Freeradius-Users Digest, Vol 84, Issue 96

Corey Jones cvjones360 at gmail.com
Wed Apr 25 22:07:33 CEST 2012


I was out of the office and in a meeting on my cell phone.  Sorry... didn't
mean to offend.
On Apr 25, 2012 4:04 PM, <freeradius-users-request at lists.freeradius.org>
wrote:

> Send Freeradius-Users mailing list submissions to
>        freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
>        freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
>        freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>   1. Re: Fwd: FreeRadius Dictionary Attributes (Alan DeKok)
>   2. Re: Assign VLAN from freeradius to Cisco 3550 switch.
>      (Wassim Zaarour)
>   3. Re: Assign VLAN from freeradius to Cisco 3550 switch. (alan buxey)
>   4. Cisco WLC - Freeradius Vlan assignment problem (Martin Silvero)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 25 Apr 2012 18:03:06 +0200
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Subject: Re: Fwd: FreeRadius Dictionary Attributes
> Message-ID: <4F98203A.3080303 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Corey Jones wrote:
> > ---------- Forwarded message ----------
> ...
>
>  That's not nice.  Is it really that difficult to post the *original*
> message?  Why forward a bounce?
>
> > I'm trying to get a freeradius server up and running but I'm having
> > trouble with the attributes I've included in the master dictionary file
> > showing up in the detail file:
> >
> > ATTRIBUTE       client-mac-address       9001    string
>
>  This is wrong.
>
>  Read share/dictionary.  Use the numbers *it* recommends, rather than
> inventing your own.
>
> > The output of the detail-<date> file of the non-functioning server:
>
>  Which is... which version?  How did you configure it?
>
> > The output of the detail-<date> file for the functioning server:
>
>  Which is... which version?  How did you configure it?
>
> > If you compare the non-functioning server output file to the functioning
> > server output file, there are two fields that are missing that are
> > defined in the master dictionary file.
> >
> > disc-cause-ext = "PPP Receive Term"               <---------------HERE
> > client-mac-address = "0002.xxxx.xxxx"             <---------------HERE
>
>  If the two servers are identical, they will behave the same.
>
>  If they're different, find out what the differences are, and fix them.
>
> > I am having trouble with a different part of the server setup where that
> > file is pulled and those fields are read and needed by another
> application.
>
>  What does that mean?
>
> > Does anyone know why those two fields are not pulled or processed on the
> > non-functioning server's output file?
>
>  The fields are "pulled" from... where?
>
> > freeradius -X dump of non-functioning server:
>
>  In which it doesn't receive any packets.  So it's useless.
>
>  Good questions get good answers.
>
>  These questions are bad.  As a result, the only possible answer is
> unhelpful.  Along with the advice "ask good questions."
>
>  Alan DeKok.
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 25 Apr 2012 19:05:26 +0300
> From: Wassim Zaarour <wassim.zaarour at navlink.com>
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Subject: Re: Assign VLAN from freeradius to Cisco 3550 switch.
> Message-ID: <CBBDFB26.EE39%wassim.zaarour at navlink.com>
> Content-Type: text/plain; CHARSET=US-ASCII
>
> Hi Brian,
>
> Thanks for your reply, where do I exactly need to put this configuration?
> In the users file?
>
> Do you have any experience with the 2960 switches?
>
>
> Wassim
>
>
>
>
>
> On 4/25/12 4:07 PM, "Brian Julin" <BJulin at clarku.edu> wrote:
>
> >
> >Wassim Zaarour wrote:
> >> Look at this
> >>
> >>
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg4016
> >>2.html
> >>
> >> The user says that it worked, I tried the attributes he used and still
> >>got
> >> the same error.
> >
> >I don't even know how this was ever working for that user.  On my wired
> >switch plant, which
> >includes some 3550s, wherever I have tested VLAN assignment I have had to
> >use Cisco's
> >cretinous hack:
> >
> >
> > if (Cisco-AVPair) { # Cisco switch.
> >              # We have to "Accept" it to the Registration VLAN manually
> >              # (because host-mode multi-auth is currently retarded.)
> >              update reply {
> >                Tunnel-Type = VLAN
> >                Tunnel-Medium-Type = 6
> >                # CISCO broke the IETF attribute...
> >                # Tunnel-Private-Group-Id = "Registration"
> >                # ... so use their proprietary method to get it in there.
> >                # NOTE: This is CaSe SeNsItIvE!!
> >                Cisco-AVPair += "tunnel-private-group-id=Registration"
> >              }
> >
> >This is of course extremely case-sensitive.  It also uses the vlan names,
> >not the numbers, though
> >you can use the automatically generated names just fine.
> >
> >Be warned the 3550s are old EOL switches and their latest software
> >version (the one that is only
> >supposed to be used for the 24 port switch but works on the 48 port one)
> >is still not current enough
> >to pick up the latest bugfixes to multi-auth mode.  Not that multi-auth
> >mode works sensibly in the
> >newest firmware either, but at least it has workarounds.
> >
> >(BTW, even I am starting to pull these 3550s from the net, and I tend to
> >try to bleed devices for every
> >minute they can manage to hack it.  Right now the only ones I have out
> >there are essentially
> >serving as lightning rods for this summer's thunder storms, and then
> >will be replaced by new
> >switches after that.)
> >
> >Typical switch port configuration (this is not from a 3550, sorry):
> >
> >
> >interface FastEthernet0/24
> > switchport access vlan XXX
> > switchport mode access
> > switchport block unicast
> > switchport port-security maximum 16
> > switchport port-security
> > switchport port-security aging time 240
> > switchport port-security violation restrict
> > switchport port-security aging type inactivity
> > ip arp inspection limit rate 100
> > authentication control-direction in
> > authentication event fail action authorize vlan YYY
> > authentication event server dead action authorize vlan XXX
> > authentication event no-response action authorize vlan XXX
> > authentication event server alive action reinitialize
> > authentication host-mode multi-auth
> > authentication order mab
> > authentication priority mab
> > authentication port-control auto
> > authentication periodic
> > authentication timer reauthenticate 1300
> > authentication timer inactivity 1200
> > authentication violation restrict
> > mab
> > no lldp transmit
> > no lldp receive
> > no cdp enable
> > no cdp tlv server-location
> > no cdp tlv app
> > spanning-tree portfast
> > spanning-tree bpduguard enable
> > ip verify source port-security
> > ip dhcp snooping limit rate 50
> >end
> >
> >
> >XXX and YYY above are actually decimals.
> >
> >Note that the auth-fail VLAN setting is not actually used, because in
> >order to get multi-auth to behave
> >sensibly (so you can handle VMs) you have to actually succeed every
> >authentication and just send
> >the quarantine VLAN from RADIUS when you want the user locked out.
> >-
> >List info/subscribe/unsubscribe? See
> >http://www.freeradius.org/list/users.html
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 25 Apr 2012 18:13:22 +0100
> From: alan buxey <A.L.M.Buxey at lboro.ac.uk>
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Subject: Re: Assign VLAN from freeradius to Cisco 3550 switch.
> Message-ID: <20120425171322.GB9623 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> > Thanks for your reply, where do I exactly need to put this configuration?
> > In the users file?
>
> I can tell you right now that you don't need that hack to assign VLANs on
> Cisco switches (well, not if you are running reasonably up-to-date firmware
> on the Cisco devices anyway - i.e. something less than 2 years old)
>
> We run an enterprise network of > 1500 Cisco switches, most of them using
> FreeRADIUS as the AAA server in 802.1X mode (others still have VMPS - with
> FreeRADIUS of course). We certainly don't have that kind of configuration
> for VLAN assignment. Straight simple reply values are all that are needed.
> As already said, the issue looks like it's your Cisco config - and the Cisco
> guides tell you exactly how to configure the Cisco switches; it's not a
> FreeRADIUS question.
>
> alan
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 25 Apr 2012 16:49:29 -0300
> From: Martin Silvero <silvero.martin at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: Cisco WLC - Freeradius Vlan assignment problem
> Message-ID:
>        <CALmvTSSRrfx9eyOoXxcwYjtxF6oEKHS8MNtewGBONG_wxP9cTQ at mail.gmail.com
> >
> Content-Type: text/plain; charset="iso-8859-1"
>
> We are modifying the wireless access to our LAN.
> We are trying to use a Cisco WLC and our FreeRADIUS. We've been using this
> same FreeRADIUS for authenticating users against the corporate LDAP. Now
> we want the WLC to talk to the RADIUS server without losing any functionality
> like user authentication or VLAN assignment.
>
> Our main problem is that the VLAN assignment is not working when we use the
> WLC. The scenario with the APs talking to the RADIUS server directly works
> fine, but when we use lightweight APs and the WLC we can see that the VLAN
> assignment part is skipped by the authentication process and all the users
> are sent to the same VLAN.
>
> The following is the output of the two cases. One of them is a user
> authenticating without WLC, the AP talks directly to the Radius Server, and
> the other is an authentication where WLC talks to the Radius Server (the
> one that is not working)
>
> - 10.32.2.81 is the WLC IP address.
>
> - 10.32.2.39 is the AP IP address.
>
> WLC Soft Version: 7.0.116.0
>
> These are the  outputs:
>
> 1) AP - RADIUS (No WLC)
>
> *****************************************************
> rad_recv: Access-Request packet from host 10.32.2.39 port 1645, id=205,
> length=184
>        User-Name = "fcanales"
>        Framed-MTU = 1400
>        Called-Station-Id = "001d.4551.7da0"
>        Calling-Station-Id = "5894.6b0d.e86c"
>        Service-Type = Login-User
>        Message-Authenticator = 0x46192e9a5e4720bd6c721e03d8e6c3b4
>        EAP-Message =
>
> 0x0208002b19001703010020f7e5545e9d9e05ecff5f8be2d1bc992eeddba82eb4adef509bded9dd6c132712
>        NAS-Port-Type = Wireless-802.11
>        NAS-Port = 59460
>        State = 0xf4160a33f11e13898255a02243c509d6
>        NAS-IP-Address = 10.32.2.39
>        NAS-Identifier = "ap-Reco32"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "fcanales", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 8 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Identity - fcanales
> [peap] Got tunneled request
>        EAP-Message = 0x0208000d016663616e616c6573
> server  {
>  PEAP: Got tunneled identity of fcanales
>  PEAP: Setting default EAP type for tunneled EAP session.
>  PEAP: Setting User-Name to fcanales
> Sending tunneled request
>        EAP-Message = 0x0208000d016663616e616c6573
>        FreeRADIUS-Proxied-To = 127.0.0.1
>        User-Name = "fcanales"
>        Framed-MTU = 1400
>        Called-Station-Id = "001d.4551.7da0"
>        Calling-Station-Id = "5894.6b0d.e86c"
>        Service-Type = Login-User
>        NAS-Port-Type = Wireless-802.11
>        NAS-Port = 59460
>        NAS-IP-Address = 10.32.2.39
>        NAS-Identifier = "ap-Reco32"
> server inner-tunnel {
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++? if (!Huntgroup-Name)
> ? Evaluating !(Huntgroup-Name) -> FALSE
> ++? if (!Huntgroup-Name) -> FALSE
> ++? if (Huntgroup-Name == "list")
> ? Evaluating (Huntgroup-Name == "list") -> TRUE
> ++? if (Huntgroup-Name == "list") -> TRUE
> ++- entering if (Huntgroup-Name == "list") {...}
> +++? if (Ldap-Group == "WIFI-Direccion")
> rlm_ldap: Entering ldap_groupcmp()
>        expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
>        expand: (uid=%u) -> (uid=fcanales)
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (uid=fcanales)
> rlm_ldap: ldap_release_conn: Release Id: 0
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> details
>        expand:
> (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
> -> (&(objectClass=posixGroup)(memberUid=fcanales))
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (&(cn=WIFI-Direccion)(&(objectClass=posixGroup)(memberUid=fcanales)))
> rlm_ldap: object not found
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group WIFI-Direccion not found or user is not a
> member.
> +++? if (Ldap-Group == "WIFI-MKTyCC")
> rlm_ldap: Entering ldap_groupcmp()
>        expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
>
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> details
>        expand:
> (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
> -> (&(objectClass=posixGroup)(memberUid=fcanales))
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (&(cn=WIFI-Finanzas)(&(objectClass=posixGroup)(memberUid=fcanales)))
> rlm_ldap: object not found
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group WIFI-Finanzas not found or user is not a
> member.
> +++? if (Ldap-Group == "WIFI-TyO")
> rlm_ldap: Entering ldap_groupcmp()
>        expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> details
>        expand:
> (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
> -> (&(objectClass=posixGroup)(memberUid=fcanales))
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (&(cn=WIFI-TyO)(&(objectClass=posixGroup)(memberUid=fcanales)))
> rlm_ldap::ldap_groupcmp: User found in group WIFI-TyO
> rlm_ldap: ldap_release_conn: Release Id: 0
> ? Evaluating (Ldap-Group == "WIFI-TyO") -> TRUE
> +++? if (Ldap-Group == "WIFI-TyO") -> TRUE
> +++- entering if (Ldap-Group == "WIFI-TyO") {...}
> ++++[reply] returns ok
> +++- if (Ldap-Group == "WIFI-TyO") returns ok
> +++? if (Ldap-Group == "WIFI-ITfuncional")
> rlm_ldap: Entering ldap_groupcmp()
>        expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> details
>        expand:
> (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
> -> (&(objectClass=posixGroup)(memberUid=fcanales))
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (&(cn=WIFI-Monit)(&(objectClass=posixGroup)(memberUid=fcanales)))
> rlm_ldap: object not found
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group WIFI-Monit not found or user is not a
> member.
> ++- if (Huntgroup-Name == "list") returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns updated
> [suffix] No '@' in User-Name = "fcanales", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 8 length 13
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for fcanales
> [ldap]  expand: (uid=%u) -> (uid=fcanales)
> [ldap]  expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (uid=fcanales)
> [ldap] looking for check items in directory...
> rlm_ldap: sambaNtPassword -> NT-Password ==
> 0x3441313536383141373845384430414446424135364139373343343736374646
> rlm_ldap: sambaLmPassword -> LM-Password ==
> 0x4446323634314431373041414432333739433530313441453437313841374545
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that the
> user is configured correctly?
> [ldap] user fcanales authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Normalizing NT-Password from hex encoding
> [pap] Normalizing LM-Password from hex encoding
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Issuing Challenge
> ++[eap] returns handled
> } # server inner-tunnel
> [peap] Got tunneled reply code 11
>        Tunnel-Type:0 = VLAN
>        Tunnel-Medium-Type:0 = IEEE-802
>        Tunnel-Private-Group-Id:0 = "212"
>        EAP-Message =
> 0x010900221a0109001d108279970f23460b83f1fffcc6e09626c56663616e616c6573
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x158baf111582b5a1fb3a126781117cd4
> [peap] Got tunneled reply RADIUS code 11
>        Tunnel-Type:0 = VLAN
>        Tunnel-Medium-Type:0 = IEEE-802
>        Tunnel-Private-Group-Id:0 = "212"
>        EAP-Message =
> 0x010900221a0109001d108279970f23460b83f1fffcc6e09626c56663616e616c6573
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x158baf111582b5a1fb3a126781117cd4
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 205 to 10.32.2.39 port 1645
>        EAP-Message =
>
> 0x0109004b19001703010040640c0cb308474b42ecc083db0b3f47c66731a31c01801dde9b162f50d5bde13456412ab71e4d7d0e743b50cc42e91bba22dabeb375116f48b625e9691a3d3932
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0xf4160a33f21f13898255a02243c509d6
> Finished request 38.
>
> *****************************************************
>
>
>
>
> 2) WLC - RADIUS
>
> *****************************************************
>
> rad_recv: Access-Request packet from host 10.32.2.81 port 32768, id=119,
> length=280
>        User-Name = "fcanales"
>        Calling-Station-Id = "58-94-6b-0d-e8-6c"
>        Called-Station-Id = "30-37-a6-4b-9f-90:IReconquista"
>        NAS-Port = 1
>        Cisco-AVPair = "audit-session-id=0a2002510000000f4eaaf051"
>        NAS-IP-Address = 10.32.2.81
>        NAS-Identifier = "Iplan_wcs"
>        Airespace-Wlan-Id = 1
>        Service-Type = Framed-User
>        Framed-MTU = 1300
>        NAS-Port-Type = Wireless-802.11
>        Tunnel-Type:0 = VLAN
>        Tunnel-Medium-Type:0 = IEEE-802
>        Tunnel-Private-Group-Id:0 = "60"
>        EAP-Message =
>
> 0x0208002b190017030100200c857843d879e361aad79c8a2dccee6de8b04225d90b753a81b636a8090f0193
>        State = 0xcb0bb3aace03aab2864a9aacb255d323
>        Message-Authenticator = 0x62ca91e9e88fbba794e6e51db7aa67ec
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "fcanales", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 8 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Identity - fcanales
> [peap] Got tunneled request
>        EAP-Message = 0x0208000d016663616e616c6573
> server  {
>  PEAP: Got tunneled identity of fcanales
>  PEAP: Setting default EAP type for tunneled EAP session.
>  PEAP: Setting User-Name to fcanales
> Sending tunneled request
>        EAP-Message = 0x0208000d016663616e616c6573
>        FreeRADIUS-Proxied-To = 127.0.0.1
>        User-Name = "fcanales"
>        Calling-Station-Id = "58-94-6b-0d-e8-6c"
>        Called-Station-Id = "30-37-a6-4b-9f-90:IReconquista"
>        NAS-Port = 1
>        Cisco-AVPair = "audit-session-id=0a2002510000000f4eaaf051"
>        NAS-IP-Address = 10.32.2.81
>        NAS-Identifier = "Iplan_wcs"
>        Airespace-Wlan-Id = 1
>        Service-Type = Framed-User
>        Framed-MTU = 1300
>        NAS-Port-Type = Wireless-802.11
>        Tunnel-Type:0 = VLAN
>        Tunnel-Medium-Type:0 = IEEE-802
>        Tunnel-Private-Group-Id:0 = "60"
> server inner-tunnel {
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++? if (!Huntgroup-Name)
> ? Evaluating !(Huntgroup-Name) -> TRUE
> ++? if (!Huntgroup-Name) -> TRUE
> ++- entering if (!Huntgroup-Name) {...}
> +++[reply] returns ok
> ++- if (!Huntgroup-Name) returns ok
> ++? if (Huntgroup-Name == "list")
>    (Attribute Huntgroup-Name was not found)
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns updated
> [suffix] No '@' in User-Name = "fcanales", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 8 length 13
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for fcanales
> [ldap]  expand: (uid=%u) -> (uid=fcanales)
> [ldap]  expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
> (uid=fcanales)
> [ldap] looking for check items in directory...
> rlm_ldap: sambaNtPassword -> NT-Password ==
> 0x3441313536383141373845384430414446424135364139373343343736374646
> rlm_ldap: sambaLmPassword -> LM-Password ==
> 0x4446323634314431373041414432333739433530313441453437313841374545
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that the
> user is configured correctly?
> [ldap] user fcanales authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Normalizing NT-Password from hex encoding
> [pap] Normalizing LM-Password from hex encoding
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Issuing Challenge
> ++[eap] returns handled
> } # server inner-tunnel
> [peap] Got tunneled reply code 11
>        Tunnel-Type:0 = VLAN
>        Tunnel-Medium-Type:0 = IEEE-802
>        Tunnel-Private-Group-Id:0 = "249"
>        EAP-Message =
> 0x010900221a0109001d10cc9cc5bb2b5812cf48051342472ad3af6663616e616c6573
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0xab42e29bab4bf81ef23bc50dea94c334
> [peap] Got tunneled reply RADIUS code 11
>        Tunnel-Type:0 = VLAN
>        Tunnel-Medium-Type:0 = IEEE-802
>        Tunnel-Private-Group-Id:0 = "249"
>        EAP-Message =
> 0x010900221a0109001d10cc9cc5bb2b5812cf48051342472ad3af6663616e616c6573
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0xab42e29bab4bf81ef23bc50dea94c334
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 119 to 10.32.2.81 port 32768
>        EAP-Message =
>
> 0x0109004b1900170301004075cf3c75c7a8311c01bc5581aac330e49586ce6e0001e8add345d7773aeeacba61b235c462fe0966e565d9e6279f111bf94fa3d8a4bff8a4ce82ab24d65f9c31
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0xcb0bb3aacd02aab2864a9aacb255d323
> Finished request 48.
> Going to the next request
> Waking up in 4.9 seconds.
>
> *****************************************************
>
> Thanks for all.
>
>
> --
> --
>
> Silvero Martin
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120425/4200c3a7/attachment.html
> >
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> End of Freeradius-Users Digest, Vol 84, Issue 96
> ************************************************
>
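The two captures quoted above differ in one line that decides the outcome: `++? if (!Huntgroup-Name) -> FALSE` for the AP and `-> TRUE` for the WLC, so the `Huntgroup-Name == "list"` block that picks the VLAN from the user's Ldap-Group is skipped for the controller. The script below is an added example, not code from the thread or from the FreeRADIUS project: it parses `radiusd -X` output in the 2.x format shown in the post, groups it by Access-Request, and reports why a RADIUS-assigned VLAN would be lost. The sample is trimmed from the post's two captures plus one constructed Access-Accept (id 120, hypothetical) that exercises a check the post's captures cannot, since both of them end in an Access-Challenge.

```python
import re
from dataclasses import dataclass, field

ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+)(?::\d+)?\s*=\s*(.*)$')
RECV_RE = re.compile(r'^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)')
HUNT_RE = re.compile(r'^\+\+\? if \(!Huntgroup-Name\) -> (TRUE|FALSE)$')
SEND_RE = re.compile(r'^Sending (Access-\w+) of id \d+ to \S+ port \d+')
VLAN = 'Tunnel-Private-Group-Id'


@dataclass
class Request:
    nas_ip: str
    packet_id: int
    request: dict = field(default_factory=dict)      # outer Access-Request
    inner_reply: dict = field(default_factory=dict)  # [peap] tunneled reply
    outer_reply: dict = field(default_factory=dict)  # packet sent back to the NAS
    outer_code: str = ''
    huntgroup_matched: 'bool | None' = None          # None: condition never logged


def parse_debug(text):
    """Group a radiusd -X capture by Access-Request; indented 'Name = value' lines
    belong to whichever attribute list the last unindented line opened."""
    requests, current, section = [], None, None
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            current = Request(nas_ip=m.group(1), packet_id=int(m.group(2)))
            requests.append(current)
            section = 'request'
            continue
        if current is None:
            continue
        if line[:1].isspace():
            m = ATTR_RE.match(line)
            if m and section:
                getattr(current, section)[m.group(1)] = m.group(2).strip().strip('"')
            continue
        section = None  # any unindented line closes the attribute list
        m = HUNT_RE.match(line)
        if m:  # "!Huntgroup-Name -> TRUE" means no huntgroups entry matched this NAS
            current.huntgroup_matched = m.group(1) == 'FALSE'
        elif line.startswith('[peap] Got tunneled reply code'):
            section = 'inner_reply'
        elif SEND_RE.match(line):
            current.outer_code = SEND_RE.match(line).group(1)
            section = 'outer_reply'
        elif line.startswith('Finished request'):
            current = None
    return requests


def diagnose(req):
    """Reasons, if any, why this request would not deliver the expected VLAN."""
    nas = f"{req.nas_ip} ({req.request.get('NAS-Identifier', '?')})"
    findings = []
    if req.huntgroup_matched is False:
        findings.append(f"{nas}: no huntgroup matched, so the Huntgroup-Name == "
                        f"\"list\" branch that picks the VLAN by Ldap-Group never ran")
    if VLAN in req.request:
        findings.append(f"{nas}: NAS sent {VLAN}={req.request[VLAN]} in its own request; "
                        f"if every client lands there it is ignoring the RADIUS reply")
    if req.outer_code == 'Access-Accept' and VLAN in req.inner_reply \
            and VLAN not in req.outer_reply:
        findings.append(f"{nas}: inner tunnel replied {VLAN}={req.inner_reply[VLAN]} but the "
                        f"outer Access-Accept lacks it; check use_tunneled_reply in eap.conf")
    return findings


# Trimmed excerpts of the post's two captures (id 205 via the AP, id 119 via the
# WLC) plus a constructed Access-Accept (id 120) to exercise the last check.
SAMPLE = '''\
rad_recv: Access-Request packet from host 10.32.2.39 port 1645, id=205, length=184
        NAS-IP-Address = 10.32.2.39
        NAS-Identifier = "ap-Reco32"
++? if (!Huntgroup-Name) -> FALSE
[peap] Got tunneled reply code 11
        Tunnel-Private-Group-Id:0 = "212"
Sending Access-Challenge of id 205 to 10.32.2.39 port 1645
        State = 0xf4160a33f21f13898255a02243c509d6
Finished request 38.
rad_recv: Access-Request packet from host 10.32.2.81 port 32768, id=119, length=280
        NAS-IP-Address = 10.32.2.81
        NAS-Identifier = "Iplan_wcs"
        Tunnel-Private-Group-Id:0 = "60"
++? if (!Huntgroup-Name) -> TRUE
   (Attribute Huntgroup-Name was not found)
[peap] Got tunneled reply code 11
        Tunnel-Private-Group-Id:0 = "249"
Sending Access-Challenge of id 119 to 10.32.2.81 port 32768
        State = 0xcb0bb3aacd02aab2864a9aacb255d323
Finished request 48.
rad_recv: Access-Request packet from host 10.32.2.81 port 32768, id=120, length=200
        NAS-IP-Address = 10.32.2.81
        NAS-Identifier = "Iplan_wcs"
++? if (!Huntgroup-Name) -> FALSE
[peap] Got tunneled reply code 2
        Tunnel-Private-Group-Id:0 = "249"
Sending Access-Accept of id 120 to 10.32.2.81 port 32768
        User-Name = "fcanales"
Finished request 49.
'''

if __name__ == '__main__':
    for req in parse_debug(SAMPLE):
        print(req.packet_id, diagnose(req) or ['ok'])
```

Run it against a full `radiusd -X` transcript (one line per attribute, as the server prints it before mail clients wrap it) and look at the requests that come back with findings. Two general points that are not from the thread but matter on this kind of setup: in FreeRADIUS 2.x the inner-tunnel reply attributes only reach the outer Access-Accept when `use_tunneled_reply = yes` is set in the `peap` section of eap.conf, and a Cisco WLC only applies a RADIUS-supplied VLAN when "Allow AAA Override" is enabled on the WLAN.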

