OpenDirectory VLAN Assignment by Group
Greetings~ Previously using radius, we were able to assign VLAN based upon group membership using the following syntax in /etc/raddb/users : DEFAULT Group-Name == "testgroup" Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = "100", Fall-Through = no Now with FreeRADIUS Version 2.1.12, we are unable to make the above syntax work anymore. After some reading, we stumbled upon a someone with a similar issue who claimed that you now have to place the post-auth section of /etc/raddb/sites-enabled/default ... we had to make some modifications to the syntax as well: update reply { Tunnel-Private-Group-Id = 100 Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 Tunnel-Preference = 0x000000 } While the above syntax does appear to properly assign the VLAN ... we are unable to match this against the Group-Name field (so the following does not work): if(Group-Name == "testgroup") { update reply { Tunnel-Private-Group-Id = 100 Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 Tunnel-Preference = 0x000000 } } We are able to get the if syntax to expand upon User-Name like the following (just Group-Name doesn't work): if(User-Name == "testuser") { update reply { Tunnel-Private-Group-Id = 100 Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 Tunnel-Preference = 0x000000 } } However ... we appear unable to get any variable to expand that relates to group. (we have tried Group Group-Name Ldap-Group LDAP-Group gid group all without success). It would be ideal to base VLAN membership off of group as opposed to individual user. Questions: 1) Is there a way to echo out *all* variables that radiusd -X has access to at the time of testing so we can perhaps see what field contains the valid group on? 2) Does anyone know what the variable for groups we should be using is? 3) Is there documentation that covers the change in syntax as I described above? (... I'm sure just not finding it but I have been looking) (This is on the latest version of Apple's deployment of freeradius that relies on OpenDirectory) (We will try and contact Apple as well... but I'm imaging this request will be beyond their capabilities... echoing out all variables may get us a solution faster???) Thank you in advance for any advice or pointers to relevant documentation.
Theparanoidone Theparanoidone wrote:
Previously using radius, we were able to assign VLAN based upon group membership using the following syntax in /etc/raddb/users :
That should still work.
Now with FreeRADIUS Version 2.1.12, we are unable to make the above syntax work anymore.
Nonsense. See the FAQ for "it doesn't work". It works People use that syntax. It's documented as working. It hasn't changed in about 10 years. Which version were you using? You didn't say...
After some reading, we stumbled upon a someone with a similar issue who claimed that you now have to place the post-auth section of /etc/raddb/sites-enabled/default ... we had to make some modifications to the syntax as well:
Why would that be?
While the above syntax does appear to properly assign the VLAN ... we are unable to match this against the Group-Name field (so the following does not work):
<sigh> See the FAQ for "it doesn't work".
However ... we appear unable to get any variable to expand that relates to group. (we have tried Group Group-Name Ldap-Group LDAP-Group gid group all without success). It would be ideal to base VLAN membership off of group as opposed to individual user.
Group-Name is Unix groups. You clearly changed something in your system. But you didn't say what. You didn't say which version you were using. You didn't say how you upgraded.
Questions:
1) Is there a way to echo out *all* variables that radiusd -X has access to at the time of testing so we can perhaps see what field contains the valid group on?
No. Many "variables" are pulled from external databases, or things like the Unix group file. Printing out all of them is impossible, because there may be hundreds.
2) Does anyone know what the variable for groups we should be using is?
Group-Name?
3) Is there documentation that covers the change in syntax as I described above? (... I'm sure just not finding it but I have been looking)
The "users" file documentation? Which hasn't changed in 10 years?
(This is on the latest version of Apple's deployment of freeradius that relies on OpenDirectory)
(We will try and contact Apple as well... but I'm imaging this request will be beyond their capabilities... echoing out all variables may get us a solution faster???)
Thank you in advance for any advice or pointers to relevant documentation.
What happened? What changed? You've been careful to avoid saying that. "Hi, stuff used to work. Then I tried 2.1.12, and now stuff doesn't work. Why?" How do you expect anyone to be able to answer that? Alan DeKok.
Hi Alan~ We have tried to copy all configuration settings from the old server to the new (so that nothing would change). We have no desire to change any of our configurations because they previously were working.
What happened? What changed? You've been careful to avoid saying that.
I suspect the biggest change is the default executable of freeradius that is currently shipping with Mountain Lion server (as opposed to Snow Leopard). (I'm guessing this version may have some Apple quirks to it???) radiusd -v radiusd: FreeRADIUS Version 2.1.12, for host i386-apple-darwin12.0, built on Jun 20 2012 at 16:50:26 So again... we've tried to keep all configuration files the same... if we /etc/raddb/users has the following ending entry... it does not appear to tag the VLAN anymore: DEFAULT Group-Name == "testgroup" Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = "101", Fall-Through = no However... if we try and set a VLAN based upon a specific user (and not a group) ... then this works: DEFAULT User-Name == "testuser" Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = "101", Fall-Through = no The following is radius -X showing what happens when we match upon User-Name (which does work): ----------------------------------------------------------------- rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=124, length=163 User-Name = "testuser" NAS-Port = 89 EAP-Message = 0x0200000d016c64656c61697265 Message-Authenticator = 0x80af8ac7a4c209107135c20240cb9ae8 Acct-Session-Id = "8O2.1x811200d0000c3d6d" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 212 ++[files] returns ok [opendirectory] The SACL group "com.apple.access_radius" does not exist on this system. [opendirectory] The host 10.0.11.3 does not have an access group. [opendirectory] User testuser exists in OD [opendirectory] no access control groups, all OD users allowed. ++[opendirectory] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 124 to 10.0.11.3 port 54613 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "101" EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4515d63c4514c3febcac6df877a3ee06 Finished request 24. