ldap attribute update
Anirudh Malhotra
8zero2ops at gmail.com
Thu Mar 31 06:29:41 CEST 2016
Hi Alan,
Sorry for making you angry, but I am looking at the debug logs very
carefully from the starting. I had to take permissions to post them here,
That is why I was asking those questions. Again I apologise for asking
probably wrong questions, I just thought the thing I posted was enough. But
here is the debug in which ldap module is called and unlang is called, if
you could please help me in finding my mistake, I have marked to relevant
information in red
Waking up in 4.9 seconds.
(8) Received Access-Request Id 150 from XXXXXXX:32769 to XXXXXXX:1812
length 337
(8) User-Name = "XXXXXXX"
(8) Chargeable-User-Identity = 0x00
(8) Location-Capable = Civix-Location
(8) Calling-Station-Id = "XXXXXXX"
(8) Called-Station-Id = "XXXXXXX"
(8) NAS-Port = 4
(8) Cisco-AVPair = "audit-session-id=0a40c60a002395c88e03fc56"
(8) Acct-Session-Id = "56fc038e/XXXXXXX/1349574"
(8) NAS-IP-Address = XXXXXXX
(8) NAS-Identifier = "XXXXXXX"
(8) Airespace-Wlan-Id = 34
(8) Service-Type = Framed-User
(8) Framed-MTU = 1300
(8) NAS-Port-Type = Wireless-802.11
(8) Tunnel-Type:0 = VLAN
(8) Tunnel-Medium-Type:0 = IEEE-802
(8) Tunnel-Private-Group-Id:0 = "XXXXXXX"
(8) EAP-Message =
0x0208002b1900170301002056f3330d56a405e14a56351e0016809d0fa578294eb6a15607f6e1b7d13d1fc8
(8) State = 0xe36bb03de563a931219d4aaf40ddcdc2
(8) Message-Authenticator = 0xbb491e6269085a6550c988322b7a5122
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) update control {
(8) linelogvar := "request_attrs"
(8) } # update control = noop
(8) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
(8) linelog: --> messages.request_attrs
(8) linelog: EXPAND /usr/local/var/log/radius/linelog
(8) linelog: --> /usr/local/var/log/radius/linelog
(8) linelog: EXPAND
%{User-Name},%{Calling-Station-Id},%{Called-Station-Id},%{NAS-Port},%{Acct-Session-Id},%{NAS-IP-Address},%{NAS-Identifier},%{Airespace-Wlan-Id},%{Service-Type},%{Framed-MTU},%{NAS-Port-Type},%{Tunnel-Type:0},%{Tunnel-Medium-Type:0},%{Tunnel-Private-Group-Id:0},%T,%{md5:%T,%{Calling-Station-Id}}
(8) linelog: -->
XXXXXXX,XXXXXXX,XXXXXXX,4,56fc038e/XXXXXXX/1349574,XXXXXXX,XXXXXXX,34,Framed-User,1300,Wireless-802.11,VLAN,IEEE-802,XXXXXXX,2016-03-30-22.18.47.000000,e042f9def033579c3d4e304b73cd31db
(8) [linelog] = ok
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = ok
(8) if ((User-Name =~
/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i)
&& (Service-Type == "Call-Check" )) {
(8) if ((User-Name =~
/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i)
&& (Service-Type == "Call-Check" )) -> FALSE
(8) } # policy filter_username = ok
(8) [preprocess] = ok
(8) auth_log: EXPAND
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(8) auth_log: -->
/usr/local/var/log/radius/radacct/XXXXXXX/auth-detail-20160330
(8) auth_log:
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/XXXXXXX/auth-detail-20160330
(8) auth_log: EXPAND %t
(8) auth_log: --> Wed Mar 30 22:18:47 2016
(8) [auth_log] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "XXXXXXX", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 43
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x1752f35a175af5a6
(8) eap: Finished EAP session with state 0xe36bb03de563a931
(8) eap: Previous EAP request found for state 0xe36bb03de563a931, released
from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method GTC (6)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x0208000f064b6170696c4031333839
(8) eap_peap: Setting User-Name to XXXXXXX
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x0208000f064b6170696c4031333839
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "XXXXXXX"
(8) eap_peap: State = 0x1752f35a175af5a68cefacfb12f667e9
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x0208000f064b6170696c4031333839
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "XXXXXXX"
(8) State = 0x1752f35a175af5a68cefacfb12f667e9
(8) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) update control {
(8) linelogvar := "request_attrs"
(8) } # update control = noop
(8) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
(8) linelog: --> messages.request_attrs
(8) linelog: EXPAND /usr/local/var/log/radius/linelog
(8) linelog: --> /usr/local/var/log/radius/linelog
(8) linelog: EXPAND
