Now its time to configure to log into SQL :) Until now we uses cisco wireless controller and only allow two connection for all users. I wanted to implement Simultaneous-user based in student and staff. and want to use sql for it. My users are authenticate against AD (samb +ntml_auth). So here is what I did : 1. Created database radius. 2. Populated admin.sql into the mysql 3. Populated schema.sql into the radius database 4. Enabled sql.conf in /etc/raddb/radius.conf 5. Disabled radutmp and enabled sql in accounting section in /etc/raddb/site-enabled/default 6. So, added DEFAULT Simultaneous-Use := 2 in /etc/raddb/users file for testing 7. restarted radius - try logging few users But I do not see any tables in radius database been updated. I just wanted to use session for the simultaneous user for restrict user. if this works then I can write regex to query LDAP if x is staff or student. Point me if i am doing wrong or some docs where I can see more reading reading reading. K
On Feb 17, 2015, at 9:05 AM, Khapare Joshi <khapare77@gmail.com> wrote:
Now its time to configure to log into SQL :) Until now we uses cisco wireless controller and only allow two connection for all users.
I wanted to implement Simultaneous-user based in student and staff. and want to use sql for it.
My users are authenticate against AD (samb +ntml_auth).
So here is what I did :
1. Created database radius. 2. Populated admin.sql into the mysql 3. Populated schema.sql into the radius database 4. Enabled sql.conf in /etc/raddb/radius.conf 5. Disabled radutmp and enabled sql in accounting section in /etc/raddb/site-enabled/default 6. So, added DEFAULT Simultaneous-Use := 2 in /etc/raddb/users file for testing 7. restarted radius - try logging few users
That’s all good.
But I do not see any tables in radius database been updated.
Did you run the server in debugging mode to see what’s it’s doing?
I just wanted to use session for the simultaneous user for restrict user. if this works then I can write regex to query LDAP if x is staff or student.
Point me if i am doing wrong or some docs where I can see more reading reading reading.
Run the server in debugging mode as suggested in the FAQ, “man” page, web pages, and daily on this list. Alan DeKok.
My NAS was bad - it was not sending accounting data. Now NAS is sending data and radacct been populated. So as in FAQ I executed INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) values("dialup", "Simultaneous-Use", ":=", "1"); I also tried adding in /etc/raddb/users file DEFAULT Simultaneous-Use := 1 But I am still allowed to same user (khapare) from two devices. Here are some SQL part ++[eap] = ok +} # group authenticate = ok # Executing section session from file /etc/raddb/sites-enabled/inner-tunnel +group session { [sql] expand: %{User-Name} -> khapare@realm.com [sql] sql_set_user escaped user --> 'khapare@realm.com' [sql] expand: SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL -> SELECT COUNT(*) FROM radacct WHERE username = 'khapare@realm.com' AND acctstoptime IS NULL rlm_sql (sql): Reserving sql socket id: 31 rlm_sql (sql): Released sql socket id: 31 ++[sql] = ok +} # group session = ok Login OK: [khapare@realm.com] (from client nas1.realm.com port 7174 cli 0021.5c5b.8ef3 via TLS tunnel) [detail] expand: %t -> Thu Mar 5 08:32:49 2015 ++[detail] = ok [sql] expand: %{User-Name} -> khapare [sql] sql_set_user escaped user --> 'khapare' [sql] expand: %{Acct-Delay-Time} -> 0 [sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', rlm_sql (sql): Reserving sql socket id: 30 rlm_sql (sql): Released sql socket id: 30 ++[sql] = ok [attr_filter.accounting_response] expand: %{User-Name} -> khapare [root@radiusserver ~]# ./radwhosql +----------+---------------+-----------+-----------------+---------------------+ | username | acctsessionid | nasportid | nasporttype | acctstarttime | +----------+---------------+-----------+-----------------+---------------------+ | khapare | 00001B1D | 7172 | Wireless-802.11 | 2015-03-05 08:29:13 | | khapare | 00001B20 | 7174 | Wireless-802.11 | 2015-03-05 08:32:49 | +----------+---------------+-----------+-----------------+---------------------+ [root@radiusserver ~]# in radwhosql I just put this line /usr/bin/mysql -u radius -pBIL$ates radius -e "select username, acctsessionid, nasportid, nasporttype, acctstarttime from radacct where acctstoptime is NULL ;" Could it be when radius is exectuing the session section it is looking for khapare@realm.com but in the database username is only the username i.e khapare ? so it seem Then I changed in /etc/raddb/sql/mysql/dialup.conf From # sql_user_name = "%{User-Name}" TO sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}" After chaning this my Simultaneous-Use start working Now my question is: 1. Once I set INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) values("dialup", "Simultaneous-Use", ":=", "1"); do I still have to define in /etc/raddb/users file as : DEFAULT Simultaneous-Use := 1 Because this how it worked in my testing e 2. or I am doing stupid here ? On Tue, Feb 17, 2015 at 2:34 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 17, 2015, at 9:05 AM, Khapare Joshi <khapare77@gmail.com> wrote:
Now its time to configure to log into SQL :) Until now we uses cisco wireless controller and only allow two connection for all users.
I wanted to implement Simultaneous-user based in student and staff. and want to use sql for it.
My users are authenticate against AD (samb +ntml_auth).
So here is what I did :
1. Created database radius. 2. Populated admin.sql into the mysql 3. Populated schema.sql into the radius database 4. Enabled sql.conf in /etc/raddb/radius.conf 5. Disabled radutmp and enabled sql in accounting section in /etc/raddb/site-enabled/default 6. So, added DEFAULT Simultaneous-Use := 2 in /etc/raddb/users file for testing 7. restarted radius - try logging few users
That’s all good.
But I do not see any tables in radius database been updated.
Did you run the server in debugging mode to see what’s it’s doing?
I just wanted to use session for the simultaneous user for restrict user. if this works then I can write regex to query LDAP if x is staff or student.
Point me if i am doing wrong or some docs where I can see more reading reading reading.
Run the server in debugging mode as suggested in the FAQ, “man” page, web pages, and daily on this list.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 5, 2015, at 4:16 AM, Khapare Joshi <khapare77@gmail.com> wrote:
My NAS was bad - it was not sending accounting data. Now NAS is sending data and radacct been populated.
That’s usually the problem.
Could it be when radius is exectuing the session section it is looking for khapare@realm.com but in the database username is only the username i.e khapare ?
Yes. If you run the server in debugging mode, you’ll see what it’s doing.
1. Once I set INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) values("dialup", "Simultaneous-Use", ":=", "1"); do I still have to define in /etc/raddb/users file as :
No. The server doesn’t care where an attribute comes from.
2. or I am doing stupid here ?
No. Alan DeKok.
Thanks Alan, It looks Simualtaneous-use seem to be working in my test environment. I set DEFAULT Simultaneous-Use := 2 in users file and perform the test with the configuration. This works what it should be : ++[eap] = ok +} # group authenticate = ok # Executing section session from file /etc/raddb/sites-enabled/inner-tunnel +group session { [sql] expand: %{Stripped-User-Name} -> khapare [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> khapare [sql] sql_set_user escaped user --> 'khapare' [sql] expand: SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL -> SELECT COUNT(*) FROM radacct WHERE username = 'khapare' AND acctstoptime IS NULL rlm_sql (sql): Reserving sql socket id: 3 rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): Released sql socket id: 3 ++[sql] = ok +} # group session = ok Multiple logins (max 2) : [khapare@realm.com] (from client nas1.realm.com port 7348 cli 2002.afd1.523e via TLS tunnel) Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> khapare@realm.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [peap] Got tunneled reply code 3 Reply-Message := "\r\nYou are already logged in 2 times - access denied\r\n\n" [peap] Got tunneled reply RADIUS code 3 Reply-Message := "\r\nYou are already logged in 2 times - access denied\r\n\n" [peap] Tunneled authentication was rejected. [peap] FAILURE This is good. Now I want to search users in ldap for their group membership and set the simulataneous-use if users is a student simualtaneous-use :=2 if uses is a staff Simualtaneous-Use :=5 rest others = 7 On Thu, Mar 5, 2015 at 12:56 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 5, 2015, at 4:16 AM, Khapare Joshi <khapare77@gmail.com> wrote:
My NAS was bad - it was not sending accounting data. Now NAS is sending data and radacct been populated.
