Evaluate Ldap-Group and SSID for WiFi authorization
People, good morning...I have a Freeradius with AD authentication and LDAP authorization working OK. Now I have to authorize users that belong to GROUP1 and have SSID = Free, I have these definitions: - GROUP1 is a group defined in the AD - SSID comes with Called-Station-Id in the form MAC Address:SSID, for example "51:bc:11:e1:34:70:Free", and it's not defined i the AD - The clause defined in default and inner-tunnel files is: if (LDAP-Group == "GROUP1" && Called-Station-Id == "*:Free") { update reply { Reply-Message = "Hello %{User-Name}: Access allowed" } ok } else { reject After testing, I fail and this is the debug: Wed Aug 23 09:34:58 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in group GROUP1 Wed Aug 23 09:34:58 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 23 09:34:58 2017 : Info: ? Evaluating (LDAP-Group == "GROUP1" ) -> TRUE Wed Aug 23 09:34:58 2017 : Info: (Attribute Called-Station-Id was not found) Wed Aug 23 09:34:58 2017 : Info: ? Evaluating (Called-Station-Id == "*:Free") -> FALSE Wed Aug 23 09:34:58 2017 : Info: ++? if (LDAP-Group == "GROUP1" && Called-Station-Id == "*:Free") -> FALSE Wed Aug 23 09:34:58 2017 : Info: ++else else { Wed Aug 23 09:34:58 2017 : Info: +++[reject] = reject Wed Aug 23 09:34:58 2017 : Info: ++} # else else = reject Wed Aug 23 09:34:58 2017 : Info: +} # group authorize = reject Wed Aug 23 09:34:58 2017 : Info: Using Post-Auth-Type REJECT Wed Aug 23 09:34:58 2017 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel Wed Aug 23 09:34:58 2017 : Info: +group REJECT { Can you help me please? Thanks in advance. ADAM
On Aug 23, 2017, at 9:06 AM, Adam Cage <adamcage27@gmail.com> wrote:
People, good morning...I have a Freeradius with AD authentication and LDAP authorization working OK.
That's good.
Now I have to authorize users that belong to GROUP1 and have SSID = Free, I have these definitions:
- GROUP1 is a group defined in the AD
- SSID comes with Called-Station-Id in the form MAC Address:SSID, for example "51:bc:11:e1:34:70:Free", and it's not defined i the AD
That's the standard way it's received, yes.
- The clause defined in default and inner-tunnel files is:
if (LDAP-Group == "GROUP1" && Called-Station-Id == "*:Free") {
No, that won't work. See "man unlang". The equality comparison == tests for *equality*. And the string "51:bc:11:e1:34:70:Free" isn't equal to the string ":Free" You should use regular expressions instead: See the =~ operator.
After testing, I fail and this is the debug:
Wed Aug 23 09:34:58 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in group GROUP1 Wed Aug 23 09:34:58 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 23 09:34:58 2017 : Info: ? Evaluating (LDAP-Group == "GROUP1" ) -> TRUE Wed Aug 23 09:34:58 2017 : Info: (Attribute Called-Station-Id was not found)
That's a different error. It means that the Called-Station-ID attribute wasn't found... so you can't do matches on it. Fix that problem first. You probably want: if (LDAP-Group == "GROUP1" && outer:Called-Station-Id =~ /:Free$/ ) { Alan DeKok.
Dear Alan, i've done what you say and this too: if (LDAP-Group == "GROUP1" && Called-Station-Id =~ /:Free$/) But I fail again, below is the debug..... Maybe I have to add a new attribute "Called-Station-Id" for each AD username ??? Because I've never add it at all in AD and in debug I can red *Attribute Called-Station-Id was not found:* Debug: rlm_ldap::ldap_groupcmp: User found in group GROUP1 Wed Aug 23 14:01:16 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 23 14:01:16 2017 : Info: ? Evaluating (LDAP-Group == "GROUP1" ) -> TRUE Wed Aug 23 14:01:16 2017 : Info: *(Attribute Called-Station-Id was not found)* Wed Aug 23 14:01:16 2017 : Info: ? Evaluating (Called-Station-Id =~ /:Free$/) -> FALSE Wed Aug 23 14:01:16 2017 : Info: ++? if (LDAP-Group == "GROUP1" && Called-Station-Id =~ /:Free$/) -> FALSE Wed Aug 23 14:01:16 2017 : Info: ++else else { Wed Aug 23 14:01:16 2017 : Info: +++[reject] = reject Wed Aug 23 14:01:16 2017 : Info: ++} # else else = reject Wed Aug 23 14:01:16 2017 : Info: +} # group authorize = reject Thanks again, regards!!! 2017-08-23 10:59 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Aug 23, 2017, at 9:06 AM, Adam Cage <adamcage27@gmail.com> wrote:
People, good morning...I have a Freeradius with AD authentication and
LDAP
authorization working OK.
That's good.
Now I have to authorize users that belong to GROUP1 and have SSID = Free, I have these definitions:
- GROUP1 is a group defined in the AD
- SSID comes with Called-Station-Id in the form MAC Address:SSID, for example "51:bc:11:e1:34:70:Free", and it's not defined i the AD
That's the standard way it's received, yes.
- The clause defined in default and inner-tunnel files is:
if (LDAP-Group == "GROUP1" && Called-Station-Id == "*:Free") {
No, that won't work. See "man unlang". The equality comparison == tests for *equality*. And the string "51:bc:11:e1:34:70:Free" isn't equal to the string ":Free"
You should use regular expressions instead: See the =~ operator.
