AW: Additional reply attributes via eap-pwd possible?

denny.friebe at icera-network.de denny.friebe at icera-network.de
Tue Jan 26 15:54:53 CET 2021


> Yes.
> Alan DeKok.

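Thank you for your answer. I am still stuck with the problem: the RADIUS server does not send me the additional reply attributes.
In the debug output below, the tunneled reply from the inner-tunnel contains LCS-TxRateLimit and LCS-RxRateLimit, but the final Access-Accept does not. I suspect a problem with the inner-tunnel. Maybe you could help me here?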

Ready to process requests
(0) Received Access-Request Id 131 from 10.30.156.65:37368 to 10.15.0.136:1812 length 217
(0)   User-Name = "5001"
(0)   NAS-IP-Address = 10.30.156.65
(0)   NAS-Identifier = "c0e4000b1733"
(0)   Called-Station-Id = "C0-E4-00-0B-17-33:TestAuth"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Framed-User
(0)   Calling-Station-Id = "F6-1C-00-0B-07-03"
(0)   Connect-Info = "CONNECT 0Mbps 802.11b"
(0)   Acct-Session-Id = "212F019475EE742B"
(0)   Acct-Multi-Session-Id = "140719517FC880F8"
(0)   WLAN-Pairwise-Cipher = 1027076
(0)   WLAN-Group-Cipher = 1027076
(0)   WLAN-AKM-Suite = 1027073
(0)   Framed-MTU = 1400
(0)   EAP-Message = 0x026200090135303031
(0)   Message-Authenticator = 0x40c853e732061fe7ef8b834200e86e85
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "5001", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0)     policy rewrite_calling_station_id {
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(0)         update request {
(0)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(0)              --> F6-1C-00-0B-07-03
(0)           &Calling-Station-Id := F6-1C-00-0B-07-03
(0)         } # update request = noop
(0)         [updated] = updated
(0)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(0)       ... skipping else: Preceding "if" was taken
(0)     } # policy rewrite_calling_station_id = updated
(0) eap: Peer sent EAP Response (code 2) ID 98 length 9
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_pwd to process data
(0) eap: Sending EAP Request (code 1) ID 99 length 46
(0) eap: EAP session adding &reply:State = 0x7746780c77254c9b
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 131 from 10.15.0.136:1812 to 10.30.156.65:37368 length 0
(0)   EAP-Message = 0x0163002e340100130101f04ae61e0066726565726164697573407372762d667265657261646975732d7664686f74
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x7746780c77254c9bc64706082ad8092a
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 132 from 10.30.156.65:37368 to 10.15.0.136:1812 length 245
(1)   User-Name = "5001"
(1)   NAS-IP-Address = 10.30.156.65
(1)   NAS-Identifier = "c0e4000b1733"
(1)   Called-Station-Id = "C0-E4-00-0B-17-33:TestAuth"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Service-Type = Framed-User
(1)   Calling-Station-Id = "F6-1C-00-0B-07-03"
(1)   Connect-Info = "CONNECT 0Mbps 802.11b"
(1)   Acct-Session-Id = "212F019475EE742B"
(1)   Acct-Multi-Session-Id = "140719517FC880F8"
(1)   WLAN-Pairwise-Cipher = 1027076
(1)   WLAN-Group-Cipher = 1027076
(1)   WLAN-AKM-Suite = 1027073
(1)   Framed-MTU = 1400
(1)   EAP-Message = 0x02630013340100130101f04ae61e0035303031
(1)   State = 0x7746780c77254c9bc64706082ad8092a
(1)   Message-Authenticator = 0x7b79b35ea1f61596294cd984d984b446
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "5001", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1)     policy rewrite_calling_station_id {
(1)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(1)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(1)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(1)         update request {
(1)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(1)              --> F6-1C-00-0B-07-03
(1)           &Calling-Station-Id := F6-1C-00-0B-07-03
(1)         } # update request = noop
(1)         [updated] = updated
(1)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(1)       ... skipping else: Preceding "if" was taken
(1)     } # policy rewrite_calling_station_id = updated
(1) eap: Peer sent EAP Response (code 2) ID 99 length 19
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x7746780c77254c9b
(1) eap: Finished EAP session with state 0x7746780c77254c9b
(1) eap: Previous EAP request found for state 0x7746780c77254c9b, released from the list
(1) eap: Peer sent packet with method EAP PWD (52)
(1) eap: Calling submodule eap_pwd to process data
(1) eap_pwd: Sending tunneled request
(1) eap_pwd:   User-Name = "5001"
(1) eap_pwd: server inner-tunnel {
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "5001", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1)     update control {
(1)       &Proxy-To-Realm := LOCAL
(1)     } # update control = noop
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1) sql: EXPAND %{User-Name}
(1) sql:    --> 5001
(1) sql: SQL-User-Name set to '5001'
rlm_sql (sql): Reserved connection (0)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '5001' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '5001' ORDER BY id
(1) sql: User found in radcheck table
(1) sql: Conditional check items matched, merging assignment check items
(1) sql:   Cleartext-Password := "abc123"
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '5001' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '5001' ORDER BY id
(1) sql: User found in radreply table, merging reply items
(1) sql:   LCS-TxRateLimit = 10500
(1) sql:   LCS-RxRateLimit = 3600
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sql:    --> SELECT groupname FROM radusergroup WHERE username = '5001' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '5001' ORDER BY priority
(1) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 10.15.0.134 via TCP/IP, server version 5.7.30-log, protocol version 10
(1)     [sql] = ok
(1)     [logintime] = noop
(1) pap: No User-Password attribute in the request.  Cannot do PAP
(1)     [pap] = noop
(1)   } # authorize = ok
(1) eap_pwd: } # server inner-tunnel
(1) eap_pwd: Got tunneled reply code 0
(1) eap_pwd:   LCS-TxRateLimit = 10500
(1) eap_pwd:   LCS-RxRateLimit = 3600
(1) eap: Sending EAP Request (code 1) ID 100 length 102
(1) eap: EAP session adding &reply:State = 0x7746780c76224c9b
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 132 from 10.15.0.136:1812 to 10.30.156.65:37368 length 0
(1)   EAP-Message = 0x016400663402c2210083a3269c8fdc7a59bd8f948c417cf16e9e0766b4ffbb3cebffa97df893a7561900ca1e1919da6a33fa8a92339ec8010b44accf6c9d4a01e427fee1f152720b5b45d4f710ff0996339038c280c217db7061d1b6337ced479ecde0815022
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x7746780c76224c9bc64706082ad8092a
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 133 from 10.30.156.65:37368 to 10.15.0.136:1812 length 328
(2)   User-Name = "5001"
(2)   NAS-IP-Address = 10.30.156.65
(2)   NAS-Identifier = "c0e4000b1733"
(2)   Called-Station-Id = "C0-E4-00-0B-17-33:TestAuth"
(2)   NAS-Port-Type = Wireless-802.11
(2)   Service-Type = Framed-User
(2)   Calling-Station-Id = "F6-1C-00-0B-07-03"
(2)   Connect-Info = "CONNECT 0Mbps 802.11b"
(2)   Acct-Session-Id = "212F019475EE742B"
(2)   Acct-Multi-Session-Id = "140719517FC880F8"
(2)   WLAN-Pairwise-Cipher = 1027076
(2)   WLAN-Group-Cipher = 1027076
(2)   WLAN-AKM-Suite = 1027073
(2)   Framed-MTU = 1400
(2)   EAP-Message = 0x026400663402e5ff4eb08991c163fd5128ce39375ab5aacf1e10cbc62d289e9cdec763bd51be0391bf4a4a550cefbd37564819fbee344376feaba44f726566f2f655b714c314c544af8bc9d0149f7fb6565ecbd5083d2f9c57f51431dce45488765ba1c987ea
(2)   State = 0x7746780c76224c9bc64706082ad8092a
(2)   Message-Authenticator = 0xa9f3aced80dc79fc22b8af1713a940e0
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "5001", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2)     policy rewrite_calling_station_id {
(2)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(2)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(2)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(2)         update request {
(2)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(2)              --> F6-1C-00-0B-07-03
(2)           &Calling-Station-Id := F6-1C-00-0B-07-03
(2)         } # update request = noop
(2)         [updated] = updated
(2)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(2)       ... skipping else: Preceding "if" was taken
(2)     } # policy rewrite_calling_station_id = updated
(2) eap: Peer sent EAP Response (code 2) ID 100 length 102
(2) eap: No EAP Start, assuming it's an on-going EAP conversation
(2)     [eap] = updated
(2)   } # authorize = updated
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0x7746780c76224c9b
(2) eap: Finished EAP session with state 0x7746780c76224c9b
(2) eap: Previous EAP request found for state 0x7746780c76224c9b, released from the list
(2) eap: Peer sent packet with method EAP PWD (52)
(2) eap: Calling submodule eap_pwd to process data
(2) eap: Sending EAP Request (code 1) ID 101 length 38
(2) eap: EAP session adding &reply:State = 0x7746780c75234c9b
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 133 from 10.15.0.136:1812 to 10.30.156.65:37368 length 0
(2)   EAP-Message = 0x0165002634037466e2384d2efd73818f0e4cdcc666a769a4bc85fe6895a78b0f5fc853d4e5cd
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0x7746780c75234c9bc64706082ad8092a
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 134 from 10.30.156.65:37368 to 10.15.0.136:1812 length 264
(3)   User-Name = "5001"
(3)   NAS-IP-Address = 10.30.156.65
(3)   NAS-Identifier = "c0e4000b1733"
(3)   Called-Station-Id = "C0-E4-00-0B-17-33:TestAuth"
(3)   NAS-Port-Type = Wireless-802.11
(3)   Service-Type = Framed-User
(3)   Calling-Station-Id = "F6-1C-00-0B-07-03"
(3)   Connect-Info = "CONNECT 0Mbps 802.11b"
(3)   Acct-Session-Id = "212F019475EE742B"
(3)   Acct-Multi-Session-Id = "140719517FC880F8"
(3)   WLAN-Pairwise-Cipher = 1027076
(3)   WLAN-Group-Cipher = 1027076
(3)   WLAN-AKM-Suite = 1027073
(3)   Framed-MTU = 1400
(3)   EAP-Message = 0x026500263403bb6184d17965cbf286f91ab7a6bce8af297c878e5d4ef27995065b48833e06ce
(3)   State = 0x7746780c75234c9bc64706082ad8092a
(3)   Message-Authenticator = 0x68727675cf8809530dd137abdfbb4589
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "5001", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3)     policy rewrite_calling_station_id {
(3)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(3)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(3)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(3)         update request {
(3)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(3)              --> F6-1C-00-0B-07-03
(3)           &Calling-Station-Id := F6-1C-00-0B-07-03
(3)         } # update request = noop
(3)         [updated] = updated
(3)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(3)       ... skipping else: Preceding "if" was taken
(3)     } # policy rewrite_calling_station_id = updated
(3) eap: Peer sent EAP Response (code 2) ID 101 length 38
(3) eap: No EAP Start, assuming it's an on-going EAP conversation
(3)     [eap] = updated
(3)   } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0x7746780c75234c9b
(3) eap: Finished EAP session with state 0x7746780c75234c9b
(3) eap: Previous EAP request found for state 0x7746780c75234c9b, released from the list
(3) eap: Peer sent packet with method EAP PWD (52)
(3) eap: Calling submodule eap_pwd to process data
(3) eap: Sending EAP Success (code 3) ID 101 length 4
(3) eap: Freeing handler
(3)     [eap] = ok
(3)   } # authenticate = ok
(3) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(3)   post-auth {
(3)     update {
(3)       No attributes updated
(3)     } # update = noop
(3) sql: EXPAND .query
(3) sql:    --> .query
(3) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (1)
(3) sql: EXPAND %{User-Name}
(3) sql:    --> 5001
(3) sql: SQL-User-Name set to '5001'
(3) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(3) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '5001', '', 'Access-Accept', '2021-01-26 14:21:40')
(3) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '5001', '', 'Access-Accept', '2021-01-26 14:21:40')
(3) sql: SQL query returned: success
(3) sql: 1 record(s) updated
rlm_sql (sql): Released connection (1)
(3)     [sql] = ok
(3)     [exec] = noop
(3)   } # post-auth = ok
(3) Sent Access-Accept Id 134 from 10.15.0.136:1812 to 10.30.156.65:37368 length 0
(3)   MS-MPPE-Recv-Key = 0x54f1496249a0aeed71eebb1a9b0e0cff5a1f1992fb46553c655f308b108591cd
(3)   MS-MPPE-Send-Key = 0x6fc7161e06565a9b0c1bb0d85559807aba0a65aa8accc2bec14a2fffa6835be4
(3)   EAP-Message = 0x03650004
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   User-Name = "5001"
(3) Finished request
Waking up in 4.8 seconds.



