Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
June 2015
- 102 participants
- 146 discussions
Hi, I setup up a sql_counter fine… after access period is reached and active connections is reset user cannot login again.
The issue is to ‘kill’ that connection just in the moment access period limit is reached.
Can anybody explain me how to do that?
Kind Regards
JL
2
4
09 Jun '15
Hi Mate
I have need help.
I have to create a profile (Attributes) for connections multiple using a
user-name.
Each MAC can use the same profile.
Profile request : 1 hours (Duration connection) - Reset every daily -
Multi Connection.
Best Regard
Bruno D'Ambrosio
1
0
I want to set a usage counter for users on my Radius box and if possible disconnect them when they reach their usage allowance via a post-acct.
Is this possible to do without having to use an SQL back end counter as I currently only use the files to define users, store accounting etc.
What's the best recommendation on how to achieve this?
Thanks.
Marc Beaumont
Network Admin / Linux Specialist
Comms 365
marc.beaumont(a)comms365.com<mailto:marc.beaumont@comms365.com>
Scanned by MailDefender - managed email security from intY - www.maildefender.net
2
1
Is it possible to define a variable in the clients.conf file, and then use that in the users config file.
For example, I want to be able to pass back a particular setting based on which client the request comes from.
EG:
I have clients.conf:
client 01 {
ipaddr = 1.2.3.4
netmask = 28
secret = xxxxxxxx
}
client 02 {
ipaddr = 5.6.7.8
netmask = 28
secret = xxxxxxxxxx
}
Then in my users, I would like to pass back an attribute based on which client the request came from.
So I can do:
Username_test Cleartext-Password := "test"
Framed-IP-Address = 9.10.11.12
Framed-IP-Netmask = 255.255.255.255,
Tunnel-Type = L2TP,
Tunnel-Client-Auth-Id = xxxxx,
Tunnel-Server-Endpoint = <client IP>, (Want to base this on the client the request came from, eg just lift the ipaddr attribute)
Tunnel-Password = xxxxxxx,
Is this possible??
Marc Beaumont
Network Admin / Linux Specialist
Comms 365
marc.beaumont(a)comms365.com<mailto:marc.beaumont@comms365.com>
Scanned by MailDefender - managed email security from intY - www.maildefender.net
2
4
Hi Mate
I have need help.
I have to create a profile (Attributes) for connections multiple using a
user-name.
Each MAC can use the same profile.
Profile request : 1 hours (Duration connection) - Reset every daily -
Multi Connection.
Best Regard
Bruno D'Ambrosio
1
0
Thank you Alan for your response,
After I changed to 3.0.9 I am not getting a pass change window on my laptop anymore... it just tells me that the username or password is incorrect. I still can authenticate succesfully with a different user that has no expired password..
(0) Received Access-Request Id 239 from 10.70.1.1:32770 to 10.10.10.3:1812 length 234
(0) User-Name = 'vdiuser001'
(0) Calling-Station-Id = '00-c0-a8-c6-d7-79'
(0) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(0) NAS-Port = 13
(0) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
(0) NAS-IP-Address = 10.70.1.1
(0) NAS-Identifier = 'Cisco-WLC-5508'
(0) Airespace-Wlan-Id = 9
(0) Service-Type = Framed-User
(0) Framed-MTU = 1300
(0) NAS-Port-Type = Wireless-802.11
(0) Tunnel-Type:0 = VLAN
(0) Tunnel-Medium-Type:0 = IEEE-802
(0) Tunnel-Private-Group-Id:0 = '212'
(0) EAP-Message = 0x0202000f0176646975736572303031
(0) Message-Authenticator = 0x188f999c1ff661dbdf631889c89f601b
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (!&User-Name) {
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ ) {
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent code Response (2) ID 2 length 15
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent method Identity (1)
(0) eap: Calling eap_peap to process EAP data
(0) eap_peap: Flushing SSL sessions (of #0)
(0) eap_peap: Initiate
(0) eap_peap: Start returned 1
(0) eap: EAP session adding &reply:State = 0xfcd853a7fcdb4aaf
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 239 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(0) EAP-Message = 0x010300061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xfcd853a7fcdb4aafb400e9d91b88b168
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 240 from 10.70.1.1:32770 to 10.10.10.3:1812 length 378
(1) User-Name = 'vdiuser001'
(1) Calling-Station-Id = '00-c0-a8-c6-d7-79'
(1) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(1) NAS-Port = 13
(1) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
(1) NAS-IP-Address = 10.70.1.1
(1) NAS-Identifier = 'Cisco-WLC-5508'
(1) Airespace-Wlan-Id = 9
(1) Service-Type = Framed-User
(1) Framed-MTU = 1300
(1) NAS-Port-Type = Wireless-802.11
(1) Tunnel-Type:0 = VLAN
(1) Tunnel-Medium-Type:0 = IEEE-802
(1) Tunnel-Private-Group-Id:0 = '212'
(1) EAP-Message = 0x0203008d198000000083160301007e0100007a0301556f007139e2ef5fa810877430d9d30e669ea446efcc04237015dc29d6f6e88f20b48510af5eef4cad8b2d52382a9b8c9d69d2f5b409db03c2f576067eea76ab270018c014c0130035002fc00ac00900380032000a00130005000401000019ff0100
(1) State = 0xfcd853a7fcdb4aafb400e9d91b88b168
(1) Message-Authenticator = 0xc71382cba8adc5f62dd1d52c1f94eabd
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (!&User-Name) {
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ ) {
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent code Response (2) ID 3 length 141
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xfcd853a7fcdb4aaf
(1) eap: Finished EAP session with state 0xfcd853a7fcdb4aaf
(1) eap: Previous EAP request found for state 0xfcd853a7fcdb4aaf, released from the list
(1) eap: Peer sent method PEAP (25)
(1) eap: EAP PEAP (25)
(1) eap: Calling eap_peap to process EAP data
(1) eap_peap: processing EAP-TLS
(1) eap_peap: TLS Length 131
(1) eap_peap: Length Included
(1) eap_peap: eaptls_verify returned 11
(1) eap_peap: (other): before/accept initialization
(1) eap_peap: TLS_accept: before/accept initialization
(1) eap_peap: <<< TLS 1.0 Handshake [length 007e], ClientHello
SSL: Client requested cached session b48510af5eef4cad8b2d52382a9b8c9d69d2f5b409db03c2f576067eea76ab27
(1) eap_peap: TLS_accept: SSLv3 read client hello A
(1) eap_peap:>>> TLS 1.0 Handshake [length 0059], ServerHello
(1) eap_peap: TLS_accept: SSLv3 write server hello A
(1) eap_peap:>>> TLS 1.0 Handshake [length 08d0], Certificate
(1) eap_peap: TLS_accept: SSLv3 write certificate A
(1) eap_peap:>>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(1) eap_peap: TLS_accept: SSLv3 write key exchange A
(1) eap_peap:>>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) eap_peap: TLS_accept: SSLv3 write server done A
(1) eap_peap: TLS_accept: SSLv3 flush data
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(1) eap_peap: eaptls_process returned 13
(1) eap_peap: FR_TLS_HANDLED
(1) eap: EAP session adding &reply:State = 0xfcd853a7fddc4aaf
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 240 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(1) EAP-Message = 0x010403ec19c000000a8c1603010059020000550301e33481638ab50505fd243d5f28281a03744290725fad8dda8caa9a4759feff2d20e43d8045ba796d2e07fef583a7bcf15886ba3822b31a075eca43b74aab2086c9c01400000dff01000100000b00040300010216030108d00b0008cc0008c90003de
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xfcd853a7fddc4aafb400e9d91b88b168
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 241 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243
(2) User-Name = 'vdiuser001'
(2) Calling-Station-Id = '00-c0-a8-c6-d7-79'
(2) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(2) NAS-Port = 13
(2) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
(2) NAS-IP-Address = 10.70.1.1
(2) NAS-Identifier = 'Cisco-WLC-5508'
(2) Airespace-Wlan-Id = 9
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) Tunnel-Type:0 = VLAN
(2) Tunnel-Medium-Type:0 = IEEE-802
(2) Tunnel-Private-Group-Id:0 = '212'
(2) EAP-Message = 0x020400061900
(2) State = 0xfcd853a7fddc4aafb400e9d91b88b168
(2) Message-Authenticator = 0x69d10acc80d82e3a9c5aac64c3728ec0
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (!&User-Name) {
(2) if (!&User-Name) -> FALSE
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@.*@/ ) {
(2) if (&User-Name =~ /@.*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent code Response (2) ID 4 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xfcd853a7fddc4aaf
(2) eap: Finished EAP session with state 0xfcd853a7fddc4aaf
(2) eap: Previous EAP request found for state 0xfcd853a7fddc4aaf, released from the list
(2) eap: Peer sent method PEAP (25)
(2) eap: EAP PEAP (25)
(2) eap: Calling eap_peap to process EAP data
(2) eap_peap: processing EAP-TLS
(2) eap_peap: Received TLS ACK
(2) eap_peap: Received TLS ACK
(2) eap_peap: ACK handshake fragment handler
(2) eap_peap: eaptls_verify returned 1
(2) eap_peap: eaptls_process returned 13
(2) eap_peap: FR_TLS_HANDLED
(2) eap: EAP session adding &reply:State = 0xfcd853a7fedd4aaf
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 241 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(2) EAP-Message = 0x010503e8194087d363ae51e9fa919a6062082c2ab782a717d7fede947271bcbe38ea3b9d04ee4cef44da92b58dfea437ba6764fd97950d4f99cb8e1b38b721f29b087ce94f71868ec5554e72d8d3a6f9a11c4108d6c8a7945c60f03a9991d841074df483c1574367aee17dbd11aaab0004e5308204e130
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xfcd853a7fedd4aafb400e9d91b88b168
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 242 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243
