Serving multiple groups of users - by SSID
Alex Gregory
alex at c2company.com
Tue Aug 19 21:08:55 CEST 2014
I have this working to the point where I have two virtual servers running on freeradius 3 with a different set of ports and each loading two different ldap modules. The problem is that all users can access still access both networks.
To get things to work I had to add in an entry into inner tunnel under the Authorize section (below ldap) for the other ldap module I configured (ldap_dev). This told me all of the virtual servers are using the same inner tunnel and the authentication and processing of inner tunnel is looking in both ldap locations.
So I tried to separate out them by copying the eap file to eap-dev and having it load that with its own inner-tunnel server value. The problem is I am just not sure I did it cleanly. I can still see the user get looked up in the dev OU and not be found which is great. But then it continues on to look into corp OU and be found and therefore authenticated which I don’t want when using the second virtual server.
Sorry for all the questions. I only started messing with Freeradius last week. I feel like I have come a long way but just need to get over this last hump.
Thanks,
Alex
---------------------------------------------------------
Here is the config as it loaded with radiusd -x and the authentication to the TestDev network
root at openldap freeradius/sbin# ./radiusd -X
radiusd: FreeRADIUS Version 3.0.3, for host x86_64-unknown-linux-gnu, built on Aug 18 2014 at 18:01:14
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /etc/freeradius/share/freeradius/dictionary
including dictionary file /etc/freeradius/share/freeradius/dictionary.dhcp
including dictionary file /etc/freeradius/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/etc/raddb/dictionary
including configuration file /etc/freeradius/etc/raddb/radiusd.conf
including configuration file /etc/freeradius/etc/raddb/proxy.conf
including configuration file /etc/freeradius/etc/raddb/clients.conf
including files in directory /etc/freeradius/etc/raddb/mods-enabled/
including configuration file /etc/freeradius/etc/raddb/mods-enabled/mschap
including configuration file /etc/freeradius/etc/raddb/mods-enabled/digest
including configuration file /etc/freeradius/etc/raddb/mods-enabled/detail.log
including configuration file /etc/freeradius/etc/raddb/mods-enabled/preprocess
including configuration file /etc/freeradius/etc/raddb/mods-enabled/ldap
including configuration file /etc/freeradius/etc/raddb/mods-enabled/radutmp
including configuration file /etc/freeradius/etc/raddb/mods-enabled/replicate
including configuration file /etc/freeradius/etc/raddb/mods-enabled/dhcp
including configuration file /etc/freeradius/etc/raddb/mods-enabled/attr_filter
including configuration file /etc/freeradius/etc/raddb/mods-enabled/utf8
including configuration file /etc/freeradius/etc/raddb/mods-enabled/eap
including configuration file /etc/freeradius/etc/raddb/mods-enabled/chap
including configuration file /etc/freeradius/etc/raddb/mods-enabled/ldap_dev
including configuration file /etc/freeradius/etc/raddb/mods-enabled/detail
including configuration file /etc/freeradius/etc/raddb/mods-enabled/exec
including configuration file /etc/freeradius/etc/raddb/mods-enabled/always
including configuration file /etc/freeradius/etc/raddb/mods-enabled/unpack
including configuration file /etc/freeradius/etc/raddb/mods-enabled/files
including configuration file /etc/freeradius/etc/raddb/mods-enabled/sradutmp
including configuration file /etc/freeradius/etc/raddb/mods-enabled/pap
including configuration file /etc/freeradius/etc/raddb/mods-enabled/linelog
including configuration file /etc/freeradius/etc/raddb/mods-enabled/unix
including configuration file /etc/freeradius/etc/raddb/mods-enabled/expiration
including configuration file /etc/freeradius/etc/raddb/mods-enabled/cache_eap
including configuration file /etc/freeradius/etc/raddb/mods-enabled/logintime
including configuration file /etc/freeradius/etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/etc/raddb/mods-enabled/expr
including configuration file /etc/freeradius/etc/raddb/mods-enabled/realm
including configuration file /etc/freeradius/etc/raddb/mods-enabled/echo
including configuration file /etc/freeradius/etc/raddb/mods-enabled/eap-dev
including configuration file /etc/freeradius/etc/raddb/mods-enabled/soh
including configuration file /etc/freeradius/etc/raddb/mods-enabled/passwd
including files in directory /etc/freeradius/etc/raddb/policy.d/
including configuration file /etc/freeradius/etc/raddb/policy.d/canonicalization
including configuration file /etc/freeradius/etc/raddb/policy.d/operator-name
including configuration file /etc/freeradius/etc/raddb/policy.d/filter
including configuration file /etc/freeradius/etc/raddb/policy.d/dhcp
including configuration file /etc/freeradius/etc/raddb/policy.d/eap
including configuration file /etc/freeradius/etc/raddb/policy.d/control
including configuration file /etc/freeradius/etc/raddb/policy.d/accounting
including configuration file /etc/freeradius/etc/raddb/policy.d/cui
including files in directory /etc/freeradius/etc/raddb/sites-enabled/
including configuration file /etc/freeradius/etc/raddb/sites-enabled/inner-tunnel-dev
including configuration file /etc/freeradius/etc/raddb/sites-enabled/default-dev
including configuration file /etc/freeradius/etc/raddb/sites-enabled/default
including configuration file /etc/freeradius/etc/raddb/sites-enabled/inner-tunnel
main {
security {
allow_core_dumps = no
}
}
main {
name = "radiusd"
prefix = "/etc/freeradius"
localstatedir = "/etc/freeradius/var"
sbindir = "/etc/freeradius/sbin"
logdir = "/etc/freeradius/var/log/radius"
run_dir = "/etc/freeradius/var/run/radiusd"
libdir = "/etc/freeradius/lib"
radacctdir = "/etc/freeradius/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/etc/freeradius/var/run/radiusd/radiusd.pid"
