Hi, my Enterasys-switche need the filter-id for policy enforcement. I've got a problem with 802.1X authentication. Here is the log: rad_recv: Access-Request packet from host 172.16.255.101 port 49169, id=171, length=190 User-Name = "DNT1\\testtom" Service-Type = Framed-User Called-Station-Id = "00-1F-45-19-9C-68" Calling-Station-Id = "00-1C-25-9B-0E-EB" NAS-Identifier = "D2_Zi31_Tom" NAS-IP-Address = 172.16.255.101 NAS-Port = 1 NAS-Port-Id = "ge.1.1" Framed-MTU = 1500 NAS-Port-Type = Ethernet State = 0x5a07edfa520df4edb36b506fccf290c2 EAP-Message = 0x020a001d1900170301001291f098b2e763cf55403eff0840390a3d3413 Message-Authenticator = 0xe6865e95c71f8c06d904dd297c05ee96 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.16.255.101/auth-detail-20091029 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.16.255.101/auth-detail-20091029 [auth_log] expand: %t -> Thu Oct 29 10:37:21 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "DNT1\testtom", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "DNT1" for User-Name = "DNT1\testtom" [ntdomain] No such realm "DNT1" ++[ntdomain] returns noop [eap] EAP packet type response id 10 length 29 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020a00061a03 server { PEAP: Setting User-Name to DNT1\testtom Sending tunneled request EAP-Message = 0x020a00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "DNT1\\testtom" State = 0xeb8ce38fea86f9b39b0a9d7efe7aaa3e server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "DNT1\testtom", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "DNT1" for User-Name = "DNT1\testtom" [ntdomain] No such realm "DNT1" ++[ntdomain] returns noop [eap] EAP packet type response id 10 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_ldap: Entering ldap_groupcmp() [files] expand: OU=Abt11-2,OU=Amt11,OU=Stadt Heidelberg,DC=heidelberg,DC=bw-online,DC=de -> OU=Abt11-2,OU=Amt11,OU=Stadt Heidelberg,DC=heidelberg,DC=bw-online,DC=de [files] expand: sAMAccountName=%{mschap:User-Name} -> sAMAccountName=testtom rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in OU=Abt11-2,OU=Amt11,OU=Stadt Heidelberg,DC=heidelberg,DC=bw-online,DC=de, with filter sAMAccountName=testtom rlm_ldap: ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=Group)(member=%{control:Ldap-UserDn}))(&(objectClass=Gr oupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=Group)(member=CN\3dTest\5c\2c Tom\2cOU\3dAbt11-2\2cOU\3dAmt11\2cOU\3dStadt Heidelberg\2cDC\3dheidelberg\2cDC\3dbw-online\2cDC\3dde))(&(objectClass= GroupOfUniqueNames)(uniquemember=CN\3dTest\5c\2c Tom\2cOU\3dAbt11-2\2cOU\3dAmt11\2cOU\3dStadt Heidelberg\2cDC\3dheidelberg\2cDC\3dbw-online\2cDC\3dde))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in OU=Abt11-2,OU=Amt11,OU=Stadt Heidelberg,DC=heidelberg,DC=bw-online,DC=de, with filter (&(cn=WWW)(|(&(objectClass=Group)(member=CN\3dTest\5c\2c Tom\2cOU\3dAbt11-2\2cOU\3dAmt11\2cOU\3dStadt Heidelberg\2cDC\3dheidelberg\2cDC\3dbw-online\2cDC\3dde))(&(objectClass= GroupOfUniqueNames)(uniquemember=CN\3dTest\5c\2c Tom\2cOU\3dAbt11-2\2cOU\3dAmt11\2cOU\3dStadt Heidelberg\2cDC\3dheidelberg\2cDC\3dbw-online\2cDC\3dde)))) rlm_ldap: object not found rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in CN=Test\, Tom,OU=Abt11-2,OU=Amt11,OU=Stadt Heidelberg,DC=heidelberg,DC=bw-online,DC=de, with filter (objectclass=*) rlm_ldap: performing search in CN=WWW,CN=Users,DC=heidelberg,DC=bw-online,DC=de, with filter (cn=WWW) rlm_ldap::ldap_groupcmp: User found in group WWW rlm_ldap: ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 215 ++[files] returns ok [ldap] performing user authorization