LDAP check attributes
Hallo, I have a problem with the LDAP attributes. I want set an ssid check in my radius authentication. If I do it with the user file all works fine. Now I want to insert this attribute in the ldap schema. I have inserted a new attribute radiusCisco-AVpair in my schema with value ssid=VLAN3 and in the ldap.attrmap file I have inserted the following row: checkItem Cisco-AVPair radiusCiscoAVpair and the ldap module is: ldap { server = "localhost" basedn = "dc=create-net,dc=org" password_attribute = userPassword start_tls = no ldap_connections_number = 5 } but with this configuration my LDAP user is always authenticate with any ssid. What is wrong? Thanks This is my log file: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1812 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: bind_address = 192.168.20.2 IP address [192.168.20.2] main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = no proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = yes main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded LDAP ldap: server = "localhost" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "" ldap: basedn = "dc=create-net,dc=org" ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "userPassword" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusCisco-AVpair mapped to RADIUS Cisco-AVPair rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x9730f88 Module: Instantiated ldap (ldap) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "/usr/local/etc/raddb/certs/masterkeys2/" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/masterkeys2/root.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = yes tls: check_cert_cn = "%{User-Name}" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = yes peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = yes Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication 192.168.20.2:1812 Listening on accounting 192.168.20.2:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.20.4:1645, id=86, length=164 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x8a43703112607b7280aeb5b4e4198e80 EAP-Message = 0x0201000f0174657374726164697573 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 15 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall[authorize]: module "files" returns notfound for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 86 to 192.168.20.4 port 1645 EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaa71830b1f63ad0e089e958ae1747901 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=87, length=173 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x7531829c87b90b64accabf5f409e414f EAP-Message = 0x020200060319 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 State = 0xaa71830b1f63ad0e089e958ae1747901 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall[authorize]: module "files" returns notfound for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 87 to 192.168.20.4 port 1645 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca42865dfd4dc652e2dbb7797bb58dfe Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=88, length=273 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x4ddfc31c44b93297b86317355163cef7 EAP-Message = 0x0203006a198000000060160301005b0100005703014468424202d927a51cba80f4ed1c4c6c915225855eac3333887cf4ddb8fbb55f00003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 State = 0xca42865dfd4dc652e2dbb7797bb58dfe NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 3 length 106 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall[authorize]: module "files" returns notfound for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0673], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 88 to 192.168.20.4 port 1645 EAP-Message = 0x0104040a19c0000006d0160301004a0200004603014468421cd606fdf6d2884ee1929a642d6cf16a294f91cd1276014a2ce34e76bf207fdcc6c15ac3922d301d419b812c0d1a773845fc9db81baff1645e5ded4a9c5200350016030106730b00066f00066c0002bd308202b930820222a003020102020101300d06092a864886f70d0101050500308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d EAP-Message = 0x010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974301e170d3036303331353135313230345a170d3037303331353135313230345a308196310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310f300d06035504031306534552564552312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e697430819f300d06092a864886f70d010101050003818d0030818902818100e81d9a2a8804 EAP-Message = 0x4b630c0153075c2a1dc066c99392cc5af660adbbad91ef4eeff866c5f20fa2c5fb7965a3c12b674f90f04985eab710cd97852b1ce3e08f04aa06d4717254338f62a05d6344c311578a02f9fae0aca2aa336ed9121874c86c1124fd4a7f8832b652be20f2c3ad20951e1099300f4d6c27a695aeb757501c36383d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810026e9f99eee1bd9d0a221d725e9dad88ad2b9d1385db136076fda84de1ccfc1e2a5a3fa237fd9c88c4fb98267dd827f96418a007782246380e2c488310eb1df77e5fda4b05143777dcd627fe6f6a948be43e0 EAP-Message = 0x377fa815cd412cb80b442714852fe94cb9aae46c08f2e84cc7092bdf887d069e2ab1fd2cf56c9332b87e83990d670003a9308203a53082030ea003020102020900d6c51af184c17a13300d06092a864886f70d0101050500308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974301e170d30363033313531353130 