NAS-IP(v6)-Address = Packet-Src-IP(v6)-Address
Alexander Clouter
alex at digriz.org.uk
Mon Dec 13 23:30:50 CET 2010
Hi,
Since lighting up IPv6 on our FreeRADIUS infrastructure, I have noticed
behaviour that seems to result in the following logic kicking off:
----
# Poster's sketch of the behaviour they observe, written as unlang; it is not a
# section of their real configuration ("..." stands for the rest of the section).
authorize {
...
	update request {
		# "=" adds the attribute only when the list does not already hold one of
		# that name, so a NAS-IP(v6)-Address sent by the client would be kept.
		NAS-IPv6-Address = Packet-Src-IPv6-Address
		NAS-IP-Address = Packet-Src-IP-Address
	}
...
}
-----
So, when NAS-IP(v6)-Address already exists, nothing happens; however, if
it does not, then an attribute with the contents of
Packet-Src-IP(v6)-Address is added, obviously depending on the socket
type the packet arrives over, so I am guessing in practice you probably
really only see this when communicating with IPv6 proxies? The problem
is, I have not added this type of thing to my config.
Checking the raw packet captures shows that the client is not setting
NAS-IPv6-Address, but by the time I SQL-log it in post-auth it is there,
set to Packet-Src-IPv6-Address :-/
Ideas and suggestions would be much appreciated; comments regarding my use
of NAS-(IP(v6)?-Address|Identifier) go to /dev/null though, unless you have
a better suggestion? ;)
Cheers
---- dot1x related virtual servers ----
# Four listeners: authentication (1812) and accounting (1813), each bound once
# to the IPv6 wildcard (::) and once to the IPv4 wildcard (*). All four name the
# client list "dot1x".
# NOTE(review): wildcard binds accept packets on every interface; which senders
# are answered depends on the dot1x client list, which is not shown here.
listen {
	type = auth
	port = 1812
	ipv6addr = ::
	clients = dot1x
}
listen {
	type = auth
	port = 1812
	ipaddr = *
	clients = dot1x
}
listen {
	type = acct
	port = 1813
	ipv6addr = ::
	clients = dot1x
}
listen {
	type = acct
	port = 1813
	ipaddr = *
	clients = dot1x
}
# Body elided by the poster.
server lanwarden {
....
}
# Virtual server for eduroam 802.1X: EAP-only authentication for the local
# realm, SQL logging in post-auth, and accounting written to a detail file.
server eduroam {
	authorize {
		# NOTE(review): preprocess is the likely origin of the NAS-IPv6-Address the
		# poster sees appear: rlm_preprocess fills in a missing NAS-IP(v6)-Address
		# from the packet source address. Confirm against the module source for
		# the version in use.
		preprocess
		# May set Hint := test and a Cleartext-Password (see the testers policy).
		testers
		# braindead JANET PAP test hook
		# A flagged test request without EAP is pointed at the auth.virtual realm
		# and the section returns "handled".
		if ((Hint) && Hint == test && !(EAP-Message)) {
			update control {
				Proxy-To-Realm := "auth.virtual"
			}
			handled
		}
		# Everything that is not a flagged test request goes through the
		# eduroam-auth attribute filter.
		if (!(Hint) || Hint != test) {
			# detail.eduroam
			attr_filter.eduroam-auth
		}
		# Normalise both station ids to lower-case, dash-separated MAC form.
		rewrite.called_station_id
		rewrite.calling_station_id
		# Overwrites the request's NAS-Identifier with the client's shortname, so
		# the value logged later is server-side configuration, not what the client
		# sent.
		client-info
		# let people know *which* box did the auth
		# NOTE(review): this places the server's own hostname and addresses in the
		# reply; whether they leave the box depends on the post-auth attribute
		# filter, which is not shown.
		update reply {
			NAS-Identifier := "%{config:local.MY.hostname}"
			NAS-IP-Address := "%{config:local.MY.addr.v4}"
			NAS-IPv6-Address := "%{config:local.MY.addr.v6}"
		}
		# Reject EAP-less authentications
		if (!(EAP-Message)) {
			update reply {
				Reply-Message := "We only accept EAP requests"
			}
			reject
		}
		# Reject Calling-Station-Id-less authentications
		if (!(Calling-Station-Id)) {
			update reply {
				Reply-Message := "No Calling-Station-Id"
			}
			reject
		}
		# Reject User-Name-less authentications
		if (!(User-Name)) {
			update reply {
				Reply-Message := "No User-Name"