That’s usually the problem.
Could it be when radius is exectuing the session section it is looking for khapare@realm.com but in the database username is only the username i.e khapare ?
Yes. If you run the server in debugging mode, you’ll see what it’s doing.
1. Once I set INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) values("dialup", "Simultaneous-Use", ":=", "1"); do I still have to define in /etc/raddb/users file as :
No. The server doesn’t care where an attribute comes from.
2. or I am doing stupid here ?
No.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have tried today with simualtaneous-Use with gidnumber, here are what I did. Added in /etc/raddb/ldap.attrmap checkItem gidNumber gidnumber I also had to add in /etc/raddb/dictionary ATTRIBUTE gidnumber 3003 integer commented these two lines in users file #DEFAULT Simultaneous-Use := 2 # Fall-Through = 1 in /etc/raddb/sites-enables/default right ldap section, I added these #DEFAULT Simultaneous-Use := 2 # Fall-Through = 1 Reject if users is not in LDAP ldap if (notfound){ reject } # check gid for simultaneous use if ("%{gidnumber}" < 200){ update request { Simultaneous-Use := 1 } else{ update request { Simultaneous-Use := 2 } } } the regex checking returns true for user testsim who has gid less than 200 but testsim still able to login 2nd and 3rd login. can anyone see what I am missing ? here is the debug output Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=221, length=143 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0x02aa50ca6938abf111e98eb999837890 EAP-Message = 0x02020012016e656d616e64694068692e6973 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 0: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 2 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for testsim [ldap] expand: %{Stripped-User-Name} -> testsim [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testsim) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to ldapserver:389, authentication 0 [ldap] bind as cn=ldapusername,ou=user,dc=example,dc=com/Wum8dili to ldapserver:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=example,dc=com, with filter (uid=testsim) [ldap] looking for check items in directory... [ldap] gidnumber -> gidnumber == 151 [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++? if (notfound) ? Evaluating (notfound) -> FALSE ++? if (notfound) -> FALSE ++? if ("%{gidnumber}" < 200) expand: %{gidnumber} -> ? Evaluating ("%{gidnumber}" < 200) -> TRUE ++? if ("%{gidnumber}" < 200) -> TRUE ++if ("%{gidnumber}" < 200) { +++update request { +++} # update request = noop +++ ... skipping else for request 0: No preceding "if" ++} # if ("%{gidnumber}" < 200) = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 221 to 10.128.5.1 port 1645 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2b83fc5a2bb2612134a7040a4f7c7f0 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=222, length=250 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0xfd419fe8a45bd6e0774f49ec6275fb5b EAP-Message = 0x0203006b198000000061160301005c0100005803015523f1cc76277ea93a499680dff35585086bd083bf539087c3d3ca6d0053824b000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 State = 0xa2b83fc5a2bb2612134a7040a4f7c7f0 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 1: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 3 length 107 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 97 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005c], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 222 to 10.128.5.1 port 1645 EAP-Message = 0x0104040019c0000008a216030100310200002d03015523f1c91bc5f2eea2a5dbdd0698cb42a8a48c9fccdcc1e9d91e5e8c7c541b57000035000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3134313130353231353435345a170d3135303130343231353435345a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d257278bcb3d80351c6c39a144f9ee55accaf13aa2bdc5e78c1191b6126542cdb0b8edf81f72bc80e905d30fe95d9f54200778bff7e808 EAP-Message = 0xd3008941f8b7da00b5d9cf77bed1c1d2accd8f2aac95f6c4c549a0e64d0fffb372ee90b5e1752c7450c1fc302fcd9122cbb63e3d2f8400a5a2071690238d5133b80e96eaac6fa15e185dd390c51255309adac0be363f5e626ae745f05eeed35f3997c05377c2291ea6df65a6d6cc56ab9880776317cc9894557344f92eb982673e07ed5c027687eb46d2167c0cd7756404587c37319482497afd9bffe114ef64a2b0640add64df47d92e37f32d94720451964ce39276ae8fb94fdf2f3fba10b51ab2e84fb2804986a30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000382010100359a EAP-Message = 0xd6555994880868e54137c4d487acaeccded09ea5d265a1b2faa142dc0e8214b112cea1077f91d8e77a0516ad66524e964fc108774fa3538f4d8de1cbd41a08d4f356ccebb3a1fabcfd2b40d3ab12ff487995b42176e9201c165c4e00ac79be6379578bfa1109299015652b9c9160abff3ab2b87027590f6f46bd817cac00b168a06203959212727cec0bcb8555ff7c47e05bf459bee769989ba4c15619ab4256ed025b5c93e2f4316ad86167b1186e71aa407ad5e3e283ab0d3637b189f0ab5a0c9cbf73446230f511cc2b60da090f6c46842b61437c8e841f44b32d01b6d4e676cb23c7b5c9bfd20e6df238342e7de3596789f62dd5b3fd77f76654b2 EAP-Message = 0x3f0004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2b83fc5a3bc2612134a7040a4f7c7f0 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=223, length=149 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0xcdf001eb09d55ebe49a413ac8258de09 EAP-Message = 0x020400061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 State = 0xa2b83fc5a3bc2612134a7040a4f7c7f0 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 2: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 223 to 10.128.5.1 port 1645 EAP-Message = 0x010503fc1940a003020102020900ebf6479ecc13e59d300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3134313130353231353435345a170d3135303130343231353435345a308193310b3009060355040613024652310f300d0603550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b88d97967839058840e9074fde6afe5d23f7b77bb5d4c6c062c222f085626de7db03eed8672e37d56e7c7bbfbd1e68481bc526f5a0a0c88fb66eca809822cdd8cf6af8ca055f8a68f5ef4564d02f3bf64cf993ac3c3d295892f6307e88c7be325f8e295ec12610e3 EAP-Message = 0xf442768063f2c53a36a82ce16bca9bbdf35bdba6b20073d159543d7e179817db0a67737df59b88add8091a8bb44c3278e74c08f81d1a24c45a1707d09c76cd190460958b62197f8a1bf548f5f9aeb57f7ad52761f4716ab4c0dfb2afd6c80fd90fc437e6c0db15bc2b6cdfcde709b7b1c6e9759e1e7fd546d0d271e0f8b1ff825aac83857fa1ea7e4b8f5faa691751067923655c88964fcb0203010001a381fb3081f8301d0603551d0e0416041465a61d270505d0f4781e56c2ebf2d1ddc92a82063081c80603551d230481c03081bd801465a61d270505d0f4781e56c2ebf2d1ddc92a8206a18199a48196308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900ebf6479ecc13e59d300c0603551d13040530030101ff300d06092a864886f70d010105050003820101004c80773db9ef6312a280163ccfb62080bed265fd1d611fa2a065c5943f1db7ca42e4191f219277ad506c7c3d30f35a190cc5bd1ccbb67022488c049d79f4e8202e11678b49ee69dd76bee6 EAP-Message = 0x0419550efe88be07 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2b83fc5a0bd2612134a7040a4f7c7f0 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=224, length=149 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0xbacc4317b1136b351cc1cc6039e0d89d EAP-Message = 0x020500061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 State = 0xa2b83fc5a0bd2612134a7040a4f7c7f0 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 3: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 224 to 10.128.5.1 port 1645 EAP-Message = 0x010600bc190041272a2350e3d6c24837dc0dbeb6e38b25a4ef6a30dd86b675003ab0caf1e67a8fd59bf978b5a7a7cfd80884010333063b092a16ba58e339ddaffe55a835f75524219202ab6440731dafebb7c70dc3c4a49fe5302bf993adefb6e23a00619553a65807db09b4c3ca67d12fa32d6dc1f307ab4b39ac8a7b3bb4dc7a20d43d08feef956d5f96c50612ad5b7e90e305b2d42d29305e7a4c8ee180574730b0baa1fff7ddaa8ea5cf2d7abda4972f1f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2b83fc5a1be2612134a7040a4f7c7f0 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=225, length=481 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0x1b6a04acc1ac9f7562cc21cdd235b803 EAP-Message = 0x020601501980000001461603010106100001020100952dc780436e3543fa58f8d6dda32342595018adde4558631e13b2364c04dc5d9ad70a7d6f913570452a35324131e4598e24d6c5a9055bab78a70ea7a05d71dbe0fde7ae5bf96e11fb931f87173edbdf05b274924cea338cf6485546b3c5e22619ac8c9b6250f2837c0aef6751df11aadd2f1c1fb6af38a3f0674eab82e3a3bb0a0be74feed8298c1260b9828869e5038814a9e0aed1b7478660f4d886482fd0e638ff66772b7b7b47d4797706e7c7eaea05bd4a1e35972e12826358116e9399e352d8e1d5404d1b9311946275b2e5a1a0e016ca338194c4bf926741aa98d211841ded4878e6e456 