FR 3.0 with eDir

Hubert Kupper kupper at uni-landau.de
Tue Dec 17 13:38:08 CET 2013


On 17.12.2013 12:22, Arran Cudbard-Bell wrote:
>> I know. But the password is ok and works with OpenSuse 12.3 and FR 2.x
>> The response seems to be triggered by a mismatch of FR and OpenSuse 13.1 and eDir.
> If you get packet captures of each then we can do a comparison and figure out what
> changes.
>
> -Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
>
Here is a part of the result from radiusd -X. Do you want a Wireshark capture too?


Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests
rad_recv: Access-Request packet from host 192.168.200.6 port 32770, id=87, length=215
         User-Name = 'foo'
         Calling-Station-Id = '84-4b-f5-39-8a-f8'
         Called-Station-Id = 'd8-24-bd-2e-4c-c0:test'
         NAS-Port = 1
         Cisco-AVPair = 'audit-session-id=8b0ec806000400e552b040e3'
         NAS-IP-Address = 192.168.200.6
         NAS-Identifier = 'xxx'
         Airespace-Wlan-Id = 5
         Service-Type = Framed-User
         Framed-MTU = 1300
         NAS-Port-Type = Wireless-802.11
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 = '150'
         EAP-Message = 0x0202000a0170726f6265
         Message-Authenticator = 0x918dcc4fcbdefa81607d26e56be961ad
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)   filter_username filter_username {
(0)    ? if (!User-Name)
(0)    ? if (!User-Name)  -> FALSE
(0)    ? if (User-Name != "%{tolower:%{User-Name}}")
(0)     expand: "%{tolower:%{User-Name}}" -> 'foo'
(0)    ? if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(0)    ? if (User-Name =~ / /)
(0)    ? if (User-Name =~ / /)  -> FALSE
(0)    ? if (User-Name =~ /@.*@/ )
(0)    ? if (User-Name =~ /@.*@/ )  -> FALSE
(0)    ? if (User-Name =~ /\\.\\./ )
(0)    ? if (User-Name =~ /\\.\\./ )  -> FALSE
(0)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(0)    ? if (User-Name =~ /\\.$/)
(0)    ? if (User-Name =~ /\\.$/)   -> FALSE
(0)    ? if (User-Name =~ /@\\./)
(0)    ? if (User-Name =~ /@\\./)   -> FALSE
(0)   } # filter_username filter_username = notfound
(0)   [preprocess] = ok
(0)   [mschap] = noop
(0) suffix : No '@' in User-Name = "foo", looking up realm NULL
(0) suffix : Found realm "NULL"
(0) suffix : Adding Stripped-User-Name = "foo"
(0) suffix : Adding Realm = "NULL"
(0) suffix : Authentication realm is LOCAL
(0)   [suffix] = ok
(0) eap : EAP packet type response id 2 length 10
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)   [eap] = ok
(0)  } #  authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   authenticate {
(0) eap : Peer sent Identity (1)
(0) eap : Calling eap_md5 to process EAP data
rlm_eap_md5: Issuing Challenge
(0) eap : New EAP session, adding 'State' attribute to reply 0x2813582828105cdd
(0)   [eap] = handled
(0)  } #  authenticate = handled
Sending Access-Challenge of id 87 from 192.168.1.56 port 1812 to 192.168.200.6 port 32770
         EAP-Message = 0x0103001604109fd6f971b8b39a9e70ac72f7924821d6
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x2813582828105cdd2c29910179c66dfc
(0) Finished request 0.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 192.168.200.6 port 32770, id=88, length=229
         User-Name = 'foo'
         Calling-Station-Id = '84-4b-f5-39-8a-f8'
         Called-Station-Id = 'd8-24-bd-2e-4c-c0:test'
         NAS-Port = 1
         Cisco-AVPair = 'audit-session-id=8b0ec806000400e552b040e3'
         NAS-IP-Address = 192.168.200.6
         NAS-Identifier = 'xxx'
         Airespace-Wlan-Id = 5
         Service-Type = Framed-User
         Framed-MTU = 1300
         NAS-Port-Type = Wireless-802.11
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 = '150'
         EAP-Message = 0x020300060319
         State = 0x2813582828105cdd2c29910179c66dfc
         Message-Authenticator = 0x3225e79c9679af40be71f2f6c951c86a
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1)   filter_username filter_username {
(1)    ? if (!User-Name)
(1)    ? if (!User-Name)  -> FALSE
(1)    ? if (User-Name != "%{tolower:%{User-Name}}")
(1)     expand: "%{tolower:%{User-Name}}" -> 'foo'
(1)    ? if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(1)    ? if (User-Name =~ / /)
(1)    ? if (User-Name =~ / /)  -> FALSE
(1)    ? if (User-Name =~ /@.*@/ )
(1)    ? if (User-Name =~ /@.*@/ )  -> FALSE
(1)    ? if (User-Name =~ /\\.\\./ )
(1)    ? if (User-Name =~ /\\.\\./ )  -> FALSE
(1)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(1)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(1)    ? if (User-Name =~ /\\.$/)
(1)    ? if (User-Name =~ /\\.$/)   -> FALSE
(1)    ? if (User-Name =~ /@\\./)
(1)    ? if (User-Name =~ /@\\./)   -> FALSE
(1)   } # filter_username filter_username = notfound
(1)   [preprocess] = ok
(1)   [mschap] = noop
(1) suffix : No '@' in User-Name = "foo", looking up realm NULL
(1) suffix : Found realm "NULL"
(1) suffix : Adding Stripped-User-Name = "foo"
(1) suffix : Adding Realm = "NULL"
(1) suffix : Authentication realm is LOCAL
(1)   [suffix] = ok
(1) eap : EAP packet type response id 3 length 6
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1)   [eap] = updated
(1)   [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(1) ldap :      expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=foo)'
(1) ldap :      expand: "o=org" -> 'o=org'
(1) ldap : Performing search in 'o=org' with filter '(cn=foo)'
(1) ldap : Waiting for search result...
(1) ldap : User object found at DN "cn=foo,ou=test,o=org"
(1) ERROR: ldap : Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error
rlm_ldap (ldap): Released connection (0)
rlm_ldap (ldap): Opening additional connection (1)
rlm_ldap (ldap): Connecting to 192.168.1.35:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1)   [ldap] = fail
(1)  } #  authorize = fail
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)  Post-Auth-Type REJECT {
(1) attr_filter.access_reject :         expand: "%{User-Name}" -> 'foo'
(1) attr_filter.access_reject : Matched entry DEFAULT at line 11
(1)   [attr_filter.access_reject] = updated
(1) ldap :      expand: "." -> '.'
(1) ldap :      expand: "Authenticated at %S" -> 'Authenticated at 2013-12-17 13:22:30'
rlm_ldap (ldap): Reserved connection (1)
(1) ldap : Using user DN from request "cn=foo,ou=test,o=org"
(1) ldap : Modifying object with DN "cn=foo,ou=test,o=org"
(1) ldap : Waiting for modify result...
rlm_ldap (ldap): Released connection (1)
(1)   [ldap] = reject
(1)  } # Post-Auth-Type REJECT = reject
(1) Finished request 1.
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(1) Sending delayed reject
Sending Access-Reject of id 88 from 192.168.1.56 port 1812 to 192.168.200.6 port 32770
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 87 with timestamp +28
Waking up in 1.0 seconds.
(1) Cleaning up request packet ID 88 with timestamp +28
Ready to process requests
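When reading a long radiusd -X transcript like the one above, the useful facts are buried: which packet each request number belongs to, what every module returned, where the first failing return code appeared, which ERROR line explains it, and what reply was finally sent. The following is an added example, not code from the original post or from the FreeRADIUS project; it is a small parser for the FreeRADIUS 3.0 debug format seen above. The sample transcript it runs on is a constructed, shortened excerpt modelled on the post (same request ids, module results and eDirectory error), and the line patterns it matches are assumptions drawn from that output, not an official log grammar.

```python
import re

# Constructed excerpt of radiusd -X output, modelled on the post above (not a live capture).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.200.6 port 32770, id=87, length=215
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   [preprocess] = ok
(0)   [mschap] = noop
(0)   [suffix] = ok
(0)   [eap] = ok
(0)  } #  authorize = ok
(0)   [eap] = handled
(0)  } #  authenticate = handled
Sending Access-Challenge of id 87 from 192.168.1.56 port 1812 to 192.168.200.6 port 32770
(0) Finished request 0.
rad_recv: Access-Request packet from host 192.168.200.6 port 32770, id=88, length=229
(1)   [preprocess] = ok
(1)   [eap] = updated
(1)   [files] = noop
(1) ldap : User object found at DN "cn=foo,ou=test,o=org"
(1) ERROR: ldap : Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error
(1)   [ldap] = fail
(1)  } #  authorize = fail
(1) Using Post-Auth-Type Reject
(1)   [attr_filter.access_reject] = updated
(1)   [ldap] = reject
(1)  } # Post-Auth-Type REJECT = reject
Sending Access-Reject of id 88 from 192.168.1.56 port 1812 to 192.168.200.6 port 32770
(1) Finished request 1.
"""

# Line shapes observed in the FreeRADIUS 3.0 debug output above (assumed, not an official grammar).
RECV_RE = re.compile(r'^rad_recv: Access-Request packet from host (\S+) port \d+,\s*id=(\d+)')
SEND_RE = re.compile(r'^Sending (Access-\w+) of id (\d+) ')
REQ_RE = re.compile(r'^\((\d+)\)')
MODULE_RE = re.compile(r'^\((\d+)\)\s+\[([\w.]+)\]\s+=\s+(\w+)\s*$')
SECTION_RE = re.compile(r'^\((\d+)\)\s+\}\s+#\s+([\w\- ]+?)\s+=\s+(\w+)\s*$')
ERROR_RE = re.compile(r'^\((\d+)\)\s+ERROR:\s+(\w+)\s*:\s*(.*)$')

# Module return codes that end a request with a reject (filter_username's "notfound" is benign).
FAILING = {'fail', 'reject', 'invalid', 'userlock'}


def parse_debug_log(text):
    """Return {request_no: summary} for every request in a radiusd -X transcript."""
    requests = {}
    by_packet_id = {}   # RADIUS packet id -> request number, for the un-prefixed "Sending" lines
    pending = []        # (packet id, NAS) from rad_recv lines not yet tied to a request number
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            pending.append((int(m.group(2)), m.group(1)))
            continue
        m = SEND_RE.match(line)
        if m:
            req_no = by_packet_id.get(int(m.group(2)))
            if req_no is not None:
                requests[req_no]['reply'] = m.group(1)
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        req_no = int(m.group(1))
        if req_no not in requests:
            # The first "(N)" line after a rad_recv belongs to that packet.
            pid, nas = pending.pop(0) if pending else (None, None)
            requests[req_no] = {'packet_id': pid, 'nas': nas, 'modules': [],
                                'sections': [], 'errors': [], 'reply': None}
            if pid is not None:
                by_packet_id[pid] = req_no
        summary = requests[req_no]
        m = MODULE_RE.match(line)
        if m:
            summary['modules'].append((m.group(2), m.group(3)))
            continue
        m = SECTION_RE.match(line)
        if m:
            summary['sections'].append((m.group(2), m.group(3)))
            continue
        m = ERROR_RE.match(line)
        if m:
            summary['errors'].append((m.group(2), m.group(3)))
    return requests


def first_failure(summary):
    """Return (module, return_code, error_message_or_None) for the first failing module, else None."""
    for module, rc in summary['modules']:
        if rc in FAILING:
            msg = next((text for mod, text in summary['errors'] if mod == module), None)
            return module, rc, msg
    return None


if __name__ == '__main__':
    for no, s in sorted(parse_debug_log(SAMPLE_LOG).items()):
        print(f"request {no} (packet id {s['packet_id']} from {s['nas']}): reply={s['reply']}")
        print("  failure:", first_failure(s))
```

Run against the full transcript, `first_failure` points straight at `[ldap] = fail` and the `Failed to retrieve eDirectory password: (80)` line for request 1, while request 0 reports no failure and an Access-Challenge reply, which is the same reading one does by eye above but repeatable across many requests.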