			}
			reject
		}
		# Syntax check first, then let suffix split off the realm; the Realm
		# comparison below relies on suffix having run.
		validate_username
		suffix
		# Reject early any authentication whose realm is not ours
		if (Realm != "%{config:local.MY.realm}") {
			update reply {
				Reply-Message := "Not @%{config:local.MY.realm} User-Name"
			}
			reject
		}
		# An "ok" from EAP ends the authorize section here, so the LDAP lookup
		# below is only reached when EAP returns something else.
		EAP {
			ok = return
		}
		ldap-lanwarden
		# When the LDAP lookup succeeded, refuse hosts whose LanWarden state is
		# anything other than "enable".
		if (ok) {
			if (control:LanWarden-Host-State != "enable") {
				update reply {
					Reply-Message := "LW: disabled"
				}
				reject
			}
			# if ((EAP-Message)) {
			# cache_ldap-userdn
			# }
		}
		# Status-Server requests are simply acknowledged.
		Autz-Type Status-Server {
			ok
		}
	}
	# EAP is the only authentication method configured for this server.
	authenticate {
		Auth-Type EAP {
			EAP
		}
	}
	post-auth {
		# Rejects: log to SQL, apply the access_reject attribute filter, and drop
		# Reply-Message when the reply carries EAP.
		Post-Auth-Type Reject {
			sql.dot1x
			attr_filter.access_reject
			eap-has-no-reply-message
			# detail.eduroam
		}
		# if ((EAP-Message) && !(Ldap-UserDn)) {
		# cache_ldap-userdn
		# }
		# Requests flagged Hint == test are not written to SQL, so the test path
		# leaves no audit row in this table.
		if (!(Hint) || Hint != test) {
			sql.dot1x
		}
		# Remove every User-Name from the reply. This comes after sql.dot1x, which
		# reads reply:User-Name for its log row.
		update reply {
			User-Name !* ANY
		}
		attr_filter.eduroam-auth
		eap-has-no-reply-message
		# if (!(Hint) || Hint != test) {
		# detail.eduroam
		# }
	}
	# suffix runs here so that Realm is available to the accounting section.
	preacct {
		preprocess
		suffix
	}
	accounting {
		# detail.eduroam
		attr_filter.eduroam-acct
		rewrite.called_station_id
		rewrite.calling_station_id
		# Reject accounting requests that carry no Calling-Station-Id
		if (!(Calling-Station-Id)) {
			update reply {
				Reply-Message := "No Calling-Station-Id"
			}
			reject
		}
		# Reject accounting requests that carry no User-Name
		if (!(User-Name)) {
			update reply {
				Reply-Message := "No User-Name"
			}
			reject
		}
		validate_username
		# Reject early any accounting request whose realm is not ours
		if (Realm != "%{config:local.MY.realm}") {
			update reply {
				Reply-Message := "Not @%{config:local.MY.realm} User-Name"
			}
			reject
		}
		# Accepted accounting records are written by the detail.dot1x.acct instance.
		detail.dot1x.acct
	}
	session {
		ok
	}
}
---------------------
---- policy.conf ----
# Named unlang policies referenced from the virtual servers.
policy {
	# MAC address pattern: six capture groups, one per octet, with an optional
	# single non-hex separator between octets. The character classes are
	# lower-case only; the policies that use it add the /i flag.
	mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})
	# Rewrite Called-Station-Id to lower-case aa-bb-cc-dd-ee-ff, keeping an
	# optional ":<suffix>" part. Returns updated on a match, noop otherwise.
	rewrite.called_station_id {
		if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
			update request {
				Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
			}
			# SSID component?
			# %{7} is the whole optional group, colon included, so appending it
			# restores "<mac>:<suffix>".
			if ("%{7}") {
				update request {
					Called-Station-Id := "%{request:Called-Station-Id}%{7}"
				}
			}
			updated
		}
		else {
			noop
		}
	}
	# Rewrite Calling-Station-Id to lower-case aa-bb-cc-dd-ee-ff and store the
	# separator-free form in control:Local-MAC-Address.
	rewrite.calling_station_id {
		if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
			update request {
				Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
			}
			update control {
				Local-MAC-Address := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}"
