forum.opennet.ru - "freeradius dot1x dynamic vlan assignment" (4)

"freeradius dot1x dynamic vlan assignment"

Форум Открытые системы на сервере (Система. проблемы, диагностика / Linux)
Вариант для распечатки		Пред. тема \| След. тема
Изначальное сообщение		[ Отслеживать ]

"freeradius dot1x dynamic vlan assignment"	+/–
Сообщение от Kovrevskii (ok), 07-Дек-22, 12:35
Добрый день! на форуме нашёл описание проблемы схожей с моей https://www.opennet.ru/openforum/vsluhforumID6/19307.html но у меня немного другая ситуация Пытаюсь настроить Freeradius с интеграцией с AD и аутентификацией проводных пользователей по dot1x с назначением Vlan Выполнил все необходимые настройки Настроил раздел post-auth файла /etc/raddb/sites-available/inner-tunnel post-auth { if (0) { update reply { User-Name !* ANY Message-Authenticator !* ANY EAP-Message !* ANY Proxy-State !* ANY MS-MPPE-Encryption-Types !* ANY MS-MPPE-Encryption-Policy !* ANY MS-MPPE-Send-Key !* ANY MS-MPPE-Recv-Key !* ANY Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = "150" } update { &outer.session-state: += &reply: } } аутентификация через dot1x работает, но назначение Vlan НЕ выполняется (атрибуты не срабатывают) Если же указать if (1), то аутентификация по dot1x не проходит и при выводе radiusd -X выходит ошибка: update { ERROR: Mapping "&reply:" -> "&outer.session-state:" invalid in this context .... update outer.session-state { ERROR: Mapping "&request:Module-Failure-Message" -> "&Module-Failure-Message" invalid in this context Кто-нибудь настраивал подобную схему? Что я делаю не так?
Ответить \| Правка \| Cообщить модератору

Оглавление

добавляю вывод radiusd -X при попытке аутентификации пользователзанчени if 0 Re, Kovrevskii (ok), 12:53 , 07-Дек-22, (1)

продолжение 4 Received Access-Request Id 2 from 10 8 150 118 1645 to 10 70 42 7, Kovrevskii (ok), 12:56 , 07-Дек-22, (2)

7 Received Access-Request Id 5 from 10 8 150 118 1645 to 10 70 42 77 1645 leng, Kovrevskii (ok), 12:57 , 07-Дек-22, (3)

если в разделе post auth прописать if 1 то выходит ошибка 8 Received Access-, Kovrevskii (ok), 13:07 , 07-Дек-22, (4)

Сообщения [Сортировка по времени | RSS]

1. "freeradius dot1x dynamic vlan assignment" +/–

Сообщение от Kovrevskii (ok), 07-Дек-22, 12:53

добавляю вывод radiusd -X при попытке аутентификации пользовател
занчени if (0)

Ready to process requests
(0) Received Access-Request Id 254 from 10.8.150.118:1645 to 10.70.42.77:1645 length 178
(0)   User-Name = "host/WNAMTest.stand.ru"
(0)   Service-Type = Framed-User
(0)   Framed-MTU = 1504
(0)   Called-Station-Id = "00-17-E0-1C-15-87"
(0)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(0)   EAP-Message = 0x0201001b01686f73742f574e414d546573742e7374616e642e7275
(0)   Message-Authenticator = 0x05f0beadc58cb570784f655631e40bff
(0)   NAS-Port-Type = Ethernet
(0)   NAS-Port = 50005
(0)   NAS-Port-Id = "FastEthernet0/5"
(0)   NAS-IP-Address = 10.8.150.118
(0) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [chap] = noop
(0)     [mschap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0)     update control {
(0)       &Proxy-To-Realm := LOCAL
(0)     } # update control = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 27
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new TLS session
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 2 length 6
(0) eap: EAP session adding &reply:State = 0x8e1144788e135d5a
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(0) Sent Access-Challenge Id 254 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(0)   EAP-Message = 0x010200061920
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x8e1144788e135d5aaaf63b261b53a370
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 255 from 10.8.150.118:1645 to 10.70.42.77:1645 length 373
(1)   User-Name = "host/WNAMTest.stand.ru"
(1)   Service-Type = Framed-User
(1)   Framed-MTU = 1504
(1)   Called-Station-Id = "00-17-E0-1C-15-87"
(1)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(1)   EAP-Message = 0x020200cc1980000000c216030300bd010000b90303639061b3946a0116999001e2cec4eebcc744aa45dd6d3db2d7101612d3e71cf720813f3268239d3d77179cefc9e73f95ba89586d214ebee8e831a945798c53993a002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(1)   Message-Authenticator = 0x57980fece321d5b7e48eb9f464877726
(1)   NAS-Port-Type = Ethernet
(1)   NAS-Port = 50005
(1)   NAS-Port-Id = "FastEthernet0/5"
(1)   State = 0x8e1144788e135d5aaaf63b261b53a370
(1)   NAS-IP-Address = 10.8.150.118
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [chap] = noop
(1)     [mschap] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1)     update control {
(1)       &Proxy-To-Realm := LOCAL
(1)     } # update control = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 204
(1) eap: Continuing tunnel setup
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x8e1144788e135d5a
(1) eap: Finished EAP session with state 0x8e1144788e135d5a
(1) eap: Previous EAP request found for state 0x8e1144788e135d5a, released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 194 bytes
(1) eap_peap: Got complete TLS record (194 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: <<< recv TLS 1.3  [length 00bd]
(1) eap_peap: TLS_accept: SSLv3/TLS read client hello
(1) eap_peap: >>> send TLS 1.2  [length 003d]
(1) eap_peap: TLS_accept: SSLv3/TLS write server hello
(1) eap_peap: >>> send TLS 1.2  [length 0903]
(1) eap_peap: TLS_accept: SSLv3/TLS write certificate
(1) eap_peap: >>> send TLS 1.2  [length 014d]
(1) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(1) eap_peap: >>> send TLS 1.2  [length 0004]
(1) eap_peap: TLS_accept: SSLv3/TLS write server done
(1) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(1) eap_peap: TLS - In Handshake Phase
(1) eap_peap: TLS - got 2725 bytes of data
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 3 length 1004
(1) eap: EAP session adding &reply:State = 0x8e1144788f125d5a
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(1) Sent Access-Challenge Id 255 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(1)   EAP-Message = 0x010303ec19c000000aa5160303003d02000039030316a38bcccaf0c1f7195d6060cabc048b9ea13d100d40f6852eb16cf57da470ce00c030000011ff01000100000b0004030001020017000016030309030b0008ff0008fc0003f8308203f4308202dca003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3232313132383131333435385a170d3233303132373131333435385a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x8e1144788f125d5aaaf63b261b53a370
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 0 from 10.8.150.118:1645 to 10.70.42.77:1645 length 175
(2)   User-Name = "host/WNAMTest.stand.ru"
(2)   Service-Type = Framed-User
(2)   Framed-MTU = 1504
(2)   Called-Station-Id = "00-17-E0-1C-15-87"
(2)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(2)   EAP-Message = 0x020300061900
(2)   Message-Authenticator = 0xaf565cd95e610e00b93fc948a081b99d
(2)   NAS-Port-Type = Ethernet
(2)   NAS-Port = 50005
(2)   NAS-Port-Id = "FastEthernet0/5"
(2)   State = 0x8e1144788f125d5aaaf63b261b53a370
(2)   NAS-IP-Address = 10.8.150.118
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [chap] = noop
(2)     [mschap] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2)     update control {
(2)       &Proxy-To-Realm := LOCAL
(2)     } # update control = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(2)   authenticate {
(2) eap: Expiring EAP session with state 0x8e1144788f125d5a
(2) eap: Finished EAP session with state 0x8e1144788f125d5a
(2) eap: Previous EAP request found for state 0x8e1144788f125d5a, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer ACKed our handshake fragment
(2) eap_peap: [eaptls verify] = request
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 1000
(2) eap: EAP session adding &reply:State = 0x8e1144788c155d5a
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found.  Ignoring.
(2) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(2) Sent Access-Challenge Id 0 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(2)   EAP-Message = 0x010403e819401fc7c5152c524cb8fae1e08afa965a924975fe798689c56b5f8ae875d147afe3077ed758c2804b1fd93d89c6b215d8195c9fb13218b78495e13bea9696902858d0ac9e091331e8078a7ef13799870cb0a0b1808c75e6ae1062eefc44d51f5410a3e9f84b4ccebd0004fe308204fa308203e2a0030201020214442cc1056ca0298b32cdbbe1cbe45e7490adc2eb300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3232313132383131333435385a170d3233303132373131333435385a308193310b3009060355040613024652310f300d06035504080c0652616469
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0x8e1144788c155d5aaaf63b261b53a370
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 1 from 10.8.150.118:1645 to 10.70.42.77:1645 length 175
(3)   User-Name = "host/WNAMTest.stand.ru"
(3)   Service-Type = Framed-User
(3)   Framed-MTU = 1504
(3)   Called-Station-Id = "00-17-E0-1C-15-87"
(3)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(3)   EAP-Message = 0x020400061900
(3)   Message-Authenticator = 0x1f56bf12588e8191c2539fa98dc4746f
(3)   NAS-Port-Type = Ethernet
(3)   NAS-Port = 50005
(3)   NAS-Port-Id = "FastEthernet0/5"
(3)   State = 0x8e1144788c155d5aaaf63b261b53a370
(3)   NAS-IP-Address = 10.8.150.118
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [chap] = noop
(3)     [mschap] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3)     update control {
(3)       &Proxy-To-Realm := LOCAL
(3)     } # update control = noop
(3) eap: Peer sent EAP Response (code 2) ID 4 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(3)   authenticate {
(3) eap: Expiring EAP session with state 0x8e1144788c155d5a
(3) eap: Finished EAP session with state 0x8e1144788c155d5a
(3) eap: Previous EAP request found for state 0x8e1144788c155d5a, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 5 length 743
(3) eap: EAP session adding &reply:State = 0x8e1144788d145d5a
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found.  Ignoring.
(3) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(3) Sent Access-Challenge Id 1 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(3)   EAP-Message = 0x010502e7190072746966696361746520417574686f726974798214442cc1056ca0298b32cdbbe1cbe45e7490adc2eb300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101000f90c9bfa58166e202db547a485080f43eeb496d974779be4682989ea1aa2ed4392ee7ba208464a95021a2d9019bdd276ad97b0d7680f9dce4db059f5d3aee20589a5787ceca5dc3f2bac77b7e21cf9b1f7242684fa62b5cd23c4c20d98bc73b3f641a8a89e77b7048f2661f46f7222b644a7a23968041c8fea3d0dea25fd658875a06e7bca59c2769deca0debe1bb9b274d90d25652b43fc2693562765604e9592757c2c624419b1226f07f0d8cb443a355c7cdaacb444e1b8a6a123c9aed7d8949e9937a404e85f6a98695cbadc77d80dcdcaf215b7eb0fd15b4de5b061208f78da50c8479cd2d4f1dfa
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0x8e1144788d145d5aaaf63b261b53a370
(3) Finished request
Waking up in 4.9 seconds.