After testing, I fail and this is the debug:
Wed Aug 23 09:34:58 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in group GROUP1 Wed Aug 23 09:34:58 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0 Wed Aug 23 09:34:58 2017 : Info: ? Evaluating (LDAP-Group == "GROUP1" ) -> TRUE Wed Aug 23 09:34:58 2017 : Info: (Attribute Called-Station-Id was not found)
That's a different error.
It means that the Called-Station-ID attribute wasn't found... so you can't do matches on it.
Fix that problem first. You probably want:
if (LDAP-Group == "GROUP1" && outer:Called-Station-Id =~ /:Free$/ ) {
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Wed, 2017-08-23 at 14:09 -0300, Adam Cage wrote:
Maybe I have to add a new attribute "Called-Station-Id" for each AD username ???
The NAS should add that, so if it's not there then you need to look at the NAS and see if there is an option to add it. Otherwise there might be another attribute with the SSID in it that you can use.
Because I've never add it at all in AD and in debug I can red *Attribute Called-Station-Id was not found:*
Debug: rlm_ldap::ldap_groupcmp: User found in group GROUP1 Wed Aug 23 14:01:16 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0 ...
It makes it *really* hard to tell what's happening without the full debug output. Please can you start the server with -X (only -X, not -Xx or similar) and capture all the debug, right from the FreeRADIUS banner down to the final Access-Accept or Access-Reject, and post that to the list, rather than just small bits of it. -- Matthew
Dear Alan and Mattheu....I really appreciate your help. Following Alan's unlang clause, I've defined in default and inner-tunnel files: if (LDAP-Group == "GROUP1" && outer:Called-Station-Id =~ /:Free$/) { update reply { Reply-Message = "Hello %{User-Name}: you can access now" } ok } else { reject } But I see a this false evaluation line: ? Evaluating (outer:Called-Station-Id =~ /:Free$/) -> FALSE Taking into account that the NAS is sending the Called-Station-Id attribute: Called-Station-Id = "44:ad:d9:0e:dd:40:Free" as you can see in the following complete debug....can you help me please ??? Thanks again. root@hostA# freeradius -X freeradius: freeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 24 2014 at 02:05:28 Copyright (C) 1999-2013 The FREERADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FREERADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/dhcp_sqlippool including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/cache including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/radrelay including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = no } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.10.1.100 { require_message_authenticator = no secret = "d3ll4m4n0" shortname = "WLC" nastype = "cisco" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file ? modules { Module: Creating Auth-Type = digest Module: Creating Auth-Type = ntlm_auth Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-company} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 1024 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Instantiating module "ntlm_auth" from file /etc/freeradius/modules/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=company --username=%{mschap:User-Name} --password=%{User-Password}" input_pairs = "request" shell_escape = yes } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/huntgroups reading pairlist file /etc/freeradius/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius/users reading pairlist file /etc/freeradius/acct_users reading pairlist file /etc/freeradius/preproxy_users Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap ldap { server = "dc.company.net" port = 389 password = "xjjxta123" expect_password = yes identity = "cn=query,ou=My Company,dc=company,dc=net" net_timeout = 1 timeout = 4 timelimit = 3 max_uses = 0 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "OU=My Company,DC=company,DC=net" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes chase_referrals = yes rebind = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))" groupmembership_attribute = "memberOf" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = no keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x1146420 Module: Linked to module rlm_always Module: Instantiating module "ok" from file /etc/freeradius/modules/always always ok { rcode = "ok" simulcount = 0 mpp = no } Module: Instantiating module "reject" from file /etc/freeradius/modules/always always reject { rcode = "reject" simulcount = 0 mpp = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 46029 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=132, length=246 User-Name = "adam" Calling-Station-Id = "54:27:1e:0c:0b:fc" Called-Station-Id = "44:ad:d9:0e:dd:40:Free" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000001b759a01dda" NAS-IP-Address = 10.10.1.100 NAS-Identifier = "WLC" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x0202000f0165616c6d6f6e61636964 Message-Authenticator = 0xdcb2ca58cc8c16674776ee538ce439cc # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 2 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for adam [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> adam [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=adam) [ldap] expand: OU=My Company,DC=company,DC=net -> OU=My Company,DC=company,DC=net [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in OU=My Company,DC=company,DC=net, with filter (sAMAccountName=adam) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop ++? if (LDAP-Group == "GROUP1" && outer:Called-Station-Id =~ /:Free$/) [ldap] Entering ldap_groupcmp() expand: OU=My Company,DC=company,DC=net -> OU=My Company,DC=company,DC=net expand: (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dAdam Cage\2cOU\3dInfra\2cOU\3dG. Infra\2cOU\3dTech\2cOU\3dUsers\2cOU\3dMy Company\2cDC\3dcompany\2cDC\3dnet))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in OU=My Company,DC=company,DC=net, with filter (&(cn=free)(|(&(objectClass=group)(member=CN\3dAdam Cage\2cOU\3dInfra\2cOU\3dG. Infra\2cOU\3dTech\2cOU\3dUsers\2cOU\3dMy Company\2cDC\3dcompany\2cDC\3dnet)))) rlm_ldap::ldap_groupcmp: User found in group GROUP1 [ldap] ldap_release_conn: Release Id: 0 ? Evaluating (LDAP-Group == "GROUP1" ) -> TRUE ? Evaluating (outer:Called-Station-Id =~ /:Free$/) -> FALSE ++? if (LDAP-Group == "GROUP1" && outer:Called-Station-Id =~ /:Free$/) -> FALSE ++else else { +++[reject] = reject ++} # else else = reject +} # group authorize = reject Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> adam attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 132 to 10.10.1.100 port 32769 Waking up in 4.9 seconds. Cleaning up request 1 ID 132 with timestamp +69 Ready to process requests. 2017-08-23 15:55 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Aug 23, 2017, at 1:09 PM, Adam Cage <adamcage27@gmail.com> wrote:
Dear Alan, i've done what you say
No.
