problem fetching ldap attribute in inner tunnel
Anirudh Malhotra
8zero2ops at gmail.com
Mon Apr 11 20:46:14 CEST 2016
Hi,
So I used the cache section of eap and Cached-Session-Policy is getting
cached but somehow is not getting fetched in the subsequent packet.
used in default
update {
User-Name := &reply:User-Name
&session-state:wifi := &reply:Cached-Session-Policy
}
used in inner-tunnel
update reply {
User-Name = "%{request:User-Name}"
Cached-Session-Policy = "%{outer.session-state:wifi}"
}
(155) Received Access-Request Id 90 from XXXXX:32769 to XXXXX:1812 length
343
(155) User-Name = "XXXX"
(155) Chargeable-User-Identity = 0x00
(155) Location-Capable = Civix-Location
(155) Calling-Station-Id = "XXXXX"
(155) Called-Station-Id = "XXXXX"
(155) NAS-Port = 4
(155) Cisco-AVPair = "audit-session-id=0a40c60a0029fe92b5e20b57"
(155) Acct-Session-Id = "XXXXX"
(155) NAS-IP-Address = XXXXX
(155) NAS-Identifier = "XXXXX"
(155) Airespace-Wlan-Id = 34
(155) Service-Type = Framed-User
(155) Framed-MTU = 1300
(155) NAS-Port-Type = Wireless-802.11
(155) Tunnel-Type:0 = VLAN
(155) Tunnel-Medium-Type:0 = IEEE-802
(155) Tunnel-Private-Group-Id:0 = "807"
(155) EAP-Message =
0x0203004119001403010001011603010030a12e158d521c9b698161e9ea82f7b23143927840277f1830d0614bc27690aa72bbc32a104bb193ee0bfbe564d53e8f5a
(155) State = 0x83aa71c482a968d0320cb2daa34b3bf1
(155) Message-Authenticator = 0x96e37aa278e02cad4e0e8ed05e0bf13c
(155) Restoring &session-state
(155) &session-state:unique-session-id = 76144
(155) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(155) authorize {
(155) if (!&session-state:unique-session-id) {
(155) if (!&session-state:unique-session-id) -> FALSE
(155) policy filter_username {
(155) update control {
(155) linelogvar := "request_attrs"
(155) } # update control = noop
(155) [linelog] = ok
(155) if (&User-Name) {
(155) if (&User-Name) -> TRUE
(155) if (&User-Name) {
(155) if (&User-Name =~ /@[^@]*@/ ) {
(155) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(155) if (&User-Name =~ /\.\./ ) {
(155) if (&User-Name =~ /\.\./ ) -> FALSE
(155) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(155) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(155) if (&User-Name =~ /\.$/) {
(155) if (&User-Name =~ /\.$/) -> FALSE
(155) if (&User-Name =~ /@\./) {
(155) if (&User-Name =~ /@\./) -> FALSE
(155) } # if (&User-Name) = ok
(155) } # policy filter_username = ok
(155) eap: Peer sent EAP Response (code 2) ID 3 length 65
(155) eap: Continuing tunnel setup
(155) [eap] = ok
(155) } # authorize = ok
(155) Found Auth-Type = eap
(155) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(155) authenticate {
(155) eap: Expiring EAP session with state 0x83aa71c482a968d0
(155) eap: Finished EAP session with state 0x83aa71c482a968d0
(155) eap: Previous EAP request found for state 0x83aa71c482a968d0,
released from the list
(155) eap: Peer sent packet with method EAP PEAP (25)
(155) eap: Calling submodule eap_peap to process data
(155) eap_peap: Continuing EAP-TLS
(155) eap_peap: [eaptls verify] = ok
(155) eap_peap: Done initial handshake
(155) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(155) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(155) eap_peap: TLS_accept: SSLv3 read finished A
(155) eap_peap: (other): SSL negotiation finished successfully
(155) eap_peap: SSL Connection Established
(155) eap_peap: SSL Application Data
(155) eap_peap: Adding cached attributes from session
8693643200304c6dc4ac65acdcf863be1c9683ef191edf40f44e16a9575211a6
(155) eap_peap: reply:User-Name = "XXXX"
(155) eap_peap: reply:Cached-Session-Policy = "7"
(155) eap_peap: [eaptls process] = success
(155) eap_peap: Session established. Decoding tunneled attributes
(155) eap_peap: PEAP state TUNNEL ESTABLISHED
(155) eap_peap: Skipping Phase2 because of session resumption
(155) eap_peap: SUCCESS
(155) eap: Sending EAP Request (code 1) ID 4 length 43
(155) eap: EAP session adding &reply:State = 0x83aa71c481ae68d0
(155) [eap] = handled
(155) } # authenticate = handled
(155) Using Post-Auth-Type Challenge
(155) Post-Auth-Type sub-section not found. Ignoring.
