PEAP/MSCHAPv2, Post-Auth-Type REJECT {} of inner-tunnel is neverentered for access reject

Fads Afds down101load at yahoo.com.hk
Wed Jul 21 12:10:07 CEST 2010


Dear Fellows,

   I tried to copy inner-tunnel control attribute to outer tunnel (i.e. default) using update in authorize {} of inner-tunnel. However, it still fail. The attribute value is still empty. 

  I think I have used wrong method of copy control attribute value from inner-tunnel to outer tunnel (i.e. default). Would you give me an example of how to copy the attribute from inner-tunnel to outer tunnel (i.e. default) so that I can access that value in Post-Auth-Type REJECT {} section of default using sql?

   Thanks in advance.



After your reply, I include:
1. authorize {} section of inner-tunnel to copy control attribute from inner-tunnel to default 
2. sql query for radpostauth
3. content of authorize section of file /etc/raddb/sites-available/default 
4. radiusd -X debug message for access-reject case

------------Alan's reply ---------------------------------------
Fads Afds wrote:
> I tried to get the error-message of inner-tunnel by running sql query in "Post-Auth-Type Reject {} of default. The message field in radpostauth table is empty. The query seems cannot access %{inner.control:My-Err-Message} attribute. 
> My question is: Can sql in default (outer session) access innner-server control attribute when the login is rejected? If the answer is no, would you hint me how I can get & log the error message of inner-session? 

No, unfortunately not. *But* the "inner tunnel" server can copy them
from the inner to outer tunnel.

Alan DeKok.

-----------Alan's reply ends ------------------------------

    
-------------1. authorize {} section of inner-tunnel to copy control attribute from inner-tunnel to default -----------
authorize{
     mschap
      suffix
     update control {
          Proxy-To-Realm := LOCAL
   }
      eap {
      ok = return
   }
      sql

 if (!(control:Cleartext-Password)) {
             update outer.control {
            My-Err-Message := "Username %{request:User-Name} not existed in db"
            Post-Auth-Type := "REJECT"
           }
          reject
   }
 ........
} 
-------------1. ends --------------------------

------2. sql query for radpostauth ------------------
postauth_query = "INSERT INTO ${postauth_table} \
                          (ID, username, password, nas_ip, auth_result, reply_message, authdate) \
                          VALUES (NULL,  \
                          '%{User-Name}', \
                          aes_encrypt('NA', 'abc123456def'), \
                          '%{NAS-IP-ADDRESS}',  \
                          '%{reply:Packet-Type}',  \
                          '%{control:My-Err-Message}', \ 
                          '%S')"
-----------------2. ends -----------------------------



-----3. content of Post-Auth-Type Reject{} section of file /etc/raddb/sites-available/default ---------------

Post-Auth-Type REJECT {
      sql
      reply_log
      attr_filter.access_reject
   }
----3. ends ------------------------------------------