			}
			updated
		}
		else {
			noop
		}
	}
	# Per-device fix-ups for one wireless controller: translate its WLAN id into
	# a NAS-Port-Id name and, for accounting, its VLAN number into a name.
	# NOTE(review): the device is recognised by NAS-IP-Address and NAS-Identifier,
	# both attributes carried in the request. Where the sender has to be
	# identified reliably, compare Packet-Src-IP-Address or the client definition
	# instead.
	rewrite.quirk.wlc {
		if (NAS-IP-Address == 172.16.3.124 && NAS-Identifier == "wlc-01") {
			switch "%{Airespace-Wlan-Id}" {
				case "1" {
					update request {
						NAS-Port-Id := "eduroam"
					}
				}
				case "5" {
					update request {
						NAS-Port-Id := "UTILICOM"
					}
				}
				case "6" {
					update request {
						NAS-Port-Id := "BTOpenzone"
					}
				}
				case "7" {
					update request {
						NAS-Port-Id := "soas-wpa-psk"
					}
				}
				# Default: any other WLAN id.
				case {
					update request {
						NAS-Port-Id := "UNKNOWN"
					}
				}
			}
			if (Packet-Type == "Accounting-Request") {
				# Append the NAS-Port-Id chosen above to Called-Station-Id.
				update request {
					NAS-Port-Type := "Wireless-802.11"
					Called-Station-Id := "%{Called-Station-Id}:%{NAS-Port-Id}"
				}
				switch "%{Tunnel-Private-Group-Id}" {
					case "140" {
						update request {
							Tunnel-Private-Group-Id := "btopenzone"
						}
					}
					case "128" {
						update request {
							Tunnel-Private-Group-Id := "eduroam"
						}
					}
					case "127" {
						update request {
							Tunnel-Private-Group-Id := "unauthorised"
						}
					}
					case "72" {
						update request {
							Tunnel-Private-Group-Id := "users-unmanaged"
						}
					}
					case "153" {
						update request {
							Tunnel-Private-Group-Id := "utilicom"
						}
					}
					# Default: any other VLAN number.
					case {
						update request {
							Tunnel-Private-Group-Id := "UNKNOWN"
						}
					}
				}
			}
			updated
		}
		else {
			noop
		}
	}
	# Accept two User-Name shapes and reject everything else:
	#   1. no "@" at all, printable non-space characters only;
	#   2. exactly one "@", followed by dot-separated labels of letters, digits
	#      and hyphens (at least two labels).
	# The second form uses [[:graph:]]* before the "@", so an empty local part
	# passes this check.
	# NOTE(review): the doubled backslash in "\\." is presumably needed so that
	# the regex engine receives "\." — confirm for the server version in use.
	validate_username {
		if (User-Name !~ /@/ && User-Name =~ /^[[:graph:]]+$/) {
			ok
		}
		elsif (User-Name !~ /@.*@/ && User-Name =~ /^[[:graph:]]*@[[:alnum:]-]+(\\.[[:alnum:]-]+)+$/) {
			ok
		}
		else {
			update reply {
				Reply-Message := "Invalid User-Name Syntax"
