Issues with post-auth not running in inner-tunnel/proxy-inner-tunnel
Chris Griffin
cgriffin352 at gmail.com
Wed Aug 10 13:06:13 UTC 2022
I am currently migrating some Freeradius 2 based services over to
Freeradius 3 (3.2.0), and I am having an issue with post-auth executing in
the inner-tunnel. In Freeradius 2, I have some post-auth logic that runs
fine, but it seems that the post-auth section does not run in Freeradius
3. I have gone through the documentation and posts to the listserv and
haven't found any clues as to why. In my particular case, I am using the
proxy-inner-tunnel configuration and adding a post-auth section, but in
other tests, it doesn't seem that post-auth runs when I try to use the
"inner-tunnel" config, which already has a post-auth section. Just to make
things simple to debug, I was able to build a very simple test case which
shows the problem:
Steps to re-create:
build 3.2.0
delete link to inner-tunnel and link to proxy-inner-tunnel. edit eap to
point to proxy-inner-tunnel as virtual server
add section post-auth and put:
update outer.session-state {
User-Name := &User-Name
}
just as a test action to look for.
add config to proxy.conf to allow for proxying the inner tunnel to another
radius server.
Resulting logs when testing with eapol_test:
===================================================
(0) Received Access-Request Id 0 from 127.0.0.1:41445 to 127.0.0.1:1812
length 132
(0) User-Name = "anonymous"
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = "02-00-00-00-00-01"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Connect-Info = "CONNECT 11Mbps 802.11b"
(0) EAP-Message = 0x021d000e01616e6f6e796d6f7573
(0) Message-Authenticator = 0x39ea158d433932e66e0bc072cfa388d8
(0) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 29 length 14
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 30 length 22
(0) eap: EAP session adding &reply:State = 0xe675df6ee66bdb2e
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:41445
length 80
(0) EAP-Message = 0x011e001604102a157d4326f67fce4347da02b42ebd23
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xe675df6ee66bdb2e8fcb18675fa52d04
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 1 from 127.0.0.1:41445 to 127.0.0.1:1812
length 142
(1) User-Name = "anonymous"
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) EAP-Message = 0x021e00060319
(1) State = 0xe675df6ee66bdb2e8fcb18675fa52d04
(1) Message-Authenticator = 0xd42eec5a6a092ca329ae0713a3ef3cd6
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 30 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xe675df6ee66bdb2e
(1) eap: Finished EAP session with state 0xe675df6ee66bdb2e
(1) eap: Previous EAP request found for state 0xe675df6ee66bdb2e, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: (TLS) Initiating new session
(1) eap: Sending EAP Request (code 1) ID 31 length 6
(1) eap: EAP session adding &reply:State = 0xe675df6ee76ac62e
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) session-state: Saving cached attributes
(1) Framed-MTU = 994
(1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:41445
length 64
(1) EAP-Message = 0x011f00061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xe675df6ee76ac62e8fcb18675fa52d04
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 2 from 127.0.0.1:41445 to 127.0.0.1:1812
length 326
(2) User-Name = "anonymous"
(2) NAS-IP-Address = 127.0.0.1
(2) Calling-Station-Id = "02-00-00-00-00-01"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Connect-Info = "CONNECT 11Mbps 802.11b"
(2) EAP-Message =
0x021f00be1980000000b416030100af010000ab0303f1314c571be3433e52568c36e53402e80746307dd0b21b23326981a604679922000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004a000b000403000102000a000c000a001d0017001e001900180016000000170000000d002600240403050306030807080808090804080a0805080b08060401050106010303030102030201
(2) State = 0xe675df6ee76ac62e8fcb18675fa52d04
(2) Message-Authenticator = 0x675e1043ccbb0dfe522b1d29bd34c303
(2) Restoring &session-state
(2) &session-state:Framed-MTU = 994
(2) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 31 length 190
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xe675df6ee76ac62e
(2) eap: Finished EAP session with state 0xe675df6ee76ac62e
(2) eap: Previous EAP request found for state 0xe675df6ee76ac62e, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: (TLS) EAP Peer says that the final record size will be 180
bytes
(2) eap_peap: (TLS) EAP Got all data (180 bytes)
(2) eap_peap: (TLS) Handshake state - before SSL initialization
(2) eap_peap: (TLS) Handshake state - Server before SSL initialization
(2) eap_peap: (TLS) Handshake state - Server before SSL initialization
(2) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read client hello
(2) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHello
(2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server hello
(2) eap_peap: (TLS) send TLS 1.2 Handshake, Certificate
(2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write certificate
(2) eap_peap: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write key exchange
(2) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server done
(2) eap_peap: (TLS) Server : Need to read more data: SSLv3/TLS write server
done
(2) eap_peap: (TLS) In Handshake Phase
(2) eap: Sending EAP Request (code 1) ID 32 length 1004
(2) eap: EAP session adding &reply:State = 0xe675df6ee455c62e
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2) Framed-MTU = 994
(2) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(2) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:41445
length 1068
(2) EAP-Message =
0x012003ec19c000000a84160303003d0200003903036da97779dcfc5a5bc9f1c9906948eaebe1baa0466fad865b3e0f2f7c01d4d05d00c030000011ff01000100000b0004030001020017000016030309030b0008ff0008fc0003f8308203f4308202dca003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3232303831303132313133365a170d3232313030393132313133365a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xe675df6ee455c62e8fcb18675fa52d04
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 3 from 127.0.0.1:41445 to 127.0.0.1:1812
length 142
(3) User-Name = "anonymous"
(3) NAS-IP-Address = 127.0.0.1
(3) Calling-Station-Id = "02-00-00-00-00-01"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Connect-Info = "CONNECT 11Mbps 802.11b"
(3) EAP-Message = 0x022000061900
(3) State = 0xe675df6ee455c62e8fcb18675fa52d04
(3) Message-Authenticator = 0xfc03a376328f9a0499739fce27d2084c
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 994