----4. radiusd -X message for rejected case------------------------------
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 48700, id=0, length=118
        User-Name = "time2"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0200000a0174696d6532
        Message-Authenticator = 0xbf677b5406f4f2e4aaa8fdd622a90135
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[pap] WARNING! No "known good" password found for the user.  Authentication may
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Flushing SSL sessions (of #0)
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 48700
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc6f6f2e2c6f7eb894ef48dfece99fe9b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 48700, id=1, length=235
        User-Name = "time2"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0201006d198000000063160301005e0100005a03014c46c6d409d37d
448568c6b9949492292a7794eff0dd6166992839432da8b297000032003900380035008800870084
00160013000a00330032002f00450044004100050004001500120009001400110008000600030201
00
        State = 0xc6f6f2e2c6f7eb894ef48dfece99fe9b
        Message-Authenticator = 0xc5a15c107e27de2e71efdf138e549b55
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 109
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 99
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005e], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 004a], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 084d], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 1 to 127.0.0.1 port 48700
        EAP-Message = 0x0102040019c000000abc160301004a0200004603014c46c6d4c2384f
6b84afa69e698e9b20c99898d475aa86abee41e2fa89040310204387d2f0346c9170879501ac2448
3af389a0b701d29af0eb17a03ca2e96f983a003901160301084d0b0008490008460003a8308203a4
3082028ca003020102020101300d06092a864886f70d010104050030818c310b3009060355040613
02434e310b300906035504081302484b310c300a06035504071303656475310d300b060355040a13
04484b42553127302506092a864886f70d0109011618726f6f7440667267756573742e686b62752e
6564752e686b312a302806035504031321484b425520477565
        EAP-Message = 0x73742043412063657274202836346269742073657276657229302017
0d3130303632343033353835305a180f32303530303631343033353835305a308182310b30090603
5504061302434e310b300906035504081302484b310d300b060355040a1304484b4255312e302c06
035504031325484b4255204775657374207365727665722063657274696669636174652028363462
6974293127302506092a864886f70d0109011618726f6f7440667267756573742e686b62752e6564
752e686b30820122300d06092a864886f70d01010105000382010f003082010a0282010100c7649e
e337738ce465aec9a12a375bd4d76fc3c2f50ac701065d1433
        EAP-Message = 0x22c38dd78776d5ad0cb747a32f6b512dce6d26cccffefd49cf151767
0305c6cb6eee0b70c86cb259383ca439bf011e8d8689cd17c41e99498256f13e6f14282b8eeef46f
95e742d40254b69d7270d1d349e8cd41cff1dc98ea38fb494ea6007aed1575391d69e9f1c230fea9
125f09a28d544282e9520e4c5987f54ff43f94567991d6172f98bfd3a200aeb07e60345e40caff2f
1f34c52e77707e3321a774bc7601827ccbd723e044ee635de38dc174e37aea2640f5dbacb3454bd8
9bd2e03b81031365232fe8f014c069983950f75aa8fdcce7a9ee52d57dc7fec1512a57fabb3b993b
0203010001a317301530130603551d25040c300a06082b0601
        EAP-Message = 0x0505070301300d06092a864886f70d01010405000382010100192613
ffaf84004131ad7ce0d3da7b42d8a594371b96058ea7dc28554921dfd279076ad03cbf83ab81d7d3
ac909202e97a3c22fdad6eee38f2961ef4e9cc9398c5e4bd8a0f41c9174d4fa44a1e77e95c887c06
5197300ea90c8ffc1d32c898c4e137b6a74834c769d7be8008fea4b3ca9c5a33505b588fd93fa440
584d00f8c0c11d62bd886037289e5f27cec1039a4c311a04a7cf75b9ed578b840c66993dea65d31a
df591ffc290d98d6565e70a1d3d45ae3f0c877c5104d1def8c23a79f38c92731165bfb2a84759f2c
6c07e15ff75e4fe6f99e67dac4fc5ca7bf6cbdf849c44b77f6
        EAP-Message = 0x614977256b1dcde1b92a76f3
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc6f6f2e2c7f4eb894ef48dfece99fe9b
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 48700, id=2, length=132
        User-Name = "time2"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020200061900
        State = 0xc6f6f2e2c7f4eb894ef48dfece99fe9b
        Message-Authenticator = 0x4ff1c2811b89fc72d1647ce0b8d2421a
