3.0.12 EAP-PEAP with OpenLDAP group membership and Packet-Src-IP-Address checking
Hi, we are running freeradius 3.0.12 which is authenticating against an openldap server with EAP PEAP MSCHAPv2 In future we want to enable VLAN assignment via LDAP so we want to use LDAP group membership comparison and combine it with Packet-Src-IP-Address checking. Users from LDAP group „Admins“ should be assigned to VLAN 10 (management) Users from LDAP group „Operators“ should be assigned to VLAN 20 (operator) Users from other LDAP groups „Group-X“ should be assigned to userspecific VLAN which is represented in the LDAP attribute „radiusTunnelPrivateGroupId“. With group membership and Packet-Src-IP-Address we want to authenticate users only if they try to connect from their *home POP*. What we have done: 1. according to Alan DeKoks suggestions here: http://lists.freeradius.org/pipermail/freeradius-users/2015-April/077171.htm... configured freeradius/mods-enabled/ldap „group“ section for group checking. In our case every LDAP user has an LDAP attribute 'gidNumber' which represents its group membership. group { base_dn = "${..base_dn}" groupmembership_attribute = 'gidNumber' } 2. configured /freeradius/users file # in LDAP: Admins gidNumber = 111, Operators gidNumber = 222, Users in POP1 gidNumber = 901 DEFAULT LDAP-Group == "111", Auth-Type = LDAP DEFAULT LDAP-Group == "222", Auth-Type = LDAP DEFAULT Packet-Src-IP-Address == 10.0.0.1, LDAP-Group == „901“, Auth-Type = LDAP ... DEFAULT Packet-Src-IP-Address == 10.0.0.15, LDAP-Group == „915“, Auth-Type = LDAP DEFAULT Auth-Type := Reject # 3. configured /freeradius/sites-enabled/default
no "ldap" in the "authorize" section so ldap gets commented here -> #ldap
be sure there's "Auth-Type LDAP" in the "authenticate" section so #Auth-Type LDAP { # ldap # } gets uncommented here -> Auth-Type LDAP { ldap }
4. configured /freeradius/sites-enabled/inner-tunnel authorize { ldap authenticate { #Auth-Type LDAP { # ldap # } Within testing the config seems to do what we desire. So my questions are: Is this implementation correct for our needs? Is there a more elegant way to implement it? Is it possible to reduce the LDAP queries exept from sorting the POP listing in users file? (there seems to be a change in 3.0.13 ?)
From my readings of the log I think authentication is done twice against the LDAP? Do you have other hints or suggestions?
Regards Moritz Ready to process requests (0) Received Access-Request Id 10 from 172.17.26.160:22492 to 172.17.28.67:1812 length 169 (0) User-Name = "Test-A" (0) NAS-Identifier = "44d9e7f96309" (0) NAS-Port = 0 (0) Called-Station-Id = "46-D9-E7-FA-63-09:SSID " (0) Calling-Station-Id = "60-A3-7D-2C-A2-19" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) EAP-Message = 0x02ab000b01546573742d41 (0) Message-Authenticator = 0x40ce940b690d606fe714b004361dc50d (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "Test-A", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 171 length 11 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: Flushing SSL sessions (of #0) (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 172 length 6 (0) eap: EAP session adding &reply:State = 0xe87b0b92e8d71203 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Sent Access-Challenge Id 10 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0 (0) EAP-Message = 0x01ac00061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xe87b0b92e8d7120391ed7d921e46c093 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 11 from 172.17.26.160:22492 to 172.17.28.67:1812 length 303 (1) User-Name = "Test-A" (1) NAS-Identifier = "44d9e7f96309" (1) NAS-Port = 0 (1) Called-Station-Id = "46-D9-E7-FA-63-09:SSID" (1) Calling-Station-Id = "60-A3-7D-2C-A2-19" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) EAP-Message = 0x02ac007f19800000007516030100700100006c030158765972f4d9369be37fc8bb9981e44d884bd092457985f8cfa9746c7e4a07de00002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b00020100000500050100000000 (1) State = 0xe87b0b92e8d7120391ed7d921e46c093 (1) Message-Authenticator = 0xc0e4bbed21698af0a845d633e7e1b98f (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "Test-A", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 172 length 127 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xe87b0b92e8d71203 (1) eap: Finished EAP session with state 0xe87b0b92e8d71203 (1) eap: Previous EAP request found for state 0xe87b0b92e8d71203, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 117 bytes (1) eap_peap: Got complete TLS record (117 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before/accept initialization (1) eap_peap: TLS_accept: before/accept initialization (1) eap_peap: <<< recv TLS 1.0 Handshake [length 0070], ClientHello (1) eap_peap: TLS_accept: SSLv3 read client hello A (1) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello (1) eap_peap: TLS_accept: SSLv3 write server hello A (1) eap_peap: >>> send TLS 1.0 Handshake [length 0973], Certificate (1) eap_peap: TLS_accept: SSLv3 write certificate A (1) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange (1) eap_peap: TLS_accept: SSLv3 write key exchange A (1) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap: TLS_accept: SSLv3 write server done A (1) eap_peap: TLS_accept: SSLv3 flush data (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A (1) eap_peap: In SSL Handshake Phase (1) eap_peap: In SSL Accept mode (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 173 length 1004 (1) eap: EAP session adding &reply:State = 0xe87b0b92e9d61203 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) Sent Access-Challenge Id 11 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0 (1) EAP-Message = 0x01ad03ec19c000000b2f160301005902000055030146df3e492a751185c5d2365a274915dd496ab3909cfa2b581b8e0f058d35413e20d8f7784bdabc1d0f47bfe939b6a8b6ecf01f2acae83ea6f7a5a1dcff7b869c5fc01400000dff01000100000b00040300010216030109730b00096f00096c0004e9 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xe87b0b92e9d6120391ed7d921e46c093 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 12 from 172.17.26.160:22492 to 172.17.28.67:1812 length 182 (2) User-Name = "Test-A" (2) NAS-Identifier = "44d9e7f96309" (2) NAS-Port = 0 (2) Called-Station-Id = "46-D9-E7-FA-63-09:SSID" (2) Calling-Station-Id = "60-A3-7D-2C-A2-19" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) EAP-Message = 0x02ad00061900 (2) State = 0xe87b0b92e9d6120391ed7d921e46c093 (2) Message-Authenticator = 0xce185ed0b264fb9f6d3d1be7d6991ed9 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "Test-A", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 173 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xe87b0b92e9d61203 (2) eap: Finished EAP session with state 0xe87b0b92e9d61203 (2) eap: Previous EAP request found for state 0xe87b0b92e9d61203, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer ACKed our handshake fragment (2) eap_peap: [eaptls verify] = request (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 174 length 1000 (2) eap: EAP session adding &reply:State = 0xe87b0b92ead51203 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) Sent Access-Challenge Id 12 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0 (2) EAP-Message = 0x01ae03e81940864886f70d0109011613696e666f4064732d6e6574776f726b732e6465311c301a0603550403131344532d6e6574776f726b7320526f6f7420434182010030130603551d25040c300a06082b06010505070301300b0603551d0f0404030205a0300d06092a864886f70d01010b05000382 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xe87b0b92ead5120391ed7d921e46c093 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 13 from 172.17.26.160:22492 to 172.17.28.67:1812 length 182 (3) User-Name = "Test-A" (3) NAS-Identifier = "44d9e7f96309" (3) NAS-Port = 0 (3) Called-Station-Id = "46-D9-E7-FA-63-09:SSID" (3) Calling-Station-Id = "60-A3-7D-2C-A2-19" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) EAP-Message = 0x02ae00061900 (3) State = 0xe87b0b92ead5120391ed7d921e46c093 (3) Message-Authenticator = 0xd445aca761a3735e0e685c2dcc8fa971 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "Test-A", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 174 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xe87b0b92ead51203 (3) eap: Finished EAP session with state 0xe87b0b92ead51203 (3) eap: Previous EAP request found for state 0xe87b0b92ead51203, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 175 length 881 (3) eap: EAP session adding &reply:State = 0xe87b0b92ebd41203 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) Sent Access-Challenge Id 13 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0 (3) EAP-Message = 0x01af03711900cd6b6a86ea145de10b316047370203010001a381e93081e6301d0603551d0e041604148cf1945262f33d0d656b8a1652dcfece15788e563081b60603551d230481ae3081ab80148cf1945262f33d0d656b8a1652dcfece15788e56a1818fa4818c308189310b3009060355040613024445 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xe87b0b92ebd4120391ed7d921e46c093 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 14 from 172.17.26.160:22492 to 172.17.28.67:1812 length 320 (4) User-Name = "Test-A" (4) NAS-Identifier = "44d9e7f96309" (4) NAS-Port = 0 (4) Called-Station-Id = "46-D9-E7-FA-63-09:SSID" (4) Calling-Station-Id = "60-A3-7D-2C-A2-19" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) EAP-Message = 