Ответить | Правка | Наверх | Cообщить модератору

2. "freeradius dot1x dynamic vlan assignment" +/–

Сообщение от Kovrevskii (ok), 07-Дек-22, 12:56

продолжение
(4) Received Access-Request Id 2 from 10.8.150.118:1645 to 10.70.42.77:1645 length 305
(4)   User-Name = "host/WNAMTest.stand.ru"
(4)   Service-Type = Framed-User
(4)   Framed-MTU = 1504
(4)   Called-Station-Id = "00-17-E0-1C-15-87"
(4)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(4)   EAP-Message = 0x0205008819800000007e1603030046100000424104a7375d5a0b4cab49e9fec1125a800f8a23c26057dfd1f42d8ed06d30fc26a0ea775bafbe3e498651218316b113d020f7acf8c30b2a28774e6ca313eb61c6342714030300010116030300280000000000000000af23d74f75fbe62067fe01739e17ce88600ae6f610789121a25b0f666b425f6f
(4)   Message-Authenticator = 0x399081e9a1a5c11037d7dc6d3b08bc65
(4)   NAS-Port-Type = Ethernet
(4)   NAS-Port = 50005
(4)   NAS-Port-Id = "FastEthernet0/5"
(4)   State = 0x8e1144788d145d5aaaf63b261b53a370
(4)   NAS-IP-Address = 10.8.150.118
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [chap] = noop
(4)     [mschap] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4)     update control {
(4)       &Proxy-To-Realm := LOCAL
(4)     } # update control = noop
(4) eap: Peer sent EAP Response (code 2) ID 5 length 136
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(4)   authenticate {
(4) eap: Expiring EAP session with state 0x8e1144788d145d5a
(4) eap: Finished EAP session with state 0x8e1144788d145d5a
(4) eap: Previous EAP request found for state 0x8e1144788d145d5a, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(4) eap_peap: Got complete TLS record (126 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: TLS_accept: SSLv3/TLS write server done
(4) eap_peap: <<< recv TLS 1.2  [length 0046]
(4) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(4) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(4) eap_peap: <<< recv TLS 1.2  [length 0010]
(4) eap_peap: TLS_accept: SSLv3/TLS read finished
(4) eap_peap: >>> send TLS 1.2  [length 0001]
(4) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(4) eap_peap: >>> send TLS 1.2  [length 0010]
(4) eap_peap: TLS_accept: SSLv3/TLS write finished
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: TLS - Connection Established
(4) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(4) eap_peap: TLS-Session-Version = "TLS 1.2"
(4) eap_peap: TLS - got 51 bytes of data
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 6 length 57
(4) eap: EAP session adding &reply:State = 0x8e1144788a175d5a
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found.  Ignoring.
(4) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(4) session-state: Saving cached attributes
(4)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(4)   TLS-Session-Version = "TLS 1.2"
(4) Sent Access-Challenge Id 2 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(4)   EAP-Message = 0x01060039190014030300010116030300289251a406bf3dbfb03724ace561a3dd1a3295ed2c4d17b05d85670ecad49cb5873a6f8eb092810370
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0x8e1144788a175d5aaaf63b261b53a370
(4) Finished request
Waking up in 4.8 seconds.
(5) Received Access-Request Id 3 from 10.8.150.118:1645 to 10.70.42.77:1645 length 175
(5)   User-Name = "host/WNAMTest.stand.ru"
(5)   Service-Type = Framed-User
(5)   Framed-MTU = 1504
(5)   Called-Station-Id = "00-17-E0-1C-15-87"
(5)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(5)   EAP-Message = 0x020600061900
(5)   Message-Authenticator = 0x325b51a8e67ce86e0d4401a06a1cadba
(5)   NAS-Port-Type = Ethernet
(5)   NAS-Port = 50005
(5)   NAS-Port-Id = "FastEthernet0/5"
(5)   State = 0x8e1144788a175d5aaaf63b261b53a370
(5)   NAS-IP-Address = 10.8.150.118
(5) Restoring &session-state
(5)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5)   &session-state:TLS-Session-Version = "TLS 1.2"
(5) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [chap] = noop
(5)     [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5)     update control {
(5)       &Proxy-To-Realm := LOCAL
(5)     } # update control = noop
(5) eap: Peer sent EAP Response (code 2) ID 6 length 6
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(5)   authenticate {
(5) eap: Expiring EAP session with state 0x8e1144788a175d5a
(5) eap: Finished EAP session with state 0x8e1144788a175d5a
(5) eap: Previous EAP request found for state 0x8e1144788a175d5a, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established.  Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 7 length 40
(5) eap: EAP session adding &reply:State = 0x8e1144788b165d5a
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found.  Ignoring.
(5) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(5) session-state: Saving cached attributes
(5)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5)   TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 3 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(5)   EAP-Message = 0x010700281900170303001d9251a406bf3dbfb1c4883ad1165a072b12d250a2a4d4747b6748cd60ed
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0x8e1144788b165d5aaaf63b261b53a370
(5) Finished request
Waking up in 4.8 seconds.
(6) Received Access-Request Id 4 from 10.8.150.118:1645 to 10.70.42.77:1645 length 227
(6)   User-Name = "host/WNAMTest.stand.ru"
(6)   Service-Type = Framed-User
(6)   Framed-MTU = 1504
(6)   Called-Station-Id = "00-17-E0-1C-15-87"
(6)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(6)   EAP-Message = 0x0207003a1900170303002f000000000000000155af9208b9017d53ad5ae04767876fbc5e85a534d96d067d5325b0772d3d76e28e379d081fb595
(6)   Message-Authenticator = 0xac48ac31824eed7ee4ef2c0c7cea5934
(6)   NAS-Port-Type = Ethernet
(6)   NAS-Port = 50005
(6)   NAS-Port-Id = "FastEthernet0/5"
(6)   State = 0x8e1144788b165d5aaaf63b261b53a370
(6)   NAS-IP-Address = 10.8.150.118
(6) Restoring &session-state
(6)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6)   &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy filter_username = notfound
(6)     [chap] = noop
(6)     [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6)     update control {
(6)       &Proxy-To-Realm := LOCAL
(6)     } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 7 length 58
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6)   authenticate {
(6) eap: Expiring EAP session with state 0x8e1144788b165d5a
(6) eap: Finished EAP session with state 0x8e1144788b165d5a
(6) eap: Previous EAP request found for state 0x8e1144788b165d5a, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - host/WNAMTest.stand.ru
(6) eap_peap: Got inner identity 'host/WNAMTest.stand.ru'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap:   EAP-Message = 0x0207001b01686f73742f574e414d546573742e7374616e642e7275
(6) eap_peap: Setting User-Name to host/WNAMTest.stand.ru
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap:   EAP-Message = 0x0207001b01686f73742f574e414d546573742e7374616e642e7275
(6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap:   User-Name = "host/WNAMTest.stand.ru"
(6) Virtual server inner-tunnel received request
(6)   EAP-Message = 0x0207001b01686f73742f574e414d546573742e7374616e642e7275
(6)   FreeRADIUS-Proxied-To = 127.0.0.1
(6)   User-Name = "host/WNAMTest.stand.ru"
(6) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(6) server inner-tunnel {
(6)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(6)     authorize {
(6)       policy filter_username {
(6)         if (&User-Name) {
(6)         if (&User-Name)  -> TRUE
(6)         if (&User-Name)  {
(6)           if (&User-Name =~ / /) {
(6)           if (&User-Name =~ / /)  -> FALSE
(6)           if (&User-Name =~ /@[^@]*@/ ) {
(6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)           if (&User-Name =~ /\.\./ ) {
(6)           if (&User-Name =~ /\.\./ )  -> FALSE
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)           if (&User-Name =~ /\.$/)  {
(6)           if (&User-Name =~ /\.$/)   -> FALSE
(6)           if (&User-Name =~ /@\./)  {
(6)           if (&User-Name =~ /@\./)   -> FALSE
(6)         } # if (&User-Name)  = notfound
(6)       } # policy filter_username = notfound
(6)       [chap] = noop
(6)       [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)       [suffix] = noop
(6)       update control {
(6)         &Proxy-To-Realm := LOCAL
(6)       } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 7 length 27
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6)       [eap] = ok
(6)     } # authorize = ok
(6)   Found Auth-Type = eap
(6)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6)     authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) eap: Sending EAP Request (code 1) ID 8 length 43
(6) eap: EAP session adding &reply:State = 0x80bfe1b680b7fb9c
(6)       [eap] = handled
(6)     } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6)   EAP-Message = 0x0108002b1a01080026106912a9030f5003beda5b4dec2f6730a8667265657261646975732d332e302e3231
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0x80bfe1b680b7fb9c548551106d70804b
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap:   EAP-Message = 0x0108002b1a01080026106912a9030f5003beda5b4dec2f6730a8667265657261646975732d332e302e3231
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0x80bfe1b680b7fb9c548551106d70804b
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap:   EAP-Message = 0x0108002b1a01080026106912a9030f5003beda5b4dec2f6730a8667265657261646975732d332e302e3231
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0x80bfe1b680b7fb9c548551106d70804b
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 8 length 74
(6) eap: EAP session adding &reply:State = 0x8e11447888195d5a
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found.  Ignoring.
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) session-state: Saving cached attributes
(6)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6)   TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 4 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(6)   EAP-Message = 0x0108004a1900170303003f9251a406bf3dbfb21ba0d54fc4fb678471339bd905a4d1efe72a529fbfa57ac4d537c3a217957d3ece4e5b8b66b75ccc379346f106da70cb435a9a8260dd81
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0x8e11447888195d5aaaf63b261b53a370
(6) Finished request
Waking up in 4.4 seconds.