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 127.0.0.1 port 48700
        EAP-Message = 0x010303fc1940d8d084a884e20a2a165c46af33618c22000498308204
943082037ca003020102020900a00b0c8b6ee723bb300d06092a864886f70d010105050030818c31
0b300906035504061302434e310b300906035504081302484b310c300a0603550407130365647531
0d300b060355040a1304484b42553127302506092a864886f70d0109011618726f6f744066726775
6573742e686b62752e6564752e686b312a302806035504031321484b425520477565737420434120
636572742028363462697420736572766572293020170d3130303632343033353833335a180f3230
3530303631343033353833335a30818c310b30090603550406
        EAP-Message = 0x1302434e310b300906035504081302484b310c300a06035504071303
656475310d300b060355040a1304484b42553127302506092a864886f70d0109011618726f6f7440
667267756573742e686b62752e6564752e686b312a302806035504031321484b4255204775657374
204341206365727420283634626974207365727665722930820122300d06092a864886f70d010101
05000382010f003082010a0282010100c001917da3c962085a616702fa98c2bd794c7edfa3a1f038
258e018a126e736e3a61ae5120b956ab0566a9258b889d66e616e2d702b1a0f5ec79b1b484a9a9ec
5ff3ba49d31895a6073ac132c9aa28f3e9906d0a6e3c24e852
        EAP-Message = 0x621586b8db41ce111ebf2befc143a5cc9d562d020594fe407135ec1c
068dd0303eca75e5c5dd9cab898af3e870072ea3eca78602644eea0bac0c5619925b56aba1b1c1fc
4c48fded87cdcf44d1b99a2c1f534e8b88e4a35f9d1ffa8a50cdb402743516a0cbce2a4796459501
875ec225357d4a362202e15ee12a0154f018e5b84a5e5884c268d3154ed41f7b78ea2f6df852e07b
dd50a55c26467bcaf75c41d393bc78b27fb5170203010001a381f43081f1301d0603551d0e041604
14c134ca58d9d8f09b9207417630a08266b192ef523081c10603551d230481b93081b68014c134ca
58d9d8f09b9207417630a08266b192ef52a18192a4818f3081
        EAP-Message = 0x8c310b300906035504061302434e310b300906035504081302484b31
0c300a06035504071303656475310d300b060355040a1304484b42553127302506092a864886f70d
0109011618726f6f7440667267756573742e686b62752e6564752e686b312a302806035504031321
484b42552047756573742043412063657274202836346269742073657276657229820900a00b0c8b
6ee723bb300c0603551d13040530030101ff300d06092a864886f70d010105050003820101000d81
bb75569e9ce10ee1cc274ce224d6d175d681f14079bdb2953b179dc9e15eedecd08f8d61f1759f3b
b4c97458573e0b9b6b6be66954fc48d713a54ad949e99d806a
        EAP-Message = 0x400957b5cd394c74
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc6f6f2e2c4f5eb894ef48dfece99fe9b
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 48700, id=3, length=132
        User-Name = "time2"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020300061900
        State = 0xc6f6f2e2c4f5eb894ef48dfece99fe9b
        Message-Authenticator = 0xde14f263c2c7416dc6e76fe8790561f0
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 127.0.0.1 port 48700
        EAP-Message = 0x010402d6190012c062cd3163799ab42c262a3b39ee4aadeba8ca0584
510b5f850ecbe4afc188b998b5b79ebc112998a4791842e212835761d44b5202634a16bdc8886be5
a2a6ddef1becbbaa64117a58fd73726f412c140197da3a29fc44aa1b67361c18f9f72312826067f6
4edc638e6a8b5511cd2c9eff129e700e0d88cb6de9ef5c6c909025dc37b4abdc9fdc643561bb06b1
e07e30de728a7e8a4dc07dda92896b8975d7907b85b66fedf2623b70b61a7757012cb421a8c76616
0301020d0c00020900808fcc5daaf65ec4b9ed53a13aa5563c3a857d7b01a0935ce18302cbbd8117
bdcee617438d810d33e6737c2b63ad1b1e728d85e9aa9c155d
        EAP-Message = 0x84c5499240de4a0574ca81181dd71a196f1dccceee978f8380d16b7e
6019d903f2d5ed2428b8649b958dbd4a5c52b8f99989c064eb651266552a0b7eab32727454b2eee7
89c78aee3b000102008084956c57a4a4b141554f2c86380c3f57fec3e34f8088703c2413a397374c
f9431f25f4679341df14aec581da079636e09df48d3db90e91c660f93d90c8d8e1f0fe1ae32a2e4e
1e1ad215d59f5b6572dc9adf243cbd19227ea6f225c136065861f039bfde75f0d95e5275c6beb2d8
c7179aa173a8924a34a4796a106befd300e301007caa0de5898f20a777fcce5ba0db9d58bace9248
e9ce9ba09cba932b1211d99b8b61adb7855639a5488d697384
        EAP-Message = 0x7f8cc48dfcdfc8b9e6388c07f12c0a45e41970ea85b0a7cbc3c2bdb2
c3046a866a923b4f775d0de4d30479d7540b541f56165210868611b0059298560b7f96353be1997a
24b6a952df65c72a1ef9486dc0d01b6c27aa746f03987035a881a7712ca6a51a5df2922b85f5705d
c9df28a9c6eaa78eedc4f06eaa695ebf7b2320915dffd6b9dfb482f6854450caf7d25a259bbba459
