3.0.12 EAP-PEAP with OpenLDAP group membership and Packet-Src-IP-Address checking

Staiger, Moritz (RRZE) moritz.staiger at fau.de
Wed Jan 11 18:05:28 CET 2017


Hi,
we are running FreeRADIUS 3.0.12, which authenticates against an OpenLDAP server with EAP-PEAP/MSCHAPv2.

In future we want to enable VLAN assignment via LDAP, so we want to use LDAP group membership comparison and combine it with Packet-Src-IP-Address checking.

Users from LDAP group "Admins" should be assigned to VLAN 10 (management).
Users from LDAP group "Operators" should be assigned to VLAN 20 (operator).
Users from other LDAP groups "Group-X" should be assigned to a user-specific VLAN, which is represented in the LDAP attribute "radiusTunnelPrivateGroupId".

With group membership and Packet-Src-IP-Address we want to authenticate users only if they try to connect from their *home POP*.

What we have done:

1. According to Alan DeKok's suggestions here: http://lists.freeradius.org/pipermail/freeradius-users/2015-April/077171.html
we configured the "group" section of freeradius/mods-enabled/ldap for group checking.
In our case every LDAP user has an LDAP attribute 'gidNumber' which represents its group membership.

group {
	base_dn = "${..base_dn}"
	groupmembership_attribute = 'gidNumber'
}

2. Configured the /freeradius/users file

# in LDAP: Admins gidNumber = 111, Operators gidNumber = 222, Users in POP1 gidNumber = 901
DEFAULT	LDAP-Group == "111", Auth-Type = LDAP
DEFAULT	LDAP-Group == "222", Auth-Type = LDAP
DEFAULT	Packet-Src-IP-Address == 10.0.0.1, LDAP-Group == "901", Auth-Type = LDAP
...
DEFAULT	Packet-Src-IP-Address == 10.0.0.15, LDAP-Group == "915", Auth-Type = LDAP
DEFAULT	Auth-Type := Reject
#

3. Configured /freeradius/sites-enabled/default

> no "ldap" in the "authorize" section

so ldap gets commented out here -> #ldap

> be sure there's "Auth-Type LDAP" in the "authenticate" section

so

	#Auth-Type LDAP {
	#        ldap
	# }

gets uncommented here ->

	Auth-Type LDAP {
		ldap
	}

4. Configured /freeradius/sites-enabled/inner-tunnel

authorize {
	...
	ldap
	...
}

authenticate {
	#Auth-Type LDAP {
	#        ldap
	# }
	...
}


In testing, the config seems to do what we desire.

So my questions are:

Is this implementation correct for our needs?
Is there a more elegant way to implement it?
Is it possible to reduce the LDAP queries, apart from sorting the POP listing in the users file? (There seems to be a change in 3.0.13?)
From my reading of the log, I think authentication is done twice against the LDAP?
Do you have other hints or suggestions?