and this too:
if (LDAP-Group == "GROUP1" && Called-Station-Id =~ /:Free$/)
That's not what I said to do.
Please read instructions, and follow instructions.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Aug 25, 2017, at 9:36 AM, Adam Cage <adamcage27@gmail.com> wrote:
Dear Alan and Mattheu....I really appreciate your help.
Following Alan's unlang clause, I've defined in default and inner-tunnel files:
if (LDAP-Group == "GROUP1" && outer:Called-Station-Id =~ /:Free$/) {
<sigh> I think you're not really paying attention. You don't understand how the server works, which is fine. The worse bit is you're not trying to understand how the server works. You're either not following instructions, or you're doing more than suggested without thinking about what's going on. Read "man unlang" to see what "outer" refers to. Then, think of the difference between the "default" server, and the "inner-tunnel" server. Which one is likely to allow "outer", and which one isn't likely to allow "outer"? Alan DeKok.
Dear, I've tried to understand the outer condition uses. I think it has to be used only in the inner-tunnel file, in order to evaluate the outer session. In my case I have now: *default file:* if (LDAP-Group == "GROUP1" && NAS-Identifier == "WLC01") { update reply { Reply-Message = "Hello %{User-Name}: access accept" } ok } else { reject } } *inner-tunnel file:* if (LDAP-Group == "GROUP1" && *outer*:NAS-Identifier == "WLC01") { update reply { Reply-Message = "Hello %{User-Name}: access accept" } ok } else { reject } } But I fail again, obtaining this error and being that this attribute is presenta: *? Evaluating (outer:NAS-Identifier == "WLC01") -> FALSE* Please can you explain me more in detail please??? Maybe I can't understand the use of defaut and inner-tunnel files, or the freeradius service in this case. Here is the debug output for "freeradius -X"....Special thanks. Ready to process requests. rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=228, length=393 User-Name = "adam" Calling-Station-Id = "54:27:1e:0c:0b:fc" Called-Station-Id = "44:ad:d9:0e:dd:40:Free" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f" NAS-IP-Address = 10.10.1.100 NAS-Identifier = "WLC01" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x02050090198000000086160301004610000042410432792b036bc1709157e9445300659df8e6cf018b852670087cb1872e45d8761d642753670fff9f0f4b2ace10852d4bcab684b4d631b0b3fb4d3471a3e4512f3914030100010116030100300552e45342d366c067ee5176b2c0e9082d5eb83c62dc7d9de87f6b25f0c47b3172a486bfad09e4925648e1208251f27b State = 0x1dbde0c41fb8f982d90bece46c6e4509 Message-Authenticator = 0x8a2a7ce59d3a714c2798ff5a6d0b272d # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 5 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 228 to 10.10.1.100 port 32769 EAP-Message = 0x01060041190014030100010116030100306d19383a9faaa50c050b9d84368783de27c6c838e42614994a241d335fa33d920410bc9c618e3a65c753c7d35f0e8ecb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1dbde0c41ebbf982d90bece46c6e4509 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=229, length=255 User-Name = "adam" Calling-Station-Id = "54:27:1e:0c:0b:fc" Called-Station-Id = "44:ad:d9:0e:dd:40:Free" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f" NAS-IP-Address = 10.10.1.100 NAS-Identifier = "WLC01" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x020600061900 State = 0x1dbde0c41ebbf982d90bece46c6e4509 Message-Authenticator = 0x03765dcebe56926425508b7d393479fc # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 229 to 10.10.1.100 port 32769 EAP-Message = 0x0107002b190017030100204c55bea2a6991c719a753f19dc13e87d872edd5639901eb0181643885baa89c9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1dbde0c419baf982d90bece46c6e4509 Finished request 5. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=230, length=292 User-Name = "adam" Calling-Station-Id = "54:27:1e:0c:0b:fc" Called-Station-Id = "44:ad:d9:0e:dd:40:Free" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f" NAS-IP-Address = 10.10.1.100 NAS-Identifier = "WLC01" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x0207002b19001703010020033da24f215ff6770592352ee0baf65289e6783f14fc951694bfcf523340d15e State = 0x1dbde0c419baf982d90bece46c6e4509 Message-Authenticator = 0x25023a51868485812fdf968ca7c2ac85 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 7 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - adam [peap] Got inner identity 'adam' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0207000f0165616c6d6f6e61636964 server { [peap] Setting User-Name to adam Sending tunneled request EAP-Message = 0x0207000f0165616c6d6f6e61636964 