Fwd: Inner Tunnel User-Name - PEAP/MSCHAPV2

Chris Arg grkcharge at gmail.com
Fri Dec 12 14:48:05 CET 2014


Hello FR Users,

I'm currently using 3.0.x via GitHub on RHEL 7. My issue is that I'm unable
to get the User-Name attribute out of the inner tunnel. My setup is very
simple, I'm proxying my authentication requests to an NPS server. It
appears that part of my issue is spawning from the fact that NPS replies
*without* a User-Name attribute.

I've seen a couple of examples demonstrating how to update the reply or
update outer.reply in the inner-tunnel post-auth section. After reading the
debug output, that section doesn't seem to run. Instead, post-proxy is run
which looks like a good alternative. This is what I've tried in the
post-proxy section:

        update {
                &reply:User-Name += &User-Name
        }

And this is what happens:

(8) # Executing section post-proxy from file /etc/raddb/sites-enabled/inner-tunnel
(8)   post-proxy {
(8)     update {
(8)       &reply:User-Name += &User-Name -> 'mydomain\user000'
(8)     } # update = noop

This is obviously wrong since it doesn't work.

Any help would be greatly appreciated.

Thanks,
Chris

---------------
*raddb/mods-enabled/eap*

        peap {
                tls = tls-common

                default_eap_type = mschapv2

                copy_request_to_tunnel = yes

                use_tunneled_reply = no

                proxy_tunneled_request_as_eap = no

                virtual_server = "inner-tunnel"
        }

---------------
*raddb/sites-enabled/inner-tunnel*

server inner-tunnel {
authorize {
        ntdomain
        suffix
        eap {
                ok = return
        }
        expiration
        logintime
        pap
}

authenticate {
        eap
}

post-auth {
        update {
                &outer.session-state: += &reply:
                &outer.session-state:User-Name += &User-Name
        }

        Post-Auth-Type REJECT {
                attr_filter.access_reject

                update outer.session-state {
                        Module-Failure-Message := &request:Module-Failure-Message
                }
        }
}

post-proxy {
        update {
                &reply:User-Name += &User-Name
        }
        eap
}

---------------
*raddb/sites-enabled/default*

server default {
authorize {
        filter_username
        preprocess
        ntdomain
        suffix
        eap {
                ok = return
        }
        -ldap
        expiration
        logintime
}

authenticate {
        eap
}

preacct {
        preprocess
        acct_unique
        suffix
        files
}

accounting {
        detail
        unix
        exec
        attr_filter.accounting_response
}

post-auth {
        update {
                &reply: += &session-state:
        }
        exec
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
                attr_filter.access_reject
                eap
                remove_reply_message_if_eap
        }
}

