Two issues with FR 3.1
Chris Howley
C.P.Howley at leeds.ac.uk
Fri Nov 25 17:04:59 CET 2016
Hi Alan,
Here's the debug information you requested.
Thanks, Chris
radiusd: #### Opening IP addresses and Ports ####
Listening on command file /var/run/radiusd/control/radiusd.sock
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address 127.0.0.1 port 18122 bound to server eduroam-inner-tunnel
Listening on auth address 127.0.0.1 port 28120 bound to server captive-portal
Listening on auth address X.X.X.X port 28120 bound to server captive-portal
Listening on status address 127.0.0.1 port 18121 bound to server status
Listening on proxy address * port 36322
Listening on proxy address :: port 57199
Ready to process requests
(1) Received Access-Request Id 77 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 292
(1) User-Name = "testuser at realm"
(1) Chargeable-User-Identity = 0x00
(1) Location-Capable = Civix-Location
(1) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(1) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(1) NAS-Port = 13
(1) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(1) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(1) NAS-IP-Address = Y.Y.Y.Y
(1) NAS-Identifier = "WM13"
(1) Airespace-Wlan-Id = 8
(1) Service-Type = Framed-User
(1) Framed-MTU = 1300
(1) NAS-Port-Type = Wireless-802.11
(1) Tunnel-Type:0 = VLAN
(1) Tunnel-Medium-Type:0 = IEEE-802
(1) Tunnel-Private-Group-Id:0 = "446"
(1) EAP-Message = 0x020100170165636c366368406c656564732e61632e756b
(1) Message-Authenticator = 0x2f0eff9e4f79f94e7189010a34c8fffe
(1) Running section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) local_rewrite_called_station_id {
(1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(1) update request {
(1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(1) --> 64:AE:0C:91:42:60
(1) &Called-Station-Id := 64:AE:0C:91:42:60
(1) } # update request (noop)
(1) if ("%{8}") {
(1) EXPAND %{8}
(1) --> RADIUS-TEST
(1) update request {
(1) EXPAND %{8}
(1) --> RADIUS-TEST
(1) &Called-Station-SSID := RADIUS-TEST
(1) } # update request (noop)
(1) } # if ("%{8}") (noop)
(1) updated (updated)
(1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(1) else {
(1) ... skipping else for request 1: Preceding "if" was taken
(1) }
(1) } # local_rewrite_called_station_id (updated)
(1) local_rewrite_calling_station_id {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(1) update request {
(1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(1) --> A4:D1:8C:E4:9F:22
(1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(1) } # update request (noop)
(1) updated (updated)
(1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(1) else {
(1) ... skipping else for request 1: Preceding "if" was taken
(1) }
(1) } # local_rewrite_calling_station_id (updated)
(1) filter_username {
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) ...
(1) }
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) ...
(1) }
(1) if (&User-Name =~ /\.\./ ) {
(1) ...
(1) }
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) {
(1) ...
(1) }
(1) if (&User-Name =~ /\.$/) {
(1) ...
(1) }
(1) if (&User-Name =~ /@\./) {
(1) ...
(1) }
(1) } # if (&User-Name) (updated)
(1) } # filter_username (updated)
(1) bad_realms {
(1) if (&User-Name =~ /\.ax\.uk$/i) {
(1) ...
(1) }
(1) if (&User-Name =~ /@ac\.uk$/i) {
(1) ...
(1) }
(1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(1) ...
(1) }
(1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(1) ...
(1) }
(1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(1) ...
(1) }
(1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(1) ...
(1) }
(1) if (&User-Name =~ /myabc\.com$/i) {
(1) ...
(1) }
(1) } # bad_realms (updated)
(1) preprocess (ok)
(1) operator-name.authorize {
(1) if ("%{client:Operator-Name}") {
(1) EXPAND %{client:Operator-Name}
(1) --> 1realm.ac.uk
(1) update request {
(1) EXPAND %{client:Operator-Name}
(1) --> 1realm.ac.uk
(1) &Operator-Name = 1realm.ac.uk
(1) } # update request (noop)
(1) } # if ("%{client:Operator-Name}") (noop)
(1) } # operator-name.authorize (noop)
(1) suffix - Checking for suffix after "@"
(1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser at realm"
(1) suffix - Found realm "realm.ac.uk"
(1) suffix - Adding Stripped-User-Name = "testuser"
(1) suffix - Adding Realm = "realm.ac.uk"
(1) suffix - Authentication realm is LOCAL
(1) suffix (ok)
(1) if (&Realm) {
(1) update control {
(1) &control:Proxy-To-Realm := LOCAL
(1) } # update control (noop)
(1) } # if (&Realm) (noop)
(1) else {
(1) ... skipping else for request 1: Preceding "if" was taken
(1) }
(1) if (&Realm) {
(1) if (&Stripped-User-Name != "") {
(1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(1) EXPAND %{tolower:%{Stripped-User-Name}}
(1) --> testuser
(1) ...
(1) }
(1) group {
(1) check_blacklist (ok)
(1) if (&control:Local-Banned-User) {
(1) ...
(1) }
(1) else {
(1) noop (noop)
(1) } # else (noop)
(1) } # group (ok)
(1) } # if (&Stripped-User-Name != "") (ok)
(1) } # if (&Realm) (ok)
(1) eap - Peer sent EAP Response (code 2) ID 1 length 23
(1) eap - Peer sent EAP-Identity. Returning 'ok' so we can short-circuit the rest of authorize
(1) eap (ok)
(1) } # authorize (ok)
(1) Using 'Auth-Type = eap' for authenticate {...}
(1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(1) Auth-Type eap {
(1) eap - Peer sent packet with EAP method Identity (1)
(1) eap - Calling submodule eap_peap to process data
(1) eap_peap - Initiating new TLS session
(1) eap - Sending EAP Request (code 1) ID 2 length 6
(1) eap (handled)
(1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(1) EXPAND Response-Packet-Type
(1) --> Access-Challenge
(1) attr_filter.access_challenge - EXPAND %{User-Name}
(1) attr_filter.access_challenge - --> testuser at realm
(1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(1) attr_filter.access_challenge.post-auth (updated)
(1) handled (handled)
(1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(1) } # Auth-Type eap (handled)
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 77 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x010138003637b8d43b39393138ab9701
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 78 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 418
(2) User-Name = "testuser at realm"
(2) Chargeable-User-Identity = 0x00
(2) Location-Capable = Civix-Location
(2) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(2) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(2) NAS-Port = 13
(2) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(2) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(2) NAS-IP-Address = Y.Y.Y.Y
(2) NAS-Identifier = "WM13"
(2) Airespace-Wlan-Id = 8
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) Tunnel-Type:0 = VLAN
(2) Tunnel-Medium-Type:0 = IEEE-802
(2) Tunnel-Private-Group-Id:0 = "446"
(2) EAP-Message = 0x0202008319800000007916030100740100007003015838561f7c35db9df95d549eb9befc0ca9bbc9fbc9027794c6893d1c9b40e77000002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000050005010000000000120000
(2) State = 0x010138003637b8d43b39393138ab9701
(2) Message-Authenticator = 0xcf0cbabf5a3dcda1ac3c2f2c0a98eb8b
(2,1) Running section authorize from file /etc/raddb/sites-enabled/default
(2,1) authorize {
(2,1) local_rewrite_called_station_id {
(2,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(2,1) update request {
(2,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(2,1) --> 64:AE:0C:91:42:60
(2,1) &Called-Station-Id := 64:AE:0C:91:42:60
(2,1) } # update request (noop)
(2,1) if ("%{8}") {
(2,1) EXPAND %{8}
(2,1) --> RADIUS-TEST
(2,1) update request {
(2,1) EXPAND %{8}
(2,1) --> RADIUS-TEST
(2,1) &Called-Station-SSID := RADIUS-TEST
(2,1) } # update request (noop)
(2,1) } # if ("%{8}") (noop)
(2,1) updated (updated)
(2,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(2,1) else {
(2,1) ... skipping else for request 2: Preceding "if" was taken
(2,1) }
(2,1) } # local_rewrite_called_station_id (updated)
(2,1) local_rewrite_calling_station_id {
(2,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(2,1) update request {
(2,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(2,1) --> A4:D1:8C:E4:9F:22
(2,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(2,1) } # update request (noop)
(2,1) updated (updated)
(2,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(2,1) else {
(2,1) ... skipping else for request 2: Preceding "if" was taken
(2,1) }
(2,1) } # local_rewrite_calling_station_id (updated)
(2,1) filter_username {
(2,1) if (&User-Name) {
(2,1) if (&User-Name =~ / /) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /@[^@]*@/ ) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /\.\./ ) {
(2,1) ...
(2,1) }
(2,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /\.$/) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /@\./) {
(2,1) ...
(2,1) }
(2,1) } # if (&User-Name) (updated)
(2,1) } # filter_username (updated)
(2,1) bad_realms {
(2,1) if (&User-Name =~ /\.ax\.uk$/i) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /@ac\.uk$/i) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /myabc\.com$/i) {
(2,1) ...
(2,1) }
(2,1) } # bad_realms (updated)
(2,1) preprocess (ok)
(2,1) operator-name.authorize {
(2,1) if ("%{client:Operator-Name}") {
(2,1) EXPAND %{client:Operator-Name}
(2,1) --> 1realm.ac.uk
(2,1) update request {
(2,1) EXPAND %{client:Operator-Name}
(2,1) --> 1realm.ac.uk
(2,1) &Operator-Name = 1realm.ac.uk
(2,1) } # update request (noop)
(2,1) } # if ("%{client:Operator-Name}") (noop)
(2,1) } # operator-name.authorize (noop)
(2,1) suffix - Checking for suffix after "@"
(2,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser at realm"
(2,1) suffix - Found realm "realm.ac.uk"
(2,1) suffix - Adding Stripped-User-Name = "testuser"
(2,1) suffix - Adding Realm = "realm.ac.uk"
(2,1) suffix - Authentication realm is LOCAL
(2,1) suffix (ok)
(2,1) if (&Realm) {
(2,1) update control {
(2,1) &control:Proxy-To-Realm := LOCAL
(2,1) } # update control (noop)
(2,1) } # if (&Realm) (noop)
(2,1) else {
(2,1) ... skipping else for request 2: Preceding "if" was taken
(2,1) }
(2,1) if (&Realm) {
(2,1) if (&Stripped-User-Name != "") {
(2,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(2,1) EXPAND %{tolower:%{Stripped-User-Name}}
(2,1) --> testuser
(2,1) ...
(2,1) }
(2,1) group {
(2,1) check_blacklist (ok)
(2,1) if (&control:Local-Banned-User) {
(2,1) ...
(2,1) }
(2,1) else {
(2,1) noop (noop)
(2,1) } # else (noop)
(2,1) } # group (ok)
(2,1) } # if (&Stripped-User-Name != "") (ok)
(2,1) } # if (&Realm) (ok)
(2,1) eap - Peer sent EAP Response (code 2) ID 2 length 131
(2,1) eap - Continuing tunnel setup
(2,1) eap (ok)
(2,1) } # authorize (ok)
(2,1) Using 'Auth-Type = eap' for authenticate {...}
(2,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(2,1) Auth-Type eap {
(2,1) eap - Peer sent packet with EAP method PEAP (25)
(2,1) eap - Calling submodule eap_peap to process data
(2,1) eap_peap - Continuing EAP-TLS
(2,1) eap_peap - Peer indicated complete TLS record size will be 121 bytes
(2,1) eap_peap - Got complete TLS record, with length field (121 bytes)
(2,1) eap_peap - [eap-tls verify] = complete
(2,1) eap_peap - Handshake state - before/accept initialization
(2,1) eap_peap - Handshake state - Server before/accept initialization
(2,1) eap_peap - <<< recv handshake [length 116], client_hello
(2,1) eap_peap - Handshake state - Server SSLv3 read client hello A
(2,1) eap_peap - >>> send handshake [length 57], server_hello
(2,1) eap_peap - Handshake state - Server SSLv3 write server hello A
(2,1) eap_peap - >>> send handshake [length 2643], certificate
(2,1) eap_peap - Handshake state - Server SSLv3 write certificate A
(2,1) eap_peap - >>> send handshake [length 331], server_key_exchange
(2,1) eap_peap - Handshake state - Server SSLv3 write key exchange A
(2,1) eap_peap - >>> send handshake [length 4], server_hello_done
(2,1) eap_peap - Handshake state - Server SSLv3 write server done A
(2,1) eap_peap - Handshake state - Server SSLv3 flush data
(2,1) eap_peap - Need more data from client
(2,1) eap_peap - Need more data from client
(2,1) eap_peap - Complete TLS record (3055 bytes) larger than MTU (990 bytes), will fragment
(2,1) eap_peap - Sending first TLS record fragment (990 bytes), 2065 bytes remaining
(2,1) eap_peap - [eap-tls process] = handled
(2,1) eap - Sending EAP Request (code 1) ID 3 length 1000
(2,1) eap (handled)
(2,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(2,1) EXPAND Response-Packet-Type
(2,1) --> Access-Challenge
(2,1) attr_filter.access_challenge - EXPAND %{User-Name}
(2,1) attr_filter.access_challenge - --> testuser at realm
(2,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(2,1) attr_filter.access_challenge.post-auth (updated)
(2,1) handled (handled)
(2,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(2,1) } # Auth-Type eap (handled)
(2,1) Using Post-Auth-Type Challenge
(2,1) Post-Auth-Type sub-section not found. Ignoring.