%{User-Name},%{Calling-Station-Id},%{Called-Station-Id},%{NAS-Port},%{Acct-Session-Id},%{NAS-IP-Address},%{NAS-Identifier},%{Airespace-Wlan-Id},%{Service-Type},%{Framed-MTU},%{NAS-Port-Type},%{Tunnel-Type:0},%{Tunnel-Medium-Type:0},%{Tunnel-Private-Group-Id:0},%T,%{md5:%T,%{Calling-Station-Id}}
(8) linelog: -->
XXXXXXX,,,,,,,,,,,,,,2016-03-30-22.18.47.000000,c13a6b07eeffc487a39e58a748bcce06
(8) [linelog] = ok
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = ok
(8) if ((User-Name =~
/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i)
&& (Service-Type == "Call-Check" )) {
(8) if ((User-Name =~
/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i)
&& (Service-Type == "Call-Check" )) -> FALSE
(8) } # policy filter_username = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "XXXXXXX", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 15
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
(8) sql: EXPAND %{User-Name}
(8) sql: --> XXXXXXX
(8) sql: SQL-User-Name set to 'XXXXXXX'
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 76
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 76
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 76
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 76
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 76
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 76
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (6), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 5.5.48-MariaDB, protocol version 10
rlm_sql (sql): Reserved connection (6)
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql: --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'XXXXXXX' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'XXXXXXX' ORDER BY id
(8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(8) sql: --> SELECT groupname FROM radusergroup WHERE username =
'XXXXXXX' ORDER BY priority
(8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = 'XXXXXXX' ORDER BY priority
(8) sql: User not found in any groups
rlm_sql (sql): Released connection (6)
rlm_sql (sql): Need 2 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (7), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 5.5.48-MariaDB, protocol version 10
(8) [sql] = notfound
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 76
seconds
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 76
seconds
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 76
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 76
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 76
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to XXXXXXX
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed.
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (5)
(8) ldap: EXPAND
(|(mail=%{%{Stripped-User-Name}:-%{User-Name}})(mailEquivalentAddress=%{%{Stripped-User-Name}:-%{User-Name}})(uid=%{%{Stripped-User-Name}:-%{User-Name}}))
(8) ldap: -->
(|(mail=XXXXXXX)(mailEquivalentAddress=XXXXXXX)(uid=XXXXXXX))
(8) ldap: Performing search in "o=nic.in,dc=nic,dc=in" with filter
"(|(mail=XXXXXXX)(mailEquivalentAddress=XXXXXXX)(uid=XXXXXXX))", scope "sub"
(8) ldap: Waiting for search result...
ber_get_next failed.
ber_get_next failed.
(8) ldap: User object found at DN "uid=XXXXXXX,ou=XXXXXXX"
(8) ldap: Processing user attributes
(8) ldap: control:wifi := '7'
(8) ldap: WARNING: No "known good" password added. Ensure the admin user
has permission to read the password attribute
(8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
(if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (5)
rlm_ldap (ldap): Need 2 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 31 pending slots
used
rlm_ldap (ldap): Connecting to XXXXXXX
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed.
rlm_ldap (ldap): Bind successful
(8) [ldap] = updated
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0x1752f35a175af5a6
(8) eap: Finished EAP session with state 0x1752f35a175af5a6
(8) eap: Previous EAP request found for state 0x1752f35a175af5a6, released
from the list
(8) eap: Peer sent packet with method EAP GTC (6)
(8) eap: Calling submodule eap_gtc to process data
(8) eap_gtc: # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) eap_gtc: Auth-Type LDAP {
rlm_ldap (ldap): Reserved connection (5)
(8) ldap: Login attempt by "XXXXXXX"
(8) ldap: Using user DN from request "uid=XXXXXXX,ou=XXXXXXX"
(8) ldap: Waiting for bind result...
ber_get_next failed.