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "adam" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 7 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for adam [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> adam [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=adam) [ldap] expand: OU=Bapro Pagos,DC=g-bapro,DC=net -> OU=Bapro Pagos,DC=g-bapro,DC=net [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in OU=Bapro Pagos,DC=g-bapro,DC=net, with filter (sAMAccountName=adam) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop ++? if (LDAP-Group == "GROUP1" && outer:NAS-Identifier == "WLC01") [ldap] Entering ldap_groupcmp() expand: OU=My Company,DC=company,DC=net -> OU=My Company,DC=company,DC=net expand: (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dAdam Cage\2cOU\3dInfra\2cOU\3dG. Infra\2cOU\3dTech\2cOU\3dUsers\2cOU\3dMy Company\2cDC\3dcompany\2cDC\3dnet))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in OU=My Company,DC=company,DC=net, with filter (&(cn=GROUP1)(|(&(objectClass=group)(member=CN\3dAdam Cage\2cOU\3dInfra\2cOU\3dG. Infra\2cOU\3dTech\2cOU\3dUsers\2cOU\3dMy Company\2cDC\3dcompany\2cDC\3dnet)))) rlm_ldap::ldap_groupcmp: User found in group GROUP1 [ldap] ldap_release_conn: Release Id: 0 ? Evaluating (LDAP-Group == "GROUP1" ) -> TRUE *? Evaluating (outer:NAS-Identifier == "WLC01") -> FALSE* *++? if (LDAP-Group == "GROUP1" && outer:NAS-Identifier == "WLC01") -> FALSE* ++else else { +++[reject] = reject ++} # else else = reject +} # group authorize = reject Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> adam attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 230 to 10.10.1.100 port 32769 EAP-Message = 0x0108002b190017030100200110bb6389cea250a4fc8af36ccb735d15113f987e1111157885061c0ca49f7e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1dbde0c418b5f982d90bece46c6e4509 Finished request 6. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=231, length=292 User-Name = "adam" Calling-Station-Id = "54:27:1e:0c:0b:fc" Called-Station-Id = "44:ad:d9:0e:dd:40:Free" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f" NAS-IP-Address = 10.10.1.100 NAS-Identifier = "WLC01" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x0208002b190017030100209e06e7779f2ee5fa88ec212fd2bfefd507fe3c35fa6307e630725297878cfb69 State = 0x1dbde0c418b5f982d90bece46c6e4509 Message-Authenticator = 0xfd7de78469c2187df23354803c7deef3 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> adam attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 231 to 10.10.1.100 port 32769 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 2017-08-25 11:37 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Aug 25, 2017, at 9:36 AM, Adam Cage <adamcage27@gmail.com> wrote:
Dear Alan and Mattheu....I really appreciate your help.
Following Alan's unlang clause, I've defined in default and inner-tunnel files:
if (LDAP-Group == "GROUP1" && outer:Called-Station-Id =~ /:Free$/) {
<sigh>
I think you're not really paying attention. You don't understand how the server works, which is fine. The worse bit is you're not trying to understand how the server works.
You're either not following instructions, or you're doing more than suggested without thinking about what's going on.
Read "man unlang" to see what "outer" refers to. Then, think of the difference between the "default" server, and the "inner-tunnel" server. Which one is likely to allow "outer", and which one isn't likely to allow "outer"?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Hi, I am not sure but have you tried to use: outer.request:Called-Station-Id in place of outer:Called-Station-Id People: does this clauses work in Freeradius 2.2.x or does Adam have to use Freeradkius 3.X ? 2017-08-25 13:13 GMT-03:00 Adam Cage <adamcage27@gmail.com>:
Dear, I've tried to understand the outer condition uses. I think it has to be used only in the inner-tunnel file, in order to evaluate the outer session. In my case I have now:
*default file:*
if (LDAP-Group == "GROUP1" && NAS-Identifier == "WLC01") { update reply { Reply-Message = "Hello %{User-Name}: access accept" } ok } else { reject } }
*inner-tunnel file:*
if (LDAP-Group == "GROUP1" && *outer*:NAS-Identifier == "WLC01") { update reply { Reply-Message = "Hello %{User-Name}: access accept" } ok } else { reject } }
But I fail again, obtaining this error and being that this attribute is presenta:
*? Evaluating (outer:NAS-Identifier == "WLC01") -> FALSE*
Please can you explain me more in detail please??? Maybe I can't understand the use of defaut and inner-tunnel files, or the freeradius service in this case. Here is the debug output for "freeradius -X"....Special thanks.