(2,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(2,1) Sent Access-Challenge Id 78 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(2,1) EAP-Message = 0x010303e819c000000bef16030100390200003503015838561fbe318d85e54c607db0dc6d03c0b5e5d4d2266165638bd4fff41936b900c01400000dff01000100000b0004030001021603010a530b000a4f000a4c0004f6308204f2308203daa003020102021437ff648df0d47ee77e787cee2cab98c71324c34c300d06092a864886f70d01010b0500304d310b300906035504061302424d31193017060355040a131051756f5661646973204c696d69746564312330210603550403131a51756f566164697320476c6f62616c2053534c20494341204732301e170d3136303831313134353330385a170d3139303831313134353330355a307f310b3009060355040613024742311730150603550408130e5765737420596f726b7368697265310e300c060355040713054c45454453311c301a060355040a1313556e6976657273697479206f66204c65656473310c300a060355040b1303492e54311b3019060355040313127261646975732e6c656564732e61632e756b30820122300d06092a864886f70d01010105000382010f003082010a0282010100b05f6ffc1d8d9a1d6602e4e3fb505be1df826dbe0e8e2cd96127b2beeea934476f474d835388182926f52f7de4ef5dc0f0c439f59b88f0494c2f2f8724e69790e0c7f9379941b0524d7b74e95ae882f556a1f9df197fcbe00ef20677bb1bfaa66a575783594163b1efffda474b26101c56f6906d9434eab449a96f4d9aaa92d73bd83396f2fba04afb8fc92013d6ea56eb98ee202f87961616a391b33dbca45634aa899c9f5846b19935588fc6874c228bf01c4e5c930ed66feaacc52507d5753582dd7ac994ba1c067e1b22e6c72c1acdd141b4fa8a553f9acde4b6571bea31e280f298a5ace02370bff63b582325a3a8bcd10982f79059bac57a46f26949b70203010001a382019630820192307306082b0601050507010104673065302a06082b06010505073001861e687474703a2f2f6f6373702e71756f7661646973676c6f62616c2e636f6d303706082b06010505073002862b687474703a2f2f74727573742e71756f7661646973676c6f62616c2e636f6d2f717673736c67322e637274301d0603551d110416301482127261646975732e6c656564732e61632e756b30510603551d20044a30483046060c2b06010401be5800026401013036303406082b060105050702011628687474703a2f2f7777772e71756f7661646973676c6f62616c2e636f6d2f7265706f7369746f7279300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302301f0603551d23041830168014911962ad5b17a730fbf0de3925b1bd8cb9b85127303a0603551d1f043330
(2,1) Message-Authenticator = 0x00000000000000000000000000000000
(2,1) State = 0x02033800aecc10fa3b39393138ab9701
(2,1) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 79 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293
(3) User-Name = "testuser at realm"
(3) Chargeable-User-Identity = 0x00
(3) Location-Capable = Civix-Location
(3) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(3) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(3) NAS-Port = 13
(3) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(3) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(3) NAS-IP-Address = Y.Y.Y.Y
(3) NAS-Identifier = "WM13"
(3) Airespace-Wlan-Id = 8
(3) Service-Type = Framed-User
(3) Framed-MTU = 1300
(3) NAS-Port-Type = Wireless-802.11
(3) Tunnel-Type:0 = VLAN
(3) Tunnel-Medium-Type:0 = IEEE-802
(3) Tunnel-Private-Group-Id:0 = "446"
(3) EAP-Message = 0x020300061900
(3) State = 0x02033800aecc10fa3b39393138ab9701
(3) Message-Authenticator = 0x34efdefe25b8b008e5bac82e18ee94ff
(3,1) Running section authorize from file /etc/raddb/sites-enabled/default
(3,1) authorize {
(3,1) local_rewrite_called_station_id {
(3,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(3,1) update request {
(3,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(3,1) --> 64:AE:0C:91:42:60
(3,1) &Called-Station-Id := 64:AE:0C:91:42:60
(3,1) } # update request (noop)
(3,1) if ("%{8}") {
(3,1) EXPAND %{8}
(3,1) --> RADIUS-TEST
(3,1) update request {
(3,1) EXPAND %{8}
(3,1) --> RADIUS-TEST
(3,1) &Called-Station-SSID := RADIUS-TEST
(3,1) } # update request (noop)
(3,1) } # if ("%{8}") (noop)
(3,1) updated (updated)
(3,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(3,1) else {
(3,1) ... skipping else for request 3: Preceding "if" was taken
(3,1) }
(3,1) } # local_rewrite_called_station_id (updated)
(3,1) local_rewrite_calling_station_id {
(3,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(3,1) update request {
(3,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(3,1) --> A4:D1:8C:E4:9F:22
(3,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(3,1) } # update request (noop)
(3,1) updated (updated)
(3,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(3,1) else {
(3,1) ... skipping else for request 3: Preceding "if" was taken
(3,1) }
(3,1) } # local_rewrite_calling_station_id (updated)
(3,1) filter_username {
(3,1) if (&User-Name) {
(3,1) if (&User-Name =~ / /) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /@[^@]*@/ ) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /\.\./ ) {
(3,1) ...
(3,1) }
(3,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /\.$/) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /@\./) {
(3,1) ...
(3,1) }
(3,1) } # if (&User-Name) (updated)
(3,1) } # filter_username (updated)
(3,1) bad_realms {
(3,1) if (&User-Name =~ /\.ax\.uk$/i) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /@ac\.uk$/i) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /myabc\.com$/i) {
(3,1) ...
(3,1) }
(3,1) } # bad_realms (updated)
(3,1) preprocess (ok)
(3,1) operator-name.authorize {
(3,1) if ("%{client:Operator-Name}") {
(3,1) EXPAND %{client:Operator-Name}
(3,1) --> 1realm.ac.uk
(3,1) update request {
(3,1) EXPAND %{client:Operator-Name}
(3,1) --> 1realm.ac.uk
(3,1) &Operator-Name = 1realm.ac.uk
(3,1) } # update request (noop)
(3,1) } # if ("%{client:Operator-Name}") (noop)
(3,1) } # operator-name.authorize (noop)
(3,1) suffix - Checking for suffix after "@"
(3,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser at realm"
(3,1) suffix - Found realm "realm.ac.uk"
(3,1) suffix - Adding Stripped-User-Name = "testuser"
(3,1) suffix - Adding Realm = "realm.ac.uk"
(3,1) suffix - Authentication realm is LOCAL
(3,1) suffix (ok)
(3,1) if (&Realm) {
(3,1) update control {
(3,1) &control:Proxy-To-Realm := LOCAL
(3,1) } # update control (noop)
(3,1) } # if (&Realm) (noop)
(3,1) else {
(3,1) ... skipping else for request 3: Preceding "if" was taken
(3,1) }
(3,1) if (&Realm) {
(3,1) if (&Stripped-User-Name != "") {
(3,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(3,1) EXPAND %{tolower:%{Stripped-User-Name}}
(3,1) --> testuser
(3,1) ...
(3,1) }
(3,1) group {
(3,1) check_blacklist (ok)
(3,1) if (&control:Local-Banned-User) {
(3,1) ...
(3,1) }
(3,1) else {
(3,1) noop (noop)
(3,1) } # else (noop)
(3,1) } # group (ok)
(3,1) } # if (&Stripped-User-Name != "") (ok)
(3,1) } # if (&Realm) (ok)
(3,1) eap - Peer sent EAP Response (code 2) ID 3 length 6
(3,1) eap - Continuing tunnel setup
(3,1) eap (ok)
(3,1) } # authorize (ok)
(3,1) Using 'Auth-Type = eap' for authenticate {...}
(3,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(3,1) Auth-Type eap {
(3,1) eap - Peer sent packet with EAP method PEAP (25)
(3,1) eap - Calling submodule eap_peap to process data
(3,1) eap_peap - Continuing EAP-TLS
(3,1) eap_peap - Peer ACKed our handshake fragment
(3,1) eap_peap - [eap-tls verify] = request
(3,1) eap_peap - Sending additional TLS record fragment (994 bytes), 1071 bytes remaining
(3,1) eap_peap - [eap-tls process] = handled
(3,1) eap - Sending EAP Request (code 1) ID 4 length 1000
(3,1) eap (handled)
(3,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(3,1) EXPAND Response-Packet-Type
(3,1) --> Access-Challenge
(3,1) attr_filter.access_challenge - EXPAND %{User-Name}
(3,1) attr_filter.access_challenge - --> testuser at realm
(3,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(3,1) attr_filter.access_challenge.post-auth (updated)
(3,1) handled (handled)
(3,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(3,1) } # Auth-Type eap (handled)
(3,1) Using Post-Auth-Type Challenge
(3,1) Post-Auth-Type sub-section not found. Ignoring.
(3,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(3,1) Sent Access-Challenge Id 79 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(3,1) EAP-Message = 0x010403e8194031302fa02da02b8629687474703a2f2f63726c2e71756f7661646973676c6f62616c2e636f6d2f717673736c67322e63726c301d0603551d0e0416041431cc0012c0528beb4f3ff6c7fb7f8265057c0dd9300d06092a864886f70d01010b05000382010100a7d52e44c1f46b51a9d7395b2a3822ec0ebd0fb9f6af1fbd6f72ee6495c8a74c83db45fc958dad681d19859b9c8c6bc988c4b727276d669ac9945dee1cf9c7916e21175104d073a1c26c901ba390d68354fdd2296bde3526405803dc37b8df49525a563c2db126dba32be5e33f646624c1e675da984a6bfef13f69019afe7664874b04c9b4b64abd637a8ad66929f0d148e5f8efdb9b298bfcc2d083c67c1fa115dced735d0f184950cbb99c6cfdbebd9e18f57f8735f3b90787cfb1618e2c4bb3a5f54a5f83f5c2683e2c6dfd25c31675d046143c13b5c5fa72b39a93c2242e5308853a9361af20d5a0c5a441246b2255b75870d43c8b2ef14cc183018b6ad20005503082054c30820334a003020102021448982de2a92cb339e1c8f933358275d3e4f88255300d06092a864886f70d01010b05003045310b300906035504061302424d31193017060355040a131051756f5661646973204c696d69746564311b30190603550403131251756f566164697320526f6f742043412032301e170d3133303630313133333530355a170d3233303630313133333530355a304d310b300906035504061302424d31193017060355040a131051756f5661646973204c696d69746564312330210603550403131a51756f566164697320476c6f62616c2053534c2049434120473230820122300d06092a864886f70d01010105000382010f003082010a0282010100e1e1856994c08f57fa34fec1b868e49990a9887ace57b7d0e4b554c2187dd0c319e8a96380f7b7dcd219a35ab060d976b41d325635f16ca39c42a18b8a233597417b056984288ece1e4d8b6024f1b488fec050f6c28fae9774f940aa6ef686b3a4e9c75f746514f43ddcbe4ea398645fe3066cc18fb61f5c9996c657c2cbad94890eadbeffb80ba5b638fbb54781d40fca09f10a3b120d1c0fe185b01336c3cb287dfca5f8373aa4ab404663829540bb12ac963f457df79de5037e24b89665631c5d8208414e7f6b5a8690c3f2ebe459f45e077b7d84b7ff31a199762f56cb80c489fc1a4f9869ea0b67c1fdb54be70c3de5107cef22c30fc6ab5dec881c55a30203010001a382012a3082012630120603551d130101ff040830060101ff02010030110603551d20040a300830060604551d2000307206082b0601050507010104663064302a06082b06010505073001861e687474703a2f2f6f6373702e71756f7661646973676c6f62616c2e636f6d30
(3,1) Message-Authenticator = 0x00000000000000000000000000000000
(3,1) State = 0x030138003637b8d43b39393138ab9701
(3,1) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 80 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293
(4) User-Name = "testuser at realm"
(4) Chargeable-User-Identity = 0x00
(4) Location-Capable = Civix-Location
(4) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(4) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(4) NAS-Port = 13
(4) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(4) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(4) NAS-IP-Address = Y.Y.Y.Y
(4) NAS-Identifier = "WM13"
(4) Airespace-Wlan-Id = 8
(4) Service-Type = Framed-User
(4) Framed-MTU = 1300
(4) NAS-Port-Type = Wireless-802.11
(4) Tunnel-Type:0 = VLAN
(4) Tunnel-Medium-Type:0 = IEEE-802
(4) Tunnel-Private-Group-Id:0 = "446"
(4) EAP-Message = 0x020400061900
(4) State = 0x030138003637b8d43b39393138ab9701
(4) Message-Authenticator = 0x1443c965ed70ea0cdba34b15c0f14054
(4,1) Running section authorize from file /etc/raddb/sites-enabled/default
(4,1) authorize {
(4,1) local_rewrite_called_station_id {
(4,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(4,1) update request {
(4,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(4,1) --> 64:AE:0C:91:42:60
(4,1) &Called-Station-Id := 64:AE:0C:91:42:60
(4,1) } # update request (noop)
(4,1) if ("%{8}") {
(4,1) EXPAND %{8}
(4,1) --> RADIUS-TEST
(4,1) update request {
(4,1) EXPAND %{8}
(4,1) --> RADIUS-TEST
(4,1) &Called-Station-SSID := RADIUS-TEST
(4,1) } # update request (noop)
(4,1) } # if ("%{8}") (noop)
(4,1) updated (updated)
(4,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(4,1) else {
(4,1) ... skipping else for request 4: Preceding "if" was taken
(4,1) }
(4,1) } # local_rewrite_called_station_id (updated)
(4,1) local_rewrite_calling_station_id {
(4,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(4,1) update request {
(4,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(4,1) --> A4:D1:8C:E4:9F:22
(4,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(4,1) } # update request (noop)
(4,1) updated (updated)
(4,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(4,1) else {
(4,1) ... skipping else for request 4: Preceding "if" was taken
(4,1) }
(4,1) } # local_rewrite_calling_station_id (updated)
(4,1) filter_username {
(4,1) if (&User-Name) {
(4,1) if (&User-Name =~ / /) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /@[^@]*@/ ) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /\.\./ ) {
(4,1) ...
(4,1) }
(4,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /\.$/) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /@\./) {
(4,1) ...
(4,1) }
(4,1) } # if (&User-Name) (updated)
(4,1) } # filter_username (updated)
(4,1) bad_realms {
(4,1) if (&User-Name =~ /\.ax\.uk$/i) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /@ac\.uk$/i) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /myabc\.com$/i) {
(4,1) ...
(4,1) }
(4,1) } # bad_realms (updated)
(4,1) preprocess (ok)
(4,1) operator-name.authorize {
(4,1) if ("%{client:Operator-Name}") {
(4,1) EXPAND %{client:Operator-Name}
(4,1) --> 1realm.ac.uk
(4,1) update request {
(4,1) EXPAND %{client:Operator-Name}
(4,1) --> 1realm.ac.uk
(4,1) &Operator-Name = 1realm.ac.uk
(4,1) } # update request (noop)
(4,1) } # if ("%{client:Operator-Name}") (noop)
(4,1) } # operator-name.authorize (noop)
(4,1) suffix - Checking for suffix after "@"
(4,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser at realm"
(4,1) suffix - Found realm "realm.ac.uk"
(4,1) suffix - Adding Stripped-User-Name = "testuser"
(4,1) suffix - Adding Realm = "realm.ac.uk"
(4,1) suffix - Authentication realm is LOCAL
(4,1) suffix (ok)
(4,1) if (&Realm) {
(4,1) update control {
(4,1) &control:Proxy-To-Realm := LOCAL
(4,1) } # update control (noop)
(4,1) } # if (&Realm) (noop)
(4,1) else {
(4,1) ... skipping else for request 4: Preceding "if" was taken
(4,1) }
(4,1) if (&Realm) {
(4,1) if (&Stripped-User-Name != "") {
(4,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(4,1) EXPAND %{tolower:%{Stripped-User-Name}}
(4,1) --> testuser
(4,1) ...