0x02af0090198000000086160301004610000042410401cc455cf06611016d46d4588fdabcc9e63f1e6b14b1e4c3f8b2751c0877946e4c33f0e0d7d3e654085be67b994f906af4085c629f2bb6a42a6d4d2d76c3ed711403010001011603010030cae54345ff3c41b7b02f025f040509ce0debe78eeee8c1 (4) State = 0xe87b0b92ebd4120391ed7d921e46c093 (4) Message-Authenticator = 0x1c43bb71884d24ef2d421f8da92bb934 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "Test-A", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 175 length 144 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xe87b0b92ebd41203 (4) eap: Finished EAP session with state 0xe87b0b92ebd41203 (4) eap: Previous EAP request found for state 0xe87b0b92ebd41203, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 134 bytes (4) eap_peap: Got complete TLS record (134 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange (4) eap_peap: TLS_accept: SSLv3 read client key exchange A (4) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished (4) eap_peap: TLS_accept: SSLv3 read finished A (4) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap: TLS_accept: SSLv3 write change cipher spec A (4) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished (4) eap_peap: TLS_accept: SSLv3 write finished A (4) eap_peap: TLS_accept: SSLv3 flush data (4) eap_peap: (other): SSL negotiation finished successfully (4) eap_peap: SSL Connection Established (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 176 length 65 (4) eap: EAP session adding &reply:State = 0xe87b0b92eccb1203 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) Sent Access-Challenge Id 14 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0 (4) EAP-Message = 0x01b00041190014030100010116030100304aa51dcb700d63eea2551558c6204ef8229c47b635353d30613a28fe2d4422ca909b5f2d831e17bba1c7a51b659e7f23 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xe87b0b92eccb120391ed7d921e46c093 (4) Finished request Waking up in 4.8 seconds. (5) Received Access-Request Id 15 from 172.17.26.160:22492 to 172.17.28.67:1812 length 182 (5) User-Name = "Test-A" (5) NAS-Identifier = "44d9e7f96309" (5) NAS-Port = 0 (5) Called-Station-Id = "46-D9-E7-FA-63-09:SSID" (5) Calling-Station-Id = "60-A3-7D-2C-A2-19" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) EAP-Message = 0x02b000061900 (5) State = 0xe87b0b92eccb120391ed7d921e46c093 (5) Message-Authenticator = 0x8ab0a46258fcf64773c9b362e671f7ac (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "Test-A", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 176 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xe87b0b92eccb1203 (5) eap: Finished EAP session with state 0xe87b0b92eccb1203 (5) eap: Previous EAP request found for state 0xe87b0b92eccb1203, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer ACKed our handshake fragment. handshake is finished (5) eap_peap: [eaptls verify] = success (5) eap_peap: [eaptls process] = success (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state TUNNEL ESTABLISHED (5) eap: Sending EAP Request (code 1) ID 177 length 43 (5) eap: EAP session adding &reply:State = 0xe87b0b92edca1203 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) Sent Access-Challenge Id 15 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0 (5) EAP-Message = 0x01b1002b19001703010020550050cf49a4170b4a5068088207c5f2a56e3f68e382a25e59ab3e8996402ab4 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xe87b0b92edca120391ed7d921e46c093 (5) Finished request Waking up in 4.8 seconds. (6) Received Access-Request Id 16 from 172.17.26.160:22492 to 172.17.28.67:1812 length 219 (6) User-Name = "Test-A" (6) NAS-Identifier = "44d9e7f96309" (6) NAS-Port = 0 (6) Called-Station-Id = "46-D9-E7-FA-63-09:SSID" (6) Calling-Station-Id = "60-A3-7D-2C-A2-19" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Connect-Info = "CONNECT 0Mbps 802.11b" (6) EAP-Message = 0x02b1002b19001703010020b565bc67f5cc3d10ece5c5da4177ef58267599d6b64681980823dbb0c1808b85 (6) State = 0xe87b0b92edca120391ed7d921e46c093 (6) Message-Authenticator = 0x714328f5012221ee7cdeab6006a4d7cc (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "Test-A", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 177 length 43 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0xe87b0b92edca1203 (6) eap: Finished EAP session with state 0xe87b0b92edca1203 (6) eap: Previous EAP request found for state 0xe87b0b92edca1203, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY (6) eap_peap: Identity - Test-A (6) eap_peap: Got inner identity 'Test-A' (6) eap_peap: Setting default EAP type for tunneled EAP session (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x02b1000b01546573742d41 (6) eap_peap: Setting User-Name to Test-A (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x02b1000b01546573742d41 (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "Test-A" (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x02b1000b01546573742d41 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "Test-A" (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "Test-A", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 177 length 11 (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Peer sent packet with method EAP Identity (1) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: Issuing Challenge (6) eap: Sending EAP Request (code 1) ID 178 length 43 (6) eap: EAP session adding &reply:State = 0xec7a3beaecc821b2 (6) [eap] = handled (6) } # authenticate = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) EAP-Message = 0x01b2002b1a01b2002610b6b7394c705a6ea01ef745eb87cbbf15667265657261646975732d332e302e3132 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xec7a3beaecc821b29dbc50eda2d30e1d (6) eap_peap: Got tunneled reply code 11 (6) eap_peap: EAP-Message = 0x01b2002b1a01b2002610b6b7394c705a6ea01ef745eb87cbbf15667265657261646975732d332e302e3132 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0xec7a3beaecc821b29dbc50eda2d30e1d (6) eap_peap: Got tunneled reply RADIUS code 11 (6) eap_peap: EAP-Message = 0x01b2002b1a01b2002610b6b7394c705a6ea01ef745eb87cbbf15667265657261646975732d332e302e3132 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0xec7a3beaecc821b29dbc50eda2d30e1d (6) eap_peap: Got tunneled Access-Challenge (6) eap: Sending EAP Request (code 1) ID 178 length 75 (6) eap: EAP session adding &reply:State = 0xe87b0b92eec91203 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) Sent Access-Challenge Id 16 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0 (6) EAP-Message = 0x01b2004b19001703010040f6b8b1f8f68b3a43e03787d98680f81264a9a22945668477cd66d5742465b9b441aa72d6644170ed5baf4259d26fbaec1b1d82c2b7646a93bfe36d5fd569aa87 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xe87b0b92eec9120391ed7d921e46c093 (6) Finished request Waking up in 4.8 seconds. (7) Received Access-Request Id 17 from 172.17.26.160:22492 to 172.17.28.67:1812 length 283 (7) User-Name = "Test-A" (7) NAS-Identifier = "44d9e7f96309" (7) NAS-Port = 0 (7) Called-Station-Id = "46-D9-E7-FA-63-09:SSID" (7) Calling-Station-Id = "60-A3-7D-2C-A2-19" (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) EAP-Message = 0x02b2006b190017030100601be51d9a2c77ae2394716398c49829473527d582098388162a81d1816ffafebc692107a6083e06185c246a89e24dea141fe8b20fb1c70b88099c634417747fa15ab632014b1726a3c0ddb10ea805bdd74ee5adac6a731cd2a77215192fad8024 (7) State = 0xe87b0b92eec9120391ed7d921e46c093 (7) Message-Authenticator = 0x93493329818005c84c715c4ba53ffd49 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "Test-A", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 178 length 107 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0xec7a3beaecc821b2 (7) eap: Finished EAP session with state 0xe87b0b92eec91203 (7) eap: Previous EAP request found for state 0xe87b0b92eec91203, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP method MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x02b200411a02b2003c314986e0f6871925a9900996f50368b8c30000000000000000170156e0b81df447dc98761a094eec647dbcdb8bfd2a54cc00546573742d41 (7) eap_peap: Setting User-Name to Test-A (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x02b200411a02b2003c314986e0f6871925a9900996f50368b8c30000000000000000170156e0b81df447dc98761a094eec647dbcdb8bfd2a54cc00546573742d41 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "Test-A" (7) eap_peap: State = 0xec7a3beaecc821b29dbc50eda2d30e1d (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x02b200411a02b2003c314986e0f6871925a9900996f50368b8c30000000000000000170156e0b81df447dc98761a094eec647dbcdb8bfd2a54cc00546573742d41 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "Test-A" (7) State = 0xec7a3beaecc821b29dbc50eda2d30e1d (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "Test-A", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 178 length 65 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) files: Searching for user in group "601" rlm_ldap (ldap): Reserved connection (0) (7) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (7) files: --> (uid=Test-A) (7) files: Performing search in "cn=users,dc=domain,dc=de" with filter "(uid=Test-A)", scope "sub" (7) files: Waiting for search result... (7) files: User object found at DN "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de" (7) files: Checking user object's gidNumber attributes (7) files: Performing unfiltered search in "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de", scope "base" (7) files: Waiting for search result... (7) files: Processing gidNumber value "601" as a group name (7) files: User found in group "601". Comparison between membership: name, check: name rlm_ldap (ldap): Released connection (0) rlm_ldap (ldap): Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.domain.de:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (7) files: users: Matched entry DEFAULT at line 93 (7) [files] = ok rlm_ldap (ldap): Reserved connection (1) (7) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (7) ldap: --> (uid=Test-A) (7) ldap: Performing search in "cn=users,dc=domain,dc=de" with filter "(uid=Test-A)", scope "sub" (7) ldap: Waiting for search result... (7) ldap: User object found at DN "uid=Test-A,cn=Admins,cn=users,dc=domains,dc=de" (7) ldap: Processing user attributes (7) ldap: control:Password-With-Header += 'passwd' (7) ldap: reply:Tunnel-Type := VLAN (7) ldap: reply:Tunnel-Medium-Type := IEEE-802 (7) ldap: reply:Tunnel-Private-Group-ID := '1006' rlm_ldap (ldap): Released connection (1) (7) [ldap] = updated (7) [expiration] = noop (7) [logintime] = noop (7) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (7) pap: Removing &control:Password-With-Header (7) pap: WARNING: Auth-Type already set. Not setting to PAP (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0xec7a3beaecc821b2 (7) eap: Finished EAP session with state 0xec7a3beaecc821b2 (7) eap: Previous EAP request found for state 0xec7a3beaecc821b2, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) eap_mschapv2: authenticate { (7) mschap: Found Cleartext-Password, hashing to create NT-Password (7) mschap: Found Cleartext-Password, hashing to create LM-Password (7) mschap: Creating challenge hash with username: Test-A (7) mschap: Client is using MS-CHAPv2 (7) mschap: Adding MS-CHAPv2 MPPE keys (7) [mschap] = ok (7) } # authenticate = ok (7) MSCHAP Success (7) eap: Sending EAP Request (code 1) ID 179 length 51 (7) eap: EAP session adding &reply:State = 0xec7a3beaedc921b2 (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) Tunnel-Type := VLAN (7) Tunnel-Medium-Type := IEEE-802 (7) Tunnel-Private-Group-Id := "1006" (7) EAP-Message = 0x01b300331a03b2002e533d30434644454436304345463344454633424543313439333738343531463242413030313242463032 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xec7a3beaedc921b29dbc50eda2d30e1d (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: Tunnel-Type := VLAN (7) eap_peap: Tunnel-Medium-Type := IEEE-802 (7) eap_peap: Tunnel-Private-Group-Id := "1006" (7) eap_peap: EAP-Message = 0x01b300331a03b2002e533d30434644454436304345463344454633424543313439333738343531463242413030313242463032 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xec7a3beaedc921b29dbc50eda2d30e1d (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: Tunnel-Type := VLAN (7) eap_peap: Tunnel-Medium-Type := IEEE-802 (7) eap_peap: Tunnel-Private-Group-Id := "1006" (7) eap_peap: EAP-Message = 0x01b300331a03b2002e533d30434644454436304345463344454633424543313439333738343531463242413030313242463032 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xec7a3beaedc921b29dbc50eda2d30e1d (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 179 length 91 (7) eap: EAP session adding &reply:State = 0xe87b0b92efc81203 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) Sent Access-Challenge Id 17 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0 (7) EAP-Message = 0x01b3005b1900170301005085e76d76b7fd26ed339a2318366b5864e8da7bdf59ac3951a290d8098cd8ec1a1ee437eae651d55ef8440cc22c9f96f4a8cd676bea605c88b03571e8edc7cb94b8788a01842aa082aa9429c7640a8d3c (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xe87b0b92efc8120391ed7d921e46c093 (7) Finished request Waking up in 4.6 seconds. (8) Received Access-Request Id 18 from 172.17.26.160:22492 to 172.17.28.67:1812 length 219 (8) User-Name = "Test-A" (8) NAS-Identifier = "44d9e7f96309" (8) NAS-Port = 0 (8) Called-Station-Id = "46-D9-E7-FA-63-09:SSID" (8) Calling-Station-Id = "60-A3-7D-2C-A2-19" (8) Framed-MTU = 1400 (8) NAS-Port-Type = Wireless-802.11 (8) Connect-Info = "CONNECT 0Mbps 802.11b" (8) EAP-Message = 0x02b3002b190017030100204c0ba5e15af0320dd9bdd0045a3219ec189d7f5989cd57eece0e8988224b22b8 (8) State = 0xe87b0b92efc8120391ed7d921e46c093 (8) Message-Authenticator = 0x1a853cc4e2cdbee13432326a5dd503b5 (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "Test-A", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 179 length 43 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0xec7a3beaedc921b2 (8) eap: Finished EAP session with state 0xe87b0b92efc81203 (8) eap: Previous EAP request found for state 0xe87b0b92efc81203, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x02b300061a03 (8) eap_peap: Setting User-Name to Test-A (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x02b300061a03 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "Test-A" (8) eap_peap: State = 0xec7a3beaedc921b29dbc50eda2d30e1d (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x02b300061a03 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "Test-A" (8) State = 0xec7a3beaedc921b29dbc50eda2d30e1d (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "Test-A", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 179 length 6 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) files: Searching for user in group "601" rlm_ldap (ldap): Reserved connection (2) (8) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) files: --> (uid=Test-A) (8) files: Performing search in "cn=users,dc=domain,dc=de" with filter "(uid=Test-A)", scope "sub" (8) files: Waiting for search result... (8) files: User object found at DN "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de" (8) files: Checking user object's gidNumber attributes (8) files: Performing unfiltered search in "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de", scope "base" (8) files: Waiting for search result... (8) files: Processing gidNumber value "601" as a group name (8) files: User found in group "601". Comparison between membership: name, check: name rlm_ldap (ldap): Released connection (2) rlm_ldap (ldap): Need 4 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.domain.de:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (8) files: users: Matched entry DEFAULT at line 93 (8) [files] = ok rlm_ldap (ldap): Reserved connection (3) (8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (uid=Test-A) (8) ldap: Performing search in "cn=users,dc=domain,dc=de" with filter "(uid=Test-A)", scope "sub" (8) ldap: Waiting for search result... (8) ldap: User object found at DN "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de" (8) ldap: Processing user attributes (8) ldap: control:Password-With-Header += 'passwd' (8) ldap: reply:Tunnel-Type := VLAN (8) ldap: reply:Tunnel-Medium-Type := IEEE-802 (8) ldap: reply:Tunnel-Private-Group-ID := '1006' rlm_ldap (ldap): Released connection (3) (8) [ldap] = updated (8) [expiration] = noop (8) [logintime] = noop (8) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (8) pap: Removing &control:Password-With-Header (8) pap: WARNING: Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0xec7a3beaedc921b2 (8) eap: Finished EAP session with state 0xec7a3beaedc921b2 (8) eap: Previous EAP request found for state 0xec7a3beaedc921b2, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap: Sending EAP Success (code 3) ID 179 length 4 (8) eap: Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel (8) post-auth { (8) update { (8) &outer.session-state::Tunnel-Type += &reply:Tunnel-Type[*] -> VLAN (8) &outer.session-state::Tunnel-Medium-Type += &reply:Tunnel-Medium-Type[*] -> IEEE-802 (8) &outer.session-state::Tunnel-Private-Group-Id += &reply:Tunnel-Private-Group-Id[*] -> '1006' (8) &outer.session-state::MS-MPPE-Encryption-Policy += &reply:MS-MPPE-Encryption-Policy[*] -> Encryption-Allowed (8) &outer.session-state::MS-MPPE-Encryption-Types += &reply:MS-MPPE-Encryption-Types[*] -> RC4-40or128-bit-Allowed (8) &outer.session-state::MS-MPPE-Send-Key += &reply:MS-MPPE-Send-Key[*] -> 0xa850facd73abb0940518b842f0da51a0 (8) &outer.session-state::MS-MPPE-Recv-Key += &reply:MS-MPPE-Recv-Key[*] -> 0x171b0a416b36492d6c7389dd24ca27a2 (8) &outer.session-state::EAP-Message += &reply:EAP-Message[*] -> 0x03b30004 (8) &outer.session-state::Message-Authenticator += &reply:Message-Authenticator[*] -> 0x00000000000000000000000000000000 (8) &outer.session-state::User-Name += &reply:User-Name[*] -> 'Test-A' (8) } # update = noop (8) update outer.session-state { (8) MS-MPPE-Encryption-Policy !* ANY (8) MS-MPPE-Encryption-Types !* ANY (8) MS-MPPE-Send-Key !* ANY (8) MS-MPPE-Recv-Key !* ANY (8) Message-Authenticator !* ANY (8) EAP-Message !* ANY (8) Proxy-State !