post-proxy {
        eap
}
}

---------------
*DEBUG*


(7) Received Access-Request Id 28 from 172.23.242.165:1645 to
192.168.244.230:1812 length 276
(7)   User-Name = 'anon1337'
(7)   Service-Type = Framed-User
(7)   Framed-IP-Address = 192.168.243.38
(7)   Framed-MTU = 1500
(7)   Called-Station-Id = '00-00-00-00-AA-AA'
(7)   Calling-Station-Id = '00-00-00-00-BB-BB'
(7)   EAP-Message =
0x026e0060190017030192.1680e6cb89aa98510fc404f1b7eb4933b8fc6042f461ca57ff5c3ac6d28f635e8367170301003003e93d2105ca95de4eb989a97f8beadb2ea20de1f5482dd4163a672bf875c413a29e3028b2e95d53c5b2856b29fe1deb
(7)   Message-Authenticator = 0xd5950daf85b25b80689292da899bdd86
(7)   NAS-Port-Type = Ethernet
(7)   NAS-Port = 50002
(7)   NAS-Port-Id = 'FastEthernet0/2'
(7)   Called-Station-Id = '00-00-00-00-AA-AA'
(7)   State = 0x2196d8c927f8c10ed58b5f9872208c8c
(7)   NAS-IP-Address = 172.23.242.165
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (!&User-Name) {
(7)       if (!&User-Name)  -> FALSE
(7)       if (&User-Name =~ / /) {
(7)       if (&User-Name =~ / /)  -> FALSE
(7)       if (&User-Name =~ /@.*@/ ) {
(7)       if (&User-Name =~ /@.*@/ )  -> FALSE
(7)       if (&User-Name =~ /\.\./ ) {
(7)       if (&User-Name =~ /\.\./ )  -> FALSE
(7)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(7)       if (&User-Name =~ /\.$/)  {
(7)       if (&User-Name =~ /\.$/)   -> FALSE
(7)       if (&User-Name =~ /@\./)  {
(7)       if (&User-Name =~ /@\./)   -> FALSE
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7) ntdomain: Checking for prefix before "\"
(7) ntdomain: No '\' in User-Name = "anon1337", looking up realm NULL
(7) ntdomain: No such realm "NULL"
(7)     [ntdomain] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "anon1337", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent code Response (2) ID 110 length 96
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0x2196d8c927f8c10e
(7) eap: Finished EAP session with state 0x2196d8c927f8c10e
(7) eap: Previous EAP request found for state 0x2196d8c927f8c10e, released
from the list
(7) eap: Peer sent method PEAP (25)
(7) eap: EAP PEAP (25)
(7) eap: Calling eap_peap to process EAP data
(7) eap_peap: processing EAP-TLS
(7) eap_peap: eaptls_verify returned 7
(7) eap_peap: Done initial handshake
(7) eap_peap: eaptls_process returned 7
(7) eap_peap: FR_TLS_OK
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - mydomain\user000
(7) eap_peap: Got inner identity 'mydomain\user000'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap:   EAP-Message = 0x026e001201676c6f62616c5c636872697361
(7) eap_peap: Setting User-Name to mydomain\user000
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap:   EAP-Message = 0x026e001201676c6f62616c5c636872697361
(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap:   User-Name = 'mydomain\user000'
(7) eap_peap:   Service-Type = Framed-User
(7) eap_peap:   Framed-IP-Address = 192.168.243.38
(7) eap_peap:   Framed-MTU = 1500
(7) eap_peap:   Called-Station-Id = '00-00-00-00-AA-AA'
(7) eap_peap:   Called-Station-Id = '00-00-00-00-AA-AA'
(7) eap_peap:   Calling-Station-Id = '00-00-00-00-BB-BB'
(7) eap_peap:   NAS-Port-Type = Ethernet
(7) eap_peap:   NAS-Port = 50002
(7) eap_peap:   NAS-Port-Id = 'FastEthernet0/2'
(7) eap_peap:   NAS-IP-Address = 172.23.242.165
(7) eap_peap:   Event-Timestamp = 'Dec 11 2014 16:55:38 EST'
(7) Virtual server received request
(7)   EAP-Message = 0x026e001201676c6f62616c5c636872697361
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = 'mydomain\user000'
(7)   Service-Type = Framed-User
(7)   Framed-IP-Address = 192.168.243.38
(7)   Framed-MTU = 1500
(7)   Called-Station-Id = '00-00-00-00-AA-AA'
(7)   Called-Station-Id = '00-00-00-00-AA-AA'
(7)   Calling-Station-Id = '00-00-00-00-BB-BB'
(7)   NAS-Port-Type = Ethernet
(7)   NAS-Port = 50002
(7)   NAS-Port-Id = 'FastEthernet0/2'
(7)   NAS-IP-Address = 172.23.242.165
(7)   Event-Timestamp = 'Dec 11 2014 16:55:38 EST'
(7) server inner-tunnel {
(7)   # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(7)     authorize {
(7) ntdomain: Checking for prefix before "\"
(7) ntdomain: Looking up realm "mydomain" for User-Name = "mydomain\user000"
(7) ntdomain: Found realm "mydomain"
(7) ntdomain: Adding Realm = "mydomain"
