Cannot get 802.1X EAP with mac-auth running

thomas heidkamp profi-it at outlook.de
Thu Jul 4 09:34:45 CEST 2019


First I will describe my setup:
Freeradius (Daloradius) running latest release on centos 7 with authentication
On local mysql as well on remote Microsoft ADS (Ldap) with ntlm_auth.

Everything works well with mac only auth as well user + pass 802.1x EAP accounts running on local Mysql as well on Microsoft ADS. 
I am familar with the radiusd -X and will provide debug outputs.

I made the changes in /etc/raddb/mods-available/eap

ttls {
copy_request_to_tunnel = yes

peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes


/etc/raddb/mods-available/mschap

mschap {
ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --domain=DETMOLD.WORTMANN.COM --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

passchange {
ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1 --allow-mschapv2"
ntlm_auth_username = "username: %{mschap:User-Name}"
ntlm_auth_domain = "nt-domain: DETMOLD.WORTMANN.COM"



/etc/raddb/mods-available/ntlm_auth

exec ntlm_auth {
        wait = yes
        program = "usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=DETMOLD.WORTMANN.COM --username=%{mschap:User-Name} --password=%{User-Password}"
}


/etc/raddb/sites-available/inner-tunnel

authenticate {
ntlm_auth


/etc/raddb/policy.d/group_authorization

group_authorization {

        if (&Huntgroup-Name == "wo-byod") {
                if (&LDAP-Group[*] == "CN=wo-byod,OU=Wifi,OU=Administration,DC=wifi,DC=wortmann,DC=com") {
                        #reject
                        ok
                }
                else {
                        reject
                      }

        }

        elsif (&Huntgroup-Name == "wo-secure") {
                if (&LDAP-Group[*] == "CN=wo-secure,OU=Wifi,OU=Administration,DC=wifi,DC=wortmann,DC=com") {
                        ok
                }
                else {
                       reject
                }
       }

}

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Now I would like to create account with 802.1x EAP  user + Pass + mac.

I created a user + pass on local server (not microsoft ADS) and the following attributes:

Calling-Station-Id  := XX:XX:YY: (MAC)
MS-CHAP-Use-NTLM-Auth :=No	                   #cause local user in mysql no user on microsoft ads


-----------

Output of 802.1x User + Pass + MAC-AUTH (This does not work)

(0) Received Access-Request Id 178 from 192.168.70.15:18487 to 192.168.199.69:1812 length 369
(0)   User-Name = "24:fb:65:69:06:af"
(0)   User-Password = "24:fb:65:69:06:af"
(0)   NAS-IP-Address = 192.168.70.63
(0)   NAS-Identifier = "ruckuscontroller"
(0)   Called-Station-Id = "34-FA-9F-BA-58-8F:test-radius-user+pass+mac"
(0)   Calling-Station-Id = "24-FB-65-69-06-AF"
(0)   Service-Type = Framed-User
(0)   NAS-Port-Type = Wireless-802.11
(0)   Location-Data = 0x31304445170a49542d53657276696365
(0)   Ruckus-SSID = "test-radius-user+pass+mac"
(0)   Ruckus-BSSID = 0x34fa9fba588f
(0)   Ruckus-Location = "IT-Service"
(0)   Ruckus-VLAN-ID = 1
(0)   Ruckus-SCG-CBlade-IP = 3232253455
(0)   Ruckus-Zone-Name = "Detmold"
(0)   Attr-26.25053.154 = 0x576f72746d616e6e
(0)   Ruckus-Wlan-Name = "test-radius-user+pass+mac"
(0)   Message-Authenticator = 0xacdb9cb8915c51eabb275d3f52265694
(0)   Chargeable-User-Identity = 0x00
(0)   Proxy-State = 0x3230
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (name=24:fb:65:69:06:af)
(0) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=24:fb:65:69:06:af)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: Search returned no results
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap02.detmold.wortmann.com:50027
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = notfound
(0)     policy group_authorization {
(0)       if (&Huntgroup-Name == "wo-byod") {
(0)       ERROR: Failed retrieving values required to evaluate condition
(0)       elsif (&Huntgroup-Name == "wo-secure") {
(0)       ERROR: Failed retrieving values required to evaluate condition
(0)     } # policy group_authorization = notfound
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     policy filter_password {
(0)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
(0)       EXPAND %{string:User-Password}
(0)          --> 24:fb:65:69:06:af
(0)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
(0)     } # policy filter_password = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "24:fb:65:69:06:af", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
(0) sql: EXPAND %{User-Name}
(0) sql:    --> 24:fb:65:69:06:af
(0) sql: SQL-User-Name set to '24:fb:65:69:06:af'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '24:fb:65:69:06:af' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '24:fb:65:69:06:af' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username = '24:fb:65:69:06:af' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '24:fb:65:69:06:af' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.40-MariaDB, protocol version 10
(0)     [sql] = notfound
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) sql: EXPAND .query
(0) sql:    --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND %{User-Name}
(0) sql:    --> 24:fb:65:69:06:af
(0) sql: SQL-User-Name set to '24:fb:65:69:06:af'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '24:fb:65:69:06:af', '24:fb:65:69:06:af', 'Access-Reject', '2019-07-03 15:06:39.437779')
(0) sql: EXPAND /var/log/radius/sqllog.sql
(0) sql:    --> /var/log/radius/sqllog.sql
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '24:fb:65:69:06:af', '24:fb:65:69:06:af', 'Access-Reject', '2019-07-03 15:06:39.437779')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
(0)     [sql] = ok
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> 24:fb:65:69:06:af
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 178 from 192.168.199.69:1812 to 192.168.70.15:18487 length 24
(0)   Proxy-State = 0x3230
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 178 with timestamp +21
Ready to process requests



--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

And here comes the output with 802.1x with User + Pass (This works)