Ответить | Правка | Наверх | Cообщить модератору

3. "freeradius dot1x dynamic vlan assignment" +/–

Сообщение от Kovrevskii (ok), 07-Дек-22, 12:57

(7) Received Access-Request Id 5 from 10.8.150.118:1645 to 10.70.42.77:1645 length 281
(7)   User-Name = "host/WNAMTest.stand.ru"
(7)   Service-Type = Framed-User
(7)   Framed-MTU = 1504
(7)   Called-Station-Id = "00-17-E0-1C-15-87"
(7)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(7)   EAP-Message = 0x0208007019001703030065000000000000000291ebbab1487f9c926b4c65fcadf4b6326ce17fc7ebb89a2a1a2682a48bfbc712b1fac98d617edb7965d3a64ada1db96804aea60b3741c85d5e0f7e68ca0f3581be104e79d3f916ad3a2ed8b7f23d05f4f1dd5e98cfa41d0822b087b016
(7)   Message-Authenticator = 0x97bb4e8bd14ce6352ab0262027368166
(7)   NAS-Port-Type = Ethernet
(7)   NAS-Port = 50005
(7)   NAS-Port-Id = "FastEthernet0/5"
(7)   State = 0x8e11447888195d5aaaf63b261b53a370
(7)   NAS-IP-Address = 10.8.150.118
(7) Restoring &session-state
(7)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7)   &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [chap] = noop
(7)     [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7)     update control {
(7)       &Proxy-To-Realm := LOCAL
(7)     } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 8 length 112
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7)   authenticate {
(7) eap: Expiring EAP session with state 0x80bfe1b680b7fb9c
(7) eap: Finished EAP session with state 0x8e11447888195d5a
(7) eap: Previous EAP request found for state 0x8e11447888195d5a, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap:   EAP-Message = 0x020800511a0208004c31a07a106f14b5a62cb6ecdc05ac5f18e30000000000000000ae7e258e4232de145bf4036973ba5257eccfddfc3a01a93e00686f73742f574e414d546573742e7374616e642e7275
(7) eap_peap: Setting User-Name to host/WNAMTest.stand.ru
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap:   EAP-Message = 0x020800511a0208004c31a07a106f14b5a62cb6ecdc05ac5f18e30000000000000000ae7e258e4232de145bf4036973ba5257eccfddfc3a01a93e00686f73742f574e414d546573742e7374616e642e7275
(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap:   User-Name = "host/WNAMTest.stand.ru"
(7) eap_peap:   State = 0x80bfe1b680b7fb9c548551106d70804b
(7) Virtual server inner-tunnel received request
(7)   EAP-Message = 0x020800511a0208004c31a07a106f14b5a62cb6ecdc05ac5f18e30000000000000000ae7e258e4232de145bf4036973ba5257eccfddfc3a01a93e00686f73742f574e414d546573742e7374616e642e7275
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "host/WNAMTest.stand.ru"
(7)   State = 0x80bfe1b680b7fb9c548551106d70804b
(7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(7) server inner-tunnel {
(7)   session-state: No cached attributes
(7)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(7)     authorize {
(7)       policy filter_username {
(7)         if (&User-Name) {
(7)         if (&User-Name)  -> TRUE
(7)         if (&User-Name)  {
(7)           if (&User-Name =~ / /) {
(7)           if (&User-Name =~ / /)  -> FALSE
(7)           if (&User-Name =~ /@[^@]*@/ ) {
(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)           if (&User-Name =~ /\.\./ ) {
(7)           if (&User-Name =~ /\.\./ )  -> FALSE
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)           if (&User-Name =~ /\.$/)  {
(7)           if (&User-Name =~ /\.$/)   -> FALSE
(7)           if (&User-Name =~ /@\./)  {
(7)           if (&User-Name =~ /@\./)   -> FALSE
(7)         } # if (&User-Name)  = notfound
(7)       } # policy filter_username = notfound
(7)       [chap] = noop
(7)       [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)       [suffix] = noop
(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 8 length 81
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)       [eap] = updated
(7)       [files] = noop
(7)       [expiration] = noop
(7)       [logintime] = noop
(7)       [pap] = noop
(7)     } # authorize = updated
(7)   Found Auth-Type = eap
(7)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7)     authenticate {
(7) eap: Expiring EAP session with state 0x80bfe1b680b7fb9c
(7) eap: Finished EAP session with state 0x80bfe1b680b7fb9c
(7) eap: Previous EAP request found for state 0x80bfe1b680b7fb9c, released from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) eap_mschapv2:   authenticate {
(7) mschap: Creating challenge hash with username: host/WNAMTest.stand.ru
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-STAND} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(7) mschap: EXPAND --username=%{mschap:User-Name:-None}
(7) mschap:    --> --username=WNAMTest$
(7) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-STAND}
(7) mschap:    --> --domain=stand
(7) mschap: Creating challenge hash with username: host/WNAMTest.stand.ru
(7) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(7) mschap:    --> --challenge=d858ed797e668361
(7) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(7) mschap:    --> --nt-response=ae7e258e4232de145bf4036973ba5257eccfddfc3a01a93e
added interface ens192 ip=10.70.42.77 bcast=10.70.42.255 netmask=255.255.255.0
added interface ens192 ip=10.70.42.77 bcast=10.70.42.255 netmask=255.255.255.0
added interface ens192 ip=10.70.42.77 bcast=10.70.42.255 netmask=255.255.255.0
(7) mschap: Program returned code (0) and output 'NT_KEY: 7720EA15121870B72DB8AEC247827D5B'
(7) mschap: Adding MS-CHAPv2 MPPE keys
(7) eap_mschapv2:     [mschap] = ok
(7) eap_mschapv2:   } # authenticate = ok
(7) eap_mschapv2: MSCHAP Success
(7) eap: Sending EAP Request (code 1) ID 9 length 51
(7) eap: EAP session adding &reply:State = 0x80bfe1b681b6fb9c
(7)       [eap] = handled
(7)     } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7)   EAP-Message = 0x010900331a0308002e533d44314232383535354646394633443139353244354646323241464439334642423744433431454443
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x80bfe1b681b6fb9c548551106d70804b
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap:   EAP-Message = 0x010900331a0308002e533d44314232383535354646394633443139353244354646323241464439334642423744433431454443
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0x80bfe1b681b6fb9c548551106d70804b
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap:   EAP-Message = 0x010900331a0308002e533d44314232383535354646394633443139353244354646323241464439334642423744433431454443
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0x80bfe1b681b6fb9c548551106d70804b
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 9 length 82
(7) eap: EAP session adding &reply:State = 0x8e11447889185d5a
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found.  Ignoring.
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) session-state: Saving cached attributes
(7)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7)   TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 5 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(7)   EAP-Message = 0x01090052190017030300479251a406bf3dbfb3166d1b07af90422c9dbb30f717afcdb2ae4171be6c905619e570bc3dc857a60fea9d389487fd3ab7176e072cc2d7605a273cffb73134a07fc8807300df4c67
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x8e11447889185d5aaaf63b261b53a370
(7) Finished request
Waking up in 2.6 seconds.
(8) Received Access-Request Id 6 from 10.8.150.118:1645 to 10.70.42.77:1645 length 206
(8)   User-Name = "host/WNAMTest.stand.ru"
(8)   Service-Type = Framed-User
(8)   Framed-MTU = 1504
(8)   Called-Station-Id = "00-17-E0-1C-15-87"
(8)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(8)   EAP-Message = 0x020900251900170303001a000000000000000378eec0b094f6e356c114d3636da01d0302c8
(8)   Message-Authenticator = 0xe7e52adeeb798f38bd7c85806f6088a1
(8)   NAS-Port-Type = Ethernet
(8)   NAS-Port = 50005
(8)   NAS-Port-Id = "FastEthernet0/5"
(8)   State = 0x8e11447889185d5aaaf63b261b53a370
(8)   NAS-IP-Address = 10.8.150.118
(8) Restoring &session-state
