Radius not giving VLAN after reconnect
Alan Buxey
alan.buxey at gmail.com
Tue Sep 26 17:01:09 CEST 2017
your issue is assigning VLAs in the outer-tunnel in post-auth - never
do that without extra logic as the outerDI is just something that can
be made up.
just assign the VLAN in the inner-tunnel and copy the details
through...or set an internal attribute in the inner and use that for
assignment in the outer.
alan
On 26 September 2017 at 15:56, Matthew Pulis <mpulis at gmail.com> wrote:
> Dear Alan
>
> Thanks for your prompt reply. Much appreciated.
>
> What I am trying to do is dynamically assigning users to the VLAN based on
> their LDAP OU. So if a user, such as test user abc is in the OU:
> cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local, he gets VLAN 11
> dynamically. As explained this works the first time, but the second time
> the authentication is accepted but the Tunnel-Private-Group is not given,
> thus no VLAN is assigned.
>
> Quoting from you:
>
> If so "search returned no results" explains why it's not working.
>
> I think here lies the issue, however I am not sure how to go about fixing it.
>
>
> This is my /etc/freeradius/mods-enabled/eap file:
>
> radius at radius:/etc/freeradius/mods-enabled$ cat eap | sed 's/^[ \t]*//;s/[
> \t]*$//' | sed -e '/^#/d' | sed '/^\s*$/d'
> eap {
> default_eap_type = ttls
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = ${max_requests}
> md5 {
> }
> leap {
> }
> gtc {
> auth_type = PAP
> }
> tls-config tls-common {
> private_key_password = whatever
> private_key_file = ${certdir}/server.pem
> certificate_file = ${certdir}/server.pem
> ca_file = ${cadir}/ca.pem
> dh_file = ${certdir}/dh
> random_file = /dev/urandom
> ca_path = ${cadir}
> cipher_list = "DEFAULT"
> ecdh_curve = "prime256v1"
> cache {
> enable = yes
> lifetime = 24 # hours
> max_entries = 255
> }
> verify {
> }
> ocsp {
> enable = no
> override_cert_url = yes
> url = "http://127.0.0.1/ocsp/"
> }
> }
> tls {
> tls = tls-common
> }
> ttls {
> tls = tls-common
> default_eap_type = md5
> copy_request_to_tunnel = yes
> use_tunneled_reply = yes
> virtual_server = "inner-tunnel"
> }
> peap {
> tls = tls-common
> default_eap_type = mschapv2
> copy_request_to_tunnel = yes
> use_tunneled_reply = yes
> virtual_server = "inner-tunnel"
> }
> mschapv2 {
> }
> }
>
> My sites-enabled/default file:
>
> radius at radius:/etc/freeradius/sites-enabled$ cat default | sed 's/^[
> \t]*//;s/[ \t]*$//' | sed -e '/^#/d' | sed '/^\s*$/d'
> server default {
> listen {
> type = auth
> ipaddr = *
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> ipaddr = *
> port = 0
> type = acct
> limit {
> }
> }
> listen {
> type = auth
> ipv6addr = :: # any. ::1 == localhost
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> ipv6addr = ::
> port = 0
> type = acct
> limit {
> }
> }
> authorize {
> filter_username
> preprocess
> chap
> mschap
> ntdomain
> eap {
> ok = return
> }
> files
> -ldap
> -adldap #ACTIVEDIRECTORY-backldap
> expiration
> logintime
> pap
> }
> authenticate {
> Auth-Type PAP {
> pap
> ldap #skond ic ciniz
> adldap #ACTIVEDIRECTORY
> }
> Auth-Type CHAP {
> chap
> }
> Auth-Type MS-CHAP {
> mschap
> }
> Auth-Type LDAP {
> ldap
> }
> eap
> }
> preacct {
> preprocess
> acct_unique
> suffix
> files
> }
> accounting {
> detail
> unix
> exec
> attr_filter.accounting_response
> }
> session {
> }
> post-auth {
> update {
> &reply: += &session-state:
> }
> if (Ldap-Group == "cn=Teachers,ou=School,dc=seminary,dc=ad") {
> update reply {
> Tunnel-Type = 13,
> Tunnel-Medium-Type = 6,
> Tunnel-Private-Group-ID = "50"
> }
> }
> if (Ldap-Group == "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local") {
> update reply {
> Tunnel-Type = 13,
> Tunnel-Medium-Type = 6,
> Tunnel-Private-Group-ID = "12"
> }
> }
> if (Ldap-Group == "cn=Formators,ou=SeminaryOU,dc=seminary,dc=local") {
> update reply {
> Tunnel-Type = 13,
> Tunnel-Medium-Type = 6,
> Tunnel-Private-Group-ID = "10"
> }
> }
> if (Ldap-Group == "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local") {
> update reply {
> Tunnel-Type = 13,
> Tunnel-Medium-Type = 6,
> Tunnel-Private-Group-ID = "11"
> }
> }
> if (Ldap-Group == "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local") {
> update reply {
> Tunnel-Type = 13,
> Tunnel-Medium-Type = 6,
> Tunnel-Private-Group-ID = "13"
> }
> }
> if (Ldap-Group == "cn=School,ou=SeminaryOU,dc=seminary,dc=local") {
> update reply {
> Tunnel-Type = 13,
> Tunnel-Medium-Type = 6,
> Tunnel-Private-Group-ID := "50"
> }
> }
> ldap
> exec
> remove_reply_message_if_eap
> Post-Auth-Type REJECT {
> -sql
> attr_filter.access_reject
> eap
> remove_reply_message_if_eap
> }
> }
> pre-proxy {
> }
> post-proxy {
> eap
> }
> }
>
> my inner-tunnel (not sure this is needed but pasting just in case.