(3) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(3) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 32 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xe675df6ee455c62e
(3) eap: Finished EAP session with state 0xe675df6ee455c62e
(3) eap: Previous EAP request found for state 0xe675df6ee455c62e, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: (TLS) Peer ACKed our handshake fragment
(3) eap: Sending EAP Request (code 1) ID 33 length 1000
(3) eap: EAP session adding &reply:State = 0xe675df6ee554c62e
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) session-state: Saving cached attributes
(3) Framed-MTU = 994
(3) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(3) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:41445
length 1064
(3) EAP-Message =
0x012103e819402adb595160175b017ed0e17a78bc099f1156837d868d3cbbf3e451228cba9c6d5ace7fa48e393591d454b4eeedf7a3c90910e6cd8dcc47b6e19ebe5d559324942cef992db2bd43102f8f5e89e5edb824cba0d5233dd57861bcd08acc9de162ba78fa450458c5530004fe308204fa308203e2a003020102021435d2a8dc2d1b2be61dc557b21db07c8fa0fc6647300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3232303831303132313133365a170d3232313030393132313133365a308193310b3009060355040613024652310f300d06035504080c0652616469
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xe675df6ee554c62e8fcb18675fa52d04
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 4 from 127.0.0.1:41445 to 127.0.0.1:1812
length 142
(4) User-Name = "anonymous"
(4) NAS-IP-Address = 127.0.0.1
(4) Calling-Station-Id = "02-00-00-00-00-01"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Connect-Info = "CONNECT 11Mbps 802.11b"
(4) EAP-Message = 0x022100061900
(4) State = 0xe675df6ee554c62e8fcb18675fa52d04
(4) Message-Authenticator = 0x8569b7d08d76ab03703a102f5d4288b5
(4) Restoring &session-state
(4) &session-state:Framed-MTU = 994
(4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(4) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 33 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0xe675df6ee554c62e
(4) eap: Finished EAP session with state 0xe675df6ee554c62e
(4) eap: Previous EAP request found for state 0xe675df6ee554c62e, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: (TLS) Peer ACKed our handshake fragment
(4) eap: Sending EAP Request (code 1) ID 34 length 710
(4) eap: EAP session adding &reply:State = 0xe675df6ee257c62e
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4) Framed-MTU = 994
(4) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(4) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:41445
length 772
(4) EAP-Message =
0x012202c6190072746966696361746520417574686f72697479821435d2a8dc2d1b2be61dc557b21db07c8fa0fc6647300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500038201010050d5336980e982145b06a8a407b19683d7f53faf13f80a0e7e74c5c629669a7b19e3046c6e075497f3ed348ba7f771991661ac6727f3247b2432c88f8d3ce43f4cbe446154361b182bf735339a4436f4d6a9c04dd86a8831ce2d5e82f534dc0dfa03b22936c611f13e376f283e56897337a54ce3bfba868789142a04b9be837250de393c66f399c36ffbd3e9d4f2053473e1b50079a53ea4c17888cea0e0b7dd8c3c1bc8cf9cd11522da747088e4a02cc3b15453b2a01fcf26852c934351321ee5ccee3da2c56d28939644f8d3c6bf0d14191a75c27b989b9ac66e025f8c0c8824dbf60d0c3677f0197712
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xe675df6ee257c62e8fcb18675fa52d04
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 5 from 127.0.0.1:41445 to 127.0.0.1:1812
length 239
(5) User-Name = "anonymous"
(5) NAS-IP-Address = 127.0.0.1
(5) Calling-Station-Id = "02-00-00-00-00-01"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Connect-Info = "CONNECT 11Mbps 802.11b"
(5) EAP-Message =
0x0222006719800000005d160303002510000021205badd466a638f7537d8010eab5e0d3d8d6aaa705b329068bef15e3059fd39f501403030001011603030028c9186d481dde735885d75fa1f3d4c72bda0f66f8632b5206d9f169111cdb694c8ca57fb878cbd583
(5) State = 0xe675df6ee257c62e8fcb18675fa52d04
(5) Message-Authenticator = 0x8ea387527f36de9ea4e8f4278e256010
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 994
(5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(5) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 34 length 103
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0xe675df6ee257c62e
(5) eap: Finished EAP session with state 0xe675df6ee257c62e
(5) eap: Previous EAP request found for state 0xe675df6ee257c62e, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: (TLS) EAP Peer says that the final record size will be 93
bytes
(5) eap_peap: (TLS) EAP Got all data (93 bytes)
(5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server done
(5) eap_peap: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read client key
exchange
(5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read change cipher
spec
(5) eap_peap: (TLS) recv TLS 1.2 Handshake, Finished
(5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read finished
(5) eap_peap: (TLS) send TLS 1.2 ChangeCipherSpec
(5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write change cipher
spec
(5) eap_peap: (TLS) send TLS 1.2 Handshake, Finished
(5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write finished
(5) eap_peap: (TLS) Handshake state - SSL negotiation finished successfully
(5) eap_peap: (TLS) Connection Established
(5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) eap_peap: TLS-Session-Version = "TLS 1.2"
(5) eap: Sending EAP Request (code 1) ID 35 length 57
(5) eap: EAP session adding &reply:State = 0xe675df6ee356c62e
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) Framed-MTU = 994
(5) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake,
ClientKeyExchange"
(5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 5 from 127.0.0.1:1812 to 127.0.0.1:41445
length 115
(5) EAP-Message =
0x01230039190014030300010116030300282054ff1c9b5e54f29863aa0bd69ed60ba57d30beacbe09fd503621ec887b1c6569231971db0cc58b
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xe675df6ee356c62e8fcb18675fa52d04
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 6 from 127.0.0.1:41445 to 127.0.0.1:1812
length 142
(6) User-Name = "anonymous"
(6) NAS-IP-Address = 127.0.0.1
(6) Calling-Station-Id = "02-00-00-00-00-01"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Connect-Info = "CONNECT 11Mbps 802.11b"
(6) EAP-Message = 0x022300061900
(6) State = 0xe675df6ee356c62e8fcb18675fa52d04
(6) Message-Authenticator = 0x78ff7dfd696415044fb2363b8595b00c
(6) Restoring &session-state
(6) &session-state:Framed-MTU = 994
(6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, ClientKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, Finished"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
ChangeCipherSpec"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Finished"