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=128, length=296 User-Name = "testuser" NAS-Port = 89 State = 0x4515d63c4514c3febcac6df877a3ee06 EAP-Message = 0x0201008015800000007616030100710100006d0301503321b0c4ea4cb804bf45bb9a47d475f21fd47aed7a8a7aef6b111e23f34d0c00003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00330039001601000012000a00080006001700180019000b00020100 Message-Authenticator = 0x5f7a0f13781541869077259423a93b89 Acct-Session-Id = "8O2.1x811200d0000c3d6d" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 128 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 118 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0071], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 1270], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 128 to 10.0.11.3 port 54613 EAP-Message = 0x0102040015c0000012b416030100310200002d0301503321b0e022d14256714ddfbdf03d00aa348771404e7ccee59ff052385d79ed00002f000005ff0100010016030112700b00126c0012690005913082058d30820475a003020102020727bccde2fa9543300d06092a864886f70d01010505003081ca310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e31333031060355040b132a687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f727931 EAP-Message = 0x30302e06035504031327476f204461646479205365637572652043657274696669636174696f6e20417574686f726974793111300f060355040513083037393639323837301e170d3130303932393138313630315a170d3135303932393138313630315a306d31233021060355040a131a6f7065726174696f6e732e7061796a756e6374696f6e2e636f6d3121301f060355040b1318446f6d61696e20436f6e74726f6c2056616c696461746564312330210603550403131a6f7065726174696f6e732e7061796a756e6374696f6e2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b3676ce4923f6ecc6d EAP-Message = 0x026be05c0d4b03362f4e22d1a486740477cfba062ea92b6e4550e61f6eb03de7ea4cc4a03b09e8d8ce6f22c49883928e6502a4f586d26f24f880e9e118bcaa5e678bd352b69851b91b5b6c6c8717b551969aef0f09bb4daccc5923f0fd38e5506b2134505bc1ba1a1d1374bb94377015f9d48c4f9ff12dc860af19a9ecdbb45d53c103243ad4baa62d39c9f44ea9d60943ab711637a1092f5c22d4762c831ed81dc2b9b886dee071c94dca4ea0461644944c05d0677714f2e0fb824490600585444533ecffe402b026f1b377241d68831ae04f7aaad97460d39e40afc35d4a16ad3c161d83cee119d925b119ba56f6aed2fb08861f32c30203010001a3 EAP-Message = 0x8201d2308201ce300f0603551d130101ff04053003010100301d0603551d250416301406082b0601050507030106082b06010505070302300e0603551d0f0101ff0404030205a030330603551d1f042c302a3028a026a0248622687474703a2f2f63726c2e676f64616464792e636f6d2f676473312d32342e63726c304d0603551d20044630443042060b6086480186fd6d010717013033303106082b06010505070201162568747470733a2f2f63657274732e676f64616464792e636f6d2f7265706f7369746f72792f30818006082b0601050507010104743072302406082b060105050730018618687474703a2f2f6f6373702e676f6461646479 EAP-Message = 0x2e636f6d2f304a06082b0601 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4515d63c4417c3febcac6df877a3ee06 Finished request 25. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=173, length=174 User-Name = "testuser" NAS-Port = 89 State = 0x4515d63c4417c3febcac6df877a3ee06 EAP-Message = 0x020200061500 Message-Authenticator = 0x808bddd846dc791f01b4efe0361233b2 Acct-Session-Id = "8O2.1x811200d0000c3d6d" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 173 to 10.0.11.3 port 54613 EAP-Message = 0x0103040015c0000012b40505073002863e687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f72792f67645f696e7465726d6564696174652e637274301f0603551d23041830168014fdac6132936c45d6e2ee855f9abae7769968cce730450603551d11043e303c821a6f7065726174696f6e732e7061796a756e6374696f6e2e636f6d821e7777772e6f7065726174696f6e732e7061796a756e6374696f6e2e636f6d301d0603551d0e04160414320ac819541c624f368bb6b5c77da0363dd8ecf3300d06092a864886f70d0101050500038201010039d968e55f476c6f2edfb3af48dbdf8fac6980 EAP-Message = 0xdaeb5016514746f0463c0f39864a18215cdc58deb56e5838d11304e68388360cc2d1cda6b84828ecf5140bf2bb10280af03a0d2f6b3d391cbb16f85a647dd2bd94917d22d8787e1f18c8417f63b53f63767c44f13bb872e35e0e5c1b8ba384598bb59aa57394ce1644440fadb09d0d2a29285e99ad4aaa6b7b4abafc4dc522240e5e1310032f972283b96407192d9ff49384490f26ac4865c122a0d9a844430f0ae47f554507bc4cc617c6bc94c7b3a5b0d03acf638a6a89c421e5048e95f502aba18a7bf435721f1072e4e730fc28f93cd4d9051c249f151857ec82f8001ed8e21c2568910e0328a61aefc0bf0004e2308204de308203c6a003020102 EAP-Message = 0x02020301300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3036313131363031353433375a170d3236313131363031353433375a3081ca310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e31333031060355040b132a687474703a2f2f EAP-Message = 0x6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f72793130302e06035504031327476f204461646479205365637572652043657274696669636174696f6e20417574686f726974793111300f06035504051308303739363932383730820122300d06092a864886f70d01010105000382010f003082010a0282010100c42dd5158c9c264cec3235eb5fb859015aa66181593b7063abe3dc3dc72ab8c933d379e43aed3c3023848eb33014b6b287c33d9554049edf99dd0b251e21de65297e35a8a954ebf6f73239d4265595adeffbfe5886d79ef4008d8c2a0cbd4204cea73f04f6ee80f2aaef52a16966dabe1aad5dda EAP-Message = 0x2c66ea1a6bbbe51a514a002f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4515d63c4716c3febcac6df877a3ee06 Finished request 26. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=10, length=174 User-Name = "testuser" NAS-Port = 89 State = 0x4515d63c4716c3febcac6df877a3ee06 EAP-Message = 0x020300061500 Message-Authenticator = 0x1f0b7f0fe9de1fdb006f22ab2f812f9f Acct-Session-Id = "8O2.1x811200d0000c3d6d" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 10 to 10.0.11.3 port 54613 EAP-Message = 0x0104040015c0000012b448c79875d8b929c8eef8666d0a9cb3f3fc787ca2f8a3f2b5c3f3b97a91c1a7e6252e9ca8ed12656e6af6124453703095c39c2b582b3d08744af2be51b0bf87d04c27586bb535c59daf1731f80b8feead813605890898cf3aaf2587c049eaa7fd67f7458e97cc1439e23685b57e1a37fd16f671119a743016fe1394a33f840d4f0203010001a38201323082012e301d0603551d0e04160414fdac6132936c45d6e2ee855f9abae7769968cce7301f0603551d23041830168014d2c4b0d291d44c1171b361cb3da1fedda86ad4e330120603551d130101ff040830060101ff020100303306082b06010505070101042730253023 EAP-Message = 