EAP-Message = 0x30305a170d3038303331343135313030305a30819431 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf0f16fc3f467b1f240f723dfa11b62f3 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=89, length=173 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0xc86b8dcf602273235ee20371bf31cd64 EAP-Message = 0x020400061900 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 State = 0xf0f16fc3f467b1f240f723dfa11b62f3 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 modcall[authorize]: module "files" returns notfound for request 3 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 89 to 192.168.20.4 port 1645 EAP-Message = 0x010502d619000b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e697430819f300d06092a864886f70d010101050003818d0030818902818100b9d2e4970beba1cac75125d76679fcede5da675985ae70ca7a7414cca08fa27f7de577e293ad03a5217d3d5c8f48a3d39ed4579e38ac4e7fbf650f80d3b80253683e15948edebf EAP-Message = 0x789e3379e90e8eb5690af994d98cc6d4e702e96db90bbb1bfc642b2ddbdd026812efdcd22664bf27ae6b5cd56737db61cf5b22c2eaa415ce0b0203010001a381fc3081f9301d0603551d0e04160414f877a449a82f70e28ff7d3238ed22fca5f76d7b43081c90603551d230481c13081be8014f877a449a82f70e28ff7d3238ed22fca5f76d7b4a1819aa48197308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b30290609 EAP-Message = 0x2a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974820900d6c51af184c17a13300c0603551d13040530030101ff300d06092a864886f70d0101050500038181009afe6349178f51966293fa52eafafe825e9441722f5f86ebb1e995589569640a40f04f3c969ea63173a875d9f055a0b19dc2c463a1c5de3a447dc04f369d5fb56fdff6bca5ef16e785a46f3646e062ac0c7cacc7cbfd163ccbb314bc66e8bbc68ac6d594e47d0cd76d66aec45508952892553bbe957973f8e6c5ac901f86881b16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6e149fab9e804ff893086dc63288956c Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=90, length=375 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x2b8da6bb902efbb45870bfb4ee8d4721 EAP-Message = 0x020500d01980000000c616030100861000008200809c9bc5e92e77cd8e43f601da17d92b70c3102f4177f73cdd2200af4fb429d2b9e6c89c04a11054b63541143bfd4df19f9abe4597ca56f06cf6384abce4342eb3c882515c6e7bd41c042390cb35f0a2e78023aecca90cdeb8ed53ce0329752e0dfbd145e0a60f5cde8b952f6b056f56fa50dfb9a09e09becd16790b8c5f5f744b1403010001011603010030493ada867a57f10f420cf922d875cd8252176dd386a93444f7db712fa0c130f2f6910c7d33f7d7d3639f8415ad40827b NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 State = 0x6e149fab9e804ff893086dc63288956c NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 5 length 208 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 modcall[authorize]: module "files" returns notfound for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 90 to 192.168.20.4 port 1645 EAP-Message = 0x0106004119001403010001011603010030294ac923e9c7ee0c1317386255a5314fed93bdb0072dd4a1f17f415ae73c7fcf9cf766a41acbf5cfd2efb8c7175c7bcd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9ce29ff8d1c3357e90aed9aa66af7cca Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=91, length=173 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x63027bb2608f1b908972d531373bde2e EAP-Message = 0x020600061900 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 State = 0x9ce29ff8d1c3357e90aed9aa66af7cca NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall[authorize]: module "files" returns notfound for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 91 to 192.168.20.4 port 1645 EAP-Message = 0x010700501900170301002028b8b716334e409d6941093bd92fde78c605f610518815d093df4b5de567bc481703010020aa5243bab5bb677ac1248b22a3c3469d1069bfbb38d31d829a3eaeb438d708a3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb7f85f0bfdaf582686c515bef2f8e139 Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=92, length=247 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0xe6cf0d19621b9acd7ad16f3e000e0f57 EAP-Message = 0x02070050190017030100209c304a7e5af6573629b8effb46b67e30c4770ead531f3d76451253ff5318efaa17030100207cf3dd4e003a6ec8108e24b8838364fd51eebb2e92459f76d33071a1bde600f7 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 State = 0xb7f85f0bfdaf582686c515bef2f8e139 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 7 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall[authorize]: module "files" returns notfound for request 6 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - testradius rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled identity of testradius PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to testradius Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 7 length 15 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall[authorize]: module "files" returns notfound for request 6 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 92 to 192.168.20.4 port 1645 EAP-Message = 