Stripping the domain from the username

Stuart Ramdeen
Hi all

I would be grateful for some pointers with an issue I am experiencing at a
customer's site.
I need to strip the domain part of the username that users are
authenticating with. For example, a user will type in [hidden email]
during authentication to the wireless network, but the username at the
backend in the directory system is just 'bob'. I know that this is a common
request of freeradius and I have tried to configure it in the conf files,
but clearly I am not doing something correctly. I can't seem to get the
'Stripped-User-Name' to be used where I expect it.

If someone can prod me in the right direction, I'd really appreciate it.

The actual domain name in the below text has been replaced with
example.co.uk.

sh-3.2# radiusd -X
radiusd: FreeRADIUS Version 2.2.9, for host i386-apple-darwin13.0, built on
Sep 15 2016 at 12:27:36
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /Library/Server/radius/raddb/radiusd.conf
including configuration file /Library/Server/radius/raddb/proxy.conf
including configuration file /Library/Server/radius/raddb/clients.conf
including files in directory /Library/Server/radius/raddb/modules/
including configuration file /Library/Server/radius/raddb/modules/acct_unique
including configuration file /Library/Server/radius/raddb/modules/always
including configuration file /Library/Server/radius/raddb/modules/attr_filter
including configuration file /Library/Server/radius/raddb/modules/attr_rewrite
including configuration file /Library/Server/radius/raddb/modules/cache
including configuration file /Library/Server/radius/raddb/modules/chap
including configuration file /Library/Server/radius/raddb/modules/checkval
including configuration file /Library/Server/radius/raddb/modules/counter
including configuration file /Library/Server/radius/raddb/modules/cui
including configuration file /Library/Server/radius/raddb/modules/detail
including configuration file /Library/Server/radius/raddb/modules/detail.example.com
including configuration file /Library/Server/radius/raddb/modules/detail.log
including configuration file /Library/Server/radius/raddb/modules/dhcp_sqlippool
including configuration file /Library/Server/radius/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /Library/Server/radius/raddb/modules/digest
including configuration file /Library/Server/radius/raddb/modules/dynamic_clients
including configuration file /Library/Server/radius/raddb/modules/echo
including configuration file /Library/Server/radius/raddb/modules/etc_group
including configuration file /Library/Server/radius/raddb/modules/exec
including configuration file /Library/Server/radius/raddb/modules/expiration
including configuration file /Library/Server/radius/raddb/modules/expr
including configuration file /Library/Server/radius/raddb/modules/files
including configuration file /Library/Server/radius/raddb/modules/inner-eap
including configuration file /Library/Server/radius/raddb/modules/ippool
including configuration file /Library/Server/radius/raddb/modules/krb5
including configuration file /Library/Server/radius/raddb/modules/ldap
including configuration file /Library/Server/radius/raddb/modules/linelog
including configuration file /Library/Server/radius/raddb/modules/logintime
including configuration file /Library/Server/radius/raddb/modules/mac2ip
including configuration file /Library/Server/radius/raddb/modules/mac2vlan
including configuration file /Library/Server/radius/raddb/modules/mschap
including configuration file /Library/Server/radius/raddb/modules/ntlm_auth
including configuration file /Library/Server/radius/raddb/modules/opendirectory
including configuration file /Library/Server/radius/raddb/modules/otp
including configuration file /Library/Server/radius/raddb/modules/pam
including configuration file /Library/Server/radius/raddb/modules/pap
including configuration file /Library/Server/radius/raddb/modules/passwd
including configuration file /Library/Server/radius/raddb/modules/perl
including configuration file /Library/Server/radius/raddb/modules/policy
including configuration file /Library/Server/radius/raddb/modules/preprocess
including configuration file /Library/Server/radius/raddb/modules/radrelay
including configuration file /Library/Server/radius/raddb/modules/radutmp
including configuration file /Library/Server/radius/raddb/modules/realm
including configuration file /Library/Server/radius/raddb/modules/redis
including configuration file /Library/Server/radius/raddb/modules/rediswho
including configuration file /Library/Server/radius/raddb/modules/replicate
including configuration file /Library/Server/radius/raddb/modules/smbpasswd
including configuration file /Library/Server/radius/raddb/modules/smsotp
including configuration file /Library/Server/radius/raddb/modules/soh
including configuration file /Library/Server/radius/raddb/modules/sql_log
including configuration file /Library/Server/radius/raddb/modules/sqlcounter_expire_on_login
including configuration file /Library/Server/radius/raddb/modules/sradutmp
including configuration file /Library/Server/radius/raddb/modules/unix
including configuration file /Library/Server/radius/raddb/modules/wimax
including configuration file /Library/Server/radius/raddb/eap.conf
including configuration file /Library/Server/radius/raddb/sql.conf
including configuration file /Library/Server/radius/raddb/sql/sqlite/dialup.conf
including configuration file /Library/Server/radius/raddb/policy.conf
including files in directory /Library/Server/radius/raddb/sites-enabled/
including configuration file /Library/Server/radius/raddb/sites-enabled/control-socket
including configuration file /Library/Server/radius/raddb/sites-enabled/default
including configuration file /Library/Server/radius/raddb/sites-enabled/inner-tunnel
main {
allow_core_dumps = no
}
including dictionary file /Library/Server/radius/raddb/dictionary
main {
name = "radiusd"
prefix = "/Applications/Server.app/Contents/ServerRoot/usr"
localstatedir = "/private/var"
sbindir = "/Applications/Server.app/Contents/ServerRoot/usr/sbin"
logdir = "/private/var/log/radius"
run_dir = "/private/var"
libdir = "/Applications/Server.app/Contents/ServerRoot/usr/lib/freeradius"
radacctdir = "/private/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/private/var/radiusd.pid"
checkrad = "/Applications/Server.app/Contents/ServerRoot/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
  stripped_names = no
  auth = yes
  auth_badpass = yes
  auth_goodpass = yes
 }
 security {
  max_attributes = 200
  reject_delay = 1
  status_server = yes
  allow_vulnerable_openssl = no
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
  retry_delay = 5
  retry_count = 3
  default_fallback = no
  dead_time = 120
  wake_all_if_all_dead = no
 }
 home_server localhost {
  ipaddr = 127.0.0.1
  port = 1812
  type = "auth"
  secret = "testing123"
  response_window = 20
  max_outstanding = 65536
  require_message_authenticator = yes
  zombie_period = 40
  status_check = "status-server"
  ping_interval = 30
  check_interval = 30
  num_answers_to_alive = 3
  num_pings_to_alive = 3
  revive_interval = 120
  status_check_timeout = 4
  coa {
  irt = 2
  mrt = 16
  mrc = 5
  mrd = 30
  }
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm example.co.uk {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
  ipaddr = 127.0.0.1
  require_message_authenticator = no
  secret = "testing123"
  nastype = "other"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /Library/Server/radius/raddb/modules/exec
  exec {
  wait = no
  input_pairs = "request"
  shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /Library/Server/radius/raddb/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /Library/Server/radius/raddb/modules/expiration
  expiration {
  reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /Library/Server/radius/raddb/modules/logintime
  logintime {
  reply-message = "You are calling outside your allowed timespan  "
  minimum-timeout = 60
  }
 Module: Linked to module rlm_sql
 Module: Instantiating module "sql" from file /Library/Server/radius/raddb/sql.conf
  sql {
  driver = "rlm_sql_sqlite"
  server = "localhost"
  port = ""
  login = "radius"
  password = "radpass"
  radius_db = "radius"
  read_groups = yes
  sqltrace = no
  sqltracefile = "/private/var/log/radius/sqltrace.sql"
  readclients = yes
  deletestalesessions = yes
  num_sql_socks = 5
  lifetime = 0
  max_queries = 0
  sql_user_name = "%{User-Name}"
  default_user_profile = ""
  nas_query = "SELECT id,nasname,shortname,type,secret FROM nas"
  authorize_check_query = ""
  authorize_group_check_query = ""
  authorize_group_reply_query = ""
  accounting_onoff_query = ""
  accounting_update_query = ""
  accounting_update_query_alt = ""
  accounting_start_query = ""
  accounting_start_query_alt = ""
  accounting_stop_query = ""
  accounting_stop_query_alt = ""
  connect_failure_retry_delay = 60
  simul_count_query = ""
  simul_verify_query = ""
  postauth_query = ""
  safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
rlm_sql (sql): Attempting to connect to radius@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #0
rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #0
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #1
rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #1
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #2
rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #2
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #3
rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #3
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #4
rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #4
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id,nasname,shortname,type,secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_sqlite: sqlite3_prepare() = 0
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry nasname=10.40.92.126,shortname=SCH-WAP-02,secret=testing123
rlm_sql (sql): Adding client 10.40.92.126 (SCH-WAP-02, server=<none>) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry nasname=10.40.92.127,shortname=SCH-WAP-01,secret=testing123
rlm_sql (sql): Adding client 10.40.92.127 (SCH-WAP-01, server=<none>) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry nasname=10.40.92.125,shortname=SCH-WAP-03,secret=testing123
rlm_sql (sql): Adding client 10.40.92.125 (SCH-WAP-03, server=<none>) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry nasname=10.40.92.179,shortname=Test-SG300,secret=testing123
rlm_sql (sql): Adding client 10.40.92.179 (Test-SG300, server=<none>) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry nasname=10.40.92.121,shortname=SCH-SWI-04-T13,secret=testing123
rlm_sql (sql): Adding client 10.40.92.121 (SCH-SWI-04-T13, server=<none>) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry nasname=10.40.92.122,shortname=SCH-SWI-03-T12,secret=testing123
rlm_sql (sql): Adding client 10.40.92.122 (SCH-SWI-03-T12, server=<none>) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry nasname=10.40.92.124,shortname=SCH-SWI-01-T11,secret=testing123
rlm_sql (sql): Adding client 10.40.92.124 (SCH-SWI-01-T11, server=<none>) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry nasname=10.40.92.123,shortname=SCH-SWI-02-T12,secret=testing123
rlm_sql (sql): Adding client 10.40.92.123 (SCH-SWI-02-T12, server=<none>) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry nasname=192.168.236.32/28,shortname=clearpass,secret=HHNueA8LTj
rlm_sql (sql): Adding client 192.168.236.32 (clearpass, server=<none>) to clients list
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry nasname=10.40.92.251,shortname=nana,secret=HHNueA8LTj
rlm_sql (sql): Adding client 10.40.92.251 (nana, server=<none>) to clients list
rlm_sql_sqlite: sqlite3_step = 101
rlm_sql_sqlite: sqlite3_finalize() = 0
rlm_sql (sql): Released sql socket id: 4
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /Library/Server/radius/raddb/radiusd.conf
 modules {
  Module: Creating Auth-Type = digest
  Module: Creating Auth-Type = opendirectory
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /Library/Server/radius/raddb/modules/pap
  pap {
  encryption_scheme = "auto"
  auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /Library/Server/radius/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /Library/Server/radius/raddb/modules/mschap
  mschap {
  use_mppe = yes
  require_encryption = no
  require_strong = no
  with_ntdomain_hack = no
  allow_retry = yes
  use_open_directory = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /Library/Server/radius/raddb/modules/digest
 Module: Linked to module rlm_opendirectory
 Module: Instantiating module "opendirectory" from file /Library/Server/radius/raddb/modules/opendirectory
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /Library/Server/radius/raddb/modules/unix
  unix {
  radwtmp = "/private/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /Library/Server/radius/raddb/eap.conf
  eap {
  default_eap_type = "ttls"
  timer_expire = 60
  ignore_unknown_eap_types = no
  cisco_accounting_username_bug = no
  max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
    challenge = "Password: "
    auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    CA_path = "/Library/Server/radius/raddb/certs"
    pem_file_type = yes
    private_key_file = "/Library/Server/radius/raddb/certs/server.key"
    certificate_file = "/Library/Server/radius/raddb/certs/server.crt"
    CA_file = "/Library/Server/radius/raddb/certs/server.crt"
    private_key_password = "whatever"
    dh_file = "/Library/Server/radius/raddb/certs/dh"
    random_file = "/Library/Server/radius/raddb/certs/random"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    check_all_crl = no
    cipher_list = "DEFAULT"
    make_cert_command = "/Library/Server/radius/raddb/certs/bootstrap"
    ecdh_curve = "prime256v1"
    cache {
    enable = no
    lifetime = 24
    max_entries = 255
    }
    verify {
    }
    ocsp {
    enable = no
    override_cert_url = yes
    url = "http://127.0.0.1/ocsp/"
    use_nonce = yes
    timeout = 0
    softfail = no
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
    include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = yes
    virtual_server = "inner-tunnel"
    soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
    with_ntdomain_hack = no
    send_error = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /Library/Server/radius/raddb/modules/preprocess
  preprocess {
  huntgroups = "/Library/Server/radius/raddb/huntgroups"
  hints = "/Library/Server/radius/raddb/hints"
  with_ascend_hack = no
  ascend_channels_per_line = 23
  with_ntdomain_hack = no
  with_specialix_jetstream_hack = no
  with_cisco_vsa_hack = no
  with_alvarion_vsa_hack = no
  }
reading pairlist file /Library/Server/radius/raddb/huntgroups
reading pairlist file /Library/Server/radius/raddb/hints
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /Library/Server/radius/raddb/modules/realm
  realm suffix {
  format = "suffix"
  delimiter = "@"
  ignore_default = no
  ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /Library/Server/radius/raddb/modules/files
  files {
  usersfile = "/Library/Server/radius/raddb/users"
  acctusersfile = "/Library/Server/radius/raddb/acct_users"
  preproxy_usersfile = "/Library/Server/radius/raddb/preproxy_users"
  compat = "no"
  }
reading pairlist file /Library/Server/radius/raddb/users
reading pairlist file /Library/Server/radius/raddb/acct_users
reading pairlist file /Library/Server/radius/raddb/preproxy_users
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /Library/Server/radius/raddb/modules/acct_unique
  acct_unique {
  key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file /Library/Server/radius/raddb/modules/detail
  detail {
  detailfile = "/private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
  header = "%t"
  detailperm = 384
  dirperm = 493
  locking = no
  log_packet_header = no
  escape_filenames = no
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from file /Library/Server/radius/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
  attrsfile = "/Library/Server/radius/raddb/attrs.accounting_response"
  key = "%{User-Name}"
  relaxed = no
  }
reading pairlist file /Library/Server/radius/raddb/attrs.accounting_response
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /Library/Server/radius/raddb/modules/radutmp
  radutmp {
  filename = "/private/var/log/radius/radutmp"
  username = "%{User-Name}"
  case_sensitive = yes
  check_with_nas = yes
  perm = 384
  callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file /Library/Server/radius/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
  attrsfile = "/Library/Server/radius/raddb/attrs.access_reject"
  key = "%{User-Name}"
  relaxed = no
  }
reading pairlist file /Library/Server/radius/raddb/attrs.access_reject
 } # modules
} # server
server inner-tunnel { # from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
  type = "auth"
  ipaddr = *
  port = 0
}
listen {
  type = "acct"
  ipaddr = *
  port = 0
}
listen {
  type = "control"
 listen {
  socket = "/private/var/radiusd.sock"
 }
}
listen {
  type = "auth"
  ipaddr = 127.0.0.1
  port = 18120
}
 ... adding new socket proxy address * port 53788
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /private/var/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.236.44 port 1815, id=240, length=225
User-Name = "[hidden email]"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Message-Authenticator = 0xcb3673c30e1a008614b794492d7bdc13
Proxy-State = 0x3230
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "example.co.uk" for User-Name = "[hidden email]"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Proxying request from user radiustest to realm example.co.uk
[suffix] Preparing to proxy authentication request to realm "example.co.uk"
++[suffix] = updated
[eap] Request is supposed to be proxied to Realm example.co.uk.  Not doing EAP.
++[eap] = noop
++[files] = noop
[opendirectory] The host 192.168.236.44 does not have an access group.
[opendirectory] User radiustest exists in OD
[opendirectory] User radiustest is a member of the RADUIS SACL
[opendirectory] Setting Auth-Type = opendirectory
++[opendirectory] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
  WARNING: Empty pre-proxy section.  Using default return values.
Sending Access-Request of id 175 to 127.0.0.1 port 1812
User-Name = "radiustest"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3230
Proxy-State = 0x323430
Proxying request 0 to home server 127.0.0.1 port 1812
Sending Access-Request of id 175 to 127.0.0.1 port 1812
User-Name = "radiustest"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3230
Proxy-State = 0x323430
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=175, length=211
User-Name = "radiustest"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Message-Authenticator = 0x3501877b8486b13298815dbd61d54947
Proxy-State = 0x3230
Proxy-State = 0x323430
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "radiustest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 34
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[opendirectory] The host 127.0.0.1 does not have an access group.
[opendirectory] User radiustest exists in OD
[opendirectory] User radiustest is a member of the RADUIS SACL
++[opendirectory] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group authenticate {
[eap] Identity ([hidden email]) does not match User-Name (radiustest).  Authentication failed.
[eap] Failed in handler
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [radiustest/<via Auth-Type = EAP>] (from client localhost port 0 cli 109ADDC49B75)
Using Post-Auth-Type Reject
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group REJECT {
++? if ("%{EAP-Message}")
expand: %{EAP-Message} -> 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b
? Evaluating ("%{EAP-Message}") -> TRUE
++? if ("%{EAP-Message}") -> TRUE
++if ("%{EAP-Message}") {
+++update reply {
expand: %{Message-Authenticator} -> 0x3501877b8486b13298815dbd61d54947
+++} # update reply = noop
++} # if ("%{EAP-Message}") = noop
[attr_filter.access_reject] expand: %{User-Name} -> radiustest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 175 to 127.0.0.1 port 1814
Proxy-State = 0x3230
Proxy-State = 0x323430
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=175, length=53
Proxy-State = 0x3230
Proxy-State = 0x323430
EAP-Message = 0x04040004
Message-Authenticator = 0xe9f8dcb50c101f38f7426e72c427df74
# Executing section post-proxy from file /Library/Server/radius/raddb/sites-enabled/default
+group post-proxy {
[eap] No pre-existing handler found
++[eap] = noop
+} # group post-proxy = noop
Login incorrect (Home Server says so): [[hidden email]/<via Auth-Type = opendirectory>] (from client clearpass port 0 cli 109ADDC49B75)
Using Post-Auth-Type Reject
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group REJECT {
++? if ("%{EAP-Message}")
expand: %{EAP-Message} -> 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b
? Evaluating ("%{EAP-Message}") -> TRUE
++? if ("%{EAP-Message}") -> TRUE
++if ("%{EAP-Message}") {
+++update reply {
expand: %{Message-Authenticator} -> 0xcb3673c30e1a008614b794492d7bdc13
+++} # update reply = noop
++} # if ("%{EAP-Message}") = noop
[attr_filter.access_reject] expand: %{User-Name} -> [hidden email]
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Sending Access-Reject of id 240 to 192.168.236.44 port 1815
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3230
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.236.44 port 1815, id=241, length=225
User-Name = "[hidden email]"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x02020022017261646975737465737440676f73682e63616d64656e2e7363682e756b
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Message-Authenticator = 0xf8eff948324a373824b6eeb749b7a675
Proxy-State = 0x3231
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "example.co.uk" for User-Name = "[hidden email]"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Proxying request from user radiustest to realm example.co.uk
[suffix] Preparing to proxy authentication request to realm "example.co.uk"
++[suffix] = updated
[eap] Request is supposed to be proxied to Realm example.co.uk.  Not doing EAP.
++[eap] = noop
++[files] = noop
[opendirectory] The host 192.168.236.44 does not have an access group.
[opendirectory] User radiustest exists in OD
[opendirectory] User radiustest is a member of the RADUIS SACL
[opendirectory] Setting Auth-Type = opendirectory
++[opendirectory] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
  WARNING: Empty pre-proxy section.  Using default return values.
Sending Access-Request of id 193 to 127.0.0.1 port 1812
User-Name = "radiustest"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x02020022017261646975737465737440676f73682e63616d64656e2e7363682e756b
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3231
Proxy-State = 0x323431
Proxying request 2 to home server 127.0.0.1 port 1812
Sending Access-Request of id 193 to 127.0.0.1 port 1812
User-Name = "radiustest"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x02020022017261646975737465737440676f73682e63616d64656e2e7363682e756b
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3231
Proxy-State = 0x323431
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=193, length=211
User-Name = "radiustest"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x02020022017261646975737465737440676f73682e63616d64656e2e7363682e756b
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Message-Authenticator = 0xebdffca338692d279cfd1828df9606fe
Proxy-State = 0x3231
Proxy-State = 0x323431
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "radiustest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 34
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[opendirectory] The host 127.0.0.1 does not have an access group.
[opendirectory] User radiustest exists in OD
[opendirectory] User radiustest is a member of the RADUIS SACL
++[opendirectory] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group authenticate {
[eap] Identity ([hidden email]) does not match User-Name (radiustest).  Authentication failed.
[eap] Failed in handler
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [radiustest/<via Auth-Type = EAP>] (from client localhost port 0 cli 109ADDC49B75)
Using Post-Auth-Type Reject
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group REJECT {
++? if ("%{EAP-Message}")
expand: %{EAP-Message} -> 0x02020022017261646975737465737440676f73682e63616d64656e2e7363682e756b
? Evaluating ("%{EAP-Message}") -> TRUE
++? if ("%{EAP-Message}") -> TRUE
++if ("%{EAP-Message}") {
+++update reply {
expand: %{Message-Authenticator} -> 0xebdffca338692d279cfd1828df9606fe
+++} # update reply = noop
++} # if ("%{EAP-Message}") = noop
[attr_filter.access_reject] expand: %{User-Name} -> radiustest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 193 to 127.0.0.1 port 1814
Proxy-State = 0x3231
Proxy-State = 0x323431
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=193, length=53
Proxy-State = 0x3231
Proxy-State = 0x323431
EAP-Message = 0x04040004
Message-Authenticator = 0xee1e8865c1c3badd0ed55be65dc5dbe9
# Executing section post-proxy from file /Library/Server/radius/raddb/sites-enabled/default
+group post-proxy {
[eap] No pre-existing handler found
++[eap] = noop
+} # group post-proxy = noop
Login incorrect (Home Server says so): [[hidden email]/<via Auth-Type = opendirectory>] (from client clearpass port 0 cli 109ADDC49B75)
Using Post-Auth-Type Reject
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group REJECT {
++? if ("%{EAP-Message}")
expand: %{EAP-Message} -> 0x02020022017261646975737465737440676f73682e63616d64656e2e7363682e756b
? Evaluating ("%{EAP-Message}") -> TRUE
++? if ("%{EAP-Message}") -> TRUE
++if ("%{EAP-Message}") {
+++update reply {
expand: %{Message-Authenticator} -> 0xf8eff948324a373824b6eeb749b7a675
+++} # update reply = noop
++} # if ("%{EAP-Message}") = noop
[attr_filter.access_reject] expand: %{User-Name} -> [hidden email]
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Sending Access-Reject of id 241 to 192.168.236.44 port 1815
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3231
Finished request 2.
Going to the next request
Cleaning up request 1 ID 175 with timestamp +43
Cleaning up request 0 ID 240 with timestamp +43
Waking up in 4.9 seconds.

Thank you
Stuart

--
Crossover Solutions Ltd
Pound House, 62A Highgate High Street, London, N6 5HX
www.crossover.solutions <http://crossover.solutions> • 020 3637 4655
Registered in England and Wales No: 9593204  Registered address as stated
Members of the Apple Consultants Network <https://consultants.apple.com/uk/988258>
Please submit new support requests to [hidden email] <mailto:[hidden email]>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Stripping the domain from the username

Alan DeKok-2
On Jan 12, 2020, at 5:48 AM, Stuart Ramdeen <[hidden email]> wrote:
>
> I would be grateful for some pointers with an issue I am experiencing at a
> customer's site.
> I need to strip the domain part of the username that users are
> authenticating with.

  Note: do NOT change the User-Name.  It WILL break everything.

> For example, a user will type in [hidden email]
> during authentication to the wireless network, but the username at the
> backend in the directory system is just 'bob'. I know that this is a common
> request of freeradius and I have tried to configure it in the conf files,
> but clearly I am not doing something correctly. I can't seem to get the
> 'Stripped-User-Name' to be used where I expect it.

  The default configuration works.  All you do is add "example.com" in proxy.conf as a LOCAL realm, and everything will just work.

> sh-3.2# radiusd -X
> radiusd: FreeRADIUS Version 2.2.9, for host i386-apple-darwin13.0, built on

  That's been EOL for many, many years.  I suggest moving to v3.  Or at least 2.2.10.

> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.236.44 port 1815, id=240, length=225
> User-Name = "[hidden email]"

  Note: this is the full name.

> EAP-Message = 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b

  And EAP.  The above line *also* contains the full user name.

> Aruba-Essid-Name = "school"
> Aruba-Location-Id = "ICT-TEST"
> Aruba-AP-Group = "test"
> Message-Authenticator = 0xcb3673c30e1a008614b794492d7bdc13
> Proxy-State = 0x3230
> # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] Looking up realm "example.co.uk" for User-Name = "[hidden email]"
> [suffix] Found realm "example.co.uk"
> [suffix] Adding Stripped-User-Name = "radiustest"
> [suffix] Adding Realm = "example.co.uk"
> [suffix] Proxying request from user radiustest to realm example.co.uk
> [suffix] Preparing to proxy authentication request to realm "example.co.uk"
> ++[suffix] = updated

  That's all fine, except for the proxying bit.

> [eap] Request is supposed to be proxied to Realm example.co.uk.  Not doing EAP.
> ++[eap] = noop
> ++[files] = noop
> [opendirectory] The host 192.168.236.44 does not have an access group.
> [opendirectory] User radiustest exists in OD
> [opendirectory] User radiustest is a member of the RADUIS SACL
> [opendirectory] Setting Auth-Type = opendirectory
> ++[opendirectory] = ok
> ++[expiration] = noop
> ++[logintime] = noop
> ++[pap] = noop
> +} # group authorize = updated
>  WARNING: Empty pre-proxy section.  Using default return values.
> Sending Access-Request of id 175 to 127.0.0.1 port 1812
> User-Name = "radiustest"

   There's the issue.  The User-Name shouldn't be mangled during proxying.

> ...
> Proxying request 0 to home server 127.0.0.1 port 1812
> Sending Access-Request of id 175 to 127.0.0.1 port 1812
> ...
> Waking up in 0.9 seconds.
> rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=175, length=211
> User-Name = "radiustest"

  Uh... what?  Why is the server proxying the packet to itself?  This isn't necessary.  There's just no need to make the configuration this complex.

  Change the proxy.conf config to have:

realm example.co.uk {
}

  The server will treat "example.co.uk" as a local realm, and do authentication itself.  It will work.

  Alan DeKok.


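Alan's fix turns on the LOCAL-realm path of the `suffix` realm module, and the first debug log shows the other path, where proxying rewrote User-Name and the EAP identity check then failed. The following is an added example, my own Python model rather than FreeRADIUS source or anything posted in this thread: it splits User-Name at the last '@' (my reading of the `suffix` format), adds Stripped-User-Name and Realm while leaving User-Name alone for a realm with no home server, rewrites User-Name to the stripped form when proxying unless the realm sets `nostrip` (the proxy.conf flag), and then runs the same identity-versus-User-Name comparison rlm_eap reported. The `Realm` class, the realm table standing in for proxy.conf, and the EAP Response/Identity packet are all constructed here.

```python
"""Model of the FreeRADIUS 2.x `suffix` realm step and the rlm_eap identity
check seen in the debug output above.  Added example: my own code, not
FreeRADIUS source and not from the thread.  Assumed: split at the last '@';
a realm without a home server is LOCAL; proxying rewrites User-Name to the
stripped form unless `nostrip` is set (proxy.conf's flag)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EAP_RESPONSE = 2        # EAP Code: Response
EAP_TYPE_IDENTITY = 1   # EAP Type: Identity


@dataclass
class Realm:
    """One `realm name { ... }` block from proxy.conf (field names are mine)."""
    name: str
    home_server: Optional[str] = None  # None: LOCAL realm, authenticate here
    nostrip: bool = False              # keep the full User-Name when proxying


def suffix_realm(attrs: Dict[str, object], realms: Dict[str, Realm],
                 delimiter: str = "@") -> Tuple[str, Optional[str]]:
    """Apply the `suffix` realm module to the request attributes in place.

    Returns (rcode, home_server), following the log lines: no '@' looks up
    realm "NULL"; an unknown realm is "No such realm" and noop; a LOCAL realm
    adds Stripped-User-Name and Realm, keeps User-Name and returns ok; a realm
    with a home server returns updated and marks the request for proxying.
    """
    username = attrs.get("User-Name")
    if not isinstance(username, str):
        return "noop", None
    if delimiter in username:
        stripped, _, realm_name = username.rpartition(delimiter)
    else:
        stripped, realm_name = username, "NULL"
    realm = realms.get(realm_name)
    if realm is None:
        return "noop", None
    attrs["Stripped-User-Name"] = stripped
    attrs["Realm"] = realm.name
    if realm.home_server is None:
        return "ok", None  # "[suffix] Authentication realm is LOCAL."
    if not realm.nostrip:
        # Default proxying sends the stripped name as User-Name: the
        # "User-Name = radiustest" forwarded to 127.0.0.1 in the first log.
        attrs["User-Name"] = stripped
    return "updated", realm.home_server


def build_eap_identity(identity: str, eap_id: int) -> bytes:
    """Constructed EAP Response/Identity packet: code, id, length, type, data."""
    data = identity.encode("utf-8")
    length = 5 + len(data)
    return (bytes([EAP_RESPONSE, eap_id]) + length.to_bytes(2, "big")
            + bytes([EAP_TYPE_IDENTITY]) + data)


def eap_identity(eap_message: bytes) -> Optional[str]:
    """Return the identity from an EAP Response/Identity, else None."""
    if len(eap_message) < 5:
        return None
    code, eap_type = eap_message[0], eap_message[4]
    length = int.from_bytes(eap_message[2:4], "big")
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        return None
    if length != len(eap_message):
        return None
    return eap_message[5:].decode("utf-8", "replace")


def eap_identity_matches(attrs: Dict[str, object]) -> bool:
    """The rlm_eap comparison behind "Identity (...) does not match User-Name"."""
    eap = attrs.get("EAP-Message")
    return isinstance(eap, bytes) and eap_identity(eap) == attrs.get("User-Name")


def authorize(user_name: str, realms: Dict[str, Realm]) -> dict:
    """Run one constructed Access-Request through suffix and the EAP check."""
    attrs: Dict[str, object] = {
        "User-Name": user_name,
        "EAP-Message": build_eap_identity(user_name, eap_id=1),
    }
    rcode, home = suffix_realm(attrs, realms)
    return {"rcode": rcode, "home_server": home, "attrs": attrs,
            "eap_identity_ok": eap_identity_matches(attrs)}


if __name__ == "__main__":
    setups = {
        "LOCAL realm (Alan's fix)": {"example.co.uk": Realm("example.co.uk")},
        "proxy to self (original)": {"example.co.uk": Realm("example.co.uk", "127.0.0.1")},
    }
    for label, realms in setups.items():
        r = authorize("radiustest@example.co.uk", realms)
        print(f"{label}: rcode={r['rcode']} User-Name={r['attrs']['User-Name']!r} "
              f"Stripped-User-Name={r['attrs'].get('Stripped-User-Name')!r} "
              f"EAP identity ok={r['eap_identity_ok']}")
```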

Re: Stripping the domain from the username

Stuart Ramdeen
Hi Alan

Thank you for your reply. I have made the change you suggested and (in
my novice view) there now appears to be more progress than before.

I completely appreciate that it's an old build, but it was included
with an older version of macOS Server and I'm trying to get things
working before I attempt to update anything. It relies on an Apple
module 'opendirectory', which is responsible for querying the
directory service running on the Mac server, and so I don't want to
change anything yet until I can get things going. I certainly take
your point on board though and will look to update to 2.2.10 as soon
as possible.

Here is the latest debug output after making the change you suggested.
If I am interpreting this correctly, the '[hidden email]'
username is being stripped and passed to the directory server during
request 0:

[opendirectory] User radiustest exists in OD
[opendirectory] User radiustest is a member of the RADUIS SACL

but by the time it gets to request 6 it is using the full username
rather than the portion before the @:

[mschap] Creating challenge hash with username: [hidden email]
[mschap] Client is using MS-CHAPv2 for [hidden email], we need NT-Password
[mschap] Using OpenDirectory to authenticate
[mschap] Unable to find record [hidden email] in OD
[mschap] Authentication failed for [hidden email]
++[mschap] = fail

At this point the directory server is seeing a request for
[hidden email] and rejecting it because of course the
username in that format does not exist. Do I need to change anything
so that the mschap module is creating the challenge hash with
'radiustest' rather than '[hidden email]', or am I barking
up the wrong tree?


rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=139, length=238
User-Name = "[hidden email]"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Aruba-Device-Type = "Apple"
Message-Authenticator = 0x2577b12b1827b2d1f2a6a2b4f41b74c5
Proxy-State = 0x3635
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "example.co.uk" for User-Name = "[hidden email]"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 1 length 34
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[opendirectory] The host 192.168.236.45 does not have an access group.
[opendirectory] User radiustest exists in OD
[opendirectory] User radiustest is a member of the RADUIS SACL
++[opendirectory] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 139 to 192.168.236.45 port 1814
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa2d10e0fa2d31bd8fb902e08f9c31ec3
Proxy-State = 0x3635
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=140, length=353
User-Name = "[hidden email]"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x0202008315800000007916030100740100007003015e1baa8d3cb0084332627d1fd466f39541f629dc3248b4d4771d23ad28bd3a1800002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000050005010000000000120000
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Aruba-Device-Type = "Apple"
Message-Authenticator = 0x9e28ec7582c40e3e92a115082a8f054a
Proxy-State = 0x3636
State = 0xa2d10e0fa2d31bd8fb902e08f9c31ec3
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "example.co.uk" for User-Name = "[hidden email]"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 2 length 131
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 121
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0074], ClientHello
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 0665], Certificate
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[ttls]     TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: SSLv3 read client certificate A
[ttls]     TLS_accept: Need to read more data: SSLv3 read client key exchange A
[ttls]     TLS_accept: Need to read more data: SSLv3 read client key exchange A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 140 to 192.168.236.45 port 1814
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa2d10e0fa3d21bd8fb902e08f9c31ec3
Proxy-State = 0x3636
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=141, length=228
User-Name = "[hidden email]"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x020300061500
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Aruba-Device-Type = "Apple"
Message-Authenticator = 0xe4c9628a13844ea439eb4d01e968ed8c
Proxy-State = 0x3637
State = 0xa2d10e0fa3d21bd8fb902e08f9c31ec3
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "example.co.uk" for User-Name = "[hidden email]"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 141 to 192.168.236.45 port 1814
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa2d10e0fa0d51bd8fb902e08f9c31ec3
Proxy-State = 0x3637
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=142, length=228
User-Name = "[hidden email]"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x020400061500
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Aruba-Device-Type = "Apple"
Message-Authenticator = 0x5721d8a0eb68e0f1a13a0125c7c3a987
Proxy-State = 0x3639
State = 0xa2d10e0fa0d51bd8fb902e08f9c31ec3
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "example.co.uk" for User-Name = "[hidden email]"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 142 to 192.168.236.45 port 1814
EAP-Message = 0x0105001f1580000008014456b73978ff61a3af0ca4ba16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa2d10e0fa1d41bd8fb902e08f9c31ec3
Proxy-State = 0x3639
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=143, length=366
User-Name = "[hidden email]"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x020500901580000000861603010046100000424104210a608054c8ddd857c4896c9107fbe88964d18caf4ad086cee42cda06ea5d685038f7ca5521bfa175227cca875345b6c9e0c6445a4e4f23d362eab64360d9e41403010001011603010030941a8535af0b548685d350fc4433c7ef5cad07647d29bd43f42191382861f4391c2f9198dfe9f4e8863ef7c875ce53a5
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Aruba-Device-Type = "Apple"
Message-Authenticator = 0x3038ce0ef15655a7fe33028aaa671617
Proxy-State = 0x3730
State = 0xa2d10e0fa1d41bd8fb902e08f9c31ec3
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "example.co.uk" for User-Name = "[hidden email]"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 5 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 134
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 143 to 192.168.236.45 port 1814
EAP-Message = 0x0106004515800000003b140301000101160301003002a2021500d744536bcfcf1b18ab41d9b3dbdeb95b34c6589d07ed092183aeb8f4ce37bcc6bd820084049674e9820ccb
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa2d10e0fa6d71bd8fb902e08f9c31ec3
Proxy-State = 0x3730
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=144, length=317
User-Name = "[hidden email]"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x0206005f158000000055170301005005b067f60adac124a184ecc57e6ecc32a8221bbb603ee5924bb79b3ff765334f5cc0c61e0bdd250711ce7888313e6aa003d960b2b9f6843f1a3a94e5e21b7421540dd7f1d2336dc9cbe0bbf664ca1a08
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Aruba-Device-Type = "Apple"
Message-Authenticator = 0x20dd42545594cfbe970274ddab52a1d6
Proxy-State = 0x3731
State = 0xa2d10e0fa6d71bd8fb902e08f9c31ec3
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "example.co.uk" for User-Name = "[hidden email]"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 6 length 95
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 85
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x02000022017261646975737465737440676f73682e63616d64656e2e7363682e756b
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Got tunneled identity of [hidden email]
[ttls] Setting default EAP type for tunneled EAP session.
[ttls] Sending tunneled request
EAP-Message = 0x02000022017261646975737465737440676f73682e63616d64656e2e7363682e756b
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "[hidden email]"
server inner-tunnel {
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "example.co.uk" for User-Name = "[hidden email]"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 0 length 34
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[ttls] Got tunneled reply code Access-Challenge
EAP-Message = 0x010100371a0101003210006815de0f512aa5e084a9c577c5aef27261646975737465737440676f73682e63616d64656e2e7363682e756b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6d27f3ae6d26e9777944e6ecebb16dd4
[ttls] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 144 to 192.168.236.45 port 1814
EAP-Message = 0x0107009415800000008a17030100201e23f0c8900a7e96509629eb6ee466d25f4ad0e738cf60f9715db3766bd3435a1703010060712a160f13ed9d92772dee8895efb7918e93bd920ee8204bc2d5c89a30a08551f9e4a480fcc024f50ca4d16cb7dd0cf5594e88ffcfe0415d46c1d79c317675af2fcc8a32a1eb0e1686adf3c006ed894e174e4eefb10dd7d158fcf8a2c9bb736a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa2d10e0fa7d61bd8fb902e08f9c31ec3
Proxy-State = 0x3731
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.236.45 port 1814, id=145, length=365
User-Name = "[hidden email]"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x0207008f1580000000851703010080271f7fdade241a0c58e453a885367d4a60ed1ff1569ac5ae6157a339509575b444fb0cd29369a63bc9b2c148cb3e9a8b8806c557ac9be0955c149262709898b4eff18819206df5f98590494f9c4ad8824d6d586540d365f00ab52f6c82604a4f8e4188ca3733a3fbfe70121824006bdd47a2fed015d775560c16e6c8e39de6a2
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Aruba-Device-Type = "Apple"
Message-Authenticator = 0xb5e0114d038530bdd5213c43186c635c
Proxy-State = 0x3732
State = 0xa2d10e0fa7d61bd8fb902e08f9c31ec3
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "example.co.uk" for User-Name = "[hidden email]"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 7 length 143
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 133
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x020100581a0201005331a8ee034419131e7f9fddd19a5a0ba426000000000000000077e94ca004cea6e84942642ad7a244ac8bba9b32193bbfd1007261646975737465737440676f73682e63616d64656e2e7363682e756b
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
EAP-Message = 0x020100581a0201005331a8ee034419131e7f9fddd19a5a0ba426000000000000000077e94ca004cea6e84942642ad7a244ac8bba9b32193bbfd1007261646975737465737440676f73682e63616d64656e2e7363682e756b
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "[hidden email]"
State = 0x6d27f3ae6d26e9777944e6ecebb16dd4
server inner-tunnel {
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "example.co.uk" for User-Name = "[hidden email]"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 1 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: [hidden email]
[mschap] Client is using MS-CHAPv2 for [hidden email], we need NT-Password
[mschap] Using OpenDirectory to authenticate
[mschap] Unable to find record [hidden email] in OD
[mschap] Authentication failed for [hidden email]
++[mschap] = fail
+} # group MS-CHAP = fail
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Login incorrect: [[hidden email]/<via Auth-Type = EAP>] (from client clearpass port 0 via TLS tunnel)
Using Post-Auth-Type Reject
# Executing group from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> [hidden email]
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server inner-tunnel
[ttls] Got tunneled reply code Access-Reject
MS-CHAP-Error = "\001E=691 R=1"
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user [hidden email]
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [[hidden email]/<via Auth-Type = EAP>]
(from client clearpass port 0 cli 109ADDC49B75)
Using Post-Auth-Type Reject
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group REJECT {
++? if ("%{EAP-Message}")
expand: %{EAP-Message} ->
0x0207008f1580000000851703010080271f7fdade241a0c58e453a885367d4a60ed1ff1569ac5ae6157a339509575b444fb0cd29369a63bc9b2c148cb3e9a8b8806c557ac9be0955c149262709898b4eff18819206df5f98590494f9c4ad8824d6d586540d365f00ab52f6c82604a4f8e4188ca3733a3fbfe70121824006bdd47a2fed015d775560c16e6c8e39de6a2
? Evaluating ("%{EAP-Message}") -> TRUE
++? if ("%{EAP-Message}") -> TRUE
++if ("%{EAP-Message}") {
+++update reply {
expand: %{Message-Authenticator} -> 0xb5e0114d038530bdd5213c43186c635c
+++} # update reply = noop
++} # if ("%{EAP-Message}") = noop
[attr_filter.access_reject] expand: %{User-Name} -> [hidden email]
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 145 to 192.168.236.45 port 1814
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3732
Waking up in 3.8 seconds.


Thank you
Stuart

--
Crossover Solutions Ltd
Pound House, 62A Highgate High Street, London, N6 5HX
www.crossover.solutions <http://crossover.solutions> • 020 3637 4655

Registered in England and Wales No: 9593204. Registered address as stated

Members of the Apple Consultants Network
<https://consultants.apple.com/uk/988258>

Please submit new support requests to [hidden email]
<mailto:[hidden email]>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Stripping the domain from the username

Alan DeKok-2
On Jan 12, 2020, at 6:42 PM, Stuart Ramdeen <[hidden email]> wrote:
>
> Thank you for your reply. I have made the change you suggested and (in
> my novice view) there now appears to be more progress than before.

  That's good, but...

> I completely appreciate that it's an old build, but it was included
> with an older version of macOS Server and I'm trying to get things
> working before I attempt to update anything. It relies on an Apple
> module 'opendirectory', which is responsible for querying the
> directory service running on the Mac server, and so I don't want to
> change anything yet until I can get things going. I certainly take
> your point on board though and will look to update to 2.2.10 as soon
> as possible.

  OK.

> Here is the latest debug output after making the change you suggested.
> If I am interpreting this correctly, the '[hidden email]'
> username is being stripped and passed to the directory server during
> request 0:

  The User-Name is used to create a Stripped-User-Name attribute.  The User-Name is *not* edited.  This is important.

  Also, the "opendirectory" module is looking at Stripped-User-Name for user lookups.  This is fine.

> [opendirectory] User radiustest exists in OD
> [opendirectory] User radiustest is a member of the RADUIS SACL
>
> but by the time it gets to request 6 it is using the full username
> rather than the portion before the @:
>
> [mschap] Creating challenge hash with username: [hidden email]
> [mschap] Client is using MS-CHAPv2 for [hidden email], we
> need NT-Password
> [mschap] Using OpenDirectory to authenticate
> [mschap] Unable to find record [hidden email] in OD
> [mschap] Authentication failed for [hidden email]
> ++[mschap] = fail

  Yes.  "[hidden email]" doesn't exist in OD.

  However, you should know that the MS-CHAP calculations are done on the full User-Name that is passed to FreeRADIUS.  You *cannot* pass just a portion of the User-Name to OpenDirectory and expect the MS-CHAP calculations to work.  They won't.

> At this point the directory server is seeing a request for
> [hidden email] and rejecting it because of course the
> username in that format does not exist. Do I need to change anything
> so that the mschap module is creating the challenge hash with
> 'radiustest' rather than '[hidden email]', or am I barking
> up the wrong tree?

  What you want to do is impossible.

  OpenDirectory won't give FreeRADIUS the user's password, so that FreeRADIUS can do the MS-CHAP calculations.

  OpenDirectory won't automatically look up just the "radiustest" portion of the user's name, BUT use the whole "[hidden email]" for the MS-CHAP calculations.

  Your options are:

a) do PEAP with plain usernames, i.e. "radiustest" and not "[hidden email]"

b) put the user's password into a database that FreeRADIUS can read.

  Alan DeKok.


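An added illustration of the point Alan makes above (example code written for this page, not FreeRADIUS's own code and not something anyone in the thread posted). It models what rlm_realm's "suffix" instance does in authorize, namely add Stripped-User-Name and Realm while leaving User-Name untouched, and it implements the ChallengeHash step of MS-CHAPv2 from RFC 2759 section 8.2, which mixes the user name into the 8-byte challenge that the 24-byte NT-Response is then derived from. Because the supplicant hashed the name the user typed, a server that hashed the stripped name would derive a different challenge and could never verify the response, which is why "radiustest" on the server side cannot be reconciled with "radiustest@example.co.uk" on the client side. The function names, the user name "radiustest@example.co.uk" (the real address was redacted on the list) and the two challenges are constructed for the example; the final DES step (ChallengeResponse) is deliberately left out because it needs the NT password hash, which is exactly what OpenDirectory will not hand over. The one related caveat worth knowing: rlm_mschap does strip a Windows-style "DOMAIN\" prefix before hashing (the with_ntdomain_hack option), because Windows supplicants do the same; there is no equivalent for an "@realm" suffix.

```python
# Added example for this thread; not FreeRADIUS code. Shows why an MS-CHAPv2
# response cannot be verified against Stripped-User-Name when the supplicant
# computed it over the full User-Name.
import hashlib


def realm_suffix(attrs, delimiter="@"):
    """Model of rlm_realm's 'suffix' instance in the authorize section.

    It ADDS Stripped-User-Name and Realm; User-Name itself is never edited,
    exactly as the debug output in the thread shows.
    """
    name = attrs["User-Name"]
    if delimiter not in name:
        return dict(attrs)  # no realm present: the module is effectively noop
    user, realm = name.rsplit(delimiter, 1)
    out = dict(attrs)
    out["Stripped-User-Name"] = user
    out["Realm"] = realm
    return out


def challenge_hash(peer_challenge, auth_challenge, username):
    """ChallengeHash() from RFC 2759 section 8.2.

    Challenge = SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8]
    The NT-Response is three DES encryptions of this 8-byte value keyed by
    the NT password hash, so a different user name gives a different
    challenge and therefore a response that can never match.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("utf-8"))  # the name exactly as the supplicant sent it
    return h.digest()[:8]


def supplicant_challenge(user_name, peer_challenge, auth_challenge):
    """What the client hashes: the name the user typed, domain and all."""
    return challenge_hash(peer_challenge, auth_challenge, user_name)


def server_challenge(attrs, peer_challenge, auth_challenge, use_stripped_name):
    """What the server would hash with either attribute.

    rlm_mschap uses User-Name (the log line 'Creating challenge hash with
    username: ...' shows the full name); use_stripped_name=True models the
    behaviour the original poster was hoping for.
    """
    name = attrs["Stripped-User-Name"] if use_stripped_name else attrs["User-Name"]
    return challenge_hash(peer_challenge, auth_challenge, name)


def demo():
    # Constructed request modelled on the debug output in the thread; the
    # address itself is an assumption because the real one was redacted.
    full_name = "radiustest@example.co.uk"
    req = realm_suffix({"User-Name": full_name})
    # Constructed challenges; real ones are random per EAP conversation.
    peer = bytes(range(0x10))
    auth = bytes(range(0x10, 0x20))
    expected = supplicant_challenge(full_name, peer, auth)
    return {
        "user_name_unchanged": req["User-Name"] == full_name,
        "stripped_user_name": req["Stripped-User-Name"],
        "realm": req["Realm"],
        "verifies_with_full_name": server_challenge(req, peer, auth, False) == expected,
        "verifies_with_stripped_name": server_challenge(req, peer, auth, True) == expected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The RFC 2759 section 9.2 test vector (user name "User", the published peer and authenticator challenges, expected challenge D02E4386BCE91226) is a good sanity check that challenge_hash is the real algorithm and not a sketch. Option (b) in Alan's reply works precisely because it gives FreeRADIUS the NT hash, so the whole calculation can be done locally over the full User-Name while the directory lookup still uses Stripped-User-Name; option (a) works because the supplicant and the server then hash the same plain name.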

Re: Stripping the domain from the username

Stuart Ramdeen
Hi Alan

Thanks for confirming that what we're trying to do just isn't possible. I
think I'm going to look into adding an alias to every user in the directory
that contains the username formatted as an email address so that OD is able
to successfully authenticate the user and the MS-CHAP calculations complete
successfully.

Best wishes,
Stuart


On Sun, 12 Jan 2020 at 23:56, Alan DeKok <[hidden email]> wrote:

> On Jan 12, 2020, at 6:42 PM, Stuart Ramdeen <[hidden email]>
> wrote:
> >
> > Thank you for your reply. I have made the change you suggested and (in
> > my novice view) there now appears to be more progress than before.
>
>   That's good, but...
>
> > I completely appreciate that it's an old build, but it was included
> > with an older version of macOS Server and I'm trying to get things
> > working before I attempt to update anything. It relies on an Apple
> > module 'opendirectory', which is responsible for querying the
> > directory service running on the Mac server, and so I don't want to
> > change anything yet until I can get things going. I certainly take
> > your point on board though and will look to update to 2.2.10 as soon
> > as possible.
>
>   OK.
>
> > Here is the latest debug output after making the change you suggested.
> > If I am interpreting this correctly, the '[hidden email]'
> > username is being stripped and passed to the directory server during
> > request 0:
>
>   The User-Name is used to create a Stripped-User-Name attribute.  The
> User-Name is *not* edited.  This is important.
>
>   Also, the "opendirectory" module is looking at Stripped-User-Name for
> user lookups.  This is fine.
>
> > [opendirectory] User radiustest exists in OD
> > [opendirectory] User radiustest is a member of the RADUIS SACL
> >
> > but by the time it gets to request 6 it is using the full username
> > rather than the portion before the @:
> >
> > [mschap] Creating challenge hash with username: [hidden email]
> > [mschap] Client is using MS-CHAPv2 for [hidden email], we
> > need NT-Password
> > [mschap] Using OpenDirectory to authenticate
> > [mschap] Unable to find record [hidden email] in OD
> > [mschap] Authentication failed for [hidden email]
> > ++[mschap] = fail
>
>   Yes.  "[hidden email]" doesn't exist in OD.
>
>   However, you should know that the MS-CHAP calculations are done on the
> full User-Name that is passed to FreeRADIUS.  You *cannot* pass just a
> portion of the User-Name to OpenDirectory and expect the MS-CHAP
> calculations to work.  They won't.
>
> > At this point the directory server is seeing a request for
> > [hidden email] and rejecting it because of course the
> > username in that format does not exist. Do I need to change anything
> > so that the mschap module is creating the challenge hash with
> > 'radiustest' rather than '[hidden email]', or am I barking
> > up the wrong tree?
>
>   What you want to do is impossible.
>
>   OpenDirectory won't give FreeRADIUS the user's password, so that
> FreeRADIUS can do the MS-CHAP calculations.
>
>   OpenDirectory won't automatically look up just the "radiustest" portion
> of the user's name, BUT use the whole "[hidden email]" for the
> MS-CHAP calculations.
>
>   Your options are:
>
> a) do PEAP with plain usernames, i.e. "radiustest" and not "
> [hidden email]"
>
> b) put the user's password into a database that FreeRADIUS can read.
>
>   Alan DeKok.
>
>


Re: Stripping the domain from the username

Alan DeKok-2


> On Jan 14, 2020, at 4:59 PM, Stuart Ramdeen <[hidden email]> wrote:
>
> Hi Alan
>
> Thanks for confirming that what we're trying to do just isn't possible. I
> think I'm going to look into adding an alias to every user in the directory
> that contains the username formatted as an email address so that OD is able
> to successfully authenticate the user and the MS-CHAP calculations complete
> successfully.

  That's the best approach.

  Alan DeKok.

