problem fetching ldap attribute in inner tunnel

Anirudh Malhotra 8zero2ops at gmail.com
Wed Apr 13 03:47:52 CEST 2016


Hi,

Does anybody have this working? Can you suggest what I am missing?

BR,
Anirudh Malhotra
8zero2
Mail: 8zero2.in at gmail.com
Facebook: www.facebook.com/8zero2
Twitter: @8zero2_in
Blog: blog.8zero2.in

On 12 Apr 2016, 00:16 +0530, Anirudh Malhotra <8zero2ops at gmail.com>, wrote:
> Hi,
> 
> So I used the cache section of eap, and Cached-Session-Policy is getting cached, but somehow it is not getting fetched in the subsequent packet.
> 
> used in default:
> update {
>         User-Name := &reply:User-Name
>         &session-state:wifi := &reply:Cached-Session-Policy
> }
> 
> used in inner-tunnel:
> update reply {
>         User-Name = "%{request:User-Name}"
>         Cached-Session-Policy = "%{outer.session-state:wifi}"
> }
> 
> 
> (155) Received Access-Request Id 90 from XXXXX:32769 to XXXXX:1812 length 343
> (155)User-Name = "XXXX"
> (155)Chargeable-User-Identity = 0x00
> (155)Location-Capable = Civix-Location
> (155)Calling-Station-Id = "XXXXX"
> (155)Called-Station-Id = "XXXXX"
> (155)NAS-Port = 4
> (155)Cisco-AVPair = "audit-session-id=0a40c60a0029fe92b5e20b57"
> (155)Acct-Session-Id = "XXXXX"
> (155)NAS-IP-Address = XXXXX
> (155)NAS-Identifier = "XXXXX"
> (155)Airespace-Wlan-Id = 34
> (155)Service-Type = Framed-User
> (155)Framed-MTU = 1300
> (155)NAS-Port-Type = Wireless-802.11
> (155)Tunnel-Type:0 = VLAN
> (155)Tunnel-Medium-Type:0 = IEEE-802
> (155)Tunnel-Private-Group-Id:0 = "807"
> (155)EAP-Message = 0x0203004119001403010001011603010030a12e158d521c9b698161e9ea82f7b23143927840277f1830d0614bc27690aa72bbc32a104bb193ee0bfbe564d53e8f5a
> (155)State = 0x83aa71c482a968d0320cb2daa34b3bf1
> (155)Message-Authenticator = 0x96e37aa278e02cad4e0e8ed05e0bf13c
> (155) Restoring &session-state
> (155)   &session-state:unique-session-id = 76144
> (155) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
> (155)authorize {
> (155)if (!&session-state:unique-session-id) {
> (155)if (!&session-state:unique-session-id)->FALSE
> (155)policy filter_username {
> (155)update control {
> (155)linelogvar := "request_attrs"
> (155)} # update control = noop
> (155)[linelog] = ok
> (155)if (&User-Name) {
> (155)if (&User-Name)->TRUE
> (155)if (&User-Name){
> (155)if (&User-Name =~ /@[^@]*@/ ) {
> (155)if (&User-Name =~ /@[^@]*@/ )->FALSE
> (155)if (&User-Name =~ /\.\./ ) {
> (155)if (&User-Name =~ /\.\./ )->FALSE
> (155)if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)){
> (155)if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))->FALSE
> (155)if (&User-Name =~ /\.$/){
> (155)if (&User-Name =~ /\.$/)->FALSE
> (155)if (&User-Name =~ /@\./){
> (155)if (&User-Name =~ /@\./)->FALSE
> (155)} # if (&User-Name) = ok
> (155)} # policy filter_username = ok
> (155) eap: Peer sent EAP Response (code 2) ID 3 length 65
> (155) eap: Continuing tunnel setup
> (155)[eap] = ok
> (155)} # authorize = ok
> (155) Found Auth-Type = eap
> (155) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (155)authenticate {
> (155) eap: Expiring EAP session with state 0x83aa71c482a968d0
> (155) eap: Finished EAP session with state 0x83aa71c482a968d0
> (155) eap: Previous EAP request found for state 0x83aa71c482a968d0, released from the list
> (155) eap: Peer sent packet with method EAP PEAP (25)
> (155) eap: Calling submodule eap_peap to process data
> (155) eap_peap: Continuing EAP-TLS
> (155) eap_peap: [eaptls verify] = ok
> (155) eap_peap: Done initial handshake
> (155) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
> (155) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
> (155) eap_peap: TLS_accept: SSLv3 read finished A
> (155) eap_peap: (other): SSL negotiation finished successfully
> (155) eap_peap: SSL Connection Established
> (155) eap_peap: SSL Application Data
> (155) eap_peap: Adding cached attributes from session 8693643200304c6dc4ac65acdcf863be1c9683ef191edf40f44e16a9575211a6
> (155) eap_peap:reply:User-Name = "XXXX"
> (155) eap_peap:reply:Cached-Session-Policy = "7"
> (155) eap_peap: [eaptls process] = success
> (155) eap_peap: Session established.  Decoding tunneled attributes
> (155) eap_peap: PEAP state TUNNEL ESTABLISHED
> (155) eap_peap: Skipping Phase2 because of session resumption
> (155) eap_peap: SUCCESS
> (155) eap: Sending EAP Request (code 1) ID 4 length 43
> (155) eap: EAP session adding &reply:State = 0x83aa71c481ae68d0
> (155)[eap] = handled
> (155)} # authenticate = handled
> (155) Using Post-Auth-Type Challenge
> (155) Post-Auth-Type sub-section not found.  Ignoring.
> (155) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (155) session-state: Saving cached attributes
> (155)unique-session-id = 76144
> (155) Sent Access-Challenge Id 90 from XXXXX:1812 to XXXXX:32769 length 0
> (155)User-Name = "XXXX"
> (155)EAP-Message = 0x0104002b190017030100202e4258578386119f3d858e0645f2069e2908381a88e997d1eb2575fffaf7d455
> (155)Message-Authenticator = XXXXX
> (155)State = 0x83aa71c481ae68d0320cb2daa34b3bf1
> (155) Finished request
> (155) Cleaning up request packet ID 90 with timestamp +2221
> (156) Received Access-Request Id 91 from XXXXX:32769 to XXXXX:1812 length 321
> (156)User-Name = "XXXX"
> (156)Chargeable-User-Identity = 0x00
> (156)Location-Capable = Civix-Location
> (156)Calling-Station-Id = "XXXXX"
> (156)Called-Station-Id = "XXXXX"
> (156)NAS-Port = 4
> (156)Cisco-AVPair = "audit-session-id=0a40c60a0029fe92b5e20b57"
> (156)Acct-Session-Id = "XXXXX"
> (156)NAS-IP-Address = XXXXX
> (156)NAS-Identifier = "XXXXX"
> (156)Airespace-Wlan-Id = 34
> (156)Service-Type = Framed-User
> (156)Framed-MTU = 1300
> (156)NAS-Port-Type = Wireless-802.11
> (156)Tunnel-Type:0 = VLAN
> (156)Tunnel-Medium-Type:0 = IEEE-802
> (156)Tunnel-Private-Group-Id:0 = "807"
> (156)EAP-Message = 0x0204002b19001703010020984f9696f0740833946b2c86e0d217c282ae98378bbf9ad96a54e32024e88773
> (156)State = 0x83aa71c481ae68d0320cb2daa34b3bf1
> (156)Message-Authenticator = 0x67654e881210dd0d4ad47dda94080725
> (156) Restoring &session-state
> (156)   &session-state:unique-session-id = 76144
> (156) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
> (156)authorize {
> (156)if (!&session-state:unique-session-id) {
> (156)if (!&session-state:unique-session-id)->FALSE
> (156)policy filter_username {
> (156)update control {
> (156)linelogvar := "request_attrs"
> (156)} # update control = noop
> (156)[linelog] = ok
> (156)if (&User-Name) {
> (156)if (&User-Name)->TRUE
> (156)if (&User-Name){
> (156)if (&User-Name =~ /@[^@]*@/ ) {
> (156)if (&User-Name =~ /@[^@]*@/ )->FALSE
> (156)if (&User-Name =~ /\.\./ ) {
> (156)if (&User-Name =~ /\.\./ )->FALSE
> (156)if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)){
> (156)if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))->FALSE
> (156)if (&User-Name =~ /\.$/){
> (156)if (&User-Name =~ /\.$/)->FALSE
> (156)if (&User-Name =~ /@\./){
> (156)if (&User-Name =~ /@\./)->FALSE
> (156)} # if (&User-Name) = ok
> (156)} # policy filter_username = ok
> (156) eap: Peer sent EAP Response (code 2) ID 4 length 43
> (156) eap: Continuing tunnel setup
> (156)[eap] = ok
> (156)} # authorize = ok
> (156) Found Auth-Type = eap
> (156) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (156)authenticate {
> (156) eap: Expiring EAP session with state 0x83aa71c481ae68d0
> (156) eap: Finished EAP session with state 0x83aa71c481ae68d0
> (156) eap: Previous EAP request found for state 0x83aa71c481ae68d0, released from the list
> (156) eap: Peer sent packet with method EAP PEAP (25)
> (156) eap: Calling submodule eap_peap to process data
> (156) eap_peap: Continuing EAP-TLS
> (156) eap_peap: [eaptls verify] = ok
> (156) eap_peap: Done initial handshake
> (156) eap_peap: [eaptls process] = ok
> (156) eap_peap: Session established.  Decoding tunneled attributes
> (156) eap_peap: PEAP state send tlv success
> (156) eap_peap: Received EAP-TLV response
> (156) eap_peap: Success
> (156) eap_peap: No saved attributes in the original Access-Accept
> (156) eap: Sending EAP Success (code 3) ID 4 length 4
> (156) eap: Freeing handler
> (156)[eap] = ok
> (156)} # authenticate = ok
> (156) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
> (156)post-auth {
> (156)update {
> (156)User-Name := &reply:User-Name -> 'XXXX' ------------------------------> username is updated but not the other attribute
> (156)No attributes updated
> (156)} # update = noop
> (156)if (&reply:Cached-Session-Policy) {
> (156)if (&reply:Cached-Session-Policy)->FALSE
> (156) reply_log: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
> (156) reply_log:-->/usr/local/var/log/radius/radacct/XXXXX/reply-detail-20160411
> (156) reply_log: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/XXXXX/reply-detail-20160411
> (156) reply_log: EXPAND %t
> (156) reply_log:-->Mon Apr 11 23:45:36 2016
> (156)[reply_log] = ok
> (156) sql: EXPAND .query
> (156) sql:-->.query
> (156) sql: Using query template 'query'
> (156) sql: EXPAND %{User-Name}
> (156) sql:-->XXXX
> (156) sql: SQL-User-Name set to 'XXXX'
> (156) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '', '%{reply:Packet-Type}', '%S')
> (156) sql:-->INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'XXXX', '', 'Access-Accept', '2016-04-11 23:45:36')
> (156) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'XXXX', '', 'Access-Accept', '2016-04-11 23:45:36')
> (156) sql: SQL query returned: success
> (156) sql: 1 record(s) updated
> (156)[sql] = ok
> (156)[exec] = noop
> (156)update control {
> (156)linelogvar := "request_attrs"
> (156)} # update control = noop
> (156)if (&EAP-Type == "TLS") {
> (156)if (&EAP-Type == "TLS")->FALSE
> (156)policy remove_reply_message_if_eap {
> (156)if (&reply:EAP-Message && &reply:Reply-Message) {
> (156)if (&reply:EAP-Message && &reply:Reply-Message)->FALSE
> (156)else {
> (156)[noop] = noop
> (156)} # else = noop
> (156)} # policy remove_reply_message_if_eap = noop
> (156)update control {
> (156)linelogvar := "Access-Accept"
> (156)} # update control = noop
> (156) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
> (156) linelog:-->messages.Access-Accept
> (156) linelog: EXPAND /usr/local/var/log/radius/linelog
> (156) linelog:-->/usr/local/var/log/radius/linelog
> (156) linelog: EXPAND %{md5:%{Acct-Session-Id},%{session-state:unique-session-id}} Result: Authentication Passed,Access-Accept
> (156) linelog:-->8feb837cb2dce75e588bbf56c457d4fa Result: Authentication Passed,Access-Accept
> (156)[linelog] = ok
> (156)update control {
> (156)linelogvar := "auth_result_accept_log"
> (156)} # update control = noop
> (156) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
> (156) linelog:-->messages.auth_result_accept_log
> (156) linelog: EXPAND /usr/local/var/log/radius/linelog
> (156) linelog:-->/usr/local/var/log/radius/linelog
> (156) linelog: EXPAND Access-Request,%T,%{User-Name},%{Calling-Station-Id},%{NAS-IP-Address},%{NAS-Identifier},%{md5:%{Acct-Session-Id},%{session-state:unique-session-id}},Authentication Passed,%{Called-Station-Id}
> (156) linelog:-->Access-Request,2016-04-11-23.45.36.000000,XXXX,XXXXX,XXXXX,XXXXX,8feb837cb2dce75e588bbf56c457d4fa,Authentication Passed,XXXXX
> (156)[linelog] = ok
> (156)update control {
> (156)linelogvar := "empty_line"
> (156)} # update control = noop
> (156) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
> (156) linelog:-->messages.empty_line
> (156) linelog: EXPAND /usr/local/var/log/radius/linelog
> (156) linelog:-->/usr/local/var/log/radius/linelog
> (156) linelog: EXPAND
> (156) linelog:-->
> (156)[linelog] = ok
> (156)update {
> (156)session-state:unique-session-id !* ANY
> (156)} # update = noop
> (156)} # post-auth = ok
> (156) Sent Access-Accept Id 91 from XXXXX:1812 to XXXXX:32769 length 0
> (156)MS-MPPE-Recv-Key = 0x33c5031d6ac9c255a095a57164047d9b16e490c6545a9fb4bd09ad37d619a592
> (156)MS-MPPE-Send-Key = 0x0a338ad1dd02e2fbcfb2580a541db5f70acf7b30a2fc947b7ec3b7fbde7eb96d
> (156)EAP-Message = 0x03040004
> (156)Message-Authenticator = XXXXX
> (156)User-Name := "XXXX"
> (156) Finished request
> (156) Cleaning up request packet ID 91 with timestamp +2221
> 
> 
> BR,
> Anirudh Malhotra
> Mail: 8zero2.in at gmail.com
> Facebook: www.facebook.com/8zero2
> Twitter: @8zero2_in
> Blog: blog.8zero2.in
> 
> On Mon, Apr 11, 2016 at 4:04 AM, Alan DeKok <aland at deployingradius.com> wrote:
> > On Apr 9, 2016, at 9:54 PM, Anirudh Malhotra <8zero2ops at gmail.com> wrote:
> > > I am doing PEAP with GTC to authenticate my LDAP clients. I fetch some
> > > attributes in the LDAP module, store them in session-state and later check
> > > them in the outer post-auth.
> > 
> > That's good.
> > 
> > > I am facing this problem: when a client is re-authenticating and
> > > Phase2 is skipped with 'Skipping Phase2 because of session resumption'
> > > to expedite the process, the LDAP attribute value is not fetched, and
> > > hence post-auth doesn't get that value, which then fails the
> > > authentication (configured like that by me: a set of rules which checks the
> > > value of the attribute and fails by default if no condition is matched or
> > > the attribute is not fetched).
> > 
> > You will need to cache those attributes.  See the "cache" section of the "eap" module.
> > 
> > Alan DeKok.
> > 
> > 
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
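The quoted debug output is long, and the question it raises is one of timing: in which request did eap_peap restore the cached attributes into the reply list, which packet did that request end with, and in which request did the post-auth check run. The script below is an added example, not code from the thread or from the FreeRADIUS project; it reads `radiusd -X` output and answers those three questions per request. It relies only on the line shapes visible in the quoted output (the `(<request>)` prefix, `eap_peap: reply:<attr> = <value>`, `if (...) -> TRUE|FALSE`, `Received`/`Sent` lines), and `SAMPLE_DEBUG` is a constructed, trimmed excerpt of that output with hosts and user names masked as in the original.

```python
"""Correlate FreeRADIUS `radiusd -X` debug output across requests: where did
eap_peap restore cached session attributes into &reply, what packet did that
request end with, and in which request was the attribute tested afterwards.
SAMPLE_DEBUG is a constructed, trimmed excerpt of the debug output quoted above."""
import re

SAMPLE_DEBUG = """\
(155) Received Access-Request Id 90 from XXXXX:32769 to XXXXX:1812 length 343
(155)   User-Name = "XXXX"
(155) eap_peap: Adding cached attributes from session 8693643200304c6dc4ac65acdcf863be1c9683ef191edf40f44e16a9575211a6
(155)   eap_peap: reply:User-Name = "XXXX"
(155)   eap_peap: reply:Cached-Session-Policy = "7"
(155) eap_peap: Skipping Phase2 because of session resumption
(155) Using Post-Auth-Type Challenge
(155) Post-Auth-Type sub-section not found.  Ignoring.
(155) Sent Access-Challenge Id 90 from XXXXX:1812 to XXXXX:32769 length 0
(156) Received Access-Request Id 91 from XXXXX:32769 to XXXXX:1812 length 321
(156)   User-Name = "XXXX"
(156) eap_peap: No saved attributes in the original Access-Accept
(156) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(156)     if (&reply:Cached-Session-Policy) {
(156)     if (&reply:Cached-Session-Policy)  -> FALSE
(156) Sent Access-Accept Id 91 from XXXXX:1812 to XXXXX:32769 length 0
"""

# Line shapes taken from the quoted debug output; every line starts with "(<request>)".
RE_RECV = re.compile(r"^\((\d+)\)\s*Received (Access-\S+) Id (\d+)")
RE_CACHED = re.compile(r"^\((\d+)\)\s*eap_peap:\s*reply:(\S+) = (.+)$")
RE_RESUMED = re.compile(r"^\((\d+)\)\s*eap_peap: Skipping Phase2 because of session resumption")
RE_NO_SAVED = re.compile(r"^\((\d+)\)\s*eap_peap: No saved attributes")
RE_POST_AUTH_TYPE = re.compile(r"^\((\d+)\)\s*Using Post-Auth-Type (\S+)")
RE_PAT_MISSING = re.compile(r"^\((\d+)\)\s*Post-Auth-Type sub-section not found")
RE_COND = re.compile(r"^\((\d+)\)\s*if \((.+)\)\s*->\s*(TRUE|FALSE)\s*$")
RE_SENT = re.compile(r"^\((\d+)\)\s*Sent (Access-\S+) Id (\d+)")

# Each handler records one fact on the per-request dict `r` from match `m`.
_HANDLERS = (
    (RE_RECV, lambda r, m: r.update(packet_id=int(m.group(3)))),
    (RE_CACHED, lambda r, m: r["cached_reply"].update({m.group(2): m.group(3)})),
    (RE_RESUMED, lambda r, m: r.update(resumed=True)),
    (RE_NO_SAVED, lambda r, m: r.update(no_saved=True)),
    (RE_POST_AUTH_TYPE, lambda r, m: r.update(post_auth_type=m.group(2))),
    (RE_PAT_MISSING, lambda r, m: r.update(post_auth_type_missing=True)),
    (RE_COND, lambda r, m: r["conditions"].append((m.group(2), m.group(3)))),
    (RE_SENT, lambda r, m: r.update(sent=m.group(2))),
)


def _new_request():
    # cached_reply: attributes eap_peap restored into &reply in this request;
    # conditions: (condition text, "TRUE"/"FALSE") in evaluation order;
    # sent: the packet type the request ended with.
    return {"packet_id": None, "cached_reply": {}, "resumed": False, "no_saved": False,
            "post_auth_type": None, "post_auth_type_missing": False,
            "conditions": [], "sent": None}


def parse_debug(text):
    """Group debug lines by request number and pull out the facts listed above."""
    reqs = {}
    for line in text.splitlines():
        for regex, apply in _HANDLERS:
            m = regex.match(line)
            if m:
                apply(reqs.setdefault(m.group(1), _new_request()), m)
                break
    return reqs


def restored_in_final_accept(reqs, attr):
    """True only if a request that ended with Access-Accept also had `attr`
    restored from the session cache into its own &reply list."""
    return any(attr in r["cached_reply"] and r["sent"] == "Access-Accept"
               for r in reqs.values())


def diagnose(reqs, attr):
    """Timeline of what the log says about `attr`, in request order."""
    events = []
    for rid in sorted(reqs, key=int):
        r = reqs[rid]
        if attr in r["cached_reply"]:
            events.append({"request": rid, "event": "restored", "value": r["cached_reply"][attr],
                           "sent": r["sent"], "post_auth_type": r["post_auth_type"],
                           "post_auth_type_missing": r["post_auth_type_missing"]})
        for cond, result in r["conditions"]:
            if attr in cond:
                events.append({"request": rid, "event": "checked", "condition": cond,
                               "result": result, "no_saved": r["no_saved"], "sent": r["sent"]})
    return events


if __name__ == "__main__":
    parsed = parse_debug(SAMPLE_DEBUG)
    for event in diagnose(parsed, "Cached-Session-Policy"):
        print(event)
    print("restored in final Access-Accept:", restored_in_final_accept(parsed, "Cached-Session-Policy"))
```

Run against the excerpt, the timeline shows `Cached-Session-Policy` restored in request 155, which ended with an Access-Challenge and whose `Post-Auth-Type Challenge` had no sub-section, and then checked in request 156, which reported "No saved attributes" and ended with the Access-Accept. Feeding it a full `radiusd -X` capture (`parse_debug(open(path).read())`) gives the same per-request view for any attribute name, which is a quicker way to locate this kind of timing mismatch than reading the output by hand.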


More information about the Freeradius-Users mailing list