tlscache

Munroe Sollog mus3 at lehigh.edu
Thu Aug 29 19:01:09 CEST 2019


I'm trying to enable TLS caching on my RADIUS server.  The radius -X output
is included below.  I'm also including some additional information for
reference.  Looking at the debug output, I see where the cache config is
loaded, and it looks right to me.  I don't see any errors around it.

I'm expecting to see a file in the tlscache folder after a successful auth;
however, the folder remains empty.

# freeradius -v

radiusd: FreeRADIUS Version 3.0.17, for host x86_64-pc-linux-gnu, built on
Apr 22 2019 at 21:23:36

FreeRADIUS Version 3.0.17


# ls -al /var/lib/radiusd

total 12

drwxr-xr-x  3 freerad freerad 4096 Aug 29 12:27 .

drwxr-xr-x 29 root    root    4096 Aug 29 12:26 ..

drwxr-xr-x  2 freerad freerad 4096 Aug 29 12:27 tlscache
=============radius -X output=============

Ready to process requests

(0) Received Access-Request Id 0 from 128.180.10.10:37390 to
128.180.1.12:1812 length 126

(0)   User-Name = "x19a19"

(0)   Calling-Station-Id = "00-0A-CD-31-6C-B4"

(0)   Framed-MTU = 1400

(0)   NAS-Port-Type = Wireless-802.11

(0)   Service-Type = Framed-User

(0)   Connect-Info = "CONNECT 11Mbps 802.11b"

(0)   NAS-IP-Address = 128.180.10.10

(0)   EAP-Message = 0x0257000b01783139613139

(0)   Message-Authenticator = 0x3a48dc0be2decd0e236d376f69ffe48a

(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(0)   authorize {

(0)     policy filter_username {

(0)       if (&User-Name) {

(0)       if (&User-Name)  -> TRUE

(0)       if (&User-Name)  {

(0)         if (&User-Name =~ / /) {

(0)         if (&User-Name =~ / /)  -> FALSE

(0)         if (&User-Name =~ /@[^@]*@/ ) {

(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(0)         if (&User-Name =~ /\.\./ ) {

(0)         if (&User-Name =~ /\.\./ )  -> FALSE

(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(0)         if (&User-Name =~ /\.$/)  {

(0)         if (&User-Name =~ /\.$/)   -> FALSE

(0)         if (&User-Name =~ /@\./)  {

(0)         if (&User-Name =~ /@\./)   -> FALSE

(0)       } # if (&User-Name)  = notfound

(0)     } # policy filter_username = notfound

(0)     [preprocess] = ok

(0)     [mschap] = noop

(0) suffix: Checking for suffix after "@"

(0) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(0) suffix: No such realm "NULL"

(0)     [suffix] = noop

(0) eap: Peer sent EAP Response (code 2) ID 87 length 11

(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize

(0)     [eap] = ok

(0)   } # authorize = ok

(0) Found Auth-Type = eap

(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(0)   authenticate {

(0) eap: Peer sent packet with method EAP Identity (1)

(0) eap: Calling submodule eap_peap to process data

(0) eap_peap: Initiating new EAP-TLS session

(0) eap_peap: [eaptls start] = request

(0) eap: Sending EAP Request (code 1) ID 88 length 6

(0) eap: EAP session adding &reply:State = 0xd5cab529d592ace4

(0)     [eap] = handled

(0)   } # authenticate = handled

(0) Using Post-Auth-Type Challenge

(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(0)   Challenge { ... } # empty sub-section is ignored

(0) Sent Access-Challenge Id 0 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0

(0)   EAP-Message = 0x015800061920

(0)   Message-Authenticator = 0x00000000000000000000000000000000

(0)   State = 0xd5cab529d592ace4f6d40de07aff4d01

(0) Finished request

Waking up in 4.9 seconds.

(1) Received Access-Request Id 1 from 128.180.10.10:37390 to
128.180.1.12:1812 length 333

(1)   User-Name = "x19a19"

(1)   Calling-Station-Id = "00-0A-CD-31-6C-B4"

(1)   Framed-MTU = 1400

(1)   NAS-Port-Type = Wireless-802.11

(1)   Service-Type = Framed-User

(1)   Connect-Info = "CONNECT 11Mbps 802.11b"

(1)   NAS-IP-Address = 128.180.10.10

(1)   EAP-Message =
0x025800c81980000000be16030100b9010000b50303132d25755eaabb15aee43b60d657ccc2cc1fd1edb3aae7d48eaabd8658411197000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b00

(1)   State = 0xd5cab529d592ace4f6d40de07aff4d01

(1)   Message-Authenticator = 0xbd4519f715be469fa75c83986884eab7

(1) session-state: No cached attributes

(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(1)   authorize {

(1)     policy filter_username {

(1)       if (&User-Name) {

(1)       if (&User-Name)  -> TRUE

(1)       if (&User-Name)  {

(1)         if (&User-Name =~ / /) {

(1)         if (&User-Name =~ / /)  -> FALSE

(1)         if (&User-Name =~ /@[^@]*@/ ) {

(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(1)         if (&User-Name =~ /\.\./ ) {

(1)         if (&User-Name =~ /\.\./ )  -> FALSE

(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(1)         if (&User-Name =~ /\.$/)  {

(1)         if (&User-Name =~ /\.$/)   -> FALSE

(1)         if (&User-Name =~ /@\./)  {

(1)         if (&User-Name =~ /@\./)   -> FALSE

(1)       } # if (&User-Name)  = notfound

(1)     } # policy filter_username = notfound

(1)     [preprocess] = ok

(1)     [mschap] = noop

(1) suffix: Checking for suffix after "@"

(1) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(1) suffix: No such realm "NULL"

(1)     [suffix] = noop

(1) eap: Peer sent EAP Response (code 2) ID 88 length 200

(1) eap: Continuing tunnel setup

(1)     [eap] = ok

(1)   } # authorize = ok

(1) Found Auth-Type = eap

(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(1)   authenticate {

(1) eap: Expiring EAP session with state 0xd5cab529d592ace4

(1) eap: Finished EAP session with state 0xd5cab529d592ace4

(1) eap: Previous EAP request found for state 0xd5cab529d592ace4, released
from the list

(1) eap: Peer sent packet with method EAP PEAP (25)