(6) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(6) &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 35 length 6
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0xe675df6ee356c62e
(6) eap: Finished EAP session with state 0xe675df6ee356c62e
(6) eap: Previous EAP request found for state 0xe675df6ee356c62e, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is
finished
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap: Sending EAP Request (code 1) ID 36 length 40
(6) eap: EAP session adding &reply:State = 0xe675df6ee051c62e
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6) Framed-MTU = 994
(6) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(6) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake,
ClientKeyExchange"
(6) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(6) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 6 from 127.0.0.1:1812 to 127.0.0.1:41445
length 98
(6) EAP-Message =
0x012400281900170303001d2054ff1c9b5e54f33382548c13b84579a2844d2cbe8a06080b85335aba
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xe675df6ee051c62e8fcb18675fa52d04
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 7 from 127.0.0.1:41445 to 127.0.0.1:1812
length 188
(7) User-Name = "anonymous"
(7) NAS-IP-Address = 127.0.0.1
(7) Calling-Station-Id = "02-00-00-00-00-01"
(7) Framed-MTU = 1400
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) Connect-Info = "CONNECT 11Mbps 802.11b"
(7) EAP-Message =
0x0224003419001703030029c9186d481dde7359fda0277d5d1165a6f67f77bd2273b9e846ae774aa73ba8c5fd0122fffdf5364740
(7) State = 0xe675df6ee051c62e8fcb18675fa52d04
(7) Message-Authenticator = 0xe17bde94850882d1c7ab3953ffe189a8
(7) Restoring &session-state
(7) &session-state:Framed-MTU = 994
(7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, ClientKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, Finished"
(7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
ChangeCipherSpec"
(7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Finished"
(7) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 36 length 52
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0xe675df6ee051c62e
(7) eap: Finished EAP session with state 0xe675df6ee051c62e
(7) eap: Previous EAP request found for state 0xe675df6ee051c62e, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: (TLS) EAP Done initial handshake
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - username at example.org
(7) eap_peap: Got inner identity 'username at example.org'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x0224001501636772696666696e4075666c2e656475
(7) eap_peap: Setting User-Name to username at example.org
(7) eap_peap: Sending tunneled request to proxy-inner-tunnel
(7) eap_peap: EAP-Message = 0x0224001501636772696666696e4075666c2e656475
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "username at example.org"
(7) Virtual server proxy-inner-tunnel received request
(7) EAP-Message = 0x0224001501636772696666696e4075666c2e656475
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "username at example.org"
(7) server proxy-inner-tunnel {
(7) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/proxy-inner-tunnel
(7) authorize {
(7) update control {
(7) &Proxy-To-Realm := "example.org"
(7) } # update control = noop
(7) } # authorize = noop
(7) } # server proxy-inner-tunnel
(7) Virtual server sending reply
(7) eap_peap: Got tunneled reply code 0
(7) eap_peap: Tunnelled authentication will be proxied to example.org
(7) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(7) [eap] = handled
(7) } # authenticate = handled
(7) Starting proxy to home server 127.0.0.1 port 1812
(7) server default {
(7) }
(7) Proxying request to home server 127.0.0.1 port 1812 timeout 20.000000
(7) Sent Access-Request Id 221 from 0.0.0.0:59393 to 127.0.0.1:1812 length
82
(7) EAP-Message = 0x0224001501636772696666696e4075666c2e656475
(7) User-Name = "username at example.org"
(7) Message-Authenticator = 0x
(7) Proxy-State = 0x37
Waking up in 0.3 seconds.
(8) Received Access-Request Id 221 from 127.0.0.1:59393 to 127.0.0.1:1812
length 82
(8) EAP-Message = 0x0224001501636772696666696e4075666c2e656475
(8) User-Name = "username at example.org"
(8) Message-Authenticator = 0x43b1c4ff0c835adf67913c98a827f03a
(8) Proxy-State = 0x37
(8) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: Looking up realm "example.org" for User-Name = "
username at example.org"
(8) suffix: Found realm "example.org"
(8) suffix: Adding Realm = "example.org"
(8) suffix: Proxying request from user username at example.org to realm
example.org
(8) suffix: Preparing to proxy authentication request to realm "example.org"
(8) [suffix] = updated
(8) eap: Request is supposed to be proxied to Realm example.org. Not doing
EAP.
(8) [eap] = noop
(8) [files] = noop
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) } # authorize = updated
(8) Starting proxy to home server 10.6.11.15 port 1812
(8) server default {
(8) }
(8) Proxying request to home server 10.6.11.15 port 1812 timeout 10.000000
(8) Sent Access-Request Id 186 from 0.0.0.0:59393 to 10.6.11.15:1812 length
99
(8) EAP-Message = 0x0224001501636772696666696e4075666c2e656475
(8) User-Name = "username at example.org"
(8) Message-Authenticator = 0x43b1c4ff0c835adf67913c98a827f03a
(8) Proxy-State = 0x37
(8) Event-Timestamp = "Aug 10 2022 08:18:59 EDT"
(8) NAS-IP-Address = 127.0.0.1
(8) Proxy-State = 0x323231
Waking up in 0.3 seconds.
(8) Marking home server 10.6.11.15 port 1812 alive
(8) Clearing existing &reply: attributes
(8) Received Access-Challenge Id 186 from 10.6.11.15:1812 to
10.6.11.22:59393 length 131
(8) Proxy-State = 0x37
(8) Proxy-State = 0x323231
(8) Session-Timeout = 60
(8) EAP-Message =
0x012500271a0125002210919965cf8da364883037da7f61f7f09e4e534c41422d4e5053324b3136
(8) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(8) Message-Authenticator = 0x75e2f8c4ebb5d17b32cc932f2d37777b
(8) server default {
(8) # Executing section post-proxy from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(8) post-proxy {
(8) eap: No pre-existing handler found
(8) [eap] = noop
(8) } # post-proxy = noop
(8) }
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(8) Challenge { ... } # empty sub-section is ignored
(8) Sent Access-Challenge Id 221 from 127.0.0.1:1812 to 127.0.0.1:59393
length 126
(8) Session-Timeout = 60
(8) EAP-Message =
0x012500271a0125002210919965cf8da364883037da7f61f7f09e4e534c41422d4e5053324b3136
(8) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(8) Message-Authenticator = 0x75e2f8c4ebb5d17b32cc932f2d37777b
(8) Proxy-State = 0x37
(8) Finished request
Waking up in 0.2 seconds.
