VSA cisco-avpair is missing from the final EAP reply

[drook]

Issue type

• [x] Defect - Unexpected behaviour (obvious or verified by project member).

Defect/Feature description

I'm trying to restrict a wireless user to a specific SSID. I have a freeradius 3.0.11 server that was configured some time ago when it was running a 2.x version, and this feature was working, then I ported the configs. Now it doesn't work for some reason, and I'm desperately trying to figure out why. It has an PgSQL backend configured and pretty much all of my tweaks are saved there.

So, now about what do I see. Seems like when using radtest sequence everything is working as intended:

# radtest -t eap-md5 foobar XXXXX localhost 666 s0m3s3cr3t
Loading input data...
Read 1 element(s) from input: stdin
Loaded: 1 input element(s).
Adding new socket: src: 0.0.0.0:0, dst: 127.0.0.1:1812
Added new socket: 6 (num sockets: 1)
Transaction: 0, sending packet: 0 (id: 54)...
Sent Access-Request Id 54 from 0.0.0.0:16248 to 127.0.0.1:1812 length 99
        User-Name = "foobar"
        User-Password = "XXXXX"
        NAS-IP-Address = 192.168.3.22
        NAS-Port = 666
        Message-Authenticator = 0x00
        EAP-Code = Response
        EAP-Type-Identity = 0x3839303238333234323133
        EAP-Message = 0x021f0010013839303238333234323133
Transaction: 0, received packet (id: 54).
Received Access-Challenge Id 54 from 127.0.0.1:1812 to 0.0.0.0:16248
length 80
        EAP-Message = 0x012000160410cc18e96bf6909c2fe2f185b7207c2811
        Message-Authenticator = 0x9cccd86e57512c5ebea735dd2c4b5766
        State = 0x95e1ebea95c1ef71bbd0a746eddfb07e
        EAP-Id = 32
        EAP-Code = Request
        EAP-Type-MD5-Challenge = 0x10cc18e96bf6909c2fe2f185b7207c2811
Transaction: 0, sending packet: 1 (id: 247)...
Sent Access-Request Id 247 from 0.0.0.0:16248 to 127.0.0.1:1812 length 123
        User-Name = "foobar"
        User-Password = "XXXXX"
        NAS-IP-Address = 192.168.3.22
        NAS-Port = 666
        Message-Authenticator = 0x00
        EAP-Code = Response
        EAP-Type-MD5-Challenge = 0x10ea04a9bf38cdd98629a7190157fc268b
        EAP-Id = 32
        State = 0x95e1ebea95c1ef71bbd0a746eddfb07e
        EAP-Message = 0x022000160410ea04a9bf38cdd98629a7190157fc268b
Transaction: 0, received packet (id: 247).
Received Access-Accept Id 247 from 127.0.0.1:1812 to 0.0.0.0:16248 length 75
        Cisco-AVPair = "ssid=vivat"
        EAP-Message = 0x03200004
        Message-Authenticator = 0x65764b79391e1dadd0ae0cab4a25d2a4
        User-Name = "foobar"
        EAP-Id = 32
        EAP-Code = Success
Main loop: done.

Everything is in place: Cisco-AVPair = "ssid=vivat" is present in Access-Accept message. But when it comes to the actual exchange with Cisco AP, it is present only in some messages, but not in the last Access-Accept message.

How to reproduce issue

Configure freeradius according to the https://wiki.freeradius.org/guide/SQL-HOWTO article. Add some users and groups. Try to restrict the user to join the specific SSID by setting the VSA cisco-avpair. Get the actual result: user is able to join just any SSID.

Output of [radiusd|freeradius] -X showing issue occurring

Final lines of the output below show that default site strips out the Cisco-AVPair message from a reply. It is unclear to me why. I asked in the mailing list but received no answer, so I think nobody know why this is happeningh, thus I am dealing with unexpected behaviour.