(1) eap: Calling submodule eap_peap to process data

(1) eap_peap: Continuing EAP-TLS

(1) eap_peap: Peer indicated complete TLS record size will be 190 bytes

(1) eap_peap: Got complete TLS record (190 bytes)

(1) eap_peap: [eaptls verify] = length included

(1) eap_peap: (other): before SSL initialization

(1) eap_peap: TLS_accept: before SSL initialization

(1) eap_peap: TLS_accept: before SSL initialization

(1) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 00b9]

(1) eap_peap: TLS_accept: SSLv3/TLS read client hello

(1) eap_peap: >>> send TLS 1.2  [length 003d]

(1) eap_peap: TLS_accept: SSLv3/TLS write server hello

(1) eap_peap: >>> send TLS 1.2  [length 02ff]

(1) eap_peap: TLS_accept: SSLv3/TLS write certificate

(1) eap_peap: >>> send TLS 1.2  [length 014d]

(1) eap_peap: TLS_accept: SSLv3/TLS write key exchange

(1) eap_peap: >>> send TLS 1.2  [length 0004]

(1) eap_peap: TLS_accept: SSLv3/TLS write server done

(1) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done

(1) eap_peap: In SSL Handshake Phase

(1) eap_peap: In SSL Accept mode

(1) eap_peap: [eaptls process] = handled

(1) eap: Sending EAP Request (code 1) ID 89 length 1004

(1) eap: EAP session adding &reply:State = 0xd5cab529d493ace4

(1)     [eap] = handled

(1)   } # authenticate = handled

(1) Using Post-Auth-Type Challenge

(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(1)   Challenge { ... } # empty sub-section is ignored

(1) Sent Access-Challenge Id 1 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0

(1)   EAP-Message =
0x015903ec19c0000004a1160303003d020000390303dd83be8c2d3373ce58eee72115d28fd891a538ba5fcf3717444f574e4752440100c030000011ff01000100000b0004030001020017000016030302ff0b0002fb0002f80002f5308202f1308201d9a00302010202146434b6d539827cbeb8e5394cc7

(1)   Message-Authenticator = 0x00000000000000000000000000000000

(1)   State = 0xd5cab529d493ace4f6d40de07aff4d01

(1) Finished request

Waking up in 4.9 seconds.

(2) Received Access-Request Id 2 from 128.180.10.10:37390 to
128.180.1.12:1812 length 139

(2)   User-Name = "x19a19"

(2)   Calling-Station-Id = "00-0A-CD-31-6C-B4"

(2)   Framed-MTU = 1400

(2)   NAS-Port-Type = Wireless-802.11

(2)   Service-Type = Framed-User

(2)   Connect-Info = "CONNECT 11Mbps 802.11b"

(2)   NAS-IP-Address = 128.180.10.10

(2)   EAP-Message = 0x025900061900

(2)   State = 0xd5cab529d493ace4f6d40de07aff4d01

(2)   Message-Authenticator = 0x7b647a04b11930721a7fe202c4e2db1d

(2) session-state: No cached attributes

(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(2)   authorize {

(2)     policy filter_username {

(2)       if (&User-Name) {

(2)       if (&User-Name)  -> TRUE

(2)       if (&User-Name)  {

(2)         if (&User-Name =~ / /) {

(2)         if (&User-Name =~ / /)  -> FALSE

(2)         if (&User-Name =~ /@[^@]*@/ ) {

(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(2)         if (&User-Name =~ /\.\./ ) {

(2)         if (&User-Name =~ /\.\./ )  -> FALSE

(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(2)         if (&User-Name =~ /\.$/)  {

(2)         if (&User-Name =~ /\.$/)   -> FALSE

(2)         if (&User-Name =~ /@\./)  {

(2)         if (&User-Name =~ /@\./)   -> FALSE

(2)       } # if (&User-Name)  = notfound

(2)     } # policy filter_username = notfound

(2)     [preprocess] = ok

(2)     [mschap] = noop

(2) suffix: Checking for suffix after "@"

(2) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(2) suffix: No such realm "NULL"

(2)     [suffix] = noop

(2) eap: Peer sent EAP Response (code 2) ID 89 length 6

(2) eap: Continuing tunnel setup

(2)     [eap] = ok

(2)   } # authorize = ok

(2) Found Auth-Type = eap

(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(2)   authenticate {

(2) eap: Expiring EAP session with state 0xd5cab529d493ace4

(2) eap: Finished EAP session with state 0xd5cab529d493ace4

(2) eap: Previous EAP request found for state 0xd5cab529d493ace4, released
from the list

(2) eap: Peer sent packet with method EAP PEAP (25)

(2) eap: Calling submodule eap_peap to process data

(2) eap_peap: Continuing EAP-TLS

(2) eap_peap: Peer ACKed our handshake fragment

(2) eap_peap: [eaptls verify] = request

(2) eap_peap: [eaptls process] = handled

(2) eap: Sending EAP Request (code 1) ID 90 length 197

(2) eap: EAP session adding &reply:State = 0xd5cab529d790ace4

(2)     [eap] = handled

(2)   } # authenticate = handled

(2) Using Post-Auth-Type Challenge

(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(2)   Challenge { ... } # empty sub-section is ignored

(2) Sent Access-Challenge Id 2 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0

(2)   EAP-Message =
0x015a00c519009514387a2a99cbc5bc7bf00cd5a29c255b83772ba796b69dae86ff9b01f62cd587cd98518e7b3476015a262ecd457d3d4907b7ea5078d7f296d2f954319aa2bff38c213fd16268b2602ae9b69d9e89420a7a7232915386dac92e9f835425586551deb8019cfb47aca33d279ff611294f8b

(2)   Message-Authenticator = 0x00000000000000000000000000000000

(2)   State = 0xd5cab529d790ace4f6d40de07aff4d01

(2) Finished request

Waking up in 4.9 seconds.

