Certificate problem between 3.0.11 and 3.1.x

Jonathan Gazeley Jonathan.Gazeley at bristol.ac.uk
Tue Mar 15 16:14:01 CET 2016


I've been migrating our RADIUS estate from 2.2.9 and 3.0.11 to 3.1.x, 
built from git. Thanks to help from this list last week I've got eduroam 
working successfully. I'm now struggling to get another SSID (machine 
authentication for domain-joined Windows PCs) to work.

I can see that it is printing the warning:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! EAP session 0x2ab6bf0 did not finish!                          !!
!! See http://wiki.freeradius.org/guide/Certificate_Compatibility !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

however the same certificate works properly on 3.0.11. Has there been a 
change of behaviour in the server?

Thanks,
Jonathan

FreeRADIUS Version 3.1.0
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including files in directory /etc/raddb/clients.d/
including configuration file /etc/raddb/clients.d/WISM7.conf
including configuration file /etc/raddb/clients.d/YEOVIL.conf
including configuration file /etc/raddb/clients.d/WISM8.conf
including configuration file /etc/raddb/clients.d/WISM2.conf
including configuration file /etc/raddb/clients.d/NHS-JA-GW.conf
including configuration file /etc/raddb/clients.d/WISM2-HA.conf
including configuration file /etc/raddb/clients.d/localhost.conf
including configuration file /etc/raddb/clients.d/WISM5-HA.conf
including configuration file /etc/raddb/clients.d/WISM6.conf
including configuration file /etc/raddb/clients.d/roaming2.ja.net.conf
including configuration file /etc/raddb/clients.d/WISM3.conf
including configuration file /etc/raddb/clients.d/WISM6-HA.conf
including configuration file /etc/raddb/clients.d/roaming1.ja.net-v6.conf
including configuration file /etc/raddb/clients.d/monitor.conf
including configuration file /etc/raddb/clients.d/roaming1.ja.net.conf
including configuration file /etc/raddb/clients.d/WISM4-HA.conf
including configuration file /etc/raddb/clients.d/ENGINE-SHED.conf
including configuration file /etc/raddb/clients.d/NBHT.conf
including configuration file /etc/raddb/clients.d/roaming0.ja.net.conf
including configuration file /etc/raddb/clients.d/WISM5.conf
including configuration file /etc/raddb/clients.d/BCC110.conf
including configuration file /etc/raddb/clients.d/WISM1-HA.conf
including configuration file /etc/raddb/clients.d/testswitch.conf
including configuration file /etc/raddb/clients.d/UBHT120.conf
including configuration file /etc/raddb/clients.d/WISM7-HA.conf
including configuration file /etc/raddb/clients.d/adminctrl.conf
including configuration file /etc/raddb/clients.d/monitor-dev.conf
including configuration file /etc/raddb/clients.d/WISM4.conf
including configuration file /etc/raddb/clients.d/UBHT169.conf
including configuration file /etc/raddb/clients.d/WISM1.conf
including configuration file /etc/raddb/clients.d/TAUNTON-NEW.conf
including configuration file /etc/raddb/clients.d/F5.conf
including configuration file /etc/raddb/clients.d/roaming2.ja.net-v6.conf
including configuration file /etc/raddb/clients.d/WISM3-HA.conf
including configuration file /etc/raddb/clients.d/WISM9.conf
including configuration file /etc/raddb/clients.d/roaming0.ja.net-v6.conf
including configuration file /etc/raddb/clients.d/WISM12.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/rainbowpreprocess
including configuration file /etc/raddb/mods-enabled/uobdetail
including configuration file /etc/raddb/mods-enabled/rainbowmschap
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/files-eduroam
including configuration file /etc/raddb/mods-enabled/linelog
/etc/raddb/mods-enabled/linelog[114]: Reference "${..pool}" not found
/etc/raddb/mods-enabled/linelog[127]: Reference "${..pool}" not found
including configuration file /etc/raddb/mods-enabled/vpimschap
including configuration file /etc/raddb/mods-enabled/rainbowlog
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/eduroameap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/eduroamvlan
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/uobldap
including configuration file /etc/raddb/mods-enabled/uobsql-write
including configuration file 
/etc/raddb/mods-config/uobsql-write-queries.conf
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/eduroamlioneap
including configuration file /etc/raddb/mods-enabled/logtofile
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/rainbowfiles
including configuration file /etc/raddb/mods-enabled/logtosyslog
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/eduroammschap
including configuration file /etc/raddb/mods-enabled/uobsql
including configuration file /etc/raddb/mods-config/uobsql-queries.conf
including configuration file /etc/raddb/mods-enabled/eduroaminfo
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/vpieap
including configuration file /etc/raddb/mods-enabled/rainboweap
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/templates.conf
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/policies
including configuration file /etc/raddb/policy.d/normalization
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/eduroam-realm-checks.conf
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/get-ssid
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/vendor
including configuration file /etc/raddb/policy.d/logchecker
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/abfab-tr
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/rainbowmacauth
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/eduroam-partners
including configuration file /etc/raddb/sites-enabled/bristolresearchnet
including configuration file /etc/raddb/sites-enabled/rainbow-inner
including configuration file /etc/raddb/sites-enabled/uobconsoles
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/vpi-inner
including configuration file /etc/raddb/sites-enabled/rainbow
including configuration file /etc/raddb/sites-enabled/eduroamalien
including configuration file /etc/raddb/sites-enabled/vpi
including configuration file /etc/raddb/sites-enabled/status
including files in directory /etc/raddb/statusclients.d/
including configuration file /etc/raddb/statusclients.d/localhost.conf
including configuration file /etc/raddb/statusclients.d/monitor-devv6.conf
including configuration file /etc/raddb/statusclients.d/monitor.conf
including configuration file /etc/raddb/statusclients.d/monitorv6.conf
including configuration file /etc/raddb/statusclients.d/monitor-dev.conf
including configuration file /etc/raddb/sites-enabled/eduroamlocal-acct
including configuration file /etc/raddb/sites-enabled/eduroamlocal-auth
including configuration file /etc/raddb/sites-enabled/eduroamlion-inner
including configuration file /etc/raddb/sites-enabled/rainboweap-tls
including configuration file /etc/raddb/sites-enabled/eduroam-inner
main {
  security {
  	user = "radiusd"
  	group = "radiusd"
  	allow_core_dumps = no
  }
	name = "radiusd"
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/radius"
	run_dir = "/var/run/radiusd"
}
main {
	name = "radiusd"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/radius"
	run_dir = "/var/run/radiusd"
	libdir = "/usr/lib64/freeradius"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	continuation_timeout = 15
	max_requests = 4096
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
  log {
  	stripped_names = no
  	auth = no
  	auth_badpass = no
  	auth_goodpass = no
  	colourise = yes
  	msg_denied = "You are already logged in - access denied"
  }
  resources {
  }
  security {
  	max_attributes = 200
  	reject_delay = 1.000000
  	status_server = yes
  	allow_vulnerable_openssl = "yes"
  }
}
radiusd: #### Loading Realms and Home Servers ####
  home_server jrs0 {
  	ipaddr = 194.82.174.185
  	port = 1812
  	type = "auth+acct"
  	proto = "udp"
  	secret = <<< secret >>>
  	response_window = 30.000000
  	response_timeouts = 1
  	max_outstanding = 65536
  	zombie_period = 40
  	status_check = "none"
  	ping_interval = 30
  	check_timeout = 4
  	num_answers_to_alive = 3
  	revive_interval = 300
   limit {
   	max_connections = 16
   	max_requests = 0
   	lifetime = 0
   	idle_timeout = 0
   }
   coa {
   	irt = 2
   	mrt = 16
   	mrc = 5
   	mrd = 30
   }
  }
  home_server jrs0v6 {
  	ipv6addr = 2001:630:1:128::185
  	port = 1812
  	type = "auth+acct"
  	proto = "udp"
  	secret = <<< secret >>>
  	response_window = 30.000000
  	response_timeouts = 1
  	max_outstanding = 65536
  	zombie_period = 40
  	status_check = "none"
  	ping_interval = 30
  	check_timeout = 4
  	num_answers_to_alive = 3
  	revive_interval = 300
   limit {
   	max_connections = 16
   	max_requests = 0
   	lifetime = 0
   	idle_timeout = 0
   }
   coa {
   	irt = 2
   	mrt = 16
   	mrc = 5
   	mrd = 30
   }
  }
  home_server jrs1 {
  	ipaddr = 194.83.56.233
  	port = 1812
  	type = "auth+acct"
  	proto = "udp"
  	secret = <<< secret >>>
  	response_window = 30.000000
  	response_timeouts = 1
  	max_outstanding = 65536
  	zombie_period = 40
  	status_check = "none"
  	ping_interval = 30
  	check_timeout = 4
  	num_answers_to_alive = 3
  	revive_interval = 300
   limit {
   	max_connections = 16
   	max_requests = 0
   	lifetime = 0
   	idle_timeout = 0
   }
   coa {
   	irt = 2
   	mrt = 16
   	mrc = 5
   	mrd = 30
   }
  }
  home_server jrs1v6 {
  	ipv6addr = 2001:630:1:12a::233
  	port = 1812
  	type = "auth+acct"
  	proto = "udp"
  	secret = <<< secret >>>
  	response_window = 30.000000
  	response_timeouts = 1
  	max_outstanding = 65536
  	zombie_period = 40
  	status_check = "none"
  	ping_interval = 30
  	check_timeout = 4
  	num_answers_to_alive = 3
  	revive_interval = 300
   limit {
   	max_connections = 16
   	max_requests = 0
   	lifetime = 0
   	idle_timeout = 0
   }
   coa {
   	irt = 2
   	mrt = 16
   	mrc = 5
   	mrd = 30
   }
  }
  home_server jrs2 {
  	ipaddr = 194.83.56.249
  	port = 1812
  	type = "auth+acct"
  	proto = "udp"
  	secret = <<< secret >>>
  	response_window = 30.000000
  	response_timeouts = 1
  	max_outstanding = 65536
  	zombie_period = 40
  	status_check = "none"
  	ping_interval = 30
  	check_timeout = 4
  	num_answers_to_alive = 3
  	revive_interval = 300
   limit {
   	max_connections = 16
   	max_requests = 0
   	lifetime = 0
   	idle_timeout = 0
   }
   coa {
   	irt = 2
   	mrt = 16
   	mrc = 5
   	mrd = 30
   }
  }
  home_server jrs2v6 {
  	ipv6addr = 2001:630:1:129::249
  	port = 1812
  	type = "auth+acct"
  	proto = "udp"
  	secret = <<< secret >>>
  	response_window = 30.000000
  	response_timeouts = 1
  	max_outstanding = 65536
  	zombie_period = 40
  	status_check = "none"
  	ping_interval = 30
  	check_timeout = 4
  	num_answers_to_alive = 3
  	revive_interval = 300
   limit {
   	max_connections = 16
   	max_requests = 0
   	lifetime = 0
   	idle_timeout = 0
   }
   coa {
   	irt = 2
   	mrt = 16
   	mrc = 5
   	mrd = 30
   }
  }
  home_server radius-dev {
  	ipaddr = 137.222.7.119
  	port = 16006
  	type = "auth+acct"
  	proto = "udp"
  	secret = <<< secret >>>
  	response_window = 30.000000
  	response_timeouts = 1
  	max_outstanding = 65536
  	zombie_period = 40
  	status_check = "none"
  	ping_interval = 30
  	check_timeout = 4
  	num_answers_to_alive = 3
  	revive_interval = 300
   limit {
   	max_connections = 16
   	max_requests = 0
   	lifetime = 0
   	idle_timeout = 0
   }
   coa {
   	irt = 2
   	mrt = 16
   	mrc = 5
   	mrd = 30
   }
  }
  home_server radius-dev-v6 {
  	ipv6addr = 2001:630:e4:81:137:222:7:119
  	port = 16006
  	type = "auth+acct"
  	proto = "udp"
  	secret = <<< secret >>>
  	response_window = 30.000000
  	response_timeouts = 1
  	max_outstanding = 65536
  	zombie_period = 40
  	status_check = "none"
  	ping_interval = 30
  	check_timeout = 4
  	num_answers_to_alive = 3
  	revive_interval = 300
   limit {
   	max_connections = 16
   	max_requests = 0
   	lifetime = 0
   	idle_timeout = 0
   }
   coa {
   	irt = 2
   	mrt = 16
   	mrc = 5
   	mrd = 30
   }
  }
  realm LOCAL {
  }
  realm bris.ac.uk {
  }
  realm bristol.ac.uk {
  }
  home_server_pool dev {
	type = fail-over
	home_server = radius-dev
	home_server = radius-dev-v6
  }
  realm dev {
	pool = dev
  }
  home_server_pool jrs {
	type = fail-over
	home_server = jrs1v6
	home_server = jrs2v6
	home_server = jrs1
	home_server = jrs0v6
	home_server = jrs2
	home_server = jrs0
  }
  realm jrs {
	pool = jrs
	nostrip
  }
  realm lion.bristol.ac.uk {
  }
  realm my.bristol.ac.uk {
  }
radiusd: #### Loading Clients ####
  client WISM7 {
  	ipaddr = 172.17.107.207
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WISM7"
  	nas_type = "cisco"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client YEOVIL {
  	ipaddr = 195.171.105.146
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "YEOVIL"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client WISM8 {
  	ipaddr = 172.17.107.208
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WISM8"
  	nas_type = "cisco"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client WISM2 {
  	ipaddr = 172.17.107.202
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WISM2"
  	nas_type = "cisco"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client NHS-JA-GW {
  	ipaddr = 194.176.105.96/28
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "NHS-JA-GW"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client WISM2-HA {
  	ipaddr = 172.17.107.102
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WISM2-HA"
  	nas_type = "cisco"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client localhost {
  	ipaddr = 127.0.0.1
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "localhost"
  	nas_type = "other"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client WISM5-HA {
  	ipaddr = 172.17.107.105
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WISM5-HA"
  	nas_type = "cisco"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client WISM6 {
  	ipaddr = 172.17.107.206
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WISM6"
  	nas_type = "cisco"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client roaming2.ja.net {
  	ipaddr = 194.83.56.249
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "roaming2.ja.net"
  	virtual_server = "eduroamalien"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client WISM3 {
  	ipaddr = 172.17.107.203
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WISM3"
  	nas_type = "cisco"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client WISM6-HA {
  	ipaddr = 172.17.107.106
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WISM6-HA"
  	nas_type = "cisco"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client roaming1.ja.net-v6 {
  	ipv6addr = 2001:630:1:12a::233
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "roaming1.ja.net-v6"
  	virtual_server = "eduroamalien"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client monitor {
  	ipaddr = 137.222.7.147
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "monitor"
  	nas_type = "other"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client roaming1.ja.net {
  	ipaddr = 194.83.56.233
