LDAP Groups to Freeradius and then Ruckus Wireless?
Enrique Sainz Baixauli
enriquesainz.beca at intef.educacion.es
Mon Jun 9 11:31:01 CEST 2014
>> In the meantime, I am trying to configure EAP-TLS for a more secure
>> authentication based on client certificates. I generated a CA
>> certificate and used it to sign server and client certificates, which
>> I installed where I needed. However, trying to associate a W7 machine
>> to the AP resulted in freeradius segfaulting:
>>
>> (5) # executing section post-auth from file
>> /etc/freeradius/sites-enabled/default
>> (5) cache: [... creating cache entry ...]
>> (5) [cache] = updated
>> (5) foreach &control:LDAP-Group
>> (5) update reply {
>> Segmentation fault
>>
>> In update reply {} there is only one line of code:
>>
>> &Ruckus-User-Groups += "%{Foreach-Variable-0}"
>>
>> And the call to the cache module was the only previous uncommented
>> line in post-auth. So I'm quite clueless about where the segfault
>> comes from, since that same line worked perfectly with MSCHAPv2 inside
>> of PEAP... If you need any more debug output feel free to ask :)
>
>I'm guessing you'd need to follow
>http://wiki.freeradius.org/project/bug-reports#Crashes-(Segmentation-violat
ions,-Memory-alignment-errors,-ASSERTs-etc...)
>or
http://lists.freeradius.org/pipermail/freeradius-devel/2014-January/009084.h
tml
Ok, so I installed the debug symbols from the PPA repository and uncommented
the panic_action line in radiusd.conf. This is the full debug output now:
(I have to say that I got a segfault last week that I could fix on my own,
but I have no idea where this one comes from. The previous one was about
setting outer.reply in default server's post-auth - there is no outer reply
in there. It doesn't look like that one though...)
Received Access-Request Id 39 from 192.168.60.1:1024 to 192.168.50.62:1812
length 190
User-Name = 'juan'
Calling-Station-Id = '00-26-C6-7C-C4-58'
NAS-IP-Address = 192.168.60.1
NAS-Port = 1
Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES'
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-Identifier = '2C-E6-CC-1A-3E-5C'
Connect-Info = 'CONNECT 802.11a/n'
EAP-Message = 0x02000009016a75616e
Attr-26.25053.3 = 0x50524f4645534f524553
Message-Authenticator = 0x6ccb32c7b00d65c7617e787ee0f8862b
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0) authorize {
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : No '@' in User-Name = "juan", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) eap : EAP packet type response id 0 length 9
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap : Peer sent Identity (1)
(0) eap : Calling eap_tls to process EAP data
(0) eap_tls : Flushing SSL sessions (of #0)
(0) eap_tls : Requiring client certificate
(0) eap_tls : Initiate
(0) eap_tls : Requiring client certificate
(0) eap_tls : Start returned 1
(0) eap : New EAP session, adding 'State' attribute to reply
0x4b06bc534b07b123
(0) [eap] = handled
(0) } # authenticate = handled
Sending Access-Challenge Id 39 from 192.168.50.62:1812 to 192.168.60.1:1024
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4b06bc534b07b123a5815ce5986a7061
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 40 from 192.168.60.1:1024 to 192.168.50.62:1812
length 304
User-Name = 'juan'
Calling-Station-Id = '00-26-C6-7C-C4-58'
NAS-IP-Address = 192.168.60.1
NAS-Port = 1
Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES'
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-Identifier = '2C-E6-CC-1A-3E-5C'
Connect-Info = 'CONNECT 802.11a/n'
EAP-Message =
0x020100690d800000005f160301005a01000056030153957c5a9884652d6bb6c5d6bb19564d
4010cad78f6021d6f9bb42a26c6332a0000018002f00350005000ac013c014c009c00a003200
380013000401000015ff01000100000a0006000400170018000b00020100
State = 0x4b06bc534b07b123a5815ce5986a7061
Attr-26.25053.3 = 0x50524f4645534f524553
Message-Authenticator = 0x424c68d593e8b471a7168fa8f90c84aa
(1) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(1) authorize {
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : No '@' in User-Name = "juan", looking up realm NULL
(1) suffix : No such realm "NULL"
(1) [suffix] = noop
(1) eap : EAP packet type response id 1 length 105
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap : --> (uid=juan)
(1) ldap : EXPAND dc=ejemplo,dc=org
(1) ldap : --> dc=ejemplo,dc=org
(1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(uid=juan)', scope 'sub'
(1) ldap : Waiting for search result...