(7) ntdomain: Proxying request from user mydomain\user000 to realm mydomain
(7) ntdomain: Preparing to proxy authentication request to realm "mydomain"
(7)       [ntdomain] = updated
(7) suffix: Request already has destination realm set.  Ignoring
(7)       [suffix] = noop
(7) eap: Request is supposed to be proxied to Realm mydomain. Not doing EAP.
(7)       [eap] = noop
(7)       [expiration] = noop
(7)       [logintime] = noop
(7)       [pap] = noop
(7)     } # authorize = updated
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) eap_peap: Got tunneled reply code 0
(7) eap_peap: Calling authenticate in order to initiate tunneled EAP session
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7)   authenticate {
(7) eap: Peer sent method Identity (1)
(7) eap: Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2: Issuing Challenge
(7) eap: EAP session adding &reply:State = 0xd948b86bd927a2af
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) eap_peap: Cancelling proxy to realm mydomain until the tunneled EAP
session has been established
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap:   EAP-Message =
0x016f00271a016f002210909415ffc9c1692d6de6f744d7a31428676c6f62616c5c636872697361
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0xd948b86bd927a2af4aa0b84f98aa7925
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: EAP session adding &reply:State = 0x2196d8c926f9c10e
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) Sent Access-Challenge Id 28 from 192.168.244.230:1812 to
172.23.242.165:1645 length 133
(7)   EAP-Message =
0x016f004b190017030100401cc068f51a055ef75f0322d45ae7db44e69bc57efebdde94cc83224d0ddc8f49c26e121d7bee4c248be63d944a02d3802b6e51e1c040b12040c57ef3e03ef1ff
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x2196d8c926f9c10ed58b5f9872208c8c
(7) Finished request
Waking up in 0.2 seconds.
(8) Received Access-Request Id 29 from 172.23.242.165:1645 to
192.168.244.230:1812 length 324
(8)   User-Name = 'anon1337'
(8)   Service-Type = Framed-User
(8)   Framed-IP-Address = 192.168.243.38
(8)   Framed-MTU = 1500
(8)   Called-Station-Id = '00-00-00-00-AA-AA'
(8)   Calling-Station-Id = '00-00-00-00-BB-BB'
(8)   EAP-Message =
0x026f0090190017030192.16805f6aa95b7c5dff8199c9f7ea839908b524917466ca42abdd8169c148bb2fad7d17030100609e65f129d587f058f9ad84b662ab933e21f1fdc8b1d06fc07a353ac69160d38fa1cea74279db7816d337173b79c195d37433626c4ed7aa543ade8ef91f341da2ddb4d7425c5173
(8)   Message-Authenticator = 0xae08a4251146eef68e6aef5915fb17cb
(8)   NAS-Port-Type = Ethernet
(8)   NAS-Port = 50002
(8)   NAS-Port-Id = 'FastEthernet0/2'
(8)   Called-Station-Id = '00-00-00-00-AA-AA'
(8)   State = 0x2196d8c926f9c10ed58b5f9872208c8c
(8)   NAS-IP-Address = 172.23.242.165
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8)   authorize {
(8)     policy filter_username {
(8)       if (!&User-Name) {
(8)       if (!&User-Name)  -> FALSE
(8)       if (&User-Name =~ / /) {
(8)       if (&User-Name =~ / /)  -> FALSE
(8)       if (&User-Name =~ /@.*@/ ) {
(8)       if (&User-Name =~ /@.*@/ )  -> FALSE
(8)       if (&User-Name =~ /\.\./ ) {
(8)       if (&User-Name =~ /\.\./ )  -> FALSE
(8)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(8)       if (&User-Name =~ /\.$/)  {
(8)       if (&User-Name =~ /\.$/)   -> FALSE
(8)       if (&User-Name =~ /@\./)  {
(8)       if (&User-Name =~ /@\./)   -> FALSE
(8)     } # policy filter_username = notfound
(8)     [preprocess] = ok
(8) ntdomain: Checking for prefix before "\"
(8) ntdomain: No '\' in User-Name = "anon1337", looking up realm NULL
(8) ntdomain: No such realm "NULL"
(8)     [ntdomain] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "anon1337", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: Peer sent code Response (2) ID 111 length 144
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0xd948b86bd927a2af
(8) eap: Finished EAP session with state 0x2196d8c926f9c10e
(8) eap: Previous EAP request found for state 0x2196d8c926f9c10e, released
from the list
(8) eap: Peer sent method PEAP (25)
(8) eap: EAP PEAP (25)
(8) eap: Calling eap_peap to process EAP data
(8) eap_peap: processing EAP-TLS
(8) eap_peap: eaptls_verify returned 7
(8) eap_peap: Done initial handshake
(8) eap_peap: eaptls_process returned 7
(8) eap_peap: FR_TLS_OK