Regards, Moritz



Ready to process requests
(0) Received Access-Request Id 10 from 172.17.26.160:22492 to 172.17.28.67:1812 length 169
(0)   User-Name = "Test-A"
(0)   NAS-Identifier = "44d9e7f96309"
(0)   NAS-Port = 0
(0)   Called-Station-Id = "46-D9-E7-FA-63-09:SSID "
(0)   Calling-Station-Id = "60-A3-7D-2C-A2-19"
(0)   Framed-MTU = 1400
(0)   NAS-Port-Type = Wireless-802.11
(0)   Connect-Info = "CONNECT 0Mbps 802.11b"
(0)   EAP-Message = 0x02ab000b01546573742d41
(0)   Message-Authenticator = 0x40ce940b690d606fe714b004361dc50d
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "Test-A", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 171 length 11
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: Flushing SSL sessions (of #0)
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 172 length 6
(0) eap: EAP session adding &reply:State = 0xe87b0b92e8d71203
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Sent Access-Challenge Id 10 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0
(0)   EAP-Message = 0x01ac00061920
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xe87b0b92e8d7120391ed7d921e46c093
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 11 from 172.17.26.160:22492 to 172.17.28.67:1812 length 303
(1)   User-Name = "Test-A"
(1)   NAS-Identifier = "44d9e7f96309"
(1)   NAS-Port = 0
(1)   Called-Station-Id = "46-D9-E7-FA-63-09:SSID"
(1)   Calling-Station-Id = "60-A3-7D-2C-A2-19"
(1)   Framed-MTU = 1400
(1)   NAS-Port-Type = Wireless-802.11
(1)   Connect-Info = "CONNECT 0Mbps 802.11b"
(1)   EAP-Message = 0x02ac007f19800000007516030100700100006c030158765972f4d9369be37fc8bb9981e44d884bd092457985f8cfa9746c7e4a07de00002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b00020100000500050100000000
(1)   State = 0xe87b0b92e8d7120391ed7d921e46c093
(1)   Message-Authenticator = 0xc0e4bbed21698af0a845d633e7e1b98f
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "Test-A", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 172 length 127
(1) eap: Continuing tunnel setup
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0xe87b0b92e8d71203
(1) eap: Finished EAP session with state 0xe87b0b92e8d71203
(1) eap: Previous EAP request found for state 0xe87b0b92e8d71203, released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 117 bytes
(1) eap_peap: Got complete TLS record (117 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before/accept initialization
(1) eap_peap: TLS_accept: before/accept initialization
(1) eap_peap: <<< recv TLS 1.0 Handshake [length 0070], ClientHello 
(1) eap_peap: TLS_accept: SSLv3 read client hello A
(1) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello 
(1) eap_peap: TLS_accept: SSLv3 write server hello A
(1) eap_peap: >>> send TLS 1.0 Handshake [length 0973], Certificate 
(1) eap_peap: TLS_accept: SSLv3 write certificate A
(1) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange 
(1) eap_peap: TLS_accept: SSLv3 write key exchange A
(1) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone 
(1) eap_peap: TLS_accept: SSLv3 write server done A
(1) eap_peap: TLS_accept: SSLv3 flush data
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(1) eap_peap: In SSL Handshake Phase
(1) eap_peap: In SSL Accept mode
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 173 length 1004
(1) eap: EAP session adding &reply:State = 0xe87b0b92e9d61203
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) Sent Access-Challenge Id 11 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0
(1)   EAP-Message = 0x01ad03ec19c000000b2f160301005902000055030146df3e492a751185c5d2365a274915dd496ab3909cfa2b581b8e0f058d35413e20d8f7784bdabc1d0f47bfe939b6a8b6ecf01f2acae83ea6f7a5a1dcff7b869c5fc01400000dff01000100000b00040300010216030109730b00096f00096c0004e9
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0xe87b0b92e9d6120391ed7d921e46c093
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 12 from 172.17.26.160:22492 to 172.17.28.67:1812 length 182
(2)   User-Name = "Test-A"
(2)   NAS-Identifier = "44d9e7f96309"
(2)   NAS-Port = 0
(2)   Called-Station-Id = "46-D9-E7-FA-63-09:SSID"
(2)   Calling-Station-Id = "60-A3-7D-2C-A2-19"
(2)   Framed-MTU = 1400
(2)   NAS-Port-Type = Wireless-802.11
(2)   Connect-Info = "CONNECT 0Mbps 802.11b"
(2)   EAP-Message = 0x02ad00061900
(2)   State = 0xe87b0b92e9d6120391ed7d921e46c093
(2)   Message-Authenticator = 0xce185ed0b264fb9f6d3d1be7d6991ed9
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "Test-A", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 173 length 6
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0xe87b0b92e9d61203
(2) eap: Finished EAP session with state 0xe87b0b92e9d61203
(2) eap: Previous EAP request found for state 0xe87b0b92e9d61203, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer ACKed our handshake fragment
(2) eap_peap: [eaptls verify] = request
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 174 length 1000
(2) eap: EAP session adding &reply:State = 0xe87b0b92ead51203
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found.  Ignoring.
