Freeradius External Script Auth.
Vertigo Altair
vertigo.altair at gmail.com
Fri Feb 7 07:12:29 CET 2020
Thanks for helps.. I'm providing "Cleartext-Password" to Freeradius as an
output from my script. When I make tests in AP with EAP and MSCHAP, I'm
still getting "Cleartext-Password" require error. My
/etc/raddb/sites-enabled/default conf like this:
server default {
listen{
type = auth
ipaddr = *
port = 1812
}
listen{
ipaddr = *
type = acct
port = 1813
}
authorize{
update {
control: += `/usr/bin/myauthscript'%{User-Name}'
'%{User-Password}' -c`
reply: += `/usr/bin/ myauthscript '%{User-Name}'
'%{User-Password}' -v`
}
filter_username
preprocess
mschap
digest
suffix
eap {
ok = return
}
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type MS-CHAP {
mschap
}
mschap
digest
eap
}
preacct {
preprocess
acct_unique
suffix
}
accounting {
detail
unix
exec
attr_filter.accounting_response
}
session {
}
post-auth {
update {
&reply: += &session-state:
}
exec
remove_reply_message_if_eap
Post-Auth-Type REJECT {
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
}
pre-proxy {
}
post-proxy {
eap
}
}
And radiusd debug output:
(0) Received Access-Request Id 60 from 172.16.1.126:59647 to
10.10.12.37:1812 length 188
(0) User-Name = "test"
(0) Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(0) NAS-IP-Address = 172.16.1.126
(0) NAS-Port = 76
(0) Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(0) Service-Type = Framed-User
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) NAS-Identifier = "60-D0-2C-57-EE-68"
(0) Connect-Info = "CONNECT 802.11g/n"
(0) EAP-Message = 0x0200000a0168616b616e
(0) Ruckus-SSID = "RuckusAP"
(0) Message-Authenticator = 0x580f830ed653d603981a32708ce72e05
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) update {
(0) Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -c:
(0) EXPAND %{User-Name}
(0) --> test
(0) EXPAND %{User-Password}
(0) -->
(0) Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(0) control::Cleartext-Password := test2020
(0) Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -v:
(0) EXPAND %{User-Name}
(0) --> test
(0) EXPAND %{User-Password}
(0) -->
(0) Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(0) reply::Cleartext-Password := test2020
(0) } # update = noop
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = noop
(0) } # policy filter_username = noop
(0) [preprocess] = ok
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 10
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 1 length 22
(0) eap: EAP session adding &reply:State = 0x8222e2dd8223e612
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 60 from 10.10.12.37:1812 to 172.16.1.126:59647
length 0
(0) EAP-Message = 0x010100160410466e0b654b138f4698b23b9abb790c5b
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x8222e2dd8223e61204a77c7c67b196c6
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 61 from 172.16.1.126:59647 to
10.10.12.37:1812 length 202
(1) User-Name = "test"
(1) Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(1) NAS-IP-Address = 172.16.1.126
(1) NAS-Port = 76
(1) Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(1) Service-Type = Framed-User
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) NAS-Identifier = "60-D0-2C-57-EE-68"
(1) Connect-Info = "CONNECT 802.11g/n"
(1) EAP-Message = 0x020100060315
(1) State = 0x8222e2dd8223e61204a77c7c67b196c6
(1) Ruckus-SSID = "RuckusAP"
(1) Message-Authenticator = 0xaff5889a5755662c16961cde613cee41
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) update {
(1) Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -c:
(1) EXPAND %{User-Name}
(1) --> test
(1) EXPAND %{User-Password}
(1) -->
(1) Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(1) control::Cleartext-Password := test2020
(1) Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -v:
(1) EXPAND %{User-Name}
(1) --> test
(1) EXPAND %{User-Password}
(1) -->
(1) Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(1) reply::Cleartext-Password := test2020
(1) } # update = noop
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = noop
(1) } # policy filter_username = noop
(1) [preprocess] = ok
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "test", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x8222e2dd8223e612
(1) eap: Finished EAP session with state 0x8222e2dd8223e612
(1) eap: Previous EAP request found for state 0x8222e2dd8223e612, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Initiating new TLS session
(1) eap_ttls: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 2 length 6