===Cut===
(89) session-state: No cached attributes
(89) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(89)   authorize {
(89)     policy filter_username {
(89)       if (!&User-Name) {
(89)       if (!&User-Name)  -> FALSE
(89)       if (&User-Name =~ / /) {
(89)       if (&User-Name =~ / /)  -> FALSE
(89)       if (&User-Name =~ /@.*@/ ) {
(89)       if (&User-Name =~ /@.*@/ )  -> FALSE
(89)       if (&User-Name =~ /\\.\\./ ) {
(89)       if (&User-Name =~ /\\.\\./ )  -> FALSE
(89)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))  {
(89)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))  
-> FALSE
(89)       if (&User-Name =~ /\\.$/)  {
(89)       if (&User-Name =~ /\\.$/)   -> FALSE
(89)       if (&User-Name =~ /@\\./)  {
(89)       if (&User-Name =~ /@\\./)   -> FALSE
(89)     } # policy filter_username = notfound
(89)     [preprocess] = ok
(89)     [chap] = noop
(89)     [mschap] = noop
(89)     [digest] = noop
(89) suffix: Checking for suffix after "@"
(89) suffix: No '@' in User-Name = "foobar", looking up realm NULL
(89) suffix: No such realm "NULL"
(89)     [suffix] = noop
(89) eap: Peer sent EAP Response (code 2) ID 10 length 107
(89) eap: Continuing tunnel setup
(89)     [eap] = ok
(89)   } # authorize = ok
(89) Found Auth-Type = eap
(89) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(89)   authenticate {
(89) eap: Expiring EAP session with state 0xe59bffd0e591e5ca
(89) eap: Finished EAP session with state 0x8fd58b5b87df9215
(89) eap: Previous EAP request found for state 0x8fd58b5b87df9215,
released from the list
(89) eap: Peer sent packet with method EAP PEAP (25)
(89) eap: Calling submodule eap_peap to process data
(89) eap_peap: Continuing EAP-TLS
(89) eap_peap: [eaptls verify] = ok
(89) eap_peap: Done initial handshake
(89) eap_peap: [eaptls process] = ok
(89) eap_peap: Session established.  Decoding tunneled attributes
(89) eap_peap: PEAP state phase2
(89) eap_peap: EAP method MSCHAPv2 (26)
(89) eap_peap: Got tunneled request
(89) eap_peap:   EAP-Message =
0x020a00461a020a00413164683e249719e1424a4f04aa609ee5610000000000000000d98c65626c0650346ebf7aa6c322f6bd97c564ad4a64afc1003839303238333234323133
(89) eap_peap: Setting User-Name to foobar
(89) eap_peap: Sending tunneled request to inner-tunnel
(89) eap_peap:   EAP-Message =
0x020a00461a020a00413164683e249719e1424a4f04aa609ee5610000000000000000d98c65626c0650346ebf7aa6c322f6bd97c564ad4a64afc1003839303238333234323133
(89) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(89) eap_peap:   User-Name = "foobar"
(89) eap_peap:   State = 0x6ba19a7c6bab8024eb49697d02fb30b2
(89) Virtual server inner-tunnel received request
(89)   EAP-Message =
0x020a00461a020a00413164683e249719e1424a4f04aa609ee5610000000000000000d98c65626c0650346ebf7aa6c322f6bd97c564ad4a64afc1003839303238333234323133
(89)   FreeRADIUS-Proxied-To = 127.0.0.1
(89)   User-Name = "foobar"
(89)   State = 0x6ba19a7c6bab8024eb49697d02fb30b2
(89) WARNING: Outer and inner identities are the same.  User privacy is
compromised.
(89) server inner-tunnel {
(89)   session-state: No cached attributes
(89)   # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(89)     authorize {
(89)       [chap] = noop
(89)       [mschap] = noop
(89) suffix: Checking for suffix after "@"
(89) suffix: No '@' in User-Name = "foobar", looking up realm NULL
(89) suffix: No such realm "NULL"
(89)       [suffix] = noop
(89)       update control {
(89)         Proxy-To-Realm := LOCAL
(89)       } # update control = noop
(89) eap: Peer sent EAP Response (code 2) ID 10 length 70
(89) eap: No EAP Start, assuming it's an on-going EAP conversation
(89)       [eap] = updated
(89)       [files] = noop
(89) sql: EXPAND %{User-Name}
(89) sql:    --> foobar
(89) sql: SQL-User-Name set to 'foobar'
rlm_sql (sql): Reserved connection (3)
(89) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck
WHERE Username = '%{SQL-User-Name}' ORDER BY id
(89) sql:    --> SELECT id, UserName, Attribute, Value, Op FROM radcheck
WHERE Username = 'foobar' ORDER BY id
(89) sql: Executing select query: SELECT id, UserName, Attribute, Value,
Op FROM radcheck WHERE Username = 'foobar' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