(0) Received Access-Request Id 118 from 192.168.70.15:18487 to 192.168.199.69:1812 length 370
(0)   Acct-Session-Id = "5D1CA994-67A4B00F"
(0)   User-Name = "wifitestmac01"
(0)   NAS-IP-Address = 192.168.70.63
(0)   NAS-Identifier = "ruckuscontroller"
(0)   NAS-Port = 1
(0)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(0)   Calling-Station-Id = "24-FB-65-69-06-AF"
(0)   Location-Data = 0x31304445170a49542d53657276696365
(0)   Service-Type = Framed-User
(0)   Chargeable-User-Identity = 0x00
(0)   NAS-Port-Type = Wireless-802.11
(0)   Connect-Info = "CONNECT 802.11a/n/ac"
(0)   EAP-Message = 0x020000120177696669746573746d61633031
(0)   Ruckus-SSID = "test-radius-user+pass"
(0)   Ruckus-BSSID = 0x34fa9ffa588e
(0)   Ruckus-Location = "IT-Service"
(0)   Ruckus-VLAN-ID = 1
(0)   Ruckus-SCG-CBlade-IP = 3232253455
(0)   Ruckus-Zone-Name = "Detmold"
(0)   Ruckus-Wlan-Name = "test-radius-user+pass"
(0)   Message-Authenticator = 0x159a3af56a73ce0394ac2b647dab9fdc
(0)   Proxy-State = 0x3636
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (name=wifitestmac01)
(0) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: Search returned no results
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap02.detmold.wortmann.com:50027
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = notfound
(0)     policy group_authorization {
(0)       if (&Huntgroup-Name == "wo-byod") {
(0)       ERROR: Failed retrieving values required to evaluate condition
(0)       elsif (&Huntgroup-Name == "wo-secure") {
(0)       ERROR: Failed retrieving values required to evaluate condition
(0)     } # policy group_authorization = notfound
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     policy filter_password {
(0)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
(0)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
(0)     } # policy filter_password = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 18
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 1 length 6
(0) eap: EAP session adding &reply:State = 0x3bd334c23bd22d5a
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 118 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(0)   EAP-Message = 0x010100061920
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x3bd334c23bd22d5a464d9b22d2e35ffe
(0)   Proxy-State = 0x3636
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 192 from 192.168.70.15:18487 to 192.168.199.69:1812 length 523
(1)   Acct-Session-Id = "5D1CA994-67A4B00F"
(1)   User-Name = "wifitestmac01"
(1)   NAS-IP-Address = 192.168.70.63
(1)   NAS-Identifier = "ruckuscontroller"
(1)   NAS-Port = 1
(1)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(1)   Calling-Station-Id = "24-FB-65-69-06-AF"
(1)   Location-Data = 0x31304445170a49542d53657276696365
(1)   Service-Type = Framed-User
(1)   Chargeable-User-Identity = 0x00
(1)   NAS-Port-Type = Wireless-802.11
(1)   Connect-Info = "CONNECT 802.11a/n/ac"
(1)   EAP-Message = 0x0201009919800000008f160301008a010000860303835329bad69de11579396dd64e0f503fa00db84d3fa1677093e39b7a165697b600002ac02bc02fc02cc030cca9cca8c009c023c013c027c00ac024c014c028009c009d002f003c0035003d000a01000033ff0100010000170000000d001400120403
(1)   State = 0x3bd334c23bd22d5a464d9b22d2e35ffe
(1)   Ruckus-SSID = "test-radius-user+pass"
(1)   Ruckus-BSSID = 0x34fa9ffa588e
(1)   Ruckus-Location = "IT-Service"
(1)   Ruckus-VLAN-ID = 1
(1)   Ruckus-SCG-CBlade-IP = 3232253455
(1)   Ruckus-Zone-Name = "Detmold"
(1)   Ruckus-Wlan-Name = "test-radius-user+pass"
(1)   Message-Authenticator = 0x7bc819acb7da691a1924f0d0f7cdfe1c
(1)   Proxy-State = 0x3637
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
rlm_ldap (ldap): Reserved connection (1)
(1) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap:    --> (name=wifitestmac01)
(1) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(1) ldap: Waiting for search result...
(1) ldap: Search returned no results
rlm_ldap (ldap): Released connection (1)
(1)     [ldap] = notfound
(1)     policy group_authorization {
(1)       if (&Huntgroup-Name == "wo-byod") {
(1)       ERROR: Failed retrieving values required to evaluate condition
(1)       elsif (&Huntgroup-Name == "wo-secure") {
(1)       ERROR: Failed retrieving values required to evaluate condition
(1)     } # policy group_authorization = notfound
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     policy filter_password {
(1)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
(1)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
(1)     } # policy filter_password = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 153
(1) eap: Continuing tunnel setup
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x3bd334c23bd22d5a
(1) eap: Finished EAP session with state 0x3bd334c23bd22d5a
(1) eap: Previous EAP request found for state 0x3bd334c23bd22d5a, released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 143 bytes
(1) eap_peap: Got complete TLS record (143 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before/accept initialization
(1) eap_peap: TLS_accept: before/accept initialization
(1) eap_peap: <<< recv TLS 1.2  [length 008a]
(1) eap_peap: TLS_accept: SSLv3 read client hello A
(1) eap_peap: >>> send TLS 1.2  [length 0039]
(1) eap_peap: TLS_accept: SSLv3 write server hello A
(1) eap_peap: >>> send TLS 1.2  [length 08d3]
(1) eap_peap: TLS_accept: SSLv3 write certificate A
(1) eap_peap: >>> send TLS 1.2  [length 014d]
(1) eap_peap: TLS_accept: SSLv3 write key exchange A
(1) eap_peap: >>> send TLS 1.2  [length 0004]
(1) eap_peap: TLS_accept: SSLv3 write server done A
(1) eap_peap: TLS_accept: SSLv3 flush data
(1) eap_peap: TLS_accept: SSLv3 read client certificate A
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(1) eap_peap: In SSL Handshake Phase
(1) eap_peap: In SSL Accept mode
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 2 length 1004
(1) eap: EAP session adding &reply:State = 0x3bd334c23ad12d5a
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 192 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(1)   EAP-Message = 0x010203ec19c000000a7116030300390200003503038fd7c9ffc7d69edac5f51c36f36bb4cd3683efff8a28e5db6b9b61ec4e4b534100c02f00000dff01000100000b00040300010216030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d01010b050030
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x3bd334c23ad12d5a464d9b22d2e35ffe
(1)   Proxy-State = 0x3637
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 219 from 192.168.70.15:18487 to 192.168.199.69:1812 length 376
(2)   Acct-Session-Id = "5D1CA994-67A4B00F"
(2)   User-Name = "wifitestmac01"
(2)   NAS-IP-Address = 192.168.70.63
(2)   NAS-Identifier = "ruckuscontroller"
(2)   NAS-Port = 1
(2)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(2)   Calling-Station-Id = "24-FB-65-69-06-AF"
(2)   Location-Data = 0x31304445170a49542d53657276696365
(2)   Service-Type = Framed-User
(2)   Chargeable-User-Identity = 0x00
(2)   NAS-Port-Type = Wireless-802.11
(2)   Connect-Info = "CONNECT 802.11a/n/ac"
(2)   EAP-Message = 0x020200061900
(2)   State = 0x3bd334c23ad12d5a464d9b22d2e35ffe
(2)   Ruckus-SSID = "test-radius-user+pass"
(2)   Ruckus-BSSID = 0x34fa9ffa588e
(2)   Ruckus-Location = "IT-Service"
(2)   Ruckus-VLAN-ID = 1
(2)   Ruckus-SCG-CBlade-IP = 3232253455
(2)   Ruckus-Zone-Name = "Detmold"
(2)   Ruckus-Wlan-Name = "test-radius-user+pass"
(2)   Message-Authenticator = 0xb247f926b23e2510c40d16d6cff0ecab
(2)   Proxy-State = 0x3638