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=228, length=393 User-Name = "adam" Calling-Station-Id = "54:27:1e:0c:0b:fc" Called-Station-Id = "44:ad:d9:0e:dd:40:Free" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f" NAS-IP-Address = 10.10.1.100 NAS-Identifier = "WLC01" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x02050090198000000086160301004610000042410432792b036bc17091 57e9445300659df8e6cf018b852670087cb1872e45d8761d642753670fff 9f0f4b2ace10852d4bcab684b4d631b0b3fb4d3471a3e4512f3914030100 010116030100300552e45342d366c067ee5176b2c0e9082d5eb83c62dc7d 9de87f6b25f0c47b3172a486bfad09e4925648e1208251f27b State = 0x1dbde0c41fb8f982d90bece46c6e4509 Message-Authenticator = 0x8a2a7ce59d3a714c2798ff5a6d0b272d # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 5 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 228 to 10.10.1.100 port 32769 EAP-Message = 0x01060041190014030100010116030100306d19383a9faaa50c050b9d84 368783de27c6c838e42614994a241d335fa33d920410bc9c618e3a65c753c7d35f0e8ecb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1dbde0c41ebbf982d90bece46c6e4509 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=229, length=255 User-Name = "adam" Calling-Station-Id = "54:27:1e:0c:0b:fc" Called-Station-Id = "44:ad:d9:0e:dd:40:Free" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f" NAS-IP-Address = 10.10.1.100 NAS-Identifier = "WLC01" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x020600061900 State = 0x1dbde0c41ebbf982d90bece46c6e4509 Message-Authenticator = 0x03765dcebe56926425508b7d393479fc # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 229 to 10.10.1.100 port 32769 EAP-Message = 0x0107002b190017030100204c55bea2a6991c719a753f19dc13e87d872e dd5639901eb0181643885baa89c9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1dbde0c419baf982d90bece46c6e4509 Finished request 5. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=230, length=292 User-Name = "adam" Calling-Station-Id = "54:27:1e:0c:0b:fc" Called-Station-Id = "44:ad:d9:0e:dd:40:Free" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f" NAS-IP-Address = 10.10.1.100 NAS-Identifier = "WLC01" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x0207002b19001703010020033da24f215ff6770592352ee0baf65289e6 783f14fc951694bfcf523340d15e State = 0x1dbde0c419baf982d90bece46c6e4509 Message-Authenticator = 0x25023a51868485812fdf968ca7c2ac85 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 7 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - adam [peap] Got inner identity 'adam' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0207000f0165616c6d6f6e61636964 server { [peap] Setting User-Name to adam Sending tunneled request EAP-Message = 0x0207000f0165616c6d6f6e61636964 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "adam" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 7 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for adam [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> adam [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=adam) [ldap] expand: OU=Bapro Pagos,DC=g-bapro,DC=net -> OU=Bapro Pagos,DC=g-bapro,DC=net [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in OU=Bapro Pagos,DC=g-bapro,DC=net, with filter (sAMAccountName=adam) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop ++? if (LDAP-Group == "GROUP1" && outer:NAS-Identifier == "WLC01") [ldap] Entering ldap_groupcmp() expand: OU=My Company,DC=company,DC=net -> OU=My Company,DC=company,DC=net expand: (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dAdam Cage\2cOU\3dInfra\2cOU\3dG. Infra\2cOU\3dTech\2cOU\3dUsers\2cOU\3dMy Company\2cDC\3dcompany\2cDC\3dnet))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in OU=My Company,DC=company,DC=net, with filter (&(cn=GROUP1)(|(&(objectClass=group)(member=CN\3dAdam Cage\2cOU\3dInfra\2cOU\3dG. Infra\2cOU\3dTech\2cOU\3dUsers\2cOU\3dMy Company\2cDC\3dcompany\2cDC\3dnet)))) rlm_ldap::ldap_groupcmp: User found in group GROUP1 [ldap] ldap_release_conn: Release Id: 0 ? Evaluating (LDAP-Group == "GROUP1" ) -> TRUE *? Evaluating (outer:NAS-Identifier == "WLC01") -> FALSE* *++? if (LDAP-Group == "GROUP1" && outer:NAS-Identifier == "WLC01") -> FALSE* ++else else { +++[reject] = reject ++} # else else = reject +} # group authorize = reject Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> adam attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 230 to 10.10.1.100 port 32769 EAP-Message = 0x0108002b190017030100200110bb6389cea250a4fc8af36ccb735d1511 3f987e1111157885061c0ca49f7e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1dbde0c418b5f982d90bece46c6e4509 Finished request 6. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=231, length=292 User-Name = "adam" Calling-Station-Id = "54:27:1e:0c:0b:fc" Called-Station-Id = "44:ad:d9:0e:dd:40:Free" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f" NAS-IP-Address = 10.10.1.100 NAS-Identifier = "WLC01" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x0208002b190017030100209e06e7779f2ee5fa88ec212fd2bfefd507fe 3c35fa6307e630725297878cfb69 State = 0x1dbde0c418b5f982d90bece46c6e4509 Message-Authenticator = 0xfd7de78469c2187df23354803c7deef3 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> adam attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 231 to 10.10.1.100 port 32769 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000
2017-08-25 11:37 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Aug 25, 2017, at 9:36 AM, Adam Cage <adamcage27@gmail.com> wrote:
Dear Alan and Mattheu....I really appreciate your help.
Following Alan's unlang clause, I've defined in default and
inner-tunnel
files:
if (LDAP-Group == "GROUP1" && outer:Called-Station-Id =~ /:Free$/) {
<sigh>
I think you're not really paying attention. You don't understand how the server works, which is fine. The worse bit is you're not trying to understand how the server works.
You're either not following instructions, or you're doing more than suggested without thinking about what's going on.
Read "man unlang" to see what "outer" refers to. Then, think of the difference between the "default" server, and the "inner-tunnel" server. Which one is likely to allow "outer", and which one isn't likely to allow "outer"?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Aug 25, 2017, at 3:48 PM, Tom Yard <tomyyard@gmail.com> wrote:
Hi, I am not sure but have you tried to use:
outer.request:Called-Station-Id in place of outer:Called-Station-Id
Hmm, yes. That was a typo on my end.
People: does this clauses work in Freeradius 2.2.x or does Adam have to use Freeradkius 3.X ?
It works in v2 also. Alan DeKok.
