Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
January 2015
- 86 participants
- 109 discussions
Hi Friends,
is it possible to use checkval module for Calling-Station-Id & nasidentifier
simultaneously ? i.e. i am already using calling-Station-Id attribute for
MAC authentication but i also need to use nas-identifier, to restrict a
user to specific NAS. Can i do the following?
*nano /etc/freeradius/modules/checkval*
checkval Calling-Station-Id {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
notfound-reject = no
}
checkval nasidentifier {
item-name = NAS-Identifier
check-name = NAS-Identifier
data-type = string
notfound-reject = no
}
Thanks / --RM
2
2
Hi,
I want to configure user access level info in FR. If I am using Cisco I
will be adding following line in users file
Cisco-AVPair = "shell:priv-lvl = 15"
But I want to add NET user access level info to 15,so that I can see the
same in radius response I receive from FR.
Could you please help me know where and what file I have to look into for
this info.
I know similar configuration and was successful when I used other radius
server.But I am not able to relate the same with FR.
Thanks in advance,
Kavya
On 20-Jan-2015 3:39 am, <freeradius-users-request(a)lists.freeradius.org>
wrote:
> Send Freeradius-Users mailing list submissions to
> freeradius-users(a)lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request(a)lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner(a)lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Freeradius 3 and routers problem (alter1)
> 2. Re: Freeradius 3 and routers problem (Alan DeKok)
> 3. Re: VMPS sql error - WARNING: Unknown module "sql" in string
> expansion "%" (Arran Cudbard-Bell)
> 4. Re: Re: Freeradius 3 and routers problem (alter1)
> 5. Re: Freeradius 3 and routers problem (Alan DeKok)
> 6. test PEAP (Jim Shi)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 19 Jan 2015 12:29:14 +0100
> From: alter1 <alter1(a)onet.pl>
> To: "freeradius-users(a)lists.freeradius.org"
> <freeradius-users(a)lists.freeradius.org>
> Subject: Freeradius 3 and routers problem
> Message-ID:
> <107867304-c4b8ba06baaf39b736858171721998e8(a)pmq5.m5r2.onet>
> Content-Type: text/plain; charset="utf-8"
>
> Hello,
> ?
> I have a network: 3 soho wifi routers Dlink wrt54gl, wrt320n and Asus
> RT-AC52U. On each is the same configuration (wifi wpa2-enterprise with
> radius auth on 192.168.10.x server with 1812 port and secret key for each
> client)
> ?
> Server is Centos 7 based with latest version with ip 192.168.10.x
> # repoquery freeradius
> freeradius-0:3.0.1-6.el7.x86_64
> # tail -19 /etc/raddb/clients.conf
> client rt-a1-2 {
> ??????? ipaddr = 192.168.10.4
> ??????? secret = test1
> ??????? shortname = rt-a1-2
> }
> client rt-a1-1 {
> ??????? ipaddr = 192.168.10.2
> ??????? secret = test2
> ??????? shortname = rt-a1-1
> }
> client rt-a2-1 {
> ??????? ipaddr = 192.168.10.3
> ??????? secret = test3
> ??????? shortname = rt-a2-1
> }
> In /etc/raddb/users par example:
> "test" Cleartext-Password := "test"
> and others in the same format...
> ?
> This server is relay to other dhcp server therefore I have:
> # cat /etc/raddb/sites-available/dhcp.relay
> server dhcp.ens160 {
> ??????? listen {
> ??????????????? ipaddr = *
> ??????????????? port = 67
> ??????????????? type = dhcp
> ??????????????? interface = ens160
> ??????? }
> ??????? dhcp DHCP-Discover {
> ??????????????? update config {
> ??????????????????????? DHCP-Relay-To-IP-Address := 192.168.10.1
> ??????????????? }
> ??????????????? update request {
> ??????????????????????? DHCP-Gateway-IP-Address := 192.168.10.254
> ??????????????? }
> ??????????????? ok
> ??????? }
> ??????? dhcp DHCP-Request {
> ??????????????? update config {
> ??????????????????????? DHCP-Relay-To-IP-Address := 192.168.10.1
> ??????????????? }
> ??????????????? update request {
> ??????????????????????? DHCP-Gateway-IP-Address := 192.168.10.254
> ??????????????? }
> ??????????????? ok
> ??????? }
> }
> On 192.168.10.1 dhcpserver works ok
> ?
> In logs
> /var/log/radius/radius.log
> Mon Jan 19 12:07:14 2015 : Auth: (44) Login OK: [test/<via Auth-Type =
> MSCHAP>] (from client rt-a1-1 port 0 via TLS tunnel)
> Mon Jan 19 12:07:14 2015 : Auth: (45) Login OK: [test/<via Auth-Type =
> EAP>] (from client rt-a1-1 port 13 cli 8c3ae3XXXXXX)
> Mon Jan 19 12:13:23 2015 : Auth: (59) Login OK: [test/<via Auth-Type =
> MSCHAP>] (from client rt-a1-1 port 0 via TLS tunnel)
> Mon Jan 19 12:13:23 2015 : Auth: (60) Login OK: [test/<via Auth-Type =
> EAP>] (from client rt-a1-1 port 13 cli 8c3ae3XXXXXX)
> Mon Jan 19 12:15:18 2015 : Auth: (70) Login OK: [test/<via Auth-Type =
> MSCHAP>] (from client rt-a1-2 port 0 via TLS tunnel)
> Mon Jan 19 12:15:18 2015 : Auth: (71) Login OK: [test/<via Auth-Type =
> EAP>] (from client rt-a1-2 port 0 cli 8C-3A-E3-XX-XX-XX)
> Mon Jan 19 12:16:10 2015 : Auth: (80) Login OK: [test/<via Auth-Type =
> MSCHAP>] (from client rt-a1-1 port 0 via TLS tunnel)
> Mon Jan 19 12:17:13 2015 : Auth: (85) Login OK: [test/<via Auth-Type =
> EAP>] (from client rt-a1-1 port 13 cli 8c3ae3XXXXXX)
> And all works... But... Ater some period of time 30-60 minutes noone can
> connect to wifi on AP's.
> I tried with alternative firmwares. Still the same.
> After tcpdump connections I have nothing... That mean. I tcpdump iface
> (ens160) and cannot see ANY PACKETS from any AP's to radius server...
> ?
> Problem disappear after restart freeradius (systemctl restart
> radiusd.service). And after some period of time... the same is happen.
> What the point? Where can be a problem?
> I tried to disable renew key on AP in radius configuration but this not
> helps.
> Thanx for help :-)
> ?
> With regards
> MK
> ?
> ?
> ?
>
> ------------------------------
>
> Message: 2
> Date: Mon, 19 Jan 2015 07:44:01 -0500
> From: Alan DeKok <aland(a)deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: Freeradius 3 and routers problem
> Message-ID: <FE155EBC-B18E-4B96-B77B-0B4807DC21F8(a)deployingradius.com>
> Content-Type: text/plain; charset=windows-1252
>
> On Jan 19, 2015, at 6:29 AM, alter1 <alter1(a)onet.pl> wrote:
> > I have a network: 3 soho wifi routers Dlink wrt54gl, wrt320n and Asus
> RT-AC52U. On each is the same configuration (wifi wpa2-enterprise with
> radius auth on 192.168.10.x server with 1812 port and secret key for each
> client)
>
> OK. That should be simple enough.
> >
> > Mon Jan 19 12:16:10 2015 : Auth: (80) Login OK: [test/<via Auth-Type =
> MSCHAP>] (from client rt-a1-1 port 0 via TLS tunnel)
> > Mon Jan 19 12:17:13 2015 : Auth: (85) Login OK: [test/<via Auth-Type =
> EAP>] (from client rt-a1-1 port 13 cli 8c3ae3XXXXXX)
> > And all works... But... Ater some period of time 30-60 minutes noone can
> connect to wifi on AP?s.
>
> That?s bad.
>
> > I tried with alternative firmwares. Still the same.
> > After tcpdump connections I have nothing... That mean. I tcpdump iface
> (ens160) and cannot see ANY PACKETS from any AP's to radius server?
>
> Then the APs are broken. When a user logs in, the APs should start
> doing RADIUS.
>
> > Problem disappear after restart freeradius (systemctl restart
> radiusd.service).
>
> Restarting FreeRADIUS doesn?t cause the APs to start sending packets.
> Something else is going on.
>
> What happens if you reboot the APs instead of FreeRADIUS?
>
> Alan DeKok.
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 19 Jan 2015 20:59:37 +0700
> From: Arran Cudbard-Bell <a.cudbardb(a)freeradius.org>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: VMPS sql error - WARNING: Unknown module "sql" in string
> expansion "%"
> Message-ID: <B5E4DF5C-63CC-40EC-AAAA-527498C2DEAE(a)freeradius.org>
> Content-Type: text/plain; charset=windows-1252
>
>
> > On 19 Jan 2015, at 10:54, Keith Olsen <keith.r.olsen(a)gmail.com> wrote:
> >
> > Thanks Alan,
> >
> > that resolved it.
> >
> > I?ve spent a fair bit of time getting the VMPS stuff working, in
> particular with a mysql DB, and have been documenting for the project I am
> using this on.
> >
> > I would be more than happy to share the cookbook on configuring the VMPS
> if you think there?s any value.
>
> Yes, definitely.
>
> > I know there is not much call for VMPS, but I know I would have
> appreciated a single source to follow.
> >
> > IF there?s value, let me know where and how I can contribute the
> documentation.
>
> Feel free to add it to the wiki. There's already a cookbook section.
>
> -Arran
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 19 Jan 2015 20:58:29 +0100
> From: alter1 <alter1(a)onet.pl>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: Re: Freeradius 3 and routers problem
> Message-ID:
> <107959639-517888edf517a2f20159e5d9a91f7f7a(a)pmq5.m5r2.onet>
> Content-Type: text/plain; charset="utf-8"
>
> Hello again,
>
>
> I know it might sound impossible, but sometimes I have an idea that radius
> in certain moment sent some like "deauth" packet to radius clients on AP's
> and in this case those clients
> dont talk to radius server anymore. Sorry I haven't so many time to read
> right RFC :-). So just ask :)
>
> After rebooting AP's is the same as I described with radius server. It
> works for 30-60 minutes and then after another... after another...
> A few hours ago I compiled my favorite distro - gentoo and emerge
> freeradius for this platform.
>
> I flashed wrt54gl with dd-wrt firmware (for better testing client from
> linksys dd-wrt shell)
> # radius-client test test 192.168.10.19 1812 link1
> Accept
>
> I repeated it every 2 hours and ... is still working without any problems.
> But because of nighttime I can prove it tomorrowe with real wifi clients.
> I'll back soon
>
> With regards,
> MK
>
> The only difference is that is net-dialup/freeradius-2.2.5 version - not 3
> like in centos distr.
>
> W dniu 2015-01-19 13:44:01 u?ytkownik Alan DeKok <
> aland(a)deployingradius.com> napisa?:
> > On Jan 19, 2015, at 6:29 AM, alter1 <alter1(a)onet.pl> wrote:
> > > I have a network: 3 soho wifi routers Dlink wrt54gl, wrt320n and Asus
> RT-AC52U. On each is the same configuration (wifi wpa2-enterprise with
> radius auth on 192.168.10.x server with 1812 port and secret key for each
> client)
> >
> > OK. That should be simple enough.
> > >
> > > Mon Jan 19 12:16:10 2015 : Auth: (80) Login OK: [test/<via Auth-Type =
> MSCHAP>] (from client rt-a1-1 port 0 via TLS tunnel)
> > > Mon Jan 19 12:17:13 2015 : Auth: (85) Login OK: [test/<via Auth-Type =
> EAP>] (from client rt-a1-1 port 13 cli 8c3ae3XXXXXX)
> > > And all works... But... Ater some period of time 30-60 minutes noone
> can connect to wifi on AP?s.
> >
> > That?s bad.
> >
> > > I tried with alternative firmwares. Still the same.
> > > After tcpdump connections I have nothing... That mean. I tcpdump iface
> (ens160) and cannot see ANY PACKETS from any AP's to radius server?
> >
> > Then the APs are broken. When a user logs in, the APs should start
> doing RADIUS.
> >
> > > Problem disappear after restart freeradius (systemctl restart
> radiusd.service).
> >
> > Restarting FreeRADIUS doesn?t cause the APs to start sending packets.
> Something else is going on.
> >
> > What happens if you reboot the APs instead of FreeRADIUS?
> >
> > Alan DeKok.
> >
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> >
>
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 19 Jan 2015 15:06:56 -0500
> From: Alan DeKok <aland(a)deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: Freeradius 3 and routers problem
> Message-ID: <2D43F89A-7262-4C5D-955E-BD0A1330B194(a)deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Jan 19, 2015, at 2:58 PM, alter1 <alter1(a)onet.pl> wrote:
> > I know it might sound impossible, but sometimes I have an idea that
> radius in certain moment sent some like "deauth" packet to radius clients
> on AP's and in this case those clients
> > dont talk to radius server anymore.
>
> There is no such RADIUS packet.
>
> > After rebooting AP's is the same as I described with radius server. It
> works for 30-60 minutes and then after another... after another...
> > A few hours ago I compiled my favorite distro - gentoo and emerge
> freeradius for this platform.
>
> Take your APs, and throw them in the garbage. Then, buy APs that work.
>
> Alan DeKok.
