Hello, I have a problem with vlan assignment on the group. If user is in group wi-fi should get ip with vlan 200 if it is in another group should get ip with vlan 216. I attach file witch freeradius -X. Users and group are in SAMBA4. If i login to wifi i get allways ip on vlan 216. I use login@mydomain.pl to connect wifi. I try add in users but this is ignored root@LDAP1 /etc/freeradius # cat users DEFAULT LDAP-Group != "wi-fi", Auth-Type:=Reject Reply-Message="You are not allowed to connnect" DEFAULT Realm == Null Auth-Type := Reject DEFAULT Realm == NULL, Client-IP-Address == 14x.xxx.x.40 Auth-Type := Reject DEFAULT Realm == NULL, Client-IP-Address == 14x.xxx.x.66 Auth-Type := Reject DEFAULT LDAP-Group == "wi-fi" Reply-Message="XXXX HIT: wi-fi", Tunnel-Private-Group-Id := 200, Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Please help -- Z poważaniem / Yours sincerely Zenon Matuszyk mobile: 00 48 797 004 938 e-mail: zenon.matuszyk@networkers.pl www: http://www.networkers.pl
On Aug 24, 2017, at 3:38 PM, Zenon Matuszyk <zenon.matuszyk@networkers.pl> wrote:
I have a problem with vlan assignment on the group. If user is in group wi-fi should get ip with vlan 200 if it is in another group should get ip with vlan 216. I attach file witch freeradius -X. Users and group are in SAMBA4. If i login to wifi i get allways ip on vlan 216. I use login@mydomain.pl to connect wifi.
I try add in users but this is ignored
What does that mean?
root@LDAP1 /etc/freeradius # cat users
We always ask for the debug output, because that's what we need.
DEFAULT LDAP-Group != "wi-fi", Auth-Type:=Reject Reply-Message="You are not allowed to connnect" DEFAULT Realm == Null Auth-Type := Reject
If you run the server in debug mode and read the output, it will tell you that this entry is wrong. The "Auth-Type" belongs on the first line of the "users" file entry.
Please help
Following the documentation helps. Alan DeKok.
Hi, Debug below I have a problem with vlan assignment on the group. If user is in group wi-fi should get ip with vlan 200 if it is in another group should get ip with vlan 216. I attach file witch freeradius -X. Users and group are in SAMBA4. If i login to wifi i get allways ip on vlan 216. I use login@mydomain.pl to connect wifi. In file users I add: DEFAULT LDAP-Group == "wi-fi" Reply-Message="XXXX HIT: wi-fi", Tunnel-Private-Group-Id := 200, Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Aug 10 2017 at 07:25:15 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/radrelay including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/dhcp_sqlippool including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/cache including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/default.orig main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = no } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server radius14x.xxx.x.40 { ipaddr = 14x.xxx.x.40 port = 1812 type = "auth" secret = "xxxxxxxx" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 300 status_check_timeout = 4 } home_server radius14x.xxx.x.66 { ipaddr = 14x.xxx.x.66 port = 1812 type = "auth" secret = "Cxxxxxx" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 300 status_check_timeout = 4 } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 no_response_fail = no max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } realm NULL { } realm LOCAL { } realm mydomain.pl { authhost = LOCAL accthost = LOCAL } realm DEFAULT { nostrip } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 netmask = 32 require_message_authenticator = no secret = "testing123" shortname = "localhost" nastype = "other" } client 10.xxx.xxx.xxx { ipaddr = 10.xx.xxx.xxx netmask = 32 require_message_authenticator = no secret = "vxxxxxxx" nastype = "cisco" } client 14x.xxx.x.xx { require_message_authenticator = no secret = "Cxxxxxx" nastype = "other" } client 14x.xxx.xx.xxx { require_message_authenticator = no secret = "Cxxxxx" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file ? modules { Module: Creating Auth-Type = digest Module: Creating Auth-Type = LDAP Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = no require_encryption = no require_strong = no with_ntdomain_hack = no ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap ldap { server = "ldap1.xxxxxxxxxxx" port = 389 password = "xxxxxxx" expect_password = yes identity = "cn=freeradius,ou=services,dc=xxx,dc=pan,dc=local" net_timeout = 1 timeout = 4 timelimit = 3 max_uses = 0 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "dc=xxx,dc=xxx,dc=local" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes chase_referrals = yes rebind = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = "memberOf" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x2172c00 Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 1024 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "si7lkweflefkoi" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/huntgroups reading pairlist file /etc/freeradius/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius/users reading pairlist file /etc/freeradius/acct_users reading pairlist file /etc/freeradius/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 43178 ... adding new socket proxy address * port 41263 ... adding new socket proxy address * port 39874 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=81, length=291 User-Name = "zmatuszyk@mydomain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "08-ed-b9-92-1e-85" Called-Station-Id = "7c-0e-ce-ea-b7-20:eduroam" NAS-Port = 13 Cisco-AVPair = "audit-session-id=0a18642900002534599d72da" Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138" NAS-IP-Address = 10.24.100.41 NAS-Identifier = "eduroam" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x02020019017a6d617475737a796b40696a702e70616e2e706c Message-Authenticator = 0xfec018116a180d4d864c9f139585d5da # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "xxx.pan.pl" for User-Name = "zmatuszyk@xxx.pan.pl" [suffix] Found realm "xxx.pan.pl" [suffix] Adding Stripped-User-Name = "zmatuszyk" [suffix] Adding Realm = "mydomain.pl" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 2 length 25 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [ldap] Entering ldap_groupcmp() [files] expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local [files] expand: %{Stripped-User-Name} -> zmatuszyk [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to ldap1.mydomain.local:389, authentication 0 [ldap] bind as cn=freeradius,ou=services,dc=xxx,dc=pan,dc=local/rad--xxx--02 to ldap1.mydomain.local:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk) [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (&(cn=eduroam)(|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal)))) [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=Zenon Matuszyk,CN=Users,DC=xxx,DC=pan,DC=local, with filter (objectclass=*) [ldap] performing search in CN=eduroam,CN=Users,DC=xxx,DC=pan,DC=local, with filter (cn=wi-fi) rlm_ldap::ldap_groupcmp: User found in group wi-fi [ldap] ldap_release_conn: Release Id: 0 [ldap] Entering ldap_groupcmp() [files] expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (&(cn=wi-fi)(|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal)))) [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=Zenon Matuszyk,CN=Users,DC=xxx,DC=pan,DC=local, with filter (objectclass=*) [ldap] performing search in CN=wi-fi,CN=Users,DC=xxx,DC=pan,DC=local, with filter (cn=wi-fi) rlm_ldap::ldap_groupcmp: User found in group wi-fi [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 11 ++[files] = ok [ldap] performing user authorization for zmatuszyk [ldap] expand: %{Stripped-User-Name} -> zmatuszyk [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk) [ldap] expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk) [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 81 to 10.24.100.41 port 32773 Reply-Message = "XXXX HIT: wi-fi" EAP-Message = 0x010300160410b04415eae4f0496023757b62a9129028 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe11c2bc5e11f2fea6e5ad9dc9448f6dd Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=82, length=290 User-Name = "zmatuszyk@mydomain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "08-ed-b9-92-1e-85" Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi" NAS-Port = 13 Cisco-AVPair = "audit-session-id=0a18642900002534599d72da" Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138" NAS-IP-Address = 10.24.100.41 NAS-Identifier = "wi-fi" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x020300060319 State = 0xe11c2bc5e11f2fea6e5ad9dc9448f6dd Message-Authenticator = 0x7846d5ea8b4236193a892abe92bbbe07 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl" [suffix] Found realm "mydomain.pl" [suffix] Adding Stripped-User-Name = "zmatuszyk" [suffix] Adding Realm = "mydomain.pl" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [ldap] Entering ldap_groupcmp() [files] expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local [files] expand: %{Stripped-User-Name} -> zmatuszyk [files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk) [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (&(cn=wi-fi)(|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal)))) [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=Zenon