Re[8]: semulteneius-use with cisco nas

2011-12-14 Thread Толик Шавловский
Dear Fajar,

here is the debug:
=
rad_recv: Access-Request packet from host 10.169.33.11 port 1645, id=242, 
length=168
User-Name = user
Framed-MTU = 1400
Called-Station-Id = 0013.1a08.9340
Calling-Station-Id = 001b.7770.9159
Service-Type = Login-User
Message-Authenticator = 0x1b9f8a18ab599eb355a6b95009ad3876
EAP-Message = 
0x020c00261900170301001bb38d66eaaca02000d41d031c3b819c732c2073d8ae808cdf61d43a
NAS-Port-Type = Wireless-802.11
NAS-Port = 13495
State = 0xc9003ff4c00c263b902065cf0bcf43fd
NAS-IP-Address = 10.169.33.11
NAS-Identifier = ap
(49) # Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
(49)   group authorize {
(49)  - entering group authorize {...}
(49)   [preprocess] = ok
(49)   [chap] = noop
(49)   [mschap] = noop
(49)   [digest] = noop
(49) suffix : No '@' in User-Name = user, looking up realm NULL
(49) suffix : No such realm NULL
(49)   [suffix] = noop
(49) eap : EAP packet type response id 12 length 38
(49) eap : Continuing tunnel setup.
(49)   [eap] = ok
(49) Found Auth-Type = ?
(49) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(49)   group authenticate {
(49)  - entering group authenticate {...}
(49) eap : Request found, released from the list
(49) eap : EAP/peap
(49) eap : processing type peap
(49) peap : processing EAP-TLS
(49) peap : eaptls_verify returned 7 
(49) peap : Done initial handshake
(49) peap : eaptls_process returned 7 
(49) peap : FR_TLS_OK
(49) peap : Session established.  Decoding tunneled attributes.
(49) peap : Peap state send tlv success
(49) peap : Received EAP-TLV response.
(49) peap : Success
(49) peap : Using saved attributes from the original Access-Accept
User-Name = user
(49) eap : Freeing handler
(49)   [eap] = ok
(49) Login OK: [user/via Auth-Type = ?] (from client 10.169.33.11/24 port 
13495 cli 001b.7770.9159)
(49) # Executing section post-auth from file 
/usr/local/etc/raddb/sites-enabled/default
(49)   group post-auth {
(49)  - entering group post-auth {...}
(49) sql :  expand: %{User-Name} - user
(49) sql : sql_set_user escaped user -- 'user'
(49) sql :  expand: %{User-Password} - 
(49) sql :  ... expanding second conditional
(49) sql :  expand: %{Chap-Password} - 
(49) sql :  expand: INSERT INTO radpostauth (username, 
pass, reply, authdate)  VALUES ( '%{SQL-User-Name}', 
'%{%{User-Password}:-%{Chap-Password}}','%{reply:Packet-Type}', '%S') 
-INSERT INTO radpostauth (username, pass, reply, authdate)   
VALUES ('user', '', 'Access-Accept', '2011-12-14 10:59:49')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth 
(username, pass, reply, authdate)   VALUES ('user', '', 
'Access-Accept', '2011-12-14 10:59:49')
rlm_sql (sql): Reserved connection (12)
rlm_sql (sql): Released connection (12)
(49)   [sql] = ok
(49) sql_log : Processing sql_log_postauth
(49) sql_log :  expand: %{User-Name} - user
(49) sql_log :  expand: %{%{User-Name}:-DEFAULT} - user
(49) sql_log : sql_set_user escaped user -- 'user'
(49) sql_log : WARNING: Deprecated conditional expansion :-.  See man 
unlang for details
(49) sql_log :  ... expanding second conditional
(49) sql_log :  expand: Chap-Password - Chap-Password
(49) sql_log :  expand: INSERT INTO radpostauth  
(username, pass, reply, authdate) VALUES
('%{User-Name}', '%{User-Password:-Chap-Password}', 
'%{reply:Packet-Type}', '%S'); - INSERT INTO radpostauth   
(username, pass, reply, authdate) VALUES('user', 
'Chap-Password',   'Access-Accept', '2011-12-14 10:59:49');
(49) sql_log :  expand: /usr/local/var/log/radius/radacct/sql-relay - 
/usr/local/var/log/radius/radacct/sql-relay
(49)   [sql_log] = ok
(49)   [exec] = noop
(49)policy remove_reply_message_if_eap {
(49)   - entering policy remove_reply_message_if_eap {...}
(49)? if (reply:EAP-Message && reply:Reply-Message)
(49) ? Evaluating (reply:EAP-Message ) - TRUE
(49) ? Evaluating (reply:Reply-Message) - FALSE
(49)? if (reply:EAP-Message && reply:Reply-Message) - FALSE
(49) else else {
(49)- entering else else {...}
(49) [noop] = noop
(49)- else else returns noop
(49)   - policy remove_reply_message_if_eap returns noop
Sending Access-Accept of id 242 to 10.169.33.11 port 1645
User-Name = user
MS-MPPE-Recv-Key = 
0xffb3f4f01af8ea5b71cfe309205a5436aad8c57caf0cf40d6b37fbd193df34f6
MS-MPPE-Send-Key = 
0x500ebf88f7a74a9095d357c31ac48010e62b655ebd53573d2d418a1e1332c732
EAP-Message = 0x030c0004
Message-Authenticator = 0x
(49) Finished request 49.
Waking up in 0.1 seconds.
rad_recv: Accounting-Request packet from host 10.169.33.11 port 1646, id=204, 

Re: Re[8]: semulteneius-use with cisco nas

2011-12-14 Thread Fajar A. Nugraha
2011/12/14 Толик Шавловский tolik_shavlov...@mail.ru:
> Dear Fajar,
>
> here is the debug:

Why on earth did you cut down the log?

As Alan said, you need the output of 'radius -X' - to show what
happens when 1 client connects and then tries to connect
simultaneously.

Your log only shows ONE user connecting. And even from that limited
log, something is wrong as you don't have any lines that say

+- entering group session {...}

Did you REALLY do what I said earlier? Did you REALLY have sql in
session section?
Some of which can be seen from the complete debug log. But you've cut
the beginning.

-- 
Fajar
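
The check described in the reply above, as an added example that is not part of the original thread: it scans debug output for requests that logged "Login OK" without ever entering the session group. The sample log is constructed in the format shown in this thread; request 50, its session lines and the function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the debug format in this thread; request 50
# and its "session" lines are invented for illustration.
SAMPLE_LOG = """\
(49)  - entering group authorize {...}
(49)   [eap] = ok
(49)  - entering group authenticate {...}
(49) Login OK: [user/via Auth-Type = ?] (from client 10.169.33.11/24 port 13495 cli 001b.7770.9159)
(49)  - entering group post-auth {...}
(49)   [sql] = ok
(50)  - entering group authorize {...}
(50)  - entering group authenticate {...}
(50)  - entering group session {...}
(50)   [sql] = ok
(50) Login OK: [user/via Auth-Type = ?] (from client 10.169.33.11/24 port 13496 cli 001b.7770.9159)
(50)  - entering group post-auth {...}
"""

# "(N)  - entering group <name> {...}" marks a section starting for request N.
GROUP_RE = re.compile(r"^\((\d+)\)\s.*?entering group ([\w-]+)")
LOGIN_RE = re.compile(r"^\((\d+)\)\s+Login OK")


def groups_by_request(log_text):
    """Map request number -> ordered list of section groups it entered."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            groups[int(m.group(1))].append(m.group(2))
    return dict(groups)


def accepted_without_session(log_text):
    """Request numbers that logged 'Login OK' but never entered 'session'."""
    groups = groups_by_request(log_text)
    accepted = {int(m.group(1)) for line in log_text.splitlines()
                if (m := LOGIN_RE.match(line))}
    return sorted(r for r in accepted if "session" not in groups.get(r, []))


if __name__ == "__main__":
    for req in accepted_without_session(SAMPLE_LOG):
        print(f"request {req}: accepted, session section never ran")
```

Lines wrapped by a mail client have to be rejoined before the log is passed in, since each pattern expects the request number at the start of the line.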