EAP-Message = 0xd2c542547236d0816e9c2087ef8ff3d200948c9c0d9072cc1403010001011603010030e8f84acc73fa965b426e046f4ce672449970041f141f5a8a863abde5ee84ff7b74608693bc6dd24f992f88995d3359a8 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 State = 0xa2b83fc5a1be2612134a7040a4f7c7f0 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 4: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 6 length 253 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 225 to 10.128.5.1 port 1645 EAP-Message = 0x01070041190014030100010116030100308b7010b2ebd53202917c6c335fd911d59440f1ff7f0e4b0111af3f6ea07f618a346ee62af231d63642ddaf85fb80366c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2b83fc5a6bf2612134a7040a4f7c7f0 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=226, length=149 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0xd5e9682a9907090b414098c537246c61 EAP-Message = 0x020700061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 State = 0xa2b83fc5a6bf2612134a7040a4f7c7f0 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 5: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 226 to 10.128.5.1 port 1645 EAP-Message = 0x0108002b1900170301002048607d38300123d55551449d7188425122d57218a0f0625d7ae1ab21816151ef Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2b83fc5a7b02612134a7040a4f7c7f0 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=227, length=202 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0x6d9a70ff8d3c93157f29870a4b997e71 EAP-Message = 0x0208003b190017030100301daac43e2727962799048843bab2749321d10f3e23964b80fec66c95e835965505f86b4c2e99f396b384d04ef3793804 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 State = 0xa2b83fc5a7b02612134a7040a4f7c7f0 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 6: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 8 length 59 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - testsim@example.com [peap] Got inner identity 'testsim@example.com' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02080012016e656d616e64694068692e6973 server { [peap] Setting User-Name to testsim@example.com Sending tunneled request EAP-Message = 0x02080012016e656d616e64694068692e6973 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 6: Preceding "if" was taken ++} # else else = noop ++[chap] = noop ++[mschap] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 8 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for testsim [ldap] expand: %{Stripped-User-Name} -> testsim [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testsim) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com, with filter (uid=testsim) [ldap] looking for check items in directory... [ldap] gidnumber -> gidnumber == 151 [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900271a01090022100ee31f36566c997c191098769afa79246e656d616e64694068692e6973 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4dae11ad4da70b1e038f24cf8612d4dc [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900271a01090022100ee31f36566c997c191098769afa79246e656d616e64694068692e6973 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4dae11ad4da70b1e038f24cf8612d4dc [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 227 to 10.128.5.1 port 1645 EAP-Message = 0x0109004b1900170301004021a9ac287e38573ff649fa0fc5592eefbfcf61a411d757f1a5be38136975a2d725a5b953fcd4b3c9c8e61a7d4176235314a8f7d9c68402b6a8646c5428d8f8dc Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2b83fc5a4b12612134a7040a4f7c7f0 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=228, length=250 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0xd30b4ca2d8985460f35e371c5525ebf8 EAP-Message = 0x0209006b1900170301006057219e51b1c64730179efd42c63c537a6bcb10b316ab72fd3a06c1097a05197962444babc5c393f3ff253b393ae185a64aaaf6f0b1b2bb5b8284664dc6b15c94b2a733cd82a84d8693cd9307ca900fea86362c300c8535fa5c15a49ea1bf1109 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 State = 0xa2b83fc5a4b12612134a7040a4f7c7f0 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 7: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 9 length 107 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900481a02090043311447d092a75d7e42efccd07a8d1ba65c00000000000000006db4bd32c1d9119b1ae07df7d54b8fb17d1b55cf89be5f3b006e656d616e64694068692e6973 server { [peap] Setting User-Name to testsim@example.com Sending tunneled request EAP-Message = 0x020900481a02090043311447d092a75d7e42efccd07a8d1ba65c00000000000000006db4bd32c1d9119b1ae07df7d54b8fb17d1b55cf89be5f3b006e656d616e64694068692e6973 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testsim@example.com" State = 0x4dae11ad4da70b1e038f24cf8612d4dc Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 7: Preceding "if" was taken ++} # else else = noop ++[chap] = noop ++[mschap] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 9 length 72 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for testsim [ldap] expand: %{Stripped-User-Name} -> testsim [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testsim) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com, with filter (uid=testsim) [ldap] looking for check items in directory... [ldap] gidnumber -> gidnumber == 151 [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: testsim@example.com [mschap] Client is using MS-CHAPv2 for testsim@example.com, we need NT-Password [mschap] expand: %{Stripped-User-Name} -> testsim [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=testsim [mschap] Creating challenge hash with username: testsim@example.com [mschap] expand: %{mschap:Challenge} -> fd1acc5e260d5490 [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=fd1acc5e260d5490 [mschap] expand: %{mschap:NT-Response} -> 6db4bd32c1d9119b1ae07df7d54b8fb17d1b55cf89be5f3b [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=6db4bd32c1d9119b1ae07df7d54b8fb17d1b55cf89be5f3b Exec output: NT_KEY: 04066C8C6B0E8CFCABBB0AB6760971F7 Exec plaintext: NT_KEY: 04066C8C6B0E8CFCABBB0AB6760971F7 [mschap] Exec: program returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010a00331a0309002e533d41324338374637394630463542313436334446373932463543423134323631463038344238313446 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4dae11ad4ca40b1e038f24cf8612d4dc [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010a00331a0309002e533d41324338374637394630463542313436334446373932463543423134323631463038344238313446 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4dae11ad4ca40b1e038f24cf8612d4dc [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 228 to 10.128.5.1 port 1645 EAP-Message = 0x010a005b19001703010050c419eda1954c1ed1e82d748c94d1a63753c1ac8edfc3b66232ca1887f954a98a630e93e27a38eb5daad0b6e3cea181f8595504a8d23574b3427bd9f2b23763e92477b382be6ae942f9ecf49915c14076 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2b83fc5a5b22612134a7040a4f7c7f0 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=229, length=186 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0x51ae9679910cecd0d58916829fb30ba0 EAP-Message = 0x020a002b19001703010020d06b0b26fb835b35cec729cc1f8251ce14ccb043b4b12d08d9407fa39c033675 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 State = 0xa2b83fc5a5b22612134a7040a4f7c7f0 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 8: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 10 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020a00061a03 server { [peap] Setting User-Name to testsim@example.com Sending tunneled request EAP-Message = 0x020a00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testsim@example.com" State = 0x4dae11ad4ca40b1e038f24cf8612d4dc Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 8: Preceding "if" was taken ++} # else else = noop ++[chap] = noop ++[mschap] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 10 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for testsim [ldap] expand: %{Stripped-User-Name} -> testsim [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testsim) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com, with filter (uid=testsim) [ldap] looking for check items in directory... [ldap] gidnumber -> gidnumber == 151 [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [testsim@example.com] (from client nas1.example.com port 7524 cli 0021.5c5b.8ef3 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel } # server inner-tunnel [peap] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 MS-MPPE-Send-Key = 0x95cb302970f87e49cfdda581f5f2003e MS-MPPE-Recv-Key = 0xd386b1496936c2393ec7852e420b419d EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testsim" [peap] Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 MS-MPPE-Send-Key = 0x95cb302970f87e49cfdda581f5f2003e MS-MPPE-Recv-Key = 0xd386b1496936c2393ec7852e420b419d EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testsim" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 229 to 10.128.5.1 port 1645 EAP-Message = 0x010b002b19001703010020363e2a4cd330a0c844f2214030ef8221a42c61ed1c69b43ccbdd225b62bf6a63 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2b83fc5aab32612134a7040a4f7c7f0 Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=230, length=186 User-Name = "testsim@example.com" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0xa7197dffc2a77251f453e7369cee4c78 EAP-Message = 0x020b002b1900170301002016250e0ba43693e71a364e24e63acf17627766966ff911935cdf1b35606c5e71 NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 State = 0xa2b83fc5aab32612134a7040a4f7c7f0 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 9: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150407 [auth_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 11 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept User-Name = "testsim" [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [testsim@example.com] (from client nas1.example.com port 7524 cli 0021.5c5b.8ef3) # Executing section post-auth from file /etc/raddb/sites-enabled/default +group post-auth { [reply_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [reply_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/reply-detail-20150407 [reply_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/reply-detail-20150407 [reply_log] expand: %t -> Tue Apr 7 15:03:37 2015 ++[reply_log] = ok +} # group post-auth = ok Sending Access-Accept of id 230 to 10.128.5.1 port 1645 User-Name = "testsim" MS-MPPE-Recv-Key = 0x32be352f485e290265607f4ffff0e8d5ee25ea070d5344a615826c46e69a32df MS-MPPE-Send-Key = 0x47d8439137a5e8b35b3e50583b7cd72b78a6a7568c491cc6d3ab2016bb3d3222 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Accounting-Request packet from host 10.128.5.1 port 1646, id=244, length=113 Acct-Session-Id = "00001D42" Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" User-Name = "testsim" Acct-Authentic = RADIUS Acct-Status-Type = Start NAS-Port-Type = Wireless-802.11 NAS-Port = 7524 Service-Type = Framed-User NAS-IP-Address = 10.128.5.1 Acct-Delay-Time = 0 # Executing section preacct from file /etc/raddb/sites-enabled/default +group preacct { ++[preprocess] = ok [acct_unique] WARNING: Attribute NAS-Identifier was not found in request, unique ID MAY be inconsistent [acct_unique] Hashing 'NAS-Port = 7524,,NAS-IP-Address = 10.128.5.1,Acct-Session-Id = "00001D42",User-Name = "testsim"' [acct_unique] Acct-Unique-Session-ID = "74d9ace36de7e57c". ++[acct_unique] = ok ++[files] = noop +} # group preacct = ok # Executing section accounting from file /etc/raddb/sites-enabled/default +group accounting { [detail] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/detail-20150407 [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/detail-20150407 [detail] expand: %t -> Tue Apr 7 15:03:37 2015 ++[detail] = ok [sql] expand: %{Stripped-User-Name} -> [sql] ... expanding second conditional [sql] expand: %{User-Name} -> testsim [sql] expand: %{%{User-Name}:-DEFAULT} -> testsim [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> testsim [sql] sql_set_user escaped user --> 'testsim' [sql] expand: %{Acct-Delay-Time} -> 0 [sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', rlm_sql (sql): Reserving sql socket id: 31 rlm_sql (sql): Released sql socket id: 31 ++[sql] = ok [attr_filter.accounting_response] expand: %{User-Name} -> testsim attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] = updated +} # group accounting = updated Sending Accounting-Res On Wed, Mar 18, 2015 at 1:06 PM, Khapare Joshi <khapare77@gmail.com> wrote:
Thanks Alan,
It looks Simualtaneous-use seem to be working in my test environment.
I set DEFAULT Simultaneous-Use := 2 in users file and perform the test with the configuration. This works what it should be :
++[eap] = ok +} # group authenticate = ok # Executing section session from file /etc/raddb/sites-enabled/inner-tunnel +group session { [sql] expand: %{Stripped-User-Name} -> khapare [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> khapare [sql] sql_set_user escaped user --> 'khapare' [sql] expand: SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL -> SELECT COUNT(*) FROM radacct WHERE username = 'khapare' AND acctstoptime IS NULL rlm_sql (sql): Reserving sql socket id: 3 rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): Released sql socket id: 3 ++[sql] = ok +} # group session = ok Multiple logins (max 2) : [khapare@realm.com] (from client nas1.realm.com port 7348 cli 2002.afd1.523e via TLS tunnel) Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> khapare@realm.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [peap] Got tunneled reply code 3 Reply-Message := "\r\nYou are already logged in 2 times - access denied\r\n\n" [peap] Got tunneled reply RADIUS code 3 Reply-Message := "\r\nYou are already logged in 2 times - access denied\r\n\n" [peap] Tunneled authentication was rejected. [peap] FAILURE
This is good. Now I want to search users in ldap for their group membership and set the simulataneous-use
if users is a student simualtaneous-use :=2 if uses is a staff Simualtaneous-Use :=5 rest others = 7
On Thu, Mar 5, 2015 at 12:56 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 5, 2015, at 4:16 AM, Khapare Joshi <khapare77@gmail.com> wrote:
My NAS was bad - it was not sending accounting data. Now NAS is sending data and radacct been populated.
That’s usually the problem.
Could it be when radius is exectuing the session section it is looking for khapare@realm.com but in the database username is only the username i.e khapare ?
Yes. If you run the server in debugging mode, you’ll see what it’s doing.
1. Once I set INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) values("dialup", "Simultaneous-Use", ":=", "1"); do I still have to define in /etc/raddb/users file as :
No. The server doesn’t care where an attribute comes from.
2. or I am doing stupid here ?
No.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 7, 2015, at 11:16 AM, Khapare Joshi <khapare77@gmail.com> wrote:
I have tried today with simualtaneous-Use with gidnumber, here are what I did.
That all looks fine.
# check gid for simultaneous use
if ("%{gidnumber}" < 200){
That's not necessary. You should just do: if (gidnumber < 200) { ... And PLEASE cut & paste these examples in the email. Do NOT rewrite them. The example you gave has syntax errors. It should be: if (gidnumber < 200){ update request { Simultaneous-Use := 1 } } else{ update request { Simultaneous-Use := 2 } }
the regex checking returns true for user testsim who has gid less than 200
It's not a regex check. This MATTERS. If you don't use the right terminology, you'll never understand what's going on, and you'll never be able to fix it.
but testsim still able to login 2nd and 3rd login.
can anyone see what I am missing ?
here is the debug output
Which includes: (1) a long EAP session. Users can log in. We don't need to see this. (2) ONE accounting packet. We already know that users can log in once. It does NOT include a login session where the user CAN log in, but should not be able to. Since you're not looking at that, you don't really know what's going wrong. And you'll never be able to solve the problem. You need to take a methodical approach to solve this issue. Have a user log in once, and save that debug output. Have them log in again. Save that debug output. Then, compare the two to see why they differ. Be sure that users can login when they're supposed to, and are rejected when they should be rejected. Alan DeKok.