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2)   authorize {
rlm_ldap (ldap): Reserved connection (2)
(2) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(2) ldap:    --> (name=wifitestmac01)
(2) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(2) ldap: Waiting for search result...
(2) ldap: Search returned no results
rlm_ldap (ldap): Released connection (2)
Need 4 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap02.detmold.wortmann.com:50027
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(2)     [ldap] = notfound
(2)     policy group_authorization {
(2)       if (&Huntgroup-Name == "wo-byod") {
(2)       ERROR: Failed retrieving values required to evaluate condition
(2)       elsif (&Huntgroup-Name == "wo-secure") {
(2)       ERROR: Failed retrieving values required to evaluate condition
(2)     } # policy group_authorization = notfound
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     policy filter_password {
(2)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
(2)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
(2)     } # policy filter_password = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 6
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0x3bd334c23ad12d5a
(2) eap: Finished EAP session with state 0x3bd334c23ad12d5a
(2) eap: Previous EAP request found for state 0x3bd334c23ad12d5a, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer ACKed our handshake fragment
(2) eap_peap: [eaptls verify] = request
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1000
(2) eap: EAP session adding &reply:State = 0x3bd334c239d02d5a
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 219 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(2)   EAP-Message = 0x010303e8194091bfa579e2faf519ba55b78dda4a69f41a426f5e0c2c6f73a6b54147ba90603059eb0e91ad1221d42cb94f40b2d6f4bfd1026f390833e0d09c94696b1b5bef8a50f83b31b6fff4e1a20004e8308204e4308203cca003020102020900fcbb37b2469beea7300d06092a864886f70d01010b
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0x3bd334c239d02d5a464d9b22d2e35ffe
(2)   Proxy-State = 0x3638
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 32 from 192.168.70.15:18487 to 192.168.199.69:1812 length 376
(3)   Acct-Session-Id = "5D1CA994-67A4B00F"
(3)   User-Name = "wifitestmac01"
(3)   NAS-IP-Address = 192.168.70.63
(3)   NAS-Identifier = "ruckuscontroller"
(3)   NAS-Port = 1
(3)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(3)   Calling-Station-Id = "24-FB-65-69-06-AF"
(3)   Location-Data = 0x31304445170a49542d53657276696365
(3)   Service-Type = Framed-User
(3)   Chargeable-User-Identity = 0x00
(3)   NAS-Port-Type = Wireless-802.11
(3)   Connect-Info = "CONNECT 802.11a/n/ac"
(3)   EAP-Message = 0x020300061900
(3)   State = 0x3bd334c239d02d5a464d9b22d2e35ffe
(3)   Ruckus-SSID = "test-radius-user+pass"
(3)   Ruckus-BSSID = 0x34fa9ffa588e
(3)   Ruckus-Location = "IT-Service"
(3)   Ruckus-VLAN-ID = 1
(3)   Ruckus-SCG-CBlade-IP = 3232253455
(3)   Ruckus-Zone-Name = "Detmold"
(3)   Ruckus-Wlan-Name = "test-radius-user+pass"
(3)   Message-Authenticator = 0x987f2b5f4dace466c0f0b4acf02c3574
(3)   Proxy-State = 0x3639
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3)   authorize {
rlm_ldap (ldap): Reserved connection (3)
(3) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(3) ldap:    --> (name=wifitestmac01)
(3) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(3) ldap: Waiting for search result...
(3) ldap: Search returned no results
rlm_ldap (ldap): Released connection (3)
(3)     [ldap] = notfound
(3)     policy group_authorization {
(3)       if (&Huntgroup-Name == "wo-byod") {
(3)       ERROR: Failed retrieving values required to evaluate condition
(3)       elsif (&Huntgroup-Name == "wo-secure") {
(3)       ERROR: Failed retrieving values required to evaluate condition
(3)     } # policy group_authorization = notfound
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     policy filter_password {
(3)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
(3)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
(3)     } # policy filter_password = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0x3bd334c239d02d5a
(3) eap: Finished EAP session with state 0x3bd334c239d02d5a
(3) eap: Previous EAP request found for state 0x3bd334c239d02d5a, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 691
(3) eap: EAP session adding &reply:State = 0x3bd334c238d72d5a
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3)   Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 32 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(3)   EAP-Message = 0x010402b319000530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101009d2d36e5e65062434bce33d522f21aa5fc16f766f283a13b276fc9ebf7f118
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0x3bd334c238d72d5a464d9b22d2e35ffe
(3)   Proxy-State = 0x3639
(3) Finished request
Waking up in 4.7 seconds.
(4) Received Access-Request Id 28 from 192.168.70.15:18487 to 192.168.199.69:1812 length 506
(4)   Acct-Session-Id = "5D1CA994-67A4B00F"
(4)   User-Name = "wifitestmac01"
(4)   NAS-IP-Address = 192.168.70.63
(4)   NAS-Identifier = "ruckuscontroller"
(4)   NAS-Port = 1
(4)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(4)   Calling-Station-Id = "24-FB-65-69-06-AF"
(4)   Location-Data = 0x31304445170a49542d53657276696365
(4)   Service-Type = Framed-User
(4)   Chargeable-User-Identity = 0x00
(4)   NAS-Port-Type = Wireless-802.11
(4)   Connect-Info = "CONNECT 802.11a/n/ac"
(4)   EAP-Message = 0x0204008819800000007e1603030046100000424104adbbc0a47dec1a64cf71dd948d1cc6eeb600228b9ec1c419b2931cb6742f75033ea0cfe3368b858b07feb235a1c46f8936048a0d55e2f87fb62156f1fedb985814030300010116030300280000000000000000ab71501664950b092c4c0b8b88170f
(4)   State = 0x3bd334c238d72d5a464d9b22d2e35ffe
(4)   Ruckus-SSID = "test-radius-user+pass"
(4)   Ruckus-BSSID = 0x34fa9ffa588e
(4)   Ruckus-Location = "IT-Service"
(4)   Ruckus-VLAN-ID = 1
(4)   Ruckus-SCG-CBlade-IP = 3232253455
(4)   Ruckus-Zone-Name = "Detmold"
(4)   Ruckus-Wlan-Name = "test-radius-user+pass"
(4)   Message-Authenticator = 0xaa7a33857a9cd2bd2a0a520d9b8229f1
(4)   Proxy-State = 0x3730
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4)   authorize {
rlm_ldap (ldap): Reserved connection (4)
(4) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(4) ldap:    --> (name=wifitestmac01)
(4) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(4) ldap: Waiting for search result...
(4) ldap: Search returned no results
rlm_ldap (ldap): Released connection (4)
(4)     [ldap] = notfound
(4)     policy group_authorization {
(4)       if (&Huntgroup-Name == "wo-byod") {
(4)       ERROR: Failed retrieving values required to evaluate condition
(4)       elsif (&Huntgroup-Name == "wo-secure") {
(4)       ERROR: Failed retrieving values required to evaluate condition
(4)     } # policy group_authorization = notfound
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     policy filter_password {
(4)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
(4)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
(4)     } # policy filter_password = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 136
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0x3bd334c238d72d5a
(4) eap: Finished EAP session with state 0x3bd334c238d72d5a
(4) eap: Previous EAP request found for state 0x3bd334c238d72d5a, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(4) eap_peap: Got complete TLS record (126 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: <<< recv TLS 1.2  [length 0046]
