freeradius update attributes in access-accept reply

Alan DeKok aland at deployingradius.com
Tue Feb 23 16:33:43 CET 2016


On Feb 23, 2016, at 10:27 AM, Kiefer, Jonas <jonas.kiefer at classen.de> wrote:
> I am running freeradius on ubuntu 14.04 LTS with mysql and daloradius.
> Now I try to authenticate a user via RADIUS on a Procurve Switch.
> 
> But the problem is that the configured Service-Type attribute is not sent in the Access-Accept message.
> Only in the Access-Challenge messages is the attribute sent to the procurve switch.
> I need it in the Access-Accept reply message.

  That's typically because you're adding the Service-Type via the SQL module.  And then you're not running the SQL module for the last packet.
> This is my logfile from the radiusserver:
> Tue Feb 23 15:45:33 2016 : Info: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Aug 26 2015 at 14:47:03

  You should really upgrade to a recent version of the server.
> 
> Tue Feb 23 15:45:41 2016 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Tue Feb 23 15:45:41 2016 : Info: !!!    Replacing User-Password in config items with Cleartext-Password.     !!!
> Tue Feb 23 15:45:41 2016 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Tue Feb 23 15:45:41 2016 : Info: !!! Please update your configuration so that the "known good"               !!!
> Tue Feb 23 15:45:41 2016 : Info: !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> Tue Feb 23 15:45:41 2016 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  Fix that, too.  Putting "User-Password" in the configuration has been wrong for 10 years.

  And the final packet:

> rad_recv: Access-Request packet from host 192.168.6.211 port 1812, id=150, length=168
>                User-Name = "1234"
>                NAS-IP-Address = 211.6.168.192
>                NAS-Identifier = "SWITCH01-TEST"
>                NAS-Port-Type = Virtual
>                Service-Type = NAS-Prompt-User
>                State = 0x0d497f860a4166663cf1bfd5de864a48
>                EAP-Message = 0x0208002b19001703010020358541ebeef1d422e9a8abf682c3ff01eccba593fee137a12c3d3fe651a8c471
>                Message-Authenticator = 0xd046b2197cd82e8855887dbd74e9edd3
>                MS-RAS-Vendor = 184549376
>                Calling-Station-Id = "192.168.14.114"
> Tue Feb 23 15:45:42 2016 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
> Tue Feb 23 15:45:42 2016 : Info: +- entering group authorize {...}
> Tue Feb 23 15:45:42 2016 : Info: ++[preprocess] returns ok
> Tue Feb 23 15:45:42 2016 : Info: ++[chap] returns noop
> Tue Feb 23 15:45:42 2016 : Info: ++[mschap] returns noop
> Tue Feb 23 15:45:42 2016 : Info: ++[digest] returns noop
> Tue Feb 23 15:45:42 2016 : Info: [suffix] No '@' in User-Name = "1234", looking up realm NULL
> Tue Feb 23 15:45:42 2016 : Info: [suffix] No such realm "NULL"
> Tue Feb 23 15:45:42 2016 : Info: ++[suffix] returns noop
> Tue Feb 23 15:45:42 2016 : Info: [eap] EAP packet type response id 8 length 43
> Tue Feb 23 15:45:42 2016 : Info: [eap] Continuing tunnel setup.
> Tue Feb 23 15:45:42 2016 : Info: ++[eap] returns ok
> Tue Feb 23 15:45:42 2016 : Info: Found Auth-Type = EAP
> Tue Feb 23 15:45:42 2016 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
> Tue Feb 23 15:45:42 2016 : Info: +- entering group authenticate {...}
> Tue Feb 23 15:45:42 2016 : Info: [eap] Request found, released from the list
> Tue Feb 23 15:45:42 2016 : Info: [eap] EAP/peap
> Tue Feb 23 15:45:42 2016 : Info: [eap] processing type peap
> Tue Feb 23 15:45:42 2016 : Info: [peap] processing EAP-TLS
> Tue Feb 23 15:45:42 2016 : Info: [peap] eaptls_verify returned 7
> Tue Feb 23 15:45:42 2016 : Info: [peap] Done initial handshake
> Tue Feb 23 15:45:42 2016 : Info: [peap] eaptls_process returned 7
> Tue Feb 23 15:45:42 2016 : Info: [peap] EAPTLS_OK
> Tue Feb 23 15:45:42 2016 : Info: [peap] Session established.  Decoding tunneled attributes.
> Tue Feb 23 15:45:42 2016 : Info: [peap] Peap state send tlv success
> Tue Feb 23 15:45:42 2016 : Info: [peap] Received EAP-TLV response.
> Tue Feb 23 15:45:42 2016 : Info: [peap] Success
> Tue Feb 23 15:45:42 2016 : Info: [peap] Using saved attributes from the original Access-Accept
>                User-Name = "1234"
> Tue Feb 23 15:45:42 2016 : Info: [eap] Freeing handler
> Tue Feb 23 15:45:42 2016 : Info: ++[eap] returns ok

  You're not running SQL here.  So, configure the server to run SQL before EAP, not after EAP.

  Alan DeKok.
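As an added illustration of the fix Alan describes (this is not configuration from the thread or from the FreeRADIUS project; it assumes a stock 2.x `sites-enabled/default` whose `authorize` section lists `eap { ok = return }` before `sql`), here is the `authorize` section with `sql` moved above `eap`. The comments explain why the stock order drops the SQL reply attributes on the final PEAP packet shown in the log above:

```unlang
# Added example, not from the original thread.  Assumed layout of the
# authorize section in /etc/freeradius/sites-enabled/default (2.x).
#
# In the stock file "eap { ok = return }" sits ABOVE "sql".  On the last
# PEAP packet eap returns "ok", the "ok = return" exits the section at
# once, and sql never runs.  That matches the log above, where [sql]
# does not appear before the Access-Accept, so the Service-Type stored
# in radreply is never added to the reply.
authorize {
	preprocess
	chap
	mschap
	digest
	suffix

	# Run SQL before EAP.  The radcheck/radreply rows for the user are
	# then loaded on every packet, including the final one that turns
	# into the Access-Accept, so reply attributes such as
	# Service-Type reach the outer reply sent to the switch.
	sql

	# eap still short-circuits the rest of the section once it has
	# taken the packet, but sql has already added its attributes.
	eap {
		ok = return
	}

	files
	expiration
	logintime
	pap
}
```

After changing the order, restart the server and confirm in the debug output that `[sql]` runs before `[eap]` on the final Access-Request. The startup warning quoted earlier is a separate item: the "known good" password in the `radcheck` row must be stored under the attribute name `Cleartext-Password` (operator `:=`), not `User-Password`, which is what the server was asking for in that banner.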
