Windows PEAP failure in FreeRADIUS 3.1
Scott Armitage
S.P.Armitage at lboro.ac.uk
Tue Mar 1 15:12:51 CET 2016
Hi,
When using FreeRADIUS v3.1, Windows devices fail to authenticate using PEAP. Other OSes work fine, but Windows fails. If I use a client cert and EAP-TLS, Windows succeeds.
It appears the Windows devices stop responding after the establishment of the PEAP tunnel. Can anyone point out where I am going wrong:
Ready to process requests
(0) - Received Access-Request Id 248 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 316
(0) - User-Name = "anon@lboro.ac.uk"
(0) - Chargeable-User-Identity = 0x00
(0) - Location-Capable = Civix-Location
(0) - Calling-Station-Id = "18-cf-5e-12-75-c1"
(0) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree"
(0) - NAS-Port = 13
(0) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b"
(0) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789"
(0) - NAS-IP-Address = 10.53.253.14
(0) - NAS-IPv6-Address = 2001:630:301:9101::14
(0) - NAS-Identifier = "wism-sport-park-3"
(0) - Airespace-Wlan-Id = 3
(0) - Service-Type = Framed-User
(0) - Framed-MTU = 1300
(0) - NAS-Port-Type = Wireless-802.11
(0) - Tunnel-Type:0 = VLAN
(0) - Tunnel-Medium-Type:0 = IEEE-802
(0) - Tunnel-Private-Group-Id:0 = "1112"
(0) - EAP-Message = 0x0202001501616e6f6e406c626f726f2e61632e756b
(0) - Message-Authenticator = 0x382df2f62c354bece72daa54ee2d5945
(0) - Running section authorize from file /etc/raddb/sites-enabled/lboro
(0) - authorize {
(0) - nagios_check {
(0) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") {
(0) - ...
(0) - }
(0) - } # nagios_check (notfound)
(0) - wism_check {
(0) - if (User-Name =~ /wism-check/ ) {
(0) - ...
(0) - }
(0) - } # wism_check (notfound)
(0) - filter_duff_realms {
(0) - if (User-Name =~ /\\.ax\\.uk$/i ) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /\\.sc\\.uk$/i ) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /\\.ac\\.u$/i ) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /lboro$/i ) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /3gppnetwork\\.org$/i) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /myabc\\.com$/i) {
(0) - ...
(0) - }
(0) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) {
(0) - ...
(0) - }
(0) - } # filter_duff_realms (notfound)
(0) - filter_username {
(0) - if (!&User-Name) {
(0) - ...
(0) - }
(0) - if (&User-Name =~ / /) {
(0) - ...
(0) - }
(0) - if (&User-Name =~ /@.*@/ ) {
(0) - ...
(0) - }
(0) - if (&User-Name =~ /\.\./ ) {
(0) - ...
(0) - }
(0) - if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) - ...
(0) - }
(0) - if (&User-Name =~ /\.$/) {
(0) - ...
(0) - }
(0) - if (&User-Name =~ /@\./) {
(0) - ...
(0) - }
(0) - } # filter_username (notfound)
(0) preprocess (ok)
(0) operator-name.authorize {
(0) if ("%{client:Operator-Name}") {
(0) EXPAND %{client:Operator-Name}
(0) -->
(0) ...
(0) }
(0) } # operator-name.authorize (ok)
(0) cui.authorize {
(0) if ("%{client:add_cui}" == 'yes') {
(0) EXPAND %{client:add_cui}
(0) --> yes
(0) update request {
(0) &Chargeable-User-Identity := 0x00
(0) } # update request (noop)
(0) } # if ("%{client:add_cui}" == 'yes') (noop)
(0) } # cui.authorize (noop)
(0) suffix - Checking for suffix after "@"
(0) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon@lboro.ac.uk"
(0) suffix - Found realm "lboro.ac.uk"
(0) suffix - Adding Stripped-User-Name = "anon"
(0) suffix - Adding Realm = "lboro.ac.uk"
(0) suffix - Authentication realm is LOCAL
(0) suffix (ok)
(0) ntdomain - Request already has destination realm set. Ignoring
(0) ntdomain (noop)
(0) if ( Called-Station-Id =~ /:eduroam$/ ) {
(0) ...
(0) }
(0) elsif ( Called-Station-Id =~ /.*:YST$/ ) {
(0) ...
(0) }
(0) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) {
(0) EXPAND %{client:group}
(0) --> wireless
(0) ...
(0) }
(0) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) {
(0) ...
(0) }
(0) elsif (User-Name =~ /\@ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) {
(0) ...
(0) }
(0) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) {
(0) ...
(0) }
(0) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) {
(0) ...
(0) }
(0) elsif ( Realm == "lsu.co.uk" ) {
(0) ...
(0) }
(0) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
(0) ...
(0) }
(0) else {
(0) update request {
(0) &Realm := local
(0) } # update request (noop)
(0) } # else (noop)
(0) eap - Peer sent EAP Response (code 2) ID 2 length 21
(0) eap - Peer sent EAP-Identity. Returning 'ok' so we can short-circuit the rest of authorize
(0) eap (ok)
(0) } # authorize (ok)
(0) Using 'Auth-Type = eap' for authenticate {...}
(0) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro
(0) authenticate {
(0) eap - Peer sent packet with EAP method Identity (1)
(0) eap - Calling submodule eap_tls to process data
(0) eap_tls - Initiating new EAP-TLS session
(0) eap_tls - Setting verify mode to require certificate from client
(0) eap - Sending EAP Request (code 1) ID 3 length 6
(0) eap (handled)
(0) } # authenticate (handled)
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro
(0) Sent Access-Challenge Id 248 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0
(0) EAP-Message = 0x010300060d20
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x01015100148ca6ec523c504e518c74e2
(0) Finished request
Waking up in 1.9 seconds.
