Class attribute in Reply message
Umut Arus
umuta at sabanciuniv.edu
Tue Oct 3 11:23:50 CEST 2017
Hello,
I need to return the deniedServices LDAP attribute in the Class attribute of the reply for a
controller. I added
"replyItem Class deniedServices +=" to the ldap.attrmap file,
and the sites-available/default file includes the following. But it overrides the Class
value with an empty value.
update reply {
        Class += "%{Reply-Message}"
}
Where is it wrong?
FreeRADIUS Version 2.2.8
Parts of the output are:
[peap] Setting User-Name to tayfund
Sending tunneled request
EAP-Message =
0x020900421a0209003d3167738a93d83ed76e5251bbbaa183542f0000000000000000008955f2389888dbc3771d940bc5c9ade688b2ec3b08e4f80074617966756e64
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "tayfund"
State = 0xb024cc1cb02dd66832d4a5f6f46a2d5f
NAS-IP-Address = 10.200.0.2
NAS-Port = 0
NAS-Identifier = "10.200.0.5"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "748D08E39D7F"
Called-Station-Id = "001A1E0015F0"
Service-Type = Framed-User
Framed-MTU = 1100
Aruba-Essid-Name = "SABANCIUNIV"
Aruba-Location-Id = "BM_IT_NETSYS_7b:fe"
Aruba-AP-Group = "BM_binasi"
Aruba-Device-Type = "iPhone"
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[mschap] = noop
[suffix] No '@' in User-Name = "tayfund", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 9 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[ldap] performing user authorization for tayfund
[ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=tayfund)
[ldap] expand: o=sabanciuniv.edu -> o=sabanciuniv.edu
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=sabanciuniv.edu, with filter (uid=tayfund)
[ldap] Added User-Password = 5F479EB90623041F464CD3F4B685C80A in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header ==
"{SSHA}wM3CoVk5jYLVnHz8jyv6vHBlqv52bw=="
[ldap] sambaNtPassword -> NT-Password ==
0x3546343739454239303632333034314634363443443346344236383543383041
[ldap] sambaLmPassword -> LM-Password ==
0x3836413243354632393945434139444343313745393630323543414633314130
[ldap] radiusAuthType -> Auth-Type == EAP
[ldap] looking for reply items in directory...
[ldap] deniedServices -> Class += 0x7375636f75727365
[ldap] ou -> Operator-Name = "admin"
[ldap] ou -> Operator-Name = "IT"
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
+} # group authorize = updated
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] Found LM-Password
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: tayfund
[mschap] Client is using MS-CHAPv2 for tayfund, we need NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] = ok
++update outer.request {
expand: %{User-Name} -> tayfund
++} # update outer.request = noop
++update outer.reply {
expand: %{User-Name} -> tayfund
++} # update outer.reply = noop
+} # group MS-CHAP = ok
MSCHAP Success
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Class += 0x7375636f75727365
Operator-Name = "admin"
EAP-Message =
0x010a00331a0309002e533d38384136303239324543424441413244303139424145343031363537393336353637364246453633
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb024cc1cb12ed66832d4a5f6f46a2d5f
[peap] Got tunneled reply RADIUS code Access-Challenge
Class += 0x7375636f75727365
Operator-Name = "admin"
EAP-Message =
0x010a00331a0309002e533d38384136303239324543424441413244303139424145343031363537393336353637364246453633
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb024cc1cb12ed66832d4a5f6f46a2d5f
[peap] Got tunneled Access-Challenge
[peap] >>> Unknown TLS version [length 0005]
++[eap] = handled
+} # group authenticate = handled
Going to the next request
rad_recv: Access-Request packet from host 10.200.0.5 port 52530, id=108,
length=259
User-Name = "tayfund"
NAS-IP-Address = 10.200.0.2
NAS-Port = 0
NAS-Identifier = "10.200.0.5"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "748D08E39D7F"
Called-Station-Id = "001A1E0015F0"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message =
0x020b002e190017030300239b010c14db2db49adb4087eaadbbbcf3628daf65188a552fdc7d8fbeb850ded62316e3
State = 0x0f5a59a0065140db3a8c7af8ad4bf4cc
Aruba-Essid-Name = "SABANCIUNIV"
Aruba-Location-Id = "BM_IT_NETSYS_7b:fe"
Aruba-AP-Group = "BM_binasi"
Aruba-Device-Type = "iPhone"
Message-Authenticator = 0xa1cfe667210437f5f5eaf132bf431a90
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "tayfund", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 11 length 46
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< Unknown TLS version [length 0005]
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [tayfund] (from client 10.200.0.0/24 port 0 cli 748D08E39D7F)
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+group post-auth {
[reply_log] expand: %{Packet-Src-IP-Address} -> 10.200.0.5
[reply_log] expand:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
-> /var/log/freeradius/radacct/10.200.0.5/reply-detail-20171003
[reply_log]
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/freeradius/radacct/10.200.0.5/reply-detail-20171003
[reply_log] expand: %t -> Tue Oct 3 12:06:11 2017
++[reply_log] = ok
++[ldap] = noop
++[exec] = noop
++update reply {
expand: %{Reply-Message} ->
++} # update reply = noop
+} # group post-auth = ok
Sending Access-Accept of id 108 to 10.200.0.5 port 52530
MS-MPPE-Recv-Key =
0xfc792d0aa5a1ff4c6e90676c80c47b799958fb603caf17dc11b68eeb182f922f
MS-MPPE-Send-Key =
0x00176d351e6d75e96c0429fefa871f38022b851e2a897921fbc2ab0cc891ee5b
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "tayfund"
Class = 0x
Finished request 785.
Going to the next request
Cleaning up request 596 ID 154 with timestamp +11
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host 10.200.0.5 port 52530, id=101,
length=211
User-Name = "dbostan"
NAS-IP-Address = 10.200.0.2
NAS-Port = 0
NAS-Identifier = "10.200.0.5"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "E0C767163B2F"
Called-Station-Id = "001A1E0015F0"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x020500061900
State = 0xf8fdecb8fbf8f57eaba961c2ded7fb6f
Aruba-Essid-Name = "SABANCIUNIV"
Aruba-Location-Id = "Yurt_A5_Kat1_AP4_60:6c"
Aruba-AP-Group = "Yurt_Binasi"
Message-Authenticator = 0xb071cd65a32ccfd350f5f7349f570df5
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "dbostan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 101 to 10.200.0.5 port 52530
EAP-Message =
EAP-Message =
0x55b131ca32435839495c0a854ab8507fdf5c7a420c64e3f205ef607f2df152265f4544b6b1a5673e05417a38f1e10b63c28438bda216249aff502a43efc8a154ce646da60df5da11d182a059f010c082389b4ad9f901113c159cfd4a0653583ea745983ba8ef9aae665699c04d3a9b642a33ba7bdb9d8960948823747e88e115f41d2114d4cb5f63aec906b7c53c45fb117bccf41276015597025d295aed742520a5bfd019b54e91c4986655fee8f7832ac166433b1f9897eb02f307bae930dc01b8cd0edd0d526d8bd201a8b416030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf8fdecb8fcfbf57eaba961c2ded7fb6f
Finished request 786.
thanks..
--
Umut A
System Specialist
Information Technology
Sabancı University
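The symptom in the debug output above is the final "Class = 0x" in the Access-Accept: the controller receives a Class attribute with no value, so whatever deniedServices was meant to carry is never enforced. The following is an added example, not code from the post or from the FreeRADIUS project, that parses the reply-attribute lines of radiusd -X output and flags accepts whose Class is missing or empty, decoding non-empty octets values where they are printable text. The sample debug text is constructed to match the line shape of the output above (a "Sending ..." header followed by tab-indented attribute lines); the request id 109 and the dbostan Class value are invented for the second packet.

```python
import re

# Constructed sample in the shape of radiusd -X output (not a real capture).
# Attribute lines are tab-indented under the "Sending ..." header, as radiusd prints them.
SAMPLE_DEBUG = """\
Sending Access-Accept of id 108 to 10.200.0.5 port 52530
\tMS-MPPE-Recv-Key = 0xfc792d0aa5a1ff4c6e90676c80c47b799958fb603caf17dc11b68eeb182f922f
\tEAP-Message = 0x030b0004
\tUser-Name = "tayfund"
\tClass = 0x
Finished request 785.
Sending Access-Accept of id 109 to 10.200.0.5 port 52530
\tUser-Name = "dbostan"
\tClass = 0x7375636f75727365
Finished request 786.
"""

SEND_RE = re.compile(r'^Sending (Access-Accept|Access-Reject|Access-Challenge) of id (\d+) to (\S+)')
ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(\+=|:=|=)\s*(.*)$')


def decode_value(raw):
    """Convert a printed attribute value: "quoted" -> str, 0x... -> bytes, anything else -> str.
    A bare '0x' (the empty octets value seen in the thread) decodes to b''."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw.startswith('0x'):
        return bytes.fromhex(raw[2:])
    return raw


def parse_replies(text):
    """Group the attribute lines printed under each 'Sending <code> of id N' header.
    Returns a list of dicts: {'code', 'id', 'nas', 'attrs': [(name, value), ...]}."""
    replies = []
    current = None
    for line in text.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = {'code': m.group(1), 'id': int(m.group(2)),
                       'nas': m.group(3), 'attrs': []}
            replies.append(current)
            continue
        if current is None:
            continue
        if not line.startswith((' ', '\t')):
            # Any unindented line ("Finished request ...") ends the packet dump.
            current = None
            continue
        m = ATTR_RE.match(line)
        if m:
            current['attrs'].append((m.group(1), decode_value(m.group(3))))
    return replies


def printable(octets):
    """Render octets as text when they are printable ASCII, else as hex."""
    try:
        text = octets.decode('ascii')
    except UnicodeDecodeError:
        return octets.hex()
    return text if text.isprintable() else octets.hex()


def audit_class(replies):
    """For every Access-Accept, report (id, status, decoded_value) where status is
    'missing' (no Class at all), 'empty' (Class = 0x) or 'ok'.
    An empty or missing Class means the NAS gets no authorization state to enforce."""
    findings = []
    for r in replies:
        if r['code'] != 'Access-Accept':
            continue
        classes = [v for (name, v) in r['attrs'] if name == 'Class']
        if not classes:
            findings.append((r['id'], 'missing', None))
            continue
        for v in classes:
            if isinstance(v, bytes) and len(v) == 0:
                findings.append((r['id'], 'empty', None))
            else:
                findings.append((r['id'], 'ok', printable(v) if isinstance(v, bytes) else v))
    return findings


if __name__ == '__main__':
    for req_id, status, value in audit_class(parse_replies(SAMPLE_DEBUG)):
        print(f"request {req_id}: Class {status}" + (f" ({value})" if value else ""))
```

Run against a saved radiusd -X log, the "empty" findings point straight at the requests where an `update reply { Class += "%{Reply-Message}" }` expanded to nothing, which is what the post's output shows for request 108; the "ok" line decodes the LDAP-sourced octets so the value the controller will see (here "sucourse") can be checked by eye.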