why is Called-Station-SSID not processed?
Zeus Panchenko
zeus at ibs.dn.ua
Tue Aug 4 14:05:31 CEST 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
hi,
I configured FR v.3.0.9 against LDAP and can successfully auth with EAPMD5/TLS/TTLS+PAP
now I want to add check for Called-Station-SSID and am failing ...
please, help me to understand what I miss?
as you can see from debug bellow, configured in LDAP Called-Station-SSID
(via radiusCheckItem as well as via mapped attribute) is ignored, and
client is granted access
I hoped if I set radiusCheckItem: Called-Station-SSID := 'SSID_ALLOWED'
then check will be performed against Called-Station-SSID value processed
- From Called-Station-Id
what is wrong?
here is debug:
- ----[ quotation start ]-------------------------------------------
(6) Received Access-Request Id 16 from 192.168.0.1:46326 to 192.168.0.254:1812 length 314
(6) User-Name = "jdoe"
(6) NAS-Identifier = "jdoe.wrt"
(6) Called-Station-Id = "9A-46-5E-3B-A1-0E:SSID_REQUESTED"
(6) NAS-Port-Type = Wireless-802.11
(6) NAS-Port = 1
(6) Calling-Station-Id = "73-62-0A-DA-7C-5A"
(6) Connect-Info = "CONNECT 54Mbps 802.11g"
(6) Acct-Session-Id = "55BE1E6B-0000001C"
(6) Framed-MTU = 1400
(6) EAP-Message = 0x0223008015001703010020b9f3cc80bf61ea3ab2b9ad0e3d5492f814652d30a19f2a0d562832d6db02468f1703010050e426680ec3a1a7db12904734432af8744492e725b6689affce7e093ed666bc0c3338fb8d3fd12d2eaca8b304c373e8e1d42f14db0683b1f4de08004
67ff2d302e44d864249a30d
(6) State = 0x1df02c2d18d339202ca9dbdadeae133a
(6) Message-Authenticator = 0x7e5712cf45d3b99b42e4b80452950d1a
(6) session-state: No cached attributes
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(6) authorize {
(6) [preprocess] = ok
(6) policy rewrite_calling_station_id {
(6) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(6) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE
(6) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(6) update request {
(6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(6) --> 73-62-0A-DA-7C-5A
(6) &Calling-Station-Id := 73-62-0A-DA-7C-5A
(6) } # update request = noop
(6) [updated] = updated
(6) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) = updated
(6) ... skipping else for request 6: Preceding "if" was taken
(6) } # policy rewrite_calling_station_id = updated
(6) auth_log: EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(6) auth_log: --> /var/log/radacct/192.168.0.1/auth-detail-20150803
(6) auth_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/192.168.0.1/auth-detail-20150803
(6) auth_log: EXPAND %t
(6) auth_log: --> Mon Aug 3 23:46:13 2015
(6) [auth_log] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "jdoe", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) ntdomain: Checking for prefix before "\"
(6) ntdomain: No '\' in User-Name = "jdoe", looking up realm NULL
(6) ntdomain: No such realm "NULL"
(6) [ntdomain] = noop
(6) policy rewrite_called_station_id {
(6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(6) update request {
(6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(6) --> 9A-46-5E-3B-A1-0E
(6) &Called-Station-Id := 9A-46-5E-3B-A1-0E
(6) } # update request = noop
(6) if ("%{8}") {
(6) --> SSID_REQUESTED
(6) if ("%{8}") -> TRUE
(6) if ("%{8}") {
(6) update request {
(6) EXPAND %{8}
(6) --> SSID_REQUESTED
(6) &Called-Station-SSID := SSID_REQUESTED
(6) } # update request = noop
(6) } # if ("%{8}") = noop
(6) [updated] = updated
(6) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(6) ... skipping else for request 6: Preceding "if" was taken
(6) } # policy rewrite_called_station_id = updated
(6) eap: Peer sent EAP Response (code 2) ID 35 length 128
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x1df02c2d18d33920
(6) eap: Finished EAP session with state 0x1df02c2d18d33920
(6) eap: Previous EAP request found for state 0x1df02c2d18d33920, released from the list
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: Continuing EAP-TLS
(6) eap_ttls: Done initial handshake
(6) eap_ttls: [eaptls process] = ok
(6) eap_ttls: Session established. Proceeding to decode tunneled attributes
(6) eap_ttls: Got tunneled request
(6) eap_ttls: User-Name = "jdoe"
(6) eap_ttls: User-Password = "jdoe"
(6) eap_ttls: Sending tunneled request
(6) Virtual server inner-tunnel received request
(6) User-Name = "jdoe"
(6) User-Password = "jdoe"
(6) server inner-tunnel {
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "jdoe", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) ntdomain: Checking for prefix before "\"
(6) ntdomain: No '\' in User-Name = "jdoe", looking up realm NULL
(6) ntdomain: No such realm "NULL"
(6) [ntdomain] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: No EAP-Message, not doing EAP
(6) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}:-%{Calling-Station-Id}}
(6) files: --> jdoe
(6) [files] = noop
rlm_ldap (ldap): Reserved connection (2)
(6) ldap: EXPAND (|(&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(|(authorizedService=802.1x at xyz)(authorizedService=802.1x-mac at xyz)))(&(cn=%{User-Name})(authorizedService=802.1x-eap-tls at xyz)))
(6) ldap: --> (|(&(cn=jdoe)(|(authorizedService=802.1x at xyz)(authorizedService=802.1x-mac at xyz)))(&(cn=jdoe)(authorizedService=802.1x-eap-tls at xyz)))
(6) ldap: Performing search in "ou=People,dc=xyz" with filter "(|(&(cn=jdoe)(|(authorizedService=802.1x at xyz)(authorizedService=802.1x-mac at xyz)))(&(cn=jdoe)(authorizedService=802.1x-eap-tls at xyz)))", scope "sub"
(6) ldap: Waiting for search result...