(8)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8)   &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [chap] = noop
(8)     [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8)     update control {
(8)       &Proxy-To-Realm := LOCAL
(8)     } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 9 length 37
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8)   authenticate {
(8) eap: Expiring EAP session with state 0x80bfe1b681b6fb9c
(8) eap: Finished EAP session with state 0x8e11447889185d5a
(8) eap: Previous EAP request found for state 0x8e11447889185d5a, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message = 0x020900061a03
(8) eap_peap: Setting User-Name to host/WNAMTest.stand.ru
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap:   EAP-Message = 0x020900061a03
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = "host/WNAMTest.stand.ru"
(8) eap_peap:   State = 0x80bfe1b681b6fb9c548551106d70804b
(8) Virtual server inner-tunnel received request
(8)   EAP-Message = 0x020900061a03
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "host/WNAMTest.stand.ru"
(8)   State = 0x80bfe1b681b6fb9c548551106d70804b
(8) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(8) server inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8)     authorize {
(8)       policy filter_username {
(8)         if (&User-Name) {
(8)         if (&User-Name)  -> TRUE
(8)         if (&User-Name)  {
(8)           if (&User-Name =~ / /) {
(8)           if (&User-Name =~ / /)  -> FALSE
(8)           if (&User-Name =~ /@[^@]*@/ ) {
(8)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)           if (&User-Name =~ /\.\./ ) {
(8)           if (&User-Name =~ /\.\./ )  -> FALSE
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)           if (&User-Name =~ /\.$/)  {
(8)           if (&User-Name =~ /\.$/)   -> FALSE
(8)           if (&User-Name =~ /@\./)  {
(8)           if (&User-Name =~ /@\./)   -> FALSE
(8)         } # if (&User-Name)  = notfound
(8)       } # policy filter_username = notfound
(8)       [chap] = noop
(8)       [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)       [suffix] = noop
(8)       update control {
(8)         &Proxy-To-Realm := LOCAL
(8)       } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 9 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8)       [eap] = updated
(8)       [files] = noop
(8)       [expiration] = noop
(8)       [logintime] = noop
(8)       [pap] = noop
(8)     } # authorize = updated
(8)   Found Auth-Type = eap
(8)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8)     authenticate {
(8) eap: Expiring EAP session with state 0x80bfe1b681b6fb9c
(8) eap: Finished EAP session with state 0x80bfe1b681b6fb9c
(8) eap: Previous EAP request found for state 0x80bfe1b681b6fb9c, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 9 length 4
(8) eap: Freeing handler
(8)       [eap] = ok
(8)     } # authenticate = ok
(8)   # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(8)     post-auth {
(8)       if (0) {
(8)       if (0)  -> FALSE
(8)     } # post-auth = noop
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8)   MS-MPPE-Encryption-Policy = Encryption-Required
(8)   MS-MPPE-Encryption-Types = 4
(8)   MS-MPPE-Send-Key = 0xe444906440d09dcefe30e65f8a455ffe
(8)   MS-MPPE-Recv-Key = 0xdf0ca8f806b3a21c299fcfc99f87791b
(8)   EAP-Message = 0x03090004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   User-Name = "host/WNAMTest.stand.ru"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Required
(8) eap_peap:   MS-MPPE-Encryption-Types = 4
(8) eap_peap:   MS-MPPE-Send-Key = 0xe444906440d09dcefe30e65f8a455ffe
(8) eap_peap:   MS-MPPE-Recv-Key = 0xdf0ca8f806b3a21c299fcfc99f87791b
(8) eap_peap:   EAP-Message = 0x03090004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap:   User-Name = "host/WNAMTest.stand.ru"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Required
(8) eap_peap:   MS-MPPE-Encryption-Types = 4
(8) eap_peap:   MS-MPPE-Send-Key = 0xe444906440d09dcefe30e65f8a455ffe
(8) eap_peap:   MS-MPPE-Recv-Key = 0xdf0ca8f806b3a21c299fcfc99f87791b
(8) eap_peap:   EAP-Message = 0x03090004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap:   User-Name = "host/WNAMTest.stand.ru"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap_peap: Saving tunneled attributes for later
(8) eap: Sending EAP Request (code 1) ID 10 length 46
(8) eap: EAP session adding &reply:State = 0x8e114478861b5d5a
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found.  Ignoring.
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) session-state: Saving cached attributes
(8)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8)   TLS-Session-Version = "TLS 1.2"
(8) Sent Access-Challenge Id 6 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(8)   EAP-Message = 0x010a002e190017030300239251a406bf3dbfb461f9265352132b6168ac7357152cb9b634037994ebe332a9110348
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0x8e114478861b5d5aaaf63b261b53a370
(8) Finished request
Waking up in 1.1 seconds.
(9) Received Access-Request Id 7 from 10.8.150.118:1645 to 10.70.42.77:1645 length 215
(9)   User-Name = "host/WNAMTest.stand.ru"
(9)   Service-Type = Framed-User
(9)   Framed-MTU = 1504
(9)   Called-Station-Id = "00-17-E0-1C-15-87"
(9)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(9)   EAP-Message = 0x020a002e190017030300230000000000000004927ddd170135351a86f47838145a40afaf72f135003b599166820a
(9)   Message-Authenticator = 0x341162108426d80f1a33e359b5f4e4ec
(9)   NAS-Port-Type = Ethernet
(9)   NAS-Port = 50005
(9)   NAS-Port-Id = "FastEthernet0/5"
(9)   State = 0x8e114478861b5d5aaaf63b261b53a370
(9)   NAS-IP-Address = 10.8.150.118
(9) Restoring &session-state
(9)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9)   &session-state:TLS-Session-Version = "TLS 1.2"
(9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [chap] = noop
(9)     [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9)     update control {
(9)       &Proxy-To-Realm := LOCAL
(9)     } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 10 length 46
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9)   authenticate {
(9) eap: Expiring EAP session with state 0x8e114478861b5d5a
(9) eap: Finished EAP session with state 0x8e114478861b5d5a
(9) eap: Previous EAP request found for state 0x8e114478861b5d5a, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: Using saved attributes from the original Access-Accept
(9) eap_peap:   User-Name = "host/WNAMTest.stand.ru"
(9) eap: Sending EAP Success (code 3) ID 10 length 4
(9) eap: Freeing handler
(9)     [eap] = ok
(9)   } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(9)   post-auth {
(9)     if (0) {
(9)     if (0)  -> FALSE
(9)   } # post-auth = noop
(9) Sent Access-Accept Id 7 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(9)   User-Name = "host/WNAMTest.stand.ru"
(9)   MS-MPPE-Recv-Key = 0xaca43fa253ab9317739a3fb461cbcbe7135a0e64c859ba294d13521ab23900e5
(9)   MS-MPPE-Send-Key = 0x7a13c3ceca352d8324a687be674add16c6b032682308cfc6859ea2974fe41e3e
(9)   EAP-Message = 0x030a0004
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9) Finished request
Waking up in 0.2 seconds.
(0) Cleaning up request packet ID 254 with timestamp +286
(1) Cleaning up request packet ID 255 with timestamp +286
(2) Cleaning up request packet ID 0 with timestamp +286
(3) Cleaning up request packet ID 1 with timestamp +286
(4) Cleaning up request packet ID 2 with timestamp +286
(5) Cleaning up request packet ID 3 with timestamp +286
Waking up in 0.4 seconds.
(6) Cleaning up request packet ID 4 with timestamp +286
Waking up in 1.7 seconds.
(7) Cleaning up request packet ID 5 with timestamp +288
Waking up in 1.5 seconds.
(8) Cleaning up request packet ID 6 with timestamp +289
Waking up in 0.8 seconds.
(9) Cleaning up request packet ID 7 with timestamp +290