(1) - Received Access-Request Id 249 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 319
(1) - User-Name = "anon@lboro.ac.uk"
(1) - Chargeable-User-Identity = 0x00
(1) - Location-Capable = Civix-Location
(1) - Calling-Station-Id = "18-cf-5e-12-75-c1"
(1) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree"
(1) - NAS-Port = 13
(1) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b"
(1) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789"
(1) - NAS-IP-Address = 10.53.253.14
(1) - NAS-IPv6-Address = 2001:630:301:9101::14
(1) - NAS-Identifier = "wism-sport-park-3"
(1) - Airespace-Wlan-Id = 3
(1) - Service-Type = Framed-User
(1) - Framed-MTU = 1300
(1) - NAS-Port-Type = Wireless-802.11
(1) - Tunnel-Type:0 = VLAN
(1) - Tunnel-Medium-Type:0 = IEEE-802
(1) - Tunnel-Private-Group-Id:0 = "1112"
(1) - EAP-Message = 0x020300060319
(1) - State = 0x01015100148ca6ec523c504e518c74e2
(1) - Message-Authenticator = 0x87079937708aa02274b90e7892aa4815
(1) - Running section authorize from file /etc/raddb/sites-enabled/lboro
(1) - authorize {
(1) - nagios_check {
(1) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") {
(1) - ...
(1) - }
(1) - } # nagios_check (notfound)
(1) - wism_check {
(1) - if (User-Name =~ /wism-check/ ) {
(1) - ...
(1) - }
(1) - } # wism_check (notfound)
(1) - filter_duff_realms {
(1) - if (User-Name =~ /\\.ax\\.uk$/i ) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /\\.sc\\.uk$/i ) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /\\.ac\\.u$/i ) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /lboro$/i ) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /3gppnetwork\\.org$/i) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /myabc\\.com$/i) {
(1) - ...
(1) - }
(1) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) {
(1) - ...
(1) - }
(1) - } # filter_duff_realms (notfound)
(1) - filter_username {
(1) - if (!&User-Name) {
(1) - ...
(1) - }
(1) - if (&User-Name =~ / /) {
(1) - ...
(1) - }
(1) - if (&User-Name =~ /@.*@/ ) {
(1) - ...
(1) - }
(1) - if (&User-Name =~ /\.\./ ) {
(1) - ...
(1) - }
(1) - if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) - ...
(1) - }
(1) - if (&User-Name =~ /\.$/) {
(1) - ...
(1) - }
(1) - if (&User-Name =~ /@\./) {
(1) - ...
(1) - }
(1) - } # filter_username (notfound)
(1) preprocess (ok)
(1) operator-name.authorize {
(1) if ("%{client:Operator-Name}") {
(1) EXPAND %{client:Operator-Name}
(1) -->
(1) ...
(1) }
(1) } # operator-name.authorize (ok)
(1) cui.authorize {
(1) if ("%{client:add_cui}" == 'yes') {
(1) EXPAND %{client:add_cui}
(1) --> yes
(1) update request {
(1) &Chargeable-User-Identity := 0x00
(1) } # update request (noop)
(1) } # if ("%{client:add_cui}" == 'yes') (noop)
(1) } # cui.authorize (noop)
(1) suffix - Checking for suffix after "@"
(1) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon@lboro.ac.uk"
(1) suffix - Found realm "lboro.ac.uk"
(1) suffix - Adding Stripped-User-Name = "anon"
(1) suffix - Adding Realm = "lboro.ac.uk"
(1) suffix - Authentication realm is LOCAL
(1) suffix (ok)
(1) ntdomain - Request already has destination realm set. Ignoring
(1) ntdomain (noop)
(1) if ( Called-Station-Id =~ /:eduroam$/ ) {
(1) ...
(1) }
(1) elsif ( Called-Station-Id =~ /.*:YST$/ ) {
(1) ...
(1) }
(1) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) {
(1) EXPAND %{client:group}
(1) --> wireless
(1) ...
(1) }
(1) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) {
(1) ...
(1) }
(1) elsif (User-Name =~ /\@ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) {
(1) ...
(1) }
(1) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) {
(1) ...
(1) }
(1) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) {
(1) ...
(1) }
(1) elsif ( Realm == "lsu.co.uk" ) {
(1) ...
(1) }
(1) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
(1) ...
(1) }
(1) else {
(1) update request {
(1) &Realm := local
(1) } # update request (noop)
(1) } # else (noop)
(1) eap - Peer sent EAP Response (code 2) ID 3 length 6
(1) eap - Continuing on-going EAP conversation
(1) eap (updated)
(1) if (Realm != "SportPark") {
(1) files (noop)
(1) } # if (Realm != "SportPark") (noop)
(1) } # authorize (updated)
(1) Using 'Auth-Type = eap' for authenticate {...}
(1) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro
(1) authenticate {
(1) eap - Peer sent packet with EAP method NAK (3)
(1) eap - Found mutually acceptable type PEAP (25)
(1) eap - Calling submodule eap_peap to process data
(1) eap_peap - Initiating new EAP-TLS session
(1) eap - Sending EAP Request (code 1) ID 4 length 6
(1) eap (handled)
(1) } # authenticate (handled)
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro
(1) Sent Access-Challenge Id 249 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0
(1) EAP-Message = 0x010400061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x020351002306bedc523c504e518c74e2
(1) Finished request
Waking up in 1.9 seconds.
(2) - Received Access-Request Id 250 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 491
(2) - User-Name = "anon@lboro.ac.uk"
(2) - Chargeable-User-Identity = 0x00
(2) - Location-Capable = Civix-Location
(2) - Calling-Station-Id = "18-cf-5e-12-75-c1"
(2) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree"
(2) - NAS-Port = 13
(2) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b"
(2) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789"
(2) - NAS-IP-Address = 10.53.253.14
(2) - NAS-IPv6-Address = 2001:630:301:9101::14
(2) - NAS-Identifier = "wism-sport-park-3"
(2) - Airespace-Wlan-Id = 3
(2) - Service-Type = Framed-User
(2) - Framed-MTU = 1300
(2) - NAS-Port-Type = Wireless-802.11
(2) - Tunnel-Type:0 = VLAN
(2) - Tunnel-Medium-Type:0 = IEEE-802
(2) - Tunnel-Private-Group-Id:0 = "1112"
(2) - EAP-Message = 0x020400b21980000000a816030300a30100009f030356d5a1d0b73b3ce7f8e814cc7bd174c70898c308769ae5cbf3b0a4fbd0895733000038c02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a006a0040003800320013000500040100003e000500
(2) - State = 0x020351002306bedc523c504e518c74e2
(2) - Message-Authenticator = 0x25df502901ee50b3554970e162bd935e
(2) - Running section authorize from file /etc/raddb/sites-enabled/lboro
(2) - authorize {
(2) - nagios_check {
(2) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") {
(2) - ...