(3) Received Access-Request Id 3 from 128.180.10.10:37390 to
128.180.1.12:1812 length 269

(3)   User-Name = "x19a19"

(3)   Calling-Station-Id = "00-0A-CD-31-6C-B4"

(3)   Framed-MTU = 1400

(3)   NAS-Port-Type = Wireless-802.11

(3)   Service-Type = Framed-User

(3)   Connect-Info = "CONNECT 11Mbps 802.11b"

(3)   NAS-IP-Address = 128.180.10.10

(3)   EAP-Message =
0x025a008819800000007e1603030046100000424104fc5bb0a7a1c6d364acac1b9577d6da13d37ae7f5be2269a13a2dd8ff073c07355810fe52fe84b6478bf08c55e531ced723650d13c9c3eb6b6ccd8b9a303640be140303000101160303002850823d0b0711a0e3ca25a3d3c0b0608532302156d36f93

(3)   State = 0xd5cab529d790ace4f6d40de07aff4d01

(3)   Message-Authenticator = 0xb228fa99ab9bc2c005e4a529b3e61308

(3) session-state: No cached attributes

(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(3)   authorize {

(3)     policy filter_username {

(3)       if (&User-Name) {

(3)       if (&User-Name)  -> TRUE

(3)       if (&User-Name)  {

(3)         if (&User-Name =~ / /) {

(3)         if (&User-Name =~ / /)  -> FALSE

(3)         if (&User-Name =~ /@[^@]*@/ ) {

(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(3)         if (&User-Name =~ /\.\./ ) {

(3)         if (&User-Name =~ /\.\./ )  -> FALSE

(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(3)         if (&User-Name =~ /\.$/)  {

(3)         if (&User-Name =~ /\.$/)   -> FALSE

(3)         if (&User-Name =~ /@\./)  {

(3)         if (&User-Name =~ /@\./)   -> FALSE

(3)       } # if (&User-Name)  = notfound

(3)     } # policy filter_username = notfound

(3)     [preprocess] = ok

(3)     [mschap] = noop

(3) suffix: Checking for suffix after "@"

(3) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(3) suffix: No such realm "NULL"

(3)     [suffix] = noop

(3) eap: Peer sent EAP Response (code 2) ID 90 length 136

(3) eap: Continuing tunnel setup

(3)     [eap] = ok

(3)   } # authorize = ok

(3) Found Auth-Type = eap

(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(3)   authenticate {

(3) eap: Expiring EAP session with state 0xd5cab529d790ace4

(3) eap: Finished EAP session with state 0xd5cab529d790ace4

(3) eap: Previous EAP request found for state 0xd5cab529d790ace4, released
from the list

(3) eap: Peer sent packet with method EAP PEAP (25)

(3) eap: Calling submodule eap_peap to process data

(3) eap_peap: Continuing EAP-TLS

(3) eap_peap: Peer indicated complete TLS record size will be 126 bytes

(3) eap_peap: Got complete TLS record (126 bytes)

(3) eap_peap: [eaptls verify] = length included

(3) eap_peap: TLS_accept: SSLv3/TLS write server done

(3) eap_peap: <<< recv TLS 1.2  [length 0046]

(3) eap_peap: TLS_accept: SSLv3/TLS read client key exchange

(3) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec

(3) eap_peap: <<< recv TLS 1.2  [length 0010]

(3) eap_peap: TLS_accept: SSLv3/TLS read finished

(3) eap_peap: >>> send TLS 1.2  [length 0001]

(3) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec

(3) eap_peap: >>> send TLS 1.2  [length 0010]

(3) eap_peap: TLS_accept: SSLv3/TLS write finished

(3) eap_peap: (other): SSL negotiation finished successfully

(3) eap_peap: SSL Connection Established

(3) eap_peap: [eaptls process] = handled

(3) eap: Sending EAP Request (code 1) ID 91 length 57

(3) eap: EAP session adding &reply:State = 0xd5cab529d691ace4

(3)     [eap] = handled

(3)   } # authenticate = handled

(3) Using Post-Auth-Type Challenge

(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(3)   Challenge { ... } # empty sub-section is ignored

(3) Sent Access-Challenge Id 3 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0

(3)   EAP-Message =
0x015b0039190014030300010116030300284d99b5c3c5193bcc51b4aa1ed19ca2be71cfdb79c560a09d671240792b6456674737f95c176ab1d7

(3)   Message-Authenticator = 0x00000000000000000000000000000000

(3)   State = 0xd5cab529d691ace4f6d40de07aff4d01

(3) Finished request

Waking up in 4.9 seconds.

(4) Received Access-Request Id 4 from 128.180.10.10:37390 to
128.180.1.12:1812 length 139

(4)   User-Name = "x19a19"

(4)   Calling-Station-Id = "00-0A-CD-31-6C-B4"

(4)   Framed-MTU = 1400

(4)   NAS-Port-Type = Wireless-802.11

(4)   Service-Type = Framed-User

(4)   Connect-Info = "CONNECT 11Mbps 802.11b"

(4)   NAS-IP-Address = 128.180.10.10

(4)   EAP-Message = 0x025b00061900

(4)   State = 0xd5cab529d691ace4f6d40de07aff4d01

(4)   Message-Authenticator = 0xf00cd599fd7c7eb90b7e5382f9f10bde

(4) session-state: No cached attributes

(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(4)   authorize {

(4)     policy filter_username {

(4)       if (&User-Name) {

(4)       if (&User-Name)  -> TRUE

(4)       if (&User-Name)  {

(4)         if (&User-Name =~ / /) {

(4)         if (&User-Name =~ / /)  -> FALSE

(4)         if (&User-Name =~ /@[^@]*@/ ) {

(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(4)         if (&User-Name =~ /\.\./ ) {

(4)         if (&User-Name =~ /\.\./ )  -> FALSE

(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(4)         if (&User-Name =~ /\.$/)  {

(4)         if (&User-Name =~ /\.$/)   -> FALSE

(4)         if (&User-Name =~ /@\./)  {

(4)         if (&User-Name =~ /@\./)   -> FALSE

(4)       } # if (&User-Name)  = notfound

(4)     } # policy filter_username = notfound

(4)     [preprocess] = ok

(4)     [mschap] = noop

(4) suffix: Checking for suffix after "@"

(4) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(4) suffix: No such realm "NULL"

(4)     [suffix] = noop

(4) eap: Peer sent EAP Response (code 2) ID 91 length 6

(4) eap: Continuing tunnel setup

(4)     [eap] = ok

(4)   } # authorize = ok

(4) Found Auth-Type = eap

(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(4)   authenticate {

(4) eap: Expiring EAP session with state 0xd5cab529d691ace4

(4) eap: Finished EAP session with state 0xd5cab529d691ace4

(4) eap: Previous EAP request found for state 0xd5cab529d691ace4, released
from the list

(4) eap: Peer sent packet with method EAP PEAP (25)