(4,1) }
(4,1) group {
(4,1) check_blacklist (ok)
(4,1) if (&control:Local-Banned-User) {
(4,1) ...
(4,1) }
(4,1) else {
(4,1) noop (noop)
(4,1) } # else (noop)
(4,1) } # group (ok)
(4,1) } # if (&Stripped-User-Name != "") (ok)
(4,1) } # if (&Realm) (ok)
(4,1) eap - Peer sent EAP Response (code 2) ID 4 length 6
(4,1) eap - Continuing tunnel setup
(4,1) eap (ok)
(4,1) } # authorize (ok)
(4,1) Using 'Auth-Type = eap' for authenticate {...}
(4,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(4,1) Auth-Type eap {
(4,1) eap - Peer sent packet with EAP method PEAP (25)
(4,1) eap - Calling submodule eap_peap to process data
(4,1) eap_peap - Continuing EAP-TLS
(4,1) eap_peap - Peer ACKed our handshake fragment
(4,1) eap_peap - [eap-tls verify] = request
(4,1) eap_peap - Sending additional TLS record fragment (994 bytes), 77 bytes remaining
(4,1) eap_peap - [eap-tls process] = handled
(4,1) eap - Sending EAP Request (code 1) ID 5 length 1000
(4,1) eap (handled)
(4,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(4,1) EXPAND Response-Packet-Type
(4,1) --> Access-Challenge
(4,1) attr_filter.access_challenge - EXPAND %{User-Name}
(4,1) attr_filter.access_challenge - --> testuser at realm
(4,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(4,1) attr_filter.access_challenge.post-auth (updated)
(4,1) handled (handled)
(4,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(4,1) } # Auth-Type eap (handled)
(4,1) Using Post-Auth-Type Challenge
(4,1) Post-Auth-Type sub-section not found. Ignoring.
(4,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(4,1) Sent Access-Challenge Id 80 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(4,1) EAP-Message = 0x010503e819403606082b06010505073002862a687474703a2f2f74727573742e71756f7661646973676c6f62616c2e636f6d2f7176726361322e637274300e0603551d0f0101ff040403020106301f0603551d230418301680141a8462bc484c332504d4eed0f603c41946d1946b30390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e71756f7661646973676c6f62616c2e636f6d2f7176726361322e63726c301d0603551d0e04160414911962ad5b17a730fbf0de3925b1bd8cb9b85127300d06092a864886f70d01010b050003820201007c0a60820041b52dcc39e5f4db6bce008a9c0c89e6727453b96dc221e54c975a0599e8e3f88dbffa2da89f10c2e34420b4994d781ba3eb3d4fa265088869eed7e446af866113100f096cb2028e20f873d63af9b80cb78b3310f899d9200b3908f5d01af81ca41fcbf3af6de7516cb6b1a7daa50c6e2a2604addee8a40c82526abc7a9a9804417bb4d1464d92211851f78ef215c65eb65bb439e4b9a8950ed33ab3dc98a5ca3217114eace46b120562688ecfdc425a0d8988e880d420f69204ce86ad532268835810c04bd6fda3662f2b5c3634c95b19ff40c021088204d36f4f53634394a7d44f8ef99062a830feac1bc1a0fb08eb275f74ab49babe582fe3a89092b678badc7bcdbcedac0871df053110dc670fcd5f56dcf2e2b27b9382b70a50d1de232f87a6b97c05bfc4ea51b661db1252872cb9edcab0dea5a804eb3f596cdadbdfc7ba7f0f5e442865ea7063fc5cfbd9c8d4d68a33c36a852a89353265bd78fbcdbde67696dedd847d0644973eba2537b97928ec79e2027b909eebeaa25826ec74dc7c8f335d4aa78c1f767d51b02d944396b00ba7e0ff75c4d87655932a898cac2a8789c56a22b910c57b0c7438a09c7d724983c3aa41bc36a83e8917cb375f27bda7fb525f1c63fec28ae472228d95d82a617e89e233eb08810806bb43b5ae10c4fd744f277d445bb5dd7984f12622fd55efadfde7ae241f019fe748160301014b0c0001470300174104356f9c0ffc364039f66ce9ba8838433a255ea2a399b34afbecaa477b7942a55279ca97694b8f9bf039e0cfb476d1d5b7addccdfb40abfd08e74a23a89104c93501002e556ff2c5c79a3c84eae2e8a77fcb7263c10644d4b699a1d5ea92aa93a2c37fb98d01b49885178ef67475a7bfa4c53029c5ff0d9ca42702cc6e7e8ba9cc7149442ed24e26f5ecb814be162323a3f86596628d2357842d946bfb18bcf0eef9421dbe502d58003cc6edfa496b89c0d24c5e04cb7006be2e797a17a603e9ed8d91bfdff22a264a12245e96a6538b148658affc8899f72a0cfd57ecde4d06fcb40957c6b416b686579c01f6415f69b7064f3fdd2e12d8ba96fe861c2c08
(4,1) Message-Authenticator = 0x00000000000000000000000000000000
(4,1) State = 0x04073800aecc10fa3b39393138ab9701
(4,1) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 81 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293
(5) User-Name = "testuser at realm"
(5) Chargeable-User-Identity = 0x00
(5) Location-Capable = Civix-Location
(5) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(5) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(5) NAS-Port = 13
(5) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(5) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(5) NAS-IP-Address = Y.Y.Y.Y
(5) NAS-Identifier = "WM13"
(5) Airespace-Wlan-Id = 8
(5) Service-Type = Framed-User
(5) Framed-MTU = 1300
(5) NAS-Port-Type = Wireless-802.11
(5) Tunnel-Type:0 = VLAN
(5) Tunnel-Medium-Type:0 = IEEE-802
(5) Tunnel-Private-Group-Id:0 = "446"
(5) EAP-Message = 0x020500061900
(5) State = 0x04073800aecc10fa3b39393138ab9701
(5) Message-Authenticator = 0x71120286c728aae1154c25c60db52811
(5,1) Running section authorize from file /etc/raddb/sites-enabled/default
(5,1) authorize {
(5,1) local_rewrite_called_station_id {
(5,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(5,1) update request {
(5,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(5,1) --> 64:AE:0C:91:42:60
(5,1) &Called-Station-Id := 64:AE:0C:91:42:60
(5,1) } # update request (noop)
(5,1) if ("%{8}") {
(5,1) EXPAND %{8}
(5,1) --> RADIUS-TEST
(5,1) update request {
(5,1) EXPAND %{8}
(5,1) --> RADIUS-TEST
(5,1) &Called-Station-SSID := RADIUS-TEST
(5,1) } # update request (noop)
(5,1) } # if ("%{8}") (noop)
(5,1) updated (updated)
(5,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(5,1) else {
(5,1) ... skipping else for request 5: Preceding "if" was taken
(5,1) }
(5,1) } # local_rewrite_called_station_id (updated)
(5,1) local_rewrite_calling_station_id {
(5,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(5,1) update request {
(5,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(5,1) --> A4:D1:8C:E4:9F:22
(5,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(5,1) } # update request (noop)
(5,1) updated (updated)
(5,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(5,1) else {
(5,1) ... skipping else for request 5: Preceding "if" was taken
(5,1) }
(5,1) } # local_rewrite_calling_station_id (updated)
(5,1) filter_username {
(5,1) if (&User-Name) {
(5,1) if (&User-Name =~ / /) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /@[^@]*@/ ) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /\.\./ ) {
(5,1) ...
(5,1) }
(5,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /\.$/) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /@\./) {
(5,1) ...
(5,1) }
(5,1) } # if (&User-Name) (updated)
(5,1) } # filter_username (updated)
(5,1) bad_realms {
(5,1) if (&User-Name =~ /\.ax\.uk$/i) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /@ac\.uk$/i) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /myabc\.com$/i) {
(5,1) ...
(5,1) }
(5,1) } # bad_realms (updated)
(5,1) preprocess (ok)
(5,1) operator-name.authorize {
(5,1) if ("%{client:Operator-Name}") {
(5,1) EXPAND %{client:Operator-Name}
(5,1) --> 1realm.ac.uk
(5,1) update request {
(5,1) EXPAND %{client:Operator-Name}
(5,1) --> 1realm.ac.uk
(5,1) &Operator-Name = 1realm.ac.uk
(5,1) } # update request (noop)
(5,1) } # if ("%{client:Operator-Name}") (noop)
(5,1) } # operator-name.authorize (noop)
(5,1) suffix - Checking for suffix after "@"
(5,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser at realm"
(5,1) suffix - Found realm "realm.ac.uk"
(5,1) suffix - Adding Stripped-User-Name = "testuser"
(5,1) suffix - Adding Realm = "realm.ac.uk"
(5,1) suffix - Authentication realm is LOCAL
(5,1) suffix (ok)
(5,1) if (&Realm) {
(5,1) update control {
(5,1) &control:Proxy-To-Realm := LOCAL
(5,1) } # update control (noop)
(5,1) } # if (&Realm) (noop)
(5,1) else {
(5,1) ... skipping else for request 5: Preceding "if" was taken
(5,1) }
(5,1) if (&Realm) {
(5,1) if (&Stripped-User-Name != "") {
(5,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(5,1) EXPAND %{tolower:%{Stripped-User-Name}}
(5,1) --> testuser
(5,1) ...
(5,1) }
(5,1) group {
(5,1) check_blacklist (ok)
(5,1) if (&control:Local-Banned-User) {
(5,1) ...
(5,1) }
(5,1) else {
(5,1) noop (noop)
(5,1) } # else (noop)
(5,1) } # group (ok)
(5,1) } # if (&Stripped-User-Name != "") (ok)
(5,1) } # if (&Realm) (ok)
(5,1) eap - Peer sent EAP Response (code 2) ID 5 length 6
(5,1) eap - Continuing tunnel setup
(5,1) eap (ok)
(5,1) } # authorize (ok)
(5,1) Using 'Auth-Type = eap' for authenticate {...}
(5,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(5,1) Auth-Type eap {
(5,1) eap - Peer sent packet with EAP method PEAP (25)
(5,1) eap - Calling submodule eap_peap to process data
(5,1) eap_peap - Continuing EAP-TLS
(5,1) eap_peap - Peer ACKed our handshake fragment
(5,1) eap_peap - [eap-tls verify] = request
(5,1) eap_peap - Sending final TLS record fragment (77 bytes)
(5,1) eap_peap - [eap-tls process] = handled
(5,1) eap - Sending EAP Request (code 1) ID 6 length 83
(5,1) eap (handled)
(5,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(5,1) EXPAND Response-Packet-Type
(5,1) --> Access-Challenge
(5,1) attr_filter.access_challenge - EXPAND %{User-Name}
(5,1) attr_filter.access_challenge - --> testuser at realm
(5,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(5,1) attr_filter.access_challenge.post-auth (updated)
(5,1) handled (handled)
(5,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(5,1) } # Auth-Type eap (handled)
(5,1) Using Post-Auth-Type Challenge
(5,1) Post-Auth-Type sub-section not found. Ignoring.
(5,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(5,1) Sent Access-Challenge Id 81 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(5,1) EAP-Message = 0x0106005319004e06bbcfa59586d7b2ff4301f7a4dced7726344b96c142ba4f7edda40388cd1960d4509a41a041f4a249841cb2d310f71b7289440659999943f6e9e8d339d98ba10c468116030100040e000000
(5,1) Message-Authenticator = 0x00000000000000000000000000000000
(5,1) State = 0x050138003637b8d43b39393138ab9701
(5,1) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 82 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 431
(6) User-Name = "testuser at realm"
(6) Chargeable-User-Identity = 0x00
(6) Location-Capable = Civix-Location
(6) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(6) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(6) NAS-Port = 13
(6) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(6) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(6) NAS-IP-Address = Y.Y.Y.Y
(6) NAS-Identifier = "WM13"
(6) Airespace-Wlan-Id = 8
(6) Service-Type = Framed-User
(6) Framed-MTU = 1300
(6) NAS-Port-Type = Wireless-802.11
(6) Tunnel-Type:0 = VLAN
(6) Tunnel-Medium-Type:0 = IEEE-802
(6) Tunnel-Private-Group-Id:0 = "446"
(6) EAP-Message = 0x0206009019800000008616030100461000004241042a5475e41a0623c852b7ef77add0a1b3f495bfe644190191922bd6567c29c76dd46784c71d47f29e9688a6fe7998febd4ebee0a3b1dd33fe0b604b4c3ec38308140301000101160301003048686a4b033d40f5f9526b1c98c9c4ea528ac0c54e84251ef82fb6efe6c197f662f7468f1631afe64f0846e6f63ad3bf
(6) State = 0x050138003637b8d43b39393138ab9701
(6) Message-Authenticator = 0x8c61c24db4bce0512a7cfd792ebe1ec6
(6,1) Running section authorize from file /etc/raddb/sites-enabled/default
(6,1) authorize {
(6,1) local_rewrite_called_station_id {
(6,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(6,1) update request {
(6,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(6,1) --> 64:AE:0C:91:42:60
(6,1) &Called-Station-Id := 64:AE:0C:91:42:60
(6,1) } # update request (noop)
(6,1) if ("%{8}") {
(6,1) EXPAND %{8}
(6,1) --> RADIUS-TEST
(6,1) update request {
(6,1) EXPAND %{8}
(6,1) --> RADIUS-TEST
(6,1) &Called-Station-SSID := RADIUS-TEST
(6,1) } # update request (noop)
(6,1) } # if ("%{8}") (noop)
(6,1) updated (updated)
(6,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(6,1) else {
(6,1) ... skipping else for request 6: Preceding "if" was taken
(6,1) }
(6,1) } # local_rewrite_called_station_id (updated)
(6,1) local_rewrite_calling_station_id {
(6,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(6,1) update request {
(6,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(6,1) --> A4:D1:8C:E4:9F:22
(6,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(6,1) } # update request (noop)
(6,1) updated (updated)
(6,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(6,1) else {
(6,1) ... skipping else for request 6: Preceding "if" was taken
(6,1) }
(6,1) } # local_rewrite_calling_station_id (updated)
(6,1) filter_username {
(6,1) if (&User-Name) {
(6,1) if (&User-Name =~ / /) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /@[^@]*@/ ) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /\.\./ ) {
(6,1) ...