Thanks alan, I did mistake on regex thing because I was also testing same with affiliation and had this lines before I turn to test gid thing. sorry for this if (affiliation =~ /^staff/) { update control { Simultaneous-Use := 2 } } else { update control { Simultaneous-Use := 1 } } This did not work either. My problem is : If I add, in users file and remove those gid check in /etc/radd/site-enabled/default authorize section, it works DEFAULT Simultaneous-Use := 1 Fall-Through = 1 But when I comment those line in users file and add the gid checking statement in /etc/radd/site-enabled/default section it does not. if (gidnumber < 200){ update request { Simultaneous-Use := 1 } } else{ update request { Simultaneous-Use := 2 } } I checked both debug output, the first one (DEFAULT Simultaneous-Use := 1 Fall-Through = 1) actually executes session but i don't see these lines when i perform test with gidnumber check statement. I don't know why session section is not executed when doing gidnumber check. is there otherway to do this from users file ? } # group authenticate = ok # Executing section session from file /etc/raddb/sites-enabled/inner-tunnel +group session { [sql] expand: %{Stripped-User-Name} -> testsim [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> testsim [sql] sql_set_user escaped user --> 'testsim' [sql] expand: SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL -> SELECT COUNT(*) FROM radacct WHERE username = 'testsim' AND acctstoptime IS NULL rlm_sql (sql): Reserving sql socket id: 31 rlm_sql (sql): Released sql socket id: 31 ++[sql] = ok Full debug log from enabling gidnumber checking. in debug output below, user testsim has guid number less than 200 and he should be rejected the second attempt [root@radiusserver ~]# ./radwhosql +----------+---------------+-----------+-----------------+---------------------+ | username | acctsessionid | nasportid | nasporttype | acctstarttime | +----------+---------------+-----------+-----------------+---------------------+ | testsim | 00001D62 | 7538 | Wireless-802.11 | 2015-04-08 09:11:33 | | testsim | 00001D63 | 7539 | Wireless-802.11 | 2015-04-08 09:12:45 | +----------+---------------+-----------+-----------------+---------------------+ ... adding new socket proxy address * port 36092 ... adding new socket proxy address * port 41887 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=105, length=143 User-Name = "testsim" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0x809bb623f79781b2743705c61882eaea EAP-Message = 0x02020012016e656d616e64694068692e6973 NAS-Port-Type = Wireless-802.11 NAS-Port = 7538 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 0: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] expand: %t -> Wed Apr 8 09:11:33 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 2 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for testsim [ldap] expand: %{Stripped-User-Name} -> testsim [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testsim) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to ldap.example.com:389, authentication 0 [ldap] bind as cn=radius,ou=RT,dc=example,dc=com/radiuspass to ldap.example.com:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=example,dc=com, with filter (uid=testsim) [ldap] looking for check items in directory... [ldap] gidnumber -> gidnumber == 151 [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++? if (notfound) ? Evaluating (notfound) -> FALSE ++? if (notfound) -> FALSE ++? if (gidnumber < 200) (Attribute gidnumber was not found) ? Evaluating (gidnumber < 200) -> FALSE ++? if (gidnumber < 200) -> FALSE ++else else { +++update request { +++} # update request = noop ++} # else else = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 105 to 10.128.5.1 port 1645 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x38b5088238b6118958da8558fbdf02b8 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=106, length=250 User-Name = "testsim" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0x185aaf022bec98d76bd695425cc3d049 EAP-Message = 0x0203006b198000000061160301005c0100005803015524f0c79d36fe5ef15e2fdf4bc55c87462bb4819f6e4c7996013507046c4587000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100 NAS-Port-Type = Wireless-802.11 NAS-Port = 7538 State = 0x38b5088238b6118958da8558fbdf02b8 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 1: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] expand: %t -> Wed Apr 8 09:11:33 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 3 length 107 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 97 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005c], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 106 to 10.128.5.1 port 1645 EAP-Message = 0x0104040019c0000008a216030100310200002d03015524f0c502a93602ded979bafcbae841e9054d84246fc2e44f22e3ea5986474b000035000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3134313130353231353435345a170d3135303130343231353435345a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d257278bcb3d80351c6c39a144f9ee55accaf13aa2bdc5e78c1191b6126542cdb0b8edf81f72bc80e905d30fe95d9f54200778bff7e808 EAP-Message = 0xd3008941f8b7da00b5d9cf77bed1c1d2accd8f2aac95f6c4c549a0e64d0fffb372ee90b5e1752c7450c1fc302fcd9122cbb63e3d2f8400a5a2071690238d5133b80e96eaac6fa15e185dd390c51255309adac0be363f5e626ae745f05eeed35f3997c05377c2291ea6df65a6d6cc56ab9880776317cc9894557344f92eb982673e07ed5c027687eb46d2167c0cd7756404587c37319482497afd9bffe114ef64a2b0640add64df47d92e37f32d94720451964ce39276ae8fb94fdf2f3fba10b51ab2e84fb2804986a30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000382010100359a EAP-Message = 0xd6555994880868e54137c4d487acaeccded09ea5d265a1b2faa142dc0e8214b112cea1077f91d8e77a0516ad66524e964fc108774fa3538f4d8de1cbd41a08d4f356ccebb3a1fabcfd2b40d3ab12ff487995b42176e9201c165c4e00ac79be6379578bfa1109299015652b9c9160abff3ab2b87027590f6f46bd817cac00b168a06203959212727cec0bcb8555ff7c47e05bf459bee769989ba4c15619ab4256ed025b5c93e2f4316ad86167b1186e71aa407ad5e3e283ab0d3637b189f0ab5a0c9cbf73446230f511cc2b60da090f6c46842b61437c8e841f44b32d01b6d4e676cb23c7b5c9bfd20e6df238342e7de3596789f62dd5b3fd77f76654b2 EAP-Message = 0x3f0004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x38b5088239b1118958da8558fbdf02b8 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=107, length=149 User-Name = "testsim" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0x357bfabbbad97573632a2cb4094fceef EAP-Message = 0x020400061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 7538 State = 0x38b5088239b1118958da8558fbdf02b8 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 2: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] expand: %t -> Wed Apr 8 09:11:33 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 107 to 10.128.5.1 port 1645 EAP-Message = 0x010503fc1940a003020102020900ebf6479ecc13e59d300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3134313130353231353435345a170d3135303130343231353435345a308193310b3009060355040613024652310f300d0603550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b88d97967839058840e9074fde6afe5d23f7b77bb5d4c6c062c222f085626de7db03eed8672e37d56e7c7bbfbd1e68481bc526f5a0a0c88fb66eca809822cdd8cf6af8ca055f8a68f5ef4564d02f3bf64cf993ac3c3d295892f6307e88c7be325f8e295ec12610e3 EAP-Message = 0xf442768063f2c53a36a82ce16bca9bbdf35bdba6b20073d159543d7e179817db0a67737df59b88add8091a8bb44c3278e74c08f81d1a24c45a1707d09c76cd190460958b62197f8a1bf548f5f9aeb57f7ad52761f4716ab4c0dfb2afd6c80fd90fc437e6c0db15bc2b6cdfcde709b7b1c6e9759e1e7fd546d0d271e0f8b1ff825aac83857fa1ea7e4b8f5faa691751067923655c88964fcb0203010001a381fb3081f8301d0603551d0e0416041465a61d270505d0f4781e56c2ebf2d1ddc92a82063081c80603551d230481c03081bd801465a61d270505d0f4781e56c2ebf2d1ddc92a8206a18199a48196308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900ebf6479ecc13e59d300c0603551d13040530030101ff300d06092a864886f70d010105050003820101004c80773db9ef6312a280163ccfb62080bed265fd1d611fa2a065c5943f1db7ca42e4191f219277ad506c7c3d30f35a190cc5bd1ccbb67022488c049d79f4e8202e11678b49ee69dd76bee6 EAP-Message = 0x0419550efe88be07 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x38b508823ab0118958da8558fbdf02b8 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=108, length=149 User-Name = "testsim" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0xd144adfadde8e4cce83c013d1698e37b EAP-Message = 0x020500061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 7538 State = 0x38b508823ab0118958da8558fbdf02b8 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 3: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] expand: %t -> Wed Apr 8 09:11:33 