Connection issues with Android Marshmallow

Tod A. Sandman sandmant at rice.edu
Thu Oct 15 19:28:46 CEST 2015


Android users here who have upgraded to Marshmallow can no longer connect, even after I upgraded from freeradius-2.2.8 to freeradius-2.2.9.  My server is RHEL6.4 with "OpenSSL 1.0.1e-fips 11 Feb 2013".  We are using PEAP/EAP-MSCHAPv2.


>From the radius server the connection seems to work fine.  And our network guy says all looks fine from his view.  For instance:

  Oct 13 13:48:05 net3 radiusd[23302]: Login OK: [hm6] (from client wireless64a port 0 via TLS tunnel)
  Oct 13 13:48:05 net3 radiusd[23302]: Login OK: [hm6] (from client wireless64a port 13 cli 14-1a-a3-93-54-21)

  Time :2015-Oct-13, 13:48:05 CDT Severity :INFO Controller ID :10.64.76.100 Message :Client moved to associated state successfully.

But as a user described: No error message, it just hangs and times out. I'll get "Authenticating..." and "Scanning..." for a while then it will just say Disconnected.

I'm following https://code.google.com/p/android/issues/detail?id=188867 but am posting here in case ...

I've attached a radius debug session of the android connection (that is not working for a user) as well as one for a connection with the user's ipad, which is working for the same user.  They look quite the same to me.  I've also attached a few config files - let me know if more would be useful.

Thanks.



Tod Sandman
Sr. Systems Administrator
Middleware Development & Integration
Rice University
-------------- next part --------------
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=196, length=285
Wed Oct 14 10:38:17 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: 	Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: 	Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x0201000801686d36
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0xc56b144a4d423f22243806045d10c4a9
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 1 length 8
Wed Oct 14 10:38:17 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = updated
Wed Oct 14 10:38:17 2015 : Debug: ++[unix] = notfound
Wed Oct 14 10:38:17 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 10:38:17 2015 : Debug: ++[files] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++[expiration] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[logintime] = noop
Wed Oct 14 10:38:17 2015 : Debug: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Wed Oct 14 10:38:17 2015 : Debug: ++[pap] = noop
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = updated
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP Identity
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type tls
Wed Oct 14 10:38:17 2015 : Debug: [tls] Requiring client certificate
Wed Oct 14 10:38:17 2015 : Debug: [tls] Initiate
Wed Oct 14 10:38:17 2015 : Debug: [tls] Start returned 1
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=196, length=0
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x010200060d20
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd2bd5fe7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8668982.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=197, length=301
Wed Oct 14 10:38:17 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: 	Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: 	Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x020200060319
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd2bd5fe7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0xc91a03f12cddc0dff1efa1da4f2cad06
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 2 length 6
Wed Oct 14 10:38:17 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = updated
Wed Oct 14 10:38:17 2015 : Debug: ++[unix] = notfound
Wed Oct 14 10:38:17 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 10:38:17 2015 : Debug: ++[files] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++[expiration] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[logintime] = noop
Wed Oct 14 10:38:17 2015 : Debug: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Wed Oct 14 10:38:17 2015 : Debug: ++[pap] = noop
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = updated
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP NAK
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP-NAK asked for EAP-Type/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type tls
Wed Oct 14 10:38:17 2015 : Debug: [tls] Initiate
Wed Oct 14 10:38:17 2015 : Debug: [tls] Start returned 1
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=197, length=0
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x010300061920
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd3bc4be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8668983.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=200, length=463
Wed Oct 14 10:38:17 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: 	Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: 	Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x020300a819800000009e160301009901000095030399003f89ceb614e8779deaf18bf16ef575108a8f296a3b6987f73e7ef5a00c2800003cc02cc030009fc02bc02f009ec00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a00ff0100003000170000000d001600140601060305010503040104030301030302010203000b00020100000a00080006001700180019
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd3bc4be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0x6b636a15a47267852eb5f1e66555b77d
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 3 length 168
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] Length Included
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 11

Wed Oct 14 10:38:17 2015 : Debug: [peap]     (other): before/accept initialization
Wed Oct 14 10:38:17 2015 : Debug: [peap]     TLS_accept: before/accept initialization
Wed Oct 14 10:38:17 2015 : Debug: [peap]     TLS_accept: SSLv3 read client hello A
Wed Oct 14 10:38:17 2015 : Debug: [peap]     TLS_accept: SSLv3 write server hello A
Wed Oct 14 10:38:17 2015 : Debug: [peap]     TLS_accept: SSLv3 write certificate A
Wed Oct 14 10:38:17 2015 : Debug: [peap]     TLS_accept: SSLv3 write key exchange A
Wed Oct 14 10:38:17 2015 : Debug: [peap]     TLS_accept: SSLv3 write server done A
Wed Oct 14 10:38:17 2015 : Debug: [peap]     TLS_accept: SSLv3 flush data
Wed Oct 14 10:38:17 2015 : Debug: [peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
Wed Oct 14 10:38:17 2015 : Debug: [peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 13

Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=200, length=0
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x0104040019c00000127516030300510200004d0303561e76e95197ed406fd8149d26f490d27122bb9c77c5bab8154eeab3677a63a42006bfdc6efc5854cbf8e04d60fe89fe27c669d9c79a1a187ab3b12c8f00a97163009f000005ff010001001603030efd0b000ef9000ef60005ec308205e8308204d0a003020102021100d2214325afda98a298320a313910b0a7300d06092a864886f70d01010505003051310b300906035504061302555331123010060355040a1309496e7465726e6574323111300f060355040b1308496e436f6d6d6f6e311b301906035504031312496e436f6d6d6f6e20536572766572204341301e170d3134303832353030
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x303030305a170d3137303832343233353935395a3081c0310b3009060355040613025553311330110603550411130a37373235312d31383932310e300c0603550408130554657861733110300e06035504071307486f7573746f6e311430120603550409130b504f20426f782031383932310f300d060355040913064d532031313931183016060355040a130f5269636520556e6976657273697479311f301d060355040b1316496e666f726d6174696f6e20546563686e6f6c6f6779311830160603550403130f7261646975732e726963652e65647530820122300d06092a864886f70d01010105000382010f003082010a0282010100c0abafe128
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x6bc30df0a3c2d2819ae89a3c0e4784956c31ce16f7845b0f72b8dd7dcc63e31b61b3943179e74feeb4f674712104b873e21b03c024c1a92c322bc112e76ce4bf126a944f32fe70e72128cbe6688c2bd64e4b97107410d77d80bf40904621d19b5977aa0a2c6ff5097aa84c4d3863032007db7ba738833594f29547be596c8989f26824bc26024146e1b678d28fb18f3d7da5a8217529d9dcc51d67d2b6b79e89363050ed5e11f5ad64167d11ae80a9c8b0bb2bcf54974c2c4ddefe3bddafeee7b0848580c750c964b05bb9700044ebc77944bfafaed6270fcba7e5fa8821b15bc62e0137f8f40f6f5caf9c1c39912617acb6ae037ef812442e4ccd0203
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x010001a382024930820245301f0603551d23041830168014484f5afa2f4a9a5ee050f36b7b55a5def5be345d301d0603551d0e04160414fca71db4ce69391b700243650721246bebc46497300e0603551d0f0101ff0404030205a0300c0603551d130101ff04023000301d0603551d250416301406082b0601050507030106082b0601050507030230670603551d200460305e3052060c2b06010401ae2301040301013042304006082b06010505070201163468747470733a2f2f7777772e696e636f6d6d6f6e2e6f72672f636572742f7265706f7369746f72792f6370735f73736c2e7064663008060667810c010202303d0603551d1f0436303430
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x32a030a02e862c687474703a
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd0bb4be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8668986.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=203, length=301
Wed Oct 14 10:38:17 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: 	Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: 	Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x020400061900
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd0bb4be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0x11ee91de7b8e767c047be5d57bc04e2d
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 4 length 6
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 10:38:17 2015 : Debug: [peap] ACK handshake fragment handler
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 1

Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 13

Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=203, length=0
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x010503fc19402f2f63726c2e696e636f6d6d6f6e2e6f72672f496e436f6d6d6f6e53657276657243412e63726c306f06082b0601050507010104633061303906082b06010505073002862d687474703a2f2f636572742e696e636f6d6d6f6e2e6f72672f496e436f6d6d6f6e53657276657243412e637274302406082b060105050730018618687474703a2f2f6f6373702e696e636f6d6d6f6e2e6f72673081ac0603551d110481a43081a1820f7261646975732e726963652e65647582186e65777261646975732d612e6e65742e726963652e65647582186e65777261646975732d622e6e65742e726963652e65647582157261646975732d612e6e
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x65742e726963652e65647582157261646975732d622e6e65742e726963652e65647582157261646975732d632e6e65742e726963652e65647582157261646975732d642e6e65742e726963652e656475300d06092a864886f70d0101050500038201010024b8ca39f8c5c7f30b29b43b46d5a205a13cff521c12aa709dba4a38b2db77d20a727adcf7a1f9fbb14ba8ef4b42ff5a17d4a50afa0539284f32566b1aa6c4ce179ccaeb57849e15465a592e9a6687ea84ba8cfece9d5480911b6b1bf0e539707e8e47951fbb90dbcdce93548fa1a8a2e36444b878c84fbe52740039e794686cd81d29ac09fcb9fc397d5b5c47b4904dd54640d8709c42a9dd
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x051695e9dfc9123a2f34881eb6888ff944bb0711cff3ea080287dbdd52811c91ea341f310e1ff2bd196b946d47264ec297d29eb65dba202b4309df303a2b8b80393aea3e914d7adfc9ad596a26d3866f221ef17e0db57a0573481457393ecd678788ce4afa12360004c7308204c3308203aba00302010202107f71c1d3a226b0d2b113f3e68167643e300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x726e616c20434120526f6f74301e170d3130313230373030303030305a170d3230303533303130343833385a3051310b300906035504061302555331123010060355040a1309496e7465726e6574323111300f060355040b1308496e436f6d6d6f6e311b301906035504031312496e436f6d6d6f6e2053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100977cc7c8feb3e9206aa3a44f8e8e345606b37a6caa109b48612b369069e3340a47a7bb7bdeaa6afbeb82958fca1d7faf75a6a84cda2067611a0d86c1cac187afac4ee4de621b2f9db198afc601fb1770dbac1459ec6f3f337fa6980be4
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0xe238aff57f856d0e
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd1ba4be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8668989.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=204, length=301
Wed Oct 14 10:38:17 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: 	Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: 	Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x020500061900
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd1ba4be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0xb89ed1560360ceca46a5f123d4a29060
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 5 length 6
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 10:38:17 2015 : Debug: [peap] ACK handshake fragment handler
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 1

Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 13

Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=204, length=0
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x010603fc194074049df62786c79b8fe7712a08f403024063247d40578f54e0547eb6134861f1dece0ebdb6fa4d98b2d90d8d79a6e0aacd0c919aa5dfab73bbca14785c4729a1cac5ba9fc7da60f7ffe77ff2d9daa12d0f4916a7d30092cf8a47d94df8d59566d374f98063004f4c84161fb3f5241fa14edee895d6b20b098b2c6bc75c2f8c63c999cb52b1627b7301627f636cd868a0ee6aa88d1f29f3d018acad0203010001a382017730820173301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e04160414484f5afa2f4a9a5ee050f36b7b55a5def5be345d300e0603551d0f0101ff0404030201
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x0630120603551d130101ff040830060101ff02010030110603551d20040a300830060604551d200030440603551d1f043d303b3039a037a0358633687474703a2f2f63726c2e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e63726c3081b306082b060105050701010481a63081a3303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e703763303906082b06010505073002862d687474703a2f2f6372742e7573657274727573742e636f6d2f416464547275737455544e53474343412e637274
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010505000382010100936621807445854bc2abce32b029fedddfd6245bbf036a6f503e0e1bb30d88a35beec4a4123b56ef067fcf7f2195563b4131fee1aa93d295f3950d3c47abca5c26ad3ef1f98c346e11bef467e30249f9a67c7b6425dd1746f250e3e30a213a4924cdc68465686768b0452d4799cd9cab86291172dcd69c364374f3d4979e56a0fe5f4058d2d5d77e7cc58e1ab2045c92660e85ad2e06cec8a3d8eb142791decf17308153b66612ad37e4f5ef965c200e36e9ac627d19818af59061a649abce3cdfe6
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0xca64ee826539459516ba41060098ba0c5661e4c6c68601cf66a9222902d63dcfc42a8d99defb09149e0ed1d5c6d781ddad24abac0705e21d68c370665fd300043a308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b3009060355040613
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x0253453114301206
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd6b94be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8668990.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=205, length=301
Wed Oct 14 10:38:17 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: 	Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: 	Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x020600061900
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd6b94be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0x0a6f66bdee6d622f214ead9c712c5483
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 6 length 6
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 10:38:17 2015 : Debug: [peap] ACK handshake fragment handler
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 1

Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 13

Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=205, length=0
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x010703fc19400355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b3
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x50600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b3009
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x06035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc51
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x42a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604160303030f0c00030b0100ed62d54d0d16abdddbf775ef679af503cb1dcb2a0e46890f9335b92cfd62fcb5aeea94a4b269f6e2d87adfe9076ba5cdf9b4f0e4c3ad531cacb4aa5d94c732ba343ac7d6a70dee7681cc09cce6d387654dff6253af216b50c936e995074eabff87a53fe2b3d4f6fadf6440f821
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x0c7d10e0f13cd6eb
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd7b84be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8668991.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=206, length=301
Wed Oct 14 10:38:17 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: 	Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: 	Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x020700061900
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd7b84be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0xda646618af8946d718d40f1e65fc1c51
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 7 length 6
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 10:38:17 2015 : Debug: [peap] ACK handshake fragment handler
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 1

Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 13

Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=206, length=0
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x010802a31900235117f28a47b4795ecfe8c241d8cb16a3fbb155ef7bc9fe89f4db168e1771802cbb8cc407db26e80f26a0d6f603d389871936a47ad44c832a1f434a0dce681e4776baedd455ff6ab46be0e18bd0fdc968d099cc7bf196177a0528bc3fb3421c5c7e0a6750ed98c25168379f2d6072df0e479af6b79986830f9df1d233c20646276bcdc8f76bc0646774db000102010095d70de564ac6321b6f2fa34a8f6f0f881a28278460a98729ee48fa262a9ff76ab6fd8848cadb811f5a88cd0516bb19c9dd1be35f0a0723231324e39ee74308f2d6f560558e2ca09c384f806c8734d88a31bcfe7a6e0ab051267772ba2504c865984645bad4b33
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x170c11a5694b7e11e6a965fc13ca2ff14f63a956fe5e63d9d5cc4c8e466a97afa8ed0a6000dce7b08a2a26c554a0f1c29b43cb79e36391138ce779f5d963eea55e15a9d40dd013508065d7c16439d753994353896fdfa07306b79f0b94ac90b73aaf0330f727d35a07b9157072a8b9afbebcfe218c70c1e045a9d4055304023b3ac96afdde3fc8d7abb202362c5922c736c7ea1b7e223caf630601010064fa03e822e949869f216967d54154e79350cbdd97b03baec66145e171347e7440efe4fe29c8ea3cb870eb3cd88dce15a6a33831e3e39e080be1f9c6ac4fd40fd7de1e9b18b36c25bce9826405cc779df170e3d9990845b83fc625cbf391f5c6
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0xe33e8fa52f7f0487095e0c9e7a8f72d25ae16df5a123349372db07aa3603f96aa8dd384d957bf99d28dc0b9de4ffd0f478faf8b89d1036c567a02d8562c1572ee7bbe117b7ebab5d7ba0a19294b83c3b85d684444410def483b6975ca3d3e5f9284961273ec26c6dd14462b2df7d787e413ccfd2abce7db78e67eac485a8c8b09faed036b20edcebe1179c15dd1622c00cb437ee43ba6d5aa911ff45625bb9c016030300040e000000
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd4b74be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8668992.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=225, length=625
Wed Oct 14 10:38:17 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: 	Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: 	Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x0208014819800000013e16030301061000010201004c30b626c500e80edb7c6aef9e28be6cb7d5657ea3e182f8c3968c9795abadd370162ad9d1e090e101f456906147450eeccd865497cf5d7272a1b5c1eb1429ac67f9ef08acf6c4ebcd6a495e0f8ae57473016f124c1ef73460fba53c75cdea439cfeafe43c075444a75a19eeaab98014df5b68ce50e6c0457c38183530e96d40ea130253a963308089cc5f8b9fbdd00588a998cef63cce5ce72201efb8d1f18fe87714ea7fdda56f993c5a30ad0a44ad3daa00d28dc4976d61219e69fbc939aad8fcf4148916a5f3b79d5ef0addf77daa13f58fe234f14d084c7eb9380c296e42b4624af60bb7435
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0xaebd84f2a507f3180f2a4f8a5e503fde2b95363debbb13b3140303000101160303002800000000000000003fa33a59a6eb8c323400781c7619aec325bc5284fb946ff309eeea8689967ca2
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd4b74be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0xbdf4a4494cf41792229408a2738ddad6
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 8 length 253
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] Length Included
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 11

Wed Oct 14 10:38:17 2015 : Debug: [peap]     TLS_accept: SSLv3 read client key exchange A
Wed Oct 14 10:38:17 2015 : Debug: [peap]     TLS_accept: SSLv3 read finished A
Wed Oct 14 10:38:17 2015 : Debug: [peap]     TLS_accept: SSLv3 write change cipher spec A
Wed Oct 14 10:38:17 2015 : Debug: [peap]     TLS_accept: SSLv3 write finished A
Wed Oct 14 10:38:17 2015 : Debug: [peap]     TLS_accept: SSLv3 flush data
Wed Oct 14 10:38:17 2015 : Debug: [peap]     (other): SSL negotiation finished successfully
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 13

Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=225, length=0
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x0109003919001403030001011603030028c0e818d89141685c9605de6806d749144022f7d80084d23e34d8159b1e814c240667437ed2e3fbe6
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd5b64be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8669026.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=228, length=301
Wed Oct 14 10:38:17 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: 	Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: 	Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x020900061900
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd5b64be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0xa9934d96f5b57462bb0b1574354a3b7e
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 9 length 6
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 10:38:17 2015 : Debug: [peap] ACK handshake is finished
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 3

Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 3

Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_SUCCESS
Wed Oct 14 10:38:17 2015 : Debug: [peap] Session established.  Decoding tunneled attributes.
Wed Oct 14 10:38:17 2015 : Debug: [peap] Peap state TUNNEL ESTABLISHED
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=228, length=0
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x010a00281900170303001dc0e818d89141685d75d7043b62873453b0c5841147101884fb408bee25
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbdab54be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8669030.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=229, length=334
Wed Oct 14 10:38:17 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: 	Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: 	Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x020a00271900170303001c00000000000000012c03ad1a53ceeacb87e4e9937cd769fc8dc8284a
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbdab54be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0x43702d53a1130c3122b86e3d13da6954
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 10 length 39
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 7

Wed Oct 14 10:38:17 2015 : Debug: [peap] Done initial handshake
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 7

Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_OK
Wed Oct 14 10:38:17 2015 : Debug: [peap] Session established.  Decoding tunneled attributes.
Wed Oct 14 10:38:17 2015 : Debug: [peap] Peap state WAITING FOR INNER IDENTITY
Wed Oct 14 10:38:17 2015 : Debug: [peap] Identity - hm6
Wed Oct 14 10:38:17 2015 : Debug: [peap] Got inner identity 'hm6'
Wed Oct 14 10:38:17 2015 : Debug: [peap] Setting default EAP type for tunneled EAP session.
Wed Oct 14 10:38:17 2015 : Debug: [peap] Setting User-Name to hm6
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[unix] = notfound
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++update control {
Wed Oct 14 10:38:17 2015 : Debug: ++} # update control = noop
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 10 length 8
Wed Oct 14 10:38:17 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = updated
Wed Oct 14 10:38:17 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 10:38:17 2015 : Debug: ++[files] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++load-balance redundant_ldap {
Wed Oct 14 10:38:17 2015 : Debug: ++redundant-load-balance group redundant_ldap {
Wed Oct 14 10:38:17 2015 : Debug: [ldap2] performing user authorization for hm6
Wed Oct 14 10:38:17 2015 : Debug: [ldap2] 	expand: %{Stripped-User-Name} -> hm6
Wed Oct 14 10:38:17 2015 : Debug: [ldap2] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=hm6)
Wed Oct 14 10:38:17 2015 : Debug: [ldap2] 	expand: dc=rice,dc=edu -> dc=rice,dc=edu
Wed Oct 14 10:38:17 2015 : Debug: [ldap2] checking if remote access for hm6 is allowed by riceClass
Wed Oct 14 10:38:17 2015 : Debug: [ldap2] looking for check items in directory...
Wed Oct 14 10:38:17 2015 : Debug: [ldap2] looking for reply items in directory...
Wed Oct 14 10:38:17 2015 : Debug: [ldap2] user hm6 authorized to use remote access
Wed Oct 14 10:38:17 2015 : Debug: +++[ldap2] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++} # redundant-load-balance group redundant_ldap = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++if (reply:Connect-Info =~ /[a-z]* student/) {
Wed Oct 14 10:38:17 2015 : Debug: +++update reply {
Wed Oct 14 10:38:17 2015 : Debug: +++} # update reply = noop
Wed Oct 14 10:38:17 2015 : Debug: ++} # if (reply:Connect-Info =~ /[a-z]* student/) = noop
Wed Oct 14 10:38:17 2015 : Debug: ++ ... skipping elsif for request 8669032: Preceding "if" was taken
Wed Oct 14 10:38:17 2015 : Debug: ++ ... skipping elsif for request 8669032: Preceding "if" was taken
Wed Oct 14 10:38:17 2015 : Debug: ++ ... skipping elsif for request 8669032: Preceding "if" was taken
Wed Oct 14 10:38:17 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff"))
Wed Oct 14 10:38:17 2015 : Debug:     (Attribute Hint was not found)
Wed Oct 14 10:38:17 2015 : Debug: ?? Evaluating (Hint == "JOINstudent" ) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ?? Skipping (reply:Connect-Info == "staff")
Wed Oct 14 10:38:17 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff")) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++[perl] = updated
Wed Oct 14 10:38:17 2015 : Debug: ++update reply {
Wed Oct 14 10:38:17 2015 : Debug: 	expand: %{reply:Tunnel-Private-Group-Id} -> student
Wed Oct 14 10:38:17 2015 : Debug: ++} # update reply = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[expiration] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[logintime] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[pap] = noop
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = updated
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP Identity
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type mschapv2
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: [peap] Got tunneled Access-Challenge
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=229, length=0
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x010b003c19001703030031c0e818d89141685ed4756a4de2576f89af4ea3e1cd4457df7b2cb560c00f3b77469425c491748bcac703d3c88837dd9ac2
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbdbb44be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8669032.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=231, length=388
Wed Oct 14 10:38:17 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: 	Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: 	Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x020b005d190017030300520000000000000002a97c835bae8374ab8d8bbfd91999adda230ae387595070be5defc2bc7c78c6c2867f3c5894838cb7ae576426364a1404bfcf0eec8ab3061275d3d9652f81d645d6140181a52d4d4e88b5
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbdbb44be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0x3c44d9b222e5b9dcea129094c75d2680
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 11 length 93
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 7

Wed Oct 14 10:38:17 2015 : Debug: [peap] Done initial handshake
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 7

Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_OK
Wed Oct 14 10:38:17 2015 : Debug: [peap] Session established.  Decoding tunneled attributes.
Wed Oct 14 10:38:17 2015 : Debug: [peap] Peap state phase2
Wed Oct 14 10:38:17 2015 : Debug: [peap] EAP type mschapv2
Wed Oct 14 10:38:17 2015 : Debug: [peap] Setting User-Name to hm6
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[unix] = notfound
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++update control {
Wed Oct 14 10:38:17 2015 : Debug: ++} # update control = noop
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 11 length 62
Wed Oct 14 10:38:17 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = updated
Wed Oct 14 10:38:17 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 10:38:17 2015 : Debug: ++[files] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++load-balance redundant_ldap {
Wed Oct 14 10:38:17 2015 : Debug: ++redundant-load-balance group redundant_ldap {
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] performing user authorization for hm6
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] 	expand: %{Stripped-User-Name} -> hm6
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=hm6)
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] 	expand: dc=rice,dc=edu -> dc=rice,dc=edu
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] checking if remote access for hm6 is allowed by riceClass
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] looking for check items in directory...
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] looking for reply items in directory...
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] user hm6 authorized to use remote access
Wed Oct 14 10:38:17 2015 : Debug: +++[ldap3] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++} # redundant-load-balance group redundant_ldap = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++if (reply:Connect-Info =~ /[a-z]* student/) {
Wed Oct 14 10:38:17 2015 : Debug: +++update reply {
Wed Oct 14 10:38:17 2015 : Debug: +++} # update reply = noop
Wed Oct 14 10:38:17 2015 : Debug: ++} # if (reply:Connect-Info =~ /[a-z]* student/) = noop
Wed Oct 14 10:38:17 2015 : Debug: ++ ... skipping elsif for request 8669034: Preceding "if" was taken
Wed Oct 14 10:38:17 2015 : Debug: ++ ... skipping elsif for request 8669034: Preceding "if" was taken
Wed Oct 14 10:38:17 2015 : Debug: ++ ... skipping elsif for request 8669034: Preceding "if" was taken
Wed Oct 14 10:38:17 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff"))
Wed Oct 14 10:38:17 2015 : Debug:     (Attribute Hint was not found)
Wed Oct 14 10:38:17 2015 : Debug: ?? Evaluating (Hint == "JOINstudent" ) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ?? Skipping (reply:Connect-Info == "staff")
Wed Oct 14 10:38:17 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff")) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++[perl] = updated
Wed Oct 14 10:38:17 2015 : Debug: ++update reply {
Wed Oct 14 10:38:17 2015 : Debug: 	expand: %{reply:Tunnel-Private-Group-Id} -> student
Wed Oct 14 10:38:17 2015 : Debug: ++} # update reply = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[expiration] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[logintime] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[pap] = noop
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = updated
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/mschapv2
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type mschapv2
Wed Oct 14 10:38:17 2015 : Debug: [mschapv2] # Executing group from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 10:38:17 2015 : Debug: [mschapv2] +group MS-CHAP {
Wed Oct 14 10:38:17 2015 : Debug: [mschap] Creating challenge hash with username: hm6
Wed Oct 14 10:38:17 2015 : Debug: [mschap] Client is using MS-CHAPv2 for hm6, we need NT-Password
Wed Oct 14 10:38:17 2015 : Debug: [mschap] 	expand: %{Stripped-User-Name} -> hm6
Wed Oct 14 10:38:17 2015 : Debug: [mschap] 	expand: --username=%{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-%{User-Name}}} -> --username=hm6
Wed Oct 14 10:38:17 2015 : Debug: [mschap] No NT-Domain was found in the User-Name.
Wed Oct 14 10:38:17 2015 : Debug: [mschap] 	expand: --domain=%{mschap:NT-Domain:-ADRICE} -> --domain=
Wed Oct 14 10:38:17 2015 : Debug: [mschap] Creating challenge hash with username: hm6
Wed Oct 14 10:38:17 2015 : Debug: [mschap] 	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=c1b5930b981f7cb3
Wed Oct 14 10:38:17 2015 : Debug: [mschap] 	expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=c5ff0b2ee1fc6f01d9bbad2d31f4c082811f86363ec9d645
Wed Oct 14 10:38:17 2015 : Debug: [mschap] Exec: program returned: 0
Wed Oct 14 10:38:17 2015 : Debug: [mschap] adding MS-CHAPv2 MPPE keys
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group MS-CHAP = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: [peap] Got tunneled Access-Challenge
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=231, length=0
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x010c005219001703030047c0e818d89141685fe8d226ad69155044d09e7d795326f1242391d7e11fe25aed69840fb7d0fdd3557f6fadbff7f2735e2ab95a70948061a52d783352cf181dd1a66d5c394bc989
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd8b34be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8669034.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=235, length=332
Wed Oct 14 10:38:17 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: 	Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: 	Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x020c00251900170303001a000000000000000373280432f973498aecaddcc6ca92bbba196f
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd8b34be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0x5ee7a4da527d81a3902218a6bab37f9f
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 12 length 37
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 7

Wed Oct 14 10:38:17 2015 : Debug: [peap] Done initial handshake
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 7

Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_OK
Wed Oct 14 10:38:17 2015 : Debug: [peap] Session established.  Decoding tunneled attributes.
Wed Oct 14 10:38:17 2015 : Debug: [peap] Peap state phase2
Wed Oct 14 10:38:17 2015 : Debug: [peap] EAP type mschapv2
Wed Oct 14 10:38:17 2015 : Debug: [peap] Setting User-Name to hm6
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[unix] = notfound
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++update control {
Wed Oct 14 10:38:17 2015 : Debug: ++} # update control = noop
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 12 length 6
Wed Oct 14 10:38:17 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = updated
Wed Oct 14 10:38:17 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 10:38:17 2015 : Debug: ++[files] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++load-balance redundant_ldap {
Wed Oct 14 10:38:17 2015 : Debug: ++redundant-load-balance group redundant_ldap {
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] performing user authorization for hm6
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] 	expand: %{Stripped-User-Name} -> hm6
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=hm6)
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] 	expand: dc=rice,dc=edu -> dc=rice,dc=edu
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] checking if remote access for hm6 is allowed by riceClass
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] looking for check items in directory...
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] looking for reply items in directory...
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] user hm6 authorized to use remote access
Wed Oct 14 10:38:17 2015 : Debug: +++[ldap3] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++} # redundant-load-balance group redundant_ldap = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++if (reply:Connect-Info =~ /[a-z]* student/) {
Wed Oct 14 10:38:17 2015 : Debug: +++update reply {
Wed Oct 14 10:38:17 2015 : Debug: +++} # update reply = noop
Wed Oct 14 10:38:17 2015 : Debug: ++} # if (reply:Connect-Info =~ /[a-z]* student/) = noop
Wed Oct 14 10:38:17 2015 : Debug: ++ ... skipping elsif for request 8669041: Preceding "if" was taken
Wed Oct 14 10:38:17 2015 : Debug: ++ ... skipping elsif for request 8669041: Preceding "if" was taken
Wed Oct 14 10:38:17 2015 : Debug: ++ ... skipping elsif for request 8669041: Preceding "if" was taken
Wed Oct 14 10:38:17 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff"))
Wed Oct 14 10:38:17 2015 : Debug:     (Attribute Hint was not found)
Wed Oct 14 10:38:17 2015 : Debug: ?? Evaluating (Hint == "JOINstudent" ) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ?? Skipping (reply:Connect-Info == "staff")
Wed Oct 14 10:38:17 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff")) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++[perl] = updated
Wed Oct 14 10:38:17 2015 : Debug: ++update reply {
Wed Oct 14 10:38:17 2015 : Debug: 	expand: %{reply:Tunnel-Private-Group-Id} -> student
Wed Oct 14 10:38:17 2015 : Debug: ++} # update reply = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[expiration] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[logintime] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[pap] = noop
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = updated
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/mschapv2
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type mschapv2
Wed Oct 14 10:38:17 2015 : Debug: [eap] Freeing handler
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = ok
Wed Oct 14 10:38:17 2015 : Debug: # Executing section post-auth from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 10:38:17 2015 : Debug: +group post-auth {
Wed Oct 14 10:38:17 2015 : Debug: [reply_log] 	expand: /var/opt/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/opt/freeradius/radacct/10.64.76.100/reply-detail-20151014
Wed Oct 14 10:38:17 2015 : Debug: [reply_log] /var/opt/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/opt/freeradius/radacct/10.64.76.100/reply-detail-20151014
Wed Oct 14 10:38:17 2015 : Debug: [reply_log] 	expand: %t -> Wed Oct 14 10:38:17 2015
Wed Oct 14 10:38:17 2015 : Debug: ++[reply_log] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++update outer.reply {
Wed Oct 14 10:38:17 2015 : Debug: 	expand: %{request:User-Name} -> hm6
Wed Oct 14 10:38:17 2015 : Debug: ++} # update outer.reply = noop
Wed Oct 14 10:38:17 2015 : Debug: ++? if (! reply:Cached-Session-Policy)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating !(reply:Cached-Session-Policy) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (! reply:Cached-Session-Policy) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++if (! reply:Cached-Session-Policy) {
Wed Oct 14 10:38:17 2015 : Debug: +++update reply {
Wed Oct 14 10:38:17 2015 : Debug: 	expand: TPG=%{reply:Tunnel-Private-Group-Id},CI=%{reply:Connect-Info} -> TPG=student,CI=student
Wed Oct 14 10:38:17 2015 : Debug: +++} # update reply = noop
Wed Oct 14 10:38:17 2015 : Debug: ++} # if (! reply:Cached-Session-Policy) = noop
Wed Oct 14 10:38:17 2015 : Debug: +} # group post-auth = ok
Wed Oct 14 10:38:17 2015 : Debug: [peap] Tunneled authentication was successful.
Wed Oct 14 10:38:17 2015 : Debug: [peap] SUCCESS
Wed Oct 14 10:38:17 2015 : Debug: [peap] Saving tunneled attributes for later
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=235, length=0
Wed Oct 14 10:38:17 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x010d002e19001703030023c0e818d8914168600522a03fe9268f7877bd85d4ec70f5a81c2f2e8c76993cab8b3c72
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd9b24be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8669041.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=236, length=341
Wed Oct 14 10:38:17 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: 	Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: 	Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x020d002e190017030300230000000000000004bba91b3a334d6a4076622f2294653030df6080f73dfbe7fbc28ded
Wed Oct 14 10:38:17 2015 : Debug: 	State = 0xd2bf52bbd9b24be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0xca71508c36a2309050ea8cb81f0b1095
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 13 length 46
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 7

Wed Oct 14 10:38:17 2015 : Debug: [peap] Done initial handshake
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 7

Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_OK
Wed Oct 14 10:38:17 2015 : Debug: [peap] Session established.  Decoding tunneled attributes.
Wed Oct 14 10:38:17 2015 : Debug: [peap] Peap state send tlv success
Wed Oct 14 10:38:17 2015 : Debug: [peap] Received EAP-TLV response.
Wed Oct 14 10:38:17 2015 : Debug: [peap] Success
Wed Oct 14 10:38:17 2015 : Debug: [peap] Using saved attributes from the original Access-Accept
Wed Oct 14 10:38:17 2015 : Debug: [peap] Saving response in the cache
Wed Oct 14 10:38:17 2015 : Debug: [eap] Freeing handler
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = ok
Wed Oct 14 10:38:17 2015 : Debug: # Executing section post-auth from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group post-auth {
Wed Oct 14 10:38:17 2015 : Debug: [reply_log] 	expand: /var/opt/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/opt/freeradius/radacct/10.64.76.100/reply-detail-20151014
Wed Oct 14 10:38:17 2015 : Debug: [reply_log] /var/opt/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/opt/freeradius/radacct/10.64.76.100/reply-detail-20151014
Wed Oct 14 10:38:17 2015 : Debug: [reply_log] 	expand: %t -> Wed Oct 14 10:38:17 2015
Wed Oct 14 10:38:17 2015 : Debug: ++[reply_log] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[exec] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++? if (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++if (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/) {
Wed Oct 14 10:38:17 2015 : Debug: +++update reply {
Wed Oct 14 10:38:17 2015 : Debug: 	expand: %{1} -> student
Wed Oct 14 10:38:17 2015 : Debug: 	expand: %{2} -> student
Wed Oct 14 10:38:17 2015 : Debug: +++} # update reply = noop
Wed Oct 14 10:38:17 2015 : Debug: ++} # if (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/) = noop
Wed Oct 14 10:38:17 2015 : Debug: +} # group post-auth = ok
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Accept packet to host 10.64.76.100 port 32770, id=236, length=0
Wed Oct 14 10:38:17 2015 : Debug: 	Connect-Info = "student"
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "student"
Wed Oct 14 10:38:17 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: 	Cached-Session-Policy = "TPG=student,CI=student"
Wed Oct 14 10:38:17 2015 : Debug: 	MS-MPPE-Recv-Key = 0x44b548185372c8a886dcc1126f6223f71d6df51507c61a3ecc63d101fbb63151
Wed Oct 14 10:38:17 2015 : Debug: 	MS-MPPE-Send-Key = 0xfb088233dc414a36129de240105954054ef16417bfa5b5022ee01dde562c16e3
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-MSK = 0x44b548185372c8a886dcc1126f6223f71d6df51507c61a3ecc63d101fbb63151fb088233dc414a36129de240105954054ef16417bfa5b5022ee01dde562c16e3
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-EMSK = 0x54c09152b3e71253db345017c99e5c0141050fbfcf65edc514b76adbc471c9ad7f30272e7780368e5e6305e6071f031d72fe08ad43ebcf64e4e35b396e36de96
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Session-Id = 0x1999003f89ceb614e8779deaf18bf16ef575108a8f296a3b6987f73e7ef5a00c28561e76e95197ed406fd8149d26f490d27122bb9c77c5bab8154eeab3677a63a4
Wed Oct 14 10:38:17 2015 : Debug: 	EAP-Message = 0x030d0004
Wed Oct 14 10:38:17 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8669042.
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8668982 ID 196 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8668983 ID 197 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8668986 ID 200 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8668989 ID 203 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8668990 ID 204 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8668991 ID 205 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8668992 ID 206 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8669026 ID 225 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8669030 ID 228 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8669032 ID 229 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8669034 ID 231 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8669041 ID 235 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8669042 ID 236 with timestamp +103464
-------------- next part --------------
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=207, length=285
Wed Oct 14 11:06:35 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: 	Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x0201000801686d36
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0xa29c55e08457085f2f34d996d5338aa0
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 1 length 8
Wed Oct 14 11:06:35 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = updated
Wed Oct 14 11:06:35 2015 : Debug: ++[unix] = notfound
Wed Oct 14 11:06:35 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 11:06:35 2015 : Debug: ++[files] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++[expiration] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[logintime] = noop
Wed Oct 14 11:06:35 2015 : Debug: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Wed Oct 14 11:06:35 2015 : Debug: ++[pap] = noop
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = updated
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP Identity
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type tls
Wed Oct 14 11:06:35 2015 : Debug: [tls] Requiring client certificate
Wed Oct 14 11:06:35 2015 : Debug: [tls] Initiate
Wed Oct 14 11:06:35 2015 : Debug: [tls] Start returned 1
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=207, length=0
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x010200060d20
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb73e2caa1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057415.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=209, length=301
Wed Oct 14 11:06:35 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: 	Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x020200060319
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb73e2caa1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0xc9cf5b1bc7fa1852acd956b6df896e82
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 2 length 6
Wed Oct 14 11:06:35 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = updated
Wed Oct 14 11:06:35 2015 : Debug: ++[unix] = notfound
Wed Oct 14 11:06:35 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 11:06:35 2015 : Debug: ++[files] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++[expiration] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[logintime] = noop
Wed Oct 14 11:06:35 2015 : Debug: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Wed Oct 14 11:06:35 2015 : Debug: ++[pap] = noop
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = updated
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP NAK
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP-NAK asked for EAP-Type/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type tls
Wed Oct 14 11:06:35 2015 : Debug: [tls] Initiate
Wed Oct 14 11:06:35 2015 : Debug: [tls] Start returned 1
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=209, length=0
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x010300061920
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb72e3dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057420.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=210, length=447
Wed Oct 14 11:06:35 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: 	Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x0203009819800000008e1603010089010000850301561e7d8ceb6b159381eb964528005513132c4b913cf9958ac64937c507e9774000004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007c011c002c00c0005000401000012000a00080006001700180019000b00020100
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb72e3dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x6496bde2f2c4fb94ed2a87f7fa69f30c
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 3 length 152
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] Length Included
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 11