checkrad = "/etc/freeradius/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = "yes"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 0.0.0.0/0 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = "allusers"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
radiusd: #### Instantiating modules ####
instantiate {
}
modules {
# Loaded module rlm_mschap
# Instantiating module "mschap" from file /etc/freeradius/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Loaded module rlm_digest
# Instantiating module "digest" from file /etc/freeradius/etc/raddb/mods-enabled/digest
# Loaded module rlm_detail
# Instantiating module "auth_log" from file /etc/freeradius/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/etc/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/etc/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Instantiating module "pre_proxy_log" from file /etc/freeradius/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/etc/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Instantiating module "post_proxy_log" from file /etc/freeradius/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/etc/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file /etc/freeradius/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/etc/raddb/mods-config/preprocess/hints
# Loaded module rlm_ldap
# Instantiating module "ldap" from file /etc/freeradius/etc/raddb/mods-enabled/ldap
ldap {
server = "ldap.team.affirm.com"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=team,dc=affirm,dc=com"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=corp,ou=Users,dc=team,dc=affirm,dc=com"
access_positive = yes
}
group {
filter = "(objectClass=posixGroup)"
scope = "sub"
base_dn = "ou=corp,ou=Users,dc=team,dc=affirm,dc=com"
name_attribute = "cn"
membership_attribute = "memberOf"
cacheable_name = no
cacheable_dn = no
}
client {
filter = "(objectClass=frClient)"
scope = "sub"
base_dn = "ou=corp,ou=Users,dc=team,dc=affirm,dc=com"
attribute {
identifier = "radiusClientIdentifier"
shortname = "cn"
secret = "radiusClientSecret"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 40
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = no
}
}
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (ldap): Initialising connection pool
pool {
start = 5
min = 4
max = 32
spare = 3
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap): Opening additional connection (0)
rlm_ldap (ldap): Connecting to ldap.team.affirm.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1)
rlm_ldap (ldap): Connecting to ldap.team.affirm.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2)
rlm_ldap (ldap): Connecting to ldap.team.affirm.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3)
rlm_ldap (ldap): Connecting to ldap.team.affirm.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4)
rlm_ldap (ldap): Connecting to ldap.team.affirm.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
# Loaded module rlm_radutmp
# Instantiating module "radutmp" from file /etc/freeradius/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/etc/freeradius/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_replicate
# Instantiating module "replicate" from file /etc/freeradius/etc/raddb/mods-enabled/replicate
# Loaded module rlm_dhcp
# Instantiating module "dhcp" from file /etc/freeradius/etc/raddb/mods-enabled/dhcp
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/freeradius/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/freeradius/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/etc/raddb/mods-config/attr_filter/accounting_response
# Loaded module rlm_utf8
# Instantiating module "utf8" from file /etc/freeradius/etc/raddb/mods-enabled/utf8
# Loaded module rlm_eap
# Instantiating module "eap" from file /etc/freeradius/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 1024
}
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/freeradius/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/etc/raddb/certs/server.pem"
certificate_file = "/etc/freeradius/etc/raddb/certs/server.pem"
ca_file = "/etc/freeradius/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = yes
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Loaded module rlm_chap
# Instantiating module "chap" from file /etc/freeradius/etc/raddb/mods-enabled/chap
# Instantiating module "ldap_dev" from file /etc/freeradius/etc/raddb/mods-enabled/ldap_dev
ldap ldap_dev {
server = "ldap.team.affirm.com"
port = 389
password = <<< secret >>>
identity = "cn=admin,dc=team,dc=affirm,dc=com"
user {
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "ou=dev,ou=Users,dc=team,dc=affirm,dc=com"
access_positive = yes
}
group {
filter = "(objectClass=posixGroup)"
scope = "sub"
base_dn = "ou=dev,ou=Users,dc=team,dc=affirm,dc=com"
name_attribute = "cn"
membership_attribute = "memberOf"
cacheable_name = no
cacheable_dn = no
}
client {
filter = "(objectClass=frClient)"
scope = "sub"
base_dn = "ou=dev,ou=Users,dc=team,dc=affirm,dc=com"
attribute {
identifier = "radiusClientIdentifier"
shortname = "cn"
secret = "radiusClientSecret"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 40
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = no
}
}
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (ldap_dev): Initialising connection pool
pool {
start = 5
min = 4
max = 32
spare = 3
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap_dev): Opening additional connection (0)
rlm_ldap (ldap_dev): Connecting to ldap.team.affirm.com:389
rlm_ldap (ldap_dev): Waiting for bind result...
rlm_ldap (ldap_dev): Bind successful
rlm_ldap (ldap_dev): Opening additional connection (1)
rlm_ldap (ldap_dev): Connecting to ldap.team.affirm.com:389
rlm_ldap (ldap_dev): Waiting for bind result...
rlm_ldap (ldap_dev): Bind successful
rlm_ldap (ldap_dev): Opening additional connection (2)
rlm_ldap (ldap_dev): Connecting to ldap.team.affirm.com:389
rlm_ldap (ldap_dev): Waiting for bind result...
rlm_ldap (ldap_dev): Bind successful
rlm_ldap (ldap_dev): Opening additional connection (3)
rlm_ldap (ldap_dev): Connecting to ldap.team.affirm.com:389
rlm_ldap (ldap_dev): Waiting for bind result...