(4) eap_peap: TLS_accept: SSLv3 read client key exchange A
(4) eap_peap: TLS_accept: SSLv3 read certificate verify A
(4) eap_peap: <<< recv TLS 1.2  [length 0001]
(4) eap_peap: <<< recv TLS 1.2  [length 0010]
(4) eap_peap: TLS_accept: SSLv3 read finished A
(4) eap_peap: >>> send TLS 1.2  [length 0001]
(4) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(4) eap_peap: >>> send TLS 1.2  [length 0010]
(4) eap_peap: TLS_accept: SSLv3 write finished A
(4) eap_peap: TLS_accept: SSLv3 flush data
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: SSL Connection Established
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 57
(4) eap: EAP session adding &reply:State = 0x3bd334c23fd62d5a
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4)   Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 28 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(4)   EAP-Message = 0x0105003919001403030001011603030028d5ec48bada42fbd160a0e9edd0eb49dfdd71efa906eeeeca879b4e3db15c178c51fb9fa222a5ed41
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0x3bd334c23fd62d5a464d9b22d2e35ffe
(4)   Proxy-State = 0x3730
(4) Finished request
Waking up in 4.6 seconds.
(5) Received Access-Request Id 53 from 192.168.70.15:18487 to 192.168.199.69:1812 length 376
(5)   Acct-Session-Id = "5D1CA994-67A4B00F"
(5)   User-Name = "wifitestmac01"
(5)   NAS-IP-Address = 192.168.70.63
(5)   NAS-Identifier = "ruckuscontroller"
(5)   NAS-Port = 1
(5)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(5)   Calling-Station-Id = "24-FB-65-69-06-AF"
(5)   Location-Data = 0x31304445170a49542d53657276696365
(5)   Service-Type = Framed-User
(5)   Chargeable-User-Identity = 0x00
(5)   NAS-Port-Type = Wireless-802.11
(5)   Connect-Info = "CONNECT 802.11a/n/ac"
(5)   EAP-Message = 0x020500061900
(5)   State = 0x3bd334c23fd62d5a464d9b22d2e35ffe
(5)   Ruckus-SSID = "test-radius-user+pass"
(5)   Ruckus-BSSID = 0x34fa9ffa588e
(5)   Ruckus-Location = "IT-Service"
(5)   Ruckus-VLAN-ID = 1
(5)   Ruckus-SCG-CBlade-IP = 3232253455
(5)   Ruckus-Zone-Name = "Detmold"
(5)   Ruckus-Wlan-Name = "test-radius-user+pass"
(5)   Message-Authenticator = 0x66edffe796ea4dd8ad07c9eb195678ba
(5)   Proxy-State = 0x3731
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5)   authorize {
rlm_ldap (ldap): Reserved connection (0)
(5) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(5) ldap:    --> (name=wifitestmac01)
(5) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(5) ldap: Waiting for search result...
(5) ldap: Search returned no results
rlm_ldap (ldap): Released connection (0)
(5)     [ldap] = notfound
(5)     policy group_authorization {
(5)       if (&Huntgroup-Name == "wo-byod") {
(5)       ERROR: Failed retrieving values required to evaluate condition
(5)       elsif (&Huntgroup-Name == "wo-secure") {
(5)       ERROR: Failed retrieving values required to evaluate condition
(5)     } # policy group_authorization = notfound
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     policy filter_password {
(5)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
(5)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
(5)     } # policy filter_password = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 6
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0x3bd334c23fd62d5a
(5) eap: Finished EAP session with state 0x3bd334c23fd62d5a
(5) eap: Previous EAP request found for state 0x3bd334c23fd62d5a, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established.  Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 6 length 40
(5) eap: EAP session adding &reply:State = 0x3bd334c23ed52d5a
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5)   Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 53 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(5)   EAP-Message = 0x010600281900170303001dd5ec48bada42fbd2efc073480c7529e47c1add6cb4438a099c10325e70
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0x3bd334c23ed52d5a464d9b22d2e35ffe
(5)   Proxy-State = 0x3731
(5) Finished request
Waking up in 4.6 seconds.
(6) Received Access-Request Id 156 from 192.168.70.15:18487 to 192.168.199.69:1812 length 419
(6)   Acct-Session-Id = "5D1CA994-67A4B00F"
(6)   User-Name = "wifitestmac01"
(6)   NAS-IP-Address = 192.168.70.63
(6)   NAS-Identifier = "ruckuscontroller"
(6)   NAS-Port = 1
(6)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(6)   Calling-Station-Id = "24-FB-65-69-06-AF"
(6)   Location-Data = 0x31304445170a49542d53657276696365
(6)   Service-Type = Framed-User
(6)   Chargeable-User-Identity = 0x00
(6)   NAS-Port-Type = Wireless-802.11
(6)   Connect-Info = "CONNECT 802.11a/n/ac"
(6)   EAP-Message = 0x020600311900170303002600000000000000015698d55ae694291d750d607613ec0078f789474257506b16b6bbfb645851
(6)   State = 0x3bd334c23ed52d5a464d9b22d2e35ffe
(6)   Ruckus-SSID = "test-radius-user+pass"
(6)   Ruckus-BSSID = 0x34fa9ffa588e
(6)   Ruckus-Location = "IT-Service"
(6)   Ruckus-VLAN-ID = 1
(6)   Ruckus-SCG-CBlade-IP = 3232253455
(6)   Ruckus-Zone-Name = "Detmold"
(6)   Ruckus-Wlan-Name = "test-radius-user+pass"
(6)   Message-Authenticator = 0x34c64d7bfe181cdb376fcd5e5ddf54bc
(6)   Proxy-State = 0x3732
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6)   authorize {
rlm_ldap (ldap): Reserved connection (5)
(6) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(6) ldap:    --> (name=wifitestmac01)
(6) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(6) ldap: Waiting for search result...
(6) ldap: Search returned no results
rlm_ldap (ldap): Released connection (5)
(6)     [ldap] = notfound
(6)     policy group_authorization {
(6)       if (&Huntgroup-Name == "wo-byod") {
(6)       ERROR: Failed retrieving values required to evaluate condition
(6)       elsif (&Huntgroup-Name == "wo-secure") {
(6)       ERROR: Failed retrieving values required to evaluate condition
(6)     } # policy group_authorization = notfound
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy filter_username = notfound
(6)     policy filter_password {
(6)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
(6)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
(6)     } # policy filter_password = notfound
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 49
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0x3bd334c23ed52d5a
(6) eap: Finished EAP session with state 0x3bd334c23ed52d5a
(6) eap: Previous EAP request found for state 0x3bd334c23ed52d5a, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - wifitestmac01
(6) eap_peap: Got inner identity 'wifitestmac01'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap:   EAP-Message = 0x020600120177696669746573746d61633031
(6) eap_peap: Setting User-Name to wifitestmac01
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap:   EAP-Message = 0x020600120177696669746573746d61633031
(6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap:   User-Name = "wifitestmac01"
(6) eap_peap:   Acct-Session-Id = "5D1CA994-67A4B00F"
(6) eap_peap:   NAS-IP-Address = 192.168.70.63
(6) eap_peap:   NAS-Identifier = "ruckuscontroller"
(6) eap_peap:   NAS-Port = 1
(6) eap_peap:   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(6) eap_peap:   Calling-Station-Id = "24-FB-65-69-06-AF"
(6) eap_peap:   Location-Data = 0x31304445170a49542d53657276696365
(6) eap_peap:   Service-Type = Framed-User