0x06082b060105050730018617687474703a2f2f6f6373702e676f64616464792e636f6d30460603551d1f043f303d303ba039a0378635687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f72792f6764726f6f742e63726c304b0603551d200444304230400604551d20003038303606082b06010505070201162a687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f7279300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100d286c0ecbdf9a1b667ee660ba2063a04508e1572ac4a749553cb37cb4449ef0790 EAP-Message = 0x6b33d996f09456a51330053c8532217bc9c70aa824a490de46d32523140367c210d66f0f5d7b7acc9fc5582ac1c49e21a85af3aca446f39ee463cb2f90a4292901d9722c29df370127bc4fee68d3218fc0b3e4f509edd210aa53b4bef0cc590bd63b961c952449dfceecfda7489114450e3a366fda45b345a241c9d4d7444e3eb97476d5a213552cc687a3b599ac0684877f7506fcbf144c0ecc6ec4df3db71271f4e8f15140222849e01d4b87a834cc06a2dd125ad186366403356f6f776eebf28550985eab0353ad9123631f169ccdb9b205633ae1f4681b1705359553ee0004ff308204fb30820464a0030201020202010d300d06092a864886f70d EAP-Message = 0x01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3034303632393137303632305a170d3234303632393137303632305a3063310b30090603550406130255533121301f060355040a1318 EAP-Message = 0x54686520476f204461646479 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4515d63c4611c3febcac6df877a3ee06 Finished request 27. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=190, length=174 User-Name = "testuser" NAS-Port = 89 State = 0x4515d63c4611c3febcac6df877a3ee06 EAP-Message = 0x020400061500 Message-Authenticator = 0x86c163d59b3a0e56734fd96efcb1c6a4 Acct-Session-Id = "8O2.1x811200d0000c3d6d" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 190 to 10.0.11.3 port 54613 EAP-Message = 0x0105040015c0000012b42047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da00805 EAP-Message = 0x08b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a38201e1308201dd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e33081d20603551d230481ca3081c7a181c1a481be3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c6943 EAP-Message = 0x65727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d820101300f0603551d130101ff040530030101ff303306082b0601050507010104273025302306082b060105050730018617687474703a2f2f6f6373702e676f64616464792e636f6d30440603551d1f043d303b3039a037a0358633687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f72792f726f6f742e63726c304b EAP-Message = 0x0603551d200444304230400604551d20003038303606082b06010505070201162a687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f7279300e0603551d0f0101ff040403020106300d06092a864886f70d010105050003818100b540f9a71df6eafea41a425a44f715d4854689c0be9ee3e3ebc5e358898f929f57a8712c48d181b2791fac063519b04e0e581b14b39881d1041ec807c9839f78440a180b98dc767a650d0d6d80c40b011ccbad473e71be774bcc0677d0f4566b1f4b139a148a8823a851f0834cab35bf467e39dc75a4aee829fbef398f4f55670002eb308202e73082025002010130 EAP-Message = 0x0d06092a864886f70d010105 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4515d63c4110c3febcac6df877a3ee06 Finished request 28. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=82, length=174 User-Name = "testuser" NAS-Port = 89 State = 0x4515d63c4110c3febcac6df877a3ee06 EAP-Message = 0x020500061500 Message-Authenticator = 0x4410301a2dd8b830cac4def877a05167 Acct-Session-Id = "8O2.1x811200d0000c3d6d" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 82 to 10.0.11.3 port 54613 EAP-Message = 0x010602e61580000012b405003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c6943 EAP-Message = 0x6572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37c EAP-Message = 0xdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4515d63c4013c3febcac6df877a3ee06 Finished request 29. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=6, length=506 User-Name = "testuser" NAS-Port = 89 State = 0x4515d63c4013c3febcac6df877a3ee06 EAP-Message = 0x0206015015800000014616030101061000010201006dac8c6fa17699c642676c8d6ad88f592a533736758d1797496051ca0923e542c90524451e26d610ee0b2b3ed8dbee519080db11c8b2817497c48f6cdd9c254f4d0ac1650b473ff8461ef37379f2fae772b4a340d6d915589eba965c46338450f921819ac4b1054bf261bc9dbe17e3c7a62a057d224a614bbc2bac720ca60c3641c80fd13f854754df51f6e19999c418c095defed9396cff90fcd59346bb679d0f91f588206d1caca3b2f6361a55b5944996e19039ac951819451da20e8fc68d0bf7b17ef60373040b2396ce6fb9b7b06e3efefbceb2e22ca20aa726e8dc253a5a6b178214f08539 EAP-Message = 0x4ee647227e6244a7293fcffa28d62291c320aa698ae9754c1403010001011603010030451287b5040a5f1d8e7e26aad5428397f48138e1992616ada492291f470501852105c5c44254b8cd71fd3ea29abcf427 Message-Authenticator = 0x411897122fa57e10d96bd5b97d3886a4 Acct-Session-Id = "8O2.1x811200d0000c3d6d" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 326 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 6 to 10.0.11.3 port 54613 EAP-Message = 0x0107004515800000003b140301000101160301003007d8a3669a3bf7b2a983eefdbf3174ba778613d32be7466af5055d33b57509520c00f2dbab583c8aa900dfa621e7d5f8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4515d63c4312c3febcac6df877a3ee06 Finished request 30. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=224, length=327 User-Name = "testuser" NAS-Port = 89 State = 0x4515d63c4312c3febcac6df877a3ee06 EAP-Message = 0x0207009f158000000095170301009013f12baf88e483f6a7e99a21587ff9140efa5b38c4150d0810beec57fea54f5b669adf3420e847e135ba2b6d66e25a3e20a48c96981a9532c713174adad2b27f5853db89499122a5117ddeca7877f6dc82661224977f790dce17e1925f768653db7336a0f8fcd3696b219ac720ac530c1b49a26dfe7809455d5d026059b576c4b9098baaa9c49c1f2930856c8b303c79 Message-Authenticator = 0x9eac09dc843575fb6169411e53fcd117 Acct-Session-Id = "8O2.1x811200d0000c3d6d" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 159 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 149 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "testuser" MS-CHAP-Challenge = 0x98f430a43599f957282310422e8669ca MS-CHAP2-Response = 0xfb0050a391b9a77fd794f7e4ad83c6781a540000000000000000865b0fcebda08a02e3c5d31e33d62294f08769a230ccbd24 FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "testuser" MS-CHAP-Challenge = 0x98f430a43599f957282310422e8669ca MS-CHAP2-Response = 0xfb0050a391b9a77fd794f7e4ad83c6781a540000000000000000865b0fcebda08a02e3c5d31e33d62294f08769a230ccbd24 FreeRADIUS-Proxied-To = 127.0.0.1 NAS-Port = 89 Acct-Session-Id = "8O2.1x811200d0000c3d6d" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet server { # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 212 ++[files] returns ok [opendirectory] The SACL group "com.apple.access_radius" does not exist on this system. [opendirectory] The host 10.0.11.3 does not have an access group. [opendirectory] User testuser exists in OD [opendirectory] no access control groups, all OD users allowed. ++[opendirectory] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: testuser [mschap] Told to do MS-CHAPv2 for testuser with NT-Password [mschap] Using