>
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 19 Jan 2015 14:08:13 -0800
> From: Jim Shi <hanmao_shi(a)apple.com>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: test PEAP
> Message-ID: <F64B0806-2459-4B40-94C2-A86FD367777A(a)apple.com>
> Content-Type: text/plain; charset=windows-1252
>
> I try test PEAP following steps described in
>
> http://www.freesoftwaremagazine.com/articles/howto_incremental_setup_freera…
>
> it says to send the following to radius server:
>
> $ cat eapol_test.conf.peap
> network={
> eap=PEAP
> eapol_flags=0
> key_mgmt=IEEE8021X
> identity="testuser"
> password="password"
> ca_cert="/home/gcheng/myCA/cacert.pem"
> phase2="auth=MSCHAPV2"
> anonymous_identity="anonymous"
> }
>
> When running the test, I noticed that it sends ?anonymous? user to the
> server and the server try to authenticate user ?anonymous? and failed.
> Any ideas what is ?anonymous? here? Do we need set up password for
> ?anonymous? on the server?
>
>
> Thanks
> Jim
>
>
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> End of Freeradius-Users Digest, Vol 117, Issue 56
> *************************************************
>
2
1
Hi, I have a question about setting up jradius with freeradius.
jradius version: build from trunk
free radius version: 2.1.12.
The doc cjradius/freeradius/README says:
- Configure FreeRADIUS with the rlm_jradius module. Below we show bits of
the FreeRADIUS etc/raddb/radiusd.conf file. We are only showing the
configurations for JRadius.
modules {
...
jradius {
name = "example" # The "Requester" name (a single
# JRadius server can have
# multiple "applications")
primary = "localhost" # Uses default port 1814
secondary = "192.168.0.1" # Fail-over server
tertiary = "192.168.0.1:8002" # Fail-over server on port 8002
timeout = 1 # Connect Timeout
onfail = NOOP # What to do if no JRadius
# Server is found. Options are:
# FAIL (default), OK, REJECT, NOOP
}
}
authorize {
...
jradius
}
post-auth {
...
jradius
I noticed authorize and post-auth sections
are now moved into the files:
/etc/raddb/sites-enabled/default
/etc/raddb/sites-available/default
should I update these two files instead?
Thanks
Jim
4
7
19 Jan '15
Hi,
I am trying in configure my FR v3.0.4 to pass inner identity to outer in eap-peap setup. I read some of the old mails with similar issues, like the following:
http://lists.freeradius.org/pipermail/freeradius-users/2014-August/073458.h…
I made the following setting as suggested in the mail:
1. Update outer reply in file inner-tunnel, post auth:
update outer.reply {
User-Name = "%{request:User-Name}"
}
2. Set "use_tunneled_reply=yes" in file eap
With the above setting, I still couldn't get it working. I compared my debug with that of above article. I see the difference at this line:
eap_peap : Using saved attributes from the original Access-Accept
Stripped-User-Name = 'bob'
The above article uses "User-Name". Is this the difference?
I use "Stripped-User-Name" for actual authentication against ldap, but want "User-Name" (with domain) for logging and accounting. I am not sure when they are used in different phases.
At near the end of the debug, I even see:
Stripped-User-Name = 'bigman'
which is obviously wrong, as 'bigman' is the name I made up for "Anonymous Identity".
Can anyone give me a clue what I have done wrong? Thanks in advance. Debug log follows.
Fu-Keung
Received Access-Request Id 23 from 10.10.1.1:3406 to 10.80.1.1:1812 length 234
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message = 0x0201000b016269676d616e
Message-Authenticator = 0xccd5bdaaca2af26208231312039efd06
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
(1) Received Access-Request packet from host 10.10.1.1 port 3406, id=23, length=234
(1) User-Name = 'bigman'
(1) Framed-MTU = 1450
(1) EAP-Message = 0x0201000b016269676d616e
(1) Message-Authenticator = 0xccd5bdaaca2af26208231312039efd06
(1) Chargeable-User-Identity = 0x00
(1) NAS-IP-Address = 10.10.1.1
(1) NAS-Identifier = 'WiFi-Controller-7'
(1) NAS-Port = 33558758
(1) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Framed-Protocol = PPP
(1) Calling-Station-Id = '00-18-60-68-03-EC'
(1) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(1) Acct-Session-Id = '115001511383b5ab70'
(1) Framed-IP-Address = 202.189.123.194
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(1) authorize {
(1) filter_username filter_username {
(1) if (&User-Name =~ / /)
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ )
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\\.\\./ )
(1) if (&User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\\.$/)
(1) if (&User-Name =~ /\\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\\./)
(1) if (&User-Name =~ /(a)\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(1) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(1) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to
/usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(1) auth_log : EXPAND %t
(1) auth_log : --> Thu Jan 15 11:38:41 2015
(1) [auth_log] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) suffix : Checking for suffix after "@"
(1) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(1) suffix : Found realm "NULL"
(1) suffix : Adding Stripped-User-Name = "bigman"
(1) suffix : Adding Realm = "NULL"
(1) suffix : Authentication realm is LOCAL
(1) [suffix] = ok
(1) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(1) EXPAND %{Realm}
(1) --> NULL
(1) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(1) eap : Peer sent code Response (2) ID 1 length 11
(1) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(1) authenticate {
(1) eap : Peer sent method Identity (1)
(1) eap : Calling eap_peap to process EAP data
(1) eap_peap : Flushing SSL sessions (of #0)
(1) eap_peap : Initiate
(1) eap_peap : Start returned 1
(1) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c45dc8f5
(1) [eap] = handled
(1) } # authenticate = handled
(1) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=23, length=0
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xc45fd1a2c45dc8f54b145a25fcad284d
Sending Access-Challenge Id 23 from 10.80.1.1:1812 to 10.10.1.1:3406
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2c45dc8f54b145a25fcad284d
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 24 from 10.10.1.1:3406 to 10.80.1.1:1812 length 481
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message =
0x020200f01980000000e616030100e1010000dd030154b7364159780149473ee8f5fe51b610195a60bdef3a980353e6519897f8b16720976
ea3c73b3445f9cd75b76a2a37ce372ec9abb31f312e6af82f886225797e740054c014c00ac022c02100390038c00fc0050035c012c008c01c
c01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc0020005000400150012000900140011000800060
00300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500
120013000100020003000f00100011
Message-Authenticator = 0x2482d0e8d2e786b72eeddfb5861726c7
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2c45dc8f54b145a25fcad284d
(2) Received Access-Request packet from host 10.10.1.1 port 3406, id=24, length=481
(2) User-Name = 'bigman'
(2) Framed-MTU = 1450
(2) EAP-Message =
0x020200f01980000000e616030100e1010000dd030154b7364159780149473ee8f5fe51b610195a60bdef3a980353e6519897f8b16720976
ea3c73b3445f9cd75b76a2a37ce372ec9abb31f312e6af82f886225797e740054c014c00ac022c02100390038c00fc0050035c012c008c01c
c01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc0020005000400150012000900140011000800060
00300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500
120013000100020003000f00100011
(2) Message-Authenticator = 0x2482d0e8d2e786b72eeddfb5861726c7
(2) Chargeable-User-Identity = 0x00
(2) NAS-IP-Address = 10.10.1.1
(2) NAS-Identifier = 'WiFi-Controller-7'
(2) NAS-Port = 33558758
(2) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Framed-Protocol = PPP
(2) Calling-Station-Id = '00-18-60-68-03-EC'
(2) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(2) Acct-Session-Id = '115001511383b5ab70'
(2) Framed-IP-Address = 202.189.123.194
(2) State = 0xc45fd1a2c45dc8f54b145a25fcad284d
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(2) authorize {
(2) filter_username filter_username {
(2) if (&User-Name =~ / /)
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@.*@/ )
(2) if (&User-Name =~ /@.*@/ ) -> FALSE
(2) if (&User-Name =~ /\\.\\./ )
(2) if (&User-Name =~ /\\.\\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\\.$/)
(2) if (&User-Name =~ /\\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\\./)
(2) if (&User-Name =~ /(a)\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(2) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(2) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to
/usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(2) auth_log : EXPAND %t
(2) auth_log : --> Thu Jan 15 11:38:41 2015
(2) [auth_log] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) suffix : Checking for suffix after "@"
(2) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(2) suffix : Found realm "NULL"
(2) suffix : Adding Stripped-User-Name = "bigman"
(2) suffix : Adding Realm = "NULL"
(2) suffix : Authentication realm is LOCAL
(2) [suffix] = ok
(2) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(2) EXPAND %{Realm}
(2) --> NULL
(2) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(2) eap : Peer sent code Response (2) ID 2 length 240
(2) eap : Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(2) authenticate {
(2) eap : Expiring EAP session with state 0xc45fd1a2c45dc8f5
(2) eap : Finished EAP session with state 0xc45fd1a2c45dc8f5
(2) eap : Previous EAP request found for state 0xc45fd1a2c45dc8f5, released from the list
(2) eap : Peer sent method PEAP (25)
(2) eap : EAP PEAP (25)
(2) eap : Calling eap_peap to process EAP data
(2) eap_peap : processing EAP-TLS
TLS Length 230
(2) eap_peap : Length Included
(2) eap_peap : eaptls_verify returned 11
(2) eap_peap : (other): before/accept initialization
(2) eap_peap : TLS_accept: before/accept initialization
(2) eap_peap : <<< TLS 1.0 Handshake [length 00e1], ClientHello
SSL: Client requested cached session 976ea3c73b3445f9cd75b76a2a37ce372ec9abb31f312e6af82f886225797e74
(2) eap_peap : TLS_accept: SSLv3 read client hello A
(2) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello
(2) eap_peap : TLS_accept: SSLv3 write server hello A
(2) eap_peap : >>> TLS 1.0 Handshake [length 0cb2], Certificate
(2) eap_peap : TLS_accept: SSLv3 write certificate A
(2) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2) eap_peap : TLS_accept: SSLv3 write key exchange A
(2) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(2) eap_peap : TLS_accept: SSLv3 write server done A
(2) eap_peap : TLS_accept: SSLv3 flush data
(2) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(2) eap_peap : eaptls_process returned 13
(2) eap_peap : FR_TLS_HANDLED
(2) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c55cc8f5
(2) [eap] = handled
(2) } # authenticate = handled
(2) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=24, length=0
(2) EAP-Message =
0x010303ec19c000000e6e160301005902000055030154b73641e3caf729409a814c4e2c0f4c4522113a1cbfd2509d86377e80e55ca320de1
732ec96d8d5c6da625272bfc8a7c91f9c38a8cb5dba22086d7e918ef5f336c01400000dff01000100000b0004030001021603010cb20b000c
ae000cab00054c3082054830820430a003020102020309b957300d06092a864886f70d01010505003061310b3009060355040613025553311
63014060355040a130d47656f547275737420496e632e311d301b060355040b1314446f6d61696e2056616c6964617465642053534c311b30
190603550403131247656f54727573742044562053534c204341301e170d3134303732323135353131365a170d31363130323331373535333
95a3081c431293027060355040513204c4232345a54662d6b45566c68637173756f3533435a4f562f32434b66347a3231133011060355040b
130a475433333535373034363131302f060355040b1328536565207777772e67656f74727573742e636f6d2f7265736f75726365732f63707
320286329313431373035060355040b132e446f6d61696e20436f6e74726f6c2056616c696461746564202d20517569636b53534c28522920
5072656d69756d311630140603550403130d3830322e31782e686b752e686b30820122300d06092a864886f70d01010105000382
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xc45fd1a2c55cc8f54b145a25fcad284d
Sending Access-Challenge Id 24 from 10.80.1.1:1812 to 10.10.1.1:3406
EAP-Message =
0x010303ec19c000000e6e160301005902000055030154b73641e3caf729409a814c4e2c0f4c4522113a1cbfd2509d86377e80e55ca320de1
732ec96d8d5c6da625272bfc8a7c91f9c38a8cb5dba22086d7e918ef5f336c01400000dff01000100000b0004030001021603010cb20b000c
ae000cab00054c3082054830820430a003020102020309b957300d06092a864886f70d01010505003061310b3009060355040613025553311
63014060355040a130d47656f547275737420496e632e311d301b060355040b1314446f6d61696e2056616c6964617465642053534c311b30