for DNT1\testtom [ldap] expand: sAMAccountName=%{mschap:User-Name} -> sAMAccountName=testtom [ldap] expand: OU=Abt11-2,OU=Amt11,OU=Stadt Heidelberg,DC=heidelberg,DC=bw-online,DC=de -> OU=Abt11-2,OU=Amt11,OU=Stadt Heidelberg,DC=heidelberg,DC=bw-online,DC=de rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in OU=Abt11-2,OU=Amt11,OU=Stadt Heidelberg,DC=heidelberg,DC=bw-online,DC=de, with filter sAMAccountName=testtom [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user DNT1\testtom authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok Login OK: [DNT1\\testtom/<via Auth-Type = EAP>] (from client 172.16.255.101 port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 2 Filter-Id = "Enterasys:version=1:policy=Mitarbeiter" EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "DNT1\testtom" [peap] Got tunneled reply RADIUS code 2 Filter-Id = "Enterasys:version=1:policy=Mitarbeiter" EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "DNT1\testtom" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 171 to 172.16.255.101 port 49169 EAP-Message = 0x010b00261900170301001b0c226877915fee81581e5cdc61a6b02b5e53a364ba4d32a2 1da9bc Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5a07edfa530cf4edb36b506fccf290c2 Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.255.101 port 49169, id=172, length=199 User-Name = "DNT1\\testtom" Service-Type = Framed-User Called-Station-Id = "00-1F-45-19-9C-68" Calling-Station-Id = "00-1C-25-9B-0E-EB" NAS-Identifier = "D2_Zi31_Tom" NAS-IP-Address = 172.16.255.101 NAS-Port = 1 NAS-Port-Id = "ge.1.1" Framed-MTU = 1500 NAS-Port-Type = Ethernet State = 0x5a07edfa530cf4edb36b506fccf290c2 EAP-Message = 0x020b00261900170301001b5a6a60533756d32c9aab5a829fc0e0d05373ab92630a5ae1 12e1f0 Message-Authenticator = 0x3292991eacc6e9d3d99d5deef6d8b813 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.16.255.101/auth-detail-20091029 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.16.255.101/auth-detail-20091029 [auth_log] expand: %t -> Thu Oct 29 10:37:21 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "DNT1\testtom", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "DNT1" for User-Name = "DNT1\testtom" [ntdomain] No such realm "DNT1" ++[ntdomain] returns noop [eap] EAP packet type response id 11 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok Login OK: [DNT1\\testtom/<via Auth-Type = EAP>] (from client 172.16.255.101 port 1 cli 00-1C-25-9B-0E-EB) +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 172 to 172.16.255.101 port 49169 MS-MPPE-Recv-Key = 0x2089d240da067af3cffeae5b2ae13568d1db0f6d9f4120a8680f3438d63b7a63 MS-MPPE-Send-Key = 0xa991c884f9db4ae9b6cf6c5965d4c3ea46aa3b16a039a9a288c87413fe6cf4f6 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "DNT1\testtom" Finished request 10. Going to the next request Waking up in 4.9 seconds. The correct Filter-ID "Enterasys:version=1:policy=Mitarbeiter" in [peap] is pushed, but the switch got "invalid role". Is the Filter-ID overridden by the next Accept ? My users file contains DEFAULT Ldap-Group == "WWW" Framed-Filter-Id := "Enterasys:version=1:policy=Mitarbeiter" Any ideas ?
T.Robers@heidelberg.de wrote:
The correct Filter-ID "Enterasys:version=1:policy=Mitarbeiter" in [peap] is pushed, but the switch got "invalid role". Is the Filter-ID overridden by the next Accept ?
My users file contains
DEFAULT Ldap-Group == "WWW" Framed-Filter-Id := "Enterasys:version=1:policy=Mitarbeiter"
Any ideas ?
Enable use_tunneled_reply in peap section of eap.conf. Ivan Kalik Kalik Informatika ISP
participants (2)
-
Ivan Kalik -
T.Robers@heidelberg.de