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "roaming1.ja.net"
  	virtual_server = "eduroamalien"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client WISM4-HA {
  	ipaddr = 172.17.107.104
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WISM4-HA"
  	nas_type = "cisco"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client ENGINE-SHED {
  	ipaddr = 172.21.120.253
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "ENGINE-SHED"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client NBHT {
  	ipaddr = 82.33.242.34
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "NBHT"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client roaming0.ja.net {
  	ipaddr = 194.82.174.185
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "roaming0.ja.net"
  	virtual_server = "eduroamalien"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client WISM5 {
  	ipaddr = 172.17.107.205
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WISM5"
  	nas_type = "cisco"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client BCC110 {
  	ipaddr = 193.35.235.110
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "BCC110"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client WISM1-HA {
  	ipaddr = 172.17.107.101
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WISM1-HA"
  	nas_type = "cisco"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client testswitch {
  	ipaddr = 172.17.51.30
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "testswitch"
  	nas_type = "cisco"
  	virtual_server = "rainbow"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client UBHT120 {
  	ipaddr = 10.160.155.120
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "UBHT120"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client WISM7-HA {
  	ipaddr = 172.17.107.107
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WISM7-HA"
  	nas_type = "cisco"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client adminctrl {
  	ipaddr = 172.17.0.0/16
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "adminctrl"
  	nas_type = "cisco"
  	virtual_server = "rainbow"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client monitor-dev {
  	ipaddr = 137.222.8.103
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "monitor-dev"
  	nas_type = "other"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client WISM4 {
  	ipaddr = 172.17.107.204
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WISM4"
  	nas_type = "cisco"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client UBHT169 {
  	ipaddr = 10.160.156.169
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "UBHT169"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client WISM1 {
  	ipaddr = 172.17.107.201
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WISM1"
  	nas_type = "cisco"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client TAUNTON-NEW {
  	ipaddr = 109.176.101.162
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "TAUNTON-NEW"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client F5 {
  	ipaddr = 137.222.250.0/24
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "F5"
  	nas_type = "other"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client roaming2.ja.net-v6 {
  	ipv6addr = 2001:630:1:129::249
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "roaming2.ja.net-v6"
  	virtual_server = "eduroamalien"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client WISM3-HA {
  	ipaddr = 172.17.107.103
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WISM3-HA"
  	nas_type = "cisco"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client WISM9 {
  	ipaddr = 172.17.107.209
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WISM9"
  	nas_type = "cisco"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client roaming0.ja.net-v6 {
  	ipv6addr = 2001:630:1:128::185
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "roaming0.ja.net-v6"
  	virtual_server = "eduroamalien"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client WISM12 {
  	ipaddr = 172.17.107.212
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WISM12"
  	nas_type = "cisco"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
Debugger not attached
  thread pool {
  	start_servers = 5
  	max_servers = 256
  	min_spare_servers = 3
  	max_spare_servers = 10
  	max_requests_per_server = 0
  	cleanup_delay = 5
  	max_queue_size = 65536
  	auto_limit_acct = no
  }
WARNING: Ignoring "max_spare_servers = 10", forcing to 
"max_spare_servers = 3"
listen {
  	type = "control"
  listen {
  	socket = "/var/run/radiusd/control/radiusd.sock"
  	mode = "rw"
  	peercred = yes
  }
}
listen {
   	type = "auth"
   	ipaddr = *
   	port = 1645
   	recv_buff = 0
}
listen {
   	type = "acct"
   	ipaddr = *
   	port = 1646
   	recv_buff = 0
}
listen {
   	type = "auth"
   	ipaddr = *
   	port = 16061
   	recv_buff = 0
}
listen {
   	type = "acct"
   	ipaddr = *
   	port = 16062
   	recv_buff = 0
}
listen {
   	type = "auth"
   	ipaddr = *
   	port = 16063
   	recv_buff = 0
}
listen {
   	type = "acct"
   	ipaddr = *
   	port = 16064
   	recv_buff = 0
}
   # Creating Autz-Type = Status-Server
   # Creating Auth-Type = eduroameap
   # Creating Auth-Type = eduroamlioneap
   # Creating Acct-Type = Status-Server
listen {
   	type = "auth"
   	ipaddr = *
   	port = 16014
   	recv_buff = 0
}
listen {
   	type = "acct"
   	ipaddr = *
   	port = 16015
   	recv_buff = 0
}
   # Creating Auth-Type = PAP
   # Creating Auth-Type = MS-CHAP
   # Creating Auth-Type = rainboweap
listen {
   	type = "auth"
   	ipaddr = *
   	port = 16018
   	recv_buff = 0
}
   # Creating Auth-Type = vpieap
listen {
   	type = "auth"
   	ipaddr = *
   	port = 16028
   	recv_buff = 0
}
listen {
   	type = "acct"
   	ipaddr = *
   	port = 16029
   	recv_buff = 0
}
listen {
   	type = "auth"
   	ipaddr = *
   	port = 1812
   	recv_buff = 0
}
listen {
   	type = "auth"
   	ipv6addr = ::
   	port = 1812
   	recv_buff = 0
}
listen {
   	type = "auth"
   	ipaddr = *
   	port = 16020
   	recv_buff = 0
}
listen {
   	type = "acct"
   	ipaddr = *
   	port = 16021
   	recv_buff = 0
}
listen {
   	type = "status"
   	ipaddr = *
   	port = 18120
   	recv_buff = 0
   client localhost {
   	ipaddr = 127.0.0.1
   	require_message_authenticator = no
   	secret = <<< secret >>>
   	shortname = "localhost"
    limit {
    	max_connections = 16
    	lifetime = 0
    	idle_timeout = 30
    }
   }
   client monitor-devv6 {
   	ipv6addr = 2001:630:e4:81:137:222:8:103
   	require_message_authenticator = no
   	secret = <<< secret >>>
   	shortname = "monitor-devv6"
    limit {
    	max_connections = 16
    	lifetime = 0
    	idle_timeout = 30
    }
   }
   client monitor {
   	ipaddr = 137.222.7.147
   	require_message_authenticator = no
   	secret = <<< secret >>>
   	shortname = "monitor"
    limit {
    	max_connections = 16
    	lifetime = 0
    	idle_timeout = 30
    }
   }
   client monitorv6 {
   	ipv6addr = 2001:630:e4:81:137:222:7:147
   	require_message_authenticator = no
   	secret = <<< secret >>>
   	shortname = "monitorv6"
    limit {
    	max_connections = 16
    	lifetime = 0
    	idle_timeout = 30
    }
   }
   client monitor-dev {
   	ipaddr = 137.222.8.103
   	require_message_authenticator = no
   	secret = <<< secret >>>
   	shortname = "monitor-dev"
    limit {
    	max_connections = 16
    	lifetime = 0
    	idle_timeout = 30
    }
   }
}
/etc/raddb/statusclients.d/localhost.conf[1]: Ignoring unknown 
sub-section "client"
/etc/raddb/statusclients.d/monitor-devv6.conf[1]: Ignoring unknown 
sub-section "client"
/etc/raddb/statusclients.d/monitor.conf[1]: Ignoring unknown sub-section 
"client"
/etc/raddb/statusclients.d/monitorv6.conf[1]: Ignoring unknown 
sub-section "client"
/etc/raddb/statusclients.d/monitor-dev.conf[1]: Ignoring unknown 
sub-section "client"
listen {
   	type = "acct"
   	ipaddr = *
   	port = 16007
   	recv_buff = 0
}
listen {
   	type = "auth"
   	ipaddr = *
   	port = 16006
   	recv_buff = 0
}
   # Creating Auth-Type = files-eduroam
radiusd: #### Loading modules ####
  modules {
   # Loaded module "rlm_detail"
   # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
   detail auth_log {
   	filename = 
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
   	header = "%t"
   	permissions = 384
   	locking = no
   	escape_filenames = no
   	log_packet_header = no
   }
   # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
   detail reply_log {
   	filename = 
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
   	header = "%t"
   	permissions = 384
   	locking = no
   	escape_filenames = no
   	log_packet_header = no
   }
   # Loading module "pre_proxy_log" from file 
/etc/raddb/mods-enabled/detail.log
   detail pre_proxy_log {
   	filename = 
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
   	header = "%t"
   	permissions = 384
   	locking = no
   	escape_filenames = no
   	log_packet_header = no
   }
   # Loading module "post_proxy_log" from file 
/etc/raddb/mods-enabled/detail.log
   detail post_proxy_log {
   	filename = 
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
   	header = "%t"
   	permissions = 384
   	locking = no
   	escape_filenames = no
   	log_packet_header = no
   }
   # Loaded module "rlm_preprocess"
   # Loading module "rainbowpreprocess" from file 
/etc/raddb/mods-enabled/rainbowpreprocess
   preprocess rainbowpreprocess {
   	with_ascend_hack = no
   	ascend_channels_per_line = 23
   	with_ntdomain_hack = no
   	with_specialix_jetstream_hack = no
   	with_cisco_vsa_hack = yes
   	with_alvarion_vsa_hack = no
   }
   # Loading module "uob_detail" from file /etc/raddb/mods-enabled/uobdetail
   detail uob_detail {
   	filename = 
"/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/detail.log"
   	header = "%t"
   	permissions = 416
   	locking = no
   	escape_filenames = no
   	log_packet_header = no
   }
   # Loading module "uob_auth_log" from file 
/etc/raddb/mods-enabled/uobdetail
   detail uob_auth_log {
   	filename = 
"/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log"
   	header = "%t"
   	permissions = 384
   	locking = no
   	escape_filenames = no
   	log_packet_header = yes
   }
   # Loading module "uob_auth_log_password" from file 
/etc/raddb/mods-enabled/uobdetail
   detail uob_auth_log_password {
   	filename = 
"/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log"
   	header = "%t"
   	permissions = 384
   	locking = no
   	escape_filenames = no
   	log_packet_header = no
   }
   # Loading module "uob_reply_log" from file 
/etc/raddb/mods-enabled/uobdetail
   detail uob_reply_log {
   	filename = 
"/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/reply-detail.log"
   	header = "%t"
   	permissions = 384
   	locking = no
   	escape_filenames = no
   	log_packet_header = no
   }
   # Loading module "uob_pre_proxy_log" from file 
/etc/raddb/mods-enabled/uobdetail
   detail uob_pre_proxy_log {
   	filename = 
"/var/log/radius/radacct/%{%{Virtual-Server}:-DEFAULT}/pre-proxy-detail.log"
   	header = "%t"
   	permissions = 384
   	locking = no
   	escape_filenames = no
   	log_packet_header = no
   }
   # Loading module "uob_post_proxy_log" from file 
/etc/raddb/mods-enabled/uobdetail
   detail uob_post_proxy_log {
   	filename = 
"/var/log/radius/radacct/%{%{Virtual-Server}:-DEFAULT}/post-proxy-detail.log"
   	header = "%t"
   	permissions = 384
   	locking = no
   	escape_filenames = no
   	log_packet_header = no
   }
   # Loaded module "rlm_mschap"
   # Loading module "rainbowmschap" from file 
/etc/raddb/mods-enabled/rainbowmschap
   mschap rainbowmschap {
   	use_mppe = yes
   	require_encryption = no
   	require_strong = no
   	with_ntdomain_hack = yes
   	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
--username=%{%{Stripped-User-Name}:-%{rainbowmschap:User-Name}} 
--challenge=%{%{rainbowmschap:Challenge}:-00} 
--nt-response=%{%{rainbowmschap:NT-Response}:-00}"
    passchange {
    }
   	allow_retry = yes
   }
   # Loading module "rainbowmachinemschap" from file 
/etc/raddb/mods-enabled/rainbowmschap
   mschap rainbowmachinemschap {
   	use_mppe = yes
   	require_encryption = no
   	require_strong = no
   	with_ntdomain_hack = yes
   	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
--username=%{%{Stripped-User-Name}:-%{rainbowmschap:User-Name}} 
--challenge=%{%{rainbowmschap:Challenge}:-00} 
--nt-response=%{%{rainbowmschap:NT-Response}:-00} 
--require-membership-of=S-1-5-21-1117850145-1682116191-196506527-515"
    passchange {
    }
   	allow_retry = yes
   }
   # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
   mschap {
   	use_mppe = yes
   	require_encryption = no
   	require_strong = no
   	with_ntdomain_hack = yes
    passchange {
    }
   	allow_retry = yes
   }
   # Loaded module "rlm_files"
   # Loading module "files-eduroam" from file 
/etc/raddb/mods-enabled/files-eduroam
   files files-eduroam {
   	usersfile = "/etc/raddb/users.d/users-eduroam"
   }
   # Loaded module "rlm_linelog"
   # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
   linelog {
   	destination = "file"
   	delimiter = " "
    file {
    	filename = "/var/log/radius/linelog"
    	permissions = 384
    	escape_filenames = no
    }
    syslog {
    	severity = "info"
    }
    unix {
    }
    tcp {
    	port = 514
    	timeout = 2.000000
    }
    udp {
    	port = 514
    	timeout = 2.000000
    }
   }
   # Loading module "log_accounting" from file 
/etc/raddb/mods-enabled/linelog
   linelog log_accounting {
   	destination = "file"
   	delimiter = " "
    file {
    	filename = "/var/log/radius/linelog-accounting"
    	permissions = 384
    	escape_filenames = no
    }
    syslog {
    	severity = "info"
    }
    unix {
    }
    tcp {
    	timeout = 1000.000000
    }
    udp {
    	timeout = 1000.000000
    }
   }
   # Loading module "vpimschap" from file /etc/raddb/mods-enabled/vpimschap
   mschap vpimschap {
   	use_mppe = yes
   	require_encryption = no
   	require_strong = no
   	with_ntdomain_hack = yes
   	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
--username=%{%{Stripped-User-Name}:-%{vpimschap:User-Name}} 
--challenge=%{vpimschap:Challenge} 
--nt-response=%{vpimschap:NT-Response} 
--require-membership-of=S-1-5-21-1117850145-1682116191-196506527-149178"
    passchange {
    }
   	allow_retry = yes
   }
   # Loading module "rainbowlogsyslog" from file 
/etc/raddb/mods-enabled/rainbowlog
   linelog rainbowlogsyslog {
   	destination = "syslog"
   	delimiter = " "
    file {
    	permissions = 384
    	escape_filenames = no
    }
    syslog {
    	facility = "local5"
    	severity = "info"
    }
    unix {
    }
    tcp {
    	timeout = 1000.000000
    }
    udp {
    	timeout = 1000.000000
    }
   }
   # Loading module "rainbowlogfiles" from file 
/etc/raddb/mods-enabled/rainbowlog
   linelog rainbowlogfiles {
   	destination = "file"
   	delimiter = " "
    file {
    	filename = "/var/log/radius/radiusd-%{%{Virtual-Server}:-DEFAULT}.log"
    	permissions = 384
    	escape_filenames = no
    }
    syslog {
    	severity = "info"
    }
    unix {
    }
