Freeradius and vlan assignment

Bruno Mardirossian b.mardirossian at gmail.com
Fri Mar 9 03:48:49 CET 2007


Hello!

I am working on implementing *freeradius* with a cisco 3750 switch
connected to *freeradius*, which then talks to AD.  (The linux box is on the
AD domain)

Anyway, we are trying to do VLAN assignment by using the 'users' file.

We created a user named 'test' on my AD server, and we created this section
in the users file:

test    Auth-Type := MS-CHAP
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 2

The user is correctly authenticated by AD, but he is put in the default
VLAN (id 1) and not in the VLAN defined in the 'users' file (id 2).

By the way, reading the radiusd output, I think that freeradius does not
read my users file... I didn't see in the log anything about the Tunnel-Type
or Tunnel-Private-Group-Id information.

Anyone have any thoughts?

Regards

Bruno

Message-Authenticator = 0xa309657e84ce8131d67aa64d9a491059
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
    users: Matched entry DEFAULT at line 165
    users: Matched entry DEFAULT at line 184
  modcall[authorize]: module "files" returns ok for request 6
  rlm_eap: EAP packet type response id 6 length 90
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type MS-CHAP
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Setting User-Name to CSB\test
  PEAP: Adding old state with 86 79
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
    users: Matched entry DEFAULT at line 165
  modcall[authorize]: module "files" returns ok for request 6
  rlm_eap: EAP packet type response id 6 length 67
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type MS-CHAP
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
radius_xlat: Running registered xlat function of module mschap for string
'NT-Domain'
radius_xlat: Running registered xlat function of module mschap for string
'User-Name'
radius_xlat: Running registered xlat function of module mschap for string
'Challenge'
 mschap2: 9a
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --domain=CSB
--username=test --challenge=0529c10bac22a3fa
--nt-response=4b1e21679b85263858da26874073491971a58f8bfc024456'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=CSB
--username=test --challenge=0529c10bac22a3fa
--nt-response=4b1e21679b85263858da26874073491971a58f8bfc024456
Exec-Program output: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program-Wait: plaintext: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 6
modcall: group Auth-Type returns ok for request 6
MSCHAP Success
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
  PEAP: Got tunneled Access-Challenge
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 138 to 192.168.16.1:1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message =
0x0107004a1900170301003f58b6111cc333922058a5d79f63641e19ae7154e3504573da98346c88f080fe8ee04ad4b50f3cdc52fd02e8909b9f8f9a439730b7cee4654c18135432e651e7
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1f45be689bd5bd8a6d8ace2af886bb6c
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=139,
length=165
        NAS-IP-Address = 192.168.16.1
        NAS-Port = 50147
        NAS-Port-Type = Ethernet
        User-Name = "CSB\\test"
        Called-Station-Id = "00-17-5A-1B-28-B3"
        Calling-Station-Id = "00-04-75-85-8F-61"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x1f45be689bd5bd8a6d8ace2af886bb6c
        EAP-Message =
0x0207001d19001703010012b8f868205426ef722e2433e5defa62455113
        Message-Authenticator = 0x2e5a0be42b038b2404f5c93ea27d5387
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
    rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 7
    users: Matched entry DEFAULT at line 165
    users: Matched entry DEFAULT at line 184
  modcall[authorize]: module "files" returns ok for request 7
  rlm_eap: EAP packet type response id 7 length 29
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
modcall: group authorize returns updated for request 7
  rad_check_password:  Found Auth-Type MS-CHAP
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Setting User-Name to CSB\test
  PEAP: Adding old state with a8 0f
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
    rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 7
    users: Matched entry DEFAULT at line 165
  modcall[authorize]: module "files" returns ok for request 7
  rlm_eap: EAP packet type response id 7 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
modcall: group authorize returns updated for request 7
  rad_check_password:  Found Auth-Type MS-CHAP
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 7
modcall: group authenticate returns ok for request 7
Trying to look up name of unknown client 127.0.0.1.
Login OK: [CSB\\test/<no User-Password attribute>] (from client
UNKNOWN-CLIENT port 0)
  PEAP: Tunneled authentication was successful.
  rlm_eap_peap: SUCCESS
  modcall[authenticate]: module "eap" returns handled for request 7
modcall: group authenticate returns handled for request 7
Sending Access-Challenge of id 139 to 192.168.16.1:1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message =
0x010800261900170301001b8d03a63c700234ed33060b7b6b9274d27b9e872a002e885ab9ebf3
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x5a28f8fd3d7fde4a88411d022625e022
Finished request 7
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=140,
length=174
        NAS-IP-Address = 192.168.16.1
        NAS-Port = 50147
        NAS-Port-Type = Ethernet
        User-Name = "CSB\\test"
        Called-Station-Id = "00-17-5A-1B-28-B3"
        Calling-Station-Id = "00-04-75-85-8F-61"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x5a28f8fd3d7fde4a88411d022625e022
        EAP-Message =
0x020800261900170301001b44c1c9880e33cd6e472ba624ff53ee4f53e1588d0da394c02c0522
        Message-Authenticator = 0x50fd41edb7beeee318cfd915201602f4
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
  modcall[authorize]: module "preprocess" returns ok for request 8
  modcall[authorize]: module "chap" returns noop for request 8
    rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 8
    users: Matched entry DEFAULT at line 165
    users: Matched entry DEFAULT at line 184
  modcall[authorize]: module "files" returns ok for request 8
  rlm_eap: EAP packet type response id 8 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 8
  modcall[authorize]: module "mschap" returns noop for request 8
modcall: group authorize returns updated for request 8
  rad_check_password:  Found Auth-Type MS-CHAP
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 8
modcall: group authenticate returns ok for request 8
Login OK: [CSB\\test/<no User-Password attribute>] (from client reseau16
port 50147 cli 00-04-75-85-8F-61)
Sending Access-Accept of id 140 to 192.168.16.1:1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        MS-MPPE-Recv-Key =
0xf1a6b62d3814b8fc8f3ac5601a89ddacc1c47c4387e21b35fe33bdbffaf15486
        MS-MPPE-Send-Key =
0x1ba3df6508e8c7f03112980ae8e1255bfec5c05ab397c927a9b56be7335714fd
        EAP-Message = 0x03080004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "CSB\\test"
Finished request 8
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 132 with timestamp 45f0c882
Cleaning up request 1 ID 133 with timestamp 45f0c882
Cleaning up request 2 ID 134 with timestamp 45f0c882
Cleaning up request 3 ID 135 with timestamp 45f0c882
Cleaning up request 4 ID 136 with timestamp 45f0c882
Cleaning up request 5 ID 137 with timestamp 45f0c882
Cleaning up request 6 ID 138 with timestamp 45f0c882
Cleaning up request 7 ID 139 with timestamp 45f0c882
Cleaning up request 8 ID 140 with timestamp 45f0c882
Nothing to do.  Sleeping until we see a request.
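As an added example (not from the post or the FreeRADIUS project): a small Python checker that reads radiusd -X output of the shape quoted above and reports, per Access-Accept, which users entries matched, the User-Name the files module actually saw, and whether the three Tunnel-* reply items left the server. In the quoted log the request carries User-Name "CSB\\test" while the entry is "test", only DEFAULT entries match, and the Access-Accept contains no Tunnel-* items; the sample logs, the `Attr:0` tag formatting in GOOD_LOG and the line-12 entry are constructed.

```python
import re

# Constructed excerpts in the shape of the radiusd -X output quoted in the post: BAD_LOG
# mirrors it; GOOD_LOG is the assumed shape of a working VLAN assignment (tagged attrs).
BAD_LOG = r"""
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=140, length=174
        User-Name = "CSB\\test"
    users: Matched entry DEFAULT at line 165
    users: Matched entry DEFAULT at line 184
Sending Access-Accept of id 140 to 192.168.16.1:1645
        User-Name = "CSB\\test"
"""
GOOD_LOG = r"""
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=141, length=160
        User-Name = "test"
    users: Matched entry test at line 12
Sending Access-Accept of id 141 to 192.168.16.1:1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "2"
"""
VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")
NEW = lambda: {"req": {}, "entries": [], "reply": None, "attrs": {}}

def parse_debug(log):
    """Group the log by packet id: request attrs, users entries matched, reply code, reply attrs."""
    recs, cur, in_reply = {}, NEW(), False   # cur starts as a throwaway record
    for line in log.splitlines():
        if m := re.match(r"rad_recv: Access-Request .* id=(\d+)", line):
            cur, in_reply = recs.setdefault(m[1], NEW()), False
        elif m := re.match(r"Sending (Access-\w+) of id (\d+)", line):
            cur, in_reply = recs.setdefault(m[2], NEW()), True
            cur["reply"] = m[1]
        elif m := re.match(r"\s*users: Matched entry (\S+) at line", line):
            cur["entries"].append(m[1])
        elif m := re.match(r"\s+([\w-]+)(?::\d+)? = (.*)", line):   # ":tag" suffix dropped
            (cur["attrs"] if in_reply else cur["req"])[m[1]] = m[2].strip().strip('"')
    return recs

def check_vlan(log, entry, vlan):
    """Per Access-Accept: did 'entry' match, and did all three VLAN items go out with the expected id?"""
    out = []
    for pid, r in parse_debug(log).items():
        if r["reply"] == "Access-Accept":
            missing = [a for a in VLAN_ATTRS if a not in r["attrs"]]
            out.append({"id": pid, "user": r["req"].get("User-Name"), "missing": missing,
                        "entry_matched": entry in r["entries"],
                        "vlan_ok": not missing and r["attrs"]["Tunnel-Private-Group-Id"] == str(vlan)})
    return out
```

Run it over a full `radiusd -X` capture to see, for each accepted session, whether the entry you wrote is the one rlm_files matched against the User-Name it received.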