The OpenNET Project / Index page

"freeradius dot1x dynamic vlan assignment"
Forum: Open systems on the server (System: problems, diagnostics / Linux)

"freeradius dot1x dynamic vlan assignment"
Message from Kovrevskii (ok), 07-Dec-22, 12:35
Good day!
On the forum I found a description of a problem similar to mine
https://www.opennet.dev/openforum/vsluhforumID6/19307.html

but my situation is somewhat different
I am trying to set up FreeRADIUS with AD integration and dot1x authentication of wired users with VLAN assignment

I have done all the necessary configuration

I configured the post-auth section of the file /etc/raddb/sites-available/inner-tunnel
post-auth {
        if (0) {
                update reply {
                        User-Name !* ANY
                        Message-Authenticator !* ANY
                        EAP-Message !* ANY
                        Proxy-State !* ANY
                        MS-MPPE-Encryption-Types !* ANY
                        MS-MPPE-Encryption-Policy !* ANY
                        MS-MPPE-Send-Key !* ANY
                        MS-MPPE-Recv-Key !* ANY
                        Tunnel-Type = 13,
                        Tunnel-Medium-Type = 6,
                        Tunnel-Private-Group-Id = "150"
                }
                update {
                        &outer.session-state: += &reply:
                }
        }
}

dot1x authentication works, but the VLAN assignment is NOT performed (the attributes have no effect)

If I set if (1) instead, dot1x authentication does not go through and the radiusd -X output shows the error:
update {
ERROR: Mapping "&reply:" -> "&outer.session-state:" invalid in this context ....
update outer.session-state {
ERROR: Mapping "&request:Module-Failure-Message" -> "&Module-Failure-Message" invalid in this context

Has anyone set up a scheme like this?
What am I doing wrong?

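
Added example, not code from the original post: the layout the stock FreeRADIUS 3.0 configuration uses to get VLAN attributes from the inner (PEAP) request into the Access-Accept sent to the switch. Two things follow from the post itself: a block wrapped in `if (0)` never runs, so the Tunnel-* attributes inside it are never set; and `&outer.session-state` only has an outer request to point at while inner-tunnel is processing the tunneled inner request that eap_peap hands to it (the debug output in the follow-up posts shows that stage as "Virtual server inner-tunnel received request" and "server inner-tunnel {"). In that same output the Access-Requests coming from the NAS are themselves executed "from file /etc/raddb/sites-enabled/inner-tunnel", whereas in the stock layout the NAS talks to sites-enabled/default, which delegates only the inner EAP exchange to inner-tunnel. The VLAN id 150 and the NAS port 1645 are taken from the post; the unconditional assignment (every successfully authenticated host gets VLAN 150) and the contents of the default server are assumptions, trimmed to the sections the debug output exercises.

```unlang
#  /etc/raddb/sites-enabled/inner-tunnel
#  Reached only for the tunneled PEAP request that eap_peap hands over.
#  It must not be the server that listens for the switch.
server inner-tunnel {
	listen {
		ipaddr = 127.0.0.1
		port = 18120
	}

	post-auth {
		#  VLAN for the Access-Accept. Assumption for this example: every
		#  authenticated host lands in VLAN 150; a real deployment would
		#  wrap this in a condition (LDAP-Group, User-Name pattern, ...).
		update reply {
			&Tunnel-Type := VLAN            # value 13 in dictionary.rfc2868
			&Tunnel-Medium-Type := IEEE-802 # value 6
			&Tunnel-Private-Group-Id := "150"
		}

		#  Attributes that belong to the inner exchange only and must not
		#  leak into the outer reply (same list as the stock config).
		update reply {
			&User-Name !* ANY
			&Message-Authenticator !* ANY
			&EAP-Message !* ANY
			&Proxy-State !* ANY
			&MS-MPPE-Encryption-Types !* ANY
			&MS-MPPE-Encryption-Policy !* ANY
			&MS-MPPE-Send-Key !* ANY
			&MS-MPPE-Recv-Key !* ANY
		}

		#  Copy what is left of the inner reply into the OUTER request's
		#  session-state. "outer." resolves only for a tunneled request.
		update {
			&outer.session-state: += &reply:
		}

		Post-Auth-Type REJECT {
			attr_filter.access_reject
			update outer.session-state {
				&Module-Failure-Message := &request:Module-Failure-Message
			}
		}
	}
}

#  /etc/raddb/sites-enabled/default
#  The server the switch actually talks to (port 1645 as in the debug output).
server default {
	listen {
		type = auth
		ipaddr = *
		port = 1645
	}

	authorize {
		filter_username
		preprocess
		suffix
		eap {
			ok = return
		}
	}

	authenticate {
		eap
	}

	post-auth {
		#  Stock 3.0 behaviour: everything cached in session-state,
		#  including what inner-tunnel copied there, goes into the
		#  Access-Accept sent to the NAS.
		update {
			&reply: += &session-state:
		}

		Post-Auth-Type REJECT {
			attr_filter.access_reject
		}
	}
}
```

Check with `radiusd -XC` (parse the configuration and exit) that both servers compile, then with `radiusd -X` that the final Access-Accept sent to 10.8.150.118 lists Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id. The NAS-Port-Id format and port 1645 suggest a Cisco IOS switch; such a switch applies a RADIUS-supplied VLAN only when `aaa authorization network default group radius` is configured, so a correct Access-Accept with no VLAN change on the port points at the switch side rather than at FreeRADIUS. The debug output also prints "Outer and inner identities are the same. User privacy is compromised."; for machine authentication with host/ identities that is expected, but it is a reminder that the outer identity travels in the clear.
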
1. "freeradius dot1x dynamic vlan assignment"
Message from Kovrevskii (ok), 07-Dec-22, 12:53
Adding the radiusd -X output for a user's authentication attempt

with the value if (0)


Ready to process requests
(0) Received Access-Request Id 254 from 10.8.150.118:1645 to 10.70.42.77:1645 length 178
(0)   User-Name = "host/WNAMTest.stand.ru"
(0)   Service-Type = Framed-User
(0)   Framed-MTU = 1504
(0)   Called-Station-Id = "00-17-E0-1C-15-87"
(0)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(0)   EAP-Message = 0x0201001b01686f73742f574e414d546573742e7374616e642e7275
(0)   Message-Authenticator = 0x05f0beadc58cb570784f655631e40bff
(0)   NAS-Port-Type = Ethernet
(0)   NAS-Port = 50005
(0)   NAS-Port-Id = "FastEthernet0/5"
(0)   NAS-IP-Address = 10.8.150.118
(0) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [chap] = noop
(0)     [mschap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0)     update control {
(0)       &Proxy-To-Realm := LOCAL
(0)     } # update control = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 27
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new TLS session
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 2 length 6
(0) eap: EAP session adding &reply:State = 0x8e1144788e135d5a
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(0) Sent Access-Challenge Id 254 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(0)   EAP-Message = 0x010200061920
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x8e1144788e135d5aaaf63b261b53a370
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 255 from 10.8.150.118:1645 to 10.70.42.77:1645 length 373
(1)   User-Name = "host/WNAMTest.stand.ru"
(1)   Service-Type = Framed-User
(1)   Framed-MTU = 1504
(1)   Called-Station-Id = "00-17-E0-1C-15-87"
(1)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(1)   EAP-Message = 0x020200cc1980000000c216030300bd010000b90303639061b3946a0116999001e2cec4eebcc744aa45dd6d3db2d7101612d3e71cf720813f3268239d3d77179cefc9e73f95ba89586d214ebee8e831a945798c53993a002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(1)   Message-Authenticator = 0x57980fece321d5b7e48eb9f464877726
(1)   NAS-Port-Type = Ethernet
(1)   NAS-Port = 50005
(1)   NAS-Port-Id = "FastEthernet0/5"
(1)   State = 0x8e1144788e135d5aaaf63b261b53a370
(1)   NAS-IP-Address = 10.8.150.118
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [chap] = noop
(1)     [mschap] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1)     update control {
(1)       &Proxy-To-Realm := LOCAL
(1)     } # update control = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 204
(1) eap: Continuing tunnel setup
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x8e1144788e135d5a
(1) eap: Finished EAP session with state 0x8e1144788e135d5a
(1) eap: Previous EAP request found for state 0x8e1144788e135d5a, released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 194 bytes
(1) eap_peap: Got complete TLS record (194 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: <<< recv TLS 1.3  [length 00bd]
(1) eap_peap: TLS_accept: SSLv3/TLS read client hello
(1) eap_peap: >>> send TLS 1.2  [length 003d]
(1) eap_peap: TLS_accept: SSLv3/TLS write server hello
(1) eap_peap: >>> send TLS 1.2  [length 0903]
(1) eap_peap: TLS_accept: SSLv3/TLS write certificate
(1) eap_peap: >>> send TLS 1.2  [length 014d]
(1) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(1) eap_peap: >>> send TLS 1.2  [length 0004]
(1) eap_peap: TLS_accept: SSLv3/TLS write server done
(1) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(1) eap_peap: TLS - In Handshake Phase
(1) eap_peap: TLS - got 2725 bytes of data
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 3 length 1004
(1) eap: EAP session adding &reply:State = 0x8e1144788f125d5a
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(1) Sent Access-Challenge Id 255 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(1)   EAP-Message = 0x010303ec19c000000aa5160303003d02000039030316a38bcccaf0c1f7195d6060cabc048b9ea13d100d40f6852eb16cf57da470ce00c030000011ff01000100000b0004030001020017000016030309030b0008ff0008fc0003f8308203f4308202dca003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3232313132383131333435385a170d3233303132373131333435385a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x8e1144788f125d5aaaf63b261b53a370
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 0 from 10.8.150.118:1645 to 10.70.42.77:1645 length 175
(2)   User-Name = "host/WNAMTest.stand.ru"
(2)   Service-Type = Framed-User
(2)   Framed-MTU = 1504
(2)   Called-Station-Id = "00-17-E0-1C-15-87"
(2)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(2)   EAP-Message = 0x020300061900
(2)   Message-Authenticator = 0xaf565cd95e610e00b93fc948a081b99d
(2)   NAS-Port-Type = Ethernet
(2)   NAS-Port = 50005
(2)   NAS-Port-Id = "FastEthernet0/5"
(2)   State = 0x8e1144788f125d5aaaf63b261b53a370
(2)   NAS-IP-Address = 10.8.150.118
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [chap] = noop
(2)     [mschap] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2)     update control {
(2)       &Proxy-To-Realm := LOCAL
(2)     } # update control = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(2)   authenticate {
(2) eap: Expiring EAP session with state 0x8e1144788f125d5a
(2) eap: Finished EAP session with state 0x8e1144788f125d5a
(2) eap: Previous EAP request found for state 0x8e1144788f125d5a, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer ACKed our handshake fragment
(2) eap_peap: [eaptls verify] = request
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 1000
(2) eap: EAP session adding &reply:State = 0x8e1144788c155d5a
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found.  Ignoring.
(2) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(2) Sent Access-Challenge Id 0 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(2)   EAP-Message = (value lost during extraction)
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0x8e1144788c155d5aaaf63b261b53a370
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 1 from 10.8.150.118:1645 to 10.70.42.77:1645 length 175
(3)   User-Name = "host/WNAMTest.stand.ru"
(3)   Service-Type = Framed-User
(3)   Framed-MTU = 1504
(3)   Called-Station-Id = "00-17-E0-1C-15-87"
(3)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(3)   EAP-Message = 0x020400061900
(3)   Message-Authenticator = 0x1f56bf12588e8191c2539fa98dc4746f
(3)   NAS-Port-Type = Ethernet
(3)   NAS-Port = 50005
(3)   NAS-Port-Id = "FastEthernet0/5"
(3)   State = 0x8e1144788c155d5aaaf63b261b53a370
(3)   NAS-IP-Address = 10.8.150.118
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [chap] = noop
(3)     [mschap] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3)     update control {
(3)       &Proxy-To-Realm := LOCAL
(3)     } # update control = noop
(3) eap: Peer sent EAP Response (code 2) ID 4 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(3)   authenticate {
(3) eap: Expiring EAP session with state 0x8e1144788c155d5a
(3) eap: Finished EAP session with state 0x8e1144788c155d5a
(3) eap: Previous EAP request found for state 0x8e1144788c155d5a, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 5 length 743
(3) eap: EAP session adding &reply:State = 0x8e1144788d145d5a
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found.  Ignoring.
(3) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(3) Sent Access-Challenge Id 1 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(3)   EAP-Message = (value lost during extraction)
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0x8e1144788d145d5aaaf63b261b53a370
(3) Finished request
Waking up in 4.9 seconds.


2. "freeradius dot1x dynamic vlan assignment"
Message from Kovrevskii (ok), 07-Dec-22, 12:56
continued

(4) Received Access-Request Id 2 from 10.8.150.118:1645 to 10.70.42.77:1645 length 305
(4)   User-Name = "host/WNAMTest.stand.ru"
(4)   Service-Type = Framed-User
(4)   Framed-MTU = 1504
(4)   Called-Station-Id = "00-17-E0-1C-15-87"
(4)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(4)   EAP-Message = 0x0205008819800000007e1603030046100000424104a7375d5a0b4cab49e9fec1125a800f8a23c26057dfd1f42d8ed06d30fc26a0ea775bafbe3e498651218316b113d020f7acf8c30b2a28774e6ca313eb61c6342714030300010116030300280000000000000000af23d74f75fbe62067fe01739e17ce88600ae6f610789121a25b0f666b425f6f
(4)   Message-Authenticator = 0x399081e9a1a5c11037d7dc6d3b08bc65
(4)   NAS-Port-Type = Ethernet
(4)   NAS-Port = 50005
(4)   NAS-Port-Id = "FastEthernet0/5"
(4)   State = 0x8e1144788d145d5aaaf63b261b53a370
(4)   NAS-IP-Address = 10.8.150.118
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [chap] = noop
(4)     [mschap] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4)     update control {
(4)       &Proxy-To-Realm := LOCAL
(4)     } # update control = noop
(4) eap: Peer sent EAP Response (code 2) ID 5 length 136
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(4)   authenticate {
(4) eap: Expiring EAP session with state 0x8e1144788d145d5a
(4) eap: Finished EAP session with state 0x8e1144788d145d5a
(4) eap: Previous EAP request found for state 0x8e1144788d145d5a, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(4) eap_peap: Got complete TLS record (126 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: TLS_accept: SSLv3/TLS write server done
(4) eap_peap: <<< recv TLS 1.2  [length 0046]
(4) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(4) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(4) eap_peap: <<< recv TLS 1.2  [length 0010]
(4) eap_peap: TLS_accept: SSLv3/TLS read finished
(4) eap_peap: >>> send TLS 1.2  [length 0001]
(4) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(4) eap_peap: >>> send TLS 1.2  [length 0010]
(4) eap_peap: TLS_accept: SSLv3/TLS write finished
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: TLS - Connection Established
(4) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(4) eap_peap: TLS-Session-Version = "TLS 1.2"
(4) eap_peap: TLS - got 51 bytes of data
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 6 length 57
(4) eap: EAP session adding &reply:State = 0x8e1144788a175d5a
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found.  Ignoring.
(4) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(4) session-state: Saving cached attributes
(4)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(4)   TLS-Session-Version = "TLS 1.2"
(4) Sent Access-Challenge Id 2 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(4)   EAP-Message = 0x01060039190014030300010116030300289251a406bf3dbfb03724ace561a3dd1a3295ed2c4d17b05d85670ecad49cb5873a6f8eb092810370
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0x8e1144788a175d5aaaf63b261b53a370
(4) Finished request
Waking up in 4.8 seconds.
(5) Received Access-Request Id 3 from 10.8.150.118:1645 to 10.70.42.77:1645 length 175
(5)   User-Name = "host/WNAMTest.stand.ru"
(5)   Service-Type = Framed-User
(5)   Framed-MTU = 1504
(5)   Called-Station-Id = "00-17-E0-1C-15-87"
(5)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(5)   EAP-Message = 0x020600061900
(5)   Message-Authenticator = 0x325b51a8e67ce86e0d4401a06a1cadba
(5)   NAS-Port-Type = Ethernet
(5)   NAS-Port = 50005
(5)   NAS-Port-Id = "FastEthernet0/5"
(5)   State = 0x8e1144788a175d5aaaf63b261b53a370
(5)   NAS-IP-Address = 10.8.150.118
(5) Restoring &session-state
(5)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5)   &session-state:TLS-Session-Version = "TLS 1.2"
(5) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [chap] = noop
(5)     [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5)     update control {
(5)       &Proxy-To-Realm := LOCAL
(5)     } # update control = noop
(5) eap: Peer sent EAP Response (code 2) ID 6 length 6
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(5)   authenticate {
(5) eap: Expiring EAP session with state 0x8e1144788a175d5a
(5) eap: Finished EAP session with state 0x8e1144788a175d5a
(5) eap: Previous EAP request found for state 0x8e1144788a175d5a, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established.  Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 7 length 40
(5) eap: EAP session adding &reply:State = 0x8e1144788b165d5a
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found.  Ignoring.
(5) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(5) session-state: Saving cached attributes
(5)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5)   TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 3 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(5)   EAP-Message = 0x010700281900170303001d9251a406bf3dbfb1c4883ad1165a072b12d250a2a4d4747b6748cd60ed
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0x8e1144788b165d5aaaf63b261b53a370
(5) Finished request
Waking up in 4.8 seconds.
(6) Received Access-Request Id 4 from 10.8.150.118:1645 to 10.70.42.77:1645 length 227
(6)   User-Name = "host/WNAMTest.stand.ru"
(6)   Service-Type = Framed-User
(6)   Framed-MTU = 1504
(6)   Called-Station-Id = "00-17-E0-1C-15-87"
(6)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(6)   EAP-Message = 0x0207003a1900170303002f000000000000000155af9208b9017d53ad5ae04767876fbc5e85a534d96d067d5325b0772d3d76e28e379d081fb595
(6)   Message-Authenticator = 0xac48ac31824eed7ee4ef2c0c7cea5934
(6)   NAS-Port-Type = Ethernet
(6)   NAS-Port = 50005
(6)   NAS-Port-Id = "FastEthernet0/5"
(6)   State = 0x8e1144788b165d5aaaf63b261b53a370
(6)   NAS-IP-Address = 10.8.150.118
(6) Restoring &session-state
(6)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6)   &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy filter_username = notfound
(6)     [chap] = noop
(6)     [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6)     update control {
(6)       &Proxy-To-Realm := LOCAL
(6)     } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 7 length 58
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6)   authenticate {
(6) eap: Expiring EAP session with state 0x8e1144788b165d5a
(6) eap: Finished EAP session with state 0x8e1144788b165d5a
(6) eap: Previous EAP request found for state 0x8e1144788b165d5a, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - host/WNAMTest.stand.ru
(6) eap_peap: Got inner identity 'host/WNAMTest.stand.ru'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap:   EAP-Message = 0x0207001b01686f73742f574e414d546573742e7374616e642e7275
(6) eap_peap: Setting User-Name to host/WNAMTest.stand.ru
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap:   EAP-Message = 0x0207001b01686f73742f574e414d546573742e7374616e642e7275
(6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap:   User-Name = "host/WNAMTest.stand.ru"
(6) Virtual server inner-tunnel received request
(6)   EAP-Message = 0x0207001b01686f73742f574e414d546573742e7374616e642e7275
(6)   FreeRADIUS-Proxied-To = 127.0.0.1
(6)   User-Name = "host/WNAMTest.stand.ru"
(6) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(6) server inner-tunnel {
(6)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(6)     authorize {
(6)       policy filter_username {
(6)         if (&User-Name) {
(6)         if (&User-Name)  -> TRUE
(6)         if (&User-Name)  {
(6)           if (&User-Name =~ / /) {
(6)           if (&User-Name =~ / /)  -> FALSE
(6)           if (&User-Name =~ /@[^@]*@/ ) {
(6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)           if (&User-Name =~ /\.\./ ) {
(6)           if (&User-Name =~ /\.\./ )  -> FALSE
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)           if (&User-Name =~ /\.$/)  {
(6)           if (&User-Name =~ /\.$/)   -> FALSE
(6)           if (&User-Name =~ /@\./)  {
(6)           if (&User-Name =~ /@\./)   -> FALSE
(6)         } # if (&User-Name)  = notfound
(6)       } # policy filter_username = notfound
(6)       [chap] = noop
(6)       [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)       [suffix] = noop
(6)       update control {
(6)         &Proxy-To-Realm := LOCAL
(6)       } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 7 length 27
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6)       [eap] = ok
(6)     } # authorize = ok
(6)   Found Auth-Type = eap
(6)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6)     authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) eap: Sending EAP Request (code 1) ID 8 length 43
(6) eap: EAP session adding &reply:State = 0x80bfe1b680b7fb9c
(6)       [eap] = handled
(6)     } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6)   EAP-Message = 0x0108002b1a01080026106912a9030f5003beda5b4dec2f6730a8667265657261646975732d332e302e3231
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0x80bfe1b680b7fb9c548551106d70804b
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap:   EAP-Message = 0x0108002b1a01080026106912a9030f5003beda5b4dec2f6730a8667265657261646975732d332e302e3231
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0x80bfe1b680b7fb9c548551106d70804b
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap:   EAP-Message = 0x0108002b1a01080026106912a9030f5003beda5b4dec2f6730a8667265657261646975732d332e302e3231
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0x80bfe1b680b7fb9c548551106d70804b
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 8 length 74
(6) eap: EAP session adding &reply:State = 0x8e11447888195d5a
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found.  Ignoring.
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) session-state: Saving cached attributes
(6)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6)   TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 4 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(6)   EAP-Message = 0x0108004a1900170303003f9251a406bf3dbfb21ba0d54fc4fb678471339bd905a4d1efe72a529fbfa57ac4d537c3a217957d3ece4e5b8b66b75ccc379346f106da70cb435a9a8260dd81
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0x8e11447888195d5aaaf63b261b53a370
(6) Finished request
Waking up in 4.4 seconds.


3. "freeradius dot1x dynamic vlan assignment"
Message from Kovrevskii (ok), 07-Dec-22, 12:57
(7) Received Access-Request Id 5 from 10.8.150.118:1645 to 10.70.42.77:1645 length 281
(7)   User-Name = "host/WNAMTest.stand.ru"
(7)   Service-Type = Framed-User
(7)   Framed-MTU = 1504
(7)   Called-Station-Id = "00-17-E0-1C-15-87"
(7)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(7)   EAP-Message = 0x0208007019001703030065000000000000000291ebbab1487f9c926b4c65fcadf4b6326ce17fc7ebb89a2a1a2682a48bfbc712b1fac98d617edb7965d3a64ada1db96804aea60b3741c85d5e0f7e68ca0f3581be104e79d3f916ad3a2ed8b7f23d05f4f1dd5e98cfa41d0822b087b016
(7)   Message-Authenticator = 0x97bb4e8bd14ce6352ab0262027368166
(7)   NAS-Port-Type = Ethernet
(7)   NAS-Port = 50005
(7)   NAS-Port-Id = "FastEthernet0/5"
(7)   State = 0x8e11447888195d5aaaf63b261b53a370
(7)   NAS-IP-Address = 10.8.150.118
(7) Restoring &session-state
(7)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7)   &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [chap] = noop
(7)     [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7)     update control {
(7)       &Proxy-To-Realm := LOCAL
(7)     } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 8 length 112
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7)   authenticate {
(7) eap: Expiring EAP session with state 0x80bfe1b680b7fb9c
(7) eap: Finished EAP session with state 0x8e11447888195d5a
(7) eap: Previous EAP request found for state 0x8e11447888195d5a, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap:   EAP-Message = 0x020800511a0208004c31a07a106f14b5a62cb6ecdc05ac5f18e30000000000000000ae7e258e4232de145bf4036973ba5257eccfddfc3a01a93e00686f73742f574e414d546573742e7374616e642e7275
(7) eap_peap: Setting User-Name to host/WNAMTest.stand.ru
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap:   EAP-Message = 0x020800511a0208004c31a07a106f14b5a62cb6ecdc05ac5f18e30000000000000000ae7e258e4232de145bf4036973ba5257eccfddfc3a01a93e00686f73742f574e414d546573742e7374616e642e7275
(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap:   User-Name = "host/WNAMTest.stand.ru"
(7) eap_peap:   State = 0x80bfe1b680b7fb9c548551106d70804b
(7) Virtual server inner-tunnel received request
(7)   EAP-Message = 0x020800511a0208004c31a07a106f14b5a62cb6ecdc05ac5f18e30000000000000000ae7e258e4232de145bf4036973ba5257eccfddfc3a01a93e00686f73742f574e414d546573742e7374616e642e7275
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "host/WNAMTest.stand.ru"
(7)   State = 0x80bfe1b680b7fb9c548551106d70804b
(7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(7) server inner-tunnel {
(7)   session-state: No cached attributes
(7)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(7)     authorize {
(7)       policy filter_username {
(7)         if (&User-Name) {
(7)         if (&User-Name)  -> TRUE
(7)         if (&User-Name)  {
(7)           if (&User-Name =~ / /) {
(7)           if (&User-Name =~ / /)  -> FALSE
(7)           if (&User-Name =~ /@[^@]*@/ ) {
(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)           if (&User-Name =~ /\.\./ ) {
(7)           if (&User-Name =~ /\.\./ )  -> FALSE
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)           if (&User-Name =~ /\.$/)  {
(7)           if (&User-Name =~ /\.$/)   -> FALSE
(7)           if (&User-Name =~ /@\./)  {
(7)           if (&User-Name =~ /@\./)   -> FALSE
(7)         } # if (&User-Name)  = notfound
(7)       } # policy filter_username = notfound
(7)       [chap] = noop
(7)       [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)       [suffix] = noop
(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 8 length 81
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)       [eap] = updated
(7)       [files] = noop
(7)       [expiration] = noop
(7)       [logintime] = noop
(7)       [pap] = noop
(7)     } # authorize = updated
(7)   Found Auth-Type = eap
(7)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7)     authenticate {
(7) eap: Expiring EAP session with state 0x80bfe1b680b7fb9c
(7) eap: Finished EAP session with state 0x80bfe1b680b7fb9c
(7) eap: Previous EAP request found for state 0x80bfe1b680b7fb9c, released from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) eap_mschapv2:   authenticate {
(7) mschap: Creating challenge hash with username: host/WNAMTest.stand.ru
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-STAND} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(7) mschap: EXPAND --username=%{mschap:User-Name:-None}
(7) mschap:    --> --username=WNAMTest$
(7) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-STAND}
(7) mschap:    --> --domain=stand
(7) mschap: Creating challenge hash with username: host/WNAMTest.stand.ru
(7) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(7) mschap:    --> --challenge=d858ed797e668361
(7) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(7) mschap:    --> --nt-response=ae7e258e4232de145bf4036973ba5257eccfddfc3a01a93e
added interface ens192 ip=10.70.42.77 bcast=10.70.42.255 netmask=255.255.255.0
added interface ens192 ip=10.70.42.77 bcast=10.70.42.255 netmask=255.255.255.0
added interface ens192 ip=10.70.42.77 bcast=10.70.42.255 netmask=255.255.255.0
(7) mschap: Program returned code (0) and output 'NT_KEY: 7720EA15121870B72DB8AEC247827D5B'
(7) mschap: Adding MS-CHAPv2 MPPE keys
(7) eap_mschapv2:     [mschap] = ok
(7) eap_mschapv2:   } # authenticate = ok
(7) eap_mschapv2: MSCHAP Success
(7) eap: Sending EAP Request (code 1) ID 9 length 51
(7) eap: EAP session adding &reply:State = 0x80bfe1b681b6fb9c
(7)       [eap] = handled
(7)     } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7)   EAP-Message = 0x010900331a0308002e533d44314232383535354646394633443139353244354646323241464439334642423744433431454443
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x80bfe1b681b6fb9c548551106d70804b
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap:   EAP-Message = 0x010900331a0308002e533d44314232383535354646394633443139353244354646323241464439334642423744433431454443
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0x80bfe1b681b6fb9c548551106d70804b
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap:   EAP-Message = 0x010900331a0308002e533d44314232383535354646394633443139353244354646323241464439334642423744433431454443
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0x80bfe1b681b6fb9c548551106d70804b
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 9 length 82
(7) eap: EAP session adding &reply:State = 0x8e11447889185d5a
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found.  Ignoring.
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) session-state: Saving cached attributes
(7)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7)   TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 5 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(7)   EAP-Message = 0x01090052190017030300479251a406bf3dbfb3166d1b07af90422c9dbb30f717afcdb2ae4171be6c905619e570bc3dc857a60fea9d389487fd3ab7176e072cc2d7605a273cffb73134a07fc8807300df4c67
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x8e11447889185d5aaaf63b261b53a370
(7) Finished request
Waking up in 2.6 seconds.
(8) Received Access-Request Id 6 from 10.8.150.118:1645 to 10.70.42.77:1645 length 206
(8)   User-Name = "host/WNAMTest.stand.ru"
(8)   Service-Type = Framed-User
(8)   Framed-MTU = 1504
(8)   Called-Station-Id = "00-17-E0-1C-15-87"
(8)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(8)   EAP-Message = 0x020900251900170303001a000000000000000378eec0b094f6e356c114d3636da01d0302c8
(8)   Message-Authenticator = 0xe7e52adeeb798f38bd7c85806f6088a1
(8)   NAS-Port-Type = Ethernet
(8)   NAS-Port = 50005
(8)   NAS-Port-Id = "FastEthernet0/5"
(8)   State = 0x8e11447889185d5aaaf63b261b53a370
(8)   NAS-IP-Address = 10.8.150.118
(8) Restoring &session-state
(8)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8)   &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [chap] = noop
(8)     [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8)     update control {
(8)       &Proxy-To-Realm := LOCAL
(8)     } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 9 length 37
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8)   authenticate {
(8) eap: Expiring EAP session with state 0x80bfe1b681b6fb9c
(8) eap: Finished EAP session with state 0x8e11447889185d5a
(8) eap: Previous EAP request found for state 0x8e11447889185d5a, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message = 0x020900061a03
(8) eap_peap: Setting User-Name to host/WNAMTest.stand.ru
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap:   EAP-Message = 0x020900061a03
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = "host/WNAMTest.stand.ru"
(8) eap_peap:   State = 0x80bfe1b681b6fb9c548551106d70804b
(8) Virtual server inner-tunnel received request
(8)   EAP-Message = 0x020900061a03
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "host/WNAMTest.stand.ru"
(8)   State = 0x80bfe1b681b6fb9c548551106d70804b
(8) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(8) server inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8)     authorize {
(8)       policy filter_username {
(8)         if (&User-Name) {
(8)         if (&User-Name)  -> TRUE
(8)         if (&User-Name)  {
(8)           if (&User-Name =~ / /) {
(8)           if (&User-Name =~ / /)  -> FALSE
(8)           if (&User-Name =~ /@[^@]*@/ ) {
(8)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)           if (&User-Name =~ /\.\./ ) {
(8)           if (&User-Name =~ /\.\./ )  -> FALSE
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)           if (&User-Name =~ /\.$/)  {
(8)           if (&User-Name =~ /\.$/)   -> FALSE
(8)           if (&User-Name =~ /@\./)  {
(8)           if (&User-Name =~ /@\./)   -> FALSE
(8)         } # if (&User-Name)  = notfound
(8)       } # policy filter_username = notfound
(8)       [chap] = noop
(8)       [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)       [suffix] = noop
(8)       update control {
(8)         &Proxy-To-Realm := LOCAL
(8)       } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 9 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8)       [eap] = updated
(8)       [files] = noop
(8)       [expiration] = noop
(8)       [logintime] = noop
(8)       [pap] = noop
(8)     } # authorize = updated
(8)   Found Auth-Type = eap
(8)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8)     authenticate {
(8) eap: Expiring EAP session with state 0x80bfe1b681b6fb9c
(8) eap: Finished EAP session with state 0x80bfe1b681b6fb9c
(8) eap: Previous EAP request found for state 0x80bfe1b681b6fb9c, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 9 length 4
(8) eap: Freeing handler
(8)       [eap] = ok
(8)     } # authenticate = ok
(8)   # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(8)     post-auth {
(8)       if (0) {
(8)       if (0)  -> FALSE
(8)     } # post-auth = noop
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8)   MS-MPPE-Encryption-Policy = Encryption-Required
(8)   MS-MPPE-Encryption-Types = 4
(8)   MS-MPPE-Send-Key = 0xe444906440d09dcefe30e65f8a455ffe
(8)   MS-MPPE-Recv-Key = 0xdf0ca8f806b3a21c299fcfc99f87791b
(8)   EAP-Message = 0x03090004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   User-Name = "host/WNAMTest.stand.ru"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Required
(8) eap_peap:   MS-MPPE-Encryption-Types = 4
(8) eap_peap:   MS-MPPE-Send-Key = 0xe444906440d09dcefe30e65f8a455ffe
(8) eap_peap:   MS-MPPE-Recv-Key = 0xdf0ca8f806b3a21c299fcfc99f87791b
(8) eap_peap:   EAP-Message = 0x03090004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap:   User-Name = "host/WNAMTest.stand.ru"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Required
(8) eap_peap:   MS-MPPE-Encryption-Types = 4
(8) eap_peap:   MS-MPPE-Send-Key = 0xe444906440d09dcefe30e65f8a455ffe
(8) eap_peap:   MS-MPPE-Recv-Key = 0xdf0ca8f806b3a21c299fcfc99f87791b
(8) eap_peap:   EAP-Message = 0x03090004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap:   User-Name = "host/WNAMTest.stand.ru"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap_peap: Saving tunneled attributes for later
(8) eap: Sending EAP Request (code 1) ID 10 length 46
(8) eap: EAP session adding &reply:State = 0x8e114478861b5d5a
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found.  Ignoring.
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) session-state: Saving cached attributes
(8)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8)   TLS-Session-Version = "TLS 1.2"
(8) Sent Access-Challenge Id 6 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(8)   EAP-Message = 0x010a002e190017030300239251a406bf3dbfb461f9265352132b6168ac7357152cb9b634037994ebe332a9110348
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0x8e114478861b5d5aaaf63b261b53a370
(8) Finished request
Waking up in 1.1 seconds.
(9) Received Access-Request Id 7 from 10.8.150.118:1645 to 10.70.42.77:1645 length 215
(9)   User-Name = "host/WNAMTest.stand.ru"
(9)   Service-Type = Framed-User
(9)   Framed-MTU = 1504
(9)   Called-Station-Id = "00-17-E0-1C-15-87"
(9)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(9)   EAP-Message = 0x020a002e190017030300230000000000000004927ddd170135351a86f47838145a40afaf72f135003b599166820a
(9)   Message-Authenticator = 0x341162108426d80f1a33e359b5f4e4ec
(9)   NAS-Port-Type = Ethernet
(9)   NAS-Port = 50005
(9)   NAS-Port-Id = "FastEthernet0/5"
(9)   State = 0x8e114478861b5d5aaaf63b261b53a370
(9)   NAS-IP-Address = 10.8.150.118
(9) Restoring &session-state
(9)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9)   &session-state:TLS-Session-Version = "TLS 1.2"
(9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [chap] = noop
(9)     [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9)     update control {
(9)       &Proxy-To-Realm := LOCAL
(9)     } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 10 length 46
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9)   authenticate {
(9) eap: Expiring EAP session with state 0x8e114478861b5d5a
(9) eap: Finished EAP session with state 0x8e114478861b5d5a
(9) eap: Previous EAP request found for state 0x8e114478861b5d5a, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: Using saved attributes from the original Access-Accept
(9) eap_peap:   User-Name = "host/WNAMTest.stand.ru"
(9) eap: Sending EAP Success (code 3) ID 10 length 4
(9) eap: Freeing handler
(9)     [eap] = ok
(9)   } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(9)   post-auth {
(9)     if (0) {
(9)     if (0)  -> FALSE
(9)   } # post-auth = noop
(9) Sent Access-Accept Id 7 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(9)   User-Name = "host/WNAMTest.stand.ru"
(9)   MS-MPPE-Recv-Key = 0xaca43fa253ab9317739a3fb461cbcbe7135a0e64c859ba294d13521ab23900e5
(9)   MS-MPPE-Send-Key = 0x7a13c3ceca352d8324a687be674add16c6b032682308cfc6859ea2974fe41e3e
(9)   EAP-Message = 0x030a0004
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9) Finished request
Waking up in 0.2 seconds.
(0) Cleaning up request packet ID 254 with timestamp +286
(1) Cleaning up request packet ID 255 with timestamp +286
(2) Cleaning up request packet ID 0 with timestamp +286
(3) Cleaning up request packet ID 1 with timestamp +286
(4) Cleaning up request packet ID 2 with timestamp +286
(5) Cleaning up request packet ID 3 with timestamp +286
Waking up in 0.4 seconds.
(6) Cleaning up request packet ID 4 with timestamp +286
Waking up in 1.7 seconds.
(7) Cleaning up request packet ID 5 with timestamp +288
Waking up in 1.5 seconds.
(8) Cleaning up request packet ID 6 with timestamp +289
Waking up in 0.8 seconds.
(9) Cleaning up request packet ID 7 with timestamp +290

4. "freeradius dot1x dynamic vlan assignment"
Message from Kovrevskii (ok), 07-Dec-22, 13:07
If I write if (1) in the post-auth section, I get an error:

(8) Received Access-Request Id 16 from 10.8.150.118:1645 to 10.70.42.77:1645 length 206
(8)   User-Name = "host/WNAMTest.stand.ru"
(8)   Service-Type = Framed-User
(8)   Framed-MTU = 1504
(8)   Called-Station-Id = "00-17-E0-1C-15-87"
(8)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(8)   EAP-Message = 0x020900251900170303001a0000000000000003bfc49b79f8e6a33b3dbb7bd7c40602262192
(8)   Message-Authenticator = 0x85293261230a81879ef33b04ef76807d
(8)   NAS-Port-Type = Ethernet
(8)   NAS-Port = 50005
(8)   NAS-Port-Id = "FastEthernet0/5"
(8)   State = 0x35db708332d269e6230a007503c37627
(8)   NAS-IP-Address = 10.8.150.118
(8) Restoring &session-state
(8)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8)   &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [chap] = noop
(8)     [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8)     update control {
(8)       &Proxy-To-Realm := LOCAL
(8)     } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 9 length 37
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8)   authenticate {
(8) eap: Expiring EAP session with state 0xe0803171e1892b17
(8) eap: Finished EAP session with state 0x35db708332d269e6
(8) eap: Previous EAP request found for state 0x35db708332d269e6, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message = 0x020900061a03
(8) eap_peap: Setting User-Name to host/WNAMTest.stand.ru
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap:   EAP-Message = 0x020900061a03
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = "host/WNAMTest.stand.ru"
(8) eap_peap:   State = 0xe0803171e1892b17e57438631f9978dd
(8) Virtual server inner-tunnel received request
(8)   EAP-Message = 0x020900061a03
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "host/WNAMTest.stand.ru"
(8)   State = 0xe0803171e1892b17e57438631f9978dd
(8) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(8) server inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8)     authorize {
(8)       policy filter_username {
(8)         if (&User-Name) {
(8)         if (&User-Name)  -> TRUE
(8)         if (&User-Name)  {
(8)           if (&User-Name =~ / /) {
(8)           if (&User-Name =~ / /)  -> FALSE
(8)           if (&User-Name =~ /@[^@]*@/ ) {
(8)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)           if (&User-Name =~ /\.\./ ) {
(8)           if (&User-Name =~ /\.\./ )  -> FALSE
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)           if (&User-Name =~ /\.$/)  {
(8)           if (&User-Name =~ /\.$/)   -> FALSE
(8)           if (&User-Name =~ /@\./)  {
(8)           if (&User-Name =~ /@\./)   -> FALSE
(8)         } # if (&User-Name)  = notfound
(8)       } # policy filter_username = notfound
(8)       [chap] = noop
(8)       [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)       [suffix] = noop
(8)       update control {
(8)         &Proxy-To-Realm := LOCAL
(8)       } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 9 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8)       [eap] = updated
(8)       [files] = noop
(8)       [expiration] = noop
(8)       [logintime] = noop
(8)       [pap] = noop
(8)     } # authorize = updated
(8)   Found Auth-Type = eap
(8)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8)     authenticate {
(8) eap: Expiring EAP session with state 0xe0803171e1892b17
(8) eap: Finished EAP session with state 0xe0803171e1892b17
(8) eap: Previous EAP request found for state 0xe0803171e1892b17, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 9 length 4
(8) eap: Freeing handler
(8)       [eap] = ok
(8)     } # authenticate = ok
(8)   # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(8)     post-auth {
(8)       if (1) {
(8)       if (1)  -> TRUE
(8)       if (1)  {
(8)         update reply {
(8)           User-Name !* ANY
(8)           Message-Authenticator !* ANY
(8)           EAP-Message !* ANY
(8)           Proxy-State !* ANY
(8)           MS-MPPE-Encryption-Types !* ANY
(8)           MS-MPPE-Encryption-Policy !* ANY
(8)           MS-MPPE-Send-Key !* ANY
(8)           MS-MPPE-Recv-Key !* ANY
(8)           Tunnel-Type = VLAN
(8)           Tunnel-Medium-Type = IEEE-802
(8)           Tunnel-Private-Group-Id = "150"
(8)         } # update reply = noop
(8)         update {
(8)           &outer.session-state::Tunnel-Type += &reply:Tunnel-Type[*] -> VLAN
(8)           &outer.session-state::Tunnel-Medium-Type += &reply:Tunnel-Medium-Type[*] -> IEEE-802
(8)           &outer.session-state::Tunnel-Private-Group-Id += &reply:Tunnel-Private-Group-Id[*] -> '150'
(8)         } # update = noop
(8)       } # if (1)  = noop
(8)     } # post-auth = noop
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8)   Tunnel-Type = VLAN
(8)   Tunnel-Medium-Type = IEEE-802
(8)   Tunnel-Private-Group-Id = "150"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap:   Tunnel-Type = VLAN
(8) eap_peap:   Tunnel-Medium-Type = IEEE-802
(8) eap_peap:   Tunnel-Private-Group-Id = "150"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap:   Tunnel-Type = VLAN
(8) eap_peap:   Tunnel-Medium-Type = IEEE-802
(8) eap_peap:   Tunnel-Private-Group-Id = "150"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap_peap: Saving tunneled attributes for later
(8) eap: Sending EAP Request (code 1) ID 10 length 46
(8) eap: EAP session adding &reply:State = 0x35db70833dd169e6
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found.  Ignoring.
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) session-state: Saving cached attributes
(8)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8)   TLS-Session-Version = "TLS 1.2"
(8)   Tunnel-Type += VLAN
(8)   Tunnel-Medium-Type += IEEE-802
(8)   Tunnel-Private-Group-Id += "150"
(8) Sent Access-Challenge Id 16 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
(8)   EAP-Message = 0x010a002e190017030300239656895d9d047f0c62289e622c8e69d1d72d7d601c1981ec4514bfc83655820d0b7eae
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0x35db70833dd169e6230a007503c37627
(8) Finished request
Waking up in 2.0 seconds.
(9) Received Access-Request Id 17 from 10.8.150.118:1645 to 10.70.42.77:1645 length 215
(9)   User-Name = "host/WNAMTest.stand.ru"
(9)   Service-Type = Framed-User
(9)   Framed-MTU = 1504
(9)   Called-Station-Id = "00-17-E0-1C-15-87"
(9)   Calling-Station-Id = "00-E0-4C-31-0E-67"
(9)   EAP-Message = 0x020a002e1900170303002300000000000000042f9e214e97dbecd34987e322d107aee761efe52b96b406123d7d9f
(9)   Message-Authenticator = 0x85051369b1f749095a19433c21200733
(9)   NAS-Port-Type = Ethernet
(9)   NAS-Port = 50005
(9)   NAS-Port-Id = "FastEthernet0/5"
(9)   State = 0x35db70833dd169e6230a007503c37627
(9)   NAS-IP-Address = 10.8.150.118
(9) Restoring &session-state
(9)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9)   &session-state:TLS-Session-Version = "TLS 1.2"
(9)   &session-state:Tunnel-Type += VLAN
(9)   &session-state:Tunnel-Medium-Type += IEEE-802
(9)   &session-state:Tunnel-Private-Group-Id += "150"
(9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [chap] = noop
(9)     [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "host/WNAMTest.stand.ru", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9)     update control {
(9)       &Proxy-To-Realm := LOCAL
(9)     } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 10 length 46
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9)   authenticate {
(9) eap: Expiring EAP session with state 0x35db70833dd169e6
(9) eap: Finished EAP session with state 0x35db70833dd169e6
(9) eap: Previous EAP request found for state 0x35db70833dd169e6, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: Using saved attributes from the original Access-Accept
(9) eap_peap:   Tunnel-Type = VLAN
(9) eap_peap:   Tunnel-Medium-Type = IEEE-802
(9) eap_peap:   Tunnel-Private-Group-Id = "150"
(9) eap: Sending EAP Success (code 3) ID 10 length 4
(9) eap: Freeing handler
(9)     [eap] = ok
(9)   } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(9)   post-auth {
(9)     if (1) {
(9)     if (1)  -> TRUE
(9)     if (1)  {
(9)       update reply {
(9)         User-Name !* ANY
(9)         Message-Authenticator !* ANY
(9)         EAP-Message !* ANY
(9)         Proxy-State !* ANY
(9)         MS-MPPE-Encryption-Types !* ANY
(9)         MS-MPPE-Encryption-Policy !* ANY
(9)         MS-MPPE-Send-Key !* ANY
(9)         MS-MPPE-Recv-Key !* ANY
(9)         Tunnel-Type = VLAN
(9)         Tunnel-Medium-Type = IEEE-802
(9)         Tunnel-Private-Group-Id = "150"
(9)       } # update reply = noop
(9)       update {
(9)         ERROR: Mapping "&reply:" -> "&outer.session-state:" invalid in this context
(9)       } # update = invalid
(9)     } # if (1)  = invalid
(9)   } # post-auth = invalid
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9)   Post-Auth-Type REJECT {
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject:    --> host/WNAMTest.stand.ru
(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
(9)     [attr_filter.access_reject] = updated
(9)     update outer.session-state {
(9)       ERROR: Mapping "&request:Module-Failure-Message" -> "&Module-Failure-Message" invalid in this context
(9)     } # update outer.session-state = invalid
(9)   } # Post-Auth-Type REJECT = invalid
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.1 seconds.
(0) Cleaning up request packet ID 8 with timestamp +147
(1) Cleaning up request packet ID 9 with timestamp +147
(2) Cleaning up request packet ID 10 with timestamp +147
(3) Cleaning up request packet ID 11 with timestamp +147
(4) Cleaning up request packet ID 12 with timestamp +147
(5) Cleaning up request packet ID 13 with timestamp +147
Waking up in 0.2 seconds.
(9) Sending delayed response
(9) Sent Access-Reject Id 17 from 10.70.42.77:1645 to 10.8.150.118:1645 length 20
(6) Cleaning up request packet ID 14 with timestamp +148
Waking up in 0.7 seconds.
(7) Cleaning up request packet ID 15 with timestamp +148
Waking up in 1.6 seconds.
(8) Cleaning up request packet ID 16 with timestamp +150
Waking up in 1.5 seconds.
(9) Cleaning up request packet ID 17 with timestamp +152
Ready to process requests

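As an added illustration (not part of this post and not FreeRADIUS code), the following Python checker walks `radiusd -X` output like the log above and reports, per request number, which virtual-server file handled the request, which unlang sections returned `invalid`, and which `update` mappings failed. The names `SAMPLE_LOG`, `RequestTrace`, `parse_debug_log` and `findings` are my own; the sample is an excerpt of the lines quoted in the post. Run over that excerpt it points at the detail that matters here: the Access-Request received from the NAS (request 9) is processed by `sites-enabled/inner-tunnel` directly, and a request that arrives on a socket has no outer (parent) request, so `&outer.session-state:` has nothing to refer to and the mapping is rejected as "invalid in this context".

```python
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Excerpt of the radiusd -X output quoted in the post (trimmed to the lines
# the checker needs).
SAMPLE_LOG = """\
(8) eap_peap: Got tunneled reply code 2
(8) Sent Access-Challenge Id 16 from 10.70.42.77:1645 to 10.8.150.118:1645 length 0
Waking up in 2.0 seconds.
(9) Received Access-Request Id 17 from 10.8.150.118:1645 to 10.70.42.77:1645 length 215
(9)   User-Name = "host/WNAMTest.stand.ru"
(9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(9)   authorize {
(9)   } # authorize = ok
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9)   } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(9)   post-auth {
(9)       update {
(9)         ERROR: Mapping "&reply:" -> "&outer.session-state:" invalid in this context
(9)       } # update = invalid
(9)     } # if (1)  = invalid
(9)   } # post-auth = invalid
(9) Using Post-Auth-Type Reject
(9)     update outer.session-state {
(9)       ERROR: Mapping "&request:Module-Failure-Message" -> "&Module-Failure-Message" invalid in this context
(9)     } # update outer.session-state = invalid
(9) Sent Access-Reject Id 17 from 10.70.42.77:1645 to 10.8.150.118:1645 length 20
"""

LINE_RE = re.compile(r"^\((\d+)\) ?(.*)$")          # "(9) ..." request-numbered lines
RECV_RE = re.compile(r"^Received (Access-\w+) Id (\d+) from (\S+) to (\S+)")
SECTION_RE = re.compile(r"^# Executing (?:section (\S+)|group) from file (\S+)")
INVALID_RE = re.compile(r"^\} # (.+?)\s*= invalid$")
MAPERR_RE = re.compile(r'^ERROR: Mapping "([^"]+)" -> "([^"]+)" invalid in this context')
SENT_RE = re.compile(r"^Sent (Access-\w+) Id (\d+)")


@dataclass
class RequestTrace:
    number: int
    received: Optional[str] = None                 # packet type and NAS address, if received on a socket
    servers: List[str] = field(default_factory=list)   # virtual-server files that ran sections, in order
    invalid: List[str] = field(default_factory=list)   # unlang sections that returned "invalid"
    map_errors: List[Tuple[str, str]] = field(default_factory=list)  # (source, destination) of failed mappings
    sent: Optional[str] = None                     # reply packet type


def parse_debug_log(text: str) -> Dict[int, RequestTrace]:
    """Group radiusd -X lines by request number and extract the facts we care about."""
    traces: Dict[int, RequestTrace] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # "Waking up ..." and other lines without a request number
        num, body = int(m.group(1)), m.group(2).strip()
        tr = traces.setdefault(num, RequestTrace(num))
        if (r := RECV_RE.match(body)):
            tr.received = f"{r.group(1)} from {r.group(3)}"
        elif (s := SECTION_RE.match(body)):
            name = os.path.basename(s.group(2))
            if not tr.servers or tr.servers[-1] != name:
                tr.servers.append(name)
        elif (i := INVALID_RE.match(body)):
            tr.invalid.append(i.group(1))
        elif (e := MAPERR_RE.match(body)):
            tr.map_errors.append((e.group(1), e.group(2)))
        elif (t := SENT_RE.match(body)):
            tr.sent = t.group(1)
    return traces


def findings(traces: Dict[int, RequestTrace]) -> List[str]:
    """Turn the per-request traces into human-readable diagnostics."""
    out: List[str] = []
    for tr in sorted(traces.values(), key=lambda t: t.number):
        if tr.received and "inner-tunnel" in tr.servers:
            out.append(f"({tr.number}) {tr.received} was processed by inner-tunnel directly; "
                       "a packet received on a socket has no outer request, so &outer.* cannot resolve")
        for src, dst in tr.map_errors:
            note = " (outer. reference)" if "outer." in dst else ""
            out.append(f"({tr.number}) mapping {src} -> {dst} failed{note}")
        if tr.invalid:
            out.append(f"({tr.number}) sections returning invalid: {', '.join(tr.invalid)}; reply: {tr.sent}")
    return out


if __name__ == "__main__":
    for line in findings(parse_debug_log(SAMPLE_LOG)):
        print(line)
```

To use it on a full capture, replace `SAMPLE_LOG` with the contents of a saved `radiusd -X` run; the checker is only a reading aid and does not change any FreeRADIUS configuration.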