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 108 to 10.128.5.1 port 1645 EAP-Message = 0x010600bc190041272a2350e3d6c24837dc0dbeb6e38b25a4ef6a30dd86b675003ab0caf1e67a8fd59bf978b5a7a7cfd80884010333063b092a16ba58e339ddaffe55a835f75524219202ab6440731dafebb7c70dc3c4a49fe5302bf993adefb6e23a00619553a65807db09b4c3ca67d12fa32d6dc1f307ab4b39ac8a7b3bb4dc7a20d43d08feef956d5f96c50612ad5b7e90e305b2d42d29305e7a4c8ee180574730b0baa1fff7ddaa8ea5cf2d7abda4972f1f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x38b508823bb3118958da8558fbdf02b8 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=109, length=481 User-Name = "testsim" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0x6ad947dafb13c1fd077732298e4b7d37 EAP-Message = 0x020601501980000001461603010106100001020100c0855ad6963944aaac282dba4a7aa1393c10fd0ce3a968b68e50f742ec856a77c5fc907b48b9692a91493885eedc113cb99bfe4bf501a98d45ef499e6c563c852f14c1c422d61e105fdb7f0eb8ce30e1738bd47973e20fefa688bd4a5b41073ade45e6de36a557e18a24b158b636c5addd373e137b102a9a34ca0d75766009090eb179c521b4d4250753f6d47c1b42cf873ff1b22ae582a1e8a1f7d346880cff7226ee433de818f90d4350f8e64d7ba35b17ecad97d5e2b08e7332046756f31adf0b2b40f98cbd63c597cc490e3d2cc915ba85605e45ec7bc5db76fedea5ee1500c216daba9fa6e1 EAP-Message = 0x6611a42bd84401f6b8d0015d9be898e9f1bce6b61bfc644f14030100010116030100301b0ab35d319a145bcab24beacd84bcced373bea44e18c153308d1406399b3df4098de3ad73546fd1554dfd99c1ad61ee NAS-Port-Type = Wireless-802.11 NAS-Port = 7538 State = 0x38b508823bb3118958da8558fbdf02b8 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 4: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] expand: %t -> Wed Apr 8 09:11:33 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 6 length 253 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 109 to 10.128.5.1 port 1645 EAP-Message = 0x0107004119001403010001011603010030accff4ce315827419d06c207ba18d8d916a0fa11515675cd49d414e420a9a0930d9fe9688ae81d7a0155be33b0e58838 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x38b508823cb2118958da8558fbdf02b8 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=110, length=149 User-Name = "testsim" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0xc6ab797fd11fdd05ae4e2a11bc2e4446 EAP-Message = 0x020700061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 7538 State = 0x38b508823cb2118958da8558fbdf02b8 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 5: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] expand: %t -> Wed Apr 8 09:11:33 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 110 to 10.128.5.1 port 1645 EAP-Message = 0x0108002b190017030100207f5076412d840b25df942b4ea7ed02615832f1f49b6c178a85694c3a983ef7b2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x38b508823dbd118958da8558fbdf02b8 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=111, length=202 User-Name = "testsim" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0x4f00c3e5a991cb5c653be0c2e7e65ae3 EAP-Message = 0x0208003b190017030100304090b9f5a031fc57489937019704d46ec9509371b82f6a394a0f0b8688d6f5b47cf5d89d7c611cc240a5cd1fb426c2f8 NAS-Port-Type = Wireless-802.11 NAS-Port = 7538 State = 0x38b508823dbd118958da8558fbdf02b8 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 6: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] expand: %t -> Wed Apr 8 09:11:33 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 8 length 59 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - testsim [peap] Got inner identity 'testsim' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02080012016e656d616e64694068692e6973 server { [peap] Setting User-Name to testsim Sending tunneled request EAP-Message = 0x02080012016e656d616e64694068692e6973 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testsim" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 7538 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 6: Preceding "if" was taken ++} # else else = noop ++[chap] = noop ++[mschap] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 8 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for testsim [ldap] expand: %{Stripped-User-Name} -> testsim [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testsim) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com, with filter (uid=testsim) [ldap] looking for check items in directory... [ldap] gidnumber -> gidnumber == 151 [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900271a0109002210f41316a03b1084792a800927517e5cba6e656d616e64694068692e6973 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x416c26a841653c1af7524cb85ac3e0bd [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900271a0109002210f41316a03b1084792a800927517e5cba6e656d616e64694068692e6973 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x416c26a841653c1af7524cb85ac3e0bd [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 111 to 10.128.5.1 port 1645 EAP-Message = 0x0109004b190017030100401f6d43ea2501dbe7c50242a48134e0ebb8e6caaa214b21f300eeea5729ebd08306607fa84d197690f7c1e9f89f8cef38c4c67eaa77ee402f86a60de0eca33936 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x38b508823ebc118958da8558fbdf02b8 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=112, length=250 User-Name = "testsim" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0xc2e0f0d369e12690595070cd22bc2cfe EAP-Message = 0x0209006b190017030100609e2f696eba76c538a37b5b364171b7179dab8f6436f7bd8691bd05979845f428aa324fc782fddec20f292c940a14dc4d95a66b8348fbb7092eb2f014b6d020d5c3dd178e93104bf0013b58f6a30ee4321f0a46e7516bce33180622acac46aed3 NAS-Port-Type = Wireless-802.11 NAS-Port = 7538 State = 0x38b508823ebc118958da8558fbdf02b8 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 7: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] expand: %t -> Wed Apr 8 09:11:33 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 9 length 107 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900481a020900433102417b34194b892881043d74d81bbe870000000000000000dff0f77ea75a032abba8482ab53f3675f8566c47b63a6767006e656d616e64694068692e6973 server { [peap] Setting User-Name to testsim Sending tunneled request EAP-Message = 0x020900481a020900433102417b34194b892881043d74d81bbe870000000000000000dff0f77ea75a032abba8482ab53f3675f8566c47b63a6767006e656d616e64694068692e6973 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testsim" State = 0x416c26a841653c1af7524cb85ac3e0bd Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 7538 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 7: Preceding "if" was taken ++} # else else = noop ++[chap] = noop ++[mschap] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 9 length 72 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for testsim [ldap] expand: %{Stripped-User-Name} -> testsim [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testsim) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com, with filter (uid=testsim) [ldap] looking for check items in directory... [ldap] gidnumber -> gidnumber == 151 [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: testsim [mschap] Client is using MS-CHAPv2 for testsim, we need NT-Password [mschap] expand: %{Stripped-User-Name} -> testsim [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=testsim [mschap] Creating challenge hash with username: testsim [mschap] expand: %{mschap:Challenge} -> 54bd58af35832bf5 [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=54bd58af35832bf5 [mschap] expand: %{mschap:NT-Response} -> dff0f77ea75a032abba8482ab53f3675f8566c47b63a6767 [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=dff0f77ea75a032abba8482ab53f3675f8566c47b63a6767 Exec output: NT_KEY: 04066C8C6B0E8CFCABBB0AB6760971F7 Exec plaintext: NT_KEY: 04066C8C6B0E8CFCABBB0AB6760971F7 [mschap] Exec: program returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010a00331a0309002e533d41434442323243414238463344393845454537463933353439423239364630393539393732413544 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x416c26a840663c1af7524cb85ac3e0bd [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010a00331a0309002e533d41434442323243414238463344393845454537463933353439423239364630393539393732413544 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x416c26a840663c1af7524cb85ac3e0bd [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 112 to 10.128.5.1 port 1645 EAP-Message = 0x010a005b190017030100505abc7015e99f48aeb8a4a7fd49b81aeb80d0c2c5b24f5e2bcf0124c825dc26adb87cb1a9adf3a7762daad9825cf61016bdc1796482135a1cf7d3fdb6feb5bab4e6537baaee9dfc1a4edc7bc3693f39dc Message-Authenticator = 0x00000000000000000000000000000000 State = 0x38b508823fbf118958da8558fbdf02b8 