Freeradius 3.0.7 regex check in module files doesn't work
Stabla, Daniel
dstabla at materna.de
Fri Mar 6 11:01:26 CET 2015
Hello,

We may have found a bug in FreeRADIUS 3.0.7.
We assign VLANs dynamically through the files module in the post-auth section.
To assign the right VLAN, various attributes are checked, such as the NAS-Identifier.
In 3.0.4 it works without problems, but in 3.0.7 the regex check doesn't seem to work.
###################################
sites-enabled/default
###################################
server eap_server {
    listen {
        ipaddr = *
        port = 1645
        type = auth
        limit {
        }
    }
    authorize {
        eap {
            ok = return
        }
    }
    authenticate {
        Auth-Type PAP {
        }
        Auth-Type CHAP {
        }
        eap
        Auth-Type eap {
            eap {
                handled = 1
            }
            if (handled && (Response-Packet-Type == Access-Challenge)) {
            }
        }
    }
    post-auth {
        update request {
            Stripped-User-Name := "%{mschap:User-Name}"
            Realm := "%{mschap:NT-Domain}"
        }
        update reply {
            Tunnel-Type := "13"
            Tunnel-Medium-Type := "6"
        }
        rad-vlan.authorize
        update reply {
            Tunnel-Private-Group-Id = "%{control:Tunnel-Private-Group-Id}"
        }
        Post-Auth-Type REJECT {
            eap
        }
    }
    pre-proxy {
        update proxy-request {
            proxy-request:User-Name := "%{proxy-request:MS-CHAP-User-Name}"
        }
    }
    post-proxy {
        post_proxy_log
        eap
    }
}
###################################
mods-enabled/files
###################################
files {
    filename = ${confdir}/radius-station-mac
    usersfile = ${confdir}/radius-station-mac
    compat = no
    EAP-TLS-Require-Client-Cert = yes
}
files radius-station-allow {
    usersfile = ${confdir}/radius-station-allow
    key = %{Stripped-User-Name}
    compat = cistron
}
files radius-station-ids {
    usersfile = ${confdir}/radius-station-ids
    key = %{Stripped-User-Name}
    compat = no
}
files radius-station-ids-test {
    usersfile = ${confdir}/radius-station-ids-test
    key = %{Stripped-User-Name}
    compat = cistron
}
files rad-vlan {
    usersfile = ${confdir}/rad-vlan
    key = %{Calling-Station-Id}
    compat = cistron
    Fall-Through = Yes
}
###################################
raddb/rad-vlan
###################################
12-34-56-78-90-AB NAS-Identifier =~ "WPA-GG.*", Stripped-User-Name == "ldapsearch123", Tunnel-Private-Group-Id := "200"
12-34-56-78-90-AB NAS-Identifier =~ "WPA-GG.*", Stripped-User-Name == "ldapsearch", Tunnel-Private-Group-Id := "200"
12-34-56-78-90-AB NAS-Identifier =~ "WPA-GG.*", Tunnel-Private-Group-Id := "200"
DEFAULT Tunnel-Private-Group-Id := "001"
###################################
Debug 3.0.7:
###################################
(14) User-Name = 'materna\ldapsearch'
(14) NAS-IP-Address = 127.0.0.1
(14) Calling-Station-Id = '12-34-56-78-90-AB'
(14) Framed-MTU = 1400
(14) NAS-Port-Type = Wireless-802.11
(14) Connect-Info = 'CONNECT 11Mbps 802.11b'
(14) NAS-Identifier = 'WPA-GG'
(14) EAP-Message =
0x020e0050190017030100206d1d4cd5d01f3a7153236662e595c5daaaa6336c78322b05cc4c9fd9bc092eaf1703010020d37b532af4b18cb31b84ba696ea369a746e9f295e4f1e32a6d9081884be47bcd
(14) State = 0xbfb2fbdeb2bce21540db8fbcb8edd37b
(14) Message-Authenticator = 0x23a2fd8b9b2e1ade466b27c4b28100a3
(14) session-state: No cached attributes
(14) # Executing section authorize from file ./etc/radius-eap//sites-enabled/default
(14) authorize {
(14) eap: Peer sent code Response (2) ID 14 length 80
(14) eap: Continuing tunnel setup
(14) [eap] = ok
(14) } # authorize = ok
(14) Found Auth-Type = EAP
(14) # Executing group from file ./etc/radius-eap//sites-enabled/default
(14) authenticate {
(14) eap: Expiring EAP session with state 0xbfb2fbdeb2bce215
(14) eap: Finished EAP session with state 0xbfb2fbdeb2bce215
(14) eap: Previous EAP request found for state 0xbfb2fbdeb2bce215, released from the list
(14) eap: Peer sent method PEAP (25)
(14) eap: EAP PEAP (25)
(14) eap: Calling eap_peap to process EAP data
(14) eap_peap: processing EAP-TLS
(14) eap_peap: eaptls_verify returned 7
(14) eap_peap: Done initial handshake
(14) eap_peap: eaptls_process returned 7
(14) eap_peap: FR_TLS_OK
(14) eap_peap: Session established. Decoding tunneled attributes
(14) eap_peap: PEAP state send tlv success
(14) eap_peap: Received EAP-TLV response
(14) eap_peap: Success
(14) eap_peap: Using saved attributes from the original Access-Accept
(14) eap_peap: User-Name = 'materna\ldapsearch'
(14) eap_peap: Saving session b5f76169be377c4eb841c0ec3f4cc92488683fe647ffb81eb89abb1dbe84068f vps 0x7fab2c002200 in the cache
(14) eap: Freeing handler
(14) [eap] = ok
(14) } # authenticate = ok
(14) # Executing section post-auth from file ./etc/radius-eap//sites-enabled/default
(14) post-auth {
(14) update request {
(14) EXPAND %{mschap:User-Name}
(14) --> ldapsearch
(14) Stripped-User-Name := "ldapsearch"
(14) EXPAND %{mschap:NT-Domain}
(14) --> materna
(14) Realm := "materna"
(14) } # update request = noop
(14) update reply {
(14) Tunnel-Type := VLAN
(14) Tunnel-Medium-Type := IEEE-802
(14) } # update reply = noop
(14) rad-vlan: EXPAND %{Calling-Station-Id}
(14) rad-vlan: --> 12-34-56-78-90-AB
(14) rad-vlan: EXPAND WPA-GG.*
(14) rad-vlan: --> WPA-GG.*
(14) rad-vlan: EXPAND WPA-GG.*
(14) rad-vlan: --> WPA-GG.*
(14) rad-vlan: users: Matched entry DEFAULT at line 4
(14) [rad-vlan.authorize] = ok
(14) update reply {
(14) EXPAND %{control:Tunnel-Private-Group-Id}
(14) --> 001
(14) Tunnel-Private-Group-Id = "001"
(14) } # update reply = noop
(14) } # post-auth = ok
(14) Login OK: [materna\ldapsearch/<via Auth-Type = EAP>] (from client sles11 port 0 cli 12-34-56-78-90-AB)
(14) Sent Access-Accept Id 14 from 139.2.35.240:1645 to 139.2.38.67:55213 length 197
(14) User-Name = 'materna\ldapsearch'
(14) MS-MPPE-Recv-Key =
0x106181fbc445a0ff2341792c573ab68ef78633d6308c7171c8a5db18d52fc33f
(14) MS-MPPE-Send-Key =
0x7de75e7f18cc057b55abc4f1c3e41cfebfa3e7d32ef85ba091b7b42a2fc193e5
(14) EAP-Message = 0x030e0004
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) Tunnel-Type = VLAN
(14) Tunnel-Medium-Type = IEEE-802
(14) Tunnel-Private-Group-Id = '001'
(14) Finished request
Thread 1 waiting to be assigned a request
Waking up in 0.2 seconds.
Waking up in 4.3 seconds.
###################################
Debug 3.0.4:
###################################
Thread 1 got semaphore
Thread 1 handling request 14, (3 handled so far)
User-Name = 'materna\ldapsearch'
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = '12-34-56-78-90-AB'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
NAS-Identifier = 'WPA-GG'
EAP-Message =
0x020e0050190017030100200178abd6cb94ebd3a457a0e14cebf41f0ddd572a3d7dfd5867087817f0d5966a1703010020b3483f13ae714a12e4fc5151018f0691a8555d9c76983af3fbe8cd112e63266d
State = 0xfc812f3df18f362cddee265392cf2627
Message-Authenticator = 0x500747f00648ebdd6ecce7c3770fe689
(14) Received Access-Request packet from host 139.2.38.67 port 41678, id=14, length=220
(14) User-Name = 'materna\ldapsearch'
(14) NAS-IP-Address = 127.0.0.1
(14) Calling-Station-Id = '12-34-56-78-90-AB'
(14) Framed-MTU = 1400
(14) NAS-Port-Type = Wireless-802.11
(14) Connect-Info = 'CONNECT 11Mbps 802.11b'
(14) NAS-Identifier = 'WPA-GG'
(14) EAP-Message =
0x020e0050190017030100200178abd6cb94ebd3a457a0e14cebf41f0ddd572a3d7dfd5867087817f0d5966a1703010020b3483f13ae714a12e4fc5151018f0691a8555d9c76983af3fbe8cd112e63266d
(14) State = 0xfc812f3df18f362cddee265392cf2627
(14) Message-Authenticator = 0x500747f00648ebdd6ecce7c3770fe689
(14) # Executing section authorize from file /etc/radiusd/sites-enabled/default
(14) authorize {
(14) eap : Peer sent code Response (2) ID 14 length 80
(14) eap : Continuing tunnel setup
(14) [eap] = ok
(14) } # authorize = ok
(14) Found Auth-Type = EAP
(14) # Executing group from file /etc/radiusd/sites-enabled/default
(14) authenticate {
(14) eap : Expiring EAP session with state 0xfc812f3df18f362c
(14) eap : Finished EAP session with state 0xfc812f3df18f362c
(14) eap : Previous EAP request found for state 0xfc812f3df18f362c, released from the list
(14) eap : Peer sent method PEAP (25)
(14) eap : EAP PEAP (25)
(14) eap : Calling eap_peap to process EAP data
(14) eap_peap : processing EAP-TLS
(14) eap_peap : eaptls_verify returned 7
(14) eap_peap : Done initial handshake
(14) eap_peap : eaptls_process returned 7
(14) eap_peap : FR_TLS_OK
(14) eap_peap : Session established. Decoding tunneled attributes
(14) eap_peap : Peap state send tlv success
(14) eap_peap : Received EAP-TLV response
(14) eap_peap : Success
(14) eap_peap : Using saved attributes from the original Access-Accept
User-Name = 'materna\ldapsearch'
(14) eap_peap : Saving session 467ec288d1ef3786548e67dd6ddc2493765cab9d520bef51307869c3cf86776a vps 0x7facbc003e90 in the cache
(14) eap : Freeing handler
(14) [eap] = ok
(14) } # authenticate = ok
(14) Login OK: [materna\ldapsearch/<via Auth-Type = EAP>] (from client sles11 port 0 cli 12-34-56-78-90-AB)
(14) # Executing section post-auth from file /etc/radiusd/sites-enabled/default
(14) post-auth {
(14) update request {
(14) EXPAND %{mschap:User-Name}
(14) --> ldapsearch
(14) Stripped-User-Name := "ldapsearch"
(14) EXPAND %{mschap:NT-Domain}
(14) --> materna
(14) Realm := "materna"
(14) } # update request = noop
(14) update reply {
(14) Tunnel-Type := VLAN
(14) Tunnel-Medium-Type := IEEE-802
(14) } # update reply = noop
(14) rad-vlan : EXPAND %{Calling-Station-Id}
(14) rad-vlan : --> 12-34-56-78-90-AB
(14) rad-vlan : EXPAND WPA-GG.*
(14) rad-vlan : --> WPA-GG.*
(14) rad-vlan : EXPAND WPA-GG.*
(14) rad-vlan : --> WPA-GG.*
(14) rad-vlan : EXPAND WPA-GG.*
(14) rad-vlan : --> WPA-GG.*
(14) rad-vlan : EXPAND WPA-GG.*
(14) rad-vlan : --> WPA-GG.*
(14) rad-vlan : users: Matched entry 12-34-56-78-90-AB at line 2
(14) [rad-vlan.authorize] = ok
(14) update reply {
(14) EXPAND %{control:Tunnel-Private-Group-Id}
(14) --> 200
(14) Tunnel-Private-Group-Id = "200"
(14) } # update reply = noop
(14) } # post-auth = ok
(14) Sending Access-Accept packet to host 139.2.38.67 port 41678, id=14, length=0
(14) User-Name = 'materna\ldapsearch'
(14) MS-MPPE-Recv-Key =
0x8973d3f59b6ce58227550444df27760f7bd43151d1367444e1883aa5288a99dd
(14) MS-MPPE-Send-Key =
0x1cc9775a68f9ed8715f7e50510981ea04330364949c228eb58a227a27352a440
(14) EAP-MSK =
0x8973d3f59b6ce58227550444df27760f7bd43151d1367444e1883aa5288a99dd1cc9775a68f9ed8715f7e50510981ea04330364949c228eb58a227a27352a440
(14) EAP-EMSK =
0xa8fc008102830647de31e83c4091d01c4717d0785bb964ab682b87b47c00bfe17aa903f0aa969e000d1835b2623128d6b4d585184b977c884176d1e1dbc9e8ee
(14) EAP-Session-Id =
0x1954f85fa7840493a4abe8ee3c005b56ba8e198835115a1fef65c4e1ade3b674ac0ed3759d36b7b6033b489b000a4a6515eb1ec3ef719d7bf589cf8b132dba8b5c
(14) EAP-Message = 0x030e0004
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) Tunnel-Type = VLAN
(14) Tunnel-Medium-Type = IEEE-802
(14) Tunnel-Private-Group-Id = '200'
Sending Access-Accept Id 14 from 139.2.35.240:1645 to 139.2.38.67:41678
User-Name = 'materna\ldapsearch'
MS-MPPE-Recv-Key =
0x8973d3f59b6ce58227550444df27760f7bd43151d1367444e1883aa5288a99dd
MS-MPPE-Send-Key =
0x1cc9775a68f9ed8715f7e50510981ea04330364949c228eb58a227a27352a440
EAP-Message = 0x030e0004
Message-Authenticator = 0x00000000000000000000000000000000
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = '200'
(14) Finished request
Thread 1 waiting to be assigned a request
Waking up in 0.2 seconds.
Waking up in 4.3 seconds.
(0) Cleaning up request packet ID 0 with timestamp +2
(1) Cleaning up request packet ID 1 with timestamp +2
Kind regards.
D. Stabla
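Added example (not part of the original message and not FreeRADIUS code): a small Python emulation of how the files module picks an entry from a users file like rad-vlan above. It keys the lookup on Calling-Station-Id, evaluates the check items left to right, treats := check items as assignments to the control list rather than comparisons (which is why post-auth reads %{control:Tunnel-Private-Group-Id}), takes the first matching entry unless its reply items set Fall-Through, and uses an unanchored regex search for =~ as rlm_files does. The users file and request attributes are constructed from the post; the parser is a simplification that assumes double-quoted values and ignores the rest of the users-file grammar.

```python
import re

# Constructed input: the rad-vlan users file from the post, one entry per line,
# so the line numbers match the "Matched entry ... at line N" debug messages.
RAD_VLAN = '''\
12-34-56-78-90-AB NAS-Identifier =~ "WPA-GG.*", Stripped-User-Name == "ldapsearch123", Tunnel-Private-Group-Id := "200"
12-34-56-78-90-AB NAS-Identifier =~ "WPA-GG.*", Stripped-User-Name == "ldapsearch", Tunnel-Private-Group-Id := "200"
12-34-56-78-90-AB NAS-Identifier =~ "WPA-GG.*", Tunnel-Private-Group-Id := "200"
DEFAULT Tunnel-Private-Group-Id := "001"
'''

# Constructed request: the attributes visible in the debug output at the point
# rad-vlan.authorize runs (Stripped-User-Name was set by the preceding update).
REQUEST = {
    "User-Name": "materna\\ldapsearch",
    "Calling-Station-Id": "12-34-56-78-90-AB",
    "NAS-Identifier": "WPA-GG",
    "Stripped-User-Name": "ldapsearch",
}

# attribute, operator, double-quoted value (a simplification of the users-file grammar)
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(=~|!~|==|!=|:=|\+=|=)\s*"([^"]*)"\s*')


def _items(text, lineno):
    """Split a comma-separated item list into (attr, op, value) tuples."""
    items = []
    for part in text.split(","):
        if not part.strip():
            continue
        m = ITEM_RE.fullmatch(part)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {part!r}")
        items.append(m.groups())
    return items


def parse_users(text):
    """An unindented line is 'key check-items'; indented lines after it are its reply items."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if not entries:
                raise ValueError(f"line {lineno}: reply items before any entry")
            entries[-1]["reply"] += _items(raw, lineno)
            continue
        fields = raw.split(None, 1)
        key, rest = fields[0], (fields[1] if len(fields) > 1 else "")
        entries.append({"line": lineno, "key": key,
                        "check": _items(rest, lineno), "reply": []})
    return entries


def check_item(op, want, have):
    """One check-item comparison; =~ is an unanchored search, like regexec()."""
    if op == "=~":
        return have is not None and re.search(want, have) is not None
    if op == "!~":
        return have is None or re.search(want, have) is None
    if op == "==":
        return have == want
    if op == "!=":
        return have != want
    raise ValueError(f"unsupported check operator {op}")


def match_users(entries, request, key_attr="Calling-Station-Id"):
    """Emulate rlm_files entry selection: entries whose key is DEFAULT or equals
    the request's key attribute are tried in file order; := and += check items
    are copied to the control list instead of being compared; the first entry
    whose other check items all match wins unless its reply sets Fall-Through.
    Returns (matched line numbers, control list, reply list)."""
    control, reply, matched = {}, {}, []
    key_value = request.get(key_attr)
    for entry in entries:
        if entry["key"] != "DEFAULT" and entry["key"] != key_value:
            continue
        settings, ok = {}, True
        for attr, op, value in entry["check"]:
            if op in (":=", "+="):
                settings[attr] = value          # assignment, never a comparison
            elif not check_item(op, value, request.get(attr)):
                ok = False
                break
        if not ok:
            continue
        matched.append(entry["line"])
        control.update(settings)
        fall_through = False
        for attr, _op, value in entry["reply"]:
            if attr == "Fall-Through":
                fall_through = value.lower() in ("yes", "1", "true")
            else:
                reply[attr] = value
        if not fall_through:
            break
    return matched, control, reply
```

Two things worth checking in such a file: "WPA-GG.*" is an unanchored search, so it also matches a NAS-Identifier that merely contains WPA-GG (use "^WPA-GG" to anchor), and since Calling-Station-Id is a client-supplied MAC address, the Stripped-User-Name check on the entry is what actually ties the VLAN to an authenticated user; an unknown MAC falls through to the DEFAULT entry and VLAN 001.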