(6,1) }
(6,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /\.$/) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /@\./) {
(6,1) ...
(6,1) }
(6,1) } # if (&User-Name) (updated)
(6,1) } # filter_username (updated)
(6,1) bad_realms {
(6,1) if (&User-Name =~ /\.ax\.uk$/i) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /@ac\.uk$/i) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /myabc\.com$/i) {
(6,1) ...
(6,1) }
(6,1) } # bad_realms (updated)
(6,1) preprocess (ok)
(6,1) operator-name.authorize {
(6,1) if ("%{client:Operator-Name}") {
(6,1) EXPAND %{client:Operator-Name}
(6,1) --> 1realm.ac.uk
(6,1) update request {
(6,1) EXPAND %{client:Operator-Name}
(6,1) --> 1realm.ac.uk
(6,1) &Operator-Name = 1realm.ac.uk
(6,1) } # update request (noop)
(6,1) } # if ("%{client:Operator-Name}") (noop)
(6,1) } # operator-name.authorize (noop)
(6,1) suffix - Checking for suffix after "@"
(6,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser at realm"
(6,1) suffix - Found realm "realm.ac.uk"
(6,1) suffix - Adding Stripped-User-Name = "testuser"
(6,1) suffix - Adding Realm = "realm.ac.uk"
(6,1) suffix - Authentication realm is LOCAL
(6,1) suffix (ok)
(6,1) if (&Realm) {
(6,1) update control {
(6,1) &control:Proxy-To-Realm := LOCAL
(6,1) } # update control (noop)
(6,1) } # if (&Realm) (noop)
(6,1) else {
(6,1) ... skipping else for request 6: Preceding "if" was taken
(6,1) }
(6,1) if (&Realm) {
(6,1) if (&Stripped-User-Name != "") {
(6,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(6,1) EXPAND %{tolower:%{Stripped-User-Name}}
(6,1) --> testuser
(6,1) ...
(6,1) }
(6,1) group {
(6,1) check_blacklist (ok)
(6,1) if (&control:Local-Banned-User) {
(6,1) ...
(6,1) }
(6,1) else {
(6,1) noop (noop)
(6,1) } # else (noop)
(6,1) } # group (ok)
(6,1) } # if (&Stripped-User-Name != "") (ok)
(6,1) } # if (&Realm) (ok)
(6,1) eap - Peer sent EAP Response (code 2) ID 6 length 144
(6,1) eap - Continuing tunnel setup
(6,1) eap (ok)
(6,1) } # authorize (ok)
(6,1) Using 'Auth-Type = eap' for authenticate {...}
(6,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(6,1) Auth-Type eap {
(6,1) eap - Peer sent packet with EAP method PEAP (25)
(6,1) eap - Calling submodule eap_peap to process data
(6,1) eap_peap - Continuing EAP-TLS
(6,1) eap_peap - Peer indicated complete TLS record size will be 134 bytes
(6,1) eap_peap - Got complete TLS record, with length field (134 bytes)
(6,1) eap_peap - [eap-tls verify] = complete
(6,1) eap_peap - <<< recv handshake [length 70], client_key_exchange
(6,1) eap_peap - Handshake state - Server SSLv3 read client key exchange A
(6,1) eap_peap - <<< recv change_cipher_spec [length 1]
(6,1) eap_peap - <<< recv handshake [length 16], finished
(6,1) eap_peap - Handshake state - Server SSLv3 read finished A
(6,1) eap_peap - >>> send change_cipher_spec [length 1]
(6,1) eap_peap - Handshake state - Server SSLv3 write change cipher spec A
(6,1) eap_peap - >>> send handshake [length 16], finished
(6,1) eap_peap - Handshake state - Server SSLv3 write finished A
(6,1) eap_peap - Handshake state - Server SSLv3 flush data
(6,1) eap_peap - Handshake state - SSL negotiation finished successfully
(6,1) eap_peap - Cipher suite: CDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
(6,1) eap_peap - Sending complete TLS record (59 bytes)
(6,1) eap_peap - [eap-tls process] = handled
(6,1) eap - Sending EAP Request (code 1) ID 7 length 65
(6,1) eap (handled)
(6,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(6,1) EXPAND Response-Packet-Type
(6,1) --> Access-Challenge
(6,1) attr_filter.access_challenge - EXPAND %{User-Name}
(6,1) attr_filter.access_challenge - --> testuser at realm
(6,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(6,1) attr_filter.access_challenge.post-auth (updated)
(6,1) handled (handled)
(6,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(6,1) } # Auth-Type eap (handled)
(6,1) Using Post-Auth-Type Challenge
(6,1) Post-Auth-Type sub-section not found. Ignoring.
(6,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(6,1) Sent Access-Challenge Id 82 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(6,1) EAP-Message = 0x01070041190014030100010116030100306c8dcb9afcb8f73b414f202b96d6efd0bab2bd9ad150291d1ce462a9f4c7055f7c55a31447a4b2d6e724095cfc6c65d1
(6,1) Message-Authenticator = 0x00000000000000000000000000000000
(6,1) State = 0x06033800aecc10fa3b39393138ab9701
(6,1) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 83 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293
(7) User-Name = "testuser at realm"
(7) Chargeable-User-Identity = 0x00
(7) Location-Capable = Civix-Location
(7) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(7) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(7) NAS-Port = 13
(7) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(7) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(7) NAS-IP-Address = Y.Y.Y.Y
(7) NAS-Identifier = "WM13"
(7) Airespace-Wlan-Id = 8
(7) Service-Type = Framed-User
(7) Framed-MTU = 1300
(7) NAS-Port-Type = Wireless-802.11
(7) Tunnel-Type:0 = VLAN
(7) Tunnel-Medium-Type:0 = IEEE-802
(7) Tunnel-Private-Group-Id:0 = "446"
(7) EAP-Message = 0x020700061900
(7) State = 0x06033800aecc10fa3b39393138ab9701
(7) Message-Authenticator = 0x555162762d19bd82d35f798dba8e28aa
(7,1) Running section authorize from file /etc/raddb/sites-enabled/default
(7,1) authorize {
(7,1) local_rewrite_called_station_id {
(7,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(7,1) update request {
(7,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(7,1) --> 64:AE:0C:91:42:60
(7,1) &Called-Station-Id := 64:AE:0C:91:42:60
(7,1) } # update request (noop)
(7,1) if ("%{8}") {
(7,1) EXPAND %{8}
(7,1) --> RADIUS-TEST
(7,1) update request {
(7,1) EXPAND %{8}
(7,1) --> RADIUS-TEST
(7,1) &Called-Station-SSID := RADIUS-TEST
(7,1) } # update request (noop)
(7,1) } # if ("%{8}") (noop)
(7,1) updated (updated)
(7,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(7,1) else {
(7,1) ... skipping else for request 7: Preceding "if" was taken
(7,1) }
(7,1) } # local_rewrite_called_station_id (updated)
(7,1) local_rewrite_calling_station_id {
(7,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(7,1) update request {
(7,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(7,1) --> A4:D1:8C:E4:9F:22
(7,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(7,1) } # update request (noop)
(7,1) updated (updated)
(7,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(7,1) else {
(7,1) ... skipping else for request 7: Preceding "if" was taken
(7,1) }
(7,1) } # local_rewrite_calling_station_id (updated)
(7,1) filter_username {
(7,1) if (&User-Name) {
(7,1) if (&User-Name =~ / /) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /@[^@]*@/ ) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /\.\./ ) {
(7,1) ...
(7,1) }
(7,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /\.$/) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /@\./) {
(7,1) ...
(7,1) }
(7,1) } # if (&User-Name) (updated)
(7,1) } # filter_username (updated)
(7,1) bad_realms {
(7,1) if (&User-Name =~ /\.ax\.uk$/i) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /@ac\.uk$/i) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /myabc\.com$/i) {
(7,1) ...
(7,1) }
(7,1) } # bad_realms (updated)
(7,1) preprocess (ok)
(7,1) operator-name.authorize {
(7,1) if ("%{client:Operator-Name}") {
(7,1) EXPAND %{client:Operator-Name}
(7,1) --> 1realm.ac.uk
(7,1) update request {
(7,1) EXPAND %{client:Operator-Name}
(7,1) --> 1realm.ac.uk
(7,1) &Operator-Name = 1realm.ac.uk
(7,1) } # update request (noop)
(7,1) } # if ("%{client:Operator-Name}") (noop)
(7,1) } # operator-name.authorize (noop)
(7,1) suffix - Checking for suffix after "@"
(7,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser at realm"
(7,1) suffix - Found realm "realm.ac.uk"
(7,1) suffix - Adding Stripped-User-Name = "testuser"
(7,1) suffix - Adding Realm = "realm.ac.uk"
(7,1) suffix - Authentication realm is LOCAL
(7,1) suffix (ok)
(7,1) if (&Realm) {
(7,1) update control {
(7,1) &control:Proxy-To-Realm := LOCAL
(7,1) } # update control (noop)
(7,1) } # if (&Realm) (noop)
(7,1) else {
(7,1) ... skipping else for request 7: Preceding "if" was taken
(7,1) }
(7,1) if (&Realm) {
(7,1) if (&Stripped-User-Name != "") {
(7,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(7,1) EXPAND %{tolower:%{Stripped-User-Name}}
(7,1) --> testuser
(7,1) ...
(7,1) }
(7,1) group {
(7,1) check_blacklist (ok)
(7,1) if (&control:Local-Banned-User) {
(7,1) ...
(7,1) }
(7,1) else {
(7,1) noop (noop)
(7,1) } # else (noop)
(7,1) } # group (ok)
(7,1) } # if (&Stripped-User-Name != "") (ok)
(7,1) } # if (&Realm) (ok)
(7,1) eap - Peer sent EAP Response (code 2) ID 7 length 6
(7,1) eap - Continuing tunnel setup
(7,1) eap (ok)
(7,1) } # authorize (ok)
(7,1) Using 'Auth-Type = eap' for authenticate {...}
(7,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(7,1) Auth-Type eap {
(7,1) eap - Peer sent packet with EAP method PEAP (25)
(7,1) eap - Calling submodule eap_peap to process data
(7,1) eap_peap - Continuing EAP-TLS
(7,1) eap_peap - Peer ACKed our handshake fragment. handshake is finished
(7,1) eap_peap - [eap-tls verify] = established
(7,1) eap_peap - [eap-tls process] = established
(7,1) eap_peap - Session established. Decoding tunneled data
(7,1) eap_peap - PEAP state TUNNEL ESTABLISHED
(7,1) eap_peap - TLS application data to encrypt (5 bytes)
(7,1) eap_peap - Sending complete TLS record (37 bytes)
(7,1) eap - Sending EAP Request (code 1) ID 8 length 43
(7,1) eap (handled)
(7,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(7,1) EXPAND Response-Packet-Type
(7,1) --> Access-Challenge
(7,1) attr_filter.access_challenge - EXPAND %{User-Name}
(7,1) attr_filter.access_challenge - --> testuser at realm
(7,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(7,1) attr_filter.access_challenge.post-auth (updated)
(7,1) handled (handled)
(7,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(7,1) } # Auth-Type eap (handled)
(7,1) Using Post-Auth-Type Challenge
(7,1) Post-Auth-Type sub-section not found. Ignoring.
(7,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(7,1) Sent Access-Challenge Id 83 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(7,1) EAP-Message = 0x0108002b1900170301002029a24f1d8456037b9aeceb8fbc4df51362f49d1b863dae0ea1e7e356cad48d55
(7,1) Message-Authenticator = 0x00000000000000000000000000000000
(7,1) State = 0x070138003637b8d43b39393138ab9701
(7,1) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 84 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 346
(8) User-Name = "testuser at realm"
(8) Chargeable-User-Identity = 0x00
(8) Location-Capable = Civix-Location
(8) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(8) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(8) NAS-Port = 13
(8) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(8) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(8) NAS-IP-Address = Y.Y.Y.Y
(8) NAS-Identifier = "WM13"
(8) Airespace-Wlan-Id = 8
(8) Service-Type = Framed-User
(8) Framed-MTU = 1300
(8) NAS-Port-Type = Wireless-802.11
(8) Tunnel-Type:0 = VLAN
(8) Tunnel-Medium-Type:0 = IEEE-802
(8) Tunnel-Private-Group-Id:0 = "446"
(8) EAP-Message = 0x0208003b1900170301003012630f02d6ebc7a949180390128f6ca3bd2643ce89f12b1ea709648094fa2265ecdef69755c881656faf5d6debdb50f2
(8) State = 0x070138003637b8d43b39393138ab9701
(8) Message-Authenticator = 0x19dac562b9479efa42ea2766dc140211
(8,1) Running section authorize from file /etc/raddb/sites-enabled/default
(8,1) authorize {
(8,1) local_rewrite_called_station_id {
(8,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(8,1) update request {
(8,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(8,1) --> 64:AE:0C:91:42:60
(8,1) &Called-Station-Id := 64:AE:0C:91:42:60
(8,1) } # update request (noop)
(8,1) if ("%{8}") {
(8,1) EXPAND %{8}
(8,1) --> RADIUS-TEST
(8,1) update request {
(8,1) EXPAND %{8}
(8,1) --> RADIUS-TEST
(8,1) &Called-Station-SSID := RADIUS-TEST
(8,1) } # update request (noop)
(8,1) } # if ("%{8}") (noop)
(8,1) updated (updated)
(8,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(8,1) else {
(8,1) ... skipping else for request 8: Preceding "if" was taken
(8,1) }
(8,1) } # local_rewrite_called_station_id (updated)
(8,1) local_rewrite_calling_station_id {
(8,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(8,1) update request {
(8,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(8,1) --> A4:D1:8C:E4:9F:22
(8,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(8,1) } # update request (noop)
(8,1) updated (updated)
(8,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(8,1) else {
(8,1) ... skipping else for request 8: Preceding "if" was taken
(8,1) }
(8,1) } # local_rewrite_calling_station_id (updated)
(8,1) filter_username {
(8,1) if (&User-Name) {
(8,1) if (&User-Name =~ / /) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /@[^@]*@/ ) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /\.\./ ) {
(8,1) ...
