VLan affect based on ldap attribute freeradius v3
jehan procaccia INT
jehan.procaccia at int-evry.fr
Fri Aug 31 10:45:48 CEST 2018
Unfortunately it fails: the User-Category attribute fetched from the LDAP
edupersonPrimaryAffiliation apparently doesn't pass through the different
states/modules.
Even with the usage of session-state (replacing "reply") it fails.
Here's a new radiusd -X experiment:
1) ldap does find the attribute and associated value (here employee)
rlm_ldap (prod): Reserved connection (7)
(93) prod: reply:Reply-Message := 'employee'
(93) prod: reply:User-Category += 'employee'
2) eap-peap has it
(93) post-auth {
(93) if (0) {
(93) if (0) -> FALSE
(93) } # post-auth = noop
(93) Login OK: [radu/<via Auth-Type = eap>] (from client prod port 0
via TLS tunnel)
(93) } # server inner-tunnel
(93) Virtual server sending reply
(93) Reply-Message := "employee"
(93) *User-Category += "employee"*
(93) eap_peap: Got tunneled reply code 2
(93) eap_peap: Reply-Message := "employee"
(93) eap_peap: *User-Category += "employee"*
3) eap_peap is success
(94)*eap_peap: Success*
(94) eap: Sending EAP Success (code 3) ID 12 length 4
(94) eap: Freeing handler
(94) [eap] = ok
(94) } # authenticate = ok
(94) # Executing section post-auth from file
/etc/raddb/sites-enabled/default
(94) post-auth {
(94) update {
(94) No attributes updated
(94) } # update = noop
(94) reply_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(94) reply_log: -->
/var/log/radius/radacct/10.91.10.10/reply-detail-20180831
(94) reply_log:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/radius/radacct/10.91.10.10/reply-detail-20180831
(94) reply_log: EXPAND %t
(94) reply_log: --> Fri Aug 31 10:26:47 2018
(94) [reply_log] = ok
(94) [exec] = noop
(94) policy remove_reply_message_if_eap {
(94) if (&reply:EAP-Message && &reply:Reply-Message) {
(94) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
4) but when entering my vlan affectation script included from
sites-enabled/default, with debug_reply and session-state here
(94) policy *debug_reply* {
(94) if ("%{debug_attr:reply:}" == '') {
(94) Attributes matching "reply:"
(94) &reply:MS-MPPE-Recv-Key =
0x6951a718ea2d0ce60f3f210a7d3bdf8d2bbc6f05a1efa5f48966ae507a7c8986
(94) &reply:MS-MPPE-Send-Key =
0x646babfc1284ac415770097bcfebd01a00a7fcaab056bbe3c28355dcf6e33b6e
(94) &reply:EAP-MSK =
0x6951a718ea2d0ce60f3f210a7d3bdf8d2bbc6f05a1efa5f48966ae507a7c8986646babfc1284ac415770097bcfebd01a00a7fcaab056bbe3c28355dcf6e33b6e
(94) &reply:EAP-EMSK =
0x839cec06f72c16eb9591871f4202ef7fa8a562c9584bc86284e00f6c96ba6bd87ec87a716e93b5d956272e23b960d02e2e13a78b26bca0c63dd8dce5b322fd2f
(94) &reply:EAP-Session-Id =
0x195b88fbc71b5d48c99581f08d4b9c8db9d6fffdc8bf6ff48d2f41072b54010f6458949fbe030ace473886247929495cea59c6c2c6ba7ea128f3766e4668b75529
(94) &reply:EAP-Message = 0x030c0004
(94) &reply:Message-Authenticator =
0x00000000000000000000000000000000
(94) &reply:Stripped-User-Name = radu
(94) EXPAND %{debug_attr:reply:}
(94) -->
Should I see something like &reply:User-Category above? Does its not being
present mean it's already lost?
Indeed, just after, when I test on it:
(94) if ("%{debug_attr:reply:}" == '') -> TRUE
(94) if ("%{debug_attr:reply:}" == '') {
(94) [noop] = noop
(94) } # if ("%{debug_attr:reply:}" == '') = noop
(94) } # policy debug_reply = noop
(94) *if (( &session-state:User-Category == "employee")*
|| (&session-state:User-Category == "faculty") ||
(&session-state:User-Category == "staff" ) ||
(&session-state:User-Category == "researcher") ||
(&session-state:User-Category == "member")) {
(94) *ERROR: Failed retrieving values required to evaluate condition*
(94) elsif ( (&session-state:User-Category == "student" ) ||
(&session-state:User-Category == "affiliate") ) {
(94) ERROR: Failed retrieving values required to evaluate condition
(94) else {
(94) update reply {
(94) Tunnel-Private-Group-Id := 902
I am lost as to why this User-Category attribute is disappearing in the process.
Do you have an idea, or another step forward to debug more?
Thanks.
On 31/08/2018 at 00:49, jehan procaccia INT wrote:
> On 30/08/2018 at 23:12, Matthew Newton wrote:
>> On Thu, 2018-08-30 at 22:55 +0200, jehan procaccia int wrote:
>>> I did that, but it still fails, now with the error:
>>>
>>> (30) if (( &reply:User-Category == "employee") || (&reply:User-
>>> Category == "faculty") || (&reply:User-Category == "staff" ) ||
>>> (&reply:User-Category == "researcher") || (&reply:User-Category ==
>>> "member")) {
>>> (30) ERROR: Failed retrieving values required to evaluate
>>> condition
>>> (30) elsif ( (&reply:User-Category == "student" ) ||
>>> (&reply:User-Category == "affiliate") ) {
>>> (30) ERROR: Failed retrieving values required to evaluate
>>> condition
>>> (30) else {
>>> (30) update reply {
>>> (30) Tunnel-Private-Group-Id := 902
>> So put
>>
>> debug_reply
>>
>> above that line and see if the attribute has been set there.
> OK, did that; radiusd -X now tells:
>
>
> (30) Login OK: [barnabot/<via Auth-Type = eap>] (from client prod
> port 0 via TLS tunnel)
> (30) } # server inner-tunnel
> (30) Virtual server sending reply
> (30) Reply-Message := "student"
> (30) User-Category += "student"
>
>
> (31) # Executing section post-auth from file
> /etc/raddb/sites-enabled/default
> (31) post-auth {
> (31) update {
> (31) No attributes updated
> (31) } # update = noop
> (31) reply_log: EXPAND
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
> (31) reply_log: -->
> /var/log/radius/radacct/10.91.10.10/reply-detail-20180831
> (31) reply_log:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
> expands to /var/log/radius/radacct/10.91.10.10/reply-detail-20180831
> (31) reply_log: EXPAND %t
> (31) reply_log: --> Fri Aug 31 00:17:54 2018
> (31) [reply_log] = ok
> (31) [exec] = noop
> (31) policy remove_reply_message_if_eap {
> (31) if (&reply:EAP-Message && &reply:Reply-Message) {
> (31) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (31) else {
> (31) [noop] = noop
> (31) } # else = noop
> (31) } # policy remove_reply_message_if_eap = noop
>
> (31) policy debug_reply {
> (31) if ("%{debug_attr:reply:}" == '') {
> (31) Attributes matching "reply:"
> (31) &reply:MS-MPPE-Recv-Key =
> 0x6e1bcf8ea79f6d06a6dce39f4aadf79dfbd946f7ca2438a30d68f176073aa595
> (31) &reply:MS-MPPE-Send-Key =
> 0xf482d9f73fb33affff0a965215b2135921b3800f4aa1424e26dae3359fdd6085
> (31) &reply:EAP-MSK =
> 0x6e1bcf8ea79f6d06a6dce39f4aadf79dfbd946f7ca2438a30d68f176073aa595f482d9f73fb33affff0a965215b2135921b3800f4aa1424e26dae3359fdd6085
> (31) &reply:EAP-EMSK =
> 0x7bd50d3a425c00863320ed8dcaf30139a70d382d510676d6daa81356f3f7d35e3dd4440c3c69f0ffc565c7669084e73975bef6b48c070b04aa49078ef0896939
> (31) &reply:EAP-Session-Id =
> 0x192ca3956f79a7c3273beefed12454cddbc3402f348227b76d8faf4afcaac233e1d2a4d4993d3e3b6be9a674182fd4da47dc086e505b65ffe9233cb93974cd930e
> (31) &reply:EAP-Message = 0x030c0004
> (31) &reply:Message-Authenticator =
> 0x00000000000000000000000000000000
> (31) &reply:Stripped-User-Name = barnabot
> (31) EXPAND %{debug_attr:reply:}
> (31) -->
> (31) if ("%{debug_attr:reply:}" == '') -> TRUE
> (31) if ("%{debug_attr:reply:}" == '') {
> (31) [noop] = noop
> (31) } # if ("%{debug_attr:reply:}" == '') = noop
> (31) } # policy debug_reply = noop
> (31) if (( &reply:User-Category == "employee") ||
> (&reply:User-Category == "faculty") || (&reply:User-Category ==
> "staff" ) || (&reply:User-Category == "researcher") ||
> (&reply:User-Category == "member")) {
> (31) ERROR: Failed retrieving values required to evaluate
> condition
> (31) elsif ( (&reply:User-Category == "student" ) ||
> (&reply:User-Category == "affiliate") ) {
> (31) ERROR: Failed retrieving values required to evaluate
> condition
> (31) else {
> (31) update reply {
> (31) Tunnel-Private-Group-Id := 902
>
> I don't see new information regarding my User-Category attribute,
> perhaps because it is not set at this stage!?
>
>
>>> I use eduroam with peap mschapv2 (inner-tunnel); maybe different
>>> radius packets are involved. Would it be in my vlanaffec script that
>>> I should change reply to session-state?
>> Change all reply:User-Category to session-state:User-Category.
>>
>> But find out whether it's set or not first.
>>
> That's my next step; it's getting late here in France, I'll try that
> on site tomorrow.
>
> Thanks.
>
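One configuration that addresses the symptom in the debug output, as an added example that is not part of the thread or of the FreeRADIUS project files: in stock FreeRADIUS 3.0.x site files (which the "(93) if (0) -> FALSE" at the inner-tunnel post-auth above matches), the inner-tunnel reply is only copied to the outer request's session-state when that block is enabled, and the outer policy should test that the attribute exists before comparing it. The attribute list is the stock one; the staff VLAN id is a placeholder, and only the employee-class branch from the post is reproduced.

```unlang
#  sites-enabled/inner-tunnel, post-auth (FreeRADIUS 3.0.x). Stock ships this
#  as "if (0)" (the "(93) if (0) -> FALSE" above): inner reply never copied out.
post-auth {
	if (1) {
		#  Inner-only attributes: the outer Access-Accept must not carry
		#  the inner identity or the MS-CHAP keying material.
		update reply {
			User-Name !* ANY
			Message-Authenticator !* ANY
			EAP-Message !* ANY
			Proxy-State !* ANY
			MS-MPPE-Encryption-Types !* ANY
			MS-MPPE-Encryption-Policy !* ANY
			MS-CHAP2-Success !* ANY
			MS-CHAP-MPPE-Keys !* ANY
		}
		#  What is left (here User-Category from LDAP) is cached in the
		#  outer request's session-state, which survives the remaining
		#  EAP round trips until the final Access-Accept.
		update {
			&outer.session-state: += &reply:
		}
	}
}
#  sites-enabled/default, post-auth: the VLAN policy reads the cached copy.
#  The stock "&reply: += &session-state:" update (the "No attributes
#  updated" line in the debug) now has something to copy.
post-auth {
	update {
		&reply: += &session-state:
	}
	#  Test existence before comparing: comparing an absent attribute is what
	#  raises "Failed retrieving values required to evaluate condition".
	if (&session-state:User-Category &&
	    ((&session-state:User-Category == "employee") ||
	     (&session-state:User-Category == "faculty") ||
	     (&session-state:User-Category == "staff") ||
	     (&session-state:User-Category == "researcher") ||
	     (&session-state:User-Category == "member"))) {
		update reply {
			Tunnel-Private-Group-Id := "PLACEHOLDER_STAFF_VLAN"  # placeholder
		}
	}
	else {
		update reply {
			Tunnel-Private-Group-Id := 902  # fallback VLAN from the post
		}
	}
}
```

With the inner block enabled, the same `%{debug_attr:session-state:}` expansion that debug_reply uses for `reply:` will list User-Category in the outer post-auth, which is the check to run before the comparison.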