(2) - }
(2) - } # nagios_check (notfound)
(2) - wism_check {
(2) - if (User-Name =~ /wism-check/ ) {
(2) - ...
(2) - }
(2) - } # wism_check (notfound)
(2) - filter_duff_realms {
(2) - if (User-Name =~ /\\.ax\\.uk$/i ) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /\\.sc\\.uk$/i ) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /\\.ac\\.u$/i ) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /lboro$/i ) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /3gppnetwork\\.org$/i) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /myabc\\.com$/i) {
(2) - ...
(2) - }
(2) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) {
(2) - ...
(2) - }
(2) - } # filter_duff_realms (notfound)
(2) - filter_username {
(2) - if (!&User-Name) {
(2) - ...
(2) - }
(2) - if (&User-Name =~ / /) {
(2) - ...
(2) - }
(2) - if (&User-Name =~ /@.*@/ ) {
(2) - ...
(2) - }
(2) - if (&User-Name =~ /\.\./ ) {
(2) - ...
(2) - }
(2) - if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) - ...
(2) - }
(2) - if (&User-Name =~ /\.$/) {
(2) - ...
(2) - }
(2) - if (&User-Name =~ /@\./) {
(2) - ...
(2) - }
(2) - } # filter_username (notfound)
(2) preprocess (ok)
(2) operator-name.authorize {
(2) if ("%{client:Operator-Name}") {
(2) EXPAND %{client:Operator-Name}
(2) -->
(2) ...
(2) }
(2) } # operator-name.authorize (ok)
(2) cui.authorize {
(2) if ("%{client:add_cui}" == 'yes') {
(2) EXPAND %{client:add_cui}
(2) --> yes
(2) update request {
(2) &Chargeable-User-Identity := 0x00
(2) } # update request (noop)
(2) } # if ("%{client:add_cui}" == 'yes') (noop)
(2) } # cui.authorize (noop)
(2) suffix - Checking for suffix after "@"
(2) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon@lboro.ac.uk"
(2) suffix - Found realm "lboro.ac.uk"
(2) suffix - Adding Stripped-User-Name = "anon"
(2) suffix - Adding Realm = "lboro.ac.uk"
(2) suffix - Authentication realm is LOCAL
(2) suffix (ok)
(2) ntdomain - Request already has destination realm set. Ignoring
(2) ntdomain (noop)
(2) if ( Called-Station-Id =~ /:eduroam$/ ) {
(2) ...
(2) }
(2) elsif ( Called-Station-Id =~ /.*:YST$/ ) {
(2) ...
(2) }
(2) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) {
(2) EXPAND %{client:group}
(2) --> wireless
(2) ...
(2) }
(2) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) {
(2) ...
(2) }
(2) elsif (User-Name =~ /\@ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) {
(2) ...
(2) }
(2) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) {
(2) ...
(2) }
(2) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) {
(2) ...
(2) }
(2) elsif ( Realm == "lsu.co.uk" ) {
(2) ...
(2) }
(2) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
(2) ...
(2) }
(2) else {
(2) update request {
(2) &Realm := local
(2) } # update request (noop)
(2) } # else (noop)
(2) eap - Peer sent EAP Response (code 2) ID 4 length 178
(2) eap - Continuing tunnel setup
(2) eap (ok)
(2) } # authorize (ok)
(2) Using 'Auth-Type = eap' for authenticate {...}
(2) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro
(2) authenticate {
(2) eap - Peer sent packet with EAP method PEAP (25)
(2) eap - Calling submodule eap_peap to process data
(2) eap_peap - Continuing EAP-TLS
(2) eap_peap - Peer indicated complete TLS record size will be 168 bytes
(2) eap_peap - Got complete TLS record, with length field (168 bytes)
(2) eap_peap - [eap-tls verify] = ok
(2) eap_peap - before/accept initialization
(2) eap_peap - TLS Accept: before/accept initialization
(2) eap_peap - <<< recv handshake [length 163], client_hello
(2) eap_peap - TLS Accept: SSLv3 read client hello A
(2) eap_peap - >>> send handshake [length 89], server_hello
(2) eap_peap - TLS Accept: SSLv3 write server hello A
(2) eap_peap - >>> send handshake [length 2457], certificate
(2) eap_peap - TLS Accept: SSLv3 write certificate A
(2) eap_peap - >>> send handshake [length 331], server_key_exchange
(2) eap_peap - TLS Accept: SSLv3 write key exchange A
(2) eap_peap - >>> send handshake [length 4], server_hello_done
(2) eap_peap - TLS Accept: SSLv3 write server done A
(2) eap_peap - TLS Accept: SSLv3 flush data
(2) eap_peap - TLS Accept: Need to read more data: SSLv3 read client certificate A
(2) eap_peap - TLS Accept: Need to read more data: SSLv3 read client certificate A
(2) eap_peap - In TLS handshake phase
(2) eap_peap - In TLS accept mode
(2) eap_peap - Complete TLS record (2901 bytes) larger than MTU (990 bytes), will fragment
(2) eap_peap - Sending first TLS record fragment (990 bytes), 1911 bytes remaining
(2) eap_peap - [eap-tls process] = handled
(2) eap - Sending EAP Request (code 1) ID 5 length 1000
(2) eap (handled)
(2) } # authenticate (handled)
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro
(2) Sent Access-Challenge Id 250 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0
(2) EAP-Message = 0x010503e819c000000b55160302005902000055030256d5a18b0261059d716b941222cf3855ea00c34b5e728dc7be087afa7d75606d2076d5549bfc2e548e73d1176bbe9daa36dc0d0a1d16dc467e8a51b4989a04fd65c01400000dff01000100000b00040300010216030209990b000995000992000427
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x03015100148ca6ec523c504e518c74e2
(2) Finished request
Waking up in 1.9 seconds.
(3) - Received Access-Request Id 251 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 319
(3) - User-Name = "anon@lboro.ac.uk"
(3) - Chargeable-User-Identity = 0x00
(3) - Location-Capable = Civix-Location
(3) - Calling-Station-Id = "18-cf-5e-12-75-c1"
(3) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree"
(3) - NAS-Port = 13
(3) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b"
(3) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789"
(3) - NAS-IP-Address = 10.53.253.14
(3) - NAS-IPv6-Address = 2001:630:301:9101::14
(3) - NAS-Identifier = "wism-sport-park-3"
(3) - Airespace-Wlan-Id = 3
(3) - Service-Type = Framed-User
(3) - Framed-MTU = 1300
(3) - NAS-Port-Type = Wireless-802.11
(3) - Tunnel-Type:0 = VLAN
(3) - Tunnel-Medium-Type:0 = IEEE-802
(3) - Tunnel-Private-Group-Id:0 = "1112"
(3) - EAP-Message = 0x020500061900
(3) - State = 0x03015100148ca6ec523c504e518c74e2
(3) - Message-Authenticator = 0xc2308e039d2d27171a1a80d5fa914f3e
(3) - Running section authorize from file /etc/raddb/sites-enabled/lboro
(3) - authorize {
(3) - nagios_check {
(3) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") {
(3) - ...
