Semantics of !~ operator
Gerald Vogt
vogt at spamcop.net
Tue Apr 28 19:18:35 CEST 2015
On 28.04.15 17:25, Stefan Paetow wrote:
>> Do you need me to test it with Called-Station-SSID as well to
>> verify that this syntax works unlike the other?
> Alan and Arran always request the *full* output of 'radiusd -X' for a
> good reason... just copying and pasting what you might consider
> relevant is not always necessarily what they need to diagnose whether
> this is a bug or not.
I thought it has been established it is a bug.
> So, suggestion is:
>
> 1. Run one radiusd -X output with the standard Called-Station-SSID
> that you believe does not work.
>
> 2. Run one radiusd -X output with your policy that you say works.
I don't need two runs for that. I can put all three ways to address the
outer Called-Station-SSID in a single section.
> Post both (and that includes *everything* from the version line at
> the top of the initial output to the return of the final
> Access-Accept or Access-Reject).
>
> If there are any passwords, radiusd -X usually removes them, but you
> might wish to grep for any passwords you know you are using and
> replace them with '<< password >>' or similar.
>
> That way Alan can look at your configuration and check whether
> something's wrong, and where he may need to start looking.
I have attached the full output of a test run of a eap-peap
authentication from a new CentOS 7 freeradius-3.0.4-6.el7.x86_64
installation.
As you can see outer.request:Called-Station-SSID and
outer.Called-Station-SSID don't return anything but
"%{outer.request:Called-Station-SSID}" does.
There are only three differences to the configuration files from the
distribution:
Added to the end of users -> ./mods-config/files/authorize:
bob Cleartext-Password := "hello"
Reply-Message := "Hello, %{User-Name}"
*** sites-available/default 2015-03-06 00:41:49.000000000 +0100
--- sites-enabled/default 2015-04-28 18:04:58.954102428 +0200
***************
*** 331,336 ****
--- 331,338 ----
suffix
# ntdomain
+ rewrite_called_station_id
+
#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
***************
*** 517,522 ****
--- 519,526 ----
preacct {
preprocess
+ rewrite_called_station_id
+
#
# Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
# into a single 64bit counter Acct-[Input|Output]-Octets64.
*** sites-available/inner-tunnel 2015-03-06 00:41:49.000000000 +0100
--- sites-enabled/inner-tunnel 2015-04-28 18:09:32.427065903 +0200
***************
*** 46,51 ****
--- 46,76 ----
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
+ update request {
+ Called-Station-SSID := outer.request:Called-Station-SSID
+ }
+ if ( Called-Station-SSID ) {
+ update reply {
+ Reply-Message += "1: Called-Station-SSID = %{Called-Station-SSID}"
+ }
+ }
+ update request {
+ Called-Station-SSID := outer.Called-Station-SSID
+ }
+ if ( Called-Station-SSID ) {
+ update reply {
+ Reply-Message += "2: Called-Station-SSID = %{Called-Station-SSID}"
+ }
+ }
+ update request {
+ Called-Station-SSID := "%{outer.request:Called-Station-SSID}"
+ }
+ if ( Called-Station-SSID ) {
+ update reply {
+ Reply-Message += "3: Called-Station-SSID = %{Called-Station-SSID}"
+ }
+ }
+
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
-Gerald
-------------- next part --------------
radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu, built on Mar 5 2015 at 23:41:36
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/utf8
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
radiusd: #### Instantiating modules ####
instantiate {
}
modules {
# Loaded module rlm_always
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Loaded module rlm_cache
# Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 16384
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Instantiating module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_detail
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Loaded module rlm_dhcp
# Instantiating module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_digest
# Instantiating module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Instantiating module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 1024
}
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = yes
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Loaded module rlm_exec
# Instantiating module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
# Loaded module rlm_files
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
usersfile = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
compat = "cistron"
}
reading pairlist file /etc/raddb/mods-config/files/authorize
[/etc/raddb/mods-config/files/authorize]:184 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:191 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:198 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:224 Cistron compatibility checks for entry bob ...
reading pairlist file /etc/raddb/mods-config/files/authorize
[/etc/raddb/mods-config/files/authorize]:184 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:191 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:198 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:224 Cistron compatibility checks for entry bob ...
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Loaded module rlm_linelog
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{Packet-Type}:-default}"
}
# Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Instantiating module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Loaded module rlm_radutmp
# Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Instantiating module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Instantiating module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Instantiating module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Instantiating module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
# Loaded module rlm_unpack
# Instantiating module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Creating Auth-Type = digest
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address :: port 1812 as server default
Listening on acct address :: port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 43735
Ready to process requests
Received Access-Request Id 0 from 127.0.0.1:49928 to 127.0.0.1:1812 length 176
User-Name = 'anonymous at example.org'
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
Called-Station-Id = '11-22-33-44-55-66:MYSSID'
NAS-IP-Address = 10.25.1.111
EAP-Message = 0x0200001a01616e6f6e796d6f7573406578616d706c652e6f7267
Message-Authenticator = 0x328f4a5ee0acfda22ead0492a609ce10
(0) Received Access-Request packet from host 127.0.0.1 port 49928, id=0, length=176
(0) User-Name = 'anonymous at example.org'
(0) Calling-Station-Id = '02-00-00-00-00-01'
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = 'CONNECT 11Mbps 802.11b'
(0) Called-Station-Id = '11-22-33-44-55-66:MYSSID'
(0) NAS-IP-Address = 10.25.1.111
(0) EAP-Message = 0x0200001a01616e6f6e796d6f7573406578616d706c652e6f7267
(0) Message-Authenticator = 0x328f4a5ee0acfda22ead0492a609ce10
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ )
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\\.$/)
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /@\\./)
(0) if (&User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : Looking up realm "example.org" for User-Name = "anonymous at example.org"
(0) suffix : No such realm "example.org"
(0) [suffix] = noop
(0) rewrite_called_station_id rewrite_called_station_id {
(0) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(0) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(0) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(0) update request {
(0) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(0) --> 11-22-33-44-55-66
(0) Called-Station-Id := "11-22-33-44-55-66"
(0) } # update request = noop
(0) if ("%{8}")
(0) EXPAND %{8}
(0) --> MYSSID
(0) if ("%{8}") -> TRUE
(0) if ("%{8}") {
(0) update request {
(0) EXPAND %{8}
(0) --> MYSSID
(0) Called-Station-SSID := "MYSSID"
(0) } # update request = noop
(0) } # if ("%{8}") = noop
(0) [updated] = updated
(0) } # if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) = updated
(0) ... skipping else for request 0: Preceding "if" was taken
(0) } # rewrite_called_station_id rewrite_called_station_id = updated
(0) eap : Peer sent code Response (2) ID 0 length 26
