Sending an attribute with the Access-Accept instead of Access-Challenge
Hi All, I am testing 802.1x support on our platform and I'm having trouble figuring out how to include some attributes with Access-Accept. I read the 'users' file man page but could not get the answer. So my user is as shown below in the users file qatester Cleartext-Password := "qatester" Session-Timeout = 20, Termination-Action = 1 Now the authorization works fine but the Session-Timeout attribute is ncluded in the Access-Challenge message as I understand. I want to send it with the Access-Accept message. I have copied debug information below. ############## Debug Infor Starts ################## rad_recv: Access-Request packet from host 192.168.0.159 port 4999, id=66, length=106 Calling-Station-Id = "00-1A-6B-66-DD-7E" NAS-Port = 1 User-Name = "qatester" NAS-IP-Address = 192.168.0.159 Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0202000d017161746573746572 Message-Authenticator = 0x29d87ac1ec4ca82352df5fe82cc5849e # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "qatester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry qatester at line 139 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 66 to 192.168.0.159 port 4999 Session-Timeout = 20 Termination-Action = RADIUS-Request EAP-Message = 0x0103001604109e9fffb0d5e6393e5ef410df900b8d2f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x68cd38bb68ce3cd51b0b4c1f6b1aa976 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.159 port 4999, id=67, length=117 Calling-Station-Id = "00-1A-6B-66-DD-7E" NAS-Port = 1 User-Name = "qatester" NAS-IP-Address = 192.168.0.159 Service-Type = Framed-User Framed-MTU = 1500 State = 0x68cd38bb68ce3cd51b0b4c1f6b1aa976 EAP-Message = 0x020300060319 Message-Authenticator = 0x7a4fba042bc71fbee8de9b56077c2ca8 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "qatester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry qatester at line 139 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 67 to 192.168.0.159 port 4999 Session-Timeout = 20 Termination-Action = RADIUS-Request EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x68cd38bb69c921d51b0b4c1f6b1aa976 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.159 port 4999, id=68, length=233 Calling-Station-Id = "00-1A-6B-66-DD-7E" NAS-Port = 1 User-Name = "qatester" NAS-IP-Address = 192.168.0.159 Service-Type = Framed-User Framed-MTU = 1500 State = 0x68cd38bb69c921d51b0b4c1f6b1aa976 EAP-Message = 0x0204007a198000000070160301006b0100006703014d2dbcb9a99cbfaf828b78feb5deaaf1ee341152fe91df965d169a89dee7048e000018002f00350005000ac013c014c009c00a003200380013000401000026ff010001000000000d000b0000087161746573746572000a0006000400170018000b00020100 Message-Authenticator = 0xa246d84f9ddb81f240afcf2e322c88c9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "qatester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 122 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 112 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 006b], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 01c7], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 68 to 192.168.0.159 port 4999 EAP-Message = 0x01050211190016030100310200002d03014d2dbc97022caaaf6f23f7d5d4e29a0f9294e529db827c96c177be0d019bd6c100002f000005ff0100010016030101c70b0001c30001c00001bd308201b930820122020900bad757ba2ede8781300d06092a864886f70d01010505003021311f301d06035504031316766976656b756d6173757468616e2e656e672e6c616e301e170d3130303931363137313930315a170d3230303931333137313930315a3021311f301d06035504031316766976656b756d6173757468616e2e656e672e6c616e30819f300d06092a864886f70d010101050003818d0030818902818100d854b0ba17df1998fca8e87872 EAP-Message = 0xc937f5c12631f52874b71e65b035a7093b2039ca4b71e1692fc977d675d2b659cc9fa7a80c29c0defd5708afd9b2308d4088a7674eed45076bda8431628be016bda82783d9257d996e01287937e84110d1845029f8bd4a25d36ad2b9e4e9c2d37089512ce1d4b513d88d16f39879bbb955abfb0203010001300d06092a864886f70d01010505000381810050a6fbba9b6a9ed741a81d213d04f1d9dd2ad62d8653c48165019586c1a909e567d37c79300c82cc98945e4075dc8fb55c5cbf1aa2d2b50a8cb5f6b00c49704a9e7c72b9cbbb1bf5637a24450d0ff7a178b3eb679136a0af2374115cb12d8cbf40c7c982e6bc9e0538ca4a4f47c4eae0c2c6 EAP-Message = 0x28fe6ccf30d72506f8a836ce1ffa16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x68cd38bb6ac821d51b0b4c1f6b1aa976 Finished request 2. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 192.168.0.159 port 4999, id=69, length=319 Calling-Station-Id = "00-1A-6B-66-DD-7E" NAS-Port = 1 User-Name = "qatester" NAS-IP-Address = 192.168.0.159 Service-Type = Framed-User Framed-MTU = 1500 State = 0x68cd38bb6ac821d51b0b4c1f6b1aa976 EAP-Message = 0x020500d01980000000c6160301008610000082008034f094933081749819a81c8fc561c2ef8a60263d6acf6360211b5ae43c840a0f74e7392817971a93c55bbf9e76443b1500fc80031616f4991ddd18dc6917b02e0a4e5ddfa781c99d7f46025694de47cf7f3df537b78ea541b395b749fbece93ea68e0ef09d913a59215b1a73e3d2917b3cd65d2e4fafa57084f19a33ad3cc9a6140301000101160301003004981ccf99aada36e602deaff108ab6754718d2795fbdb47cb4aef2a266e9129956f2f6816bdb11c99e69cdeb356f95f Message-Authenticator = 0x43bb361280528e5b0bb8ffeaa6066664 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "qatester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 69 to 192.168.0.159 port 4999 EAP-Message = 0x01060041190014030100010116030100307f0fc86e3f93a5310b3546c6dc6a9ff101bd3fac208a68e94852b0e862a0185c93e84bd423a01047b3a71b584c95e305 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x68cd38bb6bcb21d51b0b4c1f6b1aa976 Finished request 3. Going to the next request Waking up in 3.8 seconds. rad_recv: Access-Request packet from host 192.168.0.159 port 4999, id=70, length=117 Calling-Station-Id = "00-1A-6B-66-DD-7E" NAS-Port = 1 User-Name = "qatester" NAS-IP-Address = 192.168.0.159 Service-Type = Framed-User Framed-MTU = 1500 State = 0x68cd38bb6bcb21d51b0b4c1f6b1aa976 EAP-Message = 0x020600061900 Message-Authenticator = 0x55a47ca2aa8532afc337360c4d4ea55b # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "qatester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 70 to 192.168.0.159 port 4999 EAP-Message = 0x0107002b190017030100205302a790bac2f45d29df768df9b13962d86effcc264c8bc1cca510c72513b6ec Message-Authenticator = 0x00000000000000000000000000000000 State = 0x68cd38bb6cca21d51b0b4c1f6b1aa976 Finished request 4. Going to the next request Waking up in 3.4 seconds. rad_recv: Access-Request packet from host 192.168.0.159 port 4999, id=71, length=154 Calling-Station-Id = "00-1A-6B-66-DD-7E" NAS-Port = 1 User-Name = "qatester" NAS-IP-Address = 192.168.0.159 Service-Type = Framed-User Framed-MTU = 1500 State = 0x68cd38bb6cca21d51b0b4c1f6b1aa976 EAP-Message = 0x0207002b190017030100209decffdfd6c00699e24cd793265f30028937c7c50808936f717fa81d148593ce Message-Authenticator = 0x257a80aa49d86acb1f3112cfa102da7e # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "qatester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - qatester [peap] Got inner identity 'qatester' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0207000d017161746573746572 server { PEAP: Setting User-Name to qatester Sending tunneled request EAP-Message = 0x0207000d017161746573746572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "qatester" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "qatester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry qatester at line 139 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 Session-Timeout = 20 Termination-Action = RADIUS-Request EAP-Message = 0x010800221a0108001d106ef613ff24d68155ebabf27c814008277161746573746572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x45767b5d457e612613612e72d3be89f8 [peap] Got tunneled reply RADIUS code 11 Session-Timeout = 20 Termination-Action = RADIUS-Request EAP-Message = 0x010800221a0108001d106ef613ff24d68155ebabf27c814008277161746573746572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x45767b5d457e612613612e72d3be89f8 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 71 to 192.168.0.159 port 4999 EAP-Message = 0x0108004b19001703010040e22d2314e64447e30cfe5df1f66c8391a523f942bc14beec164f6793729ebfb63bcaa3b43194b5c505d3c0f33e7bd905c52a608bac1b1dd45550b8a8a56a308a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x68cd38bb6dc521d51b0b4c1f6b1aa976 Finished request 5. Going to the next request Waking up in 2.8 seconds. rad_recv: Access-Request packet from host 192.168.0.159 port 4999, id=72, length=218 