(3) - }
(3) - } # nagios_check (notfound)
(3) - wism_check {
(3) - if (User-Name =~ /wism-check/ ) {
(3) - ...
(3) - }
(3) - } # wism_check (notfound)
(3) - filter_duff_realms {
(3) - if (User-Name =~ /\\.ax\\.uk$/i ) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /\\.sc\\.uk$/i ) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /\\.ac\\.u$/i ) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /lboro$/i ) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /3gppnetwork\\.org$/i) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /myabc\\.com$/i) {
(3) - ...
(3) - }
(3) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) {
(3) - ...
(3) - }
(3) - } # filter_duff_realms (notfound)
(3) - filter_username {
(3) - if (!&User-Name) {
(3) - ...
(3) - }
(3) - if (&User-Name =~ / /) {
(3) - ...
(3) - }
(3) - if (&User-Name =~ /@.*@/ ) {
(3) - ...
(3) - }
(3) - if (&User-Name =~ /\.\./ ) {
(3) - ...
(3) - }
(3) - if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) - ...
(3) - }
(3) - if (&User-Name =~ /\.$/) {
(3) - ...
(3) - }
(3) - if (&User-Name =~ /@\./) {
(3) - ...
(3) - }
(3) - } # filter_username (notfound)
(3) preprocess (ok)
(3) operator-name.authorize {
(3) if ("%{client:Operator-Name}") {
(3) EXPAND %{client:Operator-Name}
(3) -->
(3) ...
(3) }
(3) } # operator-name.authorize (ok)
(3) cui.authorize {
(3) if ("%{client:add_cui}" == 'yes') {
(3) EXPAND %{client:add_cui}
(3) --> yes
(3) update request {
(3) &Chargeable-User-Identity := 0x00
(3) } # update request (noop)
(3) } # if ("%{client:add_cui}" == 'yes') (noop)
(3) } # cui.authorize (noop)
(3) suffix - Checking for suffix after "@"
(3) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon@lboro.ac.uk"
(3) suffix - Found realm "lboro.ac.uk"
(3) suffix - Adding Stripped-User-Name = "anon"
(3) suffix - Adding Realm = "lboro.ac.uk"
(3) suffix - Authentication realm is LOCAL
(3) suffix (ok)
(3) ntdomain - Request already has destination realm set. Ignoring
(3) ntdomain (noop)
(3) if ( Called-Station-Id =~ /:eduroam$/ ) {
(3) ...
(3) }
(3) elsif ( Called-Station-Id =~ /.*:YST$/ ) {
(3) ...
(3) }
(3) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) {
(3) EXPAND %{client:group}
(3) --> wireless
(3) ...
(3) }
(3) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) {
(3) ...
(3) }
(3) elsif (User-Name =~ /\@ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) {
(3) ...
(3) }
(3) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) {
(3) ...
(3) }
(3) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) {
(3) ...
(3) }
(3) elsif ( Realm == "lsu.co.uk" ) {
(3) ...
(3) }
(3) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
(3) ...
(3) }
(3) else {
(3) update request {
(3) &Realm := local
(3) } # update request (noop)
(3) } # else (noop)
(3) eap - Peer sent EAP Response (code 2) ID 5 length 6
(3) eap - Continuing tunnel setup
(3) eap (ok)
(3) } # authorize (ok)
(3) Using 'Auth-Type = eap' for authenticate {...}
(3) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro
(3) authenticate {
(3) eap - Peer sent packet with EAP method PEAP (25)
(3) eap - Calling submodule eap_peap to process data
(3) eap_peap - Continuing EAP-TLS
(3) eap_peap - Peer ACKed our handshake fragment
(3) eap_peap - [eap-tls verify] = request
(3) eap_peap - Sending additional TLS record fragment (994 bytes), 917 bytes remaining
(3) eap_peap - [eap-tls process] = handled
(3) eap - Sending EAP Request (code 1) ID 6 length 1000
(3) eap (handled)
(3) } # authenticate (handled)
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro
(3) Sent Access-Challenge Id 251 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0
(3) EAP-Message = 0x010603e81940c11f90d2b74ee65a1109bc0009cc59bb16b11c4d981df09929ef3b97d4d9c5040db5321c087b14c214be61a7ff6eb953828ff106bb4180f20d7ba5a7781ef72b286dbe7d9b98dd2c43a67d4e87108d1d22a3253b103f2b5daf5115457e670fcc117461e793aef0eb01f72340aa8042b007
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x040751002306bedc523c504e518c74e2
(3) Finished request
Waking up in 1.9 seconds.
(4) - Received Access-Request Id 252 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 319
(4) - User-Name = "anon@lboro.ac.uk"
(4) - Chargeable-User-Identity = 0x00
(4) - Location-Capable = Civix-Location
(4) - Calling-Station-Id = "18-cf-5e-12-75-c1"
(4) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree"
(4) - NAS-Port = 13
(4) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b"
(4) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789"
(4) - NAS-IP-Address = 10.53.253.14
(4) - NAS-IPv6-Address = 2001:630:301:9101::14
(4) - NAS-Identifier = "wism-sport-park-3"
(4) - Airespace-Wlan-Id = 3
(4) - Service-Type = Framed-User
(4) - Framed-MTU = 1300
(4) - NAS-Port-Type = Wireless-802.11
(4) - Tunnel-Type:0 = VLAN
(4) - Tunnel-Medium-Type:0 = IEEE-802
(4) - Tunnel-Private-Group-Id:0 = "1112"
(4) - EAP-Message = 0x020600061900
(4) - State = 0x040751002306bedc523c504e518c74e2
(4) - Message-Authenticator = 0x9e01e0203a757d408a33b0e6da2d6371
(4) - Running section authorize from file /etc/raddb/sites-enabled/lboro
(4) - authorize {
(4) - nagios_check {
(4) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") {
(4) - ...
