Ldap/freeradius gidnumber attribute check issue

David Francisco Rodriguez Perez david.francisco.rodriguez at gmail.com
Fri Sep 4 06:06:17 CEST 2015


Hi

Sorry, it was my first post and I have only one week with OpenLDAP and
FreeRADIUS. Thanks for the feedback and patience.
So far what I can do with ldapsearch is to search using the gidNumber, and I get:

$ ldapsearch -x -LLL -b ou=Groups,dc=testexample,dc=com '(&(objectClass=posixGroup)(gidNumber=5000))'
dn: cn=students,ou=Groups,dc=testexample,dc=com
objectClass: posixGroup
cn: students
gidNumber: 5000

And if I search for the attribute cn then I get

$ ldapsearch -x -LLL -b ou=Groups,dc=testexample,dc=com '(&(objectClass=posixGroup)(gidNumber=5000))' cn
dn: cn=students,ou=Groups,dc=testexample,dc=com
cn: students

So how can I populate Ldap-Group with "students" in this case?

Now going back to the output below (too big), where I put in the users file

DEFAULT GroupNumber == 5000
        Filter-Id := "test"

I see that my GroupNumber gets populated with the gidNumber of the user,
which in this case is 5000:
  [ldap] gidNumber -> GroupNumber == 5000
  [ldap] userPassword -> Password-With-Header == "david"
  [ldap] sambaNtPassword -> NT-Password ==

But I do not see anything in the output below that shows the users file
being checked. When I change that to Ldap-Group="student" I see in the output
that it tries to query for students, but as I do not have objectclass
GroupofNames it does not work:

  [ldap] performing search in dc=testexample,dc=com, with filter (&(cn=students)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
  [ldap] object not found

So, bottom line: what could be my issue based on my OpenLDAP directory info?

Thanks,

David


Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.242.254.254 port 1069, id=123,
length=103
        User-Name = "david"
        NAS-IP-Address = 10.242.254.254
        NAS-Port = 77
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "e4115b3ef3b4"
        EAP-Message = 0x0200000a016461766964
        Message-Authenticator = 0x6eda8fb3569454ebd60c80a3764f2fe9
        Service-Type = Framed-User
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "david", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 123 to 10.242.254.254 port 1069
        EAP-Message = 0x0101001604108648bbc6295b42cac8b6b9c1e9cfa9df
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb6b75489b6b650ec2f9f110d6137b02e
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.242.254.254 port 1069, id=124,
length=117
        User-Name = "david"
        NAS-IP-Address = 10.242.254.254
        State = 0xb6b75489b6b650ec2f9f110d6137b02e
        NAS-Port = 77
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "e4115b3ef3b4"
        EAP-Message = 0x020100060319
        Message-Authenticator = 0x3a4e1e5734dec88bc2fcff10c40f76d0
        Service-Type = Framed-User
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "david", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 124 to 10.242.254.254 port 1069
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb6b75489b7b54dec2f9f110d6137b02e
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.242.254.254 port 1069, id=125,
length=218
        User-Name = "david"
        NAS-IP-Address = 10.242.254.254
        State = 0xb6b75489b7b54dec2f9f110d6137b02e
        NAS-Port = 77
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "e4115b3ef3b4"
        EAP-Message =
0x0202006b198000000061160301005c01000058030155e9110f3a5f4974f513b4b7fc2847aa5b7e993bb045cf0ecf6cc14b884ee3f4000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100
        Message-Authenticator = 0xf093511c80c5086894dbd4b245e1cb6c
        Service-Type = Framed-User
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "david", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 97
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005c], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 02ac], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 125 to 10.242.254.254 port 1069
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb6b75489b4b44dec2f9f110d6137b02e
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.242.254.254 port 1069, id=126,
length=449
        User-Name = "david"
        NAS-IP-Address = 10.242.254.254
        State = 0xb6b75489b4b44dec2f9f110d6137b02e
        NAS-Port = 77
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "e4115b3ef3b4"
        EAP-Message =
0x0203015019800000014616030101061000010201008fba534a1139afcf8cbe6260bf1226100554d8e54483500c043be6dcb570e5935fca4bd87add18d515a9c5304d975f2c3f552372d6f07e96828b0336b1c36f5cc45d0bc299677ce9eff5fec1722b8aadea200241125cd0b1b024c365c775786dd7bf5596ffda0829a2033efb020586435f4e291fec7dad0bfb43fc61eb667c6f67c7ad5754f1bff007fcd0493fa1f28f032f8d7678726a6318683bb1ecae7d4a7c252c6e06f8fe3c4cb557d5343dc774962079ecc2851e8fcc84bb57b055ca02ddb45220ae411dd1d01e609a6719e594cd1dd10bd9be108812b02540b51adde1cf2b9b4ba7616e92
        EAP-Message =
0xd85c8ffcc24354a888ae2de39c82526945fdfa0e4e065dcd140301000101160301003066134c22605c9673dbb59626969081f39a7101a8e1f772768aba0d3bf514b89ef27b110a5803d95ec2cc4403d12179e7
        Message-Authenticator = 0xece81e29182a141fa0588f8d36ed905f
        Service-Type = Framed-User
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "david", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 126 to 10.242.254.254 port 1069
        EAP-Message =
0x0104004119001403010001011603010030f73ed80f8b2925a75dfdda9dd090be391a302a60604cbed32bc61dd466cc0f4d9a2be5b8eb299437ec6b5bb7ec8729d2
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb6b75489b5b34dec2f9f110d6137b02e
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.242.254.254 port 1069, id=127,
length=117
        User-Name = "david"
        NAS-IP-Address = 10.242.254.254
        State = 0xb6b75489b5b34dec2f9f110d6137b02e
        NAS-Port = 77
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "e4115b3ef3b4"
        EAP-Message = 0x020400061900
        Message-Authenticator = 0xda1f0c6a31393103b9c12ca0284e2c0f
        Service-Type = Framed-User
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "david", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 127 to 10.242.254.254 port 1069
        EAP-Message =
0x0105002b190017030100203ddde826ff0e1d216ca33b4442b819345118030e16fb68628173e22278ee98fc
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb6b75489b2b24dec2f9f110d6137b02e
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.242.254.254 port 1069, id=128,
length=154
        User-Name = "david"
        NAS-IP-Address = 10.242.254.254
        State = 0xb6b75489b2b24dec2f9f110d6137b02e
        NAS-Port = 77
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "e4115b3ef3b4"
        EAP-Message =
0x0205002b190017030100202965ee9c1a2e44a22e2fe1c8657434f166f76452400085e7c546d2afeb3151e2
        Message-Authenticator = 0x84e872b5ee78e972767073a0cf897485
        Service-Type = Framed-User
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "david", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - david
[peap] Got inner identity 'david'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
        EAP-Message = 0x0205000a016461766964
server  {
  PEAP: Setting User-Name to david
Sending tunneled request
        EAP-Message = 0x0205000a016461766964
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "david"
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[mschap] returns noop
[suffix] No '@' in User-Name = "david", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 5 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for david
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> david
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=david)
[ldap]  expand: dc=testexample,dc=com -> dc=testexample,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to localhost:389, authentication 0
  [ldap] bind as cn=admin,dc=testexample,dc=com/test2004 to localhost:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=testexample,dc=com, with filter (uid=david)
[ldap] checking if remote access for david is allowed by dialupAccess
[ldap] Added User-Password = david in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] gidNumber -> GroupNumber == 5000
  [ldap] userPassword -> Password-With-Header == "david"
  [ldap] sambaNtPassword -> NT-Password ==
0x3638313238334242334639314644463837444439343235374244314232364434
  [ldap] sambaLmPassword -> LM-Password ==
0x3031384539333834334339423830303135303434323845323033343535353234
[ldap] looking for reply items in directory...
[ldap] user david authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message =
0x0106001f1a0106001a104924a874610ee8126c1451aa24aaa2996461766964
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf10600a5f1001ace9b23ed19368cfb3c
[peap] Got tunneled reply RADIUS code 11
        EAP-Message =
0x0106001f1a0106001a104924a874610ee8126c1451aa24aaa2996461766964
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf10600a5f1001ace9b23ed19368cfb3c
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 128 to 10.242.254.254 port 1069
        EAP-Message =
0x0106003b19001703010030f553bf6ff5317d92dd3a8320a0c2851c7290522d2dc7d87a112377ab73fd1605b3175b2e15cb1d98cda54362d1e2d4b8
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb6b75489b3b14dec2f9f110d6137b02e
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.242.254.254 port 1069, id=129,
length=218
        User-Name = "david"
        NAS-IP-Address = 10.242.254.254
        State = 0xb6b75489b3b14dec2f9f110d6137b02e
        NAS-Port = 77
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "e4115b3ef3b4"
        EAP-Message =
0x0206006b19001703010060773bc9cffe95a263db94999ffaf2afd9e09c2dd343ac717a65137a5bfa566952b6c06d5dbc569350f95bc2d2b5a2598a2a0d2d0d26f919283602ba0cfa44278e20ddd7a073df92b8d56f66a7391f64d46ee67e730cfd1cc5aa2f50926896d8f5
        Message-Authenticator = 0x91fdd4860b03ae1025d6e73ecdf84066
        Service-Type = Framed-User
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "david", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message =
0x020600401a0206003b3112b4209f124984f92b075546de073933000000000000000039ed468ed39b9ea9c80c36f27352837de7188490d5e2bb0f006461766964
server  {
  PEAP: Setting User-Name to david
Sending tunneled request
        EAP-Message =
0x020600401a0206003b3112b4209f124984f92b075546de073933000000000000000039ed468ed39b9ea9c80c36f27352837de7188490d5e2bb0f006461766964
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "david"
        State = 0xf10600a5f1001ace9b23ed19368cfb3c
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[mschap] returns noop
[suffix] No '@' in User-Name = "david", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 64
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for david
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> david
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=david)
[ldap]  expand: dc=testexample,dc=com -> dc=testexample,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=testexample,dc=com, with filter (uid=david)
[ldap] checking if remote access for david is allowed by dialupAccess
[ldap] Added User-Password = david in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] gidNumber -> GroupNumber == 5000
  [ldap] userPassword -> Password-With-Header == "david"
  [ldap] sambaNtPassword -> NT-Password ==
0x3638313238334242334639314644463837444439343235374244314232364434
  [ldap] sambaLmPassword -> LM-Password ==
0x3031384539333834334339423830303135303434323845323033343535353234
[ldap] looking for reply items in directory...
[ldap] user david authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Found LM-Password
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: david
[mschap] Told to do MS-CHAPv2 for david with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message =
0x010700331a0306002e533d34384638433434424438354337434438443833464435443646434239433937343436443436464643
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf10600a5f0011ace9b23ed19368cfb3c
[peap] Got tunneled reply RADIUS code 11
        EAP-Message =
0x010700331a0306002e533d34384638433434424438354337434438443833464435443646434239433937343436443436464643
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf10600a5f0011ace9b23ed19368cfb3c
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 129 to 10.242.254.254 port 1069
        EAP-Message =
0x0107005b1900170301005048bf91fd1327fb8314e6d4c07e038702cfaa8814ab83581ae483bf1b611144a20ba892611b0c118043162b5c542a7fbde58dc11426692b35f1122abb22eef0b82c1041c29227473101d66d65436cb76b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb6b75489b0b04dec2f9f110d6137b02e
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.242.254.254 port 1069, id=130,
length=154
        User-Name = "david"
        NAS-IP-Address = 10.242.254.254
        State = 0xb6b75489b0b04dec2f9f110d6137b02e
        NAS-Port = 77
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "e4115b3ef3b4"
        EAP-Message =
0x0207002b19001703010020d202256d3c2bb0891a99efec94d3da6bb09d478633c902ddfadf54e75bd4c7df
        Message-Authenticator = 0x8ebc91b8aea6c5c3638b7beac5e2b893
        Service-Type = Framed-User
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "david", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020700061a03
server  {
  PEAP: Setting User-Name to david
Sending tunneled request
        EAP-Message = 0x020700061a03
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "david"
        State = 0xf10600a5f0011ace9b23ed19368cfb3c
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[mschap] returns noop
[suffix] No '@' in User-Name = "david", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for david
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> david
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=david)
[ldap]  expand: dc=testexample,dc=com -> dc=testexample,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=testexample,dc=com, with filter (uid=david)
[ldap] checking if remote access for david is allowed by dialupAccess
[ldap] Added User-Password = david in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] gidNumber -> GroupNumber == 5000
  [ldap] userPassword -> Password-With-Header == "david"
  [ldap] sambaNtPassword -> NT-Password ==
0x3638313238334242334639314644463837444439343235374244314232364434
  [ldap] sambaLmPassword -> LM-Password ==
0x3031384539333834334339423830303135303434323845323033343535353234
[ldap] looking for reply items in directory...
[ldap] user david authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
  WARNING: Empty post-auth section.  Using default return values.
# Executing section post-auth from file
/etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0xd5768a9870471c51047fe28f1b3229d9
        MS-MPPE-Recv-Key = 0x46decfc90869e2d2f79633f605ca06d9
        EAP-Message = 0x03070004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "david"
[peap] Got tunneled reply RADIUS code 2
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0xd5768a9870471c51047fe28f1b3229d9
        MS-MPPE-Recv-Key = 0x46decfc90869e2d2f79633f605ca06d9
        EAP-Message = 0x03070004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "david"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 130 to 10.242.254.254 port 1069
        EAP-Message =
0x0108002b190017030100201e7ba200cffbbd72acfcd0eb6d2577e97787a44f710efcf3b32a02ac50491694
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb6b75489b1bf4dec2f9f110d6137b02e
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.242.254.254 port 1069, id=131,
length=154
        User-Name = "david"
        NAS-IP-Address = 10.242.254.254
        State = 0xb6b75489b1bf4dec2f9f110d6137b02e
        NAS-Port = 77
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "e4115b3ef3b4"
        EAP-Message =
0x0208002b19001703010020de6323900253dc104b02e2c016917d42b1cb751a820a5ad79a0564d2608c6ec0
        Message-Authenticator = 0x9cdec88377cb87eadaf2a69ba0e0253f
        Service-Type = Framed-User
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "david", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 131 to 10.242.254.254 port 1069
        MS-MPPE-Recv-Key =
0xe992d730dbcbd150254770ade371e94428d89cea4b07b0b417c1b84f516c32e7
        MS-MPPE-Send-Key =
0x7aaeeead2c715622376d59e22b6c1fa8ff322ebc53d14635e23f24fe72115cc2
        EAP-Message = 0x03080004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "david"
Finished request 8.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 123 with timestamp +15
Cleaning up request 1 ID 124 with timestamp +15
Cleaning up request 2 ID 125 with timestamp +15
Cleaning up request 3 ID 126 with timestamp +15
Cleaning up request 4 ID 127 with timestamp +15
Cleaning up request 5 ID 1
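
Added example (not part of the original post and not FreeRADIUS code): a small Python evaluator for the LDAP filter subset seen above, run against the students entry from the ldapsearch output, listing which assertions of the logged group filter fail on a posixGroup entry. Assumptions: matching is simplified to case-insensitive equality and presence tests; escapes and substring matches are not handled.

```python
"""Evaluate the two LDAP filters from the post against the group entry."""

# Entry as returned by the poster's ldapsearch (attribute -> values).
STUDENTS = {
    "objectClass": ["posixGroup"],
    "cn": ["students"],
    "gidNumber": ["5000"],
}

# Filter logged by FreeRADIUS for the Ldap-Group check (copied from the post).
RADIUS_FILTER = ("(&(cn=students)(|(&(objectClass=GroupOfNames)(member=))"
                 "(&(objectClass=GroupOfUniqueNames)(uniquemember=))))")
# Filter the poster ran with ldapsearch.
POSIX_FILTER = "(&(objectClass=posixGroup)(gidNumber=5000))"


def parse(text):
    """Return nested tuples: ('&'|'|', [nodes]), ('!', node), ('=', attr, value)."""
    node, pos = _parse_at(text, 0)
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return node


def _parse_at(text, pos):
    if pos + 1 >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse_at(text, pos)
            children.append(child)
        node = (op, children)
    elif op == "!":
        child, pos = _parse_at(text, pos + 1)
        node = ("!", child)
    else:
        end = text.find(")", pos)
        attr, sep, value = text[pos:end if end != -1 else pos].partition("=")
        if not attr or not sep:
            raise ValueError("bad assertion at offset %d" % pos)
        node = ("=", attr, value)
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return node, pos + 1


def _values(entry, attr):
    """Attribute names are case-insensitive in LDAP."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values
    return []


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = _values(entry, attr)
    if value == "*":                      # presence test
        return bool(values)
    # An empty value, as in (member=), can only match an empty stored value.
    return value.lower() in (v.lower() for v in values)


def false_leaves(node, entry):
    """List the attr=value assertions that evaluate false for this entry."""
    kind = node[0]
    if kind in "&|":
        return [leaf for c in node[1] for leaf in false_leaves(c, entry)]
    if kind == "!":
        return false_leaves(node[1], entry)
    return [] if matches(node, entry) else ["%s=%s" % (node[1], node[2])]


if __name__ == "__main__":
    for label, flt in (("ldapsearch", POSIX_FILTER), ("Ldap-Group", RADIUS_FILTER)):
        tree = parse(flt)
        print(label, "matches:", matches(tree, STUDENTS),
              "failed:", false_leaves(tree, STUDENTS))
```
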