(8) ldap: Bind successful
(8) ldap: Bind as user "uid=XXXXXXX,ou=XXXXXXX" was successful
rlm_ldap (ldap): Released connection (5)
(8) [ldap] = ok
(8) } # Auth-Type LDAP = ok
(8) eap: Sending EAP Success (code 3) ID 8 length 4
(8) eap: Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) post-auth {
(8) sql: EXPAND .query
(8) sql: --> .query
(8) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (6)
(8) sql: EXPAND %{User-Name}
(8) sql: --> XXXXXXX
(8) sql: SQL-User-Name set to 'XXXXXXX'
(8) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(8) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'XXXXXXX', 'XXXXXXX', 'Access-Accept', '2016-03-30 22:18:47')
(8) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'XXXXXXX', 'XXXXXXX', 'Access-Accept', '2016-03-30
22:18:47')
(8) sql: SQL query returned: success
(8) sql: 1 record(s) updated
rlm_sql (sql): Released connection (6)
(8) [sql] = ok
(8) } # post-auth = ok
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) EAP-Message = 0x03080004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) User-Name = "XXXXXXX"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap: EAP-Message = 0x03080004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "XXXXXXX"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap: EAP-Message = 0x03080004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "XXXXXXX"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap: Sending EAP Request (code 1) ID 9 length 43
(8) eap: EAP session adding &reply:State = 0xe36bb03de462a931
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8) Sent Access-Challenge Id 150 from XXXXXXX:1812 to XXXXXXX:32769 length 0
(8) EAP-Message =
0x0109002b19001703010020a745019fca4818ea30f0e0f6e52566ddef61d8e0063d7cd291953cce65163e37
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xe36bb03de462a931219d4aaf40ddcdc2
(8) Finished request
Waking up in 4.8 seconds.
(9) Received Access-Request Id 151 from XXXXXXX:32769 to XXXXXXX:1812
length 337
(9) User-Name = "XXXXXXX"
(9) Chargeable-User-Identity = 0x00
(9) Location-Capable = Civix-Location
(9) Calling-Station-Id = "XXXXXXX"
(9) Called-Station-Id = "XXXXXXX"
(9) NAS-Port = 4
(9) Cisco-AVPair = "audit-session-id=0a40c60a002395c88e03fc56"
(9) Acct-Session-Id = "56fc038e/XXXXXXX/1349574"
(9) NAS-IP-Address = XXXXXXX
(9) NAS-Identifier = "XXXXXXX"
(9) Airespace-Wlan-Id = 34
(9) Service-Type = Framed-User
(9) Framed-MTU = 1300
(9) NAS-Port-Type = Wireless-802.11
(9) Tunnel-Type:0 = VLAN
(9) Tunnel-Medium-Type:0 = IEEE-802
(9) Tunnel-Private-Group-Id:0 = "XXXXXXX"
(9) EAP-Message =
0x0209002b19001703010020aa02bff51b2622bd8427c864799bae941f9eda6e20db96dbfe5192cbcd424504
(9) State = 0xe36bb03de462a931219d4aaf40ddcdc2
(9) Message-Authenticator = 0x56d99d69897d457fa7537c194a490584
(9) session-state: No cached attributes
(9) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) update control {
(9) linelogvar := "request_attrs"
(9) } # update control = noop
(9) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
(9) linelog: --> messages.request_attrs
(9) linelog: EXPAND /usr/local/var/log/radius/linelog
(9) linelog: --> /usr/local/var/log/radius/linelog
(9) linelog: EXPAND
%{User-Name},%{Calling-Station-Id},%{Called-Station-Id},%{NAS-Port},%{Acct-Session-Id},%{NAS-IP-Address},%{NAS-Identifier},%{Airespace-Wlan-Id},%{Service-Type},%{Framed-MTU},%{NAS-Port-Type},%{Tunnel-Type:0},%{Tunnel-Medium-Type:0},%{Tunnel-Private-Group-Id:0},%T,%{md5:%T,%{Calling-Station-Id}}
(9) linelog: -->
XXXXXXX,XXXXXXX,XXXXXXX,4,56fc038e/XXXXXXX/1349574,XXXXXXX,XXXXXXX,34,Framed-User,1300,Wireless-802.11,VLAN,IEEE-802,XXXXXXX,2016-03-30-22.18.47.000000,e042f9def033579c3d4e304b73cd31db
