On 13/06/2012 10:55, Alan DeKok wrote:
rs do *not* have this feature.  The
"inner-tunnel" authentication is handled by various special-purpose
magic.  That makes the configuration more complex a
Thanks a lot for the time you spent on this request.
I will not understand all of it, but I think (I hope) I can roughly follow the mechanism. I often try to know what a product does before configuring it. Maybe it is a mistake...

Here are the last lines of a successful connection. It begins with the last outer-tunnel authenticate section, just before entering inner-tunnel parsing. I obviously believe everything you said, but I can't find an explicit authenticate section between * ldap authorization and * entering LDAP. It's quite possible (likely) that I am not reading the output correctly; please don't be offended by my questions. I am only trying to understand.

...
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 61
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
        User-Name = "user1"
        User-Password = "toutou"
        FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
        User-Name = "user1"
        User-Password = "toutou"
        FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {                                   ***************** entering tunnel ?
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for user1*********************************************************** ldap authorization
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> user1
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> user1
[ldap] expand: (|(uid=%{%{Stripped-User-Name}:-%{User-Name}})(mail=%{%{Stripped-User-Name}:-%{User-Name}})) -> (|(uid=user1)(mail=user1))
[ldap] expand: ou=ac-orleans-tours,ou=education,o=gouv,c=fr -> ou=ac-orleans-tours,ou=education,o=gouv,c=fr
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
[ldap] (re)connect to replica.in.ac-orleans-tours.fr:389, authentication 0
  [ldap] bind as / to replica.in.ac-orleans-tours.fr:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] performing search in ou=ac-orleans-tours,ou=education,o=gouv,c=fr, with filter (|(uid=user1)(mail=user1))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP                         ***************** ldap authorization successful
[ldap] user user1 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group LDAP {...}************************************************************* entering LDAP
[ldap] login attempt by "user1" with password "toutou"
[ldap] user DN: uid=user1,ou=personnels EN,ou=ac-orleans-tours,ou=education,o=gouv,c=fr
[ldap] (re)connect to replica.in.ac-orleans-tours.fr:389, authentication 1
  [ldap] bind as uid=user1,ou=personnels EN,ou=ac-orleans-tours,ou=education,o=gouv,c=fr/toutou to replica.in.ac-orleans-tours.fr:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user user1 authenticated succesfully
++[ldap] returns ok
  WARNING: Empty post-auth section.  Using default return values.
# Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
} # server inner-tunnel
[ttls] Got tunneled reply code 2
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop

Sending Access-Accept of id 230 to 172.30.145.70 port 32769
        MS-MPPE-Recv-Key = 0xffc75d74e5bf1ac3d87ad519d6717eb47335013ecdf9d90b911054432b3a14f9
        MS-MPPE-Send-Key = 0xc56881775c6929ffb64a59e4f9cbac06d99eb03ab5925f182555d2ec3af2b91e
        EAP-Message = 0x03080004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "user1"
Finished request 6.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Accounting-Request packet from host 172.30.145.70 port 32769, id=249, length=192
        User-Name = "user1"
        NAS-Port = 2
        NAS-IP-Address = 172.30.145.70
        NAS-Identifier = "wifi-admin"
        Airespace-Wlan-Id = 1
        Acct-Session-Id = "4fd83d9f/00:1d:e0:21:7b:31/94"
        Acct-Authentic = RADIUS
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "164"
        Acct-Status-Type = Interim-Update
        Acct-Input-Octets = 16133
        Acct-Output-Octets = 21904
        Acct-Input-Packets = 458
        Acct-Output-Packets = 238
        Acct-Session-Time = 47
        Acct-Delay-Time = 0
        Calling-Station-Id = "192.168.234.10"
        Called-Station-Id = "172.30.145.70"
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 2,Client-IP-Address = 172.30.145.70,NAS-IP-Address = 172.30.145.70,Acct-Session-Id = "4fd83d9f/00:1d:e0:21:7b:31/94",User-Name = "user1"'
[acct_unique] Acct-Unique-Session-ID = "9fcc14215b25e276".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]        expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/172.30.145.70/detail-20120613
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/172.30.145.70/detail-20120613
[detail]        expand: %t -> Wed Jun 13 09:14:29 2012
++[detail] returns ok
++[unix] returns noop
[radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> user1
++[radutmp] returns ok
++[exec] returns noop
[attr_filter.accounting_response]       expand: %{User-Name} -> user1
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 249 to 172.30.145.70 port 32769
Finished request 7.
Cleaning up request 7 ID 249 with timestamp +40
Going to the next request
Waking up in 4.6 seconds.
Cleaning up request 0 ID 224 with timestamp +39
Cleaning up request 1 ID 225 with timestamp +39
Cleaning up request 2 ID 226 with timestamp +39
Cleaning up request 3 ID 227 with timestamp +39
Cleaning up request 4 ID 228 with timestamp +39
Waking up in 0.3 seconds.
Cleaning up request 5 ID 229 with timestamp +40
Cleaning up request 6 ID 230 with timestamp +40
Ready to process requests.


--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

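The trace posted above already contains the answer to the question it raises, and the Python below (an added example, not part of the post, of Alan's reply, or of FreeRADIUS) makes it visible by parsing the `radiusd -X` output. In 2.x the debug line `# Executing group from file .../inner-tunnel` that follows `Found Auth-Type = LDAP` is how the authenticate section runs its `Auth-Type LDAP { ... }` sub-section, and `+- entering group LDAP {...}` names that sub-section; the word "authenticate" is simply never printed for an indexed section. The parser also counts the anonymous bind used for the authorization search and lists the lines on which the inner User-Password appears in cleartext, the usual caveat before pasting -X output to a list. The sample is a trimmed copy of the lines in the post; the patterns match the 2.x debug format shown there and are assumptions for any other version.

```python
"""Reconstruct the control flow of a FreeRADIUS 2.x `radiusd -X` trace.
Added example, not code from the post or from FreeRADIUS; the patterns match
only the 2.x debug lines seen in the thread above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SERVER_OPEN = re.compile(r"^server (\S+) \{")
SERVER_CLOSE = re.compile(r"^\} # server (\S+)")
SECTION = re.compile(r"^# Executing section (\S+) from file ")
# No section name: 2.x prints this when a section is run by index, i.e.
# authenticate selecting its "Auth-Type X { ... }" sub-section.
INDEXED = re.compile(r"^# Executing group from file ")
GROUP = re.compile(r"^\+- entering group (\S+) \{")
MODULE = re.compile(r"^\+\+\[([\w.-]+)\] returns (\w+)")
FOUND = re.compile(r"^Found Auth-Type = (\S+)")
LDAP_BIND = re.compile(r"^\[ldap\] bind as (.*?)/(.*?) to (\S+)$")
SECRET = re.compile(r'User-Password = "|with password "')


@dataclass
class Step:
    server: str
    section: str               # authorize, authenticate, post-auth, ...
    group: str                 # unlang group named on the "entering group" line
    auth_type: Optional[str]   # Auth-Type that selected the group, if any
    modules: List[Tuple[str, str]] = field(default_factory=list)


@dataclass
class Trace:
    steps: List[Step] = field(default_factory=list)
    anonymous_binds: int = 0                               # search binds, empty DN
    user_binds: List[str] = field(default_factory=list)    # DNs bound as the user
    secret_lines: List[int] = field(default_factory=list)  # cleartext passwords


def parse_trace(text: str) -> Trace:
    t = Trace()
    server, found, pending, step, outer = "default", None, None, None, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if m := SERVER_OPEN.match(line):             # entering a virtual server
            server, found, outer, step = m.group(1), None, step, None
        elif SERVER_CLOSE.match(line):               # back to the outer request
            server, found, step = "default", None, outer
        elif m := SECTION.match(line):
            pending = (m.group(1), None)
        elif INDEXED.match(line):
            pending = ("authenticate", found)
        elif m := GROUP.match(line):
            # Group = the Auth-Type sub-section, or the parent section when the
            # module sits directly in authenticate (the outer eap case above).
            section, auth_type = pending or ("?", None)
            step = Step(server, section, m.group(1), auth_type)
            t.steps.append(step)
        elif (m := MODULE.match(line)) and step is not None:
            step.modules.append((m.group(1), m.group(2)))
        elif m := FOUND.match(line):
            found = m.group(1)
        elif m := LDAP_BIND.match(line):
            dn, password, _host = m.groups()
            if not dn:
                t.anonymous_binds += 1
            else:
                t.user_binds.append(dn)
                if password:
                    t.secret_lines.append(n)
        if SECRET.search(line):
            t.secret_lines.append(n)
    return t


def summarize(t: Trace) -> List[str]:
    out = []
    for s in t.steps:
        via = f" (selected by Auth-Type {s.auth_type})" if s.auth_type else ""
        mods = ", ".join(f"{m}={rc}" for m, rc in s.modules) or "-"
        out.append(f"{s.server}: {s.section} -> group {s.group}{via}: {mods}")
    return out


# Trimmed copy of the trace posted above (lab account, lab password).
SAMPLE = """\
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
        User-Password = "toutou"
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[mschap] returns noop
  [ldap] bind as / to replica.in.ac-orleans-tours.fr:389
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
++[ldap] returns ok
Found Auth-Type = LDAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group LDAP {...}
[ldap] login attempt by "user1" with password "toutou"
[ldap] bind as uid=user1,ou=personnels EN,ou=ac-orleans-tours,ou=education,o=gouv,c=fr/toutou to replica.in.ac-orleans-tours.fr:389
++[ldap] returns ok
} # server inner-tunnel
++[eap] returns ok
"""

if __name__ == "__main__":
    print("\n".join(summarize(parse_trace(SAMPLE))))
```

Running it on the sample prints one line per unlang group entered, so the inner-tunnel LDAP bind shows up as `inner-tunnel: authenticate -> group LDAP (selected by Auth-Type LDAP): ldap=ok`, directly after the authorize step in which ldap returned ok. The `secret_lines` field is the part worth checking before a trace is posted anywhere: the inner User-Password is printed three times in this excerpt.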