Calling-Station-Id = "00-1A-6B-66-DD-7E" NAS-Port = 1 User-Name = "qatester" NAS-IP-Address = 192.168.0.159 Service-Type = Framed-User Framed-MTU = 1500 State = 0x68cd38bb6dc521d51b0b4c1f6b1aa976 EAP-Message = 0x0208006b19001703010060c71b73411e3216a7308b5d4572da3a1c384b630541eec6dd6988ca61eb2c379fe85e31dc56ac14c694e32d0ccbefe65ec892a307d2e45e30fd1f8164ac7289717daebc94eca9e36ac18e13febf45ef974774b1f08a7426a56c482d2deed5a966 Message-Authenticator = 0xb2002fa406169f6f73889c6d9d1cec50 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "qatester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800431a0208003e31744787c6cd670c93abf03715268692ca00000000000000000d103f579e41477a49f40c4793ce60099c480ff0a423c097007161746573746572 server { PEAP: Setting User-Name to qatester Sending tunneled request EAP-Message = 0x020800431a0208003e31744787c6cd670c93abf03715268692ca00000000000000000d103f579e41477a49f40c4793ce60099c480ff0a423c097007161746573746572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "qatester" State = 0x45767b5d457e612613612e72d3be89f8 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "qatester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 67 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry qatester at line 139 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: qatester [mschap] Told to do MS-CHAPv2 for qatester with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 Session-Timeout = 20 Termination-Action = RADIUS-Request EAP-Message = 0x010900331a0308002e533d42414242313046414244344530424136373936393141433033334636383132353043414142383734 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x45767b5d447f612613612e72d3be89f8 [peap] Got tunneled reply RADIUS code 11 Session-Timeout = 20 Termination-Action = RADIUS-Request EAP-Message = 0x010900331a0308002e533d42414242313046414244344530424136373936393141433033334636383132353043414142383734 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x45767b5d447f612613612e72d3be89f8 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 72 to 192.168.0.159 port 4999 EAP-Message = 0x0109005b19001703010050f89f3653bfbac15816fac0abbf255ae7afe338b35de7b934b9ce3c84d4c67f24f4f8768a7433bb41fbcf164c5c4cd2511fdd798fee758f69a1a10b04740f5337155c3cb5a687e5ec73bd8aa936d941bd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x68cd38bb6ec421d51b0b4c1f6b1aa976 Finished request 6. Going to the next request Waking up in 2.3 seconds. rad_recv: Access-Request packet from host 192.168.0.159 port 4999, id=73, length=154 Calling-Station-Id = "00-1A-6B-66-DD-7E" NAS-Port = 1 User-Name = "qatester" NAS-IP-Address = 192.168.0.159 Service-Type = Framed-User Framed-MTU = 1500 State = 0x68cd38bb6ec421d51b0b4c1f6b1aa976 EAP-Message = 0x0209002b190017030100202573df7fb9bf03b8ccab9c0809819fe243d5fa88d1bb02e8da133f894de24698 Message-Authenticator = 0x40a32142c983f273e58599f32177233d # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "qatester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server { PEAP: Setting User-Name to qatester Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "qatester" State = 0x45767b5d447f612613612e72d3be89f8 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "qatester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry qatester at line 139 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel } # server inner-tunnel [peap] Got tunneled reply code 2 Session-Timeout = 20 Termination-Action = RADIUS-Request MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0xba82eb99732d9db96c70b08d7bdafddc MS-MPPE-Recv-Key = 0xb4088afb08704fb8ca64720c6fcbc77c EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "qatester" [peap] Got tunneled reply RADIUS code 2 Session-Timeout = 20 Termination-Action = RADIUS-Request MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0xba82eb99732d9db96c70b08d7bdafddc MS-MPPE-Recv-Key = 0xb4088afb08704fb8ca64720c6fcbc77c EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "qatester" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 73 to 192.168.0.159 port 4999 EAP-Message = 0x010a002b190017030100208045b3ae000c06c0abbe9948be6d301bd29b591b723b0edcd2a2d6e9c49c2558 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x68cd38bb6fc721d51b0b4c1f6b1aa976 