Wed Oct 14 11:06:35 2015 : Debug: [peap]     (other): before/accept initialization
Wed Oct 14 11:06:35 2015 : Debug: [peap]     TLS_accept: before/accept initialization
Wed Oct 14 11:06:35 2015 : Debug: [peap]     TLS_accept: SSLv3 read client hello A
Wed Oct 14 11:06:35 2015 : Debug: [peap]     TLS_accept: SSLv3 write server hello A
Wed Oct 14 11:06:35 2015 : Debug: [peap]     TLS_accept: SSLv3 write certificate A
Wed Oct 14 11:06:35 2015 : Debug: [peap]     TLS_accept: SSLv3 write key exchange A
Wed Oct 14 11:06:35 2015 : Debug: [peap]     TLS_accept: SSLv3 write server done A
Wed Oct 14 11:06:35 2015 : Debug: [peap]     TLS_accept: SSLv3 flush data
Wed Oct 14 11:06:35 2015 : Debug: [peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
Wed Oct 14 11:06:35 2015 : Debug: [peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 13

Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=210, length=0
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x0104040019c00000127316030100510200004d0301561e7d8be4a39e0ba6cd482c0f70ec79000e3385cfbfb6217470e77130ee8d1e2018f5770292e626ce9e6943812b2252a0511c8dfe79d49224e24cb61c6a58ccc30039000005ff010001001603010efd0b000ef9000ef60005ec308205e8308204d0a003020102021100d2214325afda98a298320a313910b0a7300d06092a864886f70d01010505003051310b300906035504061302555331123010060355040a1309496e7465726e6574323111300f060355040b1308496e436f6d6d6f6e311b301906035504031312496e436f6d6d6f6e20536572766572204341301e170d3134303832353030
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x303030305a170d3137303832343233353935395a3081c0310b3009060355040613025553311330110603550411130a37373235312d31383932310e300c0603550408130554657861733110300e06035504071307486f7573746f6e311430120603550409130b504f20426f782031383932310f300d060355040913064d532031313931183016060355040a130f5269636520556e6976657273697479311f301d060355040b1316496e666f726d6174696f6e20546563686e6f6c6f6779311830160603550403130f7261646975732e726963652e65647530820122300d06092a864886f70d01010105000382010f003082010a0282010100c0abafe128
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x6bc30df0a3c2d2819ae89a3c0e4784956c31ce16f7845b0f72b8dd7dcc63e31b61b3943179e74feeb4f674712104b873e21b03c024c1a92c322bc112e76ce4bf126a944f32fe70e72128cbe6688c2bd64e4b97107410d77d80bf40904621d19b5977aa0a2c6ff5097aa84c4d3863032007db7ba738833594f29547be596c8989f26824bc26024146e1b678d28fb18f3d7da5a8217529d9dcc51d67d2b6b79e89363050ed5e11f5ad64167d11ae80a9c8b0bb2bcf54974c2c4ddefe3bddafeee7b0848580c750c964b05bb9700044ebc77944bfafaed6270fcba7e5fa8821b15bc62e0137f8f40f6f5caf9c1c39912617acb6ae037ef812442e4ccd0203
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x010001a382024930820245301f0603551d23041830168014484f5afa2f4a9a5ee050f36b7b55a5def5be345d301d0603551d0e04160414fca71db4ce69391b700243650721246bebc46497300e0603551d0f0101ff0404030205a0300c0603551d130101ff04023000301d0603551d250416301406082b0601050507030106082b0601050507030230670603551d200460305e3052060c2b06010401ae2301040301013042304006082b06010505070201163468747470733a2f2f7777772e696e636f6d6d6f6e2e6f72672f636572742f7265706f7369746f72792f6370735f73736c2e7064663008060667810c010202303d0603551d1f0436303430
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x32a030a02e862c687474703a
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb71e4dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057421.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=211, length=301
Wed Oct 14 11:06:35 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: 	Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x020400061900
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb71e4dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0xbe167059ca1392112fa2e7920c899151
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 4 length 6
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 11:06:35 2015 : Debug: [peap] ACK handshake fragment handler
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 1

Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 13

Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=211, length=0
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x010503fc19402f2f63726c2e696e636f6d6d6f6e2e6f72672f496e436f6d6d6f6e53657276657243412e63726c306f06082b0601050507010104633061303906082b06010505073002862d687474703a2f2f636572742e696e636f6d6d6f6e2e6f72672f496e436f6d6d6f6e53657276657243412e637274302406082b060105050730018618687474703a2f2f6f6373702e696e636f6d6d6f6e2e6f72673081ac0603551d110481a43081a1820f7261646975732e726963652e65647582186e65777261646975732d612e6e65742e726963652e65647582186e65777261646975732d622e6e65742e726963652e65647582157261646975732d612e6e
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x65742e726963652e65647582157261646975732d622e6e65742e726963652e65647582157261646975732d632e6e65742e726963652e65647582157261646975732d642e6e65742e726963652e656475300d06092a864886f70d0101050500038201010024b8ca39f8c5c7f30b29b43b46d5a205a13cff521c12aa709dba4a38b2db77d20a727adcf7a1f9fbb14ba8ef4b42ff5a17d4a50afa0539284f32566b1aa6c4ce179ccaeb57849e15465a592e9a6687ea84ba8cfece9d5480911b6b1bf0e539707e8e47951fbb90dbcdce93548fa1a8a2e36444b878c84fbe52740039e794686cd81d29ac09fcb9fc397d5b5c47b4904dd54640d8709c42a9dd
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x051695e9dfc9123a2f34881eb6888ff944bb0711cff3ea080287dbdd52811c91ea341f310e1ff2bd196b946d47264ec297d29eb65dba202b4309df303a2b8b80393aea3e914d7adfc9ad596a26d3866f221ef17e0db57a0573481457393ecd678788ce4afa12360004c7308204c3308203aba00302010202107f71c1d3a226b0d2b113f3e68167643e300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x726e616c20434120526f6f74301e170d3130313230373030303030305a170d3230303533303130343833385a3051310b300906035504061302555331123010060355040a1309496e7465726e6574323111300f060355040b1308496e436f6d6d6f6e311b301906035504031312496e436f6d6d6f6e2053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100977cc7c8feb3e9206aa3a44f8e8e345606b37a6caa109b48612b369069e3340a47a7bb7bdeaa6afbeb82958fca1d7faf75a6a84cda2067611a0d86c1cac187afac4ee4de621b2f9db198afc601fb1770dbac1459ec6f3f337fa6980be4
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0xe238aff57f856d0e
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb70e5dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057422.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=213, length=301
Wed Oct 14 11:06:35 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: 	Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x020500061900
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb70e5dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x65b8bc2b9f221054fd434b23d071df41
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 5 length 6
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 11:06:35 2015 : Debug: [peap] ACK handshake fragment handler
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 1

Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 13

Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=213, length=0
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x010603fc194074049df62786c79b8fe7712a08f403024063247d40578f54e0547eb6134861f1dece0ebdb6fa4d98b2d90d8d79a6e0aacd0c919aa5dfab73bbca14785c4729a1cac5ba9fc7da60f7ffe77ff2d9daa12d0f4916a7d30092cf8a47d94df8d59566d374f98063004f4c84161fb3f5241fa14edee895d6b20b098b2c6bc75c2f8c63c999cb52b1627b7301627f636cd868a0ee6aa88d1f29f3d018acad0203010001a382017730820173301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e04160414484f5afa2f4a9a5ee050f36b7b55a5def5be345d300e0603551d0f0101ff0404030201
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x0630120603551d130101ff040830060101ff02010030110603551d20040a300830060604551d200030440603551d1f043d303b3039a037a0358633687474703a2f2f63726c2e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e63726c3081b306082b060105050701010481a63081a3303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e703763303906082b06010505073002862d687474703a2f2f6372742e7573657274727573742e636f6d2f416464547275737455544e53474343412e637274
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010505000382010100936621807445854bc2abce32b029fedddfd6245bbf036a6f503e0e1bb30d88a35beec4a4123b56ef067fcf7f2195563b4131fee1aa93d295f3950d3c47abca5c26ad3ef1f98c346e11bef467e30249f9a67c7b6425dd1746f250e3e30a213a4924cdc68465686768b0452d4799cd9cab86291172dcd69c364374f3d4979e56a0fe5f4058d2d5d77e7cc58e1ab2045c92660e85ad2e06cec8a3d8eb142791decf17308153b66612ad37e4f5ef965c200e36e9ac627d19818af59061a649abce3cdfe6
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0xca64ee826539459516ba41060098ba0c5661e4c6c68601cf66a9222902d63dcfc42a8d99defb09149e0ed1d5c6d781ddad24abac0705e21d68c370665fd300043a308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b3009060355040613
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x0253453114301206
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb77e6dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057425.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=216, length=301
Wed Oct 14 11:06:35 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: 	Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x020600061900
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb77e6dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0xf5dd9a6b00f45e88a716beb498941a1d
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 6 length 6
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 11:06:35 2015 : Debug: [peap] ACK handshake fragment handler
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 1

Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 13

Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=216, length=0
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x010703fc19400355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b3
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x50600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b3009
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x06035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc51
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x42a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604160301030d0c0003090100ed62d54d0d16abdddbf775ef679af503cb1dcb2a0e46890f9335b92cfd62fcb5aeea94a4b269f6e2d87adfe9076ba5cdf9b4f0e4c3ad531cacb4aa5d94c732ba343ac7d6a70dee7681cc09cce6d387654dff6253af216b50c936e995074eabff87a53fe2b3d4f6fadf6440f821
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x0c7d10e0f13cd6eb
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb76e7dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057429.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=218, length=301
Wed Oct 14 11:06:35 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: 	Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x020700061900
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb76e7dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x9b176e9332770f69134f7b7ed457ee15
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 7 length 6
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 11:06:35 2015 : Debug: [peap] ACK handshake fragment handler
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 1

Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 13

Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=218, length=0
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x010802a11900235117f28a47b4795ecfe8c241d8cb16a3fbb155ef7bc9fe89f4db168e1771802cbb8cc407db26e80f26a0d6f603d389871936a47ad44c832a1f434a0dce681e4776baedd455ff6ab46be0e18bd0fdc968d099cc7bf196177a0528bc3fb3421c5c7e0a6750ed98c25168379f2d6072df0e479af6b79986830f9df1d233c20646276bcdc8f76bc0646774db0001020100a50d494e8b203e36ac82a8e7cc5719fd9b2f38c73a7beeb1ff1fc16765a393b35de612abd209c1013ec4cf5db0840438ded55835120e3f16fae7bd9508f5bca865de9055229a00e2c494fa185590cff47b35b2f95ae77dcf65301500fa67850726dedc6283ea0e
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0xb4ba67015bedf84a0166cef4a7f0090a3d73535e17d816de399da68c21801db816421fb3a41ac823e404482a214b09386ebfd230a73f298d0fc409c645f0d920962ab0998fe92c44dff5fa83811c82c0888978d9c86382cee4774f7bf5e2ad3279d6fba6592d4ad1d7b586aebf2ad60b59ab8ca72a9d167c0a9be03f7a26f8c954ad78fc7b34da830adce58f3f8836e9a66790a243373c1991010089d57ddefc37cb6deabd5364db65d79b26b0e84264d7f3b9778c067d4d495301d288e2ae6df7a39915933fdcc674d1fd2a607d0a7ae91b6ec54df3b279405c71e6bd7ef4d3a75b155f9fcc39e96c7d7bb3cf299118f1b60d446c023c643b24593056
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x4fd534b7852fcfd2ebb32b1339ad958705aec660590775119d368d39c688431f54104a5f41ed4224993f16b55467117386436b4dcb0856877d3e0065556b1507177b838947d27a555e0233ba7924d6d067f31113959dcaf97f23a621f1135054aa48aac08a7f4836c430300dd44aff813611bfa2a2543a10a57449cf52163ca3605aabc986a9c12e2950c834a4034b9d79532426f43e5a5a2cb63550e13416030100040e000000
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb75e8dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057431.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=242, length=633
Wed Oct 14 11:06:35 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: 	Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x0208015019800000014616030101061000010201003ce2e6ab8ba7bbcf40053c71323c7ad52028a669d8b35e005ffa84f08697d90cb999af9f4dd0f52de9545c9a2886232c3e41dce36eeb03d805afc68aaac576489303220338bd04c2f9d399fd368580eb69bd4d52fc3df96af24a051e6053cf1aab0509f03d998fe9f1b43babde319ebeb84edb7c02653882b3d30738064bafbc7bd295f50f2acd573653b6c5565b8f63b967ba8668934c2719357ba3759420228be55c5ae4ecaf4480b8bb1a4546a6e2007a5807a7c5c3bcc35f6257c0c15d2c7fe9c88b9c665464e2d6c515bdbe9dc62b0bc3b780df70e1b85197626cb55980bbefe8ccbf5bdd03
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0xff6ab6dd6c81aa7bfc67790725b45516722c18425a87887d1403010001011603010030e8711af27bcdabc15db30c320998bc420c326daf5df8f5acb78bcfc6ad7d068f51f42965f89795ca55b7505dcdcb5e23
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb75e8dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0xe914b0a35421cf2417c0780f57544a19
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 8 length 253
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] Length Included
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 11

Wed Oct 14 11:06:35 2015 : Debug: [peap]     TLS_accept: SSLv3 read client key exchange A
Wed Oct 14 11:06:35 2015 : Debug: [peap]     TLS_accept: SSLv3 read finished A
Wed Oct 14 11:06:35 2015 : Debug: [peap]     TLS_accept: SSLv3 write change cipher spec A
Wed Oct 14 11:06:35 2015 : Debug: [peap]     TLS_accept: SSLv3 write finished A
Wed Oct 14 11:06:35 2015 : Debug: [peap]     TLS_accept: SSLv3 flush data
Wed Oct 14 11:06:35 2015 : Debug: [peap]     (other): SSL negotiation finished successfully
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 13

Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=242, length=0
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x01090041190014030100010116030100307662a63f3c56e363ae0ba6c6cfc3bb228e30c9e53bdc89b160377579730b189dde7a410bace015576b769ffe1e6cfc5f
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb74e9dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057460.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=245, length=301
Wed Oct 14 11:06:35 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: 	Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x020900061900
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb74e9dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0xd34aeac8bcbf7eed7fac47d00972a9e6
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 9 length 6
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 11:06:35 2015 : Debug: [peap] ACK handshake is finished
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 3

Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 3

Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_SUCCESS
Wed Oct 14 11:06:35 2015 : Debug: [peap] Session established.  Decoding tunneled attributes.
Wed Oct 14 11:06:35 2015 : Debug: [peap] Peap state TUNNEL ESTABLISHED
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=245, length=0
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x010a002b19001703010020ec9929c081653f2d761ea9fc99c531ac00f25f54024307c0b3d44ee320cabaed
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb7beadea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057464.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=246, length=338
Wed Oct 14 11:06:35 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: 	Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x020a002b19001703010020ce55956ebf5b9b20c665c479712bd7520e8ea1beaf28d20983bab2da85fcc0a7
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb7beadea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x54e5615d85a4b330ce7437c0a33767b9
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 10 length 43
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 7

Wed Oct 14 11:06:35 2015 : Debug: [peap] Done initial handshake
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 7

Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_OK
Wed Oct 14 11:06:35 2015 : Debug: [peap] Session established.  Decoding tunneled attributes.
Wed Oct 14 11:06:35 2015 : Debug: [peap] Peap state WAITING FOR INNER IDENTITY
Wed Oct 14 11:06:35 2015 : Debug: [peap] Identity - hm6
Wed Oct 14 11:06:35 2015 : Debug: [peap] Got inner identity 'hm6'
Wed Oct 14 11:06:35 2015 : Debug: [peap] Setting default EAP type for tunneled EAP session.
Wed Oct 14 11:06:35 2015 : Debug: [peap] Setting User-Name to hm6
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[unix] = notfound
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++update control {
Wed Oct 14 11:06:35 2015 : Debug: ++} # update control = noop
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 10 length 8
Wed Oct 14 11:06:35 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = updated
Wed Oct 14 11:06:35 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 11:06:35 2015 : Debug: ++[files] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++load-balance redundant_ldap {
Wed Oct 14 11:06:35 2015 : Debug: ++redundant-load-balance group redundant_ldap {
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] performing user authorization for hm6
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] 	expand: %{Stripped-User-Name} -> hm6
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=hm6)
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] 	expand: dc=rice,dc=edu -> dc=rice,dc=edu
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] checking if remote access for hm6 is allowed by riceClass
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] looking for check items in directory...
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] looking for reply items in directory...
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] user hm6 authorized to use remote access
Wed Oct 14 11:06:35 2015 : Debug: +++[ldap2] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++} # redundant-load-balance group redundant_ldap = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++if (reply:Connect-Info =~ /[a-z]* student/) {
Wed Oct 14 11:06:35 2015 : Debug: +++update reply {
Wed Oct 14 11:06:35 2015 : Debug: +++} # update reply = noop
Wed Oct 14 11:06:35 2015 : Debug: ++} # if (reply:Connect-Info =~ /[a-z]* student/) = noop
Wed Oct 14 11:06:35 2015 : Debug: ++ ... skipping elsif for request 9057465: Preceding "if" was taken
Wed Oct 14 11:06:35 2015 : Debug: ++ ... skipping elsif for request 9057465: Preceding "if" was taken
Wed Oct 14 11:06:35 2015 : Debug: ++ ... skipping elsif for request 9057465: Preceding "if" was taken
Wed Oct 14 11:06:35 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff"))
Wed Oct 14 11:06:35 2015 : Debug:     (Attribute Hint was not found)
Wed Oct 14 11:06:35 2015 : Debug: ?? Evaluating (Hint == "JOINstudent" ) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ?? Skipping (reply:Connect-Info == "staff")
Wed Oct 14 11:06:35 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff")) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++[perl] = updated
Wed Oct 14 11:06:35 2015 : Debug: ++update reply {
Wed Oct 14 11:06:35 2015 : Debug: 	expand: %{reply:Tunnel-Private-Group-Id} -> student
Wed Oct 14 11:06:35 2015 : Debug: ++} # update reply = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[expiration] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[logintime] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[pap] = noop
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = updated
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP Identity
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type mschapv2
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: [peap] Got tunneled Access-Challenge
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=246, length=0
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x010b003b1900170301003049d8728f2df8f7cc708214c08c1945ca8c14a7c6b8fdef8d35742122d5e14ca7e0464ddd319c24f09bf1e81b33d4fd0b
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb7aebdea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057465.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=248, length=386
Wed Oct 14 11:06:35 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: 	Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x020b005b19001703010050e914c55f667f3fc177ef910567dd74dd7c6b3be9c954a26b8c82a1d982237052a2ab687f9baaf73cd44d1adde1bf238e0f41bc8c8d7d6b49c95a5eb168c61d45ee229da0613c2d77e08cff12f05fe0a1
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb7aebdea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x4bec218eb833a573f94413c2d44f68cc
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 11 length 91
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 7

