Freeradius + Alvarion 4Motion specify filter-id value in access-accept from value in user conf file?
Hahusseau, Thomas
thomas.hahusseau at cassidian.com
Mon Jun 6 18:38:53 CEST 2011
Hello,
I tried using only "Framed-Filter-Id" and "Filter-Id" in the users conf file and deleting the line Filter-Id = "Profile1" from my sites-enabled/default conf file, but it doesn't work. When processing the post-authentication section it doesn't add the attributes provided in the users conf to the Access-Accept. I added the "files" line in the post-auth section of the default conf file (I supposed this way it parses the users conf file when processing the post-auth section), but it doesn't work.
Could you give me a sample of your sites-enabled/default conf file?
Here is the radiusd -X output of my server:
FreeRADIUS Version 3.0.0, for host i686-pc-linux-gnu, built on May 31 2011 at 08:06:19
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/eap
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/sql
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/sqlippool
including configuration file /usr/local/etc/raddb/sql/postgresql/ippool.conf
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
main {
security {
allow_core_dumps = no
}
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
proto = "*"
max_connections = 16
}
client 192.168.100.10 {
require_message_authenticator = no
secret = "wimaxeads"
max_connections = 16
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
passchange {
}
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /usr/local/etc/raddb/modules/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_wimax
Module: Instantiating module "wimax" from file /usr/local/etc/raddb/modules/wimax
wimax {
delete_mppe_keys = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail
detail {
detailfile = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.100.10 port 1812, id=87, length=161
User-Name = "{am=1}cpe4@eads.com"
EAP-Message = 0x02010018017b616d3d317d6370653440656164732e636f6d
Message-Authenticator = 0xd4e62c828085e35dc5b8eab904862b64
NAS-Identifier = "NPU"
NAS-IP-Address = 192.168.100.10
Calling-Station-Id = "00-19-15-C8-99-9D"
WiMAX-BS-Id = 0x214e00010101
NAS-Port-Type = Wireless-802.16
Framed-MTU = 2000
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 256
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) group authorize {
(0) - entering group authorize {...}
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) [wimax] = ok
(0) suffix : Looking up realm "eads.com" for User-Name = "{am=1}cpe4@eads.com"
(0) suffix : No such realm "eads.com"
(0) [suffix] = noop
(0) eap : EAP packet type response id 1 length 24
(0) eap : No EAP Start, assuming it's an on-going EAP conversation
(0) [eap] = updated
(0) [files] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap : WARNING! No "known good" password found for the user. Authentication may fail because of this.
(0) [pap] = noop
(0) Found Auth-Type = ?
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) group authenticate {
(0) - entering group authenticate {...}
(0) eap : EAP Identity
(0) eap : processing type md5
rlm_eap_md5: Issuing Challenge
(0) [eap] = handled
Sending Access-Challenge of id 87 to 192.168.100.10 port 1812
EAP-Message = 0x0102001604106254767f35e41ca8d379aa26b1844710
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x88ac768388ae720233427f0cb1a81ea1
(0) Finished request 0.
rad_recv: Access-Request packet from host 192.168.100.10 port 1812, id=88, length=161
User-Name = "{am=1}cpe4@eads.com"
EAP-Message = 0x020200060315
Message-Authenticator = 0x968d21ad084bd80cb7fd2b7b91f77643
NAS-Identifier = "NPU"
NAS-IP-Address = 192.168.100.10
Calling-Station-Id = "00-19-15-C8-99-9D"
WiMAX-BS-Id = 0x214e00010101
NAS-Port-Type = Wireless-802.16
Framed-MTU = 2000
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 256
State = 0x88ac768388ae720233427f0cb1a81ea1
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) group authorize {
(1) - entering group authorize {...}
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) [wimax] = ok
(1) suffix : Looking up realm "eads.com" for User-Name = "{am=1}cpe4@eads.com"
(1) suffix : No such realm "eads.com"
(1) [suffix] = noop
(1) eap : EAP packet type response id 2 length 6
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap : WARNING! No "known good" password found for the user. Authentication may fail because of this.
(1) [pap] = noop
(1) Found Auth-Type = ?
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) group authenticate {
(1) - entering group authenticate {...}
(1) eap : Request found, released from the list
(1) eap : EAP NAK
(1) eap : EAP-NAK asked for EAP-Type/ttls
(1) eap : processing type tls
(1) tls : Initiate
(1) tls : Start returned 1
(1) [eap] = handled
Sending Access-Challenge of id 88 to 192.168.100.10 port 1812
EAP-Message = 0x010300061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x88ac768389af630233427f0cb1a81ea1
(1) Finished request 1.
rad_recv: Access-Request packet from host 192.168.100.10 port 1812, id=89, length=235
User-Name = "{am=1}cpe4@eads.com"
EAP-Message = 0x0203005015001603010045010000410301587b2c9d26ea19e33cc96c713e27e86d48e7f90bba9078be4787a3b58865b7e000001a0015001600330009000a002f000700670039006b003c0035003d0100
Message-Authenticator = 0x900a66df9e8f1a8617b067c7e151f41d
NAS-Identifier = "NPU"
NAS-IP-Address = 192.168.100.10
Calling-Station-Id = "00-19-15-C8-99-9D"
WiMAX-BS-Id = 0x214e00010101
NAS-Port-Type = Wireless-802.16
Framed-MTU = 2000
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 256
State = 0x88ac768389af630233427f0cb1a81ea1
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(2) group authorize {
(2) - entering group authorize {...}
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) [wimax] = ok
(2) suffix : Looking up realm "eads.com" for User-Name = "{am=1}cpe4@eads.com"
(2) suffix : No such realm "eads.com"
(2) [suffix] = noop
(2) eap : EAP packet type response id 3 length 80
(2) eap : Continuing tunnel setup.
(2) [eap] = ok
(2) Found Auth-Type = ?
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) group authenticate {
(2) - entering group authenticate {...}
(2) eap : Request found, released from the list
(2) eap : EAP/ttls
(2) eap : processing type ttls
(2) ttls : Authenticate
(2) ttls : processing EAP-TLS
(2) ttls : eaptls_verify returned 7
(2) ttls : Done initial handshake
(2) ttls : (other): before/accept initialization
(2) ttls : TLS_accept: before/accept initialization
(2) ttls : <<< TLS 1.0 Handshake [length 0045], ClientHello
(2) ttls : TLS_accept: SSLv3 read client hello A
(2) ttls : >>> TLS 1.0 Handshake [length 002a], ServerHello
(2) ttls : TLS_accept: SSLv3 write server hello A
(2) ttls : >>> TLS 1.0 Handshake [length 085e], Certificate
(2) ttls : TLS_accept: SSLv3 write certificate A
(2) ttls : >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
(2) ttls : TLS_accept: SSLv3 write key exchange A
(2) ttls : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(2) ttls : TLS_accept: SSLv3 write server done A
(2) ttls : TLS_accept: SSLv3 flush data
(2) ttls : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(2) ttls : eaptls_process returned 13
(2) [eap] = handled
Sending Access-Challenge of id 89 to 192.168.100.10 port 1812
EAP-Message = 0x6ecb42edc56b67eaff5f29f9d96350cc431fa58e575e5829b84e2d2d61ea4047b493d3ba028618067f191ab467414158fb41b0f33f9de13d48dd94c5f6d4060b687617532ba2e90814084708a895331416c460d709a97eb1125885244dce77795c064b9a2e3b0027bc02a629ccf2b6424af17318994415fffba3543ffefa6e06f17ec82c9ce722e901602cc2ce23b60ad1c4deed6959d7e912a21fecaad1547da914e046a9760eb70eb8426a65bf2b7d9d124d9365311ce78f9977af941f39d8c33a84b03e883cdad3e8645604f7d3e4c8fd840a9dade2258835ec2b44214c88d32be9f7137005fb07a42052f30e555fbcb20d3c76a3eb0004ab308204
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x88ac76838aa8630233427f0cb1a81ea1
(2) Finished request 2.
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.100.10 port 1812, id=90, length=161
User-Name = "{am=1}cpe4@eads.com"
EAP-Message = 0x020400061500
Message-Authenticator = 0xbfc9c710af8c98f1b1ee9e248bdeb6ec
NAS-Identifier = "NPU"
NAS-IP-Address = 192.168.100.10
Calling-Station-Id = "00-19-15-C8-99-9D"
WiMAX-BS-Id = 0x214e00010101
NAS-Port-Type = Wireless-802.16
Framed-MTU = 2000
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 256
State = 0x88ac76838aa8630233427f0cb1a81ea1
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(3) group authorize {
(3) - entering group authorize {...}
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) [wimax] = ok
(3) suffix : Looking up realm "eads.com" for User-Name = "{am=1}cpe4@eads.com"
(3) suffix : No such realm "eads.com"
(3) [suffix] = noop
(3) eap : EAP packet type response id 4 length 6
(3) eap : Continuing tunnel setup.
(3) [eap] = ok
(3) Found Auth-Type = ?
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3) group authenticate {
(3) - entering group authenticate {...}
(3) eap : Request found, released from the list
(3) eap : EAP/ttls
(3) eap : processing type ttls
(3) ttls : Authenticate
(3) ttls : processing EAP-TLS
(3) ttls : Received TLS ACK
(3) ttls : Received TLS ACK
(3) ttls : ACK handshake fragment handler
(3) ttls : eaptls_verify returned 1
(3) ttls : eaptls_process returned 13
(3) [eap] = handled
Sending Access-Challenge of id 90 to 192.168.100.10 port 1812
EAP-Message = 0x0105040015c000000aad00e43e5f1a392e6ac9300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303533313132313032365a170d3132303533303132313032365a308193310b3009060355040613024652310f300d0603550408130652616469757331123010
EAP-Message = 0x060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900e43e5f1a392e6ac9300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100a903db5d9e4a396307c9589ace378d253014c5b561000c4bd057d2e430f9f5e91bf8ae3dbc2a689463af2a8bbf585fc17eebda0d5ab7e4a5d0d60a3b9b344ff413d81cff50e0245daaa2830ee2bf
EAP-Message = 0xea6af9fce68b957d225106a2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x88ac76838ba9630233427f0cb1a81ea1
(3) Finished request 3.
rad_recv: Access-Request packet from host 192.168.100.10 port 1812, id=91, length=161
User-Name = "{am=1}cpe4@eads.com"
EAP-Message = 0x020500061500
Message-Authenticator = 0xf19ff52dcaff5594d6d2d0e8cf99d0a5
NAS-Identifier = "NPU"
NAS-IP-Address = 192.168.100.10
Calling-Station-Id = "00-19-15-C8-99-9D"
WiMAX-BS-Id = 0x214e00010101
NAS-Port-Type = Wireless-802.16
Framed-MTU = 2000
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 256
State = 0x88ac76838ba9630233427f0cb1a81ea1
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(4) group authorize {
(4) - entering group authorize {...}
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) [wimax] = ok
(4) suffix : Looking up realm "eads.com" for User-Name = "{am=1}cpe4@eads.com"
(4) suffix : No such realm "eads.com"
(4) [suffix] = noop
(4) eap : EAP packet type response id 5 length 6
(4) eap : Continuing tunnel setup.
(4) [eap] = ok
(4) Found Auth-Type = ?
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) group authenticate {
(4) - entering group authenticate {...}
(4) eap : Request found, released from the list
(4) eap : EAP/ttls
(4) eap : processing type ttls
(4) ttls : Authenticate
(4) ttls : processing EAP-TLS
(4) ttls : Received TLS ACK
(4) ttls : Received TLS ACK
(4) ttls : ACK handshake fragment handler
(4) ttls : eaptls_verify returned 1
(4) ttls : eaptls_process returned 13
(4) [eap] = handled
Sending Access-Challenge of id 91 to 192.168.100.10 port 1812
EAP-Message = 0x010602cb158000000aadb869abceda0becac1d49627234002680125f5c23d91fb12fc57f5fb7be4628aa24f9f9e7cb78622962b56a3163be5c57ee2cca8fecfc9934e88a730d936bbe302a401dad2d5bc6f8a7a9a892f180a41d765ca260f362686f3663f43630c84972f19c528213a96135f0a4252f8da9f302b566173642c000b0a86a8761ce46127162624b7f0c28d93ab2f3cb56f8b79aa98a0c41c2100c313bd175e0d390464073f1067ed5e189160301020d0c0002090080e185943179de0da8ba01aaa3bc08b2c683e10e9826a0394bd9eb4058162d1d215bf969738cbe13f1cf86db0473474bd9c888ac4c88e289330af9ed8ec45af8d0f1e0
EAP-Message = 0x0076acca2294ffaee380bbdc9746fca807f085fb9b6d3971438a8688c901b75b31e8897f55642e7b9acfbf90119ae796f7a557b5c0100660545fcbd6874729c3e7dd3e47eb9ec8124628721429836af9317cda8e2ce5779b1893c511c0dc3fc223d3d8caf69d84277c4251aef8e6cc5f568782aa211094b1e06b46991c5c951c5f87a9f7efc705a66f8ae53d48343523eddabe2626ce77976602f75749665cc525a04fb14ffd1323f013f9c29120a67c03fcc396199cf2cf382ea4cf0ccb1e80164fea44bf35e97916030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x88ac76838caa630233427f0cb1a81ea1
(4) Finished request 4.
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 192.168.100.10 port 1812, id=92, length=351
User-Name = "{am=1}cpe4@eads.com"
EAP-Message = 0x020600c41500160301008610000082008001455425498d4e781bd0c39a4e506674a7025212fc72155fe8fd97090665dca0ba0b5e2f4d1154a7f8503627c074a0eee463d1bfd472ed04adb091136688948c02061fa969179f5e6073802554260a1da1993f421bf1c0bb5bc56e4e12ae0b2d825d17915ca089244c7643e5d5538b609bfbca8e657cbb3bca2801fe1e575d971403010001011603010028d4dd4af67d9ca7167cc8f634677f8ea78b2236861684655711098fb54fc26cc28166d0525f30f9a0
Message-Authenticator = 0x32f7680d343e93a36d54cf2ffe5b5637
NAS-Identifier = "NPU"
NAS-IP-Address = 192.168.100.10
Calling-Station-Id = "00-19-15-C8-99-9D"
WiMAX-BS-Id = 0x214e00010101
NAS-Port-Type = Wireless-802.16
Framed-MTU = 2000
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 256
State = 0x88ac76838caa630233427f0cb1a81ea1
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(5) group authorize {
(5) - entering group authorize {...}
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) [wimax] = ok
(5) suffix : Looking up realm "eads.com" for User-Name = "{am=1}cpe4@eads.com"
(5) suffix : No such realm "eads.com"
(5) [suffix] = noop
(5) eap : EAP packet type response id 6 length 196
(5) eap : Continuing tunnel setup.
(5) [eap] = ok
(5) Found Auth-Type = ?
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5) group authenticate {
(5) - entering group authenticate {...}
(5) eap : Request found, released from the list
(5) eap : EAP/ttls
(5) eap : processing type ttls
(5) ttls : Authenticate
(5) ttls : processing EAP-TLS
(5) ttls : eaptls_verify returned 7
(5) ttls : Done initial handshake
(5) ttls : <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
(5) ttls : TLS_accept: SSLv3 read client key exchange A
(5) ttls : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(5) ttls : <<< TLS 1.0 Handshake [length 0010], Finished
(5) ttls : TLS_accept: SSLv3 read finished A
(5) ttls : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(5) ttls : TLS_accept: SSLv3 write change cipher spec A
(5) ttls : >>> TLS 1.0 Handshake [length 0010], Finished
(5) ttls : TLS_accept: SSLv3 write finished A
(5) ttls : TLS_accept: SSLv3 flush data
(5) ttls : (other): SSL negotiation finished successfully
SSL Connection Established
(5) ttls : eaptls_process returned 13
(5) [eap] = handled
Sending Access-Challenge of id 92 to 192.168.100.10 port 1812
EAP-Message = 0x0107003d15800000003314030100010116030100280fffe283805736eb626decd011756e22b5496fe15710da0d7dc8c7207a32289778b92d5885e652b5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x88ac76838dab630233427f0cb1a81ea1
(5) Finished request 5.
Waking up in 4.1 seconds.
rad_recv: Access-Request packet from host 192.168.100.10 port 1812, id=93, length=310
User-Name = "{am=1}cpe4@eads.com"
EAP-Message = 0x0207009b150017030100909f84a66746c7cf3974afd8ab6157301d4c97f00339053b36c9a59fe819dfcd482a3d72823753dff7ab3f791a526df518c81ccaa49f7e8fd40a3d297d9093f08a58c0fd480f26509a9388336da43929d15921a211eae621619bb965904f2ee3e87efbb8f49674c61f203110abadf99c11afda6a0e490f9130597067ea549496cefeb2118c76dea0203f80737a9e7417cd
Message-Authenticator = 0xe81dfa7d5f4d3996555392a68d3f04d7
NAS-Identifier = "NPU"
NAS-IP-Address = 192.168.100.10
Calling-Station-Id = "00-19-15-C8-99-9D"
WiMAX-BS-Id = 0x214e00010101
NAS-Port-Type = Wireless-802.16
Framed-MTU = 2000
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 256
State = 0x88ac76838dab630233427f0cb1a81ea1
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(6) group authorize {
(6) - entering group authorize {...}
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) [wimax] = ok
(6) suffix : Looking up realm "eads.com" for User-Name = "{am=1}cpe4@eads.com"
(6) suffix : No such realm "eads.com"
(6) [suffix] = noop
(6) eap : EAP packet type response id 7 length 155
(6) eap : Continuing tunnel setup.
(6) [eap] = ok
(6) Found Auth-Type = ?
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) group authenticate {
(6) - entering group authenticate {...}
(6) eap : Request found, released from the list
(6) eap : EAP/ttls
(6) eap : processing type ttls
(6) ttls : Authenticate
(6) ttls : processing EAP-TLS
(6) ttls : eaptls_verify returned 7
(6) ttls : Done initial handshake
(6) ttls : eaptls_process returned 7
(6) ttls : Session established. Proceeding to decode tunneled attributes.
(6) ttls : Got tunneled request
User-Name = "cpe4@eads.com"
MS-CHAP-Challenge = 0x524783588ddc1bb5df1da04af1ee2d5d
MS-CHAP2-Response = 0x1600e0e47d06ce97ea0a60567c9e7d640bc600000000000000003b46f4aca33bc647209dab6d064d7b623a5df0c8fab3c2f3
FreeRADIUS-Proxied-To = 127.0.0.1
(6) ttls : Sending tunneled request
User-Name = "cpe4@eads.com"
MS-CHAP-Challenge = 0x524783588ddc1bb5df1da04af1ee2d5d
MS-CHAP2-Response = 0x1600e0e47d06ce97ea0a60567c9e7d640bc600000000000000003b46f4aca33bc647209dab6d064d7b623a5df0c8fab3c2f3
FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6) group authorize {
(6) - entering group authorize {...}
(6) [chap] = noop
(6) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(6) [mschap] = ok
(6) suffix : Looking up realm "eads.com" for User-Name = "cpe4 at eads.com"
(6) suffix : No such realm "eads.com"
(6) [suffix] = noop
(6) update control {
(6) } # update control = noop
(6) eap : No EAP-Message, not doing EAP
(6) [eap] = noop
(6) files : users: Matched entry cpe4 at eads.com at line 91
(6) [files] = ok
(6) [expiration] = noop
(6) [logintime] = noop
(6) pap : WARNING: Auth-Type already set. Not setting to PAP
(6) [pap] = noop
(6) Found Auth-Type = ?
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6) group MS-CHAP {
(6) - entering group MS-CHAP {...}
(6) mschap : Creating challenge hash with username: cpe4 at eads.com
(6) mschap : Told to do MS-CHAPv2 for cpe4 at eads.com with NT-Password
(6) mschap : adding MS-CHAPv2 MPPE keys
(6) [mschap] = ok
(6) WARNING: Empty post-auth section. Using default return values.
(6) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
} # server inner-tunnel
(6) ttls : Got tunneled reply code 2
Session-Timeout = 3600
Filter-Id = "test"
MS-CHAP2-Success = 0x16533d41324545333844363945383731384645363242384535453837444134433345383237333134303442
MS-MPPE-Recv-Key = 0x5ac2e372bf3085350ea9e377e10fa0b6
MS-MPPE-Send-Key = 0xd77e84ffdba7c7c94aaedf504955c3c7
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(6) ttls : Got tunneled Access-Accept
(6) ttls : Got MS-CHAP2-Success, tunneling it to the client in a challenge.
(6) [eap] = handled
Sending Access-Challenge of id 93 to 192.168.100.10 port 1812
EAP-Message = 0x0108005f15800000005517030100501665535a9fbbb9d91b0116452b2c92ca86fec3e26123d3fd0f2c90b430a6c352d48a3a8eec084e20666296a57b63c157f4a969930fc7ac3f016592b9b9e9fc20e4fc0fb1f65ef70de45d8e8f9d02be6a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x88ac76838ea4630233427f0cb1a81ea1
(6) Finished request 6.
rad_recv: Access-Request packet from host 192.168.100.10 port 1812, id=94, length=161
User-Name = "{am=1}cpe4 at eads.com"
EAP-Message = 0x020800061500
Message-Authenticator = 0x01c1e4c8092af309452a074fbf85d797
NAS-Identifier = "NPU"
NAS-IP-Address = 192.168.100.10
Calling-Station-Id = "00-19-15-C8-99-9D"
WiMAX-BS-Id = 0x214e00010101
NAS-Port-Type = Wireless-802.16
Framed-MTU = 2000
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 256
State = 0x88ac76838ea4630233427f0cb1a81ea1
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(7) group authorize {
(7) - entering group authorize {...}
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) [wimax] = ok
(7) suffix : Looking up realm "eads.com" for User-Name = "{am=1}cpe4 at eads.com"
(7) suffix : No such realm "eads.com"
(7) [suffix] = noop
(7) eap : EAP packet type response id 8 length 6
(7) eap : Continuing tunnel setup.
(7) [eap] = ok
(7) Found Auth-Type = ?
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7) group authenticate {
(7) - entering group authenticate {...}
(7) eap : Request found, released from the list
(7) eap : EAP/ttls
(7) eap : processing type ttls
(7) ttls : Authenticate
(7) ttls : processing EAP-TLS
(7) ttls : Received TLS ACK
(7) ttls : Received TLS ACK
(7) ttls : ACK handshake is finished
(7) ttls : eaptls_verify returned 3
(7) ttls : eaptls_process returned 3
(7) ttls : Using saved attributes from the original Access-Accept
(7) eap : Freeing handler
(7) [eap] = ok
(7) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(7) group post-auth {
(7) - entering group post-auth {...}
(7) [exec] = noop
(7) update request {
(7) expand: %{User-Name} -> {am=1}cpe4 at eads.com
(7) } # update request = noop
(7) update reply {
(7) expand: %{reply:EAP-MSK} -> 0x136e9f4e17d5d9c152c761683b9ff583dad202cf52ff3eb015875fac682c3b3e6a513e57ca1c54f30f765467a88dc959ad9b5fa8e209a9d99b27ddad51e8b619
(7) } # update reply = noop
(7) wimax : MIP-RK = 0xfe49ecf2e917155067c599b3fccb51beb0fcec8d8546f48d2d64bcd7fe600ee1fffc1bc29818070a6e9a6a344ae5cafcf9fbba52de6098bb0e2aaf17fc63937c
(7) wimax : MIP-SPI = 67d71c9b
(7) wimax : WARNING: WiMAX-IP-Technology not found in reply.
(7) wimax : WARNING: Not calculating MN-HA keys
(7) [wimax] = updated
Sending Access-Accept of id 94 to 192.168.100.10 port 1812
MS-MPPE-Recv-Key = 0x136e9f4e17d5d9c152c761683b9ff583dad202cf52ff3eb015875fac682c3b3e
MS-MPPE-Send-Key = 0x6a513e57ca1c54f30f765467a88dc959ad9b5fa8e209a9d99b27ddad51e8b619
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "{am=1}cpe4 at eads.com"
WiMAX-FA-RK-Key = 0xecc5305cab2138e96974262acfd5e80e9eb5000a
WiMAX-MSK = 0x136e9f4e17d5d9c152c761683b9ff583dad202cf52ff3eb015875fac682c3b3e6a513e57ca1c54f30f765467a88dc959ad9b5fa8e209a9d99b27ddad51e8b619
WiMAX-FA-RK-SPI = 2602358631
(7) Finished request 7.
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 87 with timestamp +5
(1) Cleaning up request packet ID 88 with timestamp +5
Waking up in 0.1 seconds.
(2) Cleaning up request packet ID 89 with timestamp +5
(3) Cleaning up request packet ID 90 with timestamp +5
(4) Cleaning up request packet ID 91 with timestamp +6
Waking up in 0.4 seconds.
(5) Cleaning up request packet ID 92 with timestamp +6
(6) Cleaning up request packet ID 93 with timestamp +6
(7) Cleaning up request packet ID 94 with timestamp +6
Ready to process requests.
-----Original Message-----
From: freeradius-users-bounces+thomas.hahusseau=cassidian.com at lists.freeradius.org [mailto:freeradius-users-bounces+thomas.hahusseau=cassidian.com at lists.freeradius.org] On Behalf Of David Peterson
Sent: Wednesday, June 1, 2011 14:07
To: FreeRadius users mailing list
Subject: RE: Freeradius + Alvarion 4Motion specify filter-id value inaccess-accept from value in user conf file ?
I just use Framed-Filter-Id = "profilename" in the reply.
When you added:
update reply {
WiMAX-FA-RK-Key = 0x00
WiMAX-MSK = "%{reply:EAP-MSK}"
Filter-Id = "Profile1"
}
That replies with only 1 filter ID. Take the Filter-Id out and keep it in the users file:
cpe1 at eads.com Cleartext-Password := "cpe1"
Session-Timeout = 3600,
Termination-Action = Radius-Request,
Filter-Id = "Profile1"
David
-----Original Message-----
From: Hahusseau, Thomas [mailto:thomas.hahusseau at cassidian.com]
Sent: Wednesday, June 01, 2011 5:12 AM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: RE: Freeradius + Alvarion 4Motion specify filter-id value in access-accept from value in user conf file ?
Hello,
My WiMAX device requires the MPPE keys to be sent in the Access-Accept; if I change that setting in module/wimax from no to yes, the WiMAX device doesn't connect anymore.
My problem is not getting my WiMAX device connected; that's already done.
My problem is that I want specific values of the "Filter-Id" attribute sent in the Access-Accept according to the User-Name sent in the Access-Request.
Filter-ID = "Profile1" when user CPE1 at eads.com is trying to connect.
Filter-ID = "Profile2" when user CPE2 at eads.com is trying to connect.
Regards,
Thomas
PS: Uncommenting the "wimax" lines in the site-enable and inner-tunnel conf files is already done.
-----Original Message-----
From: freeradius-users-bounces+thomas.hahusseau=cassidian.com at lists.freeradius.org [mailto:freeradius-users-bounces+thomas.hahusseau=cassidian.com at lists.freeradius.org] On Behalf Of David Peterson
Sent: Tuesday, May 31, 2011 19:31
To: 'FreeRadius users mailing list'
Subject: RE: Freeradius + Alvarion 4Motion specify filter-id valueinaccess-accept from value in user conf file ?
Make sure you configure FR to delete the MPPE keys. This can be found in the /modules/wimax file. Set the value from No to Yes.
As well, you need to configure the server to use the inner-tunnel. I would start from the default FR settings, uncomment the wimax entries you see in sites-available/default and sites-available/inner-tunnel, make the change in the /modules/wimax file and make sure your profile names match as this is case sensitive.
David
-----Original Message-----
From: freeradius-users-bounces+david.peterson=acc-corp.net at lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp.net at lists.freeradius.org] On Behalf Of Hahusseau, Thomas
Sent: Tuesday, May 31, 2011 1:18 PM
To: freeradius-users at lists.freeradius.org
Subject: Freeradius + Alvarion 4Motion specify filter-id value inaccess-accept from value in user conf file ?
Hello,
I'm running the latest version from the master branch of FreeRADIUS. I managed to connect an Alvarion CPE to an Alvarion 4M BS with a FreeRADIUS server as authenticator. Everything works well, except that I directly specified the value of the "Filter-Id" attribute required by the base station in my /site-enable/default configuration file.
----------- /site-enabled/default
post-auth {
exec
update request {
WiMAX-MN-NAI = "%{User-Name}"
}
update reply {
WiMAX-FA-RK-Key = 0x00
WiMAX-MSK = "%{reply:EAP-MSK}"
Filter-Id = "Profile1"
}
wimax
Post-Auth-Type REJECT {
# log failed authentications in SQL, too.
# sql
attr_filter.access_reject
}
}
-----------
I would like to use a different value of the "Filter-Id" attribute for different users (a specific QoS setting in the Alvarion ASN-GW for each Filter-Id). I would like to use the "Filter-Id" value specified in my users conf file:
----------- users
#standard customer
cpe1 at eads.com Cleartext-Password := "cpe1"
Session-Timeout = 3600,
Termination-Action = Radius-Request,
Filter-Id = "Profile1"
#VIP customer
cpe2 at eads.com Cleartext-Password := "cpe2"
Session-Timeout = 3600,
Termination-Action = Radius-Request,
Filter-Id = "Profile2"
-----------
I tried to use the same syntax as for the WiMAX-MSK attribute, Filter-ID = "%{Filter-Id}", but it doesn't work (the Filter-Id value in the Access-Accept is empty). I googled "Filter-Id freeradius" and found nothing relevant.
Is it possible to use the Filter-Id value from the users conf file in the Access-Accept?
Here is an example of an Access-Accept message with the Filter-Id specified directly in the site-enable/default conf file.
----------- radiusd -X
(7) Found Auth-Type = ?
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7) group authenticate {
(7) - entering group authenticate {...}
(7) eap : Request found, released from the list
(7) eap : EAP/ttls
(7) eap : processing type ttls
(7) ttls : Authenticate
(7) ttls : processing EAP-TLS
(7) ttls : Received TLS ACK
(7) ttls : Received TLS ACK
(7) ttls : ACK handshake is finished
(7) ttls : eaptls_verify returned 3
(7) ttls : eaptls_process returned 3
(7) ttls : Using saved attributes from the original Access-Accept
(7) eap : Freeing handler
(7) [eap] = ok
(7) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(7) group post-auth {
(7) - entering group post-auth {...}
(7) [exec] = noop
(7) update request {
(7) expand: %{User-Name} -> {am=1}791d05915a25400ca9d1a3cb1a2c7ffa at eads.com
(7) } # update request = noop
(7) update reply {
(7) expand: %{reply:EAP-MSK} -> 0x0473dcd65638bc4ef089945467f25e24f252b53f34e4d2f220d157c3d1192528cb185a0437d0a641fd5434d28738eae8f013d4b0308662a0e1b365d8ad542ce0
(7) } # update reply = noop
(7) wimax : MIP-RK = 0x9ec871a65c3033e03c0d77ed55a1517d4b7dbbbeb2d782bcf369635861e64925c5db13c36286e2032c789ad6fe2c09cd21eda782a9a4758e9ce73f8f384c46b6
(7) wimax : MIP-SPI = bb9d949a
(7) wimax : WARNING: WiMAX-IP-Technology not found in reply.
(7) wimax : WARNING: Not calculating MN-HA keys
(7) [wimax] = updated
Sending Access-Accept of id 246 to 192.168.100.10 port 1812
MS-MPPE-Recv-Key = 0x0473dcd65638bc4ef089945467f25e24f252b53f34e4d2f220d157c3d1192528
MS-MPPE-Send-Key = 0xcb185a0437d0a641fd5434d28738eae8f013d4b0308662a0e1b365d8ad542ce0
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "{am=1}791d05915a25400ca9d1a3cb1a2c7ffa at eads.com"
WiMAX-FA-RK-Key = 0xb37b0b5832687e02c31b94319b2ba3077479411f
WiMAX-MSK = 0x0473dcd65638bc4ef089945467f25e24f252b53f34e4d2f220d157c3d1192528cb185a0437d0a641fd5434d28738eae8f013d4b0308662a0e1b365d8ad542ce0
Filter-Id = "Profile1"
WiMAX-FA-RK-SPI = 2593430971
(7) Finished request 7.
-----------
Regards,
Mr Thomas Hahusseau,
Network engineer
Cassidian (EADS)
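The debug output in the newest message above shows where the per-user attribute gets lost: in request (6) the inner-tunnel reply ("Got tunneled reply code 2") carries Filter-Id = "test" from the matched users entry, but the outer Access-Accept sent for request (7) does not, because FreeRADIUS does not copy the inner tunnel's reply attributes into the outer reply unless the EAP-TTLS module is told to. The configuration below is an added example, not the poster's files and not the FreeRADIUS project's shipped defaults: it keeps the per-user Filter-Id in the users file (same layout as in David's reply; the list archive prints "@" as " at ", the real entries use "@"), enables use_tunneled_reply in the eap module's ttls section, and drops the hard-coded Filter-Id from the outer post-auth section. The user names and the profile names Profile1 and Profile2 are taken from the thread; the wimax, exec and attr_filter lines are the ones already in the poster's default site.

```conf
# ----- users
# Per-subscriber reply items. Check items sit on the first line of an
# entry; reply items follow on indented lines, comma-separated, with no
# comma after the last one. The profile name is passed to the ASN-GW
# verbatim, so it must match the profile there character for character.
cpe1@eads.com   Cleartext-Password := "cpe1"
        Session-Timeout = 3600,
        Termination-Action = Radius-Request,
        Filter-Id = "Profile1"

cpe2@eads.com   Cleartext-Password := "cpe2"
        Session-Timeout = 3600,
        Termination-Action = Radius-Request,
        Filter-Id = "Profile2"

# ----- eap.conf (2.x) / mods-available/eap (3.0), the ttls sub-section
# The users entry is matched inside the TTLS tunnel (the "files" module
# runs in sites-enabled/inner-tunnel), so Filter-Id lands in the inner
# reply. This switch is what carries the inner reply attributes into the
# outer Access-Accept; every other existing ttls setting stays unchanged.
ttls {
        # ... existing settings such as virtual_server = "inner-tunnel" ...
        use_tunneled_reply = yes
}

# ----- sites-enabled/default, post-auth section
# No fixed Filter-Id any more: a constant here applies to every
# subscriber and hides whatever the users file says.
post-auth {
        exec
        update request {
                WiMAX-MN-NAI = "%{User-Name}"
        }
        update reply {
                WiMAX-FA-RK-Key = 0x00
                WiMAX-MSK = "%{reply:EAP-MSK}"
        }
        wimax
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
```

Two caveats worth checking in radiusd -X after the change. First, use_tunneled_reply copies the inner reply wholesale, so the "Sending Access-Accept" block should be inspected for attributes that only make sense inside the tunnel, not just for the expected Filter-Id. Second, with MS-CHAPv2 inside TTLS the server answers the inner Access-Accept with one more Access-Challenge (the "Got MS-CHAP2-Success, tunneling it to the client in a challenge" line) before the final Access-Accept, so an update outer.reply placed in the inner-tunnel post-auth section runs while the outer answer is still that challenge; the ttls option above is the mechanism that survives the extra round trip.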
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html