(4) eap: Calling submodule eap_peap to process data

(4) eap_peap: Continuing EAP-TLS

(4) eap_peap: Peer ACKed our handshake fragment.  handshake is finished

(4) eap_peap: [eaptls verify] = success

(4) eap_peap: [eaptls process] = success

(4) eap_peap: Session established.  Decoding tunneled attributes

(4) eap_peap: PEAP state TUNNEL ESTABLISHED

(4) eap: Sending EAP Request (code 1) ID 92 length 40

(4) eap: EAP session adding &reply:State = 0xd5cab529d196ace4

(4)     [eap] = handled

(4)   } # authenticate = handled

(4) Using Post-Auth-Type Challenge

(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(4)   Challenge { ... } # empty sub-section is ignored

(4) Sent Access-Challenge Id 4 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0

(4)   EAP-Message =
0x015c00281900170303001d4d99b5c3c5193bcd9137302e88e4ffe708354e681dbf61a648e63395ac

(4)   Message-Authenticator = 0x00000000000000000000000000000000

(4)   State = 0xd5cab529d196ace4f6d40de07aff4d01

(4) Finished request

Waking up in 4.9 seconds.

(5) Received Access-Request Id 5 from 128.180.10.10:37390 to
128.180.1.12:1812 length 175

(5)   User-Name = "x19a19"

(5)   Calling-Station-Id = "00-0A-CD-31-6C-B4"

(5)   Framed-MTU = 1400

(5)   NAS-Port-Type = Wireless-802.11

(5)   Service-Type = Framed-User

(5)   Connect-Info = "CONNECT 11Mbps 802.11b"

(5)   NAS-IP-Address = 128.180.10.10

(5)   EAP-Message =
0x025c002a1900170303001f50823d0b0711a0e49fe1c10b3d17b529a59955d132202ac16d913e01a58e73

(5)   State = 0xd5cab529d196ace4f6d40de07aff4d01

(5)   Message-Authenticator = 0x3f6f9dcc52fc81ba4a45772b1c6ffc6b

(5) session-state: No cached attributes

(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(5)   authorize {

(5)     policy filter_username {

(5)       if (&User-Name) {

(5)       if (&User-Name)  -> TRUE

(5)       if (&User-Name)  {

(5)         if (&User-Name =~ / /) {

(5)         if (&User-Name =~ / /)  -> FALSE

(5)         if (&User-Name =~ /@[^@]*@/ ) {

(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(5)         if (&User-Name =~ /\.\./ ) {

(5)         if (&User-Name =~ /\.\./ )  -> FALSE

(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(5)         if (&User-Name =~ /\.$/)  {

(5)         if (&User-Name =~ /\.$/)   -> FALSE

(5)         if (&User-Name =~ /@\./)  {

(5)         if (&User-Name =~ /@\./)   -> FALSE

(5)       } # if (&User-Name)  = notfound

(5)     } # policy filter_username = notfound

(5)     [preprocess] = ok

(5)     [mschap] = noop

(5) suffix: Checking for suffix after "@"

(5) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(5) suffix: No such realm "NULL"

(5)     [suffix] = noop

(5) eap: Peer sent EAP Response (code 2) ID 92 length 42

(5) eap: Continuing tunnel setup

(5)     [eap] = ok

(5)   } # authorize = ok

(5) Found Auth-Type = eap

(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(5)   authenticate {

(5) eap: Expiring EAP session with state 0xd5cab529d196ace4

(5) eap: Finished EAP session with state 0xd5cab529d196ace4

(5) eap: Previous EAP request found for state 0xd5cab529d196ace4, released
from the list

(5) eap: Peer sent packet with method EAP PEAP (25)

(5) eap: Calling submodule eap_peap to process data

(5) eap_peap: Continuing EAP-TLS

(5) eap_peap: [eaptls verify] = ok

(5) eap_peap: Done initial handshake

(5) eap_peap: [eaptls process] = ok

(5) eap_peap: Session established.  Decoding tunneled attributes

(5) eap_peap: PEAP state WAITING FOR INNER IDENTITY

(5) eap_peap: Identity - x19a19

(5) eap_peap: Got inner identity 'x19a19'

(5) eap_peap: Setting default EAP type for tunneled EAP session

(5) eap_peap: Got tunneled request

(5) eap_peap:   EAP-Message = 0x025c000b01783139613139

(5) eap_peap: Setting User-Name to x19a19

(5) eap_peap: Sending tunneled request to inner-tunnel

(5) eap_peap:   EAP-Message = 0x025c000b01783139613139

(5) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1

(5) eap_peap:   User-Name = "x19a19"

(5) Virtual server inner-tunnel received request

(5)   EAP-Message = 0x025c000b01783139613139

(5)   FreeRADIUS-Proxied-To = 127.0.0.1

(5)   User-Name = "x19a19"

(5) WARNING: Outer and inner identities are the same.  User privacy is
compromised.

(5) server inner-tunnel {

(5)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(5)     authorize {

(5)       policy filter_username {

(5)         if (&User-Name) {

(5)         if (&User-Name)  -> TRUE

(5)         if (&User-Name)  {

(5)           if (&User-Name =~ / /) {

(5)           if (&User-Name =~ / /)  -> FALSE

(5)           if (&User-Name =~ /@[^@]*@/ ) {

(5)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(5)           if (&User-Name =~ /\.\./ ) {

(5)           if (&User-Name =~ /\.\./ )  -> FALSE

(5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE

(5)           if (&User-Name =~ /\.$/)  {

(5)           if (&User-Name =~ /\.$/)   -> FALSE

(5)           if (&User-Name =~ /@\./)  {

(5)           if (&User-Name =~ /@\./)   -> FALSE

(5)         } # if (&User-Name)  = notfound

(5)       } # policy filter_username = notfound

(5)       [chap] = noop

(5)       [mschap] = noop

(5) suffix: Checking for suffix after "@"

(5) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(5) suffix: No such realm "NULL"

(5)       [suffix] = noop

(5)       update control {

(5)         &Proxy-To-Realm := LOCAL

(5)       } # update control = noop

(5) eap: Peer sent EAP Response (code 2) ID 92 length 11

(5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize

(5)       [eap] = ok

(5)     } # authorize = ok

(5)   Found Auth-Type = eap

(5)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(5)     authenticate {

(5) eap: Peer sent packet with method EAP Identity (1)