Wed Oct 14 11:06:35 2015 : Debug: [peap] Done initial handshake
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 7

Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_OK
Wed Oct 14 11:06:35 2015 : Debug: [peap] Session established.  Decoding tunneled attributes.
Wed Oct 14 11:06:35 2015 : Debug: [peap] Peap state phase2
Wed Oct 14 11:06:35 2015 : Debug: [peap] EAP type mschapv2
Wed Oct 14 11:06:35 2015 : Debug: [peap] Setting User-Name to hm6
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[unix] = notfound
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++update control {
Wed Oct 14 11:06:35 2015 : Debug: ++} # update control = noop
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 11 length 62
Wed Oct 14 11:06:35 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = updated
Wed Oct 14 11:06:35 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 11:06:35 2015 : Debug: ++[files] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++load-balance redundant_ldap {
Wed Oct 14 11:06:35 2015 : Debug: ++redundant-load-balance group redundant_ldap {
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] performing user authorization for hm6
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] 	expand: %{Stripped-User-Name} -> hm6
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=hm6)
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] 	expand: dc=rice,dc=edu -> dc=rice,dc=edu
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] checking if remote access for hm6 is allowed by riceClass
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] looking for check items in directory...
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] looking for reply items in directory...
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] user hm6 authorized to use remote access
Wed Oct 14 11:06:35 2015 : Debug: +++[ldap2] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++} # redundant-load-balance group redundant_ldap = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++if (reply:Connect-Info =~ /[a-z]* student/) {
Wed Oct 14 11:06:35 2015 : Debug: +++update reply {
Wed Oct 14 11:06:35 2015 : Debug: +++} # update reply = noop
Wed Oct 14 11:06:35 2015 : Debug: ++} # if (reply:Connect-Info =~ /[a-z]* student/) = noop
Wed Oct 14 11:06:35 2015 : Debug: ++ ... skipping elsif for request 9057467: Preceding "if" was taken
Wed Oct 14 11:06:35 2015 : Debug: ++ ... skipping elsif for request 9057467: Preceding "if" was taken
Wed Oct 14 11:06:35 2015 : Debug: ++ ... skipping elsif for request 9057467: Preceding "if" was taken
Wed Oct 14 11:06:35 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff"))
Wed Oct 14 11:06:35 2015 : Debug:     (Attribute Hint was not found)
Wed Oct 14 11:06:35 2015 : Debug: ?? Evaluating (Hint == "JOINstudent" ) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ?? Skipping (reply:Connect-Info == "staff")
Wed Oct 14 11:06:35 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff")) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++[perl] = updated
Wed Oct 14 11:06:35 2015 : Debug: ++update reply {
Wed Oct 14 11:06:35 2015 : Debug: 	expand: %{reply:Tunnel-Private-Group-Id} -> student
Wed Oct 14 11:06:35 2015 : Debug: ++} # update reply = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[expiration] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[logintime] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[pap] = noop
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = updated
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/mschapv2
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type mschapv2
Wed Oct 14 11:06:35 2015 : Debug: [mschapv2] # Executing group from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 11:06:35 2015 : Debug: [mschapv2] +group MS-CHAP {
Wed Oct 14 11:06:35 2015 : Debug: [mschap] Creating challenge hash with username: hm6
Wed Oct 14 11:06:35 2015 : Debug: [mschap] Client is using MS-CHAPv2 for hm6, we need NT-Password
Wed Oct 14 11:06:35 2015 : Debug: [mschap] 	expand: %{Stripped-User-Name} -> hm6
Wed Oct 14 11:06:35 2015 : Debug: [mschap] 	expand: --username=%{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-%{User-Name}}} -> --username=hm6
Wed Oct 14 11:06:35 2015 : Debug: [mschap] No NT-Domain was found in the User-Name.
Wed Oct 14 11:06:35 2015 : Debug: [mschap] 	expand: --domain=%{mschap:NT-Domain:-ADRICE} -> --domain=
Wed Oct 14 11:06:35 2015 : Debug: [mschap] Creating challenge hash with username: hm6
Wed Oct 14 11:06:35 2015 : Debug: [mschap] 	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=c6b6be6394fb80be
Wed Oct 14 11:06:35 2015 : Debug: [mschap] 	expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=c93bab6136a2420593d3dd328dbda3d5bf887ce07b3887bb
Wed Oct 14 11:06:35 2015 : Debug: [mschap] Exec: program returned: 0
Wed Oct 14 11:06:35 2015 : Debug: [mschap] adding MS-CHAPv2 MPPE keys
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group MS-CHAP = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: [peap] Got tunneled Access-Challenge
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=248, length=0
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x010c005b190017030100500e527fefe8b2ef735b397f33660e0a46f0587eb4809f047fe575068e013b42bbcf7f18c2a2fe1c440d3380e4babf39811441fd5814761722b160bc0cd5851dcd1d8df9d87063c9d0ba38fc1f2ed2592d
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb79ecdea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057467.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=255, length=338
Wed Oct 14 11:06:35 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: 	Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x020c002b19001703010020ef40d3f6b32d3c0667bfbe62768fb20209c755b908c286191a3d9ec491646db5
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb79ecdea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x6ed39cb5049e3132b5ebdf02704a4102
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 12 length 43
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 7

Wed Oct 14 11:06:35 2015 : Debug: [peap] Done initial handshake
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 7

Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_OK
Wed Oct 14 11:06:35 2015 : Debug: [peap] Session established.  Decoding tunneled attributes.
Wed Oct 14 11:06:35 2015 : Debug: [peap] Peap state phase2
Wed Oct 14 11:06:35 2015 : Debug: [peap] EAP type mschapv2
Wed Oct 14 11:06:35 2015 : Debug: [peap] Setting User-Name to hm6
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[unix] = notfound
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++update control {
Wed Oct 14 11:06:35 2015 : Debug: ++} # update control = noop
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 12 length 6
Wed Oct 14 11:06:35 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = updated
Wed Oct 14 11:06:35 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 11:06:35 2015 : Debug: ++[files] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++load-balance redundant_ldap {
Wed Oct 14 11:06:35 2015 : Debug: ++redundant-load-balance group redundant_ldap {
Wed Oct 14 11:06:35 2015 : Debug: [ldap1] performing user authorization for hm6
Wed Oct 14 11:06:35 2015 : Debug: [ldap1] 	expand: %{Stripped-User-Name} -> hm6
Wed Oct 14 11:06:35 2015 : Debug: [ldap1] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=hm6)
Wed Oct 14 11:06:35 2015 : Debug: [ldap1] 	expand: dc=rice,dc=edu -> dc=rice,dc=edu
Wed Oct 14 11:06:35 2015 : Debug: [ldap1] checking if remote access for hm6 is allowed by riceClass
Wed Oct 14 11:06:35 2015 : Debug: [ldap1] looking for check items in directory...
Wed Oct 14 11:06:35 2015 : Debug: [ldap1] looking for reply items in directory...
Wed Oct 14 11:06:35 2015 : Debug: [ldap1] user hm6 authorized to use remote access
Wed Oct 14 11:06:35 2015 : Debug: +++[ldap1] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++} # redundant-load-balance group redundant_ldap = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++if (reply:Connect-Info =~ /[a-z]* student/) {
Wed Oct 14 11:06:35 2015 : Debug: +++update reply {
Wed Oct 14 11:06:35 2015 : Debug: +++} # update reply = noop
Wed Oct 14 11:06:35 2015 : Debug: ++} # if (reply:Connect-Info =~ /[a-z]* student/) = noop
Wed Oct 14 11:06:35 2015 : Debug: ++ ... skipping elsif for request 9057483: Preceding "if" was taken
Wed Oct 14 11:06:35 2015 : Debug: ++ ... skipping elsif for request 9057483: Preceding "if" was taken
Wed Oct 14 11:06:35 2015 : Debug: ++ ... skipping elsif for request 9057483: Preceding "if" was taken
Wed Oct 14 11:06:35 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff"))
Wed Oct 14 11:06:35 2015 : Debug:     (Attribute Hint was not found)
Wed Oct 14 11:06:35 2015 : Debug: ?? Evaluating (Hint == "JOINstudent" ) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ?? Skipping (reply:Connect-Info == "staff")
Wed Oct 14 11:06:35 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff")) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++[perl] = updated
Wed Oct 14 11:06:35 2015 : Debug: ++update reply {
Wed Oct 14 11:06:35 2015 : Debug: 	expand: %{reply:Tunnel-Private-Group-Id} -> student
Wed Oct 14 11:06:35 2015 : Debug: ++} # update reply = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[expiration] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[logintime] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[pap] = noop
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = updated
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/mschapv2
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type mschapv2
Wed Oct 14 11:06:35 2015 : Debug: [eap] Freeing handler
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = ok
Wed Oct 14 11:06:35 2015 : Debug: # Executing section post-auth from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 11:06:35 2015 : Debug: +group post-auth {
Wed Oct 14 11:06:35 2015 : Debug: [reply_log] 	expand: /var/opt/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/opt/freeradius/radacct/10.64.76.100/reply-detail-20151014
Wed Oct 14 11:06:35 2015 : Debug: [reply_log] /var/opt/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/opt/freeradius/radacct/10.64.76.100/reply-detail-20151014
Wed Oct 14 11:06:35 2015 : Debug: [reply_log] 	expand: %t -> Wed Oct 14 11:06:35 2015
Wed Oct 14 11:06:35 2015 : Debug: ++[reply_log] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++update outer.reply {
Wed Oct 14 11:06:35 2015 : Debug: 	expand: %{request:User-Name} -> hm6
Wed Oct 14 11:06:35 2015 : Debug: ++} # update outer.reply = noop
Wed Oct 14 11:06:35 2015 : Debug: ++? if (! reply:Cached-Session-Policy)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating !(reply:Cached-Session-Policy) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (! reply:Cached-Session-Policy) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++if (! reply:Cached-Session-Policy) {
Wed Oct 14 11:06:35 2015 : Debug: +++update reply {
Wed Oct 14 11:06:35 2015 : Debug: 	expand: TPG=%{reply:Tunnel-Private-Group-Id},CI=%{reply:Connect-Info} -> TPG=student,CI=student
Wed Oct 14 11:06:35 2015 : Debug: +++} # update reply = noop
Wed Oct 14 11:06:35 2015 : Debug: ++} # if (! reply:Cached-Session-Policy) = noop
Wed Oct 14 11:06:35 2015 : Debug: +} # group post-auth = ok
Wed Oct 14 11:06:35 2015 : Debug: [peap] Tunneled authentication was successful.
Wed Oct 14 11:06:35 2015 : Debug: [peap] SUCCESS
Wed Oct 14 11:06:35 2015 : Debug: [peap] Saving tunneled attributes for later
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=255, length=0
Wed Oct 14 11:06:35 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x010d002b19001703010020d68d7d314369e1b1dc19347c66be477be80485fabcfcc62f6e6e489eea754605
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb78eddea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057483.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=0, length=338
Wed Oct 14 11:06:35 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: 	Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: 	Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: 	Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: 	Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: 	Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: 	Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x020d002b190017030100207fe9dd32300c88353767ed4bffbab3e279fa3258403e2f50d7e8a4a286124c91
Wed Oct 14 11:06:35 2015 : Debug: 	State = 0x73e0c7cb78eddea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x7f3735fa881fa91fe2550706f3825d88
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 13 length 43
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 7

Wed Oct 14 11:06:35 2015 : Debug: [peap] Done initial handshake
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 7

Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_OK
Wed Oct 14 11:06:35 2015 : Debug: [peap] Session established.  Decoding tunneled attributes.
Wed Oct 14 11:06:35 2015 : Debug: [peap] Peap state send tlv success
Wed Oct 14 11:06:35 2015 : Debug: [peap] Received EAP-TLV response.
Wed Oct 14 11:06:35 2015 : Debug: [peap] Success
Wed Oct 14 11:06:35 2015 : Debug: [peap] Using saved attributes from the original Access-Accept
Wed Oct 14 11:06:35 2015 : Debug: [peap] Saving response in the cache
Wed Oct 14 11:06:35 2015 : Debug: [eap] Freeing handler
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = ok
Wed Oct 14 11:06:35 2015 : Debug: # Executing section post-auth from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group post-auth {
Wed Oct 14 11:06:35 2015 : Debug: [reply_log] 	expand: /var/opt/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/opt/freeradius/radacct/10.64.76.100/reply-detail-20151014
Wed Oct 14 11:06:35 2015 : Debug: [reply_log] /var/opt/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/opt/freeradius/radacct/10.64.76.100/reply-detail-20151014
Wed Oct 14 11:06:35 2015 : Debug: [reply_log] 	expand: %t -> Wed Oct 14 11:06:35 2015
Wed Oct 14 11:06:35 2015 : Debug: ++[reply_log] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[exec] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++? if (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++if (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/) {
Wed Oct 14 11:06:35 2015 : Debug: +++update reply {
Wed Oct 14 11:06:35 2015 : Debug: 	expand: %{1} -> student
Wed Oct 14 11:06:35 2015 : Debug: 	expand: %{2} -> student
Wed Oct 14 11:06:35 2015 : Debug: +++} # update reply = noop
Wed Oct 14 11:06:35 2015 : Debug: ++} # if (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/) = noop
Wed Oct 14 11:06:35 2015 : Debug: +} # group post-auth = ok
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Accept packet to host 10.64.76.100 port 32770, id=0, length=0
Wed Oct 14 11:06:35 2015 : Debug: 	Connect-Info = "student"
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "student"
Wed Oct 14 11:06:35 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: 	Cached-Session-Policy = "TPG=student,CI=student"
Wed Oct 14 11:06:35 2015 : Debug: 	MS-MPPE-Recv-Key = 0xd6fc61507727f965242767e2951fa31390772d22397eda27f20ad3eda77f17f0
Wed Oct 14 11:06:35 2015 : Debug: 	MS-MPPE-Send-Key = 0x0a3aeaa6bd45ca7c59120616d94d8bbbde1a3bd3584aa1c747317378d29f2abc
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-MSK = 0xd6fc61507727f965242767e2951fa31390772d22397eda27f20ad3eda77f17f00a3aeaa6bd45ca7c59120616d94d8bbbde1a3bd3584aa1c747317378d29f2abc
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-EMSK = 0xc871c16e062585ab146537669c11f929e0dc78daf334f1796eddebe6052822f0093f71095873686c05bb1612d3d76aa1cbbde9ddd33be02e428862a6e80ef16f
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Session-Id = 0x19561e7d8ceb6b159381eb964528005513132c4b913cf9958ac64937c507e97740561e7d8be4a39e0ba6cd482c0f70ec79000e3385cfbfb6217470e77130ee8d1e
Wed Oct 14 11:06:35 2015 : Debug: 	EAP-Message = 0x030d0004
Wed Oct 14 11:06:35 2015 : Debug: 	Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057486.
Wed Oct 14 11:06:35 2015 : Debug: Received Accounting-Request packet from host 10.64.76.100 port 32770, id=131, length=281
Wed Oct 14 11:06:35 2015 : Debug: 	User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: 	Framed-IP-Address = 10.116.79.74
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: 	Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: 	NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: 	Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Authentic = RADIUS
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: 	Tunnel-Private-Group-Id:0 = "343"
Wed Oct 14 11:06:35 2015 : Debug: 	Event-Timestamp = "Oct 14 2015 11:06:35 CDT"
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Status-Type = Interim-Update
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Input-Octets = 4472429
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Input-Gigawords = 0
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Output-Octets = 4299801
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Output-Gigawords = 0
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Input-Packets = 52431
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Output-Packets = 34784
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Session-Time = 7014
Wed Oct 14 11:06:35 2015 : Debug: 	Acct-Delay-Time = 0
Wed Oct 14 11:06:35 2015 : Debug: 	Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: 	Called-Station-Id = "6c-20-56-2c-20-80"
Wed Oct 14 11:06:35 2015 : Debug: # Executing section preacct from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group preacct {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: [acct_unique] Hashing 'NAS-Port = 13,NAS-Identifier = "WiSM2-HA1-1",NAS-IP-Address = 10.64.76.100,Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428",User-Name = "hm6"'
Wed Oct 14 11:06:35 2015 : Debug: [acct_unique] Acct-Unique-Session-ID = "d8afff7ef8dc3708".
Wed Oct 14 11:06:35 2015 : Debug: ++[acct_unique] = ok
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Accounting realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[files] = noop
Wed Oct 14 11:06:35 2015 : Debug: +} # group preacct = ok
Wed Oct 14 11:06:35 2015 : Debug: # Executing section accounting from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group accounting {
Wed Oct 14 11:06:35 2015 : Debug: [detail] 	expand: /var/opt/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/opt/freeradius/radacct/10.64.76.100/detail-20151014
Wed Oct 14 11:06:35 2015 : Debug: [detail] /var/opt/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/opt/freeradius/radacct/10.64.76.100/detail-20151014
Wed Oct 14 11:06:35 2015 : Debug: [detail] 	expand: %t -> Wed Oct 14 11:06:35 2015
Wed Oct 14 11:06:35 2015 : Debug: ++[detail] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[unix] = noop
Wed Oct 14 11:06:35 2015 : Debug: [radutmp] 	expand: /var/opt/freeradius/radutmp -> /var/opt/freeradius/radutmp
Wed Oct 14 11:06:35 2015 : Debug: [radutmp] 	expand: %{User-Name} -> hm6
Wed Oct 14 11:06:35 2015 : Debug: ++[radutmp] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[exec] = noop
Wed Oct 14 11:06:35 2015 : Debug: [attr_filter.accounting_response] 	expand: %{User-Name} -> hm6
Wed Oct 14 11:06:35 2015 : Debug: ++[attr_filter.accounting_response] = updated
Wed Oct 14 11:06:35 2015 : Debug: +} # group accounting = updated
Wed Oct 14 11:06:35 2015 : Debug: Sending Accounting-Response packet to host 10.64.76.100 port 32770, id=131, length=0
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057490.
Wed Oct 14 11:06:36 2015 : Debug: Cleaning up request 9057490 ID 131 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057415 ID 207 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057420 ID 209 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057421 ID 210 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057422 ID 211 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057425 ID 213 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057429 ID 216 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057431 ID 218 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057460 ID 242 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057464 ID 245 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057465 ID 246 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057467 ID 248 with timestamp +105162
Wed Oct 14 11:06:38 2015 : Debug: Cleaning up request 9057483 ID 255 with timestamp +105162
Wed Oct 14 11:06:38 2015 : Debug: Cleaning up request 9057486 ID 0 with timestamp +105162
-------------- next part --------------
# -*- text -*-
##
## radiusd.conf	-- FreeRADIUS server configuration file.
##
##	http://www.freeradius.org/
##	$Id: 81a565ed4e970318914f4c7798215a04d9ca8c15 $
##

######################################################################
#
#	Read "man radiusd" before editing this file.  See the section
#	titled DEBUGGING.  It outlines a method where you can quickly
#	obtain the configuration you want, without running into
#	trouble.
#
#	Run the server in debugging mode, and READ the output.
#
#		$ radiusd -X
#
#	We cannot emphasize this point strongly enough.  The vast
#	majority of problems can be solved by carefully reading the
#	debugging output, which includes warnings about common issues,
#	and suggestions for how they may be fixed.
#
#	There may be a lot of output, but look carefully for words like:
#	"warning", "error", "reject", or "failure".  The messages there
#	will usually be enough to guide you to a solution.
#
#	If you are going to ask a question on the mailing list, then
#	explain what you are trying to do, and include the output from
#	debugging mode (radiusd -X).  Failure to do so means that all
#	of the responses to your question will be people telling you
#	to "post the output of radiusd -X".