    tcp {
    	timeout = 1000.000000
    }
    udp {
    	timeout = 1000.000000
    }
   }
   # Loading module "rainbowacclog" from file 
/etc/raddb/mods-enabled/rainbowlog
   linelog rainbowacclog {
   	destination = "syslog"
   	delimiter = " "
    file {
    	permissions = 384
    	escape_filenames = no
    }
    syslog {
    	facility = "local5"
    	severity = "info"
    }
    unix {
    }
    tcp {
    	timeout = 1000.000000
    }
    udp {
    	timeout = 1000.000000
    }
   }
   # Loaded module "rlm_replicate"
   # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
   # Loading module "files" from file /etc/raddb/mods-enabled/files
   files {
   	filename = "/etc/raddb/mods-config/files/authorize"
   	acctusersfile = "/etc/raddb/mods-config/files/accounting"
   	preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
   }
   # Loaded module "rlm_eap"
   # Loading module "eduroameap" from file 
/etc/raddb/mods-enabled/eduroameap
   eap eduroameap {
   	default_eap_type = "peap"
   	ignore_unknown_eap_types = no
   	cisco_accounting_username_bug = no
   }
    # Linked to sub-module rlm_eap_tls
    tls {
    	tls = "tls-common"
    	require_client_cert = yes
    }
    tls-config tls-common {
    	verify_depth = 0
    	ca_path = "/etc/raddb/certs"
    	pem_file_type = yes
    	private_key_file = "/etc/raddb/certs/eduroam.wireless.bris.ac.uk.key"
    	certificate_file = 
"/etc/raddb/certs/eduroam.wireless.bris.ac.uk-cert.pem"
    	ca_file = "/etc/raddb/certs/uob-net-ca.pem"
    	dh_file = "/etc/raddb/certs/dh"
    	fragment_size = 1024
    	include_length = yes
    	auto_chain = yes
    	check_crl = no
    	check_all_crl = no
    	cipher_list = "DEFAULT:!ADH:!SSLv2"
    	ecdh_curve = "prime256v1"
     cache {
     }
     verify {
     }
     ocsp {
     	enable = no
     	override_cert_url = yes
     	url = "http://127.0.0.1/ocsp/"
     	use_nonce = yes
     	timeout = 0
     	softfail = no
     }
    }
    # Linked to sub-module rlm_eap_ttls
    ttls {
    	tls = "tls-common"
    	default_eap_type = "mschapv2"
    	copy_request_to_tunnel = yes
    	use_tunneled_reply = yes
    	virtual_server = "eduroam-inner"
    	include_length = yes
    	require_client_cert = no
    }
tls - Using cached TLS configuration from previous invocation
    # Linked to sub-module rlm_eap_peap
    peap {
    	tls = "tls-common"
    	default_eap_type = "mschapv2"
    	copy_request_to_tunnel = yes
    	use_tunneled_reply = yes
    	proxy_tunneled_request_as_eap = yes
    	virtual_server = "eduroam-inner"
    	soh = no
    	require_client_cert = no
    }
tls - Using cached TLS configuration from previous invocation
rlm_eap_peap - Failed to find 'Auth-Type eap' section in virtual server 
eduroam-inner.  The server cannot proxy inner-tunnel EAP packets.
    # Linked to sub-module rlm_eap_mschapv2
    mschapv2 {
    	with_ntdomain_hack = no
    	send_error = no
    }
   # Loaded module "rlm_chap"
   # Loading module "chap" from file /etc/raddb/mods-enabled/chap
   # Loaded module "rlm_exec"
   # Loading module "exec" from file /etc/raddb/mods-enabled/exec
   exec {
   	wait = no
   	input_pairs = "request"
   	shell_escape = yes
   	timeout = 10
   }
   # Loaded module "rlm_realm"
   # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
   realm IPASS {
   	format = "prefix"
   	delimiter = "/"
   	ignore_default = no
   	ignore_null = no
   }
   # Loading module "suffix" from file /etc/raddb/mods-enabled/realm
   realm suffix {
   	format = "suffix"
   	delimiter = "@"
   	ignore_default = no
   	ignore_null = no
   }
   # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
   realm realmpercent {
   	format = "suffix"
   	delimiter = "%"
   	ignore_default = no
   	ignore_null = no
   }
   # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
   realm ntdomain {
   	format = "prefix"
   	delimiter = "\\"
   	ignore_default = no
   	ignore_null = no
   }
   # Loaded module "rlm_dynamic_clients"
   # Loading module "dynamic_clients" from file 
/etc/raddb/mods-enabled/dynamic_clients
   # Loaded module "rlm_digest"
   # Loading module "digest" from file /etc/raddb/mods-enabled/digest
   # Loaded module "rlm_expr"
   # Loading module "expr" from file /etc/raddb/mods-enabled/expr
   expr {
   	safe_characters = 
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: 
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
   }
   # Loaded module "rlm_radutmp"
   # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
   radutmp sradutmp {
   	filename = "/var/log/radius/sradutmp"
   	username = "%{User-Name}"
   	case_sensitive = yes
   	check_with_nas = yes
   	permissions = 420
   	caller_id = no
   }
   # Loaded module "rlm_cache"
   # Loading module "eduroamvlan" from file 
/etc/raddb/mods-enabled/eduroamvlan
   cache eduroamvlan {
   	driver = "rlm_cache_rbtree"
   	ttl = 600
   	max_entries = 0
   	epoch = 0
   	add_stats = no
   }
   # Loaded module "rlm_dhcp"
   # Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
   # Loaded module "rlm_ldap"
   # Loading module "uobldap" from file /etc/raddb/mods-enabled/uobldap
   ldap uobldap {
   	server = "cse-lox.ads.bris.ac.uk"
   	port = 636
   	identity = "CN=iser-linauth,OU=ISER - Special Purpose 
Accounts,OU=ISER,DC=ads,DC=bris,DC=ac,DC=uk"
   	password = <<< secret >>>
    sasl {
    }
    user {
    	scope = "sub"
    	access_positive = yes
     sasl {
     }
    }
    group {
    	filter = "(objectClass=posixGroup)"
    	scope = "sub"
    	name_attribute = "cn"
    	membership_attribute = "memberOf"
    	cacheable_name = no
    	cacheable_dn = no
    }
    client {
    	filter = "(objectClass=radiusClient)"
    	scope = "sub"
    	base_dn = "DC=ads,DC=bris,DC=ac,DC=uk"
    }
    profile {
    }
    options {
    	ldap_debug = 40
    	chase_referrals = yes
    	use_referral_credentials = no
    	rebind = yes
    	session_tracking = no
    	res_timeout = 10
    	srv_timelimit = 3
    	idle = 60
    	probes = 3
    	interval = 3
    }
    tls {
    	start_tls = no
    	require_cert = "allow"
    }
   }
Creating attribute uobldap-LDAP-Group
   # Loaded module "rlm_sql"
   # Loading module "uobsql-write" from file 
/etc/raddb/mods-enabled/uobsql-write
   sql uobsql-write {
   	driver = "rlm_sql_mysql"
   	server = "db-write.nomadic-core.bris.ac.uk"
   	port = 3306
   	login = "radiusd"
   	password = <<< secret >>>
   	radius_db = "radius"
   	read_groups = yes
   	read_profiles = yes
   	read_clients = no
   	delete_stale_sessions = yes
   	sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"
   	group_attribute = "uobsql-write-sql-Group"
   	default_user_profile = ""
   	client_query = "SELECT id, nasname, shortname, type, secret, server 
FROM nas"
   	authorize_check_query = "SELECT id, username, attribute, value, op 
FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
   	authorize_reply_query = "SELECT id, username, attribute, value, op 
FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
   	authorize_group_check_query = "SELECT id, groupname, attribute, 
Value, op FROM radgroupcheck WHERE groupname = 
'%{uobsql-write-sql-Group}' ORDER BY id"
   	authorize_group_reply_query = "SELECT id, groupname, attribute, 
value, op FROM radgroupreply WHERE groupname = 
'%{uobsql-write-sql-Group}' ORDER BY id"
   	group_membership_query = "SELECT groupname FROM radusergroup WHERE 
username = '%{SQL-User-Name}' ORDER BY priority"
   	simul_verify_query = "SELECT radacctid, acctsessionid, username, 
nasipaddress, nasportid, framedipaddress, callingstationid, 
framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND 
acctstoptime IS NULL"
   	safe_characters = 
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
    accounting {
    	reference = "%{tolower:type.%{Acct-Status-Type}.query}"
     type {
      accounting-on {
      	query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime 
= '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), 
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE 
acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND 
acctstarttime <= '%S'"
      }
      accounting-off {
      	query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime 
= '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), 
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE 
acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND 
acctstarttime <= '%S'"
      }
      start {
      	query = "INSERT INTO radacct (acctsessionid,		acctuniqueid,	 
username, realm,			nasipaddress,		nasportid, nasporttype,	 
acctstarttime,		acctupdatetime, acctstoptime,		acctsessiontime, 
acctauthentic, connectinfo_start,	connectinfo_stop, 	acctinputoctets, 
acctoutputoctets,	calledstationid, 	callingstationid, 
acctterminatecause,	servicetype,		framedprotocol, framedipaddress, 
virtual_server,		radius_server, vlan,			strippedusername) VALUES 
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', 
'%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', 
'%{NAS-Port-Type}', '%S', '%S', NULL, '0', '%{Acct-Authentic}', 
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', 
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', 
'%{Framed-IP-Address}', '%{Virtual-Server}', '%{Packet-Dst-IP-Address}', 
'%{Tunnel-Private-Group-Id}', SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))"
      	query = "UPDATE radacct SET acctstarttime	= '%S', acctupdatetime 
= '%S', connectinfo_start = '%{Connect-Info}' WHERE AcctUniqueId = 
'%{Acct-Unique-Session-Id}'"
      }
      interim-update {
      	query = "UPDATE radacct SET acctupdatetime  = 
(@acctupdatetime_old:=acctupdatetime), acctupdatetime  = '%S', 
acctinterval    = %{integer:Event-Timestamp} - 
UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = 
'%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, 
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | 
'%{%{Acct-Input-Octets}:-0}', acctoutputoctets = 
'%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' 
WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
      	query = "INSERT INTO radacct (acctsessionid,		acctuniqueid,	 
username, realm,			nasipaddress,		nasportid, nasporttype,	 
acctstarttime,		acctupdatetime, acctstoptime,		acctsessiontime, 
acctauthentic, connectinfo_start,	connectinfo_stop, 	acctinputoctets, 
acctoutputoctets,	calledstationid, 	callingstationid, 
acctterminatecause,	servicetype,		framedprotocol, framedipaddress, 
virtual_server,		radius_server, vlan,			strippedusername) VALUES 
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', 
'%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', 
'%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp} - 
%{%{Acct-Session-Time}:-0}), '%S', NULL, %{%{Acct-Session-Time}:-NULL}, 
'%{Acct-Authentic}', '%{Connect-Info}', '', 
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', 
'%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', 
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', 
'%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Virtual-Server}', 
'%{Packet-Dst-IP-Address}', '%{Tunnel-Private-Group-Id}', 
SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))"
      }
      stop {
      	query = "UPDATE radacct SET acctstoptime	= '%S', acctsessiontime 
= %{%{Acct-Session-Time}:-NULL}, acctinputoctets	= 
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', 
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | 
'%{%{Acct-Output-Octets}:-0}', acctterminatecause = 
'%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE 
AcctUniqueId = '%{Acct-Unique-Session-Id}'"
      	query = "INSERT INTO radacct (acctsessionid,		acctuniqueid,	 
username, realm,			nasipaddress,		nasportid, nasporttype,	 
acctstarttime,		acctupdatetime, acctstoptime,		acctsessiontime, 
acctauthentic, connectinfo_start,	connectinfo_stop, 	acctinputoctets, 
acctoutputoctets,	calledstationid, 	callingstationid, 
acctterminatecause,	servicetype,		framedprotocol, framedipaddress, 
virtual_server,		radius_server, vlan,			strippedusername) VALUES 
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', 
'%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', 
'%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp} - 
%{%{Acct-Session-Time}:-0}), '%S', '%S', %{%{Acct-Session-Time}:-NULL}, 
'%{Acct-Authentic}', '', '%{Connect-Info}', 
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', 
'%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', 
'%{Called-Station-Id}', '%{Calling-Station-Id}', 
'%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', 
'%{Framed-IP-Address}', '%{Virtual-Server}', '%{Packet-Dst-IP-Address}', 
'%{Tunnel-Private-Group-Id}', SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))"
      }
     }
    }
    post-auth {
    	reference = ".query"
    	query = "INSERT INTO radpostauth (username, pass, reply, authdate) 
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', 
'%{reply:Packet-Type}', '%S')"
    }
   }
rlm_sql (uobsql-write) - Driver rlm_sql_mysql (module rlm_sql_mysql) 
loaded and linked
Creating attribute uobsql-write-sql-Group
   # Loaded module "rlm_expiration"
   # Loading module "expiration" from file 
/etc/raddb/mods-enabled/expiration
   # Loading module "eduroamlioneap" from file 
/etc/raddb/mods-enabled/eduroamlioneap
   eap eduroamlioneap {
   	default_eap_type = "peap"
   	ignore_unknown_eap_types = no
   	cisco_accounting_username_bug = no
   }
    # Linked to sub-module rlm_eap_tls
    tls {
    	tls = "tls-common"
    	require_client_cert = yes
    }
    tls-config tls-common {
    	verify_depth = 0
    	ca_path = "/etc/raddb/certs"
    	pem_file_type = yes
    	private_key_file = "/etc/raddb/certs/eduroam.wireless.bris.ac.uk.key"
    	certificate_file = 
"/etc/raddb/certs/eduroam.wireless.bris.ac.uk-cert.pem"
    	ca_file = "/etc/raddb/certs/uob-net-ca.pem"
    	dh_file = "/etc/raddb/certs/dh"
    	fragment_size = 1024
    	include_length = yes
    	auto_chain = yes
    	check_crl = no
    	check_all_crl = no
    	cipher_list = "DEFAULT:!ADH:!SSLv2"
    	ecdh_curve = "prime256v1"
     cache {
     }
     verify {
     }
     ocsp {
     	enable = no
     	override_cert_url = yes
     	url = "http://127.0.0.1/ocsp/"
     	use_nonce = yes
     	timeout = 0
     	softfail = no
     }
    }
    # Linked to sub-module rlm_eap_ttls
    ttls {
    	tls = "tls-common"
    	default_eap_type = "mschapv2"
    	copy_request_to_tunnel = yes
    	use_tunneled_reply = yes
    	virtual_server = "eduroamlion-inner"
    	include_length = yes
    	require_client_cert = no
    }
tls - Using cached TLS configuration from previous invocation
    # Linked to sub-module rlm_eap_peap
    peap {
    	tls = "tls-common"
    	default_eap_type = "mschapv2"
    	copy_request_to_tunnel = yes
    	use_tunneled_reply = yes
    	proxy_tunneled_request_as_eap = yes
    	virtual_server = "eduroamlion-inner"
    	soh = no
    	require_client_cert = no
    }
tls - Using cached TLS configuration from previous invocation
rlm_eap_peap - Failed to find 'Auth-Type eap' section in virtual server 
eduroamlion-inner.  The server cannot proxy inner-tunnel EAP packets.