(89) sql: User found in radcheck table
(89) sql: Conditional check items matched, merging assignment check items
(89) sql:   Cleartext-Password := "XXXXX"
(89) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radreply
WHERE Username = '%{SQL-User-Name}' ORDER BY id
(89) sql:    --> SELECT id, UserName, Attribute, Value, Op FROM radreply
WHERE Username = 'foobar' ORDER BY id
(89) sql: Executing select query: SELECT id, UserName, Attribute, Value,
Op FROM radreply WHERE Username = 'foobar' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
(89) sql: EXPAND SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority
(89) sql:    --> SELECT GroupName FROM radusergroup WHERE
UserName='foobar' ORDER BY priority
(89) sql: Executing select query: SELECT GroupName FROM radusergroup
WHERE UserName='foobar' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
(89) sql: User found in the group table
(89) sql: EXPAND SELECT id, GroupName, Attribute, Value, op FROM
radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id
(89) sql:    --> SELECT id, GroupName, Attribute, Value, op FROM
radgroupcheck WHERE GroupName = 'public-wifi' ORDER BY id
(89) sql: Executing select query: SELECT id, GroupName, Attribute,
Value, op FROM radgroupcheck WHERE GroupName = 'public-wifi' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
(89) sql: Group "public-wifi": Conditional check items matched
(89) sql: Group "public-wifi": Merging assignment check items
(89) sql: EXPAND SELECT id, GroupName, Attribute, Value, op FROM
radgroupreply WHERE GroupName = '%{Sql-Group}' ORDER BY id
(89) sql:    --> SELECT id, GroupName, Attribute, Value, op FROM
radgroupreply WHERE GroupName = 'public-wifi' ORDER BY id
(89) sql: Executing select query: SELECT id, GroupName, Attribute,
Value, op FROM radgroupreply WHERE GroupName = 'public-wifi' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 2 , fields = 5
(89) sql: Group "public-wifi": Merging reply items
(89) sql:   Cisco-AVPair = "ssid=vivat"
(89) sql:   Simultaneous-Use := 1
rlm_sql (sql): Released connection (3)
(89)       [sql] = ok
(89)       [expiration] = noop
(89)       [logintime] = noop
(89) noresetcounter: WARNING: Couldn't find check attribute,
control:Max-All-Session, doing nothing...
(89)       [noresetcounter] = noop
(89) pap: WARNING: Auth-Type already set.  Not setting to PAP
(89)       [pap] = noop
(89)     } # authorize = updated
(89)   Found Auth-Type = eap
(89)   # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(89)     authenticate {
(89) eap: Expiring EAP session with state 0xe59bffd0e591e5ca
(89) eap: Finished EAP session with state 0x6ba19a7c6bab8024
(89) eap: Previous EAP request found for state 0x6ba19a7c6bab8024,
released from the list
(89) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(89) eap: Calling submodule eap_mschapv2 to process data
(89) eap_mschapv2: # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(89) eap_mschapv2:   Auth-Type MS-CHAP {
(89) mschap: Found Cleartext-Password, hashing to create NT-Password
(89) mschap: Found Cleartext-Password, hashing to create LM-Password
(89) mschap: Creating challenge hash with username: foobar
(89) mschap: Client is using MS-CHAPv2
(89) mschap: Adding MS-CHAPv2 MPPE keys
(89)     [mschap] = ok
(89)   } # Auth-Type MS-CHAP = ok
(89) MSCHAP Success
(89) eap: Sending EAP Request (code 1) ID 11 length 51
(89) eap: EAP session adding &reply:State = 0x6ba19a7c6aaa8024
(89)       [eap] = handled
(89)     } # authenticate = handled
(89) } # server inner-tunnel
(89) Virtual server sending reply
(89)   Cisco-AVPair = "ssid=vivat"
(89)   Simultaneous-Use = 1
(89)   EAP-Message =
0x010b00331a030a002e533d41443344413037333132463933303143393530353131383337313442324445464131393430423343
(89)   Message-Authenticator = 0x00000000000000000000000000000000
(89)   State = 0x6ba19a7c6aaa8024eb49697d02fb30b2
(89) eap_peap: Got tunneled reply code 11
(89) eap_peap:   Cisco-AVPair = "ssid=vivat"
(89) eap_peap:   Simultaneous-Use = 1
(89) eap_peap:   EAP-Message =
0x010b00331a030a002e533d41443344413037333132463933303143393530353131383337313442324445464131393430423343