Matuszyk,CN=Users,DC=xxx,DC=pan,DC=local, with filter (objectclass=*) [ldap] performing search in CN=wi-fi,CN=Users,DC=xxx,DC=pan,DC=local, with filter (cn=wi-fi) rlm_ldap::ldap_groupcmp: User found in group wi-fi [ldap] ldap_release_conn: Release Id: 0 [ldap] Entering ldap_groupcmp() [files] expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (&(cn=wi-fi)(|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal)))) [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=Zenon Matuszyk,CN=Users,DC=xxx,DC=pan,DC=local, with filter (objectclass=*) [ldap] performing search in CN=wi-fi,CN=Users,DC=xxx,DC=pan,DC=local, with filter (cn=wi-fi) rlm_ldap::ldap_groupcmp: User found in group wi-fi [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 11 ++[files] = ok [ldap] performing user authorization for zmatuszyk [ldap] expand: %{Stripped-User-Name} -> zmatuszyk [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk) [ldap] expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk) [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 82 to 10.24.100.41 port 32773 Reply-Message = "XXXX HIT: wi-fi" EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe11c2bc5e01832ea6e5ad9dc9448f6dd Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=83, length=397 User-Name = "zmatuszyk@mydomain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "08-ed-b9-92-1e-85" Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi" NAS-Port = 13 Cisco-AVPair = "audit-session-id=0a18642900002534599d72da" Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138" NAS-IP-Address = 10.24.100.41 NAS-Identifier = "wi-fi" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x0204007119800000006716030100620100005e0301599d761e186b3ad71bc1d662fd93d93ce1aae50e891e7afbb65d8eec636f2af100001cc014c013003900330035002fc00ac00900380032000a00130005000401000019000a0006000400170018000b0002010000170000ff01000100 State = 0xe11c2bc5e01832ea6e5ad9dc9448f6dd Message-Authenticator = 0x588bfa32eeab12189b35da5d3ac1e404 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl" [suffix] Found realm "mydomain.pl" [suffix] Adding Stripped-User-Name = "zmatuszyk" [suffix] Adding Realm = "mydomain.pl" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 4 length 113 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 103 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0062], ClientHello [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 08a6], Certificate [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] TLS_accept: Need to read more data: unknown state In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 83 to 10.24.100.41 port 32773 EAP-Message = 0x0105040019c000000a421603010039020000350301047843db1e15511c9d10280a115edaabc49d922bdeae71891afb67c4d7c6ddaa00c01400000dff01000100000b00040300010216030108a60b0008a200089f000488308204843082036ca003020102020100300d06092a864886f70d0101050500308188310b300906035504061302504c3114301206035504080c0b4d616c6f706f6c736b6965310f300d06035504070c064b72616b6f7731263024060355040a0c1d496e737479747574204a657a796b6120506f6c736b6965676f2050414e310b3009060355040b0c024954311d301b06035504030c147375626361312e696a702e70616e2e6c EAP-Message = 0x6f63616c301e170d3137303832313131303233355a170d3332303831373131303233355a308187310b300906035504061302504c3114301206035504080c0b4d616c6f706f6c736b6965310f300d06035504070c064b72616b6f7731263024060355040a0c1d496e737479747574204a657a796b6120506f6c736b6965676f2050414e310b3009060355040b0c024954311c301a06035504030c136c646170312e696a702e70616e2e6c6f63616c30820122300d06092a864886f70d01010105000382010f003082010a0282010100bf2015679983021d7e971d84ea7c7f5ba06e4b4808b7674f687fc0880cf4635a2db718cb22982ddd8822afe970ec EAP-Message = 0x2d745deac6e6acf21e7330b77cd86fdb28ab4e04eda8789771a6e30890e6b67c3e111bcd017b12856072c19afefc1d07fcd1a6c53e66cdd8008e8766a1e7dbce66966e07814e08c6bbc2399cae3694dba14c021b588a967cbf5e23197c8593cf28bd84f44a03ecfdfc4e34000e07e9edf676b57633787cb5c3a7b4406c8f4d535c2ffe08f5ce60756500f3887c62b1c34c1088b27de433a9aef286b914e38f6bb307d322586bb33dcd74352dfc37e28eae33f4299d5d120a521a6c691a0980a22ad63ed220331210383ee14edd24be3088b90203010001a381f73081f430090603551d1304023000302c06096086480186f842010d041f161d4f70656e EAP-Message = 0x53534c2047656e657261746564204365727469666963617465301d0603551d0e041604143b1a3710cdf72a3288cc76cc3d5ad3e9b2384503301f0603551d23041830168014c1d62dd5cd9967b990856c18acc7f2e64f40a29c304106082b0601050507010104353033303106082b060105050730028625687474703a2f2f6b302e696a702e70616e2e6c6f63616c2f63612f7375626361312e63727430360603551d1f042f302d302ba029a0278625687474703a2f2f6b312e696a702e70616e2e6c6f63616c2f63612f7375626361312e63726c300d06092a864886f70d0101050500038201010062dae87f130c1ab3ef0acf5bd31aed2b4f524b4a84 