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP type MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message =
0x026f00481a026f004331bce4b4548870ee6a96268e682a0e42560000000000000000f418c2cd895d3b885d533428bcd934bf8ebeadb11a9e889b00676c6f62616c5c636872697361
(8) eap_peap: Setting User-Name to mydomain\user000
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap:   EAP-Message =
0x026f00481a026f004331bce4b4548870ee6a96268e682a0e42560000000000000000f418c2cd895d3b885d533428bcd934bf8ebeadb11a9e889b00676c6f62616c5c636872697361
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = 'mydomain\user000'
(8) eap_peap:   State = 0xd948b86bd927a2af4aa0b84f98aa7925
(8) eap_peap:   Service-Type = Framed-User
(8) eap_peap:   Framed-IP-Address = 192.168.243.38
(8) eap_peap:   Framed-MTU = 1500
(8) eap_peap:   Called-Station-Id = '00-00-00-00-AA-AA'
(8) eap_peap:   Called-Station-Id = '00-00-00-00-AA-AA'
(8) eap_peap:   Calling-Station-Id = '00-00-00-00-BB-BB'
(8) eap_peap:   NAS-Port-Type = Ethernet
(8) eap_peap:   NAS-Port = 50002
(8) eap_peap:   NAS-Port-Id = 'FastEthernet0/2'
(8) eap_peap:   NAS-IP-Address = 172.23.242.165
(8) eap_peap:   Event-Timestamp = 'Dec 11 2014 16:55:38 EST'
(8) Virtual server received request
(8)   EAP-Message =
0x026f00481a026f004331bce4b4548870ee6a96268e682a0e42560000000000000000f418c2cd895d3b885d533428bcd934bf8ebeadb11a9e889b00676c6f62616c5c636872697361
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = 'mydomain\user000'
(8)   State = 0xd948b86bd927a2af4aa0b84f98aa7925
(8)   Service-Type = Framed-User
(8)   Framed-IP-Address = 192.168.243.38
(8)   Framed-MTU = 1500
(8)   Called-Station-Id = '00-00-00-00-AA-AA'
(8)   Called-Station-Id = '00-00-00-00-AA-AA'
(8)   Calling-Station-Id = '00-00-00-00-BB-BB'
(8)   NAS-Port-Type = Ethernet
(8)   NAS-Port = 50002
(8)   NAS-Port-Id = 'FastEthernet0/2'
(8)   NAS-IP-Address = 172.23.242.165
(8)   Event-Timestamp = 'Dec 11 2014 16:55:38 EST'
(8) server inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(8)     authorize {
(8) ntdomain: Checking for prefix before "\"
(8) ntdomain: Looking up realm "mydomain" for User-Name = "mydomain\user000"
(8) ntdomain: Found realm "mydomain"
(8) ntdomain: Adding Realm = "mydomain"
(8) ntdomain: Proxying request from user mydomain\user000 to realm mydomain
(8) ntdomain: Preparing to proxy authentication request to realm "mydomain"
(8)       [ntdomain] = updated
(8) suffix: Request already has destination realm set.  Ignoring
(8)       [suffix] = noop
(8) eap: Request is supposed to be proxied to Realm mydomain. Not doing EAP.
(8)       [eap] = noop
(8)       [expiration] = noop
(8)       [logintime] = noop
(8)       [pap] = noop
(8)     } # authorize = updated
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) eap_peap: Got tunneled reply code 0
(8) eap_peap: Calling authenticate in order to initiate tunneled EAP session
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8)   authenticate {
(8) eap: Expiring EAP session with state 0xd948b86bd927a2af
(8) eap: Finished EAP session with state 0xd948b86bd927a2af
(8) eap: Previous EAP request found for state 0xd948b86bd927a2af, released
from the list
(8) eap: Peer sent method MSCHAPv2 (26)
(8) eap: EAP MSCHAPv2 (26)
(8) eap: Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2: cancelling authentication and letting it be proxied
(8) eap: No EAP proxy set.  Not composing EAP
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) eap_peap: Tunnelled authentication will be proxied to mydomain
(8) eap_peap: Remembering to do EAP-MS-CHAP-V2 post-proxy
(8) eap: Tunneled session will be proxied.  Not doing EAP
(8)     [eap] = handled
(8)   } # authenticate = handled
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 48355
(8) Proxying request to home server 192.168.1.103 port 1812 timeout 30.000000
(8) Sent Access-Request Id 198 from 0.0.0.0:48355 to 192.168.1.103:1812 length 255
(8)   User-Name = 'mydomain\user000'
(8)   Service-Type = Framed-User
(8)   Framed-IP-Address = 192.168.243.38
(8)   Framed-MTU = 1500
(8)   Called-Station-Id = '00-00-00-00-AA-AA'
(8)   Called-Station-Id = '00-00-00-00-AA-AA'
(8)   Calling-Station-Id = '00-00-00-00-BB-BB'
(8)   NAS-Port-Type = Ethernet
(8)   NAS-Port = 50002