(1) eap: EAP session adding &reply:State = 0x8222e2dd8320f712
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 61 from 10.10.12.37:1812 to 172.16.1.126:59647
length 0
(1) EAP-Message = 0x010200061520
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x8222e2dd8320f71204a77c7c67b196c6
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 62 from 172.16.1.126:59647 to
10.10.12.37:1812 length 353
(2) User-Name = "test"
(2) Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(2) NAS-IP-Address = 172.16.1.126
(2) NAS-Port = 76
(2) Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(2) Service-Type = Framed-User
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) NAS-Identifier = "60-D0-2C-57-EE-68"
(2) Connect-Info = "CONNECT 802.11g/n"
(2) EAP-Message =
0x0202009d150016030100920100008e03037eb720e6021d5dce53985cfd8c885920c7e89bb10fcecd778545e831928d3493000036c02bc02f009ec02cc030009fcca9cca8c009c023c013c02700330067c00ac024c014c0280039006b009c009d002f003c0035003d000a0100002fff0100010000170000000d0010000e0403040105030501060306010201000b00020100000a00080006001d00170018
(2) State = 0x8222e2dd8320f71204a77c7c67b196c6
(2) Ruckus-SSID = "RuckusAP"
(2) Message-Authenticator = 0x2e4f2d53d2b0202bbaa74a4c4c37e0dc
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) update {
(2) Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -c:
(2) EXPAND %{User-Name}
(2) --> test
(2) EXPAND %{User-Password}
(2) -->
(2) Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(2) control::Cleartext-Password := test2020
(2) Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -v:
(2) EXPAND %{User-Name}
(2) --> test
(2) EXPAND %{User-Password}
(2) -->
(2) Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(2) reply::Cleartext-Password := test2020
(2) } # update = noop
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = noop
(2) } # policy filter_username = noop
(2) [preprocess] = ok
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "test", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 157
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x8222e2dd8320f712
(2) eap: Finished EAP session with state 0x8222e2dd8320f712
(2) eap: Previous EAP request found for state 0x8222e2dd8320f712, released
from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: [eaptls verify] = ok
(2) eap_ttls: Done initial handshake
(2) eap_ttls: (other): before/accept initialization
(2) eap_ttls: TLS_accept: before/accept initialization
(2) eap_ttls: <<< recv TLS 1.2 [length 0092]
(2) eap_ttls: TLS_accept: SSLv3 read client hello A
(2) eap_ttls: >>> send TLS 1.2 [length 0037]
(2) eap_ttls: TLS_accept: SSLv3 write server hello A
(2) eap_ttls: >>> send TLS 1.2 [length 08d3]
(2) eap_ttls: TLS_accept: SSLv3 write certificate A
(2) eap_ttls: >>> send TLS 1.2 [length 014d]
(2) eap_ttls: TLS_accept: SSLv3 write key exchange A
(2) eap_ttls: >>> send TLS 1.2 [length 0004]
(2) eap_ttls: TLS_accept: SSLv3 write server done A
(2) eap_ttls: TLS_accept: SSLv3 flush data
(2) eap_ttls: TLS_accept: SSLv3 read client certificate A
(2) eap_ttls: TLS_accept: Need to read more data: SSLv3 read client key
exchange A
(2) eap_ttls: TLS - In Handshake Phase
(2) eap_ttls: TLS - got 2671 bytes of data
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1004
(2) eap: EAP session adding &reply:State = 0x8222e2dd8021f712
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 62 from 10.10.12.37:1812 to 172.16.1.126:59647
length 0
(2) EAP-Message =
0x010303ec15c000000a6f1603030037020000330303cf453002dac608edb99f397c10572866f2baee1c95e9a72e818a1bfe3987524e00c02f00000bff01000100000b0002010016030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3230303131323137313130385a170d3230303331323137313130385a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d706c6520536572
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x8222e2dd8021f71204a77c7c67b196c6
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 63 from 172.16.1.126:59647 to
10.10.12.37:1812 length 202
(3) User-Name = "test"
(3) Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(3) NAS-IP-Address = 172.16.1.126
(3) NAS-Port = 76
(3) Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(3) Service-Type = Framed-User
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) NAS-Identifier = "60-D0-2C-57-EE-68"
(3) Connect-Info = "CONNECT 802.11g/n"
(3) EAP-Message = 0x020300061500
(3) State = 0x8222e2dd8021f71204a77c7c67b196c6
(3) Ruckus-SSID = "RuckusAP"
(3) Message-Authenticator = 0xb5e54eb6b4ea1b6ffe6c3f223fe1c187