(1) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org"
(1) ldap : No cacheable group memberships found in user object
(1) ldap : EXPAND
(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))
(1) ldap : -->
(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl
o\2cdc\3dorg))
(1) ldap : EXPAND dc=ejemplo,dc=org
(1) ldap : --> dc=ejemplo,dc=org
(1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp
lo\2cdc\3dorg))', scope 'sub'
(1) ldap : Waiting for search result...
(1) ldap : Added control:Ldap-Group with value "profesores"
(1) ldap : Processing user attributes
(1) ldap : control:Password-With-Header += ''1234''
rlm_ldap (ldap): Released connection (4)
(1) [ldap] = ok
(1) foreach &control:LDAP-Group
(1) update reply {
(1) EXPAND %{Foreach-Variable-0}
(1) --> profesores
(1) &Ruckus-User-Groups += '"profesores"'
(1) } # update reply = noop
(1) } # foreach &control:LDAP-Group = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password
(1) WARNING: pap : Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap : Expiring EAP session with state 0x4b06bc534b07b123
(1) eap : Finished EAP session with state 0x4b06bc534b07b123
(1) eap : Previous EAP request found for state 0x4b06bc534b07b123, released
from the list
(1) eap : Peer sent TLS (13)
(1) eap : EAP TLS (13)
(1) eap : Calling eap_tls to process EAP data
(1) eap_tls : Authenticate
(1) eap_tls : processing EAP-TLS
TLS Length 95
(1) eap_tls : Length Included
(1) eap_tls : eaptls_verify returned 11
(1) eap_tls : (other): before/accept initialization
(1) eap_tls : TLS_accept: before/accept initialization
(1) eap_tls : <<< TLS 1.0 Handshake [length 005a], ClientHello
(1) eap_tls : TLS_accept: SSLv3 read client hello A
(1) eap_tls : >>> TLS 1.0 Handshake [length 0051], ServerHello
(1) eap_tls : TLS_accept: SSLv3 write server hello A
(1) eap_tls : >>> TLS 1.0 Handshake [length 0707], Certificate
(1) eap_tls : TLS_accept: SSLv3 write certificate A
(1) eap_tls : >>> TLS 1.0 Handshake [length 0056], CertificateRequest
(1) eap_tls : TLS_accept: SSLv3 write certificate request A
(1) eap_tls : TLS_accept: SSLv3 flush data
(1) eap_tls : TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
(1) eap_tls : eaptls_process returned 13
(1) eap : New EAP session, adding 'State' attribute to reply
0x4b06bc534a04b123
(1) [eap] = handled
(1) } # authenticate = handled
Sending Access-Challenge Id 40 from 192.168.50.62:1812 to 192.168.60.1:1024
Ruckus-User-Groups += 'profesores'
EAP-Message =
0x010203ec0dc0000007bd16030100510200004d030153800d41db8bc00fc64e65976eef8ad5
05728f175a82585bb671517fa25b004220e538ae19205137b530866cbe9c73fda07251b82edf
134c60a8556d5601036be8002f000005ff0100010016030107070b00070300070000039b3082
03973082027fa003020102020900c43f77feef6a22ef300d06092a864886f70d010105050030
44310b3009060355040613024553310f300d06035504080c064d6164726964310e300c060355
040a0c05494e5445463114301206035504030c0b656a656d706c6f2e6f7267301e170d313430
3532303037313134325a170d3135303532303037313134325a3055310b300906035504061302
4553310f300d06035504080c064d6164726964310f300d06035504070c064d6164726964310e
300c060355040a0c05494e5445463114301206035504030c0b656a656d706c6f2e6f72673082
0122300d06092a864886f70d01010105000382010f003082010a0282010100d86d13ea2fa99e
fe3982e0ceface40d345221a17f49a4cbdf8774fc1cea663192790995f1df5c32c30ea86fe51
90ff99a3012ff8e54e94de9d81e96fb282562e1264f059238606c51afebce65604a4902dcdfc
803041f6240e2c7a03cca18c70238e9c0fda027487bcb8868c95850aae68986c068f737434ee
cdbbbdaabfd83780ce9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4b06bc534a04b123a5815ce5986a7061
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 41 from 192.168.60.1:1024 to 192.168.50.62:1812
length 205
User-Name = 'juan'
Calling-Station-Id = '00-26-C6-7C-C4-58'
NAS-IP-Address = 192.168.60.1
NAS-Port = 1
Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES'
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-Identifier = '2C-E6-CC-1A-3E-5C'
Connect-Info = 'CONNECT 802.11a/n'
EAP-Message = 0x020200060d00
State = 0x4b06bc534a04b123a5815ce5986a7061
Attr-26.25053.3 = 0x50524f4645534f524553
Message-Authenticator = 0x957db049fc1d0e94a5a57f9776395e30
(2) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(2) authorize {
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix : No '@' in User-Name = "juan", looking up realm NULL
(2) suffix : No such realm "NULL"
(2) [suffix] = noop
(2) eap : EAP packet type response id 2 length 6
(2) eap : No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(2) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(2) ldap : --> (uid=juan)
(2) ldap : EXPAND dc=ejemplo,dc=org
(2) ldap : --> dc=ejemplo,dc=org
(2) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(uid=juan)', scope 'sub'
(2) ldap : Waiting for search result...