(4) - }
(4) - } # nagios_check (notfound)
(4) - wism_check {
(4) - if (User-Name =~ /wism-check/ ) {
(4) - ...
(4) - }
(4) - } # wism_check (notfound)
(4) - filter_duff_realms {
(4) - if (User-Name =~ /\\.ax\\.uk$/i ) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /\\.sc\\.uk$/i ) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /\\.ac\\.u$/i ) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /lboro$/i ) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /3gppnetwork\\.org$/i) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /myabc\\.com$/i) {
(4) - ...
(4) - }
(4) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) {
(4) - ...
(4) - }
(4) - } # filter_duff_realms (notfound)
(4) - filter_username {
(4) - if (!&User-Name) {
(4) - ...
(4) - }
(4) - if (&User-Name =~ / /) {
(4) - ...
(4) - }
(4) - if (&User-Name =~ /@.*@/ ) {
(4) - ...
(4) - }
(4) - if (&User-Name =~ /\.\./ ) {
(4) - ...
(4) - }
(4) - if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) - ...
(4) - }
(4) - if (&User-Name =~ /\.$/) {
(4) - ...
(4) - }
(4) - if (&User-Name =~ /@\./) {
(4) - ...
(4) - }
(4) - } # filter_username (notfound)
(4) preprocess (ok)
(4) operator-name.authorize {
(4) if ("%{client:Operator-Name}") {
(4) EXPAND %{client:Operator-Name}
(4) -->
(4) ...
(4) }
(4) } # operator-name.authorize (ok)
(4) cui.authorize {
(4) if ("%{client:add_cui}" == 'yes') {
(4) EXPAND %{client:add_cui}
(4) --> yes
(4) update request {
(4) &Chargeable-User-Identity := 0x00
(4) } # update request (noop)
(4) } # if ("%{client:add_cui}" == 'yes') (noop)
(4) } # cui.authorize (noop)
(4) suffix - Checking for suffix after "@"
(4) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon@lboro.ac.uk"
(4) suffix - Found realm "lboro.ac.uk"
(4) suffix - Adding Stripped-User-Name = "anon"
(4) suffix - Adding Realm = "lboro.ac.uk"
(4) suffix - Authentication realm is LOCAL
(4) suffix (ok)
(4) ntdomain - Request already has destination realm set. Ignoring
(4) ntdomain (noop)
(4) if ( Called-Station-Id =~ /:eduroam$/ ) {
(4) ...
(4) }
(4) elsif ( Called-Station-Id =~ /.*:YST$/ ) {
(4) ...
(4) }
(4) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) {
(4) EXPAND %{client:group}
(4) --> wireless
(4) ...
(4) }
(4) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) {
(4) ...
(4) }
(4) elsif (User-Name =~ /\@ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) {
(4) ...
(4) }
(4) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) {
(4) ...
(4) }
(4) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) {
(4) ...
(4) }
(4) elsif ( Realm == "lsu.co.uk" ) {
(4) ...
(4) }
(4) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
(4) ...
(4) }
(4) else {
(4) update request {
(4) &Realm := local
(4) } # update request (noop)
(4) } # else (noop)
(4) eap - Peer sent EAP Response (code 2) ID 6 length 6
(4) eap - Continuing tunnel setup
(4) eap (ok)
(4) } # authorize (ok)
(4) Using 'Auth-Type = eap' for authenticate {...}
(4) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro
(4) authenticate {
(4) eap - Peer sent packet with EAP method PEAP (25)
(4) eap - Calling submodule eap_peap to process data
(4) eap_peap - Continuing EAP-TLS
(4) eap_peap - Peer ACKed our handshake fragment
(4) eap_peap - [eap-tls verify] = request
(4) eap_peap - Sending final TLS record fragment (917 bytes)
(4) eap_peap - [eap-tls process] = handled
(4) eap - Sending EAP Request (code 1) ID 7 length 923
(4) eap (handled)
(4) } # authenticate (handled)
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro
(4) Sent Access-Challenge Id 252 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0
(4) EAP-Message = 0x0107039b19007d6e67ce70384eded3ef06352db77da33a308201050603551d230481fd3081fa80140cf5aa7d6e67ce70384eded3ef06352db77da33aa181d6a481d33081d0310b3009060355040613024742311730150603550408130e4c65696365737465727368697265311530130603550407130c4c
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x05015100148ca6ec523c504e518c74e2
(4) Finished request
Waking up in 1.9 seconds.
(5) - Received Access-Request Id 253 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 473
(5) - User-Name = "anon@lboro.ac.uk"
(5) - Chargeable-User-Identity = 0x00
(5) - Location-Capable = Civix-Location
(5) - Calling-Station-Id = "18-cf-5e-12-75-c1"
(5) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree"
(5) - NAS-Port = 13
(5) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b"
(5) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789"
(5) - NAS-IP-Address = 10.53.253.14
(5) - NAS-IPv6-Address = 2001:630:301:9101::14
(5) - NAS-Identifier = "wism-sport-park-3"
(5) - Airespace-Wlan-Id = 3
(5) - Service-Type = Framed-User
(5) - Framed-MTU = 1300
(5) - NAS-Port-Type = Wireless-802.11
(5) - Tunnel-Type:0 = VLAN
(5) - Tunnel-Medium-Type:0 = IEEE-802
(5) - Tunnel-Private-Group-Id:0 = "1112"
(5) - EAP-Message = 0x020700a01980000000961603020046100000424104a1568ed754dd3f72a95e77cd1df1c55abf297742c6079bb39cdecf1f53cf855797776f56e08eacd682c5125da973f5f90ae119460d913d6b4757b78f288010651403020001011603020040fda3db9fe7afd24c7177fcafd292f1419d55de5910015b
(5) - State = 0x05015100148ca6ec523c504e518c74e2
(5) - Message-Authenticator = 0xe49aaca6ee4e0e1119ed3410ae02cb7d
(5) - Running section authorize from file /etc/raddb/sites-enabled/lboro
(5) - authorize {
(5) - nagios_check {
(5) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") {
(5) - ...
(5) - }
(5) - } # nagios_check (notfound)
(5) - wism_check {
(5) - if (User-Name =~ /wism-check/ ) {
(5) - ...