Finished request 7. Going to the next request Waking up in 1.8 seconds. rad_recv: Access-Request packet from host 192.168.0.159 port 4999, id=74, length=154 Calling-Station-Id = "00-1A-6B-66-DD-7E" NAS-Port = 1 User-Name = "qatester" NAS-IP-Address = 192.168.0.159 Service-Type = Framed-User Framed-MTU = 1500 State = 0x68cd38bb6fc721d51b0b4c1f6b1aa976 EAP-Message = 0x020a002b190017030100202a8bde6d671d1e7f8012e74ef38a2dccefc668364f730701c793ced2e0f3736a Message-Authenticator = 0x5101b1681c2454098b702a833e4cdc7e # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "qatester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 74 to 192.168.0.159 port 4999 MS-MPPE-Recv-Key = 0x21bfe2d7387e3b7cbabb239220361ad29d9930221ad77fb58301d592f56b2fce MS-MPPE-Send-Key = 0x2a1c63b2a37cb6d46334461bf0bc561c90cf310e7f9d226e9b33b203975b274b EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "qatester" Finished request 8. Going to the next request Waking up in 1.3 seconds. Cleaning up request 0 ID 66 with timestamp +6 Cleaning up request 1 ID 67 with timestamp +6 Waking up in 0.5 seconds. Cleaning up request 2 ID 68 with timestamp +7 Waking up in 0.5 seconds. Cleaning up request 3 ID 69 with timestamp +7 Waking up in 0.4 seconds. Cleaning up request 4 ID 70 with timestamp +8 Waking up in 0.5 seconds. Cleaning up request 5 ID 71 with timestamp +8 Waking up in 0.5 seconds. Cleaning up request 6 ID 72 with timestamp +9 Waking up in 0.5 seconds. Cleaning up request 7 ID 73 with timestamp +9 Waking up in 0.5 seconds. Cleaning up request 8 ID 74 with timestamp +10 Ready to process requests. ############# Debug info Ends ################
From what I see above I do not think the Access-Accept message has the Session timeout attribute. What am I doing wrong?
Thanks, Vivek Umasuthan
On 12/01/11 16:33, Vivek Umasuthan wrote:
Hi All, I am testing 802.1x support on our platform and I'm having trouble figuring out how to include some attributes with Access-Accept. I read the 'users' file man page but could not get the answer.
You need to add the attribute in the "inner-tunnel" virtual server, and ensure you've set: use_tunneled_reply = yes ...in the "peap {}" section of "eap.conf"
Thanks for the reply.
use_tunneled_reply = yes ...in the "peap {}" section of "eap.conf"
I did this after you mentioned it. Just some more clarification...
You need to add the attribute in the "inner-tunnel" virtual server,
Do you mean I edit the 'inner-tunnel' file in /etc/freeradius/sites-available and add the attribute there? In there should it be added under "update outer.reply {}" section under "post-auth{}"? When I tried that, the server complains as shown below upon start.... /etc/freeradius/sites-enabled/inner-tunnel[340]: ERROR: Unknown vendor name in attribute name "Session-Timout" /etc/freeradius/sites-enabled/inner-tunnel[262]: Errors parsing post-auth section. Vivek Umasuthan
/etc/freeradius/sites-enabled/inner-tunnel[340]: ERROR: Unknown vendor name in attribute name "Session-Timout" /etc/freeradius/sites-enabled/inner-tunnel[262]: Errors parsing post-auth section.
Sorry there was a spelling mistake in the attribute as can be seen above. It works fine now. Let me try it out and see if its doing what I need. Thanks for the help. Vivek
On 01/12/2011 06:50 PM, Vivek Umasuthan wrote:
Thanks for the reply.
use_tunneled_reply = yes ...in the "peap {}" section of "eap.conf"
I did this after you mentioned it. Just some more clarification...
You need to add the attribute in the "inner-tunnel" virtual server,
Do you mean I edit the 'inner-tunnel' file in /etc/freeradius/sites-available and add the attribute there? In there should it be added under "update outer.reply {}" section under "post-auth{}"?
No. That's what "use_tunneled_reply" does. You just need to return the attributes to the inner request.
When I tried that, the server complains as shown below upon start....
/etc/freeradius/sites-enabled/inner-tunnel[340]: ERROR: Unknown vendor name in attribute name "Session-Timout"
Read what it says carefully... You've typo-ed "Timeout" as "Timout"
/etc/freeradius/sites-enabled/inner-tunnel[262]: Errors parsing post-auth section.
participants (2)
-
Phil Mayers -
Vivek Umasuthan