t...@kalik.net wrote:
now I have just one output, this:

Exec-Program output: Tunnel-Private-Group-Id = vlan20

no need "/n"


That is OK.

and the users file contains:

DEFAULT auth-type = Accept
   Tunnel-Type = VLAN, # both are fixed, sent every time when accepted
   Tunnel-Medium-Type = IEEE-802

That is fine as well.

What has to change, because the Group-Id is not sent?

Can you post the configuration of the exec module that calls your script?
There should be output = reply in it.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Okay, let's see:

Here is the first setup, which does not work (Group-Id is not sent):

debug log:
+- entering group post-auth {...}
[get-vlan]     expand: %{mschap:User-Name} -> Hege
Exec-Program output: Tunnel-Private-Group-Id = 999
Exec-Program-Wait: value-pairs: Tunnel-Private-Group-Id = 999
Exec-Program: returned: 0
++[get-vlan] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   EAP-Message = 0x03090004
   Message-Authenticator = 0x00000000000000000000000000000000
   User-Name = "TEST\\Hege"
[peap] Got tunneled reply RADIUS code 2
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   EAP-Message = 0x03090004
   Message-Authenticator = 0x00000000000000000000000000000000
   User-Name = "TEST\\Hege"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 33 to 192.168.2.2 port 1812
   EAP-Message = 0x010a00261900170301001bb32c77d09f7f70675ba4f6ef975008f2807a19c9950a8bee9ea770
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0xfa60c880f36ad1ad83e4969de6c343b6
Finished request 9.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.2.2 port 1812, id=34, length=175
   NAS-IP-Address = 192.168.2.2
   NAS-Port = 50019
   NAS-Port-Type = Ethernet
   User-Name = "TEST\\Hege"
   Called-Station-Id = "00-0A-F4-2E-DF-13"
   Calling-Station-Id = "00-80-C8-CD-4F-31"
   Service-Type = Framed-User
   Framed-MTU = 1500
   State = 0xfa60c880f36ad1ad83e4969de6c343b6
   EAP-Message = 0x020a00261900170301001b21c0560fc73a5ff63ec05c899069439c4e57f7de1252f65f1ce21b
   Message-Authenticator = 0x90917ce085fc882aa837e4d65415423f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\Hege", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
Sending Access-Accept of id 34 to 192.168.2.2 port 1812
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   User-Name = "TEST\\Hege"
   MS-MPPE-Recv-Key = 0x525851a76af3aa5f59c6553b06a540b05d248b43865ec9da0e1a0a94191ced5b
   MS-MPPE-Send-Key = 0x62a6b9ec702b2819c7d80448239213ea432ee86d9d2ad084cc775bcc3724fe42
   EAP-Message = 0x030a0004
   Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.
Going to the next request
Waking up in 4.6 seconds.

users file:
DEFAULT Auth-Type = Accept
   Tunnel-type = VLAN,
   Tunnel-Medium-Type = IEEE-802

exec file:
exec {
   wait = yes
   input-pairs = request
   shell-escape = yes
   output = reply
}
exec get-vlan{
   wait = yes
   program = "/usr/local/etc/raddb/scripts/getvlan.php %{mschap:User-Name}"
   input-pairs = request
   output = reply
}

@inner-tunnel file:
post-auth{
   #exec        # nothing changes if the comment is removed
   get-vlan
}


Why is the Tunnel-Private-Group-Id not sent in the tunneled Accept packet?
------------------------------------------------------------------------------------------------------------------------

Here is the other setup, which works (get-vlan is not used):

debug log:
[files] users: Matched entry DEFAULT at line 90
[files]     expand: /usr/local/etc/raddb/scripts/getvlan.php %{mschap:User-Name} -> /usr/local/etc/raddb/scripts/getvlan.php Hege
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
Exec-Program output: Tunnel-Private-Group-Id = 999
Exec-Program-Wait: value-pairs: Tunnel-Private-Group-Id = 999
Exec-Program: returned: 0
++[exec] returns noop
} # server inner-tunnel
[peap] Got tunneled reply code 2
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Exec-Program-Wait = "/usr/local/etc/raddb/scripts/getvlan.php Hege"
   EAP-Message = 0x03090004
   Message-Authenticator = 0x00000000000000000000000000000000
   User-Name = "TEST\\Hege"
   Tunnel-Private-Group-Id:0 = "999"
[peap] Got tunneled reply RADIUS code 2
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Exec-Program-Wait = "/usr/local/etc/raddb/scripts/getvlan.php Hege"
   EAP-Message = 0x03090004
   Message-Authenticator = 0x00000000000000000000000000000000
   User-Name = "TEST\\Hege"
   Tunnel-Private-Group-Id:0 = "999"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 55 to 192.168.2.2 port 1812
   EAP-Message = 0x010a00261900170301001bbbb9779ffa1a57519ffc0b1e5689d56ddf63842cceb1f476d904f2
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0x949108639d9b110fb7de5c9587f53d99
Finished request 9.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.2.2 port 1812, id=56, length=175
   NAS-IP-Address = 192.168.2.2
   NAS-Port = 50019
   NAS-Port-Type = Ethernet
   User-Name = "TEST\\Hege"
   Called-Station-Id = "00-0A-F4-2E-DF-13"
   Calling-Station-Id = "00-80-C8-CD-4F-31"
   Service-Type = Framed-User
   Framed-MTU = 1500
   State = 0x949108639d9b110fb7de5c9587f53d99
   EAP-Message = 0x020a00261900170301001bee552239ad4c65254d4eac839cb1bcfc7dd6f9cfaa48b9c46f271a
   Message-Authenticator = 0xf6d00154ddd920c66013bb0fc048ddbe
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\Hege", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
Sending Access-Accept of id 56 to 192.168.2.2 port 1812
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   User-Name = "TEST\\Hege"
   Tunnel-Private-Group-Id:0 = "999"
   MS-MPPE-Recv-Key = 0xbfeee80dc26c96454c660e3eb112b242a92baeaca68f5b0454951f75a269b6ce
   MS-MPPE-Send-Key = 0xf6352b55b8cc2b48a4a2080ad0751048fae1d756fbbeb58ad504c7f01c4ae1cf
   EAP-Message = 0x030a0004
   Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.

users file:
DEFAULT Auth-Type = Accept
   Tunnel-type = VLAN,
   Tunnel-Medium-Type = IEEE-802,
   Exec-Program-Wait = "/usr/local/etc/raddb/scripts/getvlan.php %{mschap:User-Name}"

exec file:
exec {
   wait = yes
   input-pairs = request
   shell-escape = yes
   output = reply
}
#exec get-vlan{
#    wait = yes
#    program = "/usr/local/etc/raddb/scripts/getvlan.php %{mschap:User-Name}"
#    input-pairs = request
#    output = reply
#    packet-type = Access-Accept
#    shell-escape = yes
#}

@inner-tunnel file:
post-auth{
   exec
#  get-vlan
}

I will use the second setup, but I want to know why the first setup is wrong...
Any ideas?

thank you, Gabor
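
An added example, not part of the original thread: a small checker for `radiusd -X` output that reports attributes the exec script printed but that never appeared in the final Access-Accept, which is the symptom described above. The two sample logs are constructed and trimmed to the shape of the posted debug output; the function names are hypothetical.

```python
import re

# Constructed sample, trimmed to the shape of the radiusd -X output in the thread.
HEAD = """\
+- entering group post-auth {...}
Exec-Program output: Tunnel-Private-Group-Id = 999
Exec-Program: returned: 0
Sending Access-Challenge of id 33 to 192.168.2.2 port 1812
   EAP-Message = 0x010a0026
Sending Access-Accept of id 34 to 192.168.2.2 port 1812
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
"""
TAIL = "   EAP-Message = 0x030a0004\nFinished request 10.\n"
FAILING = HEAD + TAIL                                             # first setup
WORKING = HEAD + '   Tunnel-Private-Group-Id:0 = "999"\n' + TAIL  # second setup

ATTR = re.compile(r"^\s+([\w-]+)(?::\d+)? = (.*)$")  # "   Name:tag = value"

def exec_outputs(log):
    """Attribute pairs the script printed ("Exec-Program output:" lines)."""
    pat = r"^Exec-Program output: ([\w-]+) = (.+)$"
    return {m.group(1): m.group(2) for m in re.finditer(pat, log, re.M)}

def final_accept(log):
    """Attributes of the last "Sending Access-Accept" packet in the log."""
    attrs, in_accept = {}, False
    for line in log.splitlines():
        if line.startswith("Sending "):
            in_accept = line.startswith("Sending Access-Accept")
            if in_accept:
                attrs = {}
        elif in_accept:
            m = ATTR.match(line)
            if m:
                attrs[m.group(1)] = m.group(2).strip('"')
            elif not line.startswith("0x"):  # tolerate wrapped hex values
                in_accept = False
    return attrs

def dropped(log):
    """Attributes the script returned that never reached the NAS."""
    sent = final_accept(log)
    return sorted(name for name in exec_outputs(log) if name not in sent)

if __name__ == "__main__":
    for label, log in (("first setup", FAILING), ("second setup", WORKING)):
        print(label, "dropped:", dropped(log) or "nothing")
```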