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=113, length=186 User-Name = "testsim" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0x0c417235948f2727bfc124946e33ab5f EAP-Message = 0x020a002b19001703010020184a94d5a7fa577e45fe61025a1a551b2d0b42f5f65d7f48b2cc50309cbd2d0f NAS-Port-Type = Wireless-802.11 NAS-Port = 7538 State = 0x38b508823fbf118958da8558fbdf02b8 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 8: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] expand: %t -> Wed Apr 8 09:11:33 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 10 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020a00061a03 server { [peap] Setting User-Name to testsim Sending tunneled request EAP-Message = 0x020a00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testsim" State = 0x416c26a840663c1af7524cb85ac3e0bd Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 7538 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 8: Preceding "if" was taken ++} # else else = noop ++[chap] = noop ++[mschap] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 10 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for testsim [ldap] expand: %{Stripped-User-Name} -> testsim [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testsim) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com, with filter (uid=testsim) [ldap] looking for check items in directory... [ldap] gidnumber -> gidnumber == 151 [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [testsim] (from client nas1.example.com port 7538 cli 0021.5c5b.8ef3 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel } # server inner-tunnel [peap] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 MS-MPPE-Send-Key = 0x3199860568d097ec0b8089069fb5610b MS-MPPE-Recv-Key = 0x8ed3b05bfc604db44626a58eec554bac EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testsim" [peap] Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 MS-MPPE-Send-Key = 0x3199860568d097ec0b8089069fb5610b MS-MPPE-Recv-Key = 0x8ed3b05bfc604db44626a58eec554bac EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testsim" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 113 to 10.128.5.1 port 1645 EAP-Message = 0x010b002b19001703010020c6185b12fc87f757a8b064b9f14e1c7ee918a599af74dfe8a6538464604a64c4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x38b5088230be118958da8558fbdf02b8 Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.128.5.1 port 1645, id=114, length=186 User-Name = "testsim" Framed-MTU = 1400 Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" Service-Type = Login-User Message-Authenticator = 0xeea79801da2d8743312b860108e7be4f EAP-Message = 0x020b002b19001703010020d22b7fe9d88a5884d38d8278f349c6bac9511d9f5a0bbe7367174d10bb1d0029 NAS-Port-Type = Wireless-802.11 NAS-Port = 7538 State = 0x38b5088230be118958da8558fbdf02b8 NAS-IP-Address = 10.128.5.1 NAS-Identifier = "nas1" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) ?? Evaluating (User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) -> TRUE ? Converting !TRUE -> FALSE ++? if (!(User-Name =~ /^([^@]*)@(([-A-Z0-9]+\.)*[-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i)) -> FALSE ++else else { +++update request { expand: %{1} -> testsim expand: %{2} -> example.com +++} # update request = noop +++? if (Realm == "example.com") ? Evaluating (Realm == "example.com") -> TRUE +++? if (Realm == "example.com") -> TRUE +++if (Realm == "example.com") { ++++update control { ++++} # update control = noop +++} # if (Realm == "example.com") = noop +++ ... skipping else for request 9: Preceding "if" was taken ++} # else else = noop ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [auth_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/auth-detail-20150408 [auth_log] expand: %t -> Wed Apr 8 09:11:33 2015 ++[auth_log] = ok ++[mschap] = noop [eap] EAP packet type response id 11 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept User-Name = "testsim" [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [testsim] (from client nas1.example.com port 7538 cli 0021.5c5b.8ef3) # Executing section post-auth from file /etc/raddb/sites-enabled/default +group post-auth { [reply_log] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [reply_log] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/reply-detail-20150408 [reply_log] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/reply-detail-20150408 [reply_log] expand: %t -> Wed Apr 8 09:11:33 2015 ++[reply_log] = ok +} # group post-auth = ok Sending Access-Accept of id 114 to 10.128.5.1 port 1645 User-Name = "testsim" MS-MPPE-Recv-Key = 0xc5724eecd3d9ebd751e4bae7d4f070f3264a20196e19181964da1fff44e79f99 MS-MPPE-Send-Key = 0x8fd0954dc019958a63e488fb2005626af52042e7dd3e762921b5f2e154bab542 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Accounting-Request packet from host 10.128.5.1 port 1646, id=196, length=113 Acct-Session-Id = "00001D62" Called-Station-Id = "001d.a282.dda0" Calling-Station-Id = "0021.5c5b.8ef3" User-Name = "testsim" Acct-Authentic = RADIUS Acct-Status-Type = Start NAS-Port-Type = Wireless-802.11 NAS-Port = 7538 Service-Type = Framed-User NAS-IP-Address = 10.128.5.1 Acct-Delay-Time = 0 # Executing section preacct from file /etc/raddb/sites-enabled/default +group preacct { ++[preprocess] = ok [acct_unique] WARNING: Attribute NAS-Identifier was not found in request, unique ID MAY be inconsistent [acct_unique] Hashing 'NAS-Port = 7538,,NAS-IP-Address = 10.128.5.1,Acct-Session-Id = "00001D62",User-Name = "testsim"' [acct_unique] Acct-Unique-Session-ID = "6eae5b5c386e2bcd". ++[acct_unique] = ok ++[files] = noop +} # group preacct = ok # Executing section accounting from file /etc/raddb/sites-enabled/default +group accounting { [detail] expand: %{Packet-Src-IP-Address} -> 10.128.5.1 [detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.128.5.1/detail-20150408 [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.128.5.1/detail-20150408 [detail] expand: %t -> Wed Apr 8 09:11:33 2015 ++[detail] = ok [sql] expand: %{Stripped-User-Name} -> [sql] ... expanding second conditional [sql] expand: %{User-Name} -> testsim [sql] expand: %{%{User-Name}:-DEFAULT} -> testsim [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> testsim [sql] sql_set_user escaped user --> 'testsim' [sql] expand: %{Acct-Delay-Time} -> 0 [sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', rlm_sql (sql): Reserving sql socket id: 31 rlm_sql (sql): Released sql socket id: 31 ++[sql] = ok [attr_filter.accounting_response] expand: %{User-Name} -> testsim attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] = updated +} # group accounting = updated Sending Accounting-Response of id 196 to 10.128.5.1 port 1646 Finished request 10. Cleaning up request 10 ID 196 with timestamp +7 Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 105 with timestamp +7 Cleaning up request 1 ID 106 with timestamp +7 Cleaning up request 2 ID 107 with timestamp +7 Cleaning up request 3 ID 108 with timestamp +7 Cleaning up request 4 ID 109 with timestamp +7 Cleaning up request 5 ID 110 with timestamp +7 Cleaning up request 6 ID 111 with timestamp +7 Cleaning up request 7 ID 112 with timestamp +7 Cleaning up request 8 ID 113 with timestamp +7 Cleaning up request 9 ID 114 with timestamp +7 Ready to process requests. On Tue, Apr 7, 2015 at 3:41 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 7, 2015, at 11:16 AM, Khapare Joshi <khapare77@gmail.com> wrote:
I have tried today with simualtaneous-Use with gidnumber, here are what I did.
That all looks fine.
# check gid for simultaneous use
if ("%{gidnumber}" < 200){
That's not necessary. You should just do:
if (gidnumber < 200) { ...
And PLEASE cut & paste these examples in the email. Do NOT rewrite them. The example you gave has syntax errors. It should be:
if (gidnumber < 200){ update request { Simultaneous-Use := 1 } } else{ update request { Simultaneous-Use := 2 } }
the regex checking returns true for user testsim who has gid less than 200
It's not a regex check. This MATTERS. If you don't use the right terminology, you'll never understand what's going on, and you'll never be able to fix it.
but testsim still able to login 2nd and 3rd login.
can anyone see what I am missing ?
here is the debug output
Which includes:
(1) a long EAP session. Users can log in. We don't need to see this.
(2) ONE accounting packet. We already know that users can log in once.
It does NOT include a login session where the user CAN log in, but should not be able to. Since you're not looking at that, you don't really know what's going wrong. And you'll never be able to solve the problem.