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap : Peer sent method Identity (1)
(0) eap : Calling eap_md5 to process EAP data
(0) eap_md5 : Issuing MD5 Challenge
(0) eap : New EAP session, adding 'State' attribute to reply 0x3d62e2663d63e649
(0) [eap] = handled
(0) } # authenticate = handled
(0) Sending Access-Challenge packet to host 127.0.0.1 port 49928, id=0, length=0
(0) EAP-Message = 0x01010016041014288be64eb5cef0bd1a70e979060a18
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x3d62e2663d63e649fb970e950ea563ac
Sending Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:49928
EAP-Message = 0x01010016041014288be64eb5cef0bd1a70e979060a18
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d62e2663d63e649fb970e950ea563ac
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 1 from 127.0.0.1:49928 to 127.0.0.1:1812 length 174
User-Name = 'anonymous at example.org'
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
Called-Station-Id = '11-22-33-44-55-66:MYSSID'
NAS-IP-Address = 10.25.1.111
EAP-Message = 0x020100060319
State = 0x3d62e2663d63e649fb970e950ea563ac
Message-Authenticator = 0xcb7ff3993c4e8d75286f7aa8030ba75f
(1) Received Access-Request packet from host 127.0.0.1 port 49928, id=1, length=174
(1) User-Name = 'anonymous at example.org'
(1) Calling-Station-Id = '02-00-00-00-00-01'
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = 'CONNECT 11Mbps 802.11b'
(1) Called-Station-Id = '11-22-33-44-55-66:MYSSID'
(1) NAS-IP-Address = 10.25.1.111
(1) EAP-Message = 0x020100060319
(1) State = 0x3d62e2663d63e649fb970e950ea563ac
(1) Message-Authenticator = 0xcb7ff3993c4e8d75286f7aa8030ba75f
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) if (!&User-Name)
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /)
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ )
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\\.\\./ )
(1) if (&User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\\.$/)
(1) if (&User-Name =~ /\\.$/) -> FALSE
(1) if (&User-Name =~ /@\\./)
(1) if (&User-Name =~ /@\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : Checking for suffix after "@"
(1) suffix : Looking up realm "example.org" for User-Name = "anonymous at example.org"
(1) suffix : No such realm "example.org"
(1) [suffix] = noop
(1) rewrite_called_station_id rewrite_called_station_id {
(1) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(1) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(1) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(1) update request {
(1) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(1) --> 11-22-33-44-55-66
(1) Called-Station-Id := "11-22-33-44-55-66"
(1) } # update request = noop
(1) if ("%{8}")
(1) EXPAND %{8}
(1) --> MYSSID
(1) if ("%{8}") -> TRUE
(1) if ("%{8}") {
(1) update request {
(1) EXPAND %{8}
(1) --> MYSSID
(1) Called-Station-SSID := "MYSSID"
(1) } # update request = noop
(1) } # if ("%{8}") = noop
(1) [updated] = updated
(1) } # if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) = updated
(1) ... skipping else for request 1: Preceding "if" was taken
(1) } # rewrite_called_station_id rewrite_called_station_id = updated
(1) eap : Peer sent code Response (2) ID 1 length 6
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(1) WARNING: pap : Authentication will fail unless a "known good" password is available
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap : Expiring EAP session with state 0x3d62e2663d63e649
(1) eap : Finished EAP session with state 0x3d62e2663d63e649
(1) eap : Previous EAP request found for state 0x3d62e2663d63e649, released from the list
(1) eap : Peer sent method NAK (3)
(1) eap : Found mutually acceptable type PEAP (25)
(1) eap : Calling eap_peap to process EAP data
(1) eap_peap : Flushing SSL sessions (of #0)
(1) eap_peap : Initiate
(1) eap_peap : Start returned 1
(1) eap : New EAP session, adding 'State' attribute to reply 0x3d62e2663c60fb49
(1) [eap] = handled
(1) } # authenticate = handled
(1) Sending Access-Challenge packet to host 127.0.0.1 port 49928, id=1, length=0
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x3d62e2663c60fb49fb970e950ea563ac
Sending Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:49928
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d62e2663c60fb49fb970e950ea563ac
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 2 from 127.0.0.1:49928 to 127.0.0.1:1812 length 329
User-Name = 'anonymous at example.org'
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
Called-Station-Id = '11-22-33-44-55-66:MYSSID'
NAS-IP-Address = 10.25.1.111
EAP-Message = 0x020200a119800000009716030100920100008e0301553fbd3c23a94c33030a3fea1a032c4a6b182e938fedec4284730281a896e8bc00004cc014c00a0039003800880087c00fc00500350084c013c00900330032c012c008009a00990045004400160013c00ec004c00dc003002f00960041000a0007c011c007c00cc0020005000400ff01000019000b000403000102000a00080006001900180017000f000101
State = 0x3d62e2663c60fb49fb970e950ea563ac
Message-Authenticator = 0xcf26165d10c2fc89d83c14c043c717dc
(2) Received Access-Request packet from host 127.0.0.1 port 49928, id=2, length=329
(2) User-Name = 'anonymous at example.org'
(2) Calling-Station-Id = '02-00-00-00-00-01'
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = 'CONNECT 11Mbps 802.11b'
(2) Called-Station-Id = '11-22-33-44-55-66:MYSSID'
(2) NAS-IP-Address = 10.25.1.111
(2) EAP-Message = 0x020200a119800000009716030100920100008e0301553fbd3c23a94c33030a3fea1a032c4a6b182e938fedec4284730281a896e8bc00004cc014c00a0039003800880087c00fc00500350084c013c00900330032c012c008009a00990045004400160013c00ec004c00dc003002f00960041000a0007c011c007c00cc0020005000400ff01000019000b000403000102000a00080006001900180017000f000101
(2) State = 0x3d62e2663c60fb49fb970e950ea563ac
(2) Message-Authenticator = 0xcf26165d10c2fc89d83c14c043c717dc
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) filter_username filter_username {
(2) if (!&User-Name)
(2) if (!&User-Name) -> FALSE
(2) if (&User-Name =~ / /)
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@.*@/ )
(2) if (&User-Name =~ /@.*@/ ) -> FALSE
(2) if (&User-Name =~ /\\.\\./ )
(2) if (&User-Name =~ /\\.\\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\\.$/)
(2) if (&User-Name =~ /\\.$/) -> FALSE
(2) if (&User-Name =~ /@\\./)
(2) if (&User-Name =~ /@\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix : Checking for suffix after "@"
(2) suffix : Looking up realm "example.org" for User-Name = "anonymous at example.org"
(2) suffix : No such realm "example.org"
(2) [suffix] = noop
(2) rewrite_called_station_id rewrite_called_station_id {
(2) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(2) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(2) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(2) update request {
(2) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(2) --> 11-22-33-44-55-66
(2) Called-Station-Id := "11-22-33-44-55-66"
(2) } # update request = noop
(2) if ("%{8}")
(2) EXPAND %{8}
(2) --> MYSSID
(2) if ("%{8}") -> TRUE
(2) if ("%{8}") {
(2) update request {
(2) EXPAND %{8}
(2) --> MYSSID
(2) Called-Station-SSID := "MYSSID"
(2) } # update request = noop
(2) } # if ("%{8}") = noop
(2) [updated] = updated
(2) } # if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) = updated
(2) ... skipping else for request 2: Preceding "if" was taken
(2) } # rewrite_called_station_id rewrite_called_station_id = updated
(2) eap : Peer sent code Response (2) ID 2 length 161
(2) eap : Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap : Expiring EAP session with state 0x3d62e2663c60fb49
(2) eap : Finished EAP session with state 0x3d62e2663c60fb49
(2) eap : Previous EAP request found for state 0x3d62e2663c60fb49, released from the list
(2) eap : Peer sent method PEAP (25)
(2) eap : EAP PEAP (25)
(2) eap : Calling eap_peap to process EAP data
(2) eap_peap : processing EAP-TLS
TLS Length 151
(2) eap_peap : Length Included
(2) eap_peap : eaptls_verify returned 11
(2) eap_peap : (other): before/accept initialization
(2) eap_peap : TLS_accept: before/accept initialization
(2) eap_peap : <<< TLS 1.0 Handshake [length 0092], ClientHello
(2) eap_peap : TLS_accept: SSLv3 read client hello A
(2) eap_peap : >>> TLS 1.0 Handshake [length 005e], ServerHello
(2) eap_peap : TLS_accept: SSLv3 write server hello A