(3) User-Name = 'vdiuser001'
(3) Calling-Station-Id = '00-c0-a8-c6-d7-79'
(3) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(3) NAS-Port = 13
(3) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
(3) NAS-IP-Address = 10.70.1.1
(3) NAS-Identifier = 'Cisco-WLC-5508'
(3) Airespace-Wlan-Id = 9
(3) Service-Type = Framed-User
(3) Framed-MTU = 1300
(3) NAS-Port-Type = Wireless-802.11
(3) Tunnel-Type:0 = VLAN
(3) Tunnel-Medium-Type:0 = IEEE-802
(3) Tunnel-Private-Group-Id:0 = '212'
(3) EAP-Message = 0x020500061900
(3) State = 0xfcd853a7fedd4aafb400e9d91b88b168
(3) Message-Authenticator = 0x0adea1512f939350fd4ac3a6ab9f2460
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (!&User-Name) {
(3) if (!&User-Name) -> FALSE
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@.*@/ ) {
(3) if (&User-Name =~ /@.*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent code Response (2) ID 5 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xfcd853a7fedd4aaf
(3) eap: Finished EAP session with state 0xfcd853a7fedd4aaf
(3) eap: Previous EAP request found for state 0xfcd853a7fedd4aaf, released from the list
(3) eap: Peer sent method PEAP (25)
(3) eap: EAP PEAP (25)
(3) eap: Calling eap_peap to process EAP data
(3) eap_peap: processing EAP-TLS
(3) eap_peap: Received TLS ACK
(3) eap_peap: Received TLS ACK
(3) eap_peap: ACK handshake fragment handler
(3) eap_peap: eaptls_verify returned 1
(3) eap_peap: eaptls_process returned 13
(3) eap_peap: FR_TLS_HANDLED
(3) eap: EAP session adding &reply:State = 0xfcd853a7ffde4aaf
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 242 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(3) EAP-Message = 0x010602ce190020417574686f72697479820900cf57e5d1f44e11e4300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d010105050003820101001a21
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xfcd853a7ffde4aafb400e9d91b88b168
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 243 from 10.70.1.1:32770 to 10.10.10.3:1812 length 381
(4) User-Name = 'vdiuser001'
(4) Calling-Station-Id = '00-c0-a8-c6-d7-79'
(4) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(4) NAS-Port = 13
(4) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
(4) NAS-IP-Address = 10.70.1.1
(4) NAS-Identifier = 'Cisco-WLC-5508'
(4) Airespace-Wlan-Id = 9
(4) Service-Type = Framed-User
(4) Framed-MTU = 1300
(4) NAS-Port-Type = Wireless-802.11
(4) Tunnel-Type:0 = VLAN
(4) Tunnel-Medium-Type:0 = IEEE-802
(4) Tunnel-Private-Group-Id:0 = '212'
(4) EAP-Message = 0x020600901980000000861603010046100000424104659013060486276c41b5734d0c4799ba9d6cb700dabbbc6bfa68a9b3b0c3b237b6f7ee8c9a194b8a20645279d3c7e05b5a7ee14383257f83eadf85aab1fc7d0d140301000101160301003042a06361b3cb896ea1b0476e10371b8eed883122419379
(4) State = 0xfcd853a7ffde4aafb400e9d91b88b168
(4) Message-Authenticator = 0x3674700353af1563ff78522ff0bf447d
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (!&User-Name) {
(4) if (!&User-Name) -> FALSE
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@.*@/ ) {
(4) if (&User-Name =~ /@.*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent code Response (2) ID 6 length 144
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0xfcd853a7ffde4aaf
(4) eap: Finished EAP session with state 0xfcd853a7ffde4aaf
(4) eap: Previous EAP request found for state 0xfcd853a7ffde4aaf, released from the list
(4) eap: Peer sent method PEAP (25)
(4) eap: EAP PEAP (25)
(4) eap: Calling eap_peap to process EAP data
(4) eap_peap: processing EAP-TLS
(4) eap_peap: TLS Length 134
(4) eap_peap: Length Included
(4) eap_peap: eaptls_verify returned 11
(4) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(4) eap_peap: TLS_accept: SSLv3 read client key exchange A
(4) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap: TLS_accept: SSLv3 read finished A
(4) eap_peap:>>> TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(4) eap_peap:>>> TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap: TLS_accept: SSLv3 write finished A
(4) eap_peap: TLS_accept: SSLv3 flush data
TLS: adding session e43d8045ba796d2e07fef583a7bcf15886ba3822b31a075eca43b74aab2086c9 to cache
(4) eap_peap: (other): SSL negotiation finished successfully
SSL Connection Established
(4) eap_peap: eaptls_process returned 13
(4) eap_peap: FR_TLS_HANDLED
(4) eap: EAP session adding &reply:State = 0xfcd853a7f8df4aaf
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 243 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(4) EAP-Message = 0x0107004119001403010001011603010030805396c196ecd0cfbcdf4262de648ff5c61404e719706e413e8c67f9169d03f6075a93a6402c6cb3df2681c909c13ca5
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xfcd853a7f8df4aafb400e9d91b88b168
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 244 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243
(5) User-Name = 'vdiuser001'
(5) Calling-Station-Id = '00-c0-a8-c6-d7-79'
(5) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(5) NAS-Port = 13
(5) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
(5) NAS-IP-Address = 10.70.1.1
(5) NAS-Identifier = 'Cisco-WLC-5508'
(5) Airespace-Wlan-Id = 9
(5) Service-Type = Framed-User
(5) Framed-MTU = 1300
(5) NAS-Port-Type = Wireless-802.11
(5) Tunnel-Type:0 = VLAN
(5) Tunnel-Medium-Type:0 = IEEE-802
(5) Tunnel-Private-Group-Id:0 = '212'
(5) EAP-Message = 0x020700061900
(5) State = 0xfcd853a7f8df4aafb400e9d91b88b168
(5) Message-Authenticator = 0x75def782b74b9f6aaae4b726602f9eae
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (!&User-Name) {
(5) if (!&User-Name) -> FALSE
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@.*@/ ) {
(5) if (&User-Name =~ /@.*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent code Response (2) ID 7 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0xfcd853a7f8df4aaf
(5) eap: Finished EAP session with state 0xfcd853a7f8df4aaf
(5) eap: Previous EAP request found for state 0xfcd853a7f8df4aaf, released from the list
(5) eap: Peer sent method PEAP (25)
(5) eap: EAP PEAP (25)
(5) eap: Calling eap_peap to process EAP data
(5) eap_peap: processing EAP-TLS
(5) eap_peap: Received TLS ACK
(5) eap_peap: Received TLS ACK
(5) eap_peap: ACK handshake is finished
(5) eap_peap: eaptls_verify returned 3
(5) eap_peap: eaptls_process returned 3
(5) eap_peap: FR_TLS_SUCCESS
(5) eap_peap: Session established. Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: EAP session adding &reply:State = 0xfcd853a7f9d04aaf
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Sent Access-Challenge Id 244 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(5) EAP-Message = 0x0108002b19001703010020e9acf4878f2cf9c9c79de729087ad3e19b253b8c0e50b1c26443853c5c984637
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xfcd853a7f9d04aafb400e9d91b88b168
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 245 from 10.70.1.1:32770 to 10.10.10.3:1812 length 280
(6) User-Name = 'vdiuser001'
(6) Calling-Station-Id = '00-c0-a8-c6-d7-79'
(6) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(6) NAS-Port = 13
(6) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
(6) NAS-IP-Address = 10.70.1.1
(6) NAS-Identifier = 'Cisco-WLC-5508'
(6) Airespace-Wlan-Id = 9
(6) Service-Type = Framed-User
(6) Framed-MTU = 1300
(6) NAS-Port-Type = Wireless-802.11
(6) Tunnel-Type:0 = VLAN
(6) Tunnel-Medium-Type:0 = IEEE-802
(6) Tunnel-Private-Group-Id:0 = '212'
(6) EAP-Message = 0x0208002b190017030100204283191b2685faf2b92c873c8c3972380e81ab3a78cc797b6518e8af45963138
(6) State = 0xfcd853a7f9d04aafb400e9d91b88b168
(6) Message-Authenticator = 0x36d173beae56175a27434016ac0a82cb
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (!&User-Name) {
(6) if (!&User-Name) -> FALSE
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@.*@/ ) {
(6) if (&User-Name =~ /@.*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent code Response (2) ID 8 length 43
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0xfcd853a7f9d04aaf
(6) eap: Finished EAP session with state 0xfcd853a7f9d04aaf
(6) eap: Previous EAP request found for state 0xfcd853a7f9d04aaf, released from the list
(6) eap: Peer sent method PEAP (25)
(6) eap: EAP PEAP (25)
(6) eap: Calling eap_peap to process EAP data
(6) eap_peap: processing EAP-TLS
(6) eap_peap: eaptls_verify returned 7
(6) eap_peap: Done initial handshake
(6) eap_peap: eaptls_process returned 7
(6) eap_peap: FR_TLS_OK
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - vdiuser001
(6) eap_peap: Got inner identity 'vdiuser001'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap: EAP-Message = 0x0208000f0176646975736572303031
(6) eap_peap: Setting User-Name to vdiuser001
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap: EAP-Message = 0x0208000f0176646975736572303031
(6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap: User-Name = 'vdiuser001'
(6) Virtual server inner-tunnel received request
(6) EAP-Message = 0x0208000f0176646975736572303031
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = 'vdiuser001'
(6) server inner-tunnel {
(6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: Peer sent code Response (2) ID 8 length 15
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Peer sent method Identity (1)
(6) eap: Calling eap_mschapv2 to process EAP data
(6) eap_mschapv2: Issuing Challenge
(6) eap: EAP session adding &reply:State = 0x6a2b492e6a22538f
(6) [eap] = handled