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) Sent Access-Challenge Id 12 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0
(2)   EAP-Message = 0x01ae03e81940864886f70d0109011613696e666f4064732d6e6574776f726b732e6465311c301a0603550403131344532d6e6574776f726b7320526f6f7420434182010030130603551d25040c300a06082b06010505070301300b0603551d0f0404030205a0300d06092a864886f70d01010b05000382
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xe87b0b92ead5120391ed7d921e46c093
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 13 from 172.17.26.160:22492 to 172.17.28.67:1812 length 182
(3)   User-Name = "Test-A"
(3)   NAS-Identifier = "44d9e7f96309"
(3)   NAS-Port = 0
(3)   Called-Station-Id = "46-D9-E7-FA-63-09:SSID"
(3)   Calling-Station-Id = "60-A3-7D-2C-A2-19"
(3)   Framed-MTU = 1400
(3)   NAS-Port-Type = Wireless-802.11
(3)   Connect-Info = "CONNECT 0Mbps 802.11b"
(3)   EAP-Message = 0x02ae00061900
(3)   State = 0xe87b0b92ead5120391ed7d921e46c093
(3)   Message-Authenticator = 0xd445aca761a3735e0e685c2dcc8fa971
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "Test-A", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 174 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0xe87b0b92ead51203
(3) eap: Finished EAP session with state 0xe87b0b92ead51203
(3) eap: Previous EAP request found for state 0xe87b0b92ead51203, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 175 length 881
(3) eap: EAP session adding &reply:State = 0xe87b0b92ebd41203
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found.  Ignoring.
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) Sent Access-Challenge Id 13 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0
(3)   EAP-Message = 0x01af03711900cd6b6a86ea145de10b316047370203010001a381e93081e6301d0603551d0e041604148cf1945262f33d0d656b8a1652dcfece15788e563081b60603551d230481ae3081ab80148cf1945262f33d0d656b8a1652dcfece15788e56a1818fa4818c308189310b3009060355040613024445
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0xe87b0b92ebd4120391ed7d921e46c093
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 14 from 172.17.26.160:22492 to 172.17.28.67:1812 length 320
(4)   User-Name = "Test-A"
(4)   NAS-Identifier = "44d9e7f96309"
(4)   NAS-Port = 0
(4)   Called-Station-Id = "46-D9-E7-FA-63-09:SSID"
(4)   Calling-Station-Id = "60-A3-7D-2C-A2-19"
(4)   Framed-MTU = 1400
(4)   NAS-Port-Type = Wireless-802.11
(4)   Connect-Info = "CONNECT 0Mbps 802.11b"
(4)   EAP-Message = 0x02af0090198000000086160301004610000042410401cc455cf06611016d46d4588fdabcc9e63f1e6b14b1e4c3f8b2751c0877946e4c33f0e0d7d3e654085be67b994f906af4085c629f2bb6a42a6d4d2d76c3ed711403010001011603010030cae54345ff3c41b7b02f025f040509ce0debe78eeee8c1
(4)   State = 0xe87b0b92ebd4120391ed7d921e46c093
(4)   Message-Authenticator = 0x1c43bb71884d24ef2d421f8da92bb934
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "Test-A", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 175 length 144
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0xe87b0b92ebd41203
(4) eap: Finished EAP session with state 0xe87b0b92ebd41203
(4) eap: Previous EAP request found for state 0xe87b0b92ebd41203, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(4) eap_peap: Got complete TLS record (134 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange 
(4) eap_peap: TLS_accept: SSLv3 read client key exchange A
(4) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001] 
(4) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished 
(4) eap_peap: TLS_accept: SSLv3 read finished A
(4) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001] 
(4) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(4) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished 
(4) eap_peap: TLS_accept: SSLv3 write finished A
(4) eap_peap: TLS_accept: SSLv3 flush data
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: SSL Connection Established
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 176 length 65
(4) eap: EAP session adding &reply:State = 0xe87b0b92eccb1203
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found.  Ignoring.
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) Sent Access-Challenge Id 14 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0
(4)   EAP-Message = 0x01b00041190014030100010116030100304aa51dcb700d63eea2551558c6204ef8229c47b635353d30613a28fe2d4422ca909b5f2d831e17bba1c7a51b659e7f23
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0xe87b0b92eccb120391ed7d921e46c093
(4) Finished request
Waking up in 4.8 seconds.
(5) Received Access-Request Id 15 from 172.17.26.160:22492 to 172.17.28.67:1812 length 182
(5)   User-Name = "Test-A"
(5)   NAS-Identifier = "44d9e7f96309"
(5)   NAS-Port = 0
(5)   Called-Station-Id = "46-D9-E7-FA-63-09:SSID"
(5)   Calling-Station-Id = "60-A3-7D-2C-A2-19"
(5)   Framed-MTU = 1400
(5)   NAS-Port-Type = Wireless-802.11
(5)   Connect-Info = "CONNECT 0Mbps 802.11b"
(5)   EAP-Message = 0x02b000061900
(5)   State = 0xe87b0b92eccb120391ed7d921e46c093
(5)   Message-Authenticator = 0x8ab0a46258fcf64773c9b362e671f7ac
