problem with multiple ldap

Prateek Kumar er.prateek87 at gmail.com
Sat Jul 7 15:40:49 CEST 2012


Hi,
      I have configured freeradius to select ldap modules according to
NAS-IP-Address so that only clients (using PEAP/MSCHAPv2) associating to a
particular AP get authenticated. For that I made the following changes:

1. modules/ldap file
--------------------------
ldap HR {
        basedn = "ou=HR,dc=prateek,dc=com"
        ...
}

ldap dev {
        basedn = "ou=dev,dc=prateek,dc=com"
        ...
}

2. In ldap.attrmap
-------------------
checkItem       Cleartext-Password              userPassword :=

3. In both sites-available/default & sites-available/inner-tunnel
--------------------------------------

a. in authorize section

if (NAS-IP-Address == 127.0.0.1) {
   HR
}
else {
   dev
}

b. in authenticate section have uncommented
Auth-Type MS-CHAP {
        mschap
}


Now when I use eapol_test to test I get Success. It first checks HR, which
returns "search failed" as there is no user in ou=HR, but when freeradius
processes the inner-tunnel I get the message

++? if (NAS-IP-Address == 127.0.0.1)
    (Attribute NAS-IP-Address was not found)
++- entering else else {...}

And after that user "dave" is getting authenticated who should not get
authenticated.

I want to know why it didn't get NAS-IP-Address.

Is there something I have missed?

Regards,
Prateek

radiusd -X (deleting some EAP messages)

rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=0,
length=116
        User-Name = "dave"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020000090164617665
        Message-Authenticator = 0x1eb24decc31fcd482762d37920cb6f5d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dave", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++? if (NAS-IP-Address == 127.0.0.1)
? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE
++? if (NAS-IP-Address == 127.0.0.1) -> TRUE
++- entering if (NAS-IP-Address == 127.0.0.1) {...}
[HR] performing user authorization for dave
[HR] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[HR]    expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)
[HR]    expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=prateek,dc=com/mypass to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter
(uid=dave)
rlm_ldap: object not found
[HR] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
+++[HR] returns notfound
++- if (NAS-IP-Address == 127.0.0.1) returns notfound
++ ... skipping else for request 0: Preceding "if" was taken
[eap] EAP packet type response id 0 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 46032
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa098c2e9a099cf6a77937551a6a21d9f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=1,
length=131
        User-Name = "dave"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020100060319
        State = 0xa098c2e9a099cf6a77937551a6a21d9f
        Message-Authenticator = 0xb0f144be9973b7716b25f5b7a09ffd9c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dave", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++? if (NAS-IP-Address == 127.0.0.1)
? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE
++? if (NAS-IP-Address == 127.0.0.1) -> TRUE
++- entering if (NAS-IP-Address == 127.0.0.1) {...}
[HR] performing user authorization for dave
[HR] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[HR]    expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)
[HR]    expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter
(uid=dave)
rlm_ldap: object not found
[HR] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
+++[HR] returns notfound
++- if (NAS-IP-Address == 127.0.0.1) returns notfound
++ ... skipping else for request 1: Preceding "if" was taken
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 127.0.0.1 port 46032
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa098c2e9a19adb6a77937551a6a21d9f
Finished request 1.
Going to the next request
rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=2,
length=242
        User-Name = "dave"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = some long value
        State = 0xa098c2e9a19adb6a77937551a6a21d9f
        Message-Authenticator = 0xabcfe03ec5688a184e25c56589ea8e2a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dave", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++? if (NAS-IP-Address == 127.0.0.1)
? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE
++? if (NAS-IP-Address == 127.0.0.1) -> TRUE
++- entering if (NAS-IP-Address == 127.0.0.1) {...}
[HR] performing user authorization for dave
[HR] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[HR]    expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)
[HR]    expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter
(uid=dave)
rlm_ldap: object not found
[HR] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
+++[HR] returns notfound
++- if (NAS-IP-Address == 127.0.0.1) returns notfound
++ ... skipping else for request 2: Preceding "if" was taken
[eap] EAP packet type response id 2 length 117
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 107
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0066], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0035], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0870], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 127.0.0.1 port 46032
        EAP-Message = some value
        EAP-Message =  "
        EAP-Message =  "
        EAP-Message =  "
        EAP-Message = 0xb70064119cfc40adfde72ecc
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa098c2e9a29bdb6a77937551a6a21d9f
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=3,
length=131
        User-Name = "dave"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020300061900
        State = 0xa098c2e9a29bdb6a77937551a6a21d9f
        Message-Authenticator = 0xc7a295a94c264c2b101dabae43ad8557
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dave", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++? if (NAS-IP-Address == 127.0.0.1)
? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE
++? if (NAS-IP-Address == 127.0.0.1) -> TRUE
++- entering if (NAS-IP-Address == 127.0.0.1) {...}
[HR] performing user authorization for dave
[HR] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[HR]    expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)
[HR]    expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter
(uid=dave)
rlm_ldap: object not found
[HR] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
+++[HR] returns notfound
++- if (NAS-IP-Address == 127.0.0.1) returns notfound
++ ... skipping else for request 3: Preceding "if" was taken
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 127.0.0.1 port 46032
        EAP-Message =
        EAP-Message =
        EAP-Message =
        EAP-Message =
        EAP-Message = 0x30c3456c19147657
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa098c2e9a39cdb6a77937551a6a21d9f
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=4,
length=131
        User-Name = "dave"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020400061900
        State = 0xa098c2e9a39cdb6a77937551a6a21d9f
        Message-Authenticator = 0x64a3ceaa178064f424d2830f6d59ade4
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dave", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++? if (NAS-IP-Address == 127.0.0.1)
? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE
++? if (NAS-IP-Address == 127.0.0.1) -> TRUE
++- entering if (NAS-IP-Address == 127.0.0.1) {...}
[HR] performing user authorization for dave
[HR] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[HR]    expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)
[HR]    expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter
(uid=dave)
rlm_ldap: object not found
[HR] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
+++[HR] returns notfound
++- if (NAS-IP-Address == 127.0.0.1) returns notfound
++ ... skipping else for request 4: Preceding "if" was taken
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 127.0.0.1 port 46032
        EAP-Message =
        EAP-Message =
        EAP-Message =
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa098c2e9a49ddb6a77937551a6a21d9f
Finished request 4.

Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=5,
length=333
        User-Name = "dave"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message =
        State = 0xa098c2e9a49ddb6a77937551a6a21d9f
        Message-Authenticator = 0xa3cadaf5d585e4499d7e2d587f9924ae
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dave", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++? if (NAS-IP-Address == 127.0.0.1)
? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE
++? if (NAS-IP-Address == 127.0.0.1) -> TRUE
++- entering if (NAS-IP-Address == 127.0.0.1) {...}
[HR] performing user authorization for dave
[HR] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[HR]    expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)
[HR]    expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter
(uid=dave)
rlm_ldap: object not found
[HR] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
+++[HR] returns notfound
++- if (NAS-IP-Address == 127.0.0.1) returns notfound
++ ... skipping else for request 5: Preceding "if" was taken
[eap] EAP packet type response id 5 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 Handshake [length 00aa]???
[peap]     TLS_accept: SSLv3 write session ticket A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 5 to 127.0.0.1 port 46032
        EAP-Message =
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa098c2e9a59edb6a77937551a6a21d9f
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=6,
length=131
        User-Name = "dave"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020600061900
        State = 0xa098c2e9a59edb6a77937551a6a21d9f
        Message-Authenticator = 0x7aeef64b2758737cbc8720c0dafbeca6
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dave", looking up realm NULL
[suffix] No such realm "NULL"
Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message =
        State = 0xa098c2e9a69fdb6a77937551a6a21d9f
        Message-Authenticator = 0x91d0e9b22d3e6b84caf5e58aeae97b9b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dave", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++? if (NAS-IP-Address == 127.0.0.1)
? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE
++? if (NAS-IP-Address == 127.0.0.1) -> TRUE
++- entering if (NAS-IP-Address == 127.0.0.1) {...}
[HR] performing user authorization for dave
[HR] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[HR]    expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)
[HR]    expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter
(uid=dave)
rlm_ldap: object not found
[HR] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
+++[HR] returns notfound
++- if (NAS-IP-Address == 127.0.0.1) returns notfound
++ ... skipping else for request 7: Preceding "if" was taken
[eap] EAP packet type response id 7 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - dave
[peap] Got tunneled request
        EAP-Message = 0x020700090164617665
server  {
  PEAP: Got tunneled identity of dave
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to dave
Sending tunneled request
        EAP-Message = 0x020700090164617665
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "dave"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "dave", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
++? if (NAS-IP-Address == 127.0.0.1)
    (Attribute NAS-IP-Address was not found)
<-----------------------------------------------------------------
++- entering else else {...}
[dev] performing user authorization for dave
[dev] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[dev]   expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)
[dev]   expand: ou=development,dc=prateek,dc=com ->
ou=development,dc=prateek,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=prateek,dc=com/mypass to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=development,dc=prateek,dc=com, with
filter (uid=dave)
[dev] No default NMAS login sequence
[dev] looking for check items in directory...
rlm_ldap: userPassword -> Cleartext-Password := "davesecret"
[dev] looking for reply items in directory...
[dev] user dave authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[dev] returns ok
++- else else returns ok
[eap] EAP packet type response id 7 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message =
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1b9d7bc71b9561595ab9d2c73552e623
[peap] Got tunneled reply RADIUS code 11
        EAP-Message =
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1b9d7bc71b9561595ab9d2c73552e623
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 7 to 127.0.0.1 port 46032
        EAP-Message =
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa098c2e9a790db6a77937551a6a21d9f
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=8,
length=269
        User-Name = "dave"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message =
        State = 0xa098c2e9a790db6a77937551a6a21d9f
        Message-Authenticator = 0x5b313677254c02c3556f0d2067e4922d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dave", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++? if (NAS-IP-Address == 127.0.0.1)
? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE
++? if (NAS-IP-Address == 127.0.0.1) -> TRUE
++- entering if (NAS-IP-Address == 127.0.0.1) {...}
[HR] performing user authorization for dave
[HR] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[HR]    expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)
[HR]    expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter
(uid=dave)
rlm_ldap: object not found
[HR] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
+++[HR] returns notfound
++- if (NAS-IP-Address == 127.0.0.1) returns notfound
++ ... skipping else for request 8: Preceding "if" was taken
[eap] EAP packet type response id 8 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message =
server  {
  PEAP: Setting User-Name to dave
Sending tunneled request
        EAP-Message =
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "dave"
        State = 0x1b9d7bc71b9561595ab9d2c73552e623
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "dave", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
++? if (NAS-IP-Address == 127.0.0.1)
    (Attribute NAS-IP-Address was not found)
<-------------------------------------------------------------------------------------------
++- entering else else {...}
[dev] performing user authorization for dave
[dev] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[dev]   expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)
[dev]   expand: ou=development,dc=prateek,dc=com ->
ou=development,dc=prateek,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=development,dc=prateek,dc=com, with
filter (uid=dave)
[dev] No default NMAS login sequence
[dev] looking for check items in directory...
rlm_ldap: userPassword -> Cleartext-Password := "davesecret"
[dev] looking for reply items in directory...
[dev] user dave authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[dev] returns ok
++- else else returns ok
[eap] EAP packet type response id 8 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for dave with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message =
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1b9d7bc71a9461595ab9d2c73552e623
[peap] Got tunneled reply RADIUS code 11
        EAP-Message =
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1b9d7bc71a9461595ab9d2c73552e623
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 8 to 127.0.0.1 port 46032
        EAP-Message =
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa098c2e9a891db6a77937551a6a21d9f
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=9,
length=205
        User-Name = "dave"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message =
        Message-Authenticator = 0x1e2153de29daf702780bb061ae5a1281
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dave", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++? if (NAS-IP-Address == 127.0.0.1)
? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE
++? if (NAS-IP-Address == 127.0.0.1) -> TRUE
++- entering if (NAS-IP-Address == 127.0.0.1) {...}
[HR] performing user authorization for dave
[HR] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[HR]    expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)
[HR]    expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter
(uid=dave)
rlm_ldap: object not found
[HR] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
+++[HR] returns notfound
++- if (NAS-IP-Address == 127.0.0.1) returns notfound
++ ... skipping else for request 9: Preceding "if" was taken
[eap] EAP packet type response id 9 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020900061a03
server  {
  PEAP: Setting User-Name to dave
Sending tunneled request
        EAP-Message = 0x020900061a03
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "dave"
        State = 0x1b9d7bc71a9461595ab9d2c73552e623
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "dave", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
++? if (NAS-IP-Address == 127.0.0.1)
    (Attribute NAS-IP-Address was not found)
<-----------------------------------------------------------------------------------------------------
++- entering else else {...}
[dev] performing user authorization for dave
[dev] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[dev]   expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)
[dev]   expand: ou=development,dc=prateek,dc=com -> ou=development,dc=prateek,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=development,dc=prateek,dc=com, with filter (uid=dave)
[dev] No default NMAS login sequence
[dev] looking for check items in directory...
rlm_ldap: userPassword -> Cleartext-Password := "davesecret"
[dev] looking for reply items in directory...
[dev] user dave authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[dev] returns ok
++- else else returns ok
[eap] EAP packet type response id 9 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "dave"
[peap] Got tunneled reply RADIUS code 2
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "dave"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 9 to 127.0.0.1 port 46032
        EAP-Message =
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa098c2e9a992db6a77937551a6a21d9f
Finished request 9
rad_recv: Access-Request packet from host 127.0.0.1 port 46032, id=10, length=221
        User-Name = "dave"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message =
        Message-Authenticator = 0x8ab3c117c8c59031dd6294781bd2de68
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dave", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++? if (NAS-IP-Address == 127.0.0.1)
? Evaluating (NAS-IP-Address == 127.0.0.1) -> TRUE
++? if (NAS-IP-Address == 127.0.0.1) -> TRUE
++- entering if (NAS-IP-Address == 127.0.0.1) {...}
[HR] performing user authorization for dave
[HR] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[HR]    expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=dave)
[HR]    expand: ou=HR,dc=prateek,dc=com -> ou=HR,dc=prateek,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=HR,dc=prateek,dc=com, with filter (uid=dave)
rlm_ldap: object not found
[HR] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
+++[HR] returns notfound
++- if (NAS-IP-Address == 127.0.0.1) returns notfound
++ ... skipping else for request 10: Preceding "if" was taken
[eap] EAP packet type response id 10 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 10 to 127.0.0.1 port 46032
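The debug output above shows why the inner check never sees the attribute: the "Sending tunneled request" block lists only EAP-Message, FreeRADIUS-Proxied-To, User-Name and State, because PEAP builds a fresh request for the inner-tunnel virtual server and does not copy the outer NAS-IP-Address into it. With the poster's `if ... else { dev }` layout, a missing attribute makes the condition false, the `else` branch runs, and the user is looked up in the wrong OU, so the configuration fails open. The following inner-tunnel authorize fragment is an added example, not the poster's configuration or anything shipped with FreeRADIUS; it assumes the two `ldap` instances `HR` and `dev` from the post, keeps 127.0.0.1 as the HR access point and uses 192.0.2.10 as a hypothetical dev access point. It references the outer request explicitly with the `outer.request:` list prefix and rejects whenever the user is not found in the OU that belongs to the NAS, or when the NAS is not known at all.

```unlang
# sites-available/inner-tunnel (added example, not the original post's config).
# Assumes ldap instances "HR" and "dev" as defined in modules/ldap, an HR AP
# at 127.0.0.1 (from the post) and a dev AP at 192.0.2.10 (hypothetical).
authorize {
    chap
    mschap
    suffix

    # The tunneled request only carries User-Name, EAP-Message, State and
    # FreeRADIUS-Proxied-To, so a bare NAS-IP-Address is always "not found"
    # here. Look at the outer request instead.
    if (outer.request:NAS-IP-Address == 127.0.0.1) {
        HR
        # User is not in ou=HR: refuse, do not fall through to another OU.
        if (notfound) {
            reject
        }
    }
    elsif (outer.request:NAS-IP-Address == 192.0.2.10) {
        dev
        if (notfound) {
            reject
        }
    }
    else {
        # Unknown NAS: fail closed rather than defaulting to "dev".
        reject
    }

    eap {
        ok = return
    }
    expiration
    logintime
    pap
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
```

The same fix applies to sites-available/default, where the `else { dev }` branch should likewise become an explicit `reject` for unknown clients. An alternative to the `outer.request:` prefix is to set `copy_request_to_tunnel = yes` in the `peap {}` section of eap.conf, which copies the outer attributes (NAS-IP-Address included) into the tunneled request so the unqualified condition from the post then evaluates; the explicit prefix is preferable because it documents in the policy where the attribute comes from. Note also that NAS-IP-Address is set by the NAS itself; if the goal is to tie authorization to a specific access point, the source address of the packet (`Packet-Src-IP-Address`) or the client entry it matched (`%{client:shortname}`) is the value actually tied to the client's shared secret.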