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) update {
(3) Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -c:
(3) EXPAND %{User-Name}
(3) --> test
(3) EXPAND %{User-Password}
(3) -->
(3) Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(3) control::Cleartext-Password := test2020
(3) Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -v:
(3) EXPAND %{User-Name}
(3) --> test
(3) EXPAND %{User-Password}
(3) -->
(3) Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(3) reply::Cleartext-Password := test2020
(3) } # update = noop
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = noop
(3) } # policy filter_username = noop
(3) [preprocess] = ok
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "test", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x8222e2dd8021f712
(3) eap: Finished EAP session with state 0x8222e2dd8021f712
(3) eap: Previous EAP request found for state 0x8222e2dd8021f712, released
from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: Peer ACKed our handshake fragment
(3) eap_ttls: [eaptls verify] = request
(3) eap_ttls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 1004
(3) eap: EAP session adding &reply:State = 0x8222e2dd8126f712
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 63 from 10.10.12.37:1812 to 172.16.1.126:59647
length 0
(3) EAP-Message =
0x010403ec15c000000a6f6a40103702f5af67cd0616db156bc7253d15c6896e4da49d81f43189a4b34dca5b42f3da6f87a631a4e83c3aa8c52cc48590f0b4a4ffa052520a652e69fc89cb80ce4cd906a6e60004e8308204e4308203cca003020102020900bc8e6ed6a96d96ab300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3230303131323137313130385a170d3230303331323137313130385a308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x8222e2dd8126f71204a77c7c67b196c6
(3) Finished request
Waking up in 4.7 seconds.
(4) Received Access-Request Id 64 from 172.16.1.126:59647 to
10.10.12.37:1812 length 202
(4) User-Name = "test"
(4) Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(4) NAS-IP-Address = 172.16.1.126
(4) NAS-Port = 76
(4) Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(4) Service-Type = Framed-User
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) NAS-Identifier = "60-D0-2C-57-EE-68"
(4) Connect-Info = "CONNECT 802.11g/n"
(4) EAP-Message = 0x020400061500
(4) State = 0x8222e2dd8126f71204a77c7c67b196c6
(4) Ruckus-SSID = "RuckusAP"
(4) Message-Authenticator = 0x093e1f727ca94afec6717f09bc43aee4
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) update {
(4) Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -c:
(4) EXPAND %{User-Name}
(4) --> test
(4) EXPAND %{User-Password}
(4) -->
(4) Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(4) control::Cleartext-Password := test2020
(4) Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -v:
(4) EXPAND %{User-Name}
(4) --> test
(4) EXPAND %{User-Password}
(4) -->
(4) Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(4) reply::Cleartext-Password := test2020
(4) } # update = noop
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = noop
(4) } # policy filter_username = noop
(4) [preprocess] = ok
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "test", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x8222e2dd8126f712
(4) eap: Finished EAP session with state 0x8222e2dd8126f712
(4) eap: Previous EAP request found for state 0x8222e2dd8126f712, released
from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: Continuing EAP-TLS
(4) eap_ttls: Peer ACKed our handshake fragment
(4) eap_ttls: [eaptls verify] = request
(4) eap_ttls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 693
(4) eap: EAP session adding &reply:State = 0x8222e2dd8627f712
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 64 from 10.10.12.37:1812 to 172.16.1.126:59647
length 0
(4) EAP-Message =
0x010502b5158000000a6f030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101003f2cba9a002008243cf59976e3a41a339e3d3b2ba560ed0147bbcea9e7988ec2b2c75a9531c0d582c5043304f3b74a02ca8645284f7101674edf52f04ce37a7159722c3e0dbe76b17f129278567104fdcefa3cc9ede4987bf83ffe7dc579aa0495ce4c4de6ab9825cc31fcd61ff9ce1b5258b78312d704024dbf7c88ecdcc7b65bebf61700b6317e4cc6bff0a492b7fc699990439aab51fb36555fc79a03104e1b705c2cda5175c486ac24300a7d40c49fc7ef08da167ff1a36013140fccc815cc930cfaeae1c8bd241428828e15cfda03ad4637f3f6a76bb0fc0d17b5afeab7329e99e1f19749690c1c82cd67b928e0850962b07300c0260f9cc01dcbb51760160303014d0c0001490300174104506ba9d2c4bf930faa52adb39acced
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x8222e2dd8627f71204a77c7c67b196c6
(4) Finished request
Waking up in 4.6 seconds.
