Re: freeradius update attributes in access-accept reply
Kiefer, Jonas
jonas.kiefer at classen.de
Tue Feb 23 16:46:29 CET 2016
Hello Allan,
thanks for the fast answer.
Now it works fine.
In the section "Post-Auth-Type Reject {}" I uncommented the sql string. After that it finally works.
Next I will upgrade the server.
Thx!
Best regards
Jonas
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+jonas.kiefer=classen.de at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, 23 February 2016 16:34
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: freeradius update attributes in access-accept reply
On Feb 23, 2016, at 10:27 AM, Kiefer, Jonas <jonas.kiefer at classen.de> wrote:
> I am running freeradius on ubuntu 14.04 LTS with mysql and daloradius.
> Now I am trying to authenticate a user via RADIUS on a Procurve switch.
>
> But the problem is that the configured Service-Type attribute is not sent in the Access-Accept message.
> Only in the Access-Challenge messages is the attribute sent to the Procurve switch.
> I need it in the Access-Accept reply message.
That's typically because you're adding the Service-Type via the SQL module. And then you're not running the SQL module for the last packet.
> This is my logfile from the radiusserver:
> Tue Feb 23 15:45:33 2016 : Info: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Aug 26 2015 at 14:47:03
You should really upgrade to a recent version of the server.
>
> Tue Feb 23 15:45:41 2016 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Tue Feb 23 15:45:41 2016 : Info: !!! Replacing User-Password in config items with Cleartext-Password. !!!
> Tue Feb 23 15:45:41 2016 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Tue Feb 23 15:45:41 2016 : Info: !!! Please update your configuration so that the "known good" !!!
> Tue Feb 23 15:45:41 2016 : Info: !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> Tue Feb 23 15:45:41 2016 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Fix that, too. Putting "User-Password" in the configuration has been wrong for 10 years.
And the final packet:
> rad_recv: Access-Request packet from host 192.168.6.211 port 1812, id=150, length=168
> User-Name = "1234"
> NAS-IP-Address = 211.6.168.192
> NAS-Identifier = "SWITCH01-TEST"
> NAS-Port-Type = Virtual
> Service-Type = NAS-Prompt-User
> State = 0x0d497f860a4166663cf1bfd5de864a48
> EAP-Message = 0x0208002b19001703010020358541ebeef1d422e9a8abf682c3ff01eccba593fee137a12c3d3fe651a8c471
> Message-Authenticator = 0xd046b2197cd82e8855887dbd74e9edd3
> MS-RAS-Vendor = 184549376
> Calling-Station-Id = "192.168.14.114"
> Tue Feb 23 15:45:42 2016 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
> Tue Feb 23 15:45:42 2016 : Info: +- entering group authorize {...}
> Tue Feb 23 15:45:42 2016 : Info: ++[preprocess] returns ok
> Tue Feb 23 15:45:42 2016 : Info: ++[chap] returns noop
> Tue Feb 23 15:45:42 2016 : Info: ++[mschap] returns noop
> Tue Feb 23 15:45:42 2016 : Info: ++[digest] returns noop
> Tue Feb 23 15:45:42 2016 : Info: [suffix] No '@' in User-Name = "1234", looking up realm NULL
> Tue Feb 23 15:45:42 2016 : Info: [suffix] No such realm "NULL"
> Tue Feb 23 15:45:42 2016 : Info: ++[suffix] returns noop
> Tue Feb 23 15:45:42 2016 : Info: [eap] EAP packet type response id 8 length 43
> Tue Feb 23 15:45:42 2016 : Info: [eap] Continuing tunnel setup.
> Tue Feb 23 15:45:42 2016 : Info: ++[eap] returns ok
> Tue Feb 23 15:45:42 2016 : Info: Found Auth-Type = EAP
> Tue Feb 23 15:45:42 2016 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
> Tue Feb 23 15:45:42 2016 : Info: +- entering group authenticate {...}
> Tue Feb 23 15:45:42 2016 : Info: [eap] Request found, released from the list
> Tue Feb 23 15:45:42 2016 : Info: [eap] EAP/peap
> Tue Feb 23 15:45:42 2016 : Info: [eap] processing type peap
> Tue Feb 23 15:45:42 2016 : Info: [peap] processing EAP-TLS
> Tue Feb 23 15:45:42 2016 : Info: [peap] eaptls_verify returned 7
> Tue Feb 23 15:45:42 2016 : Info: [peap] Done initial handshake
> Tue Feb 23 15:45:42 2016 : Info: [peap] eaptls_process returned 7
> Tue Feb 23 15:45:42 2016 : Info: [peap] EAPTLS_OK
> Tue Feb 23 15:45:42 2016 : Info: [peap] Session established.  Decoding tunneled attributes.
> Tue Feb 23 15:45:42 2016 : Info: [peap] Peap state send tlv success
> Tue Feb 23 15:45:42 2016 : Info: [peap] Received EAP-TLV response.
> Tue Feb 23 15:45:42 2016 : Info: [peap] Success
> Tue Feb 23 15:45:42 2016 : Info: [peap] Using saved attributes from the original Access-Accept
> User-Name = "1234"
> Tue Feb 23 15:45:42 2016 : Info: [eap] Freeing handler
> Tue Feb 23 15:45:42 2016 : Info: ++[eap] returns ok
You're not running SQL here. So, configure the server to run SQL before EAP, not after EAP.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
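As an added illustration of Alan's point (this is not configuration from the thread, and neither poster's file is shown on the page), below is the authorize section of /etc/freeradius/sites-enabled/default as it is laid out in a stock FreeRADIUS 2.x install, first in the ordering that matches the posted log and then with sql moved ahead of eap. The module order in the "before" block is the one the log prints (preprocess, chap, mschap, digest, suffix, eap); the `ok = return` on eap is the stock 2.x default and is what stops authorize before sql is reached.

```unlang
# /etc/freeradius/sites-enabled/default  (FreeRADIUS 2.x, outer site)
#
# BEFORE (matches the posted debug output): eap runs before sql and carries
# "ok = return", so as soon as eap returns ok the authorize section stops.
# For the final packet of the EAP conversation sql is therefore never run,
# and whatever is stored in radreply (here Service-Type) is never added to
# the Access-Accept.
#
# authorize {
#     preprocess
#     chap
#     mschap
#     digest
#     suffix
#     eap {
#         ok = return
#     }
#     files
#     sql
#     expiration
#     logintime
#     pap
# }

# AFTER: sql runs before eap, so the radcheck/radreply rows are loaded on
# every packet of the EAP conversation, including the last one that becomes
# the Access-Accept.  "ok = return" on eap is left in place: it only skips
# the modules listed *after* eap.
authorize {
    preprocess
    chap
    mschap
    digest
    suffix
    files
    sql
    eap {
        ok = return
    }
    expiration
    logintime
    pap
}

# Related fix from the startup warning in the thread: the "known good"
# password that sql loads from radcheck must be stored under the attribute
# Cleartext-Password (op ":="), not User-Password.  User-Password is the
# attribute the client sends in the request; putting the stored secret
# there is what triggers the "Replacing User-Password in config items"
# warning.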