(6) eap_peap:   Chargeable-User-Identity = 0x00
(6) eap_peap:   NAS-Port-Type = Wireless-802.11
(6) eap_peap:   Connect-Info = "CONNECT 802.11a/n/ac"
(6) eap_peap:   Ruckus-SSID = "test-radius-user+pass"
(6) eap_peap:   Ruckus-BSSID = 0x34fa9ffa588e
(6) eap_peap:   Ruckus-Location = "IT-Service"
(6) eap_peap:   Ruckus-VLAN-ID = 1
(6) eap_peap:   Ruckus-SCG-CBlade-IP = 3232253455
(6) eap_peap:   Ruckus-Zone-Name = "Detmold"
(6) eap_peap:   Ruckus-Wlan-Name = "test-radius-user+pass"
(6) eap_peap:   Event-Timestamp = "Jul  3 2019 15:11:54 CEST"
(6) Virtual server inner-tunnel received request
(6)   EAP-Message = 0x020600120177696669746573746d61633031
(6)   FreeRADIUS-Proxied-To = 127.0.0.1
(6)   User-Name = "wifitestmac01"
(6)   Acct-Session-Id = "5D1CA994-67A4B00F"
(6)   NAS-IP-Address = 192.168.70.63
(6)   NAS-Identifier = "ruckuscontroller"
(6)   NAS-Port = 1
(6)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(6)   Calling-Station-Id = "24-FB-65-69-06-AF"
(6)   Location-Data = 0x31304445170a49542d53657276696365
(6)   Service-Type = Framed-User
(6)   Chargeable-User-Identity = 0x00
(6)   NAS-Port-Type = Wireless-802.11
(6)   Connect-Info = "CONNECT 802.11a/n/ac"
(6)   Ruckus-SSID = "test-radius-user+pass"
(6)   Ruckus-BSSID = 0x34fa9ffa588e
(6)   Ruckus-Location = "IT-Service"
(6)   Ruckus-VLAN-ID = 1
(6)   Ruckus-SCG-CBlade-IP = 3232253455
(6)   Ruckus-Zone-Name = "Detmold"
(6)   Ruckus-Wlan-Name = "test-radius-user+pass"
(6)   Event-Timestamp = "Jul  3 2019 15:11:54 CEST"
(6) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(6) server inner-tunnel {
(6)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(6)     authorize {
(6)       policy filter_username {
(6)         if (&User-Name) {
(6)         if (&User-Name)  -> TRUE
(6)         if (&User-Name)  {
(6)           if (&User-Name =~ / /) {
(6)           if (&User-Name =~ / /)  -> FALSE
(6)           if (&User-Name =~ /@[^@]*@/ ) {
(6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)           if (&User-Name =~ /\.\./ ) {
(6)           if (&User-Name =~ /\.\./ )  -> FALSE
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)           if (&User-Name =~ /\.$/)  {
(6)           if (&User-Name =~ /\.$/)   -> FALSE
(6)           if (&User-Name =~ /@\./)  {
(6)           if (&User-Name =~ /@\./)   -> FALSE
(6)         } # if (&User-Name)  = notfound
(6)       } # policy filter_username = notfound
(6)       [chap] = noop
(6)       [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)       [suffix] = noop
(6)       update control {
(6)         &Proxy-To-Realm := LOCAL
(6)       } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 18
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6)       [eap] = ok
(6)     } # authorize = ok
(6)   Found Auth-Type = eap
(6)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6)     authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) eap: Sending EAP Request (code 1) ID 7 length 43
(6) eap: EAP session adding &reply:State = 0x78a9799278ae6313
(6)       [eap] = handled
(6)     } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6)   EAP-Message = 0x0107002b1a0107002610acc3fe6199de746d49fc93f49582fc03667265657261646975732d332e302e3133
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0x78a9799278ae6313f359dd39dd5c9f11
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap:   EAP-Message = 0x0107002b1a0107002610acc3fe6199de746d49fc93f49582fc03667265657261646975732d332e302e3133
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0x78a9799278ae6313f359dd39dd5c9f11
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap:   EAP-Message = 0x0107002b1a0107002610acc3fe6199de746d49fc93f49582fc03667265657261646975732d332e302e3133
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0x78a9799278ae6313f359dd39dd5c9f11
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 7 length 74
(6) eap: EAP session adding &reply:State = 0x3bd334c23dd42d5a
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6)   Challenge { ... } # empty sub-section is ignored
(6) Sent Access-Challenge Id 156 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(6)   EAP-Message = 0x0107004a1900170303003fd5ec48bada42fbd39481e9f00adb4e04c21da70a884fc7d37895cfdbd260a4aa2189d9d36c81ebc4a14d73b74ba2eb169b57fd36b0ecb4393df44715a4222e
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0x3bd334c23dd42d5a464d9b22d2e35ffe
(6)   Proxy-State = 0x3732
(6) Finished request
Waking up in 4.5 seconds.
(7) Received Access-Request Id 35 from 192.168.70.15:18487 to 192.168.199.69:1812 length 473
(7)   Acct-Session-Id = "5D1CA994-67A4B00F"
(7)   User-Name = "wifitestmac01"
(7)   NAS-IP-Address = 192.168.70.63
(7)   NAS-Identifier = "ruckuscontroller"
(7)   NAS-Port = 1
(7)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(7)   Calling-Station-Id = "24-FB-65-69-06-AF"
(7)   Location-Data = 0x31304445170a49542d53657276696365
(7)   Service-Type = Framed-User
(7)   Chargeable-User-Identity = 0x00
(7)   NAS-Port-Type = Wireless-802.11
(7)   Connect-Info = "CONNECT 802.11a/n/ac"
(7)   EAP-Message = 0x020700671900170303005c000000000000000260bd309024ce07ecc1dd6fb714cd4aab28a634e3636effeb72f8162068747c873ba798f59a4cd64c069ba2159698e14743104d45d20c019e727efc75fdac7624b0b06f869e8bc2cfc1cc6cfd33ed977ae6015649
(7)   State = 0x3bd334c23dd42d5a464d9b22d2e35ffe
(7)   Ruckus-SSID = "test-radius-user+pass"
(7)   Ruckus-BSSID = 0x34fa9ffa588e
(7)   Ruckus-Location = "IT-Service"
(7)   Ruckus-VLAN-ID = 1
(7)   Ruckus-SCG-CBlade-IP = 3232253455
(7)   Ruckus-Zone-Name = "Detmold"
(7)   Ruckus-Wlan-Name = "test-radius-user+pass"
(7)   Message-Authenticator = 0x3b507e4e852475a8216cc0c453588426
(7)   Proxy-State = 0x3733
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7)   authorize {
rlm_ldap (ldap): Reserved connection (1)
(7) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap:    --> (name=wifitestmac01)
(7) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(7) ldap: Waiting for search result...
(7) ldap: Search returned no results
rlm_ldap (ldap): Released connection (1)
(7)     [ldap] = notfound
(7)     policy group_authorization {
(7)       if (&Huntgroup-Name == "wo-byod") {
(7)       ERROR: Failed retrieving values required to evaluate condition
(7)       elsif (&Huntgroup-Name == "wo-secure") {
(7)       ERROR: Failed retrieving values required to evaluate condition
(7)     } # policy group_authorization = notfound
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     policy filter_password {
(7)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
(7)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
(7)     } # policy filter_password = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 103
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0x78a9799278ae6313
(7) eap: Finished EAP session with state 0x3bd334c23dd42d5a
(7) eap: Previous EAP request found for state 0x3bd334c23dd42d5a, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap:   EAP-Message = 0x020700481a0207004331511e472c9167eed5163063c100f421e70000000000000000f82f405055c2818c487d7d078bd9aafccf93e2e4db9c11f60077696669746573746d61633031
(7) eap_peap: Setting User-Name to wifitestmac01
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap:   EAP-Message = 0x020700481a0207004331511e472c9167eed5163063c100f421e70000000000000000f82f405055c2818c487d7d078bd9aafccf93e2e4db9c11f60077696669746573746d61633031
(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap:   User-Name = "wifitestmac01"
