Fwd: help


Fwd: help

valeriobaroni
HELP
Hi all, I'm trying to set up FreeRADIUS with a Cisco WLC, but when I try to
connect I cannot receive any IP from VLAN 102. Can you help me?

 # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
   authorize {
     policy filter_username {
       if (&User-Name) {
       if (&User-Name)  -> TRUE
       if (&User-Name)  {
         if (&User-Name =~ / /) {
         if (&User-Name =~ / /)  -> FALSE
         if (&User-Name =~ /@[^@]*@/ ) {
         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
         if (&User-Name =~ /\.\./ ) {
         if (&User-Name =~ /\.\./ )  -> FALSE
         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
         if (&User-Name =~ /\.$/)  {
         if (&User-Name =~ /\.$/)   -> FALSE
         if (&User-Name =~ /@\./)  {
         if (&User-Name =~ /@\./)   -> FALSE
       } # if (&User-Name)  = notfound
     } # policy filter_username = notfound
     [preprocess] = ok
     [chap] = noop
     [mschap] = noop
     [digest] = noop
 suffix: Checking for suffix after "@"
 suffix: No '@' in User-Name = "antonio.spagnolo", looking up realm NULL
 suffix: No such realm "NULL"
     [suffix] = noop
 eap: Peer sent EAP Response (code 2) ID 8 length 46
 eap: Continuing tunnel setup
     [eap] = ok
   } # authorize = ok
 Found Auth-Type = eap
 # Executing group from file /etc/freeradius/3.0/sites-enabled/default
   authenticate {
 eap: Expiring EAP session with state 0x15e01da017e4042c
 eap: Finished EAP session with state 0xb7b3f30ab1bbeaee
 eap: Previous EAP request found for state 0xb7b3f30ab1bbeaee, released
from the list
 eap: Peer sent packet with method EAP PEAP (25)
 eap: Calling submodule eap_peap to process data
 eap_peap: Continuing EAP-TLS
 eap_peap: [eaptls verify] = ok
 eap_peap: Done initial handshake
 eap_peap: [eaptls process] = ok
 eap_peap: Session established.  Decoding tunneled attributes
 eap_peap: PEAP state send tlv success
 eap_peap: Received EAP-TLV response
 eap_peap: Success
 eap_peap: Using saved attributes from the original Access-Accept
 eap_peap:   Cleartext-Password = "l63dJ2Ye"
 eap_peap:   Tunnel-Type = VLAN
 eap_peap:   Tunnel-Medium-Type = IEEE-802
 eap_peap:   Tunnel-Private-Group-Id = "102"
 eap: Sending EAP Success (code 3) ID 8 length 4
 eap: Freeing handler
     [eap] = ok
   } # authenticate = ok
 # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
   post-auth {
     if (session-state:User-Name && reply:User-Name && request:User-Name &&
(reply:User-Name == request:User-Name)) {
     if (session-state:User-Name && reply:User-Name && request:User-Name &&
(reply:User-Name == request:User-Name))  -FALSE
     update {
       &reply::TLS-Session-Cipher-Suite +=
&session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
       &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*]
-> 'TLS 1.2'
     } # update = noop
 sql: EXPAND .query
 sql:    --> .query
 sql: Using query template 'query'
rlm_sql (sql): Reserved connection (14)
 sql: EXPAND %{User-Name}
 sql:    --> antonio.spagnolo
 sql: SQL-User-Name set to 'antonio.spagnolo'
 sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S.%M')
 sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES
( 'antonio.spagnolo', '', 'Access-Accept', '2021-01-21 16:11:14.451111')
 sql: EXPAND /var/log/freeradius/sqllog.sql
 sql:    --> /var/log/freeradius/sqllog.sql
 sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'antonio.spagnolo', '', 'Access-Accept', '2021-01-21
16:11:14.451111')
 sql: SQL query returned: success
 sql: 1 record(s) updated
rlm_sql (sql): Released connection (14)
     [sql] = ok
     [exec] = noop
     policy remove_reply_message_if_eap {
       if (&reply:EAP-Message && &reply:Reply-Message) {
       if (&reply:EAP-Message && &reply:Reply-Message)  -FALSE
       else {
         [noop] = noop
       } # else = noop
     } # policy remove_reply_message_if_eap = noop
   } # post-auth = ok
 Sent Access-Accept Id 34 from 192.168.11.5:1812 to 192.168.14.250:50788
length 0
   Tunnel-Type = VLAN
   Tunnel-Medium-Type = IEEE-802
   Tunnel-Private-Group-Id = "102"
   MS-MPPE-Recv-Key =
0x7271712b4d569cfb7ca3339e0a7b56057fbb82f2d1c0571a16de929285a7b101
   MS-MPPE-Send-Key =
0x43dd9dbc85f67a42325568da028912e22fc1587cb3d2df3ed4c5b076731f8e85
   EAP-Message = 0x03080004
   Message-Authenticator = 0x00000000000000000000000000000000
   User-Name = "antonio.spagnolo"
 Finished request
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: help

Alan DeKok-2


> On Jan 22, 2021, at 4:46 AM, valeriobaroni <[hidden email]> wrote:
>
> HELP
> Hi all, I'm trying to set up FreeRADIUS with a Cisco WLC, but when I try to
> connect I cannot receive any IP from VLAN 102. Can you help me?

  RADIUS doesn't do IP assignment.  So the problem could be elsewhere.

* did the NAS put the user into VLAN 102?

* did the user send a DHCP request on that VLAN?

* did the DHCP server receive that DHCP request?

* did the DHCP server assign an IP?

* did the DHCP reply make it back to the users system?

  Alan DeKok.


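Alan's first question, whether the NAS actually put the user into the VLAN, starts with what FreeRADIUS put on the wire. The following is an added example, not code from the FreeRADIUS project or from anyone in this thread: a small Python decoder that parses a RADIUS Access-Accept, checks its Response Authenticator against the shared secret (so a reply captured on the network can be confirmed as genuine), and reports whether the RFC 2868 Tunnel attributes form one complete VLAN assignment under a single tag (Tunnel-Type VLAN, Tunnel-Medium-Type IEEE-802, a Tunnel-Private-Group-Id). It accepts both RFC 2868 encodings of the group id string, with an explicit tag byte or with the tag omitted. The packet bytes, request authenticator and secret are constructed here to mirror the attributes in the debug output above; all function names are mine.

```python
# Added example (not FreeRADIUS project code): decode and sanity-check the
# VLAN assignment in a RADIUS Access-Accept. All sample values are constructed.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2               # RFC 2865 packet code
TUNNEL_TYPE = 64                # RFC 2868 tagged integer
TUNNEL_MEDIUM_TYPE = 65         # RFC 2868 tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81    # RFC 2868 tagged string
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6   # RFC 3580: VLAN over IEEE-802

def tagged_int(attr, tag, value):
    """Tagged integer AVP: Type, Length, Tag, 3-byte value (RFC 2868 s3.1)."""
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")

def tagged_str(attr, tag, value):
    """Tagged string AVP (RFC 2868 s3.6); tag=None omits the tag byte, which is
    legal because a first byte above 0x1F is read as string data, not a tag."""
    data = value.encode("ascii")
    if tag is None:
        return struct.pack("!BB", attr, 2 + len(data)) + data
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data

def build_access_accept(ident, request_auth, secret, attrs):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

def verify_response_authenticator(packet, request_auth, secret):
    """True only if a server knowing `secret` built this reply for `request_auth`."""
    head, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def iter_attributes(body):
    """Yield (type, value) per AVP; a malformed Length raises instead of looping."""
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, body[i + 2:i + alen]
        i += alen

def split_tag(value, is_string):
    """RFC 2868 tag rule: 0x00 untagged, 0x01-0x1F a tag; a first byte above
    0x1F is string data for string attributes and an error for integers."""
    if not value:
        raise ValueError("empty tagged attribute")
    tag = value[0]
    if tag <= 0x1F:
        return tag, value[1:]
    if is_string:
        return 0, value
    raise ValueError(f"invalid tag byte 0x{tag:02x} in integer attribute")

def vlan_assignment(packet):
    """Return {"tag", "vlan"} for a complete VLAN assignment, else {"problems": [...]}."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length < 20 or length != len(packet):
        return {"problems": ["not a well-formed Access-Accept"]}
    groups = {}
    for atype, value in iter_attributes(packet[20:length]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, rest = split_tag(value, is_string=False)
            groups.setdefault(tag, {})[atype] = int.from_bytes(rest, "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, rest = split_tag(value, is_string=True)
            groups.setdefault(tag, {})[atype] = rest.decode("ascii", "replace")
    problems = [] if groups else ["no Tunnel-* attributes in the reply"]
    for tag, found in sorted(groups.items()):
        local = []
        if found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
            local.append(f"tag {tag}: Tunnel-Type {found.get(TUNNEL_TYPE)} is not VLAN (13)")
        if found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
            local.append(f"tag {tag}: Tunnel-Medium-Type {found.get(TUNNEL_MEDIUM_TYPE)} is not IEEE-802 (6)")
        if not found.get(TUNNEL_PRIVATE_GROUP_ID):
            local.append(f"tag {tag}: Tunnel-Private-Group-Id missing")
        if not local:   # first complete tag group wins
            return {"tag": tag, "vlan": found[TUNNEL_PRIVATE_GROUP_ID]}
        problems.extend(local)
    return {"problems": problems}

# Constructed demo inputs (not values from the thread)
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"example-shared-secret"

def sample_reply(include_medium=True):
    """Mirrors the reply in the debug output (VLAN / IEEE-802 / "102", untagged);
    include_medium=False drops Tunnel-Medium-Type, leaving an incomplete assignment."""
    attrs = [tagged_int(TUNNEL_TYPE, 0, TUNNEL_TYPE_VLAN),
             tagged_str(TUNNEL_PRIVATE_GROUP_ID, 0, "102")]
    if include_medium:
        attrs.insert(1, tagged_int(TUNNEL_MEDIUM_TYPE, 0, TUNNEL_MEDIUM_IEEE_802))
    return build_access_accept(34, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, attrs)
```

To use it on a real reply, feed the raw UDP payload of the Access-Accept to `vlan_assignment()` and, with the matching Access-Request's authenticator and the client's shared secret, to `verify_response_authenticator()`; a reply that passes both checks but still leaves the client in the wrong VLAN points at the NAS, which is where the rest of this thread ends up.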

Re: help

valeriobaroni
Hi Alan,
if I try it without using attributes like (Tunnel-Type, Tunnel-Medium-Type,
Tunnel-Private-Group-Id), my DHCP server assigns me an IP correctly and I can
navigate; when I put those parameters back in, nothing happens:

 freeradius -X

 # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [preprocess] = ok
(9)     [chap] = noop
(9)     [mschap] = noop
(9)     [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "valerio", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 2 length 8
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9)     [eap] = updated
(9)     [files] = noop
(9) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(9) sql:    --> valerio
(9) sql: SQL-User-Name set to 'valerio'
rlm_sql (sql): Reserved connection (8)
(9) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(9) sql:    --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'valerio' ORDER BY id
(9) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'valerio' ORDER BY id
(9) sql: User found in radcheck table
(9) sql: Conditional check items matched, merging assignment check items
(9) sql:   Cleartext-Password := "valerio"
(9) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(9) sql:    --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'valerio' ORDER BY id
(9) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'valerio' ORDER BY id
rlm_sql (sql): Reserved connection (10)
rlm_sql (sql): Released connection (10)
Need 6 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (12), 1 of 27 pending slots
used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 8.0.22-0ubuntu0.20.10.2, protocol version 10
(9) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(9) sql:    --> SELECT groupname FROM radusergroup WHERE username =
'valerio' ORDER BY priority
(9) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = 'valerio' ORDER BY priority
(9) sql: User found in the group table
(9) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(9) sql:    --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'VLAN102' ORDER BY id
(9) sql: Executing select query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'VLAN102' ORDER BY id
(9) sql: Group "VLAN102": Conditional check items matched
(9) sql: Group "VLAN102": Merging assignment check items
(9) sql:   Auth-Type := Accept
(9) sql: EXPAND SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(9) sql:    --> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'VLAN102' ORDER BY id
(9) sql: Executing select query: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = 'VLAN102' ORDER BY id
(9) sql: Group "VLAN102": Merging reply items
(9) sql:   Tunnel-Type = VLAN
(9) sql:   Tunnel-Medium-Type = IEEE-802
(9) sql:   Tunnel-Private-Group-Id = "103"
(9) sql: Checking profile DEFAULT
(9) sql: EXPAND DEFAULT
(9) sql:    --> DEFAULT
(9) sql: SQL-User-Name set to 'DEFAULT'
rlm_sql (sql): Reserved connection (11)
rlm_sql (sql): Released connection (11)
(9) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(9) sql:    --> SELECT groupname FROM radusergroup WHERE username =
'DEFAULT' ORDER BY priority
(9) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = 'DEFAULT' ORDER BY priority
(9) sql: User found in the group table
(9) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(9) sql:    --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'VLAN102' ORDER BY id
(9) sql: Executing select query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'VLAN102' ORDER BY id
(9) sql: Group "VLAN102": Conditional check items matched
(9) sql: Group "VLAN102": Merging assignment check items
(9) sql:   Auth-Type := Accept
(9) sql: EXPAND SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(9) sql:    --> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'VLAN102' ORDER BY id
(9) sql: Executing select query: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = 'VLAN102' ORDER BY id
(9) sql: Group "VLAN102": Merging reply items
(9) sql:   Tunnel-Type = VLAN
(9) sql:   Tunnel-Medium-Type = IEEE-802
(9) sql:   Tunnel-Private-Group-Id = "103"
rlm_sql (sql): Released connection (8)
(9)     [sql] = ok
(9)     [expiration] = noop
(9)     [logintime] = noop
(9) pap: WARNING: Auth-Type already set.  Not setting to PAP
(9)     [pap] = noop
(9)   } # authorize = updated
(9) Found Auth-Type = Accept
(9) Auth-Type = Accept, accepting the user
(9) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(9)   post-auth {
(9)     if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(9)     if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name))  -> FALSE
(9)     update {
(9)       No attributes updated for RHS &session-state:
(9)     } # update = noop
(9) sql: EXPAND .query
(9) sql:    --> .query
(9) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (7)
(9) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(9) sql:    --> valerio
(9) sql: SQL-User-Name set to 'valerio'
(9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S.%M')
(9) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'valerio', '', 'Access-Accept', '2021-01-27 12:53:54.144905')
(9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'valerio', '', 'Access-Accept', '2021-01-27
12:53:54.144905')
(9) sql: SQL query returned: success
(9) sql: 1 record(s) updated
rlm_sql (sql): Released connection (7)
(9)     [sql] = ok
(9)     [exec] = noop
(9)     policy remove_reply_message_if_eap {
(9)       if (&reply:EAP-Message && &reply:Reply-Message) {
(9)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(9)       else {
(9)         [noop] = noop
(9)       } # else = noop
(9)     } # policy remove_reply_message_if_eap = noop
(9)   } # post-auth = ok
(9) Sent Access-Accept Id 122 from 192.168.11.5:1812 to 192.168.14.250:50788
length 0
(9)   Tunnel-Type = VLAN
(9)   Tunnel-Medium-Type = IEEE-802
(9)   Tunnel-Private-Group-Id = "103"
(9) Finished request


Is there something that is missing?

Thanks




On Fri, 22 Jan 2021 at 15:30 Alan DeKok <
[hidden email]> wrote:

>
>
> > On Jan 22, 2021, at 4:46 AM, valeriobaroni <[hidden email]>
> wrote:
> >
> > HELP
> > Hi all, I'm trying to set up FreeRADIUS with a Cisco WLC, but when I try
> > to connect I cannot receive any IP from VLAN 102. Can you help me?
>
>   RADIUS doesn't do IP assignment.  So the problem could be elsewhere.
>
> * did the NAS put the user into VLAN 102?
>
> * did the user send a DHCP request on that VLAN?
>
> * did the DHCP server receive that DHCP request?
>
> * did the DHCP server assign an IP?
>
> * did the DHCP reply make it back to the users system?
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

Re: help

Alan DeKok-2


> On Jan 27, 2021, at 6:56 AM, valeriobaroni <[hidden email]> wrote:
>
> Hi Alan,
> if I try it without using attributes like (Tunnel-Type, Tunnel-Medium-Type,
> Tunnel-Private-Group-Id), my DHCP server assigns me an IP correctly and I can
> navigate; when I put those parameters back in, nothing happens:

  Then the NAS is ignoring the VLAN assignment from FreeRADIUS.

a) configure FreeRADIUS to send whatever magic the NAS wants to see.  We don't know what that is.  The standard Tunnel attributes *should* work.

b) throw the NAS in the garbage, and replace it with one that works.

  Alan DeKok.



Re: help

Alan Buxey
In reply to this post by valeriobaroni
hi,

you've got to ensure that the WLC and wireless infrastructure have all
the relevant plumbing in place: is that VLAN reaching the kit (the
WLC controller if APs are in thin mode, the APs themselves via trunk
links if they are autonomous/fat, etc.)? Is the wireless domain on the WLC
configured to deal with that VLAN, and does the SSID have the relevant
allocation, etc.? FR is doing its job here: the authentication and
authorization response look good.

alan

Re: help

Maarten Carels
> On Jan 30, 2021, at 12:18, Alan Buxey <[hidden email]> wrote:
>
> hi,
>
> you've got to ensure that the WLC and wireless infrastructure have all
> the relevant plumbing in place: is that VLAN reaching the kit (the
> WLC controller if APs are in thin mode, the APs themselves via trunk
> links if they are autonomous/fat, etc.)? Is the wireless domain on the WLC
> configured to deal with that VLAN, and does the SSID have the relevant
> allocation, etc.? FR is doing its job here: the authentication and
> authorization response look good.
In the Cisco WLC, allow FreeRADIUS to override the VLAN assignment from the WLC.

In the top menu, select WLAN, then on the left side of the window, select WLANs. Edit the WLAN of your choice; in the Advanced tab you will find an 'Allow AAA Override' option.

Unchecked, the WLC ignores VLAN assignment from RADIUS; checked, it honors VLAN assignment.

Hope this helps

--maarten