(6) } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) EAP-Message = 0x0109002a1a01090025107dea2c3598e93665587b4dba43189cfa667265657261646975732d332e302e39
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x6a2b492e6a22538fe503884f9d44e7ff
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap: EAP-Message = 0x0109002a1a01090025107dea2c3598e93665587b4dba43189cfa667265657261646975732d332e302e39
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x6a2b492e6a22538fe503884f9d44e7ff
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap: EAP-Message = 0x0109002a1a01090025107dea2c3598e93665587b4dba43189cfa667265657261646975732d332e302e39
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x6a2b492e6a22538fe503884f9d44e7ff
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: EAP session adding &reply:State = 0xfcd853a7fad14aaf
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) Sent Access-Challenge Id 245 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(6) EAP-Message = 0x0109004b190017030100406a3b46095fb10b93a11e13b5e74fc5eac154270b5a9ef8fdfb482c1dab2a759a4872e47dec1beaf306303e2a07d5e762b3381999cc96604175fe9c6adf84eab2
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xfcd853a7fad14aafb400e9d91b88b168
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 246 from 10.70.1.1:32770 to 10.10.10.3:1812 length 344
(7) User-Name = 'vdiuser001'
(7) Calling-Station-Id = '00-c0-a8-c6-d7-79'
(7) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(7) NAS-Port = 13
(7) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
(7) NAS-IP-Address = 10.70.1.1
(7) NAS-Identifier = 'Cisco-WLC-5508'
(7) Airespace-Wlan-Id = 9
(7) Service-Type = Framed-User
(7) Framed-MTU = 1300
(7) NAS-Port-Type = Wireless-802.11
(7) Tunnel-Type:0 = VLAN
(7) Tunnel-Medium-Type:0 = IEEE-802
(7) Tunnel-Private-Group-Id:0 = '212'
(7) EAP-Message = 0x0209006b19001703010060e3ebfd336d1c0bb5d36d68ac263e5e6d7f80e8a1e28be6bc752c0d06555b63f06367b0ca1803b17f092d89c35ce418ecce8b1425853a3dd6ccd16a292e80e46a1ecc98ba53222a0c1cccc827075993197807413d5778b2712ce2ad3eae35d7ce
(7) State = 0xfcd853a7fad14aafb400e9d91b88b168
(7) Message-Authenticator = 0x4c9a2819e43b37c8eadf9473681308a2
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (!&User-Name) {
(7) if (!&User-Name) -> FALSE
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@.*@/ ) {
(7) if (&User-Name =~ /@.*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent code Response (2) ID 9 length 107
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x6a2b492e6a22538f
(7) eap: Finished EAP session with state 0xfcd853a7fad14aaf
(7) eap: Previous EAP request found for state 0xfcd853a7fad14aaf, released from the list
(7) eap: Peer sent method PEAP (25)
(7) eap: EAP PEAP (25)
(7) eap: Calling eap_peap to process EAP data
(7) eap_peap: processing EAP-TLS
(7) eap_peap: eaptls_verify returned 7
(7) eap_peap: Done initial handshake
(7) eap_peap: eaptls_process returned 7
(7) eap_peap: FR_TLS_OK
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP type MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x020900451a0209004031f720f64e114a568afc3428e187fef2d20000000000000000bcae7bc9d2c22a1291791a130d422a537209282de03718a00076646975736572303031
(7) eap_peap: Setting User-Name to vdiuser001
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x020900451a0209004031f720f64e114a568afc3428e187fef2d20000000000000000bcae7bc9d2c22a1291791a130d422a537209282de03718a00076646975736572303031
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = 'vdiuser001'
(7) eap_peap: State = 0x6a2b492e6a22538fe503884f9d44e7ff
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x020900451a0209004031f720f64e114a568afc3428e187fef2d20000000000000000bcae7bc9d2c22a1291791a130d422a537209282de03718a00076646975736572303031
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = 'vdiuser001'
(7) State = 0x6a2b492e6a22538fe503884f9d44e7ff
(7) server inner-tunnel {
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent code Response (2) ID 9 length 69
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
(7) sql: EXPAND %{User-Name}
(7) sql: --> vdiuser001
(7) sql: SQL-User-Name set to 'vdiuser001'
rlm_sql (sql): Reserved connection (0)
(7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id
(7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id
(7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority
(7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority
(7) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
rlm_sql (sql): Closing connection (1), from 1 unused connections
rlm_sql_mysql: Socket destructor called, closing socket
(7) [sql] = notfound
rlm_ldap (ldap): Reserved connection (0)
(7) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap: --> (sAMAccountName=vdiuser001)
(7) ldap: Performing search in "ou=_TerAA_Users,dc=teraa,dc=local" with filter "(sAMAccountName=vdiuser001)", scope "sub"
(7) ldap: Waiting for search result...
(7) ldap: User object found at DN "CN=VDIuser001,OU=VDI,OU=PRS,OU=_TerAA_Users,DC=teraa,DC=local"
(7) ldap: Processing user attributes
(7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the
password attribute
(7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
rlm_ldap (ldap): Closing connection (1), from 1 unused connections
(7) [ldap] = ok
(7) if (control:Ldap-UserDn =~ /OU=EDU/) {
(7) if (control:Ldap-UserDn =~ /OU=EDU/) -> FALSE
(7) elsif (control:Ldap-UserDn =~ /OU=PRS/) {
(7) elsif (control:Ldap-UserDn =~ /OU=PRS/) -> TRUE
(7) elsif (control:Ldap-UserDn =~ /OU=PRS/) {
(7) update control {
(7) Simultaneous-Use := 3
(7) } # update control = noop
(7) update outer.session-state {
(7) Tunnel-type = VLAN
(7) Tunnel-medium-type = IEEE-802
(7) Tunnel-Private-Group-Id = PRS-WIFI-Client
(7) } # update outer.session-state = noop
(7) } # elsif (control:Ldap-UserDn =~ /OU=PRS/) = noop
(7) ... skipping elsif for request 7: Preceding "if" was taken
(7) ... skipping else for request 7: Preceding "if" was taken
(7) [expiration] = noop
(7) [logintime] = noop
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0x6a2b492e6a22538f
(7) eap: Finished EAP session with state 0x6a2b492e6a22538f
(7) eap: Previous EAP request found for state 0x6a2b492e6a22538f, released from the list
(7) eap: Peer sent method MSCHAPv2 (26)
(7) eap: EAP MSCHAPv2 (26)
(7) eap: Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) eap_mschapv2: Auth-Type MS-CHAP {
(7) mschap: Creating challenge hash with username: vdiuser001
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(7) mschap: --> --username=vdiuser001
(7) mschap: Creating challenge hash with username: vdiuser001
(7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(7) mschap: --> --challenge=9f432e6abc4ec74e
(7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(7) mschap: --> --nt-response=bcae7bc9d2c22a1291791a130d422a537209282de03718a0
(7) mschap: ERROR: Program returned code (1) and output 'Must change password (0xc0000224)'
(7) mschap: ERROR: Must change password (0xc0000224)
(7) mschap: Password has expired. The user should retry authentication
(7) [mschap] = reject
(7) } # Auth-Type MS-CHAP = reject
(7) MSCHAP-Error: E=648 R=1 C=00063b49e7c084b7016b35ab4336020d V=3 M=Password Expired
(7) Found new challenge from MS-CHAP-Error: err=648 retry=1 challenge=00063b49e7c084b7016b35ab4336020d
(7) ERROR: MSCHAP Failure
(7) eap: EAP session adding &reply:State = 0x6a2b492e6b21538f
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message = 0x010a004c1a04090047453d36343820523d3120433d303030363362343965376330383462373031366233356162343333363032306420563d33204d3d50617373776f72642045787069726564
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x6a2b492e6b21538fe503884f9d44e7ff
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message = 0x010a004c1a04090047453d36343820523d3120433d303030363362343965376330383462373031366233356162343333363032306420563d33204d3d50617373776f72642045787069726564
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x6a2b492e6b21538fe503884f9d44e7ff
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message = 0x010a004c1a04090047453d36343820523d3120433d303030363362343965376330383462373031366233356162343333363032306420563d33204d3d50617373776f72642045787069726564
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x6a2b492e6b21538fe503884f9d44e7ff
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: EAP session adding &reply:State = 0xfcd853a7fbd24aaf
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) session-state: Saving cached attributes
(7) Tunnel-Type = VLAN
(7) Tunnel-Medium-Type = IEEE-802
(7) Tunnel-Private-Group-Id = 'PRS-WIFI-Client'
(7) Sent Access-Challenge Id 246 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(7) EAP-Message = 0x010a006b19001703010060b3897a1c79b4063ee3eea85ec0eb5b1ffef302d6c90c1819ac828808598205d33c2dbad5a1af49ff0f8add5f0cb05a598bdae558b2e839b44204ac2b0fbc80437323b4f46871add958ea20f13a19e66bb6c2402389e445ba3305ffea4be0b16b
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xfcd853a7fbd24aafb400e9d91b88b168
(7) Finished request
----------------------------------------
> From: richardvanderveen(a)outlook.com
> To: a.l.m.buxey(a)lboro.ac.uk
> Subject: RE: Pass change/expiry problem
> Date: Wed, 3 Jun 2015 15:34:45 +0200
>
> Thank you Alan for your response,
>
> After I changed to 3.0.9 I am not getting a pass change window on my laptop anymore... it just tells me that the username or password is incorrect. I still can authenticate succesfully with a different user that has no expired password..