######################################################################
#
#  	The location of other config files and logfiles are declared
#  	in this file.
#
#  	Also general configuration for modules can be done in this
#  	file, it is exported through the API to modules that ask for
#  	it.
#
#	See "man radiusd.conf" for documentation on the format of this
#	file.  Note that the individual configuration items are NOT
#	documented in that "man" page.  They are only documented here,
#	in the comments.
#
#	As of 2.0.0, FreeRADIUS supports a simple processing language
#	in the "authorize", "authenticate", "accounting", etc. sections.
#	See "man unlang" for details.
#

prefix = /usr/site/freeradius
exec_prefix = ${prefix}
sysconfdir = /etc/opt/freeradius
localstatedir = /var/opt/freeradius
sbindir = ${exec_prefix}/sbin
logdir = /var/opt/freeradius
raddbdir = /etc/opt/freeradius
radacctdir = ${logdir}/radacct

#
#  name of the running server.  See also the "-n" command-line option.
name = radiusd

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}

#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#	./configure --disable-shared
#	make
#	make install
#
libdir = ${exec_prefix}/lib

#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using this
#  file.
#
#  This file is written when ONLY running in daemon mode.
#
#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/${name}.pid

#  chroot: directory where the server does "chroot".
#
#  The chroot is done very early in the process of starting the server.
#  After the chroot has been performed it switches to the "user" listed
#  below (which MUST be specified).  If "group" is specified, it switchs
#  to that group, too.  Any other groups listed for the specified "user"
#  in "/etc/group" are also added as part of this process.
#
#  The current working directory (chdir / cd) is left *outside* of the
#  chroot until all of the modules have been initialized.  This allows
#  the "raddb" directory to be left outside of the chroot.  Once the
#  modules have been initialized, it does a "chdir" to ${logdir}.  This
#  means that it should be impossible to break out of the chroot.
#
#  If you are worried about security issues related to this use of chdir,
#  then simply ensure that the "raddb" directory is inside of the chroot,
#  end be sure to do "cd raddb" BEFORE starting the server.
#
#  If the server is statically linked, then the only files that have
#  to exist in the chroot are ${run_dir} and ${logdir}.  If you do the
#  "cd raddb" as discussed above, then the "raddb" directory has to be
#  inside of the chroot directory, too.
#
#chroot = /path/to/chroot/directory

# user/group: The name (or #number) of the user/group to run radiusd as.
#
#   If these are commented out, the server will run as the user/group
#   that started it.  In order to change to a different user/group, you
#   MUST be root ( or have root privleges ) to start the server.
#
#   We STRONGLY recommend that you run the server with as few permissions
#   as possible.  That is, if you're not using shadow passwords, the
#   user and group items below should be set to radius'.
#
#  NOTE that some kernels refuse to setgid(group) when the value of
#  (unsigned)group is above 60000; don't use group nobody on these systems!
#
#  On systems with shadow passwords, you might have to set 'group = shadow'
#  for the server to be able to read the shadow password file.  If you can
#  authenticate users while in debug mode, but not in daemon mode, it may be
#  that the debugging mode server is running as a user that can read the
#  shadow info, and the user listed below can not.
#
#  The server will also try to use "initgroups" to read /etc/groups.
#  It will join all groups where "user" is a member.  This can allow
#  for some finer-grained access controls.
#
user = radius
group = radius

#  panic_action: Command to execute if the server dies unexpectedly.
#
#  FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
#  AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
#  AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
#
#  The panic action is a command which will be executed if the server
#  receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
#  SIGABRT or SIGFPE.
#
#  This can be used to start an interactive debugging session so
#  that information regarding the current state of the server can
#  be acquired.
#
#  The following string substitutions are available:
#  - %e   The currently executing program e.g. /sbin/radiusd
#  - %p   The PID of the currently executing program e.g. 12345
#
#  Standard ${} substitutions are also allowed.
#
#  An example panic action for opening an interactive session in GDB would be:
#
#panic_action = "gdb %e %p"
#
#  Again, don't use that on a production system.
#
#  An example panic action for opening an automated session in GDB would be:
#
#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p > ${logdir}/gdb-%e-%p.log 2>&1"
#
#  That command can be used on a production system.
#

#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.
#
#  WARNING: If you notice that requests take a long time to be handled,
#  then this MAY INDICATE a bug in the server, in one of the modules
#  used to handle a request, OR in your local configuration.
#
#  This problem is most often seen when using an SQL database.  If it takes
#  more than a second or two to receive an answer from the SQL database,
#  then it probably means that you haven't indexed the database.  See your
#  SQL server documentation for more information.
#
#  Useful range of values: 5 to 120
#
max_request_time = 30

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
#
#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS.  The reply packet may be
#  lost in the network, and the NAS will not see it.  The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.
#
#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as seperate requests.
#
#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked.  (See 'max_requests'.)
#
#  Useful range of values: 2 to 10
#
cleanup_delay = 5

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
#
#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'
#  time has passed, and it has removed the old requests.
#
#  If this number is set too high, then the server will use a bit more
#  memory for no real benefit.
#
#  If you aren't sure what it should be set to, it's better to set it
#  too high than too low.  Setting it to 1000 per client is probably
#  the highest it should be.
#
#  Useful range of values: 256 to infinity
#
max_requests = 10240

#  listen: Make the server listen on a particular IP address, and send
#  replies out from that address. This directive is most useful for
#  hosts with multiple IP addresses on one interface.
#
#  If you want the server to listen on additional addresses, or on
#  additionnal ports, you can use multiple "listen" sections.
#
#  Each section make the server listen for only one type of packet,
#  therefore authentication and accounting have to be configured in
#  different sections.
#
#  The server ignore all "listen" section if you are using '-i' and '-p'
#  on the command line.
#
listen {
	#  Type of packets to listen for.
	#  Allowed values are:
	#	auth	listen for authentication packets
	#	acct	listen for accounting packets
	#	proxy   IP to use for sending proxied packets
	#	detail  Read from the detail file.  For examples, see
	#               raddb/sites-available/copy-acct-to-home-server
	#	status  listen for Status-Server packets.  For examples,
	#		see raddb/sites-available/status
	#	coa     listen for CoA-Request and Disconnect-Request
	#		packets.  For examples, see the file
	#		raddb/sites-available/coa
	#
	type = auth

	#  Note: "type = proxy" lets you control the source IP used for
	#        proxying packets, with some limitations:
	#
	#    * A proxy listener CANNOT be used in a virtual server section.
	#    * You should probably set "port = 0".
	#    * Any "clients" configuration will be ignored.
	#
	#  See also proxy.conf, and the "src_ipaddr" configuration entry
	#  in the sample "home_server" section.  When you specify the
	#  source IP address for packets sent to a home server, the
	#  proxy listeners are automatically created.

	#  IP address on which to listen.
	#  Allowed values are:
	#	dotted quad (1.2.3.4)
	#       hostname    (radius.example.com)
	#       wildcard    (*)
	ipaddr = 10.137.93.19

	#  OR, you can use an IPv6 address, but not both
	#  at the same time.
#	ipv6addr = ::	# any.  ::1 == localhost

	#  Port on which to listen.
	#  Allowed values are:
	#	integer port number (1812)
	#	0 means "use /etc/services for the proper port"
	port = 0

	#  Some systems support binding to an interface, in addition
	#  to the IP address.  This feature isn't strictly necessary,
	#  but for sites with many IP addresses on one interface,
	#  it's useful to say "listen on all addresses for eth0".
	#
	#  If your system does not support this feature, you will
	#  get an error if you try to use it.
	#
#	interface = eth0

	#  Per-socket lists of clients.  This is a very useful feature.
	#
	#  The name here is a reference to a section elsewhere in
	#  radiusd.conf, or clients.conf.  Having the name as
	#  a reference allows multiple sockets to use the same
	#  set of clients.
	#
	#  If this configuration is used, then the global list of clients
	#  is IGNORED for this "listen" section.  Take care configuring
	#  this feature, to ensure you don't accidentally disable a
	#  client you need.
	#
	#  See clients.conf for the configuration of "per_socket_clients".
	#
#	clients = per_socket_clients
}

#  This second "listen" section is for listening on the accounting
#  port, too.
#
listen {
	ipaddr = 10.137.93.19
#	ipv6addr = ::
	port = 0
	type = acct
#	interface = eth0
#	clients = per_socket_clients
}

#  hostname_lookups: Log the names of clients or just their IP addresses
#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
#  The default is 'off' because it would be overall better for the net
#  if people had to knowingly turn this feature on, since enabling it
#  means that each client request will result in AT LEAST one lookup
#  request to the nameserver.   Enabling hostname_lookups will also
#  mean that your server may stop randomly for 30 seconds from time
#  to time, if the DNS requests take too long.
#
#  Turning hostname lookups off also means that the server won't block
#  for 30 seconds, if it sees an IP address which has no name associated
#  with it.
#
#  allowed values: {no, yes}
#
hostname_lookups = no

#  Core dumps are a bad thing.  This should only be set to 'yes'
#  if you're debugging a problem with the server.
#
#  allowed values: {no, yes}
#
allow_core_dumps = no

#  Regular expressions
#
#  These items are set at configure time.  If they're set to "yes",
#  then setting them to "no" turns off regular expression support.
#
#  If they're set to "no" at configure time, then setting them to "yes"
#  WILL NOT WORK.  It will give you an error.
#
regular_expressions	= yes
extended_expressions	= yes

#
#  Logging section.  The various "log_*" configuration items
#  will eventually be moved here.
#
log {
	#
	#  Destination for log messages.  This can be one of:
	#
	#	files - log to "file", as defined below.
	#	syslog - to syslog (see also the "syslog_facility", below.
	#	stdout - standard output
	#	stderr - standard error.
	#
	#  The command-line option "-X" over-rides this option, and forces
	#  logging to go to stdout.
	#
	destination = syslog

	#
	#  The logging messages for the server are appended to the
	#  tail of this file if destination == "files"
	#
	#  If the server is running in debugging mode, this file is
	#  NOT used.
	#
	file = ${logdir}/radius.log

	#
	#  If this configuration parameter is set, then log messages for
	#  a *request* go to this file, rather than to radius.log.
	#
	#  i.e. This is a log file per request, once the server has accepted
	#  the request as being from a valid client.  Messages that are
	#  not associated with a request still go to radius.log.
	#
	#  Not all log messages in the server core have been updated to use
	#  this new internal API.  As a result, some messages will still
	#  go to radius.log.  Please submit patches to fix this behavior.
	#
	#  The file name is expanded dynamically.  You should ONLY user
	#  server-side attributes for the filename (e.g. things you control).
	#  Using this feature MAY also slow down the server substantially,
	#  especially if you do thinks like SQL calls as part of the
	#  expansion of the filename.
	#
	#  The name of the log file should use attributes that don't change
	#  over the lifetime of a request, such as User-Name,
	#  Virtual-Server or Packet-Src-IP-Address.  Otherwise, the log
	#  messages will be distributed over multiple files.
	#
	#  Logging can be enabled for an individual request by a special
	#  dynamic expansion macro:  %{debug: 1}, where the debug level
	#  for this request is set to '1' (or 2, 3, etc.).  e.g.
	#
	#	...
	#	update control {
	#	       Tmp-String-0 = "%{debug:1}"
	#	}
	#	...
	#
	#  The attribute that the value is assigned to is unimportant,
	#  and should be a "throw-away" attribute with no side effects.
	#
	#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log

	#
	#  Which syslog facility to use, if ${destination} == "syslog"
	#
	#  The exact values permitted here are OS-dependent.  You probably
	#  don't want to change this.
	#
	syslog_facility = local6

	#  Log the full User-Name attribute, as it was found in the request.
	#
	# allowed values: {no, yes}
	#
	stripped_names = no

	#  Log authentication requests to the log file.
	#
	#  allowed values: {no, yes}
	#
	auth = yes

	#  Log passwords with the authentication requests.
	#  auth_badpass  - logs password if it's rejected
	#  auth_goodpass - logs password if it's correct
	#
	#  allowed values: {no, yes}
	#
	auth_badpass = no
	auth_goodpass = no

	#  Log additional text at the end of the "Login OK" messages.
	#  for these to work, the "auth" and "auth_goopass" or "auth_badpass"
	#  configurations above have to be set to "yes".
	#
	#  The strings below are dynamically expanded, which means that
	#  you can put anything you want in them.  However, note that
	#  this expansion can be slow, and can negatively impact server
	#  performance.
	#
#	msg_goodpass = ""
#	msg_badpass = ""
}

#  The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

# SECURITY CONFIGURATION
#
#  There may be multiple methods of attacking on the server.  This
#  section holds the configuration items which minimize the impact
#  of those attacks
#
security {
	#
	#  max_attributes: The maximum number of attributes
	#  permitted in a RADIUS packet.  Packets which have MORE
	#  than this number of attributes in them will be dropped.
	#
	#  If this number is set too low, then no RADIUS packets
	#  will be accepted.
	#
	#  If this number is set too high, then an attacker may be
	#  able to send a small number of packets which will cause
	#  the server to use all available memory on the machine.
	#
	#  Setting this number to 0 means "allow any number of attributes"
	max_attributes = 200

	#
	#  reject_delay: When sending an Access-Reject, it can be
	#  delayed for a few seconds.  This may help slow down a DoS
	#  attack.  It also helps to slow down people trying to brute-force
	#  crack a users password.
	#
	#  Setting this number to 0 means "send rejects immediately"
	#
	#  If this number is set higher than 'cleanup_delay', then the
	#  rejects will be sent at 'cleanup_delay' time, when the request
	#  is deleted from the internal cache of requests.
	#
	#  Useful ranges: 1 to 5
	reject_delay = 1

	#
	#  status_server: Whether or not the server will respond
	#  to Status-Server requests.
	#
	#  When sent a Status-Server message, the server responds with
	#  an Access-Accept or Accounting-Response packet.
	#
	#  This is mainly useful for administrators who want to "ping"
	#  the server, without adding test users, or creating fake
	#  accounting packets.
	#
	#  It's also useful when a NAS marks a RADIUS server "dead".
	#  The NAS can periodically "ping" the server with a Status-Server
	#  packet.  If the server responds, it must be alive, and the
	#  NAS can start using it for real requests.
	#
	#  See also raddb/sites-available/status
	#
	status_server = yes

	#
	#  allow_vulnerable_openssl: Allow the server to start with
	#  versions of OpenSSL known to have critical vulnerabilities.
	#
	#  This check is based on the version number reported by libssl
	#  and may not reflect patches applied to libssl by
	#  distribution maintainers.
	#
	allow_vulnerable_openssl = no
}

# PROXY CONFIGURATION
#
#  proxy_requests: Turns proxying of RADIUS requests on or off.
#
#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.
#
#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.
#
#  To disable proxying, change the "yes" to "no", and comment the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#
proxy_requests  = yes
$INCLUDE proxy.conf


# CLIENTS CONFIGURATION
#
#  Client configuration is defined in "clients.conf".
#

#  The 'clients.conf' file contains all of the information from the old
#  'clients' and 'naslist' configuration files.  We recommend that you
#  do NOT use 'client's or 'naslist', although they are still
#  supported.
#
#  Anything listed in 'clients.conf' will take precedence over the
#  information from the old-style configuration files.
#
$INCLUDE clients.conf


# THREAD POOL CONFIGURATION
#
#  The thread pool is a long-lived group of threads which
#  take turns (round-robin) handling any incoming requests.
#
#  You probably want to have a few spare threads around,
#  so that high-load situations can be handled immediately.  If you
#  don't have any spare threads, then the request handling will
#  be delayed while a new thread is created, and added to the pool.
#
#  You probably don't want too many spare threads around,
#  otherwise they'll be sitting there taking up resources, and
#  not doing anything productive.
#
#  The numbers given below should be adequate for most situations.
#
thread pool {
	#  Number of servers to start initially --- should be a reasonable
	#  ballpark figure.
	start_servers = 16

	#  Limit on the total number of servers running.
	#
	#  If this limit is ever reached, clients will be LOCKED OUT, so it
	#  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
	#  keep a runaway server from taking the system with it as it spirals
	#  down...
	#
	#  You may find that the server is regularly reaching the
	#  'max_servers' number of threads, and that increasing
	#  'max_servers' doesn't seem to make much difference.
	#
	#  If this is the case, then the problem is MOST LIKELY that
	#  your back-end databases are taking too long to respond, and
	#  are preventing the server from responding in a timely manner.
	#
	#  The solution is NOT do keep increasing the 'max_servers'
	#  value, but instead to fix the underlying cause of the
	#  problem: slow database, or 'hostname_lookups=yes'.
	#
	#  For more information, see 'max_request_time', above.
	#
	max_servers = 64

	#  Server-pool size regulation.  Rather than making you guess
	#  how many servers you need, FreeRADIUS dynamically adapts to
	#  the load it sees, that is, it tries to maintain enough
	#  servers to handle the current load, plus a few spare
	#  servers to handle transient load spikes.
	#
	#  It does this by periodically checking how many servers are
	#  waiting for a request.  If there are fewer than
	#  min_spare_servers, it creates a new spare.  If there are
	#  more than max_spare_servers, some of the spares die off.
	#  The default values are probably OK for most sites.
	#
	min_spare_servers = 3
	max_spare_servers = 10

	#  When the server receives a packet, it places it onto an
	#  internal queue, where the worker threads (configured above)
	#  pick it up for processing.  The maximum size of that queue
	#  is given here.
	#
	#  When the queue is full, any new packets will be silently
	#  discarded.
	#
	#  The most common cause of the queue being full is that the
	#  server is dependent on a slow database, and it has received
	#  a large "spike" of traffic.  When that happens, there is
	#  very little you can do other than make sure the server
	#  receives less traffic, or make sure that the database can
	#  handle the load.
	#
#	max_queue_size = 65536

	#  There may be memory leaks or resource allocation problems with
	#  the server.  If so, set this value to 300 or so, so that the
	#  resources will be cleaned up periodically.
	#
	#  This should only be necessary if there are serious bugs in the
	#  server which have not yet been fixed.
	#
	#  '0' is a special value meaning 'infinity', or 'the servers never
	#  exit'
	max_requests_per_server = 0
}

# MODULE CONFIGURATION
#
#  The names and configuration of each module is located in this section.
#
#  After the modules are defined here, they may be referred to by name,
#  in other sections of this configuration file.
#
modules {
	#
	#  Each module has a configuration as follows:
	#
	#	name [ instance ] {
	#		config_item = value
	#		...
	#	}
	#
	#  The 'name' is used to load the 'rlm_name' library
	#  which implements the functionality of the module.
	#
	#  The 'instance' is optional.  To have two different instances
	#  of a module, it first must be referred to by 'name'.
	#  The different copies of the module are then created by
	#  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
	#
	#  The instance names can then be used in later configuration
	#  INSTEAD of the original 'name'.  See the 'radutmp' configuration
	#  for an example.
	#