rlm_ldap (ldap_dev): Bind successful
rlm_ldap (ldap_dev): Opening additional connection (4)
rlm_ldap (ldap_dev): Connecting to ldap.team.affirm.com:389
rlm_ldap (ldap_dev): Waiting for bind result...
rlm_ldap (ldap_dev): Bind successful
# Instantiating module "detail" from file /etc/freeradius/etc/raddb/mods-enabled/detail
detail {
filename = "/etc/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Loaded module rlm_exec
# Instantiating module "exec" from file /etc/freeradius/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_always
# Instantiating module "reject" from file /etc/freeradius/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "fail" from file /etc/freeradius/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/freeradius/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /etc/freeradius/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "invalid" from file /etc/freeradius/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Instantiating module "userlock" from file /etc/freeradius/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file /etc/freeradius/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file /etc/freeradius/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /etc/freeradius/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_unpack
# Instantiating module "unpack" from file /etc/freeradius/etc/raddb/mods-enabled/unpack
# Loaded module rlm_files
# Instantiating module "files" from file /etc/freeradius/etc/raddb/mods-enabled/files
files {
filename = "/etc/freeradius/etc/raddb/mods-config/files/authorize"
usersfile = "/etc/freeradius/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/etc/raddb/mods-config/files/pre-proxy"
compat = "cistron"
}
reading pairlist file /etc/freeradius/etc/raddb/mods-config/files/authorize
[/etc/freeradius/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility checks for entry DEFAULT ...
[/etc/freeradius/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility checks for entry DEFAULT ...
[/etc/freeradius/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks for entry DEFAULT ...
reading pairlist file /etc/freeradius/etc/raddb/mods-config/files/authorize
[/etc/freeradius/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility checks for entry DEFAULT ...
[/etc/freeradius/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility checks for entry DEFAULT ...
[/etc/freeradius/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks for entry DEFAULT ...
reading pairlist file /etc/freeradius/etc/raddb/mods-config/files/accounting
reading pairlist file /etc/freeradius/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "sradutmp" from file /etc/freeradius/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/etc/freeradius/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_pap
# Instantiating module "pap" from file /etc/freeradius/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_linelog
# Instantiating module "linelog" from file /etc/freeradius/etc/raddb/mods-enabled/linelog
linelog {
filename = "/etc/freeradius/var/log/radius/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{Packet-Type}:-default}"
}
# Instantiating module "log_accounting" from file /etc/freeradius/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/etc/freeradius/var/log/radius/linelog-accounting"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_unix
# Instantiating module "unix" from file /etc/freeradius/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/etc/freeradius/var/log/radius/radwtmp"
}
# Loaded module rlm_expiration
# Instantiating module "expiration" from file /etc/freeradius/etc/raddb/mods-enabled/expiration
# Loaded module rlm_cache
# Instantiating module "cache_eap" from file /etc/freeradius/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 16384
epoch = 0
add_stats = no
}
# Loaded module rlm_logintime
# Instantiating module "logintime" from file /etc/freeradius/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_dynamic_clients
# Instantiating module "dynamic_clients" from file /etc/freeradius/etc/raddb/mods-enabled/dynamic_clients
# Instantiating module "ntlm_auth" from file /etc/freeradius/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_expr
# Instantiating module "expr" from file /etc/freeradius/etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
# Loaded module rlm_realm
# Instantiating module "IPASS" from file /etc/freeradius/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Instantiating module "suffix" from file /etc/freeradius/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Instantiating module "realmpercent" from file /etc/freeradius/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntdomain" from file /etc/freeradius/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Instantiating module "echo" from file /etc/freeradius/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_soh
# Instantiating module "soh" from file /etc/freeradius/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_passwd
# Instantiating module "etc_passwd" from file /etc/freeradius/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/etc/raddb/radiusd.conf
} # server
server inner-tunnel-dev { # from file /etc/freeradius/etc/raddb/sites-enabled/inner-tunnel-dev
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel-dev
server default-dev { # from file /etc/freeradius/etc/raddb/sites-enabled/default-dev
# Creating Auth-Type = digest
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default-dev
server default { # from file /etc/freeradius/etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/freeradius/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18121
}
listen {
type = "auth"
ipaddr = *
port = 1814
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 1815
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address 127.0.0.1 port 18121 as server inner-tunnel-dev
Listening on auth address * port 1814 as server default-dev
Listening on acct address * port 1815 as server default-dev
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 45665
Ready to process requests.