    # Linked to sub-module rlm_eap_mschapv2
    mschapv2 {
    	with_ntdomain_hack = no
    	send_error = no
    }
   # Loading module "logtofile" from file /etc/raddb/mods-enabled/logtofile
   linelog logtofile {
   	destination = "file"
   	delimiter = " "
    file {
    	filename = "/var/log/radius/radiusd-%{%{Virtual-Server}:-DEFAULT}.log"
    	permissions = 384
    	escape_filenames = no
    }
    syslog {
    	severity = "info"
    }
    unix {
    }
    tcp {
    	timeout = 1000.000000
    }
    udp {
    	timeout = 1000.000000
    }
   }
   # Loaded module "rlm_always"
   # Loading module "reject" from file /etc/raddb/mods-enabled/always
   always reject {
   	rcode = "reject"
   	simulcount = 0
   	mpp = no
   }
   # Loading module "fail" from file /etc/raddb/mods-enabled/always
   always fail {
   	rcode = "fail"
   	simulcount = 0
   	mpp = no
   }
   # Loading module "ok" from file /etc/raddb/mods-enabled/always
   always ok {
   	rcode = "ok"
   	simulcount = 0
   	mpp = no
   }
   # Loading module "handled" from file /etc/raddb/mods-enabled/always
   always handled {
   	rcode = "handled"
   	simulcount = 0
   	mpp = no
   }
   # Loading module "invalid" from file /etc/raddb/mods-enabled/always
   always invalid {
   	rcode = "invalid"
   	simulcount = 0
   	mpp = no
   }
   # Loading module "userlock" from file /etc/raddb/mods-enabled/always
   always userlock {
   	rcode = "userlock"
   	simulcount = 0
   	mpp = no
   }
   # Loading module "notfound" from file /etc/raddb/mods-enabled/always
   always notfound {
   	rcode = "notfound"
   	simulcount = 0
   	mpp = no
   }
   # Loading module "noop" from file /etc/raddb/mods-enabled/always
   always noop {
   	rcode = "noop"
   	simulcount = 0
   	mpp = no
   }
   # Loading module "updated" from file /etc/raddb/mods-enabled/always
   always updated {
   	rcode = "updated"
   	simulcount = 0
   	mpp = no
   }
   # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
   exec ntlm_auth {
   	wait = yes
   	program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN 
--username=%{mschap:User-Name} --password=%{User-Password}"
   	shell_escape = yes
   }
   # Loading module "rainbowfiles" from file 
/etc/raddb/mods-enabled/rainbowfiles
   files rainbowfiles {
   	usersfile = "/etc/raddb/users.d/users-rainbow"
   }
   # Loading module "logtosyslog" from file 
/etc/raddb/mods-enabled/logtosyslog
   linelog logtosyslog {
   	destination = "syslog"
   	delimiter = " "
    file {
    	permissions = 384
    	escape_filenames = no
    }
    syslog {
    	facility = "local5"
    	severity = "info"
    }
    unix {
    }
    tcp {
    	timeout = 1000.000000
    }
    udp {
    	timeout = 1000.000000
    }
   }
   # Loaded module "rlm_attr_filter"
   # Loading module "attr_filter.post-proxy" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.post-proxy {
   	filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
   	relaxed = no
   }
   # Loading module "attr_filter.pre-proxy" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.pre-proxy {
   	filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
   	relaxed = no
   }
   # Loading module "attr_filter.access_reject" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.access_reject {
   	filename = "/etc/raddb/mods-config/attr_filter/access_reject"
   	relaxed = no
   }
   # Loading module "attr_filter.access_challenge" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.access_challenge {
   	filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
   	relaxed = no
   }
   # Loading module "attr_filter.accounting_response" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.accounting_response {
   	filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
   	relaxed = no
   }
   # Loading module "filter.attrs.accounting_response" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter filter.attrs.accounting_response {
   	filename = 
"/etc/raddb/mods-config/attr_filter/attrs.accounting_response"
   	relaxed = no
   }
   # Loading module "filter.bristolresearchnet-a_reject" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter filter.bristolresearchnet-a_reject {
   	filename = 
"/etc/raddb/mods-config/attr_filter/bristolresearchnet-a_reject"
   	relaxed = no
   }
   # Loading module "filter.eduroamalien-a_accept" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter filter.eduroamalien-a_accept {
   	filename = "/etc/raddb/mods-config/attr_filter/eduroamalien-a_accept"
   	relaxed = no
   }
   # Loading module "filter.eduroamalien-a_challenge" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter filter.eduroamalien-a_challenge {
   	filename = "/etc/raddb/mods-config/attr_filter/eduroamalien-a_challenge"
   	relaxed = no
   }
   # Loading module "filter.eduroamalien-a_reject" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter filter.eduroamalien-a_reject {
   	filename = "/etc/raddb/mods-config/attr_filter/eduroamalien-a_reject"
   	relaxed = no
   }
   # Loading module "filter.eduroamlocal-a_accept" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter filter.eduroamlocal-a_accept {
   	filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-a_accept"
   	relaxed = no
   }
   # Loading module "filter.eduroamlocal-a_challenge" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter filter.eduroamlocal-a_challenge {
   	filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-a_challenge"
   	relaxed = no
   }
   # Loading module "filter.eduroamlocal-a_reject" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter filter.eduroamlocal-a_reject {
   	filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-a_reject"
   	relaxed = no
   }
   # Loading module "filter.eduroamlocal-post_proxy" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter filter.eduroamlocal-post_proxy {
   	filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-post_proxy"
   	relaxed = no
   }
   # Loading module "filter.eduroamlocal-pre_proxy" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter filter.eduroamlocal-pre_proxy {
   	filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-pre_proxy"
   	relaxed = no
   }
   # Loading module "filter.vpi-a_accept" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter filter.vpi-a_accept {
   	filename = "/etc/raddb/mods-config/attr_filter/vpi-a_accept"
   	relaxed = no
   }
   # Loading module "filter.vpi-a_challenge" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter filter.vpi-a_challenge {
   	filename = "/etc/raddb/mods-config/attr_filter/vpi-a_challenge"
   	relaxed = no
   }
   # Loading module "filter.vpi-a_reject" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter filter.vpi-a_reject {
   	filename = "/etc/raddb/mods-config/attr_filter/vpi-a_reject"
   	relaxed = no
   }
   # Loaded module "rlm_utf8"
   # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
   # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
   radutmp {
   	filename = "/var/log/radius/radutmp"
   	username = "%{User-Name}"
   	case_sensitive = yes
   	check_with_nas = yes
   	permissions = 384
   	caller_id = yes
   }
   # Loaded module "rlm_passwd"
   # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
   passwd etc_passwd {
   	filename = "/etc/passwd"
   	format = "*User-Name:Crypt-Password:"
   	delimiter = ":"
   	ignore_nislike = no
   	ignore_empty = yes
   	allow_multiple_keys = no
   	hash_size = 100
   }
   # Loaded module "rlm_soh"
   # Loading module "soh" from file /etc/raddb/mods-enabled/soh
   soh {
   	dhcp = yes
   }
   # Loaded module "rlm_unix"
   # Loading module "unix" from file /etc/raddb/mods-enabled/unix
   unix {
   	radwtmp = "/var/log/radius/radwtmp"
   }
Creating attribute Unix-Group
   # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
   cache cache_eap {
   	driver = "rlm_cache_rbtree"
   	ttl = 15
   	max_entries = 0
   	epoch = 0
   	add_stats = no
   }
   # Loading module "eduroammschap" from file 
/etc/raddb/mods-enabled/eduroammschap
   mschap eduroammschap {
   	use_mppe = yes
   	require_encryption = no
   	require_strong = no
   	with_ntdomain_hack = yes
    passchange {
    }
   	allow_retry = no
   	retry_msg = "Verify username and re-enter your password"
   }
   # Loading module "uobsql" from file /etc/raddb/mods-enabled/uobsql
   sql uobsql {
   	driver = "rlm_sql_mysql"
   	server = "db.nomadic-core.bris.ac.uk"
   	port = 3306
   	login = "radiusd"
   	password = <<< secret >>>
   	radius_db = "radius"
   	read_groups = yes
   	read_profiles = yes
   	read_clients = no
   	delete_stale_sessions = yes
   	sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"
   	group_attribute = "uobsql-sql-Group"
   	default_user_profile = ""
   	client_query = "SELECT id, nasname, shortname, type, secret, server 
FROM nas"
   	authorize_check_query = "SELECT id, username, attribute, value, op 
FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
   	authorize_reply_query = "SELECT id, username, attribute, value, op 
FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
   	authorize_group_check_query = "SELECT id, groupname, attribute, 
Value, op FROM radgroupcheck WHERE groupname = '%{uobsql-sql-Group}' 
ORDER BY id"
   	authorize_group_reply_query = "SELECT id, groupname, attribute, 
value, op FROM radgroupreply WHERE groupname = '%{uobsql-sql-Group}' 
ORDER BY id"
   	group_membership_query = "SELECT groupname FROM radusergroup WHERE 
username = '%{SQL-User-Name}' ORDER BY priority"
   	simul_verify_query = "SELECT radacctid, acctsessionid, username, 
nasipaddress, nasportid, framedipaddress, callingstationid, 
framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND 
acctstoptime IS NULL"
   	safe_characters = 
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
    accounting {
    	reference = "%{tolower:type.%{Acct-Status-Type}.query}"
     type {
      accounting-on {
      	query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime 
= '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), 
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE 
acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND 
acctstarttime <= '%S'"
      }
      accounting-off {
      	query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime 
= '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), 
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE 
acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND 
acctstarttime <= '%S'"
      }
      start {
      	query = "INSERT INTO radacct (acctsessionid,		acctuniqueid,	 
username, realm,			nasipaddress,		nasportid, nasporttype,	 
acctstarttime,		acctupdatetime, acctstoptime,		acctsessiontime, 
acctauthentic, connectinfo_start,	connectinfo_stop, 	acctinputoctets, 
acctoutputoctets,	calledstationid, 	callingstationid, 
acctterminatecause,	servicetype,		framedprotocol, framedipaddress, 
virtual_server,		radius_server, vlan,			strippedusername) VALUES 
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', 
'%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', 
'%{NAS-Port-Type}', '%S', '%S', NULL, '0', '%{Acct-Authentic}', 
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', 
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', 
'%{Framed-IP-Address}', '%{Virtual-Server}', '%{Packet-Dst-IP-Address}', 
'%{Tunnel-Private-Group-Id}', SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))"
      	query = "UPDATE radacct SET acctstarttime	= '%S', acctupdatetime 
= '%S', connectinfo_start = '%{Connect-Info}' WHERE AcctUniqueId = 
'%{Acct-Unique-Session-Id}'"
      }
      interim-update {
      	query = "UPDATE radacct SET acctupdatetime  = 
(@acctupdatetime_old:=acctupdatetime), acctupdatetime  = '%S', 
acctinterval    = %{integer:Event-Timestamp} - 
UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = 
'%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, 
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | 
'%{%{Acct-Input-Octets}:-0}', acctoutputoctets = 