(2) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org"
(2) ldap : No cacheable group memberships found in user object
(2) ldap : EXPAND
(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))
(2) ldap : -->
(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl
o\2cdc\3dorg))
(2) ldap : EXPAND dc=ejemplo,dc=org
(2) ldap : --> dc=ejemplo,dc=org
(2) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp
lo\2cdc\3dorg))', scope 'sub'
(2) ldap : Waiting for search result...
(2) ldap : Added control:Ldap-Group with value "profesores"
(2) ldap : Processing user attributes
(2) ldap : control:Password-With-Header += ''1234''
rlm_ldap (ldap): Released connection (4)
(2) [ldap] = ok
(2) foreach &control:LDAP-Group
(2) update reply {
(2) EXPAND %{Foreach-Variable-0}
(2) --> profesores
(2) &Ruckus-User-Groups += '"profesores"'
(2) } # update reply = noop
(2) } # foreach &control:LDAP-Group = noop
(2) [expiration] = noop
(2) [logintime] = noop
(2) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password
(2) WARNING: pap : Auth-Type already set. Not setting to PAP
(2) [pap] = noop
(2) } # authorize = updated
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) authenticate {
(2) eap : Expiring EAP session with state 0x4b06bc534a04b123
(2) eap : Finished EAP session with state 0x4b06bc534a04b123
(2) eap : Previous EAP request found for state 0x4b06bc534a04b123, released
from the list
(2) eap : Peer sent TLS (13)
(2) eap : EAP TLS (13)
(2) eap : Calling eap_tls to process EAP data
(2) eap_tls : Authenticate
(2) eap_tls : processing EAP-TLS
(2) eap_tls : Received TLS ACK
(2) eap_tls : Received TLS ACK
(2) eap_tls : ACK handshake fragment handler
(2) eap_tls : eaptls_verify returned 1
(2) eap_tls : eaptls_process returned 13
(2) eap : New EAP session, adding 'State' attribute to reply
0x4b06bc534905b123
(2) [eap] = handled
(2) } # authenticate = handled
Sending Access-Challenge Id 41 from 192.168.50.62:1812 to 192.168.60.1:1024
Ruckus-User-Groups += 'profesores'
EAP-Message =
0x010303e50d80000007bd3849d248b1dfa322109bc7213dc7b995e11cf1ec9e393177e1d411
f1b83700035f3082035b30820243a003020102020900c43f77feef6a22ee300d06092a864886
f70d01010505003044310b3009060355040613024553310f300d06035504080c064d61647269
64310e300c060355040a0c05494e5445463114301206035504030c0b656a656d706c6f2e6f72
67301e170d3134303532303037303835355a170d3137303531393037303835355a3044310b30
09060355040613024553310f300d06035504080c064d6164726964310e300c060355040a0c05
494e5445463114301206035504030c0b656a656d706c6f2e6f726730820122300d06092a8648
86f70d01010105000382010f003082010a0282010100b34d31cc087201a6f5f91e1f411fbe7c
8175e68364d88e7bc6fb454918d40aca5f65cb2caf0496d4c7ef1b62379ab4ddfc60338d8785
d6f4b208091cda2f566d39b233c9a76cfcd2e14a21a5c1c1ad30c6c6734fb0024ef4511a7867
9f4b2e6085113cb24d3229fa288b7ae5a460348f253fa438172cfb0b2c66c005747d6b716d6e
221e492e793c17439a19d638bc84ecde2aaf864e1b22007c29b5aa056637d4dd4bde4783dd1b