Received Access-Request Id 78 from 173.167.113.17:32768 to 10.11.1.226:1814 length 226
User-Name = 'alexgregory'
Chargeable-User-Identity = ''
Location-Capable = Civix-Location
Calling-Station-Id = '78-31-c1-be-89-a8'
Called-Station-Id = 'd4-a0-2a-15-7f-00:C2_TestDev'
NAS-Port = 4
Cisco-AVPair = 'audit-session-id=0a21008200000a4953f39ed1'
NAS-IP-Address = 10.33.0.130
NAS-Identifier = 'isewlc'
Airespace-Wlan-Id = 7
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201001001616c6578677265676f7279
Message-Authenticator = 0xb1cd95b8f697ff1c73116aa558be2582
(0) # Executing section authorize from file /etc/freeradius/etc/raddb/sites-enabled/default-dev
(0) authorize {
(0) filter_username filter_username {
(0) if (User-Name != "%{tolower:%{User-Name}}")
(0) EXPAND %{tolower:%{User-Name}}
(0) --> alexgregory
(0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) if (User-Name =~ / /)
(0) if (User-Name =~ / /) -> FALSE
(0) if (User-Name =~ /@.*@/ )
(0) if (User-Name =~ /@.*@/ ) -> FALSE
(0) if (User-Name =~ /\\.\\./ )
(0) if (User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) if (User-Name =~ /\\.$/)
(0) if (User-Name =~ /\\.$/) -> FALSE
(0) if (User-Name =~ /@\\./)
(0) if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : No '@' in User-Name = "alexgregory", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) eap : EAP packet type response id 1 length 16
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/freeradius/etc/raddb/sites-enabled/default-dev
(0) authenticate {
(0) eap : Peer sent Identity (1)
(0) eap : Calling eap_ttls to process EAP data
(0) eap_ttls : Flushing SSL sessions (of #0)
(0) eap_ttls : Initiate
(0) eap_ttls : Start returned 1
(0) eap : New EAP session, adding 'State' attribute to reply 0xab9abd32ab98a8ac
(0) [eap] = handled
(0) } # authenticate = handled
Sending Access-Challenge Id 78 from 10.11.1.226:1814 to 173.167.113.17:32768
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xab9abd32ab98a8ac741821f2101db97e
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 79 from 173.167.113.17:32768 to 10.11.1.226:1814 length 380
User-Name = 'alexgregory'
Chargeable-User-Identity = ''
Location-Capable = Civix-Location
Calling-Station-Id = '78-31-c1-be-89-a8'
Called-Station-Id = 'd4-a0-2a-15-7f-00:C2_TestDev'
NAS-Port = 4
Cisco-AVPair = 'audit-session-id=0a21008200000a4953f39ed1'
NAS-IP-Address = 10.33.0.130
NAS-Identifier = 'isewlc'
Airespace-Wlan-Id = 7
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0202009815800000008e160301008901000085030153f39edc897e9b9af41b964ac8ca11f4b6db2904b6ff25d49303b0c28c19e18200004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100
State = 0xab9abd32ab98a8ac741821f2101db97e
Message-Authenticator = 0x1ba4bee298cd99b66176abf918a2e47c
(1) # Executing section authorize from file /etc/freeradius/etc/raddb/sites-enabled/default-dev
(1) authorize {
(1) filter_username filter_username {
(1) if (User-Name != "%{tolower:%{User-Name}}")
(1) EXPAND %{tolower:%{User-Name}}
(1) --> alexgregory
(1) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(1) if (User-Name =~ / /)
(1) if (User-Name =~ / /) -> FALSE
(1) if (User-Name =~ /@.*@/ )
(1) if (User-Name =~ /@.*@/ ) -> FALSE
(1) if (User-Name =~ /\\.\\./ )
(1) if (User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(1) if (User-Name =~ /\\.$/)
(1) if (User-Name =~ /\\.$/) -> FALSE
(1) if (User-Name =~ /@\\./)
(1) if (User-Name =~ /@\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : No '@' in User-Name = "alexgregory", looking up realm NULL
(1) suffix : No such realm "NULL"
(1) [suffix] = noop
(1) eap : EAP packet type response id 2 length 152
(1) eap : Continuing tunnel setup.
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/freeradius/etc/raddb/sites-enabled/default-dev
(1) authenticate {
(1) eap : Expiring EAP session with state 0xab9abd32ab98a8ac
(1) eap : Finished EAP session with state 0xab9abd32ab98a8ac
(1) eap : Previous EAP request found for state 0xab9abd32ab98a8ac, released from the list
(1) eap : Peer sent TTLS (21)
(1) eap : EAP TTLS (21)
(1) eap : Calling eap_ttls to process EAP data
(1) eap_ttls : Authenticate
(1) eap_ttls : processing EAP-TLS
TLS Length 142
(1) eap_ttls : Length Included
(1) eap_ttls : eaptls_verify returned 11
(1) eap_ttls : (other): before/accept initialization
(1) eap_ttls : TLS_accept: before/accept initialization
(1) eap_ttls : <<< TLS 1.0 Handshake [length 0089], ClientHello
(1) eap_ttls : TLS_accept: SSLv3 read client hello A
(1) eap_ttls : >>> TLS 1.0 Handshake [length 0059], ServerHello
(1) eap_ttls : TLS_accept: SSLv3 write server hello A
(1) eap_ttls : >>> TLS 1.0 Handshake [length 08d0], Certificate
(1) eap_ttls : TLS_accept: SSLv3 write certificate A
(1) eap_ttls : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(1) eap_ttls : TLS_accept: SSLv3 write key exchange A
(1) eap_ttls : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) eap_ttls : TLS_accept: SSLv3 write server done A
(1) eap_ttls : TLS_accept: SSLv3 flush data
(1) eap_ttls : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(1) eap_ttls : eaptls_process returned 13
(1) eap : New EAP session, adding 'State' attribute to reply 0xab9abd32aa99a8ac
(1) [eap] = handled
(1) } # authenticate = handled
Sending Access-Challenge Id 79 from 10.11.1.226:1814 to 173.167.113.17:32768
EAP-Message = 0x010303ec15c000000a8c160301005902000055030153f39ee257c7ecdbf1bad3ebdd839be1d6240c158f37eb66fbec441f39416d1b202a78b875b458319d49921894fd1f4395aacb747d99dfb9c1de2eb3ffbd1afadac01400000dff01000100000b00040300010216030108d00b0008cc0008c90003de308203da308202c2a003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3134303831383138303135305a170d3134313031373138303135305a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100a51b1248268198d67c6a314
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xab9abd32aa99a8ac741821f2101db97e
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 80 from 173.167.113.17:32768 to 10.11.1.226:1814 length 234
User-Name = 'alexgregory'
Chargeable-User-Identity = ''
Location-Capable = Civix-Location
Calling-Station-Id = '78-31-c1-be-89-a8'
Called-Station-Id = 'd4-a0-2a-15-7f-00:C2_TestDev'
NAS-Port = 4
Cisco-AVPair = 'audit-session-id=0a21008200000a4953f39ed1'
NAS-IP-Address = 10.33.0.130
NAS-Identifier = 'isewlc'
Airespace-Wlan-Id = 7
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300061500
State = 0xab9abd32aa99a8ac741821f2101db97e
Message-Authenticator = 0xaad4f97bb7933faa75f24f353aab668a
(2) # Executing section authorize from file /etc/freeradius/etc/raddb/sites-enabled/default-dev
(2) authorize {
(2) filter_username filter_username {
(2) if (User-Name != "%{tolower:%{User-Name}}")
(2) EXPAND %{tolower:%{User-Name}}
(2) --> alexgregory
(2) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(2) if (User-Name =~ / /)
(2) if (User-Name =~ / /) -> FALSE
(2) if (User-Name =~ /@.*@/ )
(2) if (User-Name =~ /@.*@/ ) -> FALSE
(2) if (User-Name =~ /\\.\\./ )
(2) if (User-Name =~ /\\.\\./ ) -> FALSE
(2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(2) if (User-Name =~ /\\.$/)
(2) if (User-Name =~ /\\.$/) -> FALSE
(2) if (User-Name =~ /@\\./)
(2) if (User-Name =~ /@\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix : No '@' in User-Name = "alexgregory", looking up realm NULL
(2) suffix : No such realm "NULL"
(2) [suffix] = noop
(2) eap : EAP packet type response id 3 length 6
(2) eap : Continuing tunnel setup.
