why is Called-Station-SSID not processed?

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

why is Called-Station-SSID not processed?

Zeus Panchenko
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hi,

I configured FR v.3.0.9 against LDAP and can successfully auth with EAPMD5/TLS/TTLS+PAP

now I want to add check for Called-Station-SSID and am failing ...

please, help me to understand what I miss?

as you can see from debug bellow, configured in LDAP Called-Station-SSID
(via radiusCheckItem as well as via mapped attribute) is ignored, and
client is granted access

I hoped if I set radiusCheckItem: Called-Station-SSID := 'SSID_ALLOWED'
then check will be performed against Called-Station-SSID value processed
- From Called-Station-Id

what is wrong?

here is debug:

- ---[ quotation start ]-------------------------------------------
(6) Received Access-Request Id 16 from 192.168.0.1:46326 to 192.168.0.254:1812 length 314
(6)   User-Name = "jdoe"
(6)   NAS-Identifier = "jdoe.wrt"
(6)   Called-Station-Id = "9A-46-5E-3B-A1-0E:SSID_REQUESTED"
(6)   NAS-Port-Type = Wireless-802.11
(6)   NAS-Port = 1
(6)   Calling-Station-Id = "73-62-0A-DA-7C-5A"
(6)   Connect-Info = "CONNECT 54Mbps 802.11g"
(6)   Acct-Session-Id = "55BE1E6B-0000001C"
(6)   Framed-MTU = 1400
(6)   EAP-Message = 0x0223008015001703010020b9f3cc80bf61ea3ab2b9ad0e3d5492f814652d30a19f2a0d562832d6db02468f1703010050e426680ec3a1a7db12904734432af8744492e725b6689affce7e093ed666bc0c3338fb8d3fd12d2eaca8b304c373e8e1d42f14db0683b1f4de08004
67ff2d302e44d864249a30d
(6)   State = 0x1df02c2d18d339202ca9dbdadeae133a
(6)   Message-Authenticator = 0x7e5712cf45d3b99b42e4b80452950d1a
(6) session-state: No cached attributes
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(6)   authorize {
(6)     [preprocess] = ok
(6)     policy rewrite_calling_station_id {
(6)       if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(6)       if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)  -> TRUE
(6)       if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)  {
(6)         update request {
(6)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(6)              --> 73-62-0A-DA-7C-5A
(6)           &Calling-Station-Id := 73-62-0A-DA-7C-5A
(6)         } # update request = noop
(6)         [updated] = updated
(6)       } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)  = updated
(6)       ... skipping else for request 6: Preceding "if" was taken
(6)     } # policy rewrite_calling_station_id = updated
(6) auth_log: EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(6) auth_log:    --> /var/log/radacct/192.168.0.1/auth-detail-20150803
(6) auth_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/192.168.0.1/auth-detail-20150803
(6) auth_log: EXPAND %t
(6) auth_log:    --> Mon Aug  3 23:46:13 2015
(6)     [auth_log] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "jdoe", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) ntdomain: Checking for prefix before "\"
(6) ntdomain: No '\' in User-Name = "jdoe", looking up realm NULL
(6) ntdomain: No such realm "NULL"
(6)     [ntdomain] = noop
(6)     policy rewrite_called_station_id {
(6)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(6)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(6)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(6)         update request {
(6)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(6)              --> 9A-46-5E-3B-A1-0E
(6)           &Called-Station-Id := 9A-46-5E-3B-A1-0E
(6)         } # update request = noop
(6)         if ("%{8}") {
(6)            --> SSID_REQUESTED
(6)         if ("%{8}")  -> TRUE
(6)         if ("%{8}")  {
(6)           update request {
(6)             EXPAND %{8}
(6)                --> SSID_REQUESTED
(6)             &Called-Station-SSID := SSID_REQUESTED
(6)           } # update request = noop
(6)         } # if ("%{8}")  = noop
(6)         [updated] = updated
(6)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(6)       ... skipping else for request 6: Preceding "if" was taken
(6)     } # policy rewrite_called_station_id = updated
(6) eap: Peer sent EAP Response (code 2) ID 35 length 128
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0x1df02c2d18d33920
(6) eap: Finished EAP session with state 0x1df02c2d18d33920
(6) eap: Previous EAP request found for state 0x1df02c2d18d33920, released from the list
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: Continuing EAP-TLS
(6) eap_ttls: Done initial handshake
(6) eap_ttls: [eaptls process] = ok
(6) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(6) eap_ttls: Got tunneled request
(6) eap_ttls:   User-Name = "jdoe"