(155) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(155) session-state: Saving cached attributes
(155) unique-session-id = 76144
(155) Sent Access-Challenge Id 90 from XXXXX:1812 to XXXXX:32769 length 0
(155) User-Name = "XXXX"
(155) EAP-Message =
0x0104002b190017030100202e4258578386119f3d858e0645f2069e2908381a88e997d1eb2575fffaf7d455
(155) Message-Authenticator = XXXXX
(155) State = 0x83aa71c481ae68d0320cb2daa34b3bf1
(155) Finished request
(155) Cleaning up request packet ID 90 with timestamp +2221
(156) Received Access-Request Id 91 from XXXXX:32769 to XXXXX:1812 length
321
(156) User-Name = "XXXX"
(156) Chargeable-User-Identity = 0x00
(156) Location-Capable = Civix-Location
(156) Calling-Station-Id = "XXXXX"
(156) Called-Station-Id = "XXXXX"
(156) NAS-Port = 4
(156) Cisco-AVPair = "audit-session-id=0a40c60a0029fe92b5e20b57"
(156) Acct-Session-Id = "XXXXX"
(156) NAS-IP-Address = XXXXX
(156) NAS-Identifier = "XXXXX"
(156) Airespace-Wlan-Id = 34
(156) Service-Type = Framed-User
(156) Framed-MTU = 1300
(156) NAS-Port-Type = Wireless-802.11
(156) Tunnel-Type:0 = VLAN
(156) Tunnel-Medium-Type:0 = IEEE-802
(156) Tunnel-Private-Group-Id:0 = "807"
(156) EAP-Message =
0x0204002b19001703010020984f9696f0740833946b2c86e0d217c282ae98378bbf9ad96a54e32024e88773
(156) State = 0x83aa71c481ae68d0320cb2daa34b3bf1
(156) Message-Authenticator = 0x67654e881210dd0d4ad47dda94080725
(156) Restoring &session-state
(156) &session-state:unique-session-id = 76144
(156) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(156) authorize {
(156) if (!&session-state:unique-session-id) {
(156) if (!&session-state:unique-session-id) -> FALSE
(156) policy filter_username {
(156) update control {
(156) linelogvar := "request_attrs"
(156) } # update control = noop
(156) [linelog] = ok
(156) if (&User-Name) {
(156) if (&User-Name) -> TRUE
(156) if (&User-Name) {
(156) if (&User-Name =~ /@[^@]*@/ ) {
(156) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(156) if (&User-Name =~ /\.\./ ) {
(156) if (&User-Name =~ /\.\./ ) -> FALSE
(156) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(156) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(156) if (&User-Name =~ /\.$/) {
(156) if (&User-Name =~ /\.$/) -> FALSE
(156) if (&User-Name =~ /@\./) {
(156) if (&User-Name =~ /@\./) -> FALSE
(156) } # if (&User-Name) = ok
(156) } # policy filter_username = ok
(156) eap: Peer sent EAP Response (code 2) ID 4 length 43
(156) eap: Continuing tunnel setup
(156) [eap] = ok
(156) } # authorize = ok
(156) Found Auth-Type = eap
(156) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(156) authenticate {
(156) eap: Expiring EAP session with state 0x83aa71c481ae68d0
(156) eap: Finished EAP session with state 0x83aa71c481ae68d0
(156) eap: Previous EAP request found for state 0x83aa71c481ae68d0,
released from the list
(156) eap: Peer sent packet with method EAP PEAP (25)
(156) eap: Calling submodule eap_peap to process data
(156) eap_peap: Continuing EAP-TLS
(156) eap_peap: [eaptls verify] = ok
(156) eap_peap: Done initial handshake
(156) eap_peap: [eaptls process] = ok
(156) eap_peap: Session established. Decoding tunneled attributes
(156) eap_peap: PEAP state send tlv success
(156) eap_peap: Received EAP-TLV response
(156) eap_peap: Success
(156) eap_peap: No saved attributes in the original Access-Accept
(156) eap: Sending EAP Success (code 3) ID 4 length 4
(156) eap: Freeing handler
(156) [eap] = ok
(156) } # authenticate = ok
(156) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
(156) post-auth {
(156) update {
(156) User-Name := &reply:User-Name -> 'XXXX'
------------------------------> username is update but not the other
attribute
(156) No attributes updated
(156) } # update = noop
(156) if (&reply:Cached-Session-Policy) {
(156) if (&reply:Cached-Session-Policy) -> FALSE
(156) reply_log: EXPAND
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(156) reply_log: -->
/usr/local/var/log/radius/radacct/XXXXX/reply-detail-20160411
(156) reply_log:
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/XXXXX/reply-detail-20160411
(156) reply_log: EXPAND %t
(156) reply_log: --> Mon Apr 11 23:45:36 2016
(156) [reply_log] = ok
(156) sql: EXPAND .query
(156) sql: --> .query