>
> radius at radius:/etc/freeradius/sites-enabled$ cat inner-tunnel | sed 's/^[
> \t]*//;s/[ \t]*$//' | sed -e '/^#/d' | sed '/^\s*$/d'
> server inner-tunnel {
> listen {
> ipaddr = 127.0.0.1
> port = 18120
> type = auth
> }
> authorize {
> filter_username
> chap
> mschap
> ntdomain
> update control {
> &Proxy-To-Realm := LOCAL
> }
> eap {
> ok = return
> }
> files
> ldap
> adldap #ACTIVE DIRECTORY
> expiration
> logintime
> pap
> }
> authenticate {
> Auth-Type PAP {
> pap
> }
> Auth-Type CHAP {
> chap
> }
> Auth-Type MS-CHAP {
> mschap
> }
> Auth-Type LDAP {
> ldap
> }
> eap
> }
> session {
> radutmp
> }
> post-auth {
> -sql
> -ldap
> Post-Auth-Type REJECT {
> -sql
> attr_filter.access_reject
> update outer.session-state {
> &Module-Failure-Message := &request:Module-Failure-Message
> }
> }
> }
> pre-proxy {
> }
> post-proxy {
> eap
> }
> } # inner-tunnel server block
>
>
> This is the server log of when the client gets assigned correctly to VLAN
> 11.
>
> Waking up in 4.2 seconds.
> (36) Received Access-Request Id 134 from 192.168.100.112:43578 to
> 192.168.100.201:1812 length 238
> (36) User-Name = "abc"
> (36) NAS-IP-Address = 10.0.152.66
> (36) NAS-Identifier = "802aa84654f2"
> (36) NAS-Port = 0
> (36) Called-Station-Id = "80-2A-A8-47-54-F2:SeminaryWiFi"
> (36) Calling-Station-Id = "08-11-96-10-3E-14"
> (36) Framed-MTU = 1400
> (36) NAS-Port-Type = Wireless-802.11
> (36) Connect-Info = "CONNECT 0Mbps 802.11b"
> (36) EAP-Message =
> 0x02f3003f1580000000351703030030000000000000000188d6f04ed73463104a8a627456c7e888d8b95d71a34a21aab4724d66d06b041bdd7edbcdd4621d4b
> (36) State = 0xa61de71ea2eef24e8e3c6f3ed559ee72
> (36) Message-Authenticator = 0x1b19bc1f2f655c8f332822c15cd5f3a7
> (36) session-state: No cached attributes
> (36) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (36) authorize {
> (36) policy filter_username {
> (36) if (&User-Name) {
> (36) if (&User-Name) -> TRUE
> (36) if (&User-Name) {
> (36) if (&User-Name =~ /@[^@]*@/ ) {
> (36) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (36) if (&User-Name =~ /\.\./ ) {
> (36) if (&User-Name =~ /\.\./ ) -> FALSE
> (36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (36) if (&User-Name =~ /\.$/) {
> (36) if (&User-Name =~ /\.$/) -> FALSE
> (36) if (&User-Name =~ /@\./) {
> (36) if (&User-Name =~ /@\./) -> FALSE
> (36) } # if (&User-Name) = notfound
> (36) } # policy filter_username = notfound
> (36) [preprocess] = ok
> (36) [chap] = noop
> (36) [mschap] = noop
> (36) ntdomain: Checking for prefix before "\"
> (36) ntdomain: No '\' in User-Name = "abc", looking up realm NULL
> (36) ntdomain: No such realm "NULL"
> (36) [ntdomain] = noop
> (36) eap: Peer sent EAP Response (code 2) ID 243 length 63
> (36) eap: Continuing tunnel setup
> (36) [eap] = ok
> (36) } # authorize = ok
> (36) Found Auth-Type = eap
> (36) # Executing group from file /etc/freeradius/sites-enabled/default
> (36) authenticate {
> (36) eap: Expiring EAP session with state 0xa61de71ea2eef24e
> (36) eap: Finished EAP session with state 0xa61de71ea2eef24e
> (36) eap: Previous EAP request found for state 0xa61de71ea2eef24e, released
> from the list