2994b87522662742b8c5477ce8c39227a3bf8b71b2dce5323150b49cd27134e4a79f7f98d371
cad38b0e72363efbc62
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4b06bc534905b123a5815ce5986a7061
(2) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 42 from 192.168.60.1:1024 to 192.168.50.62:1812
length 1701
User-Name = 'juan'
Calling-Station-Id = '00-26-C6-7C-C4-58'
NAS-IP-Address = 192.168.60.1
NAS-Port = 1
Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES'
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-Identifier = '2C-E6-CC-1A-3E-5C'
Connect-Info = 'CONNECT 802.11a/n'
EAP-Message =
0x020305d40dc0000005d916030105990b0003890003860003833082037f30820267a0030201
02020900c43f77feef6a22f0300d06092a864886f70d01010505003044310b30090603550406
13024553310f300d06035504080c064d6164726964310e300c060355040a0c05494e54454631
14301206035504030c0b656a656d706c6f2e6f7267301e170d3134303532313035323130335a
170d3135303532313035323130335a303d310b3009060355040613024553310f300d06035504
080c064d6164726964310e300c060355040a0c05494e544546310d300b06035504030c046a75
616e30820122300d06092a864886f70d01010105000382010f003082010a0282010100d8fe45
c46e4743d7ecaf6c82f5206a6d1683234f11e54af93501eba03aaadf6c4a123bb2aeebce0717
b6930a3e550f9e75e38fb7f0057acebdeecb6d396c4547ed2cb496d887ae6973982c7b708898
d3d4e080c44679ffc2eeea7b707f3d03aacfd8544465a96f0988366c5c8a8fd9e84bd38006f7
1b572a526759eaf147a20c21f42ef7c8f8c37915768eec7e41402c3869e8c06a06d6d53a3fac
290b9db34a737a55ce6c3bc544396ee4f35ff28622c2318c57b0ce8b86aac710ed16e56960d4
a2fafbe851afb250256e5b03cf37f52ace63f3eb801d78d6e2e3ebdb4ac5493bbca5129d60cb
ea4a1f7e96391a9216a
State = 0x4b06bc534905b123a5815ce5986a7061
Attr-26.25053.3 = 0x50524f4645534f524553
Message-Authenticator = 0x73f8a458222a4c6bb7eec10883f1b056
(3) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(3) authorize {
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix : No '@' in User-Name = "juan", looking up realm NULL
(3) suffix : No such realm "NULL"
(3) [suffix] = noop
(3) eap : EAP packet type response id 3 length 1492
(3) eap : No EAP Start, assuming it's an on-going EAP conversation
(3) [eap] = updated
(3) [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(3) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(3) ldap : --> (uid=juan)
(3) ldap : EXPAND dc=ejemplo,dc=org
(3) ldap : --> dc=ejemplo,dc=org
(3) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(uid=juan)', scope 'sub'
(3) ldap : Waiting for search result...
(3) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org"
(3) ldap : No cacheable group memberships found in user object
(3) ldap : EXPAND
(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))
(3) ldap : -->
(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl
o\2cdc\3dorg))
(3) ldap : EXPAND dc=ejemplo,dc=org
(3) ldap : --> dc=ejemplo,dc=org
(3) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp
lo\2cdc\3dorg))', scope 'sub'
(3) ldap : Waiting for search result...