EAP-Message = 0xaf5192d4e9d1c6301ce43d01 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe11c2bc5e31932ea6e5ad9dc9448f6dd Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=84, length=290 User-Name = "zmatuszyk@mydomain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "08-ed-b9-92-1e-85" Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi" NAS-Port = 13 Cisco-AVPair = "audit-session-id=0a18642900002534599d72da" Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138" NAS-IP-Address = 10.24.100.41 NAS-Identifier = "wi-fi" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x020500061900 State = 0xe11c2bc5e31932ea6e5ad9dc9448f6dd Message-Authenticator = 0x6b9e5fe560487a1d133a50f9f8522760 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl" [suffix] Found realm "mydomain.pl" [suffix] Adding Stripped-User-Name = "zmatuszyk" [suffix] Adding Realm = "mydomain.pl" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 84 to 10.24.100.41 port 32773 EAP-Message = 0x010603fc1940b01e45053cb5d289d8a07c691f42babbaf4150ea36d712beb08a0c1eaa301b5df2b9d6975f9dfecbe42c847567bd961d58a520d68fb34854326b7dba525597e4ac0b1a5a66b9d677be1f5e0adfd325311af927356634a7f8aee2770898b4044daf46d89745f7262026f2e1b81caa53a4aebd5310ba988cd6364fd6b79795f38e23d047ad0af23bbcd5407317cb01b49b61eac8d67cf784948797aba3968b094cdfb93c2177da70b000f1797bf3bd979b8317daec32cd87cfa3a471d891abdacea5776581fb2416c93b2f01ba6b6728099d7e26d7974eec099035ee212077e70004113082040d308202f5a003020102020900fda7ea2091 EAP-Message = 0x83fda3300d06092a864886f70d01010505003077310b300906035504061302504c3114301206035504080c0b4d616c6f706f6c736b696531263024060355040a0c1d496e737479747574204a657a796b6120506f6c736b6965676f2050414e310b3009060355040b0c024954311d301b06035504030c14726f6f7463612e696a702e70616e2e6c6f63616c301e170d3137303832313130343434315a170d3337303831363130343434315a308188310b300906035504061302504c3114301206035504080c0b4d616c6f706f6c736b6965310f300d06035504070c064b72616b6f7731263024060355040a0c1d496e737479747574204a657a796b6120 EAP-Message = 0x506f6c736b6965676f2050414e310b3009060355040b0c024954311d301b06035504030c147375626361312e696a702e70616e2e6c6f63616c30820122300d06092a864886f70d01010105000382010f003082010a0282010100cec338083565b45728e1f8176ba4daabda4ea88555201f503e3977492e85b49759cd232e7934acd16194ca3889d6975a29f68017427738b2fe57db0951e879afb9f5eae6a75a8d8b96cc12acb9686227322a555ec7e298b77b139874e9c0935d52117991a27281644f351bbacf3f804a1da86f26e784a507ec21e3aacfaf5e686fc01e570397f2dcc5822edd7c0b59f20dc48c408453ba7e9ea170a72c175ca352818c EAP-Message = 0xf095d192d42cf58272c00c477f2e1755104ced45567186bd44f7b3ab6c947a427e0f3e54c5d88e544c349f16737de5c8191785c2a5af1be735466dff6bdb08682494b1b54c25429014c59437925c441f4c1e42ceb12b7d060b7159f5350203010001a38189308186301d0603551d0e04160414c1d62dd5cd9967b990856c18acc7f2e64f40a29c301f0603551d230418301680148ae199d104b425c1279d439e0b0d2487dfda236c300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f6b312e696a702e70616e2e6c6f63616c2f63612f726f6f7463612e63726c300d06092a864886f70d0101050500 EAP-Message = 0x0382010100a7ba01 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe11c2bc5e21a32ea6e5ad9dc9448f6dd Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=85, length=290 User-Name = "zmatuszyk@mydomain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "08-ed-b9-92-1e-85" Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi" NAS-Port = 13 Cisco-AVPair = "audit-session-id=0a18642900002534599d72da" Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138" NAS-IP-Address = 10.24.100.41 NAS-Identifier = "wi-fi" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x020600061900 State = 0xe11c2bc5e21a32ea6e5ad9dc9448f6dd Message-Authenticator = 0xd86ea26576af50657802f55266ec0d29 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl" [suffix] Found realm "mydomain.pl" [suffix] Adding Stripped-User-Name = "zmatuszyk" [suffix] Adding Realm = "mydomain.pl" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 85 to 10.24.100.41 port 32773 EAP-Message = 0x0107025c19004d16d1c7a4c127b06c3974533a055af202e7fe05f13dc5f78bf50eb852b25913965c85f981b45b174003af43ddbb5d8754406a26645dd06a9d4ce4b1622de1b4cec8a3d91f973b6332ba5fd78ff18e6feb1b87e664ee981c68523c4d9517a9c8f97abbefd1d76ba66dbeee1fe4e8d4420f6606ff280119897d3026e466910f5ebb892ce764e60fc8d7e4eb2f1609348a405b6e92133d1f4a6f612f4a6eee9c1c04677bcf3e574dc88d64e8972be7d01a080968f189d9258bca3419feff11a7409ae6471a32eab899837f79f8c8116f27ecf63daf802cd7b0df1b3a767d46bb4a40f07b0ead84f31ba36292b6df736e38d9b2f25e2e1483 