(5) - }
(5) - } # wism_check (notfound)
(5) - filter_duff_realms {
(5) - if (User-Name =~ /\\.ax\\.uk$/i ) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /\\.sc\\.uk$/i ) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /\\.ac\\.u$/i ) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /lboro$/i ) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /3gppnetwork\\.org$/i) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /myabc\\.com$/i) {
(5) - ...
(5) - }
(5) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) {
(5) - ...
(5) - }
(5) - } # filter_duff_realms (notfound)
(5) - filter_username {
(5) - if (!&User-Name) {
(5) - ...
(5) - }
(5) - if (&User-Name =~ / /) {
(5) - ...
(5) - }
(5) - if (&User-Name =~ /@.*@/ ) {
(5) - ...
(5) - }
(5) - if (&User-Name =~ /\.\./ ) {
(5) - ...
(5) - }
(5) - if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) - ...
(5) - }
(5) - if (&User-Name =~ /\.$/) {
(5) - ...
(5) - }
(5) - if (&User-Name =~ /@\./) {
(5) - ...
(5) - }
(5) - } # filter_username (notfound)
(5) preprocess (ok)
(5) operator-name.authorize {
(5) if ("%{client:Operator-Name}") {
(5) EXPAND %{client:Operator-Name}
(5) -->
(5) ...
(5) }
(5) } # operator-name.authorize (ok)
(5) cui.authorize {
(5) if ("%{client:add_cui}" == 'yes') {
(5) EXPAND %{client:add_cui}
(5) --> yes
(5) update request {
(5) &Chargeable-User-Identity := 0x00
(5) } # update request (noop)
(5) } # if ("%{client:add_cui}" == 'yes') (noop)
(5) } # cui.authorize (noop)
(5) suffix - Checking for suffix after "@"
(5) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon at lboro.ac.uk"
(5) suffix - Found realm "lboro.ac.uk"
(5) suffix - Adding Stripped-User-Name = "anon"
(5) suffix - Adding Realm = "lboro.ac.uk"
(5) suffix - Authentication realm is LOCAL
(5) suffix (ok)
(5) ntdomain - Request already has destination realm set. Ignoring
(5) ntdomain (noop)
(5) if ( Called-Station-Id =~ /:eduroam$/ ) {
(5) ...
(5) }
(5) elsif ( Called-Station-Id =~ /.*:YST$/ ) {
(5) ...
(5) }
(5) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) {
(5) EXPAND %{client:group}
(5) --> wireless
(5) ...
(5) }
(5) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) {
(5) ...
(5) }
(5) elsif (User-Name =~ /\@ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) {
(5) ...
(5) }
(5) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) {
(5) ...
(5) }
(5) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) {
(5) ...
(5) }
(5) elsif ( Realm == "lsu.co.uk" ) {
(5) ...
(5) }
(5) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
(5) ...
(5) }
(5) else {
(5) update request {
(5) &Realm := local
(5) } # update request (noop)
(5) } # else (noop)
(5) eap - Peer sent EAP Response (code 2) ID 7 length 160
(5) eap - Continuing tunnel setup
(5) eap (ok)
(5) } # authorize (ok)
(5) Using 'Auth-Type = eap' for authenticate {...}
(5) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro
(5) authenticate {
(5) eap - Peer sent packet with EAP method PEAP (25)
(5) eap - Calling submodule eap_peap to process data
(5) eap_peap - Continuing EAP-TLS
(5) eap_peap - Peer indicated complete TLS record size will be 150 bytes
(5) eap_peap - Got complete TLS record, with length field (150 bytes)
(5) eap_peap - [eap-tls verify] = ok
(5) eap_peap - <<< recv handshake [length 70], client_key_exchange
(5) eap_peap - TLS Accept: SSLv3 read client key exchange A
(5) eap_peap - <<< recv change_cipher_spec [length 1]
(5) eap_peap - <<< recv handshake [length 16], finished
(5) eap_peap - TLS Accept: SSLv3 read finished A
(5) eap_peap - >>> send change_cipher_spec [length 1]
(5) eap_peap - TLS Accept: SSLv3 write change cipher spec A
(5) eap_peap - >>> send handshake [length 16], finished
(5) eap_peap - TLS Accept: SSLv3 write finished A
(5) eap_peap - TLS Accept: SSLv3 flush data
(5) eap_peap - &TLS-Session-Id = 0x76d5549bfc2e548e73d1176bbe9daa36dc0d0a1d16dc467e8a51b4989a04fd65
(5) eap_peap - &config:TLS-Session-Cache-Action = Write
(5) eap_peap - &session-state:TLS-Session-Data = 0x308181020101020203020402c014042076d5549bfc2e548e73d1176bbe9daa36dc0d0a1d16dc467e8a51b4989a04fd650430c180225ce975cca326ffd8557be08a6827c3c8b8f1010231e9160c29a7e8b14285cdd2956228049c70c3494a7d0ed6bda106020456d5a18ba2040202012ca412041046
(5) Running Autz-Type Session-Cache-Write from file /etc/raddb/sites-enabled/tls-cache
(5) Autz-Type Session-Cache-Write {
(5) update control {
(5) &control:Cache-TTL := 0
(5) } # update control (noop)
(5) cache_tls_session - Key "v\325T\233\374.T\216s\321\027k\276\235\2526\334\r\n\035\026\334F~\212Q\264\230\232\004\375e" -> slot 6093
(5) cache_tls_session - Reserved connection (0)
(5) cache_tls_session - [3] >>> Sending command(s) to 158.125.160.61:6379
(5) cache_tls_session - [3] <<< Returned: success
(5) cache_tls_session - Released connection (0)
(5) cache_tls_session - No cache entry found for "v\325T\233\374.T\216s\321\027k\276\235\2526\334\r\n\035\026\334F~\212Q\264\230\232\004\375e"
(5) cache_tls_session - Creating new cache entry
(5) cache_tls_session - &session-state:TLS-Session-Data := &session-state:TLS-Session-Data -> 0x308181020101020203020402c014042076d5549bfc2e548e73d1176bbe9daa36dc0d0a1d16dc467e8a51b4989a04fd650430c180225ce975cca326ffd8557be08a6827c3c8b8f1010231e9160c29a7e8b14285cdd2956228049c70c3494a7d0ed6bda106020456d5a18ba2040202012ca412041046522065617020307832386434353130
(5) cache_tls_session - Key "v\325T\233\374.T\216s\321\027k\276\235\2526\334\r\n\035\026\334F~\212Q\264\230\232\004\375e" -> slot 6093
(5) cache_tls_session - Reserved connection (1)
(5) cache_tls_session - [3] >>> Sending command(s) to 158.125.160.61:6379
(5) cache_tls_session - [3] <<< Returned: success
(5) cache_tls_session - Released connection (1)
(5) cache_tls_session - Committed entry, TTL 3600 seconds
(5) cache_tls_session - Removing &control:Cache-TTL
(5) cache_tls_session (ok)
(5) } # Autz-Type Session-Cache-Write (ok)
(5) eap_peap - SSL negotiation finished successfully
(5) eap_peap - TLS established with cipher suite: ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
(5) eap_peap - Sending complete TLS record (75 bytes)
(5) eap_peap - [eap-tls process] = handled
(5) eap - Sending EAP Request (code 1) ID 8 length 85
(5) eap (handled)
(5) } # authenticate (handled)
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro
(5) Sent Access-Challenge Id 253 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0
(5) EAP-Message = 0x0108005519800000004b1403020001011603020040c4d3afd74b9a05f561d6b102b9650cfbedd82c0fbec9829aedc29f7522df2d1eaf21e1521aee2dbea62ed8ccfd75b59c28289fddff69b2a7b403ed50e789fec1
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x060351002306bedc523c504e518c74e2
(5) Finished request
Waking up in 1.9 seconds.