(89) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(89) eap_peap:   State = 0x6ba19a7c6aaa8024eb49697d02fb30b2
(89) eap_peap: Got tunneled reply RADIUS code 11
(89) eap_peap:   Cisco-AVPair = "ssid=vivat"
(89) eap_peap:   Simultaneous-Use = 1
(89) eap_peap:   EAP-Message =
0x010b00331a030a002e533d41443344413037333132463933303143393530353131383337313442324445464131393430423343
(89) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(89) eap_peap:   State = 0x6ba19a7c6aaa8024eb49697d02fb30b2
(89) eap_peap: Got tunneled Access-Challenge
(89) eap: Sending EAP Request (code 1) ID 11 length 91
(89) eap: EAP session adding &reply:State = 0x8fd58b5b86de9215
(89)     [eap] = handled
(89)   } # authenticate = handled
(89) Using Post-Auth-Type Challenge
(89) Post-Auth-Type sub-section not found.  Ignoring.
(89) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(89) Sent Access-Challenge Id 254 from 192.168.6.144:1812 to
192.168.6.150:1645 length 0
(89)   EAP-Message =
0x010b005b19001703010050656716e02838a7522fcd13490f1dba51f91b56e37051fa10585c76459287436e8c326917890fcf38cf35cc531b729d4224a90bd8f9cb2ca2cf5ddc799baa5035360f255734b399a66285f3e608b95092
(89)   Message-Authenticator = 0x00000000000000000000000000000000
(89)   State = 0x8fd58b5b86de92156a8b280739c58aaf
(89) Finished request
Waking up in 4.8 seconds.
(90) Received Access-Request Id 255 from 192.168.6.150:1645 to
192.168.6.144:1812 length 251
(90)   User-Name = "foobar"
(90)   Framed-MTU = 1400
(90)   Called-Station-Id = "001f.ca27.9ea0"
(90)   Calling-Station-Id = "2c20.0b2a.a0c2"
(90)   Cisco-AVPair = "ssid=irma"
(90)   WISPr-Location-Name = "First floor, Hyper, Perm"
(90)   Service-Type = Login-User
(90)   Message-Authenticator = 0x856525b7e21a444be06ff736c2a08952
(90)   EAP-Message =
0x020b002b19001703010020da2c83c5e5598f4a88b319137aec7e134578362f376c816596640bad33010fde
(90)   NAS-Port-Type = Wireless-802.11
(90)   NAS-Port = 859591
(90)   NAS-Port-Id = "859591"
(90)   State = 0x8fd58b5b86de92156a8b280739c58aaf
(90)   NAS-IP-Address = 192.168.6.150
(90)   NAS-Identifier = "kosm65-hyper-ap1"
(90) session-state: No cached attributes
(90) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(90)   authorize {
(90)     policy filter_username {
(90)       if (!&User-Name) {
(90)       if (!&User-Name)  -> FALSE
(90)       if (&User-Name =~ / /) {
(90)       if (&User-Name =~ / /)  -> FALSE
(90)       if (&User-Name =~ /@.*@/ ) {
(90)       if (&User-Name =~ /@.*@/ )  -> FALSE
(90)       if (&User-Name =~ /\\.\\./ ) {
(90)       if (&User-Name =~ /\\.\\./ )  -> FALSE
(90)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))  {
(90)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))  
-> FALSE
(90)       if (&User-Name =~ /\\.$/)  {
(90)       if (&User-Name =~ /\\.$/)   -> FALSE
(90)       if (&User-Name =~ /@\\./)  {
(90)       if (&User-Name =~ /@\\./)   -> FALSE
(90)     } # policy filter_username = notfound
(90)     [preprocess] = ok
(90)     [chap] = noop
(90)     [mschap] = noop
(90)     [digest] = noop
(90) suffix: Checking for suffix after "@"
(90) suffix: No '@' in User-Name = "foobar", looking up realm NULL
(90) suffix: No such realm "NULL"
(90)     [suffix] = noop
(90) eap: Peer sent EAP Response (code 2) ID 11 length 43
(90) eap: Continuing tunnel setup
(90)     [eap] = ok
(90)   } # authorize = ok
(90) Found Auth-Type = eap
(90) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(90)   authenticate {
(90) eap: Expiring EAP session with state 0xe59bffd0e591e5ca
(90) eap: Finished EAP session with state 0x8fd58b5b86de9215
(90) eap: Previous EAP request found for state 0x8fd58b5b86de9215,
released from the list
(90) eap: Peer sent packet with method EAP PEAP (25)
(90) eap: Calling submodule eap_peap to process data
(90) eap_peap: Continuing EAP-TLS
(90) eap_peap: [eaptls verify] = ok
(90) eap_peap: Done initial handshake
(90) eap_peap: [eaptls process] = ok
(90) eap_peap: Session established.  Decoding tunneled attributes
(90) eap_peap: PEAP state phase2
(90) eap_peap: EAP method MSCHAPv2 (26)
(90) eap_peap: Got tunneled request
(90) eap_peap:   EAP-Message = 0x020b00061a03
(90) eap_peap: Setting User-Name to foobar
(90) eap_peap: Sending tunneled request to inner-tunnel