'%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' 
WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
      	query = "INSERT INTO radacct (acctsessionid,		acctuniqueid,	 
username, realm,			nasipaddress,		nasportid, nasporttype,	 
acctstarttime,		acctupdatetime, acctstoptime,		acctsessiontime, 
acctauthentic, connectinfo_start,	connectinfo_stop, 	acctinputoctets, 
acctoutputoctets,	calledstationid, 	callingstationid, 
acctterminatecause,	servicetype,		framedprotocol, framedipaddress, 
virtual_server,		radius_server, vlan,			strippedusername) VALUES 
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', 
'%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', 
'%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp} - 
%{%{Acct-Session-Time}:-0}), '%S', NULL, %{%{Acct-Session-Time}:-NULL}, 
'%{Acct-Authentic}', '%{Connect-Info}', '', 
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', 
'%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', 
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', 
'%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Virtual-Server}', 
'%{Packet-Dst-IP-Address}', '%{Tunnel-Private-Group-Id}', 
SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))"
      }
      stop {
      	query = "UPDATE radacct SET acctstoptime	= '%S', acctsessiontime 
= %{%{Acct-Session-Time}:-NULL}, acctinputoctets	= 
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', 
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | 
'%{%{Acct-Output-Octets}:-0}', acctterminatecause = 
'%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE 
AcctUniqueId = '%{Acct-Unique-Session-Id}'"
      	query = "INSERT INTO radacct (acctsessionid,		acctuniqueid,	 
username, realm,			nasipaddress,		nasportid, nasporttype,	 
acctstarttime,		acctupdatetime, acctstoptime,		acctsessiontime, 
acctauthentic, connectinfo_start,	connectinfo_stop, 	acctinputoctets, 
acctoutputoctets,	calledstationid, 	callingstationid, 
acctterminatecause,	servicetype,		framedprotocol, framedipaddress, 
virtual_server,		radius_server, vlan,			strippedusername) VALUES 
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', 
'%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', 
'%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp} - 
%{%{Acct-Session-Time}:-0}), '%S', '%S', %{%{Acct-Session-Time}:-NULL}, 
'%{Acct-Authentic}', '', '%{Connect-Info}', 
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', 
'%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', 
'%{Called-Station-Id}', '%{Calling-Station-Id}', 
'%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', 
'%{Framed-IP-Address}', '%{Virtual-Server}', '%{Packet-Dst-IP-Address}', 
'%{Tunnel-Private-Group-Id}', SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))"
      }
     }
    }
    post-auth {
    	reference = ".query"
    	query = "INSERT INTO radpostauth (username, pass, reply, authdate) 
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', 
'%{reply:Packet-Type}', '%S')"
    }
   }
rlm_sql (uobsql) - Driver rlm_sql_mysql (module rlm_sql_mysql) loaded 
and linked
Creating attribute uobsql-sql-Group
   # Loading module "eduroaminfo" from file 
/etc/raddb/mods-enabled/eduroaminfo
   linelog eduroaminfo {
   	destination = "syslog"
   	delimiter = " "
    file {
    	permissions = 384
    	escape_filenames = no
    }
    syslog {
    	facility = "user"
    	severity = "info"
    }
    unix {
    }
    tcp {
    	timeout = 1000.000000
    }
    udp {
    	timeout = 1000.000000
    }
   }
   # Loading module "detail" from file /etc/raddb/mods-enabled/detail
   detail {
   	filename = 
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
   	header = "%t"
   	permissions = 384
   	locking = no
   	escape_filenames = no
   	log_packet_header = no
   }
   # Loading module "vpieap" from file /etc/raddb/mods-enabled/vpieap
   eap vpieap {
   	default_eap_type = "peap"
   	ignore_unknown_eap_types = no
   	cisco_accounting_username_bug = no
   }
    # Linked to sub-module rlm_eap_tls
    tls {
    	tls = "tls-common"
    	require_client_cert = yes
    }
    tls-config tls-common {
    	verify_depth = 0
    	ca_path = "/etc/raddb/certs"
    	pem_file_type = yes
    	private_key_file = "/etc/raddb/certs/2016-vpi.wireless.bris.ac.uk.key"
    	certificate_file = "/etc/raddb/certs/2016-vpi.wireless.bris.ac.uk.pem"
    	ca_file = "/etc/raddb/certs/University-of-Bristol-Windows-CA.pem"
    	dh_file = "/etc/raddb/certs/dh"
    	fragment_size = 1024
    	include_length = yes
    	auto_chain = yes
    	check_crl = no
    	check_all_crl = no
    	cipher_list = "DEFAULT"
    	ecdh_curve = "prime256v1"
    	disable_tlsv1_2 = yes
     cache {
     }
     verify {
     }
     ocsp {
     	enable = no
     	override_cert_url = yes
     	url = "http://127.0.0.1/ocsp/"
     	use_nonce = yes
     	timeout = 0
     	softfail = no
     }
    }
    # Linked to sub-module rlm_eap_peap
    peap {
    	tls = "tls-common"
    	default_eap_type = "mschapv2"
    	copy_request_to_tunnel = yes
    	use_tunneled_reply = yes
    	proxy_tunneled_request_as_eap = yes
    	virtual_server = "vpi-inner"
    	soh = no
    	require_client_cert = no
    }
tls - Using cached TLS configuration from previous invocation
rlm_eap_peap - Failed to find 'Auth-Type eap' section in virtual server 
vpi-inner.  The server cannot proxy inner-tunnel EAP packets.
    # Linked to sub-module rlm_eap_mschapv2
    mschapv2 {
    	with_ntdomain_hack = no
    	send_error = no
    }
   # Loading module "rainboweap" from file 
/etc/raddb/mods-enabled/rainboweap
   eap rainboweap {
   	default_eap_type = "peap"
   	ignore_unknown_eap_types = no
   	cisco_accounting_username_bug = no
   }
    # Linked to sub-module rlm_eap_tls
    tls {
    	require_client_cert = yes
    	virtual_server = "rainboweap-tls"
    }
TLS section "tls" missing, trying to use legacy configuration
    tls {
    	verify_depth = 0
    	ca_path = "/etc/raddb/certs"
    	pem_file_type = yes
    	private_key_file = "/etc/raddb/certs/The-Rainbow-Edge.key"
    	certificate_file = "/etc/raddb/certs/The-Rainbow-Edge-cert.pem"
    	ca_file = "/etc/raddb/certs/uob-net-ca.pem"
    	dh_file = "/etc/raddb/certs/dh"
    	random_file = "/dev/urandom"
    	fragment_size = 1024
    	include_length = yes
    	auto_chain = yes
    	check_crl = no
    	check_all_crl = no
    	cipher_list = "DEFAULT"
    	require_client_cert = yes
    	ecdh_curve = "prime256v1"
     cache {
     }
     verify {
     }
     ocsp {
     	enable = no
     	override_cert_url = yes
     	url = "http://127.0.0.1/ocsp/"
     	use_nonce = yes
     	timeout = 0
     	softfail = no
     }
    }
    # Linked to sub-module rlm_eap_ttls
    ttls {
    	default_eap_type = "mschapv2"
    	copy_request_to_tunnel = yes
    	use_tunneled_reply = yes
    	virtual_server = "rainbow-inner"
    	include_length = yes
    	require_client_cert = no
    }
TLS section "tls" missing, trying to use legacy configuration
tls - Using cached TLS configuration from previous invocation
    # Linked to sub-module rlm_eap_peap
    peap {
    	default_eap_type = "mschapv2"
    	copy_request_to_tunnel = yes
    	use_tunneled_reply = yes
    	proxy_tunneled_request_as_eap = yes
    	virtual_server = "rainbow-inner"
    	soh = no
    	require_client_cert = no
    }
TLS section "tls" missing, trying to use legacy configuration
tls - Using cached TLS configuration from previous invocation
rlm_eap_peap - Failed to find 'Auth-Type eap' section in virtual server 
rainbow-inner.  The server cannot proxy inner-tunnel EAP packets.
    # Linked to sub-module rlm_eap_mschapv2
    mschapv2 {
    	with_ntdomain_hack = no
    	send_error = no
    }
   # Loading module "echo" from file /etc/raddb/mods-enabled/echo
   exec echo {
   	wait = yes
   	program = "/bin/echo %{User-Name}"
   	input_pairs = "request"
   	output_pairs = "reply"
   	shell_escape = yes
   }
   # Loading module "preprocess" from file 
/etc/raddb/mods-enabled/preprocess
   preprocess {
   	huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
   	hints = "/etc/raddb/mods-config/preprocess/hints"
   	with_ascend_hack = no
   	ascend_channels_per_line = 23
   	with_ntdomain_hack = no
   	with_specialix_jetstream_hack = no
   	with_cisco_vsa_hack = no
   	with_alvarion_vsa_hack = no
   }
   # Loaded module "rlm_unpack"
   # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
   # Loaded module "rlm_pap"
   # Loading module "pap" from file /etc/raddb/mods-enabled/pap
   pap {
   	normalise = yes
   }
   # Loaded module "rlm_logintime"
   # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
   logintime {
   	minimum_timeout = 60
   }
   instantiate {
   }
  } # modules
   # Instantiating module "auth_log" from file 
/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log) - 'User-Password' suppressed, will not appear in 
detail output
   # Instantiating module "reply_log" from file 
/etc/raddb/mods-enabled/detail.log
   # Instantiating module "pre_proxy_log" from file 
/etc/raddb/mods-enabled/detail.log
   # Instantiating module "post_proxy_log" from file 
/etc/raddb/mods-enabled/detail.log
   # Instantiating module "rainbowpreprocess" from file 
/etc/raddb/mods-enabled/rainbowpreprocess
   # Instantiating module "uob_detail" from file 
/etc/raddb/mods-enabled/uobdetail
rlm_detail (uob_detail) - 'User-Password' suppressed, will not appear in 
detail output
   # Instantiating module "uob_auth_log" from file 
/etc/raddb/mods-enabled/uobdetail
rlm_detail (uob_auth_log) - 'User-Password' suppressed, will not appear 
in detail output
   # Instantiating module "uob_auth_log_password" from file 
/etc/raddb/mods-enabled/uobdetail
   # Instantiating module "uob_reply_log" from file 
/etc/raddb/mods-enabled/uobdetail
   # Instantiating module "uob_pre_proxy_log" from file 
/etc/raddb/mods-enabled/uobdetail
   # Instantiating module "uob_post_proxy_log" from file 
/etc/raddb/mods-enabled/uobdetail
   # Instantiating module "rainbowmschap" from file 
/etc/raddb/mods-enabled/rainbowmschap
rainbowmschap : authenticating by calling 'ntlm_auth'
   # Instantiating module "rainbowmachinemschap" from file 
/etc/raddb/mods-enabled/rainbowmschap
rainbowmachinemschap : authenticating by calling 'ntlm_auth'
   # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap: using internal authentication
   # Instantiating module "files-eduroam" from file 
/etc/raddb/mods-enabled/files-eduroam
       reading file /etc/raddb/users.d/users-eduroam
   # Instantiating module "linelog" from file 
/etc/raddb/mods-enabled/linelog
   # Instantiating module "log_accounting" from file 
/etc/raddb/mods-enabled/linelog
   # Instantiating module "vpimschap" from file 
/etc/raddb/mods-enabled/vpimschap
vpimschap : authenticating by calling 'ntlm_auth'
   # Instantiating module "rainbowlogsyslog" from file 
/etc/raddb/mods-enabled/rainbowlog
   # Instantiating module "rainbowlogfiles" from file 
/etc/raddb/mods-enabled/rainbowlog
   # Instantiating module "rainbowacclog" from file 
/etc/raddb/mods-enabled/rainbowlog
   # Instantiating module "files" from file /etc/raddb/mods-enabled/files
       reading file /etc/raddb/mods-config/files/authorize
       reading file /etc/raddb/mods-config/files/accounting
       reading file /etc/raddb/mods-config/files/pre-proxy
   # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
   # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
   # Instantiating module "realmpercent" from file 
/etc/raddb/mods-enabled/realm
   # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
   # Instantiating module "eduroamvlan" from file 
/etc/raddb/mods-enabled/eduroamvlan
eduroamvlan - Driver rlm_cache_rbtree loaded and linked
   # Instantiating module "uobldap" from file 
/etc/raddb/mods-enabled/uobldap
rlm_ldap (uobldap) - libldap vendor: OpenLDAP, version: 20440
    accounting {
    	reference = "%{tolower:type.%{Acct-Status-Type}}"
    }
    post-auth {
    	reference = "."