(6) - Received Accounting-Request Id 72 from 10.51.2.44:1646 to 158.125.161.128:1813 via ens160 length 127
(6) - Acct-Session-Id = "00001ED6"
(6) - Calling-Station-Id = "E8-94-F6-E3-73-EC"
(6) - Acct-Authentic = Local
(6) - Acct-Status-Type = Start
(6) - NAS-Port-Type = Ethernet
(6) - NAS-Port = 50002
(6) - NAS-Port-Id = "FastEthernet0/2"
(6) - Called-Station-Id = "00-1B-8F-1A-17-82"
(6) - Service-Type = Framed-User
(6) - NAS-IP-Address = 10.51.2.44
(6) - Acct-Delay-Time = 20
(6) - Running section preacct from file /etc/raddb/sites-enabled/lboro
(6) - preacct {
(6) preprocess (ok)
(6) acct_counters64.preacct {
(6) update request {
(6) EXPAND %{expr:(&Acct-Input-Gigawords << 32) | &Acct-Input-Octets}
(6) WARNING: Can't find &Acct-Input-Gigawords. Using 0 as operand value
(6) WARNING: Can't find &Acct-Input-Octets. Using 0 as operand value
(6) --> 0
(6) &Acct-Input-Octets64 = 0
(6) EXPAND %{expr:(&Acct-Output-Gigawords << 32) | &Acct-Output-Octets}
(6) WARNING: Can't find &Acct-Output-Gigawords. Using 0 as operand value
(6) WARNING: Can't find &Acct-Output-Octets. Using 0 as operand value
(6) --> 0
(6) &Acct-Output-Octets64 = 0
(6) } # update request (noop)
(6) } # acct_counters64.preacct (noop)
(6) update request {
(6) EXPAND %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}
(6) --> 1456841080
(6) &FreeRADIUS-Acct-Session-Start-Time = Mar 1 2016 14:04:40 GMT
(6) } # update request (noop)
(6) acct_unique {
(6) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(6) EXPAND %{string:Class}
(6) -->
(6) ...
(6) }
(6) else {
(6) update request {
(6) EXPAND %{md5:%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(6) --> 0da3dd9e2370ee8eb568667ef3bea757
(6) &Acct-Unique-Session-Id := 0da3dd9e2370ee8eb568667ef3bea757
(6) } # update request (noop)
(6) } # else (noop)
(6) } # acct_unique (noop)
(6) suffix (noop)
(6) ntdomain (noop)
(6) files (noop)
(6) } # preacct (ok)
(6) Running section accounting from file /etc/raddb/sites-enabled/lboro
(6) accounting {
(6) if (Acct-Session-Time != 0) {
(6) ERROR: Condition evaluation failed because the value of an operand could not be determined
(6) ...
(6) }
(6) sql - EXPAND %{tolower:type.%{%{Acct-Status-Type}:-none}.query}
(6) sql - --> type.start.query
(6) sql - Using query template 'query'
(6) sql - Reserved connection (0)
(6) sql - EXPAND %{User-Name}
(6) sql - -->
(6) sql - SQL-User-Name set to ''
(6) sql - EXPAND INSERT INTO staffbaseschema.radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet)
(6) sql - --> INSERT INTO staffbaseschema.radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('00001ED6', '0da3dd9e2370ee8eb568667ef3bea757', '', NULLIF('', ''), '10.51.2.44', NULLIF('FastEthernet0/2', ''), 'Ethernet', TO_TIMESTAMP(1456841080), TO_TIMESTAMP(1456841080), NULL, 0, 'Local', '', NULL, 0, 0, '00-1B-8F-1A-17-82', 'E8-94-F6-E3-73-EC', NULL, 'Framed-User', '', NULLIF('', '')::inet)
(6) sql - Executing query: INSERT INTO staffbaseschema.radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('00001ED6', '0da3dd9e2370ee8eb568667ef3bea757', '', NULLIF('', ''), '10.51.2.44', NULLIF('FastEthernet0/2', ''), 'Ethernet', TO_TIMESTAMP(1456841080), TO_TIMESTAMP(1456841080), NULL, 0, 'Local', '', NULL, 0, 0, '00-1B-8F-1A-17-82', 'E8-94-F6-E3-73-EC', NULL, 'Framed-User', '', NULLIF('', '')::inet)
rlm_sql_postgresql - Status: PGRES_COMMAND_OK
rlm_sql_postgresql - query affected rows = 1
(6) sql - SQL query returned: success
(6) sql - 1 record(s) updated
(6) sql - Released connection (0)
(6) sql (ok)
(6) if (noop) {
(6) ...
(6) }
(6) attr_filter.accounting_response - EXPAND %{User-Name}
(6) attr_filter.accounting_response - -->
(6) attr_filter.accounting_response - Matched entry DEFAULT at line 12
(6) attr_filter.accounting_response (updated)
(6) } # accounting (updated)
(6) Sent Accounting-Response Id 72 from 158.125.161.128:1813 to 10.51.2.44:1646 via ens160 length 0
(6) Finished request
(6) Cleaning up request packet ID 72 with timestamp +4
Waking up in 1.6 seconds.