	#
	#  As of 2.0.5, most of the module configurations are in a
	#  sub-directory.  Files matching the regex /[a-zA-Z0-9_.]+/
	#  are loaded.  The modules are initialized ONLY if they are
	#  referenced in a processing section, such as authorize,
	#  authenticate, accounting, pre/post-proxy, etc.
	#
	$INCLUDE ${confdir}/modules/

	#  Extensible Authentication Protocol
	#
	#  For all EAP related authentications.
	#  Now in another file, because it is very large.
	#
	$INCLUDE eap.conf

	#  Include another file that has the SQL-related configuration.
	#  This is another file only because it tends to be big.
	#
#	$INCLUDE sql.conf

	#
	#  This module is an SQL enabled version of the counter module.
	#
	#  Rather than maintaining seperate (GDBM) databases of
	#  accounting info for each counter, this module uses the data
	#  stored in the raddacct table by the sql modules. This
	#  module NEVER does any database INSERTs or UPDATEs.  It is
	#  totally dependent on the SQL module to process Accounting
	#  packets.
	#
#	$INCLUDE sql/mysql/counter.conf

	#
	#  IP addresses managed in an SQL table.
	#
#	$INCLUDE sqlippool.conf
}

# Instantiation
#
#  This section orders the loading of the modules.  Modules
#  listed here will get loaded BEFORE the later sections like
#  authorize, authenticate, etc. get examined.
#
#  This section is not strictly needed.  When a section like
#  authorize refers to a module, it's automatically loaded and
#  initialized.  However, some modules may not be listed in any
#  of the following sections, so they can be listed here.
#
#  Also, listing modules here ensures that you have control over
#  the order in which they are initalized.  If one module needs
#  something defined by another module, you can list them in order
#  here, and ensure that the configuration will be OK.
#
instantiate {
	#
	#  Allows the execution of external scripts.
	#  The entire command line (and output) must fit into 253 bytes.
	#
	#  e.g. Framed-Pool = `%{exec:/bin/echo foo}`
	exec

	#
	#  The expression module doesn't do authorization,
	#  authentication, or accounting.  It only does dynamic
	#  translation, of the form:
	#
	#	Session-Timeout = `%{expr:2 + 3}`
	#
	#  This module needs to be instantiated, but CANNOT be
	#  listed in any other section.  See 'doc/rlm_expr' for
	#  more information.
	#
	#  rlm_expr is also responsible for registering many
	#  other xlat functions such as md5, sha1 and lc.
	#
	#  We do not recommend removing it's listing here.
	expr

	#
	# We add the counter module here so that it registers
	# the check-name attribute before any module which sets
	# it
#	daily
	expiration
	logintime

	# subsections here can be thought of as "virtual" modules.
	#
	# e.g. If you have two redundant SQL servers, and you want to
	# use them in the authorize and accounting sections, you could
	# place a "redundant" block in each section, containing the
	# exact same text.  Or, you could uncomment the following
	# lines, and list "redundant_sql" in the authorize and
	# accounting sections.
	#
	#redundant redundant_sql {
	#	sql1
	#	sql2
	#}
}

######################################################################
#
#	Policies that can be applied in multiple places are listed
#	globally.  That way, they can be defined once, and referred
#	to multiple times.
#
######################################################################
$INCLUDE policy.conf

######################################################################
#
#	Load virtual servers.
#
#	This next $INCLUDE line loads files in the directory that
#	match the regular expression: /[a-zA-Z0-9_.]+/
#
#	It allows you to define new virtual servers simply by placing
#	a file into the raddb/sites-enabled/ directory.
#
$INCLUDE sites-enabled/

######################################################################
#
#	All of the other configuration sections like "authorize {}",
#	"authenticate {}", "accounting {}", have been moved to the
#	the file:
#
#		raddb/sites-available/default
#
#	This is the "default" virtual server that has the same
#	configuration as in version 1.0.x and 1.1.x.  The default
#	installation enables this virtual server.  You should
#	edit it to create policies for your local site.
#
#	For more documentation on virtual servers, see:
#
#		raddb/sites-available/README
#
######################################################################
-------------- next part --------------
######################################################################
#
#	As of 2.0.0, FreeRADIUS supports virtual hosts using the
#	"server" section, and configuration directives.
#
#	Virtual hosts should be put into the "sites-available"
#	directory.  Soft links should be created in the "sites-enabled"
#	directory to these files.  This is done in a normal installation.
#
#	If you are using 802.1X (EAP) authentication, please see also
#	the "inner-tunnel" virtual server.  You wll likely have to edit
#	that, too, for authentication to work.
#
#	$Id: 099f7f05a679af0d5577e39671ee8ad1e5abf407 $
#
######################################################################
#
#	Read "man radiusd" before editing this file.  See the section
#	titled DEBUGGING.  It outlines a method where you can quickly
#	obtain the configuration you want, without running into
#	trouble.  See also "man unlang", which documents the format
#	of this file.
#
#	This configuration is designed to work in the widest possible
#	set of circumstances, with the widest possible number of
#	authentication methods.  This means that in general, you should
#	need to make very few changes to this file.
#
#	The best way to configure the server for your local system
#	is to CAREFULLY edit this file.  Most attempts to make large
#	edits to this file will BREAK THE SERVER.  Any edits should
#	be small, and tested by running the server with "radiusd -X".
#	Once the edits have been verified to work, save a copy of these
#	configuration files somewhere.  (e.g. as a "tar" file).  Then,
#	make more edits, and test, as above.
#
#	There are many "commented out" references to modules such
#	as ldap, sql, etc.  These references serve as place-holders.
#	If you need the functionality of that module, then configure
#	it in radiusd.conf, and un-comment the references to it in
#	this file.  In most cases, those small changes will result
#	in the server being able to connect to the DB, and to
#	authenticate users.
#
######################################################################

#
#	In 1.x, the "authorize", etc. sections were global in
#	radiusd.conf.  As of 2.0, they SHOULD be in a server section.
#
#	The server section with no virtual server name is the "default"
#	section.  It is used when no server name is specified.
#
#	We don't indent the rest of this file, because doing so
#	would make it harder to read.
#

#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  Any changes made here should also be made to the "inner-tunnel"
#  virtual server.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you 
#  need to setup hints for the remote radius server
authorize {
	#
	#  Security settings.  Take a User-Name, and do some simple
	#  checks on it, for spaces and other invalid characters.  If
	#  it looks like the user is trying to play games, reject it.
	#
	#  This should probably be enabled by default.
	#
	#  See policy.conf for the definition of the filter_username policy.
	#
#	filter_username

	#
	#  The preprocess module takes care of sanitizing some bizarre
	#  attributes in the request, and turning them into attributes
	#  which are more standard.
	#
	#  It takes care of processing the 'raddb/hints' and the
	#  'raddb/huntgroups' files.
	preprocess

	#
	#  If you want to have a log of authentication requests,
	#  un-comment the following line, and the 'detail auth_log'
	#  section, above.
	## 09/16/2013 sandmant: EduRoam requires logging the inner ID.
	## 09/26/2013 sandmant: hopefully not!  Too much logging!
#	auth_log

	#
	#  The chap module will set 'Auth-Type := CHAP' if we are
	#  handling a CHAP request and Auth-Type has not already been set
	chap

	#
	#  If the users are logging in with an MS-CHAP-Challenge
	#  attribute for authentication, the mschap module will find
	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
	#  to the request, which will cause the server to then use
	#  the mschap module for authentication.
	mschap

	#
	#  If you have a Cisco SIP server authenticating against
	#  FreeRADIUS, uncomment the following line, and the 'digest'
	#  line in the 'authenticate' section.
	digest

	#
	#  The WiMAX specification says that the Calling-Station-Id
	#  is 6 octets of the MAC.  This definition conflicts with
	#  RFC 3580, and all common RADIUS practices.  Un-commenting
	#  the "wimax" module here means that it will fix the
	#  Calling-Station-Id attribute to the normal format as
	#  specified in RFC 3580 Section 3.21
#	wimax

	#
	#  Look for IPASS style 'realm/', and if not found, look for
	#  '@realm', and decide whether or not to proxy, based on
	#  that.
#	IPASS

	#
	#  If you are using multiple kinds of realms, you probably
	#  want to set "ignore_null = yes" for all of them.
	#  Otherwise, when the first style of realm doesn't match,
	#  the other styles won't be checked.
	#
	suffix

	## Bogus account login attempts are annoying when trying to debug
	## the EduRoam proxy; reject them instead of proxying them over.

	if (Realm =~ /wlan.*gppnetwork\.org/) {
		reject
	}

	if (Realm == "WiFi.sktelecom.com") {
		reject
	}

#	ntdomain

	#
	#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
	#  authentication.
	#
	#  It also sets the EAP-Type attribute in the request
	#  attribute list to the EAP type from the packet.
	#
	#  As of 2.0, the EAP module returns "ok" in the authorize stage
	#  for TTLS and PEAP.  In 1.x, it never returned "ok" here, so
	#  this change is compatible with older configurations.
	#
	#  The example below uses module failover to avoid querying all
	#  of the following modules if the EAP module returns "ok".
	#  Therefore, your LDAP and/or SQL servers will not be queried
	#  for the many packets that go back and forth to set up TTLS
	#  or PEAP.  The load on those servers will therefore be reduced.
	#
	eap {
		ok = return
	}

	#
	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
	#  using the system API's to get the password.  If you want
	#  to read /etc/passwd or /etc/shadow directly, see the
	#  passwd module in radiusd.conf.
	#
	unix

	#
	#  Read the 'users' file
	files

	## For Kerberos, we must strip off @rice.edu if present.
	if (control:Auth-Type == Kerberos) {
		update request {
			User-Name := "%{%{Stripped-User-Name}:-%{User-Name}}"
		}
	}

	#
	#  Look in an SQL database.  The schema of the database
	#  is meant to mirror the "users" file.
	#
	#  See "Authorization Queries" in sql.conf
#	sql

	#
	#  If you are using /etc/smbpasswd, and are also doing
	#  mschap authentication, the un-comment this line, and
	#  configure the 'smbpasswd' module.
#	smbpasswd

	#
	#  The ldap module will set Auth-Type to LDAP if it has not
	#  already been set
#	ldap

	#
	#  Enforce daily limits on time spent logged in.
#	daily

	#
	# Use the checkval module
#	checkval

	expiration
	logintime

	#
	#  If no other module has claimed responsibility for
	#  authentication, then try to use PAP.  This allows the
	#  other modules listed above to add a "known good" password
	#  to the request, and to do nothing else.  The PAP module
	#  will then see that password, and use it to do PAP
	#  authentication.
	#
	#  This module should be listed last, so that the other modules
	#  get a chance to set Auth-Type for themselves.
	#
	pap

	#
	#  If "status_server = yes", then Status-Server messages are passed
	#  through the following section, and ONLY the following section.
	#  This permits you to do DB queries, for example.  If the modules
	#  listed here return "fail", then NO response is sent.
	#
#	Autz-Type Status-Server {
#
#	}
}


#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the apropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  is to either forcibly reject the user (Auth-Type := Reject),
#  or to or forcibly accept the user (Auth-Type := Accept).
#
#  Note that Auth-Type := Accept will NOT work with EAP.
#
#  Please do not put "unlang" configurations into the "authenticate"
#  section.  Put them in the "post-auth" section instead.  That's what
#  the post-auth section is for.
#
authenticate {

	Auth-Type Kerberos {
		krb5
	}

	Auth-Type MOTP {
		otpverify
	}

	Auth-Type NTLM {
		ntlm_auth
	}

	#
	#  PAP authentication, when a back-end database listed
	#  in the 'authorize' section supplies a password.  The
	#  password can be clear-text, or encrypted.
	Auth-Type PAP {
		pap
	}

	#
	#  Most people want CHAP authentication
	#  A back-end database listed in the 'authorize' section
	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
	#  won't work.
	Auth-Type CHAP {
		chap
	}

	#
	#  MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}

	#
	#  If you have a Cisco SIP server authenticating against
	#  FreeRADIUS, uncomment the following line, and the 'digest'
	#  line in the 'authorize' section.
	digest

	#
	#  Pluggable Authentication Modules.
#	pam

	#
	#  See 'man getpwent' for information on how the 'unix'
	#  module checks the users password.  Note that packets
	#  containing CHAP-Password attributes CANNOT be authenticated
	#  against /etc/passwd!  See the FAQ for details.
	#
	#  For normal "crypt" authentication, the "pap" module should
	#  be used instead of the "unix" module.  The "unix" module should
	#  be used for authentication ONLY for compatibility with legacy
	#  FreeRADIUS configurations.
	#
	unix

	# Uncomment it if you want to use ldap for authentication
	#
	# Note that this means "check plain-text password against
	# the ldap database", which means that EAP won't work,
	# as it does not supply a plain-text password.
#	Auth-Type LDAP {
#		ldap
#	}

	#
	#  Allow EAP authentication.
	eap

	#
	#  The older configurations sent a number of attributes in
	#  Access-Challenge packets, which wasn't strictly correct.
	#  If you want to filter out these attributes, uncomment
	#  the following lines.
	#
#	Auth-Type eap {
#		eap {
#			handled = 1  
#		}
#		if (handled && (Response-Packet-Type == Access-Challenge)) {
#			attr_filter.access_challenge.post-auth
#			handled  # override the "updated" code from attr_filter
#		}
#	}
}


#
#  Pre-accounting.  Decide which accounting type to use.
#
preacct {
	preprocess

	#
	#  Session start times are *implied* in RADIUS.
	#  The NAS never sends a "start time".  Instead, it sends
	#  a start packet, *possibly* with an Acct-Delay-Time.
	#  The server is supposed to conclude that the start time
	#  was "Acct-Delay-Time" seconds in the past.
	#
	#  The code below creates an explicit start time, which can
	#  then be used in other modules.
	#
	#  The start time is: NOW - delay - session_length
	#

#	  update request {
#	  	FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
#	}


	#
	#  Ensure that we have a semi-unique identifier for every
	#  request, and many NAS boxes are broken.
	acct_unique

	#
	#  Look for IPASS-style 'realm/', and if not found, look for
	#  '@realm', and decide whether or not to proxy, based on
	#  that.
	#
	#  Accounting requests are generally proxied to the same
	#  home server as authentication requests.
#	IPASS
	suffix
#	ntdomain

	#
	#  Read the 'acct_users' file
	files
}

#
#  Accounting.  Log the accounting data.
#
accounting {
	#
	#  Create a 'detail'ed log of the packets.
	#  Note that accounting requests which are proxied
	#  are also logged in the detail file.
	detail
#	daily

	#  Update the wtmp file
	#
	#  If you don't use "radlast", you can delete this line.
	unix

	#
	#  For Simultaneous-Use tracking.
	#
	#  Due to packet losses in the network, the data here
	#  may be incorrect.  There is little we can do about it.
	radutmp
#	sradutmp

	#  Return an address to the IP Pool when we see a stop record.
#	main_pool

	#
	#  Log traffic to an SQL database.
	#
	#  See "Accounting queries" in sql.conf
#	sql

	#
	#  If you receive stop packets with zero session length,
	#  they will NOT be logged in the database.  The SQL module
	#  will print a message (only in debugging mode), and will
	#  return "noop".
	#
	#  You can ignore these packets by uncommenting the following
	#  three lines.  Otherwise, the server will not respond to the
	#  accounting request, and the NAS will retransmit.
	#
#	if (noop) {
#		ok
#	}

	#
	#  Instead of sending the query to the SQL server,
	#  write it into a log file.
	#
#	sql_log

	#  Cisco VoIP specific bulk accounting
#	pgsql-voip

	# For Exec-Program and Exec-Program-Wait
	exec

	#  Filter attributes from the accounting response.
	attr_filter.accounting_response

	#
	#  See "Autz-Type Status-Server" for how this works.
	#
#	Acct-Type Status-Server {
#
#	}
}


#  Session database, used for checking Simultaneous-Use. Either the radutmp 
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
	radutmp

	#
	#  See "Simultaneous Use Checking Queries" in sql.conf
#	sql
}


#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {
	#  Get an address from the IP Pool.
#	main_pool

	#
	#  If you want to have a log of authentication replies,
	#  un-comment the following line, and the 'detail reply_log'
	#  section, above.
	reply_log

	#
	#  After authenticating the user, do another SQL query.
	#
	#  See "Authentication Logging Queries" in sql.conf
#	sql

	#
	#  Instead of sending the query to the SQL server,
	#  write it into a log file.
	#
#	sql_log

	#
	#  Un-comment the following if you have set
	#  'edir_account_policy_check = yes' in the ldap module sub-section of
	#  the 'modules' section.
	#
#	ldap

	# For Exec-Program and Exec-Program-Wait
	exec

	#
	#  Calculate the various WiMAX keys.  In order for this to work,
	#  you will need to define the WiMAX NAI, usually via
	#
	#	update request {
	#	       WiMAX-MN-NAI = "%{User-Name}"
	#	}
	#
	#  If you want various keys to be calculated, you will need to
	#  update the reply with "template" values.  The module will see
	#  this, and replace the template values with the correct ones
	#  taken from the cryptographic calculations.  e.g.
	#
	# 	update reply {
	#		WiMAX-FA-RK-Key = 0x00
	#		WiMAX-MSK = "%{EAP-MSK}"
	#	}
	#
	#  You may want to delete the MS-MPPE-*-Keys from the reply,
	#  as some WiMAX clients behave badly when those attributes
	#  are included.  See "raddb/modules/wimax", configuration
	#  entry "delete_mppe_keys" for more information.
	#
#	wimax

	#  If there is a client certificate (EAP-TLS, sometimes PEAP
	#  and TTLS), then some attributes are filled out after the
	#  certificate verification has been performed.  These fields
	#  MAY be available during the authentication, or they may be
	#  available only in the "post-auth" section.
	#
	#  The first set of attributes contains information about the
	#  issuing certificate which is being used.  The second
	#  contains information about the client certificate (if
	#  available).
#
#	update reply {
#	       Reply-Message += "%{TLS-Cert-Serial}"
#	       Reply-Message += "%{TLS-Cert-Expiration}"
#	       Reply-Message += "%{TLS-Cert-Subject}"
#	       Reply-Message += "%{TLS-Cert-Issuer}"
#	       Reply-Message += "%{TLS-Cert-Common-Name}"
#	       Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
#
#	       Reply-Message += "%{TLS-Client-Cert-Serial}"
#	       Reply-Message += "%{TLS-Client-Cert-Expiration}"
#	       Reply-Message += "%{TLS-Client-Cert-Subject}"
#	       Reply-Message += "%{TLS-Client-Cert-Issuer}"
#	       Reply-Message += "%{TLS-Client-Cert-Common-Name}"
#	       Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
#	}

	#  MacSEC requires the use of EAP-Key-Name.  However, we don't
	#  want to send it for all EAP sessions.  Therefore, the EAP
	#  modules put required data into the EAP-Session-Id attribute.
	#  This attribute is never put into a request or reply packet.
	#
	#  Uncomment the next few lines to copy the required data into
	#  the EAP-Key-Name attribute
#	if (reply:EAP-Session-Id) {
#		update reply {
#			EAP-Key-Name := "%{reply:EAP-Session-Id}"
#		}
#	}