OpenDirectory to authenticate [mschap] Doing OD MSCHAPv2 auth [mschap] Successful authentication for testuser ++[mschap] returns ok # Executing section post-auth from file /private/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop } # server [ttls] Got tunneled reply code 2 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "101" MS-CHAP2-Success = 0xfb533d41423831383844313944333842364137363241314430454644353931344634363734384138303836 [ttls] Got tunneled Access-Accept [ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge. ++[eap] returns handled Sending Access-Challenge of id 224 to 10.0.11.3 port 54613 EAP-Message = 0x0108008415800000007a1703010020724895cfa11745c963ab2a3d5b8b0e2b76ca7ebccc5b5d1af53ad9cf62f9bb6f1703010050db4f5296d1da8c4f613dbf48289cb5f5ca54c3fb24ca81be847b2f3f8c062c0a2491ae698dc9f69398313b065af863f75c13fd2995421532c88eadbc86447f9e01756148485dc84c64fb86ccad58b370 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4515d63c421dc3febcac6df877a3ee06 Finished request 31. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=115, length=174 User-Name = "testuser" NAS-Port = 89 State = 0x4515d63c421dc3febcac6df877a3ee06 EAP-Message = 0x020800061500 Message-Authenticator = 0xfa1bae1ab9867108c1206f2ced983996 Acct-Session-Id = "8O2.1x811200d0000c3d6d" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake is finished [ttls] eaptls_verify returned 3 [ttls] eaptls_process returned 3 [ttls] Using saved attributes from the original Access-Accept Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "101" [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /private/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 115 to 10.0.11.3 port 54613 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "101" MS-MPPE-Recv-Key = 0xebc7e5ca22d86cac82bb0efebf66bdb6852b5cee5087969b02488e3628b13e57 MS-MPPE-Send-Key = 0x4468ab64e74186dbe09282296b582253f1324675fba1164fc1a6917c9cb79636 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testuser" Finished request 32. Going to the next request Waking up in 4.6 seconds. Cleaning up request 24 ID 124 with timestamp +157 Cleaning up request 25 ID 128 with timestamp +157 Cleaning up request 26 ID 173 with timestamp +157 Cleaning up request 27 ID 10 with timestamp +157 Cleaning up request 28 ID 190 with timestamp +157 Cleaning up request 29 ID 82 with timestamp +157 Cleaning up request 30 ID 6 with timestamp +158 Waking up in 0.1 seconds. Cleaning up request 31 ID 224 with timestamp +158 Cleaning up request 32 ID 115 with timestamp +158 Ready to process requests. ----------------------------------------------------------------- The following does not work if we try and match on Group-Name (which does not work): ----------------------------------------------------------------- rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=38, length=163 User-Name = "testuser" NAS-Port = 89 EAP-Message = 0x0201000d016c64656c61697265 Message-Authenticator = 0x8f7ff65e289a0572bc17bd1576fb5950 Acct-Session-Id = "8O2.1x811200dd000315d4" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [opendirectory] The SACL group "com.apple.access_radius" does not exist on this system. [opendirectory] The host 10.0.11.3 does not have an access group. [opendirectory] User testuser exists in OD [opendirectory] no access control groups, all OD users allowed. ++[opendirectory] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 38 to 10.0.11.3 port 54613 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7376aa107374bfe2777048181a406d0c Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=185, length=296 User-Name = "testuser" NAS-Port = 89 State = 0x7376aa107374bfe2777048181a406d0c EAP-Message = 0x0202008015800000007616030100710100006d0301503322f101ec417ed81232a4f0f75d7a4cd5c4fe93fa330292088fa8ed44b5f600003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00330039001601000012000a00080006001700180019000b00020100 Message-Authenticator = 0xd15b1455669c385df86958714dcbf048 Acct-Session-Id = "8O2.1x811200dd000315d4" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 128 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 118 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0071], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 1270], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 185 to 10.0.11.3 port 54613 EAP-Message = 0x0103040015c0000012b416030100310200002d0301503322f18e2c1ea3ccf0fa3e00660b6946ce7786ce51d0f04026b39a78c765d700002f000005ff0100010016030112700b00126c0012690005913082058d30820475a003020102020727bccde2fa9543300d06092a864886f70d01010505003081ca310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e31333031060355040b132a687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f727931 EAP-Message = 0x30302e06035504031327476f204461646479205365637572652043657274696669636174696f6e20417574686f726974793111300f060355040513083037393639323837301e170d3130303932393138313630315a170d3135303932393138313630315a306d31233021060355040a131a6f7065726174696f6e732e7061796a756e6374696f6e2e636f6d3121301f060355040b1318446f6d61696e20436f6e74726f6c2056616c696461746564312330210603550403131a6f7065726174696f6e732e7061796a756e6374696f6e2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b3676ce4923f6ecc6d EAP-Message = 0x026be05c0d4b03362f4e22d1a486740477cfba062ea92b6e4550e61f6eb03de7ea4cc4a03b09e8d8ce6f22c49883928e6502a4f586d26f24f880e9e118bcaa5e678bd352b69851b91b5b6c6c8717b551969aef0f09bb4daccc5923f0fd38e5506b2134505bc1ba1a1d1374bb94377015f9d48c4f9ff12dc860af19a9ecdbb45d53c103243ad4baa62d39c9f44ea9d60943ab711637a1092f5c22d4762c831ed81dc2b9b886dee071c94dca4ea0461644944c05d0677714f2e0fb824490600585444533ecffe402b026f1b377241d68831ae04f7aaad97460d39e40afc35d4a16ad3c161d83cee119d925b119ba56f6aed2fb08861f32c30203010001a3 EAP-Message = 0x8201d2308201ce300f0603551d130101ff04053003010100301d0603551d250416301406082b0601050507030106082b06010505070302300e0603551d0f0101ff0404030205a030330603551d1f042c302a3028a026a0248622687474703a2f2f63726c2e676f64616464792e636f6d2f676473312d32342e63726c304d0603551d20044630443042060b6086480186fd6d010717013033303106082b06010505070201162568747470733a2f2f63657274732e676f64616464792e636f6d2f7265706f7369746f72792f30818006082b0601050507010104743072302406082b060105050730018618687474703a2f2f6f6373702e676f6461646479 EAP-Message = 0x2e636f6d2f304a06082b0601 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7376aa107275bfe2777048181a406d0c Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=65, length=174 User-Name = "testuser" NAS-Port = 89 State = 0x7376aa107275bfe2777048181a406d0c EAP-Message = 0x020300061500 Message-Authenticator = 0xb2706ac2b20ebbc4044ca0ddb359a3a0 