    }
rlm_ldap (uobldap) - Initialising connection pool
    pool {
    	start = 5
    	min = 3
    	max = 5
    	spare = 10
    	uses = 0
    	lifetime = 0
    	cleanup_interval = 30
    	idle_timeout = 60
    	connect_timeout = 3.000000
    	held_trigger_min = 0.000000
    	held_trigger_max = 0.500000
    	retry_delay = 30
    	spread = no
    }
rlm_ldap (uobldap) - WARNING: Ignoring "spare = 10", forcing to "spare = 2"
rlm_ldap (uobldap) - Opening additional connection (0), 1 of 5 pending 
slots used
rlm_ldap (uobldap) - Connecting to ldap://cse-lox.ads.bris.ac.uk:636
rlm_ldap (uobldap) - Waiting for bind result...
rlm_ldap (uobldap) - Bind successful
rlm_ldap (uobldap) - Performing search in "" with filter 
"(objectclass=*)", scope "base"
rlm_ldap (uobldap) - Waiting for search result...
rlm_ldap (uobldap) - Directory type: Active Directory
rlm_ldap (uobldap) - Opening additional connection (1), 1 of 4 pending 
slots used
rlm_ldap (uobldap) - Connecting to ldap://cse-lox.ads.bris.ac.uk:636
rlm_ldap (uobldap) - Waiting for bind result...
rlm_ldap (uobldap) - Bind successful
rlm_ldap (uobldap) - Opening additional connection (2), 1 of 3 pending 
slots used
rlm_ldap (uobldap) - Connecting to ldap://cse-lox.ads.bris.ac.uk:636
rlm_ldap (uobldap) - Waiting for bind result...
rlm_ldap (uobldap) - Bind successful
rlm_ldap (uobldap) - Opening additional connection (3), 1 of 2 pending 
slots used
rlm_ldap (uobldap) - Connecting to ldap://cse-lox.ads.bris.ac.uk:636
rlm_ldap (uobldap) - Waiting for bind result...
rlm_ldap (uobldap) - Bind successful
rlm_ldap (uobldap) - Opening additional connection (4), 1 of 1 pending 
slots used
rlm_ldap (uobldap) - Connecting to ldap://cse-lox.ads.bris.ac.uk:636
rlm_ldap (uobldap) - Waiting for bind result...
rlm_ldap (uobldap) - Bind successful
   # Instantiating module "uobsql-write" from file 
/etc/raddb/mods-enabled/uobsql-write
rlm_sql_mysql - libmysql version: 5.5.44-MariaDB
    mysql {
     tls {
     }
    	warnings = "auto"
    }
rlm_sql (uobsql-write) - Attempting to connect to database "radius"
rlm_sql (uobsql-write) - Initialising connection pool
    pool {
    	start = 1
    	min = 1
    	max = 2
    	spare = 1
    	uses = 10000
    	lifetime = 300
    	cleanup_interval = 30
    	idle_timeout = 60
    	connect_timeout = 3.000000
    	held_trigger_min = 0.000000
    	held_trigger_max = 0.500000
    	retry_delay = 2
    	spread = no
    }
rlm_sql (uobsql-write) - Opening additional connection (0), 1 of 2 
pending slots used
rlm_sql_mysql - Starting connect to MySQL server
rlm_sql_mysql - Connected to database 'radius' on 
db-write.nomadic-core.bris.ac.uk via TCP/IP, server version 
5.5.48-MariaDB-wsrep, protocol version 10
   # Instantiating module "expiration" from file 
/etc/raddb/mods-enabled/expiration
   # Instantiating module "logtofile" from file 
/etc/raddb/mods-enabled/logtofile
   # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
   # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
   # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
   # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
   # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
   # Instantiating module "userlock" from file 
/etc/raddb/mods-enabled/always
   # Instantiating module "notfound" from file 
/etc/raddb/mods-enabled/always
   # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
   # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
   # Instantiating module "rainbowfiles" from file 
/etc/raddb/mods-enabled/rainbowfiles
       reading file /etc/raddb/users.d/users-rainbow
   # Instantiating module "logtosyslog" from file 
/etc/raddb/mods-enabled/logtosyslog
   # Instantiating module "attr_filter.post-proxy" from file 
/etc/raddb/mods-enabled/attr_filter
       reading file /etc/raddb/mods-config/attr_filter/post-proxy
   # Instantiating module "attr_filter.pre-proxy" from file 
/etc/raddb/mods-enabled/attr_filter
       reading file /etc/raddb/mods-config/attr_filter/pre-proxy
   # Instantiating module "attr_filter.access_reject" from file 
/etc/raddb/mods-enabled/attr_filter
       reading file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item 
"FreeRADIUS-Response-Delay" 	found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item 
"FreeRADIUS-Response-Delay-USec" 	found in filter list for realm "DEFAULT".
   # Instantiating module "attr_filter.access_challenge" from file 
/etc/raddb/mods-enabled/attr_filter
       reading file /etc/raddb/mods-config/attr_filter/access_challenge
   # Instantiating module "attr_filter.accounting_response" from file 
/etc/raddb/mods-enabled/attr_filter
       reading file /etc/raddb/mods-config/attr_filter/accounting_response
   # Instantiating module "filter.attrs.accounting_response" from file 
/etc/raddb/mods-enabled/attr_filter
       reading file 
/etc/raddb/mods-config/attr_filter/attrs.accounting_response
   # Instantiating module "filter.bristolresearchnet-a_reject" from file 
/etc/raddb/mods-enabled/attr_filter
       reading file 
/etc/raddb/mods-config/attr_filter/bristolresearchnet-a_reject
   # Instantiating module "filter.eduroamalien-a_accept" from file 
/etc/raddb/mods-enabled/attr_filter
       reading file /etc/raddb/mods-config/attr_filter/eduroamalien-a_accept
   # Instantiating module "filter.eduroamalien-a_challenge" from file 
/etc/raddb/mods-enabled/attr_filter
       reading file 
/etc/raddb/mods-config/attr_filter/eduroamalien-a_challenge
   # Instantiating module "filter.eduroamalien-a_reject" from file 
/etc/raddb/mods-enabled/attr_filter
       reading file /etc/raddb/mods-config/attr_filter/eduroamalien-a_reject
   # Instantiating module "filter.eduroamlocal-a_accept" from file 
/etc/raddb/mods-enabled/attr_filter
       reading file /etc/raddb/mods-config/attr_filter/eduroamlocal-a_accept
   # Instantiating module "filter.eduroamlocal-a_challenge" from file 
/etc/raddb/mods-enabled/attr_filter
       reading file 
/etc/raddb/mods-config/attr_filter/eduroamlocal-a_challenge
   # Instantiating module "filter.eduroamlocal-a_reject" from file 
/etc/raddb/mods-enabled/attr_filter
       reading file /etc/raddb/mods-config/attr_filter/eduroamlocal-a_reject
   # Instantiating module "filter.eduroamlocal-post_proxy" from file 
/etc/raddb/mods-enabled/attr_filter
       reading file 
/etc/raddb/mods-config/attr_filter/eduroamlocal-post_proxy
   # Instantiating module "filter.eduroamlocal-pre_proxy" from file 
/etc/raddb/mods-enabled/attr_filter
       reading file 
/etc/raddb/mods-config/attr_filter/eduroamlocal-pre_proxy
   # Instantiating module "filter.vpi-a_accept" from file 
/etc/raddb/mods-enabled/attr_filter
       reading file /etc/raddb/mods-config/attr_filter/vpi-a_accept
   # Instantiating module "filter.vpi-a_challenge" from file 
/etc/raddb/mods-enabled/attr_filter
       reading file /etc/raddb/mods-config/attr_filter/vpi-a_challenge
   # Instantiating module "filter.vpi-a_reject" from file 
/etc/raddb/mods-enabled/attr_filter
       reading file /etc/raddb/mods-config/attr_filter/vpi-a_reject
   # Instantiating module "etc_passwd" from file 
/etc/raddb/mods-enabled/passwd
   # Instantiating module "cache_eap" from file 
/etc/raddb/mods-enabled/cache_eap
cache_eap - Driver rlm_cache_rbtree loaded and linked
   # Instantiating module "eduroammschap" from file 
/etc/raddb/mods-enabled/eduroammschap
rlm_mschap (eduroammschap) - Initialising connection pool
    pool {
    	start = 5
    	min = 3
    	max = 256
    	spare = 10
    	uses = 0
    	lifetime = 86400
    	cleanup_interval = 300
    	idle_timeout = 600
    	connect_timeout = 3.000000
    	held_trigger_min = 0.000000
    	held_trigger_max = 0.500000
    	retry_delay = 30
    	spread = no
    }
rlm_mschap (eduroammschap) - Opening additional connection (0), 1 of 256 
pending slots used
rlm_mschap (eduroammschap) - Opening additional connection (1), 1 of 255 
pending slots used
rlm_mschap (eduroammschap) - Opening additional connection (2), 1 of 254 
pending slots used
rlm_mschap (eduroammschap) - Opening additional connection (3), 1 of 253 
pending slots used
rlm_mschap (eduroammschap) - Opening additional connection (4), 1 of 252 
pending slots used
eduroammschap : authenticating directly to winbind
   # Instantiating module "uobsql" from file /etc/raddb/mods-enabled/uobsql
    mysql {
     tls {
     }
    	warnings = "auto"
    }
rlm_sql (uobsql) - Attempting to connect to database "radius"
rlm_sql (uobsql) - Initialising connection pool
    pool {
    	start = 1
    	min = 1
    	max = 8
    	spare = 1
    	uses = 10000
    	lifetime = 300
    	cleanup_interval = 30
    	idle_timeout = 60
    	connect_timeout = 3.000000
    	held_trigger_min = 0.000000
    	held_trigger_max = 0.500000
    	retry_delay = 2
    	spread = no
    }
rlm_sql (uobsql) - Opening additional connection (0), 1 of 8 pending 
slots used
rlm_sql_mysql - Starting connect to MySQL server
rlm_sql_mysql - Connected to database 'radius' on 
db.nomadic-core.bris.ac.uk via TCP/IP, server version 
5.5.48-MariaDB-wsrep, protocol version 10
   # Instantiating module "eduroaminfo" from file 
/etc/raddb/mods-enabled/eduroaminfo
   # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
   # Instantiating module "preprocess" from file 
/etc/raddb/mods-enabled/preprocess
       reading file /etc/raddb/mods-config/preprocess/huntgroups
       reading file /etc/raddb/mods-config/preprocess/hints
   # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
   # Instantiating module "logintime" from file 
/etc/raddb/mods-enabled/logintime
radiusd: #### Loading Virtual Servers ####
server eduroam-partners { # from file 
/etc/raddb/sites-enabled/eduroam-partners
} # server eduroam-partners
server bristolresearchnet { # from file 
/etc/raddb/sites-enabled/bristolresearchnet
} # server bristolresearchnet
server rainbow-inner { # from file /etc/raddb/sites-enabled/rainbow-inner
} # server rainbow-inner
server uobconsoles { # from file /etc/raddb/sites-enabled/uobconsoles
} # server uobconsoles
server vpi-inner { # from file /etc/raddb/sites-enabled/vpi-inner
} # server vpi-inner
server rainbow { # from file /etc/raddb/sites-enabled/rainbow
} # server rainbow
server eduroamalien { # from file /etc/raddb/sites-enabled/eduroamalien
} # server eduroamalien
server vpi { # from file /etc/raddb/sites-enabled/vpi
} # server vpi
server status { # from file /etc/raddb/sites-enabled/status
} # server status
server eduroamlocal-acct { # from file 
/etc/raddb/sites-enabled/eduroamlocal-acct
} # server eduroamlocal-acct
server eduroamlocal-auth { # from file 
/etc/raddb/sites-enabled/eduroamlocal-auth
} # server eduroamlocal-auth
server eduroamlion-inner { # from file 
/etc/raddb/sites-enabled/eduroamlion-inner
} # server eduroamlion-inner
server rainboweap-tls { # from file /etc/raddb/sites-enabled/rainboweap-tls
} # server rainboweap-tls
server eduroam-inner { # from file /etc/raddb/sites-enabled/eduroam-inner
} # server eduroam-inner
radiusd: #### Opening IP addresses and Ports ####
Listening on command file /var/run/radiusd/control/radiusd.sock
Listening on auth address * port 1645 bound to server eduroam-partners
Listening on acct address * port 1646 bound to server eduroam-partners
Listening on auth address * port 16061 bound to server eduroam-partners
Listening on acct address * port 16062 bound to server eduroam-partners
Listening on auth address * port 16063 bound to server eduroam-partners
Listening on acct address * port 16064 bound to server eduroam-partners
Listening on auth address * port 16014 bound to server bristolresearchnet
Listening on acct address * port 16015 bound to server bristolresearchnet
Listening on auth address * port 16018 bound to server uobconsoles
Listening on auth address * port 16028 bound to server rainbow
Listening on acct address * port 16029 bound to server rainbow
Listening on auth address * port 1812 bound to server eduroamalien
Listening on auth address :: port 1812 bound to server eduroamalien
Listening on auth address * port 16020 bound to server vpi
Listening on acct address * port 16021 bound to server vpi
Listening on status address * port 18120 bound to server status
Listening on acct address * port 16007 bound to server eduroamlocal-acct
Listening on auth address * port 16006 bound to server eduroamlocal-auth
Listening on proxy address * port 48159
Listening on proxy address :: port 46124
Ready to process requests
(0)  Received Access-Request Id 156 from 172.17.107.208:32770 to 
137.222.8.134:16020 via ens192 length 322
(0)    User-Name = "host/IT051252.users.bris.ac.uk"
(0)    Chargeable-User-Identity = 0x00
(0)    Location-Capable = Civix-Location
(0)    Calling-Station-Id = "c4:85:08:a9:05:24"
(0)    Called-Station-Id = "88:f0:31:b2:be:70:Bristol-ManagedPCs"
(0)    NAS-Port = 13
(0)    Cisco-AVPair = "audit-session-id=ac116bd000015f4456e81e35"
(0)    Acct-Session-Id = "56e81e35/c4:85:08:a9:05:24/87627"
(0)    NAS-IP-Address = 172.17.107.208
(0)    NAS-Identifier = "wism8"
(0)    Airespace-Wlan-Id = 3
(0)    Service-Type = Framed-User
(0)    Framed-MTU = 1300
(0)    NAS-Port-Type = Wireless-802.11
(0)    Tunnel-Type:0 = VLAN
(0)    Tunnel-Medium-Type:0 = IEEE-802
(0)    Tunnel-Private-Group-Id:0 = "547"
(0)    EAP-Message = 
0x0202002301686f73742f49543035313235322e75736572732e627269732e61632e756b
(0)    Message-Authenticator = 0x210eb8a98c17341f7b1831b8224f1ca9
(0)  Running section authorize from file /etc/raddb/sites-enabled/vpi
(0)    authorize {
(0)      wism-checks {
(0)        if (Service-Type == "NAS-Prompt-User") {
(0)          ...