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "Test-A", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 176 length 6
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0xe87b0b92eccb1203
(5) eap: Finished EAP session with state 0xe87b0b92eccb1203
(5) eap: Previous EAP request found for state 0xe87b0b92eccb1203, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established.  Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 177 length 43
(5) eap: EAP session adding &reply:State = 0xe87b0b92edca1203
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found.  Ignoring.
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) Sent Access-Challenge Id 15 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0
(5)   EAP-Message = 0x01b1002b19001703010020550050cf49a4170b4a5068088207c5f2a56e3f68e382a25e59ab3e8996402ab4
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0xe87b0b92edca120391ed7d921e46c093
(5) Finished request
Waking up in 4.8 seconds.
(6) Received Access-Request Id 16 from 172.17.26.160:22492 to 172.17.28.67:1812 length 219
(6)   User-Name = "Test-A"
(6)   NAS-Identifier = "44d9e7f96309"
(6)   NAS-Port = 0
(6)   Called-Station-Id = "46-D9-E7-FA-63-09:SSID"
(6)   Calling-Station-Id = "60-A3-7D-2C-A2-19"
(6)   Framed-MTU = 1400
(6)   NAS-Port-Type = Wireless-802.11
(6)   Connect-Info = "CONNECT 0Mbps 802.11b"
(6)   EAP-Message = 0x02b1002b19001703010020b565bc67f5cc3d10ece5c5da4177ef58267599d6b64681980823dbb0c1808b85
(6)   State = 0xe87b0b92edca120391ed7d921e46c093
(6)   Message-Authenticator = 0x714328f5012221ee7cdeab6006a4d7cc
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy filter_username = notfound
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "Test-A", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 177 length 43
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0xe87b0b92edca1203
(6) eap: Finished EAP session with state 0xe87b0b92edca1203
(6) eap: Previous EAP request found for state 0xe87b0b92edca1203, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - Test-A
(6) eap_peap: Got inner identity 'Test-A'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap:   EAP-Message = 0x02b1000b01546573742d41
(6) eap_peap: Setting User-Name to Test-A
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap:   EAP-Message = 0x02b1000b01546573742d41
(6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap:   User-Name = "Test-A"
(6) Virtual server inner-tunnel received request
(6)   EAP-Message = 0x02b1000b01546573742d41
(6)   FreeRADIUS-Proxied-To = 127.0.0.1
(6)   User-Name = "Test-A"
(6) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(6) server inner-tunnel {
(6)   # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(6)     authorize {
(6)       policy filter_username {
(6)         if (&User-Name) {
(6)         if (&User-Name)  -> TRUE
(6)         if (&User-Name)  {
(6)           if (&User-Name =~ / /) {
(6)           if (&User-Name =~ / /)  -> FALSE
(6)           if (&User-Name =~ /@[^@]*@/ ) {
(6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)           if (&User-Name =~ /\.\./ ) {
(6)           if (&User-Name =~ /\.\./ )  -> FALSE
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)           if (&User-Name =~ /\.$/)  {
(6)           if (&User-Name =~ /\.$/)   -> FALSE
(6)           if (&User-Name =~ /@\./)  {
(6)           if (&User-Name =~ /@\./)   -> FALSE
(6)         } # if (&User-Name)  = notfound
(6)       } # policy filter_username = notfound
(6)       [chap] = noop
(6)       [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "Test-A", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)       [suffix] = noop
(6)       update control {
(6)         &Proxy-To-Realm := LOCAL
(6)       } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 177 length 11
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6)       [eap] = ok
(6)     } # authorize = ok
(6)   Found Auth-Type = eap
(6)   # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(6)     authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) eap: Sending EAP Request (code 1) ID 178 length 43
(6) eap: EAP session adding &reply:State = 0xec7a3beaecc821b2
(6)       [eap] = handled
(6)     } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6)   EAP-Message = 0x01b2002b1a01b2002610b6b7394c705a6ea01ef745eb87cbbf15667265657261646975732d332e302e3132
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xec7a3beaecc821b29dbc50eda2d30e1d
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap:   EAP-Message = 0x01b2002b1a01b2002610b6b7394c705a6ea01ef745eb87cbbf15667265657261646975732d332e302e3132
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0xec7a3beaecc821b29dbc50eda2d30e1d
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap:   EAP-Message = 0x01b2002b1a01b2002610b6b7394c705a6ea01ef745eb87cbbf15667265657261646975732d332e302e3132
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0xec7a3beaecc821b29dbc50eda2d30e1d
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 178 length 75
(6) eap: EAP session adding &reply:State = 0xe87b0b92eec91203
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found.  Ignoring.