(7) eap_peap:   State = 0x78a9799278ae6313f359dd39dd5c9f11
(7) eap_peap:   Acct-Session-Id = "5D1CA994-67A4B00F"
(7) eap_peap:   NAS-IP-Address = 192.168.70.63
(7) eap_peap:   NAS-Identifier = "ruckuscontroller"
(7) eap_peap:   NAS-Port = 1
(7) eap_peap:   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(7) eap_peap:   Calling-Station-Id = "24-FB-65-69-06-AF"
(7) eap_peap:   Location-Data = 0x31304445170a49542d53657276696365
(7) eap_peap:   Service-Type = Framed-User
(7) eap_peap:   Chargeable-User-Identity = 0x00
(7) eap_peap:   NAS-Port-Type = Wireless-802.11
(7) eap_peap:   Connect-Info = "CONNECT 802.11a/n/ac"
(7) eap_peap:   Ruckus-SSID = "test-radius-user+pass"
(7) eap_peap:   Ruckus-BSSID = 0x34fa9ffa588e
(7) eap_peap:   Ruckus-Location = "IT-Service"
(7) eap_peap:   Ruckus-VLAN-ID = 1
(7) eap_peap:   Ruckus-SCG-CBlade-IP = 3232253455
(7) eap_peap:   Ruckus-Zone-Name = "Detmold"
(7) eap_peap:   Ruckus-Wlan-Name = "test-radius-user+pass"
(7) eap_peap:   Event-Timestamp = "Jul  3 2019 15:11:54 CEST"
(7) Virtual server inner-tunnel received request
(7)   EAP-Message = 0x020700481a0207004331511e472c9167eed5163063c100f421e70000000000000000f82f405055c2818c487d7d078bd9aafccf93e2e4db9c11f60077696669746573746d61633031
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "wifitestmac01"
(7)   State = 0x78a9799278ae6313f359dd39dd5c9f11
(7)   Acct-Session-Id = "5D1CA994-67A4B00F"
(7)   NAS-IP-Address = 192.168.70.63
(7)   NAS-Identifier = "ruckuscontroller"
(7)   NAS-Port = 1
(7)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(7)   Calling-Station-Id = "24-FB-65-69-06-AF"
(7)   Location-Data = 0x31304445170a49542d53657276696365
(7)   Service-Type = Framed-User
(7)   Chargeable-User-Identity = 0x00
(7)   NAS-Port-Type = Wireless-802.11
(7)   Connect-Info = "CONNECT 802.11a/n/ac"
(7)   Ruckus-SSID = "test-radius-user+pass"
(7)   Ruckus-BSSID = 0x34fa9ffa588e
(7)   Ruckus-Location = "IT-Service"
(7)   Ruckus-VLAN-ID = 1
(7)   Ruckus-SCG-CBlade-IP = 3232253455
(7)   Ruckus-Zone-Name = "Detmold"
(7)   Ruckus-Wlan-Name = "test-radius-user+pass"
(7)   Event-Timestamp = "Jul  3 2019 15:11:54 CEST"
(7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(7) server inner-tunnel {
(7)   session-state: No cached attributes
(7)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(7)     authorize {
(7)       policy filter_username {
(7)         if (&User-Name) {
(7)         if (&User-Name)  -> TRUE
(7)         if (&User-Name)  {
(7)           if (&User-Name =~ / /) {
(7)           if (&User-Name =~ / /)  -> FALSE
(7)           if (&User-Name =~ /@[^@]*@/ ) {
(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)           if (&User-Name =~ /\.\./ ) {
(7)           if (&User-Name =~ /\.\./ )  -> FALSE
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)           if (&User-Name =~ /\.$/)  {
(7)           if (&User-Name =~ /\.$/)   -> FALSE
(7)           if (&User-Name =~ /@\./)  {
(7)           if (&User-Name =~ /@\./)   -> FALSE
(7)         } # if (&User-Name)  = notfound
(7)       } # policy filter_username = notfound
(7)       [chap] = noop
(7)       [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)       [suffix] = noop
(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 72
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)       [eap] = updated
(7)       [files] = noop
(7) sql: EXPAND %{User-Name}
(7) sql:    --> wifitestmac01
(7) sql: SQL-User-Name set to 'wifitestmac01'
rlm_sql (sql): Reserved connection (1)
(7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(7) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id
(7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id
(7) sql: User found in radcheck table
(7) sql: Conditional check items matched, merging assignment check items
(7) sql:   Cleartext-Password := "tester555"
(7) sql:   MS-CHAP-Use-NTLM-Auth := No
(7) sql:   Calling-Station-Id := "24-FB-65-69-06-AF"
(7) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(7) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id
(7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id
(7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(7) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority
(7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority
(7) sql: User found in the group table
(7) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(7) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id
(7) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id
(7) sql: Group "wifi_wo-secure": Conditional check items matched
(7) sql: Group "wifi_wo-secure": Merging assignment check items
(7) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(7) sql:    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id
(7) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id
(7) sql: Group "wifi_wo-secure": Merging reply items
(7) sql:   Huntgroup-Name := "wo-secure"
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.40-MariaDB, protocol version 10
(7)       [sql] = ok
(7)       [expiration] = noop
(7)       [logintime] = noop
(7) pap: WARNING: Auth-Type already set.  Not setting to PAP
(7)       [pap] = noop
(7)     } # authorize = updated
(7)   Found Auth-Type = eap
(7)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7)     authenticate {
(7) eap: Expiring EAP session with state 0x78a9799278ae6313
(7) eap: Finished EAP session with state 0x78a9799278ae6313
(7) eap: Previous EAP request found for state 0x78a9799278ae6313, released from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) eap_mschapv2:   authenticate {
(7) mschap: Found Cleartext-Password, hashing to create NT-Password
(7) mschap: Found Cleartext-Password, hashing to create LM-Password
(7) mschap: Creating challenge hash with username: wifitestmac01
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Adding MS-CHAPv2 MPPE keys
(7)     [mschap] = ok
(7)   } # authenticate = ok
(7) MSCHAP Success
(7) eap: Sending EAP Request (code 1) ID 8 length 51
(7) eap: EAP session adding &reply:State = 0x78a9799279a16313
(7)       [eap] = handled
(7)     } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7)   Huntgroup-Name = "wo-secure"
(7)   EAP-Message = 0x010800331a0307002e533d41423746314439413946443643463639353932453639354141353944454243424636423533383944
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x78a9799279a16313f359dd39dd5c9f11
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap:   Huntgroup-Name = "wo-secure"
(7) eap_peap:   EAP-Message = 0x010800331a0307002e533d41423746314439413946443643463639353932453639354141353944454243424636423533383944
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0x78a9799279a16313f359dd39dd5c9f11
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap:   Huntgroup-Name = "wo-secure"
(7) eap_peap:   EAP-Message = 0x010800331a0307002e533d41423746314439413946443643463639353932453639354141353944454243424636423533383944
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0x78a9799279a16313f359dd39dd5c9f11
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 8 length 82
(7) eap: EAP session adding &reply:State = 0x3bd334c23cdb2d5a
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7)   Challenge { ... } # empty sub-section is ignored
(7) Sent Access-Challenge Id 35 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(7)   EAP-Message = 0x0108005219001703030047d5ec48bada42fbd4a02ea88aa51ecde0431fc6ac9846f7c0bc036ed64ec4a3c3a48c11c16ba8cdeed9c4ac5890895c8591ac992d69a16fc27bc54f573dc888eb7d087f53f723fd
