BYOD and base on MAC
Luc Paulin
paulinster at gmail.com
Thu Feb 1 16:29:36 CET 2018
understand and aware about that the file format does matter. I have review
the file but couldn't see what's wrong I even redo the file entirely and
make sure about whitespace/tabs, not sure what I miss here cuz all look to
be the same as per the documentation ... Attach the full debug output and
the authorized_macs file content in addition to the post-auth section. Il
if this can be of any help
--
!!!!!
( o o )
--------------oOO----(_)----OOo--------------
Luc Paulin
email: paulinster(at)gmail.com
Skype: paulinster
2018-01-31 16:36 GMT-05:00 Alan DeKok <aland at deployingradius.com>:
> On Jan 31, 2018, at 3:41 PM, Luc Paulin <paulinster at gmail.com> wrote:
> >
> > Sorry if the file's format isn't correct but unless that I didn't
> > understand documentation correctly I follow what's on the following url
> > https://wiki.freeradius.org/guide/mac-auth#plain-mac-auth_
> raddb-authorized_macs
>
> Maybe the mailer mangled the text. Whitespace DOES matter in the
> "users" file.
>
> >
> > Here's the authorized mac module section
> >
> > [root at radius-corp-01_{{PROD}} raddb]# cat
> > mods-enabled/stingray-authorize-mac
> > files authorized_macs {
> > # The default key attribute to use for matches. The content
> > # of this attribute is used to match the "name" of the
> > # entry.
> > key = "%{Calling-Station-ID}"
> >
> > usersfile = ${confdir}/authorized_macs
>
> That should work.
> > ...
> > (9) authorized_macs: --> 18-65-90-CB-4C-69
> > (9) [authorized_macs] = noop
>
> That means the MAC address wasn't found in the file.
>
> I'm not sure what's going wrong. It's not clear from the debug output.
>
> But the file format DOES matter. Tabs and whitespace MUST exist as in
> the documentation.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
-------------- next part --------------
post-auth {
# Include Stingray postauth access policies
# Default update reply that apply to everyone.
update reply {
Tunnel-Type := VLAN
Tunnel-Private-Group-Id := 666
Tunnel-Medium-Type := 6
Idle-Timeout := 60
Session-Timeout := 60
Termination-Action := RADIUS-Request
}
# We send update reply to devops users only for Juniper/Network related stuff
if (Ldap-Group == "DevOpsUsers") {
update reply {
Juniper-Local-User-Name := "SU"
Juniper-Junosspace-Profile := "devops_users"
}
}
# We rewrite calling_station_id in order to do mac checkup
rewrite_calling_station_id
# Check against the authorized_macs file
authorized_macs
if (!ok) {
update reply {
Tunnel-Type := 13
Tunnel-Medium-Type := 6
Tunnel-Private-Group-Id := 155
}
}
else {
update reply {
Tunnel-Type := 13
Tunnel-Medium-Type := 6
Tunnel-Private-Group-Id := 157
}
}
# For Exec-Program and Exec-Program-Wait
exec
# Remove reply message if the response contains an EAP-Message
remove_reply_message_if_eap
#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
#
# Add the ldap module name (or instance) if you have set
# 'edir_account_policy_check = yes' in the ldap module configuration
#
Post-Auth-Type REJECT {
# log failed authentications in SQL, too.
-sql
attr_filter.access_reject
# Insert EAP-Failure message if the request was
# rejected by policy instead of because of an
# authentication failure
eap
# Remove reply message if the response contains an EAP-Message
remove_reply_message_if_eap
}
}
-------------- next part --------------
[root at radius-corp-01_{{PROD}} raddb]# /usr/sbin/radiusd -X -d /etc/raddb/
FreeRADIUS Version 3.0.13
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb//dictionary
including configuration file /etc/raddb//radiusd.conf
including configuration file /etc/raddb//proxy.conf
including configuration file /etc/raddb//clients.conf
including files in directory /etc/raddb//mods-enabled/
including configuration file /etc/raddb//mods-enabled/always
including configuration file /etc/raddb//mods-enabled/attr_filter
including configuration file /etc/raddb//mods-enabled/cache_eap
including configuration file /etc/raddb//mods-enabled/chap
including configuration file /etc/raddb//mods-enabled/detail
including configuration file /etc/raddb//mods-enabled/detail.log
including configuration file /etc/raddb//mods-enabled/dhcp
including configuration file /etc/raddb//mods-enabled/digest
including configuration file /etc/raddb//mods-enabled/dynamic_clients
including configuration file /etc/raddb//mods-enabled/eap
including configuration file /etc/raddb//mods-enabled/echo
including configuration file /etc/raddb//mods-enabled/exec
including configuration file /etc/raddb//mods-enabled/expiration
including configuration file /etc/raddb//mods-enabled/expr
including configuration file /etc/raddb//mods-enabled/files
including configuration file /etc/raddb//mods-enabled/linelog
including configuration file /etc/raddb//mods-enabled/logintime
including configuration file /etc/raddb//mods-enabled/mschap
including configuration file /etc/raddb//mods-enabled/ntlm_auth
including configuration file /etc/raddb//mods-enabled/pap
including configuration file /etc/raddb//mods-enabled/passwd
including configuration file /etc/raddb//mods-enabled/preprocess
including configuration file /etc/raddb//mods-enabled/radutmp
including configuration file /etc/raddb//mods-enabled/realm
including configuration file /etc/raddb//mods-enabled/replicate
including configuration file /etc/raddb//mods-enabled/soh
including configuration file /etc/raddb//mods-enabled/sradutmp
including configuration file /etc/raddb//mods-enabled/unix
including configuration file /etc/raddb//mods-enabled/unpack
including configuration file /etc/raddb//mods-enabled/utf8
including configuration file /etc/raddb//mods-enabled/ldap
including configuration file /etc/raddb//mods-enabled/date
including configuration file /etc/raddb//mods-enabled/stingray-authorize-mac
including files in directory /etc/raddb//policy.d/
including configuration file /etc/raddb//policy.d/accounting
including configuration file /etc/raddb//policy.d/canonicalization
including configuration file /etc/raddb//policy.d/control
including configuration file /etc/raddb//policy.d/cui
including configuration file /etc/raddb//policy.d/debug
including configuration file /etc/raddb//policy.d/dhcp
including configuration file /etc/raddb//policy.d/eap
including configuration file /etc/raddb//policy.d/operator-name
including configuration file /etc/raddb//policy.d/filter
including configuration file /etc/raddb//policy.d/ntlm_auth
including files in directory /etc/raddb//sites-enabled/
including configuration file /etc/raddb//sites-enabled/default
including configuration file /etc/raddb//stingray-authorize-policies.conf
including configuration file /etc/raddb//stingray-postauth-policies.conf
including configuration file /etc/raddb//sites-enabled/inner-tunnel
including configuration file /etc/raddb//sites-enabled/control-socket
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1/0
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client clx3-fw-1 {
ipaddr = 10.1.0.81
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client wlt-sw-core-5110 {
ipaddr = 10.250.133.240
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client core-krk-01 {
ipaddr = 10.251.50.251
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client core-krk-02 {
ipaddr = 10.251.50.252
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client prc4-mgmt-01 {
ipaddr = 10.250.133.243
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client prc1-stack-01 {
ipaddr = 10.250.133.241
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client prc4-stack-01 {
ipaddr = 10.250.133.244
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client prc5-stack-01 {
ipaddr = 10.250.133.245
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client prc6-stack-01 {
ipaddr = 10.250.133.246
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client prc7-stack-01 {
ipaddr = 10.250.133.247
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client prc8-stack-01 {
ipaddr = 10.250.133.248
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client netdir-01-1 {
ipaddr = 10.250.50.120
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client netdir-01-2 {
ipaddr = 10.250.50.121
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = ntlm_auth
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = mschap
# Creating Auth-Type = PAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb//mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb//mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb//mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb//mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb//mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb//mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb//mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb//mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb//mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/raddb//mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb//mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/raddb//mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb//mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/raddb//mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb//mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/raddb//mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb//mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/raddb//mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb//mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb//mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb//mods-enabled/chap
# Loaded module rlm_detail
# Loading module "detail" from file /etc/raddb//mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /etc/raddb//mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb//mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/raddb//mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/raddb//mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /etc/raddb//mods-enabled/dhcp
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb//mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/raddb//mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb//mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/raddb//mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /etc/raddb//mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb//mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb//mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb//mods-enabled/files
files {
filename = "/etc/raddb//mods-config/files/authorize"
acctusersfile = "/etc/raddb//mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb//mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb//mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/raddb//mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb//mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb//mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:-CORP}"
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "ntlm_auth" from file /etc/raddb//mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-CORP} --username=%{%{mschap:User-Name}:-%{%{User-Name}:-None}} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb//mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb//mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb//mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb//mods-config/preprocess/huntgroups"
hints = "/etc/raddb//mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb//mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb//mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb//mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb//mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb//mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb//mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb//mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /etc/raddb//mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb//mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb//mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb//mods-enabled/utf8
# Loaded module rlm_ldap
# Loading module "ldap" from file /etc/raddb//mods-enabled/ldap
ldap {
server = "mtldc01.corp.MYDOMAIN.com"
port = 389
identity = "radius at corp.MYDOMAIN.com"
password = <<< secret >>>
sasl {
}
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
filter = "(objectClass=posixGroup)"
scope = "sub"
name_attribute = "cn"
membership_attribute = "memberOf"
membership_filter = "(&(objectClass=Group)(objectCategory=Group)(member=%{control:Ldap-UserDn}))"
cacheable_name = no
cacheable_dn = no
}
client {
filter = "(objectClass=frClient)"
scope = "sub"
base_dn = "DC=corp,DC=MYDOMAIN,DC=com"
}
profile {
}
options {
ldap_debug = 40
chase_referrals = no
rebind = yes
net_timeout = 1
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = no
}
}
Creating attribute LDAP-Group
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb//mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
}
# Loading module "authorized_macs" from file /etc/raddb//mods-enabled/stingray-authorize-mac
files authorized_macs {
usersfile = "/etc/raddb//authorized_macs"
key = "%{Calling-Station-ID}"
}
instantiate {
}