(7) Marking home server 127.0.0.1 port 1812 alive
(7) Clearing existing &reply: attributes
(7) Received Access-Challenge Id 221 from 127.0.0.1:1812 to 127.0.0.1:59393
length 126
(7) Session-Timeout = 60
(7) EAP-Message =
0x012500271a0125002210919965cf8da364883037da7f61f7f09e4e534c41422d4e5053324b3136
(7) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(7) Message-Authenticator = 0xaec7f4f146d52066eb1af0e204283dcd
(7) Proxy-State = 0x37
(7) server default {
(7) # Executing section post-proxy from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(7) post-proxy {
(7) eap: Doing post-proxy callback
(7) eap: Passing reply from proxy back into the tunnel
(7) eap: Got tunneled reply RADIUS code 11
(7) eap: Session-Timeout = 60
(7) eap: EAP-Message =
0x012500271a0125002210919965cf8da364883037da7f61f7f09e4e534c41422d4e5053324b3136
(7) eap: State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(7) eap: Message-Authenticator = 0xaec7f4f146d52066eb1af0e204283dcd
(7) eap: Proxy-State = 0x37
(7) eap: Got tunneled Access-Challenge
(7) eap: Reply was handled
(7) eap: Sending EAP Request (code 1) ID 37 length 70
(7) eap: EAP session adding &reply:State = 0xe675df6ee150c62e
(7) [eap] = ok
(7) } # post-proxy = ok
(7) }
(7) session-state: Saving cached attributes
(7) Framed-MTU = 994
(7) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(7) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake,
ClientKeyExchange"
(7) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(7) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) TLS-Session-Version = "TLS 1.2"
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) Sent Access-Challenge Id 7 from 127.0.0.1:1812 to 127.0.0.1:41445
length 128
(7) EAP-Message =
0x012500461900170303003b2054ff1c9b5e54f41704b7e71c7b36fac19dc00a4c72e794816491552341929e3a29eaacb6ed73a86178e2a411236422b3f1fb96aa4050005cfd0c
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xe675df6ee150c62e8fcb18675fa52d04
(7) Finished request
Waking up in 4.9 seconds.
(9) Received Access-Request Id 8 from 127.0.0.1:41445 to 127.0.0.1:1812
length 242
(9) User-Name = "anonymous"
(9) NAS-IP-Address = 127.0.0.1
(9) Calling-Station-Id = "02-00-00-00-00-01"
(9) Framed-MTU = 1400
(9) NAS-Port-Type = Wireless-802.11
(9) Service-Type = Framed-User
(9) Connect-Info = "CONNECT 11Mbps 802.11b"
(9) EAP-Message =
0x0225006a1900170303005fc9186d481dde735a6f6ed9296cacf6e5e023ec3f83ee85a45230752da0ad7ecadeda1694f5c57198ab6841dfd339157a386210e7f3ebd75a3f15c87e8b8013129a97f5b62c4066a50056afee0c1275fd499841f9f6c4d4e00c312aafe6272e
(9) State = 0xe675df6ee150c62e8fcb18675fa52d04
(9) Message-Authenticator = 0x2934573eb6545749fc175ddbb34b8896
(9) Restoring &session-state
(9) &session-state:Framed-MTU = 994
(9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, ClientKeyExchange"
(9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, Finished"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
ChangeCipherSpec"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Finished"
(9) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(9) &session-state:TLS-Session-Version = "TLS 1.2"
(9) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 37 length 106
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0xe675df6ee150c62e
(9) eap: Finished EAP session with state 0xe675df6ee150c62e
(9) eap: Previous EAP request found for state 0xe675df6ee150c62e, released
from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: (TLS) EAP Done initial handshake
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message =
0x0225004b1a02250046316d86546d02682c467d806da7600f65070000000000000000e909fed167b345f628d792682860607f350019b3c2b83a3800636772696666696e4075666c2e656475
(9) eap_peap: Setting User-Name to username at example.org
(9) eap_peap: Sending tunneled request to proxy-inner-tunnel
(9) eap_peap: EAP-Message =
0x0225004b1a02250046316d86546d02682c467d806da7600f65070000000000000000e909fed167b345f628d792682860607f350019b3c2b83a3800636772696666696e4075666c2e656475
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = "username at example.org"
(9) eap_peap: State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(9) Virtual server proxy-inner-tunnel received request
(9) EAP-Message =
0x0225004b1a02250046316d86546d02682c467d806da7600f65070000000000000000e909fed167b345f628d792682860607f350019b3c2b83a3800636772696666696e4075666c2e656475
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "username at example.org"
(9) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(9) server proxy-inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/proxy-inner-tunnel
(9) authorize {
(9) update control {
(9) &Proxy-To-Realm := "example.org"
(9) } # update control = noop
(9) } # authorize = noop
(9) } # server proxy-inner-tunnel
(9) Virtual server sending reply
(9) eap_peap: Got tunneled reply code 0
(9) eap_peap: Tunnelled authentication will be proxied to example.org
(9) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(9) [eap] = handled
(9) } # authenticate = handled
(9) Starting proxy to home server 127.0.0.1 port 1812
(9) server default {
(9) }
(9) Proxying request to home server 127.0.0.1 port 1812 timeout 20.000000
(9) Sent Access-Request Id 235 from 0.0.0.0:59393 to 127.0.0.1:1812 length
174
(9) EAP-Message =
0x0225004b1a02250046316d86546d02682c467d806da7600f65070000000000000000e909fed167b345f628d792682860607f350019b3c2b83a3800636772696666696e4075666c2e656475
(9) User-Name = "username at example.org"
(9) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(9) Message-Authenticator = 0x
(9) Proxy-State = 0x38
Waking up in 0.3 seconds.
