Hello friends! I need help.
I am testing a *locally installed freeradius* configuration to work with
freeipa (ldap) on nthash via mschap-v2.
What I did for this:
1) yum install freeradius-ldap
2) ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
3) change /etc/raddb/mods-available/ldap
server = 'server.dmosk.local'
identity = 'uid=services,cn=users,cn=accounts,dc=test,dc=com'
password = my_password
base_dn = 'cn=users,cn=accounts,dc=test,dc=com'
update {
...
control:NT-Password := 'ipaNTHash'
...
}
4) change /etc/raddb/mods-available/eap
...
default_eap_type = mschapv2
...
5) reload freeradius
6) TESTING:
radtest -t mschap ldap_user test12345 localhost:1812 0 testing123
and get Received *Access-ACCEPT*
*Question:*
Can anyone tell me how to set up this configuration on packetfence?
I tried to do this, but it didn't work for me:
1. Create authentication source - LDAP - define server, identity, password,
base_dn, Username Attribute. And checked through the test button
2. add update control:NT-Password := 'ipaNTHash' to file
/usr/local/pf/raddb/mods-enabled/ldap_packetfence
3. change default_eap_type = mschapv2
in /usr/local/pf/raddb/mods-enabled/eap
4. add to Standard Connection Profile sources ldap
5. tried adding default and null in tab stripping to Realms - ldap source
6. TESTING:
radtest -t mschap ldap_user test12345 localhost:1812 0 testing123
and get:
Received Access-Reject Id 247 from 127.0.0.1:1812 to 127.0.0.1:56955 length 61
MS-CHAP-Error = "\000E=691 R=0 C=1cef2a7d250330ff V=2"
(0) -: Expected Access-Accept got Access-Reject
I do not understand what the problem is. I also attached the logs of
freeradius running in debug mode (/usr/sbin/freeradius -d
/usr/local/pf/raddb -n auth -fxx -l stdout). See attachment. Please help me.
(0) Received Access-Request Id 118 from 127.0.0.1:47847 to 127.0.0.1:1812 length 134
(0) User-Name = "ldap_user"
(0) NAS-IP-Address = 127.0.1.1
(0) NAS-Port = 0
(0) Message-Authenticator = 0x02f379c5a3927fcfac20ead4a324eb33
(0) MS-CHAP-Challenge = 0x1e58cc9124b27dd8
(0) MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000029f11b073e6e9fd40f3d537eae2d94804bc716880a57a4a6
(0) # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
(0) authorize {
(0) policy packetfence-nas-ip-address {
(0) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(0) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(0) } # policy packetfence-nas-ip-address = notfound
(0) update {
(0) EXPAND %{Packet-Src-IP-Address}
(0) --> 127.0.0.1
(0) &request:FreeRADIUS-Client-IP-Address := 127.0.0.1
(0) EXPAND %{Packet-Dst-IP-Address}
(0) --> 127.0.0.1
(0) &request:PacketFence-Radius-Ip := 127.0.0.1
(0) &control:PacketFence-RPC-Server = containers-gateway.internal
(0) &control:PacketFence-RPC-Port = 7070
(0) &control:PacketFence-RPC-User = system
(0) &control:PacketFence-RPC-Pass = ZjVmM2YyODQ5NTU1NGE5NmU5ZWJkOTU3
(0) &control:PacketFence-RPC-Proto = http
(0) EXPAND %l
(0) --> 1667235861
(0) &control:Tmp-Integer-0 := 1667235861
(0) &control:PacketFence-Request-Time := 0
(0) } # update = noop
(0) policy packetfence-set-realm-if-machine {
(0) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
(0) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) -> FALSE
(0) } # policy packetfence-set-realm-if-machine = noop
(0) policy packetfence-balanced-key-policy {
(0) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) {
(0) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) -> FALSE
(0) else {
(0) update {
(0) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}}
(0) --> 1934ba9a62efd74276c9f7dc99fef249
(0) &request:PacketFence-KeyBalanced := 1934ba9a62efd74276c9f7dc99fef249
(0) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}}
(0) --> 1934ba9a62efd74276c9f7dc99fef249
(0) &control:Load-Balance-Key := 1934ba9a62efd74276c9f7dc99fef249
(0) } # update = noop
(0) } # else = noop
(0) } # policy packetfence-balanced-key-policy = noop
(0) policy rewrite_calling_station_id {
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy rewrite_calling_station_id = noop
(0) policy rewrite_called_station_id {
(0) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
(0) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy rewrite_called_station_id = noop
(0) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) {
(0) EXPAND %{client:shortname}
(0) --> localhost
(0) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) -> FALSE
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = noop
(0) } # policy filter_username = noop
(0) policy filter_password {
(0) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(0) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(0) } # policy filter_password = noop
(0) [preprocess] = ok
(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "ldap_user", skipping NULL due to config.
(0) [suffix] = noop
(0) ntdomain: Checking for prefix before "\"
(0) ntdomain: No '\' in User-Name = "ldap_user", looking up realm NULL
(0) ntdomain: Found realm "null"
(0) ntdomain: Adding Stripped-User-Name = "ldap_user"
(0) ntdomain: Adding Realm = "null"
(0) ntdomain: Authentication realm is LOCAL
(0) [ntdomain] = ok
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) if ( !EAP-Message && "%{%{Control:Auth-type}:-No-MS_CHAP}" != "MS-CHAP") {
(0) EXPAND %{%{Control:Auth-type}:-No-MS_CHAP}
(0) --> MS-CHAP
(0) if ( !EAP-Message && "%{%{Control:Auth-type}:-No-MS_CHAP}" != "MS-CHAP") -> FALSE
(0) if ("%{%{Control:Auth-type}:-No-MS_CHAP}" == "MS-CHAP") {
(0) EXPAND %{%{Control:Auth-type}:-No-MS_CHAP}
(0) --> MS-CHAP
(0) if ("%{%{Control:Auth-type}:-No-MS_CHAP}" == "MS-CHAP") -> TRUE
(0) if ("%{%{Control:Auth-type}:-No-MS_CHAP}" == "MS-CHAP") {
(0) packetfence-multi-domain: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'ldap_user'
(0) packetfence-multi-domain: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '127.0.1.1'
(0) packetfence-multi-domain: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '0'
(0) packetfence-multi-domain: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Oct 31 2022 20:04:21 MSK'
(0) packetfence-multi-domain: $RAD_REQUEST{'Message-Authenticator'} = &request:Message-Authenticator -> '0x02f379c5a3927fcfac20ead4a324eb33'
(0) packetfence-multi-domain: $RAD_REQUEST{'MS-CHAP-Response'} = &request:MS-CHAP-Response -> '0x000100000000000000000000000000000000000000000000000029f11b073e6e9fd40f3d537eae2d94804bc716880a57a4a6'
(0) packetfence-multi-domain: $RAD_REQUEST{'MS-CHAP-Challenge'} = &request:MS-CHAP-Challenge -> '0x1e58cc9124b27dd8'
(0) packetfence-multi-domain: $RAD_REQUEST{'Stripped-User-Name'} = &request:Stripped-User-Name -> 'ldap_user'
(0) packetfence-multi-domain: $RAD_REQUEST{'Realm'} = &request:Realm -> 'null'
(0) packetfence-multi-domain: $RAD_REQUEST{'FreeRADIUS-Client-IP-Address'} = &request:FreeRADIUS-Client-IP-Address -> '127.0.0.1'
(0) packetfence-multi-domain: $RAD_REQUEST{'PacketFence-KeyBalanced'} = &request:PacketFence-KeyBalanced -> '1934ba9a62efd74276c9f7dc99fef249'
(0) packetfence-multi-domain: $RAD_REQUEST{'PacketFence-Radius-Ip'} = &request:PacketFence-Radius-Ip -> '127.0.0.1'
(0) packetfence-multi-domain: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'MS-CHAP'
(0) packetfence-multi-domain: $RAD_CHECK{'Load-Balance-Key'} = &control:Load-Balance-Key -> '1934ba9a62efd74276c9f7dc99fef249'
(0) packetfence-multi-domain: $RAD_CHECK{'Tmp-Integer-0'} = &control:Tmp-Integer-0 -> '1667235861'
(0) packetfence-multi-domain: $RAD_CHECK{'PacketFence-RPC-Server'} = &control:PacketFence-RPC-Server -> 'containers-gateway.internal'
(0) packetfence-multi-domain: $RAD_CHECK{'PacketFence-RPC-Port'} = &control:PacketFence-RPC-Port -> '7070'
(0) packetfence-multi-domain: $RAD_CHECK{'PacketFence-RPC-User'} = &control:PacketFence-RPC-User -> 'system'
(0) packetfence-multi-domain: $RAD_CHECK{'PacketFence-RPC-Pass'} = &control:PacketFence-RPC-Pass -> 'ZjVmM2YyODQ5NTU1NGE5NmU5ZWJkOTU3'
(0) packetfence-multi-domain: $RAD_CHECK{'PacketFence-RPC-Proto'} = &control:PacketFence-RPC-Proto -> 'http'
(0) packetfence-multi-domain: $RAD_CHECK{'PacketFence-Request-Time'} = &control:PacketFence-Request-Time -> '0'
(0) packetfence-multi-domain: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'MS-CHAP'
(0) packetfence-multi-domain: $RAD_CONFIG{'Load-Balance-Key'} = &control:Load-Balance-Key -> '1934ba9a62efd74276c9f7dc99fef249'
(0) packetfence-multi-domain: $RAD_CONFIG{'Tmp-Integer-0'} = &control:Tmp-Integer-0 -> '1667235861'
(0) packetfence-multi-domain: $RAD_CONFIG{'PacketFence-RPC-Server'} = &control:PacketFence-RPC-Server -> 'containers-gateway.internal'
(0) packetfence-multi-domain: $RAD_CONFIG{'PacketFence-RPC-Port'} = &control:PacketFence-RPC-Port -> '7070'
(0) packetfence-multi-domain: $RAD_CONFIG{'PacketFence-RPC-User'} = &control:PacketFence-RPC-User -> 'system'
(0) packetfence-multi-domain: $RAD_CONFIG{'PacketFence-RPC-Pass'} = &control:PacketFence-RPC-Pass -> 'ZjVmM2YyODQ5NTU1NGE5NmU5ZWJkOTU3'
(0) packetfence-multi-domain: $RAD_CONFIG{'PacketFence-RPC-Proto'} = &control:PacketFence-RPC-Proto -> 'http'
(0) packetfence-multi-domain: $RAD_CONFIG{'PacketFence-Request-Time'} = &control:PacketFence-Request-Time -> '0'
(0) packetfence-multi-domain: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '0'
(0) packetfence-multi-domain: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Oct 31 2022 20:04:21 MSK'
(0) packetfence-multi-domain: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'ldap_user'
(0) packetfence-multi-domain: &request:PacketFence-Radius-Ip = $RAD_REQUEST{'PacketFence-Radius-Ip'} -> '127.0.0.1'
(0) packetfence-multi-domain: &request:PacketFence-NTLMv2-Only = $RAD_REQUEST{'PacketFence-NTLMv2-Only'} -> ''
(0) packetfence-multi-domain: &request:Stripped-User-Name = $RAD_REQUEST{'Stripped-User-Name'} -> 'ldap_user'
(0) packetfence-multi-domain: &request:Realm = $RAD_REQUEST{'Realm'} -> 'null'
(0) packetfence-multi-domain: &request:MS-CHAP-Challenge = $RAD_REQUEST{'MS-CHAP-Challenge'} -> '0x1e58cc9124b27dd8'
(0) packetfence-multi-domain: &request:MS-CHAP-Response = $RAD_REQUEST{'MS-CHAP-Response'} -> '0x000100000000000000000000000000000000000000000000000029f11b073e6e9fd40f3d537eae2d94804bc716880a57a4a6'
(0) packetfence-multi-domain: &request:FreeRADIUS-Client-IP-Address = $RAD_REQUEST{'FreeRADIUS-Client-IP-Address'} -> '127.0.0.1'
(0) packetfence-multi-domain: &request:PacketFence-KeyBalanced = $RAD_REQUEST{'PacketFence-KeyBalanced'} -> '1934ba9a62efd74276c9f7dc99fef249'
(0) packetfence-multi-domain: &request:Message-Authenticator = $RAD_REQUEST{'Message-Authenticator'} -> '0x02f379c5a3927fcfac20ead4a324eb33'
(0) packetfence-multi-domain: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '127.0.1.1'
(0) packetfence-multi-domain: &control:Tmp-Integer-0 = $RAD_CHECK{'Tmp-Integer-0'} -> '1667235861'
(0) packetfence-multi-domain: &control:PacketFence-Request-Time = $RAD_CHECK{'PacketFence-Request-Time'} -> '0'
(0) packetfence-multi-domain: &control:PacketFence-RPC-Pass = $RAD_CHECK{'PacketFence-RPC-Pass'} -> 'ZjVmM2YyODQ5NTU1NGE5NmU5ZWJkOTU3'
(0) packetfence-multi-domain: &control:Load-Balance-Key = $RAD_CHECK{'Load-Balance-Key'} -> '1934ba9a62efd74276c9f7dc99fef249'
(0) packetfence-multi-domain: &control:PacketFence-RPC-User = $RAD_CHECK{'PacketFence-RPC-User'} -> 'system'
(0) packetfence-multi-domain: &control:PacketFence-RPC-Proto = $RAD_CHECK{'PacketFence-RPC-Proto'} -> 'http'
(0) packetfence-multi-domain: &control:PacketFence-RPC-Port = $RAD_CHECK{'PacketFence-RPC-Port'} -> '7070'
(0) packetfence-multi-domain: &control:PacketFence-RPC-Server = $RAD_CHECK{'PacketFence-RPC-Server'} -> 'containers-gateway.internal'
(0) packetfence-multi-domain: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'MS-CHAP'
(0) [packetfence-multi-domain] = updated
(0) } # if ("%{%{Control:Auth-type}:-No-MS_CHAP}" == "MS-CHAP") = updated
(0) policy packetfence-eap-mac-policy {
(0) if ( &EAP-Type ) {
(0) if ( &EAP-Type ) -> FALSE
(0) [noop] = noop
(0) } # policy packetfence-eap-mac-policy = noop
(0) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(0) pap: WARNING: !!! Ignoring control:User-Password. Update your !!!
(0) pap: WARNING: !!! configuration so that the "known good" clear text !!!
(0) pap: WARNING: !!! password is in Cleartext-Password and NOT in !!!
(0) pap: WARNING: !!! User-Password. !!!
(0) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Not doing PAP as Auth-Type is already set.
(0) [pap] = noop
(0) } # authorize = updated
(0) Found Auth-Type = MS-CHAP
(0) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
(0) Auth-Type MS-CHAP {
(0) if (NAS-Port-Type =~ /^Wireless/ || NAS-Port-Type =~ /^Ethernet/) {
(0) ERROR: Failed retrieving values required to evaluate condition
(0) else {
(0) policy packetfence-mschap-authenticate {
(0) if (PacketFence-Domain) {
(0) if (PacketFence-Domain) -> FALSE
(0) else {
(0) if ( "%{User-Name}" =~ /^host\/.*/) {
(0) EXPAND %{User-Name}
(0) --> ldap_user
(0) if ( "%{User-Name}" =~ /^host\/.*/) -> FALSE
(0) else {
(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) mschap: Executing: /usr/local/pf/bin/ntlm_auth_wrapper -p 8125 --     --request-nt-key --username=%{%{control:AD-Samaccountname}:-%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(0) mschap: EXPAND --username=%{%{control:AD-Samaccountname}:-%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}}
(0) mschap: --> --username=ldap_user
(0) mschap: mschap1: 1e
(0) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(0) mschap: --> --challenge=1e58cc9124b27dd8
(0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(0) mschap: --> --nt-response=29f11b073e6e9fd40f3d537eae2d94804bc716880a57a4a6
(0) mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
(0) mschap: ERROR: Reading winbind reply failed! (0xc0000001)
(0) mschap: Authentication failed
(0) [mschap] = fail
(0) } # else = fail
(0) } # else = fail
(0) } # policy packetfence-mschap-authenticate = fail
(0) } # else = fail
(0) } # Auth-Type MS-CHAP = fail
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
(0) Post-Auth-Type REJECT {
(0) update {
(0) &request:User-Password := "******"
(0) } # update = noop
(0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
(0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) -> TRUE
(0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
(0) policy packetfence-audit-log-reject {
(0) if (&User-Name && (&User-Name == "dummy")) {
(0) if (&User-Name && (&User-Name == "dummy")) -> FALSE
(0) else {
(0) policy request-timing {
(0) if ("%{%{control:PacketFence-Request-Time}:-0}" != 0) {
(0) EXPAND %{%{control:PacketFence-Request-Time}:-0}
(0) --> 0
(0) if ("%{%{control:PacketFence-Request-Time}:-0}" != 0) -> FALSE
(0) } # policy request-timing = noop
(0) sql_reject: EXPAND type.reject.query
(0) sql_reject: --> type.reject.query
(0) sql_reject: Using query template 'query'
rlm_sql (sql): Reserved connection (0)
(0) sql_reject: EXPAND %{User-Name}
(0) sql_reject: --> ldap_user
(0) sql_reject: SQL-User-Name set to 'ldap_user'
(0) sql_reject: EXPAND INSERT INTO radius_audit_log ( mac, ip, computer_name, user_name, stripped_user_name, realm, event_type, switch_id, switch_mac, switch_ip_address, radius_source_ip_address, called_station_id, calling_station_id, nas_port_type, ssid, nas_port_id, ifindex, nas_port, connection_type, nas_ip_address, nas_identifier, auth_status, reason, auth_type, eap_type, role, node_status, profile, source, auto_reg, is_phone, pf_domain, uuid, radius_request, radius_reply, request_time, radius_ip) VALUES ( '%{request:Calling-Station-Id}', '%{request:Framed-IP-Address}', '%{%{control:PacketFence-Computer-Name}:-N/A}', '%{request:User-Name}', '%{request:Stripped-User-Name}', '%{request:Realm}', 'Radius-Access-Request', '%{%{control:PacketFence-Switch-Id}:-N/A}', '%{%{control:PacketFence-Switch-Mac}:-N/A}', '%{%{control:PacketFence-Switch-Ip-Address}:-N/A}', '%{Packet-Src-IP-Address}', '%{request:Called-Station-Id}', '%{request:Calling-Station-Id}', '%{request:NAS-Port-Type}', '%{request:Called-Station-SSID}', '%{request:NAS-Port-Id}', '%{%{control:PacketFence-IfIndex}:-N/A}', '%{request:NAS-Port}', '%{%{control:PacketFence-Connection-Type}:-N/A}', '%{request:NAS-IP-Address}', '%{request:NAS-Identifier}', 'Reject', '%{request:Module-Failure-Message}', '%{control:Auth-Type}', '%{request:EAP-Type}', '%{%{control:PacketFence-Role}:-N/A}', '%{%{control:PacketFence-Status}:-N/A}', '%{%{control:PacketFence-Profile}:-N/A}', '%{%{control:PacketFence-Source}:-N/A}', '%{%{control:PacketFence-AutoReg}:-0}', '%{%{control:PacketFence-IsPhone}:-0}', '%{request:PacketFence-Domain}', '', '%{pairs:&request:[*]}','%{pairs:&reply:[*]}', '%{%{control:PacketFence-Request-Time}:-0}', '%{request:PacketFence-Radius-Ip}')
(0) sql_reject: --> INSERT INTO radius_audit_log ( mac, ip, computer_name, user_name, stripped_user_name, realm, event_type, switch_id, switch_mac, switch_ip_address, radius_source_ip_address, called_station_id, calling_station_id, nas_port_type, ssid, nas_port_id, ifindex, nas_port, connection_type, nas_ip_address, nas_identifier, auth_status, reason, auth_type, eap_type, role, node_status, profile, source, auto_reg, is_phone, pf_domain, uuid, radius_request, radius_reply, request_time, radius_ip) VALUES ( '', '', 'N/A', 'ldap_user', 'ldap_user', 'null', 'Radius-Access-Request', 'N/A', 'N/A', 'N/A', '127.0.0.1', '', '', '', '', '', 'N/A', '0', 'N/A', '127.0.1.1', '', 'Reject', 'Failed retrieving values required to evaluate condition', 'MS-CHAP', '', 'N/A', 'N/A', 'N/A', 'N/A', '0', '0', '', '', 'NAS-Port =3D 0, Event-Timestamp =3D =22Oct 31 2022 20:04:21 MSK=22, User-Name =3D =22ldap_user=22, PacketFence-Radius-Ip =3D =22127.0.0.1=22, PacketFence-NTLMv2-Only =3D =22=22, Stripped-User-Name =3D =22ldap_user=22, Realm =3D =22null=22, MS-CHAP-Challenge =3D 0x1e58cc9124b27dd8, MS-CHAP-Response =3D 0x000100000000000000000000000000000000000000000000000029f11b073e6e9fd40f3d537eae2d94804bc716880a57a4a6, FreeRADIUS-Client-IP-Address =3D 127.0.0.1, PacketFence-KeyBalanced =3D =221934ba9a62efd74276c9f7dc99fef249=22, Message-Authenticator =3D 0x02f379c5a3927fcfac20ead4a324eb33, NAS-IP-Address =3D 127.0.1.1, Module-Failure-Message =3D =22Failed retrieving values required to evaluate condition=22, Module-Failure-Message =3D =22mschap: Program returned code (1) and output =27Reading winbind reply failed=21 (0xc0000001)=27=22, Module-Failure-Message =3D =22mschap: Reading winbind reply failed=21 (0xc0000001)=22, User-Password =3D =22=2A=2A=2A=2A=2A=2A=22, SQL-User-Name =3D =22ldap_user=22','MS-CHAP-Error =3D =22=5C000E=3D691 R=3D0 C=3D9196cb1ee8dd6f48 V=3D2=22', '0', '127.0.0.1')
(0) sql_reject: Executing query: INSERT INTO radius_audit_log ( mac, ip, computer_name, user_name, stripped_user_name, realm, event_type, switch_id, switch_mac, switch_ip_address, radius_source_ip_address, called_station_id, calling_station_id, nas_port_type, ssid, nas_port_id, ifindex, nas_port, connection_type, nas_ip_address, nas_identifier, auth_status, reason, auth_type, eap_type, role, node_status, profile, source, auto_reg, is_phone, pf_domain, uuid, radius_request, radius_reply, request_time, radius_ip) VALUES ( '', '', 'N/A', 'ldap_user', 'ldap_user', 'null', 'Radius-Access-Request', 'N/A', 'N/A', 'N/A', '127.0.0.1', '', '', '', '', '', 'N/A', '0', 'N/A', '127.0.1.1', '', 'Reject', 'Failed retrieving values required to evaluate condition', 'MS-CHAP', '', 'N/A', 'N/A', 'N/A', 'N/A', '0', '0', '', '', 'NAS-Port =3D 0, Event-Timestamp =3D =22Oct 31 2022 20:04:21 MSK=22, User-Name =3D =22ldap_user=22, PacketFence-Radius-Ip =3D =22127.0.0.1=22, PacketFence-NTLMv2-Only =3D =22=22, Stripped-User-Name =3D =22ldap_user=22, Realm =3D =22null=22, MS-CHAP-Challenge =3D 0x1e58cc9124b27dd8, MS-CHAP-Response =3D 0x000100000000000000000000000000000000000000000000000029f11b073e6e9fd40f3d537eae2d94804bc716880a57a4a6, FreeRADIUS-Client-IP-Address =3D 127.0.0.1, PacketFence-KeyBalanced =3D =221934ba9a62efd74276c9f7dc99fef249=22, Message-Authenticator =3D 0x02f379c5a3927fcfac20ead4a324eb33, NAS-IP-Address =3D 127.0.1.1, Module-Failure-Message =3D =22Failed retrieving values required to evaluate condition=22, Module-Failure-Message =3D =22mschap: Program returned code (1) and output =27Reading winbind reply failed=21 (0xc0000001)=27=22, Module-Failure-Message =3D =22mschap: Reading winbind reply failed=21 (0xc0000001)=22, User-Password =3D =22=2A=2A=2A=2A=2A=2A=22, SQL-User-Name =3D =22ldap_user=22','MS-CHAP-Error =3D =22=5C000E=3D691 R=3D0 C=3D9196cb1ee8dd6f48 V=3D2=22', '0', '127.0.0.1')
(0) sql_reject: SQL query returned: success
(0) sql_reject: 1 record(s) updated
rlm_sql (sql): Released connection (0)
Need 1 more connections to reach min connections (3)
Need more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (2), 1 of 62 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on Localhost via UNIX socket, server version 10.5.15-MariaDB-1:10.5.15+maria~bullseye, protocol version 10
(0) [sql_reject] = ok
(0) } # else = ok
(0) } # policy packetfence-audit-log-reject = ok
(0) } # if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) = ok
(0) if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True") {
(0) EXPAND %{%{control:PacketFence-Proxied-From}:-False}
(0) --> False
(0) if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True") -> FALSE
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> ldap_user
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(0) attr_filter.packetfence_post_auth: --> ldap_user
(0) attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(0) [attr_filter.packetfence_post_auth] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(0) linelog: --> messages.Access-Reject
(0) linelog: EXPAND [mac:%{Calling-Station-Id}] Rejected user: %{User-Name}
(0) linelog: --> [mac:] Rejected user: ldap_user
(0) linelog: EXPAND stdout
(0) linelog: --> stdout
(0) [linelog] = ok
(0) } # Post-Auth-Type REJECT = updated
(0) Login incorrect (Failed retrieving values required to evaluate condition): [ldap_user] (from client localhost port 0)
(0) Delaying response for 1.000000 seconds
Thread 1 waiting to be assigned a request
Waking up in 0.8 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 118 from 127.0.0.1:1812 to 127.0.0.1:47847 length 61
(0) MS-CHAP-Error = "\000E=691 R=0 C=9196cb1ee8dd6f48 V=2"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 118 with timestamp +4 due to cleanup_delay was reached
Ready to process requests
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
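An added triage helper (not from the original post and not PacketFence code) that folds a FreeRADIUS debug trace like the attached one into a per-request summary and points at the lines that explain the reject: the module result chain, the ERROR lines, the external helper the mschap module ran, and the E= code in MS-CHAP-Error. SAMPLE_LOG is a constructed, trimmed excerpt in the shape of the trace above; the hints in diagnose() are heuristics keyed on those line patterns, not a verdict on the poster's setup.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed excerpt in the shape of the FreeRADIUS debug output quoted above
# (trimmed to the lines that matter for triage; not the full trace).
SAMPLE_LOG = """\
(0) Received Access-Request Id 118 from 127.0.0.1:47847 to 127.0.0.1:1812 length 134
(0)   User-Name = "ldap_user"
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type = mschap'
(0)     [mschap] = ok
(0)   Found Auth-Type = MS-CHAP
(0)     if (NAS-Port-Type =~ /^Wireless/ || NAS-Port-Type =~ /^Ethernet/) {
(0)     ERROR: Failed retrieving values required to evaluate condition
(0)       mschap: Client is using MS-CHAPv1 with NT-Password
(0)       mschap: Executing: /usr/local/pf/bin/ntlm_auth_wrapper -p 8125 -- --request-nt-key --username=ldap_user
(0)       mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
(0)       mschap: Authentication failed
(0)         [mschap] = fail
(0) Sent Access-Reject Id 118 from 127.0.0.1:1812 to 127.0.0.1:47847 length 61
(0)   MS-CHAP-Error = "\\000E=691 R=0 C=9196cb1ee8dd6f48 V=2"
"""

LINE_RE = re.compile(r"^\((\d+)\)\s*(.*)$")          # "(N) rest" request-scoped lines
MODULE_RC_RE = re.compile(r"^\[([\w.]+)\]\s*=\s*(\w+)$")  # "[module] = rcode"
MSCHAP_ERR_RE = re.compile(r'MS-CHAP-Error\s*=\s*".*?E=(\d+)')
REPLY_RE = re.compile(r"^Sent (Access-\w+) Id (\d+)")


@dataclass
class RequestSummary:
    user: str | None = None
    auth_type: str | None = None
    reply: str | None = None
    mschap_error: int | None = None
    external_helper: str | None = None      # program rlm_mschap executed, if any
    module_results: list = field(default_factory=list)  # (module, rcode) in order
    errors: list = field(default_factory=list)

    @property
    def failing_modules(self) -> list[str]:
        return [m for m, rc in self.module_results if rc in ("fail", "reject", "invalid")]


def triage(log_text: str) -> dict[int, RequestSummary]:
    """Fold one debug trace into a per-request summary keyed by the (N) request id."""
    reqs: dict[int, RequestSummary] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # thread/pool chatter carries no request id
        rid, body = int(m.group(1)), m.group(2).strip()
        s = reqs.setdefault(rid, RequestSummary())
        if body.startswith('User-Name = "'):
            s.user = body.split('"')[1]
        elif body.startswith("Found Auth-Type = "):
            s.auth_type = body.split("= ", 1)[1]
        elif body.startswith("mschap: Executing: "):
            s.external_helper = body.split("Executing: ", 1)[1].split()[0]
        elif "ERROR:" in body:
            s.errors.append(body.split("ERROR:", 1)[1].strip())
        elif (rc := MODULE_RC_RE.match(body)):
            s.module_results.append((rc.group(1), rc.group(2)))
        elif (rp := REPLY_RE.match(body)):
            s.reply = rp.group(1)
        elif (me := MSCHAP_ERR_RE.search(body)):
            s.mschap_error = int(me.group(1))
    return reqs


def diagnose(s: RequestSummary) -> list[str]:
    """Heuristic hints for a rejected MS-CHAP request; each one maps to a line pattern above."""
    hints = []
    if s.auth_type == "MS-CHAP" and s.external_helper:
        hints.append(f"mschap handed the check to {s.external_helper}; control:NT-Password was not compared locally")
    if any("winbind" in e for e in s.errors):
        hints.append("the helper could not get a winbind reply, so that path cannot succeed without a working domain join")
    if any("Failed retrieving values" in e for e in s.errors):
        hints.append("an unlang condition referenced an attribute this request does not carry (here NAS-Port-Type)")
    if s.mschap_error == 691:
        hints.append("E=691 is the generic 'authentication failed' code; the real cause is in the module ERROR lines")
    return hints
```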