EAP-Message = 0x6e854d35643c160301014b0c0001470300174104e5c14a72735c1214b4413beb253acba89b44b8add08ec59f1cbf2ce5b5f985981a889150d763c45becf8351e787375aa8dabc2f695b23d38a0c3ed1a76ec37d201001e96c40801443b9bdc6c0fe6e2841a26c83fcfb18071173df60364b6f1c86cd430fdc35a964ac4a7071754e2ac9176b72f675281a72e703ace3daabae10f29482bccba3b77b291220c53f3ccf9a4e5e3835ac9aa71b7603d3c2ed915a107d894d5363ae544b316922a23858fe2bdcade941aefe142c74a662979a74426b745e4788eaa83f66edd616196281cfa750f19ec6d0f8760d2e914a0af7858120ba01fe8bd49dd269bdd EAP-Message = 0xdf99f9e6ee6bdb7e85bfc054ade219758d9ea980090c3ba4ac092f54b63698d1a367c3440c26973240a13acab7d5aade92ef8aed0151254763f94fe7500b14a26e048c7b908cd42ec9cdf009ebaaf19e07a744b0a4d0629d0916030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe11c2bc5e51b32ea6e5ad9dc9448f6dd Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=86, length=428 User-Name = "zmatuszyk@mydomain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "08-ed-b9-92-1e-85" Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi" NAS-Port = 13 Cisco-AVPair = "audit-session-id=0a18642900002534599d72da" Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138" NAS-IP-Address = 10.24.100.41 NAS-Identifier = "wi-fi" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x02070090198000000086160301004610000042410441d4e9da4f0dee00258330e7eefe26437faf3977c86bc6bcda3f9ae4a38dbc9fb97559b0d16d481add56d34dc07eb79b0d94b57f87e8e2eb1b7fa7bd199c5f7b14030100010116030100303462633e66f7c5a81bd94bbfa5a129c0eb6389859ce33c5219d80a4440f5fe25568da27a97a234bcf06f1d18b9dc3c5d State = 0xe11c2bc5e51b32ea6e5ad9dc9448f6dd Message-Authenticator = 0xdb6f802835872c23130041fc4007ac52 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl" [suffix] Found realm "mydomain.pl" [suffix] Adding Stripped-User-Name = "zmatuszyk" [suffix] Adding Realm = "mydomain.pl" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 7 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 86 to 10.24.100.41 port 32773 EAP-Message = 0x01080041190014030100010116030100305bf3edc257025b940387d79d9c795ae0343d8cc5394b7f07b731f51b3de87d29fa187a2c8cab69927ee6e532cdbf7935 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe11c2bc5e41432ea6e5ad9dc9448f6dd Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=87, length=290 User-Name = "zmatuszyk@mydomain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "08-ed-b9-92-1e-85" Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi" NAS-Port = 13 Cisco-AVPair = "audit-session-id=0a18642900002534599d72da" Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138" NAS-IP-Address = 10.24.100.41 NAS-Identifier = "wi-fi" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x020800061900 State = 0xe11c2bc5e41432ea6e5ad9dc9448f6dd Message-Authenticator = 0x9e81fefac2ae2908717fef6b4932bb38 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl" [suffix] Found realm "mydomain.pl" [suffix] Adding Stripped-User-Name = "zmatuszyk" [suffix] Adding Realm = "mydomain.pl" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 8 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 87 to 10.24.100.41 port 32773 EAP-Message = 0x0109002b1900170301002077f01fd17d3f22ade23d7192c53d1b88a27b9b2ffd8f55337be8bd4d38a42968 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe11c2bc5e71532ea6e5ad9dc9448f6dd Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=88, length=343 User-Name = "zmatuszyk@mydomain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "08-ed-b9-92-1e-85" Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi" NAS-Port = 13 Cisco-AVPair = "audit-session-id=0a18642900002534599d72da" Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138" NAS-IP-Address = 10.24.100.41 NAS-Identifier = "wi-fi" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x0209003b19001703010030578da54b82482dfe9cfd000bfc23dcce4d8e1bca2eef46f681216a29d8c2c311152fae08d97aa2225fc0d47b8a1a3ef7 State = 0xe11c2bc5e71532ea6e5ad9dc9448f6dd Message-Authenticator = 0x9f5437d3e3d6aac993010c1ce5f1b29c # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl" [suffix] Found realm "mydomain.pl" [suffix] Adding Stripped-User-Name = "zmatuszyk" [suffix] Adding Realm = "mydomain.pl" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 9 length 59 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - zmatuszyk@mydomain.pl [peap] Got inner identity 'zmatuszyk@mydomain.pl' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02090019017a6d617475737a796b40696a702e70616e2e706c server { [peap] Setting User-Name to zmatuszyk@mydomain.pl Sending tunneled request EAP-Message = 