Dear list,

I'm trying to configure a radius 1.1.4 (radiusd: FreeRADIUS Version 1.1.4, with security changes through 1.1.7, OS X Leopard Server) in such a way that it doesn't authenticate users from a certain access point.

I have this entry in my users file

DEFAULT Called-Station-Id =~ ".*MMP"
        Auth-Type := Reject

from the logs I see it's being matched:

users: Matched entry DEFAULT at line 220

but it has no effect on the authentication, as I think (I'm a radius newbie) that the EAP module is processed before the users file, and the EAP module authenticates the user. I think I must process the

DEFAULT Called-Station-Id =~ ".*MMP"
        Auth-Type := Reject

before the EAP module. How can I do that? In the hints file maybe?

Thanks

Cristiano



rad_recv: Access-Request packet from host 192.168.2.31:2061, id=177, length=143
        User-Name = "cri"
        NAS-IP-Address = 192.168.2.31
        NAS-Port = 0
        Called-Station-Id = "00-21-29-7C-AB-7B:MMP"
        Calling-Station-Id = "00-19-E3-00-55-4F"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0201000801637269
        Message-Authenticator = 0x5dbfc4d69e5f14b4a172f47575fdf842
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  hints: Matched DEFAULT at 78
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "cri", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 8
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 220
  modcall[authorize]: module "files" returns ok for request 0
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 192.168.2.31 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
  modcall[authorize]: module "opendirectory" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 177 to 192.168.2.31 port 2061
        EAP-Message = 0x010200061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x34c3e8f850f0bf36972e1df2a90487cd
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.31:2061, id=178, length=297
        User-Name = "cri"
        NAS-IP-Address = 192.168.2.31
        NAS-Port = 0
        Called-Station-Id = "00-21-29-7C-AB-7B:MMP"
        Calling-Station-Id = "00-19-E3-00-55-4F"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0202009015800000008616030100810100007d030149a73723c89a6f08732f2687e4129ea4b5d0a774c90978664b86eeb2a05bbbc0202288bff5a023a17326bcbd7c54fffb96e226e27bd8b1ee5cb4c9e935bcaab9800036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100
        State = 0x34c3e8f850f0bf36972e1df2a90487cd
        Message-Authenticator = 0x34083894e97ffcc560a45722a9ea0f75
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  hints: Matched DEFAULT at 78
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "cri", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 2 length 144
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 220
  modcall[authorize]: module "files" returns ok for request 1
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 192.168.2.31 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
  modcall[authorize]: module "opendirectory" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0081], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 035c], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 178 to 192.168.2.31 port 2061
        EAP-Message = ...
        EAP-Message = ...
        EAP-Message = ...
        EAP-Message = 0x0b3009060355040313026361311f301d06092a864886f70d0109011610637269737469616e6f406d6d702e6974820100300d06092a864886f70d0101040500038181007cb6d0a86535805629183fe530940e285969afbd2870835982185152f6a951144a8bcaf1928e681325cf5a3804da48c60450022b059750cef706298a063a27c2991501930ca18ed9acffbde1e2872dcf7c306dda5b0d38ca752865bd9998e108128a8686d0dc55060c22029870a68755ea08fe82fa47deaff69373c5565605d716030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x939aa97763146ddbdd239e658360f03e
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.31:2061, id=179, length=361
        User-Name = "cri"
        NAS-IP-Address = 192.168.2.31
        NAS-Port = 0
        Called-Station-Id = "00-21-29-7C-AB-7B:MMP"
        Calling-Station-Id = "00-19-E3-00-55-4F"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020300d01580000000c6160301008610000082008084ee2c3608616ce6eba4d00c29044351d16e12f685ae7f3b681c6dab7d82305beee402988ed382fa4bd470c168bdc0a965a109d5c77248ac0ed4a80132dd2137ec4e6f465e3b87b652840a9a159b955a1b1295071845a7d8eb644d23035913d6d14a4e3129c2b34ae491a56023a4945687c73590065cab6655c6751556d3ce1014030100010116030100301e3574dc99e3fb202d0cab8eef90cb10d573d7cd1bf7f2293f6f60c82dacd3a7a6859bb080b5c2afc066f4f6e671b8da
        State = 0x939aa97763146ddbdd239e658360f03e
        Message-Authenticator = 0xc745a0eba4da1470bc9051537c608ae5
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  hints: Matched DEFAULT at 78
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "cri", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 3 length 208
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched entry DEFAULT at line 220
  modcall[authorize]: module "files" returns ok for request 2
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 192.168.2.31 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
  modcall[authorize]: module "opendirectory" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 179 to 192.168.2.31 port 2061
        EAP-Message = 0x0104004515800000003b1403010001011603010030724efe5892209f79ab0be929e2bcbf8e8b59a64d8dcbea3802424703b09caafead87b56b4e73d613a0cbe8630d9ecf3a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9bb6f2bd09a30769727417518278b1c6
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.31:2061, id=180, length=296
        User-Name = "cri"
        NAS-IP-Address = 192.168.2.31
        NAS-Port = 0
        Called-Station-Id = "00-21-29-7C-AB-7B:MMP"
        Calling-Station-Id = "00-19-E3-00-55-4F"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0204008f15800000008517030100800d661d7c92bd96e81b9d59d94e07128c9f7819bcf142363d1effff4c19ff685b0325afdf5ee8982c3ac3c83fc773e6405afeacb014e655072689bf86e5e81c8caf19449932f280d02c8ee99c6f454a017c9058efcb2edb73704d287d03d419f3fb411d316618c3909096fbacdd2731a2f930c9c07d9347ff468940280e0d3a50
        State = 0x9bb6f2bd09a30769727417518278b1c6
        Message-Authenticator = 0x9d4d0299131dca34d8fcec115e162981
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  hints: Matched DEFAULT at 78
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: No '@' in User-Name = "cri", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: EAP packet type response id 4 length 143
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched entry DEFAULT at line 220
  modcall[authorize]: module "files" returns ok for request 3
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 192.168.2.31 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
  modcall[authorize]: module "opendirectory" returns ok for request 3
modcall: leaving group authorize (returns updated) for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
  TTLS: Got tunneled request
        User-Name = "cri"
        MS-CHAP-Challenge = 0xaac5cd367c8c6514065b78a2565af005
        MS-CHAP2-Response = 0x4b006a5d287a775c2f4ec2dc8d5ee478803400000000000000003785e19f894564ea925070dd285bb53c762f75138e04eef0
        FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
        User-Name = "cri"
        MS-CHAP-Challenge = 0xaac5cd367c8c6514065b78a2565af005
        MS-CHAP2-Response = 0x4b006a5d287a775c2f4ec2dc8d5ee478803400000000000000003785e19f894564ea925070dd285bb53c762f75138e04eef0
        FreeRADIUS-Proxied-To = 127.0.0.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module "mschap" returns ok for request 3
    rlm_realm: No '@' in User-Name = "cri", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 3
  modcall[authorize]: module "files" returns notfound for request 3
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 127.0.0.1 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
  modcall[authorize]: module "opendirectory" returns ok for request 3
modcall: leaving group authorize (returns ok) for request 3
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 3
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for cri with NT-Password
rlm_mschap: No NT-Password configured. Trying DirectoryService Authentication.
rlm_mschap:username_string = cri, shortUserName=cristianoc (length = 10)
rlm_mschap: stepbuf server challenge:
aac5cd367c8c6514065b78a2565af005
rlm_mschap: stepbuf peer challenge:
6a5d287a775c2f4ec2dc8d5ee4788034
rlm_mschap stepbuf p24:
3785e19f894564ea925070dd285bb53c762f75138e04eef0
rlm_mschap: dsDoDirNodeAuth returns stepbuff: S=94B97D6D9ECB538F5BC19670191AA6C539961B90?<?W ??M????? (len=40)
  modcall[authenticate]: module "mschap" returns ok for request 3
modcall: leaving group MS-CHAP (returns ok) for request 3
Login OK: [cri/<no User-Password attribute>] (from client localhost port 0)
  TTLS: Got tunneled reply RADIUS code 2
        MS-CHAP2-Success = 0x4b533d39344239374436443945434235333846354243313936373031393141413643353339393631423930
  TTLS: Got tunneled Access-Accept
TTLS: Got MS-CHAP2-Success, tunneling it to the client in a challenge.
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 180 to 192.168.2.31 port 2061
        EAP-Message = 0x0105005f15800000005517030100503d6bd35427103f31bd94fa61ded8e896daedf6fe82701d2d835ce1a0877797591fe2eefb0a839ac3e8a7b5dfcc9be6f361f002c0e30308cac5867f397e5ba6aaf5920ad41e2a0bd17a3198b773a66086
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xadaf96b5d3dfb8d5cbfb414029557575
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.31:2061, id=181, length=159
        User-Name = "cri"
        NAS-IP-Address = 192.168.2.31
        NAS-Port = 0
        Called-Station-Id = "00-21-29-7C-AB-7B:MMP"
        Calling-Station-Id = "00-19-E3-00-55-4F"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020500061500
        State = 0xadaf96b5d3dfb8d5cbfb414029557575
        Message-Authenticator = 0x4511af0f520283314c0820b2448124b4
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  hints: Matched DEFAULT at 78
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "cri", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: EAP packet type response id 5 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched entry DEFAULT at line 220
  modcall[authorize]: module "files" returns ok for request 4
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 192.168.2.31 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
  modcall[authorize]: module "opendirectory" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 4
modcall: leaving group authenticate (returns ok) for request 4
Login OK: [cri/<no User-Password attribute>] (from client ap1 port 0 cli 00-19-E3-00-55-4F)
Sending Access-Accept of id 181 to 192.168.2.31 port 2061
        MS-MPPE-Recv-Key = 0xebfef0baec2d46597caf6ca28d858fe6f5817944f42b00e9716049bad5ed0bd5
        MS-MPPE-Send-Key = 0xd23487bdcbe1da395589674f0733646244d69600d3733ff8b6e4e816334d11e5
        EAP-Message = 0x03050004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "cri"
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
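The debug output above shows the order the poster suspects: in the authorize section, "eap" returns "updated" (setting Auth-Type to EAP) before "files" matches the DEFAULT entry, and rad_check_password then reports Auth-Type EAP. The script below is an added example, not code from the post or from the FreeRADIUS project: it parses a constructed excerpt in the shape of that radiusd -X output, records the authorize module order and the Auth-Type chosen for each request, and flags requests where "eap" ran before "files". It also shows that the users-file operator =~ is an unanchored regex search, so the pattern ".*MMP" matches any Called-Station-Id that merely contains "MMP", not only ones ending in ":MMP". Function names and the sample log are assumptions made for this example.

```python
"""Diagnose FreeRADIUS 1.x authorize module ordering from 'radiusd -X' output.

Added example, not from the original post or the FreeRADIUS project.
Function names and SAMPLE_LOG are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: an excerpt in the shape of the debug log in the post.
SAMPLE_LOG = """\
modcall: entering group authorize for request 0
  hints: Matched DEFAULT at 78
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 8
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 220
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "opendirectory" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
"""

# Line shapes taken from the radiusd -X output format shown in the post.
MODULE_RE = re.compile(r'modcall\[authorize\]: module "(\w+)" returns (\w+) for request (\d+)')
USERS_RE = re.compile(r'users: Matched entry (\S+) at line (\d+)')
AUTHTYPE_RE = re.compile(r'rad_check_password:\s+Found Auth-Type (\S+)')


@dataclass
class AuthorizeTrace:
    """What the authorize section did for one request, in run order."""
    modules: List[Tuple[str, str]] = field(default_factory=list)  # (module, return code)
    users_entry: Optional[str] = None   # e.g. "DEFAULT@220" when the users file matched
    auth_type: Optional[str] = None     # Auth-Type rad_check_password finally found


def parse_trace(log: str) -> Dict[int, AuthorizeTrace]:
    """Group module return lines, users-file matches and the chosen Auth-Type per request."""
    traces: Dict[int, AuthorizeTrace] = {}
    current: Optional[AuthorizeTrace] = None
    for line in log.splitlines():
        m = MODULE_RE.search(line)
        if m:
            module, rc, req = m.group(1), m.group(2), int(m.group(3))
            current = traces.setdefault(req, AuthorizeTrace())
            current.modules.append((module, rc))
            continue
        m = USERS_RE.search(line)
        if m and current is not None:
            current.users_entry = f"{m.group(1)}@{m.group(2)}"
            continue
        # The Auth-Type line carries no request id; it belongs to the request being processed.
        m = AUTHTYPE_RE.search(line)
        if m and current is not None:
            current.auth_type = m.group(1)
    return traces


def eap_runs_before_files(trace: AuthorizeTrace) -> bool:
    """True when the eap module ran (and could set Auth-Type) before the users file was consulted."""
    order = [name for name, _ in trace.modules]
    return "eap" in order and "files" in order and order.index("eap") < order.index("files")


def users_regex_matches(called_station_id: str, pattern: str) -> bool:
    """FreeRADIUS '=~' is an unanchored regex search, so '.*MMP' matches anywhere in the value."""
    return re.search(pattern, called_station_id) is not None


def report(log: str) -> List[str]:
    """One finding per request describing the ordering problem, if any."""
    findings = []
    for req, trace in sorted(parse_trace(log).items()):
        order = " -> ".join(name for name, _ in trace.modules)
        if eap_runs_before_files(trace):
            findings.append(f"request {req}: eap before files ({order}); users entry "
                            f"{trace.users_entry} matched but Auth-Type is {trace.auth_type}")
        else:
            findings.append(f"request {req}: files consulted before eap ({order})")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
    # Anchoring the pattern avoids matching unrelated stations that happen to contain "MMP".
    for value in ("00-21-29-7C-AB-7B:MMP", "00-21-29-7C-AB-7B:LAB", "MMP-office"):
        print(f'{value!r}: ".*MMP" -> {users_regex_matches(value, ".*MMP")}, '
              f'":MMP$" -> {users_regex_matches(value, ":MMP$")}')
```

The ordering check confirms what the poster reads from the log. In FreeRADIUS 1.x the modules in authorize run in the order they are listed in that section of radiusd.conf, so a users-file entry can only take effect ahead of EAP if "files" is listed before "eap" there; the anchored pattern ":MMP$" is the tighter check item for the Called-Station-Id values the log shows.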
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html