FR 3.1 NAS-IP-Address
Scott Armitage
S.P.Armitage at lboro.ac.uk
Thu Jun 23 16:02:07 CEST 2016
> On 23 Jun 2016, at 14:31, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Jun 23, 2016, at 7:58 AM, Scott Armitage <S.P.Armitage at lboro.ac.uk> wrote:
>>
>> I noticed an issue using the NAS-IP-Address. This bug (if it is one) did disappear for a while but now seems to be back. Is this a bug or should I retrieve the value in a different way?
>
> What's the bug?
Expanding %{NAS-IP-Address} in unlang returns an empty value; you have to use %{outer.request:NAS-IP-Address} to get the NAS-IP-Address value. This first happened a few weeks ago, went away a couple of days later, and has now come back.
Also, Ctrl+C does not work in debug mode (another problem that appeared, went away, and is now back).
>
> The debug output shows that there's no NAS-IP-Address being expanded. Is there one in the packet?
>
Yes, the NAS-IP-Address appears to be in the Access-Request:
radiusd: FreeRADIUS Version 3.1.0 (git #fa0bec1), for host x86_64-unknown-linux-gnu, built on Jun 23 2016 at 07:59:51
FreeRADIUS Version 3.1.0
(14) Received Access-Request Id 37 from 10.53.253.21:40090 to 158.125.161.128:1812 via eno16777984 length 375
(14) User-Name = "itis at lboro.ac.uk"
(14) Chargeable-User-Identity = 0x15
(14) Operator-Name = "1lboro.ac.uk"
(14) Location-Capable = Civix-Location
(14) Calling-Station-Id = "ec-35-86-4d-29-54"
(14) Called-Station-Id = "fc-5b-39-c6-2c-30:wirefree"
(14) NAS-Port = 8
(14) Cisco-AVPair = "audit-session-id=15fd350a000ee49c6fea6b57"
(14) Acct-Session-Id = "576bea6f/ec:35:86:4d:29:54/934911"
(14) Cisco-AVPair = "mDNS=true"
(14) NAS-IP-Address = 10.53.253.21
(14) NAS-IPv6-Address = 2001:630:301:9101::21
(14) NAS-Identifier = "wlc-1"
(14) Airespace-Wlan-Id = 3
(14) Service-Type = Framed-User
(14) Framed-MTU = 1300
(14) NAS-Port-Type = Wireless-802.11
(14) Tunnel-Type:0 = VLAN
(14) Tunnel-Medium-Type:0 = IEEE-802
(14) Tunnel-Private-Group-Id:0 = "1122"
(14) EAP-Message = 0x020c002b19001703010020775a437edbe7a406b0f41ad9edd0c05d2f3c60e037fb06b2815c6524bc947b3b
(14) State = 0x0b010b004b820892082a0a220b36f2f3
(14) Message-Authenticator = 0x5eb283a6b026feff593cd417eeb8abfe
(14,3) Running section authorize from file /etc/raddb/sites-enabled/lboro
(14,3) authorize {
(14,3) nagios_check {
(14,3) if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") {
(14,3) ...
(14,3) }
(14,3) } # nagios_check (notfound)
(14,3) wism_check {
(14,3) if (User-Name =~ /wism-check/ ) {
(14,3) ...
(14,3) }
(14,3) } # wism_check (notfound)
(14,3) switch_check {
(14,3) if (User-Name =~ /switch-test/ ) {
(14,3) ...
(14,3) }
(14,3) } # switch_check (notfound)
(14,3) filter_duff_realms {
(14,3) if (User-Name =~ /\\.ax\\.uk$/i ) {
(14,3) ...
(14,3) }
(14,3) elsif (User-Name =~ /\\.sc\\.uk$/i ) {
(14,3) ...
(14,3) }
(14,3) elsif (User-Name =~ /\\.ac\\.u$/i ) {
(14,3) ...
(14,3) }
(14,3) elsif (User-Name =~ /lboro$/i ) {
(14,3) ...
(14,3) }
(14,3) elsif (User-Name =~ /lboro\\.co\\.uk$/i ) {
(14,3) ...
(14,3) }
(14,3) elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) {
(14,3) ...
(14,3) }
(14,3) elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) {
(14,3) ...
(14,3) }
(14,3) elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) {
(14,3) ...
(14,3) }
(14,3) elsif (User-Name =~ /3gppnetwork\\.org$/i) {
(14,3) ...