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/freeradius/etc/raddb/sites-enabled/default-dev
(2) authenticate {
(2) eap : Expiring EAP session with state 0xab9abd32aa99a8ac
(2) eap : Finished EAP session with state 0xab9abd32aa99a8ac
(2) eap : Previous EAP request found for state 0xab9abd32aa99a8ac, released from the list
(2) eap : Peer sent TTLS (21)
(2) eap : EAP TTLS (21)
(2) eap : Calling eap_ttls to process EAP data
(2) eap_ttls : Authenticate
(2) eap_ttls : processing EAP-TLS
(2) eap_ttls : Received TLS ACK
(2) eap_ttls : Received TLS ACK
(2) eap_ttls : ACK handshake fragment handler
(2) eap_ttls : eaptls_verify returned 1
(2) eap_ttls : eaptls_process returned 13
(2) eap : New EAP session, adding 'State' attribute to reply 0xab9abd32a99ea8ac
(2) [eap] = handled
(2) } # authenticate = handled
Sending Access-Challenge Id 80 from 10.11.1.226:1814 to 173.167.113.17:32768
EAP-Message = 0x010403ec15c000000a8c09e505a7328c127e38be69a5a6bc60303b5949df47a838037fbdeee874c83ac6997a66a5f31f9ecd19de0a9530ac3bcf76399646c8893c443ddafc3b3fe23f59c09d04bce114d67208b0e18cabe6d6c4677e82d1bfbb14b034eafce57a077e6a7060b17cf063eb5f290004e5308204e1308203c9a003020102020900ac51a3debf06a870300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3134303831383138303135305a170d3134313031373138303135305a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xab9abd32a99ea8ac741821f2101db97e
(2) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 81 from 173.167.113.17:32768 to 10.11.1.226:1814 length 234
User-Name = 'alexgregory'
Chargeable-User-Identity = ''
Location-Capable = Civix-Location
Calling-Station-Id = '78-31-c1-be-89-a8'
Called-Station-Id = 'd4-a0-2a-15-7f-00:C2_TestDev'
NAS-Port = 4
Cisco-AVPair = 'audit-session-id=0a21008200000a4953f39ed1'
NAS-IP-Address = 10.33.0.130
NAS-Identifier = 'isewlc'
Airespace-Wlan-Id = 7
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400061500
State = 0xab9abd32a99ea8ac741821f2101db97e
Message-Authenticator = 0xecffe1b7ab9282aeffd32b5b4160b5f5
(3) # Executing section authorize from file /etc/freeradius/etc/raddb/sites-enabled/default-dev
(3) authorize {
(3) filter_username filter_username {
(3) if (User-Name != "%{tolower:%{User-Name}}")
(3) EXPAND %{tolower:%{User-Name}}
(3) --> alexgregory
(3) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(3) if (User-Name =~ / /)
(3) if (User-Name =~ / /) -> FALSE
(3) if (User-Name =~ /@.*@/ )
(3) if (User-Name =~ /@.*@/ ) -> FALSE
(3) if (User-Name =~ /\\.\\./ )
(3) if (User-Name =~ /\\.\\./ ) -> FALSE
(3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(3) if (User-Name =~ /\\.$/)
(3) if (User-Name =~ /\\.$/) -> FALSE
(3) if (User-Name =~ /@\\./)
(3) if (User-Name =~ /@\\./) -> FALSE
(3) } # filter_username filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix : No '@' in User-Name = "alexgregory", looking up realm NULL
(3) suffix : No such realm "NULL"
(3) [suffix] = noop
(3) eap : EAP packet type response id 4 length 6
(3) eap : Continuing tunnel setup.