(2) eap_peap : >>> TLS 1.0 Handshake [length 08d0], Certificate
(2) eap_peap : TLS_accept: SSLv3 write certificate A
(2) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2) eap_peap : TLS_accept: SSLv3 write key exchange A
(2) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(2) eap_peap : TLS_accept: SSLv3 write server done A
(2) eap_peap : TLS_accept: SSLv3 flush data
(2) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(2) eap_peap : eaptls_process returned 13
(2) eap_peap : FR_TLS_HANDLED
(2) eap : New EAP session, adding 'State' attribute to reply 0x3d62e2663f61fb49
(2) [eap] = handled
(2) } # authenticate = handled
(2) Sending Access-Challenge packet to host 127.0.0.1 port 49928, id=2, length=0
(2) EAP-Message = 0x010303ec19c000000a91160301005e0200005a0301553fbd3c43081aa9ae73af57b004ce19a3507ec94d3a4b538d832c6f66999bf2201adc6b3a3533d5aeac66d7621b9a27d4590629dfbc0e557456184e66fd5cf6d2c014000012ff01000100000b000403000102000f00010116030108d00b0008cc0008c90003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303432383135353533305a170d3135303632373135353533305a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c92eb9f81d6610
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x3d62e2663f61fb49fb970e950ea563ac
Sending Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:49928
EAP-Message = 0x010303ec19c000000a91160301005e0200005a0301553fbd3c43081aa9ae73af57b004ce19a3507ec94d3a4b538d832c6f66999bf2201adc6b3a3533d5aeac66d7621b9a27d4590629dfbc0e557456184e66fd5cf6d2c014000012ff01000100000b000403000102000f00010116030108d00b0008cc0008c90003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303432383135353533305a170d3135303632373135353533305a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c92eb9f81d661
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d62e2663f61fb49fb970e950ea563ac
(2) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 3 from 127.0.0.1:49928 to 127.0.0.1:1812 length 174
User-Name = 'anonymous at example.org'
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
Called-Station-Id = '11-22-33-44-55-66:MYSSID'
NAS-IP-Address = 10.25.1.111
EAP-Message = 0x020300061900
State = 0x3d62e2663f61fb49fb970e950ea563ac
Message-Authenticator = 0x1fa2923634d00fef99dea11ba9c426f9
(3) Received Access-Request packet from host 127.0.0.1 port 49928, id=3, length=174
(3) User-Name = 'anonymous at example.org'
(3) Calling-Station-Id = '02-00-00-00-00-01'
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Connect-Info = 'CONNECT 11Mbps 802.11b'
(3) Called-Station-Id = '11-22-33-44-55-66:MYSSID'
(3) NAS-IP-Address = 10.25.1.111
(3) EAP-Message = 0x020300061900
(3) State = 0x3d62e2663f61fb49fb970e950ea563ac
(3) Message-Authenticator = 0x1fa2923634d00fef99dea11ba9c426f9
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) filter_username filter_username {
(3) if (!&User-Name)
(3) if (!&User-Name) -> FALSE
(3) if (&User-Name =~ / /)
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@.*@/ )
(3) if (&User-Name =~ /@.*@/ ) -> FALSE
(3) if (&User-Name =~ /\\.\\./ )
(3) if (&User-Name =~ /\\.\\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\\.$/)
(3) if (&User-Name =~ /\\.$/) -> FALSE
(3) if (&User-Name =~ /@\\./)
(3) if (&User-Name =~ /@\\./) -> FALSE
(3) } # filter_username filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix : Checking for suffix after "@"
(3) suffix : Looking up realm "example.org" for User-Name = "anonymous at example.org"
(3) suffix : No such realm "example.org"
(3) [suffix] = noop
(3) rewrite_called_station_id rewrite_called_station_id {
(3) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(3) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(3) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(3) update request {
(3) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(3) --> 11-22-33-44-55-66
(3) Called-Station-Id := "11-22-33-44-55-66"
(3) } # update request = noop
(3) if ("%{8}")
(3) EXPAND %{8}
(3) --> MYSSID
(3) if ("%{8}") -> TRUE
(3) if ("%{8}") {
(3) update request {
(3) EXPAND %{8}
(3) --> MYSSID
(3) Called-Station-SSID := "MYSSID"
(3) } # update request = noop
(3) } # if ("%{8}") = noop
(3) [updated] = updated
(3) } # if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) = updated
(3) ... skipping else for request 3: Preceding "if" was taken
(3) } # rewrite_called_station_id rewrite_called_station_id = updated
(3) eap : Peer sent code Response (2) ID 3 length 6
(3) eap : Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap : Expiring EAP session with state 0x3d62e2663f61fb49
(3) eap : Finished EAP session with state 0x3d62e2663f61fb49
(3) eap : Previous EAP request found for state 0x3d62e2663f61fb49, released from the list
(3) eap : Peer sent method PEAP (25)
(3) eap : EAP PEAP (25)
(3) eap : Calling eap_peap to process EAP data
(3) eap_peap : processing EAP-TLS
(3) eap_peap : Received TLS ACK
(3) eap_peap : Received TLS ACK
(3) eap_peap : ACK handshake fragment handler
(3) eap_peap : eaptls_verify returned 1
(3) eap_peap : eaptls_process returned 13
(3) eap_peap : FR_TLS_HANDLED
(3) eap : New EAP session, adding 'State' attribute to reply 0x3d62e2663e66fb49
(3) [eap] = handled
(3) } # authenticate = handled
(3) Sending Access-Challenge packet to host 127.0.0.1 port 49928, id=3, length=0
(3) EAP-Message = 0x010403e819408db908a889047f5402ecc68bba25d7f79d371de8cc1dcb2f06ae312184096654ea7648bd72476d3a3330449de24cb4a5a9218841d0d940ad85fbe96ee8e6ea4b76a40e5b52f058adad941722e7d4e7c4c61e16ccf0e11a39654ed149c65575572e53b29b7d32f7715e18ae209d7b0004e5308204e1308203c9a003020102020900fa7f9d18e5180a3a300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303432383135353533305a170d3135303632373135353533305a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f7
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x3d62e2663e66fb49fb970e950ea563ac
Sending Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:49928
EAP-Message = 0x010403e819408db908a889047f5402ecc68bba25d7f79d371de8cc1dcb2f06ae312184096654ea7648bd72476d3a3330449de24cb4a5a9218841d0d940ad85fbe96ee8e6ea4b76a40e5b52f058adad941722e7d4e7c4c61e16ccf0e11a39654ed149c65575572e53b29b7d32f7715e18ae209d7b0004e5308204e1308203c9a003020102020900fa7f9d18e5180a3a300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303432383135353533305a170d3135303632373135353533305a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d62e2663e66fb49fb970e950ea563ac
(3) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 4 from 127.0.0.1:49928 to 127.0.0.1:1812 length 174
User-Name = 'anonymous at example.org'
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
Called-Station-Id = '11-22-33-44-55-66:MYSSID'
NAS-IP-Address = 10.25.1.111
EAP-Message = 0x020400061900
State = 0x3d62e2663e66fb49fb970e950ea563ac
Message-Authenticator = 0x9538bcd7d906f28c29f18980182bd674
(4) Received Access-Request packet from host 127.0.0.1 port 49928, id=4, length=174
(4) User-Name = 'anonymous at example.org'
(4) Calling-Station-Id = '02-00-00-00-00-01'
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Connect-Info = 'CONNECT 11Mbps 802.11b'
(4) Called-Station-Id = '11-22-33-44-55-66:MYSSID'
(4) NAS-IP-Address = 10.25.1.111
(4) EAP-Message = 0x020400061900
(4) State = 0x3d62e2663e66fb49fb970e950ea563ac
(4) Message-Authenticator = 0x9538bcd7d906f28c29f18980182bd674
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) filter_username filter_username {
(4) if (!&User-Name)
(4) if (!&User-Name) -> FALSE
(4) if (&User-Name =~ / /)
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@.*@/ )
(4) if (&User-Name =~ /@.*@/ ) -> FALSE
(4) if (&User-Name =~ /\\.\\./ )
(4) if (&User-Name =~ /\\.\\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\\.$/)
(4) if (&User-Name =~ /\\.$/) -> FALSE
(4) if (&User-Name =~ /@\\./)
(4) if (&User-Name =~ /@\\./) -> FALSE
(4) } # filter_username filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix : Checking for suffix after "@"
(4) suffix : Looking up realm "example.org" for User-Name = "anonymous at example.org"
(4) suffix : No such realm "example.org"
(4) [suffix] = noop
(4) rewrite_called_station_id rewrite_called_station_id {
(4) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(4) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(4) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(4) update request {
(4) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(4) --> 11-22-33-44-55-66