(8)   NAS-Port-Id = 'FastEthernet0/2'
(8)   NAS-IP-Address = 172.23.242.165
(8)   Event-Timestamp = 'Dec 11 2014 16:55:38 EST'
(8)   MS-CHAP-Challenge = 0x909415ffc9c1692d6de6f744d7a31428
(8)   MS-CHAP2-Response =
0x6f6cbce4b4548870ee6a96268e682a0e42560000000000000000f418c2cd895d3b885d533428bcd934bf8ebeadb11a9e889b
(8)   Message-Authenticator := 0x00
(8)   Proxy-State = 0x3239
(8) Received Access-Accept Id 198 from 192.168.1.103:1812 to 192.168.244.230:48355 length 256
(8)   Proxy-State = 0x3239
(8)   Framed-Protocol = PPP
(8)   Service-Type = Framed-User
(8)   Class =
0x3fc704f900000137000102000a02016700000000000000000000000001d006be3dc74c5b000000000004f90c
(8)   MS-MPPE-Recv-Key = 0xc91f6a04dccbaf84f7c206510152cae5
(8)   MS-MPPE-Send-Key = 0xf2de36fbd643948f1f803fc4e177494f
(8)   MS-CHAP2-Success =
0x6f533d32453435313836344430354331393343313530383231384636304635433738463535413139383035
(8)   MS-CHAP-Domain = 'oMYDOMAIN'
(8)   MS-Link-Utilization-Threshold = 50
(8)   MS-Link-Drop-Time-Limit = 120
(8) # Executing section post-proxy from file /etc/raddb/sites-enabled/default
(8)   post-proxy {
(8) eap: Doing post-proxy callback
(8) eap: Passing reply from proxy back into the tunnel
server inner-tunnel {
(8) eap: Passing reply back for EAP-MS-CHAP-V2
(8) # Executing section post-proxy from file /etc/raddb/sites-enabled/inner-tunnel
(8)   post-proxy {
(8)     update {
(8)       &reply:User-Name += &User-Name -> 'mydomain\user000'
(8)     } # update = noop
(8) eap: Doing post-proxy callback
(8) eap: Passing reply from proxy back into the tunnel 2.
(8) eap: Proxied authentication succeeded
MSCHAP Success
(8) eap: EAP session adding &reply:State = 0xd948b86bd838a2af
(8)     [eap] = ok
(8)   } # post-proxy = ok
} # server inner-tunnel
(8) eap: Final reply from tunneled session code 11
(8) eap:   Proxy-State = 0x3239
(8) eap:   Framed-Protocol = PPP
(8) eap:   Service-Type = Framed-User
(8) eap:   Class =
0x3fc704f900000137000102000a02016700000000000000000000000001d006be3dc74c5b000000000004f90c
(8) eap:   MS-CHAP-Domain = 'oMYDOMAIN'
(8) eap:   MS-Link-Utilization-Threshold = 50
(8) eap:   MS-Link-Drop-Time-Limit = 120
(8) eap:   User-Name += 'mydomain\user000'
(8) eap:   EAP-Message =
0x017000331a036f002e533d32453435313836344430354331393343313530383231384636304635433738463535413139383035
(8) eap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap:   State = 0xd948b86bd838a2af4aa0b84f98aa7925
(8) eap: Got reply 11
(8) eap: Got tunneled reply RADIUS code 11
(8) eap:   Proxy-State = 0x3239
(8) eap:   Framed-Protocol = PPP
(8) eap:   Service-Type = Framed-User
(8) eap:   Class =
0x3fc704f900000137000102000a02016700000000000000000000000001d006be3dc74c5b000000000004f90c
(8) eap:   MS-CHAP-Domain = 'oMYDOMAIN'
(8) eap:   MS-Link-Utilization-Threshold = 50
(8) eap:   MS-Link-Drop-Time-Limit = 120
(8) eap:   User-Name += 'mydomain\user000'
(8) eap:   EAP-Message =
0x017000331a036f002e533d32453435313836344430354331393343313530383231384636304635433738463535413139383035
(8) eap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap:   State = 0xd948b86bd838a2af4aa0b84f98aa7925
(8) eap: Got tunneled Access-Challenge
(8) eap: Reply was handled
(8) eap: EAP session adding &reply:State = 0x2196d8c929e6c10e
(8)     [eap] = ok
(8)   } # post-proxy = ok
(8) Sent Access-Challenge Id 29 from 192.168.244.230:1812 to
172.23.242.165:1645 length 149
(8)   EAP-Message =
0x0170005b19001703010050e4af81c9ecf1135b817b48ffecdbdfedb6922e5cfe1d463f7e8ef93564a8bdc26e5ae1ef16598d2dfa622c69a1408d9be0a0ddc629ee1dc6c28f94be0e7342f5bba962637645ef95bdec9fb40ad5f6ab
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0x2196d8c929e6c10ed58b5f9872208c8c
(8) Finished request
Waking up in 0.2 seconds.
Waking up in 3.7 seconds.
(9) Received Access-Request Id 30 from 172.23.242.165:1645 to
192.168.244.230:1812 length 260
(9)   User-Name = 'anon1337'
(9)   Service-Type = Framed-User
(9)   Framed-IP-Address = 192.168.243.38
(9)   Framed-MTU = 1500
(9)   Called-Station-Id = '00-00-00-00-AA-AA'
(9)   Calling-Station-Id = '00-00-00-00-BB-BB'
(9)   EAP-Message =
0x02700050190017030192.1680ceb524c34f543d34a2114a5dc0162c1506dcb23023b799d1a6b01fd094a36bbe17030192.1680ac40f2c24559bd0245d1add229486b46e0ddc7e84ece128eed9af83704914517