You need to take a methodical approach to solve this issue. Have a user log in once, and save that debug output. Have them log in again. Save that debug output. Then, compare the two to see why they differ. Be sure that users can login when they're supposed to, and are rejected when they should be rejected.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 8, 2015, at 6:22 AM, Khapare Joshi <khapare77@gmail.com> wrote:
I did mistake on regex thing because I was also testing same with affiliation and had this lines before I turn to test gid thing. sorry for this
If you can't keep track of what you're doing, you will never solve the problem.
This did not work either.
Probably for the same reason. You want one thing from the server, and you've configured it to do something else.
I checked both debug output, the first one (DEFAULT Simultaneous-Use := 1 Fall-Through = 1) actually executes session but i don't see these lines when i perform test with gidnumber check statement.
So read the debug output to see why.
++? if (gidnumber < 200) (Attribute gidnumber was not found)
Doesn't that tell you anything? You've configured the LDAP module to add the attribute to the CHECK items, and you're then looking for it in the REQUEST items. This is all documented, and it's all available in the debug output. I get the feeling that 3/4 of my posts here are just convincing people to READ the messages that they post to the list. Alan DeKok.
well, I have done this way and it seem to work. Why it did not work before - I don't know. Added in /etc/raddb/ldap.attr checkItem affiliation eduPersonPrimaryAffiliation In /etc/raddb/dictonary ATTRIBUTE affiliation 3004 string enabled ldap module in /etc/raddb/site-enabled/default then in /etc/raddb/stie-enable/inner-tunnel update request { affiliation := "%{ldap:ldap:///dc=example,dc=IcomeduPersonPrimaryAffiliation?sub?uid=%{Stripped-User-Name}}" } if (affiliation == "student") { update control { Simultaneous-Use := 1 } } if (affiliation == "staff") { update control { Simultaneous-Use := 3 } } This works as it should be. But why this did not work before I have no clue. the 4th attempt actually get rejected In radius -X, I can see this has been rejected [ldap] - ldap_xlat expand: ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=%{Stripped-User-Name} -> ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=testsim [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com, with filter uid=testsim [ldap] Adding attribute eduPersonPrimaryAffiliation, value: staff [ldap] ldap_release_conn: Release Id: 0 [ldap] - ldap_xlat end expand: %{ldap:ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=%{Stripped-User-Name}} -> staff ++} # update request = noop ++? if (affiliation == "student") ? Evaluating (affiliation == "student") -> FALSE ++? if (affiliation == "student") -> FALSE ++? if (affiliation == "staff") ? Evaluating (affiliation == "staff") -> TRUE ++? if (affiliation == "staff") -> TRUE ++if (affiliation == "staff") { +++update control { +++} # update control = noop ++} # if (affiliation == "staff") = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok # Executing section session from file /etc/raddb/sites-enabled/inner-tunnel +group session { [sql] expand: %{Stripped-User-Name} -> testsim [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> testsim [sql] sql_set_user escaped user --> 'testsim' [sql] expand: SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL -> SELECT COUNT(*) FROM radacct WHERE username = 'testsim' AND acctstoptime IS NULL rlm_sql (sql): Reserving sql socket id: 14 rlm_sql (sql): Released sql socket id: 14 ++[sql] = ok +} # group session = ok Multiple logins (max 3) : [testsim@example.com] (from client nas1.example.com port 7705 cli 2064.3261.6d2d via TLS tunnel) Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> testsim@example.com attr_filter: Matched entry DEFAULT at line 11 It still says +++} # update control = noop but works :) On Wed, Apr 8, 2015 at 3:56 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 8, 2015, at 6:22 AM, Khapare Joshi <khapare77@gmail.com> wrote:
I did mistake on regex thing because I was also testing same with affiliation and had this lines before I turn to test gid thing. sorry for this
If you can't keep track of what you're doing, you will never solve the problem.
This did not work either.
Probably for the same reason. You want one thing from the server, and you've configured it to do something else.
I checked both debug output, the first one (DEFAULT Simultaneous-Use := 1 Fall-Through = 1) actually executes session but i don't see these lines when i perform test with gidnumber check statement.
So read the debug output to see why.
++? if (gidnumber < 200) (Attribute gidnumber was not found)
Doesn't that tell you anything?
You've configured the LDAP module to add the attribute to the CHECK items, and you're then looking for it in the REQUEST items.
This is all documented, and it's all available in the debug output.
I get the feeling that 3/4 of my posts here are just convincing people to READ the messages that they post to the list.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Simultaneous -use is working fine on all my stand alone wireless access points. But now there are 100 of these WAPs are under the cisco WLC it does not seem to work. Just wondering what people are doing with WLC and simualtaneous -use. One way I could do is set globally in the WLC i.e 4 connection for everyone no matter what -- but in my case we needed to separate student and staff. Thanks, K On 04/20/2015 06:28 PM, Khapare Joshi wrote:
well, I have done this way and it seem to work. Why it did not work before - I don't know.
Added in /etc/raddb/ldap.attr checkItem affiliation eduPersonPrimaryAffiliation
In /etc/raddb/dictonary
ATTRIBUTE affiliation 3004 string
enabled ldap module in /etc/raddb/site-enabled/default
then in /etc/raddb/stie-enable/inner-tunnel update request { affiliation := "%{ldap:ldap:///dc=example,dc=IcomeduPersonPrimaryAffiliation?sub?uid=%{Stripped-User-Name}}" }
if (affiliation == "student") { update control { Simultaneous-Use := 1 } }
if (affiliation == "staff") { update control { Simultaneous-Use := 3 } }
This works as it should be. But why this did not work before I have no clue. the 4th attempt actually get rejected
In radius -X, I can see this has been rejected
[ldap] - ldap_xlat expand: ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=%{Stripped-User-Name} -> ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=testsim [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com, with filter uid=testsim [ldap] Adding attribute eduPersonPrimaryAffiliation, value: staff [ldap] ldap_release_conn: Release Id: 0 [ldap] - ldap_xlat end expand: %{ldap:ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=%{Stripped-User-Name}} -> staff ++} # update request = noop ++? if (affiliation == "student") ? Evaluating (affiliation == "student") -> FALSE ++? if (affiliation == "student") -> FALSE ++? if (affiliation == "staff") ? Evaluating (affiliation == "staff") -> TRUE ++? if (affiliation == "staff") -> TRUE ++if (affiliation == "staff") { +++update control { +++} # update control = noop ++} # if (affiliation == "staff") = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok # Executing section session from file /etc/raddb/sites-enabled/inner-tunnel +group session { [sql] expand: %{Stripped-User-Name} -> testsim [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> testsim [sql] sql_set_user escaped user --> 'testsim' [sql] expand: SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL -> SELECT COUNT(*) FROM radacct WHERE username = 'testsim' AND acctstoptime IS NULL rlm_sql (sql): Reserving sql socket id: 14 rlm_sql (sql): Released sql socket id: 14 ++[sql] = ok +} # group session = ok Multiple logins (max 3) : [testsim@example.com] (from client nas1.example.com port 7705 cli 2064.3261.6d2d via TLS tunnel) Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> testsim@example.com attr_filter: Matched entry DEFAULT at line 11
It still says +++} # update control = noop
but works :)
On Wed, Apr 8, 2015 at 3:56 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 8, 2015, at 6:22 AM, Khapare Joshi <khapare77@gmail.com> wrote:
I did mistake on regex thing because I was also testing same with affiliation and had this lines before I turn to test gid thing. sorry for this If you can't keep track of what you're doing, you will never solve the problem.
This did not work either. Probably for the same reason. You want one thing from the server, and you've configured it to do something else.
I checked both debug output, the first one (DEFAULT Simultaneous-Use := 1 Fall-Through = 1) actually executes session but i don't see these lines when i perform test with gidnumber check statement. So read the debug output to see why.
++? if (gidnumber < 200) (Attribute gidnumber was not found) Doesn't that tell you anything?
You've configured the LDAP module to add the attribute to the CHECK items, and you're then looking for it in the REQUEST items.
This is all documented, and it's all available in the debug output.
I get the feeling that 3/4 of my posts here are just convincing people to READ the messages that they post to the list.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Khapare Joshi