(5) Received Access-Request Id 65 from 172.16.1.126:59647 to
10.10.12.37:1812 length 328
(5) User-Name = "test"
(5) Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(5) NAS-IP-Address = 172.16.1.126
(5) NAS-Port = 76
(5) Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(5) Service-Type = Framed-User
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) NAS-Identifier = "60-D0-2C-57-EE-68"
(5) Connect-Info = "CONNECT 802.11g/n"
(5) EAP-Message =
0x020500841500160303004610000042410461bc18599cd2f361905599c4636ac61727b555da6f37455d7d313e029edd9774b0eaaa6d3b08f7372c9aecc500cf84639a5b2fe4ad1c98ee25a0980ee8430629140303000101160303002800000000000000002af63b75129f24cd542b44457df4574b279ce8b0b746db09699c2950010b11ec
(5) State = 0x8222e2dd8627f71204a77c7c67b196c6
(5) Ruckus-SSID = "RuckusAP"
(5) Message-Authenticator = 0x2c9ce0c4e8108f366296d2e408f7a4ef
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) update {
(5) Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -c:
(5) EXPAND %{User-Name}
(5) --> test
(5) EXPAND %{User-Password}
(5) -->
(5) Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(5) control::Cleartext-Password := test2020
(5) Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -v:
(5) EXPAND %{User-Name}
(5) --> test
(5) EXPAND %{User-Password}
(5) -->
(5) Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(5) reply::Cleartext-Password := test2020
(5) } # update = noop
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = noop
(5) } # policy filter_username = noop
(5) [preprocess] = ok
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "test", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 132
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x8222e2dd8627f712
(5) eap: Finished EAP session with state 0x8222e2dd8627f712
(5) eap: Previous EAP request found for state 0x8222e2dd8627f712, released
from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: <<< recv TLS 1.2 [length 0046]
(5) eap_ttls: TLS_accept: SSLv3 read client key exchange A
(5) eap_ttls: <<< recv TLS 1.2 [length 0001]
(5) eap_ttls: <<< recv TLS 1.2 [length 0010]
(5) eap_ttls: TLS_accept: SSLv3 read finished A
(5) eap_ttls: >>> send TLS 1.2 [length 0001]
(5) eap_ttls: TLS_accept: SSLv3 write change cipher spec A
(5) eap_ttls: >>> send TLS 1.2 [length 0010]
(5) eap_ttls: TLS_accept: SSLv3 write finished A
(5) eap_ttls: TLS_accept: SSLv3 flush data
(5) eap_ttls: (other): SSL negotiation finished successfully
(5) eap_ttls: TLS - Connection Established
(5) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(5) eap_ttls: TLS-Session-Version = "TLS 1.2"
(5) eap_ttls: TLS - got 51 bytes of data
(5) eap_ttls: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 6 length 61
(5) eap: EAP session adding &reply:State = 0x8222e2dd8724f712
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) session-state: Saving cached attributes
(5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(5) TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 65 from 10.10.12.37:1812 to 172.16.1.126:59647
length 0
(5) EAP-Message =
0x0106003d158000000033140303000101160303002800000000000000000c85e97e31aa73051034e9862337dff0e87a52b73b047946e186ec08db0bab8d
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x8222e2dd8724f71204a77c7c67b196c6
(5) Finished request
Waking up in 4.5 seconds.