(8,1) }
(8,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /\.$/) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /@\./) {
(8,1) ...
(8,1) }
(8,1) } # if (&User-Name) (updated)
(8,1) } # filter_username (updated)
(8,1) bad_realms {
(8,1) if (&User-Name =~ /\.ax\.uk$/i) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /@ac\.uk$/i) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /myabc\.com$/i) {
(8,1) ...
(8,1) }
(8,1) } # bad_realms (updated)
(8,1) preprocess (ok)
(8,1) operator-name.authorize {
(8,1) if ("%{client:Operator-Name}") {
(8,1) EXPAND %{client:Operator-Name}
(8,1) --> 1realm.ac.uk
(8,1) update request {
(8,1) EXPAND %{client:Operator-Name}
(8,1) --> 1realm.ac.uk
(8,1) &Operator-Name = 1realm.ac.uk
(8,1) } # update request (noop)
(8,1) } # if ("%{client:Operator-Name}") (noop)
(8,1) } # operator-name.authorize (noop)
(8,1) suffix - Checking for suffix after "@"
(8,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser at realm"
(8,1) suffix - Found realm "realm.ac.uk"
(8,1) suffix - Adding Stripped-User-Name = "testuser"
(8,1) suffix - Adding Realm = "realm.ac.uk"
(8,1) suffix - Authentication realm is LOCAL
(8,1) suffix (ok)
(8,1) if (&Realm) {
(8,1) update control {
(8,1) &control:Proxy-To-Realm := LOCAL
(8,1) } # update control (noop)
(8,1) } # if (&Realm) (noop)
(8,1) else {
(8,1) ... skipping else for request 8: Preceding "if" was taken
(8,1) }
(8,1) if (&Realm) {
(8,1) if (&Stripped-User-Name != "") {
(8,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(8,1) EXPAND %{tolower:%{Stripped-User-Name}}
(8,1) --> testuser
(8,1) ...
(8,1) }
(8,1) group {
(8,1) check_blacklist (ok)
(8,1) if (&control:Local-Banned-User) {
(8,1) ...
(8,1) }
(8,1) else {
(8,1) noop (noop)
(8,1) } # else (noop)
(8,1) } # group (ok)
(8,1) } # if (&Stripped-User-Name != "") (ok)
(8,1) } # if (&Realm) (ok)
(8,1) eap - Peer sent EAP Response (code 2) ID 8 length 59
(8,1) eap - Continuing tunnel setup
(8,1) eap (ok)
(8,1) } # authorize (ok)
(8,1) Using 'Auth-Type = eap' for authenticate {...}
(8,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(8,1) Auth-Type eap {
(8,1) eap - Peer sent packet with EAP method PEAP (25)
(8,1) eap - Calling submodule eap_peap to process data
(8,1) eap_peap - Continuing EAP-TLS
(8,1) eap_peap - Got complete TLS record (53 bytes)
(8,1) eap_peap - [eap-tls verify] = complete
(8,1) eap_peap - Decrypted TLS application data (19 bytes)
(8,1) eap_peap - [eap-tls process] = complete
(8,1) eap_peap - Session established. Decoding tunneled data
(8,1) eap_peap - PEAP state WAITING FOR INNER IDENTITY
(8,1) eap_peap - Received EAP-Identity-Response
(8,1) eap_peap - Got inner identity 'testuser at realm'
(8,1) eap_peap - Got tunneled request
(8,1) eap_peap - &EAP-Message = 0x020800170165636c366368406c656564732e61632e756b
(8,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser at realm"
(8,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel"
(8,1) Virtual server inner-tunnel received request
(8,1) &EAP-Message = 0x020800170165636c366368406c656564732e61632e756b
(8,1) &FreeRADIUS-Proxied-To = 127.0.0.1
(8,1) &User-Name = "testuser at realm"
(8,1) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8,1) server inner-tunnel {
(8,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8,1) authorize {
(8,1) filter_username {
(8,1) if (&User-Name) {
(8,1) if (&User-Name =~ / /) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /@[^@]*@/ ) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /\.\./ ) {
(8,1) ...
(8,1) }
(8,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /\.$/) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /@\./) {
(8,1) ...
(8,1) }
(8,1) } # if (&User-Name) (notfound)
(8,1) } # filter_username (notfound)
(8,1) local_filter_inner_identity {
(8,1) if (!&outer.request:User-Name || !&User-Name) {
(8,1) ...
(8,1) }
(8,1) if (&outer.request:User-Name != &User-Name) {
(8,1) ...
(8,1) }
(8,1) } # local_filter_inner_identity (notfound)
(8,1) chap (noop)
(8,1) if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) {
(8,1) mschap-ds (noop)
(8,1) } # if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) (noop)
(8,1) elsif (&outer.request:User-Name =~ /@admin\.realm\.ac\.uk$/i) {
(8,1) ... skipping elsif for request 8: Preceding "if" was taken
(8,1) }
(8,1) suffix - Checking for suffix after "@"
(8,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser at realm"
(8,1) suffix - Found realm "realm.ac.uk"
(8,1) suffix - Adding Stripped-User-Name = "testuser"
(8,1) suffix - Adding Realm = "realm.ac.uk"
(8,1) suffix - Authentication realm is LOCAL
(8,1) suffix (ok)
(8,1) if (&User-Name =~ /^@/) {
(8,1) ...
(8,1) }
(8,1) if (!(&Stripped-User-Name)) {
(8,1) ...
(8,1) }
(8,1) else {
(8,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(8,1) EXPAND %{tolower:%{Stripped-User-Name}}
(8,1) --> testuser
(8,1) ...
(8,1) }
(8,1) } # else (ok)
(8,1) group {
(8,1) check_blacklist (ok)
(8,1) if (&control:Local-Banned-User) {
(8,1) ...
(8,1) }
(8,1) else {
(8,1) noop (noop)
(8,1) } # else (noop)
(8,1) } # group (ok)
(8,1) update control {
(8,1) &control:Proxy-To-Realm := LOCAL
(8,1) } # update control (noop)
(8,1) eap - Peer sent EAP Response (code 2) ID 8 length 23
(8,1) eap - Peer sent EAP-Identity. Returning 'ok' so we can short-circuit the rest of authorize
(8,1) eap (ok)
(8,1) } # authorize (ok)
(8,1) Using 'Auth-Type = eap' for authenticate {...}
(8,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel
(8,1) Auth-Type eap {
(8,1) eap - Peer sent packet with EAP method Identity (1)
(8,1) eap - Calling submodule eap_peap to process data
(8,1) eap_peap - Initiating new TLS session
(8,1) eap - Sending EAP Request (code 1) ID 9 length 6
(8,1) eap (handled)
(8,1) } # Auth-Type eap (handled)
(8,1) } # server inner-tunnel
(8,1) Virtual server sending reply
(8,1) &EAP-Message = 0x010900061920
(8,1) &Message-Authenticator = 0x00000000000000000000000000000000
(8,1) eap_peap - Got tunneled reply Access-Challenge
(8,1) eap_peap - &EAP-Message = 0x010900061920
(8,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000
(8,1) eap_peap - Got tunneled Access-Challenge
(8,1) eap_peap - TLS application data to encrypt (2 bytes)
(8,1) eap_peap - Sending complete TLS record (37 bytes)
(8,1) eap - Sending EAP Request (code 1) ID 9 length 43
(8,1) eap (handled)
(8,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(8,1) EXPAND Response-Packet-Type
(8,1) --> Access-Challenge
(8,1) attr_filter.access_challenge - EXPAND %{User-Name}
(8,1) attr_filter.access_challenge - --> testuser at realm
(8,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(8,1) attr_filter.access_challenge.post-auth (updated)
(8,1) handled (handled)
(8,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(8,1) } # Auth-Type eap (handled)
(8,1) Using Post-Auth-Type Challenge
(8,1) Post-Auth-Type sub-section not found. Ignoring.
(8,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(8,1) Sent Access-Challenge Id 84 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(8,1) EAP-Message = 0x0109002b1900170301002082145b33c41958c36bec8f18c2f9da22934d020d4e6d14b2a45a7258b2f336af
(8,1) Message-Authenticator = 0x00000000000000000000000000000000
(8,1) State = 0x080f3800aecc10fa3b39393138ab9701
(8,1) Finished request
Waking up in 4.8 seconds.
(9) Received Access-Request Id 85 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 330
(9) User-Name = "testuser at realm"
(9) Chargeable-User-Identity = 0x00
(9) Location-Capable = Civix-Location
(9) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(9) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(9) NAS-Port = 13
(9) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(9) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(9) NAS-IP-Address = Y.Y.Y.Y
(9) NAS-Identifier = "WM13"
(9) Airespace-Wlan-Id = 8
(9) Service-Type = Framed-User
(9) Framed-MTU = 1300
(9) NAS-Port-Type = Wireless-802.11
(9) Tunnel-Type:0 = VLAN
(9) Tunnel-Medium-Type:0 = IEEE-802
(9) Tunnel-Private-Group-Id:0 = "446"
(9) EAP-Message = 0x0209002b19001703010020b5d3b91965958352c3a2297f539ee8f56616a107a36423c6b065b5bf73f4c0de
(9) State = 0x080f3800aecc10fa3b39393138ab9701
(9) Message-Authenticator = 0x1e0662ee3ffb7f6c36d8f70ecd544acf
(9,1) Running section authorize from file /etc/raddb/sites-enabled/default
(9,1) authorize {
(9,1) local_rewrite_called_station_id {
(9,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(9,1) update request {
(9,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(9,1) --> 64:AE:0C:91:42:60
(9,1) &Called-Station-Id := 64:AE:0C:91:42:60
(9,1) } # update request (noop)
(9,1) if ("%{8}") {
(9,1) EXPAND %{8}
(9,1) --> RADIUS-TEST
(9,1) update request {
(9,1) EXPAND %{8}
(9,1) --> RADIUS-TEST
(9,1) &Called-Station-SSID := RADIUS-TEST
(9,1) } # update request (noop)
(9,1) } # if ("%{8}") (noop)
(9,1) updated (updated)
(9,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(9,1) else {
(9,1) ... skipping else for request 9: Preceding "if" was taken
(9,1) }
(9,1) } # local_rewrite_called_station_id (updated)
(9,1) local_rewrite_calling_station_id {
(9,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(9,1) update request {
(9,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(9,1) --> A4:D1:8C:E4:9F:22
(9,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(9,1) } # update request (noop)
(9,1) updated (updated)
(9,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(9,1) else {
(9,1) ... skipping else for request 9: Preceding "if" was taken
(9,1) }
(9,1) } # local_rewrite_calling_station_id (updated)
(9,1) filter_username {
(9,1) if (&User-Name) {
(9,1) if (&User-Name =~ / /) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /@[^@]*@/ ) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /\.\./ ) {
(9,1) ...
(9,1) }
(9,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /\.$/) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /@\./) {
(9,1) ...
(9,1) }
(9,1) } # if (&User-Name) (updated)
(9,1) } # filter_username (updated)
(9,1) bad_realms {
(9,1) if (&User-Name =~ /\.ax\.uk$/i) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /@ac\.uk$/i) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /myabc\.com$/i) {
(9,1) ...
(9,1) }
(9,1) } # bad_realms (updated)
(9,1) preprocess (ok)
(9,1) operator-name.authorize {
(9,1) if ("%{client:Operator-Name}") {
(9,1) EXPAND %{client:Operator-Name}
(9,1) --> 1realm.ac.uk
(9,1) update request {
(9,1) EXPAND %{client:Operator-Name}
(9,1) --> 1realm.ac.uk
(9,1) &Operator-Name = 1realm.ac.uk
(9,1) } # update request (noop)
(9,1) } # if ("%{client:Operator-Name}") (noop)
(9,1) } # operator-name.authorize (noop)
(9,1) suffix - Checking for suffix after "@"
(9,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser at realm"
(9,1) suffix - Found realm "realm.ac.uk"
(9,1) suffix - Adding Stripped-User-Name = "testuser"
(9,1) suffix - Adding Realm = "realm.ac.uk"
(9,1) suffix - Authentication realm is LOCAL
(9,1) suffix (ok)
(9,1) if (&Realm) {
(9,1) update control {
(9,1) &control:Proxy-To-Realm := LOCAL
(9,1) } # update control (noop)
(9,1) } # if (&Realm) (noop)
(9,1) else {
(9,1) ... skipping else for request 9: Preceding "if" was taken
(9,1) }
(9,1) if (&Realm) {
(9,1) if (&Stripped-User-Name != "") {
(9,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(9,1) EXPAND %{tolower:%{Stripped-User-Name}}
(9,1) --> testuser
(9,1) ...
(9,1) }
(9,1) group {
(9,1) check_blacklist (ok)
(9,1) if (&control:Local-Banned-User) {
(9,1) ...
(9,1) }
(9,1) else {
(9,1) noop (noop)
(9,1) } # else (noop)
(9,1) } # group (ok)
(9,1) } # if (&Stripped-User-Name != "") (ok)
(9,1) } # if (&Realm) (ok)
(9,1) eap - Peer sent EAP Response (code 2) ID 9 length 43
(9,1) eap - Continuing tunnel setup
(9,1) eap (ok)
(9,1) } # authorize (ok)
(9,1) Using 'Auth-Type = eap' for authenticate {...}
(9,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(9,1) Auth-Type eap {
(9,1) eap - Peer sent packet with EAP method PEAP (25)
(9,1) eap - Calling submodule eap_peap to process data
(9,1) eap_peap - Continuing EAP-TLS
(9,1) eap_peap - Got complete TLS record (37 bytes)
(9,1) eap_peap - [eap-tls verify] = complete
(9,1) eap_peap - Decrypted TLS application data (2 bytes)
(9,1) eap_peap - [eap-tls process] = complete
(9,1) eap_peap - Session established. Decoding tunneled data
(9,1) eap_peap - PEAP state phase2
(9,1) eap_peap - EAP method NAK (3)
(9,1) eap_peap - Got tunneled request
(9,1) eap_peap - &EAP-Message = 0x02090006031a
(9,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser at realm"
(9,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel"
(9,1) Virtual server inner-tunnel received request
(9,1) &EAP-Message = 0x02090006031a
(9,1) &FreeRADIUS-Proxied-To = 127.0.0.1
(9,1) &User-Name = "testuser at realm"
(9,1) WARNING: Outer and inner identities are the same. User privacy is compromised.