190603550403131247656f54727573742044562053534c204341301e170d3134303732323135353131365a170d31363130323331373535333
95a3081c431293027060355040513204c4232345a54662d6b45566c68637173756f3533435a4f562f32434b66347a3231133011060355040b
130a475433333535373034363131302f060355040b1328536565207777772e67656f74727573742e636f6d2f7265736f75726365732f63707
320286329313431373035060355040b132e446f6d61696e20436f6e74726f6c2056616c696461746564202d20517569636b53534c28522920
5072656d69756d311630140603550403130d3830322e31782e686b752e686b30820122300d06092a864886f70d0101010500038
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2c55cc8f54b145a25fcad284d
(2) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 25 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message = 0x020300061900
Message-Authenticator = 0xc76f52ad9452fcf86193c1cb317a875e
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2c55cc8f54b145a25fcad284d
(3) Received Access-Request packet from host 10.10.1.1 port 3406, id=25, length=247
(3) User-Name = 'bigman'
(3) Framed-MTU = 1450
(3) EAP-Message = 0x020300061900
(3) Message-Authenticator = 0xc76f52ad9452fcf86193c1cb317a875e
(3) Chargeable-User-Identity = 0x00
(3) NAS-IP-Address = 10.10.1.1
(3) NAS-Identifier = 'WiFi-Controller-7'
(3) NAS-Port = 33558758
(3) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Framed-Protocol = PPP
(3) Calling-Station-Id = '00-18-60-68-03-EC'
(3) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(3) Acct-Session-Id = '115001511383b5ab70'
(3) Framed-IP-Address = 202.189.123.194
(3) State = 0xc45fd1a2c55cc8f54b145a25fcad284d
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(3) authorize {
(3) filter_username filter_username {
(3) if (&User-Name =~ / /)
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@.*@/ )
(3) if (&User-Name =~ /@.*@/ ) -> FALSE
(3) if (&User-Name =~ /\\.\\./ )
(3) if (&User-Name =~ /\\.\\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\\.$/)
(3) if (&User-Name =~ /\\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\\./)
(3) if (&User-Name =~ /(a)\\./) -> FALSE
(3) } # filter_username filter_username = notfound
(3) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(3) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(3) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to
/usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(3) auth_log : EXPAND %t
(3) auth_log : --> Thu Jan 15 11:38:41 2015
(3) [auth_log] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) suffix : Checking for suffix after "@"
(3) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(3) suffix : Found realm "NULL"
(3) suffix : Adding Stripped-User-Name = "bigman"
(3) suffix : Adding Realm = "NULL"
(3) suffix : Authentication realm is LOCAL
(3) [suffix] = ok
(3) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(3) EXPAND %{Realm}
(3) --> NULL
(3) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(3) eap : Peer sent code Response (2) ID 3 length 6
(3) eap : Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(3) authenticate {
(3) eap : Expiring EAP session with state 0xc45fd1a2c55cc8f5
(3) eap : Finished EAP session with state 0xc45fd1a2c55cc8f5
(3) eap : Previous EAP request found for state 0xc45fd1a2c55cc8f5, released from the list
(3) eap : Peer sent method PEAP (25)
(3) eap : EAP PEAP (25)
(3) eap : Calling eap_peap to process EAP data
(3) eap_peap : processing EAP-TLS
(3) eap_peap : Received TLS ACK
(3) eap_peap : Received TLS ACK
(3) eap_peap : ACK handshake fragment handler
(3) eap_peap : eaptls_verify returned 1
(3) eap_peap : eaptls_process returned 13
(3) eap_peap : FR_TLS_HANDLED
(3) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c65bc8f5
(3) [eap] = handled
(3) } # authenticate = handled
(3) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=25, length=0
(3) EAP-Message =
0x010403e8194006082b0601050507010104693067302c06082b060105050730018620687474703a2f2f677473736c64762d6f6373702e676
56f74727573742e636f6d303706082b06010505073002862b687474703a2f2f677473736c64762d6169612e67656f74727573742e636f6d2f
677473736c64762e637274304c0603551d20044530433041060a6086480186f8450107363033303106082b060105050702011625687474703
a2f2f7777772e67656f74727573742e636f6d2f7265736f75726365732f637073300d06092a864886f70d0101050500038201010091d9680d
46ffd03a63a8b6a897d185cfbadd715bf133d465a137d8c5d9da6f52124c7d843c8c2961a9e923e3631a02b1b407da20313cf6f33b01d58b3
88537ee19b61a635c945d33bdd18b93523979623be91b1b5c8ea1f0b9fd956ddd9acf6a6a8a2be3bca8e051d503dd28a719b19d25c6cab9dd
ca892ebb527a01aea253a7e68186ed2b1d887a4f8ef57f242f937dc9edb163f87d7cb20387c21a7c86f37ecfbd26f8396763a5c690a881663
c12a49543d86548e85831021fe5c0bb39e49cd0ec6dada40dfd6c016dc5bf8b95b6a3ebea2246bae7ce0cd4e0b4e9ff3eec76b5aeb91d3ca0
0bded4a484e0b24bcc61c2d37b827b12507838027759ceb9bca60003fe308203fa308202e2a00302010202030236d2300d06092a
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xc45fd1a2c65bc8f54b145a25fcad284d
Sending Access-Challenge Id 25 from 10.80.1.1:1812 to 10.10.1.1:3406
EAP-Message =
0x010403e8194006082b0601050507010104693067302c06082b060105050730018620687474703a2f2f677473736c64762d6f6373702e676
56f74727573742e636f6d303706082b06010505073002862b687474703a2f2f677473736c64762d6169612e67656f74727573742e636f6d2f
677473736c64762e637274304c0603551d20044530433041060a6086480186f8450107363033303106082b060105050702011625687474703
a2f2f7777772e67656f74727573742e636f6d2f7265736f75726365732f637073300d06092a864886f70d0101050500038201010091d9680d
46ffd03a63a8b6a897d185cfbadd715bf133d465a137d8c5d9da6f52124c7d843c8c2961a9e923e3631a02b1b407da20313cf6f33b01d58b3
88537ee19b61a635c945d33bdd18b93523979623be91b1b5c8ea1f0b9fd956ddd9acf6a6a8a2be3bca8e051d503dd28a719b19d25c6cab9dd
ca892ebb527a01aea253a7e68186ed2b1d887a4f8ef57f242f937dc9edb163f87d7cb20387c21a7c86f37ecfbd26f8396763a5c690a881663
c12a49543d86548e85831021fe5c0bb39e49cd0ec6dada40dfd6c016dc5bf8b95b6a3ebea2246bae7ce0cd4e0b4e9ff3eec76b5aeb91d3ca0
0bded4a484e0b24bcc61c2d37b827b12507838027759ceb9bca60003fe308203fa308202e2a00302010202030236d2300d06092
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2c65bc8f54b145a25fcad284d
(3) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 26 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message = 0x020400061900
Message-Authenticator = 0x07909351500113863860a840942c0c81
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2c65bc8f54b145a25fcad284d
(4) Received Access-Request packet from host 10.10.1.1 port 3406, id=26, length=247
(4) User-Name = 'bigman'
(4) Framed-MTU = 1450
(4) EAP-Message = 0x020400061900
(4) Message-Authenticator = 0x07909351500113863860a840942c0c81
(4) Chargeable-User-Identity = 0x00
(4) NAS-IP-Address = 10.10.1.1
(4) NAS-Identifier = 'WiFi-Controller-7'
(4) NAS-Port = 33558758
(4) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Framed-Protocol = PPP
(4) Calling-Station-Id = '00-18-60-68-03-EC'
(4) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(4) Acct-Session-Id = '115001511383b5ab70'
(4) Framed-IP-Address = 202.189.123.194
(4) State = 0xc45fd1a2c65bc8f54b145a25fcad284d
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(4) authorize {
(4) filter_username filter_username {
(4) if (&User-Name =~ / /)
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@.*@/ )
(4) if (&User-Name =~ /@.*@/ ) -> FALSE
(4) if (&User-Name =~ /\\.\\./ )
(4) if (&User-Name =~ /\\.\\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\\.$/)
(4) if (&User-Name =~ /\\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\\./)
(4) if (&User-Name =~ /(a)\\./) -> FALSE
(4) } # filter_username filter_username = notfound
(4) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(4) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(4) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to
/usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(4) auth_log : EXPAND %t
(4) auth_log : --> Thu Jan 15 11:38:41 2015
(4) [auth_log] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) suffix : Checking for suffix after "@"
(4) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(4) suffix : Found realm "NULL"
(4) suffix : Adding Stripped-User-Name = "bigman"
(4) suffix : Adding Realm = "NULL"
(4) suffix : Authentication realm is LOCAL
(4) [suffix] = ok
(4) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(4) EXPAND %{Realm}
(4) --> NULL
(4) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(4) eap : Peer sent code Response (2) ID 4 length 6
(4) eap : Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(4) authenticate {
(4) eap : Expiring EAP session with state 0xc45fd1a2c65bc8f5
(4) eap : Finished EAP session with state 0xc45fd1a2c65bc8f5
(4) eap : Previous EAP request found for state 0xc45fd1a2c65bc8f5, released from the list
(4) eap : Peer sent method PEAP (25)
(4) eap : EAP PEAP (25)
(4) eap : Calling eap_peap to process EAP data
(4) eap_peap : processing EAP-TLS
(4) eap_peap : Received TLS ACK
(4) eap_peap : Received TLS ACK
(4) eap_peap : ACK handshake fragment handler
(4) eap_peap : eaptls_verify returned 1
(4) eap_peap : eaptls_process returned 13
(4) eap_peap : FR_TLS_HANDLED
(4) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c75ac8f5
(4) [eap] = handled
(4) } # authenticate = handled
(4) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=26, length=0
(4) EAP-Message =
0x010503e81940150203010001a381d93081d6300e0603551d0f0101ff040403020106301d0603551d0e041604148cf4d9930a47bc00a04ac
e4b756ea0b6b0b27efc301f0603551d23041830168014c07a98688d89fbab05640c117daa7d65b8cacc4e30120603551d130101ff04083006
0101ff020100303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e67656f74727573742e636f6d2f63726c732f67746
76c6f62616c2e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e67656f7472
7573742e636f6d300d06092a864886f70d0101050500038201010033913711db40f9de8cb2028877af6321c1adb00dfaa07856a382fdbb495
f146dc8dc5f94da11667c1e91c5b6d86d4faaf2bf21287e52a2927808616921fe2dec821884f4d38dc58abb8acc5de6a3b6cc6ead6fb30e61
ee89ce13344f4955f539bb9996f0f5ea5a3c9c16bd0253f02a0e416eebef9ef77036cd802a76c887e3eb23b3962ce61d945f1ca4e2cd24312
b0638326161395c894c481d42c9679ed2bf58f7f93731b067dd8d26361a781a09193c9307702ae17c29f5de66570b125e16ed5ebd37b33069
c692a5f619d81df83612b94b95959cd0ce6c30a716fbf64d64b65f2a149ca6c8558e20f9650724cc38054c2088b4b56794cf5d8e
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xc45fd1a2c75ac8f54b145a25fcad284d
Sending Access-Challenge Id 26 from 10.80.1.1:1812 to 10.10.1.1:3406
EAP-Message =
0x010503e81940150203010001a381d93081d6300e0603551d0f0101ff040403020106301d0603551d0e041604148cf4d9930a47bc00a04ac
e4b756ea0b6b0b27efc301f0603551d23041830168014c07a98688d89fbab05640c117daa7d65b8cacc4e30120603551d130101ff04083006
0101ff020100303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e67656f74727573742e636f6d2f63726c732f67746
76c6f62616c2e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e67656f7472
7573742e636f6d300d06092a864886f70d0101050500038201010033913711db40f9de8cb2028877af6321c1adb00dfaa07856a382fdbb495
f146dc8dc5f94da11667c1e91c5b6d86d4faaf2bf21287e52a2927808616921fe2dec821884f4d38dc58abb8acc5de6a3b6cc6ead6fb30e61
ee89ce13344f4955f539bb9996f0f5ea5a3c9c16bd0253f02a0e416eebef9ef77036cd802a76c887e3eb23b3962ce61d945f1ca4e2cd24312
b0638326161395c894c481d42c9679ed2bf58f7f93731b067dd8d26361a781a09193c9307702ae17c29f5de66570b125e16ed5ebd37b33069
c692a5f619d81df83612b94b95959cd0ce6c30a716fbf64d64b65f2a149ca6c8558e20f9650724cc38054c2088b4b56794cf5d8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2c75ac8f54b145a25fcad284d
(4) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 27 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message = 0x020500061900
Message-Authenticator = 0xdf11606407de46c9534e9e36c2af5b38
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2c75ac8f54b145a25fcad284d
(5) Received Access-Request packet from host 10.10.1.1 port 3406, id=27, length=247
(5) User-Name = 'bigman'
(5) Framed-MTU = 1450
(5) EAP-Message = 0x020500061900
(5) Message-Authenticator = 0xdf11606407de46c9534e9e36c2af5b38
(5) Chargeable-User-Identity = 0x00
(5) NAS-IP-Address = 10.10.1.1
(5) NAS-Identifier = 'WiFi-Controller-7'
(5) NAS-Port = 33558758
(5) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Framed-Protocol = PPP
(5) Calling-Station-Id = '00-18-60-68-03-EC'
(5) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(5) Acct-Session-Id = '115001511383b5ab70'
(5) Framed-IP-Address = 202.189.123.194
(5) State = 0xc45fd1a2c75ac8f54b145a25fcad284d
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(5) authorize {
(5) filter_username filter_username {
(5) if (&User-Name =~ / /)
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@.*@/ )
(5) if (&User-Name =~ /@.*@/ ) -> FALSE
(5) if (&User-Name =~ /\\.\\./ )
(5) if (&User-Name =~ /\\.\\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\\.$/)