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/freeradius/etc/raddb/sites-enabled/default-dev
(3) authenticate {
(3) eap : Expiring EAP session with state 0xab9abd32a99ea8ac
(3) eap : Finished EAP session with state 0xab9abd32a99ea8ac
(3) eap : Previous EAP request found for state 0xab9abd32a99ea8ac, released from the list
(3) eap : Peer sent TTLS (21)
(3) eap : EAP TTLS (21)
(3) eap : Calling eap_ttls to process EAP data
(3) eap_ttls : Authenticate
(3) eap_ttls : processing EAP-TLS
(3) eap_ttls : Received TLS ACK
(3) eap_ttls : Received TLS ACK
(3) eap_ttls : ACK handshake fragment handler
(3) eap_ttls : eaptls_verify returned 1
(3) eap_ttls : eaptls_process returned 13
(3) eap : New EAP session, adding 'State' attribute to reply 0xab9abd32a89fa8ac
(3) [eap] = handled
(3) } # authenticate = handled
Sending Access-Challenge Id 81 from 10.11.1.226:1814 to 173.167.113.17:32768
EAP-Message = 0x010502d2158000000a8c20417574686f72697479820900ac51a3debf06a870300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d010105050003820101007dbd1249f758293cac0cd10624070f5553dced4662ef0e89924120a01b9ee10dd1f471e17915d0bdebf5f758300bd4d1825814082682cf8ac0c30953900fa6caa84bb209a00c1131ac6f63ef009fc6725a6120265c1a285a78de52167b65230d0d9832b7f36d7ac3d3f81e68b0ff9f5d308b394a3e9490cd7e1bafc2801632aeb16d88813cebc873f9f3e8cb86e8c5e4f8eaf3478803a5df76b8c6dd52fc958e7917612b49d24dce0706c579c1d308abc2cd38bff381ecb0cdc9109c34e37797d0b548f53d5f0f770f4a0a874aab2f628c220c90f527fae6986e75186c45d6e60dda93717ea8f95bf87c32afad5d68b6106b83a32b21742a59b26782622baac3160301014b0c00014703001741047d59741ff9274da5e3cefdeadb64c78c2dffd5b668a1086801375f703338b7eb9e7d5c6f494cbef5342da63bf036cbc72628db240f34c89ab3ddfa20b143e584010086c44a791140f09113675cd5cd82328323f1a9057c92adfb53b79406cc89d359f6029eff5f37b3d78725dcd8f12
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xab9abd32a89fa8ac741821f2101db97e
(3) Finished request
Waking up in 0.2 seconds.
Waking up in 4.5 seconds.
Received Access-Request Id 82 from 173.167.113.17:32768 to 10.11.1.226:1814 length 372
User-Name = 'alexgregory'
Chargeable-User-Identity = ''
Location-Capable = Civix-Location
Calling-Station-Id = '78-31-c1-be-89-a8'
Called-Station-Id = 'd4-a0-2a-15-7f-00:C2_TestDev'
NAS-Port = 4
Cisco-AVPair = 'audit-session-id=0a21008200000a4953f39ed1'
NAS-IP-Address = 10.33.0.130
NAS-Identifier = 'isewlc'
Airespace-Wlan-Id = 7
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02050090158000000086160301004610000042410478067100bf2940906fb7ba16c20289a2949414995e0171b6bafd8dc447a444622712522b58e5c8b1ed2d9083c5a3d5cc2d1f1c5a198aae60853388fb8b10f87a1403010001011603010030e8e5d0fb0369686a6694928e6ec51bd4f19a8762113bfb1c1070e9013f9ef02aa7af631b1f6b33c939826249f7c2db0c
State = 0xab9abd32a89fa8ac741821f2101db97e
Message-Authenticator = 0xbe24b53b9d38761b96900c1078de42ee
(4) # Executing section authorize from file /etc/freeradius/etc/raddb/sites-enabled/default-dev
(4) authorize {
(4) filter_username filter_username {
(4) if (User-Name != "%{tolower:%{User-Name}}")
(4) EXPAND %{tolower:%{User-Name}}
(4) --> alexgregory
(4) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(4) if (User-Name =~ / /)
(4) if (User-Name =~ / /) -> FALSE
(4) if (User-Name =~ /@.*@/ )
(4) if (User-Name =~ /@.*@/ ) -> FALSE
(4) if (User-Name =~ /\\.\\./ )
(4) if (User-Name =~ /\\.\\./ ) -> FALSE
(4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(4) if (User-Name =~ /\\.$/)
(4) if (User-Name =~ /\\.$/) -> FALSE
(4) if (User-Name =~ /@\\./)
(4) if (User-Name =~ /@\\./) -> FALSE
(4) } # filter_username filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix : No '@' in User-Name = "alexgregory", looking up realm NULL
(4) suffix : No such realm "NULL"
(4) [suffix] = noop
(4) eap : EAP packet type response id 5 length 144
(4) eap : Continuing tunnel setup.