>
> (0) Received Access-Request Id 239 from 10.70.1.1:32770 to 10.10.10.3:1812 length 234
> (0) User-Name = 'vdiuser001'
> (0) Calling-Station-Id = '00-c0-a8-c6-d7-79'
> (0) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
> (0) NAS-Port = 13
> (0) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
> (0) NAS-IP-Address = 10.70.1.1
> (0) NAS-Identifier = 'Cisco-WLC-5508'
> (0) Airespace-Wlan-Id = 9
> (0) Service-Type = Framed-User
> (0) Framed-MTU = 1300
> (0) NAS-Port-Type = Wireless-802.11
> (0) Tunnel-Type:0 = VLAN
> (0) Tunnel-Medium-Type:0 = IEEE-802
> (0) Tunnel-Private-Group-Id:0 = '212'
> (0) EAP-Message = 0x0202000f0176646975736572303031
> (0) Message-Authenticator = 0x188f999c1ff661dbdf631889c89f601b
> (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (0) authorize {
> (0) policy filter_username {
> (0) if (!&User-Name) {
> (0) if (!&User-Name) -> FALSE
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@.*@/ ) {
> (0) if (&User-Name =~ /@.*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /(a)\./) {
> (0) if (&User-Name =~ /(a)\./) -> FALSE
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0) [suffix] = noop
> (0) eap: Peer sent code Response (2) ID 2 length 15
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
> (0) Found Auth-Type = EAP
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0) authenticate {
> (0) eap: Peer sent method Identity (1)
> (0) eap: Calling eap_peap to process EAP data
> (0) eap_peap: Flushing SSL sessions (of #0)
> (0) eap_peap: Initiate
> (0) eap_peap: Start returned 1
> (0) eap: EAP session adding &reply:State = 0xfcd853a7fcdb4aaf
> (0) [eap] = handled
> (0) } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) Post-Auth-Type sub-section not found. Ignoring.
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0) Sent Access-Challenge Id 239 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
> (0) EAP-Message = 0x010300061920
> (0) Message-Authenticator = 0x00000000000000000000000000000000
> (0) State = 0xfcd853a7fcdb4aafb400e9d91b88b168
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 240 from 10.70.1.1:32770 to 10.10.10.3:1812 length 378
> (1) User-Name = 'vdiuser001'
> (1) Calling-Station-Id = '00-c0-a8-c6-d7-79'
> (1) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
> (1) NAS-Port = 13
> (1) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
> (1) NAS-IP-Address = 10.70.1.1
> (1) NAS-Identifier = 'Cisco-WLC-5508'
> (1) Airespace-Wlan-Id = 9
> (1) Service-Type = Framed-User
> (1) Framed-MTU = 1300
> (1) NAS-Port-Type = Wireless-802.11
> (1) Tunnel-Type:0 = VLAN
> (1) Tunnel-Medium-Type:0 = IEEE-802
> (1) Tunnel-Private-Group-Id:0 = '212'
> (1) EAP-Message = 0x0203008d198000000083160301007e0100007a0301556f007139e2ef5fa810877430d9d30e669ea446efcc04237015dc29d6f6e88f20b48510af5eef4cad8b2d52382a9b8c9d69d2f5b409db03c2f576067eea76ab270018c014c0130035002fc00ac00900380032000a00130005000401000019ff0100
> (1) State = 0xfcd853a7fcdb4aafb400e9d91b88b168
> (1) Message-Authenticator = 0xc71382cba8adc5f62dd1d52c1f94eabd
> (1) session-state: No cached attributes
> (1) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (1) authorize {
> (1) policy filter_username {
> (1) if (!&User-Name) {
> (1) if (!&User-Name) -> FALSE
> (1) if (&User-Name =~ / /) {
> (1) if (&User-Name =~ / /) -> FALSE
> (1) if (&User-Name =~ /@.*@/ ) {
> (1) if (&User-Name =~ /@.*@/ ) -> FALSE
> (1) if (&User-Name =~ /\.\./ ) {
> (1) if (&User-Name =~ /\.\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
> (1) if (&User-Name =~ /\.$/) {
> (1) if (&User-Name =~ /\.$/) -> FALSE
> (1) if (&User-Name =~ /(a)\./) {
> (1) if (&User-Name =~ /(a)\./) -> FALSE
> (1) } # policy filter_username = notfound
> (1) [preprocess] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1) [suffix] = noop
> (1) eap: Peer sent code Response (2) ID 3 length 141
> (1) eap: Continuing tunnel setup
> (1) [eap] = ok
> (1) } # authorize = ok
> (1) Found Auth-Type = EAP
> (1) # Executing group from file /etc/raddb/sites-enabled/default
> (1) authenticate {
> (1) eap: Expiring EAP session with state 0xfcd853a7fcdb4aaf
> (1) eap: Finished EAP session with state 0xfcd853a7fcdb4aaf
> (1) eap: Previous EAP request found for state 0xfcd853a7fcdb4aaf, released from the list
> (1) eap: Peer sent method PEAP (25)
> (1) eap: EAP PEAP (25)
> (1) eap: Calling eap_peap to process EAP data
> (1) eap_peap: processing EAP-TLS
> (1) eap_peap: TLS Length 131
> (1) eap_peap: Length Included
> (1) eap_peap: eaptls_verify returned 11
> (1) eap_peap: (other): before/accept initialization
> (1) eap_peap: TLS_accept: before/accept initialization
> (1) eap_peap: <<< TLS 1.0 Handshake [length 007e], ClientHello
> SSL: Client requested cached session b48510af5eef4cad8b2d52382a9b8c9d69d2f5b409db03c2f576067eea76ab27
> (1) eap_peap: TLS_accept: SSLv3 read client hello A
> (1) eap_peap:>>> TLS 1.0 Handshake [length 0059], ServerHello
> (1) eap_peap: TLS_accept: SSLv3 write server hello A
> (1) eap_peap:>>> TLS 1.0 Handshake [length 08d0], Certificate
> (1) eap_peap: TLS_accept: SSLv3 write certificate A
> (1) eap_peap:>>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
> (1) eap_peap: TLS_accept: SSLv3 write key exchange A
> (1) eap_peap:>>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> (1) eap_peap: TLS_accept: SSLv3 write server done A
> (1) eap_peap: TLS_accept: SSLv3 flush data
> (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
> (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> (1) eap_peap: eaptls_process returned 13
> (1) eap_peap: FR_TLS_HANDLED
> (1) eap: EAP session adding &reply:State = 0xfcd853a7fddc4aaf
> (1) [eap] = handled
> (1) } # authenticate = handled
> (1) Using Post-Auth-Type Challenge
> (1) Post-Auth-Type sub-section not found. Ignoring.