0x01080070190017030100203d185202b13b4febb5cc464d0b36377b81c831095d55011f9b6421cd28f4a43217030100405c277680c403d05e9c33482b001a6bc8c0eb28e221aed09fa965843bf26d689bae1f84df2d3c276ce32be058a876a9ea89e779235df581de93d77bc360b5c50a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x41c9a9d8a10b154234a868b611c49edd Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=93, length=311 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x54dbe70cf63e03e9b0e87a7ffb56f620 EAP-Message = 0x0208009019001703010020d57d28136594254ec829db59670b1142027f032a88e0ab4e339392d13036f97b170301006058d5a177e8bbd8b16da599810d51ee4032d4c9ffe4dc11c97015c32331df8aca4b8fb339af0377eafce00e7ee23dd7f3cf984d6af8a5a71162f3daecec2f1654852e1ecfec560aee33cb22c72b7a31d394456d9e1508051c75b1498e234182b7 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 State = 0x41c9a9d8a10b154234a868b611c49edd NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 8 length 144 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 modcall[authorize]: module "files" returns notfound for request 7 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to testradius PEAP: Adding old state with 0e 6d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 8 length 69 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 modcall[authorize]: module "files" returns notfound for request 7 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 7 rlm_mschap: Told to do MS-CHAPv2 for testradius with NT-Password rlm_mschap: adding MS-CHAPv2 MPPE keys modcall[authenticate]: module "mschap" returns ok for request 7 modcall: leaving group MS-CHAP (returns ok) for request 7 MSCHAP Success modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 93 to 192.168.20.4 port 1645 EAP-Message = 0x010900801900170301002008739fac8dfedd4813968370d0fc326c59a8e74d8db02be5127a4de5e1f8697b17030100509bc8996b8c9173e78fc71777ec3bd5d4865b28c1d637047803876e08e95d1cbaaab70917fdbdae3691e9b6ec36edcedd48cd74607e54dc80aefc5bb87474fc1740d64e3b3db8bc8a6f0846bea8659ceb Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe242737767a1d4a377058568d102c376 Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=94, length=247 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0xa84673f1253b4bb56d4067a2ee5a6007 EAP-Message = 0x0209005019001703010020b0205b783726a7e63c0dfbbc6e32dc9bf96f59dc53e711f8f5245fa3a767ca95170301002007f2dbd650ad2653a4b49a3006c8c7d977fd18e395d41732719fc83739aeedbe NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 State = 0xe242737767a1d4a377058568d102c376 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 9 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 modcall[authorize]: module "files" returns notfound for request 8 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to testradius PEAP: Adding old state with 34 97 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 9 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 modcall[authorize]: module "files" returns notfound for request 8 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 8 modcall: leaving group authenticate (returns ok) for request 8 Login OK: [testradius/<no User-Password attribute>] (from client cn-radius port 289 cli 000c.f135.f1ba) PEAP: Tunneled authentication was successful. rlm_eap_peap: SUCCESS modcall[authenticate]: module "eap" returns handled for request 8 modcall: leaving group authenticate (returns handled) for request 8 Sending Access-Challenge of id 94 to 192.168.20.4 port 1645 EAP-Message = 0x010a005019001703010020dc74f623a748e6c82d95b4dc908f8831d572ebf662ebe3287f774a191d83c25717030100202b4207d67864ce764fe7fe0d17c29afc6da54a36fe11e961edde3c4f01ac4505 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xafb670111e339beb53b8dcaa76cbe11c Finished request 8 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=95, length=247 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0xc45e189222dd876003933eb16e724bc4 EAP-Message = 0x020a005019001703010020a740106e429d51742e3dfe82eeb24d4df3511b9f061d8bc0ccd297532bb6fd29170301002001e0cc2468fcaa795254710a0a7ad1ed8d2e7e3d27727e8501f87739b9ee017c NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 State = 0xafb670111e339beb53b8dcaa76cbe11c NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 modcall[authorize]: module "mschap" returns noop for request 9 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: EAP packet type response id 10 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 modcall[authorize]: module "files" returns notfound for request 9 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 9 modcall: leaving group authorize (returns updated) for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Success rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 9 modcall: leaving group authenticate (returns ok) for request 9 Login OK: [testradius/<no User-Password attribute>] (from client ap-test-ivan port 289 cli 000c.f135.f1ba) Sending Access-Accept of id 95 to 192.168.20.4 port 1645 MS-MPPE-Recv-Key = 0x0b16dbbed96d2863ebde1df32222e6a8930a6876e2ae7e2c85288ae313d2cdc1 MS-MPPE-Send-Key = 0x429669acf3e571f6fb7b6fbce51ef9bbb8cd9678885f5c52ab5355ce43727c9c EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testradius" Finished request 9 Going to the next request Waking up in 6 seconds...