(5) if (&User-Name =~ /\\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\\./)
(5) if (&User-Name =~ /(a)\\./) -> FALSE
(5) } # filter_username filter_username = notfound
(5) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(5) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(5) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to
/usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(5) auth_log : EXPAND %t
(5) auth_log : --> Thu Jan 15 11:38:41 2015
(5) [auth_log] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) suffix : Checking for suffix after "@"
(5) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(5) suffix : Found realm "NULL"
(5) suffix : Adding Stripped-User-Name = "bigman"
(5) suffix : Adding Realm = "NULL"
(5) suffix : Authentication realm is LOCAL
(5) [suffix] = ok
(5) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(5) EXPAND %{Realm}
(5) --> NULL
(5) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(5) eap : Peer sent code Response (2) ID 5 length 6
(5) eap : Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(5) authenticate {
(5) eap : Expiring EAP session with state 0xc45fd1a2c75ac8f5
(5) eap : Finished EAP session with state 0xc45fd1a2c75ac8f5
(5) eap : Previous EAP request found for state 0xc45fd1a2c75ac8f5, released from the list
(5) eap : Peer sent method PEAP (25)
(5) eap : EAP PEAP (25)
(5) eap : Calling eap_peap to process EAP data
(5) eap_peap : processing EAP-TLS
(5) eap_peap : Received TLS ACK
(5) eap_peap : Received TLS ACK
(5) eap_peap : ACK handshake fragment handler
(5) eap_peap : eaptls_verify returned 1
(5) eap_peap : eaptls_process returned 13
(5) eap_peap : FR_TLS_HANDLED
(5) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c059c8f5
(5) [eap] = handled
(5) } # authenticate = handled
(5) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=27, length=0
(5) EAP-Message =
0x010602ce1900f90203010001a3533051300f0603551d130101ff040530030101ff301d0603551d0e04160414c07a98688d89fbab05640c1
17daa7d65b8cacc4e301f0603551d23041830168014c07a98688d89fbab05640c117daa7d65b8cacc4e300d06092a864886f70d0101050500
038201010035e3296ae52f5d548e2950949f991a14e48f782a6294a227679ed0cf1a5e47e9c1b2a4cfdd411a054e9b4bee4a6f5552b324a13
70aeb64762a2e2cf3fd3b7590bffa71d8c73d37d2b5059562b9a6de893d367b38774897aca6208f2ea6c90cc2b2994500c7ce11512222e0a5
eab615480964ea5e4f74f7053ec78a520cdb15b4bd6d9be5c6b15468a9e36990b69aa50fb8b93f207dae4ab5b89ce41db6abe694a5c1c783a
ddbf527870e046cd5ffdda05ded8752b72b1502ae39a66a74e9dac4e7bc4d341ea95c4d335f92092f88665d7797c71d7613a9d5e5f1160911
35d5acdb2471702c98560bd917b4d1e3512b5e75e8d5d0dc4f34edc2056680a1cbe633160301014b0c00014703001741048d27ea32b74fe5d
a9e3397460cc54db568ef26e83a8679faf61369757c3c55897f3322fe3d33edbf92c82b88884720bb502ddb322cf64add34319a27b46727ed
0100d88337eb9edde4bf15bf4f6e8d421fc38fadd9fe00755902fb7786c5c56b18ea0cb2c58c807e7a0eb5509284dd571da751ac
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xc45fd1a2c059c8f54b145a25fcad284d
Sending Access-Challenge Id 27 from 10.80.1.1:1812 to 10.10.1.1:3406
EAP-Message =
0x010602ce1900f90203010001a3533051300f0603551d130101ff040530030101ff301d0603551d0e04160414c07a98688d89fbab05640c1
17daa7d65b8cacc4e301f0603551d23041830168014c07a98688d89fbab05640c117daa7d65b8cacc4e300d06092a864886f70d0101050500
038201010035e3296ae52f5d548e2950949f991a14e48f782a6294a227679ed0cf1a5e47e9c1b2a4cfdd411a054e9b4bee4a6f5552b324a13
70aeb64762a2e2cf3fd3b7590bffa71d8c73d37d2b5059562b9a6de893d367b38774897aca6208f2ea6c90cc2b2994500c7ce11512222e0a5
eab615480964ea5e4f74f7053ec78a520cdb15b4bd6d9be5c6b15468a9e36990b69aa50fb8b93f207dae4ab5b89ce41db6abe694a5c1c783a
ddbf527870e046cd5ffdda05ded8752b72b1502ae39a66a74e9dac4e7bc4d341ea95c4d335f92092f88665d7797c71d7613a9d5e5f1160911
35d5acdb2471702c98560bd917b4d1e3512b5e75e8d5d0dc4f34edc2056680a1cbe633160301014b0c00014703001741048d27ea32b74fe5d
a9e3397460cc54db568ef26e83a8679faf61369757c3c55897f3322fe3d33edbf92c82b88884720bb502ddb322cf64add34319a27b46727ed
0100d88337eb9edde4bf15bf4f6e8d421fc38fadd9fe00755902fb7786c5c56b18ea0cb2c58c807e7a0eb5509284dd571da751a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2c059c8f54b145a25fcad284d
(5) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 28 from 10.10.1.1:3406 to 10.80.1.1:1812 length 385
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message =
0x0206009019800000008616030100461000004241044ef08b19473bec29ff662bdfb7ffa6eea08c3f109aef0d3bfb3ea0bd683d2ca383bdb
6ba0e9936e8adca78fe87f13f231f03a2eba0aba10ab70f019c042ed8ce14030100010116030100309057f22f8c1f4c43863ab5889b3dda04
886d8095d62b03324b066a9abe464436cbbd6989d2c1aa8679ef78775f541471
Message-Authenticator = 0x821c3a6346a04d4c00ab0b569714ccb4
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2c059c8f54b145a25fcad284d
(6) Received Access-Request packet from host 10.10.1.1 port 3406, id=28, length=385
(6) User-Name = 'bigman'
(6) Framed-MTU = 1450
(6) EAP-Message =
0x0206009019800000008616030100461000004241044ef08b19473bec29ff662bdfb7ffa6eea08c3f109aef0d3bfb3ea0bd683d2ca383bdb
6ba0e9936e8adca78fe87f13f231f03a2eba0aba10ab70f019c042ed8ce14030100010116030100309057f22f8c1f4c43863ab5889b3dda04
886d8095d62b03324b066a9abe464436cbbd6989d2c1aa8679ef78775f541471
(6) Message-Authenticator = 0x821c3a6346a04d4c00ab0b569714ccb4
(6) Chargeable-User-Identity = 0x00
(6) NAS-IP-Address = 10.10.1.1
(6) NAS-Identifier = 'WiFi-Controller-7'
(6) NAS-Port = 33558758
(6) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Framed-Protocol = PPP
(6) Calling-Station-Id = '00-18-60-68-03-EC'
(6) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(6) Acct-Session-Id = '115001511383b5ab70'
(6) Framed-IP-Address = 202.189.123.194
(6) State = 0xc45fd1a2c059c8f54b145a25fcad284d
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(6) authorize {
(6) filter_username filter_username {
(6) if (&User-Name =~ / /)
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@.*@/ )
(6) if (&User-Name =~ /@.*@/ ) -> FALSE
(6) if (&User-Name =~ /\\.\\./ )
(6) if (&User-Name =~ /\\.\\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\\.$/)
(6) if (&User-Name =~ /\\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\\./)
(6) if (&User-Name =~ /(a)\\./) -> FALSE
(6) } # filter_username filter_username = notfound
(6) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(6) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(6) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to
/usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(6) auth_log : EXPAND %t
(6) auth_log : --> Thu Jan 15 11:38:42 2015
(6) [auth_log] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix : Checking for suffix after "@"
(6) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(6) suffix : Found realm "NULL"
(6) suffix : Adding Stripped-User-Name = "bigman"
(6) suffix : Adding Realm = "NULL"
(6) suffix : Authentication realm is LOCAL
(6) [suffix] = ok
(6) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(6) EXPAND %{Realm}
(6) --> NULL
(6) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(6) eap : Peer sent code Response (2) ID 6 length 144
(6) eap : Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(6) authenticate {
(6) eap : Expiring EAP session with state 0xc45fd1a2c059c8f5
(6) eap : Finished EAP session with state 0xc45fd1a2c059c8f5
(6) eap : Previous EAP request found for state 0xc45fd1a2c059c8f5, released from the list
(6) eap : Peer sent method PEAP (25)
(6) eap : EAP PEAP (25)
(6) eap : Calling eap_peap to process EAP data
(6) eap_peap : processing EAP-TLS
TLS Length 134
(6) eap_peap : Length Included
(6) eap_peap : eaptls_verify returned 11
(6) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(6) eap_peap : TLS_accept: SSLv3 read client key exchange A
(6) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(6) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
(6) eap_peap : TLS_accept: SSLv3 read finished A
(6) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(6) eap_peap : TLS_accept: SSLv3 write change cipher spec A
(6) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
(6) eap_peap : TLS_accept: SSLv3 write finished A
(6) eap_peap : TLS_accept: SSLv3 flush data
SSL: adding session de1732ec96d8d5c6da625272bfc8a7c91f9c38a8cb5dba22086d7e918ef5f336 to cache
(6) eap_peap : (other): SSL negotiation finished successfully
SSL Connection Established
(6) eap_peap : eaptls_process returned 13
(6) eap_peap : FR_TLS_HANDLED
(6) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c158c8f5
(6) [eap] = handled
(6) } # authenticate = handled
(6) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=28, length=0
(6) EAP-Message =
0x0107004119001403010001011603010030b401bfdca97f680fcd59e0d4020e5e46984935821e0adf9c27302e684e42c8a746961df985f96
da21b4bfc6fc733123a
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xc45fd1a2c158c8f54b145a25fcad284d
Sending Access-Challenge Id 28 from 10.80.1.1:1812 to 10.10.1.1:3406
EAP-Message =
0x0107004119001403010001011603010030b401bfdca97f680fcd59e0d4020e5e46984935821e0adf9c27302e684e42c8a746961df985f96
da21b4bfc6fc733123a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2c158c8f54b145a25fcad284d
(6) Finished request
Received Access-Request Id 29 from 10.10.1.1:3406 to 10.80.1.1:1812 length 247
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message = 0x020700061900
Message-Authenticator = 0xa2b870a0c1d26b331ae96e5115a25cde
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2c158c8f54b145a25fcad284d
(7) Received Access-Request packet from host 10.10.1.1 port 3406, id=29, length=247
(7) User-Name = 'bigman'
(7) Framed-MTU = 1450
(7) EAP-Message = 0x020700061900
(7) Message-Authenticator = 0xa2b870a0c1d26b331ae96e5115a25cde
(7) Chargeable-User-Identity = 0x00
(7) NAS-IP-Address = 10.10.1.1
(7) NAS-Identifier = 'WiFi-Controller-7'
(7) NAS-Port = 33558758
(7) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) Framed-Protocol = PPP
(7) Calling-Station-Id = '00-18-60-68-03-EC'
(7) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(7) Acct-Session-Id = '115001511383b5ab70'
(7) Framed-IP-Address = 202.189.123.194
(7) State = 0xc45fd1a2c158c8f54b145a25fcad284d
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(7) authorize {
(7) filter_username filter_username {
(7) if (&User-Name =~ / /)
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@.*@/ )
(7) if (&User-Name =~ /@.*@/ ) -> FALSE
(7) if (&User-Name =~ /\\.\\./ )
(7) if (&User-Name =~ /\\.\\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\\.$/)
(7) if (&User-Name =~ /\\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\\./)
(7) if (&User-Name =~ /(a)\\./) -> FALSE
(7) } # filter_username filter_username = notfound
(7) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(7) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(7) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to
/usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(7) auth_log : EXPAND %t
(7) auth_log : --> Thu Jan 15 11:38:42 2015
(7) [auth_log] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix : Checking for suffix after "@"
(7) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(7) suffix : Found realm "NULL"
(7) suffix : Adding Stripped-User-Name = "bigman"
(7) suffix : Adding Realm = "NULL"
(7) suffix : Authentication realm is LOCAL
(7) [suffix] = ok
(7) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(7) EXPAND %{Realm}
(7) --> NULL
(7) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(7) eap : Peer sent code Response (2) ID 7 length 6
(7) eap : Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(7) authenticate {
(7) eap : Expiring EAP session with state 0xc45fd1a2c158c8f5
(7) eap : Finished EAP session with state 0xc45fd1a2c158c8f5
(7) eap : Previous EAP request found for state 0xc45fd1a2c158c8f5, released from the list
(7) eap : Peer sent method PEAP (25)
(7) eap : EAP PEAP (25)
(7) eap : Calling eap_peap to process EAP data
(7) eap_peap : processing EAP-TLS
(7) eap_peap : Received TLS ACK
(7) eap_peap : Received TLS ACK
(7) eap_peap : ACK handshake is finished
(7) eap_peap : eaptls_verify returned 3
(7) eap_peap : eaptls_process returned 3
(7) eap_peap : FR_TLS_SUCCESS
(7) eap_peap : Session established. Decoding tunneled attributes
(7) eap_peap : Peap state TUNNEL ESTABLISHED
(7) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c257c8f5
(7) [eap] = handled
(7) } # authenticate = handled
(7) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=29, length=0
(7) EAP-Message = 0x0108002b19001703010020a89b65ad03ebca5329ece21c37c5593d4cedfd3874e7f7a9e96f24e9e86fdc6c
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xc45fd1a2c257c8f54b145a25fcad284d
Sending Access-Challenge Id 29 from 10.80.1.1:1812 to 10.10.1.1:3406