(90) eap_peap:   EAP-Message = 0x020b00061a03
(90) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(90) eap_peap:   User-Name = "foobar"
(90) eap_peap:   State = 0x6ba19a7c6aaa8024eb49697d02fb30b2
(90) Virtual server inner-tunnel received request
(90)   EAP-Message = 0x020b00061a03
(90)   FreeRADIUS-Proxied-To = 127.0.0.1
(90)   User-Name = "foobar"
(90)   State = 0x6ba19a7c6aaa8024eb49697d02fb30b2
(90) WARNING: Outer and inner identities are the same.  User privacy is
compromised.
(90) server inner-tunnel {
(90)   session-state: No cached attributes
(90)   # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(90)     authorize {
(90)       [chap] = noop
(90)       [mschap] = noop
(90) suffix: Checking for suffix after "@"
(90) suffix: No '@' in User-Name = "foobar", looking up realm NULL
(90) suffix: No such realm "NULL"
(90)       [suffix] = noop
(90)       update control {
(90)         Proxy-To-Realm := LOCAL
(90)       } # update control = noop
(90) eap: Peer sent EAP Response (code 2) ID 11 length 6
(90) eap: No EAP Start, assuming it's an on-going EAP conversation
(90)       [eap] = updated
(90)       [files] = noop
(90) sql: EXPAND %{User-Name}
(90) sql:    --> foobar
(90) sql: SQL-User-Name set to 'foobar'
rlm_sql (sql): Reserved connection (4)
(90) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck
WHERE Username = '%{SQL-User-Name}' ORDER BY id
(90) sql:    --> SELECT id, UserName, Attribute, Value, Op FROM radcheck
WHERE Username = 'foobar' ORDER BY id
(90) sql: Executing select query: SELECT id, UserName, Attribute, Value,
Op FROM radcheck WHERE Username = 'foobar' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
(90) sql: User found in radcheck table
(90) sql: Conditional check items matched, merging assignment check items
(90) sql:   Cleartext-Password := "XXXXX"
(90) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radreply
WHERE Username = '%{SQL-User-Name}' ORDER BY id
(90) sql:    --> SELECT id, UserName, Attribute, Value, Op FROM radreply
WHERE Username = 'foobar' ORDER BY id
(90) sql: Executing select query: SELECT id, UserName, Attribute, Value,
Op FROM radreply WHERE Username = 'foobar' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
(90) sql: EXPAND SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority
(90) sql:    --> SELECT GroupName FROM radusergroup WHERE
UserName='foobar' ORDER BY priority
(90) sql: Executing select query: SELECT GroupName FROM radusergroup
WHERE UserName='foobar' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
(90) sql: User found in the group table
(90) sql: EXPAND SELECT id, GroupName, Attribute, Value, op FROM
radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id
(90) sql:    --> SELECT id, GroupName, Attribute, Value, op FROM
radgroupcheck WHERE GroupName = 'public-wifi' ORDER BY id
(90) sql: Executing select query: SELECT id, GroupName, Attribute,
Value, op FROM radgroupcheck WHERE GroupName = 'public-wifi' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
(90) sql: Group "public-wifi": Conditional check items matched
(90) sql: Group "public-wifi": Merging assignment check items
(90) sql: EXPAND SELECT id, GroupName, Attribute, Value, op FROM
radgroupreply WHERE GroupName = '%{Sql-Group}' ORDER BY id
(90) sql:    --> SELECT id, GroupName, Attribute, Value, op FROM
radgroupreply WHERE GroupName = 'public-wifi' ORDER BY id
(90) sql: Executing select query: SELECT id, GroupName, Attribute,
Value, op FROM radgroupreply WHERE GroupName = 'public-wifi' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 2 , fields = 5
(90) sql: Group "public-wifi": Merging reply items
(90) sql:   Cisco-AVPair = "ssid=vivat"
(90) sql:   Simultaneous-Use := 1
rlm_sql (sql): Released connection (4)
(90)       [sql] = ok
(90)       [expiration] = noop
(90)       [logintime] = noop
(90) noresetcounter: WARNING: Couldn't find check attribute,
control:Max-All-Session, doing nothing...
(90)       [noresetcounter] = noop
(90) pap: WARNING: Auth-Type already set.  Not setting to PAP
(90)       [pap] = noop
(90)     } # authorize = updated
(90)   Found Auth-Type = eap
(90)   # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(90)     authenticate {
