Retrieve 'Aruba-Location-Id' from RAD_REQUEST

Wang, Yu ywang10 at fsu.edu
Thu Apr 25 19:48:35 CEST 2013


Alan,

Here is the perl_dot1x.pl (a modified version of rlm_perl script). 

============================start of perl_dot1x.pl=================================
use strict;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use vars qw($hash_chksum_username $chksum_username @rad_array);
use vars qw($ldap $mesg);
use Data::Dumper;

# VLAN name for each employee bucket; the bucket is the user-name checksum
# taken modulo $fvlanum, so the keys run 0 .. 7.
my %emp_map;
@emp_map{0 .. 7} = map { "employee$_" } qw(1a 2a 3a 4a 1b 2b 3b 4b);

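sub authorize {
        # Assign the user to a VLAN derived from a checksum of the stripped
        # user name, so the same user always lands in the same VLAN.
        # Students are spread over $svlanum VLANs named "studentNN";
        # employees (My-Local-employeeStatus set in the reply) over the
        # $fvlanum VLANs named in %emp_map.
        #
        # NOTE(review): $svlanum and $fvlanum are not declared anywhere in
        # this file (the `use vars` lists above do not include them); with
        # `use strict` in effect they must be declared elsewhere before this
        # sub can compile.
        #
        # Reads:   %RAD_REQUEST (Stripped-User-Name, Aruba-Location-Id)
        # Writes:  %RAD_REPLY (Service-Type, Tunnel-*), $chksum_username
        # Returns: RLM_MODULE_UPDATED, because %RAD_REPLY is always modified.
        my $user = $RAD_REQUEST{'Stripped-User-Name'};
        $user = '' unless defined $user;    # unpack() on undef yields 0 anyway; be explicit

        # "%32C*" folds the byte values of the name into a 32-bit checksum.
        $chksum_username = unpack("%32C*", $user);

        # These three attributes are identical in both branches.
        $RAD_REPLY{'Service-Type'}       = "Framed-User";
        $RAD_REPLY{'Tunnel-Type'}        = "VLAN";
        $RAD_REPLY{'Tunnel-Medium-Type'} = "IEEE-802";

        if ($RAD_REPLY{'My-Local-employeeStatus'}) {
                $RAD_REPLY{'Tunnel-Private-Group-Id'} = $emp_map{$chksum_username % $fvlanum};
        } else {
                # VLAN index in 1 .. $svlanum.  Every index but the last is
                # written with a leading zero ("student01" ... "student0N-1");
                # the last one is "studentN".  Numeric == rather than string eq.
                my $vlan_index = $chksum_username % $svlanum + 1;
                if ($vlan_index == $svlanum) {
                        $RAD_REPLY{'Tunnel-Private-Group-Id'} = "student" . $svlanum;
                } else {
                        $RAD_REPLY{'Tunnel-Private-Group-Id'} = "student0" . $vlan_index;
                }
        }

        # Log the AP the user associated from.  When the attribute is missing
        # or empty, say so explicitly instead of silently skipping the line,
        # so its absence is visible in the debug output.
        my $location = $RAD_REQUEST{'Aruba-Location-Id'};
        if (defined $location && length $location) {
                radiusd::radlog(3, "User $user connected from $location.");
        } else {
                radiusd::radlog(3, "User $user: Aruba-Location-Id is not present in RAD_REQUEST.");
        }

        radiusd::radlog(3, "Assign $user to VLAN $RAD_REPLY{'Tunnel-Private-Group-Id'}.");

        # Both branches change %RAD_REPLY, so UPDATED is the correct result.
        # (The trailing `return RLM_MODULE_OK;` of the earlier version was
        # unreachable and has been dropped.)
        return RLM_MODULE_UPDATED;
}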

sub authenticate {
        # Reject any user whose User-Name starts with "baduser" (case-
        # insensitive) with an explanatory Reply-Message; accept everyone
        # else and set the demo h323-credit-amount attribute.
        my $name = $RAD_REQUEST{'User-Name'};
        unless ($name =~ /^baduser/i) {
                $RAD_REPLY{'h323-credit-amount'} = "100";
                return RLM_MODULE_OK;
        }
        $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
        return RLM_MODULE_REJECT;
}

sub preacct {
    # Pre-accounting hook: nothing to do here, let the packet through.
    return RLM_MODULE_OK;
}

sub accounting {
    # Accounting hook: no local processing, report success.
    return RLM_MODULE_OK;
}

sub checksimul {
    # Simultaneous-use check hook: no session tracking is done here.
    return RLM_MODULE_OK;
}

sub pre_proxy {
    # Pre-proxy hook: the request is forwarded unchanged.
    return RLM_MODULE_OK;
}

sub post_proxy {
    # Post-proxy hook: the proxied reply is accepted unchanged.
    return RLM_MODULE_OK;
}

sub post_auth {
    # Post-authentication hook: nothing to add to the reply.
    return RLM_MODULE_OK;
}

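sub xlat {
        # Handler for %{perl:...} expansions.  The first argument is treated as
        # the path of a file whose contents become the body of main::handler;
        # that sub is then invoked and its result returned to the server.
        # On any failure (open, compile, or handler death) the error is logged
        # and an empty result is returned.
        #
        # NOTE(review): the file contents are compiled with a string eval, i.e.
        # executed as Perl inside radiusd.  $filename must therefore only ever
        # name files the server administrator controls.
        my ($filename, $arg1, $arg2, $arg3, $arg4) = @_;
        radiusd::radlog(1, "From xlat $filename ");
        radiusd::radlog(1, "From xlat $arg1 $arg2 $arg3 $arg4 ");

        # Three-argument open with an explicit read mode and a lexical handle:
        # the two-argument form would let a leading '>' or trailing '|' in
        # $filename turn the open into a truncate or a pipe.
        open my $fh, '<', $filename or die "open '$filename' $!";
        my $body = do { local $/; <$fh> };    # slurp the whole file
        close $fh or die "close '$filename' $!";

        # Flag: string eval of file contents (see the note above).
        eval qq{ sub handler { $body; } };
        if ($@) {
                radiusd::radlog(1, "xlat: failed to compile handler from '$filename': $@");
                return;
        }

        my $result = eval { main->handler; };
        if ($@) {
                radiusd::radlog(1, "xlat: handler from '$filename' died: $@");
                return;
        }
        return $result;
}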

sub detach {
        # Called when the module is unloaded or reloaded; only records the
        # event in the log.
        my $notice = "rlm_perl::Detaching. Reloading. Done.";
        radiusd::radlog(0, $notice);
}

sub test_call {
        # Placeholder hook: intentionally does nothing and returns nothing.
        return;
}

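sub log_request_attributes {
        # Dump every attribute of the current request to the debug log, one
        # line per attribute.  Keys are sorted so that consecutive dumps can
        # be compared line by line; plain hash order is arbitrary.
        for my $attr (sort keys %RAD_REQUEST) {
                radiusd::radlog(1, "RAD_REQUEST: $attr = $RAD_REQUEST{$attr}");
        }
}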
================================end of perl_dot1x.pl=============================

===================radiusd -X output for rad_recv===================================
Going to the next request
Waking up in 1.9 seconds.
rad_recv: Access-Request packet from host 128.186. port 32795, id=59, length=383
        User-Name = "xxxxxxxx"
        NAS-IP-Address = 128.186.
        NAS-Port = 0
        NAS-Identifier = "128.186. "
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "8C5877297602"
        Called-Station-Id = "000B860E2A80"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = 0x020200a619800000009c160301009701000093030151769f8025463951e084018c78c6be8732c306bd55ca10a736528363776bf21c00005800ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c004c005c002c003c00ec00fc00cc00d003d003c002f000500040035000a0067006b00356345006c010c001c00b003b0002000101000012000a00080006001700180019000b00020100
        State = 0xb82a743fb8286d6c4916635ce42c5399
        Aruba-Essid-Name = "FSUSecure"
        Aruba-Location-Id = "wg-a105-HRM.acf.fsu.edu" <<<<<<<<-------- this is the one I'd like to retrieve and log, so that when a user has an issue we know which AP they were associated with.
        Aruba-Attr-10 = 0x416c756d6e69345356e746572
        Message-Authenticator = 0xf5a21c47bfsb78e7ce49265d3d48
server virtual.dot1x_1814 {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "xxxxxxxxx", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "xxxxxxxxxx"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 166
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 156
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0097], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0fb2], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server virtual.dot1x_1814
Sending Access-Challenge of id 59 to 128.186.255.233 port 32795
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 0x0302060a2b0601040182370a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb82a743fb9296d6c4916635ce42c5399
Finished request 5.
Going to the next request
Waking up in 1.9 seconds.
rad_recv: Access-Request packet from host 128.186   port 32794, id=248, length=204
        User-Name = "yyyyyyyyyyyy"
        NAS-IP-Address = 128.186.
        NAS-Port = 0
        NAS-Identifier = "128.186. "
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "20C9D0E93581"
        Called-Station-Id = "000B8611D5C0"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = 0x0201000b016a6a77313066
        Aruba-Essid-Name = "FSUSecure"
        Aruba-Location-Id = "Wg-a125-Rm.law.fsu.edu"  <<<<<<<<-------- this is the one I'd like to retrieve and log.
        Aruba-Attr-10 = 0x4c61772d5363686f6f6c
        Message-Authenticator = 0x19062b2793784f2c83144cb1514e858
server virtual.dot1x_1814 {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "yyyyyyyyyy", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "yyyyyyyyyy"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 1 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 8
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
} # server virtual.dot1x_1814
Sending Access-Challenge of id 248 to 128.186.255.231 port 32794
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x370e1a38370c03508cd2263659f4660a
Finished request 6.
Going to the next request
Waking up in 1.9 seconds.
===================end of radiusd -X=============================================

Please let me know if the above contains the information you would like to see. Thanks,

Yu Wang


-----Original Message-----
From: freeradius-users-bounces+ywang10=fsu.edu at lists.freeradius.org [mailto:freeradius-users-bounces+ywang10=fsu.edu at lists.freeradius.org] On Behalf Of A.L.M.Buxey at lboro.ac.uk
Sent: Thursday, April 25, 2013 12:51 PM
To: FreeRadius users mailing list
Subject: Re: Retrieve 'Aruba-Location-Id' from RAD_REQUEST

Hi,

>    I am trying to retrieve 'Aruba-Location-Id' from RAD_REQUEST forwarded
>    from Aruba wireless controllers. From radiusd -X output, I can see
>    `Aruba-Location-Id' contains wireless AP id value. But when I call it from
>    rlm_perl using $RAD_REQUEST{'Aruba-Location-Id'}, I got blank result. The
>    `Aruba-Location-Id' is in share/dictionary.aruba:

copy of your PERL and/or radiusd -X output please


alan