(9,1) server inner-tunnel {
(9,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(9,1) authorize {
(9,1) filter_username {
(9,1) if (&User-Name) {
(9,1) if (&User-Name =~ / /) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /@[^@]*@/ ) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /\.\./ ) {
(9,1) ...
(9,1) }
(9,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /\.$/) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /@\./) {
(9,1) ...
(9,1) }
(9,1) } # if (&User-Name) (notfound)
(9,1) } # filter_username (notfound)
(9,1) local_filter_inner_identity {
(9,1) if (!&outer.request:User-Name || !&User-Name) {
(9,1) ...
(9,1) }
(9,1) if (&outer.request:User-Name != &User-Name) {
(9,1) ...
(9,1) }
(9,1) } # local_filter_inner_identity (notfound)
(9,1) chap (noop)
(9,1) if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) {
(9,1) mschap-ds (noop)
(9,1) } # if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) (noop)
(9,1) elsif (&outer.request:User-Name =~ /@admin\.realm\.ac\.uk$/i) {
(9,1) ... skipping elsif for request 9: Preceding "if" was taken
(9,1) }
(9,1) suffix - Checking for suffix after "@"
(9,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser at realm"
(9,1) suffix - Found realm "realm.ac.uk"
(9,1) suffix - Adding Stripped-User-Name = "testuser"
(9,1) suffix - Adding Realm = "realm.ac.uk"
(9,1) suffix - Authentication realm is LOCAL
(9,1) suffix (ok)
(9,1) if (&User-Name =~ /^@/) {
(9,1) ...
(9,1) }
(9,1) if (!(&Stripped-User-Name)) {
(9,1) ...
(9,1) }
(9,1) else {
(9,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(9,1) EXPAND %{tolower:%{Stripped-User-Name}}
(9,1) --> testuser
(9,1) ...
(9,1) }
(9,1) } # else (ok)
(9,1) group {
(9,1) check_blacklist (ok)
(9,1) if (&control:Local-Banned-User) {
(9,1) ...
(9,1) }
(9,1) else {
(9,1) noop (noop)
(9,1) } # else (noop)
(9,1) } # group (ok)
(9,1) update control {
(9,1) &control:Proxy-To-Realm := LOCAL
(9,1) } # update control (noop)
(9,1) eap - Peer sent EAP Response (code 2) ID 9 length 6
(9,1) eap - Continuing on-going EAP conversation
(9,1) eap (updated)
(9,1) files (noop)
(9,1) expiration (noop)
(9,1) logintime (noop)
(9,1) pap (noop)
(9,1) } # authorize (updated)
(9,1) Using 'Auth-Type = eap' for authenticate {...}
(9,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel
(9,1) Auth-Type eap {
(9,1) eap - Peer sent packet with EAP method NAK (3)
(9,1) eap - Found mutually acceptable type MSCHAPv2 (26)
(9,1) eap - Calling submodule eap_mschapv2 to process data
(9,1) eap_mschapv2 - Issuing Challenge
(9,1) eap - Sending EAP Request (code 1) ID 10 length 47
(9,1) eap (handled)
(9,1) } # Auth-Type eap (handled)
(9,1) } # server inner-tunnel
(9,1) Virtual server sending reply
(9,1) &EAP-Message = 0x010a002f1a010a002a101591d608560c5c63a1d6f9157feba6cf667265657261646975732d332e312e302d64656164
(9,1) &Message-Authenticator = 0x00000000000000000000000000000000
(9,1) eap_peap - Got tunneled reply Access-Challenge
(9,1) eap_peap - &EAP-Message = 0x010a002f1a010a002a101591d608560c5c63a1d6f9157feba6cf667265657261646975732d332e312e302d64656164
(9,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000
(9,1) eap_peap - Got tunneled Access-Challenge
(9,1) eap_peap - TLS application data to encrypt (43 bytes)
(9,1) eap_peap - Sending complete TLS record (69 bytes)
(9,1) eap - Sending EAP Request (code 1) ID 10 length 75
(9,1) eap (handled)
(9,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(9,1) EXPAND Response-Packet-Type
(9,1) --> Access-Challenge
(9,1) attr_filter.access_challenge - EXPAND %{User-Name}
(9,1) attr_filter.access_challenge - --> testuser at realm
(9,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(9,1) attr_filter.access_challenge.post-auth (updated)
(9,1) handled (handled)
(9,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(9,1) } # Auth-Type eap (handled)
(9,1) Using Post-Auth-Type Challenge
(9,1) Post-Auth-Type sub-section not found. Ignoring.
(9,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(9,1) Sent Access-Challenge Id 85 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(9,1) EAP-Message = 0x010a004b19001703010040fd1adfa6152afb79c1fa0529c132191cc6180186595d874f715ef0b31bf5417fd2acb727f784d6ae580609b6434fb822695b8a0db91b849dbd55cd39f83f1b56
(9,1) Message-Authenticator = 0x00000000000000000000000000000000
(9,1) State = 0x090138003637b8d43b39393138ab9701
(9,1) Finished request
Waking up in 4.8 seconds.
(10) Received Access-Request Id 86 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 394
(10) User-Name = "testuser at realm"
(10) Chargeable-User-Identity = 0x00
(10) Location-Capable = Civix-Location
(10) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(10) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(10) NAS-Port = 13
(10) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(10) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(10) NAS-IP-Address = Y.Y.Y.Y
(10) NAS-Identifier = "WM13"
(10) Airespace-Wlan-Id = 8
(10) Service-Type = Framed-User
(10) Framed-MTU = 1300
(10) NAS-Port-Type = Wireless-802.11
(10) Tunnel-Type:0 = VLAN
(10) Tunnel-Medium-Type:0 = IEEE-802
(10) Tunnel-Private-Group-Id:0 = "446"
(10) EAP-Message = 0x020a006b19001703010060fb7b84dad699698f8e133528ec8b1ef0f8199de9c6170fb4c86582a647d47520ec17b41fc65471c47ceb60d9a206b2b54936ec02000e6b4894b77cf2a1c4f99e2747be80011ff04e7304a9ed47826067966d1318fd9ef8f95697e149a3355eea
(10) State = 0x090138003637b8d43b39393138ab9701
(10) Message-Authenticator = 0x431e4c764049d08fa9567dfadb9ac07f
(10,1) Running section authorize from file /etc/raddb/sites-enabled/default
(10,1) authorize {
(10,1) local_rewrite_called_station_id {
(10,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(10,1) update request {
(10,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(10,1) --> 64:AE:0C:91:42:60
(10,1) &Called-Station-Id := 64:AE:0C:91:42:60
(10,1) } # update request (noop)
(10,1) if ("%{8}") {
(10,1) EXPAND %{8}
(10,1) --> RADIUS-TEST
(10,1) update request {
(10,1) EXPAND %{8}
(10,1) --> RADIUS-TEST
(10,1) &Called-Station-SSID := RADIUS-TEST
(10,1) } # update request (noop)
(10,1) } # if ("%{8}") (noop)
(10,1) updated (updated)
(10,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(10,1) else {
(10,1) ... skipping else for request 10: Preceding "if" was taken
(10,1) }
(10,1) } # local_rewrite_called_station_id (updated)
(10,1) local_rewrite_calling_station_id {
(10,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(10,1) update request {
(10,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(10,1) --> A4:D1:8C:E4:9F:22
(10,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(10,1) } # update request (noop)
(10,1) updated (updated)
(10,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(10,1) else {
(10,1) ... skipping else for request 10: Preceding "if" was taken
(10,1) }
(10,1) } # local_rewrite_calling_station_id (updated)
(10,1) filter_username {
(10,1) if (&User-Name) {
(10,1) if (&User-Name =~ / /) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /@[^@]*@/ ) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /\.\./ ) {
(10,1) ...
(10,1) }
(10,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /\.$/) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /@\./) {
(10,1) ...
(10,1) }
(10,1) } # if (&User-Name) (updated)
(10,1) } # filter_username (updated)
(10,1) bad_realms {
(10,1) if (&User-Name =~ /\.ax\.uk$/i) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /@ac\.uk$/i) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /myabc\.com$/i) {
(10,1) ...
(10,1) }
(10,1) } # bad_realms (updated)
(10,1) preprocess (ok)
(10,1) operator-name.authorize {
(10,1) if ("%{client:Operator-Name}") {
(10,1) EXPAND %{client:Operator-Name}
(10,1) --> 1realm.ac.uk
(10,1) update request {
(10,1) EXPAND %{client:Operator-Name}
(10,1) --> 1realm.ac.uk
(10,1) &Operator-Name = 1realm.ac.uk
(10,1) } # update request (noop)
(10,1) } # if ("%{client:Operator-Name}") (noop)
(10,1) } # operator-name.authorize (noop)
(10,1) suffix - Checking for suffix after "@"
(10,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser at realm"
(10,1) suffix - Found realm "realm.ac.uk"
(10,1) suffix - Adding Stripped-User-Name = "testuser"
(10,1) suffix - Adding Realm = "realm.ac.uk"
(10,1) suffix - Authentication realm is LOCAL
(10,1) suffix (ok)
(10,1) if (&Realm) {
(10,1) update control {
(10,1) &control:Proxy-To-Realm := LOCAL
(10,1) } # update control (noop)
(10,1) } # if (&Realm) (noop)
(10,1) else {
(10,1) ... skipping else for request 10: Preceding "if" was taken
(10,1) }
(10,1) if (&Realm) {
(10,1) if (&Stripped-User-Name != "") {
(10,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(10,1) EXPAND %{tolower:%{Stripped-User-Name}}
(10,1) --> testuser
(10,1) ...
(10,1) }
(10,1) group {
(10,1) check_blacklist (ok)
(10,1) if (&control:Local-Banned-User) {
(10,1) ...
(10,1) }
(10,1) else {
(10,1) noop (noop)
(10,1) } # else (noop)
(10,1) } # group (ok)
(10,1) } # if (&Stripped-User-Name != "") (ok)
(10,1) } # if (&Realm) (ok)
(10,1) eap - Peer sent EAP Response (code 2) ID 10 length 107
(10,1) eap - Continuing tunnel setup
(10,1) eap (ok)
(10,1) } # authorize (ok)
(10,1) Using 'Auth-Type = eap' for authenticate {...}
(10,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(10,1) Auth-Type eap {
(10,1) eap - Peer sent packet with EAP method PEAP (25)
(10,1) eap - Calling submodule eap_peap to process data
(10,1) eap_peap - Continuing EAP-TLS
(10,1) eap_peap - Got complete TLS record (101 bytes)
(10,1) eap_peap - [eap-tls verify] = complete
(10,1) eap_peap - Decrypted TLS application data (73 bytes)
(10,1) eap_peap - [eap-tls process] = complete
(10,1) eap_peap - Session established. Decoding tunneled data
(10,1) eap_peap - PEAP state phase2
(10,1) eap_peap - EAP method MSCHAPv2 (26)
(10,1) eap_peap - Got tunneled request
(10,1) eap_peap - &EAP-Message = 0x020a004d1a020a004831329616f5f88860d55df21c3a71f27e040000000000000000f283736acdd6b31ecc9bdf0c7b021c5232c4bf8f5aa26a620065636c366368406c656564732e61632e756b
(10,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser at realm"
(10,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel"
(10,1) Virtual server inner-tunnel received request
(10,1) &EAP-Message = 0x020a004d1a020a004831329616f5f88860d55df21c3a71f27e040000000000000000f283736acdd6b31ecc9bdf0c7b021c5232c4bf8f5aa26a620065636c366368406c656564732e61632e756b
(10,1) &FreeRADIUS-Proxied-To = 127.0.0.1
(10,1) &User-Name = "testuser at realm"
(10,1) WARNING: Outer and inner identities are the same. User privacy is compromised.
(10,1) server inner-tunnel {
(10,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(10,1) authorize {
(10,1) filter_username {
(10,1) if (&User-Name) {
(10,1) if (&User-Name =~ / /) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /@[^@]*@/ ) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /\.\./ ) {
(10,1) ...
(10,1) }
(10,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /\.$/) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /@\./) {
(10,1) ...
(10,1) }
(10,1) } # if (&User-Name) (notfound)
(10,1) } # filter_username (notfound)
(10,1) local_filter_inner_identity {
(10,1) if (!&outer.request:User-Name || !&User-Name) {
(10,1) ...
(10,1) }
(10,1) if (&outer.request:User-Name != &User-Name) {
(10,1) ...
(10,1) }
(10,1) } # local_filter_inner_identity (notfound)
(10,1) chap (noop)
(10,1) if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) {
(10,1) mschap-ds (noop)
(10,1) } # if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) (noop)
(10,1) elsif (&outer.request:User-Name =~ /@admin\.realm\.ac\.uk$/i) {
(10,1) ... skipping elsif for request 10: Preceding "if" was taken
(10,1) }
(10,1) suffix - Checking for suffix after "@"
(10,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser at realm"
(10,1) suffix - Found realm "realm.ac.uk"
(10,1) suffix - Adding Stripped-User-Name = "testuser"
(10,1) suffix - Adding Realm = "realm.ac.uk"
(10,1) suffix - Authentication realm is LOCAL
(10,1) suffix (ok)
(10,1) if (&User-Name =~ /^@/) {
(10,1) ...
(10,1) }
(10,1) if (!(&Stripped-User-Name)) {
(10,1) ...
(10,1) }
(10,1) else {
(10,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(10,1) EXPAND %{tolower:%{Stripped-User-Name}}
(10,1) --> testuser
(10,1) ...
(10,1) }
(10,1) } # else (ok)
(10,1) group {
(10,1) check_blacklist (ok)
(10,1) if (&control:Local-Banned-User) {
(10,1) ...