			}
			reject
		}
	}
	# Two LDAP instances wrapped in redundant-load-balance; each takes its
	# settings from the ldap-failover template, which is not shown.
	ldap-login {
		redundant-load-balance {
			ldap_login1 {
				$template ldap-failover
			}
			ldap_login2 {
				$template ldap-failover
			}
		}
	}
	# Same arrangement for the LanWarden directory instances.
	ldap-lanwarden {
		redundant-load-balance {
			ldap_lanwarden1 {
				$template ldap-failover
			}
			ldap_lanwarden2 {
				$template ldap-failover
			}
		}
	}
	# RFC compliance
	# Remove every Reply-Message from a reply that carries an EAP-Message.
	eap-has-no-reply-message {
		if ((reply:EAP-Message)) {
			update reply {
				Reply-Message !* ANY
			}
		}
	}
	# MAC-address authentication check: no realm, no EAP, Ethernet port,
	# Service-Type Call-Check, User-Name equal to User-Password, User-Name made of
	# twelve hex digits, and those digits equal to the Calling-Station-Id octets.
	# The Calling-Station-Id test expects the dash-separated form, i.e. the output
	# of rewrite.calling_station_id.
	# NOTE(review): every value tested here is supplied by the NAS or the
	# attached device, and a MAC address is an identifier rather than a secret.
	# An "ok" from this policy establishes only which MAC the port claims.
	mac_auth {
		if (Realm == NULL && !(EAP-Message) && NAS-Port-Type == Ethernet \
			&& Service-Type == Call-Check \
			&& User-Name == "%{User-Password}" \
			&& User-Name =~ /^[0-9a-f]{12}$/i \
			&& Calling-Station-Id =~ /^([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})$/i \
			&& User-Name =~ /^%{1}%{2}%{3}%{4}%{5}%{6}$/i) {
			ok
		}
		else {
			noop
		}
	}
	# Look up, via ldap_lanwarden1, the cn of the lanwardenNetwork entry that
	# lists control:Ldap-UserDn as a member, and store it as the VLAN in control.
	# Returns fail when the attribute test below does not pass.
	# NOTE(review): Ldap-UserDn is interpolated into the search filter. It is
	# presumably set by the ldap module from the directory rather than taken from
	# the request — confirm, and confirm that the expansion is filter-escaped.
	lanwarden_vlan1 {
		update control {
			Tunnel-Private-Group-Id := "%{ldap_lanwarden1:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}"
		}
		if ((control:Tunnel-Private-Group-Id)) {
			ok
		}
		else {
			fail
		}
	}
	# Same lookup against the second LDAP instance.
	lanwarden_vlan2 {
		update control {
			Tunnel-Private-Group-Id := "%{ldap_lanwarden2:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}"
		}
		if ((control:Tunnel-Private-Group-Id)) {
			ok
		}
		else {
			fail
		}
	}
	# When a user DN is known, run the VLAN lookup against the two instances and
	# copy a non-empty result into the reply; otherwise do nothing.
	lanwarden_vlan {
		if ((control:Ldap-UserDn)) {
			redundant-load-balance {
				lanwarden_vlan1
				lanwarden_vlan2
			}
			if (ok && control:Tunnel-Private-Group-Id != "") {
				update reply {
					Tunnel-Private-Group-Id := "%{control:Tunnel-Private-Group-Id}"
				}
			}
			else {
				noop
			}
		}
		else {
			noop
		}
	}
	# Replace request attributes with values from the matching client
	# definition: NAS-Identifier from shortname, Huntgroup-Name from vendor.
	client-info {
		if ((client:shortname)) {
			update request {
				NAS-Identifier := "%{client:shortname}"
			}
		}
		if ((client:vendor)) {
			update request {
				Huntgroup-Name := "%{client:vendor}"