(3) ldap : Added control:Ldap-Group with value "profesores"
(3) ldap : Processing user attributes
(3) ldap : control:Password-With-Header += ''1234''
rlm_ldap (ldap): Released connection (4)
(3) [ldap] = ok
(3) foreach &control:LDAP-Group
(3) update reply {
(3) EXPAND %{Foreach-Variable-0}
(3) --> profesores
(3) &Ruckus-User-Groups += '"profesores"'
(3) } # update reply = noop
(3) } # foreach &control:LDAP-Group = noop
(3) [expiration] = noop
(3) [logintime] = noop
(3) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password
(3) WARNING: pap : Auth-Type already set. Not setting to PAP
(3) [pap] = noop
(3) } # authorize = updated
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) authenticate {
(3) eap : Expiring EAP session with state 0x4b06bc534905b123
(3) eap : Finished EAP session with state 0x4b06bc534905b123
(3) eap : Previous EAP request found for state 0x4b06bc534905b123, released
from the list
(3) eap : Peer sent TLS (13)
(3) eap : EAP TLS (13)
(3) eap : Calling eap_tls to process EAP data
(3) eap_tls : Authenticate
(3) eap_tls : processing EAP-TLS
TLS Length 1497
(3) eap_tls : Received EAP-TLS First Fragment of the message
(3) eap_tls : eaptls_verify returned 9
(3) eap_tls : eaptls_process returned 13
(3) eap : New EAP session, adding 'State' attribute to reply
0x4b06bc534802b123
(3) [eap] = handled
(3) } # authenticate = handled
Sending Access-Challenge Id 42 from 192.168.50.62:1812 to 192.168.60.1:1024
Ruckus-User-Groups += 'profesores'
EAP-Message = 0x010400060d00
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4b06bc534802b123a5815ce5986a7061
(3) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 43 from 192.168.60.1:1024 to 192.168.50.62:1812
length 220
User-Name = 'juan'
Calling-Station-Id = '00-26-C6-7C-C4-58'
NAS-IP-Address = 192.168.60.1
NAS-Port = 1
Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES'
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-Identifier = '2C-E6-CC-1A-3E-5C'
Connect-Info = 'CONNECT 802.11a/n'
EAP-Message = 0x020400150d003739040f9689b4ab4612f7dce2d48e
State = 0x4b06bc534802b123a5815ce5986a7061
Attr-26.25053.3 = 0x50524f4645534f524553
Message-Authenticator = 0x39dbec026a12ec8acebb4f68297652a0
(4) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(4) authorize {
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix : No '@' in User-Name = "juan", looking up realm NULL
(4) suffix : No such realm "NULL"
(4) [suffix] = noop
(4) eap : EAP packet type response id 4 length 21
(4) eap : No EAP Start, assuming it's an on-going EAP conversation
(4) [eap] = updated
(4) [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(4) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(4) ldap : --> (uid=juan)
(4) ldap : EXPAND dc=ejemplo,dc=org
(4) ldap : --> dc=ejemplo,dc=org
(4) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(uid=juan)', scope 'sub'
(4) ldap : Waiting for search result...
(4) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org"
(4) ldap : No cacheable group memberships found in user object
(4) ldap : EXPAND
(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))
(4) ldap : -->
(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl
o\2cdc\3dorg))
(4) ldap : EXPAND dc=ejemplo,dc=org
(4) ldap : --> dc=ejemplo,dc=org
(4) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp
lo\2cdc\3dorg))', scope 'sub'
(4) ldap : Waiting for search result...
(4) ldap : Added control:Ldap-Group with value "profesores"
(4) ldap : Processing user attributes
(4) ldap : control:Password-With-Header += ''1234''
rlm_ldap (ldap): Released connection (4)
(4) [ldap] = ok
(4) foreach &control:LDAP-Group
(4) update reply {
(4) EXPAND %{Foreach-Variable-0}
(4) --> profesores
(4) &Ruckus-User-Groups += '"profesores"'
(4) } # update reply = noop
(4) } # foreach &control:LDAP-Group = noop
(4) [expiration] = noop
(4) [logintime] = noop
(4) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password
(4) WARNING: pap : Auth-Type already set. Not setting to PAP
(4) [pap] = noop
(4) } # authorize = updated
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) authenticate {
(4) eap : Expiring EAP session with state 0x4b06bc534802b123
(4) eap : Finished EAP session with state 0x4b06bc534802b123