(10) Received Access-Request Id 235 from 127.0.0.1:59393 to 127.0.0.1:1812
length 174
(10) EAP-Message =
0x0225004b1a02250046316d86546d02682c467d806da7600f65070000000000000000e909fed167b345f628d792682860607f350019b3c2b83a3800636772696666696e4075666c2e656475
(10) User-Name = "username at example.org"
(10) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(10) Message-Authenticator = 0x2252e6f6a3cc56e21ec1162298e833f4
(10) Proxy-State = 0x38
(10) session-state: No cached attributes
(10) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /@\./) {
(10) if (&User-Name =~ /@\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: Looking up realm "example.org" for User-Name = "
username at example.org"
(10) suffix: Found realm "example.org"
(10) suffix: Adding Realm = "example.org"
(10) suffix: Proxying request from user username at example.org to realm
example.org
(10) suffix: Preparing to proxy authentication request to realm "example.org"
(10) [suffix] = updated
(10) eap: Request is supposed to be proxied to Realm example.org. Not doing
EAP.
(10) [eap] = noop
(10) [files] = noop
(10) [expiration] = noop
(10) [logintime] = noop
(10) [pap] = noop
(10) } # authorize = updated
(10) Starting proxy to home server 10.6.11.15 port 1812
(10) server default {
(10) }
(10) Proxying request to home server 10.6.11.15 port 1812 timeout 10.000000
(10) Sent Access-Request Id 59 from 0.0.0.0:59393 to 10.6.11.15:1812 length
191
(10) EAP-Message =
0x0225004b1a02250046316d86546d02682c467d806da7600f65070000000000000000e909fed167b345f628d792682860607f350019b3c2b83a3800636772696666696e4075666c2e656475
(10) User-Name = "username at example.org"
(10) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(10) Message-Authenticator = 0x2252e6f6a3cc56e21ec1162298e833f4
(10) Proxy-State = 0x38
(10) Event-Timestamp = "Aug 10 2022 08:18:59 EDT"
(10) NAS-IP-Address = 127.0.0.1
(10) Proxy-State = 0x323335
Waking up in 0.3 seconds.
(10) Clearing existing &reply: attributes
(10) Received Access-Challenge Id 59 from 10.6.11.15:1812 to
10.6.11.22:59393 length 143
(10) Proxy-State = 0x38
(10) Proxy-State = 0x323335
(10) Session-Timeout = 60
(10) EAP-Message =
0x012600331a0325002e533d46444535443942333830393542413637373242454642363234354444323637313836363836374632
(10) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(10) Message-Authenticator = 0x6b8527e1973479a319453417a2c90f42
(10) server default {
(10) # Executing section post-proxy from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(10) post-proxy {
(10) eap: No pre-existing handler found
(10) [eap] = noop
(10) } # post-proxy = noop
(10) }
(10) Using Post-Auth-Type Challenge
(10) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(10) Challenge { ... } # empty sub-section is ignored
(10) Sent Access-Challenge Id 235 from 127.0.0.1:1812 to 127.0.0.1:59393
length 138
(10) Session-Timeout = 60
(10) EAP-Message =
0x012600331a0325002e533d46444535443942333830393542413637373242454642363234354444323637313836363836374632
(10) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(10) Message-Authenticator = 0x6b8527e1973479a319453417a2c90f42
(10) Proxy-State = 0x38
(10) Finished request
Waking up in 0.1 seconds.
(9) Clearing existing &reply: attributes
(9) Received Access-Challenge Id 235 from 127.0.0.1:1812 to 127.0.0.1:59393
length 138
(9) Session-Timeout = 60
(9) EAP-Message =
0x012600331a0325002e533d46444535443942333830393542413637373242454642363234354444323637313836363836374632
(9) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(9) Message-Authenticator = 0xa7a5d80e820957076837a9676974152d
(9) Proxy-State = 0x38
(9) server default {
(9) # Executing section post-proxy from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(9) post-proxy {
(9) eap: Doing post-proxy callback
(9) eap: Passing reply from proxy back into the tunnel
(9) eap: Got tunneled reply RADIUS code 11
(9) eap: Session-Timeout = 60
(9) eap: EAP-Message =
0x012600331a0325002e533d46444535443942333830393542413637373242454642363234354444323637313836363836374632
(9) eap: State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(9) eap: Message-Authenticator = 0xa7a5d80e820957076837a9676974152d
(9) eap: Proxy-State = 0x38
(9) eap: Got tunneled Access-Challenge
(9) eap: Reply was handled
(9) eap: Sending EAP Request (code 1) ID 38 length 82
(9) eap: EAP session adding &reply:State = 0xe675df6eee53c62e
(9) [eap] = ok
(9) } # post-proxy = ok
(9) }
(9) session-state: Saving cached attributes
(9) Framed-MTU = 994
(9) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(9) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake,
ClientKeyExchange"
(9) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(9) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(9) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9) TLS-Session-Version = "TLS 1.2"
(9) Using Post-Auth-Type Challenge
(9) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(9) Challenge { ... } # empty sub-section is ignored
(9) Sent Access-Challenge Id 8 from 127.0.0.1:1812 to 127.0.0.1:41445
length 140
(9) EAP-Message =
0x01260052190017030300472054ff1c9b5e54f59cc0dcaebf53e944b82ed1c318ffbc62c980efe461b0d53ad17c41ec8d2ea20cee09c6fd2c291ff46f9f4c6f1c958b4f5bda67798c4c472160325089c9d09d
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0xe675df6eee53c62e8fcb18675fa52d04
(9) Finished request
Waking up in 4.7 seconds.