Dear, thank you, LDAP authorization works OK now. Using outer.request was the solution!!! At the moment I have this scenario: AD authentication --> OK LDAP group and SSID authorization --> OK Is it possible to add and SQL authorization in order to query a remote MySQL DB searching for MAC Addresses defined in a whitelist table ??? If the MAC Address is in the table, and the group and SSID are OK with the LDAP authorization section, finally the user can access the WiFi network. In the affirmative case, do I have to install a new freeradius package? And which extra files do I have to edit ? Thanks again, regards!!! ADAM 2017-08-25 16:55 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Aug 25, 2017, at 3:48 PM, Tom Yard <tomyyard@gmail.com> wrote:
Hi, I am not sure but have you tried to use:
outer.request:Called-Station-Id in place of outer:Called-Station-Id
Hmm, yes. That was a typo on my end.
People: does this clauses work in Freeradius 2.2.x or does Adam have to use Freeradkius 3.X ?
It works in v2 also.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Sep 1, 2017, at 8:58 AM, Adam Cage <adamcage27@gmail.com> wrote:
Dear, thank you, LDAP authorization works OK now. Using outer.request was the solution!!!
That's good.
At the moment I have this scenario:
AD authentication --> OK LDAP group and SSID authorization --> OK
Is it possible to add and SQL authorization in order to query a remote MySQL DB searching for MAC Addresses defined in a whitelist table ???
Sure. Just add an SQL query to the configuration: if ("%{sql:SELECT ... }") { ... } Run the SELECT manually. Use Calling-Station-ID for the MAC address, or if that attribute has the SSID in it, add "rewrite_called_station_id" in the "authorize" section, before the SQL SELECT.
If the MAC Address is in the table, and the group and SSID are OK with the LDAP authorization section, finally the user can access the WiFi network.
In the affirmative case, do I have to install a new freeradius package?
You will need to be sure that rlm_sql is installed. You may need to install v3. Honestly, just install 3.0.15, and go with that.
And which extra files do I have to edit ?
You will need to edit raddb/sites-enabled/default, and also the raddb/mods-enabled/sql Alan DeKok.
Dear Alan, thanks for your response....just two things for the moment:
You may need to install v3. Honestly, just install 3.0.15, and go with that.
Ok, but can I use my current server with version 2.2.5 in order to test the SQL authorization or the use of version 3.x is mandatory ???
You will need to edit raddb/sites-enabled/default, and also the raddb/mods-enabled/sql
Now I have edited default and inner-tunnel files, but you tell me to edit just default (and also sql module)...inner-tunel is not necessary??? Really thanks, regards! ADAM 2017-09-01 10:23 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Sep 1, 2017, at 8:58 AM, Adam Cage <adamcage27@gmail.com> wrote:
Dear, thank you, LDAP authorization works OK now. Using outer.request was the solution!!!
That's good.
At the moment I have this scenario:
AD authentication --> OK LDAP group and SSID authorization --> OK
Is it possible to add and SQL authorization in order to query a remote MySQL DB searching for MAC Addresses defined in a whitelist table ???
Sure. Just add an SQL query to the configuration:
if ("%{sql:SELECT ... }") { ... }
Run the SELECT manually. Use Calling-Station-ID for the MAC address, or if that attribute has the SSID in it, add "rewrite_called_station_id" in the "authorize" section, before the SQL SELECT.
If the MAC Address is in the table, and the group and SSID are OK with the LDAP authorization section, finally the user can access the WiFi network.
In the affirmative case, do I have to install a new freeradius package?
You will need to be sure that rlm_sql is installed.
You may need to install v3. Honestly, just install 3.0.15, and go with that.
And which extra files do I have to edit ?
You will need to edit raddb/sites-enabled/default, and also the raddb/mods-enabled/sql
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Sep 4, 2017, at 9:09 AM, Adam Cage <adamcage27@gmail.com> wrote:
Dear Alan, thanks for your response....just two things for the moment:
You may need to install v3. Honestly, just install 3.0.15, and go with that.
Ok, but can I use my current server with version 2.2.5 in order to test the SQL authorization or the use of version 3.x is mandatory ???
It's easier with v3.
You will need to edit raddb/sites-enabled/default, and also the raddb/mods-enabled/sql
Now I have edited default and inner-tunnel files, but you tell me to edit just default (and also sql module)...inner-tunel is not necessary???
It may be. Some amount of thinking for yourself is useful, too. Alan DeKok.