Ответить | Правка | Наверх | Cообщить модератору

4. "freeradius dot1x dynamic vlan assignment" +/–

Сообщение от Kovrevskii (ok), 07-Дек-22, 13:07

если в разделе post auth прописать if (1)
то выходит ошибка
(8) Received Access-Request Id 16 from 10.8.150.118:1645 to 10.70.42.77:1645 length 206
(8)   User-Name = "host/WNAMTest.stand.ru"
(8)   Service-Type = Framed-User
(8)   Framed-MTU = 1504
(8)   Called-Station-Id = "00-17-E0-1C-15-87"
(8)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(8)   EAP-Message = 0x020900251900170303001a0000000000000003bfc49b79f8e6a33b3dbb7bd7c40602262192
(8)   Message-Authenticator = 0x85293261230a81879ef33b04ef76807d
(8)   NAS-Port-Type = Ethernet
(8)   NAS-Port = 50005
(8)   NAS-Port-Id = "FastEthernet0/5"
(8)   State = 0x35db708332d269e6230a007503c37627
(8)   NAS-IP-Address = 10.8.150.118
(8) Restoring &session-state
(8)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8)   &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [chap] = noop
(8)     [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8)     update control {
(8)       &Proxy-To-Realm := LOCAL
(8)     } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 9 length 37
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8)   authenticate {
(8) eap: Expiring EAP session with state 0xe0803171e1892b17
(8) eap: Finished EAP session with state 0x35db708332d269e6
(8) eap: Previous EAP request found for state 0x35db708332d269e6, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message = 0x020900061a03
(8) eap_peap: Setting User-Name to host/WNAMTest.stand.ru
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap:   EAP-Message = 0x020900061a03
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = "host/WNAMTest.stand.ru"
(8) eap_peap:   State = 0xe0803171e1892b17e57438631f9978dd
(8) Virtual server inner-tunnel received request
(8)   EAP-Message = 0x020900061a03
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "host/WNAMTest.stand.ru"
(8)   State = 0xe0803171e1892b17e57438631f9978dd
(8) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(8) server inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8)     authorize {
(8)       policy filter_username {
(8)         if (&User-Name) {
(8)         if (&User-Name)  -> TRUE
(8)         if (&User-Name)  {
(8)           if (&User-Name =~ / /) {
(8)           if (&User-Name =~ / /)  -> FALSE
(8)           if (&User-Name =~ /@[^@]*@/ ) {
(8)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)           if (&User-Name =~ /\.\./ ) {
(8)           if (&User-Name =~ /\.\./ )  -> FALSE
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)           if (&User-Name =~ /\.$/)  {
(8)           if (&User-Name =~ /\.$/)   -> FALSE
(8)           if (&User-Name =~ /@\./)  {
(8)           if (&User-Name =~ /@\./)   -> FALSE
(8)         } # if (&User-Name)  = notfound
(8)       } # policy filter_username = notfound
(8)       [chap] = noop
(8)       [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)       [suffix] = noop
(8)       update control {
(8)         &Proxy-To-Realm := LOCAL
(8)       } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 9 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8)       [eap] = updated
(8)       [files] = noop
(8)       [expiration] = noop
(8)       [logintime] = noop
(8)       [pap] = noop
(8)     } # authorize = updated
(8)   Found Auth-Type = eap
(8)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8)     authenticate {
(8) eap: Expiring EAP session with state 0xe0803171e1892b17
(8) eap: Finished EAP session with state 0xe0803171e1892b17
(8) eap: Previous EAP request found for state 0xe0803171e1892b17, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 9 length 4
(8) eap: Freeing handler
(8)       [eap] = ok
(8)     } # authenticate = ok
(8)   # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(8)     post-auth {
(8)       if (1) {
(8)       if (1)  -> TRUE
(8)       if (1)  {
(8)         update reply {
(8)           User-Name !* ANY
(8)           Message-Authenticator !* ANY
(8)           EAP-Message !* ANY
(8)           Proxy-State !* ANY
(8)           MS-MPPE-Encryption-Types !* ANY
(8)           MS-MPPE-Encryption-Policy !* ANY
(8)           MS-MPPE-Send-Key !* ANY
(8)           MS-MPPE-Recv-Key !* ANY
(8)           Tunnel-Type = VLAN
(8)           Tunnel-Medium-Type = IEEE-802
(8)           Tunnel-Private-Group-Id = "150"
(8)         } # update reply = noop
(8)         update {
(8)           &outer.session-state::Tunnel-Type += &reply:Tunnel-Type[*] -> VLAN
(8)           &outer.session-state::Tunnel-Medium-Type += &reply:Tunnel-Medium-Type[*] -> IEEE-802
(8)           &outer.session-state::Tunnel-Private-Group-Id += &reply:Tunnel-Private-Group-Id[*] -> '150'
(8)         } # update = noop
(8)       } # if (1)  = noop
(8)     } # post-auth = noop
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8)   Tunnel-Type = VLAN
(8)   Tunnel-Medium-Type = IEEE-802
(8)   Tunnel-Private-Group-Id = "150"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap:   Tunnel-Type = VLAN
(8) eap_peap:   Tunnel-Medium-Type = IEEE-802
(8) eap_peap:   Tunnel-Private-Group-Id = "150"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap:   Tunnel-Type = VLAN
(8) eap_peap:   Tunnel-Medium-Type = IEEE-802
(8) eap_peap:   Tunnel-Private-Group-Id = "150"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap_peap: Saving tunneled attributes for later
(8) eap: Sending EAP Request (code 1) ID 10 length 46
(8) eap: EAP session adding &reply:State = 0x35db70833dd169e6
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found.  Ignoring.
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) session-state: Saving cached attributes
(8)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8)   TLS-Session-Version = "TLS 1.2"
(8)   Tunnel-Type += VLAN
(8)   Tunnel-Medium-Type += IEEE-802
(8)   Tunnel-Private-Group-Id += "150"
(8) Sent Access-Challenge Id 16 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(8)   EAP-Message = 0x010a002e190017030300239656895d9d047f0c62289e622c8e69d1d72d7d601c1981ec4514bfc83655820d0b7eae
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0x35db70833dd169e6230a007503c37627
(8) Finished request
Waking up in 2.0 seconds.
(9) Received Access-Request Id 17 from 10.8.150.118:1645 to 10.70.42.77:1645 length 215
(9)   User-Name = "host/WNAMTest.stand.ru"
(9)   Service-Type = Framed-User
(9)   Framed-MTU = 1504
(9)   Called-Station-Id = "00-17-E0-1C-15-87"
(9)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(9)   EAP-Message = 0x020a002e1900170303002300000000000000042f9e214e97dbecd34987e322d107aee761efe52b96b406123d7d9f
(9)   Message-Authenticator = 0x85051369b1f749095a19433c21200733
(9)   NAS-Port-Type = Ethernet
(9)   NAS-Port = 50005
(9)   NAS-Port-Id = "FastEthernet0/5"
(9)   State = 0x35db70833dd169e6230a007503c37627
(9)   NAS-IP-Address = 10.8.150.118
(9) Restoring &session-state
(9)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9)   &session-state:TLS-Session-Version = "TLS 1.2"
(9)   &session-state:Tunnel-Type += VLAN
(9)   &session-state:Tunnel-Medium-Type += IEEE-802
(9)   &session-state:Tunnel-Private-Group-Id += "150"
(9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [chap] = noop
(9)     [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9)     update control {
(9)       &Proxy-To-Realm := LOCAL
(9)     } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 10 length 46
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9)   authenticate {
(9) eap: Expiring EAP session with state 0x35db70833dd169e6
(9) eap: Finished EAP session with state 0x35db70833dd169e6
(9) eap: Previous EAP request found for state 0x35db70833dd169e6, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: Using saved attributes from the original Access-Accept
(9) eap_peap:   Tunnel-Type = VLAN
(9) eap_peap:   Tunnel-Medium-Type = IEEE-802
(9) eap_peap:   Tunnel-Private-Group-Id = "150"
(9) eap: Sending EAP Success (code 3) ID 10 length 4
(9) eap: Freeing handler
(9)     [eap] = ok
(9)   } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(9)   post-auth {
(9)     if (1) {
(9)     if (1)  -> TRUE
(9)     if (1)  {
(9)       update reply {
(9)         User-Name !* ANY
(9)         Message-Authenticator !* ANY
(9)         EAP-Message !* ANY
(9)         Proxy-State !* ANY
(9)         MS-MPPE-Encryption-Types !* ANY
(9)         MS-MPPE-Encryption-Policy !* ANY
(9)         MS-MPPE-Send-Key !* ANY
(9)         MS-MPPE-Recv-Key !* ANY
(9)         Tunnel-Type = VLAN
(9)         Tunnel-Medium-Type = IEEE-802
(9)         Tunnel-Private-Group-Id = "150"
(9)       } # update reply = noop
(9)       update {
(9)         ERROR: Mapping "&reply:" -> "&outer.session-state:" invalid in this context
(9)       } # update = invalid
(9)     } # if (1)  = invalid
(9)   } # post-auth = invalid
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9)   Post-Auth-Type REJECT {
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject:    --> host/WNAMTest.stand.ru
(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
(9)     [attr_filter.access_reject] = updated
(9)     update outer.session-state {
(9)       ERROR: Mapping "&request:Module-Failure-Message" -> "&Module-Failure-Message" invalid in this context
(9)     } # update outer.session-state = invalid
(9)   } # Post-Auth-Type REJECT = invalid
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.1 seconds.
(0) Cleaning up request packet ID 8 with timestamp +147
(1) Cleaning up request packet ID 9 with timestamp +147
(2) Cleaning up request packet ID 10 with timestamp +147
(3) Cleaning up request packet ID 11 with timestamp +147
(4) Cleaning up request packet ID 12 with timestamp +147
(5) Cleaning up request packet ID 13 with timestamp +147
Waking up in 0.2 seconds.
(9) Sending delayed response
(9) Sent Access-Reject Id 17 from 10.70.42.77:1645 to 10.8.150.118:1645 length 20
(6) Cleaning up request packet ID 14 with timestamp +148
Waking up in 0.7 seconds.
(7) Cleaning up request packet ID 15 with timestamp +148
Waking up in 1.6 seconds.
(8) Cleaning up request packet ID 16 with timestamp +150
Waking up in 1.5 seconds.
(9) Cleaning up request packet ID 17 with timestamp +152
Ready to process requests

