Hi.... I am using freeradius 1.0.1 on a Red Hat Ent Linux v4 server as an authentication backend for our wireless network. Our wireless clients all use EAP/TTLS (via the SecureW2 client) and the access points are Cisco Aironet 1200's. I have noticed that if I run radwho, I seem to only see the name of the user from the 'outside' of the tunnel (in this case 'anonymous')....as a result its not possible to tell who is connected at any one time. Also I have noticed that the fields tend to get truncated: Login Name What TTY When From Location anonymous anonymous shell >999 Tue 16:00 10.10.2.9 The IP address above should be 10.10.2.96. I was just wondering if anyone might know how to fix either of these problems? TIA Chris Bradshaw.
Chris Bradshaw wrote:
I am using freeradius 1.0.1 on a Red Hat Ent Linux v4 server as an authentication backend for our wireless network.
You really should upgrade, but that's another story.
I have noticed that if I run radwho, I seem to only see the name of the user from the 'outside' of the tunnel (in this case 'anonymous')....as a result its not possible to tell who is connected at any one time.
The NAS is responsible for sending the "anonymous" user name. If you want the NAS to send something different, you have to send the inner tunnel user name back in the Access-Accept. See "use_tunneled_reply" in the configuration for the EAP module.
Also I have noticed that the fields tend to get truncated:
Login Name What TTY When From Location anonymous anonymous shell >999 Tue 16:00 10.10.2.9
The IP address above should be 10.10.2.96.
Change the format of the "printf" command in radwho. Alan DeKok.
Hi..... Thanx for the reply. I do have 'use_tunneled_reply = yes' in eap.conf, but I am still seeing the outer identity showing up when I use radwho. I have run radiusd -A -x and have appended the Access-Accept section to this email. The first line of the log shows the inner identity (my login, cwbshaw) successfully authenticating (via LDAP). I'd be grateful for any help you can offer. TIA Chris. rlm_ldap: user cwbshaw authenticated succesfully rlm_sql (sql): Processing sql_postauth rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): Released sql socket id: 4 TTLS: Got tunneled reply RADIUS code 2 Tunnel-Private-Group-Id:1 = "90" Tunnel-Medium-Type:1 = IEEE-802 Tunnel-Type:1 = VLAN Session-Timeout = 900 rlm_sql (sql): Processing sql_postauth rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): Released sql socket id: 3 Sending Access-Accept of id 7 to 10.11.2.91:1645 Tunnel-Private-Group-Id:1 = "90" Tunnel-Medium-Type:1 = IEEE-802 Tunnel-Type:1 = VLAN Session-Timeout = 900 MS-MPPE-Recv-Key = 0xcbc7be67c93e3a3452f943380ee4e2c053fdf02f874781ecfbacf6788fed419d MS-MPPE-Send-Key = 0xfd4d541226142098174d3a748263b2790e59dec67e76fdcc16654357a73e084c EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "anonymous" rad_recv: Accounting-Request packet from host 10.11.2.91:1646, id=89, length=229 Acct-Session-Id = "00002149" Called-Station-Id = "0011.5cc7.1be0" Calling-Station-Id = "0090.4b28.86b0" Cisco-AVPair = "ssid=ittwlan" Cisco-AVPair = "vlan-id=90" Cisco-AVPair = "nas-location=unspecified" User-Name = "anonymous" Cisco-AVPair = "connect-progress=Call Up" Acct-Authentic = RADIUS Acct-Status-Type = Start NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "6965" NAS-Port = 6965 Service-Type = Framed-User NAS-IP-Address = 10.11.2.91 Acct-Delay-Time = 0 rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 Sending Accounting-Response of id 89 to 10.11.2.91:1646 On 02/10/2007, Alan DeKok <aland@deployingradius.com> wrote:
Chris Bradshaw wrote:
I am using freeradius 1.0.1 on a Red Hat Ent Linux v4 server as an authentication backend for our wireless network.
You really should upgrade, but that's another story.
I have noticed that if I run radwho, I seem to only see the name of the user from the 'outside' of the tunnel (in this case 'anonymous')....as a result its not possible to tell who is connected at any one time.
The NAS is responsible for sending the "anonymous" user name. If you want the NAS to send something different, you have to send the inner tunnel user name back in the Access-Accept.
See "use_tunneled_reply" in the configuration for the EAP module.