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) Sent Access-Challenge Id 16 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0
(6)   EAP-Message = 0x01b2004b19001703010040f6b8b1f8f68b3a43e03787d98680f81264a9a22945668477cd66d5742465b9b441aa72d6644170ed5baf4259d26fbaec1b1d82c2b7646a93bfe36d5fd569aa87
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xe87b0b92eec9120391ed7d921e46c093
(6) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 17 from 172.17.26.160:22492 to 172.17.28.67:1812 length 283
(7)   User-Name = "Test-A"
(7)   NAS-Identifier = "44d9e7f96309"
(7)   NAS-Port = 0
(7)   Called-Station-Id = "46-D9-E7-FA-63-09:SSID"
(7)   Calling-Station-Id = "60-A3-7D-2C-A2-19"
(7)   Framed-MTU = 1400
(7)   NAS-Port-Type = Wireless-802.11
(7)   Connect-Info = "CONNECT 0Mbps 802.11b"
(7)   EAP-Message = 0x02b2006b190017030100601be51d9a2c77ae2394716398c49829473527d582098388162a81d1816ffafebc692107a6083e06185c246a89e24dea141fe8b20fb1c70b88099c634417747fa15ab632014b1726a3c0ddb10ea805bdd74ee5adac6a731cd2a77215192fad8024
(7)   State = 0xe87b0b92eec9120391ed7d921e46c093
(7)   Message-Authenticator = 0x93493329818005c84c715c4ba53ffd49
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "Test-A", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 178 length 107
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0xec7a3beaecc821b2
(7) eap: Finished EAP session with state 0xe87b0b92eec91203
(7) eap: Previous EAP request found for state 0xe87b0b92eec91203, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap:   EAP-Message = 0x02b200411a02b2003c314986e0f6871925a9900996f50368b8c30000000000000000170156e0b81df447dc98761a094eec647dbcdb8bfd2a54cc00546573742d41
(7) eap_peap: Setting User-Name to Test-A
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap:   EAP-Message = 0x02b200411a02b2003c314986e0f6871925a9900996f50368b8c30000000000000000170156e0b81df447dc98761a094eec647dbcdb8bfd2a54cc00546573742d41
(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap:   User-Name = "Test-A"
(7) eap_peap:   State = 0xec7a3beaecc821b29dbc50eda2d30e1d
(7) Virtual server inner-tunnel received request
(7)   EAP-Message = 0x02b200411a02b2003c314986e0f6871925a9900996f50368b8c30000000000000000170156e0b81df447dc98761a094eec647dbcdb8bfd2a54cc00546573742d41
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "Test-A"
(7)   State = 0xec7a3beaecc821b29dbc50eda2d30e1d
(7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(7) server inner-tunnel {
(7)   session-state: No cached attributes
(7)   # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(7)     authorize {
(7)       policy filter_username {
(7)         if (&User-Name) {
(7)         if (&User-Name)  -> TRUE
(7)         if (&User-Name)  {
(7)           if (&User-Name =~ / /) {
(7)           if (&User-Name =~ / /)  -> FALSE
(7)           if (&User-Name =~ /@[^@]*@/ ) {
(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)           if (&User-Name =~ /\.\./ ) {
(7)           if (&User-Name =~ /\.\./ )  -> FALSE
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)           if (&User-Name =~ /\.$/)  {
(7)           if (&User-Name =~ /\.$/)   -> FALSE
(7)           if (&User-Name =~ /@\./)  {
(7)           if (&User-Name =~ /@\./)   -> FALSE
(7)         } # if (&User-Name)  = notfound
(7)       } # policy filter_username = notfound
(7)       [chap] = noop
(7)       [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "Test-A", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)       [suffix] = noop
(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 178 length 65
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)       [eap] = updated
(7) files: Searching for user in group "601"
rlm_ldap (ldap): Reserved connection (0)
(7) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(7) files:    --> (uid=Test-A)
(7) files: Performing search in "cn=users,dc=domain,dc=de" with filter "(uid=Test-A)", scope "sub"
(7) files: Waiting for search result...
(7) files: User object found at DN "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de"
(7) files: Checking user object's gidNumber attributes
(7) files:   Performing unfiltered search in "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de", scope "base"
(7) files:   Waiting for search result...
(7) files: Processing gidNumber value "601" as a group name
(7) files: User found in group "601". Comparison between membership: name, check: name
rlm_ldap (ldap): Released connection (0)
rlm_ldap (ldap): Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://ldap.domain.de:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(7) files: users: Matched entry DEFAULT at line 93
(7)       [files] = ok
rlm_ldap (ldap): Reserved connection (1)
(7) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap:    --> (uid=Test-A)
(7) ldap: Performing search in "cn=users,dc=domain,dc=de" with filter "(uid=Test-A)", scope "sub"
(7) ldap: Waiting for search result...
(7) ldap: User object found at DN "uid=Test-A,cn=Admins,cn=users,dc=domains,dc=de"
(7) ldap: Processing user attributes
(7) ldap: control:Password-With-Header += 'passwd'