* ANY (8) } # update outer.session-state = noop (8) } # post-auth = noop (8) } # server inner-tunnel (8) Virtual server sending reply (8) Tunnel-Type := VLAN (8) Tunnel-Medium-Type := IEEE-802 (8) Tunnel-Private-Group-Id := "1006" (8) MS-MPPE-Encryption-Policy = Encryption-Allowed (8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) MS-MPPE-Send-Key = 0xa850facd73abb0940518b842f0da51a0 (8) MS-MPPE-Recv-Key = 0x171b0a416b36492d6c7389dd24ca27a2 (8) EAP-Message = 0x03b30004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) User-Name = "Test-A" (8) eap_peap: Got tunneled reply code 2 (8) eap_peap: Tunnel-Type := VLAN (8) eap_peap: Tunnel-Medium-Type := IEEE-802 (8) eap_peap: Tunnel-Private-Group-Id := "1006" (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) eap_peap: MS-MPPE-Send-Key = 0xa850facd73abb0940518b842f0da51a0 (8) eap_peap: MS-MPPE-Recv-Key = 0x171b0a416b36492d6c7389dd24ca27a2 (8) eap_peap: EAP-Message = 0x03b30004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: User-Name = "Test-A" (8) eap_peap: Got tunneled reply RADIUS code 2 (8) eap_peap: Tunnel-Type := VLAN (8) eap_peap: Tunnel-Medium-Type := IEEE-802 (8) eap_peap: Tunnel-Private-Group-Id := "1006" (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) eap_peap: MS-MPPE-Send-Key = 0xa850facd73abb0940518b842f0da51a0 (8) eap_peap: MS-MPPE-Recv-Key = 0x171b0a416b36492d6c7389dd24ca27a2 (8) eap_peap: EAP-Message = 0x03b30004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: User-Name = "Test-A" (8) eap_peap: Tunneled authentication was successful (8) eap_peap: SUCCESS (8) eap: Sending EAP Request (code 1) ID 180 length 43 (8) eap: EAP session adding &reply:State = 0xe87b0b92e0cf1203 (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) session-state: Saving cached attributes (8) Tunnel-Type += VLAN (8) Tunnel-Medium-Type += IEEE-802 (8) Tunnel-Private-Group-Id += "1006" (8) User-Name += "Test-A" (8) Sent Access-Challenge Id 18 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0 (8) EAP-Message = 0x01b4002b1900170301002043738395e9d352c0a39ba3320922dcad449fea594061a41e682dd8d7c80a8183 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xe87b0b92e0cf120391ed7d921e46c093 (8) Finished request Waking up in 4.3 seconds. (9) Received Access-Request Id 19 from 172.17.26.160:22492 to 172.17.28.67:1812 length 219 (9) User-Name = "Test-A" (9) NAS-Identifier = "44d9e7f96309" (9) NAS-Port = 0 (9) Called-Station-Id = "46-D9-E7-FA-63-09:SSID" (9) Calling-Station-Id = "60-A3-7D-2C-A2-19" (9) Framed-MTU = 1400 (9) NAS-Port-Type = Wireless-802.11 (9) Connect-Info = "CONNECT 0Mbps 802.11b" (9) EAP-Message = 0x02b4002b190017030100207ef889c7d2622aacff178bc6c0873a2cebf20cdc694dc5d78309a6ea8d241204 (9) State = 0xe87b0b92e0cf120391ed7d921e46c093 (9) Message-Authenticator = 0x6a57e6e906d2f5c42685efd242e96e00 (9) Restoring &session-state (9) &session-state:Tunnel-Type += VLAN (9) &session-state:Tunnel-Medium-Type += IEEE-802 (9) &session-state:Tunnel-Private-Group-Id += "1006" (9) &session-state:User-Name += "Test-A" (9) # Executing section authorize from file /etc/freeradius/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "Test-A", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 180 length 43 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0xe87b0b92e0cf1203 (9) eap: Finished EAP session with state 0xe87b0b92e0cf1203 (9) eap: Previous EAP request found for state 0xe87b0b92e0cf1203, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv success (9) eap_peap: Received EAP-TLV response (9) eap_peap: Success (9) eap_peap: No information to cache: session caching will be disabled for session d8f7784bdabc1d0f47bfe939b6a8b6ecf01f2acae83ea6f7a5a1dcff7b869c5f (9) eap: Sending EAP Success (code 3) ID 180 length 4 (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (9) post-auth { (9) update { (9) &reply::Tunnel-Type += &session-state:Tunnel-Type[*] -> VLAN (9) &reply::Tunnel-Medium-Type += &session-state:Tunnel-Medium-Type[*] -> IEEE-802 (9) &reply::Tunnel-Private-Group-Id += &session-state:Tunnel-Private-Group-Id[*] -> '1006' (9) &reply::User-Name += &session-state:User-Name[*] -> 'Test-A' (9) } # update = noop (9) [exec] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # post-auth = noop (9) Sent Access-Accept Id 19 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0 (9) MS-MPPE-Recv-Key = 0x494d4c1a1c11447875b167dffa41b23d04f888ca430351f2e79ae0a2a5d66cf4 (9) MS-MPPE-Send-Key = 0x76c071086f956bbf8bbd0e5aed6f552fa1df2caec39e8ea47448042dbad7ec73 (9) EAP-Message = 0x03b40004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) User-Name = "Test-A" (9) Tunnel-Type += VLAN (9) Tunnel-Medium-Type += IEEE-802 (9) Tunnel-Private-Group-Id += "1006" (9) User-Name += "Test-A" (9) Finished request
On Jan 11, 2017, at 12:05 PM, Staiger, Moritz (RRZE) <moritz.staiger@fau.de> wrote:
we are running freeradius 3.0.12 which is authenticating against an openldap server with EAP PEAP MSCHAPv2
OK...
In future we want to enable VLAN assignment via LDAP so we want to use LDAP group membership comparison and combine it with Packet-Src-IP-Address checking.
Users from LDAP group „Admins“ should be assigned to VLAN 10 (management) Users from LDAP group „Operators“ should be assigned to VLAN 20 (operator) Users from other LDAP groups „Group-X“ should be assigned to userspecific VLAN which is represented in the LDAP attribute „radiusTunnelPrivateGroupId“.
With group membership and Packet-Src-IP-Address we want to authenticate users only if they try to connect from their *home POP*.
That's all easy enough to do.
What we have done:
1. according to Alan DeKoks suggestions here: http://lists.freeradius.org/pipermail/freeradius-users/2015-April/077171.htm... configured freeradius/mods-enabled/ldap „group“ section for group checking. In our case every LDAP user has an LDAP attribute 'gidNumber' which represents its group membership.
group { base_dn = "${..base_dn}" groupmembership_attribute = 'gidNumber' }
2. configured /freeradius/users file
# in LDAP: Admins gidNumber = 111, Operators gidNumber = 222, Users in POP1 gidNumber = 901 DEFAULT LDAP-Group == "111", Auth-Type = LDAP DEFAULT LDAP-Group == "222", Auth-Type = LDAP DEFAULT Packet-Src-IP-Address == 10.0.0.1, LDAP-Group == „901“, Auth-Type = LDAP ... DEFAULT Packet-Src-IP-Address == 10.0.0.15, LDAP-Group == „915“, Auth-Type = LDAP DEFAULT Auth-Type := Reject
No, don't do that. Setting Auth-Type is wrong and unnecessary. FreeRADIUS will reject people who aren't authenticated.
#
3. configured /freeradius/sites-enabled/default
no "ldap" in the "authorize" section so ldap gets commented here -> #ldap
be sure there's "Auth-Type LDAP" in the "authenticate" section so #Auth-Type LDAP { # ldap # } gets uncommented here -> Auth-Type LDAP { ldap }
That's the *outer* tunnel. Not the inner MS-CHAP. You don't need this here.
4. configured /freeradius/sites-enabled/inner-tunnel
authorize { ldap
authenticate { #Auth-Type LDAP { # ldap # }
You don't need to do this, either.
Within testing the config seems to do what we desire.
I'm not sure why
So my questions are:
Is this implementation correct for our needs?
If it works, perhaps.
Is there a more elegant way to implement it?
Yes.
Is it possible to reduce the LDAP queries exept from sorting the POP listing in users file? (there seems to be a change in 3.0.13 ?)
FreeRADIUS v3 caches LDAP group membership. So it should already do the minimal LDAP queries.
(8) update { (8) &outer.session-state::Tunnel-Type += &reply:Tunnel-Type[*] -> VLAN (8) &outer.session-state::Tunnel-Medium-Type += &reply:Tunnel-Medium-Type[*] -> IEEE-802 (8) &outer.session-state::Tunnel-Private-Group-Id += &reply:Tunnel-Private-Group-Id[*] -> '1006' (8) &outer.session-state::MS-MPPE-Encryption-Policy += &reply:MS-MPPE-Encryption-Policy[*] -> Encryption-Allowed (8) &outer.session-state::MS-MPPE-Encryption-Types += &reply:MS-MPPE-Encryption-Types[*] -> RC4-40or128-bit-Allowed (8) &outer.session-state::MS-MPPE-Send-Key += &reply:MS-MPPE-Send-Key[*] -> 0xa850facd73abb0940518b842f0da51a0 (8) &outer.session-state::MS-MPPE-Recv-Key += &reply:MS-MPPE-Recv-Key[*] -> 0x171b0a416b36492d6c7389dd24ca27a2 (8) &outer.session-state::EAP-Message += &reply:EAP-Message[*] -> 0x03b30004 (8) &outer.session-state::Message-Authenticator += &reply:Message-Authenticator[*] -> 0x00000000000000000000000000000000 (8) &outer.session-state::User-Name += &reply:User-Name[*] -> 'Test-A'
Don't cache MS-MPPE-Send-Key, MS-MPPE-Recv-Key, EAP-Message, or Message-Authenticator. If you read the debug output, you'll see that they are deleted immediately afterwards.
From my readings of the log I think authentication is done twice against the LDAP? Do you have other hints or suggestions?
Put all of the policies into the "inner-tunnel" virtual server. Delete the "users" file entries. Don't set "Auth-Type = LDAP". Separate the authentication rules from the VLAN policies. in "inner-tunnel" virtual server, "authorize" section: if ((&LDAP-Group == "901") && (Packet-Src-IP-Address != 10.0.0.1)) { reject } ... do the same for other LDAP groups and Packet-Src-IP-Address ... in "inner-tunnel" virtual server, "post-auth" section: if (&LDAP-Group == "admin") { ... assign VLAN 10 ... } else if (&LDAP-Group == "Operators") { ... assign VLAN 20 ... } # else VLAN is assigned from radiusTunnelPrivateGroupId update { &outer.session-state::Tunnel-Type += &reply:Tunnel-Type[*] &outer.session-state::Tunnel-Medium-Type += &reply:Tunnel-Medium-Type[*] &outer.session-state::Tunnel-Private-Group-Id += &reply:Tunnel-Private-Group-Id[*] outer.session-state::User-Name += &reply:User-Name[*] } in "default" virtual server, "post-auth" section: ] update { &reply::Tunnel-Type += &session-state:Tunnel-Type[*] &reply::Tunnel-Medium-Type += &session-state:Tunnel-Medium-Type[*] &reply::Tunnel-Private-Group-Id += &session-state:Tunnel-Private-Group-Id[*] &reply::User-Name += &session-state:User-Name[*] } That should be pretty simple, and should work. Alan DeKok.