(4) Called-Station-Id := "11-22-33-44-55-66"
(4) } # update request = noop
(4) if ("%{8}")
(4) EXPAND %{8}
(4) --> MYSSID
(4) if ("%{8}") -> TRUE
(4) if ("%{8}") {
(4) update request {
(4) EXPAND %{8}
(4) --> MYSSID
(4) Called-Station-SSID := "MYSSID"
(4) } # update request = noop
(4) } # if ("%{8}") = noop
(4) [updated] = updated
(4) } # if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) = updated
(4) ... skipping else for request 4: Preceding "if" was taken
(4) } # rewrite_called_station_id rewrite_called_station_id = updated
(4) eap : Peer sent code Response (2) ID 4 length 6
(4) eap : Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap : Expiring EAP session with state 0x3d62e2663e66fb49
(4) eap : Finished EAP session with state 0x3d62e2663e66fb49
(4) eap : Previous EAP request found for state 0x3d62e2663e66fb49, released from the list
(4) eap : Peer sent method PEAP (25)
(4) eap : EAP PEAP (25)
(4) eap : Calling eap_peap to process EAP data
(4) eap_peap : processing EAP-TLS
(4) eap_peap : Received TLS ACK
(4) eap_peap : Received TLS ACK
(4) eap_peap : ACK handshake fragment handler
(4) eap_peap : eaptls_verify returned 1
(4) eap_peap : eaptls_process returned 13
(4) eap_peap : FR_TLS_HANDLED
(4) eap : New EAP session, adding 'State' attribute to reply 0x3d62e2663967fb49
(4) [eap] = handled
(4) } # authenticate = handled
(4) Sending Access-Challenge packet to host 127.0.0.1 port 49928, id=4, length=0
(4) EAP-Message = 0x010502d31900696361746520417574686f72697479820900fa7f9d18e5180a3a300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100248718c6bfe7de889d8256e62f16c7e8b0f694e686775c3330fc20b1f3a22e9e4a04f7085f5947cd8a4874641071f24c8f3b34092e4c8702102a9f071330d8e07d2d401404205a187cf283af2eae8db0ffb98868da6397d291e4b292090dffded974daf2a08e74dd8fc18acc919dbd2e9e752e2ec23f625e485f456396ba36eb90cd8a1da9e95233738ea64992a791302c68f0b94acc794d9c87e05d354a0629381c8d941c658a7811a97cf442466f3d762376d284e858f650db0bcf266bad573ab977cbd96ac53ea7abeca0b386c686bfe2ba9ad450a0dcfec8f066326440460031bef753fc74a5ca80cb129fef1bf45577f8f7c980c64d1a1de6b62fbd4082160301014b0c00014703001741048bd81adca86673f0205161a73bbf0f541430094e2bff6c4ec8fd5b72e36ef8ab27ff31fff8d6ab04671fd0c60fb8f6a3347c54aeea29ac1328d863d4a3b88fea01004ea1e08eb048d7982f3d70c75bd4aeaed9bc01932b5e5fb69edd496b31edeb7bc91cda13b4cbae412ae7ef48fb
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x3d62e2663967fb49fb970e950ea563ac
Sending Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:49928
EAP-Message = 0x010502d31900696361746520417574686f72697479820900fa7f9d18e5180a3a300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100248718c6bfe7de889d8256e62f16c7e8b0f694e686775c3330fc20b1f3a22e9e4a04f7085f5947cd8a4874641071f24c8f3b34092e4c8702102a9f071330d8e07d2d401404205a187cf283af2eae8db0ffb98868da6397d291e4b292090dffded974daf2a08e74dd8fc18acc919dbd2e9e752e2ec23f625e485f456396ba36eb90cd8a1da9e95233738ea64992a791302c68f0b94acc794d9c87e05d354a0629381c8d941c658a7811a97cf442466f3d762376d284e858f650db0bcf266bad573ab977cbd96ac53ea7abeca0b386c686bfe2ba9ad450a0dcfec8f066326440460031bef753fc74a5ca80cb129fef1bf45577f8f7c980c64d1a1de6b62fbd4082160301014b0c00014703001741048bd81adca86673f0205161a73bbf0f541430094e2bff6c4ec8fd5b72e36ef8ab27ff31fff8d6ab04671fd0c60fb8f6a3347c54aeea29ac1328d863d4a3b88fea01004ea1e08eb048d7982f3d70c75bd4aeaed9bc01932b5e5fb69edd496b31edeb7bc91cda13b4cbae412ae7ef48f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d62e2663967fb49fb970e950ea563ac
(4) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 5 from 127.0.0.1:49928 to 127.0.0.1:1812 length 312
User-Name = 'anonymous at example.org'
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
Called-Station-Id = '11-22-33-44-55-66:MYSSID'
NAS-IP-Address = 10.25.1.111
EAP-Message = 0x020500901980000000861603010046100000424104bc1c875bbd26e5382231184ef29477262723ee509e368be5b19b8c6b4125ba7662b4fb439940ecfdb7b323dd98e7588a569228782498a89d2b23e516fd64ebe714030100010116030100305d5c9c81b5928a666699a0fcca9d7909701949754f3b6897de6b9a2d7ad83c36915554ccdb495a9834e425d7633eccee
State = 0x3d62e2663967fb49fb970e950ea563ac
Message-Authenticator = 0x337044d38447838ba56f1403094eeca2
(5) Received Access-Request packet from host 127.0.0.1 port 49928, id=5, length=312
(5) User-Name = 'anonymous at example.org'
(5) Calling-Station-Id = '02-00-00-00-00-01'
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Connect-Info = 'CONNECT 11Mbps 802.11b'
(5) Called-Station-Id = '11-22-33-44-55-66:MYSSID'
(5) NAS-IP-Address = 10.25.1.111
(5) EAP-Message = 0x020500901980000000861603010046100000424104bc1c875bbd26e5382231184ef29477262723ee509e368be5b19b8c6b4125ba7662b4fb439940ecfdb7b323dd98e7588a569228782498a89d2b23e516fd64ebe714030100010116030100305d5c9c81b5928a666699a0fcca9d7909701949754f3b6897de6b9a2d7ad83c36915554ccdb495a9834e425d7633eccee
(5) State = 0x3d62e2663967fb49fb970e950ea563ac
(5) Message-Authenticator = 0x337044d38447838ba56f1403094eeca2
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) filter_username filter_username {
(5) if (!&User-Name)
(5) if (!&User-Name) -> FALSE
(5) if (&User-Name =~ / /)
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@.*@/ )
(5) if (&User-Name =~ /@.*@/ ) -> FALSE
(5) if (&User-Name =~ /\\.\\./ )
(5) if (&User-Name =~ /\\.\\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\\.$/)
(5) if (&User-Name =~ /\\.$/) -> FALSE
(5) if (&User-Name =~ /@\\./)
(5) if (&User-Name =~ /@\\./) -> FALSE
(5) } # filter_username filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix : Checking for suffix after "@"
(5) suffix : Looking up realm "example.org" for User-Name = "anonymous at example.org"
(5) suffix : No such realm "example.org"
(5) [suffix] = noop
(5) rewrite_called_station_id rewrite_called_station_id {
(5) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(5) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(5) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(5) update request {
(5) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(5) --> 11-22-33-44-55-66
(5) Called-Station-Id := "11-22-33-44-55-66"
(5) } # update request = noop
(5) if ("%{8}")
(5) EXPAND %{8}
(5) --> MYSSID
(5) if ("%{8}") -> TRUE
(5) if ("%{8}") {
(5) update request {
(5) EXPAND %{8}
(5) --> MYSSID
(5) Called-Station-SSID := "MYSSID"
(5) } # update request = noop
(5) } # if ("%{8}") = noop
(5) [updated] = updated
(5) } # if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) = updated
(5) ... skipping else for request 5: Preceding "if" was taken
(5) } # rewrite_called_station_id rewrite_called_station_id = updated
(5) eap : Peer sent code Response (2) ID 5 length 144
(5) eap : Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap : Expiring EAP session with state 0x3d62e2663967fb49
(5) eap : Finished EAP session with state 0x3d62e2663967fb49
(5) eap : Previous EAP request found for state 0x3d62e2663967fb49, released from the list
(5) eap : Peer sent method PEAP (25)
(5) eap : EAP PEAP (25)
(5) eap : Calling eap_peap to process EAP data
(5) eap_peap : processing EAP-TLS
TLS Length 134
(5) eap_peap : Length Included
(5) eap_peap : eaptls_verify returned 11
(5) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(5) eap_peap : TLS_accept: SSLv3 read client key exchange A
(5) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap : TLS_accept: SSLv3 read finished A
(5) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap : TLS_accept: SSLv3 write change cipher spec A
(5) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap : TLS_accept: SSLv3 write finished A
(5) eap_peap : TLS_accept: SSLv3 flush data
SSL: adding session 1adc6b3a3533d5aeac66d7621b9a27d4590629dfbc0e557456184e66fd5cf6d2 to cache
(5) eap_peap : (other): SSL negotiation finished successfully
SSL Connection Established
(5) eap_peap : eaptls_process returned 13
(5) eap_peap : FR_TLS_HANDLED
(5) eap : New EAP session, adding 'State' attribute to reply 0x3d62e2663864fb49
(5) [eap] = handled
(5) } # authenticate = handled
(5) Sending Access-Challenge packet to host 127.0.0.1 port 49928, id=5, length=0
(5) EAP-Message = 0x0106004119001403010001011603010030f194f340195d3f32de855bb597d059258a03594ab667356f5ccbcf95138bd2dc0356b50487d83250dece870977fe33de
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x3d62e2663864fb49fb970e950ea563ac