EAP-Message = 0x0108002b19001703010020a89b65ad03ebca5329ece21c37c5593d4cedfd3874e7f7a9e96f24e9e86fdc6c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2c257c8f54b145a25fcad284d
(7) Finished request
Received Access-Request Id 30 from 10.10.1.1:3406 to 10.80.1.1:1812 length 337
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message =
0x0208006019001703010020f50786a291a9ee81678c5167214e105b05a93a0b187a4420363961287bc51462170301003004a9cd30907bd11
6f5cd4e3fd2e1674ea49b1f3255cb2f1f9ea3724ade4ef8cb1af7aca1e959a3420b95acbb3d847452
Message-Authenticator = 0xf52e5b4b4fc0d9e02d13d1140a753d8b
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2c257c8f54b145a25fcad284d
(8) Received Access-Request packet from host 10.10.1.1 port 3406, id=30, length=337
(8) User-Name = 'bigman'
(8) Framed-MTU = 1450
(8) EAP-Message =
0x0208006019001703010020f50786a291a9ee81678c5167214e105b05a93a0b187a4420363961287bc51462170301003004a9cd30907bd11
6f5cd4e3fd2e1674ea49b1f3255cb2f1f9ea3724ade4ef8cb1af7aca1e959a3420b95acbb3d847452
(8) Message-Authenticator = 0xf52e5b4b4fc0d9e02d13d1140a753d8b
(8) Chargeable-User-Identity = 0x00
(8) NAS-IP-Address = 10.10.1.1
(8) NAS-Identifier = 'WiFi-Controller-7'
(8) NAS-Port = 33558758
(8) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) Framed-Protocol = PPP
(8) Calling-Station-Id = '00-18-60-68-03-EC'
(8) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(8) Acct-Session-Id = '115001511383b5ab70'
(8) Framed-IP-Address = 202.189.123.194
(8) State = 0xc45fd1a2c257c8f54b145a25fcad284d
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(8) authorize {
(8) filter_username filter_username {
(8) if (&User-Name =~ / /)
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@.*@/ )
(8) if (&User-Name =~ /@.*@/ ) -> FALSE
(8) if (&User-Name =~ /\\.\\./ )
(8) if (&User-Name =~ /\\.\\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\\.$/)
(8) if (&User-Name =~ /\\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\\./)
(8) if (&User-Name =~ /(a)\\./) -> FALSE
(8) } # filter_username filter_username = notfound
(8) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(8) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(8) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to
/usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(8) auth_log : EXPAND %t
(8) auth_log : --> Thu Jan 15 11:38:42 2015
(8) [auth_log] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix : Checking for suffix after "@"
(8) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(8) suffix : Found realm "NULL"
(8) suffix : Adding Stripped-User-Name = "bigman"
(8) suffix : Adding Realm = "NULL"
(8) suffix : Authentication realm is LOCAL
(8) [suffix] = ok
(8) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(8) EXPAND %{Realm}
(8) --> NULL
(8) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(8) eap : Peer sent code Response (2) ID 8 length 96
(8) eap : Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(8) authenticate {
(8) eap : Expiring EAP session with state 0xc45fd1a2c257c8f5
(8) eap : Finished EAP session with state 0xc45fd1a2c257c8f5
(8) eap : Previous EAP request found for state 0xc45fd1a2c257c8f5, released from the list
(8) eap : Peer sent method PEAP (25)
(8) eap : EAP PEAP (25)
(8) eap : Calling eap_peap to process EAP data
(8) eap_peap : processing EAP-TLS
(8) eap_peap : eaptls_verify returned 7
(8) eap_peap : Done initial handshake
(8) eap_peap : eaptls_process returned 7
(8) eap_peap : FR_TLS_OK
(8) eap_peap : Session established. Decoding tunneled attributes
(8) eap_peap : Peap state WAITING FOR INNER IDENTITY
(8) eap_peap : Identity - bob(a)abc.com
(8) eap_peap : Got inner identity 'bob(a)abc.com'
(8) eap_peap : Setting default EAP type for tunneled EAP session
(8) eap_peap : Got tunneled request
EAP-Message = 0x020800120174666b6c616940686b752e686b
server Local-WiFi {
(8) eap_peap : Setting User-Name to bob(a)abc.com
Sending tunneled request
EAP-Message = 0x020800120174666b6c616940686b752e686b
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'bob(a)abc.com'
Framed-MTU = 1450
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
server inner-tunnel {
(8) server inner-tunnel {
(8) Request:
EAP-Message = 0x020800120174666b6c616940686b752e686b
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'bob(a)abc.com'
Framed-MTU = 1450
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix : Checking for suffix after "@"
(8) suffix : Looking up realm "abc.com" for User-Name = "bob(a)abc.com"
(8) suffix : Found realm "abc.com"
(8) suffix : Adding Stripped-User-Name = "bob"
(8) suffix : Adding Realm = "abc.com"
(8) suffix : Authentication realm is LOCAL
(8) [suffix] = ok
(8) update control {
(8) &Proxy-To-Realm := 'LOCAL'
(8) } # update control = noop
(8) eap : Peer sent code Response (2) ID 8 length 18
(8) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap : Peer sent method Identity (1)
(8) eap : Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2 : Issuing Challenge
(8) eap : New EAP session, adding 'State' attribute to reply 0xde946618de9d7cad
(8) [eap] = handled
(8) } # authenticate = handled
(8) Reply:
EAP-Message = 0x010900271a010900221018ac5c8a7635ee191511dec059c4cdd974666b6c616940686b752e686b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xde946618de9d7cad0c64434fd93f0777
(8) } # server inner-tunnel
} # server inner-tunnel
(8) eap_peap : Got tunneled reply code 11
EAP-Message = 0x010900271a010900221018ac5c8a7635ee191511dec059c4cdd974666b6c616940686b752e686b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xde946618de9d7cad0c64434fd93f0777
(8) eap_peap : Got tunneled reply RADIUS code 11
EAP-Message = 0x010900271a010900221018ac5c8a7635ee191511dec059c4cdd974666b6c616940686b752e686b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xde946618de9d7cad0c64434fd93f0777
(8) eap_peap : Got tunneled Access-Challenge
(8) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2c356c8f5
(8) [eap] = handled
(8) } # authenticate = handled
(8) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=30, length=0
(8) EAP-Message =
0x0109004b1900170301004007be3047e1eb16e37b103c6ff61d86933d46514f3de6fe14cbc032aff0b11f6b8f4bec705bb6db8a8d1119d0c
ec006126ddbd781a3811c45a43cc665fa6e6b88
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xc45fd1a2c356c8f54b145a25fcad284d
Sending Access-Challenge Id 30 from 10.80.1.1:1812 to 10.10.1.1:3406
EAP-Message =
0x0109004b1900170301004007be3047e1eb16e37b103c6ff61d86933d46514f3de6fe14cbc032aff0b11f6b8f4bec705bb6db8a8d1119d0c
ec006126ddbd781a3811c45a43cc665fa6e6b88
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2c356c8f54b145a25fcad284d
(8) Finished request
Received Access-Request Id 31 from 10.10.1.1:3406 to 10.80.1.1:1812 length 385
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message =
0x02090090190017030100206e925feff248ba1c95b4c464dd9fe3ad2c8647b374a227ffd7aaad65978820dd170301006054e6d07b6705506
f75da2fc14c6b1beaa61a605db1e8a7660cb1d96f0d7cb11c70440f4c217a66e9d0ce1283caf3cc8b4287f31ea7e9399b607acba895072017
3a6d8bd875faeb2e663bbc8e780f4e4507c863a1167ee3140488c0249cdf0ed4
Message-Authenticator = 0xccd068fbeef16e972f848e1c06279fba
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2c356c8f54b145a25fcad284d
(9) Received Access-Request packet from host 10.10.1.1 port 3406, id=31, length=385
(9) User-Name = 'bigman'
(9) Framed-MTU = 1450
(9) EAP-Message =
0x02090090190017030100206e925feff248ba1c95b4c464dd9fe3ad2c8647b374a227ffd7aaad65978820dd170301006054e6d07b6705506
f75da2fc14c6b1beaa61a605db1e8a7660cb1d96f0d7cb11c70440f4c217a66e9d0ce1283caf3cc8b4287f31ea7e9399b607acba895072017
3a6d8bd875faeb2e663bbc8e780f4e4507c863a1167ee3140488c0249cdf0ed4
(9) Message-Authenticator = 0xccd068fbeef16e972f848e1c06279fba
(9) Chargeable-User-Identity = 0x00
(9) NAS-IP-Address = 10.10.1.1
(9) NAS-Identifier = 'WiFi-Controller-7'
(9) NAS-Port = 33558758
(9) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(9) NAS-Port-Type = Wireless-802.11
(9) Service-Type = Framed-User
(9) Framed-Protocol = PPP
(9) Calling-Station-Id = '00-18-60-68-03-EC'
(9) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(9) Acct-Session-Id = '115001511383b5ab70'
(9) Framed-IP-Address = 202.189.123.194
(9) State = 0xc45fd1a2c356c8f54b145a25fcad284d
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(9) authorize {
(9) filter_username filter_username {
(9) if (&User-Name =~ / /)
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@.*@/ )
(9) if (&User-Name =~ /@.*@/ ) -> FALSE
(9) if (&User-Name =~ /\\.\\./ )
(9) if (&User-Name =~ /\\.\\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\\.$/)
(9) if (&User-Name =~ /\\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\\./)
(9) if (&User-Name =~ /(a)\\./) -> FALSE
(9) } # filter_username filter_username = notfound
(9) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(9) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(9) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to
/usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(9) auth_log : EXPAND %t
(9) auth_log : --> Thu Jan 15 11:38:42 2015
(9) [auth_log] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix : Checking for suffix after "@"
(9) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(9) suffix : Found realm "NULL"
(9) suffix : Adding Stripped-User-Name = "bigman"
(9) suffix : Adding Realm = "NULL"
(9) suffix : Authentication realm is LOCAL
(9) [suffix] = ok
(9) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(9) EXPAND %{Realm}
(9) --> NULL
(9) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(9) eap : Peer sent code Response (2) ID 9 length 144
(9) eap : Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(9) authenticate {
(9) eap : Expiring EAP session with state 0xde946618de9d7cad
(9) eap : Finished EAP session with state 0xc45fd1a2c356c8f5
(9) eap : Previous EAP request found for state 0xc45fd1a2c356c8f5, released from the list
(9) eap : Peer sent method PEAP (25)
(9) eap : EAP PEAP (25)
(9) eap : Calling eap_peap to process EAP data
(9) eap_peap : processing EAP-TLS
(9) eap_peap : eaptls_verify returned 7
(9) eap_peap : Done initial handshake
(9) eap_peap : eaptls_process returned 7
(9) eap_peap : FR_TLS_OK
(9) eap_peap : Session established. Decoding tunneled attributes
(9) eap_peap : Peap state phase2
(9) eap_peap : EAP type MSCHAPv2 (26)
(9) eap_peap : Got tunneled request
EAP-Message =
0x020900481a020900433119eac5ac410e3701ee9c5d4738586f2f0000000000000000b7fec538603419890e4145b9401322bc0838b400016
36d8f0074666b6c616940686b752e686b
server Local-WiFi {
(9) eap_peap : Setting User-Name to bob(a)abc.com
Sending tunneled request
EAP-Message =
0x020900481a020900433119eac5ac410e3701ee9c5d4738586f2f0000000000000000b7fec538603419890e4145b9401322bc0838b400016
36d8f0074666b6c616940686b752e686b
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'bob(a)abc.com'
State = 0xde946618de9d7cad0c64434fd93f0777
Framed-MTU = 1450
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
server inner-tunnel {
(9) server inner-tunnel {
(9) Request:
EAP-Message =
0x020900481a020900433119eac5ac410e3701ee9c5d4738586f2f0000000000000000b7fec538603419890e4145b9401322bc0838b400016
36d8f0074666b6c616940686b752e686b
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'bob(a)abc.com'
State = 0xde946618de9d7cad0c64434fd93f0777
Framed-MTU = 1450
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) authorize {
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix : Checking for suffix after "@"
(9) suffix : Looking up realm "abc.com" for User-Name = "bob(a)abc.com"
(9) suffix : Found realm "abc.com"
(9) suffix : Adding Stripped-User-Name = "bob"
(9) suffix : Adding Realm = "abc.com"
(9) suffix : Authentication realm is LOCAL
(9) [suffix] = ok
(9) update control {
(9) &Proxy-To-Realm := 'LOCAL'
(9) } # update control = noop
(9) eap : Peer sent code Response (2) ID 9 length 72
(9) eap : No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) if (&EAP-Message)
(9) if (&EAP-Message) -> TRUE
(9) if (&EAP-Message) {
(9) load-balance ldap_Portal_redundant {
(9) redundant-load-balance group ldap_Portal_redundant {
rlm_ldap (ldap_PortalPwd_2): Reserved connection (4)
(9) ldap_PortalPwd_2 : EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(&(!(givenName=disable802.1x))(!
(postOfficeBox=nowifi))))
(9) ldap_PortalPwd_2 : --> (&(uid=bob)(&(!(givenName=disable802.1x))(!(postOfficeBox=nowifi))))
(9) ldap_PortalPwd_2 : EXPAND ou=802.1x,o=hku,c=hk
(9) ldap_PortalPwd_2 : --> ou=802.1x,o=hku,c=hk
(9) ldap_PortalPwd_2 : Performing search in 'ou=802.1x,o=hku,c=hk' with filter '(&(uid=bob)(&(!
(givenName=disable802.1x))(!(postOfficeBox=nowifi))))', scope 'sub'
(9) ldap_PortalPwd_2 : Waiting for search result...