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x3bd334c23cdb2d5a464d9b22d2e35ffe
(7)   Proxy-State = 0x3733
(7) Finished request
Waking up in 4.5 seconds.
(8) Received Access-Request Id 62 from 192.168.70.15:18487 to 192.168.199.69:1812 length 407
(8)   Acct-Session-Id = "5D1CA994-67A4B00F"
(8)   User-Name = "wifitestmac01"
(8)   NAS-IP-Address = 192.168.70.63
(8)   NAS-Identifier = "ruckuscontroller"
(8)   NAS-Port = 1
(8)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(8)   Calling-Station-Id = "24-FB-65-69-06-AF"
(8)   Location-Data = 0x31304445170a49542d53657276696365
(8)   Service-Type = Framed-User
(8)   Chargeable-User-Identity = 0x00
(8)   NAS-Port-Type = Wireless-802.11
(8)   Connect-Info = "CONNECT 802.11a/n/ac"
(8)   EAP-Message = 0x020800251900170303001a0000000000000003559b9229317f3155d7720c582345c83dac3f
(8)   State = 0x3bd334c23cdb2d5a464d9b22d2e35ffe
(8)   Ruckus-SSID = "test-radius-user+pass"
(8)   Ruckus-BSSID = 0x34fa9ffa588e
(8)   Ruckus-Location = "IT-Service"
(8)   Ruckus-VLAN-ID = 1
(8)   Ruckus-SCG-CBlade-IP = 3232253455
(8)   Ruckus-Zone-Name = "Detmold"
(8)   Ruckus-Wlan-Name = "test-radius-user+pass"
(8)   Message-Authenticator = 0x1990281948930e08ef66d420ea1928c8
(8)   Proxy-State = 0x3734
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8)   authorize {
rlm_ldap (ldap): Reserved connection (2)
(8) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap:    --> (name=wifitestmac01)
(8) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: Search returned no results
rlm_ldap (ldap): Released connection (2)
(8)     [ldap] = notfound
(8)     policy group_authorization {
(8)       if (&Huntgroup-Name == "wo-byod") {
(8)       ERROR: Failed retrieving values required to evaluate condition
(8)       elsif (&Huntgroup-Name == "wo-secure") {
(8)       ERROR: Failed retrieving values required to evaluate condition
(8)     } # policy group_authorization = notfound
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     policy filter_password {
(8)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
(8)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
(8)     } # policy filter_password = notfound
(8)     [preprocess] = ok
(8)     [chap] = noop
(8)     [mschap] = noop
(8)     [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 37
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0x78a9799279a16313
(8) eap: Finished EAP session with state 0x3bd334c23cdb2d5a
(8) eap: Previous EAP request found for state 0x3bd334c23cdb2d5a, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message = 0x020800061a03
(8) eap_peap: Setting User-Name to wifitestmac01
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap:   EAP-Message = 0x020800061a03
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = "wifitestmac01"
(8) eap_peap:   State = 0x78a9799279a16313f359dd39dd5c9f11
(8) eap_peap:   Acct-Session-Id = "5D1CA994-67A4B00F"
(8) eap_peap:   NAS-IP-Address = 192.168.70.63
(8) eap_peap:   NAS-Identifier = "ruckuscontroller"
(8) eap_peap:   NAS-Port = 1
(8) eap_peap:   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(8) eap_peap:   Calling-Station-Id = "24-FB-65-69-06-AF"
(8) eap_peap:   Location-Data = 0x31304445170a49542d53657276696365
(8) eap_peap:   Service-Type = Framed-User
(8) eap_peap:   Chargeable-User-Identity = 0x00
(8) eap_peap:   NAS-Port-Type = Wireless-802.11
(8) eap_peap:   Connect-Info = "CONNECT 802.11a/n/ac"
(8) eap_peap:   Ruckus-SSID = "test-radius-user+pass"
(8) eap_peap:   Ruckus-BSSID = 0x34fa9ffa588e
(8) eap_peap:   Ruckus-Location = "IT-Service"
(8) eap_peap:   Ruckus-VLAN-ID = 1
(8) eap_peap:   Ruckus-SCG-CBlade-IP = 3232253455
(8) eap_peap:   Ruckus-Zone-Name = "Detmold"
(8) eap_peap:   Ruckus-Wlan-Name = "test-radius-user+pass"
(8) eap_peap:   Event-Timestamp = "Jul  3 2019 15:11:54 CEST"
(8) Virtual server inner-tunnel received request
(8)   EAP-Message = 0x020800061a03
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "wifitestmac01"
(8)   State = 0x78a9799279a16313f359dd39dd5c9f11
(8)   Acct-Session-Id = "5D1CA994-67A4B00F"
(8)   NAS-IP-Address = 192.168.70.63
(8)   NAS-Identifier = "ruckuscontroller"
(8)   NAS-Port = 1
(8)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(8)   Calling-Station-Id = "24-FB-65-69-06-AF"
(8)   Location-Data = 0x31304445170a49542d53657276696365
(8)   Service-Type = Framed-User
(8)   Chargeable-User-Identity = 0x00
(8)   NAS-Port-Type = Wireless-802.11
(8)   Connect-Info = "CONNECT 802.11a/n/ac"
(8)   Ruckus-SSID = "test-radius-user+pass"
(8)   Ruckus-BSSID = 0x34fa9ffa588e
(8)   Ruckus-Location = "IT-Service"
(8)   Ruckus-VLAN-ID = 1
(8)   Ruckus-SCG-CBlade-IP = 3232253455
(8)   Ruckus-Zone-Name = "Detmold"
(8)   Ruckus-Wlan-Name = "test-radius-user+pass"
(8)   Event-Timestamp = "Jul  3 2019 15:11:54 CEST"
(8) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(8) server inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8)     authorize {
(8)       policy filter_username {
(8)         if (&User-Name) {
(8)         if (&User-Name)  -> TRUE
(8)         if (&User-Name)  {
(8)           if (&User-Name =~ / /) {
(8)           if (&User-Name =~ / /)  -> FALSE
(8)           if (&User-Name =~ /@[^@]*@/ ) {
(8)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)           if (&User-Name =~ /\.\./ ) {
(8)           if (&User-Name =~ /\.\./ )  -> FALSE
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)           if (&User-Name =~ /\.$/)  {
(8)           if (&User-Name =~ /\.$/)   -> FALSE
(8)           if (&User-Name =~ /@\./)  {
(8)           if (&User-Name =~ /@\./)   -> FALSE
(8)         } # if (&User-Name)  = notfound
(8)       } # policy filter_username = notfound
(8)       [chap] = noop
(8)       [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)       [suffix] = noop
(8)       update control {
(8)         &Proxy-To-Realm := LOCAL
(8)       } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8)       [eap] = updated
(8)       [files] = noop
(8) sql: EXPAND %{User-Name}
(8) sql:    --> wifitestmac01
(8) sql: SQL-User-Name set to 'wifitestmac01'
rlm_sql (sql): Reserved connection (2)
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id
(8) sql: User found in radcheck table
(8) sql: Conditional check items matched, merging assignment check items
(8) sql:   Cleartext-Password := "tester555"
(8) sql:   MS-CHAP-Use-NTLM-Auth := No
(8) sql:   Calling-Station-Id := "24-FB-65-69-06-AF"
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id
(8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(8) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority
(8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority
(8) sql: User found in the group table
(8) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(8) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id
(8) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id
(8) sql: Group "wifi_wo-secure": Conditional check items matched
(8) sql: Group "wifi_wo-secure": Merging assignment check items
(8) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(8) sql:    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id
(8) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id
(8) sql: Group "wifi_wo-secure": Merging reply items
(8) sql:   Huntgroup-Name := "wo-secure"
rlm_sql (sql): Released connection (2)
(8)       [sql] = ok
(8)       [expiration] = noop
(8)       [logintime] = noop