(14,3) }
(14,3) elsif (User-Name =~ /myabc\\.com$/i) {
(14,3) ...
(14,3) }
(14,3) elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) {
(14,3) ...
(14,3) }
(14,3) elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) {
(14,3) ...
(14,3) }
(14,3) elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) {
(14,3) ...
(14,3) }
(14,3) } # filter_duff_realms (notfound)
(14,3) filter_username {
(14,3) if (!&User-Name) {
(14,3) ...
(14,3) }
(14,3) if (&User-Name =~ / /) {
(14,3) ...
(14,3) }
(14,3) if (&User-Name =~ /@.*@/ ) {
(14,3) ...
(14,3) }
(14,3) if (&User-Name =~ /\.\./ ) {
(14,3) ...
(14,3) }
(14,3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(14,3) ...
(14,3) }
(14,3) if (&User-Name =~ /\.$/) {
(14,3) ...
(14,3) }
(14,3) if (&User-Name =~ /@\./) {
(14,3) ...
(14,3) }
(14,3) } # filter_username (notfound)
(14,3) preprocess (ok)
(14,3) operator-name.authorize {
(14,3) if ("%{client:Operator-Name}") {
(14,3) EXPAND %{client:Operator-Name}
(14,3) -->
(14,3) ...
(14,3) }
(14,3) } # operator-name.authorize (ok)
(14,3) cui.authorize {
(14,3) if ("%{client:add_cui}" == 'yes') {
(14,3) EXPAND %{client:add_cui}
(14,3) --> yes
(14,3) update request {
(14,3) &Chargeable-User-Identity := 0x00
(14,3) } # update request (noop)
(14,3) } # if ("%{client:add_cui}" == 'yes') (noop)
(14,3) } # cui.authorize (noop)
(14,3) suffix - Checking for suffix after "@"
(14,3) suffix - Looking up realm "lboro.ac.uk" for User-Name = "itis at lboro.ac.uk"
(14,3) suffix - Found realm "lboro.ac.uk"
(14,3) suffix - Adding Stripped-User-Name = "itis"
(14,3) suffix - Adding Realm = "lboro.ac.uk"
(14,3) suffix - Authentication realm is LOCAL
(14,3) suffix (ok)
(14,3) ntdomain - Request already has destination realm set. Ignoring
(14,3) ntdomain (noop)
(14,3) if ( Called-Station-Id =~ /:eduroam$/ ) {
(14,3) ...
(14,3) }
(14,3) elsif ( Called-Station-Id =~ /.*:YST$/ ) {
(14,3) ...
(14,3) }
(14,3) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) {
(14,3) EXPAND %{client:group}
(14,3) --> wireless
(14,3) ...
(14,3) }
(14,3) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) {
(14,3) ...
(14,3) }
(14,3) elsif (User-Name =~ /\@ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) {
(14,3) ...
(14,3) }
(14,3) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) {
(14,3) ...
(14,3) }
(14,3) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) {
(14,3) ...
(14,3) }
(14,3) elsif ( Realm == "lsu.co.uk" ) {
(14,3) ...
(14,3) }
(14,3) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
(14,3) ...
(14,3) }
(14,3) else {
(14,3) update request {
(14,3) &Realm := local
(14,3) } # update request (noop)
(14,3) } # else (noop)
(14,3) eap - Peer sent EAP Response (code 2) ID 12 length 43
(14,3) eap - Continuing tunnel setup
(14,3) eap (ok)
(14,3) Using 'Auth-Type = eap' for authenticate {...}
(14,3) Running Auth-Type eap from file <internal>
(14,3) Auth-Type eap {
(14,3) eap - Peer sent packet with EAP method PEAP (25)
(14,3) eap - Calling submodule eap_peap to process data
(14,3) eap_peap - Continuing EAP-TLS
(14,3) eap_peap - Got complete TLS record (37 bytes)
(14,3) eap_peap - [eap-tls verify] = complete
(14,3) eap_peap - Decrypted TLS application data (2 bytes)
(14,3) eap_peap - [eap-tls process] = complete
(14,3) eap_peap - Session established. Decoding tunneled data
(14,3) eap_peap - PEAP state phase2
(14,3) eap_peap - EAP method MSCHAPv2 (26)
(14,3) eap_peap - Got tunneled request
(14,3) eap_peap - &EAP-Message = 0x020c00061a03
(14,3) eap_peap - Setting &request:User-Name from tunnel (protected) identity "itis at lboro.ac.uk"
(14,3) eap_peap - Proxying tunneled request to virtual server "inner-tunnel"
(14,3) Virtual server inner-tunnel received request
(14,3) &EAP-Message = 0x020c00061a03
(14,3) &FreeRADIUS-Proxied-To = 127.0.0.1
(14,3) &User-Name = "itis at lboro.ac.uk"
(14,3) WARNING: Outer and inner identities are the same. User privacy is compromised.
