reply to NAS not correct

T.Robers at heidelberg.de T.Robers at heidelberg.de
Thu Oct 29 14:25:57 CET 2009


Hi,

my Enterasys switch needs the Filter-Id for policy enforcement. I've got
a problem with 802.1X authentication. Here is the log:

rad_recv: Access-Request packet from host 172.16.255.101 port 49169,
id=171, length=190
        User-Name = "DNT1\\testtom"
        Service-Type = Framed-User
        Called-Station-Id = "00-1F-45-19-9C-68"
        Calling-Station-Id = "00-1C-25-9B-0E-EB"
        NAS-Identifier = "D2_Zi31_Tom"
        NAS-IP-Address = 172.16.255.101
        NAS-Port = 1
        NAS-Port-Id = "ge.1.1"
        Framed-MTU = 1500
        NAS-Port-Type = Ethernet
        State = 0x5a07edfa520df4edb36b506fccf290c2
        EAP-Message =
0x020a001d1900170301001291f098b2e763cf55403eff0840390a3d3413
        Message-Authenticator = 0xe6865e95c71f8c06d904dd297c05ee96
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/172.16.255.101/auth-detail-20091029
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/172.16.255.101/auth-detail-20091029
[auth_log]      expand: %t -> Thu Oct 29 10:37:21 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DNT1\testtom", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "DNT1" for User-Name = "DNT1\testtom"
[ntdomain] No such realm "DNT1"
++[ntdomain] returns noop
[eap] EAP packet type response id 10 length 29
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020a00061a03
server  {
  PEAP: Setting User-Name to DNT1\testtom
Sending tunneled request
        EAP-Message = 0x020a00061a03
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "DNT1\\testtom"
        State = 0xeb8ce38fea86f9b39b0a9d7efe7aaa3e
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "DNT1\testtom", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "DNT1" for User-Name = "DNT1\testtom"
[ntdomain] No such realm "DNT1"
++[ntdomain] returns noop
[eap] EAP packet type response id 10 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: OU=Abt11-2,OU=Amt11,OU=Stadt
Heidelberg,DC=heidelberg,DC=bw-online,DC=de ->
OU=Abt11-2,OU=Amt11,OU=Stadt Heidelberg,DC=heidelberg,DC=bw-online,DC=de
[files]         expand: sAMAccountName=%{mschap:User-Name} ->
sAMAccountName=testtom
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Abt11-2,OU=Amt11,OU=Stadt
Heidelberg,DC=heidelberg,DC=bw-online,DC=de, with filter
sAMAccountName=testtom
rlm_ldap: ldap_release_conn: Release Id: 0
[files]         expand:
(|(&(objectClass=Group)(member=%{control:Ldap-UserDn}))(&(objectClass=Gr
oupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) ->
(|(&(objectClass=Group)(member=CN\3dTest\5c\2c
Tom\2cOU\3dAbt11-2\2cOU\3dAmt11\2cOU\3dStadt
Heidelberg\2cDC\3dheidelberg\2cDC\3dbw-online\2cDC\3dde))(&(objectClass=
GroupOfUniqueNames)(uniquemember=CN\3dTest\5c\2c
Tom\2cOU\3dAbt11-2\2cOU\3dAmt11\2cOU\3dStadt
Heidelberg\2cDC\3dheidelberg\2cDC\3dbw-online\2cDC\3dde)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Abt11-2,OU=Amt11,OU=Stadt
Heidelberg,DC=heidelberg,DC=bw-online,DC=de, with filter
(&(cn=WWW)(|(&(objectClass=Group)(member=CN\3dTest\5c\2c
Tom\2cOU\3dAbt11-2\2cOU\3dAmt11\2cOU\3dStadt
Heidelberg\2cDC\3dheidelberg\2cDC\3dbw-online\2cDC\3dde))(&(objectClass=
GroupOfUniqueNames)(uniquemember=CN\3dTest\5c\2c
Tom\2cOU\3dAbt11-2\2cOU\3dAmt11\2cOU\3dStadt
Heidelberg\2cDC\3dheidelberg\2cDC\3dbw-online\2cDC\3dde))))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=Test\,
Tom,OU=Abt11-2,OU=Amt11,OU=Stadt
Heidelberg,DC=heidelberg,DC=bw-online,DC=de, with filter (objectclass=*)
rlm_ldap: performing search in
CN=WWW,CN=Users,DC=heidelberg,DC=bw-online,DC=de, with filter (cn=WWW)
rlm_ldap::ldap_groupcmp: User found in group WWW
rlm_ldap: ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 215
++[files] returns ok
[ldap] performing user authorization for DNT1\testtom
[ldap]  expand: sAMAccountName=%{mschap:User-Name} ->
sAMAccountName=testtom
[ldap]  expand: OU=Abt11-2,OU=Amt11,OU=Stadt
Heidelberg,DC=heidelberg,DC=bw-online,DC=de ->
OU=Abt11-2,OU=Amt11,OU=Stadt Heidelberg,DC=heidelberg,DC=bw-online,DC=de
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Abt11-2,OU=Amt11,OU=Stadt
Heidelberg,DC=heidelberg,DC=bw-online,DC=de, with filter
sAMAccountName=testtom
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
[ldap] user DNT1\testtom authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
Login OK: [DNT1\\testtom/<via Auth-Type = EAP>] (from client
172.16.255.101 port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 2
        Filter-Id = "Enterasys:version=1:policy=Mitarbeiter"
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "DNT1\testtom"
[peap] Got tunneled reply RADIUS code 2
        Filter-Id = "Enterasys:version=1:policy=Mitarbeiter"
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "DNT1\testtom"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 171 to 172.16.255.101 port 49169
        EAP-Message =
0x010b00261900170301001b0c226877915fee81581e5cdc61a6b02b5e53a364ba4d32a2
1da9bc
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x5a07edfa530cf4edb36b506fccf290c2
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.255.101 port 49169,
id=172, length=199
        User-Name = "DNT1\\testtom"
        Service-Type = Framed-User
        Called-Station-Id = "00-1F-45-19-9C-68"
        Calling-Station-Id = "00-1C-25-9B-0E-EB"
        NAS-Identifier = "D2_Zi31_Tom"
        NAS-IP-Address = 172.16.255.101
        NAS-Port = 1
        NAS-Port-Id = "ge.1.1"
        Framed-MTU = 1500
        NAS-Port-Type = Ethernet
        State = 0x5a07edfa530cf4edb36b506fccf290c2
        EAP-Message =
0x020b00261900170301001b5a6a60533756d32c9aab5a829fc0e0d05373ab92630a5ae1
12e1f0
        Message-Authenticator = 0x3292991eacc6e9d3d99d5deef6d8b813
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/172.16.255.101/auth-detail-20091029
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/172.16.255.101/auth-detail-20091029
[auth_log]      expand: %t -> Thu Oct 29 10:37:21 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DNT1\testtom", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "DNT1" for User-Name = "DNT1\testtom"
[ntdomain] No such realm "DNT1"
++[ntdomain] returns noop
[eap] EAP packet type response id 11 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
Login OK: [DNT1\\testtom/<via Auth-Type = EAP>] (from client
172.16.255.101 port 1 cli 00-1C-25-9B-0E-EB)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 172 to 172.16.255.101 port 49169
        MS-MPPE-Recv-Key =
0x2089d240da067af3cffeae5b2ae13568d1db0f6d9f4120a8680f3438d63b7a63
        MS-MPPE-Send-Key =
0xa991c884f9db4ae9b6cf6c5965d4c3ea46aa3b16a039a9a288c87413fe6cf4f6
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "DNT1\testtom"
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.


The correct Filter-Id "Enterasys:version=1:policy=Mitarbeiter" in [peap]
is pushed, but the switch got "invalid role".
Is the Filter-Id overridden by the next Accept?

My users file contains:

DEFAULT          Ldap-Group == "WWW"
                 Framed-Filter-Id := "Enterasys:version=1:policy=Mitarbeiter"

Any ideas?
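An added illustration, not part of the original post: in FreeRADIUS 2.x, reply attributes set inside the inner-tunnel virtual server (here the Filter-Id from the users entry) stay in the inner reply and are not copied into the outer Access-Accept unless the peap section of eap.conf has use_tunneled_reply = yes. The fragment below shows the default setting beside the changed one; the rest of the peap section is assumed to match the stock 2.x eap.conf.

```conf
# eap.conf, peap section (FreeRADIUS 2.x layout assumed).
# Default: the inner-tunnel reply, which carries the Filter-Id set by
# the users entry, is NOT copied into the outer Access-Accept, so the
# switch only sees the MPPE keys, EAP-Message and User-Name.
peap {
    default_eap_type = mschapv2
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
}

# Changed: copy the inner-tunnel reply attributes into the outer reply,
# so the Filter-Id reaches the Access-Accept sent to the NAS.
peap {
    default_eap_type = mschapv2
    copy_request_to_tunnel = no
    use_tunneled_reply = yes
    virtual_server = "inner-tunnel"
}
```

After the change, a debug run should list the Filter-Id under "Sending Access-Accept" rather than only under "Got tunneled reply".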