Anyone can help me? Thanks, bye Antonio on 15/05/2006 11.06 Antonio Matera said the following:
Hallo, I have a problem with the LDAP attributes. I want set an ssid check in my radius authentication. If I do it with the user file all works fine. Now I want to insert this attribute in the ldap schema. I have inserted a new attribute radiusCisco-AVpair in my schema with value ssid=VLAN3 and in the ldap.attrmap file I have inserted the following row:
checkItem Cisco-AVPair radiusCiscoAVpair
and the ldap module is:
ldap { server = "localhost" basedn = "dc=create-net,dc=org" password_attribute = userPassword start_tls = no ldap_connections_number = 5 }
but with this configuration my LDAP user is always authenticate with any ssid. What is wrong? Thanks
This is my log file:
Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1812 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: bind_address = 192.168.20.2 IP address [192.168.20.2] main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = no proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = yes main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded LDAP ldap: server = "localhost" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "" ldap: basedn = "dc=create-net,dc=org" ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "userPassword" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusCisco-AVpair mapped to RADIUS Cisco-AVPair rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x9730f88 Module: Instantiated ldap (ldap) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "/usr/local/etc/raddb/certs/masterkeys2/" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/masterkeys2/root.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = yes tls: check_cert_cn = "%{User-Name}" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = yes peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = yes Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication 192.168.20.2:1812 Listening on accounting 192.168.20.2:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.20.4:1645, id=86, length=164 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x8a43703112607b7280aeb5b4e4198e80 EAP-Message = 0x0201000f0174657374726164697573 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 15 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall[authorize]: module "files" returns notfound for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 86 to 192.168.20.4 port 1645 EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaa71830b1f63ad0e089e958ae1747901 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=87, length=173 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x7531829c87b90b64accabf5f409e414f EAP-Message = 0x020200060319 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 State = 0xaa71830b1f63ad0e089e958ae1747901 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall[authorize]: module "files" returns notfound for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 87 to 192.168.20.4 port 1645 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca42865dfd4dc652e2dbb7797bb58dfe Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=88, length=273 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x4ddfc31c44b93297b86317355163cef7 EAP-Message = 0x0203006a198000000060160301005b0100005703014468424202d927a51cba80f4ed1c4c6c915225855eac3333887cf4ddb8fbb55f00003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100
NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 State = 0xca42865dfd4dc652e2dbb7797bb58dfe NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 3 length 106 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall[authorize]: module "files" returns notfound for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0673], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 88 to 192.168.20.4 port 1645 EAP-Message = 0x0104040a19c0000006d0160301004a0200004603014468421cd606fdf6d2884ee1929a642d6cf16a294f91cd1276014a2ce34e76bf207fdcc6c15ac3922d301d419b812c0d1a773845fc9db81baff1645e5ded4a9c5200350016030106730b00066f00066c0002bd308202b930820222a003020102020101300d06092a864886f70d0101050500308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d