(8) pap: WARNING: Auth-Type already set.  Not setting to PAP
(8)       [pap] = noop
(8)     } # authorize = updated
(8)   Found Auth-Type = eap
(8)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8)     authenticate {
(8) eap: Expiring EAP session with state 0x78a9799279a16313
(8) eap: Finished EAP session with state 0x78a9799279a16313
(8) eap: Previous EAP request found for state 0x78a9799279a16313, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 8 length 4
(8) eap: Freeing handler
(8)       [eap] = ok
(8)     } # authenticate = ok
(8)   # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(8)     post-auth {
(8) sql: EXPAND .query
(8) sql:    --> .query
(8) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (3)
(8) sql: EXPAND %{User-Name}
(8) sql:    --> wifitestmac01
(8) sql: SQL-User-Name set to 'wifitestmac01'
(8) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(8) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.476885')
(8) sql: EXPAND /var/log/radius/sqllog.sql
(8) sql:    --> /var/log/radius/sqllog.sql
(8) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.476885')
(8) sql: SQL query returned: success
(8) sql: 1 record(s) updated
rlm_sql (sql): Released connection (3)
(8)       [sql] = ok
(8)       if (0) {
(8)       if (0)  -> FALSE
(8)     } # post-auth = ok
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8)   Huntgroup-Name = "wo-secure"
(8)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(8)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8)   MS-MPPE-Send-Key = 0x09649f4423192a6d5709c19fe5125d4a
(8)   MS-MPPE-Recv-Key = 0x6a4b0cefe1f26056c755aaa5f734ce7c
(8)   EAP-Message = 0x03080004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   User-Name = "wifitestmac01"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap:   Huntgroup-Name = "wo-secure"
(8) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap:   MS-MPPE-Send-Key = 0x09649f4423192a6d5709c19fe5125d4a
(8) eap_peap:   MS-MPPE-Recv-Key = 0x6a4b0cefe1f26056c755aaa5f734ce7c
(8) eap_peap:   EAP-Message = 0x03080004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap:   User-Name = "wifitestmac01"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap:   Huntgroup-Name = "wo-secure"
(8) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap:   MS-MPPE-Send-Key = 0x09649f4423192a6d5709c19fe5125d4a
(8) eap_peap:   MS-MPPE-Recv-Key = 0x6a4b0cefe1f26056c755aaa5f734ce7c
(8) eap_peap:   EAP-Message = 0x03080004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap:   User-Name = "wifitestmac01"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap: Sending EAP Request (code 1) ID 9 length 46
(8) eap: EAP session adding &reply:State = 0x3bd334c233da2d5a
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8)   Challenge { ... } # empty sub-section is ignored
(8) Sent Access-Challenge Id 62 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(8)   EAP-Message = 0x0109002e19001703030023d5ec48bada42fbd57360d536a83db35fd6aa4c397ac57dc6b063543e6a7988551a9ecf
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0x3bd334c233da2d5a464d9b22d2e35ffe
(8)   Proxy-State = 0x3734
(8) Finished request
Waking up in 4.4 seconds.
(9) Received Access-Request Id 148 from 192.168.70.15:18487 to 192.168.199.69:1812 length 416
(9)   Acct-Session-Id = "5D1CA994-67A4B00F"
(9)   User-Name = "wifitestmac01"
(9)   NAS-IP-Address = 192.168.70.63
(9)   NAS-Identifier = "ruckuscontroller"
(9)   NAS-Port = 1
(9)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(9)   Calling-Station-Id = "24-FB-65-69-06-AF"
(9)   Location-Data = 0x31304445170a49542d53657276696365
(9)   Service-Type = Framed-User
(9)   Chargeable-User-Identity = 0x00
(9)   NAS-Port-Type = Wireless-802.11
(9)   Connect-Info = "CONNECT 802.11a/n/ac"
(9)   EAP-Message = 0x0209002e190017030300230000000000000004e71ecbff60c571603fd792638be1058058177b3ddab992ee20e458
(9)   State = 0x3bd334c233da2d5a464d9b22d2e35ffe
(9)   Ruckus-SSID = "test-radius-user+pass"
(9)   Ruckus-BSSID = 0x34fa9ffa588e
(9)   Ruckus-Location = "IT-Service"
(9)   Ruckus-VLAN-ID = 1
(9)   Ruckus-SCG-CBlade-IP = 3232253455
(9)   Ruckus-Zone-Name = "Detmold"
(9)   Ruckus-Wlan-Name = "test-radius-user+pass"
(9)   Message-Authenticator = 0x162c711631dc2d5883505d06283cda48
(9)   Proxy-State = 0x3735
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9)   authorize {
rlm_ldap (ldap): Reserved connection (6)
(9) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(9) ldap:    --> (name=wifitestmac01)
(9) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(9) ldap: Waiting for search result...
(9) ldap: Search returned no results
rlm_ldap (ldap): Released connection (6)
(9)     [ldap] = notfound
(9)     policy group_authorization {
(9)       if (&Huntgroup-Name == "wo-byod") {
(9)       ERROR: Failed retrieving values required to evaluate condition
(9)       elsif (&Huntgroup-Name == "wo-secure") {
(9)       ERROR: Failed retrieving values required to evaluate condition
(9)     } # policy group_authorization = notfound
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     policy filter_password {
(9)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
(9)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
(9)     } # policy filter_password = notfound
(9)     [preprocess] = ok
(9)     [chap] = noop
(9)     [mschap] = noop
(9)     [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 9 length 46
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9)   authenticate {
(9) eap: Expiring EAP session with state 0x3bd334c233da2d5a
(9) eap: Finished EAP session with state 0x3bd334c233da2d5a
(9) eap: Previous EAP request found for state 0x3bd334c233da2d5a, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap: Sending EAP Success (code 3) ID 9 length 4
(9) eap: Freeing handler
(9)     [eap] = ok
(9)   } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(9)   post-auth {
(9)     update {
(9)       No attributes updated
(9)     } # update = noop
(9) sql: EXPAND .query
(9) sql:    --> .query
(9) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(9) sql: EXPAND %{User-Name}
(9) sql:    --> wifitestmac01
(9) sql: SQL-User-Name set to 'wifitestmac01'
(9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(9) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.531951')
(9) sql: EXPAND /var/log/radius/sqllog.sql
(9) sql:    --> /var/log/radius/sqllog.sql
(9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.531951')
(9) sql: SQL query returned: success
(9) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(9)     [sql] = ok
(9)     [exec] = noop
(9)     policy remove_reply_message_if_eap {
(9)       if (&reply:EAP-Message && &reply:Reply-Message) {
(9)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(9)       else {
(9)         [noop] = noop
(9)       } # else = noop
(9)     } # policy remove_reply_message_if_eap = noop
(9)   } # post-auth = ok
(9) Sent Access-Accept Id 148 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(9)   MS-MPPE-Recv-Key = 0xa63d5b43df19ab6338895fc4f40050e4990bc4207f4412edceb938cf1fcadd3e
(9)   MS-MPPE-Send-Key = 0x29dabf22b9bda920c708becdd0886e0a8216f4d5881268045a296076fd901b90
(9)   EAP-Message = 0x03090004
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   User-Name = "wifitestmac01"
(9)   Proxy-State = 0x3735
(9) Finished request
Waking up in 4.4 seconds.
(0) Cleaning up request packet ID 118 with timestamp +48



More information about the Freeradius-Users mailing list