(9)   Message-Authenticator = 0x2db32972e884849ee872929fee306127
(9)   NAS-Port-Type = Ethernet
(9)   NAS-Port = 50002
(9)   NAS-Port-Id = 'FastEthernet0/2'
(9)   Called-Station-Id = '00-00-00-00-AA-AA'
(9)   State = 0x2196d8c929e6c10ed58b5f9872208c8c
(9)   NAS-IP-Address = 172.23.242.165
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9)   authorize {
(9)     policy filter_username {
(9)       if (!&User-Name) {
(9)       if (!&User-Name)  -> FALSE
(9)       if (&User-Name =~ / /) {
(9)       if (&User-Name =~ / /)  -> FALSE
(9)       if (&User-Name =~ /@.*@/ ) {
(9)       if (&User-Name =~ /@.*@/ )  -> FALSE
(9)       if (&User-Name =~ /\.\./ ) {
(9)       if (&User-Name =~ /\.\./ )  -> FALSE
(9)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(9)       if (&User-Name =~ /\.$/)  {
(9)       if (&User-Name =~ /\.$/)   -> FALSE
(9)       if (&User-Name =~ /@\./)  {
(9)       if (&User-Name =~ /@\./)   -> FALSE
(9)     } # policy filter_username = notfound
(9)     [preprocess] = ok
(9) ntdomain: Checking for prefix before "\"
(9) ntdomain: No '\' in User-Name = "anon1337", looking up realm NULL
(9) ntdomain: No such realm "NULL"
(9)     [ntdomain] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "anon1337", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent code Response (2) ID 112 length 80
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9)   authenticate {
(9) eap: Expiring EAP session with state 0xd948b86bd838a2af
(9) eap: Finished EAP session with state 0x2196d8c929e6c10e
(9) eap: Previous EAP request found for state 0x2196d8c929e6c10e, released
from the list
(9) eap: Peer sent method PEAP (25)
(9) eap: EAP PEAP (25)
(9) eap: Calling eap_peap to process EAP data
(9) eap_peap: processing EAP-TLS
(9) eap_peap: eaptls_verify returned 7
(9) eap_peap: Done initial handshake
(9) eap_peap: eaptls_process returned 7
(9) eap_peap: FR_TLS_OK
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP type MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap:   EAP-Message = 0x027000061a03
(9) eap_peap: Setting User-Name to mydomain\user000
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap:   EAP-Message = 0x027000061a03
(9) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap:   User-Name = 'mydomain\user000'
(9) eap_peap:   State = 0xd948b86bd838a2af4aa0b84f98aa7925
(9) eap_peap:   Service-Type = Framed-User
(9) eap_peap:   Framed-IP-Address = 192.168.243.38
(9) eap_peap:   Framed-MTU = 1500
(9) eap_peap:   Called-Station-Id = '00-00-00-00-AA-AA'
(9) eap_peap:   Called-Station-Id = '00-00-00-00-AA-AA'
(9) eap_peap:   Calling-Station-Id = '00-00-00-00-BB-BB'
(9) eap_peap:   NAS-Port-Type = Ethernet
(9) eap_peap:   NAS-Port = 50002
(9) eap_peap:   NAS-Port-Id = 'FastEthernet0/2'
(9) eap_peap:   NAS-IP-Address = 172.23.242.165
(9) eap_peap:   Event-Timestamp = 'Dec 11 2014 16:55:39 EST'
(9) Virtual server received request
(9)   EAP-Message = 0x027000061a03
(9)   FreeRADIUS-Proxied-To = 127.0.0.1
(9)   User-Name = 'mydomain\user000'
(9)   State = 0xd948b86bd838a2af4aa0b84f98aa7925
(9)   Service-Type = Framed-User
(9)   Framed-IP-Address = 192.168.243.38
(9)   Framed-MTU = 1500
(9)   Called-Station-Id = '00-00-00-00-AA-AA'
(9)   Called-Station-Id = '00-00-00-00-AA-AA'
(9)   Calling-Station-Id = '00-00-00-00-BB-BB'
(9)   NAS-Port-Type = Ethernet
(9)   NAS-Port = 50002
(9)   NAS-Port-Id = 'FastEthernet0/2'
(9)   NAS-IP-Address = 172.23.242.165
(9)   Event-Timestamp = 'Dec 11 2014 16:55:39 EST'
(9) server inner-tunnel {
(9)   session-state: No cached attributes
(9)   # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(9)     authorize {
(9) ntdomain: Checking for prefix before "\"
(9) ntdomain: Looking up realm "mydomain" for User-Name = "mydomain\user000"
(9) ntdomain: Found realm "mydomain"
(9) ntdomain: Adding Realm = "mydomain"
(9) ntdomain: Proxying request from user mydomain\user000 to realm mydomain
(9) ntdomain: Preparing to proxy authentication request to realm "mydomain"
(9)       [ntdomain] = updated
(9) suffix: Request already has destination realm set.  Ignoring
(9)       [suffix] = noop
(9) eap: Request is supposed to be proxied to Realm mydomain. Not doing EAP.
(9)       [eap] = noop
(9)       [expiration] = noop
(9)       [logintime] = noop