	#  If the WiMAX module did it's work, you may want to do more
	#  things here, like delete the MS-MPPE-*-Key attributes.
	#
	#	if (updated) {
	#		update reply {
	#			MS-MPPE-Recv-Key !* 0x00
	#			MS-MPPE-Send-Key !* 0x00
	#		}
	#	}

	#
	#  Access-Reject packets are sent through the REJECT sub-section of the
	#  post-auth section.
	#
	#  Add the ldap module name (or instance) if you have set 
	#  'edir_account_policy_check = yes' in the ldap module configuration
	#
	Post-Auth-Type REJECT {
		# log failed authentications in SQL, too.
#		sql

		# Insert EAP-Failure message if the request was
		# rejected by policy instead of because of an
		# authentication failure
		eap

		attr_filter.access_reject
	}

	if (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/) {
		update reply {
			Tunnel-Private-Group-Id = "%{1}"
			Connect-Info = "%{2}"
		}
	}

}

#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
pre-proxy {
#	attr_rewrite

	#  Uncomment the following line if you want to change attributes
	#  as defined in the preproxy_users file.
#	files

	#  Uncomment the following line if you want to filter requests
	#  sent to remote servers based on the rules defined in the
	#  'attrs.pre-proxy' file.
#	attr_filter.pre-proxy

	#  If you want to have a log of packets proxied to a home
	#  server, un-comment the following line, and the
	#  'detail pre_proxy_log' section, above.
#	pre_proxy_log
}

#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
post-proxy {

	#  If you want to have a log of replies from a home server,
	#  un-comment the following line, and the 'detail post_proxy_log'
	#  section, above.
#	post_proxy_log

#	attr_rewrite

	#  Uncomment the following line if you want to filter replies from
	#  remote proxies based on the rules defined in the 'attrs' file.
#	attr_filter.post-proxy

	#
	#  If you are proxying LEAP, you MUST configure the EAP
	#  module, and you MUST list it here, in the post-proxy
	#  stage.
	#
	#  You MUST also use the 'nostrip' option in the 'realm'
	#  configuration.  Otherwise, the User-Name attribute
	#  in the proxied request will not match the user name
	#  hidden inside of the EAP packet, and the end server will
	#  reject the EAP request.
	#
	eap

	#
	#  If the server tries to proxy a request and fails, then the
	#  request is processed through the modules in this section.
	#
	#  The main use of this section is to permit robust proxying
	#  of accounting packets.  The server can be configured to
	#  proxy accounting packets as part of normal processing.
	#  Then, if the home server goes down, accounting packets can
	#  be logged to a local "detail" file, for processing with
	#  radrelay.  When the home server comes back up, radrelay
	#  will read the detail file, and send the packets to the
	#  home server.
	#
	#  With this configuration, the server always responds to
	#  Accounting-Requests from the NAS, but only writes
	#  accounting packets to disk if the home server is down.
	#
#	Post-Proxy-Type Fail {
#			detail
#	}
}

-------------- next part --------------
# -*- text -*-
######################################################################
#
#	This is a virtual server that handles *only* inner tunnel
#	requests for EAP-TTLS and PEAP types.
#
#	$Id: bb0b93bc9cc9ade4e78725ea113d6f228937fef7 $
#
######################################################################

server inner-tunnel {

#
#  This next section is here to allow testing of the "inner-tunnel"
#  authentication methods, independently from the "default" server.
#  It is listening on "localhost", so that it can only be used from
#  the same machine.
#
#	$ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
#
#  If it works, you have configured the inner tunnel correctly.  To check
#  if PEAP will work, use:
#
#	$ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
#
#  If that works, PEAP should work.  If that command doesn't work, then
#
#	FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS.
#
#  Do NOT do any PEAP tests.  It won't help.  Instead, concentrate
#  on fixing the inner tunnel configuration.  DO NOTHING ELSE.
#
listen {
       ipaddr = 127.0.0.1
       port = 18120
       type = auth
}


#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you 
#  need to setup hints for the remote radius server
authorize {

	preprocess

	#
	#  The chap module will set 'Auth-Type := CHAP' if we are
	#  handling a CHAP request and Auth-Type has not already been set
	chap

	#
	#  If the users are logging in with an MS-CHAP-Challenge
	#  attribute for authentication, the mschap module will find
	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
	#  to the request, which will cause the server to then use
	#  the mschap module for authentication.
	mschap

	#
	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
	#  using the system API's to get the password.  If you want
	#  to read /etc/passwd or /etc/shadow directly, see the
	#  passwd module, above.
	#
	unix

	#
	#  Look for IPASS style 'realm/', and if not found, look for
	#  '@realm', and decide whether or not to proxy, based on
	#  that.
#	IPASS

	#
	#  If you are using multiple kinds of realms, you probably
	#  want to set "ignore_null = yes" for all of them.
	#  Otherwise, when the first style of realm doesn't match,
	#  the other styles won't be checked.
	#
	#  Note that proxying the inner tunnel authentication means
	#  that the user MAY use one identity in the outer session
	#  (e.g. "anonymous", and a different one here
	#  (e.g. "user at example.com").  The inner session will then be
	#  proxied elsewhere for authentication.  If you are not
	#  careful, this means that the user can cause you to forward
	#  the authentication to another RADIUS server, and have the
	#  accounting logs *not* sent to the other server.  This makes
	#  it difficult to bill people for their network activity.
	#
	suffix
#	ntdomain

	#
	#  The "suffix" module takes care of stripping the domain
	#  (e.g. "@example.com") from the User-Name attribute, and the
	#  next few lines ensure that the request is not proxied.
	#
	#  If you want the inner tunnel request to be proxied, delete
	#  the next few lines.
	#
	update control {
	       Proxy-To-Realm := LOCAL
	}

	#
	#  This module takes care of EAP-MSCHAPv2 authentication.
	#
	#  It also sets the EAP-Type attribute in the request
	#  attribute list to the EAP type from the packet.
	#
	#  The example below uses module failover to avoid querying all
	#  of the following modules if the EAP module returns "ok".
	#  Therefore, your LDAP and/or SQL servers will not be queried
	#  for the many packets that go back and forth to set up TTLS
	#  or PEAP.  The load on those servers will therefore be reduced.
	#
	eap {
		ok = return
	}

	#
	#  Read the 'users' file
	files

	## For Kerberos, we must strip off @rice.edu if present.
	if (control:Auth-Type == Kerberos) {
		update request {
			User-Name := "%{%{Stripped-User-Name}:-%{User-Name}}"
		}
	}

	#
	#  Look in an SQL database.  The schema of the database
	#  is meant to mirror the "users" file.
	#
	#  See "Authorization Queries" in sql.conf
#	sql

	#
	#  If you are using /etc/smbpasswd, and are also doing
	#  mschap authentication, the un-comment this line, and
	#  configure the 'etc_smbpasswd' module, above.
#	etc_smbpasswd

	#
	#  The ldap module will set Auth-Type to LDAP if it has not
	#  already been set
#	ldap

	redundant-load-balance redundant_ldap {
		ldap1
		ldap2
		ldap3
		#ldap4
		#directory
	}


	## Tweak the Class and Connect-Info attributes a bit:

	if (reply:Connect-Info =~ /[a-z]* student/) {
		update reply {
			Connect-Info := "student"
		}
	}
	elsif (reply:Connect-Info  == "faculty") {
		update reply {
			Connect-Info := "staff"
		}
	}
	elsif (reply:Connect-Info  =~ /emeritus/) {
		update reply {
			Connect-Info := "staff"
		}
	}
	elsif (reply:Connect-Info  =~ /guest_/) {
		update reply {
			Connect-Info := "guest"
		}
	}

	if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff")) {
		update reply {
			Connect-Info := "student"
		}
		if (control:Auth-Type == Kerberos) {
			update request {
				User-Name := "%{%{Stripped-User-Name}:-%{User-Name}}"
			}
		}
	}

	perl

	update  reply {
		Tunnel-Private-Group-Id := "%{reply:Tunnel-Private-Group-Id}"
	}

	#
	#  Enforce daily limits on time spent logged in.
#	daily

	#
	# Use the checkval module
#	checkval

	expiration
	logintime

	#
	#  If no other module has claimed responsibility for
	#  authentication, then try to use PAP.  This allows the
	#  other modules listed above to add a "known good" password
	#  to the request, and to do nothing else.  The PAP module
	#  will then see that password, and use it to do PAP
	#  authentication.
	#
	#  This module should be listed last, so that the other modules
	#  get a chance to set Auth-Type for themselves.
	#
	pap
}


#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the apropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
	#
	#  PAP authentication, when a back-end database listed
	#  in the 'authorize' section supplies a password.  The
	#  password can be clear-text, or encrypted.
	Auth-Type PAP {
		pap
	}

	#
	#  Most people want CHAP authentication
	#  A back-end database listed in the 'authorize' section
	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
	#  won't work.
	Auth-Type CHAP {
		chap
	}

	#
	#  MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}

	#
	#  Pluggable Authentication Modules.
#	pam

	#
	#  See 'man getpwent' for information on how the 'unix'
	#  module checks the users password.  Note that packets
	#  containing CHAP-Password attributes CANNOT be authenticated
	#  against /etc/passwd!  See the FAQ for details.
	#  
	unix

	# Uncomment it if you want to use ldap for authentication
	#
	# Note that this means "check plain-text password against
	# the ldap database", which means that EAP won't work,
	# as it does not supply a plain-text password.
#	Auth-Type LDAP {
#		ldap
#	}

	Auth-Type Kerberos {
		krb5
	}

	Auth-Type MOTP {
		otpverify
	}

	Auth-Type NTLM {
		ntlm_auth
	}

	#
	#  Allow EAP authentication.
	eap
}

######################################################################
#
#	There are no accounting requests inside of EAP-TTLS or PEAP
#	tunnels.
#
######################################################################


#  Session database, used for checking Simultaneous-Use. Either the radutmp 
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
	radutmp

	#
	#  See "Simultaneous Use Checking Queries" in sql.conf
#	sql
}


#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {
	# Note that we do NOT assign IP addresses here.
	# If you try to assign IP addresses for EAP authentication types,
	# it WILL NOT WORK.  You MUST use DHCP.

	#
	#  If you want to have a log of authentication replies,
	#  un-comment the following line, and the 'detail reply_log'
	#  section, above.
	reply_log

	#
	#  After authenticating the user, do another SQL query.
	#
	#  See "Authentication Logging Queries" in sql.conf
#	sql

	#
	#  Instead of sending the query to the SQL server,
	#  write it into a log file.
	#
#	sql_log

	#
	#  Un-comment the following if you have set
	#  'edir_account_policy_check = yes' in the ldap module sub-section of
	#  the 'modules' section.
	#
#	ldap

	#
	#  Access-Reject packets are sent through the REJECT sub-section of the
	#  post-auth section.
	#
	#  Add the ldap module name (or instance) if you have set 
	#  'edir_account_policy_check = yes' in the ldap module configuration
	#
	Post-Auth-Type REJECT {
		# log failed authentications in SQL, too.
#		sql
		attr_filter.access_reject
	}

	#
	#  The example policy below updates the outer tunnel reply
	#  (usually Access-Accept) with the User-Name from the inner
	#  tunnel User-Name.  Since this section is processed in the
	#  context of the inner tunnel, "request" here means "inner
	#  tunnel request", and "outer.reply" means "outer tunnel
	#  reply attributes".
	#
	#  This example is most useful when the outer session contains
	#  a User-Name of "anonymous at ....", or a MAC address.  If it
	#  is enabled, the NAS SHOULD use the inner tunnel User-Name
	#  in subsequent accounting packets.  This makes it easier to
	#  track user sessions, as they will all be based on the real
	#  name, and not on "anonymous".
	#
	#  The problem with doing this is that it ALSO exposes the
	#  real user name to any intermediate proxies.  People use
	#  "anonymous" identifiers outside of the tunnel for a very
	#  good reason: it gives them more privacy.  Setting the reply
	#  to contain the real user name removes ALL privacy from
	#  their session.
	#
	#  If you want privacy to remain, see the
	#  Chargeable-User-Identity attribute from RFC 4372.  In order
	#  to use that attribute, you will have to allocate a
	#  per-session identifier for the user, and store it in a
	#  long-term database (e.g. SQL).  You should also use that
	#  attribute INSTEAD of the configuration below.
	#
	update outer.reply {
		User-Name = "%{request:User-Name}"
	}

	if (! reply:Cached-Session-Policy) {
		## If I update the outer.reply instead of reply here, ttls_pap works, but PEAP
		## does not: in outer tunnel get: Attribute reply:Cached-Session-Policy was not found
		update reply {
			Cached-Session-Policy := "TPG=%{reply:Tunnel-Private-Group-Id},CI=%{reply:Connect-Info}"
		}
	}
}

#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
pre-proxy {
#	attr_rewrite

	#  Uncomment the following line if you want to change attributes
	#  as defined in the preproxy_users file.
#	files

	#  Uncomment the following line if you want to filter requests
	#  sent to remote servers based on the rules defined in the
	#  'attrs.pre-proxy' file.
#	attr_filter.pre-proxy

	#  If you want to have a log of packets proxied to a home
	#  server, un-comment the following line, and the
	#  'detail pre_proxy_log' section, above.
#	pre_proxy_log
}

#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
post-proxy {

	#  If you want to have a log of replies from a home server,
	#  un-comment the following line, and the 'detail post_proxy_log'
	#  section, above.
#	post_proxy_log

#	attr_rewrite

	#  Uncomment the following line if you want to filter replies from
	#  remote proxies based on the rules defined in the 'attrs' file.
#	attr_filter.post-proxy

	#
	#  If you are proxying LEAP, you MUST configure the EAP
	#  module, and you MUST list it here, in the post-proxy
	#  stage.
	#
	#  You MUST also use the 'nostrip' option in the 'realm'
	#  configuration.  Otherwise, the User-Name attribute
	#  in the proxied request will not match the user name
	#  hidden inside of the EAP packet, and the end server will
	#  reject the EAP request.
	#
	eap

	#
	#  If the server tries to proxy a request and fails, then the
	#  request is processed through the modules in this section.
	#
	#  The main use of this section is to permit robust proxying
	#  of accounting packets.  The server can be configured to
	#  proxy accounting packets as part of normal processing.
	#  Then, if the home server goes down, accounting packets can
	#  be logged to a local "detail" file, for processing with
	#  radrelay.  When the home server comes back up, radrelay
	#  will read the detail file, and send the packets to the
	#  home server.
	#
	#  With this configuration, the server always responds to
	#  Accounting-Requests from the NAS, but only writes
	#  accounting packets to disk if the home server is down.
	#
#	Post-Proxy-Type Fail {
#			detail
#	}

}

} # inner-tunnel server block
-------------- next part --------------
# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
##	$Id: ac93fd22252126325c474cb59ac013a57644d12e $

#######################################################################
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#  EAP types NOT listed here may be supported via the "eap2" module.
#  See experimental.conf for documentation.
#
	eap {
		#  Invoke the default supported EAP type when
		#  EAP-Identity response is received.
		#
		#  The incoming EAP messages DO NOT specify which EAP
		#  type they will be using, so it MUST be set here.
		#
		#  For now, only one default EAP type may be used at a time.
		#
		#  If the EAP-Type attribute is set by another module,
		#  then that EAP type takes precedence over the
		#  default type configured here.
		#
		default_eap_type = tls

		#  A list is maintained to correlate EAP-Response
		#  packets with EAP-Request packets.  After a
		#  configurable length of time, entries in the list
		#  expire, and are deleted.
		#
		timer_expire     = 120

		#  There are many EAP types, but the server has support
		#  for only a limited subset.  If the server receives
		#  a request for an EAP type it does not support, then
		#  it normally rejects the request.  By setting this
		#  configuration to "yes", you can tell the server to
		#  instead keep processing the request.  Another module
		#  MUST then be configured to proxy the request to
		#  another RADIUS server which supports that EAP type.
		#
		#  If another module is NOT configured to handle the
		#  request, then the request will still end up being
		#  rejected.
		ignore_unknown_eap_types = no

		# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
		# a User-Name attribute in an Access-Accept, it copies one
		# more byte than it should.
		#
		# We can work around it by configurably adding an extra
		# zero byte.
		cisco_accounting_username_bug = no

		#
		#  Help prevent DoS attacks by limiting the number of
		#  sessions that the server is tracking.  For simplicity,
		#  this is taken from the "max_requests" directive in
		#  radiusd.conf.
		max_sessions = ${max_requests}

		# Supported EAP-types

		#
		#  We do NOT recommend using EAP-MD5 authentication
		#  for wireless connections.  It is insecure, and does
		#  not provide for dynamic WEP keys.
		#
		md5 {
		}

		# Cisco LEAP
		#
		#  We do not recommend using LEAP in new deployments.  See:
		#  http://www.securiteam.com/tools/5TP012ACKE.html
		#
		#  Cisco LEAP uses the MS-CHAP algorithm (but not
		#  the MS-CHAP attributes) to perform it's authentication.
		#
		#  As a result, LEAP *requires* access to the plain-text
		#  User-Password, or the NT-Password attributes.
		#  'System' authentication is impossible with LEAP.
		#
		leap {
		}

		#  Generic Token Card.
		#
		#  Currently, this is only permitted inside of EAP-TTLS,
		#  or EAP-PEAP.  The module "challenges" the user with
		#  text, and the response from the user is taken to be
		#  the User-Password.
		#
		#  Proxying the tunneled EAP-GTC session is a bad idea,
		#  the users password will go over the wire in plain-text,
		#  for anyone to see.
		#
		gtc {
			#  The default challenge, which many clients
			#  ignore..
			#challenge = "Password: "

			#  The plain-text response which comes back
			#  is put into a User-Password attribute,
			#  and passed to another module for
			#  authentication.  This allows the EAP-GTC
			#  response to be checked against plain-text,
			#  or crypt'd passwords.
			#
			#  If you say "Local" instead of "PAP", then
			#  the module will look for a User-Password
			#  configured for the request, and do the
			#  authentication itself.
			#
			auth_type = PAP
		}

		## EAP-TLS
		#
		#  See raddb/certs/README for additional comments
		#  on certificates.
		#
		#  If OpenSSL was not found at the time the server was
		#  built, the "tls", "ttls", and "peap" sections will
		#  be ignored.
		#
		#  Otherwise, when the server first starts in debugging
		#  mode, test certificates will be created.  See the
		#  "make_cert_command" below for details, and the README
		#  file in raddb/certs
		#
		#  These test certificates SHOULD NOT be used in a normal
		#  deployment.  They are created only to make it easier
		#  to install the server, and to perform some simple
		#  tests with EAP-TLS, TTLS, or PEAP.
		#
		#  See also:
		#
		#  http://www.dslreports.com/forum/remark,9286052~mode=flat
		#
		#  Note that you should NOT use a globally known CA here!
		#  e.g. using a Verisign cert as a "known CA" means that
		#  ANYONE who has a certificate signed by them can
		#  authenticate via EAP-TLS!  This is likely not what you want.
		tls {
			#
			#  These is used to simplify later configurations.
			#
			certdir = ${confdir}/certs
			cadir = ${confdir}/certs