(6) eap_ttls:   User-Password = "jdoe"
(6) eap_ttls: Sending tunneled request
(6) Virtual server inner-tunnel received request
(6)   User-Name = "jdoe"
(6)   User-Password = "jdoe"
(6) server inner-tunnel {
(6)   # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6)     authorize {
(6)       [chap] = noop
(6)       [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "jdoe", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)       [suffix] = noop
(6) ntdomain: Checking for prefix before "\"
(6) ntdomain: No '\' in User-Name = "jdoe", looking up realm NULL
(6) ntdomain: No such realm "NULL"
(6)       [ntdomain] = noop
(6)       update control {
(6)         &Proxy-To-Realm := LOCAL
(6)       } # update control = noop
(6) eap: No EAP-Message, not doing EAP
(6) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}:-%{Calling-Station-Id}}
(6) files:    --> jdoe
(6)       [files] = noop
rlm_ldap (ldap): Reserved connection (2)
(6) ldap: EXPAND (|(&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(|(authorizedService=802.1x@xyz)(authorizedService=802.1x-mac@xyz)))(&(cn=%{User-Name})(authorizedService=802.1x-eap-tls@xyz)))
(6) ldap:    --> (|(&(cn=jdoe)(|(authorizedService=802.1x@xyz)(authorizedService=802.1x-mac@xyz)))(&(cn=jdoe)(authorizedService=802.1x-eap-tls@xyz)))
(6) ldap: Performing search in "ou=People,dc=xyz" with filter "(|(&(cn=jdoe)(|(authorizedService=802.1x@xyz)(authorizedService=802.1x-mac@xyz)))(&(cn=jdoe)(authorizedService=802.1x-eap-tls@xyz)))", scope "sub"
(6) ldap: Waiting for search result...
(6) ldap: User object found at DN "uid=jdoe,authorizedService=802.1x-eap-tls@xyz,uid=jdoe,ou=People,dc=xyz"
(6) ldap: Performing search in "cn=wifi-xyz,ou=profiles,ou=RADIUS,dc=xyz" with filter "(objectclass=radiusprofile)", scope "base"
(6) ldap: Waiting for search result...
(6) ldap: Processing profile attributes
(6) ldap:   control:Called-Station-SSID := 'SSID_ALLOWED'
(6) ldap:   reply:Session-Timeout := 900
(6) ldap:   reply:Reply-Message := 'You have entered SSID: SSID_ALLOWED.'
(6) ldap:   reply:Tunnel-Type := VLAN
(6) ldap:   reply:Tunnel-Medium-Type := IEEE-802
(6) ldap:   reply:Tunnel-Private-Group-Id := '3481'
(6) ldap: Processing user attributes
(6) ldap:   control:Cleartext-Password := 'jdoe'
(6) ldap:   control:Password-With-Header += 'jdoe'
rlm_ldap (ldap): Released connection (2)
(6)       [ldap] = updated
(6)       [expiration] = noop
(6)       [logintime] = noop
(6) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password).  Ignoring &config:Password-With-Header
(6)       [pap] = updated
(6)     } # authorize = updated
(6)   Found Auth-Type = PAP
(6)   # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6)     Auth-Type PAP {
(6) pap: Login attempt with password
(6) pap: Comparing with "known good" Cleartext-Password
(6) pap: User authenticated successfully
(6)       [pap] = ok
(6)     } # Auth-Type PAP = ok
(6)   # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6)   Login OK: [jdoe] (from client office021.xyz port 0 via TLS tunnel)
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6)   Session-Timeout := 900
(6)   Reply-Message := "You have entered SSID: SSID_ALLOWED."
(6)   Tunnel-Type := VLAN
(6)   Tunnel-Medium-Type := IEEE-802
(6)   Tunnel-Private-Group-Id := "3481"
(6) eap_ttls: Got tunneled Access-Accept
(6) eap_ttls: No information to cache: session caching will be disabled for session e5b5fc820be72baebe838286f4df80848a5bfadd06493077391aec818504665c
(6) eap: Sending EAP Success (code 3) ID 35 length 4
(6) eap: Freeing handler
(6)     [eap] = ok
(6)   } # authenticate = ok
(6) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(6)   post-auth {
(6)     update {
(6)       No attributes updated
(6)     } # update = noop
(6)     [exec] = noop
(6)     policy remove_reply_message_if_eap {
(6)       if (&reply:EAP-Message && &reply:Reply-Message) {
(6)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(6)       else {
(6)         [noop] = noop
(6)       } # else = noop
(6)     } # policy remove_reply_message_if_eap = noop
(6)   } # post-auth = noop
(6) Login OK: [jdoe] (from client office021.xyz port 1 cli 73-62-0A-DA-7C-5A)
(6) Sent Access-Accept Id 16 from 192.168.0.254:1812 to 192.168.0.1:46326 length 0
(6)   MS-MPPE-Recv-Key = 0x27eec264980471ed15d7d03785d
- ---[ quotation end   ]-------------------------------------------

- --
Zeus V. Panchenko jid:[hidden email]
IT Dpt., I.B.S. LLC  GMT+2 (EET)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlW/2d4ACgkQr3jpPg/3oyqEzACfUULFrfgIzzcthj1sFXAMRRyO
88wAn3BMNcG+3d+1F9EMiomikUXuydbY
=tj42
-----END PGP SIGNATURE-----
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users