			}
		}
	}
	# Flag a request as a monitoring test (Hint := test) and give it the
	# configured test password when it matches one of two attribute patterns.
	# NOTE(review): User-Name, NAS-IP-Address, NAS-Port, Connect-Info,
	# Calling-Station-Id and NAS-Port-Type are all carried inside the request;
	# none of them is the packet's source address. If the test identity must be
	# limited to the monitoring hosts, also constrain on
	# Packet-Src-IP(v6)-Address or on the client definition. Confirm first how
	# the probes arrive, as they may come through a proxy.
	# NOTE(review): the " at " in the User-Name literal is presumably the list
	# archive's address obfuscation of "@".
	testers {
		if ((User-Name == "testauth at soas.ac.uk" \
			&& NAS-IP-Address == 193.60.199.62 \
			&& NAS-Port == 1812) \
			|| (Connect-Info == "JANET Roaming test" \
			&& NAS-IP-Address == 127.0.0.1 \
			&& Calling-Station-Id == "02-00-00-00-00-01" \
			&& NAS-Port-Type == Wireless-802.11)) {
			update request {
				Hint := test
				Cleartext-Password := "%{config:local.test.password}"
			}
		}
	}
}
---------------------
----- debug -X ------
rad_recv: Access-Request packet from host 2001:630:1:129::249 port 63536, id=88, length=212
User-Name = "foobar at soas.ac.uk"
NAS-IP-Address = 10.6.0.12
NAS-Port = 2
NAS-Identifier = "10.6.0.11"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "001122334455"
Called-Station-Id = "554433221100"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020900061500
State = 0xd53f4a5ed2365f22247722c7299e5713
Vendor-14823-Attr-5 = 0x656475726f616d
Vendor-14823-Attr-6 = 0x426564666f7264537175617265415033
Message-Authenticator = 0x26f56bb65ab36c9e1e997b7abd6ff3a9
Proxy-State = 0x4f53432d457874656e6465642d49643d363030
server eduroam {
# Executing section authorize from file /etc/freeradius/sites-enabled/dot1x
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy testers {...}
+++? if ((User-Name == "testauth at soas.ac.uk" && NAS-IP-Address == 193.60.199.62 && NAS-Port == 1812) || (Connect-Info == "JANET Roaming test" && NAS-IP-Address == 127.0.0.1 && Calling-Station-Id == "02-00-00-00-00-01" && NAS-Port-Type == Wireless-802.11))
?? Evaluating (User-Name == "testauth at soas.ac.uk" ) -> FALSE
?? Skipping (NAS-IP-Address == 193.60.199.62 )
?? Skipping (NAS-Port == 1812)
(Attribute Connect-Info was not found)
?? Evaluating (Connect-Info == "JANET Roaming test" ) -> FALSE
?? Skipping (NAS-IP-Address == 127.0.0.1 )
?? Skipping (Calling-Station-Id == "02-00-00-00-00-01" )
?? Skipping (NAS-Port-Type == Wireless-802.11)
+++? if ((User-Name == "testauth at soas.ac.uk" && NAS-IP-Address == 193.60.199.62 && NAS-Port == 1812) || (Connect-Info == "JANET Roaming test" && NAS-IP-Address == 127.0.0.1 && Calling-Station-Id == "02-00-00-00-00-01" && NAS-Port-Type == Wireless-802.11)) -> FALSE
++- policy testers returns ok
++? if ((Hint) && Hint == test && !(EAP-Message))
?? Evaluating (Hint) -> FALSE
? Skipping (Hint == test )
?? Skipping (EAP-Message)
++? if ((Hint) && Hint == test && !(EAP-Message)) -> FALSE
++? if (!(Hint) || Hint != test)
?? Evaluating (Hint) -> FALSE
? Converting !FALSE -> TRUE
? Skipping (Hint != test)
++? if (!(Hint) || Hint != test) -> TRUE
++- entering if (!(Hint) || Hint != test) {...}
[attr_filter.eduroam-auth] expand: %{Realm} ->
+++[attr_filter.eduroam-auth] returns noop
++- if (!(Hint) || Hint != test) returns noop
++- entering policy rewrite.called_station_id {...}
+++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i)
?? Evaluating (Called-Station-Id) -> TRUE
expand: %{Called-Station-Id} -> 554433221100
expand: policy.mac-addr -> policy.mac-addr
expand: ^%{config:policy.mac-addr}(:(.+))?$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$
? Evaluating ("%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE
+++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE
+++- entering if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {...}
expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 55-44-33-22-11-00
expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 55-44-33-22-11-00
