Troubleshooting EAP-TLS with External Certificates
Bogdan Rudas
brudas at exadel.com
Fri Sep 9 09:54:44 CEST 2016
On Fri, Sep 9, 2016 at 1:09 AM, Matthew West <matthew.t.west at gmail.com>
wrote:
> Alan, Alan, and FR Users,
>
> Thank you for your help and direction while figuring out configuration
> of FreeRADIUS. You've been very helpful.
>
> *** 1st Question: Are there any implications when removing the space
> filter from policy.d?
>
> In my attempts to get FreeRADIUS configured to work with e-mail/auth
> certificates (previously issued), I was given a new 'CA Cert' to use
> with our e-mail certificates. I am now successfully authenticating
> with the new CA file I was given and my e-mail certificate.
> Unfortunately, the 'User-Name' field was filled with 'User Name' with
> a space and failed the username field check. I removed the space
> filter from /etc/raddb/policy.d and I can now authenticate. (Output
> below).
>
> > If you use a public CA then anyone else can get a cert signed by that CA
> > for small change, they can then do e.g. evil twin etc. attacks and badly
> > configured clients will auth against them... thus giving them the user's
> > password (or easily cloud-cracked MSCHAP challenge/response)... many
> > clients have basic security... e.g. only trust the CA. So a local CA is the
> > one way to ensure the lowest common denominator is secure.
>
> *** 2nd Question: If my company uses an internal CA certificate that
> was issued/signed by Verisign and is bundled with the public CA's
> chain, are there security implications with using the bundle? (Output
> below)
>
> Thank You,
>
> Matthew West
>
> PS - I have not started removing unwanted modules from /mods-enabled,
> will be doing that after confirming the working setup.
>
> ---
>
> [root at localhost ~]# radiusd -X
> radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu,
> built on Mar 5 2015 at 23:41:36
> Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License
> For more information about these matters, see the file named COPYRIGHT
> Starting - reading configuration files ...
> including dictionary file /usr/share/freeradius/dictionary
> including dictionary file /usr/share/freeradius/dictionary.dhcp
> including dictionary file /usr/share/freeradius/dictionary.vqp
> including dictionary file /etc/raddb/dictionary
> including configuration file /etc/raddb/radiusd.conf
> including configuration file /etc/raddb/proxy.conf
> including configuration file /etc/raddb/clients.conf
> including files in directory /etc/raddb/mods-enabled/
> including configuration file /etc/raddb/mods-enabled/always
> including configuration file /etc/raddb/mods-enabled/attr_filter
> including configuration file /etc/raddb/mods-enabled/cache_eap
> including configuration file /etc/raddb/mods-enabled/chap
> including configuration file /etc/raddb/mods-enabled/detail
> including configuration file /etc/raddb/mods-enabled/detail.log
> including configuration file /etc/raddb/mods-enabled/dhcp
> including configuration file /etc/raddb/mods-enabled/digest
> including configuration file /etc/raddb/mods-enabled/dynamic_clients
> including configuration file /etc/raddb/mods-enabled/eap
> including configuration file /etc/raddb/mods-enabled/echo
> including configuration file /etc/raddb/mods-enabled/exec
> including configuration file /etc/raddb/mods-enabled/expiration
> including configuration file /etc/raddb/mods-enabled/expr
> including configuration file /etc/raddb/mods-enabled/files
> including configuration file /etc/raddb/mods-enabled/linelog
> including configuration file /etc/raddb/mods-enabled/logintime
> including configuration file /etc/raddb/mods-enabled/mschap
> including configuration file /etc/raddb/mods-enabled/ntlm_auth
> including configuration file /etc/raddb/mods-enabled/pap
> including configuration file /etc/raddb/mods-enabled/passwd
> including configuration file /etc/raddb/mods-enabled/preprocess
> including configuration file /etc/raddb/mods-enabled/radutmp
> including configuration file /etc/raddb/mods-enabled/realm
> including configuration file /etc/raddb/mods-enabled/replicate
> including configuration file /etc/raddb/mods-enabled/soh
> including configuration file /etc/raddb/mods-enabled/sradutmp
> including configuration file /etc/raddb/mods-enabled/unix
> including configuration file /etc/raddb/mods-enabled/unpack
> including configuration file /etc/raddb/mods-enabled/utf8
> including files in directory /etc/raddb/policy.d/
> including configuration file /etc/raddb/policy.d/accounting
> including configuration file /etc/raddb/policy.d/canonicalization
> including configuration file /etc/raddb/policy.d/control
> including configuration file /etc/raddb/policy.d/cui
> including configuration file /etc/raddb/policy.d/debug
> including configuration file /etc/raddb/policy.d/dhcp
> including configuration file /etc/raddb/policy.d/eap
> including configuration file /etc/raddb/policy.d/filter
> including configuration file /etc/raddb/policy.d/operator-name
> including files in directory /etc/raddb/sites-enabled/
> including configuration file /etc/raddb/sites-enabled/default
> including configuration file /etc/raddb/sites-enabled/inner-tunnel
> main {
> security {
> user = "radiusd"
> group = "radiusd"
> allow_core_dumps = no
> }
> }
> main {
> name = "radiusd"
> prefix = "/usr"
> localstatedir = "/var"
> sbindir = "/usr/sbin"
> logdir = "/var/log/radius"
> run_dir = "/var/run/radiusd"
> libdir = "/usr/lib64/freeradius"
> radacctdir = "/var/log/radius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 1024
> pidfile = "/var/run/radiusd/radiusd.pid"
> checkrad = "/usr/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> log {
> stripped_names = no
> auth = no
> auth_badpass = no
> auth_goodpass = no
> colourise = yes
> msg_denied = "You are already logged in - access denied"
> }
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = yes
> }
> }
> radiusd: #### Loading Realms and Home Servers ####
> proxy server {
> retry_delay = 5
> retry_count = 3
> default_fallback = no
> dead_time = 120
> wake_all_if_all_dead = no
> }
> home_server localhost {
> ipaddr = 127.0.0.1
> port = 1812
> type = "auth"
> secret = <<< secret >>>
> response_window = 20.000000
> response_timeouts = 1
> max_outstanding = 65536
> zombie_period = 40
> status_check = "status-server"
> ping_interval = 30
> check_interval = 30
> check_timeout = 4
> num_answers_to_alive = 3
> revive_interval = 120
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> limit {
> max_connections = 16
> max_requests = 0
> lifetime = 0
> idle_timeout = 0
> }
> }
> home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
> }
> realm example.com {
> auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
> radiusd: #### Loading Clients ####
> client localhost {
> ipaddr = 127.0.0.1
> require_message_authenticator = no
> secret = <<< secret >>>
> nas_type = "other"
> proto = "*"
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client localhost_ipv6 {
> ipv6addr = ::1
> require_message_authenticator = no
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client bea-corp-sw1 {
> ipaddr = 10.XX.XX.123
> require_message_authenticator = no
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> radiusd: #### Instantiating modules ####
> instantiate {
> }
> modules {
> # Loaded module rlm_always
> # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
> always reject {
> rcode = "reject"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
> always fail {
> rcode = "fail"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
> always ok {
> rcode = "ok"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
> always handled {
> rcode = "handled"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
> always invalid {
> rcode = "invalid"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "userlock" from file
> /etc/raddb/mods-enabled/always
> always userlock {
> rcode = "userlock"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "notfound" from file
> /etc/raddb/mods-enabled/always
> always notfound {
> rcode = "notfound"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
> always noop {
> rcode = "noop"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
> always updated {
> rcode = "updated"
> simulcount = 0
> mpp = no
> }
> # Loaded module rlm_attr_filter
> # Instantiating module "attr_filter.post-proxy" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.post-proxy {
> filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
> # Instantiating module "attr_filter.pre-proxy" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.pre-proxy {
> filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
> # Instantiating module "attr_filter.access_reject" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.access_reject {
> filename = "/etc/raddb/mods-config/attr_filter/access_reject"
> key = "%{User-Name}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
> # Instantiating module "attr_filter.access_challenge" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.access_challenge {
> filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
> key = "%{User-Name}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
> # Instantiating module "attr_filter.accounting_response" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.accounting_response {
> filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
> key = "%{User-Name}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
> # Loaded module rlm_cache
> # Instantiating module "cache_eap" from file
> /etc/raddb/mods-enabled/cache_eap
> cache cache_eap {
> key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
> ttl = 15
> max_entries = 16384
> epoch = 0
> add_stats = no
> }
> # Loaded module rlm_chap
> # Instantiating module "chap" from file /etc/raddb/mods-enabled/chap
> # Loaded module rlm_detail
> # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
> detail {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
> detail auth_log {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
> detail output
> # Instantiating module "reply_log" from file
> /etc/raddb/mods-enabled/detail.log
> detail reply_log {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> # Instantiating module "pre_proxy_log" from file
> /etc/raddb/mods-enabled/detail.log
> detail pre_proxy_log {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> # Instantiating module "post_proxy_log" from file
> /etc/raddb/mods-enabled/detail.log
> detail post_proxy_log {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> # Loaded module rlm_dhcp
> # Instantiating module "dhcp" from file /etc/raddb/mods-enabled/dhcp
> # Loaded module rlm_digest
> # Instantiating module "digest" from file /etc/raddb/mods-enabled/digest
> # Loaded module rlm_dynamic_clients
> # Instantiating module "dynamic_clients" from file
> /etc/raddb/mods-enabled/dynamic_clients
> # Loaded module rlm_eap
> # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
> eap {
> default_eap_type = "md5"
> timer_expire = 60
> ignore_unknown_eap_types = no
> mod_accounting_username_bug = no
> max_sessions = 1024
> }
> # Linked to sub-module rlm_eap_md5
> # Linked to sub-module rlm_eap_leap
> # Linked to sub-module rlm_eap_gtc
> gtc {
> challenge = "Password: "
> auth_type = "PAP"
> }
> # Linked to sub-module rlm_eap_tls
> tls {
> tls = "tls-common"
> }
> tls-config tls-common {
> rsa_key_exchange = no
> dh_key_exchange = yes
> rsa_key_length = 512
> dh_key_length = 512
> verify_depth = 0
> ca_path = "/etc/raddb/certs"
> pem_file_type = yes
> private_key_file = "/etc/raddb/certs/server.pem"
> certificate_file = "/etc/raddb/certs/server.pem"
> ca_file = "/etc/raddb/certs/ACME_bundle.crt"
> private_key_password = <<< secret >>>
> dh_file = "/etc/raddb/certs/dh"
> fragment_size = 1024
> include_length = yes
> check_crl = no
> cipher_list = "DEFAULT"
> ecdh_curve = "prime256v1"
> cache {
> enable = yes
> lifetime = 24
> max_entries = 255
> }
> verify {
> }
> ocsp {
> enable = no
> override_cert_url = yes
> url = "http://127.0.0.1/ocsp/"
> use_nonce = yes
> timeout = 0
> softfail = yes
> }
> }
> # Linked to sub-module rlm_eap_ttls
> ttls {
> tls = "tls-common"
> default_eap_type = "md5"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> virtual_server = "inner-tunnel"
> include_length = yes
> require_client_cert = no
> }
> Using cached TLS configuration from previous invocation
> # Linked to sub-module rlm_eap_peap
> peap {
> tls = "tls-common"
> default_method = "mschapv2"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> proxy_tunneled_request_as_eap = yes
> virtual_server = "inner-tunnel"
> soh = no
> require_client_cert = no
> }
> Using cached TLS configuration from previous invocation
> # Linked to sub-module rlm_eap_mschapv2
> mschapv2 {
> with_ntdomain_hack = no
> send_error = no
> }
> # Loaded module rlm_exec
> # Instantiating module "echo" from file /etc/raddb/mods-enabled/echo
> exec echo {
> wait = yes
> program = "/bin/echo %{User-Name}"
> input_pairs = "request"
> output_pairs = "reply"
> shell_escape = yes
> }
> # Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
> exec {
> wait = no
> input_pairs = "request"
> shell_escape = yes
> timeout = 10
> }
> # Loaded module rlm_expiration
> # Instantiating module "expiration" from file
> /etc/raddb/mods-enabled/expiration
> # Loaded module rlm_expr
> # Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
> expr {
> safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
> }
> # Loaded module rlm_files
> # Instantiating module "files" from file /etc/raddb/mods-enabled/files
> files {
> filename = "/etc/raddb/mods-config/files/authorize"
> usersfile = "/etc/raddb/mods-config/files/authorize"
> acctusersfile = "/etc/raddb/mods-config/files/accounting"
> preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
> compat = "cistron"
> }
> reading pairlist file /etc/raddb/mods-config/files/authorize
> [/etc/raddb/mods-config/files/authorize]:87 Cistron compatibility
> checks for entry bob ...
> [/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility
> checks for entry DEFAULT ...
> [/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility
> checks for entry DEFAULT ...
> [/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility
> checks for entry DEFAULT ...
> reading pairlist file /etc/raddb/mods-config/files/authorize
> [/etc/raddb/mods-config/files/authorize]:87 Cistron compatibility
> checks for entry bob ...
> [/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility
> checks for entry DEFAULT ...
> [/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility
> checks for entry DEFAULT ...
> [/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility
> checks for entry DEFAULT ...
> reading pairlist file /etc/raddb/mods-config/files/accounting
> reading pairlist file /etc/raddb/mods-config/files/pre-proxy
> # Loaded module rlm_linelog
> # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
> linelog {
> filename = "/var/log/radius/linelog"
> permissions = 384
> format = "This is a log message for %{User-Name}"
> reference = "messages.%{%{Packet-Type}:-default}"
> }
> # Instantiating module "log_accounting" from file
> /etc/raddb/mods-enabled/linelog
> linelog log_accounting {
> filename = "/var/log/radius/linelog-accounting"
> permissions = 384
> format = ""
> reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
> }
> # Loaded module rlm_logintime
> # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
> logintime {
> minimum_timeout = 60
> }
> # Loaded module rlm_mschap
> # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
> passchange {
> }
> allow_retry = yes
> }
> # Instantiating module "ntlm_auth" from file
> /etc/raddb/mods-enabled/ntlm_auth
> exec ntlm_auth {
> wait = yes
> program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
> shell_escape = yes
> }
> # Loaded module rlm_pap
> # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
> pap {
> normalise = yes
> }
> # Loaded module rlm_passwd
> # Instantiating module "etc_passwd" from file
> /etc/raddb/mods-enabled/passwd
> passwd etc_passwd {
> filename = "/etc/passwd"
> format = "*User-Name:Crypt-Password:"
> delimiter = ":"
> ignore_nislike = no
> ignore_empty = yes
> allow_multiple_keys = no
> hash_size = 100
> }
> rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
> # Loaded module rlm_preprocess
> # Instantiating module "preprocess" from file
> /etc/raddb/mods-enabled/preprocess
> preprocess {
> huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
> hints = "/etc/raddb/mods-config/preprocess/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
> reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
> reading pairlist file /etc/raddb/mods-config/preprocess/hints
> # Loaded module rlm_radutmp
> # Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp
> radutmp {
> filename = "/var/log/radius/radutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 384
> caller_id = yes
> }
> # Loaded module rlm_realm
> # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
> realm IPASS {
> format = "prefix"
> delimiter = "/"
> ignore_default = no
> ignore_null = no
> }
> # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
> realm suffix {
> format = "suffix"
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> # Instantiating module "realmpercent" from file
> /etc/raddb/mods-enabled/realm
> realm realmpercent {
> format = "suffix"
> delimiter = "%"
> ignore_default = no
> ignore_null = no
> }
> # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
> realm ntdomain {
> format = "prefix"
> delimiter = "\"
> ignore_default = no
> ignore_null = no
> }
> # Loaded module rlm_replicate
> # Instantiating module "replicate" from file /etc/raddb/mods-enabled/replicate
> # Loaded module rlm_soh
> # Instantiating module "soh" from file /etc/raddb/mods-enabled/soh
> soh {
> dhcp = yes
> }
> # Instantiating module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
> radutmp sradutmp {
> filename = "/var/log/radius/sradutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 420
> caller_id = no
> }
> # Loaded module rlm_unix
> # Instantiating module "unix" from file /etc/raddb/mods-enabled/unix
> unix {
> radwtmp = "/var/log/radius/radwtmp"
> }
> # Loaded module rlm_unpack
> # Instantiating module "unpack" from file /etc/raddb/mods-enabled/unpack
> # Loaded module rlm_utf8
> # Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8
> } # modules
> radiusd: #### Loading Virtual Servers ####
> server { # from file /etc/raddb/radiusd.conf
> } # server
> server default { # from file /etc/raddb/sites-enabled/default
> # Creating Auth-Type = digest
> # Loading authenticate {...}
> # Loading authorize {...}
> Ignoring "sql" (see raddb/mods-available/README.rst)
> Ignoring "ldap" (see raddb/mods-available/README.rst)
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> } # server default
> server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading session {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> } # server inner-tunnel
> radiusd: #### Opening IP addresses and Ports ####
> listen {
> type = "auth"
> ipaddr = *
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "acct"
> ipaddr = *
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "auth"
> ipv6addr = ::
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "acct"
> ipv6addr = ::
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "auth"
> ipaddr = 127.0.0.1
> port = 18120
> }
> Listening on auth address * port 1812 as server default
> Listening on acct address * port 1813 as server default
> Listening on auth address :: port 1812 as server default
> Listening on acct address :: port 1813 as server default
> Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
> Opening new proxy socket 'proxy address * port 0'
> Listening on proxy address * port 36241
> Ready to process requests
> Received Access-Request Id 252 from 10.XX.XX.123:1645 to
> 10.XX.1.122:1812 length 164
> User-Name = 'Matthew West'
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = '08-CC-68-D5-1F-1E'
> Calling-Station-Id = 'AC-87-A3-33-1A-79'
> EAP-Message = 0x02010011014d6174746865772057657374
> Message-Authenticator = 0xc8d04a388e3773fc85731ac1b373affb
> NAS-Port-Type = Ethernet
> NAS-Port = 50130
> NAS-Port-Id = 'GigabitEthernet1/0/30'
> NAS-IP-Address = 10.XX.XX.123
> (0) Received Access-Request packet from host 10.XX.XX.123 port 1645,
> id=252, length=164
> (0) User-Name = 'Matthew West'
> (0) Service-Type = Framed-User
> (0) Framed-MTU = 1500
> (0) Called-Station-Id = '08-CC-68-D5-1F-1E'
> (0) Calling-Station-Id = 'AC-87-A3-33-1A-79'
> (0) EAP-Message = 0x02010011014d6174746865772057657374
> (0) Message-Authenticator = 0xc8d04a388e3773fc85731ac1b373affb
> (0) NAS-Port-Type = Ethernet
> (0) NAS-Port = 50130
> (0) NAS-Port-Id = 'GigabitEthernet1/0/30'
> (0) NAS-IP-Address = 10.XX.XX.123
> (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (0) authorize {
> (0) filter_username filter_username {
> (0) if (!&User-Name)
> (0) if (!&User-Name) -> FALSE
> (0) if (&User-Name =~ / /)
> (0) if (&User-Name =~ / /) -> TRUE
> (0) if (&User-Name =~ / /) {
> (0) update reply {
> (0) Reply-Message += 'Rejected: Username contains whitespace'
> (0) } # update reply = noop
> (0) [reject] = reject
> (0) } # if (&User-Name =~ / /) = reject
> (0) } # filter_username filter_username = reject
> (0) } # authorize = reject
> (0) Using Post-Auth-Type Reject
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0) Post-Auth-Type REJECT {
> (0) attr_filter.access_reject : EXPAND %{User-Name}
> (0) attr_filter.access_reject : --> Matthew West
> (0) attr_filter.access_reject : Matched entry DEFAULT at line 11
> (0) [attr_filter.access_reject] = updated
> (0) eap : Request was previously rejected, inserting EAP-Failure
> (0) [eap] = updated
> (0) remove_reply_message_if_eap remove_reply_message_if_eap {
> (0) if (&reply:EAP-Message && &reply:Reply-Message)
> (0) if (&reply:EAP-Message && &reply:Reply-Message) -> TRUE
> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
> (0) update reply {
> (0) Reply-Message !* ANY
> (0) } # update reply = noop
> (0) } # if (&reply:EAP-Message && &reply:Reply-Message) = noop
> (0) ... skipping else for request 0: Preceding "if" was taken
> (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
> (0) } # Post-Auth-Type REJECT = updated
> (0) Delaying response for 1 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (0) Sending delayed response
> (0) Sending Access-Reject packet to host 10.XX.XX.123 port 1645,
> id=252, length=0
> (0) EAP-Message = 0x04010004
> (0) Message-Authenticator = 0x00000000000000000000000000000000
> Sending Access-Reject Id 252 from 10.XX.1.122:1812 to 10.XX.XX.123:1645
> EAP-Message = 0x04010004
> Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.9 seconds.
> (0) Cleaning up request packet ID 252 with timestamp +452
> Ready to process requests
> ^C
> [root at localhost ~]# radiusd -X
> radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu,
> built on Mar 5 2015 at 23:41:36
> Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License
> For more information about these matters, see the file named COPYRIGHT
> Starting - reading configuration files ...
> including dictionary file /usr/share/freeradius/dictionary
> including dictionary file /usr/share/freeradius/dictionary.dhcp
> including dictionary file /usr/share/freeradius/dictionary.vqp
> including dictionary file /etc/raddb/dictionary
> including configuration file /etc/raddb/radiusd.conf
> including configuration file /etc/raddb/proxy.conf
> including configuration file /etc/raddb/clients.conf
> including files in directory /etc/raddb/mods-enabled/
> including configuration file /etc/raddb/mods-enabled/always
> including configuration file /etc/raddb/mods-enabled/attr_filter
> including configuration file /etc/raddb/mods-enabled/cache_eap
> including configuration file /etc/raddb/mods-enabled/chap
> including configuration file /etc/raddb/mods-enabled/detail
> including configuration file /etc/raddb/mods-enabled/detail.log
> including configuration file /etc/raddb/mods-enabled/dhcp
> including configuration file /etc/raddb/mods-enabled/digest
> including configuration file /etc/raddb/mods-enabled/dynamic_clients
> including configuration file /etc/raddb/mods-enabled/eap
> including configuration file /etc/raddb/mods-enabled/echo
> including configuration file /etc/raddb/mods-enabled/exec
> including configuration file /etc/raddb/mods-enabled/expiration
> including configuration file /etc/raddb/mods-enabled/expr
> including configuration file /etc/raddb/mods-enabled/files
> including configuration file /etc/raddb/mods-enabled/linelog
> including configuration file /etc/raddb/mods-enabled/logintime
> including configuration file /etc/raddb/mods-enabled/mschap
> including configuration file /etc/raddb/mods-enabled/ntlm_auth
> including configuration file /etc/raddb/mods-enabled/pap
> including configuration file /etc/raddb/mods-enabled/passwd
> including configuration file /etc/raddb/mods-enabled/preprocess
> including configuration file /etc/raddb/mods-enabled/radutmp
> including configuration file /etc/raddb/mods-enabled/realm
> including configuration file /etc/raddb/mods-enabled/replicate
> including configuration file /etc/raddb/mods-enabled/soh
> including configuration file /etc/raddb/mods-enabled/sradutmp
> including configuration file /etc/raddb/mods-enabled/unix
> including configuration file /etc/raddb/mods-enabled/unpack
> including configuration file /etc/raddb/mods-enabled/utf8
> including files in directory /etc/raddb/policy.d/
> including configuration file /etc/raddb/policy.d/accounting
> including configuration file /etc/raddb/policy.d/canonicalization
> including configuration file /etc/raddb/policy.d/control
> including configuration file /etc/raddb/policy.d/cui
> including configuration file /etc/raddb/policy.d/debug
> including configuration file /etc/raddb/policy.d/dhcp
> including configuration file /etc/raddb/policy.d/eap
> including configuration file /etc/raddb/policy.d/filter
> including configuration file /etc/raddb/policy.d/operator-name
> including configuration file /etc/raddb/policy.d/filter.org
> including files in directory /etc/raddb/sites-enabled/
> including configuration file /etc/raddb/sites-enabled/default
> including configuration file /etc/raddb/sites-enabled/inner-tunnel
> main {
> security {
> user = "radiusd"
> group = "radiusd"
> allow_core_dumps = no
> }
> }
> main {
> name = "radiusd"
> prefix = "/usr"
> localstatedir = "/var"
> sbindir = "/usr/sbin"
> logdir = "/var/log/radius"
> run_dir = "/var/run/radiusd"
> libdir = "/usr/lib64/freeradius"
> radacctdir = "/var/log/radius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 1024
> pidfile = "/var/run/radiusd/radiusd.pid"
> checkrad = "/usr/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> log {
> stripped_names = no
> auth = no
> auth_badpass = no
> auth_goodpass = no
> colourise = yes
> msg_denied = "You are already logged in - access denied"
> }
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = yes
> }
> }
> radiusd: #### Loading Realms and Home Servers ####
> proxy server {
> retry_delay = 5
> retry_count = 3
> default_fallback = no
> dead_time = 120
> wake_all_if_all_dead = no
> }
> home_server localhost {
> ipaddr = 127.0.0.1
> port = 1812
> type = "auth"
> secret = <<< secret >>>
> response_window = 20.000000
> response_timeouts = 1
> max_outstanding = 65536
> zombie_period = 40
> status_check = "status-server"
> ping_interval = 30
> check_interval = 30
> check_timeout = 4
> num_answers_to_alive = 3
> revive_interval = 120
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> limit {
> max_connections = 16
> max_requests = 0
> lifetime = 0
> idle_timeout = 0
> }
> }
> home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
> }
> realm example.com {
> auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
> radiusd: #### Loading Clients ####
> client localhost {
> ipaddr = 127.0.0.1
> require_message_authenticator = no
> secret = <<< secret >>>
> nas_type = "other"
> proto = "*"
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client localhost_ipv6 {
> ipv6addr = ::1
> require_message_authenticator = no
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client bea-corp-sw1 {
> ipaddr = 10.XX.XX.123
> require_message_authenticator = no
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> radiusd: #### Instantiating modules ####
> instantiate {
> }
> modules {
> # Loaded module rlm_always
> # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
> always reject {
> rcode = "reject"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
> always fail {
> rcode = "fail"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
> always ok {
> rcode = "ok"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
> always handled {
> rcode = "handled"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
> always invalid {
> rcode = "invalid"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "userlock" from file
> /etc/raddb/mods-enabled/always
> always userlock {
> rcode = "userlock"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "notfound" from file
> /etc/raddb/mods-enabled/always
> always notfound {
> rcode = "notfound"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
> always noop {
> rcode = "noop"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
> always updated {
> rcode = "updated"
> simulcount = 0
> mpp = no
> }
> # Loaded module rlm_attr_filter
> # Instantiating module "attr_filter.post-proxy" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.post-proxy {
> filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
> # Instantiating module "attr_filter.pre-proxy" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.pre-proxy {
> filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
> # Instantiating module "attr_filter.access_reject" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.access_reject {
> filename = "/etc/raddb/mods-config/attr_filter/access_reject"
> key = "%{User-Name}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
> # Instantiating module "attr_filter.access_challenge" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.access_challenge {
> filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
> key = "%{User-Name}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
> # Instantiating module "attr_filter.accounting_response" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.accounting_response {
> filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
> key = "%{User-Name}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
> # Loaded module rlm_cache
> # Instantiating module "cache_eap" from file
> /etc/raddb/mods-enabled/cache_eap
> cache cache_eap {
> key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
> ttl = 15
> max_entries = 16384
> epoch = 0
> add_stats = no
> }
> # Loaded module rlm_chap
> # Instantiating module "chap" from file /etc/raddb/mods-enabled/chap
> # Loaded module rlm_detail
> # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
> detail {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
> detail auth_log {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
> detail output
> # Instantiating module "reply_log" from file
> /etc/raddb/mods-enabled/detail.log
> detail reply_log {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> # Instantiating module "pre_proxy_log" from file
> /etc/raddb/mods-enabled/detail.log
> detail pre_proxy_log {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> # Instantiating module "post_proxy_log" from file
> /etc/raddb/mods-enabled/detail.log
> detail post_proxy_log {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> # Loaded module rlm_dhcp
> # Instantiating module "dhcp" from file /etc/raddb/mods-enabled/dhcp
> # Loaded module rlm_digest
> # Instantiating module "digest" from file /etc/raddb/mods-enabled/digest
> # Loaded module rlm_dynamic_clients
> # Instantiating module "dynamic_clients" from file
> /etc/raddb/mods-enabled/dynamic_clients
> # Loaded module rlm_eap
> # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
> eap {
> default_eap_type = "md5"
> timer_expire = 60
> ignore_unknown_eap_types = no
> mod_accounting_username_bug = no
> max_sessions = 1024
> }
> # Linked to sub-module rlm_eap_md5
> # Linked to sub-module rlm_eap_leap
> # Linked to sub-module rlm_eap_gtc
> gtc {
> challenge = "Password: "
> auth_type = "PAP"
> }
> # Linked to sub-module rlm_eap_tls
> tls {
> tls = "tls-common"
> }
> tls-config tls-common {
> rsa_key_exchange = no
> dh_key_exchange = yes
> rsa_key_length = 512
> dh_key_length = 512
> verify_depth = 0
> ca_path = "/etc/raddb/certs"
> pem_file_type = yes
> private_key_file = "/etc/raddb/certs/server.pem"
> certificate_file = "/etc/raddb/certs/server.pem"
> ca_file = "/etc/raddb/certs/ACME_bundle.crt"
> private_key_password = <<< secret >>>
> dh_file = "/etc/raddb/certs/dh"
> fragment_size = 1024
> include_length = yes
> check_crl = no
> cipher_list = "DEFAULT"
> ecdh_curve = "prime256v1"
> cache {
> enable = yes
> lifetime = 24
> max_entries = 255
> }
> verify {
> }
> ocsp {
> enable = no
> override_cert_url = yes
> url = "http://127.0.0.1/ocsp/"
> use_nonce = yes
> timeout = 0
> softfail = yes
> }
> }
> # Linked to sub-module rlm_eap_ttls
> ttls {
> tls = "tls-common"
> default_eap_type = "md5"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> virtual_server = "inner-tunnel"
> include_length = yes
> require_client_cert = no
> }
> Using cached TLS configuration from previous invocation
> # Linked to sub-module rlm_eap_peap
> peap {
> tls = "tls-common"
> default_method = "mschapv2"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> proxy_tunneled_request_as_eap = yes
> virtual_server = "inner-tunnel"
> soh = no
> require_client_cert = no
> }
> Using cached TLS configuration from previous invocation
> # Linked to sub-module rlm_eap_mschapv2
> mschapv2 {
> with_ntdomain_hack = no
> send_error = no
> }
> # Loaded module rlm_exec
> # Instantiating module "echo" from file /etc/raddb/mods-enabled/echo
> exec echo {
> wait = yes
> program = "/bin/echo %{User-Name}"
> input_pairs = "request"
> output_pairs = "reply"
> shell_escape = yes
> }
> # Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
> exec {
> wait = no
> input_pairs = "request"
> shell_escape = yes
> timeout = 10
> }
> # Loaded module rlm_expiration
> # Instantiating module "expiration" from file
> /etc/raddb/mods-enabled/expiration
> # Loaded module rlm_expr
> # Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
> expr {
> safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
> }
> # Loaded module rlm_files
> # Instantiating module "files" from file /etc/raddb/mods-enabled/files
> files {
> filename = "/etc/raddb/mods-config/files/authorize"
> usersfile = "/etc/raddb/mods-config/files/authorize"
> acctusersfile = "/etc/raddb/mods-config/files/accounting"
> preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
> compat = "cistron"
> }
> reading pairlist file /etc/raddb/mods-config/files/authorize
> [/etc/raddb/mods-config/files/authorize]:87 Cistron compatibility
> checks for entry bob ...
> [/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility
> checks for entry DEFAULT ...
> [/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility
> checks for entry DEFAULT ...
> [/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility
> checks for entry DEFAULT ...
> reading pairlist file /etc/raddb/mods-config/files/authorize
> [/etc/raddb/mods-config/files/authorize]:87 Cistron compatibility
> checks for entry bob ...
> [/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility
> checks for entry DEFAULT ...
> [/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility
> checks for entry DEFAULT ...
> [/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility
> checks for entry DEFAULT ...
> reading pairlist file /etc/raddb/mods-config/files/accounting
> reading pairlist file /etc/raddb/mods-config/files/pre-proxy
> # Loaded module rlm_linelog
> # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
> linelog {
> filename = "/var/log/radius/linelog"
> permissions = 384
> format = "This is a log message for %{User-Name}"
> reference = "messages.%{%{Packet-Type}:-default}"
> }
> # Instantiating module "log_accounting" from file
> /etc/raddb/mods-enabled/linelog
> linelog log_accounting {
> filename = "/var/log/radius/linelog-accounting"
> permissions = 384
> format = ""
> reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
> }
> # Loaded module rlm_logintime
> # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
> logintime {
> minimum_timeout = 60
> }
> # Loaded module rlm_mschap
> # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
> passchange {
> }
> allow_retry = yes
> }
> # Instantiating module "ntlm_auth" from file
> /etc/raddb/mods-enabled/ntlm_auth
> exec ntlm_auth {
> wait = yes
> program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
> shell_escape = yes
> }
> # Loaded module rlm_pap
> # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
> pap {
> normalise = yes
> }
> # Loaded module rlm_passwd
> # Instantiating module "etc_passwd" from file
> /etc/raddb/mods-enabled/passwd
> passwd etc_passwd {
> filename = "/etc/passwd"
> format = "*User-Name:Crypt-Password:"
> delimiter = ":"
> ignore_nislike = no
> ignore_empty = yes
> allow_multiple_keys = no
> hash_size = 100
> }
> rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
> # Loaded module rlm_preprocess
> # Instantiating module "preprocess" from file
> /etc/raddb/mods-enabled/preprocess
> preprocess {
> huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
> hints = "/etc/raddb/mods-config/preprocess/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
> reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
> reading pairlist file /etc/raddb/mods-config/preprocess/hints
> # Loaded module rlm_radutmp
> # Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp
> radutmp {
> filename = "/var/log/radius/radutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 384
> caller_id = yes
> }
> # Loaded module rlm_realm
> # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
> realm IPASS {
> format = "prefix"
> delimiter = "/"
> ignore_default = no
> ignore_null = no
> }
> # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
> realm suffix {
> format = "suffix"
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> # Instantiating module "realmpercent" from file
> /etc/raddb/mods-enabled/realm
> realm realmpercent {
> format = "suffix"
> delimiter = "%"
> ignore_default = no
> ignore_null = no
> }
> # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
> realm ntdomain {
> format = "prefix"
> delimiter = "\"
> ignore_default = no
> ignore_null = no
> }
> # Loaded module rlm_replicate
> # Instantiating module "replicate" from file /etc/raddb/mods-enabled/replicate
> # Loaded module rlm_soh
> # Instantiating module "soh" from file /etc/raddb/mods-enabled/soh
> soh {
> dhcp = yes
> }
> # Instantiating module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
> radutmp sradutmp {
> filename = "/var/log/radius/sradutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 420
> caller_id = no
> }
> # Loaded module rlm_unix
> # Instantiating module "unix" from file /etc/raddb/mods-enabled/unix
> unix {
> radwtmp = "/var/log/radius/radwtmp"
> }
> # Loaded module rlm_unpack
> # Instantiating module "unpack" from file /etc/raddb/mods-enabled/unpack
> # Loaded module rlm_utf8
> # Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8
> } # modules
> radiusd: #### Loading Virtual Servers ####
> server { # from file /etc/raddb/radiusd.conf
> } # server
> server default { # from file /etc/raddb/sites-enabled/default
> # Creating Auth-Type = digest
> # Loading authenticate {...}
> # Loading authorize {...}
> Ignoring "sql" (see raddb/mods-available/README.rst)
> Ignoring "ldap" (see raddb/mods-available/README.rst)
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> } # server default
> server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading session {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> } # server inner-tunnel
> radiusd: #### Opening IP addresses and Ports ####
> listen {
> type = "auth"
> ipaddr = *
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "acct"
> ipaddr = *
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "auth"
> ipv6addr = ::
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "acct"
> ipv6addr = ::
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "auth"
> ipaddr = 127.0.0.1
> port = 18120
> }
> Listening on auth address * port 1812 as server default
> Listening on acct address * port 1813 as server default
> Listening on auth address :: port 1812 as server default
> Listening on acct address :: port 1813 as server default
> Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
> Opening new proxy socket 'proxy address * port 0'
> Listening on proxy address * port 40645
> Ready to process requests
> Received Access-Request Id 253 from 10.XX.XX.123:1645 to
> 10.XX.1.122:1812 length 164
> User-Name = 'Matthew West'
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = '08-CC-68-D5-1F-1E'
> Calling-Station-Id = 'AC-87-A3-33-1A-79'
> EAP-Message = 0x02010011014d6174746865772057657374
> Message-Authenticator = 0xc7fe26226e97047711b491c9d8bd0d26
> NAS-Port-Type = Ethernet
> NAS-Port = 50130
> NAS-Port-Id = 'GigabitEthernet1/0/30'
> NAS-IP-Address = 10.XX.XX.123
> (0) Received Access-Request packet from host 10.XX.XX.123 port 1645,
> id=253, length=164
> (0) User-Name = 'Matthew West'
> (0) Service-Type = Framed-User
> (0) Framed-MTU = 1500
> (0) Called-Station-Id = '08-CC-68-D5-1F-1E'
> (0) Calling-Station-Id = 'AC-87-A3-33-1A-79'
> (0) EAP-Message = 0x02010011014d6174746865772057657374
> (0) Message-Authenticator = 0xc7fe26226e97047711b491c9d8bd0d26
> (0) NAS-Port-Type = Ethernet
> (0) NAS-Port = 50130
> (0) NAS-Port-Id = 'GigabitEthernet1/0/30'
> (0) NAS-IP-Address = 10.XX.XX.123
> (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (0) authorize {
> (0) filter_username filter_username {
> (0) if (!&User-Name)
> (0) if (!&User-Name) -> FALSE
> (0) if (&User-Name =~ /@.*@/ )
> (0) if (&User-Name =~ /@.*@/ ) -> FALSE
> (0) if (&User-Name =~ /\\.\\./ )
> (0) if (&User-Name =~ /\\.\\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (0) if (&User-Name =~ /\\.$/)
> (0) if (&User-Name =~ /\\.$/) -> FALSE
> (0) if (&User-Name =~ /@\\./)
> (0) if (&User-Name =~ /@\\./) -> FALSE
> (0) } # filter_username filter_username = notfound
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) [digest] = noop
> (0) suffix : Checking for suffix after "@"
> (0) suffix : No '@' in User-Name = "Matthew West", looking up realm NULL
> (0) suffix : No such realm "NULL"
> (0) [suffix] = noop
> (0) eap : Peer sent code Response (2) ID 1 length 17
> (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit
> the rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
> (0) Found Auth-Type = EAP
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0) authenticate {
> (0) eap : Peer sent method Identity (1)
> (0) eap : Calling eap_md5 to process EAP data
> (0) eap_md5 : Issuing MD5 Challenge
> (0) eap : New EAP session, adding 'State' attribute to reply
> 0xf04fa9faf04dad23
> (0) [eap] = handled
> (0) } # authenticate = handled
> (0) Sending Access-Challenge packet to host 10.XX.XX.123 port 1645,
> id=253, length=0
> (0) EAP-Message = 0x0102001604107696cc35fda607f796d9f56764633c0a
> (0) Message-Authenticator = 0x00000000000000000000000000000000
> (0) State = 0xf04fa9faf04dad23abe4e4c6bbb3ee47
> Sending Access-Challenge Id 253 from 10.XX.1.122:1812 to 10.XX.XX.123:1645
> EAP-Message = 0x0102001604107696cc35fda607f796d9f56764633c0a
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xf04fa9faf04dad23abe4e4c6bbb3ee47
> (0) Finished request
> Waking up in 0.3 seconds.
> Received Access-Request Id 254 from 10.XX.XX.123:1645 to
> 10.XX.1.122:1812 length 171
> User-Name = 'Matthew West'
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = '08-CC-68-D5-1F-1E'
> Calling-Station-Id = 'AC-87-A3-33-1A-79'
> EAP-Message = 0x02020006030d
> Message-Authenticator = 0xacd6de673336f50f0d2c8815f239ed86
> NAS-Port-Type = Ethernet
> NAS-Port = 50130
> NAS-Port-Id = 'GigabitEthernet1/0/30'
> State = 0xf04fa9faf04dad23abe4e4c6bbb3ee47
> NAS-IP-Address = 10.XX.XX.123
> (1) Received Access-Request packet from host 10.XX.XX.123 port 1645,
> id=254, length=171
> (1) User-Name = 'Matthew West'
> (1) Service-Type = Framed-User
> (1) Framed-MTU = 1500
> (1) Called-Station-Id = '08-CC-68-D5-1F-1E'
> (1) Calling-Station-Id = 'AC-87-A3-33-1A-79'
> (1) EAP-Message = 0x02020006030d
> (1) Message-Authenticator = 0xacd6de673336f50f0d2c8815f239ed86
> (1) NAS-Port-Type = Ethernet
> (1) NAS-Port = 50130
> (1) NAS-Port-Id = 'GigabitEthernet1/0/30'
> (1) State = 0xf04fa9faf04dad23abe4e4c6bbb3ee47
> (1) NAS-IP-Address = 10.XX.XX.123
> (1) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (1) authorize {
> (1) filter_username filter_username {
> (1) if (!&User-Name)
> (1) if (!&User-Name) -> FALSE
> (1) if (&User-Name =~ /@.*@/ )
> (1) if (&User-Name =~ /@.*@/ ) -> FALSE
> (1) if (&User-Name =~ /\\.\\./ )
> (1) if (&User-Name =~ /\\.\\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (1) if (&User-Name =~ /\\.$/)
> (1) if (&User-Name =~ /\\.$/) -> FALSE
> (1) if (&User-Name =~ /@\\./)
> (1) if (&User-Name =~ /@\\./) -> FALSE
> (1) } # filter_username filter_username = notfound
> (1) [preprocess] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) [digest] = noop
> (1) suffix : Checking for suffix after "@"
> (1) suffix : No '@' in User-Name = "Matthew West", looking up realm NULL
> (1) suffix : No such realm "NULL"
> (1) [suffix] = noop
> (1) eap : Peer sent code Response (2) ID 2 length 6
> (1) eap : No EAP Start, assuming it's an on-going EAP conversation
> (1) [eap] = updated
> (1) [files] = noop
> (1) [expiration] = noop
> (1) [logintime] = noop
> (1) WARNING: pap : No "known good" password found for the user. Not
> setting Auth-Type
> (1) WARNING: pap : Authentication will fail unless a "known good"
> password is available
> (1) [pap] = noop
> (1) } # authorize = updated
> (1) Found Auth-Type = EAP
> (1) # Executing group from file /etc/raddb/sites-enabled/default
> (1) authenticate {
> (1) eap : Expiring EAP session with state 0xf04fa9faf04dad23
> (1) eap : Finished EAP session with state 0xf04fa9faf04dad23
> (1) eap : Previous EAP request found for state 0xf04fa9faf04dad23,
> released from the list
> (1) eap : Peer sent method NAK (3)
> (1) eap : Found mutually acceptable type TLS (13)
> (1) eap : Calling eap_tls to process EAP data
> (1) eap_tls : Flushing SSL sessions (of #0)
> (1) eap_tls : Requiring client certificate
> (1) eap_tls : Initiate
> (1) eap_tls : Requiring client certificate
> (1) eap_tls : Start returned 1
> (1) eap : New EAP session, adding 'State' attribute to reply
> 0xf04fa9faf14ca423
> (1) [eap] = handled
> (1) } # authenticate = handled
> (1) Sending Access-Challenge packet to host 10.XX.XX.123 port 1645,
> id=254, length=0
> (1) EAP-Message = 0x010300060d20
> (1) Message-Authenticator = 0x00000000000000000000000000000000
> (1) State = 0xf04fa9faf14ca423abe4e4c6bbb3ee47
> Sending Access-Challenge Id 254 from 10.XX.1.122:1812 to 10.XX.XX.123:1645
> EAP-Message = 0x010300060d20
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xf04fa9faf14ca423abe4e4c6bbb3ee47
> (1) Finished request
> Waking up in 0.3 seconds.
> Received Access-Request Id 255 from 10.XX.XX.123:1645 to
> 10.XX.1.122:1812 length 296
> User-Name = 'Matthew West'
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = '08-CC-68-D5-1F-1E'
> Calling-Station-Id = 'AC-87-A3-33-1A-79'
> EAP-Message = 0x020300830d8000000079160301007401000070030157d1d43ecd441f11
> 5e1ec3d0d32af15b2732f7a02aa95c91b6a650966deab46b00002800ffc0
> 24c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac0
> 07c011000500040100001f000a00080006001700180019000b0002010000
> 050005010000000000120000
> Message-Authenticator = 0x17619e18afe17fe418be4de2dc0e6b6c
> NAS-Port-Type = Ethernet
> NAS-Port = 50130
> NAS-Port-Id = 'GigabitEthernet1/0/30'
> State = 0xf04fa9faf14ca423abe4e4c6bbb3ee47
> NAS-IP-Address = 10.XX.XX.123
> (2) Received Access-Request packet from host 10.XX.XX.123 port 1645,
> id=255, length=296
> (2) User-Name = 'Matthew West'
> (2) Service-Type = Framed-User
> (2) Framed-MTU = 1500
> (2) Called-Station-Id = '08-CC-68-D5-1F-1E'
> (2) Calling-Station-Id = 'AC-87-A3-33-1A-79'
> (2) EAP-Message =
> 0x020300830d8000000079160301007401000070030157d1d43ecd441f11
> 5e1ec3d0d32af15b2732f7a02aa95c91b6a650966deab46b00002800ffc0
> 24c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac0
> 07c011000500040100001f000a00080006001700180019000b0002010000
> 050005010000000000120000
> (2) Message-Authenticator = 0x17619e18afe17fe418be4de2dc0e6b6c
> (2) NAS-Port-Type = Ethernet
> (2) NAS-Port = 50130
> (2) NAS-Port-Id = 'GigabitEthernet1/0/30'
> (2) State = 0xf04fa9faf14ca423abe4e4c6bbb3ee47
> (2) NAS-IP-Address = 10.XX.XX.123
> (2) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (2) authorize {
> (2) filter_username filter_username {
> (2) if (!&User-Name)
> (2) if (!&User-Name) -> FALSE
> (2) if (&User-Name =~ /@.*@/ )
> (2) if (&User-Name =~ /@.*@/ ) -> FALSE
> (2) if (&User-Name =~ /\\.\\./ )
> (2) if (&User-Name =~ /\\.\\./ ) -> FALSE
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (2) if (&User-Name =~ /\\.$/)
> (2) if (&User-Name =~ /\\.$/) -> FALSE
> (2) if (&User-Name =~ /@\\./)
> (2) if (&User-Name =~ /@\\./) -> FALSE
> (2) } # filter_username filter_username = notfound
> (2) [preprocess] = ok
> (2) [chap] = noop
> (2) [mschap] = noop
> (2) [digest] = noop
> (2) suffix : Checking for suffix after "@"
> (2) suffix : No '@' in User-Name = "Matthew West", looking up realm NULL
> (2) suffix : No such realm "NULL"
> (2) [suffix] = noop
> (2) eap : Peer sent code Response (2) ID 3 length 131
> (2) eap : No EAP Start, assuming it's an on-going EAP conversation
> (2) [eap] = updated
> (2) [files] = noop
> (2) [expiration] = noop
> (2) [logintime] = noop
> (2) [pap] = noop
> (2) } # authorize = updated
> (2) Found Auth-Type = EAP
> (2) # Executing group from file /etc/raddb/sites-enabled/default
> (2) authenticate {
> (2) eap : Expiring EAP session with state 0xf04fa9faf14ca423
> (2) eap : Finished EAP session with state 0xf04fa9faf14ca423
> (2) eap : Previous EAP request found for state 0xf04fa9faf14ca423,
> released from the list
> (2) eap : Peer sent method TLS (13)
> (2) eap : EAP TLS (13)
> (2) eap : Calling eap_tls to process EAP data
> (2) eap_tls : Authenticate
> (2) eap_tls : processing EAP-TLS
> TLS Length 121
> (2) eap_tls : Length Included
> (2) eap_tls : eaptls_verify returned 11
> (2) eap_tls : (other): before/accept initialization
> (2) eap_tls : TLS_accept: before/accept initialization
> (2) eap_tls : <<< TLS 1.0 Handshake [length 0074], ClientHello
> (2) eap_tls : TLS_accept: SSLv3 read client hello A
> (2) eap_tls : >>> TLS 1.0 Handshake [length 0059], ServerHello
> (2) eap_tls : TLS_accept: SSLv3 write server hello A
> (2) eap_tls : >>> TLS 1.0 Handshake [length 0402], Certificate
> (2) eap_tls : TLS_accept: SSLv3 write certificate A
> (2) eap_tls : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
> (2) eap_tls : TLS_accept: SSLv3 write key exchange A
> (2) eap_tls : >>> TLS 1.0 Handshake [length 0271], CertificateRequest
> (2) eap_tls : TLS_accept: SSLv3 write certificate request A
> (2) eap_tls : TLS_accept: SSLv3 flush data
> (2) eap_tls : TLS_accept: Need to read more data: SSLv3 read client
> certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> (2) eap_tls : eaptls_process returned 13
> (2) eap : New EAP session, adding 'State' attribute to reply
> 0xf04fa9faf24ba423
> (2) [eap] = handled
> (2) } # authenticate = handled
> (2) Sending Access-Challenge packet to host 10.XX.XX.123 port 1645,
> id=255, length=0
> (2) EAP-Message =
> 0x010403ec0dc00000082b160301005902000055030157d1dd45939c6a0d
> ee55299d21b5463464981d5fb34fdd834e6e335f1d61832320f334a09695
> 57e364415cbfb4ba2bd54f418d1da5490524c1d394b8b9317942b4c01400
> 000dff01000100000b00040300010216030104020b0003fe0003fb0003f8
> 308203f4308202dca003020102020105300d06092a864886f70d01010b05
> 003081aa310b3009060355040613025553310f300d060355040813064f72
> 65676f6e3112301006035504071309426561766572746f6e311b30190603
> 55040a13125961616e6120546563686e6f6c6f676965733122302006092a
> 864886f70d010901161361646d696e407961616e61746563682e6e657431
> 3530330603550403132c5961616e61205465737420436572746966696361
> 746520417574686f72697479202d20426561766572746f6e301e170d3136
> 303930373232353732345a170d3136313130363232353732345a307f310b
> 3009060355040613025553310f300d060355040813064f7265676f6e311b
> 3019060355040a13125961616e6120546563686e6f6c6f67696573311e30
> 1c06035504031315546573742052414449555320426561766572746f6e31
> 22302006092a864886f70d010901161361646d696e407961616e61746563
> 682e6e657430820122300d06092a864886f70d0101010500
> (2) Message-Authenticator = 0x00000000000000000000000000000000
> (2) State = 0xf04fa9faf24ba423abe4e4c6bbb3ee47
> Sending Access-Challenge Id 255 from 10.XX.1.122:1812 to 10.XX.XX.123:1645
> EAP-Message = 0x010403ec0dc00000082b160301005902000055030157d1dd45939c6a0d
> ee55299d21b5463464981d5fb34fdd834e6e335f1d61832320f334a09695
> 57e364415cbfb4ba2bd54f418d1da5490524c1d394b8b9317942b4c01400
> 000dff01000100000b00040300010216030104020b0003fe0003fb0003f8
> 308203f4308202dca003020102020105300d06092a864886f70d01010b05
> 003081aa310b3009060355040613025553310f300d060355040813064f72
> 65676f6e3112301006035504071309426561766572746f6e311b30190603
> 55040a13125961616e6120546563686e6f6c6f676965733122302006092a
> 864886f70d010901161361646d696e407961616e61746563682e6e657431
> 3530330603550403132c5961616e61205465737420436572746966696361
> 746520417574686f72697479202d20426561766572746f6e301e170d3136
> 303930373232353732345a170d3136313130363232353732345a307f310b
> 3009060355040613025553310f300d060355040813064f7265676f6e311b
> 3019060355040a13125961616e6120546563686e6f6c6f67696573311e30
> 1c06035504031315546573742052414449555320426561766572746f6e31
> 22302006092a864886f70d010901161361646d696e407961616e61746563
> 682e6e657430820122300d06092a864886f70d010101050
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xf04fa9faf24ba423abe4e4c6bbb3ee47
> (2) Finished request
> Waking up in 0.2 seconds.
> Received Access-Request Id 0 from 10.XX.XX.123:1645 to
> 10.XX.1.122:1812 length 171
> User-Name = 'Matthew West'
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = '08-CC-68-D5-1F-1E'
> Calling-Station-Id = 'AC-87-A3-33-1A-79'
> EAP-Message = 0x020400060d00
> Message-Authenticator = 0x16b86af565c700bc0d41743b8488b786
> NAS-Port-Type = Ethernet
> NAS-Port = 50130
> NAS-Port-Id = 'GigabitEthernet1/0/30'
> State = 0xf04fa9faf24ba423abe4e4c6bbb3ee47
> NAS-IP-Address = 10.XX.XX.123
> (3) Received Access-Request packet from host 10.XX.XX.123 port 1645,
> id=0, length=171
> (3) User-Name = 'Matthew West'
> (3) Service-Type = Framed-User
> (3) Framed-MTU = 1500
> (3) Called-Station-Id = '08-CC-68-D5-1F-1E'
> (3) Calling-Station-Id = 'AC-87-A3-33-1A-79'
> (3) EAP-Message = 0x020400060d00
> (3) Message-Authenticator = 0x16b86af565c700bc0d41743b8488b786
> (3) NAS-Port-Type = Ethernet
> (3) NAS-Port = 50130
> (3) NAS-Port-Id = 'GigabitEthernet1/0/30'
> (3) State = 0xf04fa9faf24ba423abe4e4c6bbb3ee47
> (3) NAS-IP-Address = 10.XX.XX.123
> (3) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (3) authorize {
> (3) filter_username filter_username {
> (3) if (!&User-Name)
> (3) if (!&User-Name) -> FALSE
> (3) if (&User-Name =~ /@.*@/ )
> (3) if (&User-Name =~ /@.*@/ ) -> FALSE
> (3) if (&User-Name =~ /\\.\\./ )
> (3) if (&User-Name =~ /\\.\\./ ) -> FALSE
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (3) if (&User-Name =~ /\\.$/)
> (3) if (&User-Name =~ /\\.$/) -> FALSE
> (3) if (&User-Name =~ /@\\./)
> (3) if (&User-Name =~ /@\\./) -> FALSE
> (3) } # filter_username filter_username = notfound
> (3) [preprocess] = ok
> (3) [chap] = noop
> (3) [mschap] = noop
> (3) [digest] = noop
> (3) suffix : Checking for suffix after "@"
> (3) suffix : No '@' in User-Name = "Matthew West", looking up realm NULL
> (3) suffix : No such realm "NULL"
> (3) [suffix] = noop
> (3) eap : Peer sent code Response (2) ID 4 length 6
> (3) eap : No EAP Start, assuming it's an on-going EAP conversation
> (3) [eap] = updated
> (3) [files] = noop
> (3) [expiration] = noop
> (3) [logintime] = noop
> (3) [pap] = noop
> (3) } # authorize = updated
> (3) Found Auth-Type = EAP
> (3) # Executing group from file /etc/raddb/sites-enabled/default
> (3) authenticate {
> (3) eap : Expiring EAP session with state 0xf04fa9faf24ba423
> (3) eap : Finished EAP session with state 0xf04fa9faf24ba423
> (3) eap : Previous EAP request found for state 0xf04fa9faf24ba423,
> released from the list
> (3) eap : Peer sent method TLS (13)
> (3) eap : EAP TLS (13)
> (3) eap : Calling eap_tls to process EAP data
> (3) eap_tls : Authenticate
> (3) eap_tls : processing EAP-TLS
> (3) eap_tls : Received TLS ACK
> (3) eap_tls : Received TLS ACK
> (3) eap_tls : ACK handshake fragment handler
> (3) eap_tls : eaptls_verify returned 1
> (3) eap_tls : eaptls_process returned 13
> (3) eap : New EAP session, adding 'State' attribute to reply
> 0xf04fa9faf34aa423
> (3) [eap] = handled
> (3) } # authenticate = handled
> (3) Sending Access-Challenge packet to host 10.XX.XX.123 port 1645,
> id=0, length=0
> (3) EAP-Message =
> 0x010503ec0dc00000082b5ee1c1ab239ed57b2f29a51baf9fbfe11b4ebd
> 5bc986dc68e3b1fcebc84871c519bc6347fbdb68e28e9acd35ce8c320f66
> f5cb8c6d1a7aed531bdd6530de8526ff4ff9ee80e56a3f06c9cc0bfef80a
> f9b7d8d8f6f9fa3bc4b2b50d3cd7f2fbd779eaf073f825ff380eecbde5ee
> e5a2894df8951bba9fd60efc4607dd44c38cceaeafa5160301014b0c0001
> 470300174104a7f3beccef41cd20bee3a8a252e95b3ab602b93b01baa9ba
> 5c67a159fda5c425c838227afc8452a03da60e05fac53cac088982f9a76d
> c45b64fce41a5a267b4d01008eceb7a7da1ee40ce5617fc94e869e7985be
> ec747fbcffc58b5e8bb89cd351c446bc0cdb4f3bcc3f8e630c92a6159fa4
> 12243dc0850ea3581e8089b9a1f70bc4cc26b3add6a14eb2d8b1bccb24d3
> 348b5a45fa66218f663d53d37baf7150c75eaf73e73e6552bb92feb392c1
> 2b8feb8fb102ebf20078d9c9b0f3cef84d366586c9378ff17ffdd144c973
> d1f31056719919722e2c258d06a8a75b9871cbaa34e352f99b24d46f4e61
> 2f928255af17ed4e8906610b7ad1cff4ada2a9bd1145b478a2de7c8d0336
> 7c709c2a02077899822a7cde6f025ffb542e76dfe9be99ce43f9217d553f
> 0484f9442b5e6a0e56f002ee768eb8849183983e63aa047d8b30f6281603
> 0102710d00026903010240026300cd3081ca310b30090603
> (3) Message-Authenticator = 0x00000000000000000000000000000000
> (3) State = 0xf04fa9faf34aa423abe4e4c6bbb3ee47
> Sending Access-Challenge Id 0 from 10.XX.1.122:1812 to 10.XX.XX.123:1645
> EAP-Message = 0x010503ec0dc00000082b5ee1c1ab239ed57b2f29a51baf9fbfe11b4ebd
> 5bc986dc68e3b1fcebc84871c519bc6347fbdb68e28e9acd35ce8c320f66
> f5cb8c6d1a7aed531bdd6530de8526ff4ff9ee80e56a3f06c9cc0bfef80a
> f9b7d8d8f6f9fa3bc4b2b50d3cd7f2fbd779eaf073f825ff380eecbde5ee
> e5a2894df8951bba9fd60efc4607dd44c38cceaeafa5160301014b0c0001
> 470300174104a7f3beccef41cd20bee3a8a252e95b3ab602b93b01baa9ba
> 5c67a159fda5c425c838227afc8452a03da60e05fac53cac088982f9a76d
> c45b64fce41a5a267b4d01008eceb7a7da1ee40ce5617fc94e869e7985be
> ec747fbcffc58b5e8bb89cd351c446bc0cdb4f3bcc3f8e630c92a6159fa4
> 12243dc0850ea3581e8089b9a1f70bc4cc26b3add6a14eb2d8b1bccb24d3
> 348b5a45fa66218f663d53d37baf7150c75eaf73e73e6552bb92feb392c1
> 2b8feb8fb102ebf20078d9c9b0f3cef84d366586c9378ff17ffdd144c973
> d1f31056719919722e2c258d06a8a75b9871cbaa34e352f99b24d46f4e61
> 2f928255af17ed4e8906610b7ad1cff4ada2a9bd1145b478a2de7c8d0336
> 7c709c2a02077899822a7cde6f025ffb542e76dfe9be99ce43f9217d553f
> 0484f9442b5e6a0e56f002ee768eb8849183983e63aa047d8b30f6281603
> 0102710d00026903010240026300cd3081ca310b3009060
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xf04fa9faf34aa423abe4e4c6bbb3ee47
> (3) Finished request
> Waking up in 0.2 seconds.
> Received Access-Request Id 1 from 10.XX.XX.123:1645 to
> 10.XX.1.122:1812 length 171
> User-Name = 'Matthew West'
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = '08-CC-68-D5-1F-1E'
> Calling-Station-Id = 'AC-87-A3-33-1A-79'
> EAP-Message = 0x020500060d00
> Message-Authenticator = 0x133f34dea4e06a2142cd418cecc88484
> NAS-Port-Type = Ethernet
> NAS-Port = 50130
> NAS-Port-Id = 'GigabitEthernet1/0/30'
> State = 0xf04fa9faf34aa423abe4e4c6bbb3ee47
> NAS-IP-Address = 10.XX.XX.123
> (4) Received Access-Request packet from host 10.XX.XX.123 port 1645,
> id=1, length=171
> (4) User-Name = 'Matthew West'
> (4) Service-Type = Framed-User
> (4) Framed-MTU = 1500
> (4) Called-Station-Id = '08-CC-68-D5-1F-1E'
> (4) Calling-Station-Id = 'AC-87-A3-33-1A-79'
> (4) EAP-Message = 0x020500060d00
> (4) Message-Authenticator = 0x133f34dea4e06a2142cd418cecc88484
> (4) NAS-Port-Type = Ethernet
> (4) NAS-Port = 50130
> (4) NAS-Port-Id = 'GigabitEthernet1/0/30'
> (4) State = 0xf04fa9faf34aa423abe4e4c6bbb3ee47
> (4) NAS-IP-Address = 10.XX.XX.123
> (4) # Executing section authorize from file /etc/raddb/sites-enabled/
> default
> (4) authorize {
> (4) filter_username filter_username {
> (4) if (!&User-Name)
> (4) if (!&User-Name) -> FALSE
> (4) if (&User-Name =~ /@.*@/ )
> (4) if (&User-Name =~ /@.*@/ ) -> FALSE
> (4) if (&User-Name =~ /\\.\\./ )
> (4) if (&User-Name =~ /\\.\\./ ) -> FALSE
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (4) if (&User-Name =~ /\\.$/)
> (4) if (&User-Name =~ /\\.$/) -> FALSE
> (4) if (&User-Name =~ /@\\./)
> (4) if (&User-Name =~ /@\\./) -> FALSE
> (4) } # filter_username filter_username = notfound
> (4) [preprocess] = ok
> (4) [chap] = noop
> (4) [mschap] = noop
> (4) [digest] = noop
> (4) suffix : Checking for suffix after "@"
> (4) suffix : No '@' in User-Name = "Matthew West", looking up realm NULL
> (4) suffix : No such realm "NULL"
> (4) [suffix] = noop
> (4) eap : Peer sent code Response (2) ID 5 length 6
> (4) eap : No EAP Start, assuming it's an on-going EAP conversation
> (4) [eap] = updated
> (4) [files] = noop
> (4) [expiration] = noop
> (4) [logintime] = noop
> (4) [pap] = noop
> (4) } # authorize = updated
> (4) Found Auth-Type = EAP
> (4) # Executing group from file /etc/raddb/sites-enabled/default
> (4) authenticate {
> (4) eap : Expiring EAP session with state 0xf04fa9faf34aa423
> (4) eap : Finished EAP session with state 0xf04fa9faf34aa423
> (4) eap : Previous EAP request found for state 0xf04fa9faf34aa423,
> released from the list
> (4) eap : Peer sent method TLS (13)
> (4) eap : EAP TLS (13)
> (4) eap : Calling eap_tls to process EAP data
> (4) eap_tls : Authenticate
> (4) eap_tls : processing EAP-TLS
> (4) eap_tls : Received TLS ACK
> (4) eap_tls : Received TLS ACK
> (4) eap_tls : ACK handshake fragment handler
> (4) eap_tls : eaptls_verify returned 1
> (4) eap_tls : eaptls_process returned 13
> (4) eap : New EAP session, adding 'State' attribute to reply
> 0xf04fa9faf449a423
> (4) [eap] = handled
> (4) } # authenticate = handled
> (4) Sending Access-Challenge packet to host 10.XX.XX.123 port 1645,
> id=1, length=0
> (4) EAP-Message =
> 0x010600710d800000082b6563686e6f6c6f676965732c204c4c43204341
> 004e304c3120301e060355040a13175961616e6120546563686e6f6c6f67
> 6965732c204c4c43312830260603550403131f5961616e6120546563686e
> 6f6c6f676965732c204c4c43204341202d2047320e000000
> (4) Message-Authenticator = 0x00000000000000000000000000000000
> (4) State = 0xf04fa9faf449a423abe4e4c6bbb3ee47
> Sending Access-Challenge Id 1 from 10.XX.1.122:1812 to 10.XX.XX.123:1645
> EAP-Message = 0x010600710d800000082b6563686e6f6c6f676965732c204c4c43204341
> 004e304c3120301e060355040a13175961616e6120546563686e6f6c6f67
> 6965732c204c4c43312830260603550403131f5961616e6120546563686e
> 6f6c6f676965732c204c4c43204341202d2047320e000000
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xf04fa9faf449a423abe4e4c6bbb3ee47
> (4) Finished request
> Waking up in 0.2 seconds.
> Received Access-Request Id 2 from 10.XX.XX.123:1645 to
> 10.XX.1.122:1812 length 1451
> User-Name = 'Matthew West'
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = '08-CC-68-D5-1F-1E'
> Calling-Station-Id = 'AC-87-A3-33-1A-79'
> EAP-Message = 0x020604fc0dc00000139016030111fa0b0011f60011f300076930820765
> 3082064da0030201020210181ddca644a326886c48039b989b0ef3300d06
> 092a864886f70d01010505003081c9310b3009060355040613025553311d
> 301b060355040a131453796d616e74656320436f72706f726174696f6e31
> 1f301d060355040b131653796d616e746563205472757374204e6574776f
> 726b31353033060355040b132c436c6173732032204d616e616765642050
> 4b4920496e646976696475616c2053756273637269626572204341314330
> 410603550403133a53796d616e74656320436c6173732032205368617265
> 6420496e7465726d65646961746520436572746966696361746520417574
> 686f72697479301e170d3136303230323030303030305a170d3138303230
> 313233353935395a30753115301306035504030c0c4d6174746865772057
> 657374310f300d060355040b0c06532f4d494d453120301e060355040a0c
> 175961616e6120546563686e6f6c6f676965732c204c4c43312930270609
> 2a864886f70d010901161a6d6174746865772e77657374407961616e6174
> 6563682e636f6d30820122300d06092a864886f70d01010105000382010f
> 003082010a0282010100d029e7e78636ab2bb56a797b548157f0b2854628
> 20c2c4e9e40e0d01bd6c9e94bdada6d32526d452f3511c6
> Message-Authenticator = 0x94f42e70e2a693a04a98916fa170e48c
> NAS-Port-Type = Ethernet
> NAS-Port = 50130
> NAS-Port-Id = 'GigabitEthernet1/0/30'
> State = 0xf04fa9faf449a423abe4e4c6bbb3ee47
> NAS-IP-Address = 10.XX.XX.123
> (5) Received Access-Request packet from host 10.XX.XX.123 port 1645,
> id=2, length=1451
> (5) User-Name = 'Matthew West'
> (5) Service-Type = Framed-User
> (5) Framed-MTU = 1500
> (5) Called-Station-Id = '08-CC-68-D5-1F-1E'
> (5) Calling-Station-Id = 'AC-87-A3-33-1A-79'
> (5) EAP-Message =
> 0x020604fc0dc00000139016030111fa0b0011f60011f300076930820765
> 3082064da0030201020210181ddca644a326886c48039b989b0ef3300d06
> 092a864886f70d01010505003081c9310b3009060355040613025553311d
> 301b060355040a131453796d616e74656320436f72706f726174696f6e31
> 1f301d060355040b131653796d616e746563205472757374204e6574776f
> 726b31353033060355040b132c436c6173732032204d616e616765642050
> 4b4920496e646976696475616c2053756273637269626572204341314330
> 410603550403133a53796d616e74656320436c6173732032205368617265
> 6420496e7465726d65646961746520436572746966696361746520417574
> 686f72697479301e170d3136303230323030303030305a170d3138303230
> 313233353935395a30753115301306035504030c0c4d6174746865772057
> 657374310f300d060355040b0c06532f4d494d453120301e060355040a0c
> 175961616e6120546563686e6f6c6f676965732c204c4c43312930270609
> 2a864886f70d010901161a6d6174746865772e77657374407961616e6174
> 6563682e636f6d30820122300d06092a864886f70d01010105000382010f
> 003082010a0282010100d029e7e78636ab2bb56a797b548157f0b2854628
> 20c2c4e9e40e0d01bd6c9e94bdada6d32526d452f3511c62
> (5) Message-Authenticator = 0x94f42e70e2a693a04a98916fa170e48c
> (5) NAS-Port-Type = Ethernet
> (5) NAS-Port = 50130
> (5) NAS-Port-Id = 'GigabitEthernet1/0/30'
> (5) State = 0xf04fa9faf449a423abe4e4c6bbb3ee47
> (5) NAS-IP-Address = 10.XX.XX.123
> (5) # Executing section authorize from file /etc/raddb/sites-enabled/
> default
> (5) authorize {
> (5) filter_username filter_username {
> (5) if (!&User-Name)
> (5) if (!&User-Name) -> FALSE
> (5) if (&User-Name =~ /@.*@/ )
> (5) if (&User-Name =~ /@.*@/ ) -> FALSE
> (5) if (&User-Name =~ /\\.\\./ )
> (5) if (&User-Name =~ /\\.\\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (5) if (&User-Name =~ /\\.$/)
> (5) if (&User-Name =~ /\\.$/) -> FALSE
> (5) if (&User-Name =~ /@\\./)
> (5) if (&User-Name =~ /@\\./) -> FALSE
> (5) } # filter_username filter_username = notfound
> (5) [preprocess] = ok
> (5) [chap] = noop
> (5) [mschap] = noop
> (5) [digest] = noop
> (5) suffix : Checking for suffix after "@"
> (5) suffix : No '@' in User-Name = "Matthew West", looking up realm NULL
> (5) suffix : No such realm "NULL"
> (5) [suffix] = noop
> (5) eap : Peer sent code Response (2) ID 6 length 1276
> (5) eap : No EAP Start, assuming it's an on-going EAP conversation
> (5) [eap] = updated
> (5) [files] = noop
> (5) [expiration] = noop
> (5) [logintime] = noop
> (5) [pap] = noop
> (5) } # authorize = updated
> (5) Found Auth-Type = EAP
> (5) # Executing group from file /etc/raddb/sites-enabled/default
> (5) authenticate {
> (5) eap : Expiring EAP session with state 0xf04fa9faf449a423
> (5) eap : Finished EAP session with state 0xf04fa9faf449a423
> (5) eap : Previous EAP request found for state 0xf04fa9faf449a423,
> released from the list
> (5) eap : Peer sent method TLS (13)
> (5) eap : EAP TLS (13)
> (5) eap : Calling eap_tls to process EAP data
> (5) eap_tls : Authenticate
> (5) eap_tls : processing EAP-TLS
> TLS Length 5008
> (5) eap_tls : Received EAP-TLS First Fragment of the message
> (5) eap_tls : eaptls_verify returned 9
> (5) eap_tls : eaptls_process returned 13
> (5) eap : New EAP session, adding 'State' attribute to reply
> 0xf04fa9faf548a423
> (5) [eap] = handled
> (5) } # authenticate = handled
> (5) Sending Access-Challenge packet to host 10.XX.XX.123 port 1645,
> id=2, length=0
> (5) EAP-Message = 0x010700060d00
> (5) Message-Authenticator = 0x00000000000000000000000000000000
> (5) State = 0xf04fa9faf548a423abe4e4c6bbb3ee47
> Sending Access-Challenge Id 2 from 10.XX.1.122:1812 to 10.XX.XX.123:1645
> EAP-Message = 0x010700060d00
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xf04fa9faf548a423abe4e4c6bbb3ee47
> (5) Finished request
> Waking up in 0.2 seconds.
> Received Access-Request Id 3 from 10.XX.XX.123:1645 to
> 10.XX.1.122:1812 length 1451
> User-Name = 'Matthew West'
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = '08-CC-68-D5-1F-1E'
> Calling-Station-Id = 'AC-87-A3-33-1A-79'
> EAP-Message = 0x020704fc0d405630543052a050a04e864c687474703a2f2f706b692d63
> 726c2e73796d617574682e636f6d2f63615f303762623764363437376366
> 34663662653936616631623336636162643331362f4c617465737443524c
> 2e63726c306c0603551d20046530633061060b6086480186f84501071702
> 3052302606082b06010505070201161a687474703a2f2f7777772e73796d
> 617574682e636f6d2f637073302806082b06010505070202301c1a1a6874
> 74703a2f2f7777772e73796d617574682e636f6d2f727061304206092a86
> 4886f70d01090f04353033300a06082a864886f70d0307300b0609608648
> 016503040102300b0609608648016503040116300b060960864801650304
> 012a302c060a6086480186f845011003041e301c06126086480186f84501
> 100102020101869ba76e16063138373230393039060a6086480186f84501
> 1005042b302902010016246148523063484d364c79397761326b74636d45
> 7563336c74595856306143356a6232303d300d06092a864886f70d010105
> 050003820101005cd4d282900ef55d349cabf167608c0e5fcc699e6e23a7
> e443642d394b5f7c96416df805734d9064f5b538c1515929b6291d796a5f
> 2b7ecec9a702e047fff88f81692c0b9c2553dcae9bed8fc234f3300fe129
> e79589b3c5779e88412082d68c765420ba86733fa2dcceb
> Message-Authenticator = 0x953d6feb75b9e9aa0de007ccf402c872
> NAS-Port-Type = Ethernet
> NAS-Port = 50130
> NAS-Port-Id = 'GigabitEthernet1/0/30'
> State = 0xf04fa9faf548a423abe4e4c6bbb3ee47
> NAS-IP-Address = 10.XX.XX.123
> (6) Received Access-Request packet from host 10.XX.XX.123 port 1645,
> id=3, length=1451
> (6) User-Name = 'Matthew West'
> (6) Service-Type = Framed-User
> (6) Framed-MTU = 1500
> (6) Called-Station-Id = '08-CC-68-D5-1F-1E'
> (6) Calling-Station-Id = 'AC-87-A3-33-1A-79'
> (6) EAP-Message =
> 0x020704fc0d405630543052a050a04e864c687474703a2f2f706b692d63
> 726c2e73796d617574682e636f6d2f63615f303762623764363437376366
> 34663662653936616631623336636162643331362f4c617465737443524c
> 2e63726c306c0603551d20046530633061060b6086480186f84501071702
> 3052302606082b06010505070201161a687474703a2f2f7777772e73796d
> 617574682e636f6d2f637073302806082b06010505070202301c1a1a6874
> 74703a2f2f7777772e73796d617574682e636f6d2f727061304206092a86
> 4886f70d01090f04353033300a06082a864886f70d0307300b0609608648
> 016503040102300b0609608648016503040116300b060960864801650304
> 012a302c060a6086480186f845011003041e301c06126086480186f84501
> 100102020101869ba76e16063138373230393039060a6086480186f84501
> 1005042b302902010016246148523063484d364c79397761326b74636d45
> 7563336c74595856306143356a6232303d300d06092a864886f70d010105
> 050003820101005cd4d282900ef55d349cabf167608c0e5fcc699e6e23a7
> e443642d394b5f7c96416df805734d9064f5b538c1515929b6291d796a5f
> 2b7ecec9a702e047fff88f81692c0b9c2553dcae9bed8fc234f3300fe129
> e79589b3c5779e88412082d68c765420ba86733fa2dccebd
> (6) Message-Authenticator = 0x953d6feb75b9e9aa0de007ccf402c872
> (6) NAS-Port-Type = Ethernet
> (6) NAS-Port = 50130
> (6) NAS-Port-Id = 'GigabitEthernet1/0/30'
> (6) State = 0xf04fa9faf548a423abe4e4c6bbb3ee47
> (6) NAS-IP-Address = 10.XX.XX.123
> (6) # Executing section authorize from file /etc/raddb/sites-enabled/
> default
> (6) authorize {
> (6) filter_username filter_username {
> (6) if (!&User-Name)
> (6) if (!&User-Name) -> FALSE
> (6) if (&User-Name =~ /@.*@/ )
> (6) if (&User-Name =~ /@.*@/ ) -> FALSE
> (6) if (&User-Name =~ /\\.\\./ )
> (6) if (&User-Name =~ /\\.\\./ ) -> FALSE
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (6) if (&User-Name =~ /\\.$/)
> (6) if (&User-Name =~ /\\.$/) -> FALSE
> (6) if (&User-Name =~ /@\\./)
> (6) if (&User-Name =~ /@\\./) -> FALSE
> (6) } # filter_username filter_username = notfound
> (6) [preprocess] = ok
> (6) [chap] = noop
> (6) [mschap] = noop
> (6) [digest] = noop
> (6) suffix : Checking for suffix after "@"
> (6) suffix : No '@' in User-Name = "Matthew West", looking up realm NULL
> (6) suffix : No such realm "NULL"
> (6) [suffix] = noop
> (6) eap : Peer sent code Response (2) ID 7 length 1276
> (6) eap : No EAP Start, assuming it's an on-going EAP conversation
> (6) [eap] = updated
> (6) [files] = noop
> (6) [expiration] = noop
> (6) [logintime] = noop
> (6) [pap] = noop
> (6) } # authorize = updated
> (6) Found Auth-Type = EAP
> (6) # Executing group from file /etc/raddb/sites-enabled/default
> (6) authenticate {
> (6) eap : Expiring EAP session with state 0xf04fa9faf548a423
> (6) eap : Finished EAP session with state 0xf04fa9faf548a423
> (6) eap : Previous EAP request found for state 0xf04fa9faf548a423,
> released from the list
> (6) eap : Peer sent method TLS (13)
> (6) eap : EAP TLS (13)
> (6) eap : Calling eap_tls to process EAP data
> (6) eap_tls : Authenticate
> (6) eap_tls : processing EAP-TLS
> (6) eap_tls : More fragments to follow
> (6) eap_tls : eaptls_verify returned 10
> (6) eap_tls : eaptls_process returned 13
> (6) eap : New EAP session, adding 'State' attribute to reply
> 0xf04fa9faf647a423
> (6) [eap] = handled
> (6) } # authenticate = handled
> (6) Sending Access-Challenge packet to host 10.XX.XX.123 port 1645,
> id=3, length=0
> (6) EAP-Message = 0x010800060d00
> (6) Message-Authenticator = 0x00000000000000000000000000000000
> (6) State = 0xf04fa9faf647a423abe4e4c6bbb3ee47
> Sending Access-Challenge Id 3 from 10.XX.1.122:1812 to 10.XX.XX.123:1645
> EAP-Message = 0x010800060d00
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xf04fa9faf647a423abe4e4c6bbb3ee47
> (6) Finished request
> Waking up in 0.2 seconds.
> Received Access-Request Id 4 from 10.XX.XX.123:1645 to
> 10.XX.1.122:1812 length 1451
> User-Name = 'Matthew West'
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = '08-CC-68-D5-1F-1E'
> Calling-Station-Id = 'AC-87-A3-33-1A-79'
> EAP-Message = 0x020804fc0d409d2d2cb02e3f18f329cd1a36898492c757705b7085e638
> a17c50e3373888655b6bcb392a04b182aa1904ffa07f3fa3db91457666a3
> 6bf385235e4ed9855d75a7a015f7c10074e0e5ca9442659ac2377a8ba850
> acbf97746777d132a7af8dcb93a92542b4301a740ae2251010cb7467550f
> cb14fc41500aa47c4d0b0bf905a935f945a731f180bba2c93ece7639e12a
> ff7650e7e85122df2dcfb8330203010001a382023f3082023b3012060355
> 1d130101ff040830060101ff02010030340603551d1f042d302b3029a027
> a0258623687474703a2f2f63726c2e766572697369676e2e636f6d2f7063
> 61322d67332e63726c300e0603551d0f0101ff0404030201063029060355
> 1d1104223020a41e301c311a301806035504031311566572695369676e4d
> 504b492d322d3536301d0603551d0e04160414d84829a85f2a1792e2fa9e
> 7bef6f6083f8b8b8dc3081f00603551d230481e83081e5a181d0a481cd30
> 81ca310b300906035504061302555331173015060355040a130e56657269
> 5369676e2c20496e632e311f301d060355040b1316566572695369676e20
> 5472757374204e6574776f726b313a3038060355040b1331286329203139
> 393920566572695369676e2c20496e632e202d20466f7220617574686f72
> 697a656420757365206f6e6c79314530430603550403133
> Message-Authenticator = 0xc1c5b9d576679e82e9b9d17928f09712
> NAS-Port-Type = Ethernet
> NAS-Port = 50130
> NAS-Port-Id = 'GigabitEthernet1/0/30'
> State = 0xf04fa9faf647a423abe4e4c6bbb3ee47
> NAS-IP-Address = 10.XX.XX.123
> (7) Received Access-Request packet from host 10.XX.XX.123 port 1645,
> id=4, length=1451
> (7) User-Name = 'Matthew West'
> (7) Service-Type = Framed-User
> (7) Framed-MTU = 1500
> (7) Called-Station-Id = '08-CC-68-D5-1F-1E'
> (7) Calling-Station-Id = 'AC-87-A3-33-1A-79'
> (7) EAP-Message =
> 0x020804fc0d409d2d2cb02e3f18f329cd1a36898492c757705b7085e638
> a17c50e3373888655b6bcb392a04b182aa1904ffa07f3fa3db91457666a3
> 6bf385235e4ed9855d75a7a015f7c10074e0e5ca9442659ac2377a8ba850
> acbf97746777d132a7af8dcb93a92542b4301a740ae2251010cb7467550f
> cb14fc41500aa47c4d0b0bf905a935f945a731f180bba2c93ece7639e12a
> ff7650e7e85122df2dcfb8330203010001a382023f3082023b3012060355
> 1d130101ff040830060101ff02010030340603551d1f042d302b3029a027
> a0258623687474703a2f2f63726c2e766572697369676e2e636f6d2f7063
> 61322d67332e63726c300e0603551d0f0101ff0404030201063029060355
> 1d1104223020a41e301c311a301806035504031311566572695369676e4d
> 504b492d322d3536301d0603551d0e04160414d84829a85f2a1792e2fa9e
> 7bef6f6083f8b8b8dc3081f00603551d230481e83081e5a181d0a481cd30
> 81ca310b300906035504061302555331173015060355040a130e56657269
> 5369676e2c20496e632e311f301d060355040b1316566572695369676e20
> 5472757374204e6574776f726b313a3038060355040b1331286329203139
> 393920566572695369676e2c20496e632e202d20466f7220617574686f72
> 697a656420757365206f6e6c79314530430603550403133c
> (7) Message-Authenticator = 0xc1c5b9d576679e82e9b9d17928f09712
> (7) NAS-Port-Type = Ethernet
> (7) NAS-Port = 50130
> (7) NAS-Port-Id = 'GigabitEthernet1/0/30'
> (7) State = 0xf04fa9faf647a423abe4e4c6bbb3ee47
> (7) NAS-IP-Address = 10.XX.XX.123
> (7) # Executing section authorize from file /etc/raddb/sites-enabled/
> default
> (7) authorize {
> (7) filter_username filter_username {
> (7) if (!&User-Name)
> (7) if (!&User-Name) -> FALSE
> (7) if (&User-Name =~ /@.*@/ )
> (7) if (&User-Name =~ /@.*@/ ) -> FALSE
> (7) if (&User-Name =~ /\\.\\./ )
> (7) if (&User-Name =~ /\\.\\./ ) -> FALSE
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (7) if (&User-Name =~ /\\.$/)
> (7) if (&User-Name =~ /\\.$/) -> FALSE
> (7) if (&User-Name =~ /@\\./)
> (7) if (&User-Name =~ /@\\./) -> FALSE
> (7) } # filter_username filter_username = notfound
> (7) [preprocess] = ok
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) [digest] = noop
> (7) suffix : Checking for suffix after "@"
> (7) suffix : No '@' in User-Name = "Matthew West", looking up realm NULL
> (7) suffix : No such realm "NULL"
> (7) [suffix] = noop
> (7) eap : Peer sent code Response (2) ID 8 length 1276
> (7) eap : No EAP Start, assuming it's an on-going EAP conversation
> (7) [eap] = updated
> (7) [files] = noop
> (7) [expiration] = noop
> (7) [logintime] = noop
> (7) [pap] = noop
> (7) } # authorize = updated
> (7) Found Auth-Type = EAP
> (7) # Executing group from file /etc/raddb/sites-enabled/default
> (7) authenticate {
> (7) eap : Expiring EAP session with state 0xf04fa9faf647a423
> (7) eap : Finished EAP session with state 0xf04fa9faf647a423
> (7) eap : Previous EAP request found for state 0xf04fa9faf647a423,
> released from the list
> (7) eap : Peer sent method TLS (13)
> (7) eap : EAP TLS (13)
> (7) eap : Calling eap_tls to process EAP data
> (7) eap_tls : Authenticate
> (7) eap_tls : processing EAP-TLS
> (7) eap_tls : More fragments to follow
> (7) eap_tls : eaptls_verify returned 10
> (7) eap_tls : eaptls_process returned 13
> (7) eap : New EAP session, adding 'State' attribute to reply
> 0xf04fa9faf746a423
> (7) [eap] = handled
> (7) } # authenticate = handled
> (7) Sending Access-Challenge packet to host 10.XX.XX.123 port 1645,
> id=4, length=0
> (7) EAP-Message = 0x010900060d00
> (7) Message-Authenticator = 0x00000000000000000000000000000000
> (7) State = 0xf04fa9faf746a423abe4e4c6bbb3ee47
> Sending Access-Challenge Id 4 from 10.XX.1.122:1812 to 10.XX.XX.123:1645
> EAP-Message = 0x010900060d00
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xf04fa9faf746a423abe4e4c6bbb3ee47
> (7) Finished request
> Waking up in 0.2 seconds.
> Received Access-Request Id 5 from 10.XX.XX.123:1645 to
> 10.XX.1.122:1812 length 1381
> User-Name = 'Matthew West'
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = '08-CC-68-D5-1F-1E'
> Calling-Station-Id = 'AC-87-A3-33-1A-79'
> EAP-Message = 0x020904b80d00313030313030303030305a170d33363037313632333539
> 35395a3081ca310b300906035504061302555331173015060355040a130e
> 566572695369676e2c20496e632e311f301d060355040b13165665726953
> 69676e205472757374204e6574776f726b313a3038060355040b13312863
> 29203139393920566572695369676e2c20496e632e202d20466f72206175
> 74686f72697a656420757365206f6e6c79314530430603550403133c5665
> 72695369676e20436c6173732032205075626c6963205072696d61727920
> 43657274696669636174696f6e20417574686f72697479202d2047333082
> 0122300d06092a864886f70d01010105000382010f003082010a02820101
> 00af0a0dc2d52cdb67b92de59427dda5bee0b04d8fb361563cd67cc3f4cd
> 3e86cba288e2e1d8a469c5b5e2bfc1a647505e46398bd596bab56f14bf10
> ce27139e05479b317a13d81fd9d302378bad2c47f08e8106a70d300cebf7
> 3c0f201ddc7246eea502c85bc3c956694cc518c1917b0bd513009bbcefc3
> 483e466020852ad590b6cd8ba0cc32ddb7fd4055b2501c56aecc8d774dc7
> 204da73176ef68928a901e088156b2ad69a352d0cb1cc4233d1f99fe4ce8
> 16638ec6088ef631f6d2fae576ddb51c92a349cdcd01cd68cda969baa3eb
> 1d0d9ca420a6c1a0c5d1464c176dd2ac663f968ce084d43
> Message-Authenticator = 0xb5bed396e8075f3e329a22154cbf2c28
> NAS-Port-Type = Ethernet
> NAS-Port = 50130
> NAS-Port-Id = 'GigabitEthernet1/0/30'
> State = 0xf04fa9faf746a423abe4e4c6bbb3ee47
> NAS-IP-Address = 10.XX.XX.123
> (8) Received Access-Request packet from host 10.XX.XX.123 port 1645,
> id=5, length=1381
> (8) User-Name = 'Matthew West'
> (8) Service-Type = Framed-User
> (8) Framed-MTU = 1500
> (8) Called-Station-Id = '08-CC-68-D5-1F-1E'
> (8) Calling-Station-Id = 'AC-87-A3-33-1A-79'
> (8) EAP-Message =
> 0x020904b80d00313030313030303030305a170d33363037313632333539
> 35395a3081ca310b300906035504061302555331173015060355040a130e
> 566572695369676e2c20496e632e311f301d060355040b13165665726953
> 69676e205472757374204e6574776f726b313a3038060355040b13312863
> 29203139393920566572695369676e2c20496e632e202d20466f72206175
> 74686f72697a656420757365206f6e6c79314530430603550403133c5665
> 72695369676e20436c6173732032205075626c6963205072696d61727920
> 43657274696669636174696f6e20417574686f72697479202d2047333082
> 0122300d06092a864886f70d01010105000382010f003082010a02820101
> 00af0a0dc2d52cdb67b92de59427dda5bee0b04d8fb361563cd67cc3f4cd
> 3e86cba288e2e1d8a469c5b5e2bfc1a647505e46398bd596bab56f14bf10
> ce27139e05479b317a13d81fd9d302378bad2c47f08e8106a70d300cebf7
> 3c0f201ddc7246eea502c85bc3c956694cc518c1917b0bd513009bbcefc3
> 483e466020852ad590b6cd8ba0cc32ddb7fd4055b2501c56aecc8d774dc7
> 204da73176ef68928a901e088156b2ad69a352d0cb1cc4233d1f99fe4ce8
> 16638ec6088ef631f6d2fae576ddb51c92a349cdcd01cd68cda969baa3eb
> 1d0d9ca420a6c1a0c5d1464c176dd2ac663f968ce084d436
> (8) Message-Authenticator = 0xb5bed396e8075f3e329a22154cbf2c28
> (8) NAS-Port-Type = Ethernet
> (8) NAS-Port = 50130
> (8) NAS-Port-Id = 'GigabitEthernet1/0/30'
> (8) State = 0xf04fa9faf746a423abe4e4c6bbb3ee47
> (8) NAS-IP-Address = 10.XX.XX.123
> (8) # Executing section authorize from file /etc/raddb/sites-enabled/
> default
> (8) authorize {
> (8) filter_username filter_username {
> (8) if (!&User-Name)
> (8) if (!&User-Name) -> FALSE
> (8) if (&User-Name =~ /@.*@/ )
> (8) if (&User-Name =~ /@.*@/ ) -> FALSE
> (8) if (&User-Name =~ /\\.\\./ )
> (8) if (&User-Name =~ /\\.\\./ ) -> FALSE
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (8) if (&User-Name =~ /\\.$/)
> (8) if (&User-Name =~ /\\.$/) -> FALSE
> (8) if (&User-Name =~ /@\\./)
> (8) if (&User-Name =~ /@\\./) -> FALSE
> (8) } # filter_username filter_username = notfound
> (8) [preprocess] = ok
> (8) [chap] = noop
> (8) [mschap] = noop
> (8) [digest] = noop
> (8) suffix : Checking for suffix after "@"
> (8) suffix : No '@' in User-Name = "Matthew West", looking up realm NULL
> (8) suffix : No such realm "NULL"
> (8) [suffix] = noop
> (8) eap : Peer sent code Response (2) ID 9 length 1208
> (8) eap : No EAP Start, assuming it's an on-going EAP conversation
> (8) [eap] = updated
> (8) [files] = noop
> (8) [expiration] = noop
> (8) [logintime] = noop
> (8) [pap] = noop
> (8) } # authorize = updated
> (8) Found Auth-Type = EAP
> (8) # Executing group from file /etc/raddb/sites-enabled/default
> (8) authenticate {
> (8) eap : Expiring EAP session with state 0xf04fa9faf746a423
> (8) eap : Finished EAP session with state 0xf04fa9faf746a423
> (8) eap : Previous EAP request found for state 0xf04fa9faf746a423,
> released from the list
> (8) eap : Peer sent method TLS (13)
> (8) eap : EAP TLS (13)
> (8) eap : Calling eap_tls to process EAP data
> (8) eap_tls : Authenticate
> (8) eap_tls : processing EAP-TLS
> (8) eap_tls : eaptls_verify returned 7
> (8) eap_tls : Done initial handshake
> (8) eap_tls : <<< TLS 1.0 Handshake [length 11fa], Certificate
> (8) eap_tls : chain-depth=2,
> (8) eap_tls : error=0
> (8) eap_tls : --> User-Name = Matthew West
> (8) eap_tls : --> BUF-Name = VeriSign Class 2 Public Primary
> Certification Authority - G3
> (8) eap_tls : --> subject = /C=US/O=VeriSign, Inc./OU=VeriSign Trust
> Network/OU=(c) 1999 VeriSign, Inc. - For authorized use
> only/CN=VeriSign Class 2 Public Primary Certification Authority - G3
> (8) eap_tls : --> issuer = /C=US/O=VeriSign, Inc./OU=VeriSign Trust
> Network/OU=(c) 1999 VeriSign, Inc. - For authorized use
> only/CN=VeriSign Class 2 Public Primary Certification Authority - G3
> (8) eap_tls : --> verify return:1
> (8) eap_tls : chain-depth=1,
> (8) eap_tls : error=0
> (8) eap_tls : --> User-Name = Matthew West
> (8) eap_tls : --> BUF-Name = Symantec Class 2 Shared Intermediate
> Certificate Authority
> (8) eap_tls : --> subject = /C=US/O=Symantec Corporation/OU=Symantec
> Trust Network/OU=Class 2 Managed PKI Individual Subscriber
> CA/CN=Symantec Class 2 Shared Intermediate Certificate Authority
> (8) eap_tls : --> issuer = /C=US/O=VeriSign, Inc./OU=VeriSign Trust
> Network/OU=(c) 1999 VeriSign, Inc. - For authorized use
> only/CN=VeriSign Class 2 Public Primary Certification Authority - G3
> (8) eap_tls : --> verify return:1
> (8) eap_tls : chain-depth=0,
> (8) eap_tls : error=0
> (8) eap_tls : --> User-Name = Matthew West
> (8) eap_tls : --> BUF-Name = Matthew West
> (8) eap_tls : --> subject = /CN=Matthew West/OU=S/MIME/O=ACME
> Technologies, LLC/emailAddress=matthew.west at ACMEtech.com
> (8) eap_tls : --> issuer = /C=US/O=Symantec Corporation/OU=Symantec
> Trust Network/OU=Class 2 Managed PKI Individual Subscriber
> CA/CN=Symantec Class 2 Shared Intermediate Certificate Authority
> (8) eap_tls : --> verify return:1
> (8) eap_tls : TLS_accept: SSLv3 read client certificate A
> (8) eap_tls : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
> (8) eap_tls : TLS_accept: SSLv3 read client key exchange A
> (8) eap_tls : <<< TLS 1.0 Handshake [length 0106], CertificateVerify
> (8) eap_tls : TLS_accept: SSLv3 read certificate verify A
> (8) eap_tls : <<< TLS 1.0 ChangeCipherSpec [length 0001]
> (8) eap_tls : <<< TLS 1.0 Handshake [length 0010], Finished
> (8) eap_tls : TLS_accept: SSLv3 read finished A
> (8) eap_tls : >>> TLS 1.0 ChangeCipherSpec [length 0001]
> (8) eap_tls : TLS_accept: SSLv3 write change cipher spec A
> (8) eap_tls : >>> TLS 1.0 Handshake [length 0010], Finished
> (8) eap_tls : TLS_accept: SSLv3 write finished A
> (8) eap_tls : TLS_accept: SSLv3 flush data
> SSL: adding session
> f334a0969557e364415cbfb4ba2bd54f418d1da5490524c1d394b8b9317942b4 to
> cache
> (8) eap_tls : (other): SSL negotiation finished successfully
> SSL Connection Established
> (8) eap_tls : eaptls_process returned 13
> (8) eap : New EAP session, adding 'State' attribute to reply
> 0xf04fa9faf845a423
> (8) [eap] = handled
> (8) } # authenticate = handled
> (8) Sending Access-Challenge packet to host 10.XX.XX.123 port 1645,
> id=5, length=0
> (8) EAP-Message =
> 0x010a00450d800000003b1403010001011603010030972b5880fa61a3a0
> 4063157ce9904c92c768a459de9a5c78d88c35317fef6da0ac3fb8387b9c
> f365713237487d6b08c9
> (8) Message-Authenticator = 0x00000000000000000000000000000000
> (8) State = 0xf04fa9faf845a423abe4e4c6bbb3ee47
> Sending Access-Challenge Id 5 from 10.XX.1.122:1812 to 10.XX.XX.123:1645
> EAP-Message = 0x010a00450d800000003b1403010001011603010030972b5880fa61a3a0
> 4063157ce9904c92c768a459de9a5c78d88c35317fef6da0ac3fb8387b9c
> f365713237487d6b08c9
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xf04fa9faf845a423abe4e4c6bbb3ee47
> (8) Finished request
> Waking up in 0.2 seconds.
> Received Access-Request Id 6 from 10.XX.XX.123:1645 to
> 10.XX.1.122:1812 length 171
> User-Name = 'Matthew West'
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = '08-CC-68-D5-1F-1E'
> Calling-Station-Id = 'AC-87-A3-33-1A-79'
> EAP-Message = 0x020a00060d00
> Message-Authenticator = 0x850755b28e3e4d3e4817c69f85326117
> NAS-Port-Type = Ethernet
> NAS-Port = 50130
> NAS-Port-Id = 'GigabitEthernet1/0/30'
> State = 0xf04fa9faf845a423abe4e4c6bbb3ee47
> NAS-IP-Address = 10.XX.XX.123
> (9) Received Access-Request packet from host 10.XX.XX.123 port 1645,
> id=6, length=171
> (9) User-Name = 'Matthew West'
> (9) Service-Type = Framed-User
> (9) Framed-MTU = 1500
> (9) Called-Station-Id = '08-CC-68-D5-1F-1E'
> (9) Calling-Station-Id = 'AC-87-A3-33-1A-79'
> (9) EAP-Message = 0x020a00060d00
> (9) Message-Authenticator = 0x850755b28e3e4d3e4817c69f85326117
> (9) NAS-Port-Type = Ethernet
> (9) NAS-Port = 50130
> (9) NAS-Port-Id = 'GigabitEthernet1/0/30'
> (9) State = 0xf04fa9faf845a423abe4e4c6bbb3ee47
> (9) NAS-IP-Address = 10.XX.XX.123
> (9) # Executing section authorize from file /etc/raddb/sites-enabled/
> default
> (9) authorize {
> (9) filter_username filter_username {
> (9) if (!&User-Name)
> (9) if (!&User-Name) -> FALSE
> (9) if (&User-Name =~ /@.*@/ )
> (9) if (&User-Name =~ /@.*@/ ) -> FALSE
> (9) if (&User-Name =~ /\\.\\./ )
> (9) if (&User-Name =~ /\\.\\./ ) -> FALSE
> (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (9) if (&User-Name =~ /\\.$/)
> (9) if (&User-Name =~ /\\.$/) -> FALSE
> (9) if (&User-Name =~ /@\\./)
> (9) if (&User-Name =~ /@\\./) -> FALSE
> (9) } # filter_username filter_username = notfound
> (9) [preprocess] = ok
> (9) [chap] = noop
> (9) [mschap] = noop
> (9) [digest] = noop
> (9) suffix : Checking for suffix after "@"
> (9) suffix : No '@' in User-Name = "Matthew West", looking up realm NULL
> (9) suffix : No such realm "NULL"
> (9) [suffix] = noop
> (9) eap : Peer sent code Response (2) ID 10 length 6
> (9) eap : No EAP Start, assuming it's an on-going EAP conversation
> (9) [eap] = updated
> (9) [files] = noop
> (9) [expiration] = noop
> (9) [logintime] = noop
> (9) [pap] = noop
> (9) } # authorize = updated
> (9) Found Auth-Type = EAP
> (9) # Executing group from file /etc/raddb/sites-enabled/default
> (9) authenticate {
> (9) eap : Expiring EAP session with state 0xf04fa9faf845a423
> (9) eap : Finished EAP session with state 0xf04fa9faf845a423
> (9) eap : Previous EAP request found for state 0xf04fa9faf845a423,
> released from the list
> (9) eap : Peer sent method TLS (13)
> (9) eap : EAP TLS (13)
> (9) eap : Calling eap_tls to process EAP data
> (9) eap_tls : Authenticate
> (9) eap_tls : processing EAP-TLS
> (9) eap_tls : Received TLS ACK
> (9) eap_tls : Received TLS ACK
> (9) eap_tls : ACK handshake is finished
> (9) eap_tls : eaptls_verify returned 3
> (9) eap_tls : eaptls_process returned 3
> (9) eap_tls : Saving session
> f334a0969557e364415cbfb4ba2bd54f418d1da5490524c1d394b8b9317942b4 vps
> 0x7f995732fc00 in the cache
> (9) eap : Freeing handler
> (9) [eap] = ok
> (9) } # authenticate = ok
> (9) # Executing section post-auth from file /etc/raddb/sites-enabled/
> default
> (9) post-auth {
> (9) [exec] = noop
> (9) remove_reply_message_if_eap remove_reply_message_if_eap {
> (9) if (&reply:EAP-Message && &reply:Reply-Message)
> (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (9) else else {
> (9) [noop] = noop
> (9) } # else else = noop
> (9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
> (9) } # post-auth = noop
> (9) Sending Access-Accept packet to host 10.XX.XX.123 port 1645, id=6,
> length=0
> (9) MS-MPPE-Recv-Key =
> 0xfaa281c3617f3014221f9d701eb760e7849e6c93550f52b2a05cc943c79a2b4e
> (9) MS-MPPE-Send-Key =
> 0x108a6022d883528237ae8c72beadde69a362e94c7a836f4af3159783f038c3e5
> (9) EAP-MSK = 0xfaa281c3617f3014221f9d701eb760e7849e6c93550f52b2a05cc943c7
> 9a2b4e108a6022d883528237ae8c72beadde69a362e94c7a836f4af3159783f038c3e5
> (9) EAP-EMSK = 0x6480d679d4e11b6cdc2526aa3105
> 29e3221d573bba71d705aa779dae0e33968bae4d88c840ff91facd7e6dfd
> a0c53b311a9f24279eddab746cf21cbd089187a9
> (9) EAP-Session-Id =
> 0x0d57d1d43ecd441f115e1ec3d0d32af15b2732f7a02aa95c91b6a65096
> 6deab46b57d1dd45939c6a0dee55299d21b5463464981d5fb34fdd834e6e335f1d618323
> (9) EAP-Message = 0x030a0004
> (9) Message-Authenticator = 0x00000000000000000000000000000000
> (9) User-Name = 'Matthew West'
> Sending Access-Accept Id 6 from 10.XX.1.122:1812 to 10.XX.XX.123:1645
> MS-MPPE-Recv-Key =
> 0xfaa281c3617f3014221f9d701eb760e7849e6c93550f52b2a05cc943c79a2b4e
> MS-MPPE-Send-Key =
> 0x108a6022d883528237ae8c72beadde69a362e94c7a836f4af3159783f038c3e5
> EAP-Message = 0x030a0004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = 'Matthew West'
> (9) Finished request
> Waking up in 0.1 seconds.
> Waking up in 4.5 seconds.
> (0) Cleaning up request packet ID 253 with timestamp +98
> (1) Cleaning up request packet ID 254 with timestamp +98
> (2) Cleaning up request packet ID 255 with timestamp +98
> (3) Cleaning up request packet ID 0 with timestamp +98
> (4) Cleaning up request packet ID 1 with timestamp +98
> (5) Cleaning up request packet ID 2 with timestamp +98
> (6) Cleaning up request packet ID 3 with timestamp +98
> (7) Cleaning up request packet ID 4 with timestamp +98
> (8) Cleaning up request packet ID 5 with timestamp +98
> (9) Cleaning up request packet ID 6 with timestamp +98
> Ready to process requests
>
> On Thu, Aug 25, 2016 at 10:54 AM, Matthew West <matthew.t.west at gmail.com>
> wrote:
> > Hi Alan,
> >
> >> For 802.1X is a closed loop system. Only those clients authing against
> you should trust you, thus they can be configured to trust you. ..knowing
> your CA. If you use a public CA then anyone else can get a cert signed by
> that CA for small change, they can then do eg evil twin etc attacks and
> badly configured clients will auth against them. ..thus giving them the
> users password (or easily cloud cracked mschap challenge/response)... many
> clients have basic security...eg only trust the CA. So local CA is the one
> way to ensure lowest common denominator is secure.
> >
> > So the client would trust anyone holding a cert issued by the root CA?
> > That's not good.
> >
> >> Also there are requirements/flags in the root CA and server CA for
> RADIUS clients. ....and several clients do not work with wildcard server
> certs in RADIUS land (Note, you don't need a cert per RADIUS server either
> if it's the same service)
> >
> > Fun. So at this point, I'm looking at either MS-CHAPv2 tied to an AD
> > server, using 3rd party server cert, or using self-signed certs for
> > authentication. When using self-signed/generated certs, if I have
> > multiple locations with a RADIUS server at each location, can I use
> > the same user and ca certs across locations so users can roam? Each
> > RADIUS server should have its own server certificate, though,
> > correct?
> >
> > I'm trying to understand feasibility here. My directive was: wired
> > 802.1X with existing user certs.
> >
> > I've been doing network-specific work for the last decade (Firewalls,
> > routers, switches, load balancers, APs, etc.), so please excuse any
> > systems-specific knowledge I'm missing. All my 802.1X work previously
> > was using AD, so I'm also new to using certs for network auth as well.
> >
> > Thanks for your time, Alan. I'm going back to the drawing board to
> > see what direction is best pursued.
> >
> > Thank you,
> >
> > Matthew
> >
> >
> >
> > On Thu, Aug 25, 2016 at 10:36 AM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
> wrote:
> >> For 802.1X is a closed loop system. Only those clients authing against
> you
> >> should trust you, thus they can be configured to trust you. ..knowing
> your
> >> CA. If you use a public CA then anyone else can get a cert signed by
> that CA
> >> for small change, they can then do eg evil twin etc attacks and badly
> >> configured clients will auth against them. ..thus giving them the users
> >> password (or easily cloud cracked mschap challenge/response)... many
> clients
> >> have basic security...eg only trust the CA. So local CA is the one way
> to
> >> ensure lowest common denominator is secure. Couple this with other
> things -
> >> eg if you use a public CA you are a slave to THEIR server timeframes,
> >> policies etc. If that root becomes intermediate or the CA gets revoked
> by
> >> the OS your service is hosed. Also there are requirements/flags in the
> root
> >> CA and server CA for RADIUS clients. ....and several clients do not work
> >> with wildcard server certs in RADIUS land
> >> (Note, you don't need a cert per RADIUS server either if it's the same
> >> service)
> >>
> >> Don't just take my word for it, it's Best Common Practice to not use
> public
> >> CAs - ask one of the main RADIUS RFC authors ;)
> >>
> >>
> >> alan
>
>
Hello Matthew,
You are probably confusing this with your past experience with SSL certificates
used for web sites or email servers. In those cases the certificate was used
to validate ownership of the domain name you are connecting to. In the case of WLAN
there is no domain name hierarchy and there is nothing to validate. I
hope one day the standard will allow us to acknowledge SSID ownership, but
AFAIK there is no such option now. So either you install your own
CA everywhere and force all your WLAN clients to validate EAP-TTLS
handshakes using it, or your users can send their weak hashes (NTLM, MD5)
and even plaintext passwords (PAP) to a spoofed WLAN with the same SSID.
Dear FR users, please correct me if I've made a mistake above.
Thank you.
--
Bogdan Rudas
Head of Minsk IT Support Department
Exadel Inc.
http://www.exadel.com/
E-mail: brudas at exadel.com
Skype ID: bogdan.rudas
--
CONFIDENTIALITY NOTICE: This email and files attached to it are
confidential. If you are not the intended recipient you are hereby notified
that using, copying, distributing or taking any action in reliance on the
contents of this information is strictly prohibited. If you have received
this email in error please notify the sender and delete this email.
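The point Alan and Bogdan make above (a client that only trusts the CA will accept any server certificate that CA has issued, so a public CA buys you nothing unless the supplicant also pins the server's identity) can be reproduced with Go's standard crypto/x509. This is an added example, not code from the thread or from FreeRADIUS; the CA and host names (radius.example.com, anyone-else.example.net) are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a key pair and certificate for name. With parent == nil it is a
// self-signed CA; otherwise a server certificate signed by parent/parentKey.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // root CA: allowed to sign certificates
		tpl.IsCA, tpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tpl, key
	} else { // EAP server certificate carrying its name as a SAN
		tpl.DNSNames = []string{name}
		tpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// accepted models the supplicant's decision: the chain must end in roots, and
// if name != "" the server certificate must also carry that name (the
// domain_match / subject_match style check many supplicants offer).
func accepted(cert *x509.Certificate, roots *x509.CertPool, name string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err == nil
}

// Scenario: one CA (standing in for a public CA anyone can buy from) issues the
// real RADIUS server's certificate and one to an unrelated party. Returns whether
// a CA-only client accepts the unrelated cert, and whether a name-bound client
// accepts the unrelated cert and the legitimate one respectively.
func Scenario() (caOnlyRogue, nameBoundRogue, nameBoundLegit bool) {
	ca, caKey := issue("Example Public CA", nil, nil) // constructed CA name
	legit, _ := issue("radius.example.com", ca, caKey)
	other, _ := issue("anyone-else.example.net", ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return accepted(other, roots, ""), accepted(other, roots, "radius.example.com"),
		accepted(legit, roots, "radius.example.com")
}

func main() {
	a, b, c := Scenario()
	fmt.Printf("CA-only trust accepts other party's cert: %v\n", a)
	fmt.Printf("name-bound trust accepts other party's cert: %v, legitimate server: %v\n", b, c)
}
```

With a private CA the first result is the whole story (only you can issue from it); with a public CA the supplicant must additionally be configured with the expected server name or certificate, which is exactly the "lowest common denominator" problem Alan describes.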