Ответить | Правка | Наверх | Cообщить модератору

Архив | Удалить

Рекомендовать для помещения в FAQ | Индекс форумов | Темы | Пред. тема | След. тема

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру

1. "freeradius dot1x dynamic vlan assignment"	+/–
Сообщение от Kovrevskii (ok), 07-Дек-22, 12:53
добавляю вывод radiusd -X при попытке аутентификации пользовател занчени if (0) Ready to process requests (0) Received Access-Request Id 254 from 10.8.150.118:1645 to 10.70.42.77:1645 length 178 (0) User-Name = "host/WNAMTest.stand.ru" (0) Service-Type = Framed-User (0) Framed-MTU = 1504 (0) Called-Station-Id = "00-17-E0-1C-15-87" (0) Calling-Station-Id = "00-E0-4C-31-0E-67" (0) EAP-Message = 0x0201001b01686f73742f574e414d546573742e7374616e642e7275 (0) Message-Authenticator = 0x05f0beadc58cb570784f655631e40bff (0) NAS-Port-Type = Ethernet (0) NAS-Port = 50005 (0) NAS-Port-Id = "FastEthernet0/5" (0) NAS-IP-Address = 10.8.150.118 (0) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]@/ ) { (0) if (&User-Name =~ /@[^@]@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [chap] = noop (0) [mschap] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) update control { (0) &Proxy-To-Realm := LOCAL (0) } # update control = noop (0) eap: Peer sent EAP Response (code 2) ID 1 length 27 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new TLS session (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 2 length 6 (0) eap: EAP session adding &reply:State = 0x8e1144788e135d5a (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (0) Sent Access-Challenge Id 254 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0 (0) EAP-Message = 0x010200061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x8e1144788e135d5aaaf63b261b53a370 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 255 from 10.8.150.118:1645 to 10.70.42.77:1645 length 373 (1) User-Name = "host/WNAMTest.stand.ru" (1) Service-Type = Framed-User (1) Framed-MTU = 1504 (1) Called-Station-Id = "00-17-E0-1C-15-87" (1) Calling-Station-Id = "00-E0-4C-31-0E-67" (1) EAP-Message = 0x020200cc1980000000c216030300bd010000b90303639061b3946a0116999001e2cec4eebcc744aa45dd6d3db2d7101612d3e71cf720813f3268239d3d77179cefc9e73f95ba89586d214ebee8e831a945798c53993a002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100 (1) Message-Authenticator = 0x57980fece321d5b7e48eb9f464877726 (1) NAS-Port-Type = Ethernet (1) NAS-Port = 50005 (1) NAS-Port-Id = "FastEthernet0/5" (1) State = 0x8e1144788e135d5aaaf63b261b53a370 (1) NAS-IP-Address = 10.8.150.118 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]@/ ) { (1) if (&User-Name =~ /@[^@]@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [chap] = noop (1) [mschap] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) update control { (1) &Proxy-To-Realm := LOCAL (1) } # update control = noop (1) eap: Peer sent EAP Response (code 2) ID 2 length 204 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (1) authenticate { (1) eap: Expiring EAP session with state 0x8e1144788e135d5a (1) eap: Finished EAP session with state 0x8e1144788e135d5a (1) eap: Previous EAP request found for state 0x8e1144788e135d5a, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 194 bytes (1) eap_peap: Got complete TLS record (194 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before SSL initialization (1) eap_peap: TLS_accept: before SSL initialization (1) eap_peap: TLS_accept: before SSL initialization (1) eap_peap: <<< recv TLS 1.3 [length 00bd] (1) eap_peap: TLS_accept: SSLv3/TLS read client hello (1) eap_peap: >>> send TLS 1.2 [length 003d] (1) eap_peap: TLS_accept: SSLv3/TLS write server hello (1) eap_peap: >>> send TLS 1.2 [length 0903] (1) eap_peap: TLS_accept: SSLv3/TLS write certificate (1) eap_peap: >>> send TLS 1.2 [length 014d] (1) eap_peap: TLS_accept: SSLv3/TLS write key exchange (1) eap_peap: >>> send TLS 1.2 [length 0004] (1) eap_peap: TLS_accept: SSLv3/TLS write server done (1) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (1) eap_peap: TLS - In Handshake Phase (1) eap_peap: TLS - got 2725 bytes of data (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 3 length 1004 (1) eap: EAP session adding &reply:State = 0x8e1144788f125d5a (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (1) Sent Access-Challenge Id 255 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0 (1) EAP-Message = 0x010303ec19c000000aa5160303003d02000039030316a38bcccaf0c1f7195d6060cabc048b9ea13d100d40f6852eb16cf57da470ce00c030000011ff01000100000b0004030001020017000016030309030b0008ff0008fc0003f8308203f4308202dca003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3232313132383131333435385a170d3233303132373131333435385a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x8e1144788f125d5aaaf63b261b53a370 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 0 from 10.8.150.118:1645 to 10.70.42.77:1645 length 175 (2) User-Name = "host/WNAMTest.stand.ru" (2) Service-Type = Framed-User (2) Framed-MTU = 1504 (2) Called-Station-Id = "00-17-E0-1C-15-87" (2) Calling-Station-Id = "00-E0-4C-31-0E-67" (2) EAP-Message = 0x020300061900 (2) Message-Authenticator = 0xaf565cd95e610e00b93fc948a081b99d (2) NAS-Port-Type = Ethernet (2) NAS-Port = 50005 (2) NAS-Port-Id = "FastEthernet0/5" (2) State = 0x8e1144788f125d5aaaf63b261b53a370 (2) NAS-IP-Address = 10.8.150.118 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]@/ ) { (2) if (&User-Name =~ /@[^@]@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [chap] = noop (2) [mschap] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) update control { (2) &Proxy-To-Realm := LOCAL (2) } # update control = noop (2) eap: Peer sent EAP Response (code 2) ID 3 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (2) authenticate { (2) eap: Expiring EAP session with state 0x8e1144788f125d5a (2) eap: Finished EAP session with state 0x8e1144788f125d5a (2) eap: Previous EAP request found for state 0x8e1144788f125d5a, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer ACKed our handshake fragment (2) eap_peap: [eaptls verify] = request (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 4 length 1000 (2) eap: EAP session adding &reply:State = 0x8e1144788c155d5a (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (2) Sent Access-Challenge Id 0 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0 (2) EAP-Message = 0x010403e819401fc7c5152c524cb8fae1e08afa965a924975fe798689c56b5f8ae875d147afe3077ed758c2804b1fd93d89c6b215d8195c9fb13218b78495e13bea9696902858d0ac9e091331e8078a7ef13799870cb0a0b1808c75e6ae1062eefc44d51f5410a3e9f84b4ccebd0004fe308204fa308203e2a0030201020214442cc1056ca0298b32cdbbe1cbe45e7490adc2eb300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3232313132383131333435385a170d3233303132373131333435385a308193310b3009060355040613024652310f300d06035504080c0652616469 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x8e1144788c155d5aaaf63b261b53a370 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 1 from 10.8.150.118:1645 to 10.70.42.77:1645 length 175 (3) User-Name = "host/WNAMTest.stand.ru" (3) Service-Type = Framed-User (3) Framed-MTU = 1504 (3) Called-Station-Id = "00-17-E0-1C-15-87" (3) Calling-Station-Id = "00-E0-4C-31-0E-67" (3) EAP-Message = 0x020400061900 (3) Message-Authenticator = 0x1f56bf12588e8191c2539fa98dc4746f (3) NAS-Port-Type = Ethernet (3) NAS-Port = 50005 (3) NAS-Port-Id = "FastEthernet0/5" (3) State = 0x8e1144788c155d5aaaf63b261b53a370 (3) NAS-IP-Address = 10.8.150.118 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]@/ ) { (3) if (&User-Name =~ /@[^@]@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [chap] = noop (3) [mschap] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) update control { (3) &Proxy-To-Realm := LOCAL (3) } # update control = noop (3) eap: Peer sent EAP Response (code 2) ID 4 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (3) authenticate { (3) eap: Expiring EAP session with state 0x8e1144788c155d5a (3) eap: Finished EAP session with state 0x8e1144788c155d5a (3) eap: Previous EAP request found for state 0x8e1144788c155d5a, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 5 length 743 (3) eap: EAP session adding &reply:State = 0x8e1144788d145d5a (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (3) Sent Access-Challenge Id 1 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0 (3) EAP-Message = 0x010502e7190072746966696361746520417574686f726974798214442cc1056ca0298b32cdbbe1cbe45e7490adc2eb300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101000f90c9bfa58166e202db547a485080f43eeb496d974779be4682989ea1aa2ed4392ee7ba208464a95021a2d9019bdd276ad97b0d7680f9dce4db059f5d3aee20589a5787ceca5dc3f2bac77b7e21cf9b1f7242684fa62b5cd23c4c20d98bc73b3f641a8a89e77b7048f2661f46f7222b644a7a23968041c8fea3d0dea25fd658875a06e7bca59c2769deca0debe1bb9b274d90d25652b43fc2693562765604e9592757c2c624419b1226f07f0d8cb443a355c7cdaacb444e1b8a6a123c9aed7d8949e9937a404e85f6a98695cbadc77d80dcdcaf215b7eb0fd15b4de5b061208f78da50c8479cd2d4f1dfa (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x8e1144788d145d5aaaf63b261b53a370 (3) Finished request Waking up in 4.9 seconds.
Ответить \| Правка \| Наверх \| Cообщить модератору