> (1) # Executing group from file /etc/raddb/sites-enabled/default
> (1) Sent Access-Challenge Id 240 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
> (1) EAP-Message = 0x010403ec19c000000a8c1603010059020000550301e33481638ab50505fd243d5f28281a03744290725fad8dda8caa9a4759feff2d20e43d8045ba796d2e07fef583a7bcf15886ba3822b31a075eca43b74aab2086c9c01400000dff01000100000b00040300010216030108d00b0008cc0008c90003de
> (1) Message-Authenticator = 0x00000000000000000000000000000000
> (1) State = 0xfcd853a7fddc4aafb400e9d91b88b168
> (1) Finished request
> Waking up in 4.9 seconds.
> (2) Received Access-Request Id 241 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243
> (2) User-Name = 'vdiuser001'
> (2) Calling-Station-Id = '00-c0-a8-c6-d7-79'
> (2) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
> (2) NAS-Port = 13
> (2) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
> (2) NAS-IP-Address = 10.70.1.1
> (2) NAS-Identifier = 'Cisco-WLC-5508'
> (2) Airespace-Wlan-Id = 9
> (2) Service-Type = Framed-User
> (2) Framed-MTU = 1300
> (2) NAS-Port-Type = Wireless-802.11
> (2) Tunnel-Type:0 = VLAN
> (2) Tunnel-Medium-Type:0 = IEEE-802
> (2) Tunnel-Private-Group-Id:0 = '212'
> (2) EAP-Message = 0x020400061900
> (2) State = 0xfcd853a7fddc4aafb400e9d91b88b168
> (2) Message-Authenticator = 0x69d10acc80d82e3a9c5aac64c3728ec0
> (2) session-state: No cached attributes
> (2) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (2) authorize {
> (2) policy filter_username {
> (2) if (!&User-Name) {
> (2) if (!&User-Name) -> FALSE
> (2) if (&User-Name =~ / /) {
> (2) if (&User-Name =~ / /) -> FALSE
> (2) if (&User-Name =~ /@.*@/ ) {
> (2) if (&User-Name =~ /@.*@/ ) -> FALSE
> (2) if (&User-Name =~ /\.\./ ) {
> (2) if (&User-Name =~ /\.\./ ) -> FALSE
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
> (2) if (&User-Name =~ /\.$/) {
> (2) if (&User-Name =~ /\.$/) -> FALSE
> (2) if (&User-Name =~ /(a)\./) {
> (2) if (&User-Name =~ /(a)\./) -> FALSE
> (2) } # policy filter_username = notfound
> (2) [preprocess] = ok
> (2) [chap] = noop
> (2) [mschap] = noop
> (2) [digest] = noop
> (2) suffix: Checking for suffix after "@"
> (2) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (2) suffix: No such realm "NULL"
> (2) [suffix] = noop
> (2) eap: Peer sent code Response (2) ID 4 length 6
> (2) eap: Continuing tunnel setup
> (2) [eap] = ok
> (2) } # authorize = ok
> (2) Found Auth-Type = EAP
> (2) # Executing group from file /etc/raddb/sites-enabled/default
> (2) authenticate {
> (2) eap: Expiring EAP session with state 0xfcd853a7fddc4aaf
> (2) eap: Finished EAP session with state 0xfcd853a7fddc4aaf
> (2) eap: Previous EAP request found for state 0xfcd853a7fddc4aaf, released from the list
> (2) eap: Peer sent method PEAP (25)
> (2) eap: EAP PEAP (25)
> (2) eap: Calling eap_peap to process EAP data
> (2) eap_peap: processing EAP-TLS
> (2) eap_peap: Received TLS ACK
> (2) eap_peap: Received TLS ACK
> (2) eap_peap: ACK handshake fragment handler
> (2) eap_peap: eaptls_verify returned 1
> (2) eap_peap: eaptls_process returned 13
> (2) eap_peap: FR_TLS_HANDLED
> (2) eap: EAP session adding &reply:State = 0xfcd853a7fedd4aaf
> (2) [eap] = handled
> (2) } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
> (2) Post-Auth-Type sub-section not found. Ignoring.
> (2) # Executing group from file /etc/raddb/sites-enabled/default
> (2) Sent Access-Challenge Id 241 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
> (2) EAP-Message = 0x010503e8194087d363ae51e9fa919a6062082c2ab782a717d7fede947271bcbe38ea3b9d04ee4cef44da92b58dfea437ba6764fd97950d4f99cb8e1b38b721f29b087ce94f71868ec5554e72d8d3a6f9a11c4108d6c8a7945c60f03a9991d841074df483c1574367aee17dbd11aaab0004e5308204e130
> (2) Message-Authenticator = 0x00000000000000000000000000000000
> (2) State = 0xfcd853a7fedd4aafb400e9d91b88b168
> (2) Finished request
> Waking up in 4.9 seconds.
> (3) Received Access-Request Id 242 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243
> (3) User-Name = 'vdiuser001'
> (3) Calling-Station-Id = '00-c0-a8-c6-d7-79'
> (3) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
> (3) NAS-Port = 13
> (3) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
> (3) NAS-IP-Address = 10.70.1.1
> (3) NAS-Identifier = 'Cisco-WLC-5508'
> (3) Airespace-Wlan-Id = 9
> (3) Service-Type = Framed-User
> (3) Framed-MTU = 1300
> (3) NAS-Port-Type = Wireless-802.11
> (3) Tunnel-Type:0 = VLAN
> (3) Tunnel-Medium-Type:0 = IEEE-802
> (3) Tunnel-Private-Group-Id:0 = '212'
> (3) EAP-Message = 0x020500061900
> (3) State = 0xfcd853a7fedd4aafb400e9d91b88b168
> (3) Message-Authenticator = 0x0adea1512f939350fd4ac3a6ab9f2460
> (3) session-state: No cached attributes
> (3) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (3) authorize {
> (3) policy filter_username {
> (3) if (!&User-Name) {
> (3) if (!&User-Name) -> FALSE
> (3) if (&User-Name =~ / /) {
> (3) if (&User-Name =~ / /) -> FALSE
> (3) if (&User-Name =~ /@.*@/ ) {
> (3) if (&User-Name =~ /@.*@/ ) -> FALSE
> (3) if (&User-Name =~ /\.\./ ) {
> (3) if (&User-Name =~ /\.\./ ) -> FALSE
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
> (3) if (&User-Name =~ /\.$/) {
> (3) if (&User-Name =~ /\.$/) -> FALSE
> (3) if (&User-Name =~ /(a)\./) {
> (3) if (&User-Name =~ /(a)\./) -> FALSE
> (3) } # policy filter_username = notfound
> (3) [preprocess] = ok
> (3) [chap] = noop
> (3) [mschap] = noop
> (3) [digest] = noop
> (3) suffix: Checking for suffix after "@"
> (3) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (3) suffix: No such realm "NULL"
> (3) [suffix] = noop
> (3) eap: Peer sent code Response (2) ID 5 length 6
> (3) eap: Continuing tunnel setup
> (3) [eap] = ok
> (3) } # authorize = ok
> (3) Found Auth-Type = EAP
> (3) # Executing group from file /etc/raddb/sites-enabled/default
> (3) authenticate {
> (3) eap: Expiring EAP session with state 0xfcd853a7fedd4aaf
> (3) eap: Finished EAP session with state 0xfcd853a7fedd4aaf
> (3) eap: Previous EAP request found for state 0xfcd853a7fedd4aaf, released from the list
> (3) eap: Peer sent method PEAP (25)
> (3) eap: EAP PEAP (25)
> (3) eap: Calling eap_peap to process EAP data
> (3) eap_peap: processing EAP-TLS
> (3) eap_peap: Received TLS ACK
> (3) eap_peap: Received TLS ACK
> (3) eap_peap: ACK handshake fragment handler
> (3) eap_peap: eaptls_verify returned 1
> (3) eap_peap: eaptls_process returned 13
> (3) eap_peap: FR_TLS_HANDLED
> (3) eap: EAP session adding &reply:State = 0xfcd853a7ffde4aaf
> (3) [eap] = handled
> (3) } # authenticate = handled
> (3) Using Post-Auth-Type Challenge
> (3) Post-Auth-Type sub-section not found. Ignoring.
> (3) # Executing group from file /etc/raddb/sites-enabled/default
> (3) Sent Access-Challenge Id 242 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
> (3) EAP-Message = 0x010602ce190020417574686f72697479820900cf57e5d1f44e11e4300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d010105050003820101001a21
> (3) Message-Authenticator = 0x00000000000000000000000000000000
> (3) State = 0xfcd853a7ffde4aafb400e9d91b88b168
> (3) Finished request
> Waking up in 4.9 seconds.