Also I have noticed that the fields tend to get truncated:
Login Name What TTY When From Location anonymous anonymous shell >999 Tue 16:00 10.10.2.9
The IP address above should be 10.10.2.96.
Change the format of the "printf" command in radwho.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Chris Bradshaw wrote:
Thanx for the reply. I do have 'use_tunneled_reply = yes' in eap.conf, but I am still seeing the outer identity showing up when I use radwho.
As I said, you also have to send the inner tunnel name back in the Access-Accept. ...
Sending Access-Accept of id 7 to 10.11.2.91:1645 ... User-Name = "anonymous"
See? You're telling the NAS to use "anonymous" for the accounting logs. Set the User-Name in the reply for the inner tunnel session, and it will be used in the outer session, too. Alan DeKok.
Hi.... Thanx for the reply. Firstly, I have just upgraded freeradius to the latest version, but it didn't make any difference. I have also looked thru the documentation, and also searched the web to see if I could find how this might be done. I found a thread on a similar subject at: http://www.nabble.com/EAP-TTLS-outer-identity---accounting-t3391290.html ....this looks similar to the issue I am seeing.....one of your replies to this thread seems particularly relevant: http://www.nabble.com/Re%3A-EAP-TTLS-outer-identity---accounting-p9573830.ht... However, I have tried the suggestions in this reply: * Enable use_tunneled_reply & copy_request_to_tunnel (I already had these enabled). * Have the following in the users file: DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1 User-Name := `%{User-Name}` ....but it still makes no difference.....radwho still returns 'anonymous' whenever I log in. Not sure where I can go from here..... Thanx in advance for any help. Chris. On 03/10/2007, Alan DeKok <aland@deployingradius.com> wrote:
Chris Bradshaw wrote:
Thanx for the reply. I do have 'use_tunneled_reply = yes' in eap.conf, but I am still seeing the outer identity showing up when I use radwho.
As I said, you also have to send the inner tunnel name back in the Access-Accept. ...
Sending Access-Accept of id 7 to 10.11.2.91:1645 ... User-Name = "anonymous"
See? You're telling the NAS to use "anonymous" for the accounting logs. Set the User-Name in the reply for the inner tunnel session, and it will be used in the outer session, too.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Chris Bradshaw wrote:
However, I have tried the suggestions in this reply:
* Enable use_tunneled_reply & copy_request_to_tunnel (I already had these enabled).
* Have the following in the users file: DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1 User-Name := `%{User-Name}`
And... what do you see in the Access-Accept when you run in debugging mode?
....but it still makes no difference.....radwho still returns 'anonymous' whenever I log in.
Stop looking at radwho. It's output is WAY down the chain of cause and effect. 1) ensure that the real user name is in the Access-Accept. If not, make it appear there. 2) ensure that the accounting request contains the real user name If it contains "anonymous", buy a real NAS. Your NAS is broken. After that, radwho *should* do the right thing. Alan DeKok.
Hi.... The debug output was pretty much the same as my first email. I have attached it below anyway. This debug output was taken with freeradius 1.1.7 and the following configured: * Enabled use_tunneled_reply & copy_request_to_tunnel. * Have the following in the users file: DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1 User-Name := `%{User-Name}` Am I correct in saying that the NAS will send an Accounting-Request using the User-Name it received in the previous Access-Accept? If so, how can it be the fault of the NAS if freeradius (in spite of trying the settings above) is still sending an Access-Accept with User-Name set to anonymous? TIA Chris. rlm_ldap: user t00037191 authenticated succesfully rlm_sql (sql): Processing sql_postauth rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): Released sql socket id: 4 TTLS: Got tunneled reply RADIUS code 2 Tunnel-Private-Group-Id:1 = "90" Tunnel-Medium-Type:1 = IEEE-802 Tunnel-Type:1 = VLAN Session-Timeout = 900 rlm_sql (sql): Processing sql_postauth rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): Released sql socket id: 3 Sending Access-Accept of id 58 to 10.11.2.91 port 1645 Tunnel-Private-Group-Id:1 = "90" Tunnel-Medium-Type:1 = IEEE-802 Tunnel-Type:1 = VLAN Session-Timeout = 900 MS-MPPE-Recv-Key = 0x916f89b88b0096fa19178e281a02f35c1291005c5942e5a2c5e1257e45d0e658 MS-MPPE-Send-Key = 0x63d4685ca902be7473bcf3d62d730a77c5fe4648aab0834fac5f41178a424a7d EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "anonymous" rad_recv: Accounting-Request packet from host 10.11.2.91:1646, id=143, length=229 Acct-Session-Id = "00002246" Called-Station-Id = "0011.5cc7.1be0" Calling-Station-Id = "0090.4b28.86b0" Cisco-AVPair = "ssid=ittwlan" Cisco-AVPair = "vlan-id=90" Cisco-AVPair = "nas-location=unspecified" User-Name = "anonymous" Cisco-AVPair = "connect-progress=Call Up" Acct-Authentic = RADIUS Acct-Status-Type = Start NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "7190" NAS-Port = 7190 Service-Type = Framed-User NAS-IP-Address = 10.11.2.91 Acct-Delay-Time = 0 rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 On 03/10/2007, Alan DeKok <aland@deployingradius.com> wrote:
Chris Bradshaw wrote:
However, I have tried the suggestions in this reply:
* Enable use_tunneled_reply & copy_request_to_tunnel (I already had these enabled).