(7) ldap: reply:Tunnel-Type := VLAN
(7) ldap: reply:Tunnel-Medium-Type := IEEE-802
(7) ldap: reply:Tunnel-Private-Group-ID := '1006'
rlm_ldap (ldap): Released connection (1)
(7)       [ldap] = updated
(7)       [expiration] = noop
(7)       [logintime] = noop
(7) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
(7) pap: Removing &control:Password-With-Header
(7) pap: WARNING: Auth-Type already set.  Not setting to PAP
(7)       [pap] = noop
(7)     } # authorize = updated
(7)   Found Auth-Type = eap
(7)   # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(7)     authenticate {
(7) eap: Expiring EAP session with state 0xec7a3beaecc821b2
(7) eap: Finished EAP session with state 0xec7a3beaecc821b2
(7) eap: Previous EAP request found for state 0xec7a3beaecc821b2, released from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(7) eap_mschapv2:   authenticate {
(7) mschap: Found Cleartext-Password, hashing to create NT-Password
(7) mschap: Found Cleartext-Password, hashing to create LM-Password
(7) mschap: Creating challenge hash with username: Test-A
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Adding MS-CHAPv2 MPPE keys
(7)     [mschap] = ok
(7)   } # authenticate = ok
(7) MSCHAP Success
(7) eap: Sending EAP Request (code 1) ID 179 length 51
(7) eap: EAP session adding &reply:State = 0xec7a3beaedc921b2
(7)       [eap] = handled
(7)     } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7)   Tunnel-Type := VLAN
(7)   Tunnel-Medium-Type := IEEE-802
(7)   Tunnel-Private-Group-Id := "1006"
(7)   EAP-Message = 0x01b300331a03b2002e533d30434644454436304345463344454633424543313439333738343531463242413030313242463032
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0xec7a3beaedc921b29dbc50eda2d30e1d
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap:   Tunnel-Type := VLAN
(7) eap_peap:   Tunnel-Medium-Type := IEEE-802
(7) eap_peap:   Tunnel-Private-Group-Id := "1006"
(7) eap_peap:   EAP-Message = 0x01b300331a03b2002e533d30434644454436304345463344454633424543313439333738343531463242413030313242463032
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0xec7a3beaedc921b29dbc50eda2d30e1d
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap:   Tunnel-Type := VLAN
(7) eap_peap:   Tunnel-Medium-Type := IEEE-802
(7) eap_peap:   Tunnel-Private-Group-Id := "1006"
(7) eap_peap:   EAP-Message = 0x01b300331a03b2002e533d30434644454436304345463344454633424543313439333738343531463242413030313242463032
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0xec7a3beaedc921b29dbc50eda2d30e1d
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 179 length 91
(7) eap: EAP session adding &reply:State = 0xe87b0b92efc81203
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found.  Ignoring.
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) Sent Access-Challenge Id 17 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0
(7)   EAP-Message = 0x01b3005b1900170301005085e76d76b7fd26ed339a2318366b5864e8da7bdf59ac3951a290d8098cd8ec1a1ee437eae651d55ef8440cc22c9f96f4a8cd676bea605c88b03571e8edc7cb94b8788a01842aa082aa9429c7640a8d3c
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0xe87b0b92efc8120391ed7d921e46c093
(7) Finished request
Waking up in 4.6 seconds.
(8) Received Access-Request Id 18 from 172.17.26.160:22492 to 172.17.28.67:1812 length 219
(8)   User-Name = "Test-A"
(8)   NAS-Identifier = "44d9e7f96309"
(8)   NAS-Port = 0
(8)   Called-Station-Id = "46-D9-E7-FA-63-09:SSID"
(8)   Calling-Station-Id = "60-A3-7D-2C-A2-19"
(8)   Framed-MTU = 1400
(8)   NAS-Port-Type = Wireless-802.11
(8)   Connect-Info = "CONNECT 0Mbps 802.11b"
(8)   EAP-Message = 0x02b3002b190017030100204c0ba5e15af0320dd9bdd0045a3219ec189d7f5989cd57eece0e8988224b22b8
(8)   State = 0xe87b0b92efc8120391ed7d921e46c093
(8)   Message-Authenticator = 0x1a853cc4e2cdbee13432326a5dd503b5
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [preprocess] = ok
(8)     [chap] = noop
(8)     [mschap] = noop
(8)     [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "Test-A", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 179 length 43
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0xec7a3beaedc921b2
(8) eap: Finished EAP session with state 0xe87b0b92efc81203
(8) eap: Previous EAP request found for state 0xe87b0b92efc81203, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message = 0x02b300061a03
(8) eap_peap: Setting User-Name to Test-A
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap:   EAP-Message = 0x02b300061a03
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = "Test-A"
(8) eap_peap:   State = 0xec7a3beaedc921b29dbc50eda2d30e1d
(8) Virtual server inner-tunnel received request
(8)   EAP-Message = 0x02b300061a03
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "Test-A"
(8)   State = 0xec7a3beaedc921b29dbc50eda2d30e1d
(8) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(8) server inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(8)     authorize {
(8)       policy filter_username {
(8)         if (&User-Name) {
(8)         if (&User-Name)  -> TRUE
(8)         if (&User-Name)  {