(5) eap: Calling submodule eap_mschapv2 to process data

(5) eap_mschapv2: Issuing Challenge

(5) eap: Sending EAP Request (code 1) ID 93 length 43

(5) eap: EAP session adding &reply:State = 0x97ebaf3b97b6b5d2

(5)       [eap] = handled

(5)     } # authenticate = handled

(5) } # server inner-tunnel

(5) Virtual server sending reply

(5)   EAP-Message =
0x015d002b1a015d0026107c13a4105e1039e486e7f86a4e2d4b9c667265657261646975732d332e302e3137

(5)   Message-Authenticator = 0x00000000000000000000000000000000

(5)   State = 0x97ebaf3b97b6b5d21f4ac90eaae0ae9c

(5) eap_peap: Got tunneled reply code 11

(5) eap_peap:   EAP-Message =
0x015d002b1a015d0026107c13a4105e1039e486e7f86a4e2d4b9c667265657261646975732d332e302e3137

(5) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(5) eap_peap:   State = 0x97ebaf3b97b6b5d21f4ac90eaae0ae9c

(5) eap_peap: Got tunneled reply RADIUS code 11

(5) eap_peap:   EAP-Message =
0x015d002b1a015d0026107c13a4105e1039e486e7f86a4e2d4b9c667265657261646975732d332e302e3137

(5) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(5) eap_peap:   State = 0x97ebaf3b97b6b5d21f4ac90eaae0ae9c

(5) eap_peap: Got tunneled Access-Challenge

(5) eap: Sending EAP Request (code 1) ID 93 length 74

(5) eap: EAP session adding &reply:State = 0xd5cab529d097ace4

(5)     [eap] = handled

(5)   } # authenticate = handled

(5) Using Post-Auth-Type Challenge

(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(5)   Challenge { ... } # empty sub-section is ignored

(5) Sent Access-Challenge Id 5 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0

(5)   EAP-Message =
0x015d004a1900170303003f4d99b5c3c5193bced34dea26eb084492b33e0c0a8590d44411cccab329b81d25a3bb5c6eb0b98906ef940b0afff59de07f275f1743963056a5e713fdb5f1ae

(5)   Message-Authenticator = 0x00000000000000000000000000000000

(5)   State = 0xd5cab529d097ace4f6d40de07aff4d01

(5) Finished request

Waking up in 4.9 seconds.

(6) Received Access-Request Id 6 from 128.180.10.10:37390 to
128.180.1.12:1812 length 229

(6)   User-Name = "x19a19"

(6)   Calling-Station-Id = "00-0A-CD-31-6C-B4"

(6)   Framed-MTU = 1400

(6)   NAS-Port-Type = Wireless-802.11

(6)   Service-Type = Framed-User

(6)   Connect-Info = "CONNECT 11Mbps 802.11b"

(6)   NAS-IP-Address = 128.180.10.10

(6)   EAP-Message =
0x025d00601900170303005550823d0b0711a0e5c1ab4673218f7703e98d7ae9be258bb253344c2b53be68a837fd1f45e10d7a14397b7f051e20d1c55158b3638b42b8acfb55492ce8a90ba4f38da594d8dd9148ed0e509eee492ac6e9ab270a94

(6)   State = 0xd5cab529d097ace4f6d40de07aff4d01

(6)   Message-Authenticator = 0xcd8033c23d61a2240a845706bbc692e2

(6) session-state: No cached attributes

(6) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(6)   authorize {

(6)     policy filter_username {

(6)       if (&User-Name) {

(6)       if (&User-Name)  -> TRUE

(6)       if (&User-Name)  {

(6)         if (&User-Name =~ / /) {

(6)         if (&User-Name =~ / /)  -> FALSE

(6)         if (&User-Name =~ /@[^@]*@/ ) {

(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(6)         if (&User-Name =~ /\.\./ ) {

(6)         if (&User-Name =~ /\.\./ )  -> FALSE

(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(6)         if (&User-Name =~ /\.$/)  {

(6)         if (&User-Name =~ /\.$/)   -> FALSE

(6)         if (&User-Name =~ /@\./)  {

(6)         if (&User-Name =~ /@\./)   -> FALSE

(6)       } # if (&User-Name)  = notfound

(6)     } # policy filter_username = notfound

(6)     [preprocess] = ok

(6)     [mschap] = noop

(6) suffix: Checking for suffix after "@"

(6) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(6) suffix: No such realm "NULL"

(6)     [suffix] = noop

(6) eap: Peer sent EAP Response (code 2) ID 93 length 96

(6) eap: Continuing tunnel setup

(6)     [eap] = ok

(6)   } # authorize = ok

(6) Found Auth-Type = eap

(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(6)   authenticate {

(6) eap: Expiring EAP session with state 0x97ebaf3b97b6b5d2

(6) eap: Finished EAP session with state 0xd5cab529d097ace4

(6) eap: Previous EAP request found for state 0xd5cab529d097ace4, released
from the list

(6) eap: Peer sent packet with method EAP PEAP (25)

(6) eap: Calling submodule eap_peap to process data

(6) eap_peap: Continuing EAP-TLS

(6) eap_peap: [eaptls verify] = ok

(6) eap_peap: Done initial handshake

(6) eap_peap: [eaptls process] = ok

(6) eap_peap: Session established.  Decoding tunneled attributes

(6) eap_peap: PEAP state phase2

(6) eap_peap: EAP method MSCHAPv2 (26)

(6) eap_peap: Got tunneled request

(6) eap_peap:   EAP-Message =
0x025d00411a025d003c31e0ecf5de1b0eaa47a2fae06c0ea80a06000000000000000061407f8eb8e26fb9e634cbed4006b3f6280b910bfaaf75c600783139613139

(6) eap_peap: Setting User-Name to x19a19

(6) eap_peap: Sending tunneled request to inner-tunnel

(6) eap_peap:   EAP-Message =
0x025d00411a025d003c31e0ecf5de1b0eaa47a2fae06c0ea80a06000000000000000061407f8eb8e26fb9e634cbed4006b3f6280b910bfaaf75c600783139613139

(6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1

(6) eap_peap:   User-Name = "x19a19"

(6) eap_peap:   State = 0x97ebaf3b97b6b5d21f4ac90eaae0ae9c

(6) Virtual server inner-tunnel received request

(6)   EAP-Message =
0x025d00411a025d003c31e0ecf5de1b0eaa47a2fae06c0ea80a06000000000000000061407f8eb8e26fb9e634cbed4006b3f6280b910bfaaf75c600783139613139

(6)   FreeRADIUS-Proxied-To = 127.0.0.1

(6)   User-Name = "x19a19"

(6)   State = 0x97ebaf3b97b6b5d21f4ac90eaae0ae9c

(6) WARNING: Outer and inner identities are the same.  User privacy is
compromised.