(9) [linelog] = ok
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = ok
(9) if ((User-Name =~
/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i)
&& (Service-Type == "Call-Check" )) {
(9) if ((User-Name =~
/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i)
&& (Service-Type == "Call-Check" )) -> FALSE
(9) } # policy filter_username = ok
(9) [preprocess] = ok
(9) auth_log: EXPAND
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(9) auth_log: -->
/usr/local/var/log/radius/radacct/XXXXXXX/auth-detail-20160330
(9) auth_log:
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/XXXXXXX/auth-detail-20160330
(9) auth_log: EXPAND %t
(9) auth_log: --> Wed Mar 30 22:18:47 2016
(9) [auth_log] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "XXXXXXX", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 9 length 43
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0xe36bb03de462a931
(9) eap: Finished EAP session with state 0xe36bb03de462a931
(9) eap: Previous EAP request found for state 0xe36bb03de462a931, released
from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: No information to cache: session caching will be disabled for
session 189621f6108cf110e1734e2e6926c30fac3d3204884d0327242e3ab13243de13
(9) eap: Sending EAP Success (code 3) ID 9 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
(9) post-auth {
(9) update {
(9) No attributes updated
(9) } # update = noop
(9) if ((User-Name =~
/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i)
&& (Service-Type == "Call-Check")) {
(9) if ((User-Name =~
/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i)
&& (Service-Type == "Call-Check")) -> FALSE
(9) elsif ((Called-Station-Id =~ /XXXXXXX$/) && (("%{control:wifi}" ==
"7") || ("%{control:wifi}" == "5"))) {
(9) ERROR: Failed retrieving values required to evaluate condition
(9) else {
(9) [reject] = reject
(9) } # else = reject
(9) } # post-auth = reject
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(9) Post-Auth-Type REJECT {
(9) if ("%{control:linelogvar}" == "auth_type_pap"){
(9) if ("%{control:linelogvar}" == "auth_type_pap") -> FALSE
(9) update control {
(9) linelogvar := "Access-Reject"
(9) } # update control = noop
(9) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
(9) linelog: --> messages.Access-Reject
(9) linelog: EXPAND /usr/local/var/log/radius/linelog
(9) linelog: --> /usr/local/var/log/radius/linelog
(9) linelog: EXPAND %{md5:%T,%{Calling-Station-Id}} Result: Authentication
Failed,Access-Reject
(9) linelog: --> e042f9def033579c3d4e304b73cd31db Result: Authentication
Failed,Access-Reject
(9) [linelog] = ok
(9) update control {
(9) linelogvar := "auth_result_reject_log"
(9) } # update control = noop
(9) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
(9) linelog: --> messages.auth_result_reject_log
(9) linelog: EXPAND /usr/local/var/log/radius/linelog
(9) linelog: --> /usr/local/var/log/radius/linelog
(9) linelog: EXPAND
Access-Request,%T,%{User-Name},%{Calling-Station-Id},%{NAS-IP-Address},%{NAS-Identifier},%{md5:%T,%{Calling-Station-Id}},Authentication
Failed,%{Called-Station-Id}
(9) linelog: -->
Access-Request,2016-03-30-22.18.47.000000,XXXXXXX,XXXXXXX,XXXXXXX,XXXXXXX,e042f9def033579c3d4e304b73cd31db,Authentication
Failed,XXXXXXX
(9) [linelog] = ok
(9) update control {
(9) linelogvar := "empty_line"
(9) } # update control = noop
(9) linelog: EXPAND messages.%{%{control:linelogvar}:-default}
(9) linelog: --> messages.empty_line
(9) linelog: EXPAND /usr/local/var/log/radius/linelog