Hello, thanks for the replys and hints! I wanted to reach back to document for others and ask further questions. Am 11.01.17 um 19:03 schrieb Alan DeKok:
On Jan 11, 2017, at 12:05 PM, Staiger, Moritz (RRZE) <moritz.staiger@fau.de> wrote:
Do you have other hints or suggestions?
Put all of the policies into the "inner-tunnel" virtual server. Delete the "users" file entries. Don't set "Auth-Type = LDAP". Separate the authentication rules from the VLAN policies.
in "inner-tunnel" virtual server, "authorize" section:
if ((&LDAP-Group == "901") && (Packet-Src-IP-Address != 10.0.0.1)) { reject } ... do the same for other LDAP groups and Packet-Src-IP-Address ...
Ok that works.
in "inner-tunnel" virtual server, "post-auth" section:
if (&LDAP-Group == "admin") { ... assign VLAN 10 ... } else if (&LDAP-Group == "Operators") { ... assign VLAN 20 ... } # else VLAN is assigned from radiusTunnelPrivateGroupId
update { &outer.session-state::Tunnel-Type += &reply:Tunnel-Type[*] &outer.session-state::Tunnel-Medium-Type += &reply:Tunnel-Medium-Type[*] &outer.session-state::Tunnel-Private-Group-Id += &reply:Tunnel-Private-Group-Id[*] outer.session-state::User-Name += &reply:User-Name[*] }
I have implemented it like this (changed :: to : and += to := to replace the attribute) # LDAP group Admins if (&LDAP-Group == "admin") { update { &outer.session-state:Tunnel-Type := 13 &outer.session-state:Tunnel-Medium-Type := 6 &outer.session-state:Tunnel-Private-Group-Id := "10" &outer.session-state:User-Name := User-Name[*] } } # LDAP group Operators elsif (&LDAP-Group == "operators") { update { &outer.session-state:Tunnel-Type := 13 &outer.session-state:Tunnel-Medium-Type := 6 &outer.session-state:Tunnel-Private-Group-Id := "20" &outer.session-state:User-Name := User-Name[*] } } # else VLAN is assigned from radiusTunnelPrivateGroupId in LDAP update { &outer.session-state:Tunnel-Type := Tunnel-Type[*] &outer.session-state:Tunnel-Medium-Type := Tunnel-Medium-Type[*] &outer.session-state:Tunnel-Private-Group-Id := Tunnel-Private-Group-Id[*] &outer.session-state:User-Name := User-Name[*] }
in "default" virtual server, "post-auth" section: ] update { &reply::Tunnel-Type += &session-state:Tunnel-Type[*] &reply::Tunnel-Medium-Type += &session-state:Tunnel-Medium-Type[*] &reply::Tunnel-Private-Group-Id += &session-state:Tunnel-Private-Group-Id[*] &reply::User-Name += &session-state:User-Name[*] }
I had implemented this and got multiple replys (so I removed it): (19) Sent Access-Accept Id 52 from 172.17.27.78:1812 to 172.17.26.160:21085 length 0 (19) MS-MPPE-Recv-Key = 0xc408a678d27fc369bb16c3488131ae65a112f72a6f71d79273fb55212ae72e6f (19) MS-MPPE-Send-Key = 0x799b7d7c2ce08a059749af83bdd50777aa981f3b79ce4638df618b70866e9d0c (19) EAP-Message = 0x03470004 (19) Message-Authenticator = 0x00000000000000000000000000000000 (19) User-Name = "test-a" (19) Tunnel-Type += VLAN (19) Tunnel-Medium-Type += IEEE-802 (19) Tunnel-Private-Group-Id += "481" (19) User-Name += "test-a" (19) Tunnel-Type += VLAN (19) Tunnel-Medium-Type += IEEE-802 (19) User-Name += "test-a" (19) Finished request The current output is this and I think it works so far but I can't find where the last User-Name += "test-a" in Access Accept comes from. Any other hints are welcome! Ready to process requests (0) Received Access-Request Id 172 from 172.17.26.160:43297 to 172.17.27.78:1812 length 164 (0) User-Name = "test-a" (0) NAS-Identifier = "44d9e7f96309" (0) NAS-Port = 0 (0) Called-Station-Id = "44-D9-E7-FA-63-09:test-rad-a1" (0) Calling-Station-Id = "60-A3-7D-2C-A2-19" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) EAP-Message = 0x02fd000b01746573742d61 (0) Message-Authenticator = 0xfc2e333af8adf8d61ff84782e34c3869 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "test-a", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 253 length 11 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: Flushing SSL sessions (of #0) (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 254 length 6 (0) eap: EAP session adding &reply:State = 0x9e07ab319ef9b214 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Sent Access-Challenge Id 172 from 172.17.27.78:1812 to 172.17.26.160:43297 length 0 (0) EAP-Message = 0x01fe00061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x9e07ab319ef9b2147db0651e6ba99830 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 173 from 172.17.26.160:43297 to 172.17.27.78:1812 length 298 (1) User-Name = "test-a" (1) NAS-Identifier = "44d9e7f96309" (1) NAS-Port = 0 (1) Called-Station-Id = "44-D9-E7-FA-63-09:test-rad-a1" (1) Calling-Station-Id = "60-A3-7D-2C-A2-19" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) EAP-Message = 0x02fe007f19800000007516030100700100006c0301588c58cd99b33ba73b9586ef356ab0961c31db61e069c4dc9afde8f514bbdef200002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b00020100000500050100000000 (1) State = 0x9e07ab319ef9b2147db0651e6ba99830 (1) Message-Authenticator = 0xa08f82b193165307e7621062607349f4 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "test-a", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 254 length 127 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x9e07ab319ef9b214 (1) eap: Finished EAP session with state 0x9e07ab319ef9b214 (1) eap: Previous EAP request found for state 0x9e07ab319ef9b214, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 117 bytes (1) eap_peap: Got complete TLS record (117 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before/accept initialization (1) eap_peap: TLS_accept: before/accept initialization (1) eap_peap: <<< recv TLS 1.0 Handshake [length 0070], ClientHello (1) eap_peap: TLS_accept: SSLv3 read client hello A (1) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello (1) eap_peap: TLS_accept: SSLv3 write server hello A (1) eap_peap: >>> send TLS 1.0 Handshake [length 0973], Certificate (1) eap_peap: TLS_accept: SSLv3 write certificate A (1) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange (1) eap_peap: TLS_accept: SSLv3 write key exchange A (1) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap: TLS_accept: SSLv3 write server done A (1) eap_peap: TLS_accept: SSLv3 flush data (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A (1) eap_peap: In SSL Handshake Phase (1) eap_peap: In SSL Accept mode (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 255 length 1004 (1) eap: EAP session adding &reply:State = 0x9e07ab319ff8b214 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) Sent Access-Challenge Id 173 from 172.17.27.78:1812 to 172.17.26.160:43297 length 0 (1) EAP-Message = 0x01ff03ec19c000000b2f16030100590200005503011a930dd22b7f13caf6b38eb87a81d3381a406c102872d07740657decbb3cb52d2046f9d2817aaeb9ce63792258fec8297b8df858ae69e871e406934c04f0bb5293c01400000dff01000100000b00040300010216030109730b00096f00096c0004e9 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x9e07ab319ff8b2147db0651e6ba99830 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 174 from 172.17.26.160:43297 to 172.17.27.78:1812 length 177 (2) User-Name = "test-a" (2) NAS-Identifier = "44d9e7f96309" (2) NAS-Port = 0 (2) Called-Station-Id = "44-D9-E7-FA-63-09:test-rad-a1" (2) Calling-Station-Id = "60-A3-7D-2C-A2-19" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) EAP-Message = 0x02ff00061900 (2) State = 0x9e07ab319ff8b2147db0651e6ba99830 (2) Message-Authenticator = 0xc29e7499a7a02ba81bbd3ea99586b99e (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "test-a", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 255 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x9e07ab319ff8b214 (2) eap: Finished EAP session with state 0x9e07ab319ff8b214 (2) eap: Previous EAP request found for state 0x9e07ab319ff8b214, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer ACKed our handshake fragment (2) eap_peap: [eaptls verify] = request (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 0 length 1000 (2) eap: EAP session adding &reply:State = 0x9e07ab319c07b214 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) Sent Access-Challenge Id 174 from 172.17.27.78:1812 to 172.17.26.160:43297 length 0 (2) EAP-Message = 0x010003e81940864886f70d0109011613696e666f4064732d6e6574776f726b732e6465311c301a0603550403131344532d6e6574776f726b7320526f6f7420434182010030130603551d25040c300a06082b06010505070301300b0603551d0f0404030205a0300d06092a864886f70d01010b05000382 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x9e07ab319c07b2147db0651e6ba99830 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 175 from 172.17.26.160:43297 to 172.17.27.78:1812 length 177 (3) User-Name = "test-a" (3) NAS-Identifier = "44d9e7f96309" (3) NAS-Port = 0 (3) Called-Station-Id = "44-D9-E7-FA-63-09:test-rad-a1" (3) Calling-Station-Id = "60-A3-7D-2C-A2-19" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) EAP-Message = 0x020000061900 (3) State = 0x9e07ab319c07b2147db0651e6ba99830 (3) Message-Authenticator = 0x017fcea8b7fae5108d01a9c72b4cf0bd (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "test-a", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 0 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x9e07ab319c07b214 (3) eap: Finished EAP session with state 0x9e07ab319c07b214 (3) eap: Previous EAP request found for state 0x9e07ab319c07b214, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 1 length 881 (3) eap: EAP session adding &reply:State = 0x9e07ab319d06b214 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) Sent