++++[request] returns noop
++++? if ("%{7}")
expand: %{7} ->
? Evaluating ("%{7}") -> FALSE
++++? if ("%{7}") -> FALSE
++++[updated] returns updated
+++- if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) returns updated
+++ ... skipping else for request 105: Preceding "if" was taken
++- policy rewrite.called_station_id returns updated
++- entering policy rewrite.calling_station_id {...}
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
?? Evaluating (Calling-Station-Id) -> TRUE
expand: %{Calling-Station-Id} -> 001122334455
expand: policy.mac-addr -> policy.mac-addr
expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...}
expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 00-11-22-33-44-55
expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 00-11-22-33-44-55
++++[request] returns updated
expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001122334455
expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> 001122334455
++++[control] returns updated
++++[updated] returns updated
+++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns updated
+++ ... skipping else for request 105: Preceding "if" was taken
++- policy rewrite.calling_station_id returns updated
++- entering policy client-info {...}
+++? if ((client:shortname))
?? Evaluating (client:shortname) -> TRUE
+++? if ((client:shortname)) -> TRUE
+++- entering if ((client:shortname)) {...}
expand: %{client:shortname} -> jrs.2.v6
++++[request] returns updated
+++- if ((client:shortname)) returns updated
+++? if ((client:vendor))
?? Evaluating (client:vendor) -> TRUE
+++? if ((client:vendor)) -> TRUE
+++- entering if ((client:vendor)) {...}
expand: %{client:vendor} ->
++++[request] returns updated
+++- if ((client:vendor)) returns updated
++- policy client-info returns updated
expand: local.MY.hostname -> local.MY.hostname
expand: %{config:local.MY.hostname} -> chlorine.it.soas.ac.uk
expand: local.MY.addr.v4 -> local.MY.addr.v4
expand: %{config:local.MY.addr.v4} -> 212.219.238.70
expand: local.MY.addr.v6 -> local.MY.addr.v6
expand: %{config:local.MY.addr.v6} -> 2001:630:1b:6003:90c0:802a:d873:c284
++[reply] returns updated
++? if (!(EAP-Message))
?? Evaluating (EAP-Message) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(EAP-Message)) -> FALSE
++? if (!(Calling-Station-Id))
?? Evaluating (Calling-Station-Id) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(Calling-Station-Id)) -> FALSE
++? if (!(User-Name))
?? Evaluating (User-Name) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(User-Name)) -> FALSE
++- entering policy validate_username {...}
+++? if (User-Name !~ /@/ && User-Name =~ /^[[:graph:]]+$/)
? Evaluating (User-Name !~ /@/) -> FALSE
? Skipping (User-Name =~ /^[[:graph:]]+$/)
+++? if (User-Name !~ /@/ && User-Name =~ /^[[:graph:]]+$/) -> FALSE
+++? elsif (User-Name !~ /@.*@/ && User-Name =~ /^[[:graph:]]*@[[:alnum:]-]+(\\.[[:alnum:]-]+)+$/)
? Evaluating (User-Name !~ /@.*@/) -> TRUE
? Evaluating (User-Name =~ /^[[:graph:]]*@[[:alnum:]-]+(\\.[[:alnum:]-]+)+$/) -> TRUE
+++? elsif (User-Name !~ /@.*@/ && User-Name =~ /^[[:graph:]]*@[[:alnum:]-]+(\\.[[:alnum:]-]+)+$/) -> TRUE
+++- entering elsif (User-Name !~ /@.*@/ && User-Name =~ /^[[:graph:]]*@[[:alnum:]-]+(\\.[[:alnum:]-]+)+$/) {...}
++++[ok] returns ok
+++- elsif (User-Name !~ /@.*@/ && User-Name =~ /^[[:graph:]]*@[[:alnum:]-]+(\\.[[:alnum:]-]+)+$/) returns ok
+++ ... skipping else for request 105: Preceding "if" was taken
++- policy validate_username returns ok
[suffix] Looking up realm "soas.ac.uk" for User-Name = "foobar at soas.ac.uk"
[suffix] Found realm "soas.ac.uk"
[suffix] Adding Stripped-User-Name = "foobar"
[suffix] Adding Realm = "soas.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++? if (Realm != "%{config:local.MY.realm}")
expand: local.MY.realm -> local.MY.realm
expand: %{config:local.MY.realm} -> soas.ac.uk
? Evaluating (Realm != "%{config:local.MY.realm}") -> FALSE
++? if (Realm != "%{config:local.MY.realm}") -> FALSE
[EAP] EAP packet type response id 9 length 6
[EAP] Continuing tunnel setup.