EAP-Message = 0x010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974301e170d3036303331353135313230345a170d3037303331353135313230345a308196310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310f300d06035504031306534552564552312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e697430819f300d06092a864886f70d010101050003818d0030818902818100e81d9a2a8804
EAP-Message = 0x4b630c0153075c2a1dc066c99392cc5af660adbbad91ef4eeff866c5f20fa2c5fb7965a3c12b674f90f04985eab710cd97852b1ce3e08f04aa06d4717254338f62a05d6344c311578a02f9fae0aca2aa336ed9121874c86c1124fd4a7f8832b652be20f2c3ad20951e1099300f4d6c27a695aeb757501c36383d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810026e9f99eee1bd9d0a221d725e9dad88ad2b9d1385db136076fda84de1ccfc1e2a5a3fa237fd9c88c4fb98267dd827f96418a007782246380e2c488310eb1df77e5fda4b05143777dcd627fe6f6a948be43e0
EAP-Message = 0x377fa815cd412cb80b442714852fe94cb9aae46c08f2e84cc7092bdf887d069e2ab1fd2cf56c9332b87e83990d670003a9308203a53082030ea003020102020900d6c51af184c17a13300d06092a864886f70d0101050500308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974301e170d30363033313531353130
EAP-Message = 0x30305a170d3038303331343135313030305a30819431 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf0f16fc3f467b1f240f723dfa11b62f3 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=89, length=173 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0xc86b8dcf602273235ee20371bf31cd64 EAP-Message = 0x020400061900 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 State = 0xf0f16fc3f467b1f240f723dfa11b62f3 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 modcall[authorize]: module "files" returns notfound for request 3 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 89 to 192.168.20.4 port 1645 EAP-Message = 0x010502d619000b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e697430819f300d06092a864886f70d010101050003818d0030818902818100b9d2e4970beba1cac75125d76679fcede5da675985ae70ca7a7414cca08fa27f7de577e293ad03a5217d3d5c8f48a3d39ed4579e38ac4e7fbf650f80d3b80253683e15948edebf
EAP-Message = 0x789e3379e90e8eb5690af994d98cc6d4e702e96db90bbb1bfc642b2ddbdd026812efdcd22664bf27ae6b5cd56737db61cf5b22c2eaa415ce0b0203010001a381fc3081f9301d0603551d0e04160414f877a449a82f70e28ff7d3238ed22fca5f76d7b43081c90603551d230481c13081be8014f877a449a82f70e28ff7d3238ed22fca5f76d7b4a1819aa48197308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b30290609
EAP-Message = 0x2a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974820900d6c51af184c17a13300c0603551d13040530030101ff300d06092a864886f70d0101050500038181009afe6349178f51966293fa52eafafe825e9441722f5f86ebb1e995589569640a40f04f3c969ea63173a875d9f055a0b19dc2c463a1c5de3a447dc04f369d5fb56fdff6bca5ef16e785a46f3646e062ac0c7cacc7cbfd163ccbb314bc66e8bbc68ac6d594e47d0cd76d66aec45508952892553bbe957973f8e6c5ac901f86881b16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6e149fab9e804ff893086dc63288956c Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=90, length=375 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x2b8da6bb902efbb45870bfb4ee8d4721 EAP-Message = 0x020500d01980000000c616030100861000008200809c9bc5e92e77cd8e43f601da17d92b70c3102f4177f73cdd2200af4fb429d2b9e6c89c04a11054b63541143bfd4df19f9abe4597ca56f06cf6384abce4342eb3c882515c6e7bd41c042390cb35f0a2e78023aecca90cdeb8ed53ce0329752e0dfbd145e0a60f5cde8b952f6b056f56fa50dfb9a09e09becd16790b8c5f5f744b1403010001011603010030493ada867a57f10f420cf922d875cd8252176dd386a93444f7db712fa0c130f2f6910c7d33f7d7d3639f8415ad40827b
NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 State = 0x6e149fab9e804ff893086dc63288956c NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 5 length 208 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 modcall[authorize]: module "files" returns notfound for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 90 to 192.168.20.4 port 1645 EAP-Message = 0x0106004119001403010001011603010030294ac923e9c7ee0c1317386255a5314fed93bdb0072dd4a1f17f415ae73c7fcf9cf766a41acbf5cfd2efb8c7175c7bcd
Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9ce29ff8d1c3357e90aed9aa66af7cca Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=91, length=173 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x63027bb2608f1b908972d531373bde2e EAP-Message = 0x020600061900 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 State = 0x9ce29ff8d1c3357e90aed9aa66af7cca NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall[authorize]: module "files" returns notfound for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 91 to 192.168.20.4 port 1645 EAP-Message = 0x010700501900170301002028b8b716334e409d6941093bd92fde78c605f610518815d093df4b5de567bc481703010020aa5243bab5bb677ac1248b22a3c3469d1069bfbb38d31d829a3eaeb438d708a3
Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb7f85f0bfdaf582686c515bef2f8e139 Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=92, length=247 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0xe6cf0d19621b9acd7ad16f3e000e0f57 EAP-Message = 0x02070050190017030100209c304a7e5af6573629b8effb46b67e30c4770ead531f3d76451253ff5318efaa17030100207cf3dd4e003a6ec8108e24b8838364fd51eebb2e92459f76d33071a1bde600f7
NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 State = 0xb7f85f0bfdaf582686c515bef2f8e139 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 7 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall[authorize]: module "files" returns notfound for request 6 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - testradius rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled identity of testradius PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to testradius Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 7 length 15 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall[authorize]: module "files" returns notfound for request 6 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 92 to 192.168.20.4 port 1645 EAP-Message = 0x01080070190017030100203d185202b13b4febb5cc464d0b36377b81c831095d55011f9b6421cd28f4a43217030100405c277680c403d05e9c33482b001a6bc8c0eb28e221aed09fa965843bf26d689bae1f84df2d3c276ce32be058a876a9ea89e779235df581de93d77bc360b5c50a
Message-Authenticator = 0x00000000000000000000000000000000 State = 0x41c9a9d8a10b154234a868b611c49edd Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=93, length=311 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x54dbe70cf63e03e9b0e87a7ffb56f620 EAP-Message = 0x0208009019001703010020d57d28136594254ec829db59670b1142027f032a88e0ab4e339392d13036f97b170301006058d5a177e8bbd8b16da599810d51ee4032d4c9ffe4dc11c97015c32331df8aca4b8fb339af0377eafce00e7ee23dd7f3cf984d6af8a5a71162f3daecec2f1654852e1ecfec560aee33cb22c72b7a31d394456d9e1508051c75b1498e234182b7
NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 State = 0x41c9a9d8a10b154234a868b611c49edd NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 8 length 144 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 modcall[authorize]: module "files" returns notfound for request 7 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to testradius PEAP: Adding old state with 0e 6d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 8 length 69 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 modcall[authorize]: module "files" returns notfound for request 7 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 7 rlm_mschap: Told to do MS-CHAPv2 for testradius with NT-Password rlm_mschap: adding MS-CHAPv2 MPPE keys modcall[authenticate]: module "mschap" returns ok for request 7 modcall: leaving group MS-CHAP (returns ok) for request 7 MSCHAP Success modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 93 to 192.168.20.4 port 1645 EAP-Message = 0x010900801900170301002008739fac8dfedd4813968370d0fc326c59a8e74d8db02be5127a4de5e1f8697b17030100509bc8996b8c9173e78fc71777ec3bd5d4865b28c1d637047803876e08e95d1cbaaab70917fdbdae3691e9b6ec36edcedd48cd74607e54dc80aefc5bb87474fc1740d64e3b3db8bc8a6f0846bea8659ceb
Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe242737767a1d4a377058568d102c376 Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=94, length=247 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0xa84673f1253b4bb56d4067a2ee5a6007 EAP-Message = 0x0209005019001703010020b0205b783726a7e63c0dfbbc6e32dc9bf96f59dc53e711f8f5245fa3a767ca95170301002007f2dbd650ad2653a4b49a3006c8c7d977fd18e395d41732719fc83739aeedbe
NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 State = 0xe242737767a1d4a377058568d102c376 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 9 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 modcall[authorize]: module "files" returns notfound for request 8 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to testradius PEAP: Adding old state with 34 97 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 9 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 modcall[authorize]: module "files" returns notfound for request 8 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 8 modcall: leaving group authenticate (returns ok) for request 8 Login OK: [testradius/<no User-Password attribute>] (from client cn-radius port 289 cli 000c.f135.f1ba) PEAP: Tunneled authentication was successful. rlm_eap_peap: SUCCESS modcall[authenticate]: module "eap" returns handled for request 8 modcall: leaving group authenticate (returns handled) for request 8 Sending Access-Challenge of id 94 to 192.168.20.4 port 1645 EAP-Message = 0x010a005019001703010020dc74f623a748e6c82d95b4dc908f8831d572ebf662ebe3287f774a191d83c25717030100202b4207d67864ce764fe7fe0d17c29afc6da54a36fe11e961edde3c4f01ac4505
Message-Authenticator = 0x00000000000000000000000000000000 State = 0xafb670111e339beb53b8dcaa76cbe11c Finished request 8 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=95, length=247 User-Name = "testradius" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0xc45e189222dd876003933eb16e724bc4 EAP-Message = 0x020a005019001703010020a740106e429d51742e3dfe82eeb24d4df3511b9f061d8bc0ccd297532bb6fd29170301002001e0cc2468fcaa795254710a0a7ad1ed8d2e7e3d27727e8501f87739b9ee017c
NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "289" NAS-Port = 289 State = 0xafb670111e339beb53b8dcaa76cbe11c NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 modcall[authorize]: module "mschap" returns noop for request 9 rlm_realm: No '@' in User-Name = "testradius", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: EAP packet type response id 10 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 modcall[authorize]: module "files" returns notfound for request 9 rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius radius_xlat: '(uid=testradius)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=testradius) rlm_ldap: Added password testradius in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCisco-AVpair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 9 modcall: leaving group authorize (returns updated) for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Success rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 9 modcall: leaving group authenticate (returns ok) for request 9 Login OK: [testradius/<no User-Password attribute>] (from client ap-test-ivan port 289 cli 000c.f135.f1ba) Sending Access-Accept of id 95 to 192.168.20.4 port 1645 MS-MPPE-Recv-Key = 0x0b16dbbed96d2863ebde1df32222e6a8930a6876e2ae7e2c85288ae313d2cdc1 MS-MPPE-Send-Key = 0x429669acf3e571f6fb7b6fbce51ef9bbb8cd9678885f5c52ab5355ce43727c9c EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testradius" Finished request 9 Going to the next request Waking up in 6 seconds...
Antonio Matera <antonio.matera@create-net.it> a écrit :
ldap { server = "localhost" basedn = "dc=create-net,dc=org" password_attribute = userPassword start_tls = no ldap_connections_number = 5 }
You must use filter in Ldap module if you want check SSID. Youll make filter with uid and Cisco-AVPair. --------------------------------- Faites de Yahoo! votre page d'accueil sur le web pour retrouver directement vos services préférés : vérifiez vos nouveaux mails, lancez vos recherches et suivez l'actualité en temps réel. Cliquez ici.
Hi, thanks for the answer. I forgot my filter line in ldap module: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" How I have to insert in this string to add the ssid check? Where I insert the Cisco-AVPair check? Thanks, bye Antonio on 16/05/2006 14.06 ludovic cailleau said the following:
*/Antonio Matera <antonio.matera@create-net.it>/* a écrit :
ldap { server = "localhost" basedn = "dc=create-net,dc=org" password_attribute = userPassword start_tls = no ldap_connections_number = 5 }
You must use filter in Ldap module if you want check SSID. You’ll make filter with uid and Cisco-AVPair.
Hi fillter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusCiscoAVpair=%{Cisco-AVPair}))" regards Antonio Matera <antonio.matera@create-net.it> a écrit : Hi, thanks for the answer. I forgot my filter line in ldap module: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" How I have to insert in this string to add the ssid check? Where I insert the Cisco-AVPair check? Thanks, bye Antonio Ludovic Cailleau --------------------------------- Faites de Yahoo! votre page d'accueil sur le web pour retrouver directement vos services préférés : vérifiez vos nouveaux mails, lancez vos recherches et suivez l'actualité en temps réel. Cliquez ici.