# Instantiating module "reject" from file /etc/raddb//mods-enabled/always
# Instantiating module "fail" from file /etc/raddb//mods-enabled/always
# Instantiating module "ok" from file /etc/raddb//mods-enabled/always
# Instantiating module "handled" from file /etc/raddb//mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb//mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb//mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb//mods-enabled/always
# Instantiating module "noop" from file /etc/raddb//mods-enabled/always
# Instantiating module "updated" from file /etc/raddb//mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /etc/raddb//mods-enabled/attr_filter
reading pairlist file /etc/raddb//mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/raddb//mods-enabled/attr_filter
reading pairlist file /etc/raddb//mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/raddb//mods-enabled/attr_filter
reading pairlist file /etc/raddb//mods-config/attr_filter/access_reject
[/etc/raddb//mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/raddb//mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/raddb//mods-enabled/attr_filter
reading pairlist file /etc/raddb//mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/raddb//mods-enabled/attr_filter
reading pairlist file /etc/raddb//mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file /etc/raddb//mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file /etc/raddb//mods-enabled/detail
# Instantiating module "auth_log" from file /etc/raddb//mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/raddb//mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/raddb//mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/raddb//mods-enabled/detail.log
# Instantiating module "eap" from file /etc/raddb//mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb//certs"
pem_file_type = yes
private_key_file = "/etc/raddb//certs/server.key"
certificate_file = "/etc/raddb//certs/server.crt"
ca_file = "/etc/raddb//certs/ca.crt"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb//certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file /etc/raddb//mods-enabled/expiration
# Instantiating module "files" from file /etc/raddb//mods-enabled/files
reading pairlist file /etc/raddb//mods-config/files/authorize
reading pairlist file /etc/raddb//mods-config/files/accounting
reading pairlist file /etc/raddb//mods-config/files/pre-proxy
# Instantiating module "linelog" from file /etc/raddb//mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/raddb//mods-enabled/linelog
# Instantiating module "logintime" from file /etc/raddb//mods-enabled/logintime
# Instantiating module "mschap" from file /etc/raddb//mods-enabled/mschap
rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
# Instantiating module "pap" from file /etc/raddb//mods-enabled/pap
# Instantiating module "etc_passwd" from file /etc/raddb//mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file /etc/raddb//mods-enabled/preprocess
reading pairlist file /etc/raddb//mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb//mods-config/preprocess/hints
# Instantiating module "IPASS" from file /etc/raddb//mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb//mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/raddb//mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb//mods-enabled/realm
# Instantiating module "ldap" from file /etc/raddb//mods-enabled/ldap
rlm_ldap: libldap vendor: OpenLDAP, version: 20440
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (ldap): Initialising connection pool
pool {
start = 5
min = 4
max = 32
spare = 3
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://mtldc01.corp.MYDOMAIN.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldap://mtldc01.corp.MYDOMAIN.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldap://mtldc01.corp.MYDOMAIN.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
rlm_ldap (ldap): Connecting to ldap://mtldc01.corp.MYDOMAIN.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
rlm_ldap (ldap): Connecting to ldap://mtldc01.corp.MYDOMAIN.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
# Instantiating module "authorized_macs" from file /etc/raddb//mods-enabled/stingray-authorize-mac
reading pairlist file /etc/raddb//authorized_macs
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb//radiusd.conf
} # server
server default { # from file /etc/raddb//sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/raddb//sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /etc/raddb//sites-enabled/inner-tunnel:330
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
mode = "rw"
peercred = yes
}
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on command file /var/run/radiusd/radiusd.sock
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 53944
Listening on proxy address :: port 34626
Ready to process requests
(0) Received Access-Request Id 219 from 10.1.0.81:1507 to 10.250.33.157:1812 length 234
(0) User-Name = "lpaulin"
(0) NAS-IP-Address = 10.1.0.81
(0) Framed-IP-Address = 10.250.156.2
(0) NAS-Identifier = "10.250.152.61/5246-wifi.net.test"
(0) Called-Station-Id = "A2-4C-A5-3F-BB-02:stingray-test"
(0) NAS-Port-Type = Wireless-802.11
(0) NAS-Port = 1
(0) Calling-Station-Id = "18-65-90-CB-4C-69"
(0) Connect-Info = "CONNECT 0Mbps 11AC"
(0) Acct-Session-Id = "5A5EA945-00080618"
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027076
(0) WLAN-AKM-Suite = 1027073
(0) Framed-MTU = 1400
(0) EAP-Message = 0x024d000c016c7061756c696e
(0) Message-Authenticator = 0x7d90c289dc5180925d80915272d1dea7
(0) # Executing section authorize from file /etc/raddb//sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(0) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(0) auth_log: EXPAND %t
(0) auth_log: --> Thu Feb 1 14:48:02 2018
(0) [auth_log] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "lpaulin", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (&(objectCategory=person)(objectClass=user)(sAMAccountName=%{%{mschap:User-Name}:-%{User-Name}}))
(0) ldap: --> (&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))
(0) ldap: Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
(0) [ldap] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) policy ntlm_auth.authorize {
(0) if (!control:Auth-Type && User-Password) {
(0) if (!control:Auth-Type && User-Password) -> FALSE
(0) } # policy ntlm_auth.authorize = ok
(0) switch &Huntgroup-Name {
(0) case wireless {
(0) if (!(Ldap-Group == "DevOpsUsers")) {
(0) Searching for user in group "DevOpsUsers"
rlm_ldap (ldap): Reserved connection (1)
(0) Using user DN from request "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(0) Checking for user in group objects
(0) EXPAND (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=%{control:Ldap-UserDn})))
(0) --> (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))
(0) Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))", scope "sub"
(0) Waiting for search result...
(0) Search returned no results
(0) Checking user object's memberOf attributes
(0) Performing unfiltered search in "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(0) Waiting for search result...
(0) Processing memberOf value "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(0) Resolving group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(0) Performing unfiltered search in "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(0) Waiting for search result...
(0) Group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-OUTBOUND-USA"
(0) Processing memberOf value "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(0) Resolving group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" to group name
(0) Performing unfiltered search in "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(0) Waiting for search result...
(0) Group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "tech-unit"
(0) Processing memberOf value "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(0) Resolving group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(0) Performing unfiltered search in "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(0) Waiting for search result...
(0) Group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "ITDEV-L1"
(0) Processing memberOf value "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(0) Resolving group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(0) Performing unfiltered search in "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(0) Waiting for search result...
(0) Group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "GLS-ContentGroup1"
(0) Processing memberOf value "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(0) Resolving group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(0) Performing unfiltered search in "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(0) Waiting for search result...
(0) Group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Infrastructure-L2"
(0) Processing memberOf value "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(0) Resolving group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(0) Performing unfiltered search in "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(0) Waiting for search result...
(0) Group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Projects-L1"
(0) Processing memberOf value "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(0) Resolving group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(0) Performing unfiltered search in "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(0) Waiting for search result...
(0) Group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_Projects_Share"
(0) Processing memberOf value "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(0) Resolving group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(0) Performing unfiltered search in "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(0) Waiting for search result...
(0) Group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Confluence Users"
(0) Processing memberOf value "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(0) Resolving group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(0) Performing unfiltered search in "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(0) Waiting for search result...
(0) Group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_IT_Share"
(0) Processing memberOf value "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(0) Resolving group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(0) Performing unfiltered search in "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(0) Waiting for search result...
(0) Group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-SSL-ADMIN"
(0) Processing memberOf value "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(0) Resolving group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(0) Performing unfiltered search in "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(0) Waiting for search result...
(0) Group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "DevOpsUsers"
(0) User found in group "DevOpsUsers". Comparison between membership: name (resolved from DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com"), check: name
rlm_ldap (ldap): Released connection (1)
(0) if (!(Ldap-Group == "DevOpsUsers")) -> FALSE
(0) } # case wireless = ok
(0) } # switch &Huntgroup-Name = ok
(0) eap: Peer sent EAP Response (code 2) ID 77 length 12
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb//sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: Flushing SSL sessions (of #0)
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 78 length 6
(0) eap: EAP session adding &reply:State = 0x77ecfe8777a2e75b
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/raddb//sites-enabled/default
(0) Sent Access-Challenge Id 219 from 10.250.33.157:1812 to 10.1.0.81:1507 length 0
(0) EAP-Message = 0x014e00061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x77ecfe8777a2e75befb8e2119e348ef2
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 220 from 10.1.0.81:1507 to 10.250.33.157:1812 length 401
(1) User-Name = "lpaulin"
(1) NAS-IP-Address = 10.1.0.81
(1) Framed-IP-Address = 10.250.156.2
(1) NAS-Identifier = "10.250.152.61/5246-wifi.net.test"
(1) Called-Station-Id = "A2-4C-A5-3F-BB-02:stingray-test"
(1) NAS-Port-Type = Wireless-802.11
(1) NAS-Port = 1
(1) Calling-Station-Id = "18-65-90-CB-4C-69"
(1) Connect-Info = "CONNECT 0Mbps 11AC"
(1) Acct-Session-Id = "5A5EA945-00080618"
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027076
(1) WLAN-AKM-Suite = 1027073
(1) Framed-MTU = 1400
(1) EAP-Message = 0x024e00a119800000009716030100920100008e03035a7328a2e97ebc3c017704e5f2f65c55f90b6ac92479b3c1fe7bd766e42e8a5300002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00
(1) State = 0x77ecfe8777a2e75befb8e2119e348ef2
(1) Message-Authenticator = 0xc8ef638a5bb3dd73407d74630e6dc85b
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb//sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log: --> /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(1) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(1) auth_log: EXPAND %t
(1) auth_log: --> Thu Feb 1 14:48:02 2018
(1) [auth_log] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "lpaulin", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) [files] = noop
rlm_ldap (ldap): Reserved connection (2)
(1) ldap: EXPAND (&(objectCategory=person)(objectClass=user)(sAMAccountName=%{%{mschap:User-Name}:-%{User-Name}}))
(1) ldap: --> (&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))
(1) ldap: Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))", scope "sub"
(1) ldap: Waiting for search result...