(6) ldap: User object found at DN "uid=jdoe,authorizedService=802.1x-eap-tls at xyz,uid=jdoe,ou=People,dc=xyz"
(6) ldap: Performing search in "cn=wifi-xyz,ou=profiles,ou=RADIUS,dc=xyz" with filter "(objectclass=radiusprofile)", scope "base"
(6) ldap: Waiting for search result...
(6) ldap: Processing profile attributes
(6) ldap: control:Called-Station-SSID := 'SSID_ALLOWED'
(6) ldap: reply:Session-Timeout := 900
(6) ldap: reply:Reply-Message := 'You have entered SSID: SSID_ALLOWED.'
(6) ldap: reply:Tunnel-Type := VLAN
(6) ldap: reply:Tunnel-Medium-Type := IEEE-802
(6) ldap: reply:Tunnel-Private-Group-Id := '3481'
(6) ldap: Processing user attributes
(6) ldap: control:Cleartext-Password := 'jdoe'
(6) ldap: control:Password-With-Header += 'jdoe'
rlm_ldap (ldap): Released connection (2)
(6) [ldap] = updated
(6) [expiration] = noop
(6) [logintime] = noop
(6) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header
(6) [pap] = updated
(6) } # authorize = updated
(6) Found Auth-Type = PAP
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6) Auth-Type PAP {
(6) pap: Login attempt with password
(6) pap: Comparing with "known good" Cleartext-Password
(6) pap: User authenticated successfully
(6) [pap] = ok
(6) } # Auth-Type PAP = ok
(6) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6) Login OK: [jdoe] (from client office021.xyz port 0 via TLS tunnel)
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) Session-Timeout := 900
(6) Reply-Message := "You have entered SSID: SSID_ALLOWED."
(6) Tunnel-Type := VLAN
(6) Tunnel-Medium-Type := IEEE-802
(6) Tunnel-Private-Group-Id := "3481"
(6) eap_ttls: Got tunneled Access-Accept
(6) eap_ttls: No information to cache: session caching will be disabled for session e5b5fc820be72baebe838286f4df80848a5bfadd06493077391aec818504665c
(6) eap: Sending EAP Success (code 3) ID 35 length 4
(6) eap: Freeing handler
(6) [eap] = ok
(6) } # authenticate = ok
(6) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(6) post-auth {
(6) update {
(6) No attributes updated
(6) } # update = noop
(6) [exec] = noop
(6) policy remove_reply_message_if_eap {
(6) if (&reply:EAP-Message && &reply:Reply-Message) {
(6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(6) else {
(6) [noop] = noop
(6) } # else = noop
(6) } # policy remove_reply_message_if_eap = noop
(6) } # post-auth = noop
(6) Login OK: [jdoe] (from client office021.xyz port 1 cli 73-62-0A-DA-7C-5A)
(6) Sent Access-Accept Id 16 from 192.168.0.254:1812 to 192.168.0.1:46326 length 0
(6) MS-MPPE-Recv-Key = 0x27eec264980471ed15d7d03785d
- ----[ quotation end ]-------------------------------------------
- --
Zeus V. Panchenko jid:zeus at im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlXAqooACgkQr3jpPg/3oypphACg/KT1YUFx9s3c7ay0iX6TYhUe
rt8AoOAQNtaSkKj6Kna7EzjHJEl7sKSt
=jM5p
-----END PGP SIGNATURE-----
More information about the Freeradius-Users
mailing list