problem fetching ldap attribute in inner tunnel

Anirudh Malhotra 8zero2ops at gmail.com
Mon Apr 11 20:46:14 CEST 2016


Hi,

So I used the cache section of eap, and Cached-Session-Policy is getting
cached, but somehow it is not getting fetched in the subsequent packet.

used in default (post-auth):
update {
        # copy what the inner tunnel returned into session-state so it is
        # restored with the next packet of the same EAP conversation
        User-Name := &reply:User-Name
        &session-state:wifi := &reply:Cached-Session-Policy
}

used in inner-tunnel:
update reply {
        # set the inner reply attribute from the outer request's session-state
        User-Name = "%{request:User-Name}"
        Cached-Session-Policy = "%{outer.session-state:wifi}"
}


(155) Received Access-Request Id 90 from XXXXX:32769 to XXXXX:1812 length
343
(155)   User-Name = "XXXX"
(155)   Chargeable-User-Identity = 0x00
(155)   Location-Capable = Civix-Location
(155)   Calling-Station-Id = "XXXXX"
(155)   Called-Station-Id = "XXXXX"
(155)   NAS-Port = 4
(155)   Cisco-AVPair = "audit-session-id=0a40c60a0029fe92b5e20b57"
(155)   Acct-Session-Id = "XXXXX"
(155)   NAS-IP-Address = XXXXX
(155)   NAS-Identifier = "XXXXX"
(155)   Airespace-Wlan-Id = 34
(155)   Service-Type = Framed-User
(155)   Framed-MTU = 1300
(155)   NAS-Port-Type = Wireless-802.11
(155)   Tunnel-Type:0 = VLAN
(155)   Tunnel-Medium-Type:0 = IEEE-802
(155)   Tunnel-Private-Group-Id:0 = "807"
(155)   EAP-Message =
0x0203004119001403010001011603010030a12e158d521c9b698161e9ea82f7b23143927840277f1830d0614bc27690aa72bbc32a104bb193ee0bfbe564d53e8f5a
(155)   State = 0x83aa71c482a968d0320cb2daa34b3bf1
(155)   Message-Authenticator = 0x96e37aa278e02cad4e0e8ed05e0bf13c
(155) Restoring &session-state
(155)   &session-state:unique-session-id = 76144
(155) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(155)   authorize {
(155)     if (!&session-state:unique-session-id) {
(155)     if (!&session-state:unique-session-id)  -> FALSE
(155)     policy filter_username {
(155)       update control {
(155)         linelogvar := "request_attrs"
(155)       } # update control = noop
(155)       [linelog] = ok
(155)       if (&User-Name) {
(155)       if (&User-Name)  -> TRUE
(155)       if (&User-Name)  {
(155)         if (&User-Name =~ /@[^@]*@/ ) {
(155)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(155)         if (&User-Name =~ /\.\./ ) {
(155)         if (&User-Name =~ /\.\./ )  -> FALSE
(155)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(155)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(155)         if (&User-Name =~ /\.$/)  {
(155)         if (&User-Name =~ /\.$/)   -> FALSE
(155)         if (&User-Name =~ /@\./)  {
(155)         if (&User-Name =~ /@\./)   -> FALSE
(155)       } # if (&User-Name)  = ok
(155)     } # policy filter_username = ok
(155) eap: Peer sent EAP Response (code 2) ID 3 length 65
(155) eap: Continuing tunnel setup
(155)     [eap] = ok
(155)   } # authorize = ok
(155) Found Auth-Type = eap
(155) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(155)   authenticate {
(155) eap: Expiring EAP session with state 0x83aa71c482a968d0
(155) eap: Finished EAP session with state 0x83aa71c482a968d0
(155) eap: Previous EAP request found for state 0x83aa71c482a968d0,
released from the list
(155) eap: Peer sent packet with method EAP PEAP (25)
(155) eap: Calling submodule eap_peap to process data
(155) eap_peap: Continuing EAP-TLS
(155) eap_peap: [eaptls verify] = ok
(155) eap_peap: Done initial handshake
(155) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(155) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(155) eap_peap: TLS_accept: SSLv3 read finished A
(155) eap_peap: (other): SSL negotiation finished successfully
(155) eap_peap: SSL Connection Established
(155) eap_peap: SSL Application Data
(155) eap_peap: Adding cached attributes from session
8693643200304c6dc4ac65acdcf863be1c9683ef191edf40f44e16a9575211a6
(155) eap_peap:   reply:User-Name = "XXXX"
(155) eap_peap:   reply:Cached-Session-Policy = "7"
(155) eap_peap: [eaptls process] = success
(155) eap_peap: Session established.  Decoding tunneled attributes
(155) eap_peap: PEAP state TUNNEL ESTABLISHED
(155) eap_peap: Skipping Phase2 because of session resumption
(155) eap_peap: SUCCESS
(155) eap: Sending EAP Request (code 1) ID 4 length 43
(155) eap: EAP session adding &reply:State = 0x83aa71c481ae68d0
(155)     [eap] = handled
(155)   } # authenticate = handled
(155) Using Post-Auth-Type Challenge
(155) Post-Auth-Type sub-section not found.  Ignoring.
(155) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(155) session-state: Saving cached attributes
(155)   unique-session-id = 76144
(155) Sent Access-Challenge Id 90 from XXXXX:1812 to XXXXX:32769 length 0
(155)   User-Name = "XXXX"
(155)   EAP-Message =
0x0104002b190017030100202e4258578386119f3d858e0645f2069e2908381a88e997d1eb2575fffaf7d455
(155)   Message-Authenticator = XXXXX
(155)   State = 0x83aa71c481ae68d0320cb2daa34b3bf1
(155) Finished request
(155) Cleaning up request packet ID 90 with timestamp +2221
(156) Received Access-Request Id 91 from XXXXX:32769 to XXXXX:1812 length
321
(156)   User-Name = "XXXX"
(156)   Chargeable-User-Identity = 0x00
(156)   Location-Capable = Civix-Location
(156)   Calling-Station-Id = "XXXXX"
(156)   Called-Station-Id = "XXXXX"
(156)   NAS-Port = 4
(156)   Cisco-AVPair = "audit-session-id=0a40c60a0029fe92b5e20b57"
(156)   Acct-Session-Id = "XXXXX"
(156)   NAS-IP-Address = XXXXX
(156)   NAS-Identifier = "XXXXX"
(156)   Airespace-Wlan-Id = 34
(156)   Service-Type = Framed-User
(156)   Framed-MTU = 1300
(156)   NAS-Port-Type = Wireless-802.11
(156)   Tunnel-Type:0 = VLAN
(156)   Tunnel-Medium-Type:0 = IEEE-802
(156)   Tunnel-Private-Group-Id:0 = "807"
(156)   EAP-Message =
0x0204002b19001703010020984f9696f0740833946b2c86e0d217c282ae98378bbf9ad96a54e32024e88773
(156)   State = 0x83aa71c481ae68d0320cb2daa34b3bf1
(156)   Message-Authenticator = 0x67654e881210dd0d4ad47dda94080725
(156) Restoring &session-state
(156)   &session-state:unique-session-id = 76144
(156) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(156)   authorize {
(156)     if (!&session-state:unique-session-id) {
(156)     if (!&session-state:unique-session-id)  -> FALSE
(156)     policy filter_username {
(156)       update control {
(156)         linelogvar := "request_attrs"
(156)       } # update control = noop
(156)       [linelog] = ok
(156)       if (&User-Name) {
(156)       if (&User-Name)  -> TRUE
(156)       if (&User-Name)  {
(156)         if (&User-Name =~ /@[^@]*@/ ) {
(156)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(156)         if (&User-Name =~ /\.\./ ) {
(156)         if (&User-Name =~ /\.\./ )  -> FALSE
(156)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(156)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(156)         if (&User-Name =~ /\.$/)  {
(156)         if (&User-Name =~ /\.$/)   -> FALSE
(156)         if (&User-Name =~ /@\./)  {
(156)         if (&User-Name =~ /@\./)   -> FALSE
(156)       } # if (&User-Name)  = ok
(156)     } # policy filter_username = ok
(156) eap: Peer sent EAP Response (code 2) ID 4 length 43
(156) eap: Continuing tunnel setup
(156)     [eap] = ok
(156)   } # authorize = ok
(156) Found Auth-Type = eap
(156) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(156)   authenticate {
(156) eap: Expiring EAP session with state 0x83aa71c481ae68d0
(156) eap: Finished EAP session with state 0x83aa71c481ae68d0
(156) eap: Previous EAP request found for state 0x83aa71c481ae68d0,
released from the list
(156) eap: Peer sent packet with method EAP PEAP (25)
(156) eap: Calling submodule eap_peap to process data
(156) eap_peap: Continuing EAP-TLS
(156) eap_peap: [eaptls verify] = ok
(156) eap_peap: Done initial handshake
(156) eap_peap: [eaptls process] = ok
(156) eap_peap: Session established.  Decoding tunneled attributes
(156) eap_peap: PEAP state send tlv success
(156) eap_peap: Received EAP-TLV response
(156) eap_peap: Success
(156) eap_peap: No saved attributes in the original Access-Accept
(156) eap: Sending EAP Success (code 3) ID 4 length 4
(156) eap: Freeing handler
(156)     [eap] = ok
(156)   } # authenticate = ok
(156) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
(156)   post-auth {
(156)     update {
(156)       User-Name := &reply:User-Name -> 'XXXX'
------------------------------> username is updated but not the other attribute
(156)       No attributes updated
(156)     } # update = noop
(156)     if (&reply:Cached-Session-Policy) {
(156)     if (&reply:Cached-Session-Policy)  -> FALSE
(156) reply_log: EXPAND
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(156) reply_log:    -->
/usr/local/var/log/radius/radacct/XXXXX/reply-detail-20160411
(156) reply_log:
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/XXXXX/reply-detail-20160411
(156) reply_log: EXPAND %t
(156) reply_log:    --> Mon Apr 11 23:45:36 2016
(156)     [reply_log] = ok
(156) sql: EXPAND .query
(156) sql:    --> .query
(156) sql: Using query template 'query'
(156) sql: EXPAND %{User-Name}
(156) sql:    --> XXXX
(156) sql: SQL-User-Name set to 'XXXX'
(156) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '', '%{reply:Packet-Type}', '%S')
(156) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'XXXX', '', 'Access-Accept', '2016-04-11 23:45:36')
(156) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'XXXX', '', 'Access-Accept', '2016-04-11 23:45:36')
(156) sql: SQL query returned: success
(156) sql: 1 record(s) updated
(156)     [sql] = ok
(156)     [exec] = noop
(156)     update control {
(156)       linelogvar := "request_attrs"
(156)     } # update control = noop
(156)     if (&EAP-Type == "TLS") {
(156)     if (&EAP-Type == "TLS")  -> FALSE
(156)     policy remove_reply_message_if_eap {
(156)       if (&reply:EAP-Message && &reply:Reply-Message) {
(156)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(156)       else {
(156)         [noop] = noop
(156)       } # else = noop
(156)     } # policy remove_reply_message_if_eap = noop
(156)     update control {
(156)       linelogvar := "Access-Accept"
(156)     } # update control = noop
(156) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
(156) linelog:    --> messages.Access-Accept
(156) linelog: EXPAND /usr/local/var/log/radius/linelog
(156) linelog:    --> /usr/local/var/log/radius/linelog
(156) linelog: EXPAND
%{md5:%{Acct-Session-Id},%{session-state:unique-session-id}} Result:
Authentication Passed,Access-Accept
(156) linelog:    --> 8feb837cb2dce75e588bbf56c457d4fa Result:
Authentication Passed,Access-Accept
(156)     [linelog] = ok
(156)     update control {
(156)       linelogvar := "auth_result_accept_log"
(156)     } # update control = noop
(156) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
(156) linelog:    --> messages.auth_result_accept_log
(156) linelog: EXPAND /usr/local/var/log/radius/linelog
(156) linelog:    --> /usr/local/var/log/radius/linelog
(156) linelog: EXPAND
Access-Request,%T,%{User-Name},%{Calling-Station-Id},%{NAS-IP-Address},%{NAS-Identifier},%{md5:%{Acct-Session-Id},%{session-state:unique-session-id}},Authentication
Passed,%{Called-Station-Id}
(156) linelog:    -->
Access-Request,2016-04-11-23.45.36.000000,XXXX,XXXXX,XXXXX,XXXXX,8feb837cb2dce75e588bbf56c457d4fa,Authentication
Passed,XXXXX
(156)     [linelog] = ok
(156)     update control {
(156)       linelogvar := "empty_line"
(156)     } # update control = noop
(156) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
(156) linelog:    --> messages.empty_line
(156) linelog: EXPAND /usr/local/var/log/radius/linelog
(156) linelog:    --> /usr/local/var/log/radius/linelog
(156) linelog: EXPAND
(156) linelog:    -->
(156)     [linelog] = ok
(156)     update {
(156)       session-state:unique-session-id !* ANY
(156)     } # update = noop
(156)   } # post-auth = ok
(156) Sent Access-Accept Id 91 from XXXXX:1812 to XXXXX:32769 length 0
(156)   MS-MPPE-Recv-Key =
0x33c5031d6ac9c255a095a57164047d9b16e490c6545a9fb4bd09ad37d619a592
(156)   MS-MPPE-Send-Key =
0x0a338ad1dd02e2fbcfb2580a541db5f70acf7b30a2fc947b7ec3b7fbde7eb96d
(156)   EAP-Message = 0x03040004
(156)   Message-Authenticator = XXXXX
(156)   User-Name := "XXXX"
(156) Finished request
(156) Cleaning up request packet ID 91 with timestamp +2221


BR,
Anirudh Malhotra
Mail: 8zero2.in at gmail.com
Facebook: www.facebook.com/8zero2
Twitter: @8zero2_in
Blog: blog.8zero2.in

On Mon, Apr 11, 2016 at 4:04 AM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Apr 9, 2016, at 9:54 PM, Anirudh Malhotra <8zero2ops at gmail.com> wrote:
> > I am doing PEAP with GTC to authenticate my LDAP clients. I fetch some
> > attributes in the LDAP module, store them in session-state and later check
> > them in outer post-auth.
>
>   That's good.
>
> > I am facing this problem in which, when the client is re-authenticating and
> > Phase2 is skipped with 'Skipping Phase2 because of session resumption' to
> > expedite the process, the LDAP attribute value is not fetched and hence
> > post-auth doesn't get that value, which then fails the authentication
> > (configured like that by me: a set of rules which check the value of the
> > attribute and fail by default if no condition is matched or the attribute
> > is not fetched).
>
>   You will need to cache those attributes.  See the "cache" section of the
> "eap" module.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
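The debug output above shows the symptom across two requests: (155) restores the cached reply attributes and then answers with an Access-Challenge, while (156), the request that sends the Access-Accept, no longer has them and the post-auth check on &reply:Cached-Session-Policy evaluates FALSE. The script below is an added example for this thread, not code from the original post and not part of FreeRADIUS. It parses radiusd -X output of the shape shown above, groups lines by request number, and reports where cached attributes were restored relative to the packet each request finally sent. The embedded sample log is a constructed, trimmed copy of the lines in this post (same request numbers, same XXXX placeholders); the attribute name Cached-Session-Policy is taken from the post.

```python
"""Check radiusd -X output for reply attributes that were restored from the EAP
TLS session cache but never reached the final Access-Accept.

Added example for this thread; not FreeRADIUS code and not the poster's
configuration.  It reads only the debug line format shown in the post.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed copy of the debug lines from the post, keeping
# the same request numbers (155, 156) and the same XXXX placeholders.
SAMPLE_LOG = """\
(155) Received Access-Request Id 90 from XXXXX:32769 to XXXXX:1812 length 343
(155) eap_peap: SSL Connection Established
(155) eap_peap: Adding cached attributes from session 8693643200304c6dc4ac65acdcf863be1c9683ef191edf40f44e16a9575211a6
(155) eap_peap:   reply:User-Name = "XXXX"
(155) eap_peap:   reply:Cached-Session-Policy = "7"
(155) eap_peap: [eaptls process] = success
(155) eap_peap: Skipping Phase2 because of session resumption
(155) Sent Access-Challenge Id 90 from XXXXX:1812 to XXXXX:32769 length 0
(155) Finished request
(156) Received Access-Request Id 91 from XXXXX:32769 to XXXXX:1812 length 321
(156) eap_peap: No saved attributes in the original Access-Accept
(156)     if (&reply:Cached-Session-Policy)  -> FALSE
(156) Sent Access-Accept Id 91 from XXXXX:1812 to XXXXX:32769 length 0
(156) Finished request
"""

# Every radiusd -X line belonging to a request starts with "(N)".  Lines that a
# mail client wrapped lose that prefix and are simply skipped.
REQ_RE = re.compile(r"^\((\d+)\)\s*(.*)$")
CACHED_ATTR_RE = re.compile(r"^eap_\w+:\s+reply:([\w-]+)\s*=\s*(.*)$")
SENT_RE = re.compile(r"^Sent (Access-\w+) Id \d+")
COND_RE = re.compile(r"^if \((.*?)\)\s+->\s+(TRUE|FALSE)$")


@dataclass
class RequestTrace:
    number: int
    resumed: bool = False                                   # Phase2 skipped due to session resumption
    cached: Dict[str, str] = field(default_factory=dict)    # attrs restored from the TLS session cache
    sent: Optional[str] = None                              # packet type this request answered with
    conditions: List[Tuple[str, str]] = field(default_factory=list)  # (expression, "TRUE"/"FALSE")


def parse_debug(text: str) -> Dict[int, RequestTrace]:
    """Group debug lines by request number and pull out the fields above."""
    traces: Dict[int, RequestTrace] = {}
    cached_block: Optional[int] = None   # request whose "Adding cached attributes" list is open
    for raw in text.splitlines():
        m = REQ_RE.match(raw)
        if not m:
            continue
        num, body = int(m.group(1)), m.group(2).strip()
        tr = traces.setdefault(num, RequestTrace(num))
        if "Adding cached attributes from session" in body:
            cached_block = num
            continue
        if cached_block == num:
            am = CACHED_ATTR_RE.match(body)
            if am:
                tr.cached[am.group(1)] = am.group(2).strip('"')
                continue
            cached_block = None          # first non-attribute line closes the list
        if "Skipping Phase2 because of session resumption" in body:
            tr.resumed = True
        sm = SENT_RE.match(body)
        if sm:
            tr.sent = sm.group(1)
        cm = COND_RE.match(body)
        if cm:
            tr.conditions.append((cm.group(1), cm.group(2)))
    return traces


def diagnose(traces: Dict[int, RequestTrace],
             attribute: str = "Cached-Session-Policy") -> List[str]:
    """Report where the attribute was restored versus where the Access-Accept went out.

    Each Access-Request is processed as its own request with its own reply
    list; only session-state is carried from one packet of an EAP conversation
    to the next.  An attribute restored into the reply of a request that ends
    with Access-Challenge is therefore gone when the Access-Accept is built.
    """
    findings: List[str] = []
    for tr in sorted(traces.values(), key=lambda t: t.number):
        if attribute in tr.cached and tr.sent != "Access-Accept":
            findings.append(
                f"({tr.number}) {attribute}={tr.cached[attribute]!r} restored from the "
                f"TLS session cache, but this request ended with {tr.sent}; its reply "
                f"list is discarded with the request")
        for expr, result in tr.conditions:
            if attribute in expr and result == "FALSE" and tr.sent == "Access-Accept":
                findings.append(
                    f"({tr.number}) check on {attribute} evaluated FALSE in the request "
                    f"that sent Access-Accept")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_debug(SAMPLE_LOG)):
        print(line)
```

Run it over a full radiusd -X capture (read the file into parse_debug instead of SAMPLE_LOG) to see which request numbers restored the cached attributes and which one actually sent the Access-Accept; in the poster's log those are (155) and (156) respectively, which is why the post-auth check sees nothing in &reply.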


More information about the Freeradius-Users mailing list