Freeradius External Script Auth.

Vertigo Altair vertigo.altair at gmail.com
Fri Feb 7 07:12:29 CET 2020


Thanks for the help. I'm providing "Cleartext-Password" to FreeRADIUS as the
output of my script. When I test from the AP with EAP and MSCHAP, I still get
a "Cleartext-Password" required error. My
/etc/raddb/sites-enabled/default config looks like this:
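# /etc/raddb/sites-enabled/default -- outer virtual server that fetches the
# user's password from an external program.  The notes below reflect what the
# radiusd -X output for this configuration shows.
server default {
        listen {
                type = auth
                ipaddr = *
                port = 1812
        }
        listen {
                ipaddr = *
                type = acct
                port = 1813
        }
        authorize {
                # Ask the external program for the user's known-good password
                # and store its output as a control (check) item; the control
                # list is where pap/mschap look for Cleartext-Password.
                #
                # Caveats visible in the debug output:
                #  * For EAP requests %{User-Password} expands to an empty
                #    string (the outer request carries no password), so the
                #    program only ever receives the user name here.
                #  * This update runs for every packet of the EAP
                #    conversation (requests 0-6 all execute the program),
                #    i.e. one fork per round trip.
                #  * With EAP-TTLS the inner method is handled by the
                #    inner-tunnel virtual server, whose authorize section
                #    does not run this update, so the control item set here
                #    is probably not seen by mschap inside the tunnel --
                #    a likely cause of the "Cleartext-Password required"
                #    error.  Running the lookup from inner-tunnel's
                #    authorize section instead (that file is not shown here)
                #    should be verified.
                #  * Backtick expansions are executed directly rather than
                #    through a shell, but the password still appears as a
                #    command-line argument, which other local users can
                #    usually read from the process list.  Prefer having the
                #    program read it from stdin or from the environment the
                #    server exports to the child (confirm for this version).
                #    If the program hands these values to a shell itself, it
                #    must quote them.
                update {
                        control: += `/usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -c`
                }
                # The former `reply: += \`/usr/bin/myauthscript ... -v\`` update
                # was removed: the debug output shows it adding
                # Cleartext-Password to the reply list, which would send the
                # user's password back to the NAS in the Access-Accept.  Any
                # attributes the -v mode is meant to return should be emitted
                # by the program as reply attributes, never as the check
                # password.
                filter_username
                preprocess
                mschap
                digest
                suffix
                eap {
                        ok = return
                }
                expiration
                logintime
                pap
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
                Auth-Type MS-CHAP {
                        mschap
                }
                mschap
                digest
                eap
        }
        preacct {
                preprocess
                acct_unique
                suffix
        }
        accounting {
                detail
                unix
                exec
                attr_filter.accounting_response
        }
        session {
        }
        post-auth {
                # Restore attributes cached across the EAP conversation
                # (e.g. TLS-Session-* as seen in the debug output).
                update {
                        &reply: += &session-state:
                }
                exec
                remove_reply_message_if_eap
                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                        eap
                        remove_reply_message_if_eap
                }
        }
        pre-proxy {
        }
        post-proxy {
                eap
        }
}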

And the radiusd debug output:

(0) Received Access-Request Id 60 from 172.16.1.126:59647 to
10.10.12.37:1812 length 188
(0)   User-Name = "test"
(0)   Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(0)   NAS-IP-Address = 172.16.1.126
(0)   NAS-Port = 76
(0)   Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(0)   Service-Type = Framed-User
(0)   Framed-MTU = 1400
(0)   NAS-Port-Type = Wireless-802.11
(0)   NAS-Identifier = "60-D0-2C-57-EE-68"
(0)   Connect-Info = "CONNECT 802.11g/n"
(0)   EAP-Message = 0x0200000a0168616b616e
(0)   Ruckus-SSID = "RuckusAP"
(0)   Message-Authenticator = 0x580f830ed653d603981a32708ce72e05
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     update {
(0)       Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -c:
(0)       EXPAND %{User-Name}
(0)          --> test
(0)       EXPAND %{User-Password}
(0)          -->
(0)       Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(0)       control::Cleartext-Password := test2020
(0)       Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -v:
(0)       EXPAND %{User-Name}
(0)          --> test
(0)       EXPAND %{User-Password}
(0)          -->
(0)       Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(0)       reply::Cleartext-Password := test2020
(0)     } # update = noop
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = noop
(0)     } # policy filter_username = noop
(0)     [preprocess] = ok
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 10
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 1 length 22
(0) eap: EAP session adding &reply:State = 0x8222e2dd8223e612
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 60 from 10.10.12.37:1812 to 172.16.1.126:59647
length 0
(0)   EAP-Message = 0x010100160410466e0b654b138f4698b23b9abb790c5b
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x8222e2dd8223e61204a77c7c67b196c6
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 61 from 172.16.1.126:59647 to
10.10.12.37:1812 length 202
(1)   User-Name = "test"
(1)   Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(1)   NAS-IP-Address = 172.16.1.126
(1)   NAS-Port = 76
(1)   Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(1)   Service-Type = Framed-User
(1)   Framed-MTU = 1400
(1)   NAS-Port-Type = Wireless-802.11
(1)   NAS-Identifier = "60-D0-2C-57-EE-68"
(1)   Connect-Info = "CONNECT 802.11g/n"
(1)   EAP-Message = 0x020100060315
(1)   State = 0x8222e2dd8223e61204a77c7c67b196c6
(1)   Ruckus-SSID = "RuckusAP"
(1)   Message-Authenticator = 0xaff5889a5755662c16961cde613cee41
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1)     update {
(1)       Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -c:
(1)       EXPAND %{User-Name}
(1)          --> test
(1)       EXPAND %{User-Password}
(1)          -->
(1)       Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(1)       control::Cleartext-Password := test2020
(1)       Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -v:
(1)       EXPAND %{User-Name}
(1)          --> test
(1)       EXPAND %{User-Password}
(1)          -->
(1)       Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(1)       reply::Cleartext-Password := test2020
(1)     } # update = noop
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = noop
(1)     } # policy filter_username = noop
(1)     [preprocess] = ok
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "test", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: Auth-Type already set.  Not setting to PAP
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x8222e2dd8223e612
(1) eap: Finished EAP session with state 0x8222e2dd8223e612
(1) eap: Previous EAP request found for state 0x8222e2dd8223e612, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Initiating new TLS session
(1) eap_ttls: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 2 length 6
(1) eap: EAP session adding &reply:State = 0x8222e2dd8320f712
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 61 from 10.10.12.37:1812 to 172.16.1.126:59647
length 0
(1)   EAP-Message = 0x010200061520
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x8222e2dd8320f71204a77c7c67b196c6
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 62 from 172.16.1.126:59647 to
10.10.12.37:1812 length 353
(2)   User-Name = "test"
(2)   Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(2)   NAS-IP-Address = 172.16.1.126
(2)   NAS-Port = 76
(2)   Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(2)   Service-Type = Framed-User
(2)   Framed-MTU = 1400
(2)   NAS-Port-Type = Wireless-802.11
(2)   NAS-Identifier = "60-D0-2C-57-EE-68"
(2)   Connect-Info = "CONNECT 802.11g/n"
(2)   EAP-Message =
0x0202009d150016030100920100008e03037eb720e6021d5dce53985cfd8c885920c7e89bb10fcecd778545e831928d3493000036c02bc02f009ec02cc030009fcca9cca8c009c023c013c02700330067c00ac024c014c0280039006b009c009d002f003c0035003d000a0100002fff0100010000170000000d0010000e0403040105030501060306010201000b00020100000a00080006001d00170018
(2)   State = 0x8222e2dd8320f71204a77c7c67b196c6
(2)   Ruckus-SSID = "RuckusAP"
(2)   Message-Authenticator = 0x2e4f2d53d2b0202bbaa74a4c4c37e0dc
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2)   authorize {
(2)     update {
(2)       Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -c:
(2)       EXPAND %{User-Name}
(2)          --> test
(2)       EXPAND %{User-Password}
(2)          -->
(2)       Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(2)       control::Cleartext-Password := test2020
(2)       Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -v:
(2)       EXPAND %{User-Name}
(2)          --> test
(2)       EXPAND %{User-Password}
(2)          -->
(2)       Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(2)       reply::Cleartext-Password := test2020
(2)     } # update = noop
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = noop
(2)     } # policy filter_username = noop
(2)     [preprocess] = ok
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "test", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 157
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0x8222e2dd8320f712
(2) eap: Finished EAP session with state 0x8222e2dd8320f712
(2) eap: Previous EAP request found for state 0x8222e2dd8320f712, released
from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: [eaptls verify] = ok
(2) eap_ttls: Done initial handshake
(2) eap_ttls: (other): before/accept initialization
(2) eap_ttls: TLS_accept: before/accept initialization
(2) eap_ttls: <<< recv TLS 1.2  [length 0092]
(2) eap_ttls: TLS_accept: SSLv3 read client hello A
(2) eap_ttls: >>> send TLS 1.2  [length 0037]
(2) eap_ttls: TLS_accept: SSLv3 write server hello A
(2) eap_ttls: >>> send TLS 1.2  [length 08d3]
(2) eap_ttls: TLS_accept: SSLv3 write certificate A
(2) eap_ttls: >>> send TLS 1.2  [length 014d]
(2) eap_ttls: TLS_accept: SSLv3 write key exchange A
(2) eap_ttls: >>> send TLS 1.2  [length 0004]
(2) eap_ttls: TLS_accept: SSLv3 write server done A
(2) eap_ttls: TLS_accept: SSLv3 flush data
(2) eap_ttls: TLS_accept: SSLv3 read client certificate A
(2) eap_ttls: TLS_accept: Need to read more data: SSLv3 read client key
exchange A
(2) eap_ttls: TLS - In Handshake Phase
(2) eap_ttls: TLS - got 2671 bytes of data
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1004
(2) eap: EAP session adding &reply:State = 0x8222e2dd8021f712
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found.  Ignoring.
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 62 from 10.10.12.37:1812 to 172.16.1.126:59647
length 0
(2)   EAP-Message =
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
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0x8222e2dd8021f71204a77c7c67b196c6
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 63 from 172.16.1.126:59647 to
10.10.12.37:1812 length 202
(3)   User-Name = "test"
(3)   Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(3)   NAS-IP-Address = 172.16.1.126
(3)   NAS-Port = 76
(3)   Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(3)   Service-Type = Framed-User
(3)   Framed-MTU = 1400
(3)   NAS-Port-Type = Wireless-802.11
(3)   NAS-Identifier = "60-D0-2C-57-EE-68"
(3)   Connect-Info = "CONNECT 802.11g/n"
(3)   EAP-Message = 0x020300061500
(3)   State = 0x8222e2dd8021f71204a77c7c67b196c6
(3)   Ruckus-SSID = "RuckusAP"
(3)   Message-Authenticator = 0xb5e54eb6b4ea1b6ffe6c3f223fe1c187
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3)   authorize {
(3)     update {
(3)       Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -c:
(3)       EXPAND %{User-Name}
(3)          --> test
(3)       EXPAND %{User-Password}
(3)          -->
(3)       Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(3)       control::Cleartext-Password := test2020
(3)       Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -v:
(3)       EXPAND %{User-Name}
(3)          --> test
(3)       EXPAND %{User-Password}
(3)          -->
(3)       Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(3)       reply::Cleartext-Password := test2020
(3)     } # update = noop
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = noop
(3)     } # policy filter_username = noop
(3)     [preprocess] = ok
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "test", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0x8222e2dd8021f712
(3) eap: Finished EAP session with state 0x8222e2dd8021f712
(3) eap: Previous EAP request found for state 0x8222e2dd8021f712, released
from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: Peer ACKed our handshake fragment
(3) eap_ttls: [eaptls verify] = request
(3) eap_ttls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 1004
(3) eap: EAP session adding &reply:State = 0x8222e2dd8126f712
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found.  Ignoring.
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 63 from 10.10.12.37:1812 to 172.16.1.126:59647
length 0
(3)   EAP-Message =
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
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0x8222e2dd8126f71204a77c7c67b196c6
(3) Finished request
Waking up in 4.7 seconds.
(4) Received Access-Request Id 64 from 172.16.1.126:59647 to
10.10.12.37:1812 length 202
(4)   User-Name = "test"
(4)   Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(4)   NAS-IP-Address = 172.16.1.126
(4)   NAS-Port = 76
(4)   Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(4)   Service-Type = Framed-User
(4)   Framed-MTU = 1400
(4)   NAS-Port-Type = Wireless-802.11
(4)   NAS-Identifier = "60-D0-2C-57-EE-68"
(4)   Connect-Info = "CONNECT 802.11g/n"
(4)   EAP-Message = 0x020400061500
(4)   State = 0x8222e2dd8126f71204a77c7c67b196c6
(4)   Ruckus-SSID = "RuckusAP"
(4)   Message-Authenticator = 0x093e1f727ca94afec6717f09bc43aee4
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4)   authorize {
(4)     update {
(4)       Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -c:
(4)       EXPAND %{User-Name}
(4)          --> test
(4)       EXPAND %{User-Password}
(4)          -->
(4)       Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(4)       control::Cleartext-Password := test2020
(4)       Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -v:
(4)       EXPAND %{User-Name}
(4)          --> test
(4)       EXPAND %{User-Password}
(4)          -->
(4)       Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(4)       reply::Cleartext-Password := test2020
(4)     } # update = noop
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = noop
(4)     } # policy filter_username = noop
(4)     [preprocess] = ok
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "test", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 6
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0x8222e2dd8126f712
(4) eap: Finished EAP session with state 0x8222e2dd8126f712
(4) eap: Previous EAP request found for state 0x8222e2dd8126f712, released
from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: Continuing EAP-TLS
(4) eap_ttls: Peer ACKed our handshake fragment
(4) eap_ttls: [eaptls verify] = request
(4) eap_ttls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 693
(4) eap: EAP session adding &reply:State = 0x8222e2dd8627f712
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found.  Ignoring.
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 64 from 10.10.12.37:1812 to 172.16.1.126:59647
length 0
(4)   EAP-Message =
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
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0x8222e2dd8627f71204a77c7c67b196c6
(4) Finished request
Waking up in 4.6 seconds.
(5) Received Access-Request Id 65 from 172.16.1.126:59647 to
10.10.12.37:1812 length 328
(5)   User-Name = "test"
(5)   Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(5)   NAS-IP-Address = 172.16.1.126
(5)   NAS-Port = 76
(5)   Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(5)   Service-Type = Framed-User
(5)   Framed-MTU = 1400
(5)   NAS-Port-Type = Wireless-802.11
(5)   NAS-Identifier = "60-D0-2C-57-EE-68"
(5)   Connect-Info = "CONNECT 802.11g/n"
(5)   EAP-Message =
0x020500841500160303004610000042410461bc18599cd2f361905599c4636ac61727b555da6f37455d7d313e029edd9774b0eaaa6d3b08f7372c9aecc500cf84639a5b2fe4ad1c98ee25a0980ee8430629140303000101160303002800000000000000002af63b75129f24cd542b44457df4574b279ce8b0b746db09699c2950010b11ec
(5)   State = 0x8222e2dd8627f71204a77c7c67b196c6
(5)   Ruckus-SSID = "RuckusAP"
(5)   Message-Authenticator = 0x2c9ce0c4e8108f366296d2e408f7a4ef
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5)   authorize {
(5)     update {
(5)       Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -c:
(5)       EXPAND %{User-Name}
(5)          --> test
(5)       EXPAND %{User-Password}
(5)          -->
(5)       Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(5)       control::Cleartext-Password := test2020
(5)       Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -v:
(5)       EXPAND %{User-Name}
(5)          --> test
(5)       EXPAND %{User-Password}
(5)          -->
(5)       Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(5)       reply::Cleartext-Password := test2020
(5)     } # update = noop
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = noop
(5)     } # policy filter_username = noop
(5)     [preprocess] = ok
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "test", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 132
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0x8222e2dd8627f712
(5) eap: Finished EAP session with state 0x8222e2dd8627f712
(5) eap: Previous EAP request found for state 0x8222e2dd8627f712, released
from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: <<< recv TLS 1.2  [length 0046]
(5) eap_ttls: TLS_accept: SSLv3 read client key exchange A
(5) eap_ttls: <<< recv TLS 1.2  [length 0001]
(5) eap_ttls: <<< recv TLS 1.2  [length 0010]
(5) eap_ttls: TLS_accept: SSLv3 read finished A
(5) eap_ttls: >>> send TLS 1.2  [length 0001]
(5) eap_ttls: TLS_accept: SSLv3 write change cipher spec A
(5) eap_ttls: >>> send TLS 1.2  [length 0010]
(5) eap_ttls: TLS_accept: SSLv3 write finished A
(5) eap_ttls: TLS_accept: SSLv3 flush data
(5) eap_ttls: (other): SSL negotiation finished successfully
(5) eap_ttls: TLS - Connection Established
(5) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(5) eap_ttls: TLS-Session-Version = "TLS 1.2"
(5) eap_ttls: TLS - got 51 bytes of data
(5) eap_ttls: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 6 length 61
(5) eap: EAP session adding &reply:State = 0x8222e2dd8724f712
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found.  Ignoring.
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) session-state: Saving cached attributes
(5)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(5)   TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 65 from 10.10.12.37:1812 to 172.16.1.126:59647
length 0
(5)   EAP-Message =
0x0106003d158000000033140303000101160303002800000000000000000c85e97e31aa73051034e9862337dff0e87a52b73b047946e186ec08db0bab8d
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0x8222e2dd8724f71204a77c7c67b196c6
(5) Finished request
Waking up in 4.5 seconds.
(6) Received Access-Request Id 66 from 172.16.1.126:59647 to
10.10.12.37:1812 length 251
(6)   User-Name = "test"
(6)   Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(6)   NAS-IP-Address = 172.16.1.126
(6)   NAS-Port = 76
(6)   Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(6)   Service-Type = Framed-User
(6)   Framed-MTU = 1400
(6)   NAS-Port-Type = Wireless-802.11
(6)   NAS-Identifier = "60-D0-2C-57-EE-68"
(6)   Connect-Info = "CONNECT 802.11g/n"
(6)   EAP-Message =
0x020600371500170303002c00000000000000011c71cc3b155bab267a828307af32bc709dbaeaecc6b80fd05aa8e97cb2c6432b1795ee8d
(6)   State = 0x8222e2dd8724f71204a77c7c67b196c6
(6)   Ruckus-SSID = "RuckusAP"
(6)   Message-Authenticator = 0x9150701e62a079eebbe877e7e4a9c89f
(6) Restoring &session-state
(6)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES128-GCM-SHA256"
(6)   &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6)   authorize {
(6)     update {
(6)       Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -c:
(6)       EXPAND %{User-Name}
(6)          --> test
(6)       EXPAND %{User-Password}
(6)          -->
(6)       Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(6)       control::Cleartext-Password := test2020
(6)       Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -v:
(6)       EXPAND %{User-Name}
(6)          --> test
(6)       EXPAND %{User-Password}
(6)          -->
(6)       Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(6)       reply::Cleartext-Password := test2020
(6)     } # update = noop
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = noop
(6)     } # policy filter_username = noop
(6)     [preprocess] = ok
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "test", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 55
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0x8222e2dd8724f712
(6) eap: Finished EAP session with state 0x8222e2dd8724f712
(6) eap: Previous EAP request found for state 0x8222e2dd8724f712, released
from the list
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: Continuing EAP-TLS
(6) eap_ttls: [eaptls verify] = ok
(6) eap_ttls: Done initial handshake
(6) eap_ttls: [eaptls process] = ok
(6) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(6) eap_ttls: Got tunneled request
(6) eap_ttls:   EAP-Message = 0x0200000a0168616b616e
(6) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_ttls: Got tunneled identity of test
(6) eap_ttls: Setting default EAP type for tunneled EAP session
(6) eap_ttls: Sending tunneled request
(6) Virtual server inner-tunnel received request
(6)   EAP-Message = 0x0200000a0168616b616e
(6)   FreeRADIUS-Proxied-To = 127.0.0.1
(6)   User-Name = "test"
(6) WARNING: Outer and inner identities are the same.  User privacy is
compromised.
(6) server inner-tunnel {
(6)   # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(6)     authorize {
(6)       policy filter_username {
(6)         if (&User-Name) {
(6)         if (&User-Name)  -> TRUE
(6)         if (&User-Name)  {
(6)           if (&User-Name =~ / /) {
(6)           if (&User-Name =~ / /)  -> FALSE
(6)           if (&User-Name =~ /@[^@]*@/ ) {
(6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)           if (&User-Name =~ /\.\./ ) {
(6)           if (&User-Name =~ /\.\./ )  -> FALSE
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(6)           if (&User-Name =~ /\.$/)  {
(6)           if (&User-Name =~ /\.$/)   -> FALSE
(6)           if (&User-Name =~ /@\./)  {
(6)           if (&User-Name =~ /@\./)   -> FALSE
(6)         } # if (&User-Name)  = notfound
(6)       } # policy filter_username = notfound
(6)       [chap] = noop
(6)       [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "test", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)       [suffix] = noop
(6)       update control {
(6)         &Proxy-To-Realm := LOCAL
(6)       } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 0 length 10
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(6)       [eap] = ok
(6)     } # authorize = ok
(6)   Found Auth-Type = eap
(6)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6)     authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_md5 to process data
(6) eap_md5: Issuing MD5 Challenge
(6) eap: Sending EAP Request (code 1) ID 1 length 22
(6) eap: EAP session adding &reply:State = 0xfb738c1efb7288f2
(6)       [eap] = handled
(6)     } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6)   EAP-Message = 0x010100160410039a74cbba1e0639cb6ef0d5de63f3d5
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xfb738c1efb7288f2701021cb605e5eb7
(6) eap_ttls: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 7 length 71
(6) eap: EAP session adding &reply:State = 0x8222e2dd8425f712
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found.  Ignoring.
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) session-state: Saving cached attributes
(6)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(6)   TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 66 from 10.10.12.37:1812 to 172.16.1.126:59647
length 0
(6)   EAP-Message =
0x0107004715800000003d170303003800000000000000014b15de3a7cc2f3cc4f87e27dd20fb5b5e4c7abfce216cee56b856d7e1c3fc11180402063e9c315c3dd28e602e84772a5
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0x8222e2dd8425f71204a77c7c67b196c6
(6) Finished request
Waking up in 4.4 seconds.
(7) Received Access-Request Id 67 from 172.16.1.126:59647 to
10.10.12.37:1812 length 263
(7)   User-Name = "test"
(7)   Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(7)   NAS-IP-Address = 172.16.1.126
(7)   NAS-Port = 76
(7)   Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(7)   Service-Type = Framed-User
(7)   Framed-MTU = 1400
(7)   NAS-Port-Type = Wireless-802.11
(7)   NAS-Identifier = "60-D0-2C-57-EE-68"
(7)   Connect-Info = "CONNECT 802.11g/n"
(7)   EAP-Message =
0x02070043150017030300380000000000000002bb5188202ca0c38e9b84b7ed3bbbf8c789809017277b71168ce763db7f64153917cf809269f593d158e21be543b3cc41
(7)   State = 0x8222e2dd8425f71204a77c7c67b196c6
(7)   Ruckus-SSID = "RuckusAP"
(7)   Message-Authenticator = 0xf78013ae60f9b978a588b0e3b0ea7b28
(7) Restoring &session-state
(7)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES128-GCM-SHA256"
(7)   &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7)   authorize {
(7)     update {
(7)       Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -c:
(7)       EXPAND %{User-Name}
(7)          --> test
(7)       EXPAND %{User-Password}
(7)          -->
(7)       Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(7)       control::Cleartext-Password := test2020
(7)       Executing: /usr/bin/myauthscript '%{User-Name}'
'%{User-Password}' -v:
(7)       EXPAND %{User-Name}
(7)          --> test
(7)       EXPAND %{User-Password}
(7)          -->
(7)       Program returned code (0) and output 'Cleartext-Password :=
"test2020"'
(7)       reply::Cleartext-Password := test2020
(7)     } # update = noop
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = noop
(7)     } # policy filter_username = noop
(7)     [preprocess] = ok
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "test", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 67
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0xfb738c1efb7288f2
(7) eap: Finished EAP session with state 0x8222e2dd8425f712
(7) eap: Previous EAP request found for state 0x8222e2dd8425f712, released
from the list
(7) eap: Peer sent packet with method EAP TTLS (21)
(7) eap: Calling submodule eap_ttls to process data
(7) eap_ttls: Authenticate
(7) eap_ttls: Continuing EAP-TLS
(7) eap_ttls: [eaptls verify] = ok
(7) eap_ttls: Done initial handshake
(7) eap_ttls: [eaptls process] = ok
(7) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(7) eap_ttls: Got tunneled request
(7) eap_ttls:   EAP-Message = 0x020100160410afb4be13e0362d8e30108e61c594b759
(7) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_ttls: Sending tunneled request
(7) Virtual server inner-tunnel received request
(7)   EAP-Message = 0x020100160410afb4be13e0362d8e30108e61c594b759
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "test"
(7)   State = 0xfb738c1efb7288f2701021cb605e5eb7
(7) WARNING: Outer and inner identities are the same.  User privacy is
compromised.
(7) server inner-tunnel {
(7)   session-state: No cached attributes
(7)   # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(7)     authorize {
(7)       policy filter_username {
(7)         if (&User-Name) {
(7)         if (&User-Name)  -> TRUE
(7)         if (&User-Name)  {
(7)           if (&User-Name =~ / /) {
(7)           if (&User-Name =~ / /)  -> FALSE
(7)           if (&User-Name =~ /@[^@]*@/ ) {
(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)           if (&User-Name =~ /\.\./ ) {
(7)           if (&User-Name =~ /\.\./ )  -> FALSE
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(7)           if (&User-Name =~ /\.$/)  {
(7)           if (&User-Name =~ /\.$/)   -> FALSE
(7)           if (&User-Name =~ /@\./)  {
(7)           if (&User-Name =~ /@\./)   -> FALSE
(7)         } # if (&User-Name)  = notfound
(7)       } # policy filter_username = notfound
(7)       [chap] = noop
(7)       [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "test", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)       [suffix] = noop
(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 1 length 22
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)       [eap] = updated
(7)       [files] = noop
(7)       [expiration] = noop
(7)       [logintime] = noop
(7)       [pap] = noop
(7)     } # authorize = updated
(7)   Found Auth-Type = eap
(7)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7)     authenticate {
(7) eap: Expiring EAP session with state 0xfb738c1efb7288f2
(7) eap: Finished EAP session with state 0xfb738c1efb7288f2
(7) eap: Previous EAP request found for state 0xfb738c1efb7288f2, released
from the list
(7) eap: Peer sent packet with method EAP MD5 (4)
(7) eap: Calling submodule eap_md5 to process data
(7) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5
authentication
(7) eap: ERROR: Failed continuing EAP MD5 (4) session.  EAP sub-module
failed
(7) eap: Sending EAP Failure (code 4) ID 1 length 4
(7) eap: Failed in EAP select
(7)       [eap] = invalid
(7)     } # authenticate = invalid
(7)   Failed to authenticate the user
(7)   Using Post-Auth-Type Reject
(7)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7)     Post-Auth-Type REJECT {
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject:    --> test
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7)       [attr_filter.access_reject] = updated
(7)       update outer.session-state {
(7)         &Module-Failure-Message := &request:Module-Failure-Message ->
'eap_md5: Cleartext-Password is required for EAP-MD5 authentication'
(7)       } # update outer.session-state = noop
(7)     } # Post-Auth-Type REJECT = updated
(7)   EXPAND LOGIN_FAILED
(7)      --> LOGIN_FAILED
(7)   Login incorrect (eap_md5: Cleartext-Password is required for EAP-MD5
authentication): [test] (from client ruckus port 0 via TLS tunnel)
LOGIN_FAILED
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7)   EAP-Message = 0x04010004
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_ttls: Got tunneled Access-Reject
(7) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module
failed
(7) eap: Sending EAP Failure (code 4) ID 7 length 4
(7) eap: Failed in EAP select
(7)     [eap] = invalid
(7)   } # authenticate = invalid
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7)   Post-Auth-Type REJECT {
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject:    --> test
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7)     [attr_filter.access_reject] = updated
(7)     [eap] = noop
(7)     policy remove_reply_message_if_eap {
(7)       if (&reply:EAP-Message && &reply:Reply-Message) {
(7)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(7)       else {
(7)         [noop] = noop
(7)       } # else = noop
(7)     } # policy remove_reply_message_if_eap = noop
(7)   } # Post-Auth-Type REJECT = updated
(7) EXPAND LOGIN_FAILED
(7)    --> LOGIN_FAILED
(7) Login incorrect (eap: Failed continuing EAP TTLS (21) session.  EAP
sub-module failed): [test] (from client ruckus port 76 cli
C4-9F-4C-E3-07-3A) LOGIN_FAILED
(7) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(7) Sending delayed response
(7) Sent Access-Reject Id 67 from 10.10.12.37:1812 to 172.16.1.126:59647
length 44
(7)   EAP-Message = 0x04070004
(7)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.3 seconds.
(0) Cleaning up request packet ID 60 with timestamp +3
(1) Cleaning up request packet ID 61 with timestamp +3
(2) Cleaning up request packet ID 62 with timestamp +3
(3) Cleaning up request packet ID 63 with timestamp +3
(4) Cleaning up request packet ID 64 with timestamp +3
(5) Cleaning up request packet ID 65 with timestamp +3
(6) Cleaning up request packet ID 66 with timestamp +4
(7) Cleaning up request packet ID 67 with timestamp +4

Lang, Russell <Russell.Lang at team.telstra.com>, 7 Şub 2020 Cum, 08:12
tarihinde şunu yazdı:

> We used to do this, but moved away from it.  Our external program was a
> Python script, and the startup time for each authentication was too long.
>
> If you must do 802.1x EAP using this method, then note that EAP is handled
> by default site, while MSCHAP is handled by inner-tunnel site.  In the
> inner-tunnel, you can exec a program and give it the MSCHAP challenge and
> response, validate that against NT-Password that you have stored, and
> return the NT session key back to FreeRADIUS.  This involves implementing
> MSCHAP code that already exists in FreeRADIUS.
>
> The simpler alternative that we are now using is to call a REST API from
> FreeRADIUS during authorisation (really pre-auth) and return the
> NT-Password, letting FreeRADIUS do all the EAP / PAP / MSCHAPv2 stuff
> during authentication.
> See my previous emails to this list on rlm_rest, but note that some of the
> information I wrote I have now discovered wasn't correct.
>
> Regards,
> Russell Lang
>
>
> -----Original Message-----
> From: Freeradius-Users <freeradius-users-bounces+russell.lang=
> team.telstra.com at lists.freeradius.org> On Behalf Of Vertigo Vertigo
> Sent: Friday, 7 February 2020 04:36
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius External Script Auth.
>
> [External Email] This email was sent from outside the organisation – be
> cautious, particularly with links and attachments.
>
> Hi Freeradius people,
> I want to authorize users that connect to AP with my external script.
> Because I have multiple data sources (multiple Active Directory, another
> API, etc.) and I want to make authorization decisions using these data
> sources as I see fit. That's why I'm using an external script for
> authorization. I updated /etc/raddb/sites-enabled/default's authorize section;
>
> authorize{
>
> update {
>
> control: += `/usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -c`
>
> reply: += `/usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -v`
>
> }
>
>
> When I run "radtest" with PAP method, everything is OK, I have "User-Name"
> and "User-Password" attributes,  I'm able to authorize users etc. However,
> when I make tests with an AP with 802.1x EAP method, there is no
> cleartext password (User-Password) and I cannot make authorization. My
> question is how can I make authorization without "User-Password" attribute.
> As I said, I have cleartext passwords in my data sources, so I can hash
> them and compare with other hash that a client sent. How can I perform this
> operation with EAP, CHAP, MSCHAP etc. methods?
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