(9) ldap_PortalPwd_2 : User object found at DN "uid=bob,ou=802.1x,o=hku,c=hk"
(9) ldap_PortalPwd_2 : Processing user attributes
(9) ldap_PortalPwd_2 : &control:Password-With-Header += '{CRYPT}UBTV7x2uV4Jhg'
(9) ldap_PortalPwd_2 : &control:NT-Password :=
0x4433343845383035444432323934453241424435424438433732303143334345
rlm_ldap (ldap_PortalPwd_2): Released connection (4)
(9) [ldap_PortalPwd_2] = ok
(9) } # redundant-load-balance ldap_Portal_redundant = ok
(9) if (notfound)
(9) if (notfound) -> FALSE
(9) } # if (&EAP-Message) = ok
(9) ... skipping else for request 9: Preceding "if" was taken
(9) [expiration] = noop
(9) [logintime] = noop
(9) pap : Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(9) WARNING: pap : Auth-Type already set. Not setting to PAP
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap : Expiring EAP session with state 0xde946618de9d7cad
(9) eap : Finished EAP session with state 0xde946618de9d7cad
(9) eap : Previous EAP request found for state 0xde946618de9d7cad, released from the list
(9) eap : Peer sent method MSCHAPv2 (26)
(9) eap : EAP MSCHAPv2 (26)
(9) eap : Calling eap_mschapv2 to process EAP data
(9) eap_mschapv2 : # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) eap_mschapv2 : Auth-Type MS-CHAP {
(9) WARNING: mschap : No Cleartext-Password configured. Cannot create LM-Password
(9) mschap : Found NT-Password
(9) WARNING: mschap : No Cleartext-Password configured. Cannot create NT-Password
(9) mschap : Creating challenge hash with username: bob(a)abc.com
(9) mschap : Client is using MS-CHAPv2
(9) mschap : Adding MS-CHAPv2 MPPE keys
(9) [mschap] = ok
(9) } # Auth-Type MS-CHAP = ok
MSCHAP Success
(9) eap : New EAP session, adding 'State' attribute to reply 0xde946618df9e7cad
(9) [eap] = handled
(9) } # authenticate = handled
(9) Reply:
EAP-Message =
0x010a00331a0309002e533d45354535353739453137304335343334443245454639414434413238423835333439354437434443
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xde946618df9e7cad0c64434fd93f0777
(9) } # server inner-tunnel
} # server inner-tunnel
(9) eap_peap : Got tunneled reply code 11
EAP-Message =
0x010a00331a0309002e533d45354535353739453137304335343334443245454639414434413238423835333439354437434443
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xde946618df9e7cad0c64434fd93f0777
(9) eap_peap : Got tunneled reply RADIUS code 11
EAP-Message =
0x010a00331a0309002e533d45354535353739453137304335343334443245454639414434413238423835333439354437434443
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xde946618df9e7cad0c64434fd93f0777
(9) eap_peap : Got tunneled Access-Challenge
(9) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2cc55c8f5
(9) [eap] = handled
(9) } # authenticate = handled
(9) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=31, length=0
(9) EAP-Message =
0x010a005b190017030100509b80a805e9fa52b4d6cf753c4aebdf5b044a34aebae2d1de47c0e4c2f04f7c964bd69e3d433670a252e81d961
0df706610f31a74fa68ba3b1bb1c7805bdae7841e3690904948eb1c5d35484453273b64
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0xc45fd1a2cc55c8f54b145a25fcad284d
Sending Access-Challenge Id 31 from 10.80.1.1:1812 to 10.10.1.1:3406
EAP-Message =
0x010a005b190017030100509b80a805e9fa52b4d6cf753c4aebdf5b044a34aebae2d1de47c0e4c2f04f7c964bd69e3d433670a252e81d961
0df706610f31a74fa68ba3b1bb1c7805bdae7841e3690904948eb1c5d35484453273b64
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2cc55c8f54b145a25fcad284d
(9) Finished request
Received Access-Request Id 32 from 10.10.1.1:3406 to 10.80.1.1:1812 length 321
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message =
0x020a00501900170301002034ff50c38beb17d3585d2aedeb60a2c9a4cff8754ee089f09976879f52cf7dd81703010020bbea0731b1c7b2a
27b2567bcad467bd76abba38fd6b5dabf10a9d962c4086cd1
Message-Authenticator = 0xafa05275fb17b3a599f1d70e38896e35
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2cc55c8f54b145a25fcad284d
(10) Received Access-Request packet from host 10.10.1.1 port 3406, id=32, length=321
(10) User-Name = 'bigman'
(10) Framed-MTU = 1450
(10) EAP-Message =
0x020a00501900170301002034ff50c38beb17d3585d2aedeb60a2c9a4cff8754ee089f09976879f52cf7dd81703010020bbea0731b1c7b2a
27b2567bcad467bd76abba38fd6b5dabf10a9d962c4086cd1
(10) Message-Authenticator = 0xafa05275fb17b3a599f1d70e38896e35
(10) Chargeable-User-Identity = 0x00
(10) NAS-IP-Address = 10.10.1.1
(10) NAS-Identifier = 'WiFi-Controller-7'
(10) NAS-Port = 33558758
(10) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(10) NAS-Port-Type = Wireless-802.11
(10) Service-Type = Framed-User
(10) Framed-Protocol = PPP
(10) Calling-Station-Id = '00-18-60-68-03-EC'
(10) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(10) Acct-Session-Id = '115001511383b5ab70'
(10) Framed-IP-Address = 202.189.123.194
(10) State = 0xc45fd1a2cc55c8f54b145a25fcad284d
(10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(10) authorize {
(10) filter_username filter_username {
(10) if (&User-Name =~ / /)
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@.*@/ )
(10) if (&User-Name =~ /@.*@/ ) -> FALSE
(10) if (&User-Name =~ /\\.\\./ )
(10) if (&User-Name =~ /\\.\\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\\.$/)
(10) if (&User-Name =~ /\\.$/) -> FALSE
(10) if (&User-Name =~ /(a)\\./)
(10) if (&User-Name =~ /(a)\\./) -> FALSE
(10) } # filter_username filter_username = notfound
(10) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(10) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(10) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to
/usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(10) auth_log : EXPAND %t
(10) auth_log : --> Thu Jan 15 11:38:42 2015
(10) [auth_log] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) suffix : Checking for suffix after "@"
(10) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(10) suffix : Found realm "NULL"
(10) suffix : Adding Stripped-User-Name = "bigman"
(10) suffix : Adding Realm = "NULL"
(10) suffix : Authentication realm is LOCAL
(10) [suffix] = ok
(10) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(10) EXPAND %{Realm}
(10) --> NULL
(10) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(10) eap : Peer sent code Response (2) ID 10 length 80
(10) eap : Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(10) authenticate {
(10) eap : Expiring EAP session with state 0xde946618df9e7cad
(10) eap : Finished EAP session with state 0xc45fd1a2cc55c8f5
(10) eap : Previous EAP request found for state 0xc45fd1a2cc55c8f5, released from the list
(10) eap : Peer sent method PEAP (25)
(10) eap : EAP PEAP (25)
(10) eap : Calling eap_peap to process EAP data
(10) eap_peap : processing EAP-TLS
(10) eap_peap : eaptls_verify returned 7
(10) eap_peap : Done initial handshake
(10) eap_peap : eaptls_process returned 7
(10) eap_peap : FR_TLS_OK
(10) eap_peap : Session established. Decoding tunneled attributes
(10) eap_peap : Peap state phase2
(10) eap_peap : EAP type MSCHAPv2 (26)
(10) eap_peap : Got tunneled request
EAP-Message = 0x020a00061a03
server Local-WiFi {
(10) eap_peap : Setting User-Name to bob(a)abc.com
Sending tunneled request
EAP-Message = 0x020a00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'bob(a)abc.com'
State = 0xde946618df9e7cad0c64434fd93f0777
Framed-MTU = 1450
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
server inner-tunnel {
(10) server inner-tunnel {
(10) Request:
EAP-Message = 0x020a00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'bob(a)abc.com'
State = 0xde946618df9e7cad0c64434fd93f0777
Framed-MTU = 1450
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
(10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(10) authorize {
(10) [chap] = noop
(10) [mschap] = noop
(10) suffix : Checking for suffix after "@"
(10) suffix : Looking up realm "abc.com" for User-Name = "bob(a)abc.com"
(10) suffix : Found realm "abc.com"
(10) suffix : Adding Stripped-User-Name = "bob"
(10) suffix : Adding Realm = "abc.com"
(10) suffix : Authentication realm is LOCAL
(10) [suffix] = ok
(10) update control {
(10) &Proxy-To-Realm := 'LOCAL'
(10) } # update control = noop
(10) eap : Peer sent code Response (2) ID 10 length 6
(10) eap : No EAP Start, assuming it's an on-going EAP conversation
(10) [eap] = updated
(10) if (&EAP-Message)
(10) if (&EAP-Message) -> TRUE
(10) if (&EAP-Message) {
(10) load-balance ldap_Portal_redundant {
(10) redundant-load-balance group ldap_Portal_redundant {
rlm_ldap (ldap_PortalPwd_2): Reserved connection (4)
(10) ldap_PortalPwd_2 : EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(&(!(givenName=disable802.1x))(!
(postOfficeBox=nowifi))))
(10) ldap_PortalPwd_2 : --> (&(uid=bob)(&(!(givenName=disable802.1x))(!(postOfficeBox=nowifi))))
(10) ldap_PortalPwd_2 : EXPAND ou=802.1x,o=hku,c=hk
(10) ldap_PortalPwd_2 : --> ou=802.1x,o=hku,c=hk
(10) ldap_PortalPwd_2 : Performing search in 'ou=802.1x,o=hku,c=hk' with filter '(&(uid=bob)(&(!
(givenName=disable802.1x))(!(postOfficeBox=nowifi))))', scope 'sub'
(10) ldap_PortalPwd_2 : Waiting for search result...