(11) Received Access-Request Id 9 from 127.0.0.1:41445 to 127.0.0.1:1812
length 173
(11) User-Name = "anonymous"
(11) NAS-IP-Address = 127.0.0.1
(11) Calling-Station-Id = "02-00-00-00-00-01"
(11) Framed-MTU = 1400
(11) NAS-Port-Type = Wireless-802.11
(11) Service-Type = Framed-User
(11) Connect-Info = "CONNECT 11Mbps 802.11b"
(11) EAP-Message =
0x022600251900170303001ac9186d481dde735bda9d2d9bf418939943eeadac727b51daf83d
(11) State = 0xe675df6eee53c62e8fcb18675fa52d04
(11) Message-Authenticator = 0x4369ac0ea166f1c1235fad5555c6b7bf
(11) Restoring &session-state
(11) &session-state:Framed-MTU = 994
(11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, ClientKeyExchange"
(11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, Finished"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
ChangeCipherSpec"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Finished"
(11) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(11) &session-state:TLS-Session-Version = "TLS 1.2"
(11) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ /@\./) {
(11) if (&User-Name =~ /@\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [preprocess] = ok
(11) [chap] = noop
(11) [mschap] = noop
(11) [digest] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) eap: Peer sent EAP Response (code 2) ID 38 length 37
(11) eap: Continuing tunnel setup
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(11) authenticate {
(11) eap: Expiring EAP session with state 0xe675df6eee53c62e
(11) eap: Finished EAP session with state 0xe675df6eee53c62e
(11) eap: Previous EAP request found for state 0xe675df6eee53c62e, released
from the list
(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: (TLS) EAP Done initial handshake
(11) eap_peap: Session established. Decoding tunneled attributes
(11) eap_peap: PEAP state phase2
(11) eap_peap: EAP method MSCHAPv2 (26)
(11) eap_peap: Got tunneled request
(11) eap_peap: EAP-Message = 0x022600061a03
(11) eap_peap: Setting User-Name to username at example.org
(11) eap_peap: Sending tunneled request to proxy-inner-tunnel
(11) eap_peap: EAP-Message = 0x022600061a03
(11) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(11) eap_peap: User-Name = "username at example.org"
(11) eap_peap: State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(11) Virtual server proxy-inner-tunnel received request
(11) EAP-Message = 0x022600061a03
(11) FreeRADIUS-Proxied-To = 127.0.0.1
(11) User-Name = "username at example.org"
(11) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(11) server proxy-inner-tunnel {
(11) session-state: No cached attributes
(11) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/proxy-inner-tunnel
(11) authorize {
(11) update control {
(11) &Proxy-To-Realm := "example.org"
(11) } # update control = noop
(11) } # authorize = noop
(11) } # server proxy-inner-tunnel
(11) Virtual server sending reply
(11) eap_peap: Got tunneled reply code 0
(11) eap_peap: Tunnelled authentication will be proxied to example.org
(11) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(11) [eap] = handled
(11) } # authenticate = handled
(11) Starting proxy to home server 127.0.0.1 port 1812
(11) server default {
(11) }
(11) Proxying request to home server 127.0.0.1 port 1812 timeout 20.000000
(11) Sent Access-Request Id 27 from 0.0.0.0:59393 to 127.0.0.1:1812 length
105
(11) EAP-Message = 0x022600061a03
(11) User-Name = "username at example.org"
(11) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(11) Message-Authenticator = 0x
(11) Proxy-State = 0x39
Waking up in 0.3 seconds.
(12) Received Access-Request Id 27 from 127.0.0.1:59393 to 127.0.0.1:1812
length 105
(12) EAP-Message = 0x022600061a03
(12) User-Name = "username at example.org"
(12) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(12) Message-Authenticator = 0x28dbdd5be33bb7040adfddfe8d9352cd
(12) Proxy-State = 0x39
(12) session-state: No cached attributes
(12) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(12) authorize {
(12) policy filter_username {
(12) if (&User-Name) {
(12) if (&User-Name) -> TRUE
(12) if (&User-Name) {
(12) if (&User-Name =~ / /) {
(12) if (&User-Name =~ / /) -> FALSE
(12) if (&User-Name =~ /@[^@]*@/ ) {
(12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(12) if (&User-Name =~ /\.\./ ) {
(12) if (&User-Name =~ /\.\./ ) -> FALSE
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(12) if (&User-Name =~ /\.$/) {
(12) if (&User-Name =~ /\.$/) -> FALSE
(12) if (&User-Name =~ /@\./) {
(12) if (&User-Name =~ /@\./) -> FALSE
(12) } # if (&User-Name) = notfound
(12) } # policy filter_username = notfound
(12) [preprocess] = ok
(12) [chap] = noop
(12) [mschap] = noop
(12) [digest] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: Looking up realm "example.org" for User-Name = "
username at example.org"
(12) suffix: Found realm "example.org"
(12) suffix: Adding Realm = "example.org"
(12) suffix: Proxying request from user username at example.org to realm
example.org
(12) suffix: Preparing to proxy authentication request to realm "example.org"
(12) [suffix] = updated
(12) eap: Request is supposed to be proxied to Realm example.org. Not doing
EAP.
(12) [eap] = noop
(12) [files] = noop
(12) [expiration] = noop
(12) [logintime] = noop
(12) [pap] = noop
(12) } # authorize = updated
(12) Starting proxy to home server 10.6.11.15 port 1812
(12) server default {
(12) }
(12) Proxying request to home server 10.6.11.15 port 1812 timeout 10.000000
(12) Sent Access-Request Id 52 from 0.0.0.0:59393 to 10.6.11.15:1812 length
121
(12) EAP-Message = 0x022600061a03
(12) User-Name = "username at example.org"
(12) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(12) Message-Authenticator = 0x28dbdd5be33bb7040adfddfe8d9352cd
(12) Proxy-State = 0x39
(12) Event-Timestamp = "Aug 10 2022 08:18:59 EDT"
(12) NAS-IP-Address = 127.0.0.1
(12) Proxy-State = 0x3237
Waking up in 0.3 seconds.