(14,3) server inner-tunnel {
(14,3) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(14,3) authorize {
(14,3) mschap (noop)
(14,3) suffix - Checking for suffix after "@"
(14,3) suffix - Looking up realm "lboro.ac.uk" for User-Name = "itis at lboro.ac.uk"
(14,3) suffix - Found realm "lboro.ac.uk"
(14,3) suffix - Adding Stripped-User-Name = "itis"
(14,3) suffix - Adding Realm = "lboro.ac.uk"
(14,3) suffix - Authentication realm is LOCAL
(14,3) suffix (ok)
(14,3) update control {
(14,3) &control:Proxy-To-Realm := LOCAL
(14,3) } # update control (noop)
(14,3) eap - Peer sent EAP Response (code 2) ID 12 length 6
(14,3) eap - Continuing on-going EAP conversation
(14,3) eap (updated)
(14,3) files (noop)
(14,3) convertEmailToUser {
(14,3) if ( &User-Name =~ /.+\..+\@.*lboro\.ac\.uk$/i ) {
(14,3) ...
(14,3) }
(14,3) } # convertEmailToUser (updated)
(14,3) pap (noop)
(14,3) Using 'Auth-Type = eap' for authenticate {...}
(14,3) Running Auth-Type eap from file <internal>
(14,3) Auth-Type eap {
(14,3) eap - Peer sent packet with EAP method MSCHAPv2 (26)
(14,3) eap - Calling submodule eap_mschapv2 to process data
(14,3) eap - Sending EAP Success (code 3) ID 12 length 4
(14,3) eap - Cleaning up EAP session
(14,3) eap (ok)
(14,3) Login OK: [itis at lboro.ac.uk] (from client wlc-1 port 0 via TLS tunnel)
(14,3) Running section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(14,3) post-auth {
(14,3) cui-inner.post-auth {
(14,3) if (&outer.request:Chargeable-User-Identity && (&outer.request:Operator-Name || ('yes' != 'yes'))) {
(14,3) update reply {
<SNIP>
(14,3) } # update reply (noop)
(14,3) } # if (&outer.request:Chargeable-User-Identity && (&outer.request:Operator-Name || ('yes' != 'yes'))) (noop)
(14,3) } # cui-inner.post-auth (noop)
(14,3) reply_log - EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(14,3) reply_log - --> /var/log/radius/radacct/10.53.253.21/reply-detail-20160623
(14,3) reply_log - /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/10.53.253.21/reply-detail-20160623
(14,3) reply_log - EXPAND %t
(14,3) reply_log - --> Thu Jun 23 13:55:59 2016
(14,3) reply_log (ok)
(14,3) update reply {
(14,3) EXPAND %{request:User-Name}
(14,3) --> itis at lboro.ac.uk
(14,3) &reply:User-Name := itis at lboro.ac.uk
(14,3) EXPAND %{request:Stripped-User-Name}
(14,3) --> itis
(14,3) &reply:Stripped-User-Name := itis
(14,3) } # update reply (noop)
(14,3) lboro-inner {
(14,3) innerGetUserType {
(14,3) if ( &User-Name =~ /^host\/(.*)\.lunet\.lboro\.ac\.uk$/i ) {
(14,3) ...
