Freeradius External Script Auth.


Freeradius External Script Auth.

Vertigo Vertigo
Hi Freeradius people,
I want to authorize users that connect to an AP with my external script,
because I have multiple data sources (multiple Active Directory servers, another
API, etc.) and I want to perform authorization using these data sources as I
see fit. That's why I'm using an external script for authorization. I updated
the authorize section of /etc/raddb/sites-enabled/default:

authorize {
        update {
                control: += `/usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -c`
                reply: += `/usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -v`
        }
}


When I run "radtest" with the PAP method, everything is OK: I have the "User-Name"
and "User-Password" attributes, I'm able to authorize users, etc. However,
when I test with an AP using the 802.1X EAP method, there is no
cleartext password (User-Password) and I cannot perform authorization. My
question is: how can I perform authorization without the "User-Password" attribute?
As I said, I have cleartext passwords in my data sources, so I can hash
them and compare them with the hash that a client sent. How can I perform this
operation with the EAP, CHAP, MSCHAP etc. methods?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius External Script Auth.

Alan DeKok-2
On Feb 6, 2020, at 12:35 PM, Vertigo Vertigo <[hidden email]> wrote:
>
> I want to authorize users that connect to AP with my external script.
> Because I have multiple data source ( multiple Active Directory, another
> API etc.) and I want to make authorization by using these data sources as I
> want.

  FreeRADIUS can do some pretty complex things with unlang.  I'd really recommend using that.

> That's why I'm using an external script to authorization. I updated
> /etc/raddb/sites-enabled/default's authorize section;

  That's good.  But...

> When I run "radtest" with PAP method, everything is OK, I have "User-Name"
> and "User-Password" attributes,  I'm able to authorize users etc. However,
> when I make tests with an AP with 802.1x EAP method, , there is no
> cleartext password (User-Password) and I cannot make authorization.

  Exactly.

> My
> question is how can I make authorization without "User-Password" attribute.

  It's impossible.

> As I said, I have cleartext passwords in my data sources, so I can hash
> them and compare with other hash that a client sent. How can I perform this
> operation with EAP, CHAP, MSCHAP etc. methods?

  You will need to re-implement all of EAP, CHAP, and MS-CHAP in your data source.

  Or, treat the data source as a *database*.  And have it supply the clear text password to FreeRADIUS.  It will then do all of the necessary calculations.

  In short: FreeRADIUS is an authentication server, not a database.  And a database isn't an authentication server.  They do very different things.

  Alan DeKok.


RE: Freeradius External Script Auth.

rlang
In reply to this post by Vertigo Vertigo
We used to do this, but moved away from it.  Our external program was a Python script, and the startup time for each authentication was too long.

If you must do 802.1X EAP using this method, then note that EAP is handled by the default site, while MSCHAP is handled by the inner-tunnel site.  In the inner-tunnel, you can exec a program, give it the MSCHAP challenge and response, validate that against the NT-Password that you have stored, and return the NT session key back to FreeRADIUS.  This involves implementing MSCHAP code that already exists in FreeRADIUS.

The simpler alternative that we are now using is to call a REST API from FreeRADIUS during authorisation (really pre-auth) and return the NT-Password, letting FreeRADIUS do all the EAP / PAP / MSCHAPv2 stuff during authentication.
See my previous emails to this list on rlm_rest, but note that some of the information I wrote I have now discovered wasn't correct.

Regards,
Russell Lang
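An added, runnable illustration of the two points made in the replies above (this is example code written for this page, not code from the thread or from FreeRADIUS). It shows why CHAP/EAP-MD5 and MS-CHAPv2 can only be verified by a party holding the clear-text password or its NT hash, which is Alan's point, and what an exec script should print so that FreeRADIUS is handed Cleartext-Password or NT-Password and does the protocol work itself, which is Russell's approach. The user store, user names, passwords, challenge bytes and the script path are constructed for the example; the output format follows the `Attribute := value` lines visible in the debug output posted later in the thread.

```python
"""
Added example for this thread (not code from the posts or from FreeRADIUS).

- CHAP and EAP-MD5 (RFC 1994, RFC 3748) send MD5(id || password || challenge).
- MS-CHAPv2 (RFC 2759) derives its response from MD4(UTF-16LE(password)),
  the NT hash. A salted SHA-256 or bcrypt of the password serves neither.
- MD4 is written out because hashlib on OpenSSL 3 builds often lacks it.

USER_STORE, the user names, passwords and challenge bytes are constructed.
"""
import hashlib
import hmac
import struct
import sys
from typing import Optional


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (only needed for NT-Password)."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Rotating (a, b, c, d) after each step reproduces the RFC's
        # a/d/c/b update order within every round.
        for k, s in zip(range(16), [3, 7, 11, 19] * 4):
            a = rotl((a + f(b, c, d) + x[k]) & mask, s)
            a, b, c, d = d, a, b, c
        for k, s in zip([0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
                        [3, 5, 9, 13] * 4):
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, s)
            a, b, c, d = d, a, b, c
        for k, s in zip([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
                        [3, 9, 11, 15] * 4):
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, s)
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_password(password: str) -> bytes:
    """NT hash: what MS-CHAPv2 works from and what NT-Password holds."""
    return md4(password.encode("utf-16-le"))


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP / EAP-MD5 response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(chap_password_attr: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """Check a RADIUS CHAP-Password value (1 byte ident + 16 byte response).
    Only possible because `cleartext` is the real password, not a hash of it."""
    if len(chap_password_attr) != 17:
        return False
    ident, response = chap_password_attr[0], chap_password_attr[1:]
    return hmac.compare_digest(chap_response(ident, cleartext, challenge), response)


# Constructed stand-in for the poster's data sources: one user with a clear-text
# password, one for whom only the NT hash is available.
USER_STORE = {
    "test": {"cleartext": "test2020"},
    "hashonly": {"nt_hash": nt_password("Winter2020!")},
}


def freeradius_attrs(username: str, store=USER_STORE) -> Optional[str]:
    """The line an exec script prints for FreeRADIUS to add to the control
    list, in the `Attribute := value` form seen in the debug output.
    Returns None for unknown users; the script then exits non-zero."""
    rec = store.get(username)
    if rec is None:
        return None
    if "cleartext" in rec:
        pw = rec["cleartext"].replace("\\", "\\\\").replace('"', '\\"')
        return f'Cleartext-Password := "{pw}"'
    return f"NT-Password := 0x{rec['nt_hash'].hex()}"


if __name__ == "__main__":
    # Usage from unlang (assumed path):  `/usr/local/bin/lookup.py '%{User-Name}'`
    line = freeradius_attrs(sys.argv[1] if len(sys.argv) > 1 else "")
    if line is None:
        sys.exit(1)
    print(line)
```

The script is invoked from unlang the same way as the poster's, but it belongs in the authorize section of the virtual server that performs the inner authentication (inner-tunnel for EAP-TTLS or PEAP), because that is where the MS-CHAPv2 check runs; placed only in the default site it is executed on every outer EAP packet and sets control:Cleartext-Password in the outer request alone. The script never sees a challenge or response: it behaves as the database Alan describes, and FreeRADIUS computes the CHAP, MS-CHAPv2 or PAP check from the returned attribute.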



Re: Freeradius External Script Auth.

Vertigo Vertigo
Thanks for the help. I'm providing "Cleartext-Password" to FreeRADIUS as
output from my script. When I test on the AP with EAP and MSCHAP, I'm
still getting a "Cleartext-Password required" error. My
/etc/raddb/sites-enabled/default config looks like this:
server default {
        listen{
                type = auth
                ipaddr = *
                port = 1812
        }
        listen{
                ipaddr = *
                type = acct
                port = 1813
        }
        authorize{
                update {
                        control: += `/usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -c`
                        reply: += `/usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -v`
                }
                filter_username
                preprocess
                mschap
                digest
                suffix
                eap {
                        ok = return
                 }
                expiration
                logintime
                pap
        }
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        mschap
        digest
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
}
accounting {
        detail
        unix
        exec
        attr_filter.accounting_response
}
session {
}
post-auth {
        update {
                &reply: += &session-state:
        }
        exec
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
                attr_filter.access_reject
                eap
                remove_reply_message_if_eap
        }
}
pre-proxy {
}
post-proxy {
        eap
}
}

And radiusd debug output:

(0) Received Access-Request Id 60 from 172.16.1.126:59647 to 10.10.12.37:1812 length 188
(0)   User-Name = "test"
(0)   Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(0)   NAS-IP-Address = 172.16.1.126
(0)   NAS-Port = 76
(0)   Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(0)   Service-Type = Framed-User
(0)   Framed-MTU = 1400
(0)   NAS-Port-Type = Wireless-802.11
(0)   NAS-Identifier = "60-D0-2C-57-EE-68"
(0)   Connect-Info = "CONNECT 802.11g/n"
(0)   EAP-Message = 0x0200000a0168616b616e
(0)   Ruckus-SSID = "RuckusAP"
(0)   Message-Authenticator = 0x580f830ed653d603981a32708ce72e05
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     update {
(0)       Executing: /usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -c:
(0)       EXPAND %{User-Name}
(0)          --> test
(0)       EXPAND %{User-Password}
(0)          -->
(0)       Program returned code (0) and output 'Cleartext-Password := "test2020"'
(0)       control::Cleartext-Password := test2020
(0)       Executing: /usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -v:
(0)       EXPAND %{User-Name}
(0)          --> test
(0)       EXPAND %{User-Password}
(0)          -->
(0)       Program returned code (0) and output 'Cleartext-Password := "test2020"'
(0)       reply::Cleartext-Password := test2020
(0)     } # update = noop
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = noop
(0)     } # policy filter_username = noop
(0)     [preprocess] = ok
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 10
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 1 length 22
(0) eap: EAP session adding &reply:State = 0x8222e2dd8223e612
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 60 from 10.10.12.37:1812 to 172.16.1.126:59647 length 0
(0)   EAP-Message = 0x010100160410466e0b654b138f4698b23b9abb790c5b
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x8222e2dd8223e61204a77c7c67b196c6
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 61 from 172.16.1.126:59647 to 10.10.12.37:1812 length 202
(1)   User-Name = "test"
(1)   Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(1)   NAS-IP-Address = 172.16.1.126
(1)   NAS-Port = 76
(1)   Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(1)   Service-Type = Framed-User
(1)   Framed-MTU = 1400
(1)   NAS-Port-Type = Wireless-802.11
(1)   NAS-Identifier = "60-D0-2C-57-EE-68"
(1)   Connect-Info = "CONNECT 802.11g/n"
(1)   EAP-Message = 0x020100060315
(1)   State = 0x8222e2dd8223e61204a77c7c67b196c6
(1)   Ruckus-SSID = "RuckusAP"
(1)   Message-Authenticator = 0xaff5889a5755662c16961cde613cee41
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1)     update {
(1)       Executing: /usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -c:
(1)       EXPAND %{User-Name}
(1)          --> test
(1)       EXPAND %{User-Password}
(1)          -->
(1)       Program returned code (0) and output 'Cleartext-Password := "test2020"'
(1)       control::Cleartext-Password := test2020
(1)       Executing: /usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -v:
(1)       EXPAND %{User-Name}
(1)          --> test
(1)       EXPAND %{User-Password}
(1)          -->
(1)       Program returned code (0) and output 'Cleartext-Password := "test2020"'
(1)       reply::Cleartext-Password := test2020
(1)     } # update = noop
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = noop
(1)     } # policy filter_username = noop
(1)     [preprocess] = ok
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "test", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: Auth-Type already set.  Not setting to PAP
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x8222e2dd8223e612
(1) eap: Finished EAP session with state 0x8222e2dd8223e612
(1) eap: Previous EAP request found for state 0x8222e2dd8223e612, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Initiating new TLS session
(1) eap_ttls: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 2 length 6
(1) eap: EAP session adding &reply:State = 0x8222e2dd8320f712
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 61 from 10.10.12.37:1812 to 172.16.1.126:59647 length 0
(1)   EAP-Message = 0x010200061520
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x8222e2dd8320f71204a77c7c67b196c6
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 62 from 172.16.1.126:59647 to 10.10.12.37:1812 length 353
(2)   User-Name = "test"
(2)   Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(2)   NAS-IP-Address = 172.16.1.126
(2)   NAS-Port = 76
(2)   Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(2)   Service-Type = Framed-User
(2)   Framed-MTU = 1400
(2)   NAS-Port-Type = Wireless-802.11
(2)   NAS-Identifier = "60-D0-2C-57-EE-68"
(2)   Connect-Info = "CONNECT 802.11g/n"
(2)   EAP-Message =
0x0202009d150016030100920100008e03037eb720e6021d5dce53985cfd8c885920c7e89bb10fcecd778545e831928d3493000036c02bc02f009ec02cc030009fcca9cca8c009c023c013c02700330067c00ac024c014c0280039006b009c009d002f003c0035003d000a0100002fff0100010000170000000d0010000e0403040105030501060306010201000b00020100000a00080006001d00170018
(2)   State = 0x8222e2dd8320f71204a77c7c67b196c6
(2)   Ruckus-SSID = "RuckusAP"
(2)   Message-Authenticator = 0x2e4f2d53d2b0202bbaa74a4c4c37e0dc
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2)   authorize {
(2)     update {
(2)       Executing: /usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -c:
(2)       EXPAND %{User-Name}
(2)          --> test
(2)       EXPAND %{User-Password}
(2)          -->
(2)       Program returned code (0) and output 'Cleartext-Password := "test2020"'
(2)       control::Cleartext-Password := test2020
(2)       Executing: /usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -v:
(2)       EXPAND %{User-Name}
(2)          --> test
(2)       EXPAND %{User-Password}
(2)          -->
(2)       Program returned code (0) and output 'Cleartext-Password := "test2020"'
(2)       reply::Cleartext-Password := test2020
(2)     } # update = noop
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = noop
(2)     } # policy filter_username = noop
(2)     [preprocess] = ok
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "test", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 157
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0x8222e2dd8320f712
(2) eap: Finished EAP session with state 0x8222e2dd8320f712
(2) eap: Previous EAP request found for state 0x8222e2dd8320f712, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: [eaptls verify] = ok
(2) eap_ttls: Done initial handshake
(2) eap_ttls: (other): before/accept initialization
(2) eap_ttls: TLS_accept: before/accept initialization
(2) eap_ttls: <<< recv TLS 1.2  [length 0092]
(2) eap_ttls: TLS_accept: SSLv3 read client hello A
(2) eap_ttls: >>> send TLS 1.2  [length 0037]
(2) eap_ttls: TLS_accept: SSLv3 write server hello A
(2) eap_ttls: >>> send TLS 1.2  [length 08d3]
(2) eap_ttls: TLS_accept: SSLv3 write certificate A
(2) eap_ttls: >>> send TLS 1.2  [length 014d]
(2) eap_ttls: TLS_accept: SSLv3 write key exchange A
(2) eap_ttls: >>> send TLS 1.2  [length 0004]
(2) eap_ttls: TLS_accept: SSLv3 write server done A
(2) eap_ttls: TLS_accept: SSLv3 flush data
(2) eap_ttls: TLS_accept: SSLv3 read client certificate A
(2) eap_ttls: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(2) eap_ttls: TLS - In Handshake Phase
(2) eap_ttls: TLS - got 2671 bytes of data
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1004
(2) eap: EAP session adding &reply:State = 0x8222e2dd8021f712
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found.  Ignoring.
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 62 from 10.10.12.37:1812 to 172.16.1.126:59647 length 0
(2)   EAP-Message = ...
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0x8222e2dd8021f71204a77c7c67b196c6
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 63 from 172.16.1.126:59647 to 10.10.12.37:1812 length 202
(3)   User-Name = "test"
(3)   Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(3)   NAS-IP-Address = 172.16.1.126
(3)   NAS-Port = 76
(3)   Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(3)   Service-Type = Framed-User
(3)   Framed-MTU = 1400
(3)   NAS-Port-Type = Wireless-802.11
(3)   NAS-Identifier = "60-D0-2C-57-EE-68"
(3)   Connect-Info = "CONNECT 802.11g/n"
(3)   EAP-Message = 0x020300061500
(3)   State = 0x8222e2dd8021f71204a77c7c67b196c6
(3)   Ruckus-SSID = "RuckusAP"
(3)   Message-Authenticator = 0xb5e54eb6b4ea1b6ffe6c3f223fe1c187
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3)   authorize {
(3)     update {
(3)       Executing: /usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -c:
(3)       EXPAND %{User-Name}
(3)          --> test
(3)       EXPAND %{User-Password}
(3)          -->
(3)       Program returned code (0) and output 'Cleartext-Password := "test2020"'
(3)       control::Cleartext-Password := test2020
(3)       Executing: /usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -v:
(3)       EXPAND %{User-Name}
(3)          --> test
(3)       EXPAND %{User-Password}
(3)          -->
(3)       Program returned code (0) and output 'Cleartext-Password := "test2020"'
(3)       reply::Cleartext-Password := test2020
(3)     } # update = noop
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = noop
(3)     } # policy filter_username = noop
(3)     [preprocess] = ok
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "test", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0x8222e2dd8021f712
(3) eap: Finished EAP session with state 0x8222e2dd8021f712
(3) eap: Previous EAP request found for state 0x8222e2dd8021f712, released from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: Peer ACKed our handshake fragment
(3) eap_ttls: [eaptls verify] = request
(3) eap_ttls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 1004
(3) eap: EAP session adding &reply:State = 0x8222e2dd8126f712
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found.  Ignoring.
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 63 from 10.10.12.37:1812 to 172.16.1.126:59647 length 0
(3)   EAP-Message =
0x010403ec15c000000a6f6a40103702f5af67cd0616db156bc7253d15c6896e4da49d81f43189a4b34dca5b42f3da6f87a631a4e83c3aa8c52cc48590f0b4a4ffa052520a652e69fc89cb80ce4cd906a6e60004e8308204e4308203cca003020102020900bc8e6ed6a96d96ab300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3230303131323137313130385a170d3230303331323137313130385a308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0x8222e2dd8126f71204a77c7c67b196c6
(3) Finished request
Waking up in 4.7 seconds.
(4) Received Access-Request Id 64 from 172.16.1.126:59647 to 10.10.12.37:1812 length 202
(4)   User-Name = "test"
(4)   Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(4)   NAS-IP-Address = 172.16.1.126
(4)   NAS-Port = 76
(4)   Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(4)   Service-Type = Framed-User
(4)   Framed-MTU = 1400
(4)   NAS-Port-Type = Wireless-802.11
(4)   NAS-Identifier = "60-D0-2C-57-EE-68"
(4)   Connect-Info = "CONNECT 802.11g/n"
(4)   EAP-Message = 0x020400061500
(4)   State = 0x8222e2dd8126f71204a77c7c67b196c6
(4)   Ruckus-SSID = "RuckusAP"
(4)   Message-Authenticator = 0x093e1f727ca94afec6717f09bc43aee4
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4)   authorize {
(4)     update {
(4)       Executing: /usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -c:
(4)       EXPAND %{User-Name}
(4)          --> test
(4)       EXPAND %{User-Password}
(4)          -->
(4)       Program returned code (0) and output 'Cleartext-Password := "test2020"'
(4)       control::Cleartext-Password := test2020
(4)       Executing: /usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -v:
(4)       EXPAND %{User-Name}
(4)          --> test
(4)       EXPAND %{User-Password}
(4)          -->
(4)       Program returned code (0) and output 'Cleartext-Password := "test2020"'
(4)       reply::Cleartext-Password := test2020
(4)     } # update = noop
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = noop
(4)     } # policy filter_username = noop
(4)     [preprocess] = ok
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "test", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 6
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0x8222e2dd8126f712
(4) eap: Finished EAP session with state 0x8222e2dd8126f712
(4) eap: Previous EAP request found for state 0x8222e2dd8126f712, released from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: Continuing EAP-TLS
(4) eap_ttls: Peer ACKed our handshake fragment
(4) eap_ttls: [eaptls verify] = request
(4) eap_ttls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 693
(4) eap: EAP session adding &reply:State = 0x8222e2dd8627f712
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found.  Ignoring.
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 64 from 10.10.12.37:1812 to 172.16.1.126:59647 length 0
(4)   EAP-Message = ...
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0x8222e2dd8627f71204a77c7c67b196c6
(4) Finished request
Waking up in 4.6 seconds.
(5) Received Access-Request Id 65 from 172.16.1.126:59647 to 10.10.12.37:1812 length 328
(5)   User-Name = "test"
(5)   Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(5)   NAS-IP-Address = 172.16.1.126
(5)   NAS-Port = 76
(5)   Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(5)   Service-Type = Framed-User
(5)   Framed-MTU = 1400
(5)   NAS-Port-Type = Wireless-802.11
(5)   NAS-Identifier = "60-D0-2C-57-EE-68"
(5)   Connect-Info = "CONNECT 802.11g/n"
(5)   EAP-Message =
0x020500841500160303004610000042410461bc18599cd2f361905599c4636ac61727b555da6f37455d7d313e029edd9774b0eaaa6d3b08f7372c9aecc500cf84639a5b2fe4ad1c98ee25a0980ee8430629140303000101160303002800000000000000002af63b75129f24cd542b44457df4574b279ce8b0b746db09699c2950010b11ec
(5)   State = 0x8222e2dd8627f71204a77c7c67b196c6
(5)   Ruckus-SSID = "RuckusAP"
(5)   Message-Authenticator = 0x2c9ce0c4e8108f366296d2e408f7a4ef
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5)   authorize {
(5)     update {
(5)       Executing: /usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -c:
(5)       EXPAND %{User-Name}
(5)          --> test
(5)       EXPAND %{User-Password}
(5)          -->
(5)       Program returned code (0) and output 'Cleartext-Password := "test2020"'
(5)       control::Cleartext-Password := test2020
(5)       Executing: /usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -v:
(5)       EXPAND %{User-Name}
(5)          --> test
(5)       EXPAND %{User-Password}
(5)          -->
(5)       Program returned code (0) and output 'Cleartext-Password := "test2020"'
(5)       reply::Cleartext-Password := test2020
(5)     } # update = noop
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = noop
(5)     } # policy filter_username = noop
(5)     [preprocess] = ok
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "test", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 132
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0x8222e2dd8627f712
(5) eap: Finished EAP session with state 0x8222e2dd8627f712
(5) eap: Previous EAP request found for state 0x8222e2dd8627f712, released from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: <<< recv TLS 1.2  [length 0046]
(5) eap_ttls: TLS_accept: SSLv3 read client key exchange A
(5) eap_ttls: <<< recv TLS 1.2  [length 0001]
(5) eap_ttls: <<< recv TLS 1.2  [length 0010]
(5) eap_ttls: TLS_accept: SSLv3 read finished A
(5) eap_ttls: >>> send TLS 1.2  [length 0001]
(5) eap_ttls: TLS_accept: SSLv3 write change cipher spec A
(5) eap_ttls: >>> send TLS 1.2  [length 0010]
(5) eap_ttls: TLS_accept: SSLv3 write finished A
(5) eap_ttls: TLS_accept: SSLv3 flush data
(5) eap_ttls: (other): SSL negotiation finished successfully
(5) eap_ttls: TLS - Connection Established
(5) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(5) eap_ttls: TLS-Session-Version = "TLS 1.2"
(5) eap_ttls: TLS - got 51 bytes of data
(5) eap_ttls: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 6 length 61
(5) eap: EAP session adding &reply:State = 0x8222e2dd8724f712
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found.  Ignoring.
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) session-state: Saving cached attributes
(5)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(5)   TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 65 from 10.10.12.37:1812 to 172.16.1.126:59647 length 0
(5)   EAP-Message = 0x0106003d158000000033140303000101160303002800000000000000000c85e97e31aa73051034e9862337dff0e87a52b73b047946e186ec08db0bab8d
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0x8222e2dd8724f71204a77c7c67b196c6
(5) Finished request
Waking up in 4.5 seconds.
(6) Received Access-Request Id 66 from 172.16.1.126:59647 to 10.10.12.37:1812 length 251
(6)   User-Name = "test"
(6)   Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(6)   NAS-IP-Address = 172.16.1.126
(6)   NAS-Port = 76
(6)   Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(6)   Service-Type = Framed-User
(6)   Framed-MTU = 1400
(6)   NAS-Port-Type = Wireless-802.11
(6)   NAS-Identifier = "60-D0-2C-57-EE-68"
(6)   Connect-Info = "CONNECT 802.11g/n"
(6)   EAP-Message = 0x020600371500170303002c00000000000000011c71cc3b155bab267a828307af32bc709dbaeaecc6b80fd05aa8e97cb2c6432b1795ee8d
(6)   State = 0x8222e2dd8724f71204a77c7c67b196c6
(6)   Ruckus-SSID = "RuckusAP"
(6)   Message-Authenticator = 0x9150701e62a079eebbe877e7e4a9c89f
(6) Restoring &session-state
(6)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(6)   &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6)   authorize {
(6)     update {
(6)       Executing: /usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -c:
(6)       EXPAND %{User-Name}
(6)          --> test
(6)       EXPAND %{User-Password}
(6)          -->
(6)       Program returned code (0) and output 'Cleartext-Password := "test2020"'
(6)       control::Cleartext-Password := test2020
(6)       Executing: /usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -v:
(6)       EXPAND %{User-Name}
(6)          --> test
(6)       EXPAND %{User-Password}
(6)          -->
(6)       Program returned code (0) and output 'Cleartext-Password := "test2020"'
(6)       reply::Cleartext-Password := test2020
(6)     } # update = noop
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = noop
(6)     } # policy filter_username = noop
(6)     [preprocess] = ok
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "test", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 55
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0x8222e2dd8724f712
(6) eap: Finished EAP session with state 0x8222e2dd8724f712
(6) eap: Previous EAP request found for state 0x8222e2dd8724f712, released from the list
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: Continuing EAP-TLS
(6) eap_ttls: [eaptls verify] = ok
(6) eap_ttls: Done initial handshake
(6) eap_ttls: [eaptls process] = ok
(6) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(6) eap_ttls: Got tunneled request
(6) eap_ttls:   EAP-Message = 0x0200000a0168616b616e
(6) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_ttls: Got tunneled identity of test
(6) eap_ttls: Setting default EAP type for tunneled EAP session
(6) eap_ttls: Sending tunneled request
(6) Virtual server inner-tunnel received request
(6)   EAP-Message = 0x0200000a0168616b616e
(6)   FreeRADIUS-Proxied-To = 127.0.0.1
(6)   User-Name = "test"
(6) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(6) server inner-tunnel {
(6)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(6)     authorize {
(6)       policy filter_username {
(6)         if (&User-Name) {
(6)         if (&User-Name)  -> TRUE
(6)         if (&User-Name)  {
(6)           if (&User-Name =~ / /) {
(6)           if (&User-Name =~ / /)  -> FALSE
(6)           if (&User-Name =~ /@[^@]*@/ ) {
(6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)           if (&User-Name =~ /\.\./ ) {
(6)           if (&User-Name =~ /\.\./ )  -> FALSE
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)           if (&User-Name =~ /\.$/)  {
(6)           if (&User-Name =~ /\.$/)   -> FALSE
(6)           if (&User-Name =~ /@\./)  {
(6)           if (&User-Name =~ /@\./)   -> FALSE
(6)         } # if (&User-Name)  = notfound
(6)       } # policy filter_username = notfound
(6)       [chap] = noop
(6)       [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "test", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)       [suffix] = noop
(6)       update control {
(6)         &Proxy-To-Realm := LOCAL
(6)       } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 0 length 10
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6)       [eap] = ok
(6)     } # authorize = ok
(6)   Found Auth-Type = eap
(6)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6)     authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_md5 to process data
(6) eap_md5: Issuing MD5 Challenge
(6) eap: Sending EAP Request (code 1) ID 1 length 22
(6) eap: EAP session adding &reply:State = 0xfb738c1efb7288f2
(6)       [eap] = handled
(6)     } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6)   EAP-Message = 0x010100160410039a74cbba1e0639cb6ef0d5de63f3d5
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xfb738c1efb7288f2701021cb605e5eb7
(6) eap_ttls: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 7 length 71
(6) eap: EAP session adding &reply:State = 0x8222e2dd8425f712
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found.  Ignoring.
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) session-state: Saving cached attributes
(6)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(6)   TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 66 from 10.10.12.37:1812 to 172.16.1.126:59647 length 0
(6)   EAP-Message = 0x0107004715800000003d170303003800000000000000014b15de3a7cc2f3cc4f87e27dd20fb5b5e4c7abfce216cee56b856d7e1c3fc11180402063e9c315c3dd28e602e84772a5
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0x8222e2dd8425f71204a77c7c67b196c6
(6) Finished request
Waking up in 4.4 seconds.
(7) Received Access-Request Id 67 from 172.16.1.126:59647 to 10.10.12.37:1812 length 263
(7)   User-Name = "test"
(7)   Calling-Station-Id = "C4-9F-4C-E3-07-3A"
(7)   NAS-IP-Address = 172.16.1.126
(7)   NAS-Port = 76
(7)   Called-Station-Id = "60-D0-2C-57-EE-68:RuckusAP"
(7)   Service-Type = Framed-User
(7)   Framed-MTU = 1400
(7)   NAS-Port-Type = Wireless-802.11
(7)   NAS-Identifier = "60-D0-2C-57-EE-68"
(7)   Connect-Info = "CONNECT 802.11g/n"
(7)   EAP-Message = 0x02070043150017030300380000000000000002bb5188202ca0c38e9b84b7ed3bbbf8c789809017277b71168ce763db7f64153917cf809269f593d158e21be543b3cc41
(7)   State = 0x8222e2dd8425f71204a77c7c67b196c6
(7)   Ruckus-SSID = "RuckusAP"
(7)   Message-Authenticator = 0xf78013ae60f9b978a588b0e3b0ea7b28
(7) Restoring &session-state
(7)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(7)   &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7)   authorize {
(7)     update {
(7)       Executing: /usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -c:
(7)       EXPAND %{User-Name}
(7)          --> test
(7)       EXPAND %{User-Password}
(7)          -->
(7)       Program returned code (0) and output 'Cleartext-Password := "test2020"'
(7)       control::Cleartext-Password := test2020
(7)       Executing: /usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -v:
(7)       EXPAND %{User-Name}
(7)          --> test
(7)       EXPAND %{User-Password}
(7)          -->
(7)       Program returned code (0) and output 'Cleartext-Password := "test2020"'
(7)       reply::Cleartext-Password := test2020
(7)     } # update = noop
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = noop
(7)     } # policy filter_username = noop
(7)     [preprocess] = ok
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "test", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 67
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0xfb738c1efb7288f2
(7) eap: Finished EAP session with state 0x8222e2dd8425f712
(7) eap: Previous EAP request found for state 0x8222e2dd8425f712, released from the list
(7) eap: Peer sent packet with method EAP TTLS (21)
(7) eap: Calling submodule eap_ttls to process data
(7) eap_ttls: Authenticate
(7) eap_ttls: Continuing EAP-TLS
(7) eap_ttls: [eaptls verify] = ok
(7) eap_ttls: Done initial handshake
(7) eap_ttls: [eaptls process] = ok
(7) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(7) eap_ttls: Got tunneled request
(7) eap_ttls:   EAP-Message = 0x020100160410afb4be13e0362d8e30108e61c594b759
(7) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_ttls: Sending tunneled request
(7) Virtual server inner-tunnel received request
(7)   EAP-Message = 0x020100160410afb4be13e0362d8e30108e61c594b759
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "test"
(7)   State = 0xfb738c1efb7288f2701021cb605e5eb7
(7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(7) server inner-tunnel {
(7)   session-state: No cached attributes
(7)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(7)     authorize {
(7)       policy filter_username {
(7)         if (&User-Name) {
(7)         if (&User-Name)  -> TRUE
(7)         if (&User-Name)  {
(7)           if (&User-Name =~ / /) {
(7)           if (&User-Name =~ / /)  -> FALSE
(7)           if (&User-Name =~ /@[^@]*@/ ) {
(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)           if (&User-Name =~ /\.\./ ) {
(7)           if (&User-Name =~ /\.\./ )  -> FALSE
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)           if (&User-Name =~ /\.$/)  {
(7)           if (&User-Name =~ /\.$/)   -> FALSE
(7)           if (&User-Name =~ /@\./)  {
(7)           if (&User-Name =~ /@\./)   -> FALSE
(7)         } # if (&User-Name)  = notfound
(7)       } # policy filter_username = notfound
(7)       [chap] = noop
(7)       [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "test", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)       [suffix] = noop
(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 1 length 22
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)       [eap] = updated
(7)       [files] = noop
(7)       [expiration] = noop
(7)       [logintime] = noop
(7)       [pap] = noop
(7)     } # authorize = updated
(7)   Found Auth-Type = eap
(7)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7)     authenticate {
(7) eap: Expiring EAP session with state 0xfb738c1efb7288f2
(7) eap: Finished EAP session with state 0xfb738c1efb7288f2
(7) eap: Previous EAP request found for state 0xfb738c1efb7288f2, released
from the list
(7) eap: Peer sent packet with method EAP MD5 (4)
(7) eap: Calling submodule eap_md5 to process data
(7) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication
(7) eap: ERROR: Failed continuing EAP MD5 (4) session.  EAP sub-module failed
(7) eap: Sending EAP Failure (code 4) ID 1 length 4
(7) eap: Failed in EAP select
(7)       [eap] = invalid
(7)     } # authenticate = invalid
(7)   Failed to authenticate the user
(7)   Using Post-Auth-Type Reject
(7)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7)     Post-Auth-Type REJECT {
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject:    --> test
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7)       [attr_filter.access_reject] = updated
(7)       update outer.session-state {
(7)         &Module-Failure-Message := &request:Module-Failure-Message -> 'eap_md5: Cleartext-Password is required for EAP-MD5 authentication'
(7)       } # update outer.session-state = noop
(7)     } # Post-Auth-Type REJECT = updated
(7)   EXPAND LOGIN_FAILED
(7)      --> LOGIN_FAILED
(7)   Login incorrect (eap_md5: Cleartext-Password is required for EAP-MD5 authentication): [test] (from client ruckus port 0 via TLS tunnel) LOGIN_FAILED
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7)   EAP-Message = 0x04010004
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_ttls: Got tunneled Access-Reject
(7) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
(7) eap: Sending EAP Failure (code 4) ID 7 length 4
(7) eap: Failed in EAP select
(7)     [eap] = invalid
(7)   } # authenticate = invalid
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7)   Post-Auth-Type REJECT {
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject:    --> test
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7)     [attr_filter.access_reject] = updated
(7)     [eap] = noop
(7)     policy remove_reply_message_if_eap {
(7)       if (&reply:EAP-Message && &reply:Reply-Message) {
(7)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(7)       else {
(7)         [noop] = noop
(7)       } # else = noop
(7)     } # policy remove_reply_message_if_eap = noop
(7)   } # Post-Auth-Type REJECT = updated
(7) EXPAND LOGIN_FAILED
(7)    --> LOGIN_FAILED
(7) Login incorrect (eap: Failed continuing EAP TTLS (21) session.  EAP sub-module failed): [test] (from client ruckus port 76 cli C4-9F-4C-E3-07-3A) LOGIN_FAILED
(7) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(7) Sending delayed response
(7) Sent Access-Reject Id 67 from 10.10.12.37:1812 to 172.16.1.126:59647 length 44
(7)   EAP-Message = 0x04070004
(7)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.3 seconds.
(0) Cleaning up request packet ID 60 with timestamp +3
(1) Cleaning up request packet ID 61 with timestamp +3
(2) Cleaning up request packet ID 62 with timestamp +3
(3) Cleaning up request packet ID 63 with timestamp +3
(4) Cleaning up request packet ID 64 with timestamp +3
(5) Cleaning up request packet ID 65 with timestamp +3
(6) Cleaning up request packet ID 66 with timestamp +4
(7) Cleaning up request packet ID 67 with timestamp +4

Lang, Russell <[hidden email]> wrote on Fri, 7 Feb 2020 at 08:12:

> We used to do this, but moved away from it.  Our external program was a
> python script, and the startup time for each authentication was too long.
>
> If you must do 802.1x EAP using this method, then note that EAP is handled
> by default site, while MSCHAP is handled by inner-tunnel site.  In the
> inner-tunnel, you can exec a program and give it the MSCHAP challenge and
> response, validate that against NT-Password that you have stored, and
> return the NT session key back to FreeRADIUS.  This involves implementing
> MSCHAP code that already exists in FreeRADIUS.
>
> The simpler alternative that we are now using is to call a REST API from
> FreeRADIUS during authorisation (really pre-auth) and return the
> NT-Password, letting FreeRADIUS do all the EAP / PAP / MSCHAPv2 stuff
> during authentication.
> See my previous emails to this list on rlm_rest, but note that some of the
> information I wrote I have now discovered wasn't correct.
>
> Regards,
> Russell Lang
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
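The failing line in the log above, `eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication`, follows directly from how EAP-MD5 is computed, and the log also shows where the script's output went: `control::Cleartext-Password` is set on the outer request in the `default` server, while `eap_md5` runs in the `inner-tunnel` virtual server, which has its own control list. The following is an added example, not code from the thread or from FreeRADIUS. It parses the tunneled EAP-MD5 Request and Response copied verbatim from requests (6) and (7) of the log, then verifies a constructed exchange built with the password "test2020" that the script returns. The server recomputes MD5(Identifier || password || Challenge) over a challenge it generated for this session, so it needs the cleartext itself; comparing a stored hash of the password against "the hash the client sent", as the original question proposes, cannot work for this method. The real response from the log is not verified here, because the peer's actual password is not on the page; the packet layout and challenge bytes are. The identifier and challenge in the constructed exchange are assumptions.

```python
"""EAP-MD5 (RFC 3748 section 5.4; same arithmetic as CHAP, RFC 1994 section 4.1).

Added example, not code from the thread or from FreeRADIUS.
"""
import hashlib
import hmac
from dataclasses import dataclass

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4

# The tunneled EAP-MD5 packets copied from requests (6) and (7) of the log.
LOG_REQUEST = bytes.fromhex("010100160410039a74cbba1e0639cb6ef0d5de63f3d5")
LOG_RESPONSE = bytes.fromhex("020100160410afb4be13e0362d8e30108e61c594b759")


@dataclass
class EapMd5:
    code: int        # 1 = Request (carries the challenge), 2 = Response
    identifier: int  # the Response must echo the Request's identifier
    value: bytes     # 16-byte challenge in a Request, 16-byte MD5 in a Response
    name: bytes      # optional trailing Name field (empty in the log's packets)


def parse_eap_md5(packet: bytes) -> EapMd5:
    """Layout: Code(1) Identifier(1) Length(2) Type(1) Value-Size(1) Value Name."""
    if len(packet) < 6:
        raise ValueError("EAP packet too short")
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        raise ValueError(f"EAP Length {length} does not match {len(packet)} bytes")
    if packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError(f"EAP Type {packet[4]} is not MD5-Challenge")
    value_size = packet[5]
    value = packet[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("Value-Size runs past the end of the packet")
    return EapMd5(code, identifier, value, packet[6 + value_size:])


def md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_request(identifier: int, challenge: bytes) -> bytes:
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge
    return bytes([EAP_REQUEST, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def build_response(identifier: int, password: bytes, challenge: bytes, name: bytes = b"") -> bytes:
    digest = md5_response(identifier, password, challenge)
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(digest)]) + digest + name
    return bytes([EAP_RESPONSE, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def verify(request: EapMd5, response: EapMd5, password: bytes) -> bool:
    """Server-side check: rehash with the cleartext password over the challenge the
    server issued. A stored digest of the password alone cannot produce this value,
    because the challenge is fresh for every session."""
    if request.code != EAP_REQUEST or response.code != EAP_RESPONSE:
        return False
    if request.identifier != response.identifier:
        return False
    expected = md5_response(request.identifier, password, request.value)
    return hmac.compare_digest(expected, response.value)


def check_log_exchange(password: bytes) -> bool:
    """Try a candidate password against the real packets from the log."""
    return verify(parse_eap_md5(LOG_REQUEST), parse_eap_md5(LOG_RESPONSE), password)


def demo() -> dict:
    """Constructed exchange; identifier 7 and the 0x00..0x0f challenge are assumptions."""
    challenge = bytes(range(16))
    request = parse_eap_md5(build_request(7, challenge))
    response = parse_eap_md5(build_response(7, b"test2020", challenge))
    return {
        "cleartext_ok": verify(request, response, b"test2020"),
        "wrong_password": verify(request, response, b"Test2020"),
        # a stored hash of the password is not a substitute for the password
        "hash_instead_of_password": verify(request, response, hashlib.sha256(b"test2020").digest()),
        "wrong_identifier": verify(parse_eap_md5(build_request(8, challenge)), response, b"test2020"),
    }


if __name__ == "__main__":
    req = parse_eap_md5(LOG_REQUEST)
    print(f"log challenge: id={req.identifier} value={req.value.hex()}")
    print(demo())
```

`check_log_exchange(b"...")` lets a reader test a candidate against the captured packets; nothing on the page says what the peer typed, so no result is claimed for it. The same dependence on the cleartext holds for plain CHAP; MS-CHAPv2, which Russell's reply discusses, works from the NT hash instead, which is why FreeRADIUS accepts NT-Password there.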
Re: Freeradius External Script Auth.

Matthew Newton-3
On Fri, 2020-02-07 at 09:12 +0300, Vertigo Altair wrote:
> Thanks for the help. I'm providing "Cleartext-Password" to Freeradius
> as an output from my script.

You need to call your script in the inner-tunnel virtual server, not in
the default (outer) server.

And, as previously mentioned, running external scripts to do this isn't
recommended.

--
Matthew


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
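Following Matthew's answer, here is an added example of the lookup script itself, written in Python; it is not code from the thread or from FreeRADIUS. It is meant to be invoked from the `authorize` section of `sites-enabled/inner-tunnel` with the same backtick form the original post uses, but with only the username, since the inner request carries no User-Password for EAP either: `control: += `/usr/bin/myauthscript.py '%{User-Name}'``. Assumptions: the script path, the constructed SOURCES table standing in for the poster's Active Directory and API lookups, and the output format, a single comma-separated line of `Attribute := "value"` pairs in the same pair syntax the original script already emits, with backslash and double quote escaped as FreeRADIUS's double-quoted strings expect. By default it returns Cleartext-Password, which covers PAP, CHAP, EAP-MD5 and MS-CHAPv2; if a source can only release a hash, it returns NT-Password (MD4 over the UTF-16LE password, as hex), which is enough for MS-CHAPv2 but not for EAP-MD5 or CHAP, as the `eap_md5` error in the log shows. MD4 is implemented inline because hashlib's `md4` is missing on many OpenSSL 3 builds.

```python
#!/usr/bin/env python3
"""Lookup script for the FreeRADIUS inner-tunnel authorize section.

Added example, not code from the thread or from FreeRADIUS. Invoked as
    control: += `/usr/bin/myauthscript.py '%{User-Name}'`
(the path is an assumption) and prints control-list pairs for that user.
"""
import sys

# Constructed stand-in for the poster's multiple Active Directory / API sources.
SOURCES = (
    ("corp-ad", {"test": "test2020"}),
    ("guest-api", {"visitor": 'pa"ss\\word'}),
)


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; hashlib's md4 is missing on many OpenSSL 3 builds."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += (len(data) * 8).to_bytes(8, "little")
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = [int.from_bytes(msg[off + 4 * i:off + 4 * i + 4], "little") for i in range(16)]
        a, b, c, d = state
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return b"".join(v.to_bytes(4, "little") for v in state)


def nt_hash(password: str) -> str:
    """NT-Password as FreeRADIUS takes it: MD4 over the UTF-16LE password, hex."""
    return md4(password.encode("utf-16-le")).hex()


def lookup(username: str):
    """First source that knows the user wins; returns (source, password) or None."""
    for source, table in SOURCES:
        if username in table:
            return source, table[username]
    return None


def quote(value: str) -> str:
    """Double-quote a value for the pair parser, escaping backslash and quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def control_pairs(username: str, ship_cleartext: bool = True) -> list:
    """Pairs to print. Cleartext-Password serves PAP, CHAP, EAP-MD5 and MS-CHAPv2;
    NT-Password alone serves MS-CHAPv2 (PEAP, EAP-TTLS/MS-CHAPv2) but not CHAP or
    EAP-MD5, which need the cleartext, as the eap_md5 error in the log shows."""
    hit = lookup(username)
    if hit is None:
        return []
    _source, password = hit
    if ship_cleartext:
        return [f"Cleartext-Password := {quote(password)}"]
    return [f"NT-Password := 0x{nt_hash(password)}"]


def main(argv) -> int:
    if len(argv) != 2 or not argv[1]:
        print("usage: myauthscript.py USER-NAME", file=sys.stderr)
        return 2
    pairs = control_pairs(argv[1])
    if not pairs:
        return 1  # unknown user: print nothing and exit non-zero; no password pair is added
    print(", ".join(pairs))  # one line, comma separated, like a users-file entry
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two things the log above makes visible: `radiusd -X` prints the program's output verbatim, so the password shows up in debug output exactly as "test2020" does there; and the `-v` call in the original configuration copies the same pair into the reply list, where a password has no business, so drop it. The username is only ever used as a dictionary key here, never handed to a shell. A Python interpreter start per inner-tunnel request is the cost Russell's reply warns about; rlm_rest, as he suggests, or unlang with the modules FreeRADIUS already has, avoids it.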