problems with dynamic vlan assignment
Hi i m using freeradius 2.1.9 and i have some problems with making dynamic vlan assignment based on vlan. here what i have in my users file DEFAULT User-Category == "student" Reply-Message = "Your a member of the student Group", Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 902, Fall-Through = No DEFAULT User-Category == "employee" Reply-Message = "Your a member of the employee Group", Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 903, Fall-Through = No But as you can see in the following debug file my user is authenticated his radius item User-Category is employee but he never get the attributes of vlan in the request i should have miss somzthing in the config but i really don't know what it would if someone could help it would be nice of him thanks in advance Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 157.159.21.100 port 54360, id=0, length=156 User-Name = "anonymous@it-sudparis.eu" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200001d01616e6f6e796d6f75734069742d73756470617269732e6575 Message-Authenticator = 0x655a4cf276129e501708baa724ba2f45 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "it-sudparis.eu" for User-Name = "anonymous@it-sudparis.eu" [suffix] Found realm "it-sudparis.eu" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "it-sudparis.eu" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 0 length 29 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 157.159.21.100 port 54360 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcad2c248cad3dbc77d62ac2477a6a4d7 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 157.159.21.100 port 54360, id=1, length=267 User-Name = "anonymous@it-sudparis.eu" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0201007a198000000070160301006b0100006703014c913a474dd515c94c7a11b6c82fb05b485f0fb7ad9e99eea7d57dae2727462b00003a00390038008800870035008400160013000a00330032009a009900450044002f00960041000500040015001200090014001100080006000300ff0100000400230000 State = 0xcad2c248cad3dbc77d62ac2477a6a4d7 Message-Authenticator = 0x82417f0f4dca6902ac81a953b6b49945 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "it-sudparis.eu" for User-Name = "anonymous@it-sudparis.eu" [suffix] Found realm "it-sudparis.eu" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "it-sudparis.eu" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 1 length 122 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 112 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 006b], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0501], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 1 to 157.159.21.100 port 54360 EAP-Message = 0x0102040019c0000006d716030100310200002d03014c913a24c6bdba8fbaf1358e676eb8e8cd31103d42e65fcd42b43890a0cf78b9000039000005ff0100010016030105010b0004fd0004fa0004f7308204f3308203dba003020102021100e03d6494c48a6582b19e99ddbf443528300d06092a864886f70d01010505003036310b3009060355040613024e4c310f300d060355040a1306544552454e41311630140603550403130d544552454e412053534c204341301e170d3130303930393030303030305a170d3133303930383233353935395a3075310b3009060355040613024652310d300b060355040713044576727931283026060355040a EAP-Message = 0x0c1f54c3a96cc3a9636f6d2026204d616e6167656d656e74205375645061726973310d300b060355040b130444495349311e301c060355040313157261646975732e69742d73756470617269732e657530819f300d06092a864886f70d010101050003818d0030818902818100c55737ea4c14a7e16b93f65f6b9f672078e843bdbf1359e41f1a9dc14830eb2c1aeba9e90baa84a10ec41ccd24344f0b27d7ca8ca9580b7d0a41bcecf32b09ed5396b60c3fcbd9d0f386adee4d528bedeca7e5e5f497937966dcbbb0baeb703f9ca1e165c0cd713c8394eeac27108fa1d7d5abad255d50c7f886e56e067c4c2b0203010001a382023f3082023b301f06 EAP-Message = 0x03551d230418301680140cbd93680cf3deaba3496b2b375747ea90e3b9ed301d0603551d0e041604147380c4ebd5a0c9efd8be000147723c859656176b300e0603551d0f0101ff0404030205a0300c0603551d130101ff04023000301d0603551d250416301406082b0601050507030106082b0601050507030230180603551d200411300f300d060b2b06010401b2310102021d303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e7463732e746572656e612e6f72672f544552454e4153534c43412e63726c306d06082b060105050701010461305f303506082b060105050730028629687474703a2f2f6372742e7463732e EAP-Message = 0x746572656e612e6f72672f544552454e4153534c43412e637274302606082b06010505073001861a687474703a2f2f6f6373702e7463732e746572656e612e6f72673081f60603551d110481ee3081eb82157261646975732e69742d73756470617269732e65758213617574682e69742d73756470617269732e65758212617574682e74656c65636f6d2d656d2e65758218617574682e74656c65636f6d2d73756470617269732e65758216656475726f616d2e69742d73756470617269732e65758215656475726f616d2e74656c65636f6d2d656d2e6575821b656475726f616d2e74656c65636f6d2d73756470617269732e657582157261646669 EAP-Message = 0x6c7475782e696e742d657672 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcad2c248cbd0dbc77d62ac2477a6a4d7 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 157.159.21.100 port 54360, id=2, length=151 User-Name = "anonymous@it-sudparis.eu" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200061900 State = 0xcad2c248cbd0dbc77d62ac2477a6a4d7 Message-Authenticator = 0xe739f49b077f5fe66833b1c06c6aa246 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "it-sudparis.eu" for User-Name = "anonymous@it-sudparis.eu" [suffix] Found realm "it-sudparis.eu" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "it-sudparis.eu" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 157.159.21.100 port 54360 EAP-Message = 0x010302e71900792e6672821872616466696c7475782e69742d73756470617269732e657582127261646975732e696e742d657672792e6672300d06092a864886f70d01010505000382010100981110a5a967ab5239ad83c6cc8a052e076b549711efbfd8a1849832633cc3c1d320e78b73df288e2be7e1db2849caea0d08447cb4d6a5c861a2e8f2c522388795b9e0c0a67cf23e28e6ede9ab76d61030fe4d4728ca4a2aa009f027ee71029f0ed72a124e4b0d6d5780eedeb7366b66a944f399d040652561bb82898163a273c8cc84f00c5ff323f3eeaefbf0901d889f88250f40ec69738d14807c44a0bcc1188849cd50ca19ab2b68f9b0a20b5f9e1d