(8)           if (&User-Name =~ / /) {
(8)           if (&User-Name =~ / /)  -> FALSE
(8)           if (&User-Name =~ /@[^@]*@/ ) {
(8)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)           if (&User-Name =~ /\.\./ ) {
(8)           if (&User-Name =~ /\.\./ )  -> FALSE
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)           if (&User-Name =~ /\.$/)  {
(8)           if (&User-Name =~ /\.$/)   -> FALSE
(8)           if (&User-Name =~ /@\./)  {
(8)           if (&User-Name =~ /@\./)   -> FALSE
(8)         } # if (&User-Name)  = notfound
(8)       } # policy filter_username = notfound
(8)       [chap] = noop
(8)       [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "Test-A", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)       [suffix] = noop
(8)       update control {
(8)         &Proxy-To-Realm := LOCAL
(8)       } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 179 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8)       [eap] = updated
(8) files: Searching for user in group "601"
rlm_ldap (ldap): Reserved connection (2)
(8) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(8) files:    --> (uid=Test-A)
(8) files: Performing search in "cn=users,dc=domain,dc=de" with filter "(uid=Test-A)", scope "sub"
(8) files: Waiting for search result...
(8) files: User object found at DN "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de"
(8) files: Checking user object's gidNumber attributes
(8) files:   Performing unfiltered search in "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de", scope "base"
(8) files:   Waiting for search result...
(8) files: Processing gidNumber value "601" as a group name
(8) files: User found in group "601". Comparison between membership: name, check: name
rlm_ldap (ldap): Released connection (2)
rlm_ldap (ldap): Need 4 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
rlm_ldap (ldap): Connecting to ldap://ldap.domain.de:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(8) files: users: Matched entry DEFAULT at line 93
(8)       [files] = ok
rlm_ldap (ldap): Reserved connection (3)
(8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap:    --> (uid=Test-A)
(8) ldap: Performing search in "cn=users,dc=domain,dc=de" with filter "(uid=Test-A)", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: User object found at DN "uid=Test-A,cn=Admins,cn=users,dc=domain,dc=de"
(8) ldap: Processing user attributes
(8) ldap: control:Password-With-Header += 'passwd'
(8) ldap: reply:Tunnel-Type := VLAN
(8) ldap: reply:Tunnel-Medium-Type := IEEE-802
(8) ldap: reply:Tunnel-Private-Group-ID := '1006'
rlm_ldap (ldap): Released connection (3)
(8)       [ldap] = updated
(8)       [expiration] = noop
(8)       [logintime] = noop
(8) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
(8) pap: Removing &control:Password-With-Header
(8) pap: WARNING: Auth-Type already set.  Not setting to PAP
(8)       [pap] = noop
(8)     } # authorize = updated
(8)   Found Auth-Type = eap
(8)   # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8)     authenticate {
(8) eap: Expiring EAP session with state 0xec7a3beaedc921b2
(8) eap: Finished EAP session with state 0xec7a3beaedc921b2
(8) eap: Previous EAP request found for state 0xec7a3beaedc921b2, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 179 length 4
(8) eap: Freeing handler
(8)       [eap] = ok
(8)     } # authenticate = ok
(8)   # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
(8)     post-auth {
(8)       update {
(8)         &outer.session-state::Tunnel-Type += &reply:Tunnel-Type[*] -> VLAN
(8)         &outer.session-state::Tunnel-Medium-Type += &reply:Tunnel-Medium-Type[*] -> IEEE-802
(8)         &outer.session-state::Tunnel-Private-Group-Id += &reply:Tunnel-Private-Group-Id[*] -> '1006'
(8)         &outer.session-state::MS-MPPE-Encryption-Policy += &reply:MS-MPPE-Encryption-Policy[*] -> Encryption-Allowed
(8)         &outer.session-state::MS-MPPE-Encryption-Types += &reply:MS-MPPE-Encryption-Types[*] -> RC4-40or128-bit-Allowed
(8)         &outer.session-state::MS-MPPE-Send-Key += &reply:MS-MPPE-Send-Key[*] -> 0xa850facd73abb0940518b842f0da51a0
(8)         &outer.session-state::MS-MPPE-Recv-Key += &reply:MS-MPPE-Recv-Key[*] -> 0x171b0a416b36492d6c7389dd24ca27a2
(8)         &outer.session-state::EAP-Message += &reply:EAP-Message[*] -> 0x03b30004
(8)         &outer.session-state::Message-Authenticator += &reply:Message-Authenticator[*] -> 0x00000000000000000000000000000000
(8)         &outer.session-state::User-Name += &reply:User-Name[*] -> 'Test-A'
(8)       } # update = noop
(8)       update outer.session-state {
(8)         MS-MPPE-Encryption-Policy !* ANY
(8)         MS-MPPE-Encryption-Types !* ANY
(8)         MS-MPPE-Send-Key !* ANY
(8)         MS-MPPE-Recv-Key !* ANY
(8)         Message-Authenticator !* ANY
(8)         EAP-Message !* ANY
(8)         Proxy-State !* ANY
(8)       } # update outer.session-state = noop
(8)     } # post-auth = noop
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8)   Tunnel-Type := VLAN
(8)   Tunnel-Medium-Type := IEEE-802