(9)       [pap] = noop
(9)     } # authorize = updated
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9) eap_peap: Got tunneled reply code 0
(9) eap_peap: Calling authenticate in order to initiate tunneled EAP session
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9)   authenticate {
(9) eap: Expiring EAP session with state 0xd948b86bd838a2af
(9) eap: Finished EAP session with state 0xd948b86bd838a2af
(9) eap: Previous EAP request found for state 0xd948b86bd838a2af, released
from the list
(9) eap: Peer sent method MSCHAPv2 (26)
(9) eap: EAP MSCHAPv2 (26)
(9) eap: Calling eap_mschapv2 to process EAP data
(9) eap: Freeing handler
(9)     [eap] = ok
(9)   } # authenticate = ok
(9) eap_peap: Got tunneled reply RADIUS code 2
(9) eap_peap:   MS-MPPE-Send-Key = 0xf2de36fbd643948f1f803fc4e177494f
(9) eap_peap:   MS-MPPE-Recv-Key = 0xc91f6a04dccbaf84f7c206510152cae5
(9) eap_peap:   Proxy-State = 0x3239
(9) eap_peap:   Framed-Protocol = PPP
(9) eap_peap:   Service-Type = Framed-User
(9) eap_peap:   Class =
0x3fc704f900000137000102000a02016700000000000000000000000001d006be3dc74c5b000000000004f90c
(9) eap_peap:   MS-CHAP-Domain = 'oMYDOMAIN'
(9) eap_peap:   MS-Link-Utilization-Threshold = 50
(9) eap_peap:   MS-Link-Drop-Time-Limit = 120
(9) eap_peap:   User-Name += 'mydomain\user000'
(9) eap_peap:   EAP-Message = 0x03700004
(9) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: Tunneled authentication was successful
(9) eap_peap: SUCCESS
(9) eap: EAP session adding &reply:State = 0x2196d8c928e7c10e
(9)     [eap] = handled
(9)   } # authenticate = handled
(9) Sent Access-Challenge Id 30 from 192.168.244.230:1812 to
172.23.242.165:1645 length 101
(9)   EAP-Message =
0x017192.168b190017030192.1680c6fab14adc6c0ced5f0317c798fa57aff8a040ecf4384af7e1490a42279ff4f7
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   State = 0x2196d8c928e7c10ed58b5f9872208c8c
(9) Finished request
Waking up in 0.3 seconds.
(10) Received Access-Request Id 31 from 172.23.242.165:1645 to
192.168.244.230:1812 length 260
(10)   User-Name = 'anon1337'
(10)   Service-Type = Framed-User
(10)   Framed-IP-Address = 192.168.243.38
(10)   Framed-MTU = 1500
(10)   Called-Station-Id = '00-00-00-00-AA-AA'
(10)   Calling-Station-Id = '00-00-00-00-BB-BB'
(10)   EAP-Message =
0x02710050190017030192.1680247750954f15ab3e1370c5f04879ba432f948b0645cc5fc91dc71a56f3a9023a17030192.168073c995b596d5ba2ad25adc110c3ab7125de7738c7273a6e7533fb295d897bc9b
(10)   Message-Authenticator = 0xabddfb24ce3d43a042ea662e5ac514ef
(10)   NAS-Port-Type = Ethernet
(10)   NAS-Port = 50002
(10)   NAS-Port-Id = 'FastEthernet0/2'
(10)   Called-Station-Id = '00-00-00-00-AA-AA'
(10)   State = 0x2196d8c928e7c10ed58b5f9872208c8c
(10)   NAS-IP-Address = 172.23.242.165
(10) session-state: No cached attributes
(10) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(10)   authorize {
(10)     policy filter_username {
(10)       if (!&User-Name) {
(10)       if (!&User-Name)  -> FALSE
(10)       if (&User-Name =~ / /) {
(10)       if (&User-Name =~ / /)  -> FALSE
(10)       if (&User-Name =~ /@.*@/ ) {
(10)       if (&User-Name =~ /@.*@/ )  -> FALSE
(10)       if (&User-Name =~ /\.\./ ) {
(10)       if (&User-Name =~ /\.\./ )  -> FALSE
(10)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(10)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(10)       if (&User-Name =~ /\.$/)  {
(10)       if (&User-Name =~ /\.$/)   -> FALSE
(10)       if (&User-Name =~ /@\./)  {
(10)       if (&User-Name =~ /@\./)   -> FALSE
(10)     } # policy filter_username = notfound
(10)     [preprocess] = ok
(10) ntdomain: Checking for prefix before "\"
(10) ntdomain: No '\' in User-Name = "anon1337", looking up realm NULL
(10) ntdomain: No such realm "NULL"
(10)     [ntdomain] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "anon1337", looking up realm NULL
(10) suffix: No such realm "NULL"
(10)     [suffix] = noop
(10) eap: Peer sent code Response (2) ID 113 length 80
(10) eap: Continuing tunnel setup
(10)     [eap] = ok
(10)   } # authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10)   authenticate {
(10) eap: Expiring EAP session with state 0x2196d8c928e7c10e
(10) eap: Finished EAP session with state 0x2196d8c928e7c10e
(10) eap: Previous EAP request found for state 0x2196d8c928e7c10e, released