> (36) eap: Peer sent packet with method EAP TTLS (21)
> (36) eap: Calling submodule eap_ttls to process data
> (36) eap_ttls: Authenticate
> (36) eap_ttls: Continuing EAP-TLS
> (36) eap_ttls: Peer indicated complete TLS record size will be 53 bytes
> (36) eap_ttls: Got complete TLS record (53 bytes)
> (36) eap_ttls: [eaptls verify] = length included
> (36) eap_ttls: [eaptls process] = ok
> (36) eap_ttls: Session established. Proceeding to decode tunneled
> attributes
> (36) eap_ttls: Got tunneled request
> (36) eap_ttls: User-Name = "abc"
> (36) eap_ttls: User-Password = "abcd"
> (36) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
> (36) eap_ttls: Sending tunneled request
> (36) Virtual server inner-tunnel received request
> (36) User-Name = "abc"
> (36) User-Password = "abcd"
> (36) FreeRADIUS-Proxied-To = 127.0.0.1
> (36) WARNING: Outer and inner identities are the same. User privacy is
> compromised.
> (36) server inner-tunnel {
> (36) # Executing section authorize from file
> /etc/freeradius/sites-enabled/inner-tunnel
> (36) authorize {
> (36) policy filter_username {
> (36) if (&User-Name) {
> (36) if (&User-Name) -> TRUE
> (36) if (&User-Name) {
> (36) if (&User-Name =~ /@[^@]*@/ ) {
> (36) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (36) if (&User-Name =~ /\.\./ ) {
> (36) if (&User-Name =~ /\.\./ ) -> FALSE
> (36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (36) if (&User-Name =~ /\.$/) {
> (36) if (&User-Name =~ /\.$/) -> FALSE
> (36) if (&User-Name =~ /@\./) {
> (36) if (&User-Name =~ /@\./) -> FALSE
> (36) } # if (&User-Name) = notfound
> (36) } # policy filter_username = notfound
> (36) [chap] = noop
> (36) [mschap] = noop
> (36) ntdomain: Checking for prefix before "\"
> (36) ntdomain: No '\' in User-Name = "abc", looking up realm NULL
> (36) ntdomain: No such realm "NULL"
> (36) [ntdomain] = noop
> (36) update control {
> (36) &Proxy-To-Realm := LOCAL
> (36) } # update control = noop
> (36) eap: No EAP-Message, not doing EAP
> (36) [eap] = noop
> (36) [files] = noop
> rlm_ldap (ldap): Reserved connection (1)
> (36) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
> (36) ldap: --> (cn=abc)
> (36) ldap: Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with
> filter "(cn=abc)", scope "sub"
> (36) ldap: Waiting for search result...
> (36) ldap: User object found at DN
> "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
> (36) ldap: Processing user attributes
> (36) ldap: control:Password-With-Header +=
> '{ssha}dYlL9kdAZTjsDzkBHYg5bEJ6J+w6tm5V4pSR+A=='
> (36) ldap: control:Password-With-Header += 'abcd'
> rlm_ldap (ldap): Released connection (1)
> Need 2 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (8), 1 of 24 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://localhost:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (36) [ldap] = updated
> rlm_ldap (adldap): Reserved connection (0)
> (36) adldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
> (36) adldap: --> (cn=abc)
> (36) adldap: Performing search in "ou=School,dc=seminary,dc=ad" with filter
> "(cn=abc)", scope "sub"
> (36) adldap: Waiting for search result...
