Hello!

I am working on implementing *freeradius* with a Cisco 3750 switch connected to *freeradius*, which then talks to AD. (The Linux box is on the AD domain.)

Anyway, we are trying to do VLAN assignment by using the 'users' file. We created a user named 'test' on my AD server, and we created this section in the users file:

test    Auth-Type := MS-CHAP
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 2

The user is correctly authenticated by AD, but he is put in the default VLAN (id 1) and not in the VLAN defined in the 'users' file (id 2).

By the way, reading the radiusd output, I think that freeradius does not read my users file... I didn't see anything in the log about the Tunnel-Type or Tunnel-Private-Group-Id information...

Anyone have any thoughts?

Regards
Bruno

    Message-Authenticator = 0xa309657e84ce8131d67aa64d9a491059
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
users: Matched entry DEFAULT at line 165
users: Matched entry DEFAULT at line 184
modcall[authorize]: module "files" returns ok for request 6
rlm_eap: EAP packet type response id 6 length 90
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall[authorize]: module "mschap" returns noop for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type MS-CHAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Setting User-Name to CSB\test
PEAP: Adding old state with 86 79
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
users: Matched entry DEFAULT at line 165
modcall[authorize]: module "files" returns ok for request 6
rlm_eap: EAP packet type response id 6 length 67
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall[authorize]: module "mschap" returns noop for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type MS-CHAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain'
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: 9a
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --domain=CSB --username=test --challenge=0529c10bac22a3fa --nt-response=4b1e21679b85263858da26874073491971a58f8bfc024456'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=CSB --username=test --challenge=0529c10bac22a3fa --nt-response=4b1e21679b85263858da26874073491971a58f8bfc024456
Exec-Program output: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program-Wait: plaintext: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module "mschap" returns ok for request 6
modcall: group Auth-Type returns ok for request 6
MSCHAP Success
modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 138 to 192.168.16.1:1645
    Framed-IP-Address = 255.255.255.254
    Framed-MTU = 576
    Service-Type = Framed-User
    EAP-Message = 0x0107004a1900170301003f58b6111cc333922058a5d79f63641e19ae7154e3504573da98346c88f080fe8ee04ad4b50f3cdc52fd02e8909b9f8f9a439730b7cee4654c18135432e651e7
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x1f45be689bd5bd8a6d8ace2af886bb6c
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=139, length=165
    NAS-IP-Address = 192.168.16.1
    NAS-Port = 50147
    NAS-Port-Type = Ethernet
    User-Name = "CSB\\test"
    Called-Station-Id = "00-17-5A-1B-28-B3"
    Calling-Station-Id = "00-04-75-85-8F-61"
    Service-Type = Framed-User
    Framed-MTU = 1500
    State = 0x1f45be689bd5bd8a6d8ace2af886bb6c
    EAP-Message = 0x0207001d19001703010012b8f868205426ef722e2433e5defa62455113
    Message-Authenticator = 0x2e5a0be42b038b2404f5c93ea27d5387
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
users: Matched entry DEFAULT at line 165
users: Matched entry DEFAULT at line 184
modcall[authorize]: module "files" returns ok for request 7
rlm_eap: EAP packet type response id 7 length 29
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
modcall[authorize]: module "mschap" returns noop for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type MS-CHAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Setting User-Name to CSB\test
PEAP: Adding old state with a8 0f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
users: Matched entry DEFAULT at line 165
modcall[authorize]: module "files" returns ok for request 7
rlm_eap: EAP packet type response id 7 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
modcall[authorize]: module "mschap" returns noop for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type MS-CHAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 7
modcall: group authenticate returns ok for request 7
Trying to look up name of unknown client 127.0.0.1.
Login OK: [CSB\\test/<no User-Password attribute>] (from client UNKNOWN-CLIENT port 0)
PEAP: Tunneled authentication was successful.
rlm_eap_peap: SUCCESS
modcall[authenticate]: module "eap" returns handled for request 7
modcall: group authenticate returns handled for request 7
Sending Access-Challenge of id 139 to 192.168.16.1:1645
    Framed-IP-Address = 255.255.255.254
    Framed-MTU = 576
    Service-Type = Framed-User
    EAP-Message = 0x010800261900170301001b8d03a63c700234ed33060b7b6b9274d27b9e872a002e885ab9ebf3
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x5a28f8fd3d7fde4a88411d022625e022
Finished request 7
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=140, length=174
    NAS-IP-Address = 192.168.16.1
    NAS-Port = 50147
    NAS-Port-Type = Ethernet
    User-Name = "CSB\\test"
    Called-Station-Id = "00-17-5A-1B-28-B3"
    Calling-Station-Id = "00-04-75-85-8F-61"
    Service-Type = Framed-User
    Framed-MTU = 1500
    State = 0x5a28f8fd3d7fde4a88411d022625e022
    EAP-Message = 0x020800261900170301001b44c1c9880e33cd6e472ba624ff53ee4f53e1588d0da394c02c0522
    Message-Authenticator = 0x50fd41edb7beeee318cfd915201602f4
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "chap" returns noop for request 8
rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
users: Matched entry DEFAULT at line 165
users: Matched entry DEFAULT at line 184
modcall[authorize]: module "files" returns ok for request 8
rlm_eap: EAP packet type response id 8 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
modcall[authorize]: module "mschap" returns noop for request 8
modcall: group authorize returns updated for request 8
rad_check_password: Found Auth-Type MS-CHAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Success
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 8
modcall: group authenticate returns ok for request 8
Login OK: [CSB\\test/<no User-Password attribute>] (from client reseau16 port 50147 cli 00-04-75-85-8F-61)
Sending Access-Accept of id 140 to 192.168.16.1:1645
    Framed-IP-Address = 255.255.255.254
    Framed-MTU = 576
    Service-Type = Framed-User
    MS-MPPE-Recv-Key = 0xf1a6b62d3814b8fc8f3ac5601a89ddacc1c47c4387e21b35fe33bdbffaf15486
    MS-MPPE-Send-Key = 0x1ba3df6508e8c7f03112980ae8e1255bfec5c05ab397c927a9b56be7335714fd
    EAP-Message = 0x03080004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "CSB\\test"
Finished request 8
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 132 with timestamp 45f0c882
Cleaning up request 1 ID 133 with timestamp 45f0c882
Cleaning up request 2 ID 134 with timestamp 45f0c882
Cleaning up request 3 ID 135 with timestamp 45f0c882
Cleaning up request 4 ID 136 with timestamp 45f0c882
Cleaning up request 5 ID 137 with timestamp 45f0c882
Cleaning up request 6 ID 138 with timestamp 45f0c882
Cleaning up request 7 ID 139 with timestamp 45f0c882
Cleaning up request 8 ID 140 with timestamp 45f0c882
Nothing to do. Sleeping until we see a request.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
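
An added example, not part of the original post or of FreeRADIUS: a Python check that reads radiusd debug output in the format shown above, lists which 'users' entries matched, and reports which of the three VLAN attributes are absent from each Access-Accept. The function and variable names are hypothetical, the sample is an excerpt of the log above, and the optional ":tag" suffix on attribute names is an assumption about how tagged tunnel attributes are printed.

```python
import re

# Excerpt of the debug log from the post above; attribute lines indented.
SAMPLE_LOG = r'''
users: Matched entry DEFAULT at line 165
users: Matched entry DEFAULT at line 184
modcall[authorize]: module "files" returns ok for request 8
Login OK: [CSB\\test/<no User-Password attribute>] (from client reseau16 port 50147 cli 00-04-75-85-8F-61)
Sending Access-Accept of id 140 to 192.168.16.1:1645
    Framed-IP-Address = 255.255.255.254
    Framed-MTU = 576
    Service-Type = Framed-User
    EAP-Message = 0x03080004
    User-Name = "CSB\\test"
Finished request 8
'''

VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")
MATCH_RE = re.compile(r"^users: Matched entry (\S+) at line (\d+)")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+)")
# Attribute line; an optional ":<tag>" after the name is tolerated (assumption).
ATTR_RE = re.compile(r"^\s*([A-Za-z][\w-]*)(?::\d+)? = (.*)$")

def audit(log_text):
    """Return (matched 'users' entries, one report per Access-Accept)."""
    matched, accepts, current = [], [], None
    for line in log_text.splitlines():
        m, s, a = MATCH_RE.match(line), SEND_RE.match(line), ATTR_RE.match(line)
        if m:
            matched.append((m.group(1), int(m.group(2))))
        if s and s.group(1) == "Access-Accept":
            current = {"id": int(s.group(2)), "attrs": {}}
            accepts.append(current)
        elif a and current is not None:
            current["attrs"][a.group(1)] = a.group(2)
        else:
            current = None  # any other line ends the reply attribute list
    for acc in accepts:
        acc["missing_vlan_attrs"] = [n for n in VLAN_ATTRS if n not in acc["attrs"]]
    return matched, accepts

if __name__ == "__main__":
    entries, replies = audit(SAMPLE_LOG)
    print("users entries matched:", entries)
    for r in replies:
        print("Access-Accept id", r["id"], "missing:", r["missing_vlan_attrs"])
```

On the excerpt, the only 'users' entries reported are the two DEFAULT ones, and the Access-Accept with id 140 carries none of the three tunnel attributes.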