Acct-Session-Id = "8O2.1x811200dd000315d4" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 65 to 10.0.11.3 port 54613 EAP-Message = 0x0104040015c0000012b40505073002863e687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f72792f67645f696e7465726d6564696174652e637274301f0603551d23041830168014fdac6132936c45d6e2ee855f9abae7769968cce730450603551d11043e303c821a6f7065726174696f6e732e7061796a756e6374696f6e2e636f6d821e7777772e6f7065726174696f6e732e7061796a756e6374696f6e2e636f6d301d0603551d0e04160414320ac819541c624f368bb6b5c77da0363dd8ecf3300d06092a864886f70d0101050500038201010039d968e55f476c6f2edfb3af48dbdf8fac6980 EAP-Message = 0xdaeb5016514746f0463c0f39864a18215cdc58deb56e5838d11304e68388360cc2d1cda6b84828ecf5140bf2bb10280af03a0d2f6b3d391cbb16f85a647dd2bd94917d22d8787e1f18c8417f63b53f63767c44f13bb872e35e0e5c1b8ba384598bb59aa57394ce1644440fadb09d0d2a29285e99ad4aaa6b7b4abafc4dc522240e5e1310032f972283b96407192d9ff49384490f26ac4865c122a0d9a844430f0ae47f554507bc4cc617c6bc94c7b3a5b0d03acf638a6a89c421e5048e95f502aba18a7bf435721f1072e4e730fc28f93cd4d9051c249f151857ec82f8001ed8e21c2568910e0328a61aefc0bf0004e2308204de308203c6a003020102 EAP-Message = 0x02020301300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3036313131363031353433375a170d3236313131363031353433375a3081ca310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e31333031060355040b132a687474703a2f2f EAP-Message = 0x6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f72793130302e06035504031327476f204461646479205365637572652043657274696669636174696f6e20417574686f726974793111300f06035504051308303739363932383730820122300d06092a864886f70d01010105000382010f003082010a0282010100c42dd5158c9c264cec3235eb5fb859015aa66181593b7063abe3dc3dc72ab8c933d379e43aed3c3023848eb33014b6b287c33d9554049edf99dd0b251e21de65297e35a8a954ebf6f73239d4265595adeffbfe5886d79ef4008d8c2a0cbd4204cea73f04f6ee80f2aaef52a16966dabe1aad5dda EAP-Message = 0x2c66ea1a6bbbe51a514a002f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7376aa107172bfe2777048181a406d0c Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=131, length=174 User-Name = "testuser" NAS-Port = 89 State = 0x7376aa107172bfe2777048181a406d0c EAP-Message = 0x020400061500 Message-Authenticator = 0xe80eacfe69775b297b14b61b803bd39d Acct-Session-Id = "8O2.1x811200dd000315d4" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 131 to 10.0.11.3 port 54613 EAP-Message = 0x0105040015c0000012b448c79875d8b929c8eef8666d0a9cb3f3fc787ca2f8a3f2b5c3f3b97a91c1a7e6252e9ca8ed12656e6af6124453703095c39c2b582b3d08744af2be51b0bf87d04c27586bb535c59daf1731f80b8feead813605890898cf3aaf2587c049eaa7fd67f7458e97cc1439e23685b57e1a37fd16f671119a743016fe1394a33f840d4f0203010001a38201323082012e301d0603551d0e04160414fdac6132936c45d6e2ee855f9abae7769968cce7301f0603551d23041830168014d2c4b0d291d44c1171b361cb3da1fedda86ad4e330120603551d130101ff040830060101ff020100303306082b06010505070101042730253023 EAP-Message = 0x06082b060105050730018617687474703a2f2f6f6373702e676f64616464792e636f6d30460603551d1f043f303d303ba039a0378635687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f72792f6764726f6f742e63726c304b0603551d200444304230400604551d20003038303606082b06010505070201162a687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f7279300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100d286c0ecbdf9a1b667ee660ba2063a04508e1572ac4a749553cb37cb4449ef0790 EAP-Message = 0x6b33d996f09456a51330053c8532217bc9c70aa824a490de46d32523140367c210d66f0f5d7b7acc9fc5582ac1c49e21a85af3aca446f39ee463cb2f90a4292901d9722c29df370127bc4fee68d3218fc0b3e4f509edd210aa53b4bef0cc590bd63b961c952449dfceecfda7489114450e3a366fda45b345a241c9d4d7444e3eb97476d5a213552cc687a3b599ac0684877f7506fcbf144c0ecc6ec4df3db71271f4e8f15140222849e01d4b87a834cc06a2dd125ad186366403356f6f776eebf28550985eab0353ad9123631f169ccdb9b205633ae1f4681b1705359553ee0004ff308204fb30820464a0030201020202010d300d06092a864886f70d EAP-Message = 0x01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3034303632393137303632305a170d3234303632393137303632305a3063310b30090603550406130255533121301f060355040a1318 EAP-Message = 0x54686520476f204461646479 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7376aa107073bfe2777048181a406d0c Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=59, length=174 User-Name = "testuser" NAS-Port = 89 State = 0x7376aa107073bfe2777048181a406d0c EAP-Message = 0x020500061500 Message-Authenticator = 0xe3a9499075fdb6897cd7c1ebecc568dd Acct-Session-Id = "8O2.1x811200dd000315d4" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 59 to 10.0.11.3 port 54613 EAP-Message = 0x0106040015c0000012b42047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da00805 EAP-Message = 0x08b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a38201e1308201dd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e33081d20603551d230481ca3081c7a181c1a481be3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c6943 EAP-Message = 0x65727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d820101300f0603551d130101ff040530030101ff303306082b0601050507010104273025302306082b060105050730018617687474703a2f2f6f6373702e676f64616464792e636f6d30440603551d1f043d303b3039a037a0358633687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f72792f726f6f742e63726c304b EAP-Message = 0x0603551d200444304230400604551d20003038303606082b06010505070201162a687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f7279300e0603551d0f0101ff040403020106300d06092a864886f70d010105050003818100b540f9a71df6eafea41a425a44f715d4854689c0be9ee3e3ebc5e358898f929f57a8712c48d181b2791fac063519b04e0e581b14b39881d1041ec807c9839f78440a180b98dc767a650d0d6d80c40b011ccbad473e71be774bcc0677d0f4566b1f4b139a148a8823a851f0834cab35bf467e39dc75a4aee829fbef398f4f55670002eb308202e73082025002010130 EAP-Message = 0x0d06092a864886f70d010105 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7376aa107770bfe2777048181a406d0c Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=150, length=174 User-Name = "testuser" NAS-Port = 89 State = 0x7376aa107770bfe2777048181a406d0c EAP-Message = 0x020600061500 Message-Authenticator = 0x7f92e4f61667f18c36a2b22fe08dcae2 Acct-Session-Id = "8O2.1x811200dd000315d4" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 150 to 10.0.11.3 port 54613 EAP-Message = 0x010702e61580000012b405003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c6943 EAP-Message = 0x6572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37c EAP-Message = 0xdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7376aa107671bfe2777048181a406d0c Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=99, length=506 User-Name = "testuser" NAS-Port = 89 State = 