(90) eap: Expiring EAP session with state 0xe59bffd0e591e5ca
(90) eap: Finished EAP session with state 0x6ba19a7c6aaa8024
(90) eap: Previous EAP request found for state 0x6ba19a7c6aaa8024,
released from the list
(90) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(90) eap: Calling submodule eap_mschapv2 to process data
(90) eap: Sending EAP Success (code 3) ID 11 length 4
(90) eap: Freeing handler
(90)       [eap] = ok
(90)     } # authenticate = ok
(90)   # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(90)     post-auth {
(90) sql: EXPAND .query
(90) sql:    --> .query
(90) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (0)
(90) sql: EXPAND %{User-Name}
(90) sql:    --> foobar
(90) sql: SQL-User-Name set to 'foobar'
(90) sql: EXPAND INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}',
'%{reply:Packet-Type}', NOW())
(90) sql:    --> INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES('foobar', 'Chap-Password', 'Access-Accept', NOW())
(90) sql: Executing query: INSERT INTO radpostauth (username, pass,
reply, authdate) VALUES('foobar', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
(90) sql: SQL query returned: success
(90) sql: 1 record(s) updated
rlm_sql (sql): Released connection (0)
(90)       [sql] = ok
(90)     } # post-auth = ok
(90)   Login OK: [foobar] (from client kosm65-hyper-ap1 port 0 via TLS
tunnel)
(90) } # server inner-tunnel
(90) Virtual server sending reply
(90)   Cisco-AVPair = "ssid=vivat"
(90)   Simultaneous-Use = 1
(90)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(90)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(90)   MS-MPPE-Send-Key = 0x06b51149dd60a7dd863fbdf63d4e5aae
(90)   MS-MPPE-Recv-Key = 0x2aa6f2b25652dbed7cc71d010c2ba3b0
(90)   EAP-Message = 0x030b0004
(90)   Message-Authenticator = 0x00000000000000000000000000000000
(90)   User-Name = "foobar"
(90) eap_peap: Got tunneled reply code 2
(90) eap_peap:   Cisco-AVPair = "ssid=vivat"
(90) eap_peap:   Simultaneous-Use = 1
(90) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(90) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(90) eap_peap:   MS-MPPE-Send-Key = 0x06b51149dd60a7dd863fbdf63d4e5aae
(90) eap_peap:   MS-MPPE-Recv-Key = 0x2aa6f2b25652dbed7cc71d010c2ba3b0
(90) eap_peap:   EAP-Message = 0x030b0004
(90) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(90) eap_peap:   User-Name = "foobar"
(90) eap_peap: Got tunneled reply RADIUS code 2
(90) eap_peap:   Cisco-AVPair = "ssid=vivat"
(90) eap_peap:   Simultaneous-Use = 1
(90) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(90) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(90) eap_peap:   MS-MPPE-Send-Key = 0x06b51149dd60a7dd863fbdf63d4e5aae
(90) eap_peap:   MS-MPPE-Recv-Key = 0x2aa6f2b25652dbed7cc71d010c2ba3b0
(90) eap_peap:   EAP-Message = 0x030b0004
(90) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(90) eap_peap:   User-Name = "foobar"
(90) eap_peap: Tunneled authentication was successful
(90) eap_peap: SUCCESS
(90) eap: Sending EAP Request (code 1) ID 12 length 43
(90) eap: EAP session adding &reply:State = 0x8fd58b5b85d99215
(90)     [eap] = handled
(90)   } # authenticate = handled
(90) Using Post-Auth-Type Challenge
(90) Post-Auth-Type sub-section not found.  Ignoring.
(90) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(90) Sent Access-Challenge Id 255 from 192.168.6.144:1812 to
192.168.6.150:1645 length 0
(90)   EAP-Message =
0x010c002b19001703010020e91613a106bb295cae7b0a87d027ebd712cc411de499bb18808b90b53cc2f15e
(90)   Message-Authenticator = 0x00000000000000000000000000000000
(90)   State = 0x8fd58b5b85d992156a8b280739c58aaf
(90) Finished request
Waking up in 4.7 seconds.
(91) Received Access-Request Id 0 from 192.168.6.150:1645 to
192.168.6.144:1812 length 251
(91)   User-Name = "foobar"
(91)   Framed-MTU = 1400
(91)   Called-Station-Id = "001f.ca27.9ea0"
(91)   Calling-Station-Id = "2c20.0b2a.a0c2"
(91)   Cisco-AVPair = "ssid=irma"
(91)   WISPr-Location-Name = "First floor, Hyper, Perm"
(91)   Service-Type = Login-User
(91)   Message-Authenticator = 0x3154a2b0721aee2ca63c2e6768d81709
(91)   EAP-Message =
0x020c002b19001703010020ff094574edca9264a4ba9029f063f398dab865c21940041c73d7f143fc9a963b