(12) Clearing existing &reply: attributes
(12) Received Access-Accept Id 52 from 10.6.11.15:1812 to 10.6.11.22:59393
length 281
(12) Proxy-State = 0x39
(12) Proxy-State = 0x3237
(12) Framed-Protocol = PPP
(12) Service-Type = Framed-User
(12) EAP-Message = 0x03260004
(12) Class =
0x9cfe09b000000137000102000a060b0f000000008df64cb7c2d3269401d830f9a2012075000000000006ed48
(12) MS-Link-Utilization-Threshold = 50
(12) MS-Link-Drop-Time-Limit = 120
(12) MS-CHAP-Domain = "\001UFAD"
(12) MS-MPPE-Send-Key = 0x10e45324b8c3d2c45a891f6068c60e8e
(12) MS-MPPE-Recv-Key = 0xe91ba4c29e258660071f4bfce79d0314
(12) MS-CHAP2-Success =
0x01533d46444535443942333830393542413637373242454642363234354444323637313836363836374632
(12) Message-Authenticator = 0xc89831d91964fd2ed5b22785ef179a2e
(12) server default {
(12) # Executing section post-proxy from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(12) post-proxy {
(12) eap: No pre-existing handler found
(12) [eap] = noop
(12) } # post-proxy = noop
(12) }
(12) Found Auth-Type = Accept
(12) Auth-Type = Accept, accepting the user
(12) # Executing section post-auth from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(12) post-auth {
(12) if (session-state:User-Name && reply:User-Name &&
request:User-Name && (reply:User-Name == request:User-Name)) {
(12) if (session-state:User-Name && reply:User-Name &&
request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(12) update {
(12) No attributes updated for RHS &session-state:
(12) } # update = noop
(12) [exec] = noop
(12) policy remove_reply_message_if_eap {
(12) if (&reply:EAP-Message && &reply:Reply-Message) {
(12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(12) else {
(12) [noop] = noop
(12) } # else = noop
(12) } # policy remove_reply_message_if_eap = noop
(12) if (EAP-Key-Name && &reply:EAP-Session-Id) {
(12) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
(12) } # post-auth = noop
(12) Sent Access-Accept Id 27 from 127.0.0.1:1812 to 127.0.0.1:59393 length
277
(12) Framed-Protocol = PPP
(12) Service-Type = Framed-User
(12) EAP-Message = 0x03260004
(12) Class =
0x9cfe09b000000137000102000a060b0f000000008df64cb7c2d3269401d830f9a2012075000000000006ed48
(12) MS-Link-Utilization-Threshold = 50
(12) MS-Link-Drop-Time-Limit = 120
(12) MS-CHAP-Domain = "\001UFAD"
(12) MS-MPPE-Send-Key = 0x10e45324b8c3d2c45a891f6068c60e8e
(12) MS-MPPE-Recv-Key = 0xe91ba4c29e258660071f4bfce79d0314
(12) MS-CHAP2-Success =
0x01533d46444535443942333830393542413637373242454642363234354444323637313836363836374632
(12) Message-Authenticator = 0xc89831d91964fd2ed5b22785ef179a2e
(12) Proxy-State = 0x39
(12) Finished request
Waking up in 0.3 seconds.
(11) Clearing existing &reply: attributes
(11) Received Access-Accept Id 27 from 127.0.0.1:1812 to 127.0.0.1:59393
length 277
(11) Framed-Protocol = PPP
(11) Service-Type = Framed-User
(11) EAP-Message = 0x03260004
(11) Class =
0x9cfe09b000000137000102000a060b0f000000008df64cb7c2d3269401d830f9a2012075000000000006ed48
(11) MS-Link-Utilization-Threshold = 50
(11) MS-Link-Drop-Time-Limit = 120
(11) MS-CHAP-Domain = "\001UFAD"
(11) MS-MPPE-Send-Key = 0x10e45324b8c3d2c45a891f6068c60e8e
(11) MS-MPPE-Recv-Key = 0xe91ba4c29e258660071f4bfce79d0314
(11) MS-CHAP2-Success =
0x01533d46444535443942333830393542413637373242454642363234354444323637313836363836374632
(11) Message-Authenticator = 0xde8fa57b092b483a7be18b2d1893aa40
(11) Proxy-State = 0x39
(11) server default {
(11) # Executing section post-proxy from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(11) post-proxy {
(11) eap: Doing post-proxy callback
(11) eap: Passing reply from proxy back into the tunnel
(11) eap: Got tunneled reply RADIUS code 2
(11) eap: Framed-Protocol = PPP
(11) eap: Service-Type = Framed-User
(11) eap: EAP-Message = 0x03260004
(11) eap: Class =
0x9cfe09b000000137000102000a060b0f000000008df64cb7c2d3269401d830f9a2012075000000000006ed48
(11) eap: MS-Link-Utilization-Threshold = 50
(11) eap: MS-Link-Drop-Time-Limit = 120
(11) eap: MS-CHAP-Domain = "\001UFAD"
(11) eap: MS-MPPE-Send-Key = 0x10e45324b8c3d2c45a891f6068c60e8e
(11) eap: MS-MPPE-Recv-Key = 0xe91ba4c29e258660071f4bfce79d0314
(11) eap: MS-CHAP2-Success =
0x01533d46444535443942333830393542413637373242454642363234354444323637313836363836374632
(11) eap: Message-Authenticator = 0xde8fa57b092b483a7be18b2d1893aa40
(11) eap: Proxy-State = 0x39
(11) eap: Tunneled authentication was successful
(11) eap: SUCCESS
(11) eap: Reply was handled
(11) eap: Sending EAP Request (code 1) ID 39 length 46
(11) eap: EAP session adding &reply:State = 0xe675df6eef52c62e
(11) [eap] = ok
(11) } # post-proxy = ok
(11) }
(11) session-state: Saving cached attributes
(11) Framed-MTU = 994
(11) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(11) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(11) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(11) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(11) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(11) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake,
ClientKeyExchange"
(11) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(11) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(11) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(11) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(11) TLS-Session-Version = "TLS 1.2"
(11) Using Post-Auth-Type Challenge
(11) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(11) Challenge { ... } # empty sub-section is ignored
(11) Sent Access-Challenge Id 9 from 127.0.0.1:1812 to 127.0.0.1:41445
length 104
(11) EAP-Message =
0x0127002e190017030300232054ff1c9b5e54f65a96c6f9c26f4368dea611f63dd222bbc75a6489e3787981c6c053
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) State = 0xe675df6eef52c62e8fcb18675fa52d04
(11) Finished request
Waking up in 4.7 seconds.
