freeRadius dynamic vlan unifi AP

Jan-Christoph Fuchs jcfuchs at me.com
Sat Feb 11 18:01:36 CET 2017


Hi Forum,
I have set up a FreeRADIUS server with MySQL for dynamic VLAN assignment. Everything works fine with a TP-Link AP running OpenWrt.
Now I have changed to Unifi equipment (Unifi Security Gateway Pro, Unifi Switch US-24 POE, Unifi AP Pro) and the dynamic VLAN assignment does not work anymore. When I try to connect to the WPA2 Enterprise WLAN, the credentials are accepted, but I am always put on the default VLAN.

I googled around and found this link, but I had no success anyway.

http://freeradius.1045715.n5.nabble.com/Freeradius-and-Unifi-Vlan-td5743402.html

Anyone has any ideas to help me please?
What further information do you need?

I have a full freeradius -X debug output.

Thanks
Foxy


freeradius debug:

rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=0, length=162

       User-Name = "vlan2"

       NAS-Identifier = "802aa8c9b930"

       NAS-Port = 0

       Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"

       Calling-Station-Id = "44-00-10-57-E4-82"

       Framed-MTU = 1400

       NAS-Port-Type = Wireless-802.11

       Connect-Info = "CONNECT 0Mbps 802.11b"

       EAP-Message = 0x0267000a01766c616e32

       Message-Authenticator = 0x06d999db3a89921c59829a06fc6a668c

# Executing section authorize from file /etc/freeradius/sites-enabled/default

+group authorize {

++[preprocess] = ok

++[chap] = noop

++[mschap] = noop

++[digest] = noop

[suffix] No '@' in User-Name = "vlan2", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] = noop

[eap] EAP packet type response id 103 length 10

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] = updated

++[files] = noop

[sql] expand: %{User-Name} -> vlan2

[sql] sql_set_user escaped user --> 'vlan2'

rlm_sql (sql): Reserving sql socket id: 31

[sql] expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'vlan2'           ORDER BY id

[sql] User found in radcheck table

[sql] expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'vlan2'           ORDER BY id

[sql] expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'vlan2'           ORDER BY priority

[sql] expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'vlan2'           ORDER BY id

[sql] User found in group vlan2

[sql] expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'vlan2'           ORDER BY id

rlm_sql (sql): Released sql socket id: 31

++[sql] = ok

++[expiration] = noop

++[logintime] = noop

[pap] WARNING: Auth-Type already set.  Not setting to PAP

++[pap] = noop

+} # group authorize = updated

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+group authenticate {

[eap] EAP Identity

[eap] processing type md5

rlm_eap_md5: Issuing Challenge

++[eap] = handled

+} # group authenticate = handled

Sending Access-Challenge of id 0 to 10.4.0.3 port 58475

       Tunnel-Type:0 := VLAN

       Tunnel-Medium-Type:0 := IEEE-802

       Tunnel-Private-Group-Id:0 := "2"

       EAP-Message = 0x016800160410d4aaf5baf1249b0b9757e28baaeaaa5f

       Message-Authenticator = 0x00000000000000000000000000000000

       State = 0x5bbe2fd05bd62b4f6758a6e7768e6c4f

Finished request 0.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=1, length=178

       User-Name = "vlan2"

       NAS-Identifier = "802aa8c9b930"

       NAS-Port = 0

       Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"

       Calling-Station-Id = "44-00-10-57-E4-82"

       Framed-MTU = 1400

       NAS-Port-Type = Wireless-802.11

       Connect-Info = "CONNECT 0Mbps 802.11b"

       EAP-Message = 0x026800080319152b

       State = 0x5bbe2fd05bd62b4f6758a6e7768e6c4f

       Message-Authenticator = 0x832e2a49ed7f71a89ddd64c031384e96

# Executing section authorize from file /etc/freeradius/sites-enabled/default

+group authorize {

++[preprocess] = ok

++[chap] = noop

++[mschap] = noop

++[digest] = noop

[suffix] No '@' in User-Name = "vlan2", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] = noop

[eap] EAP packet type response id 104 length 8

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] = updated

++[files] = noop

[sql] expand: %{User-Name} -> vlan2

[sql] sql_set_user escaped user --> 'vlan2'

rlm_sql (sql): Reserving sql socket id: 30

[sql] expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'vlan2'           ORDER BY id

[sql] User found in radcheck table

[sql] expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'vlan2'           ORDER BY id

[sql] expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'vlan2'           ORDER BY priority

[sql] expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'vlan2'           ORDER BY id

[sql] User found in group vlan2

[sql] expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'vlan2'           ORDER BY id

rlm_sql (sql): Released sql socket id: 30

++[sql] = ok

++[expiration] = noop

++[logintime] = noop

[pap] WARNING: Auth-Type already set.  Not setting to PAP

++[pap] = noop

+} # group authorize = updated

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+group authenticate {

[eap] Request found, released from the list

[eap] EAP NAK

[eap] EAP-NAK asked for EAP-Type/peap

[eap] processing type tls

[tls] Initiate

[tls] Start returned 1

++[eap] = handled

+} # group authenticate = handled

Sending Access-Challenge of id 1 to 10.4.0.3 port 58475

       Tunnel-Type:0 := VLAN

       Tunnel-Medium-Type:0 := IEEE-802

       Tunnel-Private-Group-Id:0 := "2"

       EAP-Message = 0x016900061920

       Message-Authenticator = 0x00000000000000000000000000000000

       State = 0x5bbe2fd05ad7364f6758a6e7768e6c4f

Finished request 1.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=2, length=297

       User-Name = "vlan2"

       NAS-Identifier = "802aa8c9b930"

       NAS-Port = 0

       Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"

       Calling-Station-Id = "44-00-10-57-E4-82"

       Framed-MTU = 1400

       NAS-Port-Type = Wireless-802.11

       Connect-Info = "CONNECT 0Mbps 802.11b"

       EAP-Message = 0x0269007f19800000007516030100700100006c0301589ed44589c48a46cf539f29ccb55919d495885606f29ed44e2a6c29bd86d9eb00002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000

       State = 0x5bbe2fd05ad7364f6758a6e7768e6c4f

       Message-Authenticator = 0x36c578d87de859f5bb186da5d12f866d

# Executing section authorize from file /etc/freeradius/sites-enabled/default

+group authorize {

++[preprocess] = ok

++[chap] = noop

++[mschap] = noop

++[digest] = noop

[suffix] No '@' in User-Name = "vlan2", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] = noop

[eap] EAP packet type response id 105 length 127

[eap] Continuing tunnel setup.

++[eap] = ok

+} # group authorize = ok

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+group authenticate {

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

  TLS Length 117

[peap] Length Included

[peap] eaptls_verify returned 11 

[peap]     (other): before/accept initialization

[peap]     TLS_accept: before/accept initialization

[peap] <<< TLS 1.0 Handshake [length 0070], ClientHello  

[peap]     TLS_accept: unknown state

[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello  

[peap]     TLS_accept: unknown state

[peap] >>> TLS 1.0 Handshake [length 02ca], Certificate  

[peap]     TLS_accept: unknown state

[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange  

[peap]     TLS_accept: unknown state

[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  

[peap]     TLS_accept: unknown state

[peap]     TLS_accept: unknown state

[peap]     TLS_accept: Need to read more data: unknown state

In SSL Handshake Phase 

In SSL Accept mode  

[peap] eaptls_process returned 13 

[peap] EAPTLS_HANDLED

++[eap] = handled

+} # group authenticate = handled

Sending Access-Challenge of id 2 to 10.4.0.3 port 58475

       EAP-Message = 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

       EAP-Message = 0xe2d0d56ef0c7992e58cc9fddfcca2e1e792de870f1b44732e39760c9be69d00bee75ebb6544ef6e7552cd6071cf42a0314dfcf5f6588403e82906d1bdc76e22d83d897f5822cc3ad4e8688b26a7e51272de8f12178c18eeef3736db12c082c610cf4ed064ca669a8502cd0b304f9b347e9b6e792d22b7477447b724fc1a5b8feaa5bc2dab89c47f61083f2ad2a713346a45779f64738f78e6c6b50dd9fba57b8c429d9130ffe2852ae300f0da67338d241c7f9ed1a3edfd9e60e4a204888db9e7c2b2c4b2720cac0bb75955fdc8dededdcd3005b33e3c3665cb56f8fea647fe98b100ac37981f6664b06baf77672578b49510203010001a30d300b3009

       EAP-Message = 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

       EAP-Message = 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

       EAP-Message = 0xc33825db86cc5193821c21c0

       Message-Authenticator = 0x00000000000000000000000000000000

       State = 0x5bbe2fd059d4364f6758a6e7768e6c4f

Finished request 2.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=3, length=176

       User-Name = "vlan2"

       NAS-Identifier = "802aa8c9b930"

       NAS-Port = 0

       Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"

       Calling-Station-Id = "44-00-10-57-E4-82"

       Framed-MTU = 1400

       NAS-Port-Type = Wireless-802.11

       Connect-Info = "CONNECT 0Mbps 802.11b"

       EAP-Message = 0x026a00061900

       State = 0x5bbe2fd059d4364f6758a6e7768e6c4f

       Message-Authenticator = 0x99a1d9d626da9befea61798a088dcaa5

# Executing section authorize from file /etc/freeradius/sites-enabled/default

+group authorize {

++[preprocess] = ok

++[chap] = noop

++[mschap] = noop

++[digest] = noop

[suffix] No '@' in User-Name = "vlan2", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] = noop

[eap] EAP packet type response id 106 length 6

[eap] Continuing tunnel setup.

++[eap] = ok

+} # group authorize = ok

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+group authenticate {

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] Received TLS ACK

[peap] ACK handshake fragment handler

[peap] eaptls_verify returned 1 

[peap] eaptls_process returned 13 

[peap] EAPTLS_HANDLED

++[eap] = handled

+} # group authenticate = handled

Sending Access-Challenge of id 3 to 10.4.0.3 port 58475

       EAP-Message = 0x016b0076190084b8ddc47f9ae932aad390c476d83be799f4a0573ba9ffc44bb7ab4acd2aee1bf8c481909e6fb235ad5904953e0da13f76cab712d08f270272699821617e7c9bbbf02fe16724e3e118fb1544a1425a42b33d7627f1ac1a3ab6b40de72becd841b631813edf992c16030100040e000000

       Message-Authenticator = 0x00000000000000000000000000000000

       State = 0x5bbe2fd058d5364f6758a6e7768e6c4f

Finished request 3.

Going to the next request

Waking up in 4.8 seconds.

rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=4, length=314

       User-Name = "vlan2"

       NAS-Identifier = "802aa8c9b930"

       NAS-Port = 0

       Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"

       Calling-Station-Id = "44-00-10-57-E4-82"

       Framed-MTU = 1400

       NAS-Port-Type = Wireless-802.11

       Connect-Info = "CONNECT 0Mbps 802.11b"

       EAP-Message = 0x026b0090198000000086160301004610000042410492699d0b4133e01f3077df1dd32450bb838549add65693b94f1403cc929899231cbad80effab16998dbc60b8de0238ddbe8fefdbbe3e770c3f662d37b37371771403010001011603010030164a6ac78696439e80a7b6e06d205e5a2a6b9a90d8531892b0a24de189284588156554a2a15cbbcb8cc0e9e8f87810c8

       State = 0x5bbe2fd058d5364f6758a6e7768e6c4f

       Message-Authenticator = 0xbd183035d6eb70e1cf4df33759a104a0

# Executing section authorize from file /etc/freeradius/sites-enabled/default

+group authorize {

++[preprocess] = ok

++[chap] = noop

++[mschap] = noop

++[digest] = noop

[suffix] No '@' in User-Name = "vlan2", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] = noop

[eap] EAP packet type response id 107 length 144

[eap] Continuing tunnel setup.

++[eap] = ok

+} # group authorize = ok

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+group authenticate {

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

  TLS Length 134

[peap] Length Included

[peap] eaptls_verify returned 11 

[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange  

[peap]     TLS_accept: unknown state

[peap]     TLS_accept: unknown state

[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  

[peap] <<< TLS 1.0 Handshake [length 0010], Finished  

[peap]     TLS_accept: unknown state

[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  

[peap]     TLS_accept: unknown state

[peap] >>> TLS 1.0 Handshake [length 0010], Finished  

[peap]     TLS_accept: unknown state

[peap]     TLS_accept: unknown state

[peap]     (other): SSL negotiation finished successfully

SSL Connection Established 

[peap] eaptls_process returned 13 

[peap] EAPTLS_HANDLED

++[eap] = handled

+} # group authenticate = handled

Sending Access-Challenge of id 4 to 10.4.0.3 port 58475

       EAP-Message = 0x016c0041190014030100010116030100302db38c5a4a30e8a20e40e33ea5c90ffc4390aa26733fa055d9e44df2df3fe2efec91ee64752fbaa81952491f4de66b73

       Message-Authenticator = 0x00000000000000000000000000000000

       State = 0x5bbe2fd05fd2364f6758a6e7768e6c4f

Finished request 4.

Going to the next request

Waking up in 2.2 seconds.

rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=5, length=176

       User-Name = "vlan2"

       NAS-Identifier = "802aa8c9b930"

       NAS-Port = 0

       Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"

       Calling-Station-Id = "44-00-10-57-E4-82"

       Framed-MTU = 1400

       NAS-Port-Type = Wireless-802.11

       Connect-Info = "CONNECT 0Mbps 802.11b"

       EAP-Message = 0x026c00061900

       State = 0x5bbe2fd05fd2364f6758a6e7768e6c4f

       Message-Authenticator = 0xfe48702c915ce42bd6857c1c98c2ad33

# Executing section authorize from file /etc/freeradius/sites-enabled/default

+group authorize {

++[preprocess] = ok

++[chap] = noop

++[mschap] = noop

++[digest] = noop

[suffix] No '@' in User-Name = "vlan2", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] = noop

[eap] EAP packet type response id 108 length 6

[eap] Continuing tunnel setup.

++[eap] = ok

+} # group authorize = ok

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+group authenticate {

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] Received TLS ACK

[peap] ACK handshake is finished

[peap] eaptls_verify returned 3 

[peap] eaptls_process returned 3 

[peap] EAPTLS_SUCCESS

[peap] Session established.  Decoding tunneled attributes.

[peap] Peap state TUNNEL ESTABLISHED

++[eap] = handled

+} # group authenticate = handled

Sending Access-Challenge of id 5 to 10.4.0.3 port 58475

       EAP-Message = 0x016d002b19001703010020720525055a03208c8942699fac52371c34564e69c8ad2dca9670eb2ad7d7990b

       Message-Authenticator = 0x00000000000000000000000000000000

       State = 0x5bbe2fd05ed3364f6758a6e7768e6c4f

Finished request 5.

Going to the next request

Waking up in 2.2 seconds.

rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=6, length=213

       User-Name = "vlan2"

       NAS-Identifier = "802aa8c9b930"

       NAS-Port = 0

       Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"

       Calling-Station-Id = "44-00-10-57-E4-82"

       Framed-MTU = 1400

       NAS-Port-Type = Wireless-802.11

       Connect-Info = "CONNECT 0Mbps 802.11b"

       EAP-Message = 0x026d002b1900170301002047bc3b02b2b161c69c407fcc9499570fc44846071487cddd3238a74a6f1b5486

       State = 0x5bbe2fd05ed3364f6758a6e7768e6c4f

       Message-Authenticator = 0x3043fa8c67010675ab157c9b041ec8e0

# Executing section authorize from file /etc/freeradius/sites-enabled/default

+group authorize {

++[preprocess] = ok

++[chap] = noop

++[mschap] = noop

++[digest] = noop

[suffix] No '@' in User-Name = "vlan2", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] = noop

[eap] EAP packet type response id 109 length 43

[eap] Continuing tunnel setup.

++[eap] = ok

+} # group authorize = ok

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+group authenticate {

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] eaptls_verify returned 7 

[peap] Done initial handshake

[peap] eaptls_process returned 7 

[peap] EAPTLS_OK

[peap] Session established.  Decoding tunneled attributes.

[peap] Peap state WAITING FOR INNER IDENTITY

[peap] Identity - vlan2

[peap] Got inner identity 'vlan2'

[peap] Setting default EAP type for tunneled EAP session.

[peap] Got tunneled request

       EAP-Message = 0x026d000a01766c616e32

server  {

[peap] Setting User-Name to vlan2

Sending tunneled request

       EAP-Message = 0x026d000a01766c616e32

       FreeRADIUS-Proxied-To = 127.0.0.1

       User-Name = "vlan2"

       NAS-Identifier = "802aa8c9b930"

       NAS-Port = 0

       Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"

       Calling-Station-Id = "44-00-10-57-E4-82"

       Framed-MTU = 1400

       NAS-Port-Type = Wireless-802.11

       Connect-Info = "CONNECT 0Mbps 802.11b"

       NAS-IP-Address = 10.4.0.3

server inner-tunnel {

# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel

+group authorize {

++[chap] = noop

++[mschap] = noop

[suffix] No '@' in User-Name = "vlan2", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] = noop

++update control {

++} # update control = noop

[eap] EAP packet type response id 109 length 10

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] = updated

++[files] = noop

[sql] expand: %{User-Name} -> vlan2

[sql] sql_set_user escaped user --> 'vlan2'

rlm_sql (sql): Reserving sql socket id: 29

[sql] expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'vlan2'           ORDER BY id

[sql] User found in radcheck table

[sql] expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'vlan2'           ORDER BY id

[sql] expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'vlan2'           ORDER BY priority

[sql] expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'vlan2'           ORDER BY id

[sql] User found in group vlan2

[sql] expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'vlan2'           ORDER BY id

rlm_sql (sql): Released sql socket id: 29

++[sql] = ok

++[expiration] = noop

++[logintime] = noop

[pap] WARNING: Auth-Type already set.  Not setting to PAP

++[pap] = noop

+} # group authorize = updated

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel

+group authenticate {

[eap] EAP Identity

[eap] processing type mschapv2

rlm_eap_mschapv2: Issuing Challenge

++[eap] = handled

+} # group authenticate = handled

} # server inner-tunnel

[peap] Got tunneled reply code 11

       Tunnel-Type:0 := VLAN

       Tunnel-Medium-Type:0 := IEEE-802

       Tunnel-Private-Group-Id:0 := "2"

       EAP-Message = 0x016e001f1a016e001a10e77e02f329ceda823151bee45600a691766c616e32

       Message-Authenticator = 0x00000000000000000000000000000000

       State = 0xbf69de36bf07c49c7fdd6a5522e854fb

[peap] Got tunneled reply RADIUS code 11

       Tunnel-Type:0 := VLAN

       Tunnel-Medium-Type:0 := IEEE-802

       Tunnel-Private-Group-Id:0 := "2"

       EAP-Message = 0x016e001f1a016e001a10e77e02f329ceda823151bee45600a691766c616e32

       Message-Authenticator = 0x00000000000000000000000000000000

       State = 0xbf69de36bf07c49c7fdd6a5522e854fb

[peap] Got tunneled Access-Challenge

++[eap] = handled

+} # group authenticate = handled

Sending Access-Challenge of id 6 to 10.4.0.3 port 58475

       EAP-Message = 0x016e003b19001703010030273a2344da33da6bd4f07a68939b2d6fe8f074d5c8fc5d3bd995b603066ecf0ebadaa7b9c6bb0857de06eb1732da1372

       Message-Authenticator = 0x00000000000000000000000000000000

       State = 0x5bbe2fd05dd0364f6758a6e7768e6c4f

Finished request 6.

Going to the next request

Waking up in 2.2 seconds.

rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=7, length=277

       User-Name = "vlan2"

       NAS-Identifier = "802aa8c9b930"

       NAS-Port = 0

       Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"

       Calling-Station-Id = "44-00-10-57-E4-82"

       Framed-MTU = 1400

       NAS-Port-Type = Wireless-802.11

       Connect-Info = "CONNECT 0Mbps 802.11b"

       EAP-Message = 0x026e006b190017030100609d599b8771f229409a0c80966b2d47df23ee2d458e0aa22554971c8dcbff5c8d6fd24841ac1f33f77b523ad33f435410bd3b5061388f389cf35852f2bbe989d6e79c80c01fa06efa1ac48960c28057604e2d52eaf27fcb9592b15bd81b9d9352

       State = 0x5bbe2fd05dd0364f6758a6e7768e6c4f

       Message-Authenticator = 0x49a65641575dbc71665aa3a24ed858d4

# Executing section authorize from file /etc/freeradius/sites-enabled/default

+group authorize {

++[preprocess] = ok

++[chap] = noop

++[mschap] = noop

++[digest] = noop

[suffix] No '@' in User-Name = "vlan2", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] = noop

[eap] EAP packet type response id 110 length 107

[eap] Continuing tunnel setup.

++[eap] = ok

+} # group authorize = ok

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+group authenticate {

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] eaptls_verify returned 7 

[peap] Done initial handshake

[peap] eaptls_process returned 7 

[peap] EAPTLS_OK

[peap] Session established.  Decoding tunneled attributes.

[peap] Peap state phase2

[peap] EAP type mschapv2

[peap] Got tunneled request

       EAP-Message = 0x026e00401a026e003b315e0f62a689f025e1df998ee87babf9de00000000000000007564685ceec9262c6ebfe53b4108d24ae06e720a0fe08a6c00766c616e32

server  {

[peap] Setting User-Name to vlan2

Sending tunneled request

       EAP-Message = 0x026e00401a026e003b315e0f62a689f025e1df998ee87babf9de00000000000000007564685ceec9262c6ebfe53b4108d24ae06e720a0fe08a6c00766c616e32

       FreeRADIUS-Proxied-To = 127.0.0.1

       User-Name = "vlan2"

       State = 0xbf69de36bf07c49c7fdd6a5522e854fb

       NAS-Identifier = "802aa8c9b930"

       NAS-Port = 0

       Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"

       Calling-Station-Id = "44-00-10-57-E4-82"

       Framed-MTU = 1400

       NAS-Port-Type = Wireless-802.11

       Connect-Info = "CONNECT 0Mbps 802.11b"

       NAS-IP-Address = 10.4.0.3

server inner-tunnel {

# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel

+group authorize {

++[chap] = noop

++[mschap] = noop

[suffix] No '@' in User-Name = "vlan2", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] = noop

++update control {

++} # update control = noop

[eap] EAP packet type response id 110 length 64

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] = updated

++[files] = noop

[sql] expand: %{User-Name} -> vlan2

[sql] sql_set_user escaped user --> 'vlan2'

rlm_sql (sql): Reserving sql socket id: 28

[sql] expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'vlan2'           ORDER BY id

[sql] User found in radcheck table

[sql] expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'vlan2'           ORDER BY id

[sql] expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'vlan2'           ORDER BY priority

[sql] expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'vlan2'           ORDER BY id

[sql] User found in group vlan2

[sql] expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'vlan2'           ORDER BY id

rlm_sql (sql): Released sql socket id: 28

++[sql] = ok

++[expiration] = noop

++[logintime] = noop

[pap] WARNING: Auth-Type already set.  Not setting to PAP

++[pap] = noop

+} # group authorize = updated

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel

+group authenticate {

[eap] Request found, released from the list

[eap] EAP/mschapv2

[eap] processing type mschapv2

[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel

[mschapv2] +group MS-CHAP {

[mschap] Creating challenge hash with username: vlan2

[mschap] Client is using MS-CHAPv2 for vlan2, we need NT-Password

++[mschap] = ok

+} # group MS-CHAP = ok

MSCHAP Success 

++[eap] = handled

+} # group authenticate = handled

} # server inner-tunnel

[peap] Got tunneled reply code 11

       Tunnel-Type:0 := VLAN

       Tunnel-Medium-Type:0 := IEEE-802

       Tunnel-Private-Group-Id:0 := "2"

       EAP-Message = 0x016f00331a036e002e533d41463237344142313833423934363930354534383236463136343338333230333744323432413432

       Message-Authenticator = 0x00000000000000000000000000000000

       State = 0xbf69de36be06c49c7fdd6a5522e854fb

[peap] Got tunneled reply RADIUS code 11

       Tunnel-Type:0 := VLAN

       Tunnel-Medium-Type:0 := IEEE-802

       Tunnel-Private-Group-Id:0 := "2"

       EAP-Message = 0x016f00331a036e002e533d41463237344142313833423934363930354534383236463136343338333230333744323432413432

       Message-Authenticator = 0x00000000000000000000000000000000

       State = 0xbf69de36be06c49c7fdd6a5522e854fb

[peap] Got tunneled Access-Challenge

++[eap] = handled

+} # group authenticate = handled

Sending Access-Challenge of id 7 to 10.4.0.3 port 58475

       EAP-Message = 0x016f005b19001703010050379671a1652397822077c4939f603c0697b5ad4acda69af23684b69747b835bc2eee51061ba9de8736ee1a212c16986b4976389fe0080d8f0d71a892795b124f8bcb4cf473180414321ba05012d9c804

       Message-Authenticator = 0x00000000000000000000000000000000

       State = 0x5bbe2fd05cd1364f6758a6e7768e6c4f

Finished request 7.

Going to the next request

Waking up in 2.1 seconds.

rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=8, length=213

       User-Name = "vlan2"

       NAS-Identifier = "802aa8c9b930"

       NAS-Port = 0

       Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"

       Calling-Station-Id = "44-00-10-57-E4-82"

       Framed-MTU = 1400

       NAS-Port-Type = Wireless-802.11

       Connect-Info = "CONNECT 0Mbps 802.11b"

       EAP-Message = 0x026f002b190017030100204e389e032c31ad1db1e6708b6e4b9d959b44e97a2133228df869f8852f589e6b

       State = 0x5bbe2fd05cd1364f6758a6e7768e6c4f

       Message-Authenticator = 0x931630aa75d0a3402894d50d928802c2

# Executing section authorize from file /etc/freeradius/sites-enabled/default

+group authorize {

++[preprocess] = ok

++[chap] = noop

++[mschap] = noop

++[digest] = noop

[suffix] No '@' in User-Name = "vlan2", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] = noop

[eap] EAP packet type response id 111 length 43

[eap] Continuing tunnel setup.

++[eap] = ok

+} # group authorize = ok

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+group authenticate {

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] eaptls_verify returned 7 

[peap] Done initial handshake

[peap] eaptls_process returned 7 

[peap] EAPTLS_OK

[peap] Session established.  Decoding tunneled attributes.

[peap] Peap state phase2

[peap] EAP type mschapv2

[peap] Got tunneled request

       EAP-Message = 0x026f00061a03

server  {

[peap] Setting User-Name to vlan2

Sending tunneled request

       EAP-Message = 0x026f00061a03

       FreeRADIUS-Proxied-To = 127.0.0.1

       User-Name = "vlan2"

       State = 0xbf69de36be06c49c7fdd6a5522e854fb

       NAS-Identifier = "802aa8c9b930"

       NAS-Port = 0

       Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"

       Calling-Station-Id = "44-00-10-57-E4-82"

       Framed-MTU = 1400

       NAS-Port-Type = Wireless-802.11

       Connect-Info = "CONNECT 0Mbps 802.11b"

       NAS-IP-Address = 10.4.0.3

server inner-tunnel {

# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel

+group authorize {

++[chap] = noop

++[mschap] = noop

[suffix] No '@' in User-Name = "vlan2", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] = noop

++update control {

++} # update control = noop

[eap] EAP packet type response id 111 length 6

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] = updated

++[files] = noop

[sql] expand: %{User-Name} -> vlan2

[sql] sql_set_user escaped user --> 'vlan2'

rlm_sql (sql): Reserving sql socket id: 27

[sql] expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'vlan2'           ORDER BY id

[sql] User found in radcheck table

[sql] expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'vlan2'           ORDER BY id

[sql] expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'vlan2'           ORDER BY priority

[sql] expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'vlan2'           ORDER BY id

[sql] User found in group vlan2

[sql] expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'vlan2'           ORDER BY id

rlm_sql (sql): Released sql socket id: 27

++[sql] = ok

++[expiration] = noop

++[logintime] = noop

[pap] WARNING: Auth-Type already set.  Not setting to PAP

++[pap] = noop

+} # group authorize = updated

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel

+group authenticate {

[eap] Request found, released from the list

[eap] EAP/mschapv2

[eap] processing type mschapv2

[eap] Freeing handler

++[eap] = ok

+} # group authenticate = ok

  WARNING: Empty post-auth section.  Using default return values.

# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel

} # server inner-tunnel

[peap] Got tunneled reply code 2

       Tunnel-Type:0 := VLAN

       Tunnel-Medium-Type:0 := IEEE-802

       Tunnel-Private-Group-Id:0 := "2"

       EAP-Message = 0x036f0004

       Message-Authenticator = 0x00000000000000000000000000000000

       User-Name = "vlan2"

[peap] Got tunneled reply RADIUS code 2

       Tunnel-Type:0 := VLAN

       Tunnel-Medium-Type:0 := IEEE-802

       Tunnel-Private-Group-Id:0 := "2"

       EAP-Message = 0x036f0004

       Message-Authenticator = 0x00000000000000000000000000000000

       User-Name = "vlan2"

[peap] Tunneled authentication was successful.

[peap] SUCCESS

[peap] Saving tunneled attributes for later

++[eap] = handled

+} # group authenticate = handled

Sending Access-Challenge of id 8 to 10.4.0.3 port 58475

       EAP-Message = 0x0170002b1900170301002016ca7fa553aa22f428b1cc092d8c0edce568f4304d792dc1e4f3ee96aee7dbf4

       Message-Authenticator = 0x00000000000000000000000000000000

       State = 0x5bbe2fd053ce364f6758a6e7768e6c4f

Finished request 8.

Going to the next request

Waking up in 2.0 seconds.

rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=9, length=213

       User-Name = "vlan2"

       NAS-Identifier = "802aa8c9b930"

       NAS-Port = 0

       Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"

       Calling-Station-Id = "44-00-10-57-E4-82"

       Framed-MTU = 1400

       NAS-Port-Type = Wireless-802.11

       Connect-Info = "CONNECT 0Mbps 802.11b"

       EAP-Message = 0x0270002b19001703010020f1fad92ca1690eeab1fd596f4e05814f52fe6ca28544b4fa55eee6ea9709ba21

       State = 0x5bbe2fd053ce364f6758a6e7768e6c4f

       Message-Authenticator = 0xdb9f0883a110094183004dd28a6f5261

# Executing section authorize from file /etc/freeradius/sites-enabled/default

+group authorize {

++[preprocess] = ok

++[chap] = noop

++[mschap] = noop

++[digest] = noop

[suffix] No '@' in User-Name = "vlan2", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] = noop

[eap] EAP packet type response id 112 length 43

[eap] Continuing tunnel setup.

++[eap] = ok

+} # group authorize = ok

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+group authenticate {

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] eaptls_verify returned 7 

[peap] Done initial handshake

[peap] eaptls_process returned 7 

[peap] EAPTLS_OK

[peap] Session established.  Decoding tunneled attributes.

[peap] Peap state send tlv success

[peap] Received EAP-TLV response.

[peap] Success

[peap] Using saved attributes from the original Access-Accept

       Tunnel-Type:0 := VLAN

       Tunnel-Medium-Type:0 := IEEE-802

       Tunnel-Private-Group-Id:0 := "2"

       User-Name = "vlan2"

[eap] Freeing handler

++[eap] = ok

+} # group authenticate = ok

# Executing section post-auth from file /etc/freeradius/sites-enabled/default

+group post-auth {

[sql] expand: %{User-Name} -> vlan2

[sql] sql_set_user escaped user --> 'vlan2'

[sql] expand: %{User-Password} -> 

[sql] ... expanding second conditional

[sql] expand: %{Chap-Password} -> 

[sql] expand: INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'vlan2',                           '',                           'Access-Accept', '2017-02-11 09:54:40')

rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'vlan2',                           '',                           'Access-Accept', '2017-02-11 09:54:40')

rlm_sql (sql): Reserving sql socket id: 26

rlm_sql (sql): Released sql socket id: 26

++[sql] = ok

++[exec] = noop

+} # group post-auth = ok

Sending Access-Accept of id 9 to 10.4.0.3 port 58475

       Tunnel-Type:0 := VLAN

       Tunnel-Medium-Type:0 := IEEE-802

       Tunnel-Private-Group-Id:0 := "2"

       User-Name = "vlan2"

       MS-MPPE-Recv-Key = 0xc42271ac1c9ce5bd6fd9be65a9eaf0b2c9512de5a0561888d8c4443a42a3ea0e

       MS-MPPE-Send-Key = 0xe57e91b287bd2e2d536e08176c9a61fdaa9ae60687e59db5310af032b8c3e430

       EAP-Message = 0x03700004

       Message-Authenticator = 0x00000000000000000000000000000000

Finished request 9.

Going to the next request

Waking up in 2.0 seconds.

Cleaning up request 0 ID 0 with timestamp +47

Cleaning up request 1 ID 1 with timestamp +47

Cleaning up request 2 ID 2 with timestamp +47

Cleaning up request 3 ID 3 with timestamp +47

Waking up in 2.6 seconds.

Cleaning up request 4 ID 4 with timestamp +49

Cleaning up request 5 ID 5 with timestamp +49

Cleaning up request 6 ID 6 with timestamp +49

Cleaning up request 7 ID 7 with timestamp +49

Cleaning up request 8 ID 8 with timestamp +50

Cleaning up request 9 ID 9 with timestamp +50

Ready to process requests.
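The debug above shows FreeRADIUS putting the RFC 3580 VLAN triple (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id, all tag 0, VLAN "2") into the final Access-Accept, so the RADIUS side is doing its part and the NAS configuration is the next place to look. The following script is an added example, not part of the original post: it parses a saved `freeradius -X` capture and reports whether the last Access-Accept carries a consistent VLAN triple; the sample input is constructed in the shape of the log above.

```python
import re

# Constructed sample in the shape of the debug output above (abridged, with
# the archive's blank lines between attributes kept to show they are skipped).
SAMPLE_DEBUG = """\
Sending Access-Challenge of id 8 to 10.4.0.3 port 58475
       EAP-Message = 0x0170002b19
Finished request 8.
Sending Access-Accept of id 9 to 10.4.0.3 port 58475

       Tunnel-Type:0 := VLAN

       Tunnel-Medium-Type:0 := IEEE-802
       Tunnel-Private-Group-Id:0 := "2"
       User-Name = "vlan2"
Finished request 9.
"""

# One reply attribute line: name, optional :tag, operator (= or :=), value.
ATTR_RE = re.compile(r'^\s+([\w-]+)(?::(\d+))?\s*:?=\s*(.*)$')
VLAN_TRIPLE = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")


def accept_attributes(debug):
    """Return {name: (tag, value)} from the last 'Sending Access-Accept' block."""
    attrs, in_accept = {}, False
    for line in debug.splitlines():
        if line.startswith("Sending Access-Accept"):
            attrs, in_accept = {}, True           # new block; keep only the last one
        elif in_accept and line.strip():
            m = ATTR_RE.match(line)
            if not m:                             # e.g. "Finished request 9." ends the block
                in_accept = False
                continue
            name, tag, value = m.groups()
            attrs[name] = (int(tag) if tag else None, value.strip('"'))
    return attrs


def vlan_assignment(debug):
    """(vlan_id, tag) if the Accept carries a consistent VLAN triple, else None."""
    attrs = accept_attributes(debug)
    if any(name not in attrs for name in VLAN_TRIPLE):
        return None                               # an attribute of the triple is missing
    tags = {attrs[name][0] for name in VLAN_TRIPLE}
    if len(tags) != 1:                            # tags must match for the NAS to group them
        return None
    if attrs["Tunnel-Type"][1] != "VLAN" or attrs["Tunnel-Medium-Type"][1] != "IEEE-802":
        return None
    return attrs["Tunnel-Private-Group-Id"][1], tags.pop()
```

Run it on the full capture (`freeradius -X > debug.txt`) by passing the file contents to `vlan_assignment`; a `None` result points at the RADIUS configuration, a tuple points at the NAS.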

 