Access-Challenge Id 175 from 172.17.27.78:1812 to 172.17.26.160:43297 length 0 (3) EAP-Message = 0x010103711900cd6b6a86ea145de10b316047370203010001a381e93081e6301d0603551d0e041604148cf1945262f33d0d656b8a1652dcfece15788e563081b60603551d230481ae3081ab80148cf1945262f33d0d656b8a1652dcfece15788e56a1818fa4818c308189310b3009060355040613024445 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x9e07ab319d06b2147db0651e6ba99830 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 176 from 172.17.26.160:43297 to 172.17.27.78:1812 length 315 (4) User-Name = "test-a" (4) NAS-Identifier = "44d9e7f96309" (4) NAS-Port = 0 (4) Called-Station-Id = "44-D9-E7-FA-63-09:test-rad-a1" (4) Calling-Station-Id = "60-A3-7D-2C-A2-19" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) EAP-Message = 0x020100901980000000861603010046100000424104e09676402090684dadae03a9e096e3d5a332ca26564283afe7e24b382a26d35f7a458bcb1a2fce5e93d98757c9da93096eeef85a93ef9686afafd0f3f041ff4414030100010116030100302329036ca75de430697f8bb907e812cef99329be76d18e (4) State = 0x9e07ab319d06b2147db0651e6ba99830 (4) Message-Authenticator = 0x235bdacff5a34ffafef1e57928386b62 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "test-a", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 1 length 144 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x9e07ab319d06b214 (4) eap: Finished EAP session with state 0x9e07ab319d06b214 (4) eap: Previous EAP request found for state 0x9e07ab319d06b214, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 134 bytes (4) eap_peap: Got complete TLS record (134 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange (4) eap_peap: TLS_accept: SSLv3 read client key exchange A (4) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished (4) eap_peap: TLS_accept: SSLv3 read finished A (4) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap: TLS_accept: SSLv3 write change cipher spec A (4) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished (4) eap_peap: TLS_accept: SSLv3 write finished A (4) eap_peap: TLS_accept: SSLv3 flush data (4) eap_peap: (other): SSL negotiation finished successfully (4) eap_peap: SSL Connection Established (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 2 length 65 (4) eap: EAP session adding &reply:State = 0x9e07ab319a05b214 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) Sent Access-Challenge Id 176 from 172.17.27.78:1812 to 172.17.26.160:43297 length 0 (4) EAP-Message = 0x01020041190014030100010116030100307e559e502e2de3ff55e8cb73bc3d24db53d8b334e98b749e48c4b85870e4517dc655357d734a39609b1de09136450a7c (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x9e07ab319a05b2147db0651e6ba99830 (4) Finished request Waking up in 4.8 seconds. (5) Received Access-Request Id 177 from 172.17.26.160:43297 to 172.17.27.78:1812 length 177 (5) User-Name = "test-a" (5) NAS-Identifier = "44d9e7f96309" (5) NAS-Port = 0 (5) Called-Station-Id = "44-D9-E7-FA-63-09:test-rad-a1" (5) Calling-Station-Id = "60-A3-7D-2C-A2-19" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) EAP-Message = 0x020200061900 (5) State = 0x9e07ab319a05b2147db0651e6ba99830 (5) Message-Authenticator = 0x729222fc52023352762fed3d36b6bc29 (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "test-a", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 2 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x9e07ab319a05b214 (5) eap: Finished EAP session with state 0x9e07ab319a05b214 (5) eap: Previous EAP request found for state 0x9e07ab319a05b214, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer ACKed our handshake fragment. handshake is finished (5) eap_peap: [eaptls verify] = success (5) eap_peap: [eaptls process] = success (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state TUNNEL ESTABLISHED (5) eap: Sending EAP Request (code 1) ID 3 length 43 (5) eap: EAP session adding &reply:State = 0x9e07ab319b04b214 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) Sent Access-Challenge Id 177 from 172.17.27.78:1812 to 172.17.26.160:43297 length 0 (5) EAP-Message = 0x0103002b19001703010020a49cad063111d3a3a30e1c579f4fd7939fe0e73fa3a81015d4bec721174f0b15 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x9e07ab319b04b2147db0651e6ba99830 (5) Finished request Waking up in 4.7 seconds. (6) Received Access-Request Id 178 from 172.17.26.160:43297 to 172.17.27.78:1812 length 214 (6) User-Name = "test-a" (6) NAS-Identifier = "44d9e7f96309" (6) NAS-Port = 0 (6) Called-Station-Id = "44-D9-E7-FA-63-09:test-rad-a1" (6) Calling-Station-Id = "60-A3-7D-2C-A2-19" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Connect-Info = "CONNECT 0Mbps 802.11b" (6) EAP-Message = 0x0203002b19001703010020679c390d5c5667e92801880c21150ee32dc5ca4c651168a71da271fc5d6c58de (6) State = 0x9e07ab319b04b2147db0651e6ba99830 (6) Message-Authenticator = 0xcaf7f66ffdc42cbe2a2a4c72a00ebd7e (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "test-a", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 3 length 43 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x9e07ab319b04b214 (6) eap: Finished EAP session with state 0x9e07ab319b04b214 (6) eap: Previous EAP request found for state 0x9e07ab319b04b214, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY (6) eap_peap: Identity - test-a (6) eap_peap: Got inner identity 'test-a' (6) eap_peap: Setting default EAP type for tunneled EAP session (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x0203000b01746573742d61 (6) eap_peap: Setting User-Name to test-a (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x0203000b01746573742d61 (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "test-a" (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x0203000b01746573742d61 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "test-a" (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) if ((&LDAP-Group == "616") && (Packet-Src-IP-Address != 172.17.26.160)) { (6) Searching for user in group "616" rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 415 seconds rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 415 seconds rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 415 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 415 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 415 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://rad.domain.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (5) (6) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (6) --> (uid=test-a) (6) Performing search in "cn=users,dc=domain,dc=de" with filter "(uid=test-a)", scope "sub" (6) Waiting for search result... (6) User object found at DN "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de" (6) Checking user object's gidNumber attributes (6) Performing unfiltered search in "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de", scope "base" (6) Waiting for search result... (6) Processing gidNumber value "admins" as a group name rlm_ldap (ldap): Released connection (5) rlm_ldap (ldap): Need 2 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (6), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to ldap://rad.domain.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (6) User is not a member of "616" (6) if ((&LDAP-Group == "616") && (Packet-Src-IP-Address != 172.17.26.160)) -> FALSE (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "test-a", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 3 length 11 (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Peer sent packet with method EAP Identity (1) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: Issuing Challenge (6) eap: Sending EAP Request (code 1) ID 4 length 43 (6) eap: EAP session adding &reply:State = 0x762e1ad9762a0093 (6) [eap] = handled (6) } # authenticate = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) EAP-Message = 0x0104002b1a0104002610b2a919c34a7095e9ef681ecc9a36595d667265657261646975732d332e302e3132 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x762e1ad9762a0093ae5cb8ff36bceb39 (6) eap_peap: Got tunneled reply code 11 (6) eap_peap: EAP-Message = 0x0104002b1a0104002610b2a919c34a7095e9ef681ecc9a36595d667265657261646975732d332e302e3132 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x762e1ad9762a0093ae5cb8ff36bceb39 (6) eap_peap: Got tunneled reply RADIUS code 11 (6) eap_peap: EAP-Message = 0x0104002b1a0104002610b2a919c34a7095e9ef681ecc9a36595d667265657261646975732d332e302e3132 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x762e1ad9762a0093ae5cb8ff36bceb39 (6) eap_peap: Got tunneled Access-Challenge (6) eap: Sending EAP Request (code 1) ID 4 length 75 (6) eap: EAP session adding &reply:State = 0x9e07ab319803b214 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) Sent Access-Challenge Id 178 from 172.17.27.78:1812 to 172.17.26.160:43297 length 0 (6) EAP-Message = 0x0104004b19001703010040894f3af8d03bacd177be628df80bdd454933fa0b923535c57c57d1ae9989b27bddf790aee37be4e0946a99ed871628fbc365a11af144a0c19d9a6e58ceeda6ac (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x9e07ab319803b2147db0651e6ba99830 (6) Finished request Waking up in 4.6 seconds. (7) Received Access-Request Id 179 from 172.17.26.160:43297 to 172.17.27.78:1812 length 278 (7) User-Name = "test-a" (7) NAS-Identifier = "44d9e7f96309" (7) NAS-Port = 0 (7) Called-Station-Id = "44-D9-E7-FA-63-09:test-rad-a1" (7) Calling-Station-Id = "60-A3-7D-2C-A2-19" (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) EAP-Message = 