(8)   Tunnel-Private-Group-Id := "1006"
(8)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(8)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8)   MS-MPPE-Send-Key = 0xa850facd73abb0940518b842f0da51a0
(8)   MS-MPPE-Recv-Key = 0x171b0a416b36492d6c7389dd24ca27a2
(8)   EAP-Message = 0x03b30004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   User-Name = "Test-A"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap:   Tunnel-Type := VLAN
(8) eap_peap:   Tunnel-Medium-Type := IEEE-802
(8) eap_peap:   Tunnel-Private-Group-Id := "1006"
(8) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap:   MS-MPPE-Send-Key = 0xa850facd73abb0940518b842f0da51a0
(8) eap_peap:   MS-MPPE-Recv-Key = 0x171b0a416b36492d6c7389dd24ca27a2
(8) eap_peap:   EAP-Message = 0x03b30004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap:   User-Name = "Test-A"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap:   Tunnel-Type := VLAN
(8) eap_peap:   Tunnel-Medium-Type := IEEE-802
(8) eap_peap:   Tunnel-Private-Group-Id := "1006"
(8) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap:   MS-MPPE-Send-Key = 0xa850facd73abb0940518b842f0da51a0
(8) eap_peap:   MS-MPPE-Recv-Key = 0x171b0a416b36492d6c7389dd24ca27a2
(8) eap_peap:   EAP-Message = 0x03b30004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap:   User-Name = "Test-A"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap: Sending EAP Request (code 1) ID 180 length 43
(8) eap: EAP session adding &reply:State = 0xe87b0b92e0cf1203
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found.  Ignoring.
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) session-state: Saving cached attributes
(8)   Tunnel-Type += VLAN
(8)   Tunnel-Medium-Type += IEEE-802
(8)   Tunnel-Private-Group-Id += "1006"
(8)   User-Name += "Test-A"
(8) Sent Access-Challenge Id 18 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0
(8)   EAP-Message = 0x01b4002b1900170301002043738395e9d352c0a39ba3320922dcad449fea594061a41e682dd8d7c80a8183
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0xe87b0b92e0cf120391ed7d921e46c093
(8) Finished request
Waking up in 4.3 seconds.
(9) Received Access-Request Id 19 from 172.17.26.160:22492 to 172.17.28.67:1812 length 219
(9)   User-Name = "Test-A"
(9)   NAS-Identifier = "44d9e7f96309"
(9)   NAS-Port = 0
(9)   Called-Station-Id = "46-D9-E7-FA-63-09:SSID"
(9)   Calling-Station-Id = "60-A3-7D-2C-A2-19"
(9)   Framed-MTU = 1400
(9)   NAS-Port-Type = Wireless-802.11
(9)   Connect-Info = "CONNECT 0Mbps 802.11b"
(9)   EAP-Message = 0x02b4002b190017030100207ef889c7d2622aacff178bc6c0873a2cebf20cdc694dc5d78309a6ea8d241204
(9)   State = 0xe87b0b92e0cf120391ed7d921e46c093
(9)   Message-Authenticator = 0x6a57e6e906d2f5c42685efd242e96e00
(9) Restoring &session-state
(9)   &session-state:Tunnel-Type += VLAN
(9)   &session-state:Tunnel-Medium-Type += IEEE-802
(9)   &session-state:Tunnel-Private-Group-Id += "1006"
(9)   &session-state:User-Name += "Test-A"
(9) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [preprocess] = ok
(9)     [chap] = noop
(9)     [mschap] = noop
(9)     [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "Test-A", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 180 length 43
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9)   authenticate {
(9) eap: Expiring EAP session with state 0xe87b0b92e0cf1203
(9) eap: Finished EAP session with state 0xe87b0b92e0cf1203
(9) eap: Previous EAP request found for state 0xe87b0b92e0cf1203, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: No information to cache: session caching will be disabled for session d8f7784bdabc1d0f47bfe939b6a8b6ecf01f2acae83ea6f7a5a1dcff7b869c5f
(9) eap: Sending EAP Success (code 3) ID 180 length 4
(9) eap: Freeing handler
(9)     [eap] = ok
(9)   } # authenticate = ok
(9) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(9)   post-auth {
(9)     update {
(9)       &reply::Tunnel-Type += &session-state:Tunnel-Type[*] -> VLAN
(9)       &reply::Tunnel-Medium-Type += &session-state:Tunnel-Medium-Type[*] -> IEEE-802
(9)       &reply::Tunnel-Private-Group-Id += &session-state:Tunnel-Private-Group-Id[*] -> '1006'
(9)       &reply::User-Name += &session-state:User-Name[*] -> 'Test-A'
(9)     } # update = noop
(9)     [exec] = noop
(9)     policy remove_reply_message_if_eap {
(9)       if (&reply:EAP-Message && &reply:Reply-Message) {
(9)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(9)       else {
(9)         [noop] = noop
(9)       } # else = noop
(9)     } # policy remove_reply_message_if_eap = noop
(9)   } # post-auth = noop
(9) Sent Access-Accept Id 19 from 172.17.28.67:1812 to 172.17.26.160:22492 length 0
(9)   MS-MPPE-Recv-Key = 0x494d4c1a1c11447875b167dffa41b23d04f888ca430351f2e79ae0a2a5d66cf4
(9)   MS-MPPE-Send-Key = 0x76c071086f956bbf8bbd0e5aed6f552fa1df2caec39e8ea47448042dbad7ec73
(9)   EAP-Message = 0x03b40004
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   User-Name = "Test-A"
(9)   Tunnel-Type += VLAN
(9)   Tunnel-Medium-Type += IEEE-802
(9)   Tunnel-Private-Group-Id += "1006"
(9)   User-Name += "Test-A"
(9) Finished request