(0)        }
(0)      } # wism-checks (notfound)
(0)      preprocess (ok)
(0)      uob_auth_log - EXPAND 
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
(0)      uob_auth_log - --> /var/log/radius/radacct/vpi/auth-detail.log
(0)      uob_auth_log - 
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log 
expands to /var/log/radius/radacct/vpi/auth-detail.log
(0)      uob_auth_log - EXPAND %t
(0)      uob_auth_log - --> Tue Mar 15 14:59:02 2016
(0)      uob_auth_log (ok)
(0)      if (User-Name !~ /^host\/.+\.bris(tol)?\.ac\.uk$/i) {
(0)        ...
(0)      }
(0)      vpieap - Peer sent EAP Response (code 2) ID 2 length 35
(0)      vpieap - Peer sent EAP-Identity.  Returning 'ok' so we can 
short-circuit the rest of authorize
(0)      vpieap (ok)
(0)    } # authorize (ok)
(0)  Using 'Auth-Type = vpieap' for authenticate {...}
(0)  Running Auth-Type vpieap from file /etc/raddb/sites-enabled/vpi
(0)    authenticate {
(0)      vpieap - Peer sent packet with EAP method Identity (1)
(0)      vpieap - Calling submodule eap_peap to process data
(0)      eap_peap - Initiating new EAP-TLS session
(0)      vpieap - Sending EAP Request (code 1) ID 3 length 6
(0)      vpieap (handled)
(0)    } # authenticate (handled)
(0)  Using Post-Auth-Type Challenge
(0)  Post-Auth-Type sub-section not found.  Ignoring.
(0)  Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi
(0)  Sent Access-Challenge Id 156 from 137.222.8.134:16020 to 
172.17.107.208:32770 via ens192 length 0
(0)    EAP-Message = 0x010300061920
(0)    Message-Authenticator = 0x00000000000000000000000000000000
(0)    State = 0x01016e00b7ba0f346d696f996ec2a586
(0)  Finished request
Waking up in 4.9 seconds.
(1)  Received Access-Request Id 157 from 172.17.107.208:32770 to 
137.222.8.134:16020 via ens192 length 412
(1)    User-Name = "host/IT051252.users.bris.ac.uk"
(1)    Chargeable-User-Identity = 0x00
(1)    Location-Capable = Civix-Location
(1)    Calling-Station-Id = "c4:85:08:a9:05:24"
(1)    Called-Station-Id = "88:f0:31:b2:be:70:Bristol-ManagedPCs"
(1)    NAS-Port = 13
(1)    Cisco-AVPair = "audit-session-id=ac116bd000015f4456e81e35"
(1)    Acct-Session-Id = "56e81e35/c4:85:08:a9:05:24/87627"
(1)    NAS-IP-Address = 172.17.107.208
(1)    NAS-Identifier = "wism8"
(1)    Airespace-Wlan-Id = 3
(1)    Service-Type = Framed-User
(1)    Framed-MTU = 1300
(1)    NAS-Port-Type = Wireless-802.11
(1)    Tunnel-Type:0 = VLAN
(1)    Tunnel-Medium-Type:0 = IEEE-802
(1)    Tunnel-Private-Group-Id:0 = "547"
(1)    EAP-Message = 
0x0203006b198000000061160301005c01000058030156e82335df750bf907213b69795c99dd0e5a0fd9cafa4e22e72034f7067ec9cb000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100
(1)    State = 0x01016e00b7ba0f346d696f996ec2a586
(1)    Message-Authenticator = 0x8ce96eef1c29f0f8b418aa5516a813f4
(1)  Running section authorize from file /etc/raddb/sites-enabled/vpi
(1)    authorize {
(1)      wism-checks {
(1)        if (Service-Type == "NAS-Prompt-User") {
(1)          ...
(1)        }
(1)      } # wism-checks (notfound)
(1)      preprocess (ok)
(1)      uob_auth_log - EXPAND 
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
(1)      uob_auth_log - --> /var/log/radius/radacct/vpi/auth-detail.log
(1)      uob_auth_log - 
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log 
expands to /var/log/radius/radacct/vpi/auth-detail.log
(1)      uob_auth_log - EXPAND %t
(1)      uob_auth_log - --> Tue Mar 15 14:59:02 2016
(1)      uob_auth_log (ok)
(1)      if (User-Name !~ /^host\/.+\.bris(tol)?\.ac\.uk$/i) {
(1)        ...
(1)      }
(1)      vpieap - Peer sent EAP Response (code 2) ID 3 length 107
(1)      vpieap - Continuing tunnel setup
(1)      vpieap (ok)
(1)    } # authorize (ok)
(1)  Using 'Auth-Type = vpieap' for authenticate {...}
(1)  Running Auth-Type vpieap from file /etc/raddb/sites-enabled/vpi
(1)    authenticate {
(1)      vpieap - Peer sent packet with EAP method PEAP (25)
(1)      vpieap - Calling submodule eap_peap to process data
(1)      eap_peap - Continuing EAP-TLS
(1)      eap_peap - Peer indicated complete TLS record size will be 97 bytes
(1)      eap_peap - Got complete TLS record, with length field (97 bytes)
(1)      eap_peap - [eap-tls verify] = ok
(1)      eap_peap - before/accept initialization
(1)      eap_peap - TLS Accept: before/accept initialization
(1)      eap_peap - <<< recv handshake [length 92], client_hello
(1)      eap_peap - TLS Accept: SSLv3 read client hello A
(1)      eap_peap - >>> send handshake [length 57], server_hello
(1)      eap_peap - TLS Accept: SSLv3 write server hello A
(1)      eap_peap - >>> send handshake [length 1833], certificate
(1)      eap_peap - TLS Accept: SSLv3 write certificate A
(1)      eap_peap - >>> send handshake [length 331], server_key_exchange
(1)      eap_peap - TLS Accept: SSLv3 write key exchange A
(1)      eap_peap - >>> send handshake [length 4], server_hello_done
(1)      eap_peap - TLS Accept: SSLv3 write server done A
(1)      eap_peap - TLS Accept: SSLv3 flush data
(1)      eap_peap - TLS Accept: Need to read more data: SSLv3 read 
client certificate A
(1)      eap_peap - TLS Accept: Need to read more data: SSLv3 read 
client certificate A
(1)      eap_peap - In TLS handshake phase
(1)      eap_peap - In TLS accept mode
(1)      eap_peap - Complete TLS record (2245 bytes) larger than MTU 
(1000 bytes), will fragment
(1)      eap_peap - Sending first TLS record fragment (1000 bytes), 1245 
bytes remaining
(1)      eap_peap - [eap-tls process] = handled
(1)      vpieap - Sending EAP Request (code 1) ID 4 length 1010
(1)      vpieap (handled)
(1)    } # authenticate (handled)
(1)  Using Post-Auth-Type Challenge
(1)  Post-Auth-Type sub-section not found.  Ignoring.
(1)  Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi
(1)  Sent Access-Challenge Id 157 from 137.222.8.134:16020 to 
172.17.107.208:32770 via ens192 length 0
(1)    EAP-Message = 
0x010403f219c0000008c5160301003902000035030156e823361b5cba1ccb77c8d1c2d294e5648fa5293f6acb6c7e0b210e9899de6e00c01400000dff01000100000b00040300010216030107290b0007250007220002dc308202d830820282020410456227300d06092a864886f70d01010b05003081bf
(1)    Message-Authenticator = 0x00000000000000000000000000000000
(1)    State = 0x02036e003ffa67036d696f996ec2a586
(1)  Finished request
Waking up in 4.9 seconds.
(2)  Received Access-Request Id 158 from 172.17.107.208:32770 to 
137.222.8.134:16020 via ens192 length 311
(2)    User-Name = "host/IT051252.users.bris.ac.uk"
(2)    Chargeable-User-Identity = 0x00
(2)    Location-Capable = Civix-Location
(2)    Calling-Station-Id = "c4:85:08:a9:05:24"
(2)    Called-Station-Id = "88:f0:31:b2:be:70:Bristol-ManagedPCs"
(2)    NAS-Port = 13
(2)    Cisco-AVPair = "audit-session-id=ac116bd000015f4456e81e35"
(2)    Acct-Session-Id = "56e81e35/c4:85:08:a9:05:24/87627"
(2)    NAS-IP-Address = 172.17.107.208
(2)    NAS-Identifier = "wism8"
(2)    Airespace-Wlan-Id = 3
(2)    Service-Type = Framed-User
(2)    Framed-MTU = 1300
(2)    NAS-Port-Type = Wireless-802.11
(2)    Tunnel-Type:0 = VLAN
(2)    Tunnel-Medium-Type:0 = IEEE-802
(2)    Tunnel-Private-Group-Id:0 = "547"
(2)    EAP-Message = 0x020400061900
(2)    State = 0x02036e003ffa67036d696f996ec2a586
(2)    Message-Authenticator = 0x2973017c64efccc5305299b5fdd47e3d
(2)  Running section authorize from file /etc/raddb/sites-enabled/vpi
(2)    authorize {
(2)      wism-checks {
(2)        if (Service-Type == "NAS-Prompt-User") {
(2)          ...
(2)        }
(2)      } # wism-checks (notfound)
(2)      preprocess (ok)
(2)      uob_auth_log - EXPAND 
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
(2)      uob_auth_log - --> /var/log/radius/radacct/vpi/auth-detail.log
(2)      uob_auth_log - 
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log 
expands to /var/log/radius/radacct/vpi/auth-detail.log
(2)      uob_auth_log - EXPAND %t
(2)      uob_auth_log - --> Tue Mar 15 14:59:02 2016
(2)      uob_auth_log (ok)
(2)      if (User-Name !~ /^host\/.+\.bris(tol)?\.ac\.uk$/i) {
(2)        ...
(2)      }
(2)      vpieap - Peer sent EAP Response (code 2) ID 4 length 6
(2)      vpieap - Continuing tunnel setup
(2)      vpieap (ok)
(2)    } # authorize (ok)
(2)  Using 'Auth-Type = vpieap' for authenticate {...}
(2)  Running Auth-Type vpieap from file /etc/raddb/sites-enabled/vpi
(2)    authenticate {
(2)      vpieap - Peer sent packet with EAP method PEAP (25)
(2)      vpieap - Calling submodule eap_peap to process data
(2)      eap_peap - Continuing EAP-TLS
(2)      eap_peap - Peer ACKed our handshake fragment
(2)      eap_peap - [eap-tls verify] = request
(2)      eap_peap - Sending additional TLS record fragment (1004 bytes), 
241 bytes remaining
(2)      eap_peap - [eap-tls process] = handled
(2)      vpieap - Sending EAP Request (code 1) ID 5 length 1010
(2)      vpieap (handled)
(2)    } # authenticate (handled)
(2)  Using Post-Auth-Type Challenge
(2)  Post-Auth-Type sub-section not found.  Ignoring.
(2)  Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi
(2)  Sent Access-Challenge Id 158 from 137.222.8.134:16020 to 
172.17.107.208:32770 via ens192 length 0
(2)    EAP-Message = 
0x010503f219402053657276696365733129302706035504031320556e6976657273697479206f662042726973746f6c2057696e646f7773204341301e170d3033303131303130323733375a170d3233303131303130333531315a3081bf3125302306092a864886f70d010901161663612d61646d696e40
(2)    Message-Authenticator = 0x00000000000000000000000000000000
(2)    State = 0x03016e00b7ba0f346d696f996ec2a586
(2)  Finished request
Waking up in 4.9 seconds.
(3)  Received Access-Request Id 159 from 172.17.107.208:32770 to 
137.222.8.134:16020 via ens192 length 311
(3)    User-Name = "host/IT051252.users.bris.ac.uk"
(3)    Chargeable-User-Identity = 0x00
(3)    Location-Capable = Civix-Location
(3)    Calling-Station-Id = "c4:85:08:a9:05:24"
(3)    Called-Station-Id = "88:f0:31:b2:be:70:Bristol-ManagedPCs"
(3)    NAS-Port = 13
(3)    Cisco-AVPair = "audit-session-id=ac116bd000015f4456e81e35"
(3)    Acct-Session-Id = "56e81e35/c4:85:08:a9:05:24/87627"
(3)    NAS-IP-Address = 172.17.107.208
(3)    NAS-Identifier = "wism8"
(3)    Airespace-Wlan-Id = 3
(3)    Service-Type = Framed-User
(3)    Framed-MTU = 1300
(3)    NAS-Port-Type = Wireless-802.11
(3)    Tunnel-Type:0 = VLAN
(3)    Tunnel-Medium-Type:0 = IEEE-802
(3)    Tunnel-Private-Group-Id:0 = "547"
(3)    EAP-Message = 0x020500061900
(3)    State = 0x03016e00b7ba0f346d696f996ec2a586
(3)    Message-Authenticator = 0x98cabe8901eb9b85dccb9e16a30658c2
(3)  Running section authorize from file /etc/raddb/sites-enabled/vpi
(3)    authorize {
(3)      wism-checks {
(3)        if (Service-Type == "NAS-Prompt-User") {
(3)          ...