EAP-Message = 0xb494542aa9f68a6458324fe737befaad83e80dfe79accb5468b7a16add16b138ce64eca73c7b8bdc6ac7e509623dd1416e58e2e66b0eb20f581c69f8ab66daeb745ba875d98c2e9e5b4c9227cad3d7160301018d0c0001890080e65ec2fd868598b9e50b7a44362e8377790373dd047b7e26e1aee4c5fc8ec05662adb9fdef3963c5829b6d126c3f8c55e633e870b773163b4308aa305e3dc6cabcdc3e0133addd332b35b98f57e201174f1217e27ea2d3dad122897d90ae8df27cfee20a17880976f4bfda7aa37f97d80e3048d766a7c314e2d25611836b698300010200809d4a3e7def72f63446bc291600b35fd7866651354389b6dcbf96c787a6a4 EAP-Message = 0x66ecbe55ed6ba388aa4899548001a777f0a2faf056dafd96c46f2cec581c53c34dea87dc6dc8b2b67c871891044e2a8ab8e88e58b4126c59bb62f1085c1c332fbb3750970f7dd208c76cd69cf7a2fcd413fa55b091960d5c14d91f9dbd046353a4bc00804f3b061d2054dd3a82a28085b92cb1815b48323acdd863da4d6bd13014d7013e044a5a88feaa98d886d6d9619054c15f7e8b3d3dbc7d556f259b17993cc9834875223555107d0e3292f6b21a8e3f0072fadda38d5b644eba9a34e942b81a036e747875f369a9de4dad45b5c86a212ff6b8b11ba553c6317b17bc74c807a8635a16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcad2c248c8d1dbc77d62ac2477a6a4d7 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 157.159.21.100 port 54360, id=3, length=353 User-Name = "anonymous@it-sudparis.eu" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300d01980000000c616030100861000008200801514cc8cef421b9251bf1f6f7c646d816d5b2254643002e1daba2843c2d9dbe6bebf083ab05ffbfc72928ad595a9ac8bba8e8265abfb5dcd92cadbcad419ada21df214eebc010828408f5000258dd841343c4f056d0135b7f4155368a7a71ee4a5d4f7ef974084404ccce579a2d04a6c59c5dc0944eedce2f45279c6739a927514030100010116030100304fcfcb5a0aaa9d0205a9a8a007488ffd1ca740968a757ec27fe5f91290ac662df2628e3545cdc6f8b91978a18c58799b State = 0xcad2c248c8d1dbc77d62ac2477a6a4d7 Message-Authenticator = 0x1cc3c284b278964dbab9cd7ad5709711 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "it-sudparis.eu" for User-Name = "anonymous@it-sudparis.eu" [suffix] Found realm "it-sudparis.eu" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "it-sudparis.eu" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 3 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 157.159.21.100 port 54360 EAP-Message = 0x0104004119001403010001011603010030482e3d1d05e8d58e4731a13bd683be33e5acb5d9407e5c200cdb7ee466c7d7a97a798b9ff29acef48814300adfc28d76 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcad2c248c9d6dbc77d62ac2477a6a4d7 Finished request 3. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 157.159.21.100 port 54360, id=4, length=151 User-Name = "anonymous@it-sudparis.eu" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 State = 0xcad2c248c9d6dbc77d62ac2477a6a4d7 Message-Authenticator = 0xab8b466de748a32884881aedd0cf14ef +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "it-sudparis.eu" for User-Name = "anonymous@it-sudparis.eu" [suffix] Found realm "it-sudparis.eu" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "it-sudparis.eu" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 4 to 157.159.21.100 port 54360 EAP-Message = 0x0105002b19001703010020b2fd227a527903cc82e50d617a832244f7311b1458336ee185e9d8ee80aa6253 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcad2c248ced7dbc77d62ac2477a6a4d7 Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 157.159.21.100 port 54360, id=5, length=225 User-Name = "anonymous@it-sudparis.eu" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020500501900170301002002602c7db9a8fef22b9476f78b9034f00ec1aa4a84ffd12bb66b175278593b6f1703010020da03a9cf77e5f9050a0ef374989e7dcd54d8a8b3f7e8df59f2d13889f7397836 State = 0xcad2c248ced7dbc77d62ac2477a6a4d7 Message-Authenticator = 0x7d1bb565a68021a8e14e1b76d6e05d4e +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "it-sudparis.eu" for User-Name = "anonymous@it-sudparis.eu" [suffix] Found realm "it-sudparis.eu" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "it-sudparis.eu" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 5 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - doutrele [peap] Got tunneled request EAP-Message = 0x0205000d01646f757472656c65 server { PEAP: Got tunneled identity of doutrele PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to doutrele Sending tunneled request EAP-Message = 0x0205000d01646f757472656c65 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "doutrele" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "doutrele", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "doutrele" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 5 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for doutrele [ldap] expand: %{Stripped-User-Name} -> doutrele [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=doutrele) [ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to ldapdev.int-evry.fr:389, authentication 0 [ldap] bind as cn=admin,dc=int-evry,dc=fr/admldap to ldapdev.int-evry.fr:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele) [ldap] looking for check items in directory... [ldap] sambaNtPassword -> NT-Password == 0x3846343134354531463530334232353337443430363846343942363633434143 [ldap] sambaLmPassword -> LM-Password == 0x4434413632394242394536303843323438423045413541374446313335423033 [ldap] looking for reply items in directory... [ldap] eduPersonPrimaryAffiliation -> User-Category = "employee" WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user doutrele authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 User-Category = "employee" EAP-Message = 0x010600221a0106001d10772702eafa9c1ba832502c45eff3eb34646f757472656c65 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd5ae7b1bd5cfd560e8d64f9174929bb [peap] Got tunneled reply RADIUS code 11 User-Category = "employee" EAP-Message = 