(156) sql: Using query template 'query'
(156) sql: EXPAND %{User-Name}
(156) sql: --> XXXX
(156) sql: SQL-User-Name set to 'XXXX'
(156) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '', '%{reply:Packet-Type}', '%S')
(156) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'XXXX', '', 'Access-Accept', '2016-04-11 23:45:36')
(156) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'XXXX', '', 'Access-Accept', '2016-04-11 23:45:36')
(156) sql: SQL query returned: success
(156) sql: 1 record(s) updated
(156) [sql] = ok
(156) [exec] = noop
(156) update control {
(156) linelogvar := "request_attrs"
(156) } # update control = noop
(156) if (&EAP-Type == "TLS") {
(156) if (&EAP-Type == "TLS") -> FALSE
(156) policy remove_reply_message_if_eap {
(156) if (&reply:EAP-Message && &reply:Reply-Message) {
(156) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(156) else {
(156) [noop] = noop
(156) } # else = noop
(156) } # policy remove_reply_message_if_eap = noop
(156) update control {
(156) linelogvar := "Access-Accept"
(156) } # update control = noop
(156) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
(156) linelog: --> messages.Access-Accept
(156) linelog: EXPAND /usr/local/var/log/radius/linelog
(156) linelog: --> /usr/local/var/log/radius/linelog
(156) linelog: EXPAND
%{md5:%{Acct-Session-Id},%{session-state:unique-session-id}} Result:
Authentication Passed,Access-Accept
(156) linelog: --> 8feb837cb2dce75e588bbf56c457d4fa Result:
Authentication Passed,Access-Accept
(156) [linelog] = ok
(156) update control {
(156) linelogvar := "auth_result_accept_log"
(156) } # update control = noop
(156) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
(156) linelog: --> messages.auth_result_accept_log
(156) linelog: EXPAND /usr/local/var/log/radius/linelog
(156) linelog: --> /usr/local/var/log/radius/linelog
(156) linelog: EXPAND
Access-Request,%T,%{User-Name},%{Calling-Station-Id},%{NAS-IP-Address},%{NAS-Identifier},%{md5:%{Acct-Session-Id},%{session-state:unique-session-id}},Authentication
Passed,%{Called-Station-Id}
(156) linelog: -->
Access-Request,2016-04-11-23.45.36.000000,XXXX,XXXXX,XXXXX,XXXXX,8feb837cb2dce75e588bbf56c457d4fa,Authentication
Passed,XXXXX
(156) [linelog] = ok
(156) update control {
(156) linelogvar := "empty_line"
(156) } # update control = noop
(156) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
(156) linelog: --> messages.empty_line
(156) linelog: EXPAND /usr/local/var/log/radius/linelog
(156) linelog: --> /usr/local/var/log/radius/linelog
(156) linelog: EXPAND
(156) linelog: -->
(156) [linelog] = ok
(156) update {
(156) session-state:unique-session-id !* ANY
(156) } # update = noop
(156) } # post-auth = ok
(156) Sent Access-Accept Id 91 from XXXXX:1812 to XXXXX:32769 length 0
(156) MS-MPPE-Recv-Key =
0x33c5031d6ac9c255a095a57164047d9b16e490c6545a9fb4bd09ad37d619a592
(156) MS-MPPE-Send-Key =
0x0a338ad1dd02e2fbcfb2580a541db5f70acf7b30a2fc947b7ec3b7fbde7eb96d
(156) EAP-Message = 0x03040004
(156) Message-Authenticator = XXXXX
(156) User-Name := "XXXX"
(156) Finished request
(156) Cleaning up request packet ID 91 with timestamp +2221
BR,
Anirudh Malhotra
Mail: 8zero2.in at gmail.com
Facebook: www.facebook.com/8zero2
Twitter: @8zero2_in
Blog: blog.8zero2.in
On Mon, Apr 11, 2016 at 4:04 AM, Alan DeKok <aland at deployingradius.com>
wrote:
> On Apr 9, 2016, at 9:54 PM, Anirudh Malhotra <8zero2ops at gmail.com> wrote:
> > I am doing PEAP with GTC authenticate my LDAP clients, I fetch some
> > attribute in LDAP module and is store it in session-state and later check
> > them in outer post-auth.
>
> That's good.
>
> > I am facing this problem in which when client is re-authenticating and
> the
> > Phase2 is skipped with 'Skipping Phase2 because of session resumption',
> > for expediting the process. The LDAP attribute value is not fetched and
> > hence post-auth doesn't get that value which then fails the
> > authentication(configured like that by me, Set of rules which check value
> > of the attribute and fails by default if none condition is matched or
> > attribute is not fetched)
>
> You will need to cache those attributes. See the "cache" section of the
> "eap" module.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list