(1) ldap: User object found at DN "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(1) ldap: Processing user attributes
(1) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(1) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (2)
(1) [ldap] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) policy ntlm_auth.authorize {
(1) if (!control:Auth-Type && User-Password) {
(1) if (!control:Auth-Type && User-Password) -> FALSE
(1) } # policy ntlm_auth.authorize = ok
(1) switch &Huntgroup-Name {
(1) case wireless {
(1) if (!(Ldap-Group == "DevOpsUsers")) {
(1) Searching for user in group "DevOpsUsers"
rlm_ldap (ldap): Reserved connection (3)
(1) Using user DN from request "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(1) Checking for user in group objects
(1) EXPAND (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=%{control:Ldap-UserDn})))
(1) --> (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))
(1) Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))", scope "sub"
(1) Waiting for search result...
(1) Search returned no results
(1) Checking user object's memberOf attributes
(1) Performing unfiltered search in "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(1) Waiting for search result...
(1) Processing memberOf value "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(1) Resolving group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(1) Performing unfiltered search in "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(1) Waiting for search result...
(1) Group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-OUTBOUND-USA"
(1) Processing memberOf value "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(1) Resolving group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" to group name
(1) Performing unfiltered search in "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(1) Waiting for search result...
(1) Group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "tech-unit"
(1) Processing memberOf value "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(1) Resolving group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(1) Performing unfiltered search in "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(1) Waiting for search result...
(1) Group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "ITDEV-L1"
(1) Processing memberOf value "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(1) Resolving group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(1) Performing unfiltered search in "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(1) Waiting for search result...
(1) Group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "GLS-ContentGroup1"
(1) Processing memberOf value "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(1) Resolving group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(1) Performing unfiltered search in "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(1) Waiting for search result...
(1) Group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Infrastructure-L2"
(1) Processing memberOf value "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(1) Resolving group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(1) Performing unfiltered search in "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(1) Waiting for search result...
(1) Group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Projects-L1"
(1) Processing memberOf value "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(1) Resolving group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(1) Performing unfiltered search in "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(1) Waiting for search result...
(1) Group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_Projects_Share"
(1) Processing memberOf value "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(1) Resolving group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(1) Performing unfiltered search in "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(1) Waiting for search result...
(1) Group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Confluence Users"
(1) Processing memberOf value "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(1) Resolving group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(1) Performing unfiltered search in "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(1) Waiting for search result...
(1) Group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_IT_Share"
(1) Processing memberOf value "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(1) Resolving group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(1) Performing unfiltered search in "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(1) Waiting for search result...
(1) Group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-SSL-ADMIN"
(1) Processing memberOf value "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(1) Resolving group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(1) Performing unfiltered search in "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(1) Waiting for search result...
(1) Group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "DevOpsUsers"
(1) User found in group "DevOpsUsers". Comparison between membership: name (resolved from DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com"), check: name
rlm_ldap (ldap): Released connection (3)
(1) if (!(Ldap-Group == "DevOpsUsers")) -> FALSE
(1) } # case wireless = ok
(1) } # switch &Huntgroup-Name = ok
(1) eap: Peer sent EAP Response (code 2) ID 78 length 161
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb//sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x77ecfe8777a2e75b
(1) eap: Finished EAP session with state 0x77ecfe8777a2e75b
(1) eap: Previous EAP request found for state 0x77ecfe8777a2e75b, released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 151 bytes
(1) eap_peap: Got complete TLS record (151 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before/accept initialization
(1) eap_peap: TLS_accept: before/accept initialization
(1) eap_peap: <<< recv TLS 1.2 [length 0092]
(1) eap_peap: TLS_accept: SSLv3 read client hello A
(1) eap_peap: >>> send TLS 1.2 [length 0059]
(1) eap_peap: TLS_accept: SSLv3 write server hello A
(1) eap_peap: >>> send TLS 1.2 [length 09c3]
(1) eap_peap: TLS_accept: SSLv3 write certificate A
(1) eap_peap: >>> send TLS 1.2 [length 014d]
(1) eap_peap: TLS_accept: SSLv3 write key exchange A
(1) eap_peap: >>> send TLS 1.2 [length 0004]
(1) eap_peap: TLS_accept: SSLv3 write server done A
(1) eap_peap: TLS_accept: SSLv3 flush data
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(1) eap_peap: In SSL Handshake Phase
(1) eap_peap: In SSL Accept mode
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 79 length 1004
(1) eap: EAP session adding &reply:State = 0x77ecfe8776a3e75b
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/raddb//sites-enabled/default
(1) Sent Access-Challenge Id 220 from 10.250.33.157:1812 to 10.1.0.81:1507 length 0
(1) EAP-Message = 0x014f03ec19c000000b8116030300590200005503035a7328a2ba129ef7e046157355785aef66e8c6a11311f15c58f542a23554ad3f2037175033e2b71fccf942dc510df0fe8449d058a0820c2f10147e72d18dfb4d17c03000000dff01000100000b00040300010216030309c30b0009bf0009bc0005ec
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x77ecfe8776a3e75befb8e2119e348ef2
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 221 from 10.1.0.81:1507 to 10.250.33.157:1812 length 246
(2) User-Name = "lpaulin"
(2) NAS-IP-Address = 10.1.0.81
(2) Framed-IP-Address = 10.250.156.2
(2) NAS-Identifier = "10.250.152.61/5246-wifi.net.test"
(2) Called-Station-Id = "A2-4C-A5-3F-BB-02:stingray-test"
(2) NAS-Port-Type = Wireless-802.11
(2) NAS-Port = 1
(2) Calling-Station-Id = "18-65-90-CB-4C-69"
(2) Connect-Info = "CONNECT 0Mbps 11AC"
(2) Acct-Session-Id = "5A5EA945-00080618"
(2) WLAN-Pairwise-Cipher = 1027076
(2) WLAN-Group-Cipher = 1027076
(2) WLAN-AKM-Suite = 1027073
(2) Framed-MTU = 1400
(2) EAP-Message = 0x024f00061900
(2) State = 0x77ecfe8776a3e75befb8e2119e348ef2
(2) Message-Authenticator = 0xb4ffe92f379b9f67bfaa603f3acc0ee1
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb//sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(2) auth_log: --> /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(2) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(2) auth_log: EXPAND %t
(2) auth_log: --> Thu Feb 1 14:48:02 2018
(2) [auth_log] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "lpaulin", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(2) ldap: EXPAND (&(objectCategory=person)(objectClass=user)(sAMAccountName=%{%{mschap:User-Name}:-%{User-Name}}))
(2) ldap: --> (&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))
(2) ldap: Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))", scope "sub"
(2) ldap: Waiting for search result...
(2) ldap: User object found at DN "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(2) ldap: Processing user attributes
(2) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(2) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (4)
(2) [ldap] = ok
(2) [expiration] = noop
(2) [logintime] = noop
(2) policy ntlm_auth.authorize {
(2) if (!control:Auth-Type && User-Password) {
(2) if (!control:Auth-Type && User-Password) -> FALSE
(2) } # policy ntlm_auth.authorize = ok
(2) switch &Huntgroup-Name {
(2) case wireless {
(2) if (!(Ldap-Group == "DevOpsUsers")) {
(2) Searching for user in group "DevOpsUsers"
rlm_ldap (ldap): Reserved connection (0)
(2) Using user DN from request "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(2) Checking for user in group objects
(2) EXPAND (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=%{control:Ldap-UserDn})))
(2) --> (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))
(2) Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))", scope "sub"
(2) Waiting for search result...
(2) Search returned no results
(2) Checking user object's memberOf attributes
(2) Performing unfiltered search in "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(2) Waiting for search result...
(2) Processing memberOf value "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(2) Resolving group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(2) Performing unfiltered search in "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(2) Waiting for search result...
(2) Group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-OUTBOUND-USA"
(2) Processing memberOf value "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(2) Resolving group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" to group name
(2) Performing unfiltered search in "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(2) Waiting for search result...
(2) Group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "tech-unit"
(2) Processing memberOf value "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(2) Resolving group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(2) Performing unfiltered search in "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(2) Waiting for search result...
(2) Group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "ITDEV-L1"
(2) Processing memberOf value "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(2) Resolving group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(2) Performing unfiltered search in "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(2) Waiting for search result...
(2) Group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "GLS-ContentGroup1"
(2) Processing memberOf value "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(2) Resolving group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(2) Performing unfiltered search in "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(2) Waiting for search result...
(2) Group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Infrastructure-L2"
(2) Processing memberOf value "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(2) Resolving group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(2) Performing unfiltered search in "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(2) Waiting for search result...
(2) Group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Projects-L1"
(2) Processing memberOf value "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(2) Resolving group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(2) Performing unfiltered search in "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(2) Waiting for search result...
(2) Group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_Projects_Share"
(2) Processing memberOf value "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(2) Resolving group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(2) Performing unfiltered search in "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(2) Waiting for search result...
(2) Group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Confluence Users"
(2) Processing memberOf value "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(2) Resolving group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(2) Performing unfiltered search in "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(2) Waiting for search result...
(2) Group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_IT_Share"
(2) Processing memberOf value "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(2) Resolving group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(2) Performing unfiltered search in "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(2) Waiting for search result...
(2) Group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-SSL-ADMIN"
(2) Processing memberOf value "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(2) Resolving group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(2) Performing unfiltered search in "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(2) Waiting for search result...