0x7376aa107671bfe2777048181a406d0c EAP-Message = 0x0207015015800000014616030101061000010201000e38bcbb99bc024df880287f421ffc733f53c6d2783fe237bad3f73459f96b2f1b08cca5041e244d99d9630a10367b4d668f156c3511a1ad024b7cbae594096ffb0c2d434e8534c6757c45dd7d114ef315092023b2a723e4a33a886852aeb7b177ae287965a6633431bf1480654435f767c473b02e9e7e94da8c620e226173d3d6031ee80034ad516d83d63a558387689dee3fbe40b19985717da4b2816ecbcd0cda811b86a4e0ecd68f46051293c5ff47e61e83dc0fbb13789da56e79698972b27f292b3e58b4c76720457ed2b09ce2176662ef92e6297e537c240218f614e0b70a71da08c08192 EAP-Message = 0x35a333a42a0f29e8b04377204855a344a07c872f783d84831403010001011603010030596c41624945ac08ff0f637c891179bcbeb912306f74fee91eecc7b454792d0bf97f08e3afae3bba275fb8b514322100 Message-Authenticator = 0x3e22c0c5f61c577c44e58cc92c1e2504 Acct-Session-Id = "8O2.1x811200dd000315d4" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 326 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 99 to 10.0.11.3 port 54613 EAP-Message = 0x0108004515800000003b1403010001011603010030498b97ea12669c760165ae5e461ac8f9985ff23afdc0851e1b9e5b5deb5fc621784648b522ee7a58896acdd8b7b9ee24 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7376aa10757ebfe2777048181a406d0c Finished request 6. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=151, length=327 User-Name = "testuser" NAS-Port = 89 State = 0x7376aa10757ebfe2777048181a406d0c EAP-Message = 0x0208009f15800000009517030100909a5bc2fc0aa3e196e45a467a1ffcb4c685b2dcef5a45f54ba7a20f2a34131ada4c48cfe457774c25dd5a6b8b0830cc526ce54b5e164328b749b4c1215695ec4b1642536159dc71611fd4566edc98293c397d0329acf7e93c00b91bcea4ac41faa14c355455d5c627afe3115faa537909c0c67bd8cc6df715691d8f61513d8e0977852d11e196f6bd2ef6ad99445a3dd7 Message-Authenticator = 0x6fc895432c98cfdf25211e9c9fcdc4fe Acct-Session-Id = "8O2.1x811200dd000315d4" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 159 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 149 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "testuser" MS-CHAP-Challenge = 0x980b880e579ddf430d6a546c9208b8d3 MS-CHAP2-Response = 0xc600d9073bcb7d5c6f3da4805f9fdd0cd9080000000000000000bbc853afd7373a6a21f64a81fb6429e976994a46c89554d6 FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "testuser" MS-CHAP-Challenge = 0x980b880e579ddf430d6a546c9208b8d3 MS-CHAP2-Response = 0xc600d9073bcb7d5c6f3da4805f9fdd0cd9080000000000000000bbc853afd7373a6a21f64a81fb6429e976994a46c89554d6 FreeRADIUS-Proxied-To = 127.0.0.1 NAS-Port = 89 Acct-Session-Id = "8O2.1x811200dd000315d4" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet server { # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [opendirectory] The SACL group "com.apple.access_radius" does not exist on this system. [opendirectory] The host 10.0.11.3 does not have an access group. [opendirectory] User testuser exists in OD [opendirectory] no access control groups, all OD users allowed. ++[opendirectory] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: testuser [mschap] Told to do MS-CHAPv2 for testuser with NT-Password [mschap] Using OpenDirectory to authenticate [mschap] Doing OD MSCHAPv2 auth [mschap] Successful authentication for testuser ++[mschap] returns ok # Executing section post-auth from file /private/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop } # server [ttls] Got tunneled reply code 2 MS-CHAP2-Success = 0xc6533d37344337434145353137333237383734434439373730394332414545384545384230463944463639 [ttls] Got tunneled Access-Accept [ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge. ++[eap] returns handled Sending Access-Challenge of id 151 to 10.0.11.3 port 54613 EAP-Message = 0x0109008415800000007a17030100204ee1536a695f88f034580d0ed954ea1559043d5058c5a725d0ba4f14c421203e170301005020cc04fcd5018811246bb209f92c8d0784950b43f5c2fbc2845e6b28c469137eb7f2d2387c4a305119120aac1ce071b60662601a67dadc7be435f862831e33e0154697199527acd7c58f896840010d44 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7376aa10747fbfe2777048181a406d0c Finished request 7. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=25, length=174 User-Name = "testuser" NAS-Port = 89 State = 0x7376aa10747fbfe2777048181a406d0c EAP-Message = 0x020900061500 Message-Authenticator = 0x9ebea890a54788a8c31cf9d46df1c5b6 Acct-Session-Id = "8O2.1x811200dd000315d4" NAS-Port-Id = "ge-0/0/19.0" Calling-Station-Id = "c4-2c-03-04-f1-04" Called-Station-Id = "2c-6b-f5-35-d4-c0" NAS-IP-Address = 10.0.11.3 NAS-Identifier = "hqsw1" NAS-Port-Type = Ethernet # Executing section authorize from file /private/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /private/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake is finished [ttls] eaptls_verify returned 3 [ttls] eaptls_process returned 3 [ttls] Using saved attributes from the original Access-Accept [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /private/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 25 to 10.0.11.3 port 54613 MS-MPPE-Recv-Key = 0x9851eef160f7deb5c2ceb8926e928834320f8c8ceec8ae32de0beb38768f3928 MS-MPPE-Send-Key = 0x18f20ab349a3dcb4f4476e33339d73247f3283b711342da21d08df70dce55e10 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testuser" Finished request 8. Going to the next request Waking up in 4.4 seconds. Cleaning up request 0 ID 38 with timestamp +11 Cleaning up request 1 ID 185 with timestamp +11 Cleaning up request 2 ID 65 with timestamp +11 Cleaning up request 3 ID 131 with timestamp +11 Cleaning up request 4 ID 59 with timestamp +11 Cleaning up request 5 ID 150 with timestamp +11 Waking up in 0.3 seconds. Cleaning up request 6 ID 99 with timestamp +11 Cleaning up request 7 ID 151 with timestamp +11 Cleaning up request 8 ID 25 with timestamp +11 Ready to process requests. ----------------------------------------------------------------- Basically... it appears the Group-Name is no longer being returned... and therefore we cannot tag based upon groups. I would assume this relies on the OpenDirectory plugin that Apple provides... perhaps it does not function like it previously did? Since OpenDirectory relies open openldap, perhaps we need to query ldap? Any thoughts or suggestions would be appreciated. Thank you. ----- Original Message ----- From: Alan DeKok <aland@deployingradius.com> To: Theparanoidone Theparanoidone <theparanoidone@yahoo.com>; FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Cc: Sent: Monday, August 20, 2012 11:23 AM Subject: Re: OpenDirectory VLAN Assignment by Group Theparanoidone Theparanoidone wrote:
Previously using radius, we were able to assign VLAN based upon group membership using the following syntax in /etc/raddb/users :
That should still work.