	2. "freeradius dot1x dynamic vlan assignment"	+/–
	Сообщение от Kovrevskii (ok), 07-Дек-22, 12:56
	продолжение (4) Received Access-Request Id 2 from 10.8.150.118:1645 to 10.70.42.77:1645 length 305 (4) User-Name = "host/WNAMTest.stand.ru" (4) Service-Type = Framed-User (4) Framed-MTU = 1504 (4) Called-Station-Id = "00-17-E0-1C-15-87" (4) Calling-Station-Id = "00-E0-4C-31-0E-67" (4) EAP-Message = 0x0205008819800000007e1603030046100000424104a7375d5a0b4cab49e9fec1125a800f8a23c26057dfd1f42d8ed06d30fc26a0ea775bafbe3e498651218316b113d020f7acf8c30b2a28774e6ca313eb61c6342714030300010116030300280000000000000000af23d74f75fbe62067fe01739e17ce88600ae6f610789121a25b0f666b425f6f (4) Message-Authenticator = 0x399081e9a1a5c11037d7dc6d3b08bc65 (4) NAS-Port-Type = Ethernet (4) NAS-Port = 50005 (4) NAS-Port-Id = "FastEthernet0/5" (4) State = 0x8e1144788d145d5aaaf63b261b53a370 (4) NAS-IP-Address = 10.8.150.118 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]@/ ) { (4) if (&User-Name =~ /@[^@]@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [chap] = noop (4) [mschap] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) update control { (4) &Proxy-To-Realm := LOCAL (4) } # update control = noop (4) eap: Peer sent EAP Response (code 2) ID 5 length 136 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (4) authenticate { (4) eap: Expiring EAP session with state 0x8e1144788d145d5a (4) eap: Finished EAP session with state 0x8e1144788d145d5a (4) eap: Previous EAP request found for state 0x8e1144788d145d5a, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 126 bytes (4) eap_peap: Got complete TLS record (126 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: TLS_accept: SSLv3/TLS write server done (4) eap_peap: <<< recv TLS 1.2 [length 0046] (4) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (4) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (4) eap_peap: <<< recv TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: SSLv3/TLS read finished (4) eap_peap: >>> send TLS 1.2 [length 0001] (4) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (4) eap_peap: >>> send TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: SSLv3/TLS write finished (4) eap_peap: (other): SSL negotiation finished successfully (4) eap_peap: TLS - Connection Established (4) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (4) eap_peap: TLS-Session-Version = "TLS 1.2" (4) eap_peap: TLS - got 51 bytes of data (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 6 length 57 (4) eap: EAP session adding &reply:State = 0x8e1144788a175d5a (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (4) session-state: Saving cached attributes (4) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (4) TLS-Session-Version = "TLS 1.2" (4) Sent Access-Challenge Id 2 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0 (4) EAP-Message = 0x01060039190014030300010116030300289251a406bf3dbfb03724ace561a3dd1a3295ed2c4d17b05d85670ecad49cb5873a6f8eb092810370 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x8e1144788a175d5aaaf63b261b53a370 (4) Finished request Waking up in 4.8 seconds. (5) Received Access-Request Id 3 from 10.8.150.118:1645 to 10.70.42.77:1645 length 175 (5) User-Name = "host/WNAMTest.stand.ru" (5) Service-Type = Framed-User (5) Framed-MTU = 1504 (5) Called-Station-Id = "00-17-E0-1C-15-87" (5) Calling-Station-Id = "00-E0-4C-31-0E-67" (5) EAP-Message = 0x020600061900 (5) Message-Authenticator = 0x325b51a8e67ce86e0d4401a06a1cadba (5) NAS-Port-Type = Ethernet (5) NAS-Port = 50005 (5) NAS-Port-Id = "FastEthernet0/5" (5) State = 0x8e1144788a175d5aaaf63b261b53a370 (5) NAS-IP-Address = 10.8.150.118 (5) Restoring &session-state (5) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) &session-state:TLS-Session-Version = "TLS 1.2" (5) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]@/ ) { (5) if (&User-Name =~ /@[^@]@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [chap] = noop (5) [mschap] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) update control { (5) &Proxy-To-Realm := LOCAL (5) } # update control = noop (5) eap: Peer sent EAP Response (code 2) ID 6 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (5) authenticate { (5) eap: Expiring EAP session with state 0x8e1144788a175d5a (5) eap: Finished EAP session with state 0x8e1144788a175d5a (5) eap: Previous EAP request found for state 0x8e1144788a175d5a, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer ACKed our handshake fragment. handshake is finished (5) eap_peap: [eaptls verify] = success (5) eap_peap: [eaptls process] = success (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state TUNNEL ESTABLISHED (5) eap: Sending EAP Request (code 1) ID 7 length 40 (5) eap: EAP session adding &reply:State = 0x8e1144788b165d5a (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (5) session-state: Saving cached attributes (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) TLS-Session-Version = "TLS 1.2" (5) Sent Access-Challenge Id 3 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0 (5) EAP-Message = 0x010700281900170303001d9251a406bf3dbfb1c4883ad1165a072b12d250a2a4d4747b6748cd60ed (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x8e1144788b165d5aaaf63b261b53a370 (5) Finished request Waking up in 4.8 seconds. (6) Received Access-Request Id 4 from 10.8.150.118:1645 to 10.70.42.77:1645 length 227 (6) User-Name = "host/WNAMTest.stand.ru" (6) Service-Type = Framed-User (6) Framed-MTU = 1504 (6) Called-Station-Id = "00-17-E0-1C-15-87" (6) Calling-Station-Id = "00-E0-4C-31-0E-67" (6) EAP-Message = 0x0207003a1900170303002f000000000000000155af9208b9017d53ad5ae04767876fbc5e85a534d96d067d5325b0772d3d76e28e379d081fb595 (6) Message-Authenticator = 0xac48ac31824eed7ee4ef2c0c7cea5934 (6) NAS-Port-Type = Ethernet (6) NAS-Port = 50005 (6) NAS-Port-Id = "FastEthernet0/5" (6) State = 0x8e1144788b165d5aaaf63b261b53a370 (6) NAS-IP-Address = 10.8.150.118 (6) Restoring &session-state (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) &session-state:TLS-Session-Version = "TLS 1.2" (6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]@/ ) { (6) if (&User-Name =~ /@[^@]@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 7 length 58 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Expiring EAP session with state 0x8e1144788b165d5a (6) eap: Finished EAP session with state 0x8e1144788b165d5a (6) eap: Previous EAP request found for state 0x8e1144788b165d5a, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY (6) eap_peap: Identity - host/WNAMTest.stand.ru (6) eap_peap: Got inner identity 'host/WNAMTest.stand.ru' (6) eap_peap: Setting default EAP type for tunneled EAP session (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x0207001b01686f73742f574e414d546573742e7374616e642e7275 (6) eap_peap: Setting User-Name to host/WNAMTest.stand.ru (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x0207001b01686f73742f574e414d546573742e7374616e642e7275 (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "host/WNAMTest.stand.ru" (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x0207001b01686f73742f574e414d546573742e7374616e642e7275 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "host/WNAMTest.stand.ru" (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]@/ ) { (6) if (&User-Name =~ /@[^@]@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 7 length 27 (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Peer sent packet with method EAP Identity (1) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: Issuing Challenge (6) eap: Sending EAP Request (code 1) ID 8 length 43 (6) eap: EAP session adding &reply:State = 0x80bfe1b680b7fb9c (6) [eap] = handled (6) } # authenticate = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) EAP-Message = 0x0108002b1a01080026106912a9030f5003beda5b4dec2f6730a8667265657261646975732d332e302e3231 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x80bfe1b680b7fb9c548551106d70804b (6) eap_peap: Got tunneled reply code 11 (6) eap_peap: EAP-Message = 0x0108002b1a01080026106912a9030f5003beda5b4dec2f6730a8667265657261646975732d332e302e3231 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x80bfe1b680b7fb9c548551106d70804b (6) eap_peap: Got tunneled reply RADIUS code 11 (6) eap_peap: EAP-Message = 0x0108002b1a01080026106912a9030f5003beda5b4dec2f6730a8667265657261646975732d332e302e3231 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x80bfe1b680b7fb9c548551106d70804b (6) eap_peap: Got tunneled Access-Challenge (6) eap: Sending EAP Request (code 1) ID 8 length 74 (6) eap: EAP session adding &reply:State = 0x8e11447888195d5a (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) session-state: Saving cached attributes (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) TLS-Session-Version = "TLS 1.2" (6) Sent Access-Challenge Id 4 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0 (6) EAP-Message = 0x0108004a1900170303003f9251a406bf3dbfb21ba0d54fc4fb678471339bd905a4d1efe72a529fbfa57ac4d537c3a217957d3ece4e5b8b66b75ccc379346f106da70cb435a9a8260dd81 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x8e11447888195d5aaaf63b261b53a370 (6) Finished request Waking up in 4.4 seconds.
	Ответить \| Правка \| Наверх \| Cообщить модератору