(2) Group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "DevOpsUsers"
(2) User found in group "DevOpsUsers". Comparison between membership: name (resolved from DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com"), check: name
rlm_ldap (ldap): Released connection (0)
(2) if (!(Ldap-Group == "DevOpsUsers")) -> FALSE
(2) } # case wireless = ok
(2) } # switch &Huntgroup-Name = ok
(2) eap: Peer sent EAP Response (code 2) ID 79 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb//sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x77ecfe8776a3e75b
(2) eap: Finished EAP session with state 0x77ecfe8776a3e75b
(2) eap: Previous EAP request found for state 0x77ecfe8776a3e75b, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer ACKed our handshake fragment
(2) eap_peap: [eaptls verify] = request
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 80 length 1000
(2) eap: EAP session adding &reply:State = 0x77ecfe8775bce75b
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /etc/raddb//sites-enabled/default
(2) Sent Access-Challenge Id 221 from 10.250.33.157:1812 to 10.1.0.81:1507 length 0
(2) EAP-Message = 0x015003e8194044433d636f6d3f63657274696669636174655265766f636174696f6e4c6973743f626173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e743081d506082b060105050701010481c83081c53081c206082b060105050730028681b56c6461703a2f2f2f
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x77ecfe8775bce75befb8e2119e348ef2
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 222 from 10.1.0.81:1507 to 10.250.33.157:1812 length 246
(3) User-Name = "lpaulin"
(3) NAS-IP-Address = 10.1.0.81
(3) Framed-IP-Address = 10.250.156.2
(3) NAS-Identifier = "10.250.152.61/5246-wifi.net.test"
(3) Called-Station-Id = "A2-4C-A5-3F-BB-02:stingray-test"
(3) NAS-Port-Type = Wireless-802.11
(3) NAS-Port = 1
(3) Calling-Station-Id = "18-65-90-CB-4C-69"
(3) Connect-Info = "CONNECT 0Mbps 11AC"
(3) Acct-Session-Id = "5A5EA945-00080618"
(3) WLAN-Pairwise-Cipher = 1027076
(3) WLAN-Group-Cipher = 1027076
(3) WLAN-AKM-Suite = 1027073
(3) Framed-MTU = 1400
(3) EAP-Message = 0x025000061900
(3) State = 0x77ecfe8775bce75befb8e2119e348ef2
(3) Message-Authenticator = 0x13f256b67ffb487d8d3868fc44ca7145
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb//sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(3) auth_log: --> /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(3) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(3) auth_log: EXPAND %t
(3) auth_log: --> Thu Feb 1 14:48:02 2018
(3) [auth_log] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "lpaulin", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) [files] = noop
rlm_ldap (ldap): Reserved connection (1)
(3) ldap: EXPAND (&(objectCategory=person)(objectClass=user)(sAMAccountName=%{%{mschap:User-Name}:-%{User-Name}}))
(3) ldap: --> (&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))
(3) ldap: Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))", scope "sub"
(3) ldap: Waiting for search result...
(3) ldap: User object found at DN "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(3) ldap: Processing user attributes
(3) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(3) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (1)
(3) [ldap] = ok
(3) [expiration] = noop
(3) [logintime] = noop
(3) policy ntlm_auth.authorize {
(3) if (!control:Auth-Type && User-Password) {
(3) if (!control:Auth-Type && User-Password) -> FALSE
(3) } # policy ntlm_auth.authorize = ok
(3) switch &Huntgroup-Name {
(3) case wireless {
(3) if (!(Ldap-Group == "DevOpsUsers")) {
(3) Searching for user in group "DevOpsUsers"
rlm_ldap (ldap): Reserved connection (2)
(3) Using user DN from request "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(3) Checking for user in group objects
(3) EXPAND (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=%{control:Ldap-UserDn})))
(3) --> (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))
(3) Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))", scope "sub"
(3) Waiting for search result...
(3) Search returned no results
(3) Checking user object's memberOf attributes
(3) Performing unfiltered search in "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(3) Waiting for search result...
(3) Processing memberOf value "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(3) Resolving group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(3) Performing unfiltered search in "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(3) Waiting for search result...
(3) Group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-OUTBOUND-USA"
(3) Processing memberOf value "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(3) Resolving group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" to group name
(3) Performing unfiltered search in "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(3) Waiting for search result...
(3) Group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "tech-unit"
(3) Processing memberOf value "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(3) Resolving group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(3) Performing unfiltered search in "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(3) Waiting for search result...
(3) Group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "ITDEV-L1"
(3) Processing memberOf value "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(3) Resolving group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(3) Performing unfiltered search in "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(3) Waiting for search result...
(3) Group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "GLS-ContentGroup1"
(3) Processing memberOf value "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(3) Resolving group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(3) Performing unfiltered search in "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(3) Waiting for search result...
(3) Group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Infrastructure-L2"
(3) Processing memberOf value "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(3) Resolving group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(3) Performing unfiltered search in "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(3) Waiting for search result...
(3) Group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Projects-L1"
(3) Processing memberOf value "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(3) Resolving group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(3) Performing unfiltered search in "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(3) Waiting for search result...
(3) Group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_Projects_Share"
(3) Processing memberOf value "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(3) Resolving group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(3) Performing unfiltered search in "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(3) Waiting for search result...
(3) Group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Confluence Users"
(3) Processing memberOf value "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(3) Resolving group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(3) Performing unfiltered search in "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(3) Waiting for search result...
(3) Group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_IT_Share"
(3) Processing memberOf value "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(3) Resolving group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(3) Performing unfiltered search in "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(3) Waiting for search result...
(3) Group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-SSL-ADMIN"
(3) Processing memberOf value "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(3) Resolving group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(3) Performing unfiltered search in "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(3) Waiting for search result...
(3) Group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "DevOpsUsers"
(3) User found in group "DevOpsUsers". Comparison between membership: name (resolved from DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com"), check: name
rlm_ldap (ldap): Released connection (2)
(3) if (!(Ldap-Group == "DevOpsUsers")) -> FALSE
(3) } # case wireless = ok
(3) } # switch &Huntgroup-Name = ok
(3) eap: Peer sent EAP Response (code 2) ID 80 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb//sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x77ecfe8775bce75b
(3) eap: Finished EAP session with state 0x77ecfe8775bce75b
(3) eap: Previous EAP request found for state 0x77ecfe8775bce75b, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 81 length 963
(3) eap: EAP session adding &reply:State = 0x77ecfe8774bde75b
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /etc/raddb//sites-enabled/default
(3) Sent Access-Challenge Id 222 from 10.250.33.157:1812 to 10.1.0.81:1507 length 0
(3) EAP-Message = 0x015103c319009d0bbc816155cb2ca5ead4879ea04dd09017e9304217ee5589d54270c50f994698228ba7eb466a63a0b4d2bd404ca959a171f03e00b12d80e59067c8c29bd5c4f315c69534b2cf4732b2ed9fa3fc02a3d6d28b7b7f87cf2143432299a355458c77fe13b92d87e576d243099c545daec2ba
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x77ecfe8774bde75befb8e2119e348ef2
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 223 from 10.1.0.81:1507 to 10.250.33.157:1812 length 376
(4) User-Name = "lpaulin"
(4) NAS-IP-Address = 10.1.0.81
(4) Framed-IP-Address = 10.250.156.2
(4) NAS-Identifier = "10.250.152.61/5246-wifi.net.test"
(4) Called-Station-Id = "A2-4C-A5-3F-BB-02:stingray-test"
(4) NAS-Port-Type = Wireless-802.11
(4) NAS-Port = 1
(4) Calling-Station-Id = "18-65-90-CB-4C-69"
(4) Connect-Info = "CONNECT 0Mbps 11AC"
(4) Acct-Session-Id = "5A5EA945-00080618"
(4) WLAN-Pairwise-Cipher = 1027076
(4) WLAN-Group-Cipher = 1027076
(4) WLAN-AKM-Suite = 1027073
(4) Framed-MTU = 1400
(4) EAP-Message = 0x0251008819800000007e1603030046100000424104cb1fa4bb496cae75a04951ac8ed63aac85e30968c8ccc193929b75d81f6139a7dd9888b55e96af243b627a242573dd8415a626ae6fa82c2401eb4fbe1ee7333f140303000101160303002843e2c7b41ca499e61c4ee1050d038ad865693f33631bfb
(4) State = 0x77ecfe8774bde75befb8e2119e348ef2
(4) Message-Authenticator = 0xdac50c11e8262e8626fccf561e4d8ef5
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb//sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(4) auth_log: --> /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(4) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(4) auth_log: EXPAND %t
(4) auth_log: --> Thu Feb 1 14:48:02 2018
(4) [auth_log] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "lpaulin", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) [files] = noop
rlm_ldap (ldap): Reserved connection (3)
(4) ldap: EXPAND (&(objectCategory=person)(objectClass=user)(sAMAccountName=%{%{mschap:User-Name}:-%{User-Name}}))
(4) ldap: --> (&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))
(4) ldap: Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))", scope "sub"
(4) ldap: Waiting for search result...
(4) ldap: User object found at DN "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(4) ldap: Processing user attributes
(4) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(4) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (3)
(4) [ldap] = ok
(4) [expiration] = noop
(4) [logintime] = noop
(4) policy ntlm_auth.authorize {
(4) if (!control:Auth-Type && User-Password) {
(4) if (!control:Auth-Type && User-Password) -> FALSE
(4) } # policy ntlm_auth.authorize = ok
(4) switch &Huntgroup-Name {
(4) case wireless {
(4) if (!(Ldap-Group == "DevOpsUsers")) {
(4) Searching for user in group "DevOpsUsers"
rlm_ldap (ldap): Reserved connection (4)
(4) Using user DN from request "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(4) Checking for user in group objects
(4) EXPAND (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=%{control:Ldap-UserDn})))
(4) --> (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))
(4) Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))", scope "sub"
(4) Waiting for search result...
(4) Search returned no results
(4) Checking user object's memberOf attributes
(4) Performing unfiltered search in "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(4) Waiting for search result...
(4) Processing memberOf value "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(4) Resolving group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(4) Performing unfiltered search in "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(4) Waiting for search result...
(4) Group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-OUTBOUND-USA"
(4) Processing memberOf value "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(4) Resolving group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" to group name
(4) Performing unfiltered search in "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(4) Waiting for search result...
(4) Group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "tech-unit"
(4) Processing memberOf value "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(4) Resolving group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(4) Performing unfiltered search in "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(4) Waiting for search result...
(4) Group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "ITDEV-L1"
(4) Processing memberOf value "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(4) Resolving group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(4) Performing unfiltered search in "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(4) Waiting for search result...
(4) Group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "GLS-ContentGroup1"
(4) Processing memberOf value "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(4) Resolving group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(4) Performing unfiltered search in "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(4) Waiting for search result...
(4) Group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Infrastructure-L2"
(4) Processing memberOf value "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(4) Resolving group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(4) Performing unfiltered search in "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(4) Waiting for search result...
(4) Group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Projects-L1"
(4) Processing memberOf value "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(4) Resolving group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(4) Performing unfiltered search in "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(4) Waiting for search result...
(4) Group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_Projects_Share"
(4) Processing memberOf value "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(4) Resolving group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(4) Performing unfiltered search in "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(4) Waiting for search result...
(4) Group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Confluence Users"
(4) Processing memberOf value "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(4) Resolving group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(4) Performing unfiltered search in "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(4) Waiting for search result...
(4) Group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_IT_Share"
(4) Processing memberOf value "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(4) Resolving group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(4) Performing unfiltered search in "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(4) Waiting for search result...