090921be037eede2969271895b48ad7ffd2da5f32c3b788e08b6b818071d4dd87c1372f17316c7ff
a41014fca5e72c763052be8315ddb965775e63f871fc3e16030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc6f6f2e2c5f2eb894ef48dfece99fe9b
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 48700, id=4, length=334
        User-Name = "time2"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020400d01980000000c61603010086100000820080836b607053d520
2b0e9a082661805bfd4efcd151dadc769209b259fb5f655e3e2add8e777afb53d4ef0fb317d06595
0cce5a1d51bec91f36b0abf776241812264c62ba6bd05d460e584ae18f6dc5dca8a113e0d192d506
5521e785314d8ebbaeece1eb8270fb236e95d66bd448050ccad4fbecde9cdd64cbed8c1dd64ff7bd
6114030100010116030100301d6b888f742b258994cff559a60927f34ca3963e68c1a9e8171f89c6
950e075722bbf60d7ca9c95c74f5d97b489f4b5c
        State = 0xc6f6f2e2c5f2eb894ef48dfece99fe9b
        Message-Authenticator = 0x7fd003ee51ed5a56b66b51463e5447c7
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
  SSL: adding session 4387d2f0346c9170879501ac24483af389a0b701d29af0eb17a03ca2e9
6f983a to cache
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 127.0.0.1 port 48700
        EAP-Message = 0x0105004119001403010001011603010030e6a153c430183fb786c452
5c7cbfc7c125546b1244a9f8fed714e6be7eff0e26ee8fb143158876317d8073de8a7847b5
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc6f6f2e2c2f3eb894ef48dfece99fe9b
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 48700, id=5, length=132
        User-Name = "time2"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020500061900
        State = 0xc6f6f2e2c2f3eb894ef48dfece99fe9b
        Message-Authenticator = 0x5a5c79e12214769c5c4ca90b358d4f85
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 5 to 127.0.0.1 port 48700
        EAP-Message = 0x0106002b19001703010020aec315f53e1e8847c53a4264738a8acbe3
f14d22ea7cd7500c99cb39f39296c5
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc6f6f2e2c3f0eb894ef48dfece99fe9b
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 48700, id=6, length=222
        User-Name = "time2"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x02060060190017030100203f6b5f574cbe7adebedea1dfaab8b98023
def490681f0ba0228cfd700d81a18f1703010030cd8923af00f93c5760b032e8160701a1add2fed2
692be5bb2f290544e1675c6a4ef7ac2dc1c27afbe1858a8b22d52bf6
        State = 0xc6f6f2e2c3f0eb894ef48dfece99fe9b
        Message-Authenticator = 0x6bd17dea90eb6f46972ccfc8f532a219
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - time2
[peap] Got tunnled request
        EAP-Message = 0x0206000a0174696d6532
server (null) {
  PEAP: Got tunneled identity of time2
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to time2
Sending tunneled request
        EAP-Message = 0x0206000a0174696d6532
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "time2"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
server inner-tunnel {
+- entering group authorize {...}
++[mschap] returns noop
[suffix] No '@' in User-Name = "time2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail
-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20100721
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expan
ds to /var/log/radius/radacct/127.0.0.1/auth-detail-20100721
[auth_log]      expand: %t -> Wed Jul 21 18:07:16 2010
++[auth_log] returns ok
[sql]   expand: %{User-Name} -> time2
[sql] sql_set_user escaped user --> 'time2'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: (SELECT id, username, attribute, value, op  FROM radcheck  WHERE
 username = '%{SQL-User-Name}' and attribute != 'Cleartext-Password') UNION (SEL
ECT id, username, attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck
 WHERE username = '%{SQL-User-Name}' and attribute = 'Cleartext-Password') ORDER
 BY id -> (SELECT id, username, attribute, value, op  FROM radcheck  WHERE usern
ame = 'time2' and attribute != 'Cleartext-Password') UNION (SELECT id, username,
 attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck WHERE username =
 'time2' and attribute = 'Cleartext-Password') ORDER BY id
rlm_sql_mysql: query:  (SELECT id, username, attribute, value, op  FROM radcheck