0x010600221a0106001d10772702eafa9c1ba832502c45eff3eb34646f757472656c65 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd5ae7b1bd5cfd560e8d64f9174929bb [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 5 to 157.159.21.100 port 54360 EAP-Message = 0x0106004b190017030100400c86e6dc207e2cc7603991c7a1ca4e9e4c93e74004010a6fb62efdaec1e55783fef484c83973c964c31d5ee8d31d773625345fab5aa74c4f53c6becd0f1dcbcf Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcad2c248cfd4dbc77d62ac2477a6a4d7 Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 157.159.21.100 port 54360, id=6, length=289 User-Name = "anonymous@it-sudparis.eu" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0206009019001703010020c49c71ba6a0ad62564b8a94ee33c3233374ee4e20affb6377e64d687bbc939b11703010060248cc1e2e0c15c8f8cc4500d3de900956d807d60cf18be6450c81a1998f59938229ed4130b8b70b590d382f72420941d775beb2d95db65aeb961c0e5b936fc801a7d6aa5ed180878c2f6f34cc69538fe90c72b9f40085fdcf23881d2201c2112 State = 0xcad2c248cfd4dbc77d62ac2477a6a4d7 Message-Authenticator = 0x748598f4105e6fd40ff0f2d220aa3eb9 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "it-sudparis.eu" for User-Name = "anonymous@it-sudparis.eu" [suffix] Found realm "it-sudparis.eu" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "it-sudparis.eu" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 6 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020600431a0206003e31ad80725308b05eb4b1a1c08cf773d7600000000000000000e09cf3637ec00ccc4fb3fc2ed07bdd7e96e434c654ebaf3a00646f757472656c65 server { PEAP: Setting User-Name to doutrele Sending tunneled request EAP-Message = 0x020600431a0206003e31ad80725308b05eb4b1a1c08cf773d7600000000000000000e09cf3637ec00ccc4fb3fc2ed07bdd7e96e434c654ebaf3a00646f757472656c65 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "doutrele" State = 0xbd5ae7b1bd5cfd560e8d64f9174929bb server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "doutrele", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "doutrele" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 6 length 67 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for doutrele [ldap] expand: %{Stripped-User-Name} -> doutrele [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=doutrele) [ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele) [ldap] looking for check items in directory... [ldap] sambaNtPassword -> NT-Password == 0x3846343134354531463530334232353337443430363846343942363633434143 [ldap] sambaLmPassword -> LM-Password == 0x4434413632394242394536303843323438423045413541374446313335423033 [ldap] looking for reply items in directory... [ldap] eduPersonPrimaryAffiliation -> User-Category = "employee" WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user doutrele authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Found LM-Password [mschap] Found NT-Password [mschap] Told to do MS-CHAPv2 for doutrele with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 User-Category = "employee" EAP-Message = 0x010700331a0306002e533d37424233333344414638344334353234373345434636363634343638453932333837444536463846 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd5ae7b1bc5dfd560e8d64f9174929bb [peap] Got tunneled reply RADIUS code 11 User-Category = "employee" EAP-Message = 0x010700331a0306002e533d37424233333344414638344334353234373345434636363634343638453932333837444536463846 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd5ae7b1bc5dfd560e8d64f9174929bb [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 6 to 157.159.21.100 port 54360 EAP-Message = 0x0107005b19001703010050ec249a0c4d32e6def6e9aeb3357a17a1d09b28cc525ab8723d6a2ae20fd7066a17d11f6659d0806edeea86ed0f931d84abdc0b63571700eada94ce21112c405cdbf3505898e13ac6648737fe3a98faf4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcad2c248ccd5dbc77d62ac2477a6a4d7 Finished request 6. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 157.159.21.100 port 54360, id=7, length=225 User-Name = "anonymous@it-sudparis.eu" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0207005019001703010020dd3585a2fd072451d06cbff7c672598a7828eeb3ca9906009627abdd66e07bee170301002065a6b4951d3a3c4bf66102b8d2cded42880a5980ccbc9f6876b82f9d4b5f4c57 State = 0xcad2c248ccd5dbc77d62ac2477a6a4d7 Message-Authenticator = 0x0198edb8c100054204965aff380de732 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "it-sudparis.eu" for User-Name = "anonymous@it-sudparis.eu" [suffix] Found realm "it-sudparis.eu" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "it-sudparis.eu" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 7 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700061a03 server { PEAP: Setting User-Name to doutrele Sending tunneled request EAP-Message = 0x020700061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "doutrele" State = 0xbd5ae7b1bc5dfd560e8d64f9174929bb server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "doutrele", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "doutrele" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 7 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for doutrele [ldap] expand: %{Stripped-User-Name} -> doutrele [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=doutrele) [ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele) [ldap] looking for check items in directory... [ldap] sambaNtPassword -> NT-Password == 0x3846343134354531463530334232353337443430363846343942363633434143 [ldap] sambaLmPassword -> LM-Password == 0x4434413632394242394536303843323438423045413541374446313335423033 [ldap] looking for reply items in directory... [ldap] eduPersonPrimaryAffiliation -> User-Category = "employee" WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user doutrele authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++[files] returns noop } # server inner-tunnel [peap] Got tunneled reply code 2 User-Category = "employee" EAP-Message = 0x03070004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "doutrele" [peap] Got tunneled reply RADIUS code 2 User-Category = "employee" EAP-Message = 0x03070004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "doutrele" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 7 to 157.159.21.100 port 54360 EAP-Message = 0x0108002b19001703010020929b1abc3e1705cbf933e7e801a5354ae3a6f3399037480a464f2a2550b98f7f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcad2c248cddadbc77d62ac2477a6a4d7 Finished request 7. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 157.159.21.100 port 54360, id=8, length=225 User-Name = "anonymous@it-sudparis.eu" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02080050190017030100207ec1199edf4cf1834a3e8e7a858fff1a28c3ce3cf2b04ac072813cc2f3c90f67170301002030bcc0f7c0addcc364b1dbef6349769ec9e4200c23e3092502c65ec6c64f3ab4 State = 0xcad2c248cddadbc77d62ac2477a6a4d7 Message-Authenticator = 0x356e2d5f5a5a58689d1111a18270f65a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "it-sudparis.eu" for User-Name = "anonymous@it-sudparis.eu" [suffix] Found realm "it-sudparis.eu" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "it-sudparis.eu" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 8 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 8 to 157.159.21.100 port 54360 MS-MPPE-Recv-Key = 0x22d62fec650e593576a03a40cbcad77e540cdd3ba53b4a757d5c469cb40d1d15 MS-MPPE-Send-Key = 0xc1d6f7b5504b2595ce899f1cb2e0abfb68fe5224695c9d3b7157cdd5727ed058 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "anonymous" Finished request 8. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 157.159.21.100 port 54360, id=9, length=156 User-Name = "anonymous@it-sudparis.eu" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200001d01616e6f6e796d6f75734069742d73756470617269732e6575 Message-Authenticator = 0x209c9f1654d33cc3294474a7f994cfb7 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "it-sudparis.eu" for User-Name = "anonymous@it-sudparis.eu" [suffix] Found realm "it-sudparis.eu" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "it-sudparis.eu" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 0 length 29 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 9 to 157.159.21.100 port 54360 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x268659fd268740823ac0ee159d033676 Finished request 9. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 157.159.21.100 port 54360, id=10, length=267 User-Name = "anonymous@it-sudparis.eu" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0201007a198000000070160301006b0100006703014c913a477d4a75e0cddafcb5987734716c23a52fbbbcb4ba3c65ede4ef78fee800003a00390038008800870035008400160013000a00330032009a009900450044002f00960041000500040015001200090014001100080006000300ff0100000400230000 State = 0x268659fd268740823ac0ee159d033676 Message-Authenticator = 0x1a5b6f8f646acb964649c60dd57e8503 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "it-sudparis.eu" for User-Name = "anonymous@it-sudparis.eu" [suffix] Found realm "it-sudparis.eu" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "it-sudparis.eu" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 1 length 122 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 112 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 006b], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0501], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 10 to 157.159.21.100 port 54360 EAP-Message = 0x0102040019c0000006d716030100310200002d03014c913a248cf8b802e852566db88e91550ceb93e3316b48d3f714169b2b013d83000039000005ff0100010016030105010b0004fd0004fa0004f7308204f3308203dba003020102021100e03d6494c48a6582b19e99ddbf443528300d06092a864886f70d01010505003036310b3009060355040613024e4c310f300d060355040a1306544552454e41311630140603550403130d544552454e412053534c204341301e170d3130303930393030303030305a170d3133303930383233353935395a3075310b3009060355040613024652310d300b060355040713044576727931283026060355040a EAP-Message = 0x0c1f54c3a96cc3a9636f6d2026204d616e6167656d656e74205375645061726973310d300b060355040b130444495349311e301c060355040313157261646975732e69742d73756470617269732e657530819f300d06092a864886f70d010101050003818d0030818902818100c55737ea4c14a7e16b93f65f6b9f672078e843bdbf1359e41f1a9dc14830eb2c1aeba9e90baa84a10ec41ccd24344f0b27d7ca8ca9580b7d0a41bcecf32b09ed5396b60c3fcbd9d0f386adee4d528bedeca7e5e5f497937966dcbbb0baeb703f9ca1e165c0cd713c8394eeac27108fa1d7d5abad255d50c7f886e56e067c4c2b0203010001a382023f3082023b301f06 EAP-Message = 0x03551d230418301680140cbd93680cf3deaba3496b2b375747ea90e3b9ed301d0603551d0e041604147380c4ebd5a0c9efd8be000147723c859656176b300e0603551d0f0101ff0404030205a0300c0603551d130101ff04023000301d0603551d250416301406082b0601050507030106082b0601050507030230180603551d200411300f300d060b2b06010401b2310102021d303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e7463732e746572656e612e6f72672f544552454e4153534c43412e63726c306d06082b060105050701010461305f303506082b060105050730028629687474703a2f2f6372742e7463732e EAP-Message = 0x746572656e612e6f72672f544552454e4153534c43412e637274302606082b06010505073001861a687474703a2f2f6f6373702e7463732e746572656e612e6f72673081f60603551d110481ee3081eb82157261646975732e69742d73756470617269732e65758213617574682e69742d73756470617269732e65758212617574682e74656c65636f6d2d656d2e65758218617574682e74656c65636f6d2d73756470617269732e65758216656475726f616d2e69742d73756470617269732e65758215656475726f616d2e74656c65636f6d2d656d2e6575821b656475726f616d2e74656c65636f6d2d73756470617269732e657582157261646669 EAP-Message = 0x6c7475782e696e742d657672 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x268659fd278440823ac0ee159d033676 Finished request 10. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 157.159.21.100 port 54360, id=11, length=151 User-Name = "anonymous@it-sudparis.eu" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200061900 State = 0x268659fd278440823ac0ee159d033676 Message-Authenticator = 0x67328520e6fdbf6163942511315364f2 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "it-sudparis.eu" for User-Name = "anonymous@it-sudparis.eu" [suffix] Found realm "it-sudparis.eu" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "it-sudparis.eu" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 11 to 157.159.21.100 port 54360 EAP-Message = 0x010302e71900792e6672821872616466696c7475782e69742d73756470617269732e657582127261646975732e696e742d657672792e6672300d06092a864886f70d01010505000382010100981110a5a967ab5239ad83c6cc8a052e076b549711efbfd8a1849832633cc3c1d320e78b73df288e2be7e1db2849caea0d08447cb4d6a5c861a2e8f2c522388795b9e0c0a67cf23e28e6ede9ab76d61030fe4d4728ca4a2aa009f027ee71029f0ed72a124e4b0d6d5780eedeb7366b66a944f399d040652561bb82898163a273c8cc84f00c5ff323f3eeaefbf0901d889f88250f40ec69738d14807c44a0bcc1188849cd50ca19ab2b68f9b0a20b5f9e1d EAP-Message = 0xb494542aa9f68a6458324fe737befaad83e80dfe79accb5468b7a16add16b138ce64eca73c7b8bdc6ac7e509623dd1416e58e2e66b0eb20f581c69f8ab66daeb745ba875d98c2e9e5b4c9227cad3d7160301018d0c0001890080e65ec2fd868598b9e50b7a44362e8377790373dd047b7e26e1aee4c5fc8ec05662adb9fdef3963c5829b6d126c3f8c55e633e870b773163b4308aa305e3dc6cabcdc3e0133addd332b35b98f57e201174f1217e27ea2d3dad122897d90ae8df27cfee20a17880976f4bfda7aa37f97d80e3048d766a7c314e2d25611836b698300010200806312b064d432faa984ffa915f8cb2088a7285974a96135d68dce37a85701 EAP-Message = 0x357443dafae946cb8583e130e0352ebc0209678bd9615b4ea9b19c9f3300d86087c38a2e32f9ace7053804c11b9639ee62a32642357df913fad79ee9f8767d3101f039c272436c0d9fd6f0127a36bfa3f15c1f7c05e5964dc49edccbc07e430fdc86008096ff6f76a0017fcdcd2b9f49571f9329f5e2646407cd5ca2ad5a107f40fce50309a4bfd7f301bd26da8e7a287862684c06a5c5d91bf179a6652676f55f51d8303361a3b5c06acc228f0c1a88b5c8d85e159d9c769c5fe3db2c365d26ddfbe63acca015129d6d4f3441ca010c5f48e6f626e3456fd5ee90231cfd9eeb46c2996f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x268659fd248540823ac0ee159d033676 Finished request 11. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 157.159.21.100 port 54360, id=12, length=353 User-Name = "anonymous@it-sudparis.eu" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300d01980000000c61603010086100000820080a532d539c23b716fd99967cca03ca383b4a9964c07b863f5fecfc9cb854a72e079b4d045665f5675f4dc03d8565282bad8fef82e912a5b031f148cf90234bbc92e5ffcacbbfc4d7e91477bae66bd95e22f465b530fbb0017da53cfb69b8c95da7114ad1900cab4e19e4cbcad18209735266a33114bf75efc04082f5d23239a55140301000101160301003098dc3a9750d9b3e46edeabed8465d9f021a3de531ebd757475c7720e075e003bdb6601a68070fdd3a9d24a01210a255c State = 0x268659fd248540823ac0ee159d033676 Message-Authenticator = 0xe7361cb0dcb8744cd2e3c79a1e3397e3 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "it-sudparis.eu" for User-Name = "anonymous@it-sudparis.eu" [suffix] Found realm "it-sudparis.eu" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "it-sudparis.eu" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 3 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 12 to 157.159.21.100 port 54360 EAP-Message = 0x01040041190014030100010116030100305434b4505f9e38783bce6ccd9077ed706c6136fb44420c636820a7462bdce7ea959c6ea9c4fb093604e78cb213722a2c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x268659fd258240823ac0ee159d033676 Finished request 12. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 157.159.21.100 port 54360, id=13, length=151 User-Name = "anonymous@it-sudparis.eu" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 State = 0x268659fd258240823ac0ee159d033676 Message-Authenticator = 0x71d88f3eff06b67f64686e7dd6fb475b +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "it-sudparis.eu" for User-Name = "anonymous@it-sudparis.eu" [suffix] Found realm "it-sudparis.eu" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "it-sudparis.eu" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 13 to 157.159.21.100 port 54360 EAP-Message = 0x0105002b19001703010020c27c36e26c7a210558ff69f8b13b888aef215bbf2ce97d69f4cb0521433b0a6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x268659fd228340823ac0ee159d033676 Finished request 13. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 157.159.21.100 port 54360, id=14, length=225 User-Name = "anonymous@it-sudparis.eu" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020500501900170301002068a3b06ae07eae4e0dc0a06ed9af4fc0cdebf4128489b7e45bab1c7f20cf79691703010020ab74a837a52917a8caafedeae7a26271f80d3d9c97e539eddc779d2c7b0ab546 State = 0x268659fd228340823ac0ee159d033676 Message-Authenticator = 0xbc0903a9455d85bc3717e62e28cc713a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "it-sudparis.eu" for User-Name = "anonymous@it-sudparis.eu" [suffix] Found realm "it-sudparis.eu" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "it-sudparis.eu" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 5 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - doutrele [peap] Got tunneled request EAP-Message = 0x0205000d01646f757472656c65 server { PEAP: Got tunneled identity of doutrele PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to doutrele Sending tunneled request EAP-Message = 0x0205000d01646f757472656c65 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "doutrele" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "doutrele", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "doutrele" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 5 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for doutrele [ldap] expand: %{Stripped-User-Name} -> doutrele [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=doutrele) [ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele) [ldap] looking for check items in directory... [ldap] sambaNtPassword -> NT-Password == 