(4) Group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-SSL-ADMIN"
(4) Processing memberOf value "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(4) Resolving group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(4) Performing unfiltered search in "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(4) Waiting for search result...
(4) Group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "DevOpsUsers"
(4) User found in group "DevOpsUsers". Comparison between membership: name (resolved from DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com"), check: name
rlm_ldap (ldap): Released connection (4)
(4) if (!(Ldap-Group == "DevOpsUsers")) -> FALSE
(4) } # case wireless = ok
(4) } # switch &Huntgroup-Name = ok
(4) eap: Peer sent EAP Response (code 2) ID 81 length 136
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb//sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x77ecfe8774bde75b
(4) eap: Finished EAP session with state 0x77ecfe8774bde75b
(4) eap: Previous EAP request found for state 0x77ecfe8774bde75b, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(4) eap_peap: Got complete TLS record (126 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: <<< recv TLS 1.2 [length 0046]
(4) eap_peap: TLS_accept: SSLv3 read client key exchange A
(4) eap_peap: <<< recv TLS 1.2 [length 0001]
(4) eap_peap: <<< recv TLS 1.2 [length 0010]
(4) eap_peap: TLS_accept: SSLv3 read finished A
(4) eap_peap: >>> send TLS 1.2 [length 0001]
(4) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(4) eap_peap: >>> send TLS 1.2 [length 0010]
(4) eap_peap: TLS_accept: SSLv3 write finished A
(4) eap_peap: TLS_accept: SSLv3 flush data
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: SSL Connection Established
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 82 length 57
(4) eap: EAP session adding &reply:State = 0x77ecfe8773bee75b
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/raddb//sites-enabled/default
(4) Sent Access-Challenge Id 223 from 10.250.33.157:1812 to 10.1.0.81:1507 length 0
(4) EAP-Message = 0x015200391900140303000101160303002812e3ce9c8b002426948a5526fa6ba4b1b6fb000614229f4b88ef30826bbcc19262dffecc24e5178b
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x77ecfe8773bee75befb8e2119e348ef2
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 224 from 10.1.0.81:1507 to 10.250.33.157:1812 length 246
(5) User-Name = "lpaulin"
(5) NAS-IP-Address = 10.1.0.81
(5) Framed-IP-Address = 10.250.156.2
(5) NAS-Identifier = "10.250.152.61/5246-wifi.net.test"
(5) Called-Station-Id = "A2-4C-A5-3F-BB-02:stingray-test"
(5) NAS-Port-Type = Wireless-802.11
(5) NAS-Port = 1
(5) Calling-Station-Id = "18-65-90-CB-4C-69"
(5) Connect-Info = "CONNECT 0Mbps 11AC"
(5) Acct-Session-Id = "5A5EA945-00080618"
(5) WLAN-Pairwise-Cipher = 1027076
(5) WLAN-Group-Cipher = 1027076
(5) WLAN-AKM-Suite = 1027073
(5) Framed-MTU = 1400
(5) EAP-Message = 0x025200061900
(5) State = 0x77ecfe8773bee75befb8e2119e348ef2
(5) Message-Authenticator = 0x89b057bc7c5c843102a3b6668591a6cc
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb//sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(5) auth_log: --> /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(5) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(5) auth_log: EXPAND %t
(5) auth_log: --> Thu Feb 1 14:48:02 2018
(5) [auth_log] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "lpaulin", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(5) ldap: EXPAND (&(objectCategory=person)(objectClass=user)(sAMAccountName=%{%{mschap:User-Name}:-%{User-Name}}))
(5) ldap: --> (&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))
(5) ldap: Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))", scope "sub"
(5) ldap: Waiting for search result...
(5) ldap: User object found at DN "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(5) ldap: Processing user attributes
(5) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(5) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
(5) [ldap] = ok
(5) [expiration] = noop
(5) [logintime] = noop
(5) policy ntlm_auth.authorize {
(5) if (!control:Auth-Type && User-Password) {
(5) if (!control:Auth-Type && User-Password) -> FALSE
(5) } # policy ntlm_auth.authorize = ok
(5) switch &Huntgroup-Name {
(5) case wireless {
(5) if (!(Ldap-Group == "DevOpsUsers")) {
(5) Searching for user in group "DevOpsUsers"
rlm_ldap (ldap): Reserved connection (1)
(5) Using user DN from request "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(5) Checking for user in group objects
(5) EXPAND (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=%{control:Ldap-UserDn})))
(5) --> (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))
(5) Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))", scope "sub"
(5) Waiting for search result...
(5) Search returned no results
(5) Checking user object's memberOf attributes
(5) Performing unfiltered search in "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(5) Waiting for search result...
(5) Processing memberOf value "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(5) Resolving group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(5) Performing unfiltered search in "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(5) Waiting for search result...
(5) Group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-OUTBOUND-USA"
(5) Processing memberOf value "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(5) Resolving group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" to group name
(5) Performing unfiltered search in "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(5) Waiting for search result...
(5) Group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "tech-unit"
(5) Processing memberOf value "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(5) Resolving group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(5) Performing unfiltered search in "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(5) Waiting for search result...
(5) Group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "ITDEV-L1"
(5) Processing memberOf value "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(5) Resolving group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(5) Performing unfiltered search in "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(5) Waiting for search result...
(5) Group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "GLS-ContentGroup1"
(5) Processing memberOf value "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(5) Resolving group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(5) Performing unfiltered search in "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(5) Waiting for search result...
(5) Group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Infrastructure-L2"
(5) Processing memberOf value "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(5) Resolving group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(5) Performing unfiltered search in "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(5) Waiting for search result...
(5) Group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Projects-L1"
(5) Processing memberOf value "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(5) Resolving group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(5) Performing unfiltered search in "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(5) Waiting for search result...
(5) Group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_Projects_Share"
(5) Processing memberOf value "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(5) Resolving group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(5) Performing unfiltered search in "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(5) Waiting for search result...
(5) Group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Confluence Users"
(5) Processing memberOf value "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(5) Resolving group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(5) Performing unfiltered search in "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(5) Waiting for search result...
(5) Group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_IT_Share"
(5) Processing memberOf value "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(5) Resolving group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(5) Performing unfiltered search in "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(5) Waiting for search result...
(5) Group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-SSL-ADMIN"
(5) Processing memberOf value "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(5) Resolving group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(5) Performing unfiltered search in "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(5) Waiting for search result...
(5) Group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "DevOpsUsers"
(5) User found in group "DevOpsUsers". Comparison between membership: name (resolved from DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com"), check: name
rlm_ldap (ldap): Released connection (1)
(5) if (!(Ldap-Group == "DevOpsUsers")) -> FALSE
(5) } # case wireless = ok
(5) } # switch &Huntgroup-Name = ok
(5) eap: Peer sent EAP Response (code 2) ID 82 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb//sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x77ecfe8773bee75b
(5) eap: Finished EAP session with state 0x77ecfe8773bee75b
(5) eap: Previous EAP request found for state 0x77ecfe8773bee75b, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established. Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 83 length 40
(5) eap: EAP session adding &reply:State = 0x77ecfe8772bfe75b
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/raddb//sites-enabled/default
(5) Sent Access-Challenge Id 224 from 10.250.33.157:1812 to 10.1.0.81:1507 length 0
(5) EAP-Message = 0x015300281900170303001d12e3ce9c8b0024271fec3999555181f4fc373c69af1ae054ec755ce1e7
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x77ecfe8772bfe75befb8e2119e348ef2
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 225 from 10.1.0.81:1507 to 10.250.33.157:1812 length 283
(6) User-Name = "lpaulin"
(6) NAS-IP-Address = 10.1.0.81
(6) Framed-IP-Address = 10.250.156.2
(6) NAS-Identifier = "10.250.152.61/5246-wifi.net.test"
(6) Called-Station-Id = "A2-4C-A5-3F-BB-02:stingray-test"
(6) NAS-Port-Type = Wireless-802.11
(6) NAS-Port = 1
(6) Calling-Station-Id = "18-65-90-CB-4C-69"
(6) Connect-Info = "CONNECT 0Mbps 11AC"
(6) Acct-Session-Id = "5A5EA945-00080618"
(6) WLAN-Pairwise-Cipher = 1027076
(6) WLAN-Group-Cipher = 1027076
(6) WLAN-AKM-Suite = 1027073
(6) Framed-MTU = 1400
(6) EAP-Message = 0x0253002b1900170303002043e2c7b41ca499e710ab56add640d893112647fa6ff44847ab192d9a76586509
(6) State = 0x77ecfe8772bfe75befb8e2119e348ef2
(6) Message-Authenticator = 0x5538ac84d58ec1bae263b625cbe03136
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb//sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(6) auth_log: --> /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(6) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(6) auth_log: EXPAND %t
(6) auth_log: --> Thu Feb 1 14:48:02 2018
(6) [auth_log] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "lpaulin", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) [files] = noop
rlm_ldap (ldap): Reserved connection (2)
(6) ldap: EXPAND (&(objectCategory=person)(objectClass=user)(sAMAccountName=%{%{mschap:User-Name}:-%{User-Name}}))
(6) ldap: --> (&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))
(6) ldap: Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))", scope "sub"
(6) ldap: Waiting for search result...
(6) ldap: User object found at DN "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(6) ldap: Processing user attributes
(6) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(6) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (2)
(6) [ldap] = ok
(6) [expiration] = noop
(6) [logintime] = noop
(6) policy ntlm_auth.authorize {
(6) if (!control:Auth-Type && User-Password) {
(6) if (!control:Auth-Type && User-Password) -> FALSE
(6) } # policy ntlm_auth.authorize = ok
(6) switch &Huntgroup-Name {
(6) case wireless {
(6) if (!(Ldap-Group == "DevOpsUsers")) {
(6) Searching for user in group "DevOpsUsers"
rlm_ldap (ldap): Reserved connection (3)
(6) Using user DN from request "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(6) Checking for user in group objects
(6) EXPAND (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=%{control:Ldap-UserDn})))
(6) --> (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))
(6) Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))", scope "sub"
(6) Waiting for search result...
(6) Search returned no results
(6) Checking user object's memberOf attributes
(6) Performing unfiltered search in "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(6) Waiting for search result...
(6) Processing memberOf value "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(6) Resolving group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(6) Performing unfiltered search in "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(6) Waiting for search result...