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/freeradius/etc/raddb/sites-enabled/default-dev
(4) authenticate {
(4) eap : Expiring EAP session with state 0xab9abd32a89fa8ac
(4) eap : Finished EAP session with state 0xab9abd32a89fa8ac
(4) eap : Previous EAP request found for state 0xab9abd32a89fa8ac, released from the list
(4) eap : Peer sent TTLS (21)
(4) eap : EAP TTLS (21)
(4) eap : Calling eap_ttls to process EAP data
(4) eap_ttls : Authenticate
(4) eap_ttls : processing EAP-TLS
TLS Length 134
(4) eap_ttls : Length Included
(4) eap_ttls : eaptls_verify returned 11
(4) eap_ttls : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(4) eap_ttls : TLS_accept: SSLv3 read client key exchange A
(4) eap_ttls : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_ttls : <<< TLS 1.0 Handshake [length 0010], Finished
(4) eap_ttls : TLS_accept: SSLv3 read finished A
(4) eap_ttls : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_ttls : TLS_accept: SSLv3 write change cipher spec A
(4) eap_ttls : >>> TLS 1.0 Handshake [length 0010], Finished
(4) eap_ttls : TLS_accept: SSLv3 write finished A
(4) eap_ttls : TLS_accept: SSLv3 flush data
SSL: adding session 2a78b875b458319d49921894fd1f4395aacb747d99dfb9c1de2eb3ffbd1afada to cache
(4) eap_ttls : (other): SSL negotiation finished successfully
SSL Connection Established
(4) eap_ttls : eaptls_process returned 13
(4) eap : New EAP session, adding 'State' attribute to reply 0xab9abd32af9ca8ac
(4) [eap] = handled
(4) } # authenticate = handled
Sending Access-Challenge Id 82 from 10.11.1.226:1814 to 173.167.113.17:32768
EAP-Message = 0x0106004515800000003b14030100010116030100301ce4349d2d72f20414b8e1a551dbf7d2f038f41619836393eb097433516964bef61240839e7c7bb63a90b052b1454545
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xab9abd32af9ca8ac741821f2101db97e
(4) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 83 from 173.167.113.17:32768 to 10.11.1.226:1814 length 323
User-Name = 'alexgregory'
Chargeable-User-Identity = ''
Location-Capable = Civix-Location
Calling-Station-Id = '78-31-c1-be-89-a8'
Called-Station-Id = 'd4-a0-2a-15-7f-00:C2_TestDev'
NAS-Port = 4
Cisco-AVPair = 'audit-session-id=0a21008200000a4953f39ed1'
NAS-IP-Address = 10.33.0.130
NAS-Identifier = 'isewlc'
Airespace-Wlan-Id = 7
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0206005f158000000055170301005020ca3fd6b7f6ce799bf5ab14f2005a7019cb4e95df72f2895ab4b8d227c717242339ca2a39ef1fe236afc8257029d260e862bd14906693541851f357835ad27af6735c7e8205e16be1df7688dd03ea64
State = 0xab9abd32af9ca8ac741821f2101db97e
Message-Authenticator = 0xc3ca7e80e03d8ca8cc645cd7d37b898b
(5) # Executing section authorize from file /etc/freeradius/etc/raddb/sites-enabled/default-dev
(5) authorize {
(5) filter_username filter_username {
(5) if (User-Name != "%{tolower:%{User-Name}}")
(5) EXPAND %{tolower:%{User-Name}}
(5) --> alexgregory
(5) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(5) if (User-Name =~ / /)
(5) if (User-Name =~ / /) -> FALSE
(5) if (User-Name =~ /@.*@/ )
(5) if (User-Name =~ /@.*@/ ) -> FALSE
(5) if (User-Name =~ /\\.\\./ )
(5) if (User-Name =~ /\\.\\./ ) -> FALSE
(5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(5) if (User-Name =~ /\\.$/)
(5) if (User-Name =~ /\\.$/) -> FALSE
(5) if (User-Name =~ /@\\./)
(5) if (User-Name =~ /@\\./) -> FALSE
(5) } # filter_username filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix : No '@' in User-Name = "alexgregory", looking up realm NULL
(5) suffix : No such realm "NULL"
(5) [suffix] = noop
(5) eap : EAP packet type response id 6 length 95
(5) eap : Continuing tunnel setup.
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/freeradius/etc/raddb/sites-enabled/default-dev
(5) authenticate {
(5) eap : Expiring EAP session with state 0xab9abd32af9ca8ac
(5) eap : Finished EAP session with state 0xab9abd32af9ca8ac
(5) eap : Previous EAP request found for state 0xab9abd32af9ca8ac, released from the list
(5) eap : Peer sent TTLS (21)
(5) eap : EAP TTLS (21)
(5) eap : Calling eap_ttls to process EAP data
(5) eap_ttls : Authenticate
(5) eap_ttls : processing EAP-TLS
TLS Length 85
(5) eap_ttls : Length Included
(5) eap_ttls : eaptls_verify returned 11
(5) eap_ttls : eaptls_process returned 7
(5) eap_ttls : Session established. Proceeding to decode tunneled attributes.
(5) eap_ttls : Got tunneled request
User-Name = 'alexgregory'
User-Password = 'bigal76!'
(5) eap_ttls : Sending tunneled request
User-Name = 'alexgregory'
User-Password = 'bigal76!'
server inner-tunnel {
(5) # Executing section authorize from file /etc/freeradius/etc/raddb/sites-enabled/inner-tunnel
(5) authorize {
(5) [chap] = noop
(5) [mschap] = noop
(5) suffix : No '@' in User-Name = "alexgregory", looking up realm NULL
(5) suffix : No such realm "NULL"
(5) [suffix] = noop
(5) update control {
(5) Proxy-To-Realm := 'LOCAL'
(5) } # update control = noop
(5) eap : No EAP-Message, not doing EAP
(5) [eap] = noop
(5) [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(5) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(5) ldap : --> (uid=alexgregory)
(5) ldap : EXPAND ou=corp,ou=Users,dc=team,dc=affirm,dc=com
(5) ldap : --> ou=corp,ou=Users,dc=team,dc=affirm,dc=com
(5) ldap : Performing search in 'ou=corp,ou=Users,dc=team,dc=affirm,dc=com' with filter '(uid=alexgregory)', scope 'sub'
(5) ldap : Waiting for search result...