(10,1) }
(10,1) else {
(10,1) noop (noop)
(10,1) } # else (noop)
(10,1) } # group (ok)
(10,1) update control {
(10,1) &control:Proxy-To-Realm := LOCAL
(10,1) } # update control (noop)
(10,1) eap - Peer sent EAP Response (code 2) ID 10 length 77
(10,1) eap - Continuing on-going EAP conversation
(10,1) eap (updated)
(10,1) files (noop)
(10,1) expiration (noop)
(10,1) logintime (noop)
(10,1) pap (noop)
(10,1) } # authorize (updated)
(10,1) Using 'Auth-Type = eap' for authenticate {...}
(10,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel
(10,1) Auth-Type eap {
(10,1) eap - Peer sent packet with EAP method MSCHAPv2 (26)
(10,1) eap - Calling submodule eap_mschapv2 to process data
(10,1) eap_mschapv2 - Running Auth-Type MS-CHAP from file /etc/raddb/sites-enabled/inner-tunnel
(10,1) Auth-Type MS-CHAP {
(10,1) if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) {
(10,1) mschap-ds - Creating challenge hash with username: testuser at realm
(10,1) mschap-ds - Client is using MS-CHAPv2
(10,1) mschap-ds - EXPAND %{%{Stripped-User-Name}:-%{mschap-ds:User-Name}}
(10,1) mschap-ds - --> testuser
(10,1) mschap-ds - Reserved connection (0)
(10,1) mschap-ds - sending authentication request user='testuser' domain='DS'
(10,1) mschap-ds - Released connection (0)
(10,1) mschap-ds - Need 10 more connections to reach 20 spares
(10,1) mschap-ds - Opening additional connection (10), 1 of 54 pending slots used
(10,1) mschap-ds - Authenticated successfully
(10,1) mschap-ds - Adding MS-CHAPv2 MPPE keys
(10,1) mschap-ds (ok)
(10,1) } # if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) (ok)
(10,1) elsif (&outer.request:User-Name =~ /@admin\.realm\.ac\.uk$/i) {
(10,1) ... skipping elsif for request 10: Preceding "if" was taken
(10,1) }
(10,1) } # Auth-Type MS-CHAP (ok)
(10,1) eap_mschapv2 - MSCHAP Success
(10,1) eap - Sending EAP Request (code 1) ID 11 length 51
(10,1) eap (handled)
(10,1) } # Auth-Type eap (handled)
(10,1) } # server inner-tunnel
(10,1) Virtual server sending reply
(10,1) &EAP-Message = 0x010b00331a030a002e533d35453739463637393739354343374436383233434142313433353737364643414246384539373932
(10,1) &Message-Authenticator = 0x00000000000000000000000000000000
(10,1) eap_peap - Got tunneled reply Access-Challenge
(10,1) eap_peap - &EAP-Message = 0x010b00331a030a002e533d35453739463637393739354343374436383233434142313433353737364643414246384539373932
(10,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000
(10,1) eap_peap - Got tunneled Access-Challenge
(10,1) eap_peap - TLS application data to encrypt (47 bytes)
(10,1) eap_peap - Sending complete TLS record (85 bytes)
(10,1) eap - Sending EAP Request (code 1) ID 11 length 91
(10,1) eap (handled)
(10,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(10,1) EXPAND Response-Packet-Type
(10,1) --> Access-Challenge
(10,1) attr_filter.access_challenge - EXPAND %{User-Name}
(10,1) attr_filter.access_challenge - --> testuser at realm
(10,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(10,1) attr_filter.access_challenge.post-auth (updated)
(10,1) handled (handled)
(10,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(10,1) } # Auth-Type eap (handled)
(10,1) Using Post-Auth-Type Challenge
(10,1) Post-Auth-Type sub-section not found. Ignoring.
(10,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(10,1) Sent Access-Challenge Id 86 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(10,1) EAP-Message = 0x010b005b19001703010050434a180e3726928b4d1485ba6b2897630e9165184c8e7b1b32265ba04908704d15ee8673ef1b5f4b1cb58c229d9ca96c31528959c7f338b7d83c0deca515c327d242225f1874037a58481664fc1f1360
(10,1) Message-Authenticator = 0x00000000000000000000000000000000
(10,1) State = 0x0a033800aecc10fa3b39393138ab9701
(10,1) Finished request
Waking up in 4.8 seconds.
(11) Received Access-Request Id 87 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 330
(11) User-Name = "testuser at realm"
(11) Chargeable-User-Identity = 0x00
(11) Location-Capable = Civix-Location
(11) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(11) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(11) NAS-Port = 13
(11) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(11) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(11) NAS-IP-Address = Y.Y.Y.Y
(11) NAS-Identifier = "WM13"
(11) Airespace-Wlan-Id = 8
(11) Service-Type = Framed-User
(11) Framed-MTU = 1300
(11) NAS-Port-Type = Wireless-802.11
(11) Tunnel-Type:0 = VLAN
(11) Tunnel-Medium-Type:0 = IEEE-802
(11) Tunnel-Private-Group-Id:0 = "446"
(11) EAP-Message = 0x020b002b19001703010020b5ec1928d5a22217345c5344b5ea9e8a35fa15ad8681bfb8c9873d10febf5798
(11) State = 0x0a033800aecc10fa3b39393138ab9701
(11) Message-Authenticator = 0x62328bab8c9d2ffc5877e080f63230c8
(11,1) Running section authorize from file /etc/raddb/sites-enabled/default
(11,1) authorize {
(11,1) local_rewrite_called_station_id {
(11,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(11,1) update request {
(11,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(11,1) --> 64:AE:0C:91:42:60
(11,1) &Called-Station-Id := 64:AE:0C:91:42:60
(11,1) } # update request (noop)
(11,1) if ("%{8}") {
(11,1) EXPAND %{8}
(11,1) --> RADIUS-TEST
(11,1) update request {
(11,1) EXPAND %{8}
(11,1) --> RADIUS-TEST
(11,1) &Called-Station-SSID := RADIUS-TEST
(11,1) } # update request (noop)
(11,1) } # if ("%{8}") (noop)
(11,1) updated (updated)
(11,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(11,1) else {
(11,1) ... skipping else for request 11: Preceding "if" was taken
(11,1) }
(11,1) } # local_rewrite_called_station_id (updated)
(11,1) local_rewrite_calling_station_id {
(11,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(11,1) update request {
(11,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(11,1) --> A4:D1:8C:E4:9F:22
(11,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(11,1) } # update request (noop)
(11,1) updated (updated)
(11,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(11,1) else {
(11,1) ... skipping else for request 11: Preceding "if" was taken
(11,1) }
(11,1) } # local_rewrite_calling_station_id (updated)
(11,1) filter_username {
(11,1) if (&User-Name) {
(11,1) if (&User-Name =~ / /) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /@[^@]*@/ ) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /\.\./ ) {
(11,1) ...
(11,1) }
(11,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /\.$/) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /@\./) {
(11,1) ...
(11,1) }
(11,1) } # if (&User-Name) (updated)
(11,1) } # filter_username (updated)
(11,1) bad_realms {
(11,1) if (&User-Name =~ /\.ax\.uk$/i) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /@ac\.uk$/i) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /myabc\.com$/i) {
(11,1) ...
(11,1) }
(11,1) } # bad_realms (updated)
(11,1) preprocess (ok)
(11,1) operator-name.authorize {
(11,1) if ("%{client:Operator-Name}") {
(11,1) EXPAND %{client:Operator-Name}
(11,1) --> 1realm.ac.uk
(11,1) update request {
(11,1) EXPAND %{client:Operator-Name}
(11,1) --> 1realm.ac.uk
(11,1) &Operator-Name = 1realm.ac.uk
(11,1) } # update request (noop)
(11,1) } # if ("%{client:Operator-Name}") (noop)
(11,1) } # operator-name.authorize (noop)
(11,1) suffix - Checking for suffix after "@"
(11,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser at realm"
(11,1) suffix - Found realm "realm.ac.uk"
(11,1) suffix - Adding Stripped-User-Name = "testuser"
(11,1) suffix - Adding Realm = "realm.ac.uk"
(11,1) suffix - Authentication realm is LOCAL
(11,1) suffix (ok)
(11,1) if (&Realm) {
(11,1) update control {
(11,1) &control:Proxy-To-Realm := LOCAL
(11,1) } # update control (noop)
(11,1) } # if (&Realm) (noop)
(11,1) else {
(11,1) ... skipping else for request 11: Preceding "if" was taken
(11,1) }
(11,1) if (&Realm) {
(11,1) if (&Stripped-User-Name != "") {
(11,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(11,1) EXPAND %{tolower:%{Stripped-User-Name}}
(11,1) --> testuser
(11,1) ...
(11,1) }
(11,1) group {
(11,1) check_blacklist (ok)
(11,1) if (&control:Local-Banned-User) {
(11,1) ...
(11,1) }
(11,1) else {
(11,1) noop (noop)
(11,1) } # else (noop)
(11,1) } # group (ok)
(11,1) } # if (&Stripped-User-Name != "") (ok)
(11,1) } # if (&Realm) (ok)
(11,1) eap - Peer sent EAP Response (code 2) ID 11 length 43
(11,1) eap - Continuing tunnel setup
(11,1) eap (ok)
(11,1) } # authorize (ok)
(11,1) Using 'Auth-Type = eap' for authenticate {...}
(11,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(11,1) Auth-Type eap {
(11,1) eap - Peer sent packet with EAP method PEAP (25)
(11,1) eap - Calling submodule eap_peap to process data
(11,1) eap_peap - Continuing EAP-TLS
(11,1) eap_peap - Got complete TLS record (37 bytes)
(11,1) eap_peap - [eap-tls verify] = complete
(11,1) eap_peap - Decrypted TLS application data (2 bytes)
(11,1) eap_peap - [eap-tls process] = complete
(11,1) eap_peap - Session established. Decoding tunneled data
(11,1) eap_peap - PEAP state phase2
(11,1) eap_peap - EAP method MSCHAPv2 (26)
(11,1) eap_peap - Got tunneled request
(11,1) eap_peap - &EAP-Message = 0x020b00061a03
(11,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser at realm"
(11,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel"
(11,1) Virtual server inner-tunnel received request
(11,1) &EAP-Message = 0x020b00061a03
(11,1) &FreeRADIUS-Proxied-To = 127.0.0.1
(11,1) &User-Name = "testuser at realm"
(11,1) WARNING: Outer and inner identities are the same. User privacy is compromised.
(11,1) server inner-tunnel {
(11,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(11,1) authorize {
(11,1) filter_username {
(11,1) if (&User-Name) {
(11,1) if (&User-Name =~ / /) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /@[^@]*@/ ) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /\.\./ ) {
(11,1) ...
(11,1) }
(11,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /\.$/) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /@\./) {
(11,1) ...
(11,1) }
(11,1) } # if (&User-Name) (notfound)
(11,1) } # filter_username (notfound)
(11,1) local_filter_inner_identity {
(11,1) if (!&outer.request:User-Name || !&User-Name) {
(11,1) ...
(11,1) }
(11,1) if (&outer.request:User-Name != &User-Name) {
(11,1) ...
(11,1) }
(11,1) } # local_filter_inner_identity (notfound)
(11,1) chap (noop)
(11,1) if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) {
(11,1) mschap-ds (noop)
(11,1) } # if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) (noop)
(11,1) elsif (&outer.request:User-Name =~ /@admin\.realm\.ac\.uk$/i) {
(11,1) ... skipping elsif for request 11: Preceding "if" was taken
(11,1) }
(11,1) suffix - Checking for suffix after "@"
(11,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser at realm"
(11,1) suffix - Found realm "realm.ac.uk"
(11,1) suffix - Adding Stripped-User-Name = "testuser"
(11,1) suffix - Adding Realm = "realm.ac.uk"
(11,1) suffix - Authentication realm is LOCAL
(11,1) suffix (ok)
(11,1) if (&User-Name =~ /^@/) {
(11,1) ...
(11,1) }
(11,1) if (!(&Stripped-User-Name)) {
(11,1) ...
(11,1) }
(11,1) else {
(11,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(11,1) EXPAND %{tolower:%{Stripped-User-Name}}
(11,1) --> testuser
(11,1) ...
(11,1) }
(11,1) } # else (ok)
(11,1) group {
(11,1) check_blacklist (ok)
(11,1) if (&control:Local-Banned-User) {
(11,1) ...