0x0204006b190017030100602d4c3e90ccb7e84329224cc04420eb55b46a9250b234b9cd6e2f469abba35b31a8a06f5549dd9e04e0d1682bcd9a1d6f77b51f9ba7931bd678d4c1cd212eb73ee67b5ebb59cca09d954cd5cdfc14fefd30dee4bb791aee00d0351cba83a281cd (7) State = 0x9e07ab319803b2147db0651e6ba99830 (7) Message-Authenticator = 0x8f0e0809a4e4935967e7b75f7001fdef (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "test-a", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 4 length 107 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x762e1ad9762a0093 (7) eap: Finished EAP session with state 0x9e07ab319803b214 (7) eap: Previous EAP request found for state 0x9e07ab319803b214, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP method MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x020400411a0204003c31e41e98e6ed53c8cd1b2dca96b04da1c800000000000000009a09d5bfff0bb8f9741638c1109c60f9c2d7030068db76ce00746573742d61 (7) eap_peap: Setting User-Name to test-a (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x020400411a0204003c31e41e98e6ed53c8cd1b2dca96b04da1c800000000000000009a09d5bfff0bb8f9741638c1109c60f9c2d7030068db76ce00746573742d61 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "test-a" (7) eap_peap: State = 0x762e1ad9762a0093ae5cb8ff36bceb39 (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x020400411a0204003c31e41e98e6ed53c8cd1b2dca96b04da1c800000000000000009a09d5bfff0bb8f9741638c1109c60f9c2d7030068db76ce00746573742d61 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "test-a" (7) State = 0x762e1ad9762a0093ae5cb8ff36bceb39 (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) if ((&LDAP-Group == "616") && (Packet-Src-IP-Address != 172.17.26.160)) { (7) Searching for user in group "616" rlm_ldap (ldap): Reserved connection (5) (7) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (7) --> (uid=test-a) (7) Performing search in "cn=users,dc=domain,dc=de" with filter "(uid=test-a)", scope "sub" (7) Waiting for search result... (7) User object found at DN "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de" (7) Checking user object's gidNumber attributes (7) Performing unfiltered search in "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de", scope "base" (7) Waiting for search result... (7) Processing gidNumber value "admins" as a group name rlm_ldap (ldap): Released connection (5) (7) User is not a member of "616" (7) if ((&LDAP-Group == "616") && (Packet-Src-IP-Address != 172.17.26.160)) -> FALSE (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "test-a", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 4 length 65 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop rlm_ldap (ldap): Reserved connection (6) (7) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (7) ldap: --> (uid=test-a) (7) ldap: Performing search in "cn=users,dc=domain,dc=de" with filter "(uid=test-a)", scope "sub" (7) ldap: Waiting for search result... (7) ldap: User object found at DN "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de" (7) ldap: Processing user attributes (7) ldap: control:Password-With-Header += 'passwd' (7) ldap: reply:Tunnel-Type := VLAN (7) ldap: reply:Tunnel-Medium-Type := IEEE-802 rlm_ldap (ldap): Released connection (6) (7) [ldap] = updated (7) [expiration] = noop (7) [logintime] = noop (7) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (7) pap: Removing &control:Password-With-Header (7) pap: WARNING: Auth-Type already set. Not setting to PAP (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0x762e1ad9762a0093 (7) eap: Finished EAP session with state 0x762e1ad9762a0093 (7) eap: Previous EAP request found for state 0x762e1ad9762a0093, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) eap_mschapv2: authenticate { (7) mschap: Found Cleartext-Password, hashing to create NT-Password (7) mschap: Found Cleartext-Password, hashing to create LM-Password (7) mschap: Creating challenge hash with username: test-a (7) mschap: Client is using MS-CHAPv2 (7) mschap: Adding MS-CHAPv2 MPPE keys (7) [mschap] = ok (7) } # authenticate = ok (7) MSCHAP Success (7) eap: Sending EAP Request (code 1) ID 5 length 51 (7) eap: EAP session adding &reply:State = 0x762e1ad9772b0093 (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) Tunnel-Type := VLAN (7) Tunnel-Medium-Type := IEEE-802 (7) EAP-Message = 0x010500331a0304002e533d41303335384346363634313841413935453142384537353232393930393135344343353230383731 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x762e1ad9772b0093ae5cb8ff36bceb39 (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: Tunnel-Type := VLAN (7) eap_peap: Tunnel-Medium-Type := IEEE-802 (7) eap_peap: EAP-Message = 0x010500331a0304002e533d41303335384346363634313841413935453142384537353232393930393135344343353230383731 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x762e1ad9772b0093ae5cb8ff36bceb39 (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: Tunnel-Type := VLAN (7) eap_peap: Tunnel-Medium-Type := IEEE-802 (7) eap_peap: EAP-Message = 0x010500331a0304002e533d41303335384346363634313841413935453142384537353232393930393135344343353230383731 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x762e1ad9772b0093ae5cb8ff36bceb39 (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 5 length 91 (7) eap: EAP session adding &reply:State = 0x9e07ab319902b214 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) Sent Access-Challenge Id 179 from 172.17.27.78:1812 to 172.17.26.160:43297 length 0 (7) EAP-Message = 0x0105005b19001703010050505b7fe2ff5d8e3b8d66e2cfedfd47348f574952ef522b8df5e606dac261e49adf73b071906a4b49c6bdbd34f55bdb91f678b43cd2c7210778190899d38e7963037a94bdd306a4a7cb6f89281afcfd9e (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x9e07ab319902b2147db0651e6ba99830 (7) Finished request Waking up in 4.5 seconds. (8) Received Access-Request Id 180 from 172.17.26.160:43297 to 172.17.27.78:1812 length 214 (8) User-Name = "test-a" (8) NAS-Identifier = "44d9e7f96309" (8) NAS-Port = 0 (8) Called-Station-Id = "44-D9-E7-FA-63-09:test-rad-a1" (8) Calling-Station-Id = "60-A3-7D-2C-A2-19" (8) Framed-MTU = 1400 (8) NAS-Port-Type = Wireless-802.11 (8) Connect-Info = "CONNECT 0Mbps 802.11b" (8) EAP-Message = 0x0205002b190017030100201d239c709600f904a8a007daa0913a346f637b5f0897d83e3e63c0d56b79ea7e (8) State = 0x9e07ab319902b2147db0651e6ba99830 (8) Message-Authenticator = 0x493ad04a8467c7ff2af23accafd9f4f4 (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "test-a", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 5 length 43 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x762e1ad9772b0093 (8) eap: Finished EAP session with state 0x9e07ab319902b214 (8) eap: Previous EAP request found for state 0x9e07ab319902b214, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x020500061a03 (8) eap_peap: Setting User-Name to test-a (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x020500061a03 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "test-a" (8) eap_peap: State = 0x762e1ad9772b0093ae5cb8ff36bceb39 (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x020500061a03 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "test-a" (8) State = 0x762e1ad9772b0093ae5cb8ff36bceb39 (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) if ((&LDAP-Group == "616") && (Packet-Src-IP-Address != 172.17.26.160)) { (8) Searching for user in group "616" rlm_ldap (ldap): Reserved connection (5) (8) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) --> (uid=test-a) (8) Performing search in "cn=users,dc=domain,dc=de" with filter "(uid=test-a)", scope "sub" (8) Waiting for search result... (8) User object found at DN "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de" (8) Checking user object's gidNumber attributes (8) Performing unfiltered search in "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de", scope "base" (8) Waiting for search result... (8) Processing gidNumber value "admins" as a group name rlm_ldap (ldap): Released connection (5) (8) User is not a member of "616" (8) if ((&LDAP-Group == "616") && (Packet-Src-IP-Address != 172.17.26.160)) -> FALSE (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "test-a", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 5 length 6 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop rlm_ldap (ldap): Reserved connection (6) (8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (uid=test-a) (8) ldap: Performing search in "cn=users,dc=domain,dc=de" with filter "(uid=test-a)", scope "sub" (8) ldap: Waiting for search result... (8) ldap: User object found at DN "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de" (8) ldap: Processing user attributes (8) ldap: control:Password-With-Header += 'passwd' (8) ldap: reply:Tunnel-Type := VLAN (8) ldap: reply:Tunnel-Medium-Type := IEEE-802 rlm_ldap (ldap): Released connection (6) (8) [ldap] = updated (8) [expiration] = noop (8) [logintime] = noop (8) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (8) pap: Removing &control:Password-With-Header (8) pap: WARNING: Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0x762e1ad9772b0093 (8) eap: Finished EAP session with state 0x762e1ad9772b0093 (8) eap: Previous EAP request found for state 0x762e1ad9772b0093, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap: Sending EAP Success (code 3) ID 5 length 4 (8) eap: Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel (8) post-auth { (8) if (&LDAP-Group == "admins") { (8) Searching for user in group "admins" rlm_ldap (ldap): Reserved