Sending Access-Challenge Id 5 from 127.0.0.1:1812 to 127.0.0.1:49928
EAP-Message = 0x0106004119001403010001011603010030f194f340195d3f32de855bb597d059258a03594ab667356f5ccbcf95138bd2dc0356b50487d83250dece870977fe33de
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d62e2663864fb49fb970e950ea563ac
(5) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 6 from 127.0.0.1:49928 to 127.0.0.1:1812 length 174
User-Name = 'anonymous at example.org'
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
Called-Station-Id = '11-22-33-44-55-66:MYSSID'
NAS-IP-Address = 10.25.1.111
EAP-Message = 0x020600061900
State = 0x3d62e2663864fb49fb970e950ea563ac
Message-Authenticator = 0x85bbbcad4a1c34f4852a429d733324c7
(6) Received Access-Request packet from host 127.0.0.1 port 49928, id=6, length=174
(6) User-Name = 'anonymous at example.org'
(6) Calling-Station-Id = '02-00-00-00-00-01'
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Connect-Info = 'CONNECT 11Mbps 802.11b'
(6) Called-Station-Id = '11-22-33-44-55-66:MYSSID'
(6) NAS-IP-Address = 10.25.1.111
(6) EAP-Message = 0x020600061900
(6) State = 0x3d62e2663864fb49fb970e950ea563ac
(6) Message-Authenticator = 0x85bbbcad4a1c34f4852a429d733324c7
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) filter_username filter_username {
(6) if (!&User-Name)
(6) if (!&User-Name) -> FALSE
(6) if (&User-Name =~ / /)
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@.*@/ )
(6) if (&User-Name =~ /@.*@/ ) -> FALSE
(6) if (&User-Name =~ /\\.\\./ )
(6) if (&User-Name =~ /\\.\\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\\.$/)
(6) if (&User-Name =~ /\\.$/) -> FALSE
(6) if (&User-Name =~ /@\\./)
(6) if (&User-Name =~ /@\\./) -> FALSE
(6) } # filter_username filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix : Checking for suffix after "@"
(6) suffix : Looking up realm "example.org" for User-Name = "anonymous at example.org"
(6) suffix : No such realm "example.org"
(6) [suffix] = noop
(6) rewrite_called_station_id rewrite_called_station_id {
(6) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(6) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(6) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(6) update request {
(6) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(6) --> 11-22-33-44-55-66
(6) Called-Station-Id := "11-22-33-44-55-66"
(6) } # update request = noop
(6) if ("%{8}")
(6) EXPAND %{8}
(6) --> MYSSID
(6) if ("%{8}") -> TRUE
(6) if ("%{8}") {
(6) update request {
(6) EXPAND %{8}
(6) --> MYSSID
(6) Called-Station-SSID := "MYSSID"
(6) } # update request = noop
(6) } # if ("%{8}") = noop
(6) [updated] = updated
(6) } # if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) = updated
(6) ... skipping else for request 6: Preceding "if" was taken
(6) } # rewrite_called_station_id rewrite_called_station_id = updated
(6) eap : Peer sent code Response (2) ID 6 length 6
(6) eap : Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap : Expiring EAP session with state 0x3d62e2663864fb49
(6) eap : Finished EAP session with state 0x3d62e2663864fb49
(6) eap : Previous EAP request found for state 0x3d62e2663864fb49, released from the list
(6) eap : Peer sent method PEAP (25)
(6) eap : EAP PEAP (25)
(6) eap : Calling eap_peap to process EAP data
(6) eap_peap : processing EAP-TLS
(6) eap_peap : Received TLS ACK
(6) eap_peap : Received TLS ACK
(6) eap_peap : ACK handshake is finished
(6) eap_peap : eaptls_verify returned 3
(6) eap_peap : eaptls_process returned 3
(6) eap_peap : FR_TLS_SUCCESS
(6) eap_peap : Session established. Decoding tunneled attributes
(6) eap_peap : Peap state TUNNEL ESTABLISHED
(6) eap : New EAP session, adding 'State' attribute to reply 0x3d62e2663b65fb49
(6) [eap] = handled
(6) } # authenticate = handled
(6) Sending Access-Challenge packet to host 127.0.0.1 port 49928, id=6, length=0
(6) EAP-Message = 0x0107002b190017030100204e47abcfaa334238f9050a50c9e2c19c11a6827989527f290e6d5be9b77ac931
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x3d62e2663b65fb49fb970e950ea563ac
Sending Access-Challenge Id 6 from 127.0.0.1:1812 to 127.0.0.1:49928
EAP-Message = 0x0107002b190017030100204e47abcfaa334238f9050a50c9e2c19c11a6827989527f290e6d5be9b77ac931
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d62e2663b65fb49fb970e950ea563ac
(6) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 7 from 127.0.0.1:49928 to 127.0.0.1:1812 length 248
User-Name = 'anonymous at example.org'
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
Called-Station-Id = '11-22-33-44-55-66:MYSSID'
NAS-IP-Address = 10.25.1.111
EAP-Message = 0x0207005019001703010020763ad4ee3fc3a86240176cee8c034b87e1b62c2a8613606703575170738d751a1703010020fb4cb8824d10849a464d1f70af429873629ce750aca5a6d54dc75be2587dc4a2
State = 0x3d62e2663b65fb49fb970e950ea563ac
Message-Authenticator = 0x88afe81ab5fa70a396b388f051e9a4b2
(7) Received Access-Request packet from host 127.0.0.1 port 49928, id=7, length=248
(7) User-Name = 'anonymous at example.org'
(7) Calling-Station-Id = '02-00-00-00-00-01'
(7) Framed-MTU = 1400
(7) NAS-Port-Type = Wireless-802.11
(7) Connect-Info = 'CONNECT 11Mbps 802.11b'
(7) Called-Station-Id = '11-22-33-44-55-66:MYSSID'
(7) NAS-IP-Address = 10.25.1.111
(7) EAP-Message = 0x0207005019001703010020763ad4ee3fc3a86240176cee8c034b87e1b62c2a8613606703575170738d751a1703010020fb4cb8824d10849a464d1f70af429873629ce750aca5a6d54dc75be2587dc4a2
(7) State = 0x3d62e2663b65fb49fb970e950ea563ac
(7) Message-Authenticator = 0x88afe81ab5fa70a396b388f051e9a4b2
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) filter_username filter_username {
(7) if (!&User-Name)
(7) if (!&User-Name) -> FALSE
(7) if (&User-Name =~ / /)
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@.*@/ )
(7) if (&User-Name =~ /@.*@/ ) -> FALSE
(7) if (&User-Name =~ /\\.\\./ )
(7) if (&User-Name =~ /\\.\\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\\.$/)
(7) if (&User-Name =~ /\\.$/) -> FALSE
(7) if (&User-Name =~ /@\\./)
(7) if (&User-Name =~ /@\\./) -> FALSE
(7) } # filter_username filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix : Checking for suffix after "@"
(7) suffix : Looking up realm "example.org" for User-Name = "anonymous at example.org"
(7) suffix : No such realm "example.org"
(7) [suffix] = noop
(7) rewrite_called_station_id rewrite_called_station_id {
(7) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(7) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(7) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(7) update request {
(7) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(7) --> 11-22-33-44-55-66
(7) Called-Station-Id := "11-22-33-44-55-66"
(7) } # update request = noop
(7) if ("%{8}")
(7) EXPAND %{8}
(7) --> MYSSID
(7) if ("%{8}") -> TRUE
(7) if ("%{8}") {
(7) update request {
(7) EXPAND %{8}
(7) --> MYSSID
(7) Called-Station-SSID := "MYSSID"
(7) } # update request = noop
(7) } # if ("%{8}") = noop
(7) [updated] = updated
(7) } # if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) = updated
(7) ... skipping else for request 7: Preceding "if" was taken
(7) } # rewrite_called_station_id rewrite_called_station_id = updated
(7) eap : Peer sent code Response (2) ID 7 length 80
(7) eap : Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap : Expiring EAP session with state 0x3d62e2663b65fb49
(7) eap : Finished EAP session with state 0x3d62e2663b65fb49
(7) eap : Previous EAP request found for state 0x3d62e2663b65fb49, released from the list
(7) eap : Peer sent method PEAP (25)
(7) eap : EAP PEAP (25)
(7) eap : Calling eap_peap to process EAP data
(7) eap_peap : processing EAP-TLS
(7) eap_peap : eaptls_verify returned 7
(7) eap_peap : Done initial handshake
(7) eap_peap : eaptls_process returned 7
(7) eap_peap : FR_TLS_OK
(7) eap_peap : Session established. Decoding tunneled attributes
(7) eap_peap : Peap state WAITING FOR INNER IDENTITY
(7) eap_peap : Identity - bob
(7) eap_peap : Got inner identity 'bob'
(7) eap_peap : Setting default EAP type for tunneled EAP session
(7) eap_peap : Got tunneled request
EAP-Message = 0x0207000801626f62
server default {
(7) eap_peap : Setting User-Name to bob
Sending tunneled request
EAP-Message = 0x0207000801626f62
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'bob'
server inner-tunnel {
(7) server inner-tunnel {
(7) Request:
EAP-Message = 0x0207000801626f62
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'bob'