(6) Group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-OUTBOUND-USA"
(6) Processing memberOf value "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(6) Resolving group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" to group name
(6) Performing unfiltered search in "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(6) Waiting for search result...
(6) Group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "tech-unit"
(6) Processing memberOf value "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(6) Resolving group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(6) Performing unfiltered search in "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(6) Waiting for search result...
(6) Group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "ITDEV-L1"
(6) Processing memberOf value "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(6) Resolving group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(6) Performing unfiltered search in "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(6) Waiting for search result...
(6) Group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "GLS-ContentGroup1"
(6) Processing memberOf value "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(6) Resolving group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(6) Performing unfiltered search in "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(6) Waiting for search result...
(6) Group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Infrastructure-L2"
(6) Processing memberOf value "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(6) Resolving group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(6) Performing unfiltered search in "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(6) Waiting for search result...
(6) Group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Projects-L1"
(6) Processing memberOf value "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(6) Resolving group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(6) Performing unfiltered search in "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(6) Waiting for search result...
(6) Group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_Projects_Share"
(6) Processing memberOf value "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(6) Resolving group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(6) Performing unfiltered search in "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(6) Waiting for search result...
(6) Group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Confluence Users"
(6) Processing memberOf value "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(6) Resolving group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(6) Performing unfiltered search in "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(6) Waiting for search result...
(6) Group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_IT_Share"
(6) Processing memberOf value "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(6) Resolving group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(6) Performing unfiltered search in "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(6) Waiting for search result...
(6) Group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-SSL-ADMIN"
(6) Processing memberOf value "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(6) Resolving group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(6) Performing unfiltered search in "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(6) Waiting for search result...
(6) Group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "DevOpsUsers"
(6) User found in group "DevOpsUsers". Comparison between membership: name (resolved from DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=?"), check: name
rlm_ldap (ldap): Released connection (3)
(6) if (!(Ldap-Group == "DevOpsUsers")) -> FALSE
(6) } # case wireless = ok
(6) } # switch &Huntgroup-Name = ok
(6) eap: Peer sent EAP Response (code 2) ID 83 length 43
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb//sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x77ecfe8772bfe75b
(6) eap: Finished EAP session with state 0x77ecfe8772bfe75b
(6) eap: Previous EAP request found for state 0x77ecfe8772bfe75b, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - lpaulin
(6) eap_peap: Got inner identity 'lpaulin'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap: EAP-Message = 0x0253000c016c7061756c696e
(6) eap_peap: Setting User-Name to lpaulin
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap: EAP-Message = 0x0253000c016c7061756c696e
(6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap: User-Name = "lpaulin"
(6) Virtual server inner-tunnel received request
(6) EAP-Message = 0x0253000c016c7061756c696e
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = "lpaulin"
(6) WARNING: Outer and inner identities are the same. User privacy is compromised.
(6) server inner-tunnel {
(6) # Executing section authorize from file /etc/raddb//sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "lpaulin", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 83 length 12
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb//sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) eap: Sending EAP Request (code 1) ID 84 length 43
(6) eap: EAP session adding &reply:State = 0x091761d209437b6f
(6) [eap] = handled
(6) } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) EAP-Message = 0x0154002b1a015400261038cc714c347c187d60ffcdd4557a1e1f667265657261646975732d332e302e3133
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x091761d209437b6f25e7051f47f8b70b
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap: EAP-Message = 0x0154002b1a015400261038cc714c347c187d60ffcdd4557a1e1f667265657261646975732d332e302e3133
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x091761d209437b6f25e7051f47f8b70b
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap: EAP-Message = 0x0154002b1a015400261038cc714c347c187d60ffcdd4557a1e1f667265657261646975732d332e302e3133
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x091761d209437b6f25e7051f47f8b70b
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 84 length 74
(6) eap: EAP session adding &reply:State = 0x77ecfe8771b8e75b
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /etc/raddb//sites-enabled/default
(6) Sent Access-Challenge Id 225 from 10.250.33.157:1812 to 10.1.0.81:1507 length 0
(6) EAP-Message = 0x0154004a1900170303003f12e3ce9c8b0024280c168cd92cbe2ebd2f0d13841b8ff157d2e0d23c91269965a78c49825e82673aaa47b6fac1c5f2eb555202ccecad5959c80cc1dab1e674
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x77ecfe8771b8e75befb8e2119e348ef2
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 226 from 10.1.0.81:1507 to 10.250.33.157:1812 length 337
(7) User-Name = "lpaulin"
(7) NAS-IP-Address = 10.1.0.81
(7) Framed-IP-Address = 10.250.156.2
(7) NAS-Identifier = "10.250.152.61/5246-wifi.net.test"
(7) Called-Station-Id = "A2-4C-A5-3F-BB-02:stingray-test"
(7) NAS-Port-Type = Wireless-802.11
(7) NAS-Port = 1
(7) Calling-Station-Id = "18-65-90-CB-4C-69"
(7) Connect-Info = "CONNECT 0Mbps 11AC"
(7) Acct-Session-Id = "5A5EA945-00080618"
(7) WLAN-Pairwise-Cipher = 1027076
(7) WLAN-Group-Cipher = 1027076
(7) WLAN-AKM-Suite = 1027073
(7) Framed-MTU = 1400
(7) EAP-Message = 0x025400611900170303005643e2c7b41ca499e894545487b723cfc38d9ea835ffc83f95b1f2eabd4997e417e373fc19dc9bcc00fbeb3f0bf9347ecef9bf8118e03885ca2d22efd098e3764b7cc9bb32cdc401622c57165d1b35a062a66874752086
(7) State = 0x77ecfe8771b8e75befb8e2119e348ef2
(7) Message-Authenticator = 0x31285a5b6860097cb50f63eff56a305c
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb//sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(7) auth_log: --> /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(7) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(7) auth_log: EXPAND %t
(7) auth_log: --> Thu Feb 1 14:48:02 2018
(7) [auth_log] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "lpaulin", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(7) ldap: EXPAND (&(objectCategory=person)(objectClass=user)(sAMAccountName=%{%{mschap:User-Name}:-%{User-Name}}))
(7) ldap: --> (&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))
(7) ldap: Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))", scope "sub"
(7) ldap: Waiting for search result...
(7) ldap: User object found at DN "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(7) ldap: Processing user attributes
(7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (4)
(7) [ldap] = ok
(7) [expiration] = noop
(7) [logintime] = noop
(7) policy ntlm_auth.authorize {
(7) if (!control:Auth-Type && User-Password) {
(7) if (!control:Auth-Type && User-Password) -> FALSE
(7) } # policy ntlm_auth.authorize = ok
(7) switch &Huntgroup-Name {
(7) case wireless {
(7) if (!(Ldap-Group == "DevOpsUsers")) {
(7) Searching for user in group "DevOpsUsers"
rlm_ldap (ldap): Reserved connection (0)
(7) Using user DN from request "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(7) Checking for user in group objects
(7) EXPAND (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=%{control:Ldap-UserDn})))
(7) --> (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))
(7) Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))", scope "sub"
(7) Waiting for search result...
(7) Search returned no results
(7) Checking user object's memberOf attributes
(7) Performing unfiltered search in "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(7) Waiting for search result...
(7) Processing memberOf value "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(7) Resolving group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(7) Performing unfiltered search in "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(7) Waiting for search result...
(7) Group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-OUTBOUND-USA"
(7) Processing memberOf value "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(7) Resolving group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" to group name
(7) Performing unfiltered search in "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(7) Waiting for search result...
(7) Group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "tech-unit"
(7) Processing memberOf value "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(7) Resolving group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(7) Performing unfiltered search in "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(7) Waiting for search result...
(7) Group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "ITDEV-L1"
(7) Processing memberOf value "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(7) Resolving group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(7) Performing unfiltered search in "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(7) Waiting for search result...
(7) Group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "GLS-ContentGroup1"
(7) Processing memberOf value "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(7) Resolving group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(7) Performing unfiltered search in "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(7) Waiting for search result...
(7) Group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Infrastructure-L2"
(7) Processing memberOf value "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(7) Resolving group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(7) Performing unfiltered search in "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(7) Waiting for search result...
(7) Group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Projects-L1"
(7) Processing memberOf value "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(7) Resolving group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(7) Performing unfiltered search in "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(7) Waiting for search result...
(7) Group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_Projects_Share"
(7) Processing memberOf value "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(7) Resolving group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(7) Performing unfiltered search in "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(7) Waiting for search result...
(7) Group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Confluence Users"
(7) Processing memberOf value "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(7) Resolving group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(7) Performing unfiltered search in "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(7) Waiting for search result...
(7) Group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_IT_Share"
(7) Processing memberOf value "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(7) Resolving group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(7) Performing unfiltered search in "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(7) Waiting for search result...
(7) Group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-SSL-ADMIN"
(7) Processing memberOf value "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(7) Resolving group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(7) Performing unfiltered search in "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(7) Waiting for search result...
(7) Group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "DevOpsUsers"
(7) User found in group "DevOpsUsers". Comparison between membership: name (resolved from DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com"), check: name
rlm_ldap (ldap): Released connection (0)
(7) if (!(Ldap-Group == "DevOpsUsers")) -> FALSE
(7) } # case wireless = ok
(7) } # switch &Huntgroup-Name = ok
(7) eap: Peer sent EAP Response (code 2) ID 84 length 97
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb//sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x091761d209437b6f
(7) eap: Finished EAP session with state 0x77ecfe8771b8e75b
(7) eap: Previous EAP request found for state 0x77ecfe8771b8e75b, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x025400421a0254003d3131c059d56ec6587c99d58d8f6d0c5d1f000000000000000044627d24623e170382cd9f9f0e3cdc6711c3bea4e8404665006c7061756c696e
(7) eap_peap: Setting User-Name to lpaulin
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x025400421a0254003d3131c059d56ec6587c99d58d8f6d0c5d1f000000000000000044627d24623e170382cd9f9f0e3cdc6711c3bea4e8404665006c7061756c696e
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "lpaulin"
(7) eap_peap: State = 0x091761d209437b6f25e7051f47f8b70b
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x025400421a0254003d3131c059d56ec6587c99d58d8f6d0c5d1f000000000000000044627d24623e170382cd9f9f0e3cdc6711c3bea4e8404665006c7061756c696e
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "lpaulin"
(7) State = 0x091761d209437b6f25e7051f47f8b70b
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.