	4. "freeradius dot1x dynamic vlan assignment"	+/–
	Сообщение от Kovrevskii (ok), 07-Дек-22, 13:07
	если в разделе post auth прописать if (1) то выходит ошибка (8) Received Access-Request Id 16 from 10.8.150.118:1645 to 10.70.42.77:1645 length 206 (8) User-Name = "host/WNAMTest.stand.ru" (8) Service-Type = Framed-User (8) Framed-MTU = 1504 (8) Called-Station-Id = "00-17-E0-1C-15-87" (8) Calling-Station-Id = "00-E0-4C-31-0E-67" (8) EAP-Message = 0x020900251900170303001a0000000000000003bfc49b79f8e6a33b3dbb7bd7c40602262192 (8) Message-Authenticator = 0x85293261230a81879ef33b04ef76807d (8) NAS-Port-Type = Ethernet (8) NAS-Port = 50005 (8) NAS-Port-Id = "FastEthernet0/5" (8) State = 0x35db708332d269e6230a007503c37627 (8) NAS-IP-Address = 10.8.150.118 (8) Restoring &session-state (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]@/ ) { (8) if (&User-Name =~ /@[^@]@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 9 length 37 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0xe0803171e1892b17 (8) eap: Finished EAP session with state 0x35db708332d269e6 (8) eap: Previous EAP request found for state 0x35db708332d269e6, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x020900061a03 (8) eap_peap: Setting User-Name to host/WNAMTest.stand.ru (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x020900061a03 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "host/WNAMTest.stand.ru" (8) eap_peap: State = 0xe0803171e1892b17e57438631f9978dd (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x020900061a03 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "host/WNAMTest.stand.ru" (8) State = 0xe0803171e1892b17e57438631f9978dd (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]@/ ) { (8) if (&User-Name =~ /@[^@]@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 9 length 6 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0xe0803171e1892b17 (8) eap: Finished EAP session with state 0xe0803171e1892b17 (8) eap: Previous EAP request found for state 0xe0803171e1892b17, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap: Sending EAP Success (code 3) ID 9 length 4 (8) eap: Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (8) post-auth { (8) if (1) { (8) if (1) -> TRUE (8) if (1) { (8) update reply { (8) User-Name !* ANY (8) Message-Authenticator !* ANY (8) EAP-Message !* ANY (8) Proxy-State !* ANY (8) MS-MPPE-Encryption-Types !* ANY (8) MS-MPPE-Encryption-Policy !* ANY (8) MS-MPPE-Send-Key !* ANY (8) MS-MPPE-Recv-Key !* ANY (8) Tunnel-Type = VLAN (8) Tunnel-Medium-Type = IEEE-802 (8) Tunnel-Private-Group-Id = "150" (8) } # update reply = noop (8) update { (8) &outer.session-state::Tunnel-Type += &reply:Tunnel-Type[] -> VLAN (8) &outer.session-state::Tunnel-Medium-Type += &reply:Tunnel-Medium-Type[] -> IEEE-802 (8) &outer.session-state::Tunnel-Private-Group-Id += &reply:Tunnel-Private-Group-Id[] -> '150' (8) } # update = noop (8) } # if (1) = noop (8) } # post-auth = noop (8) } # server inner-tunnel (8) Virtual server sending reply (8) Tunnel-Type = VLAN (8) Tunnel-Medium-Type = IEEE-802 (8) Tunnel-Private-Group-Id = "150" (8) eap_peap: Got tunneled reply code 2 (8) eap_peap: Tunnel-Type = VLAN (8) eap_peap: Tunnel-Medium-Type = IEEE-802 (8) eap_peap: Tunnel-Private-Group-Id = "150" (8) eap_peap: Got tunneled reply RADIUS code 2 (8) eap_peap: Tunnel-Type = VLAN (8) eap_peap: Tunnel-Medium-Type = IEEE-802 (8) eap_peap: Tunnel-Private-Group-Id = "150" (8) eap_peap: Tunneled authentication was successful (8) eap_peap: SUCCESS (8) eap_peap: Saving tunneled attributes for later (8) eap: Sending EAP Request (code 1) ID 10 length 46 (8) eap: EAP session adding &reply:State = 0x35db70833dd169e6 (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) session-state: Saving cached attributes (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) TLS-Session-Version = "TLS 1.2" (8) Tunnel-Type += VLAN (8) Tunnel-Medium-Type += IEEE-802 (8) Tunnel-Private-Group-Id += "150" (8) Sent Access-Challenge Id 16 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0 (8) EAP-Message = 0x010a002e190017030300239656895d9d047f0c62289e622c8e69d1d72d7d601c1981ec4514bfc83655820d0b7eae (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x35db70833dd169e6230a007503c37627 (8) Finished request Waking up in 2.0 seconds. (9) Received Access-Request Id 17 from 10.8.150.118:1645 to 10.70.42.77:1645 length 215 (9) User-Name = "host/WNAMTest.stand.ru" (9) Service-Type = Framed-User (9) Framed-MTU = 1504 (9) Called-Station-Id = "00-17-E0-1C-15-87" (9) Calling-Station-Id = "00-E0-4C-31-0E-67" (9) EAP-Message = 0x020a002e1900170303002300000000000000042f9e214e97dbecd34987e322d107aee761efe52b96b406123d7d9f (9) Message-Authenticator = 0x85051369b1f749095a19433c21200733 (9) NAS-Port-Type = Ethernet (9) NAS-Port = 50005 (9) NAS-Port-Id = "FastEthernet0/5" (9) State = 0x35db70833dd169e6230a007503c37627 (9) NAS-IP-Address = 10.8.150.118 (9) Restoring &session-state (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (9) &session-state:TLS-Session-Version = "TLS 1.2" (9) &session-state:Tunnel-Type += VLAN (9) &session-state:Tunnel-Medium-Type += IEEE-802 (9) &session-state:Tunnel-Private-Group-Id += "150" (9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]@/ ) { (9) if (&User-Name =~ /@[^@]@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [chap] = noop (9) [mschap] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) update control { (9) &Proxy-To-Realm := LOCAL (9) } # update control = noop (9) eap: Peer sent EAP Response (code 2) ID 10 length 46 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap: Expiring EAP session with state 0x35db70833dd169e6 (9) eap: Finished EAP session with state 0x35db70833dd169e6 (9) eap: Previous EAP request found for state 0x35db70833dd169e6, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv success (9) eap_peap: Received EAP-TLV response (9) eap_peap: Success (9) eap_peap: Using saved attributes from the original Access-Accept (9) eap_peap: Tunnel-Type = VLAN (9) eap_peap: Tunnel-Medium-Type = IEEE-802 (9) eap_peap: Tunnel-Private-Group-Id = "150" (9) eap: Sending EAP Success (code 3) ID 10 length 4 (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (9) post-auth { (9) if (1) { (9) if (1) -> TRUE (9) if (1) { (9) update reply { (9) User-Name ! ANY (9) Message-Authenticator !* ANY (9) EAP-Message !* ANY (9) Proxy-State !* ANY (9) MS-MPPE-Encryption-Types !* ANY (9) MS-MPPE-Encryption-Policy !* ANY (9) MS-MPPE-Send-Key !* ANY (9) MS-MPPE-Recv-Key !* ANY (9) Tunnel-Type = VLAN (9) Tunnel-Medium-Type = IEEE-802 (9) Tunnel-Private-Group-Id = "150" (9) } # update reply = noop (9) update { (9) ERROR: Mapping "&reply:" -> "&outer.session-state:" invalid in this context (9) } # update = invalid (9) } # if (1) = invalid (9) } # post-auth = invalid (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> host/WNAMTest.stand.ru (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) update outer.session-state { (9) ERROR: Mapping "&request:Module-Failure-Message" -> "&Module-Failure-Message" invalid in this context (9) } # update outer.session-state = invalid (9) } # Post-Auth-Type REJECT = invalid (9) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.1 seconds. (0) Cleaning up request packet ID 8 with timestamp +147 (1) Cleaning up request packet ID 9 with timestamp +147 (2) Cleaning up request packet ID 10 with timestamp +147 (3) Cleaning up request packet ID 11 with timestamp +147 (4) Cleaning up request packet ID 12 with timestamp +147 (5) Cleaning up request packet ID 13 with timestamp +147 Waking up in 0.2 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 17 from 10.70.42.77:1645 to 10.8.150.118:1645 length 20 (6) Cleaning up request packet ID 14 with timestamp +148 Waking up in 0.7 seconds. (7) Cleaning up request packet ID 15 with timestamp +148 Waking up in 1.6 seconds. (8) Cleaning up request packet ID 16 with timestamp +150 Waking up in 1.5 seconds. (9) Cleaning up request packet ID 17 with timestamp +152 Ready to process requests
	Ответить \| Правка \| Наверх \| Cообщить модератору