0x02090019017a6d617475737a796b40696a702e70616e2e706c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "zmatuszyk@mydomain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "08-ed-b9-92-1e-85" Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi" NAS-Port = 13 Cisco-AVPair = "audit-session-id=0a18642900002534599d72da" Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138" NAS-IP-Address = 10.24.100.41 NAS-Identifier = "wi-fi" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl" [suffix] Found realm "mydomain.pl" [suffix] Adding Stripped-User-Name = "zmatuszyk" [suffix] Adding Realm = "mydomain.pl" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 9 length 25 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [ldap] performing user authorization for zmatuszyk [ldap] expand: %{Stripped-User-Name} -> zmatuszyk [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk) [ldap] expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk) [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010a002e1a010a002910a51fcc532a18ba94e33e5859fda0807b7a6d617475737a796b40696a702e70616e2e706c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa04d94bba0478e21869b454cf59410b2 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010a002e1a010a002910a51fcc532a18ba94e33e5859fda0807b7a6d617475737a796b40696a702e70616e2e706c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa04d94bba0478e21869b454cf59410b2 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 88 to 10.24.100.41 port 32773 EAP-Message = 0x010a004b1900170301004034bb429d07c6d6099ca3460f19f8e3b57922184a863f462430677150b9f81d8b2657a2a06a00fb03e5708c4b89f2b3fa91a26e3ef432f933c1afae4a1846a69b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe11c2bc5e61632ea6e5ad9dc9448f6dd Finished request 7. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=89, length=391 User-Name = "zmatuszyk@mydomain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "08-ed-b9-92-1e-85" Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi" NAS-Port = 13 Cisco-AVPair = "audit-session-id=0a18642900002534599d72da" Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138" NAS-IP-Address = 10.24.100.41 NAS-Identifier = "wi-fi" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x020a006b190017030100606e38a934794212cf6a918b10fcc5607d7bdc487faa8d2b75bee77b0dba7dff21eff091d59e0ce5b4eace425fe7679182b8c9a3cdcdd97b78542bfd2021517af23a835314a873fa4899d4094adf06ca1ebb6d4439b1a73b610b83fe181a355223 State = 0xe11c2bc5e61632ea6e5ad9dc9448f6dd Message-Authenticator = 0x3cfff3760e60e4d6d060697d4f9e7c55 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl" [suffix] Found realm "mydomain.pl" [suffix] Adding Stripped-User-Name = "zmatuszyk" [suffix] Adding Realm = "mydomain.pl" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 10 length 107 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020a004f1a020a004a31d4ce15bfa36520a198e503dd32dae5ac0000000000000000b349595743a15b250c5196ae0a8b999906041d39f5b6e39f007a6d617475737a796b40696a702e70616e2e706c server { [peap] Setting User-Name to zmatuszyk@mydomain.pl Sending tunneled request EAP-Message = 0x020a004f1a020a004a31d4ce15bfa36520a198e503dd32dae5ac0000000000000000b349595743a15b250c5196ae0a8b999906041d39f5b6e39f007a6d617475737a796b40696a702e70616e2e706c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "zmatuszyk@mydomain.pl" State = 0xa04d94bba0478e21869b454cf59410b2 Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "08-ed-b9-92-1e-85" Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi" NAS-Port = 13 Cisco-AVPair = "audit-session-id=0a18642900002534599d72da" Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138" NAS-IP-Address = 10.24.100.41 NAS-Identifier = "wi-fi" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl" [suffix] Found realm "mydomain.pl" [suffix] Adding Stripped-User-Name = "zmatuszyk" [suffix] Adding Realm = "mydomain.pl" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 10 length 79 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [ldap] performing user authorization for zmatuszyk [ldap] expand: %{Stripped-User-Name} -> zmatuszyk [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk) [ldap] expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk) [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: zmatuszyk@mydomain.pl [mschap] Client is using MS-CHAPv2 for zmatuszyk@mydomain.pl, we need NT-Password [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=zmatuszyk [mschap] Creating challenge hash with username: zmatuszyk@mydomain.pl [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=014e29ddb376815b [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b349595743a15b250c5196ae0a8b999906041d39f5b6e39f