(5) ldap : User object found at DN "cn=Alex Gregory,ou=corp,ou=Users,dc=team,dc=affirm,dc=com"
(5) ldap : Processing user attributes
(5) ldap : control:Password-With-Header += ''{MD5}5sN8Kr+y8smlk0QpJmerOg==''
rlm_ldap (ldap): Released connection (4)
rlm_ldap (ldap): Closing connection (0), from 1 unused connections
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 160 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 160 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 160 seconds
rlm_ldap (ldap): You probably need to lower "min"
(5) [ldap] = ok
(5) [expiration] = noop
(5) [logintime] = noop
(5) [pap] = updated
(5) } # authorize = updated
(5) Found Auth-Type = PAP
(5) # Executing group from file /etc/freeradius/etc/raddb/sites-enabled/inner-tunnel
(5) Auth-Type PAP {
(5) pap : Login attempt with password
(5) pap : Comparing with "known-good" MD5-Password
(5) pap : Normalizing MD5-Password from base64 encoding, 24 bytes -> 16 bytes
(5) pap : User authenticated successfully
(5) [pap] = ok
(5) } # Auth-Type PAP = ok
(5) # Executing section post-auth from file /etc/freeradius/etc/raddb/sites-enabled/inner-tunnel
(5) (null) post-auth { ... } # empty sub-section is ignored
} # server inner-tunnel
(5) eap_ttls : Got tunneled reply code 2
(5) eap_ttls : Got tunneled Access-Accept
(5) WARNING: eap_ttls : No information to cache: session caching will be disabled for session 2a78b875b458319d49921894fd1f4395aacb747d99dfb9c1de2eb3ffbd1afada
SSL: Removing session 2a78b875b458319d49921894fd1f4395aacb747d99dfb9c1de2eb3ffbd1afada from the cache
(5) eap : Freeing handler
(5) [eap] = ok
(5) } # authenticate = ok
(5) # Executing section post-auth from file /etc/freeradius/etc/raddb/sites-enabled/default-dev
(5) post-auth {
(5) [exec] = noop
(5) remove_reply_message_if_eap remove_reply_message_if_eap {
(5) if (reply:EAP-Message && reply:Reply-Message)
(5) if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(5) else else {
(5) [noop] = noop
(5) } # else else = noop
(5) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(5) } # post-auth = noop
Sending Access-Accept Id 83 from 10.11.1.226:1814 to 173.167.113.17:32768
MS-MPPE-Recv-Key = 0x8e7690411ac0a69a872d52e91005ede4292c2ddc6ef954e0f4e0604ba2d39492
MS-MPPE-Send-Key = 0xa7e6d36ef6cd14440f4d960dcec2653d1574750be45a12d86c9ee1c12871e8f8
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'alexgregory'
(5) Finished request
Waking up in 0.3 seconds.
Waking up in 4.2 seconds.
(0) Cleaning up request packet ID 78 with timestamp +160
(1) Cleaning up request packet ID 79 with timestamp +160
(2) Cleaning up request packet ID 80 with timestamp +160
(3) Cleaning up request packet ID 81 with timestamp +160
Waking up in 0.3 seconds.
(4) Cleaning up request packet ID 82 with timestamp +160
(5) Cleaning up request packet ID 83 with timestamp +160
Ready to process requests.
On Aug 18, 2014, at 2:39 PM, Alex Gregory <alex at c2company.com> wrote:
> This caught my eye on how I am trying to things and that my approach might be incorrect.
>
> Might this practice be better than I am trying to do with post auth and passing filter-id variable based on LDAP group?
>
> Marcus, in his example, has different AP’s with certain users being able to access each. I have an AP with two SSID’s being served from it. Similar need but slightly different implementation.
>
> I have two groups of users and two LDAP groups:
>
> SSID - Company_Corp
> with users in "ou=corp,ou=Users,dc=team,dc=company,dc=com"
>
> and
>
> SSID - Company_Dev
> with users in "ou=dev,ou=Users,dc=team,dc=company,dc=com"
>
> I was going to LDAP group match and pass that down in a variable to the Meraki to apply firewall filters. Is it better to do this with virtual servers and more than one LDAP lookup?
>
> Could I have two LDAP modules with two virtual servers with each looking at a specific group without the sub flag enabled? Then I could just point each network at a different port for Radius lookups on the same host.
>
> What is the proper way to configure this with 3.x?
>
> Thanks,
>
> Alex
>
>
>
>
> On Aug 17, 2014, at 3:24 PM, <A.L.M.Buxey at lboro.ac.uk> <A.L.M.Buxey at lboro.ac.uk> wrote:
>
>> Hi,
>>
>>> This is my use case. I have 2 dept: A & B. I want to provide WPA2-Enterprise
>>> to both dept A & B, who have different groups of end users. But I do not
>>> want them to mix, i.e.
>>>
>>> If a end user from dept A tries to connect to a Wifi AP that belongs to dept
>>> A, the authentication would be successful.
>>> If a end user from dept A tries to connect to a Wifi AP that belongs to dept
>>> B, the authentication would fail.
>>
>> yes, this is very common
>>
>>> I can create 2 virtual servers and point the group of Wifi AP from Dept A to
>>> virtual server 1 and dept B to Virtual Server 2. But how would the virtual
>>> server knows which authentication to allow and which to block? From what I
>>> understand, the 2 virtual servers will share the same sql module. That is my
>>> dilemma.
>>
>> errr. nope. they can have totally different logic - and you need to look
>> at named instances of eg SQL module - you've just got sql - you can have 'groupA-sql' and 'groupB-sql' each looking at a different database
>>
>>> Method 1. Taking advantage of the fact that all wifi AP of a dept will point
>>> to a particular virtual server, I modify the authorize_check_query to use
>>> the listening address/port of the virtual server as a selection criteria
>>
>> in fact, you dont need to listen on different ports - use the 'virtual_server'
>> directive in clients.conf so requests from those APs (based on IP address)
>> go to a different virtual server.
>>
>> alan
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list