> (4) Received Access-Request Id 243 from 10.70.1.1:32770 to 10.10.10.3:1812 length 381
> (4) User-Name = 'vdiuser001'
> (4) Calling-Station-Id = '00-c0-a8-c6-d7-79'
> (4) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
> (4) NAS-Port = 13
> (4) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
> (4) NAS-IP-Address = 10.70.1.1
> (4) NAS-Identifier = 'Cisco-WLC-5508'
> (4) Airespace-Wlan-Id = 9
> (4) Service-Type = Framed-User
> (4) Framed-MTU = 1300
> (4) NAS-Port-Type = Wireless-802.11
> (4) Tunnel-Type:0 = VLAN
> (4) Tunnel-Medium-Type:0 = IEEE-802
> (4) Tunnel-Private-Group-Id:0 = '212'
> (4) EAP-Message = 0x020600901980000000861603010046100000424104659013060486276c41b5734d0c4799ba9d6cb700dabbbc6bfa68a9b3b0c3b237b6f7ee8c9a194b8a20645279d3c7e05b5a7ee14383257f83eadf85aab1fc7d0d140301000101160301003042a06361b3cb896ea1b0476e10371b8eed883122419379
> (4) State = 0xfcd853a7ffde4aafb400e9d91b88b168
> (4) Message-Authenticator = 0x3674700353af1563ff78522ff0bf447d
> (4) session-state: No cached attributes
> (4) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (4) authorize {
> (4) policy filter_username {
> (4) if (!&User-Name) {
> (4) if (!&User-Name) -> FALSE
> (4) if (&User-Name =~ / /) {
> (4) if (&User-Name =~ / /) -> FALSE
> (4) if (&User-Name =~ /@.*@/ ) {
> (4) if (&User-Name =~ /@.*@/ ) -> FALSE
> (4) if (&User-Name =~ /\.\./ ) {
> (4) if (&User-Name =~ /\.\./ ) -> FALSE
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
> (4) if (&User-Name =~ /\.$/) {
> (4) if (&User-Name =~ /\.$/) -> FALSE
> (4) if (&User-Name =~ /(a)\./) {
> (4) if (&User-Name =~ /(a)\./) -> FALSE
> (4) } # policy filter_username = notfound
> (4) [preprocess] = ok
> (4) [chap] = noop
> (4) [mschap] = noop
> (4) [digest] = noop
> (4) suffix: Checking for suffix after "@"
> (4) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (4) suffix: No such realm "NULL"
> (4) [suffix] = noop
> (4) eap: Peer sent code Response (2) ID 6 length 144
> (4) eap: Continuing tunnel setup
> (4) [eap] = ok
> (4) } # authorize = ok
> (4) Found Auth-Type = EAP
> (4) # Executing group from file /etc/raddb/sites-enabled/default
> (4) authenticate {
> (4) eap: Expiring EAP session with state 0xfcd853a7ffde4aaf
> (4) eap: Finished EAP session with state 0xfcd853a7ffde4aaf
> (4) eap: Previous EAP request found for state 0xfcd853a7ffde4aaf, released from the list
> (4) eap: Peer sent method PEAP (25)
> (4) eap: EAP PEAP (25)
> (4) eap: Calling eap_peap to process EAP data
> (4) eap_peap: processing EAP-TLS
> (4) eap_peap: TLS Length 134
> (4) eap_peap: Length Included
> (4) eap_peap: eaptls_verify returned 11
> (4) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
> (4) eap_peap: TLS_accept: SSLv3 read client key exchange A
> (4) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001]
> (4) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished
> (4) eap_peap: TLS_accept: SSLv3 read finished A
> (4) eap_peap:>>> TLS 1.0 ChangeCipherSpec [length 0001]
> (4) eap_peap: TLS_accept: SSLv3 write change cipher spec A
> (4) eap_peap:>>> TLS 1.0 Handshake [length 0010], Finished
> (4) eap_peap: TLS_accept: SSLv3 write finished A
> (4) eap_peap: TLS_accept: SSLv3 flush data
> TLS: adding session e43d8045ba796d2e07fef583a7bcf15886ba3822b31a075eca43b74aab2086c9 to cache
> (4) eap_peap: (other): SSL negotiation finished successfully
> SSL Connection Established
> (4) eap_peap: eaptls_process returned 13
> (4) eap_peap: FR_TLS_HANDLED
> (4) eap: EAP session adding &reply:State = 0xfcd853a7f8df4aaf
> (4) [eap] = handled
> (4) } # authenticate = handled
> (4) Using Post-Auth-Type Challenge
> (4) Post-Auth-Type sub-section not found. Ignoring.
> (4) # Executing group from file /etc/raddb/sites-enabled/default
> (4) Sent Access-Challenge Id 243 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
> (4) EAP-Message = 0x0107004119001403010001011603010030805396c196ecd0cfbcdf4262de648ff5c61404e719706e413e8c67f9169d03f6075a93a6402c6cb3df2681c909c13ca5
> (4) Message-Authenticator = 0x00000000000000000000000000000000
> (4) State = 0xfcd853a7f8df4aafb400e9d91b88b168
> (4) Finished request
> Waking up in 4.9 seconds.
> (5) Received Access-Request Id 244 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243
> (5) User-Name = 'vdiuser001'
> (5) Calling-Station-Id = '00-c0-a8-c6-d7-79'
> (5) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
> (5) NAS-Port = 13
> (5) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
> (5) NAS-IP-Address = 10.70.1.1
> (5) NAS-Identifier = 'Cisco-WLC-5508'
> (5) Airespace-Wlan-Id = 9
> (5) Service-Type = Framed-User
> (5) Framed-MTU = 1300
> (5) NAS-Port-Type = Wireless-802.11
> (5) Tunnel-Type:0 = VLAN
> (5) Tunnel-Medium-Type:0 = IEEE-802
> (5) Tunnel-Private-Group-Id:0 = '212'
> (5) EAP-Message = 0x020700061900
> (5) State = 0xfcd853a7f8df4aafb400e9d91b88b168
> (5) Message-Authenticator = 0x75def782b74b9f6aaae4b726602f9eae
> (5) session-state: No cached attributes
> (5) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (5) authorize {
> (5) policy filter_username {
> (5) if (!&User-Name) {
> (5) if (!&User-Name) -> FALSE
> (5) if (&User-Name =~ / /) {
> (5) if (&User-Name =~ / /) -> FALSE
> (5) if (&User-Name =~ /@.*@/ ) {
> (5) if (&User-Name =~ /@.*@/ ) -> FALSE
> (5) if (&User-Name =~ /\.\./ ) {
> (5) if (&User-Name =~ /\.\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
> (5) if (&User-Name =~ /\.$/) {
> (5) if (&User-Name =~ /\.$/) -> FALSE
> (5) if (&User-Name =~ /(a)\./) {
> (5) if (&User-Name =~ /(a)\./) -> FALSE
> (5) } # policy filter_username = notfound
> (5) [preprocess] = ok
> (5) [chap] = noop
> (5) [mschap] = noop
> (5) [digest] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (5) suffix: No such realm "NULL"
> (5) [suffix] = noop
> (5) eap: Peer sent code Response (2) ID 7 length 6
> (5) eap: Continuing tunnel setup
> (5) [eap] = ok
> (5) } # authorize = ok
> (5) Found Auth-Type = EAP
> (5) # Executing group from file /etc/raddb/sites-enabled/default
> (5) authenticate {
> (5) eap: Expiring EAP session with state 0xfcd853a7f8df4aaf
> (5) eap: Finished EAP session with state 0xfcd853a7f8df4aaf
> (5) eap: Previous EAP request found for state 0xfcd853a7f8df4aaf, released from the list
> (5) eap: Peer sent method PEAP (25)
> (5) eap: EAP PEAP (25)
> (5) eap: Calling eap_peap to process EAP data
> (5) eap_peap: processing EAP-TLS
> (5) eap_peap: Received TLS ACK
> (5) eap_peap: Received TLS ACK
> (5) eap_peap: ACK handshake is finished
> (5) eap_peap: eaptls_verify returned 3
> (5) eap_peap: eaptls_process returned 3
> (5) eap_peap: FR_TLS_SUCCESS
> (5) eap_peap: Session established. Decoding tunneled attributes
> (5) eap_peap: PEAP state TUNNEL ESTABLISHED
> (5) eap: EAP session adding &reply:State = 0xfcd853a7f9d04aaf
> (5) [eap] = handled
> (5) } # authenticate = handled
> (5) Using Post-Auth-Type Challenge
> (5) Post-Auth-Type sub-section not found. Ignoring.
> (5) # Executing group from file /etc/raddb/sites-enabled/default
> (5) Sent Access-Challenge Id 244 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
> (5) EAP-Message = 0x0108002b19001703010020e9acf4878f2cf9c9c79de729087ad3e19b253b8c0e50b1c26443853c5c984637
> (5) Message-Authenticator = 0x00000000000000000000000000000000
> (5) State = 0xfcd853a7f9d04aafb400e9d91b88b168
> (5) Finished request
> Waking up in 4.9 seconds.