  WHERE username = 'time2' and attribute != 'Cleartext-Password') UNION (SELECT
id, username, attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck WHE
RE username = 'time2' and attribute = 'Cleartext-Password') ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radrepl
y           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT
id, username, attribute, value, op           FROM radreply           WHERE usern
ame = 'time2'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = 'time2'           ORDER BY id
[sql]   expand: SELECT groupname          FROM radusergroup           WHERE user
name = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname
   FROM radusergroup           WHERE username = 'time2'           ORDER BY prior
ity
rlm_sql_mysql: query:  SELECT groupname          FROM radusergroup           WHE
RE username = 'time2'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++? if (!(control:Cleartext-Password))
?? Evaluating (control:Cleartext-Password) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(control:Cleartext-Password)) -> FALSE
++? elsif ((reply:acct_expiration) &&  ("%{reply:acct_expiration}" < "%D") )
?? Evaluating (reply:acct_expiration) -> TRUE
        expand: %{reply:acct_expiration} -> 29991231
        expand: %D -> 20100721
?? Evaluating ("%{reply:acct_expiration}" < "%D") -> FALSE
++? elsif ((reply:acct_expiration) &&  ("%{reply:acct_expiration}" < "%D") ) ->
FALSE
++? elsif ((reply:acct_expiration) && (reply:1st_login_date)  && (reply:ticket_e
xpiration) && ("%{reply:1st_login_date}" != "29991231") && ("%{reply:ticket_expi
ration}" < "%D") )
?? Evaluating (reply:acct_expiration) -> TRUE
?? Evaluating (reply:1st_login_date) -> TRUE
?? Evaluating (reply:ticket_expiration) -> TRUE
        expand: %{reply:1st_login_date} -> 20100619
?? Evaluating ("%{reply:1st_login_date}" != "29991231") -> TRUE
        expand: %{reply:ticket_expiration} -> 20100917
        expand: %D -> 20100721
?? Evaluating ("%{reply:ticket_expiration}" < "%D") -> FALSE
++? elsif ((reply:acct_expiration) && (reply:1st_login_date)  && (reply:ticket_e
xpiration) && ("%{reply:1st_login_date}" != "29991231") && ("%{reply:ticket_expi
ration}" < "%D") ) -> FALSE
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{
User-Name}''
[noreset_time_counter]  expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE U
serName='%{User-Name}' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserNam
e='time2'
sqlcounter_expand:  '%{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserNa
me='time2'}'
[noreset_time_counter] sql_xlat
[noreset_time_counter]  expand: %{User-Name} -> time2
[noreset_time_counter] sql_set_user escaped user --> 'time2'
[noreset_time_counter]  expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE U
serName='time2' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='time
2'
[noreset_time_counter]  expand: /var/log/radius/sqltrace.sql -> /var/log/radius/
sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query:  SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='
time2'
[noreset_time_counter] sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
[noreset_time_counter]  expand: %{sql:SELECT SUM(AcctSessionTime) FROM radacct W
HERE UserName='time2'} -> 876
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user time2, check_item=600, counter=876
++[noreset_time_counter] returns reject
++? if (reject)
? Evaluating (reject) -> TRUE
++? if (reject) -> TRUE
++- entering if (reject) {...}
+++[outer.control] returns reject
++- if (reject) returns reject
Invalid user (rlm_sqlcounter: Maximum never usage time reached): [time2/<via Aut
h-Type = EAP>] (from client localhost port 0 cli 02-00-00-00-00-01 via TLS tunne
l)
} # server inner-tunnel
[peap] Got tunneled reply code 3
        1st_login_date := "20100619"
        acct_expiration := "29991231"
        ticket_days := "90"
        ticket_expiration := "20100917"
        Reply-Message = "Your maximum never usage time has been reached"
[peap] Got tunneled reply RADIUS code 3
        1st_login_date := "20100619"
        acct_expiration := "29991231"