(91)   NAS-Port-Type = Wireless-802.11
(91)   NAS-Port = 859591
(91)   NAS-Port-Id = "859591"
(91)   State = 0x8fd58b5b85d992156a8b280739c58aaf
(91)   NAS-IP-Address = 192.168.6.150
(91)   NAS-Identifier = "kosm65-hyper-ap1"
(91) session-state: No cached attributes
(91) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(91)   authorize {
(91)     policy filter_username {
(91)       if (!&User-Name) {
(91)       if (!&User-Name)  -> FALSE
(91)       if (&User-Name =~ / /) {
(91)       if (&User-Name =~ / /)  -> FALSE
(91)       if (&User-Name =~ /@.*@/ ) {
(91)       if (&User-Name =~ /@.*@/ )  -> FALSE
(91)       if (&User-Name =~ /\\.\\./ ) {
(91)       if (&User-Name =~ /\\.\\./ )  -> FALSE
(91)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))  {
(91)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))  
-> FALSE
(91)       if (&User-Name =~ /\\.$/)  {
(91)       if (&User-Name =~ /\\.$/)   -> FALSE
(91)       if (&User-Name =~ /@\\./)  {
(91)       if (&User-Name =~ /@\\./)   -> FALSE
(91)     } # policy filter_username = notfound
(91)     [preprocess] = ok
(91)     [chap] = noop
(91)     [mschap] = noop
(91)     [digest] = noop
(91) suffix: Checking for suffix after "@"
(91) suffix: No '@' in User-Name = "foobar", looking up realm NULL
(91) suffix: No such realm "NULL"
(91)     [suffix] = noop
(91) eap: Peer sent EAP Response (code 2) ID 12 length 43
(91) eap: Continuing tunnel setup
(91)     [eap] = ok
(91)   } # authorize = ok
(91) Found Auth-Type = eap
(91) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(91)   authenticate {
(91) eap: Expiring EAP session with state 0xe59bffd0e591e5ca
(91) eap: Finished EAP session with state 0x8fd58b5b85d99215
(91) eap: Previous EAP request found for state 0x8fd58b5b85d99215,
released from the list
(91) eap: Peer sent packet with method EAP PEAP (25)
(91) eap: Calling submodule eap_peap to process data
(91) eap_peap: Continuing EAP-TLS
(91) eap_peap: [eaptls verify] = ok
(91) eap_peap: Done initial handshake
(91) eap_peap: [eaptls process] = ok
(91) eap_peap: Session established.  Decoding tunneled attributes
(91) eap_peap: PEAP state send tlv success
(91) eap_peap: Received EAP-TLV response
(91) eap_peap: Success
(91) eap_peap: No information to cache: session caching will be disabled
for session 85f521474efac4e2d92b4333ade31b11457b502efa6f66a4fe382c1035a654ca
(91) eap: Sending EAP Success (code 3) ID 12 length 4
(91) eap: Freeing handler
(91)     [eap] = ok
(91)   } # authenticate = ok
(91) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
(91)   post-auth {
(91) sql: EXPAND .query
(91) sql:    --> .query
(91) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (5)
(91) sql: EXPAND %{User-Name}
(91) sql:    --> foobar
(91) sql: SQL-User-Name set to 'foobar'
(91) sql: EXPAND INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}',
'%{reply:Packet-Type}', NOW())
(91) sql:    --> INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES('foobar', 'Chap-Password', 'Access-Accept', NOW())
(91) sql: Executing query: INSERT INTO radpostauth (username, pass,
reply, authdate) VALUES('foobar', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
(91) sql: SQL query returned: success
(91) sql: 1 record(s) updated
rlm_sql (sql): Released connection (5)
(91)     [sql] = ok
(91)     [exec] = noop
(91)     policy remove_reply_message_if_eap {
(91)       if (&reply:EAP-Message && &reply:Reply-Message) {
(91)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(91)       else {
(91)         [noop] = noop
(91)       } # else = noop
(91)     } # policy remove_reply_message_if_eap = noop
(91)   } # post-auth = ok
(91) Login OK: [foobar] (from client kosm65-hyper-ap1 port 859591 cli
2c20.0b2a.a0c2)
(91) Sent Access-Accept Id 0 from 192.168.6.144:1812 to
192.168.6.150:1645 length 0
(91)   MS-MPPE-Recv-Key =
0xc82a301b5b4493b1aea74d7f93996bec688a0dfe8c4858989d4dca2e2d8436f0
(91)   MS-MPPE-Send-Key =
0x1abe38ea076f9ba252e4bd2d42bb73aa9ad2ae4812b80b808e496b4c7e80e1aa
(91)   EAP-Message = 0x030c0004
(91)   Message-Authenticator = 0x00000000000000000000000000000000
(91)   User-Name = "foobar"
(91) Finished request
Waking up in 4.7 seconds.