> (6) Received Access-Request Id 245 from 10.70.1.1:32770 to 10.10.10.3:1812 length 280
> (6) User-Name = 'vdiuser001'
> (6) Calling-Station-Id = '00-c0-a8-c6-d7-79'
> (6) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
> (6) NAS-Port = 13
> (6) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
> (6) NAS-IP-Address = 10.70.1.1
> (6) NAS-Identifier = 'Cisco-WLC-5508'
> (6) Airespace-Wlan-Id = 9
> (6) Service-Type = Framed-User
> (6) Framed-MTU = 1300
> (6) NAS-Port-Type = Wireless-802.11
> (6) Tunnel-Type:0 = VLAN
> (6) Tunnel-Medium-Type:0 = IEEE-802
> (6) Tunnel-Private-Group-Id:0 = '212'
> (6) EAP-Message = 0x0208002b190017030100204283191b2685faf2b92c873c8c3972380e81ab3a78cc797b6518e8af45963138
> (6) State = 0xfcd853a7f9d04aafb400e9d91b88b168
> (6) Message-Authenticator = 0x36d173beae56175a27434016ac0a82cb
> (6) session-state: No cached attributes
> (6) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (6) authorize {
> (6) policy filter_username {
> (6) if (!&User-Name) {
> (6) if (!&User-Name) -> FALSE
> (6) if (&User-Name =~ / /) {
> (6) if (&User-Name =~ / /) -> FALSE
> (6) if (&User-Name =~ /@.*@/ ) {
> (6) if (&User-Name =~ /@.*@/ ) -> FALSE
> (6) if (&User-Name =~ /\.\./ ) {
> (6) if (&User-Name =~ /\.\./ ) -> FALSE
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
> (6) if (&User-Name =~ /\.$/) {
> (6) if (&User-Name =~ /\.$/) -> FALSE
> (6) if (&User-Name =~ /(a)\./) {
> (6) if (&User-Name =~ /(a)\./) -> FALSE
> (6) } # policy filter_username = notfound
> (6) [preprocess] = ok
> (6) [chap] = noop
> (6) [mschap] = noop
> (6) [digest] = noop
> (6) suffix: Checking for suffix after "@"
> (6) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (6) suffix: No such realm "NULL"
> (6) [suffix] = noop
> (6) eap: Peer sent code Response (2) ID 8 length 43
> (6) eap: Continuing tunnel setup
> (6) [eap] = ok
> (6) } # authorize = ok
> (6) Found Auth-Type = EAP
> (6) # Executing group from file /etc/raddb/sites-enabled/default
> (6) authenticate {
> (6) eap: Expiring EAP session with state 0xfcd853a7f9d04aaf
> (6) eap: Finished EAP session with state 0xfcd853a7f9d04aaf
> (6) eap: Previous EAP request found for state 0xfcd853a7f9d04aaf, released from the list
> (6) eap: Peer sent method PEAP (25)
> (6) eap: EAP PEAP (25)
> (6) eap: Calling eap_peap to process EAP data
> (6) eap_peap: processing EAP-TLS
> (6) eap_peap: eaptls_verify returned 7
> (6) eap_peap: Done initial handshake
> (6) eap_peap: eaptls_process returned 7
> (6) eap_peap: FR_TLS_OK
> (6) eap_peap: Session established. Decoding tunneled attributes
> (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
> (6) eap_peap: Identity - vdiuser001
> (6) eap_peap: Got inner identity 'vdiuser001'
> (6) eap_peap: Setting default EAP type for tunneled EAP session
> (6) eap_peap: Got tunneled request
> (6) eap_peap: EAP-Message = 0x0208000f0176646975736572303031
> (6) eap_peap: Setting User-Name to vdiuser001
> (6) eap_peap: Sending tunneled request to inner-tunnel
> (6) eap_peap: EAP-Message = 0x0208000f0176646975736572303031
> (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
> (6) eap_peap: User-Name = 'vdiuser001'
> (6) Virtual server inner-tunnel received request
> (6) EAP-Message = 0x0208000f0176646975736572303031
> (6) FreeRADIUS-Proxied-To = 127.0.0.1
> (6) User-Name = 'vdiuser001'
> (6) server inner-tunnel {
> (6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
> (6) authorize {
> (6) [chap] = noop
> (6) [mschap] = noop
> (6) suffix: Checking for suffix after "@"
> (6) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (6) suffix: No such realm "NULL"
> (6) [suffix] = noop
> (6) update control {
> (6) &Proxy-To-Realm := LOCAL
> (6) } # update control = noop
> (6) eap: Peer sent code Response (2) ID 8 length 15
> (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
> (6) [eap] = ok
> (6) } # authorize = ok
> (6) Found Auth-Type = EAP
> (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (6) authenticate {
> (6) eap: Peer sent method Identity (1)
> (6) eap: Calling eap_mschapv2 to process EAP data
> (6) eap_mschapv2: Issuing Challenge
> (6) eap: EAP session adding &reply:State = 0x6a2b492e6a22538f
> (6) [eap] = handled
> (6) } # authenticate = handled
> (6) } # server inner-tunnel
> (6) Virtual server sending reply
> (6) EAP-Message = 0x0109002a1a01090025107dea2c3598e93665587b4dba43189cfa667265657261646975732d332e302e39
> (6) Message-Authenticator = 0x00000000000000000000000000000000
> (6) State = 0x6a2b492e6a22538fe503884f9d44e7ff
> (6) eap_peap: Got tunneled reply code 11
> (6) eap_peap: EAP-Message = 0x0109002a1a01090025107dea2c3598e93665587b4dba43189cfa667265657261646975732d332e302e39
> (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (6) eap_peap: State = 0x6a2b492e6a22538fe503884f9d44e7ff
> (6) eap_peap: Got tunneled reply RADIUS code 11
> (6) eap_peap: EAP-Message = 0x0109002a1a01090025107dea2c3598e93665587b4dba43189cfa667265657261646975732d332e302e39
> (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (6) eap_peap: State = 0x6a2b492e6a22538fe503884f9d44e7ff
> (6) eap_peap: Got tunneled Access-Challenge
> (6) eap: EAP session adding &reply:State = 0xfcd853a7fad14aaf
> (6) [eap] = handled
> (6) } # authenticate = handled
> (6) Using Post-Auth-Type Challenge
> (6) Post-Auth-Type sub-section not found. Ignoring.
> (6) # Executing group from file /etc/raddb/sites-enabled/default
> (6) Sent Access-Challenge Id 245 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
> (6) EAP-Message = 0x0109004b190017030100406a3b46095fb10b93a11e13b5e74fc5eac154270b5a9ef8fdfb482c1dab2a759a4872e47dec1beaf306303e2a07d5e762b3381999cc96604175fe9c6adf84eab2
> (6) Message-Authenticator = 0x00000000000000000000000000000000
> (6) State = 0xfcd853a7fad14aafb400e9d91b88b168
> (6) Finished request
> Waking up in 4.9 seconds.
> (7) Received Access-Request Id 246 from 10.70.1.1:32770 to 10.10.10.3:1812 length 344
> (7) User-Name = 'vdiuser001'
> (7) Calling-Station-Id = '00-c0-a8-c6-d7-79'
> (7) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
> (7) NAS-Port = 13
> (7) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
> (7) NAS-IP-Address = 10.70.1.1
> (7) NAS-Identifier = 'Cisco-WLC-5508'
> (7) Airespace-Wlan-Id = 9
> (7) Service-Type = Framed-User
> (7) Framed-MTU = 1300
> (7) NAS-Port-Type = Wireless-802.11
> (7) Tunnel-Type:0 = VLAN
> (7) Tunnel-Medium-Type:0 = IEEE-802
> (7) Tunnel-Private-Group-Id:0 = '212'
> (7) EAP-Message = 0x0209006b19001703010060e3ebfd336d1c0bb5d36d68ac263e5e6d7f80e8a1e28be6bc752c0d06555b63f06367b0ca1803b17f092d89c35ce418ecce8b1425853a3dd6ccd16a292e80e46a1ecc98ba53222a0c1cccc827075993197807413d5778b2712ce2ad3eae35d7ce
> (7) State = 0xfcd853a7fad14aafb400e9d91b88b168
> (7) Message-Authenticator = 0x4c9a2819e43b37c8eadf9473681308a2
> (7) session-state: No cached attributes
> (7) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (7) authorize {
> (7) policy filter_username {
> (7) if (!&User-Name) {
> (7) if (!&User-Name) -> FALSE
> (7) if (&User-Name =~ / /) {
> (7) if (&User-Name =~ / /) -> FALSE
> (7) if (&User-Name =~ /@.*@/ ) {
> (7) if (&User-Name =~ /@.*@/ ) -> FALSE
> (7) if (&User-Name =~ /\.\./ ) {
> (7) if (&User-Name =~ /\.\./ ) -> FALSE
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
> (7) if (&User-Name =~ /\.$/) {
> (7) if (&User-Name =~ /\.$/) -> FALSE
> (7) if (&User-Name =~ /(a)\./) {
> (7) if (&User-Name =~ /(a)\./) -> FALSE
> (7) } # policy filter_username = notfound
> (7) [preprocess] = ok
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) [digest] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7) [suffix] = noop
> (7) eap: Peer sent code Response (2) ID 9 length 107
> (7) eap: Continuing tunnel setup
> (7) [eap] = ok
> (7) } # authorize = ok
> (7) Found Auth-Type = EAP
> (7) # Executing group from file /etc/raddb/sites-enabled/default
> (7) authenticate {
> (7) eap: Expiring EAP session with state 0x6a2b492e6a22538f
> (7) eap: Finished EAP session with state 0xfcd853a7fad14aaf