Dear Alan and people, I tell you again I succeeded in authorize with LDAP and authenticate against AD. But when I add the SQL authorization check to the existing LDAP check, I fail. I've followed Alan's suggestion, and I did these settings: 1- Installed the freeradius-mysql Debian package 2- Edited /etc/freeradius/sql.conf with the remote DB MySQL parameters (IP, user, pass, DB name, port). When I start Freeradius, and I execute tcpdump, I can see traffic to the remote DB on port 3306) 3- Uncommented $INCLUDE sql.conf in /etc/freeradius/radiusd.conf 4- Edited /etc/freeradius/sites-available/default file in this manner: authorize { if (LDAP-Group == "GROUP1" && Called-Station-Id =~ /:Free/ && "%{sql:SELECT COUNT(MacAddress) FROM FILTERS WHERE MacAddress = '%{Calling-Station-Id}'}" > 0) { update reply { Reply-Message = "Access enabled to WiFi" } ok } else { reject } } 5- Edited /etc/freeradius/sites-available/inner-tunnel file in this manner: authorize { if (LDAP-Group == "GROUP1" && Called-Station-Id =~ /:Free/ && "%{sql:SELECT COUNT(MacAddress) FROM FILTERS WHERE MacAddress = '%{outer.request:Calling-Station-Id}'}" > 0) { update reply { Reply-Message = "Access enabled to WiFi" } ok } else { reject } } Finally, the debug is this....Can you help me please ??? Thanks!!! # freeradius -X freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 24 2014 at 02:05:28 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/dhcp_sqlippool including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/cache including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/radrelay including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/sql.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = no } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.12.1.1 { require_message_authenticator = no secret = "xxxxx" shortname = "WLC" nastype = "cisco" radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file ? modules { Module: Creating Auth-Type = digest Module: Creating Auth-Type = ntlm_auth Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-COMPANY} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 1024 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Instantiating module "ntlm_auth" from file /etc/freeradius/modules/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=COMPANY --username=%{mschap:User-Name} --password=%{User-Password}" input_pairs = "request" shell_escape = yes } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/huntgroups reading pairlist file /etc/freeradius/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius/users reading pairlist file /etc/freeradius/acct_users reading pairlist file /etc/freeradius/preproxy_users Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /etc/freeradius/sql.conf sql { driver = "rlm_sql_mysql" server = "172.31.18.19" port = "3306" login = "usrFiltradoMac" password = "xxxx" radius_db = "filtromac" read_groups = yes sqltrace = no sqltracefile = "/var/log/freeradius/sqltrace.sql" readclients = no deletestalesessions = yes num_sql_socks = 32 lifetime = 0 max_queries = 0 sql_user_name = "" default_user_profile = "" nas_query = "SELECT id,nasname,shortname,type,secret FROM nas" authorize_check_query = "" authorize_group_check_query = "" authorize_group_reply_query = "" accounting_onoff_query = "" accounting_update_query = "" accounting_update_query_alt = "" accounting_start_query = "" accounting_start_query_alt = "" accounting_stop_query = "" accounting_stop_query_alt = "" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "" postauth_query = "" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to usrFiltradoMac@172.31.28.79:3306/filtromac rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): starting 5 rlm_sql (sql): Attempting to connect rlm_sql_mysql #5 rlm_sql_mysql: Starting connect to MySQL server for #5 rlm_sql (sql): Connected new DB handle, #5 rlm_sql (sql): starting 6 rlm_sql (sql): Attempting to connect rlm_sql_mysql #6 rlm_sql_mysql: Starting connect to MySQL server for #6 rlm_sql (sql): Connected new DB handle, #6 rlm_sql (sql): starting 7 rlm_sql (sql): Attempting to connect rlm_sql_mysql #7 rlm_sql_mysql: Starting connect to MySQL server for #7 rlm_sql (sql): Connected new DB handle, #7 rlm_sql (sql): starting 8 rlm_sql (sql): Attempting to connect rlm_sql_mysql #8 rlm_sql_mysql: Starting connect to MySQL server for #8 rlm_sql (sql): Connected new DB handle, #8 rlm_sql (sql): starting 9 rlm_sql (sql): Attempting to connect rlm_sql_mysql #9 rlm_sql_mysql: Starting connect to MySQL server for #9 rlm_sql (sql): Connected new DB handle, #9 rlm_sql (sql): starting 10 rlm_sql (sql): Attempting to connect rlm_sql_mysql #10 rlm_sql_mysql: Starting connect to MySQL server for #10 rlm_sql (sql): Connected new DB handle, #10 rlm_sql (sql): starting 11 rlm_sql (sql): Attempting to connect rlm_sql_mysql #11 rlm_sql_mysql: Starting connect to MySQL server for #11 rlm_sql (sql): Connected new DB handle, #11 rlm_sql (sql): starting 12 rlm_sql (sql): Attempting to connect rlm_sql_mysql #12 rlm_sql_mysql: Starting connect to MySQL server for #12 rlm_sql (sql): Connected new DB handle, #12 rlm_sql (sql): starting 13 rlm_sql (sql): Attempting to connect rlm_sql_mysql #13 rlm_sql_mysql: Starting connect to MySQL server for #13 rlm_sql (sql): Connected new DB handle, #13 rlm_sql (sql): starting 14 rlm_sql (sql): Attempting to connect rlm_sql_mysql #14 rlm_sql_mysql: Starting connect to MySQL server for #14 rlm_sql (sql): Connected new DB handle, #14 rlm_sql (sql): starting 15 rlm_sql (sql): Attempting to connect rlm_sql_mysql #15 rlm_sql_mysql: Starting connect to MySQL server for #15 rlm_sql (sql): Connected new DB handle, #15 rlm_sql (sql): starting 16 rlm_sql (sql): Attempting to connect rlm_sql_mysql #16 rlm_sql_mysql: Starting connect to MySQL server for #16 rlm_sql (sql): Connected new DB handle, #16 rlm_sql (sql): starting 17 rlm_sql (sql): Attempting to connect rlm_sql_mysql #17 rlm_sql_mysql: Starting connect to MySQL server for #17 rlm_sql (sql): Connected new DB handle, #17 rlm_sql (sql): starting 18 rlm_sql (sql): Attempting to connect rlm_sql_mysql #18 rlm_sql_mysql: Starting connect to MySQL server for #18 rlm_sql (sql): Connected new DB handle, #18 rlm_sql (sql): starting 19 rlm_sql (sql): Attempting to connect rlm_sql_mysql #19 rlm_sql_mysql: Starting connect to MySQL server for #19 rlm_sql (sql): Connected new DB handle, #19 rlm_sql (sql): starting 20 rlm_sql (sql): Attempting to connect rlm_sql_mysql #20 rlm_sql_mysql: Starting connect to MySQL server for #20 rlm_sql (sql): Connected new DB handle, #20 rlm_sql (sql): starting 21 rlm_sql (sql): Attempting to connect rlm_sql_mysql #21 rlm_sql_mysql: Starting connect to MySQL server for #21 rlm_sql (sql): Connected new DB handle, #21 rlm_sql (sql): starting 22 rlm_sql (sql): Attempting to connect rlm_sql_mysql #22 rlm_sql_mysql: Starting connect to MySQL server for #22 rlm_sql (sql): Connected new DB handle, #22 rlm_sql (sql): starting 23 rlm_sql (sql): Attempting to connect rlm_sql_mysql #23 rlm_sql_mysql: Starting connect to MySQL server for #23 rlm_sql (sql): Connected new DB handle, #23 rlm_sql (sql): starting 24 rlm_sql (sql): Attempting to connect rlm_sql_mysql #24 rlm_sql_mysql: Starting connect to MySQL server for #24 rlm_sql (sql): Connected new DB handle, #24 rlm_sql (sql): starting 25 rlm_sql (sql): Attempting to connect rlm_sql_mysql #25 rlm_sql_mysql: Starting connect to MySQL server for #25 rlm_sql (sql): Connected new DB handle, #25 rlm_sql (sql): starting 26 rlm_sql (sql): Attempting to connect rlm_sql_mysql #26 rlm_sql_mysql: Starting connect to MySQL server for #26 rlm_sql (sql): Connected new DB handle, #26 rlm_sql (sql): starting 27 rlm_sql (sql): Attempting to connect rlm_sql_mysql #27 rlm_sql_mysql: Starting connect to MySQL server for #27 rlm_sql (sql): Connected new DB handle, #27 rlm_sql (sql): starting 28 rlm_sql (sql): Attempting to connect rlm_sql_mysql #28 rlm_sql_mysql: Starting connect to MySQL server for #28 rlm_sql (sql): Connected new DB handle, #28 rlm_sql (sql): starting 29 rlm_sql (sql): Attempting to connect rlm_sql_mysql #29 rlm_sql_mysql: Starting connect to MySQL server for #29 rlm_sql (sql): Connected new DB handle, #29 rlm_sql (sql): starting 30 rlm_sql (sql): Attempting to connect rlm_sql_mysql #30 rlm_sql_mysql: Starting connect to MySQL server for #30 rlm_sql (sql): Connected new DB handle, #30 rlm_sql (sql): starting 31 rlm_sql (sql): Attempting to connect rlm_sql_mysql #31 rlm_sql_mysql: Starting connect to MySQL server for #31 rlm_sql (sql): Connected new DB handle, #31 Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap ldap { server = "ldap.company.net" port = 636 password = "xxx" expect_password = yes identity = "cn=connect,ou=Company,dc=company,dc=net" net_timeout = 1 timeout = 4 timelimit = 3 max_uses = 0 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "OU=Company,DC=company,DC=net" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes chase_referrals = yes rebind = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))" groupmembership_attribute = "memberOf" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = no keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x10e9b30 Module: Linked to module rlm_always Module: Instantiating module "ok" from file /etc/freeradius/modules/always always ok { rcode = "ok" simulcount = 0 mpp = no } Module: Instantiating module "reject" from file /etc/freeradius/modules/always always reject { rcode = "reject" simulcount = 0 mpp = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 51567 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.12.1.1 port 32769, id=238, length=246 User-Name = "adam" Calling-Station-Id = "54:27:1e:0c:0b:fc" Called-Station-Id = "44:ad:d9:0e:dd:40:Free" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c620000023159aecc35" NAS-IP-Address = 10.12.1.1 NAS-Identifier = "WLC" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x0203000f0165616c6d6f6e61636964 Message-Authenticator = 0x501b12ce48af68714f1030855775ae2a # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "adam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 3 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop rlm_sql (sql): Reserving sql socket id: 30 [sql] expand: -> [sql] Error generating query; rejecting user rlm_sql (sql): Released sql socket id: 30 ++[sql] = fail +} # group authorize = fail Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> adam attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 238 to 10.12.1.1 port 32769 Waking up in 4.9 seconds. Cleaning up request 1 ID 238 with timestamp +52 Ready to process requests. 2017-09-04 10:28 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Sep 4, 2017, at 9:09 AM, Adam Cage <adamcage27@gmail.com> wrote:
Dear Alan, thanks for your response....just two things for the moment:
You may need to install v3. Honestly, just install 3.0.15, and go with that.
Ok, but can I use my current server with version 2.2.5 in order to test
the
SQL authorization or the use of version 3.x is mandatory ???
It's easier with v3.
You will need to edit raddb/sites-enabled/default, and also the raddb/mods-enabled/sql
Now I have edited default and inner-tunnel files, but you tell me to edit just default (and also sql module)...inner-tunel is not necessary???
It may be. Some amount of thinking for yourself is useful, too.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
participants (4)
-
Adam Cage -
Alan DeKok -
Matthew Newton -
Tom Yard