[drook]

Just to prove that it's not my configs/unlang statements are broken, I've installed a freeradius 3.0.11 on a separated server, plugged it into the same database as the production one, configured it's files and this issue was reproduced. Seems like for some reason it affects only EAP exchange, at least I got this impression.

[alanbuxey]

1) you are testing with md5 - dont, its not what the client is doing, use eg eapol_test (part of wpa_supplicant) to do an PEAP test like your client.

2) the AVPair SSID is being set in inner-tunnel.... the reply the AP sees is the outer tunnel (inner tunnel goes back to client) - so you need to copy the inner-tunnel SSID attribute to the outer tunnel. read the inner-tunnel config and you will clearly see the 2 parts of the config that you need to enable for this - in the old server this was copy_request_to_outer or somesuch...thats old/dead, use the new method now.,

On 9 November 2016 at 09:07, drook notifications@github.com wrote:

Just to prove that it's not my configs/unlang statements are broken, I've installed a freeradius 3.0.11 on a separated server, plugged it into the same database as the production one, configured it's files and this issue was reproduced. Seems like for some reason it affects only EAP exchange, at least I got this impression.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/FreeRADIUS/freeradius-server/issues/1833#issuecomment-259365168, or mute the thread https://github.com/notifications/unsubscribe-auth/ACE-VfgESx4woAXyRIHxoFzzCmNLb5LMks5q8Y1AgaJpZM4KtL_S .

[drook]

@alanbuxey Google finds 0 (zero) occurences of _copy_request_toouter, and I don't see anything appropriate neither in inner-tunnel configuration, nor in default. Could you please demystify your comment and explicitly point me at the configuration directive that does the copying ?

[drook]

Found it. It's _use_tunneledreply, and it's in the eap module, not in the _innertunnel, or default site configuration. Thanks, but ... nah, nevermind. Just thanks.

[alanbuxey]

if you read the files (virtual server and eap module config) its all quite clear. you dont pay me for support so you get not 100% perfect replies.

in peap, you have copy_request_to_tunnel (to get things from outer to inner), and use_tunneled_reply (to copy from outer to inner). however, as noted, in 3.0.x you dont do this, instead, read inner-tunnel and enable these lines

#

Instead of "use_tunneled_reply", uncomment the

next two "update" blocks.

#

update {

&outer.session-state: += &reply:

}

#

These attributes are for the inner session only.

They MUST NOT be sent in the outer reply.

#

If you uncomment the previous block and leave

this one commented out, WiFi WILL NOT WORK,

because the client will get two MS-MPPE-keys

#

update outer.session-state {

MS-MPPE-Encryption-Policy !* ANY

MS-MPPE-Encryption-Types !* ANY

MS-MPPE-Send-Key !* ANY

MS-MPPE-Recv-Key !* ANY

Message-Authenticator !* ANY

EAP-Message !* ANY

Proxy-State !* ANY

}

On 10 November 2016 at 04:59, drook notifications@github.com wrote:

Found it. It's _use_tunneledreply, and it's in the eap module, not in the _innertunnel, or default site configuration. Thanks, but there's something wrong with your memory. Like really. :)

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/FreeRADIUS/freeradius-server/issues/1833#issuecomment-259601961, or mute the thread https://github.com/notifications/unsubscribe-auth/ACE-VQ_0atCfYCvSU5ezL1ye7z6bHkk9ks5q8qSygaJpZM4KtL_S .

[drook]

@alanbuxey

It also says, that

If you need to send a reply attribute in the outer session, the ONLY safe way is to set "use_tunneled_reply = yes", and then update the inner-tunnel reply.

[alanbuxey]

depends on what you want to do - the basic rule in the new method copies ALL the stuff from inner to outer....which is exactly what the old code does..... but anyone caring about security/safety would ensure that they are using the attribute filter anyway to strip out all but the required :)

On 11 November 2016 at 11:40, drook notifications@github.com wrote:

@alanbuxey https://github.com/alanbuxey

It also says, that

If you need to send a reply attribute in the outer session, the ONLY safe way is to set "use_tunneled_reply = yes", and then update the inner-tunnel reply.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/FreeRADIUS/freeradius-server/issues/1833#issuecomment-259940188, or mute the thread https://github.com/notifications/unsubscribe-auth/ACE-VYXt9vKUAmKVfxXTq4nmrYXzVq5bks5q9FQ0gaJpZM4KtL_S .