Now with FreeRADIUS Version 2.1.12, we are unable to make the above syntax work anymore.
Nonsense. See the FAQ for "it doesn't work". It works People use that syntax. It's documented as working. It hasn't changed in about 10 years. Which version were you using? You didn't say...
After some reading, we stumbled upon a someone with a similar issue who claimed that you now have to place the post-auth section of /etc/raddb/sites-enabled/default ... we had to make some modifications to the syntax as well:
Why would that be?
While the above syntax does appear to properly assign the VLAN ... we are unable to match this against the Group-Name field (so the following does not work):
<sigh> See the FAQ for "it doesn't work".
However ... we appear unable to get any variable to expand that relates to group. (we have tried Group Group-Name Ldap-Group LDAP-Group gid group all without success). It would be ideal to base VLAN membership off of group as opposed to individual user.
Group-Name is Unix groups. You clearly changed something in your system. But you didn't say what. You didn't say which version you were using. You didn't say how you upgraded.
Questions:
1) Is there a way to echo out *all* variables that radiusd -X has access to at the time of testing so we can perhaps see what field contains the valid group on?
No. Many "variables" are pulled from external databases, or things like the Unix group file. Printing out all of them is impossible, because there may be hundreds.
2) Does anyone know what the variable for groups we should be using is?
Group-Name?
3) Is there documentation that covers the change in syntax as I described above? (... I'm sure just not finding it but I have been looking)
The "users" file documentation? Which hasn't changed in 10 years?
(This is on the latest version of Apple's deployment of freeradius that relies on OpenDirectory)
(We will try and contact Apple as well... but I'm imaging this request will be beyond their capabilities... echoing out all variables may get us a solution faster???)
Thank you in advance for any advice or pointers to relevant documentation.
What happened? What changed? You've been careful to avoid saying that. "Hi, stuff used to work. Then I tried 2.1.12, and now stuff doesn't work. Why?" How do you expect anyone to be able to answer that? Alan DeKok.
Theparanoidone Theparanoidone wrote:
We have tried to copy all configuration settings from the old server to the new (so that nothing would change). We have no desire to change any of our configurations because they previously were working.
You've already said it was working previously. You said it multiple times in your last message. You say it again multiple times in this message. Why are you repeating yourself?
What happened? What changed? You've been careful to avoid saying that.
I suspect the biggest change is the default executable of freeradius that is currently shipping with Mountain Lion server (as opposed to Snow Leopard). (I'm guessing this version may have some Apple quirks to it???) radiusd -v radiusd: FreeRADIUS Version 2.1.12, for host i386-apple-darwin12.0, built on Jun 20 2012 at 16:50:26
You already said you are now running 2.1.12. Why are you repeating yourself? Do you think we're stupid, and we don't understand your messages? What version WERE you using before this? I asked, and you didn't say that. Instead, you repeated yourself: We're now using 2.1.12! I managed to read your previous message. I *did* see that you were running 2.1.12. Repeating that information is rude.
So again... we've tried to keep all configuration files the same... if we /etc/raddb/users has the following ending entry... it does not appear to tag the VLAN anymore:
You already said that. Why are you repeating yourself?
DEFAULT Group-Name == "testgroup"
Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = "101", Fall-Through = no
You do realize that format is incorrect, right? The extra blank line is wrong.
However... if we try and set a VLAN based upon a specific user (and not a group) ... then this works:
You already said that. Why are you repeating yourself?
DEFAULT User-Name == "testuser" Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = "101", Fall-Through = no
The following is radius -X showing what happens when we match upon User-Name (which does work):
Which is useless. I didn't ask for this debug output. I didn't suggest you were lying about it. You already said REPEATEDLY that "it works with User-Name". Maybe you think it's helpful to repeat yourself, and post enough useless output? The problem here is NOT that something changed. The problem is that YOU are REFUSING to find out what changed. YOU are REFUSING to use simple debugging methods to track down what changed. Alan DeKok.
Hi Alan~
You already said you are now running 2.1.12. Why are you repeating yourself? Do you think we're stupid, and we don't understand your messages? What version WERE you using before this? I asked, and you didn't say that.
Current: radiusd: FreeRADIUS Version 2.1.12, for host i386-apple-darwin12.0, built on Jun 20 2012 at 16:50:26 (Mountain Lion) Previous: radiusd: FreeRADIUS Version 2.1.3, for host i386-apple-darwin10.0, built on Apr 11 2011 at 17:19:07 (Snow Leopard)
DEFAULT Group-Name == "testgroup"
Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = "101", Fall-Through = no You do realize that format is incorrect, right? The extra blank line is wrong.
Do to email pasting mistake. Actual config does not have blank line.
You already said that. Why are you repeating yourself? I didn't ask for this debug output. I didn't suggest you were lying about it. You already said REPEATEDLY that "it works with User-Name". Maybe you think it's helpful to repeat yourself, and post enough useless output? The problem here is NOT that something changed. The problem is that YOU are REFUSING to find out what changed. YOU are REFUSING to use simple debugging methods to track down what changed.
Only tried to re-state the issue more clearly as I assumed my explanation was unclear. I have no doubt that this forum knows far more about freeradius than I do. I realize the explanation "nothing changed / it doesn't work" get's old... but I don't know what to tell you. I'm assuming that the Group-Name field is not being set anymore via the OpenDirectory module included in Apple's latest freeradius deployment? maybe so, maybe not? (I don't know) In the meantime... assuming the group is no longer passed back via OpenDirectory... I've attempted to perform an LDAP query via the authorize section /etc/raddb/sites-enabled/default to help retrieve the Group-Name. I have now made the following modifications: #################### /etc/raddb/sites-enabled/default #################### authorize { ... # uncomment ldap ldap ... } #################### /etc/raddb/modules/ldap #################### ldap { ... server = "myserver.mydomain.com" basedn = "dc=myserver,dc=mydomain,dc=com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=posixAccount)" ... groupname_attribute = cn groupmembership_filter = "(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})" ... ldap_debug = 0x0028 ... } #################### /etc/raddb/users #################### ... DEFAULT Ldap-Group == "testgroup" Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = "101", Fall-Through = no DEFAULT Ldap-Group == "testgroup2" Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = "102", Fall-Through = no Preliminary testing of the above appears to work. The server appears to allow authentication via OpenDirectory, and group VLAN tagging via LDAP queries to OpenDirectory for group membership tracking. I will continue to test. I realize that the Apple platform for freeradius probably represents a minority user base. My hope is that anyone else encountering a similar issue may be helped by these posts. We have found that Apple's default OpenDirectory/OpenLDAP attribute mappings for memberUid (and etc) are slightly different than other linux distributions (so perhaps someone else can benefit from the rough draft above). Feedback and questions are welcome if any of the above configurations look blatantly wrong or could be made better. I appreciate the help and patience.