> (36) adldap: The specified DN wasn't found
> (36) adldap: Search returned no results
> rlm_ldap (adldap): Released connection (0)
> Need 2 more connections to reach 10 spares
> rlm_ldap (adldap): Opening additional connection (8), 1 of 24 pending slots
> used
> rlm_ldap (adldap): Connecting to ldap://localhost:389
> rlm_ldap (adldap): Waiting for bind result...
> rlm_ldap (adldap): Bind successful
> (36) [adldap] = notfound
> (36) [expiration] = noop
> (36) [logintime] = noop
> (36) pap: Converted: &control:Password-With-Header ->
> &control:SSHA1-Password
> (36) pap: Removing &control:Password-With-Header
> (36) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
> (36) pap: Removing &control:Password-With-Header
> (36) pap: Normalizing SSHA1-Password from base64 encoding, 40 bytes -> 28
> bytes
> (36) [pap] = updated
> (36) } # authorize = updated
> (36) Found Auth-Type = PAP
> (36) # Executing group from file
> /etc/freeradius/sites-enabled/inner-tunnel
> (36) Auth-Type PAP {
> (36) pap: Login attempt with password
> (36) pap: Comparing with "known-good" SSHA-Password
> (36) pap: User authenticated successfully
> (36) [pap] = ok
> (36) } # Auth-Type PAP = ok
> (36) # Executing section post-auth from file
> /etc/freeradius/sites-enabled/inner-tunnel
> (36) post-auth {
> (36) ldap: EXPAND .
> (36) ldap: --> .
> (36) ldap: EXPAND Authenticated at %S
> (36) ldap: --> Authenticated at 2017-09-25 17:31:28
> rlm_ldap (ldap): Reserved connection (2)
> (36) ldap: Using user DN from request
> "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
> (36) ldap: Modifying object with DN
> "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
> (36) ldap: Waiting for modify result...
> rlm_ldap (ldap): Released connection (2)
> (36) [ldap] = ok
> (36) } # post-auth = ok
> (36) } # server inner-tunnel
> (36) Virtual server sending reply
> (36) eap_ttls: Got tunneled Access-Accept
> (36) eap_ttls: No information to cache: session caching will be disabled
> for session 2e7aac7106dabc6b230c2e692645fa699f7f7c6d5757c770ea48340202308f5b
> (36) eap: Sending EAP Success (code 3) ID 243 length 4
> (36) eap: Freeing handler
> (36) [eap] = ok
> (36) } # authenticate = ok
> (36) # Executing section post-auth from file
> /etc/freeradius/sites-enabled/default
> (36) post-auth {
> (36) update {
> (36) No attributes updated
> (36) } # update = noop
> (36) if (Ldap-Group == "cn=Teachers,ou=School,dc=seminary,dc=ad") {
> (36) Searching for user in group
> "cn=Teachers,ou=School,dc=seminary,dc=ad"
> rlm_ldap (ldap): Reserved connection (3)
> (36) EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
> (36) --> (cn=abc)
> (36) Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with
> filter "(cn=abc)", scope "sub"
> (36) Waiting for search result...
> (36) User object found at DN
> "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
> (36) Checking user object's memberOf attributes
> (36) Performing unfiltered search in
> "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local", scope "base"
> (36) Waiting for search result...
> (36) Processing memberOf value
> "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" as a DN
> rlm_ldap (ldap): Released connection (3)
> (36) User is not a member of "cn=Teachers,ou=School,dc=seminary,dc=ad"
> (36) if (Ldap-Group == "cn=Teachers,ou=School,dc=seminary,dc=ad") ->
> FALSE
> (36) if (Ldap-Group ==
> "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local") {
> (36) Searching for user in group
> "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local"
> rlm_ldap (ldap): Reserved connection (4)
> (36) Using user DN from request
> "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
> (36) Checking user object's memberOf attributes
> (36) Performing unfiltered search in
> "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local", scope "base"
> (36) Waiting for search result...
> (36) Processing memberOf value
> "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" as a DN
> rlm_ldap (ldap): Released connection (4)
> (36) User is not a member of
> "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local"
> (36) if (Ldap-Group ==
> "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local") -> FALSE
> (36) if (Ldap-Group ==
> "cn=Formators,ou=SeminaryOU,dc=seminary,dc=local") {
> (36) Searching for user in group
> "cn=Formators,ou=SeminaryOU,dc=seminary,dc=local"
> rlm_ldap (ldap): Reserved connection (0)
> (36) Using user DN from request
> "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
> (36) Checking user object's memberOf attributes
> (36) Performing unfiltered search in
> "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local", scope "base"
> (36) Waiting for search result...