(6) server inner-tunnel {

(6)   session-state: No cached attributes

(6)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(6)     authorize {

(6)       policy filter_username {

(6)         if (&User-Name) {

(6)         if (&User-Name)  -> TRUE

(6)         if (&User-Name)  {

(6)           if (&User-Name =~ / /) {

(6)           if (&User-Name =~ / /)  -> FALSE

(6)           if (&User-Name =~ /@[^@]*@/ ) {

(6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(6)           if (&User-Name =~ /\.\./ ) {

(6)           if (&User-Name =~ /\.\./ )  -> FALSE

(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE

(6)           if (&User-Name =~ /\.$/)  {

(6)           if (&User-Name =~ /\.$/)   -> FALSE

(6)           if (&User-Name =~ /@\./)  {

(6)           if (&User-Name =~ /@\./)   -> FALSE

(6)         } # if (&User-Name)  = notfound

(6)       } # policy filter_username = notfound

(6)       [chap] = noop

(6)       [mschap] = noop

(6) suffix: Checking for suffix after "@"

(6) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(6) suffix: No such realm "NULL"

(6)       [suffix] = noop

(6)       update control {

(6)         &Proxy-To-Realm := LOCAL

(6)       } # update control = noop

(6) eap: Peer sent EAP Response (code 2) ID 93 length 65

(6) eap: No EAP Start, assuming it's an on-going EAP conversation

(6)       [eap] = updated

(6)       [files] = noop

(6)       [expiration] = noop

(6)       [logintime] = noop

(6)       [pap] = noop

(6)     } # authorize = updated

(6)   Found Auth-Type = eap

(6)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(6)     authenticate {

(6) eap: Expiring EAP session with state 0x97ebaf3b97b6b5d2

(6) eap: Finished EAP session with state 0x97ebaf3b97b6b5d2

(6) eap: Previous EAP request found for state 0x97ebaf3b97b6b5d2, released
from the list

(6) eap: Peer sent packet with method EAP MSCHAPv2 (26)

(6) eap: Calling submodule eap_mschapv2 to process data

(6) eap_mschapv2: # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(6) eap_mschapv2:   authenticate {

(6) mschap: Creating challenge hash with username: x19a19

(6) mschap: Client is using MS-CHAPv2

(6) mschap: EXPAND %{mschap:User-Name}

(6) mschap:    --> x19a19

rlm_mschap (mschap): Reserved connection (0)

(6) mschap: sending authentication request user='x19a19' domain='AD'

rlm_mschap (mschap): Released connection (0)

Need 5 more connections to reach 10 spares

rlm_mschap (mschap): Opening additional connection (5), 1 of 27 pending
slots used

(6) mschap: Authenticated successfully

(6) mschap: Adding MS-CHAPv2 MPPE keys

(6)     [mschap] = ok

(6)   } # authenticate = ok

(6) MSCHAP Success

(6) eap: Sending EAP Request (code 1) ID 94 length 51

(6) eap: EAP session adding &reply:State = 0x97ebaf3b96b5b5d2

(6)       [eap] = handled

(6)     } # authenticate = handled

(6) } # server inner-tunnel

(6) Virtual server sending reply

(6)   EAP-Message =
0x015e00331a035d002e533d32364236443532434631443937453031424333314332343541464438364431304133363037454234

(6)   Message-Authenticator = 0x00000000000000000000000000000000

(6)   State = 0x97ebaf3b96b5b5d21f4ac90eaae0ae9c

(6) eap_peap: Got tunneled reply code 11

(6) eap_peap:   EAP-Message =
0x015e00331a035d002e533d32364236443532434631443937453031424333314332343541464438364431304133363037454234

(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(6) eap_peap:   State = 0x97ebaf3b96b5b5d21f4ac90eaae0ae9c

(6) eap_peap: Got tunneled reply RADIUS code 11

(6) eap_peap:   EAP-Message =
0x015e00331a035d002e533d32364236443532434631443937453031424333314332343541464438364431304133363037454234

(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(6) eap_peap:   State = 0x97ebaf3b96b5b5d21f4ac90eaae0ae9c

(6) eap_peap: Got tunneled Access-Challenge

(6) eap: Sending EAP Request (code 1) ID 94 length 82

(6) eap: EAP session adding &reply:State = 0xd5cab529d394ace4

(6)     [eap] = handled

(6)   } # authenticate = handled

(6) Using Post-Auth-Type Challenge

(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(6)   Challenge { ... } # empty sub-section is ignored

(6) Sent Access-Challenge Id 6 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0

(6)   EAP-Message =
0x015e0052190017030300474d99b5c3c5193bcfed6bc205bbb3e97baa83ae82f585e2f28775992d1da91a9e8cba0c1a820eee27064fc71137c771a15c648a1dc5e69d794a37d671a294003a83ce621e4c9ca8

(6)   Message-Authenticator = 0x00000000000000000000000000000000

(6)   State = 0xd5cab529d394ace4f6d40de07aff4d01

(6) Finished request

Waking up in 4.9 seconds.