(6) Received Access-Request Id 66 from 172.16.1.126:59647 to
10.10.12.37:1812 length 251
(6) User-Name = "test"
(6) Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(6) NAS-IP-Address = 172.16.1.126
(6) NAS-Port = 76
(6) Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(6) Service-Type = Framed-User
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) NAS-Identifier = "60-D0-2C-57-EE-68"
(6) Connect-Info = "CONNECT 802.11g/n"
(6) EAP-Message =
0x020600371500170303002c00000000000000011c71cc3b155bab267a828307af32bc709dbaeaecc6b80fd05aa8e97cb2c6432b1795ee8d
(6) State = 0x8222e2dd8724f71204a77c7c67b196c6
(6) Ruckus-SSID = "RuckusAP"
(6) Message-Authenticator = 0x9150701e62a079eebbe877e7e4a9c89f
(6) Restoring &session-state
(6) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES128-GCM-SHA256"
(6) &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) update {
(6) Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -c:
(6) EXPAND %{User-Name}
(6) --> test
(6) EXPAND %{User-Password}
(6) -->
(6) Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(6) control::Cleartext-Password := test2020
(6) Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -v:
(6) EXPAND %{User-Name}
(6) --> test
(6) EXPAND %{User-Password}
(6) -->
(6) Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(6) reply::Cleartext-Password := test2020
(6) } # update = noop
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = noop
(6) } # policy filter_username = noop
(6) [preprocess] = ok
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "test", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 55
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x8222e2dd8724f712
(6) eap: Finished EAP session with state 0x8222e2dd8724f712
(6) eap: Previous EAP request found for state 0x8222e2dd8724f712, released
from the list
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: Continuing EAP-TLS
(6) eap_ttls: [eaptls verify] = ok
(6) eap_ttls: Done initial handshake
(6) eap_ttls: [eaptls process] = ok
(6) eap_ttls: Session established. Proceeding to decode tunneled attributes
(6) eap_ttls: Got tunneled request
(6) eap_ttls: EAP-Message = 0x0200000a0168616b616e
(6) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_ttls: Got tunneled identity of test
(6) eap_ttls: Setting default EAP type for tunneled EAP session
(6) eap_ttls: Sending tunneled request
(6) Virtual server inner-tunnel received request
(6) EAP-Message = 0x0200000a0168616b616e
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = "test"
(6) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(6) server inner-tunnel {
(6) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "test", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 0 length 10
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_md5 to process data
(6) eap_md5: Issuing MD5 Challenge
(6) eap: Sending EAP Request (code 1) ID 1 length 22
(6) eap: EAP session adding &reply:State = 0xfb738c1efb7288f2
(6) [eap] = handled
(6) } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) EAP-Message = 0x010100160410039a74cbba1e0639cb6ef0d5de63f3d5
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xfb738c1efb7288f2701021cb605e5eb7
(6) eap_ttls: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 7 length 71
(6) eap: EAP session adding &reply:State = 0x8222e2dd8425f712
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) session-state: Saving cached attributes
(6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 66 from 10.10.12.37:1812 to 172.16.1.126:59647
length 0
(6) EAP-Message =
0x0107004715800000003d170303003800000000000000014b15de3a7cc2f3cc4f87e27dd20fb5b5e4c7abfce216cee56b856d7e1c3fc11180402063e9c315c3dd28e602e84772a5
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x8222e2dd8425f71204a77c7c67b196c6
(6) Finished request
Waking up in 4.4 seconds.