(10) ldap_PortalPwd_2 : User object found at DN "uid=bob,ou=802.1x,o=hku,c=hk"
(10) ldap_PortalPwd_2 : Processing user attributes
(10) ldap_PortalPwd_2 : &control:Password-With-Header += '{CRYPT}UBTV7x2uV4Jhg'
(10) ldap_PortalPwd_2 : &control:NT-Password :=
0x4433343845383035444432323934453241424435424438433732303143334345
rlm_ldap (ldap_PortalPwd_2): Released connection (4)
(10) [ldap_PortalPwd_2] = ok
(10) } # redundant-load-balance ldap_Portal_redundant = ok
(10) if (notfound)
(10) if (notfound) -> FALSE
(10) } # if (&EAP-Message) = ok
(10) ... skipping else for request 10: Preceding "if" was taken
(10) [expiration] = noop
(10) [logintime] = noop
(10) pap : Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(10) WARNING: pap : Auth-Type already set. Not setting to PAP
(10) [pap] = noop
(10) } # authorize = updated
(10) Found Auth-Type = EAP
(10) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(10) authenticate {
(10) eap : Expiring EAP session with state 0xde946618df9e7cad
(10) eap : Finished EAP session with state 0xde946618df9e7cad
(10) eap : Previous EAP request found for state 0xde946618df9e7cad, released from the list
(10) eap : Peer sent method MSCHAPv2 (26)
(10) eap : EAP MSCHAPv2 (26)
(10) eap : Calling eap_mschapv2 to process EAP data
(10) eap : Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) Login OK: [bob(a)abc.com] (from client WiFi-Ctrl-7 port 4326 cli 00-18-60-68-03-EC via TLS tunnel)
(10) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(10) post-auth {
(10) update outer.reply {
(10) EXPAND %{request:User-Name}
(10) --> bob(a)abc.com
(10) User-Name = "bob(a)abc.com"
(10) } # update outer.reply = noop
(10) } # post-auth = noop
(10) Reply:
MS-MPPE-Encryption-Policy = Encryption-Required
MS-MPPE-Encryption-Types = 4
MS-MPPE-Send-Key = 0x01294c4ad9e8209a788021c890f0e6f7
MS-MPPE-Recv-Key = 0xd9070a34c4190e2429ba5eadbb6454b1
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
Stripped-User-Name = 'bob'
(10) } # server inner-tunnel
} # server inner-tunnel
(10) eap_peap : Got tunneled reply code 2
MS-MPPE-Encryption-Policy = Encryption-Required
MS-MPPE-Encryption-Types = 4
MS-MPPE-Send-Key = 0x01294c4ad9e8209a788021c890f0e6f7
MS-MPPE-Recv-Key = 0xd9070a34c4190e2429ba5eadbb6454b1
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
Stripped-User-Name = 'bob'
(10) eap_peap : Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = Encryption-Required
MS-MPPE-Encryption-Types = 4
MS-MPPE-Send-Key = 0x01294c4ad9e8209a788021c890f0e6f7
MS-MPPE-Recv-Key = 0xd9070a34c4190e2429ba5eadbb6454b1
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
Stripped-User-Name = 'bob'
(10) eap_peap : Tunneled authentication was successful
(10) eap_peap : SUCCESS
(10) eap_peap : Saving tunneled attributes for later
(10) eap : New EAP session, adding 'State' attribute to reply 0xc45fd1a2cd54c8f5
(10) [eap] = handled
(10) } # authenticate = handled
(10) Sending Access-Challenge packet to host 10.10.1.1 port 3406, id=32, length=0
(10) User-Name = 'bob(a)abc.com'
(10) EAP-Message = 0x010b002b1900170301002058ae7d7be701fa3265785d69f295b87d58bb612a996bab26c2c90a01721850f1
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0xc45fd1a2cd54c8f54b145a25fcad284d
Sending Access-Challenge Id 32 from 10.80.1.1:1812 to 10.10.1.1:3406
User-Name = 'bob(a)abc.com'
EAP-Message = 0x010b002b1900170301002058ae7d7be701fa3265785d69f295b87d58bb612a996bab26c2c90a01721850f1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45fd1a2cd54c8f54b145a25fcad284d
(10) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 33 from 10.10.1.1:3406 to 10.80.1.1:1812 length 321
User-Name = 'bigman'
Framed-MTU = 1450
EAP-Message =
0x020b00501900170301002021cbe8ca4eba425d103086aeb4ea08e54d10b7be2715a676225187b8404cc2761703010020da0d747e710d778
261ea16be65cf71ded006b6fb4008d6ea71419701c173bbaf
Message-Authenticator = 0x1aba9da0442f6a0f24f9ce92bc830cc9
Chargeable-User-Identity = 0x00
NAS-IP-Address = 10.10.1.1
NAS-Identifier = 'WiFi-Controller-7'
NAS-Port = 33558758
NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = '00-18-60-68-03-EC'
Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
Acct-Session-Id = '115001511383b5ab70'
Framed-IP-Address = 202.189.123.194
State = 0xc45fd1a2cd54c8f54b145a25fcad284d
(11) Received Access-Request packet from host 10.10.1.1 port 3406, id=33, length=321
(11) User-Name = 'bigman'
(11) Framed-MTU = 1450
(11) EAP-Message =
0x020b00501900170301002021cbe8ca4eba425d103086aeb4ea08e54d10b7be2715a676225187b8404cc2761703010020da0d747e710d778
261ea16be65cf71ded006b6fb4008d6ea71419701c173bbaf
(11) Message-Authenticator = 0x1aba9da0442f6a0f24f9ce92bc830cc9
(11) Chargeable-User-Identity = 0x00
(11) NAS-IP-Address = 10.10.1.1
(11) NAS-Identifier = 'WiFi-Controller-7'
(11) NAS-Port = 33558758
(11) NAS-Port-Id = 'slot=2;subslot=0;port=1;vlanid=230'
(11) NAS-Port-Type = Wireless-802.11
(11) Service-Type = Framed-User
(11) Framed-Protocol = PPP
(11) Calling-Station-Id = '00-18-60-68-03-EC'
(11) Called-Station-Id = '58-66-BA-A0-8A-A0:WiFi SSID'
(11) Acct-Session-Id = '115001511383b5ab70'
(11) Framed-IP-Address = 202.189.123.194
(11) State = 0xc45fd1a2cd54c8f54b145a25fcad284d
(11) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(11) authorize {
(11) filter_username filter_username {
(11) if (&User-Name =~ / /)
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@.*@/ )
(11) if (&User-Name =~ /@.*@/ ) -> FALSE
(11) if (&User-Name =~ /\\.\\./ )
(11) if (&User-Name =~ /\\.\\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(11) if (&User-Name =~ /\\.$/)
(11) if (&User-Name =~ /\\.$/) -> FALSE
(11) if (&User-Name =~ /(a)\\./)
(11) if (&User-Name =~ /(a)\\./) -> FALSE
(11) } # filter_username filter_username = notfound
(11) auth_log : EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(11) auth_log : --> /usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(11) auth_log : /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to
/usr/local/var/log/radius/radacct/10.10.1.1/auth-20150115
(11) auth_log : EXPAND %t
(11) auth_log : --> Thu Jan 15 11:38:42 2015
(11) [auth_log] = ok
(11) [chap] = noop
(11) [mschap] = noop
(11) suffix : Checking for suffix after "@"
(11) suffix : No '@' in User-Name = "bigman", looking up realm NULL
(11) suffix : Found realm "NULL"
(11) suffix : Adding Stripped-User-Name = "bigman"
(11) suffix : Adding Realm = "NULL"
(11) suffix : Authentication realm is LOCAL
(11) [suffix] = ok
(11) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com')
(11) EXPAND %{Realm}
(11) --> NULL
(11) if ("%{Realm}" != NULL && "%{Realm}" != 'abc.com' && "%{Realm}" != 'hkucc.abc.com') -> FALSE
(11) eap : Peer sent code Response (2) ID 11 length 80
(11) eap : Continuing tunnel setup
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = EAP
(11) # Executing group from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(11) authenticate {
(11) eap : Expiring EAP session with state 0xc45fd1a2cd54c8f5
(11) eap : Finished EAP session with state 0xc45fd1a2cd54c8f5
(11) eap : Previous EAP request found for state 0xc45fd1a2cd54c8f5, released from the list
(11) eap : Peer sent method PEAP (25)
(11) eap : EAP PEAP (25)
(11) eap : Calling eap_peap to process EAP data
(11) eap_peap : processing EAP-TLS
(11) eap_peap : eaptls_verify returned 7
(11) eap_peap : Done initial handshake
(11) eap_peap : eaptls_process returned 7
(11) eap_peap : FR_TLS_OK
(11) eap_peap : Session established. Decoding tunneled attributes
(11) eap_peap : Peap state send tlv success
(11) eap_peap : Received EAP-TLV response
(11) eap_peap : Success
(11) eap_peap : Using saved attributes from the original Access-Accept
Stripped-User-Name = 'bob'
(11) eap_peap : Saving session de1732ec96d8d5c6da625272bfc8a7c91f9c38a8cb5dba22086d7e918ef5f336 vps 0xdb9b50 in
the cache
(11) eap : Freeing handler
(11) [eap] = ok
(11) } # authenticate = ok
(11) Login OK: [bigman] (from client WiFi-Ctrl-7 port 4326 cli 00-18-60-68-03-EC)
(11) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/Local-WiFi
(11) post-auth {
(11) [exec] = noop
(11) remove_reply_message_if_eap remove_reply_message_if_eap {
(11) if (&reply:EAP-Message && &reply:Reply-Message)
(11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(11) else else {
(11) [noop] = noop
(11) } # else else = noop
(11) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(11) } # post-auth = noop
(11) Sending Access-Accept packet to host 10.10.1.1 port 3406, id=33, length=0
(11) Stripped-User-Name = 'bob'
(11) MS-MPPE-Recv-Key = 0xb59b0cabdd27cd4d2e0add4533ab53852dbbd72e7fe8b257b28ecf80c40bafbf
(11) MS-MPPE-Send-Key = 0xdaf0a1d47638167d017bcef4e125ec0b6f29e03eb7597a17134fe0b843a3bb19
(11) EAP-MSK =
0xb59b0cabdd27cd4d2e0add4533ab53852dbbd72e7fe8b257b28ecf80c40bafbfdaf0a1d47638167d017bcef4e125ec0b6f29e03eb7597a1
7134fe0b843a3bb19
(11) EAP-EMSK =
0x7a6b367b28793e34682cef71b58ec94c2f9dc00044d0e0a83b3b574158756196e40940146e5bbcba4d03755a09bc9ceafe3305b3da7bfe9
bffd812066bea9cbb
(11) EAP-Session-Id =
0x1954b7364159780149473ee8f5fe51b610195a60bdef3a980353e6519897f8b16754b73641e3caf729409a814c4e2c0f4c4522113a1cbfd
2509d86377e80e55ca3
(11) EAP-Message = 0x030b0004
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) Stripped-User-Name = 'bigman'
Sending Access-Accept Id 33 from 10.80.1.1:1812 to 10.10.1.1:3406
MS-MPPE-Recv-Key = 0xb59b0cabdd27cd4d2e0add4533ab53852dbbd72e7fe8b257b28ecf80c40bafbf
MS-MPPE-Send-Key = 0xdaf0a1d47638167d017bcef4e125ec0b6f29e03eb7597a17134fe0b843a3bb19
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
(11) Finished request
Waking up in 0.2 seconds.
5
8
Hello again,
I know it might sound impossible, but sometimes I have an idea that radius in certain moment sent some like "deauth" packet to radius clients on AP's and in this case those clients
dont talk to radius server anymore. Sorry I haven't so many time to read right RFC :-). So just ask :)
After rebooting AP's is the same as I described with radius server. It works for 30-60 minutes and then after another... after another...
A few hours ago I compiled my favorite distro - gentoo and emerge freeradius for this platform.
I flashed wrt54gl with dd-wrt firmware (for better testing client from linksys dd-wrt shell)
# radius-client test test 192.168.10.19 1812 link1
Accept
I repeated it every 2 hours and ... is still working without any problems. But because of nighttime I can prove it tomorrowe with real wifi clients.
I'll back soon
With regards,
MK
The only difference is that is net-dialup/freeradius-2.2.5 version - not 3 like in centos distr.
W dniu 2015-01-19 13:44:01 użytkownik Alan DeKok <aland(a)deployingradius.com> napisał:
> On Jan 19, 2015, at 6:29 AM, alter1 <alter1(a)onet.pl> wrote:
> > I have a network: 3 soho wifi routers Dlink wrt54gl, wrt320n and Asus RT-AC52U. On each is the same configuration (wifi wpa2-enterprise with radius auth on 192.168.10.x server with 1812 port and secret key for each client)
>
> OK. That should be simple enough.
> >
> > Mon Jan 19 12:16:10 2015 : Auth: (80) Login OK: [test/<via Auth-Type = MSCHAP>] (from client rt-a1-1 port 0 via TLS tunnel)
> > Mon Jan 19 12:17:13 2015 : Auth: (85) Login OK: [test/<via Auth-Type = EAP>] (from client rt-a1-1 port 13 cli 8c3ae3XXXXXX)
> > And all works... But... Ater some period of time 30-60 minutes noone can connect to wifi on AP’s.
>
> That’s bad.
>
> > I tried with alternative firmwares. Still the same.
> > After tcpdump connections I have nothing... That mean. I tcpdump iface (ens160) and cannot see ANY PACKETS from any AP's to radius server…
>
> Then the APs are broken. When a user logs in, the APs should start doing RADIUS.
>
> > Problem disappear after restart freeradius (systemctl restart radiusd.service).
>
> Restarting FreeRADIUS doesn’t cause the APs to start sending packets. Something else is going on.
>
> What happens if you reboot the APs instead of FreeRADIUS?
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
2
1
19 Jan '15
Hello,
I have installed 2.2.6 from source on Ubuntu 14.10 and compiled and installed the sql driver
I uncommented the $INCLUDE sql.conf line in radiusd.conf and assured the sql.conf is configured for my mysql environment.
radiusd -X starts without any errors, but when my switch queries for the mac 2 vlan mapping I get the error:
WARNING: Unknown module "sql" in string expansion “%”
Not sure what I am missing….
Thanks!
Keith
radiusd -X output:
root@freerad02:/usr/local/etc/raddb# radiusd -X
radiusd: FreeRADIUS Version 2.2.6, for host x86_64-unknown-linux-gnu, built on Jan 18 2015 at 12:34:27
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/cache
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/radrelay
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/dhcp_sqlippool
including configuration file /usr/local/etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/vmps
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client cisco {
ipaddr = 192.168.30.11
require_message_authenticator = no
secret = "password"
nastype = "cisco"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file ?
modules {
Module: Creating Auth-Type = digest
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 1024
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /usr/local/etc/raddb/huntgroups
reading pairlist file /usr/local/etc/raddb/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
reading pairlist file /usr/local/etc/raddb/users
reading pairlist file /usr/local/etc/raddb/acct_users
reading pairlist file /usr/local/etc/raddb/preproxy_users
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail
detail {
detailfile = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /usr/local/etc/raddb/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /usr/local/etc/raddb/attrs.access_reject
} # modules
} # server
server vmps { # from file /usr/local/etc/raddb/sites-enabled/vmps
modules {
Module: Checking vmps {...} for more modules to load
} # modules
} # server
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "vmps"
ipaddr = *
port = 1589
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 50880
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on vmps address * port 1589 as server vmps
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
vmps config
# -*- text -*-
######################################################################
#
# As of version 2.0.0, the server also supports the VMPS
# protocol.
#
# $Id: 13f4e955799583b1b8f843e8965465178ff6038f $
#
######################################################################
server vmps {
listen {
# VMPS sockets only support IPv4 addresses.
ipaddr = *
# Port on which to listen.
# Allowed values are:
# integer port number
# 1589 is the default VMPS port.
port = 1589
# Type of packets to listen for. Here, it is VMPS.
type = vmps
# Some systems support binding to an interface, in addition
# to the IP address. This feature isn't strictly necessary,
# but for sites with many IP addresses on one interface,
# it's useful to say "listen on all addresses for
# eth0".
#
# If your system does not support this feature, you will
# get an error if you try to use it.
#
# interface = eth0
}
# If you have switches that are allowed to send VMPS, but NOT
# RADIUS packets, then list them here as "client" sections.
#
# Note that for compatibility with RADIUS, you still have to
# list a "secret" for each client, though that secret will not
# be used for anything.
# And the REAL contents. This section is just like the
# "post-auth" section of radiusd.conf. In fact, it calls the
# "post-auth" component of the modules that are listed here.
# But it's called "vmps" to highlight that it's for VMPS.
#
vmps {
#
# Some requests may not have a MAC address. Try to
# create one using other attributes.
if (!VMPS-Mac) {
if (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) {
update request {
VMPS-Mac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
}
}
else {
update request {
VMPS-Mac = "%{VMPS-Cookie}"
}
}
}
# Do a simple mapping of MAC to VLAN.
#
# See radiusd.conf for the definition of the "mac2vlan"
# module.
#
#mac2vlan
# required VMPS reply attributes
update reply {
VMPS-Packet-Type = VMPS-Join-Response
VMPS-Cookie = "%{VMPS-Mac}"
# VMPS-VLAN-Name = "please_use_real_vlan_here"
#
# If you have VLAN's in a database, you can select
# the VLAN name based on the MAC address.
#
#VMPS-VLAN-Name = "%{sql:select ... where mac='%{VMPS-Mac}'}"
VMPS-VLAN-Name = "%{%{sql:SELECT vlan FROM mac2vlan WHERE mac='%{VMPS-Mac}'}:-'default'}"
}
# correct reply packet type for reconfirmation requests
#
if (VMPS-Packet-Type == VMPS-Reconfirm-Request){
update reply {
VMPS-Packet-Type := VMPS-Reconfirm-Response
}
}
}
# Proxying of VMPS requests is NOT supported.
}
3
3
Hello,
I have a network: 3 soho wifi routers Dlink wrt54gl, wrt320n and Asus RT-AC52U. On each is the same configuration (wifi wpa2-enterprise with radius auth on 192.168.10.x server with 1812 port and secret key for each client)
Server is Centos 7 based with latest version with ip 192.168.10.x
# repoquery freeradius
freeradius-0:3.0.1-6.el7.x86_64
# tail -19 /etc/raddb/clients.conf
client rt-a1-2 {
ipaddr = 192.168.10.4
secret = test1
shortname = rt-a1-2
}
client rt-a1-1 {
ipaddr = 192.168.10.2
secret = test2
shortname = rt-a1-1
}
client rt-a2-1 {
ipaddr = 192.168.10.3
secret = test3
shortname = rt-a2-1
}
In /etc/raddb/users par example:
"test" Cleartext-Password := "test"
and others in the same format...
