On Mon, May 5, 2008 at 9:48 AM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Andrew Olson wrote:
> > Is it safe to assume that the config below is correct? If so, is FR
> > just not behaving in the manner that I expect?
>
> I suggest tracing execution to see what it's doing, and why.
>

Here is the pertinent part of the trace output. As you can see, I am able to parse the Cert SN and put it back on the request. However, my perl module never gets called in authenticate. Is this because eap returns handled? If not, is this a bug/feature? Maybe someone can explain.

Thanks again,
Andrew

Waking up in 4.6 seconds.
        User-Name = "anolson"
        Framed-MTU = 1400
        Called-Station-Id = "0017.0fdf.c600"
        Calling-Station-Id = "0018.deb3.5e5c"
        Cisco-AVPair = "ssid=ANDREW_LAN"
        Service-Type = Login-User
        Message-Authenticator = 0x3eddf4e0408c74279b1bf0c90f17d90c
        EAP-Message = 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
        EAP-Message = 0x140301000101160301002038b4b73a0064fffa192447f8343e4db08cfbb94092e8c7824af742a89102dc98
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "21961"
        NAS-Port = 21961
        State = 0x20bb0b6025b30687e24095e89d3b3f84
        NAS-IP-Address = 128.173.9.86
        NAS-Identifier = "[EMAIL PROTECTED]"
+- entering group authorize
++[mschap] returns noop
  rlm_eap: EAP packet type response id 8 length 253
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group EAP
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0afa], Certificate
chain-depth=2, error=0
--> User-Name = anolson
--> BUF-Name = ô?ηf$Å¿??Å¿ý?Á·<?Å¿h?Å¿f$Å¿?%Å¿ô?η<?Å¿h?Å¿(?Å¿ô¤À·<?Å¿?!???%Å¿h?Å¿
--> subject = /DC=edu/DC=vt/DC=cns/C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Communications Network Services/OU=Research and Development Root CA
--> issuer = /DC=edu/DC=vt/DC=cns/C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Communications Network Services/OU=Research and Development Root CA
--> verify return:1
chain-depth=1, error=0
--> User-Name = anolson
--> BUF-Name = ô?ηf$Å¿??Å¿ý?Á·<?Å¿h?Å¿f$Å¿?%Å¿ô?η<?Å¿h?Å¿(?Å¿ô¤À·<?Å¿?!???%Å¿h?Å¿
--> subject = /C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Communications Network Services/OU=Research and Development Remote Access CA/DC=edu/DC=vt/DC=cns/serialNumber=3
--> issuer = /DC=edu/DC=vt/DC=cns/C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Communications Network Services/OU=Research and Development Root CA
--> verify return:1
Adding Cert SN to request -> 1
Added Cert SN to request
expand: %{User-Name} -> anolson
  rlm_eap_tls: checking certificate CN (anolson) with xlat'ed value (anolson)
chain-depth=0, error=0
--> User-Name = anolson
--> BUF-Name = anolson
--> subject = /CN=anolson
--> issuer = /C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Communications Network Services/OU=Research and Development Remote Access CA/DC=edu/DC=vt/DC=cns/serialNumber=3
--> verify return:1
    TLS_accept: SSLv3 read client certificate A
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
    TLS_accept: SSLv3 read certificate verify A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
++[eap] returns handled
        EAP-Message = 0x010900350d800000002b140301000101160301002077887a2e41256c9e6b5b1af900d1da1b0cab25ba320348e52fe15c9a5ff56437
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x20bb0b6026b20687e24095e89d3b3f84
Finished request 7.
Going to the next request
>
> Alan DeKok.
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
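The question in the message above is really about which module return codes appear in which section of the `radiusd -X` trace, and which configured modules never log a return code at all. The following is an added helper written for this page (it is not code from the thread, from Andrew Olson, or from the FreeRADIUS project) that parses that trace structure: `+- entering group NAME` opens a section and `++[module] returns rcode` records one module's result. The `SAMPLE_TRACE` is a constructed excerpt modelled on the lines quoted above, the `config` mapping is a hypothetical section layout supplied only to show which configured modules never ran, and `STOP_CODES` reflects the stock FreeRADIUS 2.x priorities under which `handled` (and the failure codes) end processing of the section.

```python
"""Summarise module return codes per section in a FreeRADIUS `radiusd -X` trace."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt (not a capture from the list archive) with the same line
# shapes radiusd -X prints: section headers, module results, and free-form lines.
SAMPLE_TRACE = """\
+- entering group authorize
++[mschap] returns noop
  rlm_eap: EAP packet type response id 8 length 253
++[eap] returns updated
rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group EAP
  rlm_eap: Request found, released from the list
  rlm_eap_tls: Authenticate
Adding Cert SN to request -> 1
Added Cert SN to request
SSL Connection Established
eaptls_process returned 13
++[eap] returns handled
Finished request 7.
"""

GROUP_RE = re.compile(r"^\+- entering group (\S+)")
MODULE_RE = re.compile(r"^\++\[(\S+)\] returns (\S+)")

# Return codes that, with the stock FreeRADIUS 2.x priorities, stop the
# section: no module listed after the one that produced them is called.
STOP_CODES = {"handled", "reject", "fail", "invalid", "userlock"}

Result = Tuple[str, str]            # (module, rcode)
Section = Tuple[str, List[Result]]  # (group name, ordered results)


def parse_trace(text: str) -> List[Section]:
    """Return the sections in trace order, each with its module results."""
    sections: List[Section] = []
    current: Optional[Section] = None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = (m.group(1), [])
            sections.append(current)
            continue
        m = MODULE_RE.match(line)
        if m and current is not None:
            current[1].append((m.group(1), m.group(2)))
    return sections


def first_stop(results: List[Result]) -> Optional[Result]:
    """The first (module, rcode) whose code ends the section, or None."""
    for module, rcode in results:
        if rcode in STOP_CODES:
            return (module, rcode)
    return None


def never_ran(expected: List[str], results: List[Result]) -> List[str]:
    """Configured modules that logged no return code in this section."""
    seen = {module for module, _ in results}
    return [module for module in expected if module not in seen]


def summarize(text: str, config: Dict[str, List[str]]) -> Dict[str, dict]:
    """Per section: results, the stopping module (if any), and unreached modules."""
    report: Dict[str, dict] = {}
    for group, results in parse_trace(text):
        report[group] = {
            "results": results,
            "stopped_by": first_stop(results),
            "never_ran": never_ran(config.get(group, []), results),
        }
    return report


if __name__ == "__main__":
    # Hypothetical layout: the poster's perl module listed after eap in the
    # Auth-Type EAP section. eap returning "handled" means perl is never reached.
    config = {"authorize": ["mschap", "eap"], "EAP": ["eap", "perl"]}
    for group, info in summarize(SAMPLE_TRACE, config).items():
        print(f"{group}: stopped_by={info['stopped_by']} never_ran={info['never_ran']}")
```

Run against a real `radiusd -X` capture, the `never_ran` list for each section is the quickest way to see whether a module was skipped because an earlier one returned a stopping code, as opposed to being absent from that section of the configuration altogether.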