* Have the following in the users file: DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1 User-Name := `%{User-Name}`
And... what do you see in the Access-Accept when you run in debugging mode?
....but it still makes no difference.....radwho still returns 'anonymous' whenever I log in.
Stop looking at radwho. It's output is WAY down the chain of cause and effect.
1) ensure that the real user name is in the Access-Accept. If not, make it appear there. 2) ensure that the accounting request contains the real user name If it contains "anonymous", buy a real NAS. Your NAS is broken.
After that, radwho *should* do the right thing.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The fact that you have added that entry to the users file doesn't mean that it will get matched and processed. You haven't posted the whole debug so it's hard to be sure, but my guess is that this is the problem (from users file): # When an authentication request is received from the comm server, # these values are tested. Only the first match is used unless the # "Fall-Through" variable is set to "Yes". # # A special user named "DEFAULT" matches on all usernames. # You can have several DEFAULT entries. All entries are processed # in the order they appear in this file. The first entry that # matches the login-request will stop processing unless you use # the Fall-Through variable. # Ivan Kalik Kalik Informatika ISP Dana 3/10/2007, "Chris Bradshaw" <cwbshaw@gmail.com> piše:
Hi....
The debug output was pretty much the same as my first email. I have attached it below anyway. This debug output was taken with freeradius 1.1.7 and the following configured:
* Enabled use_tunneled_reply & copy_request_to_tunnel.
* Have the following in the users file: DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1 User-Name := `%{User-Name}`
Am I correct in saying that the NAS will send an Accounting-Request using the User-Name it received in the previous Access-Accept?
If so, how can it be the fault of the NAS if freeradius (in spite of trying the settings above) is still sending an Access-Accept with User-Name set to anonymous?
TIA
Chris.
rlm_ldap: user t00037191 authenticated succesfully rlm_sql (sql): Processing sql_postauth rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): Released sql socket id: 4 TTLS: Got tunneled reply RADIUS code 2 Tunnel-Private-Group-Id:1 = "90" Tunnel-Medium-Type:1 = IEEE-802 Tunnel-Type:1 = VLAN Session-Timeout = 900 rlm_sql (sql): Processing sql_postauth rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): Released sql socket id: 3 Sending Access-Accept of id 58 to 10.11.2.91 port 1645 Tunnel-Private-Group-Id:1 = "90" Tunnel-Medium-Type:1 = IEEE-802 Tunnel-Type:1 = VLAN Session-Timeout = 900 MS-MPPE-Recv-Key = 0x916f89b88b0096fa19178e281a02f35c1291005c5942e5a2c5e1257e45d0e658 MS-MPPE-Send-Key = 0x63d4685ca902be7473bcf3d62d730a77c5fe4648aab0834fac5f41178a424a7d EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "anonymous" rad_recv: Accounting-Request packet from host 10.11.2.91:1646, id=143, length=229 Acct-Session-Id = "00002246" Called-Station-Id = "0011.5cc7.1be0" Calling-Station-Id = "0090.4b28.86b0" Cisco-AVPair = "ssid=ittwlan" Cisco-AVPair = "vlan-id=90" Cisco-AVPair = "nas-location=unspecified" User-Name = "anonymous" Cisco-AVPair = "connect-progress=Call Up" Acct-Authentic = RADIUS Acct-Status-Type = Start NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "7190" NAS-Port = 7190 Service-Type = Framed-User NAS-IP-Address = 10.11.2.91 Acct-Delay-Time = 0 rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2
On 03/10/2007, Alan DeKok <aland@deployingradius.com> wrote:
Chris Bradshaw wrote:
However, I have tried the suggestions in this reply:
* Enable use_tunneled_reply & copy_request_to_tunnel (I already had these enabled).
