Problem to copy attribute Tunnel-Private-Group-ID to inner-tunnel (eap) - freeradius 3.0.7
joaocdc at gmail.com
Mon Mar 2 14:11:38 CET 2015
Hello guys,
In the latest FreeRADIUS version (3.0.7), some attributes are not visible
inside the inner-tunnel, such as Tunnel-Private-Group-ID; this attribute
has the VLAN ID for the client.
Before, I was using FreeRADIUS version 3.0.1 and it always worked fine; in
version 3.0.7 this attribute is visible in the default server, but it is not
copied to the inner-tunnel.
In the EAP configuration section, when I upgraded from 3.0.1 to 3.0.7, I
changed the configs to:
in the eap module:
use_tunneled_reply = no
And uncommented in the inner-tunnel post-auth section:
update {
&outer.session-state: += &reply:
}
and
update outer.session-state {
MS-MPPE-Encryption-Policy !* ANY
MS-MPPE-Encryption-Types !* ANY
MS-MPPE-Send-Key !* ANY
MS-MPPE-Recv-Key !* ANY
Message-Authenticator !* ANY
EAP-Message !* ANY
Proxy-State !* ANY
}
According to the documentation, this replaces use_tunneled_reply = yes in
version 3.0.5.
In the debug output below we can see the missing attribute
Tunnel-Private-Group-ID in the EAP check; this produces the error: "ERROR:
Failed retrieving values required to evaluate condition"
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) if (User-Name !~ /@/){
(8) if (User-Name !~ /@/) -> TRUE
(8) if (User-Name !~ /@/) {
(8) update request {
(8) Realm := 'pti'
(8) } # update request = noop
(8) } # if (User-Name !~ /@/) = noop
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Request already has destination realm set. Ignoring
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := 'LOCAL'
(8) } # update control = noop
(8) eap: Peer sent code Response (2) ID 10 length 66
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
(8) if (Tunnel-Private-Group-ID == "5"){
(8) ERROR: Failed retrieving values required to evaluate condition
(8) if (Tunnel-Private-Group-ID == "81"){
(8) ERROR: Failed retrieving values required to evaluate condition
(8) if (Tunnel-Private-Group-ID == "62"){
(8) ERROR: Failed retrieving values required to evaluate condition
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0xdf2cb347df26a950
(8) eap: Finished EAP session with state 0xdf2cb347df26a950
(8) eap: Previous EAP request found for state 0xdf2cb347df26a950, released from the list
(8) eap: Peer sent method MSCHAPv2 (26)
(8) eap: EAP MSCHAPv2 (26)
(8) eap: Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) eap_mschapv2: Auth-Type MS-CHAP {
(8) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(8) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(8) mschap: Creating challenge hash with username: 0013006
(8) mschap: Client is using MS-CHAPv2
(8) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(8) mschap: ERROR: MS-CHAP2-Response is incorrect
(8) [mschap] = reject
(8) } # Auth-Type MS-CHAP = reject
(8) eap: Freeing handler
(8) [eap] = reject
(8) } # authenticate = reject
(8) Failed to authenticate the user
(8) Login incorrect (Failed retrieving values required to evaluate condition): [0013006] (from client controladora-wlan-1 port 4 cli e0-f8-47-30-8d-82 via TLS tunnel)
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) Post-Auth-Type REJECT {
(8) if ( Realm == "vst" ) {
(8) if ( Realm == "vst" ) -> FALSE
(8) if ( Realm == "srv" ) {
(8) if ( Realm == "srv" ) -> FALSE
Thanks for the help
--
João Paulo de Lima Barbosa
"To get where most people don't get, you need to do what most people
don't do."
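An added configuration example, not taken from the post above or from the FreeRADIUS project files, showing the two documented ways in FreeRADIUS 3.0.x to make an attribute that only exists in the outer request visible to inner-tunnel unlang: copying the outer request into the tunnel with the eap module's copy_request_to_tunnel setting, or referencing the outer list explicitly with &outer.request:. The VLAN value "5", the Tmp-String-0 marker and the file paths are assumed for illustration; the peap block is shown, and the ttls block takes the same settings.

```unlang
# /etc/raddb/mods-available/eap  (assumed path)
eap {
    peap {
        # Copy the attributes of the outer request (including a NAS-supplied
        # Tunnel-Private-Group-ID) into the inner-tunnel request list, so
        # that plain "if (Tunnel-Private-Group-ID == ...)" works there.
        copy_request_to_tunnel = yes

        # Keep the 3.0.5+ mechanism of returning inner reply attributes
        # through &outer.session-state instead of use_tunneled_reply.
        use_tunneled_reply = no
    }
}

# /etc/raddb/sites-enabled/inner-tunnel, inside "authorize { ... }"
# Alternative that needs no copying: read the outer request directly.
# The outer existence check runs first, so a request without the
# attribute is simply skipped instead of logging
# "Failed retrieving values required to evaluate condition".
if (&outer.request:Tunnel-Private-Group-ID) {
    if (&outer.request:Tunnel-Private-Group-ID == "5") {
        update control {
            # Assumed marker used by later policy; Tmp-String-0 is a
            # FreeRADIUS internal attribute intended for such scratch use.
            &Tmp-String-0 := "vlan-5"
        }
    }
}
```

Either approach restores the condition, but the value being tested is whatever the NAS put into the outer Access-Request, so any policy keyed on it trusts that NAS; checking that the attribute exists before comparing it also keeps the debug log free of the spurious ERROR lines seen in the trace.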