(13) Received Access-Request Id 10 from 127.0.0.1:41445 to 127.0.0.1:1812
length 182
(13) User-Name = "anonymous"
(13) NAS-IP-Address = 127.0.0.1
(13) Calling-Station-Id = "02-00-00-00-00-01"
(13) Framed-MTU = 1400
(13) NAS-Port-Type = Wireless-802.11
(13) Service-Type = Framed-User
(13) Connect-Info = "CONNECT 11Mbps 802.11b"
(13) EAP-Message =
0x0227002e19001703030023c9186d481dde735c252cdf5e4f904d6191485ee65d136156c4a980ed966e9fc425cbd7
(13) State = 0xe675df6eef52c62e8fcb18675fa52d04
(13) Message-Authenticator = 0x1d9975ec3f07b5971e779a3aaa8d0a4d
(13) Restoring &session-state
(13) &session-state:Framed-MTU = 994
(13) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(13) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, ClientKeyExchange"
(13) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, Finished"
(13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
ChangeCipherSpec"
(13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Finished"
(13) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(13) &session-state:TLS-Session-Version = "TLS 1.2"
(13) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(13) authorize {
(13) policy filter_username {
(13) if (&User-Name) {
(13) if (&User-Name) -> TRUE
(13) if (&User-Name) {
(13) if (&User-Name =~ / /) {
(13) if (&User-Name =~ / /) -> FALSE
(13) if (&User-Name =~ /@[^@]*@/ ) {
(13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(13) if (&User-Name =~ /\.\./ ) {
(13) if (&User-Name =~ /\.\./ ) -> FALSE
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(13) if (&User-Name =~ /\.$/) {
(13) if (&User-Name =~ /\.$/) -> FALSE
(13) if (&User-Name =~ /@\./) {
(13) if (&User-Name =~ /@\./) -> FALSE
(13) } # if (&User-Name) = notfound
(13) } # policy filter_username = notfound
(13) [preprocess] = ok
(13) [chap] = noop
(13) [mschap] = noop
(13) [digest] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(13) suffix: No such realm "NULL"
(13) [suffix] = noop
(13) eap: Peer sent EAP Response (code 2) ID 39 length 46
(13) eap: Continuing tunnel setup
(13) [eap] = ok
(13) } # authorize = ok
(13) Found Auth-Type = eap
(13) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(13) authenticate {
(13) eap: Expiring EAP session with state 0xe675df6eef52c62e
(13) eap: Finished EAP session with state 0xe675df6eef52c62e
(13) eap: Previous EAP request found for state 0xe675df6eef52c62e, released
from the list
(13) eap: Peer sent packet with method EAP PEAP (25)
(13) eap: Calling submodule eap_peap to process data
(13) eap_peap: (TLS) EAP Done initial handshake
(13) eap_peap: Session established. Decoding tunneled attributes
(13) eap_peap: PEAP state send tlv success
(13) eap_peap: Received EAP-TLV response
(13) eap_peap: Success
(13) eap: Sending EAP Success (code 3) ID 39 length 4
(13) eap: Freeing handler
(13) [eap] = ok
(13) } # authenticate = ok
(13) # Executing section post-auth from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(13) post-auth {
(13) if (session-state:User-Name && reply:User-Name &&
request:User-Name && (reply:User-Name == request:User-Name)) {
(13) if (session-state:User-Name && reply:User-Name &&
request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(13) update {
(13) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
(13) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
ClientHello'
(13) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake,
ServerHello'
(13) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake,
Certificate'
(13) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake,
ServerKeyExchange'
(13) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake,
ServerHelloDone'
(13) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake,
ClientKeyExchange'
(13) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake,
Finished'
(13) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2
ChangeCipherSpec'
(13) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake,
Finished'
(13) &reply::TLS-Session-Cipher-Suite +=
&session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(13) &reply::TLS-Session-Version +=
&session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(13) } # update = noop
(13) [exec] = noop
(13) policy remove_reply_message_if_eap {
(13) if (&reply:EAP-Message && &reply:Reply-Message) {
(13) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(13) else {
(13) [noop] = noop
(13) } # else = noop
(13) } # policy remove_reply_message_if_eap = noop
(13) if (EAP-Key-Name && &reply:EAP-Session-Id) {
(13) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
(13) } # post-auth = noop
(13) Sent Access-Accept Id 10 from 127.0.0.1:1812 to 127.0.0.1:41445 length
177
(13) MS-MPPE-Recv-Key =
0x62648fa7a7f83a26511884879c34872597bf15b27f0fe7c0e8b9426e2de1e5b4
(13) MS-MPPE-Send-Key =
0x9e1e4d2c8aede721a947dfc545f44960236c983e73f6883659db7ddf618c46fc
(13) EAP-Message = 0x03270004
(13) Message-Authenticator = 0x00000000000000000000000000000000
(13) User-Name = "anonymous"
(13) Framed-MTU += 994
(13) Finished request
Waking up in 4.7 seconds.
(0) Cleaning up request packet ID 0 with timestamp +3 due to cleanup_delay
was reached
(1) Cleaning up request packet ID 1 with timestamp +3 due to cleanup_delay
was reached
(2) Cleaning up request packet ID 2 with timestamp +3 due to cleanup_delay
was reached
(3) Cleaning up request packet ID 3 with timestamp +3 due to cleanup_delay
was reached
(4) Cleaning up request packet ID 4 with timestamp +3 due to cleanup_delay
was reached
(5) Cleaning up request packet ID 5 with timestamp +3 due to cleanup_delay
was reached
(6) Cleaning up request packet ID 6 with timestamp +3 due to cleanup_delay
was reached
(8) Cleaning up request packet ID 221 with timestamp +3 due to
cleanup_delay was reached
(7) Cleaning up request packet ID 7 with timestamp +3 due to cleanup_delay
was reached
Waking up in 0.1 seconds.
(10) Cleaning up request packet ID 235 with timestamp +3 due to
cleanup_delay was reached
(9) Cleaning up request packet ID 8 with timestamp +3 due to cleanup_delay
was reached
(12) Cleaning up request packet ID 27 with timestamp +3 due to
cleanup_delay was reached
(11) Cleaning up request packet ID 9 with timestamp +3 due to cleanup_delay
was reached
(13) Cleaning up request packet ID 10 with timestamp +3 due to
cleanup_delay was reached
Ready to process requests
==============================================
I don't see post-auth being called from proxy-inner-tunnel. Is there any
trick that I missed to get it to run?
Thanks!
Chris
More information about the Freeradius-Users
mailing list