(4) eap : Previous EAP request found for state 0x4b06bc534802b123, released
from the list
(4) eap : Peer sent TLS (13)
(4) eap : EAP TLS (13)
(4) eap : Calling eap_tls to process EAP data
(4) eap_tls : Authenticate
(4) eap_tls : processing EAP-TLS
(4) eap_tls : eaptls_verify returned 7
(4) eap_tls : Done initial handshake
(4) eap_tls : <<< TLS 1.0 Handshake [length 038d], Certificate
(4) eap_tls : chain-depth=1,
(4) eap_tls : error=0
(4) eap_tls : --> User-Name = juan
(4) eap_tls : --> BUF-Name = ejemplo.org
(4) eap_tls : --> subject = /C=ES/ST=Madrid/O=INTEF/CN=ejemplo.org
(4) eap_tls : --> issuer = /C=ES/ST=Madrid/O=INTEF/CN=ejemplo.org
(4) eap_tls : --> verify return:1
(4) eap_tls : chain-depth=0,
(4) eap_tls : error=0
(4) eap_tls : --> User-Name = juan
(4) eap_tls : --> BUF-Name = juan
(4) eap_tls : --> subject = /C=ES/ST=Madrid/O=INTEF/CN=juan
(4) eap_tls : --> issuer = /C=ES/ST=Madrid/O=INTEF/CN=ejemplo.org
(4) eap_tls : --> verify return:1
(4) eap_tls : TLS_accept: SSLv3 read client certificate A
(4) eap_tls : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
(4) eap_tls : TLS_accept: SSLv3 read client key exchange A
(4) eap_tls : <<< TLS 1.0 Handshake [length 0106], CertificateVerify
(4) eap_tls : TLS_accept: SSLv3 read certificate verify A
(4) eap_tls : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_tls : <<< TLS 1.0 Handshake [length 0010], Finished
(4) eap_tls : TLS_accept: SSLv3 read finished A
(4) eap_tls : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_tls : TLS_accept: SSLv3 write change cipher spec A
(4) eap_tls : >>> TLS 1.0 Handshake [length 0010], Finished
(4) eap_tls : TLS_accept: SSLv3 write finished A
(4) eap_tls : TLS_accept: SSLv3 flush data
SSL: adding session
e538ae19205137b530866cbe9c73fda07251b82edf134c60a8556d5601036be8 to cache
(4) eap_tls : (other): SSL negotiation finished successfully
SSL Connection Established
(4) eap_tls : eaptls_process returned 13
(4) eap : New EAP session, adding 'State' attribute to reply
0x4b06bc534f03b123
(4) [eap] = handled
(4) } # authenticate = handled
Sending Access-Challenge Id 43 from 192.168.50.62:1812 to 192.168.60.1:1024
Ruckus-User-Groups += 'profesores'
EAP-Message =
0x010500450d800000003b1403010001011603010030b6f41d63244fff84ccbe996ef0b09ff2
9df45c4049b85e335adae27b0653521c7719c521ec4e3b611d6c399e2458022b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4b06bc534f03b123a5815ce5986a7061
(4) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 44 from 192.168.60.1:1024 to 192.168.50.62:1812
length 205
User-Name = 'juan'
Calling-Station-Id = '00-26-C6-7C-C4-58'
NAS-IP-Address = 192.168.60.1
NAS-Port = 1
Called-Station-Id = '2C-E6-CC-1A-3E-5C:PROFESORES'
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-Identifier = '2C-E6-CC-1A-3E-5C'
Connect-Info = 'CONNECT 802.11a/n'
EAP-Message = 0x020500060d00
State = 0x4b06bc534f03b123a5815ce5986a7061
Attr-26.25053.3 = 0x50524f4645534f524553
Message-Authenticator = 0xe145b729ae7f53c07a05f6250273b5a5
(5) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(5) authorize {
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix : No '@' in User-Name = "juan", looking up realm NULL
(5) suffix : No such realm "NULL"
(5) [suffix] = noop
(5) eap : EAP packet type response id 5 length 6
(5) eap : No EAP Start, assuming it's an on-going EAP conversation
(5) [eap] = updated
(5) [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(5) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(5) ldap : --> (uid=juan)
(5) ldap : EXPAND dc=ejemplo,dc=org
(5) ldap : --> dc=ejemplo,dc=org
(5) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(uid=juan)', scope 'sub'
(5) ldap : Waiting for search result...
(5) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org"
(5) ldap : No cacheable group memberships found in user object
(5) ldap : EXPAND
(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))
(5) ldap : -->
(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl
o\2cdc\3dorg))
(5) ldap : EXPAND dc=ejemplo,dc=org
(5) ldap : --> dc=ejemplo,dc=org
(5) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp
lo\2cdc\3dorg))', scope 'sub'
(5) ldap : Waiting for search result...