(7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) update request {
(7) } # update request = noop
(7) if ( Called-Station-SSID )
(7) if ( Called-Station-SSID ) -> FALSE
(7) update request {
(7) } # update request = noop
(7) if ( Called-Station-SSID )
(7) if ( Called-Station-SSID ) -> FALSE
(7) update request {
(7) EXPAND %{outer.request:Called-Station-SSID}
(7) --> MYSSID
(7) Called-Station-SSID := "MYSSID"
(7) } # update request = noop
(7) if ( Called-Station-SSID )
(7) if ( Called-Station-SSID ) -> TRUE
(7) if ( Called-Station-SSID ) {
(7) update reply {
(7) EXPAND 3: Called-Station-SSID = %{Called-Station-SSID}
(7) --> 3: Called-Station-SSID = MYSSID
(7) Reply-Message += "3: Called-Station-SSID = MYSSID"
(7) } # update reply = noop
(7) } # if ( Called-Station-SSID ) = noop
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix : Checking for suffix after "@"
(7) suffix : No '@' in User-Name = "bob", looking up realm NULL
(7) suffix : No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) Proxy-To-Realm := 'LOCAL'
(7) } # update control = noop
(7) eap : Peer sent code Response (2) ID 7 length 8
(7) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap : Peer sent method Identity (1)
(7) eap : Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2 : Issuing Challenge
(7) eap : New EAP session, adding 'State' attribute to reply 0xc6089b8cc6008187
(7) [eap] = handled
(7) } # authenticate = handled
(7) Reply:
Reply-Message += '3: Called-Station-SSID = MYSSID'
EAP-Message = 0x0108001d1a0108001810a31666a9b0dbc1fd11a3517ff4d53853626f62
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc6089b8cc6008187247e6085738a6593
(7) } # server inner-tunnel
} # server inner-tunnel
(7) eap_peap : Got tunneled reply code 11
Reply-Message += '3: Called-Station-SSID = MYSSID'
EAP-Message = 0x0108001d1a0108001810a31666a9b0dbc1fd11a3517ff4d53853626f62
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc6089b8cc6008187247e6085738a6593
(7) eap_peap : Got tunneled reply RADIUS code 11
Reply-Message += '3: Called-Station-SSID = MYSSID'
EAP-Message = 0x0108001d1a0108001810a31666a9b0dbc1fd11a3517ff4d53853626f62
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc6089b8cc6008187247e6085738a6593
(7) eap_peap : Got tunneled Access-Challenge
(7) eap : New EAP session, adding 'State' attribute to reply 0x3d62e2663a6afb49
(7) [eap] = handled
(7) } # authenticate = handled
(7) Sending Access-Challenge packet to host 127.0.0.1 port 49928, id=7, length=0
(7) EAP-Message = 0x0108003b1900170301003076a63dd60207693a11e4e215e7fbd0e30ee413b458c3bb89c0528535907026f86b97daed5ad679401ba88f0c937e2e46
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x3d62e2663a6afb49fb970e950ea563ac
Sending Access-Challenge Id 7 from 127.0.0.1:1812 to 127.0.0.1:49928
EAP-Message = 0x0108003b1900170301003076a63dd60207693a11e4e215e7fbd0e30ee413b458c3bb89c0528535907026f86b97daed5ad679401ba88f0c937e2e46
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d62e2663a6afb49fb970e950ea563ac
(7) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 8 from 127.0.0.1:49928 to 127.0.0.1:1812 length 296
User-Name = 'anonymous at example.org'
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
Called-Station-Id = '11-22-33-44-55-66:MYSSID'
NAS-IP-Address = 10.25.1.111
EAP-Message = 0x02080080190017030100209898e735ad7863612bb795e3d0a471f70a43c3575c7753ef8898a6d92bfd760817030100508cecdc5c5d5da59b2d7f5ae66a50e176f253224d7e310a37eb5f0672c4c70db68c6801ef2c9eae60c2d7d0ff477bc3c6f1e39f1e18a58b1fb6fda0cc5c417cb3cccb002f9e4aabfc714f4273c3ce51d7
State = 0x3d62e2663a6afb49fb970e950ea563ac
Message-Authenticator = 0x6c839fa34a0d4cc93c6dc78065a96ed0
(8) Received Access-Request packet from host 127.0.0.1 port 49928, id=8, length=296
(8) User-Name = 'anonymous at example.org'
(8) Calling-Station-Id = '02-00-00-00-00-01'
(8) Framed-MTU = 1400
(8) NAS-Port-Type = Wireless-802.11
(8) Connect-Info = 'CONNECT 11Mbps 802.11b'
(8) Called-Station-Id = '11-22-33-44-55-66:MYSSID'
(8) NAS-IP-Address = 10.25.1.111
(8) EAP-Message = 0x02080080190017030100209898e735ad7863612bb795e3d0a471f70a43c3575c7753ef8898a6d92bfd760817030100508cecdc5c5d5da59b2d7f5ae66a50e176f253224d7e310a37eb5f0672c4c70db68c6801ef2c9eae60c2d7d0ff477bc3c6f1e39f1e18a58b1fb6fda0cc5c417cb3cccb002f9e4aabfc714f4273c3ce51d7
(8) State = 0x3d62e2663a6afb49fb970e950ea563ac
(8) Message-Authenticator = 0x6c839fa34a0d4cc93c6dc78065a96ed0
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) filter_username filter_username {
(8) if (!&User-Name)
(8) if (!&User-Name) -> FALSE
(8) if (&User-Name =~ / /)
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@.*@/ )
(8) if (&User-Name =~ /@.*@/ ) -> FALSE
(8) if (&User-Name =~ /\\.\\./ )
(8) if (&User-Name =~ /\\.\\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\\.$/)
(8) if (&User-Name =~ /\\.$/) -> FALSE
(8) if (&User-Name =~ /@\\./)
(8) if (&User-Name =~ /@\\./) -> FALSE
(8) } # filter_username filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix : Checking for suffix after "@"
(8) suffix : Looking up realm "example.org" for User-Name = "anonymous at example.org"
(8) suffix : No such realm "example.org"
(8) [suffix] = noop
(8) rewrite_called_station_id rewrite_called_station_id {
(8) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(8) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(8) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(8) update request {
(8) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(8) --> 11-22-33-44-55-66
(8) Called-Station-Id := "11-22-33-44-55-66"
(8) } # update request = noop
(8) if ("%{8}")
(8) EXPAND %{8}
(8) --> MYSSID
(8) if ("%{8}") -> TRUE
(8) if ("%{8}") {
(8) update request {
(8) EXPAND %{8}
(8) --> MYSSID
(8) Called-Station-SSID := "MYSSID"
(8) } # update request = noop
(8) } # if ("%{8}") = noop
(8) [updated] = updated
(8) } # if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) = updated
(8) ... skipping else for request 8: Preceding "if" was taken
(8) } # rewrite_called_station_id rewrite_called_station_id = updated
(8) eap : Peer sent code Response (2) ID 8 length 128
(8) eap : Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap : Expiring EAP session with state 0xc6089b8cc6008187
(8) eap : Finished EAP session with state 0x3d62e2663a6afb49
(8) eap : Previous EAP request found for state 0x3d62e2663a6afb49, released from the list
(8) eap : Peer sent method PEAP (25)
(8) eap : EAP PEAP (25)
(8) eap : Calling eap_peap to process EAP data
(8) eap_peap : processing EAP-TLS
(8) eap_peap : eaptls_verify returned 7
(8) eap_peap : Done initial handshake
(8) eap_peap : eaptls_process returned 7
(8) eap_peap : FR_TLS_OK
(8) eap_peap : Session established. Decoding tunneled attributes
(8) eap_peap : Peap state phase2
(8) eap_peap : EAP type MSCHAPv2 (26)
(8) eap_peap : Got tunneled request
EAP-Message = 0x0208003e1a0208003931ed49e24a3cec2f40ad2df4e3f606e7da00000000000000009ab93e2e044eb49cd299ffc52e17e23cff3ad875a511014900626f62
server default {
(8) eap_peap : Setting User-Name to bob
Sending tunneled request
EAP-Message = 0x0208003e1a0208003931ed49e24a3cec2f40ad2df4e3f606e7da00000000000000009ab93e2e044eb49cd299ffc52e17e23cff3ad875a511014900626f62
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'bob'
State = 0xc6089b8cc6008187247e6085738a6593
server inner-tunnel {
(8) server inner-tunnel {
(8) Request:
EAP-Message = 0x0208003e1a0208003931ed49e24a3cec2f40ad2df4e3f606e7da00000000000000009ab93e2e044eb49cd299ffc52e17e23cff3ad875a511014900626f62
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'bob'
State = 0xc6089b8cc6008187247e6085738a6593
(8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) update request {
(8) } # update request = noop
(8) if ( Called-Station-SSID )
(8) if ( Called-Station-SSID ) -> FALSE
(8) update request {
(8) } # update request = noop
(8) if ( Called-Station-SSID )
(8) if ( Called-Station-SSID ) -> FALSE
(8) update request {
(8) EXPAND %{outer.request:Called-Station-SSID}
(8) --> MYSSID
(8) Called-Station-SSID := "MYSSID"
(8) } # update request = noop
(8) if ( Called-Station-SSID )
(8) if ( Called-Station-SSID ) -> TRUE
(8) if ( Called-Station-SSID ) {
(8) update reply {
(8) EXPAND 3: Called-Station-SSID = %{Called-Station-SSID}
(8) --> 3: Called-Station-SSID = MYSSID
(8) Reply-Message += "3: Called-Station-SSID = MYSSID"