connection (5) (8) Using user DN from request "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de" (8) Checking user object's gidNumber attributes (8) Performing unfiltered search in "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de", scope "base" (8) Waiting for search result... (8) Processing gidNumber value "admins" as a group name (8) User found in group "admins". Comparison between membership: name, check: name rlm_ldap (ldap): Released connection (5) (8) if (&LDAP-Group == "admins") -> TRUE (8) if (&LDAP-Group == "admins") { (8) update { (8) &outer.session-state:Tunnel-Type := VLAN (8) &outer.session-state:Tunnel-Medium-Type := IEEE-802 (8) &outer.session-state:Tunnel-Private-Group-Id := "10" (8) &outer.session-state:User-Name := User-Name[*] -> 'test-a' (8) } # update = noop (8) } # if (&LDAP-Group == "admins") = noop (8) ... skipping elsif: Preceding "if" was taken (8) update { (8) No attributes updated (8) No attributes updated (8) No attributes updated (8) &outer.session-state:User-Name := User-Name[*] -> 'test-a' (8) } # update = noop (8) } # post-auth = noop (8) } # server inner-tunnel (8) Virtual server sending reply (8) Tunnel-Type := VLAN (8) Tunnel-Medium-Type := IEEE-802 (8) MS-MPPE-Encryption-Policy = Encryption-Allowed (8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) MS-MPPE-Send-Key = 0x148f248ff006938f098805d60b5eaa48 (8) MS-MPPE-Recv-Key = 0x3609377d8cc73d2824d0e370e3c4b85f (8) EAP-Message = 0x03050004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) User-Name = "test-a" (8) eap_peap: Got tunneled reply code 2 (8) eap_peap: Tunnel-Type := VLAN (8) eap_peap: Tunnel-Medium-Type := IEEE-802 (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) eap_peap: MS-MPPE-Send-Key = 0x148f248ff006938f098805d60b5eaa48 (8) eap_peap: MS-MPPE-Recv-Key = 0x3609377d8cc73d2824d0e370e3c4b85f (8) eap_peap: EAP-Message = 0x03050004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: User-Name = "test-a" (8) eap_peap: Got tunneled reply RADIUS code 2 (8) eap_peap: Tunnel-Type := VLAN (8) eap_peap: Tunnel-Medium-Type := IEEE-802 (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) eap_peap: MS-MPPE-Send-Key = 0x148f248ff006938f098805d60b5eaa48 (8) eap_peap: MS-MPPE-Recv-Key = 0x3609377d8cc73d2824d0e370e3c4b85f (8) eap_peap: EAP-Message = 0x03050004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: User-Name = "test-a" (8) eap_peap: Tunneled authentication was successful (8) eap_peap: SUCCESS (8) eap: Sending EAP Request (code 1) ID 6 length 43 (8) eap: EAP session adding &reply:State = 0x9e07ab319601b214 (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) session-state: Saving cached attributes (8) Tunnel-Type := VLAN (8) Tunnel-Medium-Type := IEEE-802 (8) Tunnel-Private-Group-Id := "10" (8) User-Name := "test-a" (8) Sent Access-Challenge Id 180 from 172.17.27.78:1812 to 172.17.26.160:43297 length 0 (8) EAP-Message = 0x0106002b19001703010020d8ba2aae2a1ab16b8c9d00b8a74443688cd4ce135bfc081974dd0237b3ce5cc4 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x9e07ab319601b2147db0651e6ba99830 (8) Finished request Waking up in 4.4 seconds. (9) Received Access-Request Id 181 from 172.17.26.160:43297 to 172.17.27.78:1812 length 214 (9) User-Name = "test-a" (9) NAS-Identifier = "44d9e7f96309" (9) NAS-Port = 0 (9) Called-Station-Id = "44-D9-E7-FA-63-09:test-rad-a1" (9) Calling-Station-Id = "60-A3-7D-2C-A2-19" (9) Framed-MTU = 1400 (9) NAS-Port-Type = Wireless-802.11 (9) Connect-Info = "CONNECT 0Mbps 802.11b" (9) EAP-Message = 0x0206002b1900170301002030062f654aaee5093e0df236f375b81c9f2f906d8e8733c40d46fd6d2113219d (9) State = 0x9e07ab319601b2147db0651e6ba99830 (9) Message-Authenticator = 0x8d180b2adacb28cf9294b573d3968248 (9) Restoring &session-state (9) &session-state:Tunnel-Type := VLAN (9) &session-state:Tunnel-Medium-Type := IEEE-802 (9) &session-state:Tunnel-Private-Group-Id := "10" (9) &session-state:User-Name := "test-a" (9) # Executing section authorize from file /etc/freeradius/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "test-a", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 6 length 43 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x9e07ab319601b214 (9) eap: Finished EAP session with state 0x9e07ab319601b214 (9) eap: Previous EAP request found for state 0x9e07ab319601b214, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv success (9) eap_peap: Received EAP-TLV response (9) eap_peap: Success (9) eap_peap: No information to cache: session caching will be disabled for session 46f9d2817aaeb9ce63792258fec8297b8df858ae69e871e406934c04f0bb5293 (9) eap: Sending EAP Success (code 3) ID 6 length 4 (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (9) post-auth { (9) update { (9) &reply::Tunnel-Type += &session-state:Tunnel-Type[*] -> VLAN (9) &reply::Tunnel-Medium-Type += &session-state:Tunnel-Medium-Type[*] -> IEEE-802 (9) &reply::Tunnel-Private-Group-Id += &session-state:Tunnel-Private-Group-Id[*] -> '10' (9) &reply::User-Name += &session-state:User-Name[*] -> 'test-a' (9) } # update = noop (9) [exec] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # post-auth = noop (9) Sent Access-Accept Id 181 from 172.17.27.78:1812 to 172.17.26.160:43297 length 0 (9) MS-MPPE-Recv-Key = 0x67b8193ef1743a40baf927ad9c8e8e51015ff006a15d65ab2bb16de2cb5cfc05 (9) MS-MPPE-Send-Key = 0x20fef0c28e2ac5390ee5ab1f0143ae7c634ad3004970710794513e60b83552bf (9) EAP-Message = 0x03060004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) User-Name = "test-a" (9) Tunnel-Type += VLAN (9) Tunnel-Medium-Type += IEEE-802 (9) Tunnel-Private-Group-Id += "10" (9) User-Name += "test-a" (9) Finished request Thanks Moritz
Hi,
In future we want to enable VLAN assignment via LDAP so we want to use LDAP group membership comparison and combine it with Packet-Src-IP-Address checking.
Users from LDAP group „Admins“ should be assigned to VLAN 10 (management) Users from LDAP group „Operators“ should be assigned to VLAN 20 (operator) Users from other LDAP groups „Group-X“ should be assigned to userspecific VLAN which is represented in the LDAP attribute „radiusTunnelPrivateGroupId“.
okay. simple policy
1. according to Alan DeKoks suggestions here: http://lists.freeradius.org/pipermail/freeradius-users/2015-April/077171.htm... configured freeradius/mods-enabled/ldap „group“ section for group checking. In our case every LDAP user has an LDAP attribute 'gidNumber' which represents its group membership.
okay
2. configured /freeradius/users file
# in LDAP: Admins gidNumber = 111, Operators gidNumber = 222, Users in POP1 gidNumber = 901 DEFAULT LDAP-Group == "111", Auth-Type = LDAP DEFAULT LDAP-Group == "222", Auth-Type = LDAP DEFAULT Packet-Src-IP-Address == 10.0.0.1, LDAP-Group == „901“, Auth-Type = LDAP ... DEFAULT Packet-Src-IP-Address == 10.0.0.15, LDAP-Group == „915“, Auth-Type = LDAP DEFAULT Auth-Type := Reject
eugh. none of that old rubbish. just use a policy written in unlang in the post-auth section of your inner-tunnel. ensure that the return attributes are in the outer tunnel (so the NAS can read that info)
3. configured /freeradius/sites-enabled/default
no "ldap" in the "authorize" section so ldap gets commented here -> #ldap
be sure there's "Auth-Type LDAP" in the "authenticate" section so #Auth-Type LDAP { # ldap # } gets uncommented here -> Auth-Type LDAP { ldap }
no. you cannot trust the outer ID...anything can be in there dont enable anything apart from the EAP in the outer
4. configured /freeradius/sites-enabled/inner-tunnel
authorize { ldap
authenticate { #Auth-Type LDAP { # ldap # }
LDAP should be enabled for authentication in inner tunnel
Is there a more elegant way to implement it?
unlang
Is it possible to reduce the LDAP queries exept from sorting the POP listing in users file? (there seems to be a change in 3.0.13 ?)
there was another addition so handle the occasional 'updated' return...the default pre 3.0.13 has served most people ...i guess the reason you are seeing 2 requests is the authenticate and the authorise.....or its a side effect of the authenticate in outer tunnel (default) which might lead to another try - if you only auth in inner tunnel then things will be cleaner. alan
On 11/01/2017 17:05, Staiger, Moritz (RRZE) wrote:
we are running freeradius 3.0.12 which is authenticating against an openldap server with EAP PEAP MSCHAPv2 When you say "is authenticating against an openldap server", I wonder if you mean "is reading a cleartext password or NTLM password hash out of an openldap server"
When people say "authenticating against LDAP" they usually mean "using LDAP as a password oracle by doing an LDAP BIND with the user-supplied password". But if you are using MSCHAPv2 this is impossible, since you don't receive the cleartext password.
In future we want to enable VLAN assignment via LDAP so we want to use LDAP group membership comparison and combine it with Packet-Src-IP-Address checking.
Users from LDAP group „Admins“ should be assigned to VLAN 10 (management) Users from LDAP group „Operators“ should be assigned to VLAN 20 (operator) Users from other LDAP groups „Group-X“ should be assigned to userspecific VLAN which is represented in the LDAP attribute „radiusTunnelPrivateGroupId“. This might help as a starting point. http://lists.freeradius.org/pipermail/freeradius-users/2016-December/085977....
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Brian Candler -
Moritz Staiger -
Staiger, Moritz (RRZE)