(14,3) }
(14,3) else {
(14,3) update session-state {
(14,3) EXPAND %{ldap1:ldaps:///dc=lunet,dc=lboro,dc=ac,dc=uk?distinguishedName?sub?sAMAccountName=%{Stripped-User-Name}}
(14,3) Reserved connection (0)
(14,3) Performing search in "dc=lunet,dc=lboro,dc=ac,dc=uk" with filter "sAMAccountName=itis", scope "sub"
(14,3) Waiting for search result...
rlm_ldap (ldap1) - Rebinding to URL ldaps://DomainDnsZones.lunet.lboro.ac.uk/DC=DomainDnsZones,DC=lunet,DC=lboro,DC=ac,DC=uk
rlm_ldap (ldap1) - Waiting for bind result...
rlm_ldap (ldap1) - Rebinding to URL ldaps://ForestDnsZones.lunet.lboro.ac.uk/DC=ForestDnsZones,DC=lunet,DC=lboro,DC=ac,DC=uk
rlm_ldap (ldap1) - Waiting for bind result...
rlm_ldap (ldap1) - Rebinding to URL ldaps://lunet.lboro.ac.uk/CN=Configuration,DC=lunet,DC=lboro,DC=ac,DC=uk
rlm_ldap (ldap1) - Waiting for bind result...
rlm_ldap (ldap1) - Bind successful
rlm_ldap (ldap1) - Bind successful
rlm_ldap (ldap1) - Bind successful
(14,3) Deleting connection (0)
(14,3) --> CN=itis,OU=Students,DC=lunet,DC=lboro,DC=ac,DC=uk
(14,3) &session-state:User-DN := CN=itis,OU=Students,DC=lunet,DC=lboro,DC=ac,DC=uk
(14,3) } # update session-state (noop)
(14,3) } # else (noop)
(14,3) if ( "%{session-state:User-DN}" =~ /OU\=Staff/ || "%{session-state:User-DN}" =~ /OU\=Partners/ ) {
(14,3) EXPAND %{session-state:User-DN}
(14,3) --> CN=itis,OU=Students,DC=lunet,DC=lboro,DC=ac,DC=uk
(14,3) EXPAND %{session-state:User-DN}
(14,3) --> CN=itis,OU=Students,DC=lunet,DC=lboro,DC=ac,DC=uk
(14,3) ...
(14,3) }
(14,3) elsif ( "%{session-state:User-DN}" =~ /OU\=Student/ ) {
(14,3) EXPAND %{session-state:User-DN}
(14,3) --> CN=itis,OU=Students,DC=lunet,DC=lboro,DC=ac,DC=uk
(14,3) update session-state {
(14,3) &session-state:User-Type := student
(14,3) } # update session-state (noop)
(14,3) } # elsif ( "%{session-state:User-DN}" =~ /OU\=Student/ ) (noop)
(14,3) else {
(14,3) ... skipping else for request 14: Preceding "if" was taken
(14,3) }
(14,3) } # innerGetUserType (noop)
(14,3) innerGetPartnerDept {
(14,3) if (&session-state:User-DN =~ /OU\=Partners/ ) {
(14,3) ...
(14,3) }
(14,3) } # innerGetPartnerDept (noop)
(14,3) getWlanUserVlan {
(14,3) if ("%{client:group}" == "wireless" && !&reply:Tunnel-Private-Group-Id ) {
(14,3) EXPAND %{client:group}
(14,3) --> wireless
(14,3) switch &session-state:User-Type {
(14,3) update reply {
(14,3) &reply:Tunnel-Private-Group-Id := eduroam-student-pool
(14,3) } # update reply (noop)
(14,3) } # switch &session-state:User-Type (noop)
(14,3) } # if ("%{client:group}" == "wireless" && !&reply:Tunnel-Private-Group-Id ) (noop)
(14,3) } # getWlanUserVlan (noop)
(14,3) getUserGroupVlan {
(14,3) if (!&session-state:Nas-Group) {
(14,3) update session-state {
(14,3) EXPAND %{sql:SELECT groupid from staffbaseschema.nas where ipaddress = '%{NAS-IP-Address}'::inet}
(14,3) Reserved connection (2)
(14,3) Executing select query: SELECT groupid from staffbaseschema.nas where ipaddress = ''::inet
rlm_sql_postgresql - Status: PGRES_FATAL_ERROR
rlm_sql_postgresql - 22P02: INVALID TEXT REPRESENTATION
(14,3) ERROR: rlm_sql_postgresql: ERROR: invalid input syntax for type inet: ""
(14,3) ERROR: rlm_sql_postgresql: LINE 1: ... groupid from staffbaseschema.nas where ipaddress = ''::inet
(14,3) ERROR: rlm_sql_postgresql: ^
(14,3) ERROR: SQL query failed: server error
(14,3) Released connection (2)
(14,3) -->
(14,3) &session-state:Nas-Group := 0
Thanks
Scott