This server is relay to other dhcp server therefore I have:
# cat /etc/raddb/sites-available/dhcp.relay
server dhcp.ens160 {
listen {
ipaddr = *
port = 67
type = dhcp
interface = ens160
}
dhcp DHCP-Discover {
update config {
DHCP-Relay-To-IP-Address := 192.168.10.1
}
update request {
DHCP-Gateway-IP-Address := 192.168.10.254
}
ok
}
dhcp DHCP-Request {
update config {
DHCP-Relay-To-IP-Address := 192.168.10.1
}
update request {
DHCP-Gateway-IP-Address := 192.168.10.254
}
ok
}
}
On 192.168.10.1 dhcpserver works ok
In logs
/var/log/radius/radius.log
Mon Jan 19 12:07:14 2015 : Auth: (44) Login OK: [test/<via Auth-Type = MSCHAP>] (from client rt-a1-1 port 0 via TLS tunnel)
Mon Jan 19 12:07:14 2015 : Auth: (45) Login OK: [test/<via Auth-Type = EAP>] (from client rt-a1-1 port 13 cli 8c3ae3XXXXXX)
Mon Jan 19 12:13:23 2015 : Auth: (59) Login OK: [test/<via Auth-Type = MSCHAP>] (from client rt-a1-1 port 0 via TLS tunnel)
Mon Jan 19 12:13:23 2015 : Auth: (60) Login OK: [test/<via Auth-Type = EAP>] (from client rt-a1-1 port 13 cli 8c3ae3XXXXXX)
Mon Jan 19 12:15:18 2015 : Auth: (70) Login OK: [test/<via Auth-Type = MSCHAP>] (from client rt-a1-2 port 0 via TLS tunnel)
Mon Jan 19 12:15:18 2015 : Auth: (71) Login OK: [test/<via Auth-Type = EAP>] (from client rt-a1-2 port 0 cli 8C-3A-E3-XX-XX-XX)
Mon Jan 19 12:16:10 2015 : Auth: (80) Login OK: [test/<via Auth-Type = MSCHAP>] (from client rt-a1-1 port 0 via TLS tunnel)
Mon Jan 19 12:17:13 2015 : Auth: (85) Login OK: [test/<via Auth-Type = EAP>] (from client rt-a1-1 port 13 cli 8c3ae3XXXXXX)
And all works... But... Ater some period of time 30-60 minutes noone can connect to wifi on AP's.
I tried with alternative firmwares. Still the same.
After tcpdump connections I have nothing... That mean. I tcpdump iface (ens160) and cannot see ANY PACKETS from any AP's to radius server...
Problem disappear after restart freeradius (systemctl restart radiusd.service). And after some period of time... the same is happen.
What the point? Where can be a problem?
I tried to disable renew key on AP in radius configuration but this not helps.
Thanx for help :-)
With regards
MK
2
1
How to configure freeradius on switch cisco catalyst 2940 and switch juniper ex2200 ?
by Sautron Nick 19 Jan '15
by Sautron Nick 19 Jan '15
19 Jan '15
Hi,
I would like to know, How to configure freeradius on switch cisco "catalyst 2940" and switch "juniper ex2200" ?
Best Regards
2
1
So after a long time, radperf is back and available for download. I've got
it downloaded and it's working well, although there is no readme for the
product. And since i never used the old version, I don't have the
requisite knowledge to do what I need. I need to implement the -T
feature (template) for radius requests in order to add the NAS-ID or
NAS-IP-Address fields.
I'm assuming there is a specific format for adding these fields to the
Radius-Request, but no clue what it needs to be. Any help would be
appreciated.
Thanks
Jake
3
2
UPN, NTLM_AUTH, Freeradius: It shouldn't work ... but it does (sometimes).
by Sam Fakhreddine 17 Jan '15
by Sam Fakhreddine 17 Jan '15
17 Jan '15
Hello Esteemed Colleagues,
I know that using samba and NTLM_auth UPN authentication is not meant to work.
However, much to my embarrassment with management, it does. Sometimes. I am able to login to our WiFi with my UPN login instead of my windows login (these 2 addresses differ significantly for everyone).
I cannot determine when and where it works. Sometimes it lets us through, other times denies us.
Any help is appreciated.
Here is the output of radiusd -X
radiusd: #### Instantiating modules ####
instantiate {
}
modules {
# Loaded module rlm_always
# Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loaded module rlm_pap
# Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
pap {
auto_header = no
normalise = yes
}
# Loaded module rlm_radutmp
# Instantiating module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_exec
# Instantiating module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=company.net --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
# Instantiating module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Instantiating module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/usr/local/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_detail
# Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
detail {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Loaded module rlm_mschap
# Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
passchange {
}
allow_retry = yes
}
# Loaded module rlm_realm
# Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Instantiating module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
# Loaded module rlm_cache
# Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 16384
epoch = 0
add_stats = no
}
# Loaded module rlm_logintime
# Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_dynamic_clients
# Instantiating module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_soh
# Instantiating module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_files
# Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
usersfile = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
compat = "no"
}
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
# Loaded module rlm_passwd
# Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Loaded module rlm_chap
# Instantiating module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
# Instantiating module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Loaded module rlm_utf8
# Instantiating module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
# Loaded module rlm_dhcp
# Instantiating module "dhcp" from file /usr/local/etc/raddb/mods-enabled/dhcp
# Loaded module rlm_expr
# Instantiating module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
# Loaded module rlm_eap
# Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 4096
}
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/radius.key"
certificate_file = "/usr/local/etc/raddb/certs/radius.CompanyRadiusCA.pem"
private_key_password = "corled"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = yes
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Loaded module rlm_linelog
# Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog {
filename = "/usr/local/var/log/radius/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "%{%{Packet-Type}:-format}"
}
# Loaded module rlm_unix
# Instantiating module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
# Loaded module rlm_digest
# Instantiating module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
# Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server default { # from file /usr/local/etc/raddb/sites-enabled/default
# Creating Auth-Type = ntlm_auth
# Creating Auth-Type = digest
# Loading authenticate {...}
# Loading authorize {...}
# Loading virtual module ntlm_auth
# Loading virtual module filter_username
WARNING: Ignoring "sql" (see raddb/mods-available/README.rst)
WARNING: Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading preacct {...}
# Loading virtual module acct_unique
# Loading accounting {...}
WARNING: Ignoring "sql" (see raddb/mods-available/README.rst)
# Loading post-proxy {...}
# Loading post-auth {...}
WARNING: Ignoring "sql" (see raddb/mods-available/README.rst)
# Loading virtual module remove_reply_message_if_eap
# Loading virtual module remove_reply_message_if_eap
} # server default
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading virtual module ntlm_auth
WARNING: Ignoring "sql" (see raddb/mods-available/README.rst)
WARNING: Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
WARNING: Ignoring "sql" (see raddb/mods-available/README.rst)
} # server inner-tunnel
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
cleanup_delay = 5
max_queue_size = 65536
auto_limit_acct = no
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread 1 waiting to be assigned a request
Thread spawned new child 3. Total threads in pool: 3
Thread 2 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread spawned new child 4. Total threads in pool: 4
Thread spawned new child 5. Total threads in pool: 5
Thread 4 waiting to be assigned a request
Thread pool initialized
radiusd: #### Opening IP addresses and Ports ####
Thread 5 waiting to be assigned a request
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests.
Threads: total/active/spare threads = 5/0/5
And here is an example of freeradius allowing through my login with UPN:
Thread 4 waiting to be assigned a request
Waking up in 0.2 seconds.
Thread 3 got semaphore
Thread 3 handling request 16, (4 handled so far)
(16) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(16) authorize {
(16) ntlm_auth.authorize ntlm_auth.authorize {
(16) ? if (!control:Auth-Type && User-Password)
(16) ? if (!control:Auth-Type && User-Password) -> FALSE
(16) } # ntlm_auth.authorize ntlm_auth.authorize = notfound
(16) filter_username filter_username {
(16) ? if (User-Name =~ / /)
(16) ? if (User-Name =~ / /) -> FALSE
(16) ? if (User-Name =~ /@.*@/ )
(16) ? if (User-Name =~ /@.*@/ ) -> FALSE
(16) ? if (User-Name =~ /\\.\\./ )
(16) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(16) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(16) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(16) ? if (User-Name =~ /\\.$/)
(16) ? if (User-Name =~ /\\.$/) -> FALSE
(16) ? if (User-Name =~ /(a)\\./)
(16) ? if (User-Name =~ /(a)\\./) -> FALSE
(16) } # filter_username filter_username = notfound
(16) [preprocess] = ok
(16) [chap] = noop
(16) [mschap] = noop
(16) [digest] = noop
(16) suffix : Looking up realm "company.com" for User-Name = "sam.fakhreddine(a)company.com"
(16) suffix : No such realm "company.com"
(16) [suffix] = noop
(16) eap : EAP packet type response id 226 length 96
(16) eap : Continuing tunnel setup.
(16) [eap] = ok
(16) } # authorize = ok
(16) Found Auth-Type = EAP
(16) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(16) authenticate {
(16) eap : Expiring EAP session with state 0xab50bbb0aeb2a2e9
(16) eap : Finished EAP session with state 0xab50bbb0aeb2a2e9
(16) eap : Previous EAP request found for state 0xab50bbb0aeb2a2e9, released from the list
(16) eap : Peer sent PEAP (25)
(16) eap : EAP PEAP (25)
(16) eap : Calling eap_peap to process EAP data
(16) eap_peap : processing EAP-TLS
(16) eap_peap : eaptls_verify returned 7
(16) eap_peap : Done initial handshake
(16) eap_peap : eaptls_process returned 7
(16) eap_peap : FR_TLS_OK
(16) eap_peap : Session established. Decoding tunneled attributes.
(16) eap_peap : Peap state WAITING FOR INNER IDENTITY
(16) eap_peap : Identity - sam.fakhreddine(a)company.com
(16) eap_peap : Got inner identity 'sam.fakhreddine(a)company.com'
(16) eap_peap : Setting default EAP type for tunneled EAP session.
(16) eap_peap : Setting User-Name to sam.fakhreddine(a)company.com
(16) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(16) authorize {
(16) ntlm_auth.authorize ntlm_auth.authorize {
(16) ? if (!control:Auth-Type && User-Password)
(16) ? if (!control:Auth-Type && User-Password) -> FALSE
(16) } # ntlm_auth.authorize ntlm_auth.authorize = notfound
(16) [chap] = noop
(16) [mschap] = noop
(16) suffix : Looking up realm "company.com" for User-Name = "sam.fakhreddine(a)company.com"
(16) suffix : No such realm "company.com"
(16) [suffix] = noop
(16) update control {
(16) Proxy-To-Realm := 'LOCAL'
(16) } # update control = noop
(16) eap : EAP packet type response id 226 length 31
(16) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(16) [eap] = ok
(16) } # authorize = ok
(16) Found Auth-Type = EAP
(16) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(16) authenticate {
(16) eap : Peer sent Identity (1)
(16) eap : Calling eap_mschapv2 to process EAP data
(16) eap_mschapv2 : Issuing Challenge
(16) eap : New EAP session, adding 'State' attribute to reply 0x78c6265278253c43
(16) [eap] = handled
(16) } # authenticate = handled
(16) eap_peap : Got tunneled Access-Challenge
(16) eap : New EAP session, adding 'State' attribute to reply 0xab50bbb0adb3a2e9
(16) [eap] = handled
(16) } # authenticate = handled
(16) Finished request 16.
Thread 3 waiting to be assigned a request
Sam Fakhreddine
Site System Administrator
Ledcor Industries Inc., Information Services
7008 Roper Road NW, Edmonton, AB T6B 3H2
p 780-395-5455 | c 780-996-0763
www.ledcor.com<http://www.ledcor.com/>
FORWARD. TOGETHER.
2
1