(7) Received Access-Request Id 67 from 172.16.1.126:59647 to
10.10.12.37:1812 length 263
(7) User-Name = "test"
(7) Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(7) NAS-IP-Address = 172.16.1.126
(7) NAS-Port = 76
(7) Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(7) Service-Type = Framed-User
(7) Framed-MTU = 1400
(7) NAS-Port-Type = Wireless-802.11
(7) NAS-Identifier = "60-D0-2C-57-EE-68"
(7) Connect-Info = "CONNECT 802.11g/n"
(7) EAP-Message =
0x02070043150017030300380000000000000002bb5188202ca0c38e9b84b7ed3bbbf8c789809017277b71168ce763db7f64153917cf809269f593d158e21be543b3cc41
(7) State = 0x8222e2dd8425f71204a77c7c67b196c6
(7) Ruckus-SSID = "RuckusAP"
(7) Message-Authenticator = 0xf78013ae60f9b978a588b0e3b0ea7b28
(7) Restoring &session-state
(7) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES128-GCM-SHA256"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) update {
(7) Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -c:
(7) EXPAND %{User-Name}
(7) --> test
(7) EXPAND %{User-Password}
(7) -->
(7) Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(7) control::Cleartext-Password := test2020
(7) Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -v:
(7) EXPAND %{User-Name}
(7) --> test
(7) EXPAND %{User-Password}
(7) -->
(7) Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(7) reply::Cleartext-Password := test2020
(7) } # update = noop
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = noop
(7) } # policy filter_username = noop
(7) [preprocess] = ok
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "test", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 67
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0xfb738c1efb7288f2
(7) eap: Finished EAP session with state 0x8222e2dd8425f712
(7) eap: Previous EAP request found for state 0x8222e2dd8425f712, released
from the list
(7) eap: Peer sent packet with method EAP TTLS (21)
(7) eap: Calling submodule eap_ttls to process data
(7) eap_ttls: Authenticate
(7) eap_ttls: Continuing EAP-TLS
(7) eap_ttls: [eaptls verify] = ok
(7) eap_ttls: Done initial handshake
(7) eap_ttls: [eaptls process] = ok
(7) eap_ttls: Session established. Proceeding to decode tunneled attributes
(7) eap_ttls: Got tunneled request
(7) eap_ttls: EAP-Message = 0x020100160410afb4be13e0362d8e30108e61c594b759
(7) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_ttls: Sending tunneled request
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x020100160410afb4be13e0362d8e30108e61c594b759
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "test"
(7) State = 0xfb738c1efb7288f2701021cb605e5eb7
(7) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(7) server inner-tunnel {
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "test", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 1 length 22
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
(7) [expiration] = noop
(7) [logintime] = noop
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0xfb738c1efb7288f2
(7) eap: Finished EAP session with state 0xfb738c1efb7288f2
(7) eap: Previous EAP request found for state 0xfb738c1efb7288f2, released
from the list
(7) eap: Peer sent packet with method EAP MD5 (4)
(7) eap: Calling submodule eap_md5 to process data
(7) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5
authentication
(7) eap: ERROR: Failed continuing EAP MD5 (4) session. EAP sub-module
failed
(7) eap: Sending EAP Failure (code 4) ID 1 length 4
(7) eap: Failed in EAP select
(7) [eap] = invalid
(7) } # authenticate = invalid
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) Post-Auth-Type REJECT {
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject: --> test
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7) [attr_filter.access_reject] = updated
(7) update outer.session-state {
(7) &Module-Failure-Message := &request:Module-Failure-Message ->
'eap_md5: Cleartext-Password is required for EAP-MD5 authentication'
(7) } # update outer.session-state = noop
(7) } # Post-Auth-Type REJECT = updated
(7) EXPAND LOGIN_FAILED
(7) --> LOGIN_FAILED
(7) Login incorrect (eap_md5: Cleartext-Password is required for EAP-MD5
authentication): [test] (from client ruckus port 0 via TLS tunnel)
LOGIN_FAILED
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message = 0x04010004
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_ttls: Got tunneled Access-Reject
(7) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module
failed
(7) eap: Sending EAP Failure (code 4) ID 7 length 4
(7) eap: Failed in EAP select
(7) [eap] = invalid
(7) } # authenticate = invalid
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Post-Auth-Type REJECT {
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject: --> test
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7) [attr_filter.access_reject] = updated
(7) [eap] = noop
(7) policy remove_reply_message_if_eap {
(7) if (&reply:EAP-Message && &reply:Reply-Message) {
(7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(7) else {
(7) [noop] = noop
(7) } # else = noop
(7) } # policy remove_reply_message_if_eap = noop
(7) } # Post-Auth-Type REJECT = updated
(7) EXPAND LOGIN_FAILED
(7) --> LOGIN_FAILED
(7) Login incorrect (eap: Failed continuing EAP TTLS (21) session. EAP
sub-module failed): [test] (from client ruckus port 76 cli
C4-9F-4C-E3-07-3A) LOGIN_FAILED
(7) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(7) Sending delayed response
(7) Sent Access-Reject Id 67 from 10.10.12.37:1812 to 172.16.1.126:59647
length 44
(7) EAP-Message = 0x04070004
(7) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.3 seconds.