(7) Received Access-Request Id 7 from 128.180.10.10:37390 to
128.180.1.12:1812 length 170

(7)   User-Name = "x19a19"

(7)   Calling-Station-Id = "00-0A-CD-31-6C-B4"

(7)   Framed-MTU = 1400

(7)   NAS-Port-Type = Wireless-802.11

(7)   Service-Type = Framed-User

(7)   Connect-Info = "CONNECT 11Mbps 802.11b"

(7)   NAS-IP-Address = 128.180.10.10

(7)   EAP-Message =
0x025e00251900170303001a50823d0b0711a0e6d862f400ba40e4e3346eb03ba1666f089bdb

(7)   State = 0xd5cab529d394ace4f6d40de07aff4d01

(7)   Message-Authenticator = 0x2187a05fc656d964f49bac68b0d01e1f

(7) session-state: No cached attributes

(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(7)   authorize {

(7)     policy filter_username {

(7)       if (&User-Name) {

(7)       if (&User-Name)  -> TRUE

(7)       if (&User-Name)  {

(7)         if (&User-Name =~ / /) {

(7)         if (&User-Name =~ / /)  -> FALSE

(7)         if (&User-Name =~ /@[^@]*@/ ) {

(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(7)         if (&User-Name =~ /\.\./ ) {

(7)         if (&User-Name =~ /\.\./ )  -> FALSE

(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(7)         if (&User-Name =~ /\.$/)  {

(7)         if (&User-Name =~ /\.$/)   -> FALSE

(7)         if (&User-Name =~ /@\./)  {

(7)         if (&User-Name =~ /@\./)   -> FALSE

(7)       } # if (&User-Name)  = notfound

(7)     } # policy filter_username = notfound

(7)     [preprocess] = ok

(7)     [mschap] = noop

(7) suffix: Checking for suffix after "@"

(7) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(7) suffix: No such realm "NULL"

(7)     [suffix] = noop

(7) eap: Peer sent EAP Response (code 2) ID 94 length 37

(7) eap: Continuing tunnel setup

(7)     [eap] = ok

(7)   } # authorize = ok

(7) Found Auth-Type = eap

(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(7)   authenticate {

(7) eap: Expiring EAP session with state 0x97ebaf3b96b5b5d2

(7) eap: Finished EAP session with state 0xd5cab529d394ace4

(7) eap: Previous EAP request found for state 0xd5cab529d394ace4, released
from the list

(7) eap: Peer sent packet with method EAP PEAP (25)

(7) eap: Calling submodule eap_peap to process data

(7) eap_peap: Continuing EAP-TLS

(7) eap_peap: [eaptls verify] = ok

(7) eap_peap: Done initial handshake

(7) eap_peap: [eaptls process] = ok

(7) eap_peap: Session established.  Decoding tunneled attributes

(7) eap_peap: PEAP state phase2

(7) eap_peap: EAP method MSCHAPv2 (26)

(7) eap_peap: Got tunneled request

(7) eap_peap:   EAP-Message = 0x025e00061a03

(7) eap_peap: Setting User-Name to x19a19

(7) eap_peap: Sending tunneled request to inner-tunnel

(7) eap_peap:   EAP-Message = 0x025e00061a03

(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1

(7) eap_peap:   User-Name = "x19a19"

(7) eap_peap:   State = 0x97ebaf3b96b5b5d21f4ac90eaae0ae9c

(7) Virtual server inner-tunnel received request

(7)   EAP-Message = 0x025e00061a03

(7)   FreeRADIUS-Proxied-To = 127.0.0.1

(7)   User-Name = "x19a19"

(7)   State = 0x97ebaf3b96b5b5d21f4ac90eaae0ae9c

(7) WARNING: Outer and inner identities are the same.  User privacy is
compromised.

(7) server inner-tunnel {

(7)   session-state: No cached attributes

(7)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(7)     authorize {

(7)       policy filter_username {

(7)         if (&User-Name) {

(7)         if (&User-Name)  -> TRUE

(7)         if (&User-Name)  {

(7)           if (&User-Name =~ / /) {

(7)           if (&User-Name =~ / /)  -> FALSE

(7)           if (&User-Name =~ /@[^@]*@/ ) {

(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(7)           if (&User-Name =~ /\.\./ ) {

(7)           if (&User-Name =~ /\.\./ )  -> FALSE

(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE

(7)           if (&User-Name =~ /\.$/)  {

(7)           if (&User-Name =~ /\.$/)   -> FALSE

(7)           if (&User-Name =~ /@\./)  {

(7)           if (&User-Name =~ /@\./)   -> FALSE

(7)         } # if (&User-Name)  = notfound

(7)       } # policy filter_username = notfound

(7)       [chap] = noop

(7)       [mschap] = noop

(7) suffix: Checking for suffix after "@"

(7) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(7) suffix: No such realm "NULL"

(7)       [suffix] = noop

(7)       update control {

(7)         &Proxy-To-Realm := LOCAL

(7)       } # update control = noop

(7) eap: Peer sent EAP Response (code 2) ID 94 length 6

(7) eap: No EAP Start, assuming it's an on-going EAP conversation

(7)       [eap] = updated

(7)       [files] = noop

(7)       [expiration] = noop

(7)       [logintime] = noop

(7)       [pap] = noop

(7)     } # authorize = updated

(7)   Found Auth-Type = eap

(7)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(7)     authenticate {

(7) eap: Expiring EAP session with state 0x97ebaf3b96b5b5d2

(7) eap: Finished EAP session with state 0x97ebaf3b96b5b5d2

(7) eap: Previous EAP request found for state 0x97ebaf3b96b5b5d2, released
from the list

(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)

(7) eap: Calling submodule eap_mschapv2 to process data

(7) eap: Sending EAP Success (code 3) ID 94 length 4

(7) eap: Freeing handler

(7)       [eap] = ok

(7)     } # authenticate = ok

(7)   # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(7)     post-auth {

(7)       if (0) {

(7)       if (0)  -> FALSE

(7)     } # post-auth = noop

(7)   Login OK: [x19a19] (from client newguy port 0 via TLS tunnel)

(7) } # server inner-tunnel

(7) Virtual server sending reply

(7)   MS-MPPE-Encryption-Policy = Encryption-Allowed

(7)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

(7)   MS-MPPE-Send-Key = 0x3dbd0e514b1011ad90ebe00e330e8c11

(7)   MS-MPPE-Recv-Key = 0xd49ea8ea1406bcc4b9177cfd006a0a4d

(7)   EAP-Message = 0x035e0004

(7)   Message-Authenticator = 0x00000000000000000000000000000000

(7)   User-Name = "x19a19"

(7) eap_peap: Got tunneled reply code 2

(7) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed

(7) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

(7) eap_peap:   MS-MPPE-Send-Key = 0x3dbd0e514b1011ad90ebe00e330e8c11

(7) eap_peap:   MS-MPPE-Recv-Key = 0xd49ea8ea1406bcc4b9177cfd006a0a4d

(7) eap_peap:   EAP-Message = 0x035e0004

(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(7) eap_peap:   User-Name = "x19a19"