0x3846343134354531463530334232353337443430363846343942363633434143 [ldap] sambaLmPassword -> LM-Password == 0x4434413632394242394536303843323438423045413541374446313335423033 [ldap] looking for reply items in directory... [ldap] eduPersonPrimaryAffiliation -> User-Category = "employee" WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user doutrele authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 User-Category = "employee" EAP-Message = 0x010600221a0106001d10a246c3c6516b9d77ea1d3015a7a84abb646f757472656c65 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb69c907bb69a8aaa3577bd2d0d1d3df6 [peap] Got tunneled reply RADIUS code 11 User-Category = "employee" EAP-Message = 0x010600221a0106001d10a246c3c6516b9d77ea1d3015a7a84abb646f757472656c65 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb69c907bb69a8aaa3577bd2d0d1d3df6 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 14 to 157.159.21.100 port 54360 EAP-Message = 0x0106004b19001703010040c9ce0f68b431ebd559ed9175c87b80c001d5c5c4269aa5a0da2615fa72da470cf0641e9f5505789cd55c146b11b90bc11cae625a450a5b5cadc16e3540b1e52c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x268659fd238040823ac0ee159d033676 Finished request 14. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 157.159.21.100 port 54360, id=15, length=289 User-Name = "anonymous@it-sudparis.eu" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0206009019001703010020597cb64242f127a633edf6d83d9f753ad475e95f379a7a1efdc0d7dd62776011170301006090b9ad6ba6fa6c3042576000705030c6afed7e1d1dec688985936692dedd820826a1ceb87fa6867d05c7b7bc67f49c73338f2309f538172daddaf15656cef2172c77db8da21d259b53e7e8f9dbbab4282754f556c079b04defe4c92ce4374818 State = 0x268659fd238040823ac0ee159d033676 Message-Authenticator = 0x7d1093b42b7c313f5eb3aaad4e29921e +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "it-sudparis.eu" for User-Name = "anonymous@it-sudparis.eu" [suffix] Found realm "it-sudparis.eu" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "it-sudparis.eu" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 6 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020600431a0206003e310cc550d72183ae211d145eb7177df37000000000000000002fcfa8c1e0adf00cb92ed7a9aa47cc7b5f28dc099c500ad500646f757472656c65 server { PEAP: Setting User-Name to doutrele Sending tunneled request EAP-Message = 0x020600431a0206003e310cc550d72183ae211d145eb7177df37000000000000000002fcfa8c1e0adf00cb92ed7a9aa47cc7b5f28dc099c500ad500646f757472656c65 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "doutrele" State = 0xb69c907bb69a8aaa3577bd2d0d1d3df6 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "doutrele", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "doutrele" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 6 length 67 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for doutrele [ldap] expand: %{Stripped-User-Name} -> doutrele [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=doutrele) [ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele) [ldap] looking for check items in directory... [ldap] sambaNtPassword -> NT-Password == 0x3846343134354531463530334232353337443430363846343942363633434143 [ldap] sambaLmPassword -> LM-Password == 0x4434413632394242394536303843323438423045413541374446313335423033 [ldap] looking for reply items in directory... [ldap] eduPersonPrimaryAffiliation -> User-Category = "employee" WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user doutrele authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Found LM-Password [mschap] Found NT-Password [mschap] Told to do MS-CHAPv2 for doutrele with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 User-Category = "employee" EAP-Message = 0x010700331a0306002e533d33303532464242454231393239443232383846343545353937433343453944383146344642363543 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb69c907bb79b8aaa3577bd2d0d1d3df6 [peap] Got tunneled reply RADIUS code 11 User-Category = "employee" EAP-Message = 0x010700331a0306002e533d33303532464242454231393239443232383846343545353937433343453944383146344642363543 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb69c907bb79b8aaa3577bd2d0d1d3df6 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 15 to 157.159.21.100 port 54360 EAP-Message = 0x0107005b19001703010050e632c5330ad9f069d55ce38adf081de60ffff8938c3878638e7f5099feb365b46747f065e913f9aa378b80d67149abad23532bc66a0b54fb9cdfb6c1d55deb1315b640f0bff8492abc792a5f3e6c36a1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x268659fd208140823ac0ee159d033676 Finished request 15. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 157.159.21.100 port 54360, id=16, length=225 User-Name = "anonymous@it-sudparis.eu" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02070050190017030100205537c71649b782859d409fc6d9470580de6ea4ff25c7d8f29b7b3474d87f4e9a17030100203bc3e97a5dab221d36cfef355c2e12f1397b296ca95c9eca15bdf19251ff5f2a State = 0x268659fd208140823ac0ee159d033676 Message-Authenticator = 0xb76c598918241bc7970283f80dae8b9f +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "it-sudparis.eu" for User-Name = "anonymous@it-sudparis.eu" [suffix] Found realm "it-sudparis.eu" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "it-sudparis.eu" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 7 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700061a03 server { PEAP: Setting User-Name to doutrele Sending tunneled request EAP-Message = 0x020700061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "doutrele" State = 0xb69c907bb79b8aaa3577bd2d0d1d3df6 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "doutrele", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "doutrele" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 7 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for doutrele [ldap] expand: %{Stripped-User-Name} -> doutrele [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=doutrele) [ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele) [ldap] looking for check items in directory... [ldap] sambaNtPassword -> NT-Password == 0x3846343134354531463530334232353337443430363846343942363633434143 [ldap] sambaLmPassword -> LM-Password == 0x4434413632394242394536303843323438423045413541374446313335423033 [ldap] looking for reply items in directory... [ldap] eduPersonPrimaryAffiliation -> User-Category = "employee" WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user doutrele authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++[files] returns noop } # server inner-tunnel [peap] Got tunneled reply code 2 User-Category = "employee" EAP-Message = 0x03070004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "doutrele" [peap] Got tunneled reply RADIUS code 2 User-Category = "employee" EAP-Message = 0x03070004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "doutrele" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 16 to 157.159.21.100 port 54360 EAP-Message = 0x0108002b190017030100201bc2994f26ea599852815a48852b623a8a708485dfd96258e03a85adf942b362 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x268659fd218e40823ac0ee159d033676 Finished request 16. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 157.159.21.100 port 54360, id=17, length=225 User-Name = "anonymous@it-sudparis.eu" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02080050190017030100201b6bb71d045bbd397aab6948baac2fb2b76c4195d9654d7f29ff68628e26524b1703010020090ab9ed9dcd6032948f868e18f79c4e4befd935c4bf295f70ad0370772a986e State = 0x268659fd218e40823ac0ee159d033676 Message-Authenticator = 0x77d82030e53af4f2c9b848972bae2188 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "it-sudparis.eu" for User-Name = "anonymous@it-sudparis.eu" [suffix] Found realm "it-sudparis.eu" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "it-sudparis.eu" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 8 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 17 to 157.159.21.100 port 54360 MS-MPPE-Recv-Key = 0x4dd99a0dc82263a2c33055682f321f5c8f87b27b19da448cf0854ded5f242689 MS-MPPE-Send-Key = 0x996340b45c88e53f2dd54aff5270ad77d58d66b608cfb312c7c824dfe0dcef65 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "anonymous" Finished request 17. Going to the next request Waking up in 4.2 seconds.
Hi,
vlan assignment based on vlan.
here what i have in my users file
DEFAULT User-Category == "student" Reply-Message = "Your a member of the student Group", Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 902, Fall-Through = No
DEFAULT User-Category == "employee" Reply-Message = "Your a member of the employee Group", Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 903, Fall-Through = No
your example was employee, which is the second on this list. just a hunch but I think you need to have Fall-Through = Yes for DEFAULT entries to fall through to other DEFAULT options. the doc: # Note that DEFAULT entries can also Fall-Through (see first entry). # A name-value pair from a DEFAULT entry will _NEVER_ override # an already existing name-value pair. alan
Eric Doutreleau <Eric.Doutreleau@it-sudparis.eu> wrote:
i m using freeradius 2.1.9 and i have some problems with making dynamic vlan assignment based on vlan.
here what i have in my users file
DEFAULT User-Category == "student" Reply-Message = "Your a member of the student Group", Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 902, Fall-Through = No
DEFAULT User-Category == "employee" Reply-Message = "Your a member of the employee Group", Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 903, Fall-Through = No
Eugh, do not do this, use the following sort of thing instead: ---- DEFAULT Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-Id = 901, <---- 'unauthorised' Fall-Through = Yes DEFAULT User-Category == "student" Tunnel-Private-Group-Id = 902 <---- 'student' DEFAULT User-Category == "employee" Tunnel-Private-Group-Id = 903 <---- 'employee' ----
But as you can see in the following debug file my user is authenticated his radius item User-Category is employee but he never get the attributes of vlan in the request
Looks like you need to flip the order of 'files' and 'eap' around as it is your eap (from the PEAP method) module that sets 'User-Category' however you are calling 'files' *before* User-Category is set. Remember that the 'inner-auth' virtual server is a *unique* instance to your outer layer so 'User-Category' might be defined but only on the outside whilst it looks like you are calling 'files' *inside*. Cheers -- Alexander Clouter .sigmonster says: Preserve Wildlife! Throw a party today!
Hi alexander Le 16/09/2010 00:31, Alexander Clouter a écrit :
Remember that the 'inner-auth' virtual server is a *unique* instance to your outer layer so 'User-Category' might be defined but only on the outside whilst it looks like you are calling 'files' *inside*.
Cheers
Well I understand what you mean but i have some difficulties to traduce that in my configuration file. Yes i m have in my inner-tunnel file the lines authorize { chap mschap unix suffix update control { Proxy-To-Realm := LOCAL } eap { ok = return } ldap files expiration logintime pap } but how can i call it "outside"? i m a bit lost
well i though i have found the answer i m not sure if it s the right way to do in the section of peap of the eap file i had use_tunneled_reply = yes Le 16/09/2010 13:22, Eric Doutreleau a écrit :
Hi alexander
Le 16/09/2010 00:31, Alexander Clouter a écrit :
Remember that the 'inner-auth' virtual server is a *unique* instance to your outer layer so 'User-Category' might be defined but only on the outside whilst it looks like you are calling 'files' *inside*.
Cheers
Well I understand what you mean but i have some difficulties to traduce that in my configuration file.