* Have the following in the users file: DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1 User-Name := `%{User-Name}`
And... what do you see in the Access-Accept when you run in debugging mode?
....but it still makes no difference.....radwho still returns 'anonymous' whenever I log in.
Stop looking at radwho. It's output is WAY down the chain of cause and effect.
1) ensure that the real user name is in the Access-Accept. If not, make it appear there. 2) ensure that the accounting request contains the real user name If it contains "anonymous", buy a real NAS. Your NAS is broken.
After that, radwho *should* do the right thing.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Chris Bradshaw wrote:
The debug output was pretty much the same as my first email. I have attached it below anyway. This debug output was taken with freeradius 1.1.7 and the following configured:
* Enabled use_tunneled_reply & copy_request_to_tunnel.
* Have the following in the users file: DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1 User-Name := `%{User-Name}`
You still have it sending "anonymous" in the Access-Accept. Fix that. Stop doing anything else until it sends the real user name.
Am I correct in saying that the NAS will send an Accounting-Request using the User-Name it received in the previous Access-Accept?
Yes.
If so, how can it be the fault of the NAS if freeradius (in spite of trying the settings above) is still sending an Access-Accept with User-Name set to anonymous?
It's not. You're not configuring FreeRADIUS properly. Put this at the TOP of the "users" file: # test DEFAULT User-Name := "bob" # end of test verify that the final Access-Accept contains the user name "bob", and the accounting request contains the user name "bob". Then, delete that entry, and READ THE DEBUG LOG to see why the other entry you have isn't being used. Alan DeKok.
Hi.... OK....I tried using a User-Name of Bob as suggested, but still no joy. I have attached a complete log of everything from the moment I click OK on my Windoze laptop until the laptop says it has authenticated successfully...... Thanx in advance for any help. Chris. rad_recv: Access-Request packet from host 10.11.2.97:1645, id=15, length=147 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0019.a90e.f490" Calling-Station-Id = "0090.4b28.86b0" Service-Type = Login-User Message-Authenticator = 0x6c0296cf0997502a20b91d0ab5c7d475 EAP-Message = 0x0202000e01616e6f6e796d6f7573 NAS-Port-Type = Wireless-802.11 NAS-Port = 262 NAS-Port-Id = "262" NAS-IP-Address = 10.11.2.97 NAS-Identifier = "d106-ap1240-1" rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: Running registered xlat function of module mschap for string 'User-Name' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 Sending Access-Challenge of id 15 to 10.11.2.97 port 1645 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6d038dc21b4b7ccc8be83157ba7f8d5d rad_recv: Access-Request packet from host 10.11.2.97:1645, id=16, length=157 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0019.a90e.f490" Calling-Station-Id = "0090.4b28.86b0" Service-Type = Login-User Message-Authenticator = 0xd9d6ade7b49bf14e276219d11e1ee016 EAP-Message = 0x020300060315 NAS-Port-Type = Wireless-802.11 NAS-Port = 262 NAS-Port-Id = "262" State = 0x6d038dc21b4b7ccc8be83157ba7f8d5d NAS-IP-Address = 10.11.2.97 NAS-Identifier = "d106-ap1240-1" rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: Running registered xlat function of module mschap for string 'User-Name' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 Sending Access-Challenge of id 16 to 10.11.2.97 port 1645 EAP-Message = 0x010400061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3fb35d32290c24764e9db533206bc16a rad_recv: Access-Request packet from host 10.11.2.97:1645, id=17, length=243 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0019.a90e.f490" Calling-Station-Id = "0090.4b28.86b0" Service-Type = Login-User Message-Authenticator = 