(0) Cleaning up request packet ID 60 with timestamp +3
(1) Cleaning up request packet ID 61 with timestamp +3
(2) Cleaning up request packet ID 62 with timestamp +3
(3) Cleaning up request packet ID 63 with timestamp +3
(4) Cleaning up request packet ID 64 with timestamp +3
(5) Cleaning up request packet ID 65 with timestamp +3
(6) Cleaning up request packet ID 66 with timestamp +4
(7) Cleaning up request packet ID 67 with timestamp +4
Lang, Russell <Russell.Lang at team.telstra.com>, 7 Şub 2020 Cum, 08:12
tarihinde şunu yazdı:
> We used to do this, but moved away from it. Our external program was a
> python script, and the startup time for each authentication for too long.
>
> If you must do 802.1x EAP using this method, then note that EAP is handled
> by default site, while MSCHAP is handled by inner-tunnel site. In the
> inner-tunnel, you can exec a program and give it the MSCHAP challenge and
> response, validate that against NT-Password that you have stored, and
> return the NT session key back to FreeRADIUS. This involves implementing
> MSCHAP code that already exists in FreeRADIUS.
>
> The simpler alternative that we are now using is to call a REST API from
> FreeRADIUS during authorisation (really pre-auth) and return the
> NT-Password, letting FreeRADIUS do all the EAP / PAP / MSCHAPv2 stuff
> during authentication.
> See my previous emails to this list on rlm_rest, but note that some of the
> information I wrote I have now discovered wasn't correct.
>
> Regards,
> Russell Lang
>
>
> -----Original Message-----
> From: Freeradius-Users <freeradius-users-bounces+russell.lang=
> team.telstra.com at lists.freeradius.org> On Behalf Of Vertigo Vertigo
> Sent: Friday, 7 February 2020 04:36
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius External Script Auth.
>
> [External Email] This email was sent from outside the organisation – be
> cautious, particularly with links and attachments.
>
> Hi Freeradius people,
> I want to authorize users that connect to AP with my external script.
> Because I have multiple data source ( multiple Active Directory, another
> API etc.) and I want to make authorization by using these data sources as I
> want. That's why I'm using an external script to authorization. I updated
> /etc/raddb/sites-enabled/default's authorize section;
>
> authorize{
>
> update {
>
> control: += `/usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -c`
>
> reply: += `/usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -v`
>
> }
>
>
> When I run "radtest" with PAP method, everything is OK, I have "User-Name"
> and "User-Password" attributes, I'm able to authorize users etc. However,
> when I make tests with an AP with 802.1x EAP method, , there is no
> cleartext password (User-Password) and I cannot make authorization. My
> question is how can I make authorization without "User-Password" attribute.
> As I said, I have cleartext passwords in my data sources, so I can hash
> them and compare with other hash that a client sent. How can I perform this
> operation with EAP, CHAP, MSCHAP etc. methods?
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list