Active Directory Attribute not extending to device

Luke Smith LukeS at coloradovalley.com
Wed Jul 7 00:33:15 CEST 2021


I am trying to set up my Cambium radios to use my instance of FreeRADIUS, which I have working for several other network devices. I have found out from Cambium that there are 2 attributes that need to be passed along to make it work. I have added the attributes to the dictionary files.

ATTRIBUTE       Cambium-Canopy-UserLevel                50      integer                                 #Userlevel permission for the User logging in remotely
ATTRIBUTE       Cambium-Canopy-UserMode                 51      integer                                 #UserMode  permission for the User logging in remotely(1=Read-Only 0=Read-Write)

I have added these attributes with the appropriate integer in Active Directory, but when I try to log in the attributes are not being passed along to the device. The only thing I've seen where the attribute is passed along successfully is adding individual users in clients.conf, but I would rather not have to manage user information in RADIUS when I have AD doing that.

Below is the debug output of my login attempt. I see a successful login, but the 2 attributes are missing. What might I be missing?

(0) Received Access-Request Id 0 from 65.120.4.177:1231 to 66.220.128.93:1812 length 101
(0)   Calling-Station-Id = "0A-00-3E-45-1E-66"
(0)   User-Name = "lukes"
(0)   NAS-IP-Address = 172.31.5.168
(0)   NAS-Port = 5
(0)   NAS-Port-Type = Wireless-Other
(0)   Framed-MTU = 1020
(0)   EAP-Message = 0x0201000b016c756b657300
(0)   Message-Authenticator = 0xc2694530afcdc83b4f125b59ef9f2f30
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "lukes", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 11
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 2 length 6
(0) eap: EAP session adding &reply:State = 0x862cdf61862ec680
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 0 from 66.220.128.93:1812 to 65.120.4.177:1231 length 0
(0)   EAP-Message = 0x010200061920
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x862cdf61862ec680fd28d95218ffb4d1
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +59
(1) Received Access-Request Id 0 from 65.120.4.177:1231 to 66.220.128.93:1812 length 176
(1)   Calling-Station-Id = "0A-00-3E-45-1E-66"
(1)   User-Name = "lukes"
(1)   State = 0x862cdf61862ec680fd28d95218ffb4d1
(1)   NAS-IP-Address = 172.31.5.168
(1)   NAS-Port = 5
(1)   NAS-Port-Type = Wireless-Other
(1)   Framed-MTU = 1020
(1)   EAP-Message = 0x0202004419800000003a16030100350100003103018cd12ea3235c5bce505390ed819da84dbdaf430da7c28d9a376a82a56e9f3ef000000a0035002f00040005000a0100
(1)   Message-Authenticator = 0x48e4a0d10984feb213cf25bff897851d
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "lukes", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 68
(1) eap: Continuing tunnel setup
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x862cdf61862ec680
(1) eap: Finished EAP session with state 0x862cdf61862ec680
(1) eap: Previous EAP request found for state 0x862cdf61862ec680, released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 58 bytes
(1) eap_peap: Got complete TLS record (58 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before/accept initialization
(1) eap_peap: TLS_accept: before/accept initialization
(1) eap_peap: <<< recv TLS 1.0 Handshake [length 0035], ClientHello
(1) eap_peap: TLS_accept: SSLv3 read client hello A
(1) eap_peap: >>> send TLS 1.0 Handshake [length 002a], ServerHello
(1) eap_peap: TLS_accept: SSLv3 write server hello A
(1) eap_peap: >>> send TLS 1.0 Handshake [length 06ab], Certificate
(1) eap_peap: TLS_accept: SSLv3 write certificate A
(1) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) eap_peap: TLS_accept: SSLv3 write server done A
(1) eap_peap: TLS_accept: SSLv3 flush data
(1) eap_peap: TLS_accept: SSLv3 read client certificate A
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(1) eap_peap: In SSL Handshake Phase
(1) eap_peap: In SSL Accept mode
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 3 length 1004
(1) eap: EAP session adding &reply:State = 0x862cdf61872fc680
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 0 from 66.220.128.93:1812 to 65.120.4.177:1231 length 0
(1)   EAP-Message = 0x010303ec19c0000006e8160301002a02000026030171cb3f8517dc997d4442c272fbbf7781a6b651b974cf6ab281e452ff4523ef290000350016030106ab0b0006a70006a40003523082034e308202b7a003020102020101300d06092a864886f70d01010505003081c0310b3009060355040613025553
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x862cdf61872fc680fd28d95218ffb4d1
(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 0 with timestamp +59
(2) Received Access-Request Id 0 from 65.120.4.177:1231 to 66.220.128.93:1812 length 114
(2)   Calling-Station-Id = "0A-00-3E-45-1E-66"
(2)   User-Name = "lukes"
(2)   State = 0x862cdf61872fc680fd28d95218ffb4d1
(2)   NAS-IP-Address = 172.31.5.168
(2)   NAS-Port = 5
(2)   NAS-Port-Type = Wireless-Other
(2)   Framed-MTU = 1020
(2)   EAP-Message = 0x020300061900
(2)   Message-Authenticator = 0x0046cb9bc798f6b3f90bcf16b34207c3
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "lukes", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0x862cdf61872fc680
(2) eap: Finished EAP session with state 0x862cdf61872fc680
(2) eap: Previous EAP request found for state 0x862cdf61872fc680, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer ACKed our handshake fragment
(2) eap_peap: [eaptls verify] = request
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 780
(2) eap: EAP session adding &reply:State = 0x862cdf618428c680
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 0 from 66.220.128.93:1812 to 65.120.4.177:1231 length 0
(2)   EAP-Message = 0x0104030c1900746f726f6c6120536f6c7574696f6e732c20496e632e31223020060355040b131943616e6f707920576972656c6573732042726f616462616e64312230200603550403131943616e6f707920414141205365727665722044656d6f2043413133303106092a864886f70d01090116247465
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0x862cdf618428c680fd28d95218ffb4d1
(2) Finished request
Waking up in 4.9 seconds.
(2) Cleaning up request packet ID 0 with timestamp +59
(3) Received Access-Request Id 0 from 65.120.4.177:1231 to 66.220.128.93:1812 length 316
(3)   Calling-Station-Id = "0A-00-3E-45-1E-66"
(3)   User-Name = "lukes"
(3)   State = 0x862cdf618428c680fd28d95218ffb4d1
(3)   NAS-IP-Address = 172.31.5.168
(3)   NAS-Port = 5
(3)   NAS-Port-Type = Wireless-Other
(3)   Framed-MTU = 1020
(3)   EAP-Message = 0x020400d01980000000c61603010086100000820080626fbad9808ba9dc777d6c1c2120b822859d3eb98bd4163f2f8bdfae63ab0209e1277be8ac9e533aa15a7f7299233af08d588310e9840a1101d240aac4c0e1b992f23ef5af48f54c031cb33fc320962196edf05ec1b56cb3074e57f3bc3607ea1097
(3)   Message-Authenticator = 0x2b825e7aacef0b15f8719e93c912a8e9
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "lukes", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 4 length 208
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0x862cdf618428c680
(3) eap: Finished EAP session with state 0x862cdf618428c680
(3) eap: Previous EAP request found for state 0x862cdf618428c680, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer indicated complete TLS record size will be 198 bytes
(3) eap_peap: Got complete TLS record (198 bytes)
(3) eap_peap: [eaptls verify] = length included
(3) eap_peap: <<< recv TLS 1.0 Handshake [length 0086], ClientKeyExchange
(3) eap_peap: TLS_accept: SSLv3 read client key exchange A
(3) eap_peap: TLS_accept: SSLv3 read certificate verify A
(3) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(3) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(3) eap_peap: TLS_accept: SSLv3 read finished A
(3) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(3) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(3) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(3) eap_peap: TLS_accept: SSLv3 write finished A
(3) eap_peap: TLS_accept: SSLv3 flush data
(3) eap_peap: (other): SSL negotiation finished successfully
(3) eap_peap: SSL Connection Established
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 5 length 65
(3) eap: EAP session adding &reply:State = 0x862cdf618529c680
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3)   Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 0 from 66.220.128.93:1812 to 65.120.4.177:1231 length 0
(3)   EAP-Message = 0x010500411900140301000101160301003047ab50ab141904a1bacf123ed1590136c8797a5cf8bf620ed35b8e625290044b6d112ec0e218c871002ae658c92ad88b
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0x862cdf618529c680fd28d95218ffb4d1
(3) Finished request
Waking up in 4.9 seconds.
(3) Cleaning up request packet ID 0 with timestamp +60
(4) Received Access-Request Id 0 from 65.120.4.177:1231 to 66.220.128.93:1812 length 114
(4)   Calling-Station-Id = "0A-00-3E-45-1E-66"
(4)   User-Name = "lukes"
(4)   State = 0x862cdf618529c680fd28d95218ffb4d1
(4)   NAS-IP-Address = 172.31.5.168
(4)   NAS-Port = 5
(4)   NAS-Port-Type = Wireless-Other
(4)   Framed-MTU = 1020
(4)   EAP-Message = 0x020500061900
(4)   Message-Authenticator = 0x915e0aac83abec3cf706555ab021998e
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "lukes", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 5 length 6
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0x862cdf618529c680
(4) eap: Finished EAP session with state 0x862cdf618529c680
(4) eap: Previous EAP request found for state 0x862cdf618529c680, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(4) eap_peap: [eaptls verify] = success
(4) eap_peap: [eaptls process] = success
(4) eap_peap: Session established.  Decoding tunneled attributes
(4) eap_peap: PEAP state TUNNEL ESTABLISHED
(4) eap: Sending EAP Request (code 1) ID 6 length 43
(4) eap: EAP session adding &reply:State = 0x862cdf61822ac680
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4)   Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 0 from 66.220.128.93:1812 to 65.120.4.177:1231 length 0
(4)   EAP-Message = 0x0106002b19001703010020344fa7772230ac754394b5b99acc7948c9323350d0235aa835d6d42efe262948
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0x862cdf61822ac680fd28d95218ffb4d1
(4) Finished request
Waking up in 4.9 seconds.
(4) Cleaning up request packet ID 0 with timestamp +60
(5) Received Access-Request Id 0 from 65.120.4.177:1231 to 66.220.128.93:1812 length 151
(5)   Calling-Station-Id = "0A-00-3E-45-1E-66"
(5)   User-Name = "lukes"
(5)   State = 0x862cdf61822ac680fd28d95218ffb4d1
(5)   NAS-IP-Address = 172.31.5.168
(5)   NAS-Port = 5
(5)   NAS-Port-Type = Wireless-Other
(5)   Framed-MTU = 1020
(5)   EAP-Message = 0x0206002b1900170301002000f0b3297dc7898514bf71dc8216fc9faacd0b604c1b3099553553d4700b94af
(5)   Message-Authenticator = 0xfb4337c6da9dd9b5416dcd263b2e6bcd
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "lukes", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 6 length 43
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0x862cdf61822ac680
(5) eap: Finished EAP session with state 0x862cdf61822ac680
(5) eap: Previous EAP request found for state 0x862cdf61822ac680, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: [eaptls verify] = ok
(5) eap_peap: Done initial handshake
(5) eap_peap: [eaptls process] = ok
(5) eap_peap: Session established.  Decoding tunneled attributes
(5) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(5) eap_peap: Identity - lukes
(5) eap_peap: Got inner identity 'lukes'
(5) eap_peap: Setting default EAP type for tunneled EAP session
(5) eap_peap: Got tunneled request
(5) eap_peap:   EAP-Message = 0x0206000a016c756b6573
(5) eap_peap: Setting User-Name to lukes
(5) eap_peap: Sending tunneled request to inner-tunnel
(5) eap_peap:   EAP-Message = 0x0206000a016c756b6573
(5) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(5) eap_peap:   User-Name = "lukes"
(5) Virtual server inner-tunnel received request
(5)   EAP-Message = 0x0206000a016c756b6573
(5)   FreeRADIUS-Proxied-To = 127.0.0.1
(5)   User-Name = "lukes"
(5) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(5) server inner-tunnel {
(5)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(5)     authorize {
(5)       policy filter_username {
(5)         if (&User-Name) {
(5)         if (&User-Name)  -> TRUE
(5)         if (&User-Name)  {
(5)           if (&User-Name =~ / /) {
(5)           if (&User-Name =~ / /)  -> FALSE
(5)           if (&User-Name =~ /@[^@]*@/ ) {
(5)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)           if (&User-Name =~ /\.\./ ) {
(5)           if (&User-Name =~ /\.\./ )  -> FALSE
(5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)           if (&User-Name =~ /\.$/)  {
(5)           if (&User-Name =~ /\.$/)   -> FALSE
(5)           if (&User-Name =~ /@\./)  {
(5)           if (&User-Name =~ /@\./)   -> FALSE
(5)         } # if (&User-Name)  = notfound
(5)       } # policy filter_username = notfound
(5)       [chap] = noop
(5)       [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "lukes", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)       [suffix] = noop
(5)       update control {
(5)         &Proxy-To-Realm := LOCAL
(5)       } # update control = noop
(5) eap: Peer sent EAP Response (code 2) ID 6 length 10
(5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(5)       [eap] = ok
(5)     } # authorize = ok
(5)   Found Auth-Type = eap
(5)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(5)     authenticate {
(5) eap: Peer sent packet with method EAP Identity (1)
(5) eap: Calling submodule eap_mschapv2 to process data
(5) eap_mschapv2: Issuing Challenge
(5) eap: Sending EAP Request (code 1) ID 7 length 43
(5) eap: EAP session adding &reply:State = 0xe94ee4a2e949fec1
(5)       [eap] = handled
(5)     } # authenticate = handled
(5) } # server inner-tunnel
(5) Virtual server sending reply
(5)   EAP-Message = 0x0107002b1a010700261017281254cb063f1c9cb00c70480f2199667265657261646975732d332e302e3133
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0xe94ee4a2e949fec169cde954b0eea027
(5) eap_peap: Got tunneled reply code 11
(5) eap_peap:   EAP-Message = 0x0107002b1a010700261017281254cb063f1c9cb00c70480f2199667265657261646975732d332e302e3133
(5) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(5) eap_peap:   State = 0xe94ee4a2e949fec169cde954b0eea027
(5) eap_peap: Got tunneled reply RADIUS code 11
(5) eap_peap:   EAP-Message = 0x0107002b1a010700261017281254cb063f1c9cb00c70480f2199667265657261646975732d332e302e3133
(5) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(5) eap_peap:   State = 0xe94ee4a2e949fec169cde954b0eea027
(5) eap_peap: Got tunneled Access-Challenge
(5) eap: Sending EAP Request (code 1) ID 7 length 75
(5) eap: EAP session adding &reply:State = 0x862cdf61832bc680
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5)   Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 0 from 66.220.128.93:1812 to 65.120.4.177:1231 length 0
(5)   EAP-Message = 0x0107004b190017030100409d6e4e677431f2b28b57f28e3ad28dfcf4beebe46c6185e6a3fcaec6e366de878b310fb526ce8c5490a3cfa14a387537bd13571d132702fbb1fd414675f36564
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0x862cdf61832bc680fd28d95218ffb4d1
(5) Finished request
Waking up in 4.9 seconds.
(5) Cleaning up request packet ID 0 with timestamp +60
(6) Received Access-Request Id 0 from 65.120.4.177:1231 to 66.220.128.93:1812 length 215
(6)   Calling-Station-Id = "0A-00-3E-45-1E-66"
(6)   User-Name = "lukes"
(6)   State = 0x862cdf61832bc680fd28d95218ffb4d1
(6)   NAS-IP-Address = 172.31.5.168
(6)   NAS-Port = 5
(6)   NAS-Port-Type = Wireless-Other
(6)   Framed-MTU = 1020
(6)   EAP-Message = 0x0207006b190017030100600ab69ea31ea989df07f5baa0683373c64cb2e8cffccb4d26db5eaac310d9f35ece4cd771a3c48167d67aede638d4af2d927ce9f9e08c43fdc85091f4b62e586081047a74d8a9eef3568aded6ddd7f93e77a2b69a149f76665467e96f192bccc0
(6)   Message-Authenticator = 0xf9ee7bb6c5095c3b5b937546bd95d7a1
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy filter_username = notfound
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "lukes", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 7 length 107
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0xe94ee4a2e949fec1
(6) eap: Finished EAP session with state 0x862cdf61832bc680
(6) eap: Previous EAP request found for state 0x862cdf61832bc680, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state phase2
(6) eap_peap: EAP method MSCHAPv2 (26)
(6) eap_peap: Got tunneled request
(6) eap_peap:   EAP-Message = 0x020700401a0207003b316798f140cab3e05a89ea91c01e866f900000000000000000b1f21bd704e23807fcd5af4f01fb60fb9df06be9c8ab1e58006c756b6573
(6) eap_peap: Setting User-Name to lukes
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap:   EAP-Message = 0x020700401a0207003b316798f140cab3e05a89ea91c01e866f900000000000000000b1f21bd704e23807fcd5af4f01fb60fb9df06be9c8ab1e58006c756b6573
(6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap:   User-Name = "lukes"
(6) eap_peap:   State = 0xe94ee4a2e949fec169cde954b0eea027
(6) Virtual server inner-tunnel received request
(6)   EAP-Message = 0x020700401a0207003b316798f140cab3e05a89ea91c01e866f900000000000000000b1f21bd704e23807fcd5af4f01fb60fb9df06be9c8ab1e58006c756b6573
(6)   FreeRADIUS-Proxied-To = 127.0.0.1
(6)   User-Name = "lukes"
(6)   State = 0xe94ee4a2e949fec169cde954b0eea027
(6) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(6) server inner-tunnel {
(6)   session-state: No cached attributes
(6)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(6)     authorize {
(6)       policy filter_username {
(6)         if (&User-Name) {
(6)         if (&User-Name)  -> TRUE
(6)         if (&User-Name)  {
(6)           if (&User-Name =~ / /) {
(6)           if (&User-Name =~ / /)  -> FALSE
(6)           if (&User-Name =~ /@[^@]*@/ ) {
(6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)           if (&User-Name =~ /\.\./ ) {
(6)           if (&User-Name =~ /\.\./ )  -> FALSE
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)           if (&User-Name =~ /\.$/)  {
(6)           if (&User-Name =~ /\.$/)   -> FALSE
(6)           if (&User-Name =~ /@\./)  {
(6)           if (&User-Name =~ /@\./)   -> FALSE
(6)         } # if (&User-Name)  = notfound
(6)       } # policy filter_username = notfound
(6)       [chap] = noop
(6)       [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "lukes", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)       [suffix] = noop
(6)       update control {
(6)         &Proxy-To-Realm := LOCAL
(6)       } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 7 length 64
(6) eap: No EAP Start, assuming it's an on-going EAP conversation
(6)       [eap] = updated
(6)       [files] = noop
(6) sql: EXPAND %{User-Name}
(6) sql:    --> lukes
(6) sql: SQL-User-Name set to 'lukes'
rlm_sql (sql): Reserved connection (1)
(6) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(6) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'lukes' ORDER BY id
(6) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'lukes' ORDER BY id
(6) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(6) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'lukes' ORDER BY priority
(6) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'lukes' ORDER BY priority
(6) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.48-MariaDB, protocol version 10
(6)       [sql] = notfound
(6)       [expiration] = noop
(6)       [logintime] = noop
(6)       [pap] = noop
(6)     } # authorize = updated
(6)   Found Auth-Type = eap
(6)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6)     authenticate {
(6) eap: Expiring EAP session with state 0xe94ee4a2e949fec1
(6) eap: Finished EAP session with state 0xe94ee4a2e949fec1
(6) eap: Previous EAP request found for state 0xe94ee4a2e949fec1, released from the list
(6) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) eap_mschapv2:   authenticate {
(6) mschap: Creating challenge hash with username: lukes
(6) mschap: Client is using MS-CHAPv2
(6) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(6) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(6) mschap:    --> --username=lukes
(6) mschap: Creating challenge hash with username: lukes
(6) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(6) mschap:    --> --challenge=04867947fd296713
(6) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(6) mschap:    --> --nt-response=b1f21bd704e23807fcd5af4f01fb60fb9df06be9c8ab1e58
(6) mschap: Program returned code (0) and output 'NT_KEY: E36E79D8BF84FACE5A939A91765AF335'
(6) mschap: Adding MS-CHAPv2 MPPE keys
(6)     [mschap] = ok
(6)   } # authenticate = ok
(6) MSCHAP Success
(6) eap: Sending EAP Request (code 1) ID 8 length 51
(6) eap: EAP session adding &reply:State = 0xe94ee4a2e846fec1
(6)       [eap] = handled
(6)     } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6)   EAP-Message = 0x010800331a0307002e533d45374643313134394639433844364633333538384536324543373537344236394139453933384144
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xe94ee4a2e846fec169cde954b0eea027
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap:   EAP-Message = 0x010800331a0307002e533d45374643313134394639433844364633333538384536324543373537344236394139453933384144
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0xe94ee4a2e846fec169cde954b0eea027
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap:   EAP-Message = 0x010800331a0307002e533d45374643313134394639433844364633333538384536324543373537344236394139453933384144
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0xe94ee4a2e846fec169cde954b0eea027
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 8 length 91
(6) eap: EAP session adding &reply:State = 0x862cdf618024c680
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6)   Challenge { ... } # empty sub-section is ignored
(6) Sent Access-Challenge Id 0 from 66.220.128.93:1812 to 65.120.4.177:1231 length 0
(6)   EAP-Message = 0x0108005b190017030100509f9a8851a7d0c25e698e2d1dd757c58794f2c242bcf640cafcef6e7947df20257cfb4f6b3e9f267608fd3c75f8e4c220b04ab9c384a0bebd2706baa9ce7d907efb3a1730842c4e9b4e7fe2867dd320c7
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0x862cdf618024c680fd28d95218ffb4d1
(6) Finished request
Waking up in 4.9 seconds.
(6) Cleaning up request packet ID 0 with timestamp +60
(7) Received Access-Request Id 0 from 65.120.4.177:1231 to 66.220.128.93:1812 length 151
(7)   Calling-Station-Id = "0A-00-3E-45-1E-66"
(7)   User-Name = "lukes"
(7)   State = 0x862cdf618024c680fd28d95218ffb4d1
(7)   NAS-IP-Address = 172.31.5.168
(7)   NAS-Port = 5
(7)   NAS-Port-Type = Wireless-Other
(7)   Framed-MTU = 1020
(7)   EAP-Message = 0x0208002b19001703010020c23277220d0b12ab60813f67ced569f80e0a61be04e8b72bd093245b3a2e2045
(7)   Message-Authenticator = 0x43ff556019e29de4a943428604206ca1
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "lukes", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 8 length 43
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0xe94ee4a2e846fec1
(7) eap: Finished EAP session with state 0x862cdf618024c680
(7) eap: Previous EAP request found for state 0x862cdf618024c680, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap:   EAP-Message = 0x020800061a03
(7) eap_peap: Setting User-Name to lukes
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap:   EAP-Message = 0x020800061a03
(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap:   User-Name = "lukes"
(7) eap_peap:   State = 0xe94ee4a2e846fec169cde954b0eea027
(7) Virtual server inner-tunnel received request
(7)   EAP-Message = 0x020800061a03
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "lukes"
(7)   State = 0xe94ee4a2e846fec169cde954b0eea027
(7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(7) server inner-tunnel {
(7)   session-state: No cached attributes
(7)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(7)     authorize {
(7)       policy filter_username {
(7)         if (&User-Name) {
(7)         if (&User-Name)  -> TRUE
(7)         if (&User-Name)  {
(7)           if (&User-Name =~ / /) {
(7)           if (&User-Name =~ / /)  -> FALSE
(7)           if (&User-Name =~ /@[^@]*@/ ) {
(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)           if (&User-Name =~ /\.\./ ) {
(7)           if (&User-Name =~ /\.\./ )  -> FALSE
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)           if (&User-Name =~ /\.$/)  {
(7)           if (&User-Name =~ /\.$/)   -> FALSE
(7)           if (&User-Name =~ /@\./)  {
(7)           if (&User-Name =~ /@\./)   -> FALSE
(7)         } # if (&User-Name)  = notfound
(7)       } # policy filter_username = notfound
(7)       [chap] = noop
(7)       [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "lukes", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)       [suffix] = noop
(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 8 length 6
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)       [eap] = updated
(7)       [files] = noop
(7) sql: EXPAND %{User-Name}
(7) sql:    --> lukes
(7) sql: SQL-User-Name set to 'lukes'
rlm_sql (sql): Reserved connection (2)
(7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(7) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'lukes' ORDER BY id
(7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'lukes' ORDER BY id
(7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(7) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'lukes' ORDER BY priority
(7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'lukes' ORDER BY priority
(7) sql: User not found in any groups
rlm_sql (sql): Released connection (2)
(7)       [sql] = notfound
(7)       [expiration] = noop
(7)       [logintime] = noop
(7)       [pap] = noop
(7)     } # authorize = updated
(7)   Found Auth-Type = eap
(7)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7)     authenticate {
(7) eap: Expiring EAP session with state 0xe94ee4a2e846fec1
(7) eap: Finished EAP session with state 0xe94ee4a2e846fec1
(7) eap: Previous EAP request found for state 0xe94ee4a2e846fec1, released from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap: Sending EAP Success (code 3) ID 8 length 4
(7) eap: Freeing handler
(7)       [eap] = ok
(7)     } # authenticate = ok
(7)   # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(7)     post-auth {
(7) sql: EXPAND .query
(7) sql:    --> .query
(7) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (3)
(7) sql: EXPAND %{User-Name}
(7) sql:    --> lukes
(7) sql: SQL-User-Name set to 'lukes'
(7) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(7) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'lukes', '', 'Access-Accept', '2021-07-06 17:33:23.154126')
(7) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'lukes', '', 'Access-Accept', '2021-07-06 17:33:23.154126')
(7) sql: SQL query returned: success
(7) sql: 1 record(s) updated
rlm_sql (sql): Released connection (3)
(7)       [sql] = ok
(7)       if (0) {
(7)       if (0)  -> FALSE
(7)     } # post-auth = ok
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(7)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(7)   MS-MPPE-Send-Key = 0x7b1be35b0c3af98fbc8f4f2198b79765
(7)   MS-MPPE-Recv-Key = 0xdd464bd529edef025efdf6f0fde4438c
(7)   EAP-Message = 0x03080004
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   User-Name = "lukes"
(7) eap_peap: Got tunneled reply code 2
(7) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(7) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(7) eap_peap:   MS-MPPE-Send-Key = 0x7b1be35b0c3af98fbc8f4f2198b79765
(7) eap_peap:   MS-MPPE-Recv-Key = 0xdd464bd529edef025efdf6f0fde4438c
(7) eap_peap:   EAP-Message = 0x03080004
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   User-Name = "lukes"
(7) eap_peap: Got tunneled reply RADIUS code 2
(7) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(7) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(7) eap_peap:   MS-MPPE-Send-Key = 0x7b1be35b0c3af98fbc8f4f2198b79765
(7) eap_peap:   MS-MPPE-Recv-Key = 0xdd464bd529edef025efdf6f0fde4438c
(7) eap_peap:   EAP-Message = 0x03080004
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   User-Name = "lukes"
(7) eap_peap: Tunneled authentication was successful
(7) eap_peap: SUCCESS
(7) eap: Sending EAP Request (code 1) ID 9 length 43
(7) eap: EAP session adding &reply:State = 0x862cdf618125c680
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7)   Challenge { ... } # empty sub-section is ignored
(7) Sent Access-Challenge Id 0 from 66.220.128.93:1812 to 65.120.4.177:1231 length 0
(7)   EAP-Message = 0x0109002b190017030100206ad2e10561cef68d22a47ee73229c8d671eef552077cd586fd9e8b55cb58ba33
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x862cdf618125c680fd28d95218ffb4d1
(7) Finished request
Waking up in 4.9 seconds.
(7) Cleaning up request packet ID 0 with timestamp +60
(8) Received Access-Request Id 0 from 65.120.4.177:1231 to 66.220.128.93:1812 length 151
(8)   Calling-Station-Id = "0A-00-3E-45-1E-66"
(8)   User-Name = "lukes"
(8)   State = 0x862cdf618125c680fd28d95218ffb4d1
(8)   NAS-IP-Address = 172.31.5.168
(8)   NAS-Port = 5
(8)   NAS-Port-Type = Wireless-Other
(8)   Framed-MTU = 1020
(8)   EAP-Message = 0x0209002b19001703010020bfef51c4df1e3ff8a1d27d7c239e6296dc3b6cb7fe3d7addcb021c60c5f6dc9a
(8)   Message-Authenticator = 0x704e6d5b8799d90b4c34b0f5adef6715
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [preprocess] = ok
(8)     [chap] = noop
(8)     [mschap] = noop
(8)     [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "lukes", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 9 length 43
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0x862cdf618125c680
(8) eap: Finished EAP session with state 0x862cdf618125c680
(8) eap: Previous EAP request found for state 0x862cdf618125c680, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state send tlv success
(8) eap_peap: Received EAP-TLV response
(8) eap_peap: Success
(8) eap: Sending EAP Success (code 3) ID 9 length 4
(8) eap: Freeing handler
(8)     [eap] = ok
(8)   } # authenticate = ok
(8) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(8)   post-auth {
(8)     update {
(8)       No attributes updated
(8)     } # update = noop
(8) sql: EXPAND .query
(8) sql:    --> .query
(8) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(8) sql: EXPAND %{User-Name}
(8) sql:    --> lukes
(8) sql: SQL-User-Name set to 'lukes'
(8) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(8) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'lukes', '', 'Access-Accept', '2021-07-06 17:33:23.168107')
(8) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'lukes', '', 'Access-Accept', '2021-07-06 17:33:23.168107')
(8) sql: SQL query returned: success
(8) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(8)     [sql] = ok
(8)     [exec] = noop
(8)     policy remove_reply_message_if_eap {
(8)       if (&reply:EAP-Message && &reply:Reply-Message) {
(8)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(8)       else {
(8)         [noop] = noop
(8)       } # else = noop
(8)     } # policy remove_reply_message_if_eap = noop
(8)   } # post-auth = ok
(8) Sent Access-Accept Id 0 from 66.220.128.93:1812 to 65.120.4.177:1231 length 0
(8)   MS-MPPE-Recv-Key = 0xaf3148b50b955422e4acb9ecf538c9ade9ba196b6a6551ce645cfd544dfbadef
(8)   MS-MPPE-Send-Key = 0x12ced10a940f42ddaede4e7216a1c48e9383f8319af2848d4527a2753e5044e9
(8)   EAP-Message = 0x03090004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   User-Name = "lukes"
(8) Finished request
Waking up in 4.9 seconds.
(8) Cleaning up request packet ID 0 with timestamp +60
Ready to process requests


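A small diagnostic added here, not from the original post or from FreeRADIUS itself, that walks a `radiusd -X` trace shaped like the one above and states what the log only shows implicitly: during authorize the user-store modules reported `[files] = noop` and `[sql] = notfound`, so nothing ever added reply attributes, and the final Access-Accept carries no Cambium-Canopy-* VSA. The sample trace is a constructed excerpt; the attribute names are the ones the post's dictionary entries define.

```python
"""Summarise a FreeRADIUS `radiusd -X` trace: what the user-store modules returned
while authorizing, and which attributes the final Access-Accept actually carried."""
import re

EXPECTED_VSA = ("Cambium-Canopy-UserLevel", "Cambium-Canopy-UserMode")  # from the post
SUPPLIERS = ("files", "sql", "ldap")  # modules that add reply attributes from a user store
REQ_RE = re.compile(r"^\((\d+)\)\s*(.*)$")          # "(7) body"
MODULE_RE = re.compile(r"^\[(\w+)\]\s*=\s*(\w+)$")    # "[sql] = notfound"
SENT_RE = re.compile(r"^Sent (Access-\w+) Id")        # "Sent Access-Accept Id 0 ..."
ATTR_RE = re.compile(r"^([\w-]+)\s*=\s*(.+)$")        # 'User-Name = "lukes"'

def parse_trace(text: str) -> dict:
    """Group lines by request number; keep authorize-section module results and the attribute list under each 'Sent ...' line."""
    reqs: dict = {}
    section, in_reply = None, False
    for raw in text.splitlines():
        m = REQ_RE.match(raw)
        if not m:                        # global lines ("Waking up ...") end any block
            in_reply = False
            continue
        num, body = int(m.group(1)), m.group(2).strip()
        r = reqs.setdefault(num, {"authorize": {}, "sent": None, "reply": {}})
        if body.endswith("authorize {"):
            section = "authorize"
        elif body.startswith("} # authorize"):
            section = None
        elif (mm := MODULE_RE.match(body)) and section == "authorize":
            r["authorize"][mm.group(1)] = mm.group(2)  # inner-tunnel result overwrites outer
        elif sm := SENT_RE.match(body):
            r["sent"], r["reply"], in_reply = sm.group(1), {}, True
        elif in_reply and (am := ATTR_RE.match(body)):
            r["reply"][am.group(1)] = am.group(2)
        else:
            in_reply = False
    return reqs

def diagnose(reqs: dict) -> dict:
    """Expected VSAs absent from the last Access-Accept, plus what each user-store module returned during authorize."""
    accepts = [n for n, r in reqs.items() if r["sent"] == "Access-Accept"]
    suppliers = {mod: r["authorize"][mod] for r in reqs.values()
                 for mod in SUPPLIERS if mod in r["authorize"]}
    reply = reqs[max(accepts)]["reply"] if accepts else {}
    return {"accepted": bool(accepts), "suppliers": suppliers,
            "missing": [a for a in EXPECTED_VSA if a not in reply]}

# Constructed sample: a dozen lines in the shape of the trace above, not the full log.
SAMPLE_TRACE = """\
(7)     authorize {
(7)       [files] = noop
(7)       [sql] = notfound
(7)     } # authorize = updated
(7) Sent Access-Challenge Id 0 from 66.220.128.93:1812 to 65.120.4.177:1231 length 0
(7)   EAP-Message = 0x0109002b
(7) Finished request
(8)       [sql] = ok
(8) Sent Access-Accept Id 0 from 66.220.128.93:1812 to 65.120.4.177:1231 length 0
(8)   MS-MPPE-Recv-Key = 0xaf3148b5
(8)   User-Name = "lukes"
Ready to process requests
"""
```

Running `diagnose(parse_trace(...))` over the full trace above reports both Cambium attributes missing with `files` at noop and `sql` at notfound, which is the same conclusion the question draws, but as a check that can be re-run after each configuration change.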