(8) } # update reply = noop
(8) } # if ( Called-Station-SSID ) = noop
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix : Checking for suffix after "@"
(8) suffix : No '@' in User-Name = "bob", looking up realm NULL
(8) suffix : No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) Proxy-To-Realm := 'LOCAL'
(8) } # update control = noop
(8) eap : Peer sent code Response (2) ID 8 length 62
(8) eap : No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) files : users: Matched entry bob at line 224
(8) files : EXPAND Hello, %{User-Name}
(8) files : --> Hello, bob
(8) [files] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) WARNING: pap : Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap : Expiring EAP session with state 0xc6089b8cc6008187
(8) eap : Finished EAP session with state 0xc6089b8cc6008187
(8) eap : Previous EAP request found for state 0xc6089b8cc6008187, released from the list
(8) eap : Peer sent method MSCHAPv2 (26)
(8) eap : EAP MSCHAPv2 (26)
(8) eap : Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) eap_mschapv2 : Auth-Type MS-CHAP {
(8) mschap : Found Cleartext-Password, hashing to create LM-Password
(8) mschap : Found Cleartext-Password, hashing to create NT-Password
(8) mschap : Creating challenge hash with username: bob
(8) mschap : Client is using MS-CHAPv2
(8) mschap : Adding MS-CHAPv2 MPPE keys
(8) [mschap] = ok
(8) } # Auth-Type MS-CHAP = ok
MSCHAP Success
(8) eap : New EAP session, adding 'State' attribute to reply 0xc6089b8cc7018187
(8) [eap] = handled
(8) } # authenticate = handled
(8) Reply:
Reply-Message = 'Hello, bob'
EAP-Message = 0x010900331a0308002e533d35344146344135434142453645394531323339333442324346324434353834313231434145343446
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc6089b8cc7018187247e6085738a6593
(8) } # server inner-tunnel
} # server inner-tunnel
(8) eap_peap : Got tunneled reply code 11
Reply-Message = 'Hello, bob'
EAP-Message = 0x010900331a0308002e533d35344146344135434142453645394531323339333442324346324434353834313231434145343446
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc6089b8cc7018187247e6085738a6593
(8) eap_peap : Got tunneled reply RADIUS code 11
Reply-Message = 'Hello, bob'
EAP-Message = 0x010900331a0308002e533d35344146344135434142453645394531323339333442324346324434353834313231434145343446
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc6089b8cc7018187247e6085738a6593
(8) eap_peap : Got tunneled Access-Challenge
(8) eap : New EAP session, adding 'State' attribute to reply 0x3d62e266356bfb49
(8) [eap] = handled
(8) } # authenticate = handled
(8) Sending Access-Challenge packet to host 127.0.0.1 port 49928, id=8, length=0
(8) EAP-Message = 0x0109005b190017030100507f5942e10d64775e2532899b336653df5af56ad135c74ea390dad841338d9a5b2800180072b4b93c358f4707935c4e0c0ac18bf89377f4059331681d3d10ae6a533cce6a4d18e88b9146bfb9554c4785
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x3d62e266356bfb49fb970e950ea563ac
Sending Access-Challenge Id 8 from 127.0.0.1:1812 to 127.0.0.1:49928
EAP-Message = 0x0109005b190017030100507f5942e10d64775e2532899b336653df5af56ad135c74ea390dad841338d9a5b2800180072b4b93c358f4707935c4e0c0ac18bf89377f4059331681d3d10ae6a533cce6a4d18e88b9146bfb9554c4785
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d62e266356bfb49fb970e950ea563ac
(8) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 9 from 127.0.0.1:49928 to 127.0.0.1:1812 length 248
User-Name = 'anonymous at example.org'
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
Called-Station-Id = '11-22-33-44-55-66:MYSSID'
NAS-IP-Address = 10.25.1.111
EAP-Message = 0x02090050190017030100209e0c4474f50fec2719fe6a771ddaebe29741e8593239614c24bfb5f8bf99615117030100205852029de0fdd4ccf4c560ff2ec7982087ca9b2dbc0def389a4141cabf9070a5
State = 0x3d62e266356bfb49fb970e950ea563ac
Message-Authenticator = 0x621706a244762ca85f67db3393d93622
(9) Received Access-Request packet from host 127.0.0.1 port 49928, id=9, length=248
(9) User-Name = 'anonymous at example.org'
(9) Calling-Station-Id = '02-00-00-00-00-01'
(9) Framed-MTU = 1400
(9) NAS-Port-Type = Wireless-802.11
(9) Connect-Info = 'CONNECT 11Mbps 802.11b'
(9) Called-Station-Id = '11-22-33-44-55-66:MYSSID'
(9) NAS-IP-Address = 10.25.1.111
(9) EAP-Message = 0x02090050190017030100209e0c4474f50fec2719fe6a771ddaebe29741e8593239614c24bfb5f8bf99615117030100205852029de0fdd4ccf4c560ff2ec7982087ca9b2dbc0def389a4141cabf9070a5
(9) State = 0x3d62e266356bfb49fb970e950ea563ac
(9) Message-Authenticator = 0x621706a244762ca85f67db3393d93622
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) filter_username filter_username {
(9) if (!&User-Name)
(9) if (!&User-Name) -> FALSE
(9) if (&User-Name =~ / /)
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@.*@/ )
(9) if (&User-Name =~ /@.*@/ ) -> FALSE
(9) if (&User-Name =~ /\\.\\./ )
(9) if (&User-Name =~ /\\.\\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\\.$/)
(9) if (&User-Name =~ /\\.$/) -> FALSE
(9) if (&User-Name =~ /@\\./)
(9) if (&User-Name =~ /@\\./) -> FALSE
(9) } # filter_username filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix : Checking for suffix after "@"
(9) suffix : Looking up realm "example.org" for User-Name = "anonymous at example.org"
(9) suffix : No such realm "example.org"
(9) [suffix] = noop
(9) rewrite_called_station_id rewrite_called_station_id {
(9) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(9) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(9) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(9) update request {
(9) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(9) --> 11-22-33-44-55-66
(9) Called-Station-Id := "11-22-33-44-55-66"
(9) } # update request = noop
(9) if ("%{8}")
(9) EXPAND %{8}
(9) --> MYSSID
(9) if ("%{8}") -> TRUE
(9) if ("%{8}") {
(9) update request {
(9) EXPAND %{8}
(9) --> MYSSID
(9) Called-Station-SSID := "MYSSID"
(9) } # update request = noop
(9) } # if ("%{8}") = noop
(9) [updated] = updated
(9) } # if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) = updated
(9) ... skipping else for request 9: Preceding "if" was taken
(9) } # rewrite_called_station_id rewrite_called_station_id = updated
(9) eap : Peer sent code Response (2) ID 9 length 80
(9) eap : Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap : Expiring EAP session with state 0xc6089b8cc7018187
(9) eap : Finished EAP session with state 0x3d62e266356bfb49
(9) eap : Previous EAP request found for state 0x3d62e266356bfb49, released from the list
(9) eap : Peer sent method PEAP (25)
(9) eap : EAP PEAP (25)
(9) eap : Calling eap_peap to process EAP data
(9) eap_peap : processing EAP-TLS
(9) eap_peap : eaptls_verify returned 7
(9) eap_peap : Done initial handshake
(9) eap_peap : eaptls_process returned 7
(9) eap_peap : FR_TLS_OK
(9) eap_peap : Session established. Decoding tunneled attributes
(9) eap_peap : Peap state phase2
(9) eap_peap : EAP type MSCHAPv2 (26)
(9) eap_peap : Got tunneled request
EAP-Message = 0x020900061a03
server default {
(9) eap_peap : Setting User-Name to bob
Sending tunneled request
EAP-Message = 0x020900061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'bob'
State = 0xc6089b8cc7018187247e6085738a6593
server inner-tunnel {
(9) server inner-tunnel {
(9) Request:
EAP-Message = 0x020900061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'bob'
State = 0xc6089b8cc7018187247e6085738a6593
(9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(9) authorize {
(9) update request {
(9) } # update request = noop
(9) if ( Called-Station-SSID )
(9) if ( Called-Station-SSID ) -> FALSE
(9) update request {
(9) } # update request = noop
(9) if ( Called-Station-SSID )
(9) if ( Called-Station-SSID ) -> FALSE
(9) update request {
(9) EXPAND %{outer.request:Called-Station-SSID}
(9) --> MYSSID
(9) Called-Station-SSID := "MYSSID"
(9) } # update request = noop
(9) if ( Called-Station-SSID )
(9) if ( Called-Station-SSID ) -> TRUE
(9) if ( Called-Station-SSID ) {
(9) update reply {
(9) EXPAND 3: Called-Station-SSID = %{Called-Station-SSID}
(9) --> 3: Called-Station-SSID = MYSSID
(9) Reply-Message += "3: Called-Station-SSID = MYSSID"
(9) } # update reply = noop
(9) } # if ( Called-Station-SSID ) = noop
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix : Checking for suffix after "@"
(9) suffix : No '@' in User-Name = "bob", looking up realm NULL