(7) - Received Access-Request Id 254 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 319
(7) - User-Name = "anon at lboro.ac.uk"
(7) - Chargeable-User-Identity = 0x00
(7) - Location-Capable = Civix-Location
(7) - Calling-Station-Id = "18-cf-5e-12-75-c1"
(7) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree"
(7) - NAS-Port = 13
(7) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b"
(7) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789"
(7) - NAS-IP-Address = 10.53.253.14
(7) - NAS-IPv6-Address = 2001:630:301:9101::14
(7) - NAS-Identifier = "wism-sport-park-3"
(7) - Airespace-Wlan-Id = 3
(7) - Service-Type = Framed-User
(7) - Framed-MTU = 1300
(7) - NAS-Port-Type = Wireless-802.11
(7) - Tunnel-Type:0 = VLAN
(7) - Tunnel-Medium-Type:0 = IEEE-802
(7) - Tunnel-Private-Group-Id:0 = "1112"
(7) - EAP-Message = 0x020800061900
(7) - State = 0x060351002306bedc523c504e518c74e2
(7) - Message-Authenticator = 0xf70d79e724c5206f4b6e87dbae453927
(7) - Running section authorize from file /etc/raddb/sites-enabled/lboro
(7) - authorize {
(7) - nagios_check {
(7) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") {
(7) - ...
(7) - }
(7) - } # nagios_check (notfound)
(7) - wism_check {
(7) - if (User-Name =~ /wism-check/ ) {
(7) - ...
(7) - }
(7) - } # wism_check (notfound)
(7) - filter_duff_realms {
(7) - if (User-Name =~ /\\.ax\\.uk$/i ) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /\\.sc\\.uk$/i ) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /\\.ac\\.u$/i ) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /lboro$/i ) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /3gppnetwork\\.org$/i) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /myabc\\.com$/i) {
(7) - ...
(7) - }
(7) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) {
(7) - ...
(7) - }
(7) - } # filter_duff_realms (notfound)
(7) - filter_username {
(7) - if (!&User-Name) {
(7) - ...
(7) - }
(7) - if (&User-Name =~ / /) {
(7) - ...
(7) - }
(7) - if (&User-Name =~ /@.*@/ ) {
(7) - ...
(7) - }
(7) - if (&User-Name =~ /\.\./ ) {
(7) - ...
(7) - }
(7) - if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) - ...
(7) - }
(7) - if (&User-Name =~ /\.$/) {
(7) - ...
(7) - }
(7) - if (&User-Name =~ /@\./) {
(7) - ...
(7) - }
(7) - } # filter_username (notfound)
(7) preprocess (ok)
(7) operator-name.authorize {
(7) if ("%{client:Operator-Name}") {
(7) EXPAND %{client:Operator-Name}
(7) -->
(7) ...
(7) }
(7) } # operator-name.authorize (ok)
(7) cui.authorize {
(7) if ("%{client:add_cui}" == 'yes') {
(7) EXPAND %{client:add_cui}
(7) --> yes
(7) update request {
(7) &Chargeable-User-Identity := 0x00
(7) } # update request (noop)
(7) } # if ("%{client:add_cui}" == 'yes') (noop)
(7) } # cui.authorize (noop)
(7) suffix - Checking for suffix after "@"
(7) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon at lboro.ac.uk"
(7) suffix - Found realm "lboro.ac.uk"
(7) suffix - Adding Stripped-User-Name = "anon"
(7) suffix - Adding Realm = "lboro.ac.uk"
(7) suffix - Authentication realm is LOCAL
(7) suffix (ok)
(7) ntdomain - Request already has destination realm set. Ignoring
(7) ntdomain (noop)
(7) if ( Called-Station-Id =~ /:eduroam$/ ) {
(7) ...
(7) }
(7) elsif ( Called-Station-Id =~ /.*:YST$/ ) {
(7) ...
(7) }
(7) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) {
(7) EXPAND %{client:group}
(7) --> wireless
(7) ...
(7) }
(7) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) {
(7) ...
(7) }
(7) elsif (User-Name =~ /\@ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) {
(7) ...
(7) }
(7) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) {
(7) ...
(7) }
(7) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) {
(7) ...
(7) }
(7) elsif ( Realm == "lsu.co.uk" ) {
(7) ...
(7) }
(7) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
(7) ...
(7) }
(7) else {
(7) update request {
(7) &Realm := local
(7) } # update request (noop)
(7) } # else (noop)
(7) eap - Peer sent EAP Response (code 2) ID 8 length 6
(7) eap - Continuing tunnel setup
(7) eap (ok)
(7) } # authorize (ok)
(7) Using 'Auth-Type = eap' for authenticate {...}
(7) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro
(7) authenticate {
(7) eap - Peer sent packet with EAP method PEAP (25)
(7) eap - Calling submodule eap_peap to process data
(7) eap_peap - Continuing EAP-TLS
(7) eap_peap - Peer ACKed our handshake fragment. handshake is finished
(7) eap_peap - [eap-tls verify] = success
(7) eap_peap - [eap-tls process] = success
(7) eap_peap - Session established. Decoding tunneled data
(7) eap_peap - PEAP state TUNNEL ESTABLISHED
(7) eap_peap - Sending complete TLS record (53 bytes)
(7) eap - Sending EAP Request (code 1) ID 9 length 63
(7) eap (handled)
(7) } # authenticate (handled)
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro
(7) Sent Access-Challenge Id 254 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0
(7) EAP-Message = 0x0109003f198000000035170302003094eda224ed5bd67356b6b9e5e9cb3f4e402a8774515ad7ff767acd2a8960e9fa58e5020503986828312b7c8b944a0e61
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x07015100148ca6ec523c504e518c74e2
(7) Finished request
Waking up in 0.8 seconds.
(0) Cleaning up request packet ID 248 with timestamp +3
(1) Cleaning up request packet ID 249 with timestamp +3
(2) Cleaning up request packet ID 250 with timestamp +3
(3) Cleaning up request packet ID 251 with timestamp +3
(4) Cleaning up request packet ID 252 with timestamp +3
(5) Cleaning up request packet ID 253 with timestamp +3
Waking up in 1.0 seconds.
(7) Cleaning up request packet ID 254 with timestamp +5
Ready to process requests