++[EAP] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/dot1x
+- entering group EAP {...}
[EAP] Request found, released from the list
[EAP] EAP/ttls
[EAP] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake is finished
[ttls] eaptls_verify returned 3
[ttls] eaptls_process returned 3
[ttls] Using saved attributes from the original Access-Accept
User-Name = "foobar at soas.ac.uk"
Auth-Type = MSCHAP
[ttls] Saving response in the cache
[EAP] Freeing handler
++[EAP] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/dot1x
+- entering group post-auth {...}
++? if (!(Hint) || Hint != test)
?? Evaluating (Hint) -> FALSE
? Converting !FALSE -> TRUE
? Skipping (Hint != test)
++? if (!(Hint) || Hint != test) -> TRUE
++- entering if (!(Hint) || Hint != test) {...}
[sql.dot1x] expand: %{reply:User-Name} -> foobar at soas.ac.uk
[sql.dot1x] expand: %{%{reply:User-Name}:-%{request:User-Name}} -> foobar at soas.ac.uk
[sql.dot1x] sql_set_user escaped user --> 'foobar at soas.ac.uk'
[sql.dot1x] expand: %{request:Packet-Src-IPv6-Address} -> 2001:630:1:129::249
[sql.dot1x] expand: %{NAS-Port} -> 2
[sql.dot1x] expand: %{reply:Auth-Type} -> MSCHAP
[sql.dot1x] expand: INSERT INTO dot1x_auth ( timestamp, packet_src_address, user_name, realm, operator_name, nas_ip_address, nas_ipv6_address, nas_identifier, nas_port, nas_port_type, nas_port_id, called_station_id, calling_station_id, packet_type, eap_type, auth_type, tunnel_private_group_id, reply_message ) VALUES ( '%S'::timestamp, '%{%{request:Packet-Src-IPv6-Address}:-%{request:Packet-Src-IP-Address}}', '%{SQL-User-Name}', '%{request:Realm}', NULLIF('%{request:Operator-Name}', ''), NULLIF('%{request:NAS-IP-Address}', '')::inet, NULLIF('%{request:NAS-IPv6-Address}', '')::inet, '%{request:NAS-Identifier}', %{%{NAS-Port}:-NULL}::integer, '%{request:NAS-Port-Type}', NULLIF('%{request:NAS-Port-Id}',''), lower('%{request:Called-Station-Id}'), lower('%{request:Calling-Station-Id}'), '%{reply:Packet-Type}', '%{EAP-Type}', '%{%{reply:Auth-Type}:-%{control:Auth-Type}}', '%{reply:Tunnel-Private-Group-Id}', '%{reply:Reply-Message}' ) -> INSERT INTO!
dot1x_auth ( timestamp, packet
rlm_sql (sql.dot1x) in sql_postauth: query is INSERT INTO dot1x_auth ( timestamp, packet_src_address, user_name, realm, operator_name, nas_ip_address, nas_ipv6_address, nas_identifier, nas_port, nas_port_type, nas_port_id, called_station_id, calling_station_id, packet_type, eap_type, auth_type, tunnel_private_group_id, reply_message ) VALUES ( '2010-12-13 19:58:37'::timestamp, '2001:630:1:129::249', 'foobar at soas.ac.uk', 'soas.ac.uk', NULLIF('', ''), NULLIF('10.6.0.12', '')::inet, NULLIF('2001:630:1:129::249', '')::inet, 'jrs.2.v6', 2::integer, 'Wireless-802.11', NULLIF('',''), lower('55-44-33-22-11-00'), lower('00-11-22-33-44-55'), 'Access-Accept', 'EAP-TTLS', 'MSCHAP', '', '' )
rlm_sql (sql.dot1x): Reserving sql socket id: 4
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql.dot1x): Released sql socket id: 4
+++[sql.dot1x] returns ok
++- if (!(Hint) || Hint != test) returns ok
++[reply] returns ok
[attr_filter.eduroam-auth] expand: %{Realm} -> soas.ac.uk
attr_filter: Matched entry DEFAULT at line 1
++[attr_filter.eduroam-auth] returns updated
++- entering policy eap-has-no-reply-message {...}
+++? if ((reply:EAP-Message))
?? Evaluating (reply:EAP-Message) -> TRUE
+++? if ((reply:EAP-Message)) -> TRUE
+++- entering if ((reply:EAP-Message)) {...}
++++[reply] returns updated
+++- if ((reply:EAP-Message)) returns updated
++- policy eap-has-no-reply-message returns updated
} # server eduroam
Sending Access-Accept of id 88 to 2001:630:1:129::249 port 63536
NAS-IP-Address = 212.219.238.70
NAS-IPv6-Address = 2001:630:1b:6003:90c0:802a:d873:c284
MS-MPPE-Recv-Key = 0xfc5dc29f224e5ee815ece548d5df7442e12427c0b0bb8a8dc12ad8c16aeef0e8
MS-MPPE-Send-Key = 0xd092db1e188db46ba35491c99a7f0f9634b3de43e992a4fa3b56f64e75a3eaa1
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x4f53432d457874656e6465642d49643d363030
Finished request 105.
Going to the next request
---------------------
--
Alexander Clouter
.sigmonster says: Bo Derek ruined my life!