0x933c7e115f5fde84cf641744c34d90b0 EAP-Message = 0x0204005c158000000052160301004d01000049030197874f93537273cc884c9764aade2de3d77fc2b7cb525ef666b7c6f2e654e0c320e7dfeb3f9185ff7a30f69ffdb50509b95586c30a3edef6c771e5ba95508d9b620002000a0100 NAS-Port-Type = Wireless-802.11 NAS-Port = 262 NAS-Port-Id = "262" State = 0x3fb35d32290c24764e9db533206bc16a NAS-IP-Address = 10.11.2.97 NAS-Identifier = "d106-ap1240-1" rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: Running registered xlat function of module mschap for string 'User-Name' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 Sending Access-Challenge of id 17 to 10.11.2.97 port 1645 EAP-Message = 0x0105040a15c00000097b160301004a0200004603014704ce66e2b903fed180ce086543967f9c57c961badbd56be7b080c80000000020177e053b5926050f37c369b4a610ca7ec09f31298036a35ab209957e7050a3ad000a00160301091e0b00091a00091700040830820404308202eca003020102020103300d06092a864886f70d01010405003081b7310b3009060355040613024945311530130603550408130c436f756e7479204b65727279310f300d060355040713065472616c65653120301e060355040a1317496e73746974757465206f6620546563686e6f6c6f6779311b3019060355040b1312436f6d707574696e672053657276696365 EAP-Message = 0x73311b301906035504031312776c616e63612e69747472616c65652e69653124302206092a864886f70d010901161574656368406c6973742e69747472616c65652e6965301e170d3035313030363039333734375a170d3135313030343039333734375a3081b9310b3009060355040613024945311530130603550408130c436f756e7479204b65727279310f300d060355040713065472616c65653120301e060355040a1317496e73746974757465206f6620546563686e6f6c6f6779311b3019060355040b1312436f6d707574696e67205365727669636573311d301b06035504031314776c616e74746c732e69747472616c65652e6965312430 EAP-Message = 0x2206092a864886f70d010901161574656368406c6973742e69747472616c65652e696530820122300d06092a864886f70d01010105000382010f003082010a0282010100e8b055796ce1bfc203326ff6dd538b09d4b736679081c4fb3523e587c18b0299556a15f58a9dbeaad6449ac0bdb1e008578a28aecd790bfc4df20ada8fd89034430902823ec0164a83a024f40c4044d6c97c94df6a19e3511827496507626eab85cd09d49632312e43ce514b3092597d3d703ce11e18cc74ec8eb3d34f63b576ee69e4a47797ef0f84a10e44ca8ec5b65d6e9ccd03b9d0f478d13fff717543c1bc765067639779c462f5d5ea8b90e0ab553412fefc07d7133f EAP-Message = 0x2daf0e0d7eda6722cc5de7d2eb72bd8b32e53af42f8f1ada6315a0c6329c7a63b78eb5a1eb01410db77886daa1a533b53de25d8c16f56587ae7a540efe372cb842335ccf4ac2b70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010013bedbf669d282401ef1d4e8f4ceeab5d9a165277b23a4d904883e599934667f2e3c1582895ad060f2ba2fa25891d35981cd9e0c5f495ab33194a4a91335c6def96ea83f73e7b06ae35fd9ed5ec566a4620a1a8aaac6384ef732a5ae67b258c3445aeb4d04be225c97479d1cfa6a901cb4c0ab90c26561c4bb023fe92d8aff746742ede1 EAP-Message = 0x3f9249e8a3f87cdf0ba7a9ddda0287c2beb887c1133a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc9aaf7babacd5449bc2c4dfe415c2ffc rad_recv: Access-Request packet from host 10.11.2.97:1645, id=18, length=157 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0019.a90e.f490" Calling-Station-Id = "0090.4b28.86b0" Service-Type = Login-User Message-Authenticator = 0xcc603ff0e1ef9af8540cf19e69be6d4e EAP-Message = 0x020500061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 262 NAS-Port-Id = "262" State = 0xc9aaf7babacd5449bc2c4dfe415c2ffc NAS-IP-Address = 10.11.2.97 NAS-Identifier = "d106-ap1240-1" rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: Running registered xlat function of module mschap for string 'User-Name' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 Sending Access-Challenge of id 18 to 10.11.2.97 port 1645 EAP-Message = 0x0106040a15c00000097b8c1812bcb59a4dcabfc30f1be566787d627365f58d90e2b2c4b3f8f39fd36a3d4bb985416615a1c95ee9933d0959edce8a97a0b920c65c10b7020bd85b16beeefcbd029e59ce4a7bcadb48683196dee4e418e33366ab749781191b00a6dea40841463a12ef2700050930820505308203eda003020102020100300d06092a864886f70d01010405003081b7310b3009060355040613024945311530130603550408130c436f756e7479204b65727279310f300d060355040713065472616c65653120301e060355040a1317496e73746974757465206f6620546563686e6f6c6f6779311b3019060355040b1312436f6d707574 