(11,1) }
(11,1) else {
(11,1) noop (noop)
(11,1) } # else (noop)
(11,1) } # group (ok)
(11,1) update control {
(11,1) &control:Proxy-To-Realm := LOCAL
(11,1) } # update control (noop)
(11,1) eap - Peer sent EAP Response (code 2) ID 11 length 6
(11,1) eap - Continuing on-going EAP conversation
(11,1) eap (updated)
(11,1) files (noop)
(11,1) expiration (noop)
(11,1) logintime (noop)
(11,1) pap (noop)
(11,1) } # authorize (updated)
(11,1) Using 'Auth-Type = eap' for authenticate {...}
(11,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel
(11,1) Auth-Type eap {
(11,1) eap - Peer sent packet with EAP method MSCHAPv2 (26)
(11,1) eap - Calling submodule eap_mschapv2 to process data
(11,1) eap - Sending EAP Success (code 3) ID 11 length 4
(11,1) eap - Cleaning up EAP session
(11,1) eap (ok)
(11,1) } # Auth-Type eap (ok)
(11,1) Login OK: [testuser at realm] (from client wism13 port 0 via TLS tunnel)
(11,1) Running section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(11,1) post-auth {
(11,1) update reply {
(11,1) &reply:Reply-Message := successful authentication
(11,1) } # update reply (noop)
(11,1) inner-tunnel-accept-log - Using default message
(11,1) inner-tunnel-accept-log - EXPAND %S (%l) id %I INNER ACCEPT %{User-Name} cli %{%{outer.request:Calling-Station-Id}:--} outer-id %{outer.request:User-Name} auth-type %{outer.control:Auth-Type}/%{outer.request:EAP-Type} realm %{Realm} operator %{%{outer.request:Operator-Name}:--} client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) essid (%{%{outer.request:Called-Station-SSID}:--}) reply-msg '%{reply:Reply-Message}'
(11,1) inner-tunnel-accept-log - --> 2016-11-25 15:17:51 (1480087071) id 11 INNER ACCEPT testuser at realm cli A4:D1:8C:E4:9F:22 outer-id testuser at realm.ac.uk auth-type eap/PEAP realm realm.ac.uk operator 1realm.ac.uk client Y.Y.Y.Y (wism13) essid (RADIUS-TEST) reply-msg 'successful authentication'
(11,1) inner-tunnel-accept-log - EXPAND /var/log/radius/auth.log
(11,1) inner-tunnel-accept-log - --> /var/log/radius/auth.log
(11,1) inner-tunnel-accept-log (ok)
(11,1) update {
(11,1) &outer.session-state: += &reply:MS-MPPE-Encryption-Policy -> Encryption-Required
(11,1) &outer.session-state: += &reply:MS-MPPE-Encryption-Types -> 4
(11,1) &outer.session-state: += &reply:MS-MPPE-Send-Key -> 0xd8d3d48df0050ef926fee45a7025a880
(11,1) &outer.session-state: += &reply:MS-MPPE-Recv-Key -> 0x1d3a468cf7a531c07677d5c70e683dd0
(11,1) &outer.session-state: += &reply:EAP-Message -> 0x030b0004
(11,1) &outer.session-state: += &reply:Message-Authenticator -> 0x00000000000000000000000000000000
(11,1) &outer.session-state: += &reply:Stripped-User-Name -> "testuser"
(11,1) &outer.session-state: += &reply:Reply-Message -> "successful authentication"
(11,1) } # update (noop)
(11,1) update outer.session-state {
(11,1) &outer.session-state:MS-MPPE-Encryption-Policy !* ANY
(11,1) &outer.session-state:MS-MPPE-Encryption-Types !* ANY
(11,1) &outer.session-state:MS-MPPE-Send-Key !* ANY
(11,1) &outer.session-state:MS-MPPE-Recv-Key !* ANY
(11,1) &outer.session-state:Message-Authenticator !* ANY
(11,1) &outer.session-state:EAP-Message !* ANY
(11,1) &outer.session-state:Proxy-State !* ANY
(11,1) } # update outer.session-state (noop)
(11,1) } # post-auth (ok)
(11,1) } # server inner-tunnel
(11,1) Virtual server sending reply
(11,1) &MS-MPPE-Encryption-Policy = Encryption-Required
(11,1) &MS-MPPE-Encryption-Types = 4
(11,1) &MS-MPPE-Send-Key = 0xd8d3d48df0050ef926fee45a7025a880
(11,1) &MS-MPPE-Recv-Key = 0x1d3a468cf7a531c07677d5c70e683dd0
(11,1) &EAP-Message = 0x030b0004
(11,1) &Message-Authenticator = 0x00000000000000000000000000000000
(11,1) &Stripped-User-Name = "testuser"
(11,1) &Reply-Message := "successful authentication"
(11,1) eap_peap - Got tunneled reply Access-Accept
(11,1) eap_peap - &MS-MPPE-Encryption-Policy = Encryption-Required
(11,1) eap_peap - &MS-MPPE-Encryption-Types = 4
(11,1) eap_peap - &MS-MPPE-Send-Key = 0xd8d3d48df0050ef926fee45a7025a880
(11,1) eap_peap - &MS-MPPE-Recv-Key = 0x1d3a468cf7a531c07677d5c70e683dd0
(11,1) eap_peap - &EAP-Message = 0x030b0004
(11,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000
(11,1) eap_peap - &Stripped-User-Name = "testuser"
(11,1) eap_peap - &Reply-Message := "successful authentication"
(11,1) eap_peap - Tunneled authentication was successful
(11,1) eap_peap - SUCCESS
(11,1) eap_peap - TLS application data to encrypt (11 bytes)
(11,1) eap_peap - Sending complete TLS record (37 bytes)
(11,1) eap - Sending EAP Request (code 1) ID 12 length 43
(11,1) eap (handled)
(11,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(11,1) EXPAND Response-Packet-Type
(11,1) --> Access-Challenge
(11,1) attr_filter.access_challenge - EXPAND %{User-Name}
(11,1) attr_filter.access_challenge - --> testuser at realm
(11,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(11,1) attr_filter.access_challenge.post-auth (updated)
(11,1) handled (handled)
(11,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(11,1) } # Auth-Type eap (handled)
(11,1) Using Post-Auth-Type Challenge
(11,1) Post-Auth-Type sub-section not found. Ignoring.
(11,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(11,1) Saving &session-state
(11,1) &session-state:Stripped-User-Name += "testuser"
(11,1) &session-state:Reply-Message += "successful authentication"
(11,1) Sent Access-Challenge Id 87 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(11,1) EAP-Message = 0x010c002b1900170301002075fcd60b064f8189f89cd88d8ea3821c5e02316d81a985ae28e6772c0f91527a
(11,1) Message-Authenticator = 0x00000000000000000000000000000000
(11,1) State = 0x0b0138003637b8d43b39393138ab9701
(11,1) Finished request
Waking up in 4.8 seconds.
(12) Received Access-Request Id 88 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 330
(12) User-Name = "testuser at realm"
(12) Chargeable-User-Identity = 0x00
(12) Location-Capable = Civix-Location
(12) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(12) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(12) NAS-Port = 13
(12) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(12) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(12) NAS-IP-Address = Y.Y.Y.Y
(12) NAS-Identifier = "WM13"
(12) Airespace-Wlan-Id = 8
(12) Service-Type = Framed-User
(12) Framed-MTU = 1300
(12) NAS-Port-Type = Wireless-802.11
(12) Tunnel-Type:0 = VLAN
(12) Tunnel-Medium-Type:0 = IEEE-802
(12) Tunnel-Private-Group-Id:0 = "446"
(12) EAP-Message = 0x020c002b190017030100205260e734aa19b0c57421ab4de8ee9119c043f03f0751f165dc6cc2a0f5157a8c
(12) State = 0x0b0138003637b8d43b39393138ab9701
(12) Message-Authenticator = 0xa330d14becbcd2b557c3aeb3deb98ff4
(12,1) Restored &session-state
(12,1) &session-state:Stripped-User-Name += "testuser"
(12,1) &session-state:Reply-Message += "successful authentication"
(12,1) Running section authorize from file /etc/raddb/sites-enabled/default
(12,1) authorize {
(12,1) local_rewrite_called_station_id {
(12,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(12,1) update request {
(12,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(12,1) --> 64:AE:0C:91:42:60
(12,1) &Called-Station-Id := 64:AE:0C:91:42:60
(12,1) } # update request (noop)
(12,1) if ("%{8}") {
(12,1) EXPAND %{8}
(12,1) --> RADIUS-TEST
(12,1) update request {
(12,1) EXPAND %{8}
(12,1) --> RADIUS-TEST
(12,1) &Called-Station-SSID := RADIUS-TEST
(12,1) } # update request (noop)
(12,1) } # if ("%{8}") (noop)
(12,1) updated (updated)
(12,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(12,1) else {
(12,1) ... skipping else for request 12: Preceding "if" was taken
(12,1) }
(12,1) } # local_rewrite_called_station_id (updated)
(12,1) local_rewrite_calling_station_id {
(12,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(12,1) update request {
(12,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(12,1) --> A4:D1:8C:E4:9F:22
(12,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(12,1) } # update request (noop)
(12,1) updated (updated)
(12,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(12,1) else {
(12,1) ... skipping else for request 12: Preceding "if" was taken
(12,1) }
(12,1) } # local_rewrite_calling_station_id (updated)
(12,1) filter_username {
(12,1) if (&User-Name) {
(12,1) if (&User-Name =~ / /) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /@[^@]*@/ ) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /\.\./ ) {
(12,1) ...
(12,1) }
(12,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /\.$/) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /@\./) {
(12,1) ...
(12,1) }
(12,1) } # if (&User-Name) (updated)
(12,1) } # filter_username (updated)
(12,1) bad_realms {
(12,1) if (&User-Name =~ /\.ax\.uk$/i) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /@ac\.uk$/i) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /myabc\.com$/i) {
(12,1) ...
(12,1) }
(12,1) } # bad_realms (updated)
(12,1) preprocess (ok)
(12,1) operator-name.authorize {
(12,1) if ("%{client:Operator-Name}") {
(12,1) EXPAND %{client:Operator-Name}
(12,1) --> 1realm.ac.uk
(12,1) update request {
(12,1) EXPAND %{client:Operator-Name}
(12,1) --> 1realm.ac.uk
(12,1) &Operator-Name = 1realm.ac.uk
(12,1) } # update request (noop)
(12,1) } # if ("%{client:Operator-Name}") (noop)
(12,1) } # operator-name.authorize (noop)
(12,1) suffix - Checking for suffix after "@"
(12,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser at realm"
(12,1) suffix - Found realm "realm.ac.uk"
(12,1) suffix - Adding Stripped-User-Name = "testuser"
(12,1) suffix - Adding Realm = "realm.ac.uk"
(12,1) suffix - Authentication realm is LOCAL
(12,1) suffix (ok)
(12,1) if (&Realm) {
(12,1) update control {
(12,1) &control:Proxy-To-Realm := LOCAL
(12,1) } # update control (noop)
(12,1) } # if (&Realm) (noop)
(12,1) else {
(12,1) ... skipping else for request 12: Preceding "if" was taken
(12,1) }
(12,1) if (&Realm) {
(12,1) if (&Stripped-User-Name != "") {
(12,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(12,1) EXPAND %{tolower:%{Stripped-User-Name}}
(12,1) --> testuser
(12,1) ...
(12,1) }
(12,1) group {
(12,1) check_blacklist (ok)
(12,1) if (&control:Local-Banned-User) {
(12,1) ...
(12,1) }
(12,1) else {
(12,1) noop (noop)
(12,1) } # else (noop)
(12,1) } # group (ok)
(12,1) } # if (&Stripped-User-Name != "") (ok)
(12,1) } # if (&Realm) (ok)
(12,1) eap - Peer sent EAP Response (code 2) ID 12 length 43
(12,1) eap - Continuing tunnel setup
(12,1) eap (ok)
(12,1) } # authorize (ok)
(12,1) Using 'Auth-Type = eap' for authenticate {...}
(12,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(12,1) Auth-Type eap {
(12,1) eap - Peer sent packet with EAP method PEAP (25)
(12,1) eap - Calling submodule eap_peap to process data
(12,1) eap_peap - Continuing EAP-TLS
(12,1) eap_peap - Got complete TLS record (37 bytes)
(12,1) eap_peap - [eap-tls verify] = complete
(12,1) eap_peap - Decrypted TLS application data (11 bytes)
(12,1) eap_peap - [eap-tls process] = complete
(12,1) eap_peap - Session established. Decoding tunneled data
(12,1) eap_peap - PEAP state send tlv success
(12,1) eap_peap - Received EAP-TLV response
(12,1) eap_peap - Success
(12,1) eap_peap - Adding session keys
(12,1) eap_peap - &reply:MS-MPPE-Recv-Key = 0xc2b1108d6edcbaab7acbc6cb02381f392e459fecfbd849f9ec05ed541dcbd8ec
(12,1) eap_peap - &reply:MS-MPPE-Send-Key = 0x71011003ab851c697e371755227994e8ab1ff5a15b2a5e4433273ac6b71b363e
(12,1) eap_peap - &reply:EAP-MSK = 0xc2b1108d6edcbaab7acbc6cb02381f392e459fecfbd849f9ec05ed541dcbd8ec71011003ab851c697e371755227994e8ab1ff5a15b2a5e4433273ac6b71b363e
(12,1) eap_peap - &reply:EAP-EMSK = 0x4d4889f2308cc16ca2dfb5c43fd14af93e7a927a9ab73d43433258508c312fa5d2774e063dd8d0ceb56bea3134b9fb99691718545b00139d8dc9e61bf277a526
(12,1) eap - Sending EAP Success (code 3) ID 12 length 4
(12,1) eap - Cleaning up EAP session
(12,1) eap (ok)
(12,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(12,1) ...
(12,1) }
(12,1) } # Auth-Type eap (ok)
(12,1) Login OK: [testuser at realm] (from client wism13 port 13 cli A4:D1:8C:E4:9F:22)
(12,1) Running section post-auth from file /etc/raddb/sites-enabled/default
(12,1) post-auth {
(12,1) update {
(12,1) &reply: += &session-state:Stripped-User-Name -> "testuser"
(12,1) &reply: += &session-state:Reply-Message -> "successful authentication"
(12,1) } # update (noop)
(12,1) update reply {
(12,1) &reply:Reply-Message := successful authentication
(12,1) } # update reply (noop)
(12,1) default-accept-log - Using default message
(12,1) default-accept-log - EXPAND %S (%l) id %I DEFAULT ACCEPT %{User-Name} cli %{%{Calling-Station-Id}:--} auth-type %{control:Auth-Type}/%{EAP-Type} realm %{Realm} operator %{%{Operator-Name}:--} client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) essid (%{%{Called-Station-SSID}:--}) reply-msg '%{reply:Reply-Message}'
(12,1) default-accept-log - --> 2016-11-25 15:17:51 (1480087071) id 88 DEFAULT ACCEPT testuser at realm cli A4:D1:8C:E4:9F:22 auth-type eap/PEAP realm realm.ac.uk operator 1realm.ac.uk client Y.Y.Y.Y (wism13) essid (RADIUS-TEST) reply-msg 'successful authentication'
(12,1) default-accept-log - EXPAND /var/log/radius/auth.log
(12,1) default-accept-log - --> /var/log/radius/auth.log
(12,1) default-accept-log (ok)
(12,1) exec (noop)
(12,1) remove_reply_message_if_eap {
(12,1) if (&reply:EAP-Message && &reply:Reply-Message) {
(12,1) update reply {
(12,1) &reply:Reply-Message !* ANY
(12,1) } # update reply (noop)
(12,1) } # if (&reply:EAP-Message && &reply:Reply-Message) (noop)
(12,1) else {
(12,1) ... skipping else for request 12: Preceding "if" was taken
(12,1) }
(12,1) } # remove_reply_message_if_eap (noop)
(12,1) } # post-auth (ok)
(12,1) Sent Access-Accept Id 88 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(12,1) MS-MPPE-Recv-Key = 0xc2b1108d6edcbaab7acbc6cb02381f392e459fecfbd849f9ec05ed541dcbd8ec
(12,1) MS-MPPE-Send-Key = 0x71011003ab851c697e371755227994e8ab1ff5a15b2a5e4433273ac6b71b363e
(12,1) EAP-Message = 0x030c0004
(12,1) Message-Authenticator = 0x00000000000000000000000000000000
(12,1) Finished request
Waking up in 4.8 seconds.
^CWaking up in 3.1 seconds.
More information about the Freeradius-Users
mailing list