Yes i m have in my inner-tunnel file the lines authorize { chap mschap unix suffix update control { Proxy-To-Realm := LOCAL } eap { ok = return } ldap files expiration logintime pap }
but how can i call it "outside"? i m a bit lost - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to ldapdev.int-evry.fr:389, authentication 0 [ldap] bind as cn=admin,dc=int-evry,dc=fr/admldap to ldapdev.int-evry.fr:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele) [ldap] looking for check items in directory... [ldap] sambaNtPassword -> NT-Password == 0x3846343134354531463530334232353337443430363846343942363633434143 [ldap] sambaLmPassword -> LM-Password == 0x4434413632394242394536303843323438423045413541374446313335423033 [ldap] looking for reply items in directory... [ldap] eduPersonPrimaryAffiliation -> User-Category = "employee"
Two issues; first, as above you're adding the User-Category item from LDAP into the reply list, but the "files" syntax doesn't (can't) match items in the reply this. This: DEFAULT User-Category == "employee" means "match all request with the attribute User-Category == employee in the *request* items" Secondly, I think you're running LDAP after "files", so even if it could match, it would not. Try something like this in sites-available/inner-tunnel: authorize { ... ldap if (reply:User-Category == employee) { update reply { Tunnel-Private-Group-Id := 1234 } } elsif (reply:User-Category == ...) { } } Or, modify your ldap.attrmap to put the User-Category into the request items (assuming your NAS doesn't need it) then move the files module after the ldap one.
thanks for your replay here what i did in the ldap.attrmap i put checkItem User-Category eduPersonPrimaryAffiliation in the user file i did DEFAULT Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-Id = 901, Fall-Through = Yes DEFAULT User-Category == "student" Reply-Message = "Your a member of the student Group", Tunnel-Private-Group-Id = 902 DEFAULT User-Category == "employee" Reply-Message = "Your a member of the employee Group", Tunnel-Private-Group-Id = 903 in the inner-tunnel file i have authorize { chap mschap uni suffix update control { Proxy-To-Realm := LOCAL } eap { ok = return } ldap files expiration logintime pap } i got the following logs ........ [eap] EAP packet type response id 7 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] performing user authorization for doutrele [ldap] expand: %{Stripped-User-Name} -> doutrele [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=doutrele) [ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele) [ldap] looking for check items in directory... [ldap] eduPersonPrimaryAffiliation -> User-Category == "employee" [ldap] sambaNtPassword -> NT-Password == 0x3846343134354531463530334232353337443430363846343942363633434143 [ldap] sambaLmPassword -> LM-Password == 0x4434413632394242394536303843323438423045413541374446313335423033 [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user doutrele authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok [files] users: Matched entry DEFAULT at line 166 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok ...... THe line 166 in my users file is these ones DEFAULT Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-Id = 901, Fall-Through = Yes and i don't match the following entries DEFAULT User-Category == "employee" Reply-Message = "Your a member of the employee Group", Tunnel-Private-Group-Id = 903 and i really don't know why Le 16/09/2010 09:44, Phil Mayers a écrit :
[ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to ldapdev.int-evry.fr:389, authentication 0 [ldap] bind as cn=admin,dc=int-evry,dc=fr/admldap to ldapdev.int-evry.fr:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele) [ldap] looking for check items in directory... [ldap] sambaNtPassword -> NT-Password == 0x3846343134354531463530334232353337443430363846343942363633434143 [ldap] sambaLmPassword -> LM-Password == 0x4434413632394242394536303843323438423045413541374446313335423033 [ldap] looking for reply items in directory... [ldap] eduPersonPrimaryAffiliation -> User-Category = "employee"
Two issues; first, as above you're adding the User-Category item from LDAP into the reply list, but the "files" syntax doesn't (can't) match items in the reply this. This:
DEFAULT User-Category == "employee"
means "match all request with the attribute User-Category == employee in the *request* items"
Secondly, I think you're running LDAP after "files", so even if it could match, it would not.
Try something like this in sites-available/inner-tunnel:
authorize { ... ldap if (reply:User-Category == employee) { update reply { Tunnel-Private-Group-Id := 1234 } } elsif (reply:User-Category == ...) { }
}
Or, modify your ldap.attrmap to put the User-Category into the request items (assuming your NAS doesn't need it) then move the files module after the ldap one.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 16/09/10 10:16, Eric Doutreleau wrote:
thanks for your replay
here what i did
in the ldap.attrmap i put checkItem User-Category eduPersonPrimaryAffiliation
checkItem means "put the attribute into the check/config items list". Looking at the source code, I see that rlm_ldap can't update the request item list.
in the user file i did DEFAULT Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-Id = 901, Fall-Through = Yes
DEFAULT User-Category == "student" Reply-Message = "Your a member of the student Group", Tunnel-Private-Group-Id = 902
This means "match User-Category in the request items list", which is not the list you've put it in. "files" syntax cannot do comparisons against check/config or reply items, and LDAP can only put items into check/config or reply. You will therefore have to use an "unlang" syntax as per my previous email: authorize { ... ldap if (control:User-Category == ...) { ... } }
Le 16/09/2010 15:34, Phil Mayers a écrit :
On 16/09/10 10:16, Eric Doutreleau wrote:
thanks for your replay
here what i did
in the ldap.attrmap i put checkItem User-Category eduPersonPrimaryAffiliation
checkItem means "put the attribute into the check/config items list".
Looking at the source code, I see that rlm_ldap can't update the request item list.
in the user file i did DEFAULT Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-Id = 901, Fall-Through = Yes
DEFAULT User-Category == "student" Reply-Message = "Your a member of the student Group", Tunnel-Private-Group-Id = 902
This means "match User-Category in the request items list", which is not the list you've put it in.
"files" syntax cannot do comparisons against check/config or reply items, and LDAP can only put items into check/config or reply. You will therefore have to use an "unlang" syntax as per my previous email:
authorize { ... ldap if (control:User-Category == ...) { ... } } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Phil that s what i will do
participants (4)
-
Alan Buxey -
Alexander Clouter -
Eric Doutreleau -
Phil Mayers