EAP-Message = 0x696e67205365727669636573311b301906035504031312776c616e63612e69747472616c65652e69653124302206092a864886f70d010901161574656368406c6973742e69747472616c65652e6965301e170d3034303832333136333434305a170d3134303832313136333434305a3081b7310b3009060355040613024945311530130603550408130c436f756e7479204b65727279310f300d060355040713065472616c65653120301e060355040a1317496e73746974757465206f6620546563686e6f6c6f6779311b3019060355040b1312436f6d707574696e67205365727669636573311b301906035504031312776c616e63612e6974747261 EAP-Message = 0x6c65652e69653124302206092a864886f70d010901161574656368406c6973742e69747472616c65652e696530820122300d06092a864886f70d01010105000382010f003082010a0282010100ba05dcb9abeec7bf8f46f1a9462b6179c36182869de493a2af9b4c4e3fb31e016472bf4fcdefcde889cc4f24f8434fc920b51cc885e7a76a3f648418d1bcfbee3b8e672285aeef03555f57930bfc658a5121e63d554e4d1f131bdfa69fea2f6b7b5c9d1f28ff58fc6eb53cf608fa7603e490cd11bad38d117d39fd647e863b82195a71ad6cd3917a39f900c1cb6b12b2d9b668bf5889e075b1eddff7da5947e951cba54c3336dfc7e7f50fe29c2f9bb3 EAP-Message = 0x1ffd96e696bdb1d3e7a3873b59080e0a4f00f918b62812eca614f2777c1706130186988db012d36de28510dde560b62b17a4ec460e6e4403b1ff156bfb0665cc23fc223c0338f215e558e64b7bb9a8d10203010001a382011830820114301d0603551d0e04160414603564bf3709eb94a9ae18e343fe950827d83a5b3081e40603551d230481dc3081d98014603564bf3709eb94a9ae18e343fe950827d83a5ba181bda481ba3081b7310b3009060355040613024945311530130603550408130c436f756e7479204b65727279310f300d060355040713065472616c65653120301e060355040a1317496e73746974757465206f6620546563686e6f6c EAP-Message = 0x6f6779311b3019060355040b1312436f6d707574696e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb182e73eaf239ef456fca727c18f5345 rad_recv: Access-Request packet from host 10.11.2.97:1645, id=19, length=157 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0019.a90e.f490" Calling-Station-Id = "0090.4b28.86b0" Service-Type = Login-User Message-Authenticator = 0x485cfc0d0d4b9fe547285454f1d0a902 EAP-Message = 0x020600061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 262 NAS-Port-Id = "262" State = 0xb182e73eaf239ef456fca727c18f5345 NAS-IP-Address = 10.11.2.97 NAS-Identifier = "d106-ap1240-1" rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: Running registered xlat function of module mschap for string 'User-Name' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 Sending Access-Challenge of id 19 to 10.11.2.97 port 1645 EAP-Message = 0x0107018515800000097b67205365727669636573311b301906035504031312776c616e63612e69747472616c65652e69653124302206092a864886f70d010901161574656368406c6973742e69747472616c65652e6965820100300c0603551d13040530030101ff300d06092a864886f70d0101040500038201010086b42675c76e6a74a6858ae10803f1dd0da3737ad355ff5b0d55eb9e06d2f50df342841c38c531ab357563920ef1d5da6b2b0022ba20c2170aea199a615440fdcbec5347c3d928903d5c5f0878fa5e0dc46ef1bb53e745e591e44e074a014b059d95db139383ad2506e20d13772aa037284f2d0a352562a0f2404a74b11fc939e7 EAP-Message = 0x79c80a8b82c93b8259d76594068e601b669a0394b8b43e75ce3c686535f559fbe7659c1a43071d7d6413b0f6398ec578ccd15718bad1ddd870fcdbdd4f3f6ba74c263f57a3ad493c29980c32273247a947aa753eeed2b083a73d111ba02f18b1fcbb8ad3da9bf3315c029448377626971071236c92469db1cba47a0b86bca916030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x09b7545f98e47e43026236e0eab8a38b rad_recv: Access-Request packet from host 10.11.2.97:1645, id=20, length=481 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0019.a90e.f490" Calling-Station-Id = "0090.4b28.86b0" Service-Type = Login-User Message-Authenticator = 0x86ec324b39f48b51de271f5cd0fec16b EAP-Message = 0x0207014815800000013e1603010106100001020100b95dee019dc0ceffbc091bc890093da4c1775efbf7828d372ba5d2bd345b4b02af6b448accf2afd7c896444456ea08e617be150b9902bb68cafba84f4a9398802472ef5dee5e58800591dcf87ef0bc1c8ce1055cc6fdc230f4d887b7ab63dd64544488881028a08574203fd2607db93040b106e893e9d609115f51c7a12c80c7addffbf8da87eeb293b276f2cc6d0fdfd9d7fb67519c05edc960e32ceeddcafb2b2597637ef50b20beadd9655a15f4a45191d9203c30d1feb5e4549909cabc50a355708d54a651d27aef01dad90ea1e5604d1eb5f9e273f2aff23609c1bbbbbb0eeba4e24dac9072 