AW: freeradius update attributes in access-accept reply

Kiefer, Jonas jonas.kiefer at classen.de
Tue Feb 23 16:46:29 CET 2016


Hello Allan,

thanks for the fast answer.
Now it works fine.

In the section "Post-Auth-Type Reject {} i uncomment the sql string. After that it works finaly.
At next i upgrade the server.
Thx!

Best regards
Jonas

-----Urspr√ľngliche Nachricht-----
Von: Freeradius-Users [mailto:freeradius-users-bounces+jonas.kiefer=classen.de at lists.freeradius.org] Im Auftrag von Alan DeKok
Gesendet: Dienstag, 23. Februar 2016 16:34
An: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Betreff: Re: freeradius update attributes in access-accept reply

On Feb 23, 2016, at 10:27 AM, Kiefer, Jonas <jonas.kiefer at classen.de> wrote:
> Iam running freeradius on ubuntu 14.04 LTS with mysql and daloradius.
> Now i trie to authenticate a user via RADIUS on a Procurve Switch.
> 
> But the problem is that the configured service-type attribute are not send in the Access-Accept message.
> Only in the Access-Challenge messages the attribute where send tot he procurve switch.
> I need it in the Access-Accept reply message.

  That's typically because you're adding the Service-Type via the SQL module.  And then you're not running the SQL module for the last packet.
> This is my logfile from the radiusserver:
> Tue Feb 23 15:45:33 2016 : Info: FreeRADIUS Version 2.1.12, for host 
> x86_64-pc-linux-gnu, built on Aug 26 2015 at 14:47:03

  You should really upgrade to a recent version of the server.
> 
> Tue Feb 23 15:45:41 2016 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Tue Feb 23 15:45:41 2016 : Info: !!!    Replacing User-Password in config items with Cleartext-Password.     !!!
> Tue Feb 23 15:45:41 2016 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Tue Feb 23 15:45:41 2016 : Info: !!! Please update your configuration so that the "known good"               !!!
> Tue Feb 23 15:45:41 2016 : Info: !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> Tue Feb 23 15:45:41 2016 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  Fix that, too.  Putting "User-Password" in the configuration has been wrong for 10 years.

  And the final packet:

> rad_recv: Access-Request packet from host 192.168.6.211 port 1812, id=150, length=168
>                User-Name = "1234"
>                NAS-IP-Address = 211.6.168.192
>                NAS-Identifier = "SWITCH01-TEST"
>                NAS-Port-Type = Virtual
>                Service-Type = NAS-Prompt-User
>                State = 0x0d497f860a4166663cf1bfd5de864a48
>                EAP-Message = 0x0208002b19001703010020358541ebeef1d422e9a8abf682c3ff01eccba593fee137a12c3d3fe651a8c471
>                Message-Authenticator = 0xd046b2197cd82e8855887dbd74e9edd3
>                MS-RAS-Vendor = 184549376
>                Calling-Station-Id = "192.168.14.114"
> Tue Feb 23 15:45:42 2016 : Info: # Executing section authorize from 
> file /etc/freeradius/sites-enabled/default
> Tue Feb 23 15:45:42 2016 : Info: +- entering group authorize {...} Tue 
> Feb 23 15:45:42 2016 : Info: ++[preprocess] returns ok Tue Feb 23 
> 15:45:42 2016 : Info: ++[chap] returns noop Tue Feb 23 15:45:42 2016 : 
> Info: ++[mschap] returns noop Tue Feb 23 15:45:42 2016 : Info: 
> ++[digest] returns noop Tue Feb 23 15:45:42 2016 : Info: [suffix] No 
> '@' in User-Name = "1234", looking up realm NULL Tue Feb 23 15:45:42 
> 2016 : Info: [suffix] No such realm "NULL"
> Tue Feb 23 15:45:42 2016 : Info: ++[suffix] returns noop Tue Feb 23 
> 15:45:42 2016 : Info: [eap] EAP packet type response id 8 length 43 
> Tue Feb 23 15:45:42 2016 : Info: [eap] Continuing tunnel setup.
> Tue Feb 23 15:45:42 2016 : Info: ++[eap] returns ok Tue Feb 23 
> 15:45:42 2016 : Info: Found Auth-Type = EAP Tue Feb 23 15:45:42 2016 : 
> Info: # Executing group from file 
> /etc/freeradius/sites-enabled/default
> Tue Feb 23 15:45:42 2016 : Info: +- entering group authenticate {...} 
> Tue Feb 23 15:45:42 2016 : Info: [eap] Request found, released from 
> the list Tue Feb 23 15:45:42 2016 : Info: [eap] EAP/peap Tue Feb 23 
> 15:45:42 2016 : Info: [eap] processing type peap Tue Feb 23 15:45:42 
> 2016 : Info: [peap] processing EAP-TLS Tue Feb 23 15:45:42 2016 : 
> Info: [peap] eaptls_verify returned 7 Tue Feb 23 15:45:42 2016 : Info: 
> [peap] Done initial handshake Tue Feb 23 15:45:42 2016 : Info: [peap] 
> eaptls_process returned 7 Tue Feb 23 15:45:42 2016 : Info: [peap] 
> EAPTLS_OK Tue Feb 23 15:45:42 2016 : Info: [peap] Session established.  
> Decoding tunneled attributes.
> Tue Feb 23 15:45:42 2016 : Info: [peap] Peap state send tlv success 
> Tue Feb 23 15:45:42 2016 : Info: [peap] Received EAP-TLV response.
> Tue Feb 23 15:45:42 2016 : Info: [peap] Success Tue Feb 23 15:45:42 
> 2016 : Info: [peap] Using saved attributes from the original Access-Accept
>                User-Name = "1234"
> Tue Feb 23 15:45:42 2016 : Info: [eap] Freeing handler Tue Feb 23 
> 15:45:42 2016 : Info: ++[eap] returns ok

  You're not running SQL here.  So, configure the server to run SQL before EAP, not after EAP.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list