(7) eap_peap: Got tunneled reply RADIUS code 2

(7) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed

(7) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

(7) eap_peap:   MS-MPPE-Send-Key = 0x3dbd0e514b1011ad90ebe00e330e8c11

(7) eap_peap:   MS-MPPE-Recv-Key = 0xd49ea8ea1406bcc4b9177cfd006a0a4d

(7) eap_peap:   EAP-Message = 0x035e0004

(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(7) eap_peap:   User-Name = "x19a19"

(7) eap_peap: Tunneled authentication was successful

(7) eap_peap: SUCCESS

(7) eap_peap: Saving tunneled attributes for later

(7) eap: Sending EAP Request (code 1) ID 95 length 46

(7) eap: EAP session adding &reply:State = 0xd5cab529d295ace4

(7)     [eap] = handled

(7)   } # authenticate = handled

(7) Using Post-Auth-Type Challenge

(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(7)   Challenge { ... } # empty sub-section is ignored

(7) Sent Access-Challenge Id 7 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0

(7)   EAP-Message =
0x015f002e190017030300234d99b5c3c5193bd0e3e0b11c153c0a53c5faf2042fe8196c9af5cb39839e67021928c9

(7)   Message-Authenticator = 0x00000000000000000000000000000000

(7)   State = 0xd5cab529d295ace4f6d40de07aff4d01

(7) Finished request

Waking up in 4.9 seconds.

(8) Received Access-Request Id 8 from 128.180.10.10:37390 to
128.180.1.12:1812 length 179

(8)   User-Name = "x19a19"

(8)   Calling-Station-Id = "00-0A-CD-31-6C-B4"

(8)   Framed-MTU = 1400

(8)   NAS-Port-Type = Wireless-802.11

(8)   Service-Type = Framed-User

(8)   Connect-Info = "CONNECT 11Mbps 802.11b"

(8)   NAS-IP-Address = 128.180.10.10

(8)   EAP-Message =
0x025f002e1900170303002350823d0b0711a0e7d347b3a8a91250f7493bf70002a55422ab652f6755c4548e415fe6

(8)   State = 0xd5cab529d295ace4f6d40de07aff4d01

(8)   Message-Authenticator = 0x1a6e7c8c91c24cf2f319ba78834bf0a3

(8) session-state: No cached attributes

(8) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(8)   authorize {

(8)     policy filter_username {

(8)       if (&User-Name) {

(8)       if (&User-Name)  -> TRUE

(8)       if (&User-Name)  {

(8)         if (&User-Name =~ / /) {

(8)         if (&User-Name =~ / /)  -> FALSE

(8)         if (&User-Name =~ /@[^@]*@/ ) {

(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(8)         if (&User-Name =~ /\.\./ ) {

(8)         if (&User-Name =~ /\.\./ )  -> FALSE

(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(8)         if (&User-Name =~ /\.$/)  {

(8)         if (&User-Name =~ /\.$/)   -> FALSE

(8)         if (&User-Name =~ /@\./)  {

(8)         if (&User-Name =~ /@\./)   -> FALSE

(8)       } # if (&User-Name)  = notfound

(8)     } # policy filter_username = notfound

(8)     [preprocess] = ok

(8)     [mschap] = noop

(8) suffix: Checking for suffix after "@"

(8) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(8) suffix: No such realm "NULL"

(8)     [suffix] = noop

(8) eap: Peer sent EAP Response (code 2) ID 95 length 46

(8) eap: Continuing tunnel setup

(8)     [eap] = ok

(8)   } # authorize = ok

(8) Found Auth-Type = eap

(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(8)   authenticate {

(8) eap: Expiring EAP session with state 0xd5cab529d295ace4

(8) eap: Finished EAP session with state 0xd5cab529d295ace4

(8) eap: Previous EAP request found for state 0xd5cab529d295ace4, released
from the list

(8) eap: Peer sent packet with method EAP PEAP (25)

(8) eap: Calling submodule eap_peap to process data

(8) eap_peap: Continuing EAP-TLS

(8) eap_peap: [eaptls verify] = ok

(8) eap_peap: Done initial handshake

(8) eap_peap: [eaptls process] = ok

(8) eap_peap: Session established.  Decoding tunneled attributes

(8) eap_peap: PEAP state send tlv success

(8) eap_peap: Received EAP-TLV response

(8) eap_peap: Success

(8) eap_peap: Using saved attributes from the original Access-Accept

(8) eap_peap:   User-Name = "x19a19"

(8) eap: Sending EAP Success (code 3) ID 95 length 4

(8) eap: Freeing handler

(8)     [eap] = ok

(8)   } # authenticate = ok

(8) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default

(8)   post-auth {

(8)     update {

(8)       No attributes updated

(8)     } # update = noop

(8)     [exec] = noop

(8)     policy remove_reply_message_if_eap {

(8)       if (&reply:EAP-Message && &reply:Reply-Message) {

(8)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE

(8)       else {

(8)         [noop] = noop

(8)       } # else = noop

(8)     } # policy remove_reply_message_if_eap = noop

(8)   } # post-auth = noop

(8) Login OK: [x19a19] (from client newguy port 0 cli 00-0A-CD-31-6C-B4)

(8) Sent Access-Accept Id 8 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0

(8)   User-Name = "x19a19"

(8)   MS-MPPE-Recv-Key =
0xed9fcdc627d86a2652543851d8f6e2cc7aca7e941eaaac46904ea2d5cae72824

(8)   MS-MPPE-Send-Key =
0x8d5faa43ee07dc194f806593f94351a2c29933f4944df7044a49b984e13e65a3

(8)   EAP-Message = 0x035f0004

(8)   Message-Authenticator = 0x00000000000000000000000000000000

(8) Finished request

Waking up in 4.9 seconds.

(0) Cleaning up request packet ID 0 with timestamp +3

(1) Cleaning up request packet ID 1 with timestamp +3

(2) Cleaning up request packet ID 2 with timestamp +3

(3) Cleaning up request packet ID 3 with timestamp +3

(4) Cleaning up request packet ID 4 with timestamp +3

(5) Cleaning up request packet ID 5 with timestamp +3

(6) Cleaning up request packet ID 6 with timestamp +3

(7) Cleaning up request packet ID 7 with timestamp +3

(8) Cleaning up request packet ID 8 with timestamp +3

Ready to process requests


-- 
Munroe Sollog
Senior Network Engineer
munroe at lehigh.edu