from the list
(10) eap: Peer sent method PEAP (25)
(10) eap: EAP PEAP (25)
(10) eap: Calling eap_peap to process EAP data
(10) eap_peap: processing EAP-TLS
(10) eap_peap: eaptls_verify returned 7
(10) eap_peap: Done initial handshake
(10) eap_peap: eaptls_process returned 7
(10) eap_peap: FR_TLS_OK
(10) eap_peap: Session established.  Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Success
(10) eap_peap: No information to cache: session caching will be disabled
for session 092599a5df0926e3e9440ae53c451e4b253e8e1516b2447e289ce1b5904239c5
  SSL: Removing session
092599a5df0926e3e9440ae53c451e4b253e8e1516b2447e289ce1b5904239c5 from the
cache
(10) eap: Freeing handler
(10)     [eap] = ok
(10)   } # authenticate = ok
(10) # Executing section post-auth from file
/etc/raddb/sites-enabled/default
(10)   post-auth {
(10)     update {
(10)       No attributes updated
(10)     } # update = noop
(10)     [exec] = noop
(10)     policy remove_reply_message_if_eap {
(10)       if (&reply:EAP-Message && &reply:Reply-Message) {
(10)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(10)       else {
(10)         [noop] = noop
(10)       } # else = noop
(10)     } # policy remove_reply_message_if_eap = noop
(10)   } # post-auth = noop
(10) Sent Access-Accept Id 31 from 192.168.244.230:1812 to 172.23.242.165:1645 length 170
(10)   MS-MPPE-Recv-Key = 0xb5c9941fdf7d63b2f617b2faafb5552e075691a9b617df1da24c2cd77e86cbaa
(10)   MS-MPPE-Send-Key = 0xdd5153f339ed2bc1e6c3fd7b68b36d9070688f4700dda0170c2086fc24f99e8a
(10)   EAP-Message = 0x03710004
(10)   Message-Authenticator = 0x00000000000000000000000000000000
(10)   User-Name = 'anon1337'
(10) Finished request
Waking up in 0.3 seconds.
Waking up in 2.7 seconds.
(11) Received Accounting-Request Id 186 from 172.23.242.165:1646 to 192.168.244.230:1813 length 173
(11)   Acct-Session-Id = '00018AE4'
(11)   Calling-Station-Id = '00-00-00-00-BB-BB'
(11)   Framed-IP-Address = 192.168.243.38
(11)   User-Name = 'anon1337'
(11)   Acct-Session-Time = 6124
(11)   Acct-Input-Octets = 572933
(11)   Acct-Output-Octets = 1640076
(11)   Acct-Input-Packets = 4773
(11)   Acct-Output-Packets = 16442
(11)   Acct-Authentic = RADIUS
(11)   Acct-Status-Type = Interim-Update
(11)   NAS-Port-Type = Ethernet
(11)   NAS-Port = 50002
(11)   NAS-Port-Id = 'FastEthernet0/2'
(11)   Called-Station-Id = '00-00-00-00-AA-AA'
(11)   Service-Type = Framed-User
(11)   NAS-IP-Address = 172.23.242.165
(11)   Acct-Delay-Time = 0
(11) # Executing section preacct from file /etc/raddb/sites-enabled/default
(11)   preacct {
(11)     [preprocess] = ok
(11)     policy acct_unique {
(11)       if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(11)       EXPAND %{string:Class}
(11)          -->
(11)       if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i)  -> FALSE
(11)       else {
(11)         update request {
(11)           EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(11)              --> 38f99589b6e9b39e24fcf277e9459a58
(11)           &Acct-Unique-Session-Id := "38f99589b6e9b39e24fcf277e9459a58"
(11)         } # update request = noop
(11)       } # else = noop
(11)     } # policy acct_unique = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "anon1337", looking up realm NULL
(11) suffix: No such realm "NULL"
(11)     [suffix] = noop
(11)     [files] = noop
(11)   } # preacct = ok
(11) # Executing section accounting from file /etc/raddb/sites-enabled/default
(11)   accounting {
(11) detail: EXPAND /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(11) detail:    --> /var/log/radiusd/radacct/172.23.242.165/detail-20141211
(11) detail: /var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radiusd/radacct/172.23.242.165/detail-20141211
(11) detail: EXPAND %t
(11) detail:    --> Thu Dec 11 16:55:40 2014
(11)     [detail] = ok
(11)     [unix] = noop
(11)     [exec] = noop
(11) attr_filter.accounting_response: EXPAND %{User-Name}
(11) attr_filter.accounting_response:    --> anon1337
(11) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(11)     [attr_filter.accounting_response] = updated
(11)   } # accounting = updated
(11) Sent Accounting-Response Id 186 from 192.168.244.230:1813 to 172.23.242.165:1646 length 20
(11) Finished request