Am 21.08.2012 11:07, schrieb Theparanoidone Theparanoidone:
DEFAULT Group-Name == "testgroup"
Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = "101", Fall-Through = no You do realize that format is incorrect, right? The extra blank line is wrong.
Do to email pasting mistake. Actual config does not have blank line.
It seems it just happened again. Could you make sure the Line DEFAULT Group-Name == "testgroup" is only terminated with 0x0a and not with 0x0d 0x0a You can verify that by hd /etc/raddb/users | less and looking for the 'testgroup' entry Correct: 0000xxxx 74 65 73 74 67 72 6f 75 70 0a 09 .. .. .. .. .. |testgroup.... Wrong: 0000xxxx 74 65 73 74 67 72 6f 75 70 0d 0a 09 .. .. .. .. |testgroup.... ^^ ^^ Cheers Klaus
Hi Klaus~
DEFAULT Group-Name == "testgroup"
Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = "101", Fall-Through = no You do realize that format is incorrect, right? The extra blank line is wrong.
Do to email pasting mistake. Actual config does not have blank line.
It seems it just happened again. Could you make sure the Line DEFAULT Group-Name == "testgroup" is only terminated with 0x0a and not with 0x0d 0x0a
Good eye... I believe this yahoo web mail pasting related. But this is a valid point (if it pastes wrong into a browser, maybe it is wrong?). However, I checked it with xxd and can confirm the lines only end in 0x0a From Phil's prior post, it looks like we have narrowed in on a different handling of OpenDirectory groups in old Snow Leopard versus new Mountain Lion ... the output of python -c '\ > import grp;\ > print "testuser" in grp.getgrnam("testgroup").gr_mem' is different between the two machines. If I can locate what is causing the different behavior in nsswitch/directoryservice (or some other core config) ... I'll post it back. Thank you Klaus, Phil, and Alan for you help.
On 08/21/2012 07:08 AM, Theparanoidone Theparanoidone wrote:
Hi Alan~
We have tried to copy all configuration settings from the old server to the new (so that nothing would change). We have no desire to change any of our configurations because they previously were working.
What happened? What changed? You've been careful to avoid saying that.
I suspect the biggest change is the default executable of freeradius that is currently shipping with Mountain Lion server (as opposed to Snow Leopard). (I'm guessing this version may have some Apple quirks to it???) radiusd -v radiusd: FreeRADIUS Version 2.1.12, for host i386-apple-darwin12.0, built on Jun 20 2012 at 16:50:26
So again... we've tried to keep all configuration files the same... if we /etc/raddb/users has the following ending entry... it does not appear to tag the VLAN anymore:
You are aware how "Group-Name" works, and which groups it is referring to, right? Specifically, it is not a real attribute, and doesn't exist in a concrete form. Rather, when you perform a comparison, a real-time search is done against the relevant database using the value on the right-hand side. Group-Name queries the POSIX "getgrnam" APIs, which are normally backed by /etc/group, but can be supplemented/replaced by nsswitch. Assuming you have it installed, what does: python -c '\ import grp;\ print "testuser" in grp.getgrnam("testgroup").gr_mem' ...say? This fragment uses the same APIs as "Group-Name". If this says "True" then you've mis-configured FreeRADIUS somehow. If it says "False", then the user isn't in the group as reported by those APIs, and you'll need to query your group database another way. It might be the latter - maybe your new OS X machine isn't pulling Unix group from OpenDirectory, but the old one was? Usually, using "Group-Name" is a bad choice; if there is a backend database (LDAP, SQL, text files) you are better off querying it directly, rather than interposing the get*nam APIs.
Hi Phil~
You are aware how "Group-Name" works, and which groups it is referring to, right? Specifically, it is not a real attribute, and doesn't exist in a concrete form. Rather, when you perform a comparison, a real-time search is done against the relevant database using the value on the right-hand side. Group-Name queries the POSIX "getgrnam" APIs, which are normally backed by /etc/group, but can be supplemented/replaced by nsswitch.
Thank you, this is helpful information. Since the groups we are testing are not actual unix groups but openldap/OpenDirectory groups... I'm assuming there must have been some nsswitch configurations on the old server that helped with this. Apple appears to use the directory service utils to handle this as there is no nsswitch.conf. I'm currently looking into nsswitch equivlants for apple (things like dscl localhost -read /Search)
Assuming you have it installed, what does: python -c '\ import grp;\ print "testuser" in grp.getgrnam("testgroup").gr_mem' ...say? This fragment uses the same APIs as "Group-Name".If this says "True" then you've mis-configured FreeRADIUS somehow. If it says "False", then the user isn't in the group as reported by those APIs, and you'll need to query your group database another way. It might be the latter - maybe your new OS X machine isn't pulling Unix group from OpenDirectory, but the old one was?
Thank you for that test code, that is extremely helpful. The output on the NEW server returns: "False" The output on the OLD server returns: "True" From the behavior observed, plus the information you provided above... I agree that it looks like I will have to pull this information in another way. I just missed your email late last night... in my prior reply I have a working prototype that queries opendirectory for the user authentication ... and queries the group via openldap (via opendirectory). It appears to be working; I plan to test it more today.
Usually, using "Group-Name" is a bad choice; if there is a backend database (LDAP, SQL, text files) you are better off querying it directly, rather than interposing the get*nam APIs.
Thank you for this... I did not know that Group-Name is not always the best choice. I seem to be missing an obvious piece of documentation... but neither http://freeradius.org/rfc/attributes.html or http://freeradius.org/radiusd/man/users.html or http://freeradius.org/radiusd/man/rlm_unix.html mention anything about Group-Name. Can you point me towards a document describing this? (tried searching, I must be missing it) Thanks again.
participants (4)
-
Alan DeKok -
Klaus Klein -
Phil Mayers -
Theparanoidone Theparanoidone