        ticket_days := "90"
        ticket_expiration := "20100917"
        Reply-Message = "Your maximum never usage time has been reached"
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 6 to 127.0.0.1 port 48700
        EAP-Message = 0x0107003b190017030100307c3d0849e67e324f5c4dc05f3057f29608
2f681afe3ea6afbbaf7401626f790dfdaf578b170dec9d10a8940db452bc56
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc6f6f2e2c0f1eb894ef48dfece99fe9b
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 48700, id=7, length=222
        User-Name = "time2"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x02070060190017030100205a84d4054297caf70cfd919519a7a826b6
aeccb463a63a6912dd35ac6c71be831703010030fa26f87fcfea5b33edf93ee1820f5f6ff3420ae7
1191726eac788bbc21d8d006e3d3b0f1ff130bb8bb32dd014ea83086
        State = 0xc6f6f2e2c0f1eb894ef48dfece99fe9b
        Message-Authenticator = 0xe1e536bac5897a5941106620a6ecdd33
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
  SSL: Removing session 4387d2f0346c9170879501ac24483af389a0b701d29af0eb17a03ca2
e96f983a from the cache
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [time2/<via Auth-Type = EAP>] (from client localhost port 0 cli
 02-00-00-00-00-01)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[sql]   expand: %{User-Name} -> time2
[sql] sql_set_user escaped user --> 'time2'
[sql]   expand: INSERT INTO radpostauth                           (ID, username,
 password, nas_ip, auth_result, reply_message, authdate)
   VALUES (NULL,                            '%{User-Name}',
      aes_encrypt('NA', 'abc123456def'),                           '%{NAS-IP-ADD
RESS}',                            '%{reply:Packet-Type}',
      '%{control:My-Err-Message}',
 '%S') -> INSERT INTO radpostauth                           (ID, username, passw
ord, nas_ip, auth_result, reply_message, authdate)                           VAL
UES (NULL,                            'time2',                           aes_enc
rypt('NA', 'abc123456def'),                           '127.0.0.1',
              'Access-Reject',                            '',
 '2010-07-21 18:07:16')
[sql]   expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
          (ID, username, password, nas_ip, auth_result, reply_message, authdate)
                           VALUES (NULL,                            'time2',
                       aes_encrypt('NA', 'abc123456def'),
    '127.0.0.1',                            'Access-Reject',
        '',                                                               '2010-
07-21 18:07:16')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query:  INSERT INTO radpostauth                           (ID, us
ername, password, nas_ip, auth_result, reply_message, authdate)
          VALUES (NULL,                            'time2',
      aes_encrypt('NA', 'abc123456def'),                           '127.0.0.1',
                           'Access-Reject',                            '',
 '2010-07-21 18:07:16')
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[reply_log]     expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detai
l-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/reply-detail-20100721
[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d exp
ands to /var/log/radius/radacct/127.0.0.1/reply-detail-20100721
[reply_log]     expand: %t -> Wed Jul 21 18:07:16 2010
++[reply_log] returns ok
[attr_filter.access_reject]     expand: %{User-Name} -> time2
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 7 to 127.0.0.1 port 48700
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 0 with timestamp +4
Cleaning up request 1 ID 1 with timestamp +4
Cleaning up request 2 ID 2 with timestamp +4
Cleaning up request 3 ID 3 with timestamp +4
Cleaning up request 4 ID 4 with timestamp +4
Cleaning up request 5 ID 5 with timestamp +4
Cleaning up request 6 ID 6 with timestamp +4
Waking up in 1.0 seconds.
Cleaning up request 7 ID 7 with timestamp +4
Ready to process requests.

----4. ends -------------------------



      





More information about the Freeradius-Users mailing list