Exec output: NT_KEY: 9D8185FBD8D2FC1E80FD215E29B3A6F8 Exec plaintext: NT_KEY: 9D8185FBD8D2FC1E80FD215E29B3A6F8 [mschap] Exec: program returned: 0 ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010b00331a030a002e533d42443237464535383534333036334537454446394545374538463544323938373339323131454441 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa04d94bba1468e21869b454cf59410b2 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010b00331a030a002e533d42443237464535383534333036334537454446394545374538463544323938373339323131454441 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa04d94bba1468e21869b454cf59410b2 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 89 to 10.24.100.41 port 32773 EAP-Message = 0x010b005b1900170301005053f6ddaa68148f5c294833d49ba96ddc9f05676626dc587b248f4eccf1b21a3e666688ce5b46358bbc5539b5c419a0583c7efcf24d0e5f586a46f2142db1edec536b302e5b4d9148cc9b3ddd8f250bbf Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe11c2bc5e91732ea6e5ad9dc9448f6dd Finished request 8. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=90, length=327 User-Name = "zmatuszyk@mydomain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "08-ed-b9-92-1e-85" Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi" NAS-Port = 13 Cisco-AVPair = "audit-session-id=0a18642900002534599d72da" Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138" NAS-IP-Address = 10.24.100.41 NAS-Identifier = "wi-fi" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x020b002b1900170301002012cb0cf8ac5719f1b57d2c2346df5c1987fc4cdcbd934bf36cd287f84b738340 State = 0xe11c2bc5e91732ea6e5ad9dc9448f6dd Message-Authenticator = 0x1b0fb418df527a97d3986e4a40acfec9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl" [suffix] Found realm "mydomain.pl" [suffix] Adding Stripped-User-Name = "zmatuszyk" [suffix] Adding Realm = "mydomain.pl" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 11 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020b00061a03 server { [peap] Setting User-Name to zmatuszyk@mydomain.pl Sending tunneled request EAP-Message = 0x020b00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "zmatuszyk@mydomain.pl" State = 0xa04d94bba1468e21869b454cf59410b2 Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "08-ed-b9-92-1e-85" Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi" NAS-Port = 13 Cisco-AVPair = "audit-session-id=0a18642900002534599d72da" Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138" NAS-IP-Address = 10.24.100.41 NAS-Identifier = "wi-fi" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl" [suffix] Found realm "mydomain.pl" [suffix] Adding Stripped-User-Name = "zmatuszyk" [suffix] Adding Realm = "mydomain.pl" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 11 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [ldap] performing user authorization for zmatuszyk [ldap] expand: %{Stripped-User-Name} -> zmatuszyk [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk) [ldap] expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk) [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "zmatuszyk" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "zmatuszyk" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 90 to 10.24.100.41 port 32773 EAP-Message = 0x010c002b190017030100200d545dc56da8a11537b3736476c057d46722da9da13ac68c59701a572f68bc77 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe11c2bc5e81032ea6e5ad9dc9448f6dd Finished request 9. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=91, length=327 User-Name = "zmatuszyk@mydomain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "08-ed-b9-92-1e-85" Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi" NAS-Port = 13 Cisco-AVPair = "audit-session-id=0a18642900002534599d72da" Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138" NAS-IP-Address = 10.24.100.41 NAS-Identifier = "wi-fi" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x020c002b1900170301002027762168802a383047205d36d9061db6c143af20fa4230f13373e378a0990659 State = 0xe11c2bc5e81032ea6e5ad9dc9448f6dd Message-Authenticator = 0x5f9ba3b7bf1a0baba21da915e0511b49 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl" [suffix] Found realm "mydomain.pl" [suffix] Adding Stripped-User-Name = "zmatuszyk" [suffix] Adding Realm = "mydomain.pl" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 12 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept User-Name = "zmatuszyk" [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++[ldap] = noop ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 91 to 10.24.100.41 port 32773 User-Name = "zmatuszyk" MS-MPPE-Recv-Key = 