> (36) Processing memberOf value
> "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" as a DN
> rlm_ldap (ldap): Released connection (0)
> (36) User is not a member of
> "cn=Formators,ou=SeminaryOU,dc=seminary,dc=local"
> (36) if (Ldap-Group ==
> "cn=Formators,ou=SeminaryOU,dc=seminary,dc=local") -> FALSE
> (36) if (Ldap-Group ==
> "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local") {
> (36) Searching for user in group
> "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
> rlm_ldap (ldap): Reserved connection (6)
> (36) Using user DN from request
> "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
> (36) Checking user object's memberOf attributes
> (36) Performing unfiltered search in
> "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local", scope "base"
> (36) Waiting for search result...
> (36) Processing memberOf value
> "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" as a DN
> (36) User found in group DN
> "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local". Comparison between
> membership: dn, check: dn
> rlm_ldap (ldap): Released connection (6)
> (36) if (Ldap-Group ==
> "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local") -> TRUE
> (36) if (Ldap-Group ==
> "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local") {
> (36) update reply {
> (36) Tunnel-Type = VLAN
> (36) Tunnel-Medium-Type = IEEE-802
> (36) Tunnel-Private-Group-ID = "11"
> (36) } # update reply = noop
> (36) } # if (Ldap-Group ==
> "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local") = noop
> (36) if (Ldap-Group == "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local") {
> (36) Searching for user in group
> "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local"
> rlm_ldap (ldap): Reserved connection (5)
> (36) Using user DN from request
> "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
> (36) Checking user object's memberOf attributes
> (36) Performing unfiltered search in
> "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local", scope "base"
> (36) Waiting for search result...
> (36) Processing memberOf value
> "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" as a DN
> rlm_ldap (ldap): Released connection (5)
> (36) User is not a member of
> "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local"
> (36) if (Ldap-Group == "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local")
> -> FALSE
> (36) if (Ldap-Group == "cn=School,ou=SeminaryOU,dc=seminary,dc=local") {
> (36) Searching for user in group
> "cn=School,ou=SeminaryOU,dc=seminary,dc=local"
> rlm_ldap (ldap): Reserved connection (7)
> (36) Using user DN from request
> "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
> (36) Checking user object's memberOf attributes
> (36) Performing unfiltered search in
> "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local", scope "base"
> (36) Waiting for search result...
> (36) Processing memberOf value
> "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" as a DN
> rlm_ldap (ldap): Released connection (7)
> (36) User is not a member of
> "cn=School,ou=SeminaryOU,dc=seminary,dc=local"
> (36) if (Ldap-Group == "cn=School,ou=SeminaryOU,dc=seminary,dc=local")
> -> FALSE
> (36) ldap: EXPAND .
> (36) ldap: --> .
> (36) ldap: EXPAND Authenticated at %S
> (36) ldap: --> Authenticated at 2017-09-25 17:31:28
> rlm_ldap (ldap): Reserved connection (1)
> (36) ldap: Using user DN from request
> "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
> (36) ldap: Modifying object with DN
> "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
> (36) ldap: Waiting for modify result...
> rlm_ldap (ldap): Released connection (1)
> (36) [ldap] = ok
> (36) [exec] = noop
> (36) policy remove_reply_message_if_eap {
> (36) if (&reply:EAP-Message && &reply:Reply-Message) {
> (36) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (36) else {
> (36) [noop] = noop
> (36) } # else = noop
> (36) } # policy remove_reply_message_if_eap = noop
> (36) } # post-auth = ok
> (36) Sent Access-Accept Id 134 from 192.168.100.201:1812 to
> 192.168.100.112:43578 length 0
> (36) MS-MPPE-Recv-Key =
> 0x1f09c87d9c6e4761e1e2c4ae95c1773d9eaabb1020e146b71648faef7be7f449
> (36) MS-MPPE-Send-Key =
> 0xd82966c83116ad0ab06a985ffe7a4a24704fe3bbfc772c8a547f0df9b67cc765
> (36) EAP-Message = 0x03f30004
> (36) Message-Authenticator = 0x00000000000000000000000000000000
> (36) User-Name = "abc"
> (36) Tunnel-Type = VLAN
> (36) Tunnel-Medium-Type = IEEE-802
> (36) Tunnel-Private-Group-Id = "11"
> (36) Finished request
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list