EAP-Message = 0xc9bd5d8d86674c3f0f93e98c576e12fadda6d0beb113d22c14030100010116030100284e4a7a51f65e3803eb6fe4d538efa8351ae9cfafdfc4442b6574693d2e8bd413af3c252bd298e614 NAS-Port-Type = Wireless-802.11 NAS-Port = 262 NAS-Port-Id = "262" State = 0x09b7545f98e47e43026236e0eab8a38b NAS-IP-Address = 10.11.2.97 NAS-Identifier = "d106-ap1240-1" rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: Running registered xlat function of module mschap for string 'User-Name' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 Sending Access-Challenge of id 20 to 10.11.2.97 port 1645 EAP-Message = 0x0108003d15800000003314030100010116030100289c60651f87bdd417674bbf7beda36626fa1e4afba008323dae5cb00512052ef8180887999e46a541 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73994dee99fc258300f5da4fc1612c1b rad_recv: Access-Request packet from host 10.11.2.97:1645, id=21, length=230 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0019.a90e.f490" Calling-Station-Id = "0090.4b28.86b0" Service-Type = Login-User Message-Authenticator = 0x1e9c712a8d2dc8fa960a785e06e7951e EAP-Message = 0x0208004f15800000004517030100400bc9845a01daea62c31bdc16a97bd4390e16ffac8ff05fb7e4f73ff86b2a2f2bb193cf3fd7a3fdd1310f5241cbc69bc9f1e95a1a889bb5c7fca2c868095fb598 NAS-Port-Type = Wireless-802.11 NAS-Port = 262 NAS-Port-Id = "262" State = 0x73994dee99fc258300f5da4fc1612c1b NAS-IP-Address = 10.11.2.97 NAS-Identifier = "d106-ap1240-1" rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: Running registered xlat function of module mschap for string 'User-Name' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 TTLS: Got tunneled request User-Name = "cwbshaw" User-Password = "BLAHBLAH" FreeRADIUS-Proxied-To = 127.0.0.1 TTLS: Sending tunneled request User-Name = "cwbshaw" User-Password = "BLAHBLAH" FreeRADIUS-Proxied-To = 127.0.0.1 Framed-MTU = 1400 Called-Station-Id = "0019.a90e.f490" Calling-Station-Id = "0090.4b28.86b0" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 262 NAS-Port-Id = "262" NAS-IP-Address = 10.11.2.97 NAS-Identifier = "d106-ap1240-1" rlm_ldap: - authorize rlm_ldap: performing user authorization for cwbshaw radius_xlat: Running registered xlat function of module mschap for string 'User-Name' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id:1 = "90" rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type:1 = IEEE-802 rlm_ldap: Adding radiusTunnelType as Tunnel-Type:1 = VLAN rlm_ldap: Adding radiusSessionTimeout as Session-Timeout = 900 rlm_ldap: Setting Auth-Type = ldap rlm_ldap: user cwbshaw authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "cwbshaw" with password "BLAHBLAH" rlm_ldap: user DN: uid=cwbshaw,ou=SomeOrg,dc=somename,dc=somename rlm_ldap: (re)connect to ldapserv:389, authentication 1 rlm_ldap: bind as uid=cwbshaw,ou=People,ou=SomeOrg,dc=somename,dc=somename/BLAHBLAH to ldapserv:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user cwbshaw authenticated succesfully rlm_sql (sql): Processing sql_postauth rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): Released sql socket id: 3 TTLS: Got tunneled reply RADIUS code 2 Tunnel-Private-Group-Id:1 = "90" Tunnel-Medium-Type:1 = IEEE-802 Tunnel-Type:1 = VLAN Session-Timeout = 900 rlm_sql (sql): Processing sql_postauth rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 Sending Access-Accept of id 21 to 10.11.2.97 port 1645 Tunnel-Private-Group-Id:1 = "90" Tunnel-Medium-Type:1 = IEEE-802 Tunnel-Type:1 = VLAN Session-Timeout = 900 MS-MPPE-Recv-Key = 0xb11824885701a83036b3eed97340ee970847a981b575644b530650b8af16ac28 MS-MPPE-Send-Key = 0xa437c5995ead3c724e67ed1649916a8e9acebc59f796ae0790654da555aa4193 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "anonymous" rad_recv: Accounting-Request packet from host 