0x00fad5b684fa871101e3f02fad3de6103205c5bb4a356047fa51b1325eeb471b MS-MPPE-Send-Key = 0x3b67a98e0c9eb2a082c0353d8cc09532580e90ecc9b752cb4a626a4b779b04cb EAP-Message = 0x030c0004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 10. Going to the next request Waking up in 4.7 seconds. rad_recv: Accounting-Request packet from host 10.24.100.41 port 32773, id=36, length=306 User-Name = "zmatuszyk" NAS-Port = 13 NAS-IP-Address = 10.24.100.41 Framed-IP-Address = 10.24.216.185 Framed-IPv6-Prefix = fe80::/64 NAS-Identifier = "wi-fi" Airespace-Wlan-Id = 3 Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138" NAS-Port-Type = Wireless-802.11 Cisco-AVPair = "audit-session-id=0a18642900002534599d72da" Acct-Authentic = RADIUS Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" Event-Timestamp = "Aug 23 2017 14:33:27 CEST" Acct-Status-Type = Interim-Update Acct-Input-Octets = 40891 Acct-Input-Gigawords = 0 Acct-Output-Octets = 6787 Acct-Output-Gigawords = 0 Acct-Input-Packets = 212 Acct-Output-Packets = 50 Acct-Session-Time = 823 Acct-Delay-Time = 0 Calling-Station-Id = "08-ed-b9-92-1e-85" Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi" # Executing section preacct from file /etc/freeradius/sites-enabled/default +group preacct { ++[preprocess] = ok [acct_unique] Hashing 'NAS-Port = 13,NAS-Identifier = "wi-fi",NAS-IP-Address = 10.24.100.41,Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138",User-Name = "zmatuszyk"' [acct_unique] Acct-Unique-Session-ID = "e8bd33a710179400". ++[acct_unique] = ok [suffix] No '@' in User-Name = "zmatuszyk", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "zmatuszyk" [suffix] Adding Realm = "NULL" [suffix] Accounting realm is LOCAL. ++[suffix] = ok ++[files] = noop +} # group preacct = ok # Executing section accounting from file /etc/freeradius/sites-enabled/default +group accounting { [detail] expand: %{Packet-Src-IP-Address} -> 10.24.100.41 [detail] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/freeradius/radacct/10.24.100.41/detail-20170823 [detail] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.24.100.41/detail-20170823 [detail] expand: %t -> Wed Aug 23 14:33:27 2017 ++[detail] = ok ++[unix] = noop ++[exec] = noop [attr_filter.accounting_response] expand: %{User-Name} -> zmatuszyk attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] = updated +} # group accounting = updated Sending Accounting-Response of id 36 to 10.24.100.41 port 32773 Finished request 11. Cleaning up request 11 ID 36 with timestamp +23 Going to the next request Waking up in 4.7 seconds. W dniu 24.08.2017 o 22:31, Alan DeKok pisze:
On Aug 24, 2017, at 3:38 PM, Zenon Matuszyk <zenon.matuszyk@networkers.pl> wrote:
I have a problem with vlan assignment on the group. If user is in group wi-fi should get ip with vlan 200 if it is in another group should get ip with vlan 216. I attach file witch freeradius -X. Users and group are in SAMBA4. If i login to wifi i get allways ip on vlan 216. I use login@mydomain.pl to connect wifi.
I try add in users but this is ignored What does that mean?
root@LDAP1 /etc/freeradius # cat users We always ask for the debug output, because that's what we need.
DEFAULT LDAP-Group != "wi-fi", Auth-Type:=Reject Reply-Message="You are not allowed to connnect" DEFAULT Realm == Null Auth-Type := Reject If you run the server in debug mode and read the output, it will tell you that this entry is wrong. The "Auth-Type" belongs on the first line of the "users" file entry.
Please help Following the documentation helps.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Z poważaniem / Yours sincerely Zenon Matuszyk mobile: 00 48 797 004 938 e-mail: zenon.matuszyk@networkers.pl www: http://www.networkers.pl
On Aug 25, 2017, at 5:02 AM, Zenon Matuszyk <zenon.matuszyk@networkers.pl> wrote:
Debug below
Which shows you what's going on. I know there's a lot of information, but if you pay attention and READ it, you will see what's happening.
I have a problem with vlan assignment on the group. If user is in group wi-fi should get ip with vlan 200 if it is in another group should get ip with vlan 216. I attach file witch freeradius -X. Users and group are in SAMBA4. If i login to wifi i get allways ip on vlan 216. I use login@mydomain.pl to connect wifi.
In file users I add:
DEFAULT LDAP-Group == "wi-fi" Reply-Message="XXXX HIT: wi-fi", Tunnel-Private-Group-Id := 200, Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802,
The debug output shows you're doing EAP... which changes things. You should edit raddb/modules/eap, and set "use_tunneled_reply = yes". It should work. Alan DeKok.
participants (2)
-
Alan DeKok -
Zenon Matuszyk