Hi, thanks a lot for your answer. Your solution works fine but I don't understand some things: 1 - If I insert the Cisco-AVPair in the filter and I haven't this attribute in my ldap user, I can't authenticate it. Is it possible to check the ssid only if it is in the list of the ldap user attributes? 2 - With this solution the following row in the ldap.attrmap is not necessary: checkItem Cisco-AVPair radiusCiscoAVPair whitout it the filter authentication works. It is not possible to use the ldap.attrmap file to inser a check item? In this file I have inserted 3 replyItem: replyItem Tunnel-Medium-Type radiusTunnelMediumType replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId replyItem Tunnel-Type radiusTunnelType if I insert these three attribute in my ldap user they work without other configuration. Why the checkItem doesn't work? 3 - the last question is a little different: if I insert in the user file this row: DEFAULT Auth-Type := LDAP the authentication doesn't work. It is normal or I have some mistakes in my configuration? Thanks a lot Bye Antonio on 17/05/2006 9.02 ludovic cailleau said the following:
Hi
fillter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusCiscoAVpair=%{Cisco-AVPair}))"
regards
Ok, I dont be clear. The solution that I your given does not use the replyItem Tunnel-Medium-Type, Tunnel-Private-Group-Id, Tunnel-Type. My Ldap base contains attributes SSID for each users. Because my NAS sends its vendor-specific containing the SSID where wants to connect the users. And at each request for authentification, the module authorize (radiusd.conf) call Ldap (with the filter) to compare the `uid' and `SSID'. If the SSID sent by the NAS corresponds at the SSID stored in Ldap: freeradius sends accept, if not it sends a reject. But you want that it is the switch Cisco which redirects the user in such or such SSID according to SSID'S corresponding to the attributes Tunnel-Medium-Type, Tunnel-Private-Group-Id, Tunnel-Type.? I am sorry, but I had not understood this. Wat does it solution wish you? Ludovic Cailleau Antonio Matera <antonio.matera@create-net.it> a écrit : Hi, thanks a lot for your answer. Your solution works fine but I don't understand some things: 1 - If I insert the Cisco-AVPair in the filter and I haven't this attribute in my ldap user, I can't authenticate it. Is it possible to check the ssid only if it is in the list of the ldap user attributes? 2 - With this solution the following row in the ldap.attrmap is not necessary: checkItem Cisco-AVPair radiusCiscoAVPair whitout it the filter authentication works. It is not possible to use the ldap.attrmap file to inser a check item? In this file I have inserted 3 replyItem: replyItem Tunnel-Medium-Type radiusTunnelMediumType replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId replyItem Tunnel-Type radiusTunnelType if I insert these three attribute in my ldap user they work without other configuration. Why the checkItem doesn't work? 3 - the last question is a little different: if I insert in the user file this row: DEFAULT Auth-Type := LDAP the authentication doesn't work. It is normal or I have some mistakes in my configuration? Thanks a lot Bye Antonio Ludovic Cailleau --------------------------------- Faites de Yahoo! votre page d'accueil sur le web pour retrouver directement vos services préférés : vérifiez vos nouveaux mails, lancez vos recherches et suivez l'actualité en temps réel. Cliquez ici.
My Ldap base contains attributes SSID for each users. Because my NAS sends its vendor-specific containing the SSID where wants to connect the users. And at each request for authentification, the module authorize (radiusd.conf) call Ldap (with the filter) to compare the `uid' and `SSID'. If the SSID sent by the NAS corresponds at the SSID stored in Ldap: freeradius sends ‘accept’, if not it sends a ‘reject’.
But you want that it is the switch Cisco which redirects the user in such or such SSID according to SSID'S corresponding to the attributes Tunnel-Medium-Type, Tunnel-Private-Group-Id, Tunnel-Type.?
My solution is similar to yours, but I haven't SSID attributes for each users. I use the replyItem to redirect the user connection to the correct VLAN. But if the replyItem works, why I can't do a check of one attribute with the checkItem? what is wrong in my configuration? For example, if I use the user file authentication without ldap with this users: test2 Cisco-AVPair == "ssid=VLAN2", User-Password == "passwd2" Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 2, Tunnel-Type = VLAN test3 User-Password == "passwd3" Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 3, Tunnel-Type = VLAN test2 can connect to vlan2 only with ssid=VLAN2. test3 can connect to vlan3 with any ssid. This configuration works ed I want the same using only ldap module without user file. I hope that my explanation is clear. Bye Antonio
Yes, your explanation is clear. But I think that you must affect a default vlan at each user. Because the filter of ldap module is the same for each request and for your example the filter works for test2 but for test3 the Cisco-AVpair attributes is vacuum and its normal if he dont works. Sorry, but I have not other solution. Ludovic Cailleau Antonio Matera <antonio.matera@create-net.it> a écrit : test2 Cisco-AVPair == "ssid=VLAN2", User-Password == "passwd2" Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 2, Tunnel-Type = VLAN test3 User-Password == "passwd3" Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 3, Tunnel-Type = VLAN test2 can connect to vlan2 only with ssid=VLAN2. test3 can connect to vlan3 with any ssid. This configuration works ed I want the same using only ldap module without user file. I hope that my explanation is clear. Bye Antonio - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Ludovic Cailleau --------------------------------- Faites de Yahoo! votre page d'accueil sur le web pour retrouver directement vos services préférés : vérifiez vos nouveaux mails, lancez vos recherches et suivez l'actualité en temps réel. Cliquez ici.
participants (2)
-
Antonio Matera -
ludovic cailleau