10.11.2.97:1646, id=6, length=222 Acct-Session-Id = "00000008" Called-Station-Id = "0019.a90e.f490" Calling-Station-Id = "0090.4b28.86b0" Cisco-AVPair = "ssid=ittwlan" Cisco-AVPair = "vlan-id=90" Cisco-AVPair = "nas-location=unspecified" User-Name = "anonymous" Cisco-AVPair = "connect-progress=Call Up" Acct-Authentic = RADIUS Acct-Status-Type = Start NAS-Port-Type = Wireless-802.11 NAS-Port = 262 NAS-Port-Id = "262" Service-Type = Framed-User NAS-IP-Address = 10.11.2.97 Acct-Delay-Time = 0 rlm_sql (sql): Reserving sql socket id: 1 rlm_sql (sql): Released sql socket id: 1 Sending Accounting-Response of id 6 to 10.11.2.97 port 1646 On 04/10/2007, Alan DeKok <aland@deployingradius.com> wrote:
Chris Bradshaw wrote:
The debug output was pretty much the same as my first email. I have attached it below anyway. This debug output was taken with freeradius 1.1.7 and the following configured:
* Enabled use_tunneled_reply & copy_request_to_tunnel.
* Have the following in the users file: DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1 User-Name := `%{User-Name}`
You still have it sending "anonymous" in the Access-Accept. Fix that. Stop doing anything else until it sends the real user name.
Am I correct in saying that the NAS will send an Accounting-Request using the User-Name it received in the previous Access-Accept?
Yes.
If so, how can it be the fault of the NAS if freeradius (in spite of trying the settings above) is still sending an Access-Accept with User-Name set to anonymous?
It's not. You're not configuring FreeRADIUS properly.
Put this at the TOP of the "users" file:
# test DEFAULT User-Name := "bob" # end of test
verify that the final Access-Accept contains the user name "bob", and the accounting request contains the user name "bob".
Then, delete that entry, and READ THE DEBUG LOG to see why the other entry you have isn't being used.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Chris Bradshaw wrote:
OK....I tried using a User-Name of Bob as suggested,
Maybe. The debug log you posted is either NOT the full debug log (-X). OR, you have deleted all references to the "files" module from radiusd.conf. If you tell the server to NOT look at the "users" file, then do NOT be surprised when it doesn't look at the "users" file. I am just astonished at how much effort people put into breaking the configuration, and then doing even *more* work trying to fix it again. If you've put huge efforts into destroying the default configuration, then most of the suggestions here WILL NOT WORK, because they presume you haven't butchered the configuration to make it useless. Start off with the default configuration. Add the LDAP config, and EAP configuration for certificates. MAKE SURE IT USES THE "users" file. THEN try my suggestion. Odds are that it will work. Alan DeKok.
Hi.... Thanx for your help. Its working now. I did have the files module commented out in the authorize section....apologies. Thanx again. Chris. On 04/10/2007, Alan DeKok <aland@deployingradius.com> wrote:
Chris Bradshaw wrote:
OK....I tried using a User-Name of Bob as suggested,
Maybe.
The debug log you posted is either NOT the full debug log (-X). OR, you have deleted all references to the "files" module from radiusd.conf.
If you tell the server to NOT look at the "users" file, then do NOT be surprised when it doesn't look at the "users" file.
I am just astonished at how much effort people put into breaking the configuration, and then doing even *more* work trying to fix it again. If you've put huge efforts into destroying the default configuration, then most of the suggestions here WILL NOT WORK, because they presume you haven't butchered the configuration to make it useless.
Start off with the default configuration. Add the LDAP config, and EAP configuration for certificates. MAKE SURE IT USES THE "users" file.
THEN try my suggestion. Odds are that it will work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Chris Bradshaw -
tnt@kalik.co.yu