(9) linelog: --> /usr/local/var/log/radius/linelog
(9) linelog: EXPAND
(9) linelog: -->
(9) [linelog] = ok
(9) sql: EXPAND .query
(9) sql: --> .query
(9) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (7)
(9) sql: EXPAND %{User-Name}
(9) sql: --> XXXXXXX
(9) sql: SQL-User-Name set to 'XXXXXXX'
(9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(9) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'XXXXXXX', '', 'Access-Accept', '2016-03-30 22:18:47')
(9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'XXXXXXX', '', 'Access-Accept', '2016-03-30 22:18:47')
(9) sql: SQL query returned: success
(9) sql: 1 record(s) updated
rlm_sql (sql): Released connection (7)
(9) [sql] = ok
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject: --> XXXXXXX
(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
(9) [attr_filter.access_reject] = updated
(9) [eap] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) } # Post-Auth-Type REJECT = updated
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(9) Sending delayed response
(9) Sent Access-Reject Id 151 from XXXXXXX:1812 to XXXXXXX:32769 length 44
(9) EAP-Message = 0x03090004
(9) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
(1) Cleaning up request packet ID 143 with timestamp +76
(2) Cleaning up request packet ID 144 with timestamp +76
(3) Cleaning up request packet ID 145 with timestamp +76
(4) Cleaning up request packet ID 146 with timestamp +76
(5) Cleaning up request packet ID 147 with timestamp +76
(6) Cleaning up request packet ID 148 with timestamp +76
(7) Cleaning up request packet ID 149 with timestamp +76
Waking up in 0.1 seconds.
(8) Cleaning up request packet ID 150 with timestamp +76
(9) Cleaning up request packet ID 151 with timestamp +76
ldap config
ldap {
update {
control:Password-With-Header += 'userPassword'
control:wifi := 'wifi'
# control:NT-Password := 'ntPassword'
# reply:Reply-Message := 'radiusReplyMessage'
# reply:Tunnel-Type := 'radiusTunnelType'
# reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
# reply:Tunnel-Private-Group-ID :=
'radiusTunnelPrivategroupId'
# Where only a list is specified as the RADIUS attribute,
# the value of the LDAP attribute is parsed as a valuepair
# in the same format as the 'valuepair_attribute' (above).
control: += 'radiusControlAttribute'
request: += 'radiusRequestAttribute'
reply: += 'radiusReplyAttribute'
}
}
I tried using xlat also but that also is not helping.
BR,
Anirudh Malhotra
Mail: 8zero2.in at gmail.com
Facebook: www.facebook.com/8zero2
Twitter: @8zero2_in
Blog: blog.8zero2.in
On Thu, Mar 31, 2016 at 1:56 AM, Alan DeKok <aland at deployingradius.com>
wrote:
> On Mar 30, 2016, at 11:47 AM, Anirudh Malhotra <8zero2ops at gmail.com>
> wrote:
> > when using eap inner tunned would be used right?
>
> It depends on the EAP method.
>
> > so ldap module when called and some control attributes are updated these
> > are going to updated in the inner control or the outer control(or there
> is
> > no such thing) and attributes are copied?
>
> If you configured it that way.
>
> > Also the unlang which i ran was in post auth so that is the end of the
> > request and ldap is parsed above it, so could that be a problem which u
> > suggested in your previous reply.
>
> No, that's not what I said.
>
> > Secondly could the data type of ldap attribute(integer or string) affect
> > the unlang would treat the attribute?
>
> No.
>
> You're doing everything *except* looking at the debug output.
>
> You need to either follow instructions, or to stop asking questions on
> this list.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list