(5) ldap : Added control:Ldap-Group with value "profesores"
(5) ldap : Processing user attributes
(5) ldap : control:Password-With-Header += ''1234''
rlm_ldap (ldap): Released connection (4)
(5) [ldap] = ok
(5) foreach &control:LDAP-Group
(5) update reply {
(5) EXPAND %{Foreach-Variable-0}
(5) --> profesores
(5) &Ruckus-User-Groups += '"profesores"'
(5) } # update reply = noop
(5) } # foreach &control:LDAP-Group = noop
(5) [expiration] = noop
(5) [logintime] = noop
(5) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password
(5) WARNING: pap : Auth-Type already set. Not setting to PAP
(5) [pap] = noop
(5) } # authorize = updated
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) authenticate {
(5) eap : Expiring EAP session with state 0x4b06bc534f03b123
(5) eap : Finished EAP session with state 0x4b06bc534f03b123
(5) eap : Previous EAP request found for state 0x4b06bc534f03b123, released
from the list
(5) eap : Peer sent TLS (13)
(5) eap : EAP TLS (13)
(5) eap : Calling eap_tls to process EAP data
(5) eap_tls : Authenticate
(5) eap_tls : processing EAP-TLS
(5) eap_tls : Received TLS ACK
(5) eap_tls : Received TLS ACK
(5) eap_tls : ACK handshake is finished
(5) eap_tls : eaptls_verify returned 3
(5) eap_tls : eaptls_process returned 3
(5) eap_tls : Saving session
e538ae19205137b530866cbe9c73fda07251b82edf134c60a8556d5601036be8 vps
0x2886620 in the cache
(5) eap : Freeing handler
(5) [eap] = ok
(5) } # authenticate = ok
(5) # Executing section post-auth from file
/etc/freeradius/sites-enabled/default
(5) post-auth {
(5) cache : EXPAND %{User-Name}
(5) cache : --> juan
(5) cache : Creating entry for "juan"
(5) cache : control:LDAP-Group += &control:LDAP-Group
(5) cache : Inserted entry, TTL 3600 seconds
(5) [cache] = updated
(5) foreach &control:LDAP-Group
(5) update reply {
CAUGHT SIGNAL: Segmentation fault
Backtrace of last 25 frames:
/usr/lib/freeradius/libfreeradius-radius.so(fr_fault+0x61)[0x7f56ae6cbc51]
/lib/x86_64-linux-gnu/libpthread.so.0(+0xf030)[0x7f56ad415030]
/usr/lib/freeradius/libfreeradius-radius.so(+0x1505e)[0x7f56ae6d605e]
/usr/lib/freeradius/libfreeradius-server.so(+0x136b7)[0x7f56ae90a6b7]
/usr/lib/freeradius/libfreeradius-server.so(+0x13998)[0x7f56ae90a998]
/usr/lib/freeradius/libfreeradius-server.so(+0x144c4)[0x7f56ae90b4c4]
/usr/lib/freeradius/libfreeradius-server.so(+0x14532)[0x7f56ae90b532]
/usr/lib/freeradius/libfreeradius-server.so(radius_map2vp+0x1ef)[0x7f56ae905
def]
/usr/lib/freeradius/libfreeradius-server.so(radius_map2request+0xa6)[0x7f56a
e905386]
freeradius[0x41f955]
freeradius[0x41fd1a]
freeradius[0x41f221]
freeradius[0x41f3de]
freeradius(modcall+0x3d)[0x4204fd]
freeradius(indexed_modcall+0xb3)[0x41dc03]
freeradius(rad_postauth+0x5e)[0x40f57e]
freeradius[0x42ca9c]
freeradius[0x429d05]
freeradius(request_receive+0x247)[0x42af27]
freeradius[0x4190a8]
freeradius[0x42966d]
/usr/lib/freeradius/libfreeradius-radius.so(fr_event_loop+0x2d9)[0x7f56ae6e5
629]
freeradius(main+0x65a)[0x40eb2a]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7f56acc1bead]
freeradius[0x40ee85]
Calling: gdb -silent -x /etc/freeradius/panic.gdb freeradius 3192 2>&1 | tee
/var/log/freeradius/gdb-freeradius-3192.log
Temporarily setting PR_DUMPABLE to 1
sh: 1: gdb: not found
Resetting PR_DUMPABLE to 0
Panic action exited with 0
More information about the Freeradius-Users
mailing list