(7) server inner-tunnel {
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb//sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "lpaulin", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 84 length 66
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
rlm_ldap (ldap): Reserved connection (1)
(7) ldap: EXPAND (&(objectCategory=person)(objectClass=user)(sAMAccountName=%{%{mschap:User-Name}:-%{User-Name}}))
(7) ldap: --> (&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))
(7) ldap: Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))", scope "sub"
(7) ldap: Waiting for search result...
(7) ldap: User object found at DN "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(7) ldap: Processing user attributes
(7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (1)
(7) [ldap] = ok
(7) [expiration] = noop
(7) [logintime] = noop
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb//sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0x091761d209437b6f
(7) eap: Finished EAP session with state 0x091761d209437b6f
(7) eap: Previous EAP request found for state 0x091761d209437b6f, released from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file /etc/raddb//sites-enabled/inner-tunnel
(7) eap_mschapv2: authenticate {
(7) mschap: Creating challenge hash with username: lpaulin
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:-CORP}:
(7) mschap: EXPAND --username=%{%{mschap:User-Name}:-%{%{User-Name}:-None}}
(7) mschap: --> --username=lpaulin
(7) mschap: Creating challenge hash with username: lpaulin
(7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(7) mschap: --> --challenge=9cedb32035eb3956
(7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(7) mschap: --> --nt-response=44627d24623e170382cd9f9f0e3cdc6711c3bea4e8404665
(7) mschap: ERROR: No NT-Domain was found in the User-Name
(7) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-CORP}
(7) mschap: --> --domain=CORP
(7) mschap: Program returned code (0) and output 'NT_KEY: 3868BD14995A4EF77CD7210C44503510'
(7) mschap: Adding MS-CHAPv2 MPPE keys
(7) [mschap] = ok
(7) } # authenticate = ok
(7) MSCHAP Success
(7) eap: Sending EAP Request (code 1) ID 85 length 51
(7) eap: EAP session adding &reply:State = 0x091761d208427b6f
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message = 0x015500331a0354002e533d46344230374433423330394337373432433837464338323635424539354146463737414533354445
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x091761d208427b6f25e7051f47f8b70b
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message = 0x015500331a0354002e533d46344230374433423330394337373432433837464338323635424539354146463737414533354445
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x091761d208427b6f25e7051f47f8b70b
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message = 0x015500331a0354002e533d46344230374433423330394337373432433837464338323635424539354146463737414533354445
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x091761d208427b6f25e7051f47f8b70b
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 85 length 82
(7) eap: EAP session adding &reply:State = 0x77ecfe8770b9e75b
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /etc/raddb//sites-enabled/default
(7) Sent Access-Challenge Id 226 from 10.250.33.157:1812 to 10.1.0.81:1507 length 0
(7) EAP-Message = 0x015500521900170303004712e3ce9c8b00242996c51b15873966482b3241eee2b9cc0b62ffb0d252274e0e8e854d1092996bc3e610e5b64ecb7ad15f266bea11271d1786f11dfc085af5659e547168488386
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x77ecfe8770b9e75befb8e2119e348ef2
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 227 from 10.1.0.81:1507 to 10.250.33.157:1812 length 277
(8) User-Name = "lpaulin"
(8) NAS-IP-Address = 10.1.0.81
(8) Framed-IP-Address = 10.250.156.2
(8) NAS-Identifier = "10.250.152.61/5246-wifi.net.test"
(8) Called-Station-Id = "A2-4C-A5-3F-BB-02:stingray-test"
(8) NAS-Port-Type = Wireless-802.11
(8) NAS-Port = 1
(8) Calling-Station-Id = "18-65-90-CB-4C-69"
(8) Connect-Info = "CONNECT 0Mbps 11AC"
(8) Acct-Session-Id = "5A5EA945-00080618"
(8) WLAN-Pairwise-Cipher = 1027076
(8) WLAN-Group-Cipher = 1027076
(8) WLAN-AKM-Suite = 1027073
(8) Framed-MTU = 1400
(8) EAP-Message = 0x025500251900170303001a43e2c7b41ca499e914c0d3baa357d0da39c8ad41f265a02dcc4b
(8) State = 0x77ecfe8770b9e75befb8e2119e348ef2
(8) Message-Authenticator = 0xf3cbecf193d811dcc9ea30e2aa6c580b
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb//sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(8) auth_log: --> /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(8) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(8) auth_log: EXPAND %t
(8) auth_log: --> Thu Feb 1 14:48:03 2018
(8) [auth_log] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "lpaulin", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) [files] = noop
rlm_ldap (ldap): Reserved connection (2)
(8) ldap: EXPAND (&(objectCategory=person)(objectClass=user)(sAMAccountName=%{%{mschap:User-Name}:-%{User-Name}}))
(8) ldap: --> (&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))
(8) ldap: Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: User object found at DN "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(8) ldap: Processing user attributes
(8) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (2)
(8) [ldap] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) policy ntlm_auth.authorize {
(8) if (!control:Auth-Type && User-Password) {
(8) if (!control:Auth-Type && User-Password) -> FALSE
(8) } # policy ntlm_auth.authorize = ok
(8) switch &Huntgroup-Name {
(8) case wireless {
(8) if (!(Ldap-Group == "DevOpsUsers")) {
(8) Searching for user in group "DevOpsUsers"
rlm_ldap (ldap): Reserved connection (3)
(8) Using user DN from request "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(8) Checking for user in group objects
(8) EXPAND (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=%{control:Ldap-UserDn})))
(8) --> (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))
(8) Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))", scope "sub"
(8) Waiting for search result...
(8) Search returned no results
(8) Checking user object's memberOf attributes
(8) Performing unfiltered search in "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(8) Waiting for search result...
(8) Processing memberOf value "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(8) Resolving group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(8) Performing unfiltered search in "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(8) Waiting for search result...
(8) Group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-OUTBOUND-USA"
(8) Processing memberOf value "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(8) Resolving group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" to group name
(8) Performing unfiltered search in "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(8) Waiting for search result...
(8) Group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "tech-unit"
(8) Processing memberOf value "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(8) Resolving group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(8) Performing unfiltered search in "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(8) Waiting for search result...
(8) Group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "ITDEV-L1"
(8) Processing memberOf value "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(8) Resolving group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(8) Performing unfiltered search in "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(8) Waiting for search result...
(8) Group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "GLS-ContentGroup1"
(8) Processing memberOf value "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(8) Resolving group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(8) Performing unfiltered search in "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(8) Waiting for search result...
(8) Group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Infrastructure-L2"
(8) Processing memberOf value "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(8) Resolving group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(8) Performing unfiltered search in "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(8) Waiting for search result...
(8) Group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Projects-L1"
(8) Processing memberOf value "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(8) Resolving group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(8) Performing unfiltered search in "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(8) Waiting for search result...
(8) Group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_Projects_Share"
(8) Processing memberOf value "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(8) Resolving group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(8) Performing unfiltered search in "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(8) Waiting for search result...
(8) Group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Confluence Users"
(8) Processing memberOf value "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(8) Resolving group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(8) Performing unfiltered search in "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(8) Waiting for search result...
(8) Group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_IT_Share"
(8) Processing memberOf value "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(8) Resolving group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(8) Performing unfiltered search in "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(8) Waiting for search result...
(8) Group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-SSL-ADMIN"
(8) Processing memberOf value "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(8) Resolving group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(8) Performing unfiltered search in "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(8) Waiting for search result...
(8) Group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "DevOpsUsers"
(8) User found in group "DevOpsUsers". Comparison between membership: name (resolved from DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com"), check: name
rlm_ldap (ldap): Released connection (3)
(8) if (!(Ldap-Group == "DevOpsUsers")) -> FALSE
(8) } # case wireless = ok
(8) } # switch &Huntgroup-Name = ok
(8) eap: Peer sent EAP Response (code 2) ID 85 length 37
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb//sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x091761d208427b6f
(8) eap: Finished EAP session with state 0x77ecfe8770b9e75b
(8) eap: Previous EAP request found for state 0x77ecfe8770b9e75b, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x025500061a03
(8) eap_peap: Setting User-Name to lpaulin
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x025500061a03
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "lpaulin"
(8) eap_peap: State = 0x091761d208427b6f25e7051f47f8b70b
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x025500061a03
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "lpaulin"
(8) State = 0x091761d208427b6f25e7051f47f8b70b
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb//sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "lpaulin", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 85 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(8) ldap: EXPAND (&(objectCategory=person)(objectClass=user)(sAMAccountName=%{%{mschap:User-Name}:-%{User-Name}}))
(8) ldap: --> (&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))
(8) ldap: Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: User object found at DN "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(8) ldap: Processing user attributes
(8) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (4)
(8) [ldap] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb//sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0x091761d208427b6f
(8) eap: Finished EAP session with state 0x091761d208427b6f
(8) eap: Previous EAP request found for state 0x091761d208427b6f, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 85 length 4
(8) eap: Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file /etc/raddb//sites-enabled/inner-tunnel
(8) post-auth {
(8) if (0) {
(8) if (0) -> FALSE
(8) } # post-auth = noop
(8) Login OK: [lpaulin] (from client clx3-fw-1 port 0 via TLS tunnel)
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) MS-MPPE-Send-Key = 0xb09d2ac95048793c09fddf63ccc1f551
(8) MS-MPPE-Recv-Key = 0xf79bda44f58d37ab97c9f8da4ba8faed
(8) EAP-Message = 0x03550004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) User-Name = "lpaulin"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0xb09d2ac95048793c09fddf63ccc1f551
(8) eap_peap: MS-MPPE-Recv-Key = 0xf79bda44f58d37ab97c9f8da4ba8faed
(8) eap_peap: EAP-Message = 0x03550004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "lpaulin"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0xb09d2ac95048793c09fddf63ccc1f551
(8) eap_peap: MS-MPPE-Recv-Key = 0xf79bda44f58d37ab97c9f8da4ba8faed
(8) eap_peap: EAP-Message = 0x03550004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "lpaulin"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap: Sending EAP Request (code 1) ID 86 length 46
(8) eap: EAP session adding &reply:State = 0x77ecfe877fbae75b
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /etc/raddb//sites-enabled/default
(8) Sent Access-Challenge Id 227 from 10.250.33.157:1812 to 10.1.0.81:1507 length 0
(8) EAP-Message = 0x0156002e1900170303002312e3ce9c8b00242a3a745aa55c04ddfa322cf6dc6b80ac89c631ab3463f3dd4339f847
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x77ecfe877fbae75befb8e2119e348ef2
(8) Finished request
Waking up in 4.8 seconds.