(9) suffix : No such realm "NULL"
(9) [suffix] = noop
(9) update control {
(9) Proxy-To-Realm := 'LOCAL'
(9) } # update control = noop
(9) eap : Peer sent code Response (2) ID 9 length 6
(9) eap : No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) files : users: Matched entry bob at line 224
(9) files : EXPAND Hello, %{User-Name}
(9) files : --> Hello, bob
(9) [files] = ok
(9) [expiration] = noop
(9) [logintime] = noop
(9) WARNING: pap : Auth-Type already set. Not setting to PAP
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap : Expiring EAP session with state 0xc6089b8cc7018187
(9) eap : Finished EAP session with state 0xc6089b8cc7018187
(9) eap : Previous EAP request found for state 0xc6089b8cc7018187, released from the list
(9) eap : Peer sent method MSCHAPv2 (26)
(9) eap : EAP MSCHAPv2 (26)
(9) eap : Calling eap_mschapv2 to process EAP data
(9) eap : Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(9) post-auth { ... } # empty sub-section is ignored
(9) Reply:
Reply-Message = 'Hello, bob'
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
MS-MPPE-Send-Key = 0xb6ef6056a7180c436bc0b82b547d7f2e
MS-MPPE-Recv-Key = 0x4feaae6f2f92b86c706567ccb2c881f2
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'bob'
(9) } # server inner-tunnel
} # server inner-tunnel
(9) eap_peap : Got tunneled reply code 2
Reply-Message = 'Hello, bob'
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
MS-MPPE-Send-Key = 0xb6ef6056a7180c436bc0b82b547d7f2e
MS-MPPE-Recv-Key = 0x4feaae6f2f92b86c706567ccb2c881f2
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'bob'
(9) eap_peap : Got tunneled reply RADIUS code 2
Reply-Message = 'Hello, bob'
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
MS-MPPE-Send-Key = 0xb6ef6056a7180c436bc0b82b547d7f2e
MS-MPPE-Recv-Key = 0x4feaae6f2f92b86c706567ccb2c881f2
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'bob'
(9) eap_peap : Tunneled authentication was successful
(9) eap_peap : SUCCESS
(9) eap : New EAP session, adding 'State' attribute to reply 0x3d62e2663468fb49
(9) [eap] = handled
(9) } # authenticate = handled
(9) Sending Access-Challenge packet to host 127.0.0.1 port 49928, id=9, length=0
(9) EAP-Message = 0x010a002b190017030100207957ea2ec640d1e6a44e652d07a995e448d6c8d30933f4a2c13eaf159acf9d73
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x3d62e2663468fb49fb970e950ea563ac
Sending Access-Challenge Id 9 from 127.0.0.1:1812 to 127.0.0.1:49928
EAP-Message = 0x010a002b190017030100207957ea2ec640d1e6a44e652d07a995e448d6c8d30933f4a2c13eaf159acf9d73
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d62e2663468fb49fb970e950ea563ac
(9) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 10 from 127.0.0.1:49928 to 127.0.0.1:1812 length 248
User-Name = 'anonymous at example.org'
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
Called-Station-Id = '11-22-33-44-55-66:MYSSID'
NAS-IP-Address = 10.25.1.111
EAP-Message = 0x020a005019001703010020611d0bd18d91508ba503fec10ee54af13aadabd740a3969ccbf4bb44fe19c9da1703010020f3407dd44ad4ee6d331aef8cbb8895ad7e6c5a6d32db239e8a92ac79863b62e9
State = 0x3d62e2663468fb49fb970e950ea563ac
Message-Authenticator = 0x878e8418f4fcce6fd64c0ce390f0010b
(10) Received Access-Request packet from host 127.0.0.1 port 49928, id=10, length=248
(10) User-Name = 'anonymous at example.org'
(10) Calling-Station-Id = '02-00-00-00-00-01'
(10) Framed-MTU = 1400
(10) NAS-Port-Type = Wireless-802.11
(10) Connect-Info = 'CONNECT 11Mbps 802.11b'
(10) Called-Station-Id = '11-22-33-44-55-66:MYSSID'
(10) NAS-IP-Address = 10.25.1.111
(10) EAP-Message = 0x020a005019001703010020611d0bd18d91508ba503fec10ee54af13aadabd740a3969ccbf4bb44fe19c9da1703010020f3407dd44ad4ee6d331aef8cbb8895ad7e6c5a6d32db239e8a92ac79863b62e9
(10) State = 0x3d62e2663468fb49fb970e950ea563ac
(10) Message-Authenticator = 0x878e8418f4fcce6fd64c0ce390f0010b
(10) # Executing section authorize from file /etc/raddb/sites-enabled/default
(10) authorize {
(10) filter_username filter_username {
(10) if (!&User-Name)
(10) if (!&User-Name) -> FALSE
(10) if (&User-Name =~ / /)
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@.*@/ )
(10) if (&User-Name =~ /@.*@/ ) -> FALSE
(10) if (&User-Name =~ /\\.\\./ )
(10) if (&User-Name =~ /\\.\\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\\.$/)
(10) if (&User-Name =~ /\\.$/) -> FALSE
(10) if (&User-Name =~ /@\\./)
(10) if (&User-Name =~ /@\\./) -> FALSE
(10) } # filter_username filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix : Checking for suffix after "@"
(10) suffix : Looking up realm "example.org" for User-Name = "anonymous at example.org"
(10) suffix : No such realm "example.org"
(10) [suffix] = noop
(10) rewrite_called_station_id rewrite_called_station_id {
(10) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(10) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(10) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(10) update request {
(10) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(10) --> 11-22-33-44-55-66
(10) Called-Station-Id := "11-22-33-44-55-66"
(10) } # update request = noop
(10) if ("%{8}")
(10) EXPAND %{8}
(10) --> MYSSID
(10) if ("%{8}") -> TRUE
(10) if ("%{8}") {
(10) update request {
(10) EXPAND %{8}
(10) --> MYSSID
(10) Called-Station-SSID := "MYSSID"
(10) } # update request = noop
(10) } # if ("%{8}") = noop
(10) [updated] = updated
(10) } # if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) = updated
(10) ... skipping else for request 10: Preceding "if" was taken
(10) } # rewrite_called_station_id rewrite_called_station_id = updated
(10) eap : Peer sent code Response (2) ID 10 length 80
(10) eap : Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) authenticate {
(10) eap : Expiring EAP session with state 0x3d62e2663468fb49
(10) eap : Finished EAP session with state 0x3d62e2663468fb49
(10) eap : Previous EAP request found for state 0x3d62e2663468fb49, released from the list
(10) eap : Peer sent method PEAP (25)
(10) eap : EAP PEAP (25)
(10) eap : Calling eap_peap to process EAP data
(10) eap_peap : processing EAP-TLS
(10) eap_peap : eaptls_verify returned 7
(10) eap_peap : Done initial handshake
(10) eap_peap : eaptls_process returned 7
(10) eap_peap : FR_TLS_OK
(10) eap_peap : Session established. Decoding tunneled attributes
(10) eap_peap : Peap state send tlv success
(10) eap_peap : Received EAP-TLV response
(10) eap_peap : Success
(10) WARNING: eap_peap : No information to cache: session caching will be disabled for session 1adc6b3a3533d5aeac66d7621b9a27d4590629dfbc0e557456184e66fd5cf6d2
SSL: Removing session 1adc6b3a3533d5aeac66d7621b9a27d4590629dfbc0e557456184e66fd5cf6d2 from the cache
(10) eap : Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(10) post-auth {
(10) [exec] = noop
(10) remove_reply_message_if_eap remove_reply_message_if_eap {
(10) if (&reply:EAP-Message && &reply:Reply-Message)
(10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(10) else else {
(10) [noop] = noop
(10) } # else else = noop
(10) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(10) } # post-auth = noop
(10) Sending Access-Accept packet to host 127.0.0.1 port 49928, id=10, length=0
(10) MS-MPPE-Recv-Key = 0x9fce95c6020e84b10c480dfbcb034462b6552a34ba82c4e5658e9f92ab1ccf85
(10) MS-MPPE-Send-Key = 0x4c9075d8b241ed6fd2cd685ed5e787f7e48a4f19c1abe1f01de86bb672b7f784
(10) EAP-MSK = 0x9fce95c6020e84b10c480dfbcb034462b6552a34ba82c4e5658e9f92ab1ccf854c9075d8b241ed6fd2cd685ed5e787f7e48a4f19c1abe1f01de86bb672b7f784
(10) EAP-EMSK = 0x26eab32d2c5007b6c948a9cf85967f3286e245b88bea1f8d39889ae04cba3d11c04e7840996640c935c80aee08553ef2025b2fa2f75b108510b821afd6816f9f
(10) EAP-Session-Id = 0x19553fbd3c23a94c33030a3fea1a032c4a6b182e938fedec4284730281a896e8bc553fbd3c43081aa9ae73af57b004ce19a3507ec94d3a4b538d832c6f66999bf2
(10) EAP-Message = 0x030a0004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) User-Name = 'anonymous at example.org'
Sending Access-Accept Id 10 from 127.0.0.1:1812 to 127.0.0.1:49928
MS-MPPE-Recv-Key = 0x9fce95c6020e84b10c480dfbcb034462b6552a34ba82c4e5658e9f92ab1ccf85
MS-MPPE-Send-Key = 0x4c9075d8b241ed6fd2cd685ed5e787f7e48a4f19c1abe1f01de86bb672b7f784
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'anonymous at example.org'
(10) Finished request
Waking up in 0.2 seconds.
Waking up in 4.6 seconds.
More information about the Freeradius-Users
mailing list