Radius not giving VLAN after reconnect

Alan Buxey alan.buxey at gmail.com
Tue Sep 26 00:01:15 CEST 2017


Don't disable it, as that will have a big impact on performance. Instead configure
the server so the cache is useful and works.

Anonymous IDs? Not a problem as that's all part of the spec... In systems
like eduroam you get to see the real ID of the user in the inner tunnel
(where you make the VLAN decision); you don't get to see the real ID of
visitors, that's privacy.

alan

On 25 Sep 2017 9:40 pm, "Matthew Pulis" <mpulis at gmail.com> wrote:

Dear Alan

Thanks for your suggestion. Indeed cache was on. I disabled it by enable =
no in /etc/freeradius/mods-enabled/eap

Anywhere else I need to disable it?

On another note, are those anonymous connections something which should
worry me please?

Pasting the log of me trying to connect from another client. First time it
connects it goes to VLAN 11 and second as you can see it goes haywire.

Thanks

Waking up in 4.9 seconds.
(96) Received Access-Request Id 240 from 192.168.100.109:39092 to
192.168.100.201:1812 length 317
(96)   User-Name = "anonymous"
(96)   NAS-IP-Address = 10.0.148.255
(96)   NAS-Identifier = "802aa849cbfe"
(96)   NAS-Port = 0
(96)   Called-Station-Id = "80-2A-A8-4A-CB-FE:SeminaryWiFi"
(96)   Calling-Station-Id = "08-11-96-10-3E-14"
(96)   Framed-MTU = 1400
(96)   NAS-Port-Type = Wireless-802.11
(96)   Connect-Info = "CONNECT 0Mbps 802.11b"
(96)   EAP-Message =
0x0280008815800000007e16030300461000004241044cb275f6fcf633ed
05fe8ff5ca6954298c28f0eca0d5f52a17fd3967828032bb591f8de9f740
fbc3503f15d22a1ee987f063ecf29b4ec20ab6df6a37b6eecc0514030300
0101160303002800000000000000004efd211e798f718ea73a96b4ead59e
(96)   State = 0x66755a3e65f54f6d39985201a18178d8
(96)   Message-Authenticator = 0x901592ede88efe274c6142b8f017adb2
(96) session-state: No cached attributes
(96) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(96)   authorize {
(96)     policy filter_username {
(96)       if (&User-Name) {
(96)       if (&User-Name)  -> TRUE
(96)       if (&User-Name)  {
(96)         if (&User-Name =~ /@[^@]*@/ ) {
(96)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(96)         if (&User-Name =~ /\.\./ ) {
(96)         if (&User-Name =~ /\.\./ )  -> FALSE
(96)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(96)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
 -> FALSE
(96)         if (&User-Name =~ /\.$/)  {
(96)         if (&User-Name =~ /\.$/)   -> FALSE
(96)         if (&User-Name =~ /@\./)  {
(96)         if (&User-Name =~ /@\./)   -> FALSE
(96)       } # if (&User-Name)  = notfound
(96)     } # policy filter_username = notfound
(96)     [preprocess] = ok
(96)     [chap] = noop
(96)     [mschap] = noop
(96) ntdomain: Checking for prefix before "\"
(96) ntdomain: No '\' in User-Name = "anonymous", looking up realm NULL
(96) ntdomain: No such realm "NULL"
(96)     [ntdomain] = noop
(96) eap: Peer sent EAP Response (code 2) ID 128 length 136
(96) eap: Continuing tunnel setup
(96)     [eap] = ok
(96)   } # authorize = ok
(96) Found Auth-Type = eap
(96) # Executing group from file /etc/freeradius/sites-enabled/default
(96)   authenticate {
(96) eap: Expiring EAP session with state 0x66755a3e65f54f6d
(96) eap: Finished EAP session with state 0x66755a3e65f54f6d
(96) eap: Previous EAP request found for state 0x66755a3e65f54f6d, released
from the list
(96) eap: Peer sent packet with method EAP TTLS (21)
(96) eap: Calling submodule eap_ttls to process data
(96) eap_ttls: Authenticate
(96) eap_ttls: Continuing EAP-TLS
(96) eap_ttls: Peer indicated complete TLS record size will be 126 bytes
(96) eap_ttls: Got complete TLS record (126 bytes)
(96) eap_ttls: [eaptls verify] = length included
(96) eap_ttls: <<< recv TLS 1.2  [length 0046]
(96) eap_ttls: TLS_accept: unknown state
(96) eap_ttls: TLS_accept: unknown state
(96) eap_ttls: <<< recv TLS 1.2  [length 0001]
(96) eap_ttls: <<< recv TLS 1.2  [length 0010]
(96) eap_ttls: TLS_accept: unknown state
(96) eap_ttls: >>> send TLS 1.2  [length 0001]
(96) eap_ttls: TLS_accept: unknown state
(96) eap_ttls: >>> send TLS 1.2  [length 0010]
(96) eap_ttls: TLS_accept: unknown state
(96) eap_ttls: TLS_accept: unknown state
(96) eap_ttls: (other): SSL negotiation finished successfully
(96) eap_ttls: SSL Connection Established
(96) eap_ttls: [eaptls process] = handled
(96) eap: Sending EAP Request (code 1) ID 129 length 61
(96) eap: EAP session adding &reply:State = 0x66755a3e62f44f6d
(96)     [eap] = handled
(96)   } # authenticate = handled
(96) Using Post-Auth-Type Challenge
(96) Post-Auth-Type sub-section not found.  Ignoring.
(96) # Executing group from file /etc/freeradius/sites-enabled/default
(96) Sent Access-Challenge Id 240 from 192.168.100.201:1812 to
192.168.100.109:39092 length 0
(96)   EAP-Message =
0x0181003d15800000003314030300010116030300280e51a3e7a6798a4b
990b4ebfbbb4c12533451c5335012189ffca366de94f2c3d4e489f3a5be84620
(96)   Message-Authenticator = 0x00000000000000000000000000000000
(96)   State = 0x66755a3e62f44f6d39985201a18178d8
(96) Finished request
Waking up in 4.9 seconds.
(97) Received Access-Request Id 241 from 192.168.100.109:39092 to
192.168.100.201:1812 length 244
(97)   User-Name = "anonymous"
(97)   NAS-IP-Address = 10.0.148.255
(97)   NAS-Identifier = "802aa849cbfe"
(97)   NAS-Port = 0
(97)   Called-Station-Id = "80-2A-A8-4A-CB-FE:SeminaryWiFi"
(97)   Calling-Station-Id = "08-11-96-10-3E-14"
(97)   Framed-MTU = 1400
(97)   NAS-Port-Type = Wireless-802.11
(97)   Connect-Info = "CONNECT 0Mbps 802.11b"
(97)   EAP-Message =
0x0281003f15800000003517030300300000000000000001f4e09b67e72f
f9aa43f89f7257edbfa01cdd7ee13e6cda560d9c10100aa501139e1e87b046a845d7
(97)   State = 0x66755a3e62f44f6d39985201a18178d8
(97)   Message-Authenticator = 0x829057918936a78bb34ff9798347607c
(97) session-state: No cached attributes
(97) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(97)   authorize {
(97)     policy filter_username {
(97)       if (&User-Name) {
(97)       if (&User-Name)  -> TRUE
(97)       if (&User-Name)  {
(97)         if (&User-Name =~ /@[^@]*@/ ) {
(97)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(97)         if (&User-Name =~ /\.\./ ) {
(97)         if (&User-Name =~ /\.\./ )  -> FALSE
(97)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(97)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
 -> FALSE
(97)         if (&User-Name =~ /\.$/)  {
(97)         if (&User-Name =~ /\.$/)   -> FALSE
(97)         if (&User-Name =~ /@\./)  {
(97)         if (&User-Name =~ /@\./)   -> FALSE
(97)       } # if (&User-Name)  = notfound
(97)     } # policy filter_username = notfound
(97)     [preprocess] = ok
(97)     [chap] = noop
(97)     [mschap] = noop
(97) ntdomain: Checking for prefix before "\"
(97) ntdomain: No '\' in User-Name = "anonymous", looking up realm NULL
(97) ntdomain: No such realm "NULL"
(97)     [ntdomain] = noop
(97) eap: Peer sent EAP Response (code 2) ID 129 length 63
(97) eap: Continuing tunnel setup
(97)     [eap] = ok
(97)   } # authorize = ok
(97) Found Auth-Type = eap
(97) # Executing group from file /etc/freeradius/sites-enabled/default
(97)   authenticate {
(97) eap: Expiring EAP session with state 0x66755a3e62f44f6d
(97) eap: Finished EAP session with state 0x66755a3e62f44f6d
(97) eap: Previous EAP request found for state 0x66755a3e62f44f6d, released
from the list
(97) eap: Peer sent packet with method EAP TTLS (21)
(97) eap: Calling submodule eap_ttls to process data
(97) eap_ttls: Authenticate
(97) eap_ttls: Continuing EAP-TLS
(97) eap_ttls: Peer indicated complete TLS record size will be 53 bytes
(97) eap_ttls: Got complete TLS record (53 bytes)
(97) eap_ttls: [eaptls verify] = length included
(97) eap_ttls: [eaptls process] = ok
(97) eap_ttls: Session established.  Proceeding to decode tunneled
attributes
(97) eap_ttls: Got tunneled request
(97) eap_ttls:   User-Name = "abc"
(97) eap_ttls:   User-Password = "abcd"
(97) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(97) eap_ttls: Sending tunneled request
(97) Virtual server inner-tunnel received request
(97)   User-Name = "abc"
(97)   User-Password = "abcd"
(97)   FreeRADIUS-Proxied-To = 127.0.0.1
(97) server inner-tunnel {
(97)   # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
(97)     authorize {
(97)       policy filter_username {
(97)         if (&User-Name) {
(97)         if (&User-Name)  -> TRUE
(97)         if (&User-Name)  {
(97)           if (&User-Name =~ /@[^@]*@/ ) {
(97)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(97)           if (&User-Name =~ /\.\./ ) {
(97)           if (&User-Name =~ /\.\./ )  -> FALSE
(97)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(97)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
 -> FALSE
(97)           if (&User-Name =~ /\.$/)  {
(97)           if (&User-Name =~ /\.$/)   -> FALSE
(97)           if (&User-Name =~ /@\./)  {
(97)           if (&User-Name =~ /@\./)   -> FALSE
(97)         } # if (&User-Name)  = notfound
(97)       } # policy filter_username = notfound
(97)       [chap] = noop
(97)       [mschap] = noop
(97) ntdomain: Checking for prefix before "\"
(97) ntdomain: No '\' in User-Name = "abc", looking up realm NULL
(97) ntdomain: No such realm "NULL"
(97)       [ntdomain] = noop
(97)       update control {
(97)         &Proxy-To-Realm := LOCAL
(97)       } # update control = noop
(97) eap: No EAP-Message, not doing EAP
(97)       [eap] = noop
(97)       [files] = noop
rlm_ldap (ldap): Closing connection (17): Hit idle_timeout, was idle for
240 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (18): Hit idle_timeout, was idle for
240 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (19), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://localhost:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (19)
(97) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(97) ldap:    --> (cn=abc)
(97) ldap: Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with
filter "(cn=abc)", scope "sub"
(97) ldap: Waiting for search result...
(97) ldap: User object found at DN
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
(97) ldap: Processing user attributes
(97) ldap: control:Password-With-Header +=
'{ssha}dYlL9kdAZTjsDzkBHYg5bEJ6J+w6tm5V4pSR+A=='
(97) ldap: control:Password-With-Header += 'abcd'
rlm_ldap (ldap): Released connection (19)
Need 2 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (20), 1 of 31 pending slots
used
rlm_ldap (ldap): Connecting to ldap://localhost:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(97)       [ldap] = updated
rlm_ldap (adldap): Closing connection (16): Hit idle_timeout, was idle for
240 seconds
rlm_ldap (adldap): You probably need to lower "min"
rlm_ldap (adldap): Closing connection (17): Hit idle_timeout, was idle for
240 seconds
rlm_ldap (adldap): You probably need to lower "min"
rlm_ldap (adldap): 0 of 0 connections in use.  You  may need to increase
"spare"
rlm_ldap (adldap): Opening additional connection (18), 1 of 32 pending
slots used
rlm_ldap (adldap): Connecting to ldap://localhost:389
rlm_ldap (adldap): Waiting for bind result...
rlm_ldap (adldap): Bind successful
rlm_ldap (adldap): Reserved connection (18)
(97) adldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(97) adldap:    --> (cn=abc)
(97) adldap: Performing search in "ou=School,dc=seminary,dc=ad" with filter
"(cn=abc)", scope "sub"
(97) adldap: Waiting for search result...
(97) adldap: The specified DN wasn't found
(97) adldap: Search returned no results
rlm_ldap (adldap): Released connection (18)
Need 2 more connections to reach min connections (3)
rlm_ldap (adldap): Opening additional connection (19), 1 of 31 pending
slots used
rlm_ldap (adldap): Connecting to ldap://localhost:389
rlm_ldap (adldap): Waiting for bind result...
rlm_ldap (adldap): Bind successful
(97)       [adldap] = notfound
(97)       [expiration] = noop
(97)       [logintime] = noop
(97) pap: Converted: &control:Password-With-Header ->
&control:SSHA1-Password
(97) pap: Removing &control:Password-With-Header
(97) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
(97) pap: Removing &control:Password-With-Header
(97) pap: Normalizing SSHA1-Password from base64 encoding, 40 bytes -> 28
bytes
(97)       [pap] = updated
(97)     } # authorize = updated
(97)   Found Auth-Type = PAP
(97)   # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
(97)     Auth-Type PAP {
(97) pap: Login attempt with password
(97) pap: Comparing with "known-good" SSHA-Password
(97) pap: User authenticated successfully
(97)       [pap] = ok
(97)     } # Auth-Type PAP = ok
(97)   # Executing section post-auth from file
/etc/freeradius/sites-enabled/inner-tunnel
(97)     post-auth {
(97) ldap: EXPAND .
(97) ldap:    --> .
(97) ldap: EXPAND Authenticated at %S
(97) ldap:    --> Authenticated at 2017-09-25 22:21:49
rlm_ldap (ldap): Reserved connection (19)
(97) ldap: Using user DN from request
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
(97) ldap: Modifying object with DN
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
(97) ldap: Waiting for modify result...
rlm_ldap (ldap): Released connection (19)
(97)       [ldap] = ok
(97)     } # post-auth = ok
(97) } # server inner-tunnel
(97) Virtual server sending reply
(97) eap_ttls: Got tunneled Access-Accept
(97) eap: Sending EAP Success (code 3) ID 129 length 4
(97) eap: Freeing handler
(97)     [eap] = ok
(97)   } # authenticate = ok
(97) # Executing section post-auth from file
/etc/freeradius/sites-enabled/default
(97)   post-auth {
(97)     update {
(97)       No attributes updated
(97)     } # update = noop
(97)     if (Ldap-Group == "cn=Teachers,ou=School,dc=seminary,dc=ad") {
(97)     Searching for user in group
"cn=Teachers,ou=School,dc=seminary,dc=ad"
rlm_ldap (ldap): Reserved connection (20)
(97)     EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(97)        --> (cn=anonymous)
(97)     Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with
filter "(cn=anonymous)", scope "sub"
(97)     Waiting for search result...
(97)     Search returned no results
rlm_ldap (ldap): Released connection (20)
(97)     if (Ldap-Group == "cn=Teachers,ou=School,dc=seminary,dc=ad")  ->
FALSE
(97)     if (Ldap-Group ==
"cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local") {
(97)     Searching for user in group
"cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local"
rlm_ldap (ldap): Reserved connection (19)
(97)     EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(97)        --> (cn=anonymous)
(97)     Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with
filter "(cn=anonymous)", scope "sub"
(97)     Waiting for search result...
(97)     Search returned no results
rlm_ldap (ldap): Released connection (19)
(97)     if (Ldap-Group ==
"cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local")  -> FALSE
(97)     if (Ldap-Group ==
"cn=Formators,ou=SeminaryOU,dc=seminary,dc=local") {
(97)     Searching for user in group
"cn=Formators,ou=SeminaryOU,dc=seminary,dc=local"
rlm_ldap (ldap): Reserved connection (20)
(97)     EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(97)        --> (cn=anonymous)
(97)     Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with
filter "(cn=anonymous)", scope "sub"
(97)     Waiting for search result...
(97)     Search returned no results
rlm_ldap (ldap): Released connection (20)
(97)     if (Ldap-Group ==
"cn=Formators,ou=SeminaryOU,dc=seminary,dc=local")  -> FALSE
(97)     if (Ldap-Group ==
"cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local") {
(97)     Searching for user in group
"cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
rlm_ldap (ldap): Reserved connection (19)
(97)     EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(97)        --> (cn=anonymous)
(97)     Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with
filter "(cn=anonymous)", scope "sub"
(97)     Waiting for search result...
(97)     Search returned no results
rlm_ldap (ldap): Released connection (19)
(97)     if (Ldap-Group ==
"cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local")  -> FALSE
(97)     if (Ldap-Group == "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local") {
(97)     Searching for user in group
"cn=Staff,ou=SeminaryOU,dc=seminary,dc=local"
rlm_ldap (ldap): Reserved connection (20)
(97)     EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(97)        --> (cn=anonymous)
(97)     Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with
filter "(cn=anonymous)", scope "sub"
(97)     Waiting for search result...
(97)     Search returned no results
rlm_ldap (ldap): Released connection (20)
(97)     if (Ldap-Group == "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local")
-> FALSE
(97)     if (Ldap-Group == "cn=School,ou=SeminaryOU,dc=seminary,dc=local") {
(97)     Searching for user in group
"cn=School,ou=SeminaryOU,dc=seminary,dc=local"
rlm_ldap (ldap): Reserved connection (19)
(97)     EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(97)        --> (cn=anonymous)
(97)     Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with
filter "(cn=anonymous)", scope "sub"
(97)     Waiting for search result...
(97)     Search returned no results
rlm_ldap (ldap): Released connection (19)
(97)     if (Ldap-Group == "cn=School,ou=SeminaryOU,dc=seminary,dc=local")
-> FALSE
(97) ldap: EXPAND .
(97) ldap:    --> .
(97) ldap: EXPAND Authenticated at %S
(97) ldap:    --> Authenticated at 2017-09-25 22:21:49
rlm_ldap (ldap): Reserved connection (20)
(97) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(97) ldap:    --> (cn=anonymous)
(97) ldap: Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with
filter "(cn=anonymous)", scope "sub"
(97) ldap: Waiting for search result...
(97) ldap: Search returned no results
rlm_ldap (ldap): Released connection (20)
(97)     [ldap] = notfound
(97)     [exec] = noop
(97)     policy remove_reply_message_if_eap {
(97)       if (&reply:EAP-Message && &reply:Reply-Message) {
(97)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(97)       else {
(97)         [noop] = noop
(97)       } # else = noop
(97)     } # policy remove_reply_message_if_eap = noop
(97)   } # post-auth = noop
(97) Sent Access-Accept Id 241 from 192.168.100.201:1812 to
192.168.100.109:39092 length 0
(97)   MS-MPPE-Recv-Key =
0x95225afb6e71050f5c7671c0bf4f4dba41a04c22193da51689b298ddd7d8512b
(97)   MS-MPPE-Send-Key =
0x77ab817b4619d5edf30293d205ed2d9f78ad3316cfb18cd600f338b6dcd99d94
(97)   EAP-Message = 0x03810004
(97)   Message-Authenticator = 0x00000000000000000000000000000000
(97)   User-Name = "anonymous"
(97) Finished request
Waking up in 4.8 seconds.
(93) Cleaning up request packet ID 237 with timestamp +610
(94) Cleaning up request packet ID 238 with timestamp +610
(95) Cleaning up request packet ID 239 with timestamp +610
(96) Cleaning up request packet ID 240 with timestamp +610
(97) Cleaning up request packet ID 241 with timestamp +610
Waking up in 5.8 seconds.
(98) Received Accounting-Request Id 242 from 192.168.100.109:38125 to
192.168.100.201:1813 length 174
(98)   Acct-Session-Id = "00000012-000000ED"
(98)   Acct-Status-Type = Start
(98)   Acct-Authentic = RADIUS
(98)   User-Name = "anonymous"
(98)   NAS-IP-Address = 10.0.148.255
(98)   Framed-IP-Address = 192.168.100.36
(98)   NAS-Identifier = "802aa849cbfe"
(98)   NAS-Port = 0
(98)   Called-Station-Id = "80-2A-A8-4A-CB-FE:SeminaryWiFi"
(98)   Calling-Station-Id = "08-11-96-10-3E-14"
(98)   NAS-Port-Type = Wireless-802.11
(98)   Connect-Info = "CONNECT 0Mbps 802.11b"
(98) # Executing section preacct from file
/etc/freeradius/sites-enabled/default
(98)   preacct {
(98)     [preprocess] = ok
(98)     policy acct_unique {
(98)       update request {
(98)         &Tmp-String-9 := "ai:"
(98)       } # update request = noop
(98)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(98)       EXPAND %{hex:&Class}
(98)          -->
(98)       EXPAND ^%{hex:&Tmp-String-9}
(98)          --> ^61693a
(98)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i))  -> FALSE
(98)       else {
(98)         update request {
(98)           EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-
Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(98)              --> f6e43b70ba6c919feabc2c5ea73ddbe2
(98)           &Acct-Unique-Session-Id := f6e43b70ba6c919feabc2c5ea73ddbe2
(98)         } # update request = noop
(98)       } # else = noop
(98)     } # policy acct_unique = noop
(98) suffix: Checking for suffix after "@"
(98) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(98) suffix: No such realm "NULL"
(98)     [suffix] = noop
(98)     [files] = noop
(98)   } # preacct = ok
(98) # Executing section accounting from file
/etc/freeradius/sites-enabled/default
(98)   accounting {
(98) detail: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{
Packet-Src-IPv6-Address}}/detail-%Y%m%d
(98) detail:    --> /var/log/freeradius/radacct/
192.168.100.109/detail-20170925
(98) detail:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{
Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.100.109/detail-20170925
(98) detail: EXPAND %t
(98) detail:    --> Mon Sep 25 22:21:59 2017
(98)     [detail] = ok
(98)     [unix] = ok
(98)     [exec] = noop
(98) attr_filter.accounting_response: EXPAND %{User-Name}
(98) attr_filter.accounting_response:    --> anonymous
(98) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(98)     [attr_filter.accounting_response] = updated
(98)   } # accounting = updated
(98) Sent Accounting-Response Id 242 from 192.168.100.201:1813 to
192.168.100.109:38125 length 0
(98) Finished request
(98) Cleaning up request packet ID 242 with timestamp +620
Waking up in 0.8 seconds.



--

Hi

Sounds like you've got the EAP caching enabled but are not populating the
VLAN number you are returning in the cache object, thus the next re-auth
uses the cache but has no VLAN value to reply with, so you get the default VLAN.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
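
An added example, not part of the original thread or of FreeRADIUS: a small checker for debug output in the format quoted above. It reports Access-Accepts sent without a VLAN and LDAP filters built from the outer identity instead of the tunnelled User-Name. It assumes the VLAN is returned in the standard Tunnel-Private-Group-Id attribute; the sample lines are constructed, and request 12 is invented.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the debug output quoted in this thread.
# Request 12 is invented to show an accept that does carry a VLAN.
SAMPLE_LOG = """\
(12) eap_ttls:   User-Name = "abc"
(12) ldap:    --> (cn=abc)
(12) Sent Access-Accept Id 10 from 192.168.100.201:1812 to 192.168.100.109:39092 length 0
(12)   Tunnel-Private-Group-Id = "11"
(12)   User-Name = "anonymous"
(12) Finished request
(97) eap_ttls:   User-Name = "abc"
(97)     EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(97)        --> (cn=anonymous)
(97) Sent Access-Accept Id 241 from 192.168.100.201:1812 to 192.168.100.109:39092 length 0
(97)   EAP-Message = 0x03810004
(97)   User-Name = "anonymous"
(97) Finished request
"""

LINE = re.compile(r"^\((\d+)\) (.*)$")
SENT = re.compile(r"^Sent (\S+) Id \d+")
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+)(?::\d+)?\s*=\s*(.*)$")
INNER_USER = re.compile(r'^eap_ttls:\s+User-Name = "([^"]*)"')
LDAP_FILTER = re.compile(r"-->\s+\(cn=([^)]*)\)")
VLAN_ATTR = "Tunnel-Private-Group-Id"  # assumption: the VLAN is sent in this attribute

def parse(log_text):
    """Group debug lines by request number and pull out the fields we check."""
    reqs = defaultdict(lambda: {"inner": None, "filters": [], "reply": None, "attrs": {}})
    reading_reply = None  # request whose reply attribute list we are inside
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # mail-wrapped continuation or connection-pool line
        rid, rest = int(m.group(1)), m.group(2)
        req = reqs[rid]
        sent = SENT.match(rest)
        if sent:
            req["reply"], reading_reply = sent.group(1), rid
            continue
        attr = ATTR.match(rest)
        if reading_reply == rid and attr:
            req["attrs"][attr.group(1)] = attr.group(2).strip('"')
            continue
        reading_reply = None  # any other line ends the reply attribute list
        inner = INNER_USER.match(rest)
        if inner:
            req["inner"] = inner.group(1)
        found = LDAP_FILTER.search(rest)
        if found:
            req["filters"].append(found.group(1))
    return reqs

def findings(log_text):
    """Return (request, code, detail) tuples for each Access-Accept worth a look."""
    out = []
    for rid, req in sorted(parse(log_text).items()):
        if req["reply"] != "Access-Accept":
            continue
        if VLAN_ATTR not in req["attrs"]:
            out.append((rid, "accept-without-vlan", sorted(req["attrs"])))
        outer = req["attrs"].get("User-Name")
        wrong = [f for f in req["filters"] if f == outer and f != req["inner"]]
        if req["inner"] and wrong:
            detail = f"{len(wrong)}x cn={outer}, tunnel user {req['inner']}"
            out.append((rid, "lookup-used-outer-identity", detail))
    return out
```

Calling `findings()` on a saved debug capture lists the request numbers to read first; lines without a `(N)` prefix, such as the rlm_ldap pool messages, are skipped.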