(9) Received Access-Request Id 228 from 10.1.0.81:1507 to 10.250.33.157:1812 length 286
(9) User-Name = "lpaulin"
(9) NAS-IP-Address = 10.1.0.81
(9) Framed-IP-Address = 10.250.156.2
(9) NAS-Identifier = "10.250.152.61/5246-wifi.net.test"
(9) Called-Station-Id = "A2-4C-A5-3F-BB-02:stingray-test"
(9) NAS-Port-Type = Wireless-802.11
(9) NAS-Port = 1
(9) Calling-Station-Id = "18-65-90-CB-4C-69"
(9) Connect-Info = "CONNECT 0Mbps 11AC"
(9) Acct-Session-Id = "5A5EA945-00080618"
(9) WLAN-Pairwise-Cipher = 1027076
(9) WLAN-Group-Cipher = 1027076
(9) WLAN-AKM-Suite = 1027073
(9) Framed-MTU = 1400
(9) EAP-Message = 0x0256002e1900170303002343e2c7b41ca499eac14022d927acd0e41f0a402cb6b76145b934b9e24c0e6976995117
(9) State = 0x77ecfe877fbae75befb8e2119e348ef2
(9) Message-Authenticator = 0x1e3916dd54c1093ccb8eb8025e77fd26
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/raddb//sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(9) auth_log: --> /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(9) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.81/auth-detail-20180201
(9) auth_log: EXPAND %t
(9) auth_log: --> Thu Feb 1 14:48:03 2018
(9) [auth_log] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "lpaulin", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(9) ldap: EXPAND (&(objectCategory=person)(objectClass=user)(sAMAccountName=%{%{mschap:User-Name}:-%{User-Name}}))
(9) ldap: --> (&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))
(9) ldap: Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=lpaulin))", scope "sub"
(9) ldap: Waiting for search result...
(9) ldap: User object found at DN "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(9) ldap: Processing user attributes
(9) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(9) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
(9) [ldap] = ok
(9) [expiration] = noop
(9) [logintime] = noop
(9) policy ntlm_auth.authorize {
(9) if (!control:Auth-Type && User-Password) {
(9) if (!control:Auth-Type && User-Password) -> FALSE
(9) } # policy ntlm_auth.authorize = ok
(9) switch &Huntgroup-Name {
(9) case wireless {
(9) if (!(Ldap-Group == "DevOpsUsers")) {
(9) Searching for user in group "DevOpsUsers"
rlm_ldap (ldap): Reserved connection (1)
(9) Using user DN from request "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(9) Checking for user in group objects
(9) EXPAND (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=%{control:Ldap-UserDn})))
(9) --> (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))
(9) Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))", scope "sub"
(9) Waiting for search result...
(9) Search returned no results
(9) Checking user object's memberOf attributes
(9) Performing unfiltered search in "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Processing memberOf value "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-OUTBOUND-USA"
(9) Processing memberOf value "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "tech-unit"
(9) Processing memberOf value "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "ITDEV-L1"
(9) Processing memberOf value "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "GLS-ContentGroup1"
(9) Processing memberOf value "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Infrastructure-L2"
(9) Processing memberOf value "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Projects-L1"
(9) Processing memberOf value "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_Projects_Share"
(9) Processing memberOf value "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Confluence Users"
(9) Processing memberOf value "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_IT_Share"
(9) Processing memberOf value "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-SSL-ADMIN"
(9) Processing memberOf value "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "DevOpsUsers"
(9) User found in group "DevOpsUsers". Comparison between membership: name (resolved from DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com"), check: name
rlm_ldap (ldap): Released connection (1)
(9) if (!(Ldap-Group == "DevOpsUsers")) -> FALSE
(9) } # case wireless = ok
(9) } # switch &Huntgroup-Name = ok
(9) eap: Peer sent EAP Response (code 2) ID 86 length 46
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb//sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x77ecfe877fbae75b
(9) eap: Finished EAP session with state 0x77ecfe877fbae75b
(9) eap: Previous EAP request found for state 0x77ecfe877fbae75b, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: No information to cache: session caching will be disabled for session 37175033e2b71fccf942dc510df0fe8449d058a0820c2f10147e72d18dfb4d17
(9) eap: Sending EAP Success (code 3) ID 86 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb//sites-enabled/default
(9) post-auth {
(9) update reply {
(9) Tunnel-Type := VLAN
(9) Tunnel-Private-Group-Id := 666
(9) Tunnel-Medium-Type := IEEE-802
(9) Idle-Timeout := 60
(9) Session-Timeout := 60
(9) Termination-Action := RADIUS-Request
(9) } # update reply = noop
(9) if (Ldap-Group == "DevOpsUsers") {
(9) Searching for user in group "DevOpsUsers"
rlm_ldap (ldap): Reserved connection (2)
(9) Using user DN from request "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com"
(9) Checking for user in group objects
(9) EXPAND (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=%{control:Ldap-UserDn})))
(9) --> (&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))
(9) Performing search in "DC=corp,DC=MYDOMAIN,DC=com" with filter "(&(cn=DevOpsUsers)(objectClass=posixGroup)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dUsers\2cOU\3dMontreal\2cDC\3dcorp\2cDC\3dMYDOMAIN\2cDC\3dcom)))", scope "sub"
(9) Waiting for search result...
(9) Search returned no results
(9) Checking user object's memberOf attributes
(9) Performing unfiltered search in "CN=Luc Paulin,OU=Users,OU=Montreal,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Processing memberOf value "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=VPN-OUTBOUND-USA,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-OUTBOUND-USA"
(9) Processing memberOf value "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=tech-unit,OU=Distribution Lists,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "tech-unit"
(9) Processing memberOf value "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=ITDEV-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "ITDEV-L1"
(9) Processing memberOf value "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=GLS-ContentGroup1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "GLS-ContentGroup1"
(9) Processing memberOf value "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=Infrastructure-L2,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Infrastructure-L2"
(9) Processing memberOf value "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=Projects-L1,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Projects-L1"
(9) Processing memberOf value "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=MTL_Projects_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_Projects_Share"
(9) Processing memberOf value "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=Confluence Users,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "Confluence Users"
(9) Processing memberOf value "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=MTL_IT_Share,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "MTL_IT_Share"
(9) Processing memberOf value "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=VPN-SSL-ADMIN,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "VPN-SSL-ADMIN"
(9) Processing memberOf value "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" as a DN
(9) Resolving group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" to group name
(9) Performing unfiltered search in "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com" resolves to name "DevOpsUsers"
(9) User found in group "DevOpsUsers". Comparison between membership: name (resolved from DN "CN=DevOpsUsers,OU=Security Groups,DC=corp,DC=MYDOMAIN,DC=com"), check: name
rlm_ldap (ldap): Released connection (2)
(9) if (Ldap-Group == "DevOpsUsers") -> TRUE
(9) if (Ldap-Group == "DevOpsUsers") {
(9) update reply {
(9) Juniper-Local-User-Name := "SU"
(9) Juniper-Junosspace-Profile := "devops_users"
(9) } # update reply = noop
(9) } # if (Ldap-Group == "DevOpsUsers") = noop
(9) policy rewrite_calling_station_id {
(9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(9) update request {
(9) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(9) --> 18-65-90-CB-4C-69
(9) &Calling-Station-Id := 18-65-90-CB-4C-69
(9) } # update request = noop
(9) [updated] = updated
(9) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(9) ... skipping else: Preceding "if" was taken
(9) } # policy rewrite_calling_station_id = updated
(9) authorized_macs: EXPAND %{Calling-Station-ID}
(9) authorized_macs: --> 18-65-90-CB-4C-69
(9) [authorized_macs] = noop
(9) if (!ok) {
(9) if (!ok) -> TRUE
(9) if (!ok) {
(9) update reply {
(9) Tunnel-Type := VLAN
(9) Tunnel-Medium-Type := IEEE-802
(9) Tunnel-Private-Group-Id := 155
(9) } # update reply = noop
(9) } # if (!ok) = noop
(9) ... skipping else: Preceding "if" was taken
(9) [exec] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) } # post-auth = updated
(9) Login OK: [lpaulin] (from client clx3-fw-1 port 1 cli 18-65-90-CB-4C-69)
(9) Sent Access-Accept Id 228 from 10.250.33.157:1812 to 10.1.0.81:1507 length 0
(9) MS-MPPE-Recv-Key = 0x06690e8b518668d12ba10c52b1ba6703ebbf9647b5a360f9e6cc7f2f07ef11c4
(9) MS-MPPE-Send-Key = 0x4deda2f1eb8e898267feced65486d45ce094a19afb4f5ea621cd4dc5c8f13b00
(9) EAP-Message = 0x03560004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name = "lpaulin"
(9) Tunnel-Type := VLAN
(9) Tunnel-Private-Group-Id := "155"
(9) Tunnel-Medium-Type := IEEE-802
(9) Idle-Timeout := 60
(9) Session-Timeout := 60
(9) Termination-Action := RADIUS-Request
(9) Juniper-Local-User-Name := "SU"
(9) Juniper-Junosspace-Profile := "devops_users"
(9) Finished request
Waking up in 4.8 seconds.
(0) Cleaning up request packet ID 219 with timestamp +5
(1) Cleaning up request packet ID 220 with timestamp +5
(2) Cleaning up request packet ID 221 with timestamp +5
(3) Cleaning up request packet ID 222 with timestamp +5
(4) Cleaning up request packet ID 223 with timestamp +5
(5) Cleaning up request packet ID 224 with timestamp +5
(6) Cleaning up request packet ID 225 with timestamp +5
(7) Cleaning up request packet ID 226 with timestamp +5
(8) Cleaning up request packet ID 227 with timestamp +6
(9) Cleaning up request packet ID 228 with timestamp +6
Ready to process requests
-------------- next part --------------
A non-text attachment was scrubbed...
Name: authorized_macs
Type: application/octet-stream
Size: 113 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20180201/e998a14b/attachment-0001.obj>
More information about the Freeradius-Users
mailing list