#			private_key_password = whatever
			private_key_file = ${certdir}/radius_rice_edu.key

			#  If Private key & Certificate are located in
			#  the same file, then private_key_file &
			#  certificate_file must contain the same file
			#  name.
			#
			#  If CA_file (below) is not used, then the
			#  certificate_file below MUST include not
			#  only the server certificate, but ALSO all
			#  of the CA certificates used to sign the
			#  server certificate.
			certificate_file = ${certdir}/radius_rice_edu.crt

			#  Trusted Root CA list
			#
			#  ALL of the CA's in this list will be trusted
			#  to issue client certificates for authentication.
			#
			#  In general, you should use self-signed
			#  certificates for 802.1x (EAP) authentication.
			#  In that case, this CA file should contain
			#  *one* CA certificate.
			#
			#  This parameter is used only for EAP-TLS,
			#  when you issue client certificates.  If you do
			#  not use client certificates, and you do not want
			#  to permit EAP-TLS authentication, then delete
			#  this configuration item.
			CA_file = ${cadir}/radius_rice_edu_ca.crt

			#
			#  For DH cipher suites to work, you have to
			#  run OpenSSL to create the DH file first:
			#
			#  	openssl dhparam -out certs/dh 1024
			#
			dh_file = ${certdir}/dh

			#
			#  If your system doesn't have /dev/urandom,
			#  you will need to create this file, and
			#  periodically change its contents.
			#
			#  For security reasons, FreeRADIUS doesn't
			#  write to files in its configuration
			#  directory.
			#
#			random_file = ${certdir}/random

			#
			#  This can never exceed the size of a RADIUS
			#  packet (4096 bytes), and is preferably half
			#  that, to accomodate other attributes in
			#  RADIUS packet.  On most APs the MAX packet
			#  length is configured between 1500 - 1600
			#  In these cases, fragment size should be
			#  1024 or less.
			#
		#	fragment_size = 1024

			#  include_length is a flag which is
			#  by default set to yes If set to
			#  yes, Total Length of the message is
			#  included in EVERY packet we send.
			#  If set to no, Total Length of the
			#  message is included ONLY in the
			#  First packet of a fragment series.
			#
		#	include_length = yes

			#  Check the Certificate Revocation List
			#
			#  1) Copy CA certificates and CRLs to same directory.
			#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
			#    'c_rehash' is OpenSSL's command.
			#  3) uncomment the lines below.
			#  5) Restart radiusd
		#	check_crl = yes

			# Check if intermediate CAs have been revoked.
		#	check_all_crl = yes

			CA_path = ${cadir}

		       #
		       #  If check_cert_issuer is set, the value will
		       #  be checked against the DN of the issuer in
		       #  the client certificate.  If the values do not
		       #  match, the cerficate verification will fail,
		       #  rejecting the user.
		       #
		       #  In 2.1.10 and later, this check can be done
		       #  more generally by checking the value of the
		       #  TLS-Client-Cert-Issuer attribute.  This check
		       #  can be done via any mechanism you choose.
		       #
		#       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"

		       #
		       #  If check_cert_cn is set, the value will
		       #  be xlat'ed and checked against the CN
		       #  in the client certificate.  If the values
		       #  do not match, the certificate verification
		       #  will fail rejecting the user.
		       #
		       #  This check is done only if the previous
		       #  "check_cert_issuer" is not set, or if
		       #  the check succeeds.
		       #
		       #  In 2.1.10 and later, this check can be done
		       #  more generally by checking the value of the
		       #  TLS-Client-Cert-CN attribute.  This check
		       #  can be done via any mechanism you choose.
		       #
		#	check_cert_cn = %{User-Name}
		#
			# Set this option to specify the allowed
			# TLS cipher suites.  The format is listed
			# in "man 1 ciphers".
			cipher_list = "DEFAULT"

			#
			# As part of checking a client certificate, the EAP-TLS
			# sets some attributes such as TLS-Client-Cert-CN. This
			# virtual server has access to these attributes, and can
			# be used to accept or reject the request.
			#
		#	virtual_server = check-eap-tls

			# This command creates the initial "snake oil"
			# certificates when the server is run as root,
			# and via "radiusd -X".
			#
			# As of 2.1.11, it *also* checks the server
			# certificate for validity, including expiration.
			# This means that radiusd will refuse to start
			# when the certificate has expired.  The alternative
			# is to have the 802.1X clients refuse to connect
			# when they discover the certificate has expired.
			#
			# Debugging client issues is hard, so it's better
			# for the server to print out an error message,
			# and refuse to start.
			#
			make_cert_command = "${certdir}/bootstrap"

			#
			#  Elliptical cryptography configuration
			#
			#  Only for OpenSSL >= 0.9.8.f
			#
			ecdh_curve = "prime256v1"

			#
			#  Session resumption / fast reauthentication
			#  cache.
			#
			#  The cache contains the following information:
			#
			#  session Id - unique identifier, managed by SSL
			#  User-Name  - from the Access-Accept
			#  Stripped-User-Name - from the Access-Request
			#  Cached-Session-Policy - from the Access-Accept
			#
			#  The "Cached-Session-Policy" is the name of a
			#  policy which should be applied to the cached
			#  session.  This policy can be used to assign
			#  VLANs, IP addresses, etc.  It serves as a useful
			#  way to re-apply the policy from the original
			#  Access-Accept to the subsequent Access-Accept
			#  for the cached session.
			#
			#  On session resumption, these attributes are
			#  copied from the cache, and placed into the
			#  reply list.
			#
			#  You probably also want "use_tunneled_reply = yes"
			#  when using fast session resumption.
			#
			cache {
			      #
			      #  Enable it.  The default is "no".
			      #  Deleting the entire "cache" subsection
			      #  Also disables caching.
			      #
			      #  You can disallow resumption for a
			      #  particular user by adding the following
			      #  attribute to the control item list:
			      #
			      #		Allow-Session-Resumption = No
			      #
			      #  If "enable = no" below, you CANNOT
			      #  enable resumption for just one user
			      #  by setting the above attribute to "yes".
			      #
			      enable = yes

			      #
			      #  Lifetime of the cached entries, in hours.
			      #  The sessions will be deleted after this
			      #  time.
			      #
			      lifetime = 24 # hours

			      #
			      #  The maximum number of entries in the
			      #  cache.  Set to "0" for "infinite".
			      #
			      #  This could be set to the number of users
			      #  who are logged in... which can be a LOT.
			      #
			      max_entries = 20000
			}

			#
			#  As of version 2.1.10, client certificates can be
			#  validated via an external command.  This allows
			#  dynamic CRLs or OCSP to be used.
			#
			#  This configuration is commented out in the
			#  default configuration.  Uncomment it, and configure
			#  the correct paths below to enable it.
			#
			verify {
				#  A temporary directory where the client
				#  certificates are stored.  This directory
				#  MUST be owned by the UID of the server,
				#  and MUST not be accessible by any other
				#  users.  When the server starts, it will do
				#  "chmod go-rwx" on the directory, for
				#  security reasons.  The directory MUST
				#  exist when the server starts.
				#
				#  You should also delete all of the files
				#  in the directory when the server starts.
		#     		tmpdir = /tmp/radiusd

				#  The command used to verify the client cert.
				#  We recommend using the OpenSSL command-line
				#  tool.
				#
				#  The ${..CA_path} text is a reference to
				#  the CA_path variable defined above.
				#
				#  The %{TLS-Client-Cert-Filename} is the name
				#  of the temporary file containing the cert
				#  in PEM format.  This file is automatically
				#  deleted by the server when the command
				#  returns.
		#    		client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
			}

			#
			#  OCSP Configuration
			#  Certificates can be verified against an OCSP
			#  Responder. This makes it possible to immediately
			#  revoke certificates without the distribution of
			#  new Certificate Revokation Lists (CRLs).
			#
			ocsp {
			      #
			      #  Enable it.  The default is "no".
			      #  Deleting the entire "ocsp" subsection
			      #  Also disables ocsp checking
			      #
			      enable = no

			      #
			      #  The OCSP Responder URL can be automatically
			      #  extracted from the certificate in question.
			      #  To override the OCSP Responder URL set
			      #  "override_cert_url = yes". 
			      #
			      override_cert_url = yes

			      #
			      #  If the OCSP Responder address is not
			      #  extracted from the certificate, the
			      #  URL can be defined here.

			      #
			      #  Limitation: Currently the HTTP
			      #  Request is not sending the "Host: "
			      #  information to the web-server.  This
			      #  can be a problem if the OCSP
			      #  Responder is running as a vhost.
			      #
			      url = "http://127.0.0.1/ocsp/"

			      #
			      # If the OCSP Responder can not cope with nonce
			      # in the request, then it can be disabled here.
			      #
			      # For security reasons, disabling this option
			      # is not recommended as nonce protects against
			      # replay attacks.
			      #
			      # Note that Microsoft AD Certificate Services OCSP
			      # Responder does not enable nonce by default. It is
			      # more secure to enable nonce on the responder than
			      # to disable it in the query here.
			      # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
			      #
			      # use_nonce = yes

			      #
			      # Number of seconds before giving up waiting
			      # for OCSP response. 0 uses system default.
			      #
			      # timeout = 0

			      #
			      # Normally an error in querying the OCSP
			      # responder (no response from server, server did
			      # not understand the request, etc) will result in
			      # a validation failure.
			      #
			      # To treat these errors as 'soft' failures and
			      # still accept the certificate, enable this
			      # option.
			      # 
			      # Warning: this may enable clients with revoked
			      # certificates to connect if the OCSP responder
			      # is not available. Use with caution.
			      #
			      # softfail = no
			}
		}

		#  The TTLS module implements the EAP-TTLS protocol,
		#  which can be described as EAP inside of Diameter,
		#  inside of TLS, inside of EAP, inside of RADIUS...
		#
		#  Surprisingly, it works quite well.
		#
		#  The TTLS module needs the TLS module to be installed
		#  and configured, in order to use the TLS tunnel
		#  inside of the EAP packet.  You will still need to
		#  configure the TLS module, even if you do not want
		#  to deploy EAP-TLS in your network.  Users will not
		#  be able to request EAP-TLS, as it requires them to
		#  have a client certificate.  EAP-TTLS does not
		#  require a client certificate.
		#
		#  You can make TTLS require a client cert by setting
		#
		#	EAP-TLS-Require-Client-Cert = Yes
		#
		#  in the control items for a request.
		#
		ttls {
			#  The tunneled EAP session needs a default
			#  EAP type which is separate from the one for
			#  the non-tunneled EAP module.  Inside of the
			#  TTLS tunnel, we recommend using EAP-MD5.
			#  If the request does not contain an EAP
			#  conversation, then this configuration entry
			#  is ignored.
			default_eap_type = md5

			#  The tunneled authentication request does
			#  not usually contain useful attributes
			#  like 'Calling-Station-Id', etc.  These
			#  attributes are outside of the tunnel,
			#  and normally unavailable to the tunneled
			#  authentication request.
			#
			#  By setting this configuration entry to
			#  'yes', any attribute which NOT in the
			#  tunneled authentication request, but
			#  which IS available outside of the tunnel,
			#  is copied to the tunneled request.
			#
			# allowed values: {no, yes}
			copy_request_to_tunnel = no

			#  The reply attributes sent to the NAS are
			#  usually based on the name of the user
			#  'outside' of the tunnel (usually
			#  'anonymous').  If you want to send the
			#  reply attributes based on the user name
			#  inside of the tunnel, then set this
			#  configuration entry to 'yes', and the reply
			#  to the NAS will be taken from the reply to
			#  the tunneled request.
			#
			# allowed values: {no, yes}
			use_tunneled_reply = yes

			#
			#  The inner tunneled request can be sent
			#  through a virtual server constructed
			#  specifically for this purpose.
			#
			#  If this entry is commented out, the inner
			#  tunneled request will be sent through
			#  the virtual server that processed the
			#  outer requests.
			#
			virtual_server = "inner-tunnel"

			#  This has the same meaning as the
			#  same field in the "tls" module, above.
			#  The default value here is "yes".
		#	include_length = yes
		}

		##################################################
		#
		#  !!!!! WARNINGS for Windows compatibility  !!!!!
		#
		##################################################
		#
		#  If you see the server send an Access-Challenge,
		#  and the client never sends another Access-Request,
		#  then
		#
		#		STOP!
		#
		#  The server certificate has to have special OID's
		#  in it, or else the Microsoft clients will silently
		#  fail.  See the "scripts/xpextensions" file for
		#  details, and the following page:
		#
		#	http://support.microsoft.com/kb/814394/en-us
		#
		#  For additional Windows XP SP2 issues, see:
		#
		#	http://support.microsoft.com/kb/885453/en-us
		#
		#
		#  If is still doesn't work, and you're using Samba,
		#  you may be encountering a Samba bug.  See:
		#
		#	https://bugzilla.samba.org/show_bug.cgi?id=6563
		#
		#  Note that we do not necessarily agree with their
		#  explanation... but the fix does appear to work.
		#
		##################################################

		#
		#  The tunneled EAP session needs a default EAP type
		#  which is separate from the one for the non-tunneled
		#  EAP module.  Inside of the TLS/PEAP tunnel, we
		#  recommend using EAP-MS-CHAPv2.
		#
		#  The PEAP module needs the TLS module to be installed
		#  and configured, in order to use the TLS tunnel
		#  inside of the EAP packet.  You will still need to
		#  configure the TLS module, even if you do not want
		#  to deploy EAP-TLS in your network.  Users will not
		#  be able to request EAP-TLS, as it requires them to
		#  have a client certificate.  EAP-PEAP does not
		#  require a client certificate.
		#
		#
		#  You can make PEAP require a client cert by setting
		#
		#	EAP-TLS-Require-Client-Cert = Yes
		#
		#  in the control items for a request.
		#
		peap {
			#  The tunneled EAP session needs a default
			#  EAP type which is separate from the one for
			#  the non-tunneled EAP module.  Inside of the
			#  PEAP tunnel, we recommend using MS-CHAPv2,
			#  as that is the default type supported by
			#  Windows clients.
			default_eap_type = mschapv2

			#  the PEAP module also has these configuration
			#  items, which are the same as for TTLS.
			copy_request_to_tunnel = no
			use_tunneled_reply = yes

			#  When the tunneled session is proxied, the
			#  home server may not understand EAP-MSCHAP-V2.
			#  Set this entry to "no" to proxy the tunneled
			#  EAP-MSCHAP-V2 as normal MSCHAPv2.
		#	proxy_tunneled_request_as_eap = yes

			#
			#  The inner tunneled request can be sent
			#  through a virtual server constructed
			#  specifically for this purpose.
			#
			#  If this entry is commented out, the inner
			#  tunneled request will be sent through
			#  the virtual server that processed the
			#  outer requests.
			#
			virtual_server = "inner-tunnel"

			# This option enables support for MS-SoH
			# see doc/SoH.txt for more info.
			# It is disabled by default.
			#
#			soh = yes

			#
			# The SoH reply will be turned into a request which
			# can be sent to a specific virtual server:
			#
#			soh_virtual_server = "soh-server"
		}

		#
		#  This takes no configuration.
		#
		#  Note that it is the EAP MS-CHAPv2 sub-module, not
		#  the main 'mschap' module.
		#
		#  Note also that in order for this sub-module to work,
		#  the main 'mschap' module MUST ALSO be configured.
		#
		#  This module is the *Microsoft* implementation of MS-CHAPv2
		#  in EAP.  There is another (incompatible) implementation
		#  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
		#  currently support.
		#
		mschapv2 {
			#  Prior to version 2.1.11, the module never
			#  sent the MS-CHAP-Error message to the
			#  client.  This worked, but it had issues
			#  when the cached password was wrong.  The
			#  server *should* send "E=691 R=0" to the
			#  client, which tells it to prompt the user
			#  for a new password.
			#
			#  The default is to behave as in 2.1.10 and
			#  earlier, which is known to work.  If you
			#  set "send_error = yes", then the error
			#  message will be sent back to the client.
			#  This *may* help some clients work better,
			#  but *may* also cause other clients to stop
			#  working.
			#
#			send_error = no
		}
	}
-------------- next part --------------
######################################################################
#
#	Make file to be installed in /etc/raddb/certs to enable
#	the easy creation of certificates.
#
#	See the README file in this directory for more information.
#	
#	$Id: 6c3dccc174bf0f995bb7930711ee81d22088ca70 $
#
######################################################################

DH_KEY_SIZE	= 2048

#
#  Set the passwords
#
-include passwords.mk

######################################################################
#
#  Make the necessary files, but not client certificates.
#
######################################################################
.PHONY: all
all: index.txt serial dh random server ca

.PHONY: client
client: client.pem

.PHONY: ca
ca: ca.der

.PHONY: server
server: server.pem server.vrfy

passwords.mk: server.cnf ca.cnf client.cnf
	@echo "PASSWORD_SERVER	= '$(shell grep output_password server.cnf | sed 's/.*=//;s/^ *//')'"		> $@
	@echo "PASSWORD_CA	= '$(shell grep output_password ca.cnf | sed 's/.*=//;s/^ *//')'"		>> $@
	@echo "PASSWORD_CLIENT	= '$(shell grep output_password client.cnf | sed 's/.*=//;s/^ *//')'"		>> $@
	@echo "USER_NAME	= '$(shell grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//')'"	>> $@
	@echo "CA_DEFAULT_DAYS  = '$(shell grep default_days ca.cnf | sed 's/.*=//;s/^ *//')'"			>> $@

######################################################################
#
#  Diffie-Hellman parameters
#
######################################################################
dh:
	openssl gendh -out dh -2 $(DH_KEY_SIZE)

######################################################################
#
#  Create a new self-signed CA certificate
#
######################################################################
ca.key ca.pem: ca.cnf
	@[ -f index.txt ] || $(MAKE) index.txt
	@[ -f serial ] || $(MAKE) serial
	openssl req -new -x509 -keyout ca.key -out ca.pem \
		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf

ca.der: ca.pem
	openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der

######################################################################
#
#  Create a new server certificate, signed by the above CA.
#
######################################################################
server.csr server.key: server.cnf
	openssl req -new  -out server.csr -keyout server.key -config ./server.cnf

server.crt: server.csr ca.key ca.pem
	openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf

server.p12: server.crt
	openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)

server.pem: server.p12
	openssl pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)

.PHONY: server.vrfy
server.vrfy: ca.pem
	openssl verify -CAfile ca.pem server.pem

######################################################################
#
#  Create a new client certificate, signed by the the above CA
#
######################################################################
client.csr client.key: client.cnf
	openssl req -new  -out client.csr -keyout client.key -config ./client.cnf

client.crt: client.csr ca.pem ca.key
	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

client.p12: client.crt
	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

client.pem: client.p12
	openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
	cp client.pem $(USER_NAME).pem

.PHONY: client.vrfy
client.vrfy: ca.pem client.pem 
	c_rehash .
	openssl verify -CApath . client.pem

######################################################################
#
#  Miscellaneous rules.
#
######################################################################
index.txt:
	@touch index.txt

serial:
	@echo '01' > serial

random:
	@if [ -c /dev/urandom ] ; then \
		dd if=/dev/urandom of=./random count=10 >/dev/null 2>&1; \
	else \
		date > ./random; \
	fi

print:
	openssl x509 -text -in server.crt

printca:
	openssl x509 -text -in ca.pem

clean:
	@rm -f *~ *old client.csr client.key client.crt client.p12 client.pem

#
#	Make a target that people won't run too often.
#
destroycerts:
	rm -f *~ dh *.csr *.crt *.p12 *.der *.pem *.key index.txt* \
			serial* random *\.0 *\.1


More information about the Freeradius-Users mailing list