(3)        }
(3)      } # wism-checks (notfound)
(3)      preprocess (ok)
(3)      uob_auth_log - EXPAND 
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
(3)      uob_auth_log - --> /var/log/radius/radacct/vpi/auth-detail.log
(3)      uob_auth_log - 
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log 
expands to /var/log/radius/radacct/vpi/auth-detail.log
(3)      uob_auth_log - EXPAND %t
(3)      uob_auth_log - --> Tue Mar 15 14:59:02 2016
(3)      uob_auth_log (ok)
(3)      if (User-Name !~ /^host\/.+\.bris(tol)?\.ac\.uk$/i) {
(3)        ...
(3)      }
(3)      vpieap - Peer sent EAP Response (code 2) ID 5 length 6
(3)      vpieap - Continuing tunnel setup
(3)      vpieap (ok)
(3)    } # authorize (ok)
(3)  Using 'Auth-Type = vpieap' for authenticate {...}
(3)  Running Auth-Type vpieap from file /etc/raddb/sites-enabled/vpi
(3)    authenticate {
(3)      vpieap - Peer sent packet with EAP method PEAP (25)
(3)      vpieap - Calling submodule eap_peap to process data
(3)      eap_peap - Continuing EAP-TLS
(3)      eap_peap - Peer ACKed our handshake fragment
(3)      eap_peap - [eap-tls verify] = request
(3)      eap_peap - Sending final TLS record fragment (241 bytes)
(3)      eap_peap - [eap-tls process] = handled
(3)      vpieap - Sending EAP Request (code 1) ID 6 length 247
(3)      vpieap (handled)
(3)    } # authenticate (handled)
(3)  Using Post-Auth-Type Challenge
(3)  Post-Auth-Type sub-section not found.  Ignoring.
(3)  Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi
(3)  Sent Access-Challenge Id 159 from 137.222.8.134:16020 to 
172.17.107.208:32770 via ens192 length 0
(3)    EAP-Message = 
0x010600f71900ebe0344cb4e5d4ac912e10789408d80c66f81fd27cddd89c4c4a4dc3ae440f0cc86f59ca46e8ff75376eb7910a0af3153626fe0cf81027c02f568b1e56e2656a4191c98103f0da0f1ff061a21c81756cc2aec65066916bda86078229a217c291a4cb982853454ddb46b5e54200d5fd06d4
(3)    Message-Authenticator = 0x00000000000000000000000000000000
(3)    State = 0x04076e003ffa67036d696f996ec2a586
(3)  Finished request
Waking up in 4.9 seconds.
(4)  Received Access-Request Id 160 from 172.17.107.208:32770 to 
137.222.8.134:16020 via ens192 length 449
(4)    User-Name = "host/IT051252.users.bris.ac.uk"
(4)    Chargeable-User-Identity = 0x00
(4)    Location-Capable = Civix-Location
(4)    Calling-Station-Id = "c4:85:08:a9:05:24"
(4)    Called-Station-Id = "88:f0:31:b2:be:70:Bristol-ManagedPCs"
(4)    NAS-Port = 13
(4)    Cisco-AVPair = "audit-session-id=ac116bd000015f4456e81e35"
(4)    Acct-Session-Id = "56e81e35/c4:85:08:a9:05:24/87627"
(4)    NAS-IP-Address = 172.17.107.208
(4)    NAS-Identifier = "wism8"
(4)    Airespace-Wlan-Id = 3
(4)    Service-Type = Framed-User
(4)    Framed-MTU = 1300
(4)    NAS-Port-Type = Wireless-802.11
(4)    Tunnel-Type:0 = VLAN
(4)    Tunnel-Medium-Type:0 = IEEE-802
(4)    Tunnel-Private-Group-Id:0 = "547"
(4)    EAP-Message = 
0x020600901980000000861603010046100000424104647ecb7be9097a5ded8a15cad2f20782f73ac6dc656b780709999a57827e73a8fe8e6a1b0e84a16922438dc84d05ae35ea7a5ea9a0dde79187142978e52f2b8a14030100010116030100306891fee4d9c9dc571d75c0f76b02e5725a63f2d65a9a70
(4)    State = 0x04076e003ffa67036d696f996ec2a586
(4)    Message-Authenticator = 0x88fc7f16291a306da34adbcad2b075d8
(4)  Running section authorize from file /etc/raddb/sites-enabled/vpi
(4)    authorize {
(4)      wism-checks {
(4)        if (Service-Type == "NAS-Prompt-User") {
(4)          ...
(4)        }
(4)      } # wism-checks (notfound)
(4)      preprocess (ok)
(4)      uob_auth_log - EXPAND 
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
(4)      uob_auth_log - --> /var/log/radius/radacct/vpi/auth-detail.log
(4)      uob_auth_log - 
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log 
expands to /var/log/radius/radacct/vpi/auth-detail.log
(4)      uob_auth_log - EXPAND %t
(4)      uob_auth_log - --> Tue Mar 15 14:59:02 2016
(4)      uob_auth_log (ok)
(4)      if (User-Name !~ /^host\/.+\.bris(tol)?\.ac\.uk$/i) {
(4)        ...
(4)      }
(4)      vpieap - Peer sent EAP Response (code 2) ID 6 length 144
(4)      vpieap - Continuing tunnel setup
(4)      vpieap (ok)
(4)    } # authorize (ok)
(4)  Using 'Auth-Type = vpieap' for authenticate {...}
(4)  Running Auth-Type vpieap from file /etc/raddb/sites-enabled/vpi
(4)    authenticate {
(4)      vpieap - Peer sent packet with EAP method PEAP (25)
(4)      vpieap - Calling submodule eap_peap to process data
(4)      eap_peap - Continuing EAP-TLS
(4)      eap_peap - Peer indicated complete TLS record size will be 134 
bytes
(4)      eap_peap - Got complete TLS record, with length field (134 bytes)
(4)      eap_peap - [eap-tls verify] = ok
(4)      eap_peap - <<< recv handshake [length 70], client_key_exchange
(4)      eap_peap - TLS Accept: SSLv3 read client key exchange A
(4)      eap_peap - <<< recv change_cipher_spec [length 1]
(4)      eap_peap - <<< recv handshake [length 16], finished
(4)      eap_peap - TLS Accept: SSLv3 read finished A
(4)      eap_peap - >>> send change_cipher_spec [length 1]
(4)      eap_peap - TLS Accept: SSLv3 write change cipher spec A
(4)      eap_peap - >>> send handshake [length 16], finished
(4)      eap_peap - TLS Accept: SSLv3 write finished A
(4)      eap_peap - TLS Accept: SSLv3 flush data
(4)      eap_peap - SSL negotiation finished successfully
(4)      eap_peap - TLS established with cipher suite: 
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
(4)      eap_peap - Sending complete TLS record (59 bytes)
(4)      eap_peap - [eap-tls process] = handled
(4)      vpieap - Sending EAP Request (code 1) ID 7 length 69
(4)      vpieap (handled)
(4)    } # authenticate (handled)
(4)  Using Post-Auth-Type Challenge
(4)  Post-Auth-Type sub-section not found.  Ignoring.
(4)  Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi
(4)  Sent Access-Challenge Id 160 from 137.222.8.134:16020 to 
172.17.107.208:32770 via ens192 length 0
(4)    EAP-Message = 
0x0107004519800000003b14030100010116030100306fdc388f829843e06f869eeae13afdf94ba2efe759a91d60b7a147cb1663ee604ab474b08aaf072259723668fe0c447b
(4)    Message-Authenticator = 0x00000000000000000000000000000000
(4)    State = 0x05016e00b7ba0f346d696f996ec2a586
(4)  Finished request
Waking up in 4.9 seconds.
(5)  Received Access-Request Id 161 from 172.17.107.208:32770 to 
137.222.8.134:16020 via ens192 length 311
(5)    User-Name = "host/IT051252.users.bris.ac.uk"
(5)    Chargeable-User-Identity = 0x00
(5)    Location-Capable = Civix-Location
(5)    Calling-Station-Id = "c4:85:08:a9:05:24"
(5)    Called-Station-Id = "88:f0:31:b2:be:70:Bristol-ManagedPCs"
(5)    NAS-Port = 13
(5)    Cisco-AVPair = "audit-session-id=ac116bd000015f4456e81e35"
(5)    Acct-Session-Id = "56e81e35/c4:85:08:a9:05:24/87627"
(5)    NAS-IP-Address = 172.17.107.208
(5)    NAS-Identifier = "wism8"
(5)    Airespace-Wlan-Id = 3
(5)    Service-Type = Framed-User
(5)    Framed-MTU = 1300
(5)    NAS-Port-Type = Wireless-802.11
(5)    Tunnel-Type:0 = VLAN
(5)    Tunnel-Medium-Type:0 = IEEE-802
(5)    Tunnel-Private-Group-Id:0 = "547"
(5)    EAP-Message = 0x020700061900
(5)    State = 0x05016e00b7ba0f346d696f996ec2a586
(5)    Message-Authenticator = 0x96dc59cdbca6df009be0b9cbd5443481
(5)  Running section authorize from file /etc/raddb/sites-enabled/vpi
(5)    authorize {
(5)      wism-checks {
(5)        if (Service-Type == "NAS-Prompt-User") {
(5)          ...
(5)        }
(5)      } # wism-checks (notfound)
(5)      preprocess (ok)
(5)      uob_auth_log - EXPAND 
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
(5)      uob_auth_log - --> /var/log/radius/radacct/vpi/auth-detail.log
(5)      uob_auth_log - 
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log 
expands to /var/log/radius/radacct/vpi/auth-detail.log
(5)      uob_auth_log - EXPAND %t
(5)      uob_auth_log - --> Tue Mar 15 14:59:02 2016
(5)      uob_auth_log (ok)
(5)      if (User-Name !~ /^host\/.+\.bris(tol)?\.ac\.uk$/i) {
(5)        ...
(5)      }
(5)      vpieap - Peer sent EAP Response (code 2) ID 7 length 6
(5)      vpieap - Continuing tunnel setup
(5)      vpieap (ok)
(5)    } # authorize (ok)
(5)  Using 'Auth-Type = vpieap' for authenticate {...}
(5)  Running Auth-Type vpieap from file /etc/raddb/sites-enabled/vpi
(5)    authenticate {
(5)      vpieap - Peer sent packet with EAP method PEAP (25)
(5)      vpieap - Calling submodule eap_peap to process data
(5)      eap_peap - Continuing EAP-TLS
(5)      eap_peap - Peer ACKed our handshake fragment.  handshake is 
finished
(5)      eap_peap - [eap-tls verify] = success
(5)      eap_peap - [eap-tls process] = success
(5)      eap_peap - Session established.  Decoding tunneled data
(5)      eap_peap - PEAP state TUNNEL ESTABLISHED
(5)      eap_peap - Sending complete TLS record (37 bytes)
(5)      vpieap - Sending EAP Request (code 1) ID 8 length 47
(5)      vpieap (handled)
(5)    } # authenticate (handled)
(5)  Using Post-Auth-Type Challenge
(5)  Post-Auth-Type sub-section not found.  Ignoring.
(5)  Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi
(5)  Sent Access-Challenge Id 161 from 137.222.8.134:16020 to 
172.17.107.208:32770 via ens192 length 0
(5)    EAP-Message = 
0x0108002f19800000002517030100205f34f3a684a6f8a6c27272a92b19c76ee8552b4ea7b442e2ff9d4c5027a36f41
(5)    Message-Authenticator = 0x00000000000000000000000000000000
(5)    State = 0x06036e003ffa67036d696f996ec2a586
(5)  Finished request
Waking up in 4.9 seconds.
(0)  Cleaning up request packet ID 156 with timestamp +3
(1)  Cleaning up request packet ID 157 with timestamp +3
(2)  Cleaning up request packet ID 158 with timestamp +3
(3)  Cleaning up request packet ID 159 with timestamp +3
(4)  Cleaning up request packet ID 160 with timestamp +3
(5)  Cleaning up request packet ID 161 with timestamp +3
Ready to process requests
Ready to process requests
Signalled to terminate
Exiting normally
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! EAP session 0x2ab6bf0 did not finish!                                 !!
!! See http://wiki.freeradius.org/guide/Certificate_Compatibility !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
rlm_sql (uobsql) - Removing connection pool
rlm_sql (uobsql) - Closing connection (0)
rlm_sql_mysql - Socket destructor called, closing socket
rlm_mschap (eduroammschap) - Removing connection pool
rlm_mschap (eduroammschap) - Closing connection (4)
rlm_mschap (eduroammschap) - Closing connection (3)
rlm_mschap (eduroammschap) - Closing connection (2)
rlm_mschap (eduroammschap) - Closing connection (1)
rlm_mschap (eduroammschap) - Closing connection (0)
rlm_sql (uobsql-write) - Removing connection pool
rlm_sql (uobsql-write) - Closing connection (0)
rlm_sql_mysql - Socket destructor called, closing socket
rlm_ldap (uobldap) - Removing connection pool
rlm_ldap (uobldap) - Closing connection (4)
rlm_ldap (uobldap) - Closing connection (3)
rlm_ldap (uobldap) - Closing connection (2)
rlm_ldap (uobldap) - Closing connection (1)
rlm_ldap (uobldap) - Closing connection (0)

-- 
Jonathan Gazeley
Senior Systems Administrator
IT Services
University of Bristol


More information about the Freeradius-Users mailing list