rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] <<< TLS 1.0 Handshake [length 0850], Certificate [tls] chain-depth=1, [tls] error=0 [tls] --> User-Name = laptop [tls] --> BUF-Name = freeradius@sielnet [tls] --> subject = /C=DE/ST=Niedersachsen/L=Brunsvig/O=SielNet e.V./emailAddress=support@sielnet.de/CN=freeradius@sielnet [tls] --> issuer = /C=DE/ST=Niedersachsen/L=Brunsvig/O=SielNet e.V./emailAddress=support@sielnet.de/CN=freeradius@sielnet [tls] --> verify return:1 [tls] chain-depth=0, [tls] error=0 [tls] --> User-Name = laptop [tls] --> BUF-Name = laptop [tls] --> subject = /C=DE/ST=Niedersachsen/O=SielNet e.V./CN=laptop/emailAddress=laptop@example.com [tls] --> issuer = /C=DE/ST=Niedersachsen/L=Brunsvig/O=SielNet e.V./emailAddress=support@sielnet.de/CN=freeradius@sielnet [tls] --> verify return:1 [tls] TLS_accept: SSLv3 read client certificate A [tls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [tls] TLS_accept: SSLv3 read client key exchange A [tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify [tls] TLS_accept: SSLv3 read certificate verify A [tls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [tls] <<< TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 read finished A [tls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [tls] TLS_accept: SSLv3 write change cipher spec A [tls] >>> TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 write finished A [tls] TLS_accept: SSLv3 flush data [tls] (other): SSL negotiation finished successfully SSL Connection Established [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 40 to 192.168.0.201 port 1024 Framed-Protocol := PPP Service-Type := Framed-User Framed-Compression := Van-Jacobson-TCP-IP EAP-Message = 0x010700450d800000003b1403010001011603010030df5e27c36aacfb68feb2beb793bf67e6e9e2fd751c9d56352aa0b4ff37cde26aa321a29631f1791ec6885f516199fe2d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x07b3109202b41d36b09a0ff2df4e9786 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.201 port 1024, id=41, length=215 Framed-MTU = 1480 NAS-IP-Address = 192.168.0.201 NAS-Identifier = "sw2" User-Name = "laptop" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 2 NAS-Port-Type = Ethernet NAS-Port-Id = "2" Called-Station-Id = "00-1b-3f-33-26-40" Calling-Station-Id = "00-1c-25-9e-33-05" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x07b3109202b41d36b09a0ff2df4e9786 EAP-Message = 0x020700060d00 Message-Authenticator = 0xa8ca96dceba238a2bc333ced9c87b158 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "laptop", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> laptop [sql] sql_set_user escaped user --> 'laptop' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'laptop' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 2 , fields = 5 [sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='laptop' ORDER BY priority rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 1 [sql] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = 'test' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 5 [sql] User found in group test [sql] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = 'test' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 3 , fields = 5 rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake is finished [tls] eaptls_verify returned 3 [tls] eaptls_process returned 3 [tls] Adding user data to cached session [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 41 to 192.168.0.201 port 1024 Framed-Protocol := PPP Service-Type := Framed-User Framed-Compression := Van-Jacobson-TCP-IP MS-MPPE-Recv-Key = 0x95cb3bc08bbc313b973d2ff15bc144a70044889a430a974d04c3fc86b45f87e0 MS-MPPE-Send-Key = 0x155a60ec14c5bc8b6761a39b0edc9c029f95d039179095e2aa695dd8615fd345 EAP-Message = 0x03070004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "laptop" Finished request 6. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 35 with timestamp +7 Cleaning up request 1 ID 36 with timestamp +7 Cleaning up request 2 ID 37 with timestamp +7 Cleaning up request 3 ID 38 with timestamp +7 Cleaning up request 4 ID 39 with timestamp +7 Cleaning up request 5 ID 40 with timestamp +7 Cleaning up request 6 ID 41 with timestamp +7 Ready to process requests. rad_recv: Accounting-Request packet from host 192.168.0.201 port 1025, id=42, length=115 Acct-Session-Id = "006A00000004" Acct-Status-Type = Start Service-Type = Framed-User Acct-Authentic = RADIUS NAS-Port = 2 Calling-Station-Id = "00-1C-25-9E-33-05" NAS-IP-Address = 192.168.0.201 NAS-Identifier = "sw2" Framed-IP-Address = 192.168.0.12 User-Name = "laptop" Acct-Delay-Time = 0 # Executing section preacct from file /etc/freeradius/sites-enabled/default +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 2,Client-IP-Address = 192.168.0.201,NAS-IP-Address = 192.168.0.201,Acct-Session-Id = "006A00000004",User-Name = "laptop"' [acct_unique] Acct-Unique-Session-ID = "0cae66a72b0dac43". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "laptop", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop # Executing section accounting from file /etc/freeradius/sites-enabled/default +- entering group accounting {...} [detail] expand: %{Packet-Src-IP-Address} -> 192.168.0.201 [detail] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.201/detail-20140925 [detail] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.201/detail-20140925 [detail] expand: %t -> Thu Sep 25 13:50:10 2014 ++[detail] returns ok ++[unix] returns ok [radutmp] expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp [radutmp] expand: %{User-Name} -> laptop ++[radutmp] returns ok [sql] expand: %{User-Name} -> laptop [sql] sql_set_user escaped user --> 'laptop' [sql] expand: %{NAS-Port} -> 2 [sql] expand: %{Acct-Delay-Time} -> 0 [sql] expand: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctAuthentic, ConnectInfo_start, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, XAscendSessionSvrKey) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{NAS-IP-Address}', %{%{NAS-Port}:-NULL}, '%{NAS-Port-Type}', ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), '%{Acct-Authentic}', '%{Connect-Info}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet, 0, '%{X-Ascend-Session-Svr-Key}') -> INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctAuthentic, ConnectInfo_start, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_postgresql: Status: PGRES_COMMAND_OK rlm_sql_postgresql: query affected rows = 1 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[exec] returns noop [attr_filter.accounting_response] expand: %{User-Name} -> laptop attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 42 to 192.168.0.201 port 1025 Finished request 7. Cleaning up request 7 ID 42 with timestamp +52 Going to the next request Ready to process requests. rad_recv: Accounting-Request packet from host 192.168.0.201 port 1025, id=43, length=145 Acct-Session-Id = "006A00000004" Acct-Status-Type = Interim-Update Service-Type = Framed-User Acct-Authentic = RADIUS NAS-Port = 2 Calling-Station-Id = "00-1C-25-9E-33-05" NAS-IP-Address = 192.168.0.201 NAS-Identifier = "sw2" Framed-IP-Address = 192.168.0.12 User-Name = "laptop" Acct-Session-Time = 105 Acct-Input-Octets = 12900 Acct-Output-Octets = 4756 Acct-Input-Packets = 60 Acct-Output-Packets = 18 Acct-Delay-Time = 0 # Executing section preacct from file /etc/freeradius/sites-enabled/default +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 2,Client-IP-Address = 192.168.0.201,NAS-IP-Address = 192.168.0.201,Acct-Session-Id = "006A00000004",User-Name = "laptop"' [acct_unique] Acct-Unique-Session-ID = "0cae66a72b0dac43". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "laptop", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop # Executing section accounting from file /etc/freeradius/sites-enabled/default +- entering group accounting {...} [detail] expand: %{Packet-Src-IP-Address} -> 192.168.0.201 [detail] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.201/detail-20140925 [detail] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.201/detail-20140925 [detail] expand: %t -> Thu Sep 25 13:51:10 2014 ++[detail] returns ok ++[unix] returns noop [radutmp] expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp [radutmp] expand: %{User-Name} -> laptop ++[radutmp] returns ok [sql] expand: %{User-Name} -> laptop [sql] sql_set_user escaped user --> 'laptop' [sql] expand: %{Acct-Input-Gigawords} -> [sql] ... expanding second conditional [sql] expand: %{Acct-Input-Octets} -> 12900 [sql] expand: %{Acct-Output-Gigawords} -> [sql] ... expanding second conditional [sql] expand: %{Acct-Output-Octets} -> 4756 [sql] expand: UPDATE radacct SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint) WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime IS NULL -> UPDATE radacct SET FramedIPAddress = NULLIF('192.168.0.12', '')::inet, AcctSessionTime = '105', AcctInputOctets = (('0'::bigint << 32) + '12900'::bigint), AcctOutputOctets = (('0'::bigint << 32) + '4756'::bigint) WHERE AcctSessionId = '006A00000004' AND UserName = 'laptop' AND NASIPAddress= '192.168.0.201' AND AcctStopTime IS NULL rlm_sql (sql): Reserving sql socket id: 1 rlm_sql_postgresql: Status: PGRES_COMMAND_OK rlm_sql_postgresql: query affected rows = 1 rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[exec] returns noop [attr_filter.accounting_response] expand: %{User-Name} -> laptop attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 43 to 192.168.0.201 port 1025 Finished request 8. Cleaning up request 8 ID 43 with timestamp +112 Going to the next request Ready to process requests.
Bode Benjamin wrote:
we got freeradius working and are using only eap-tls. Now we are trying to check if the users MAC-Address is the right one. Each user gets one public IP-Address (via dhcp); to assure that they don't do mac-spoofing we need this feature.
That's pretty standard.
Right now our problem is, when using eap-tls, the sql module don't seem to check the calling-station-id in the radcheck-table against the calling-station-id in the request.
Please read doc/rlm_sql, or the same file on the Wiki. Simply *checking* for a Calling-Station-Id does nothing. You have to tell the server what to *do*, also. The SQL module doesn't return reject if the entry doesn't match. Another module may authenticate the user, and therefore accept them.
When trying the same thing with the user blub (and using a incorrect MAC) sql returns user notfound (that is what we want) and the request gets rejected. So it don't seems to be a problem with our NAS.
The server is the one sending Access-Accept or Access-Reject. So to change the return packet type, change the server. The NAS has nothing to do with it.
Any idea why this is not working with eap-tls? What have we done wrong?
You're not telling the server to *reject* the user when the Calling-Station-Id fails to match.
Our tables are: radcheck id | username | attribute | op | value ----+---------------+--------------------+----+------------------- 1 | laptop | Auth-Type | := | EAP 2 | RAT | Auth-Type | := | EAP
There's no need to set Auth-Type. And in 99% of situations, it's wrong
3 | laptop | Calling-Station-Id | == | aa-bb-cc-dd-ee-ff
Read the rlm_sql docs. The "laptop" entries say: if Calling-Station-Id == aa-bb-cc-dd-ee-ff then set Auth-Type := EAP That doesn't match, but the user isn't rejected. (For good reasons). The EAP module *also* sets Auth-Type := EAP, so EAP-TLS ends up working. You have to update the tables to do what you want. The problem here is you're thinking "check Calling-Station-Id in the table against the one in the request". Yes, it's doing that. Exactly that. But you want it to do *more*. What you want is the following: if the calling station Id DOESN'T match, reject. Which should be simple enough to do: id | username | attribute | op | value ----+---------------+--------------------+----+------------------- 1 | laptop | Auth-Type | := | Reject 3 | laptop | Calling-Station-Id | != | aa-bb-cc-dd-ee-ff Forcing a Reject is about the only time you need to set Auth-Type. Alan DeKok.
participants (2)
-
Alan DeKok -
Bode Benjamin