> (7) eap: Previous EAP request found for state 0xfcd853a7fad14aaf, released from the list
> (7) eap: Peer sent method PEAP (25)
> (7) eap: EAP PEAP (25)
> (7) eap: Calling eap_peap to process EAP data
> (7) eap_peap: processing EAP-TLS
> (7) eap_peap: eaptls_verify returned 7
> (7) eap_peap: Done initial handshake
> (7) eap_peap: eaptls_process returned 7
> (7) eap_peap: FR_TLS_OK
> (7) eap_peap: Session established. Decoding tunneled attributes
> (7) eap_peap: PEAP state phase2
> (7) eap_peap: EAP type MSCHAPv2 (26)
> (7) eap_peap: Got tunneled request
> (7) eap_peap: EAP-Message = 0x020900451a0209004031f720f64e114a568afc3428e187fef2d20000000000000000bcae7bc9d2c22a1291791a130d422a537209282de03718a00076646975736572303031
> (7) eap_peap: Setting User-Name to vdiuser001
> (7) eap_peap: Sending tunneled request to inner-tunnel
> (7) eap_peap: EAP-Message = 0x020900451a0209004031f720f64e114a568afc3428e187fef2d20000000000000000bcae7bc9d2c22a1291791a130d422a537209282de03718a00076646975736572303031
> (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
> (7) eap_peap: User-Name = 'vdiuser001'
> (7) eap_peap: State = 0x6a2b492e6a22538fe503884f9d44e7ff
> (7) Virtual server inner-tunnel received request
> (7) EAP-Message = 0x020900451a0209004031f720f64e114a568afc3428e187fef2d20000000000000000bcae7bc9d2c22a1291791a130d422a537209282de03718a00076646975736572303031
> (7) FreeRADIUS-Proxied-To = 127.0.0.1
> (7) User-Name = 'vdiuser001'
> (7) State = 0x6a2b492e6a22538fe503884f9d44e7ff
> (7) server inner-tunnel {
> (7) session-state: No cached attributes
> (7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
> (7) authorize {
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7) [suffix] = noop
> (7) update control {
> (7) &Proxy-To-Realm := LOCAL
> (7) } # update control = noop
> (7) eap: Peer sent code Response (2) ID 9 length 69
> (7) eap: No EAP Start, assuming it's an on-going EAP conversation
> (7) [eap] = updated
> (7) [files] = noop
> (7) sql: EXPAND %{User-Name}
> (7) sql: --> vdiuser001
> (7) sql: SQL-User-Name set to 'vdiuser001'
> rlm_sql (sql): Reserved connection (0)
> (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
> (7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id
> (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id
> (7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
> (7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority
> (7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority
> (7) sql: User not found in any groups
> rlm_sql (sql): Released connection (0)
> rlm_sql (sql): Closing connection (1), from 1 unused connections
> rlm_sql_mysql: Socket destructor called, closing socket
> (7) [sql] = notfound
> rlm_ldap (ldap): Reserved connection (0)
> (7) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
> (7) ldap: --> (sAMAccountName=vdiuser001)
> (7) ldap: Performing search in "ou=_TerAA_Users,dc=teraa,dc=local" with filter "(sAMAccountName=vdiuser001)", scope "sub"
> (7) ldap: Waiting for search result...
> (7) ldap: User object found at DN "CN=VDIuser001,OU=VDI,OU=PRS,OU=_TerAA_Users,DC=teraa,DC=local"
> (7) ldap: Processing user attributes
> (7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the
> password attribute
> (7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Released connection (0)
> rlm_ldap (ldap): Closing connection (1), from 1 unused connections
> (7) [ldap] = ok
> (7) if (control:Ldap-UserDn =~ /OU=EDU/) {
> (7) if (control:Ldap-UserDn =~ /OU=EDU/) -> FALSE
> (7) elsif (control:Ldap-UserDn =~ /OU=PRS/) {
> (7) elsif (control:Ldap-UserDn =~ /OU=PRS/) -> TRUE
> (7) elsif (control:Ldap-UserDn =~ /OU=PRS/) {
> (7) update control {
> (7) Simultaneous-Use := 3
> (7) } # update control = noop
> (7) update outer.session-state {
> (7) Tunnel-type = VLAN
> (7) Tunnel-medium-type = IEEE-802
> (7) Tunnel-Private-Group-Id = PRS-WIFI-Client
> (7) } # update outer.session-state = noop
> (7) } # elsif (control:Ldap-UserDn =~ /OU=PRS/) = noop
> (7) ... skipping elsif for request 7: Preceding "if" was taken
> (7) ... skipping else for request 7: Preceding "if" was taken
> (7) [expiration] = noop
> (7) [logintime] = noop
> (7) [pap] = noop
> (7) } # authorize = updated
> (7) Found Auth-Type = EAP
> (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (7) authenticate {
> (7) eap: Expiring EAP session with state 0x6a2b492e6a22538f
> (7) eap: Finished EAP session with state 0x6a2b492e6a22538f
> (7) eap: Previous EAP request found for state 0x6a2b492e6a22538f, released from the list
> (7) eap: Peer sent method MSCHAPv2 (26)
> (7) eap: EAP MSCHAPv2 (26)
> (7) eap: Calling eap_mschapv2 to process EAP data
> (7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (7) eap_mschapv2: Auth-Type MS-CHAP {
> (7) mschap: Creating challenge hash with username: vdiuser001
> (7) mschap: Client is using MS-CHAPv2
> (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
>
> (7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (7) mschap: --> --username=vdiuser001
> (7) mschap: Creating challenge hash with username: vdiuser001
> (7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (7) mschap: --> --challenge=9f432e6abc4ec74e
> (7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (7) mschap: --> --nt-response=bcae7bc9d2c22a1291791a130d422a537209282de03718a0
> (7) mschap: ERROR: Program returned code (1) and output 'Must change password (0xc0000224)'
> (7) mschap: ERROR: Must change password (0xc0000224)
> (7) mschap: Password has expired. The user should retry authentication
> (7) [mschap] = reject
> (7) } # Auth-Type MS-CHAP = reject
> (7) MSCHAP-Error: E=648 R=1 C=00063b49e7c084b7016b35ab4336020d V=3 M=Password Expired
> (7) Found new challenge from MS-CHAP-Error: err=648 retry=1 challenge=00063b49e7c084b7016b35ab4336020d
> (7) ERROR: MSCHAP Failure
> (7) eap: EAP session adding &reply:State = 0x6a2b492e6b21538f
> (7) [eap] = handled
> (7) } # authenticate = handled
> (7) } # server inner-tunnel
> (7) Virtual server sending reply
> (7) EAP-Message = 0x010a004c1a04090047453d36343820523d3120433d303030363362343965376330383462373031366233356162343333363032306420563d33204d3d50617373776f72642045787069726564
> (7) Message-Authenticator = 0x00000000000000000000000000000000
> (7) State = 0x6a2b492e6b21538fe503884f9d44e7ff
> (7) eap_peap: Got tunneled reply code 11
> (7) eap_peap: EAP-Message = 0x010a004c1a04090047453d36343820523d3120433d303030363362343965376330383462373031366233356162343333363032306420563d33204d3d50617373776f72642045787069726564
> (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (7) eap_peap: State = 0x6a2b492e6b21538fe503884f9d44e7ff
> (7) eap_peap: Got tunneled reply RADIUS code 11
> (7) eap_peap: EAP-Message = 0x010a004c1a04090047453d36343820523d3120433d303030363362343965376330383462373031366233356162343333363032306420563d33204d3d50617373776f72642045787069726564
> (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (7) eap_peap: State = 0x6a2b492e6b21538fe503884f9d44e7ff
> (7) eap_peap: Got tunneled Access-Challenge
> (7) eap: EAP session adding &reply:State = 0xfcd853a7fbd24aaf
> (7) [eap] = handled
> (7) } # authenticate = handled
> (7) Using Post-Auth-Type Challenge
> (7) Post-Auth-Type sub-section not found. Ignoring.
> (7) # Executing group from file /etc/raddb/sites-enabled/default
> (7) session-state: Saving cached attributes
> (7) Tunnel-Type = VLAN
> (7) Tunnel-Medium-Type = IEEE-802
> (7) Tunnel-Private-Group-Id = 'PRS-WIFI-Client'
> (7) Sent Access-Challenge Id 246 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
> (7) EAP-Message = 0x010a006b19001703010060b3897a1c79b4063ee3eea85ec0eb5b1ffef302d6c90c1819ac828808598205d33c2dbad5a1af49ff0f8add5f0cb05a598bdae558b2e839b44204ac2b0fbc80437323b4f46871add958ea20f13a19e66bb6c2402389e445ba3305ffea4be0b16b
> (7) Message-Authenticator = 0x00000000000000000000000000000000
> (7) State = 0xfcd853a7fbd24aafb400e9d91b88b168
> (7) Finished request
>
> ________________________________
>> Subject: Re: Pass change/expiry problem
>> From: A.L.M.Buxey(a)lboro.ac.uk
>> Date: Wed, 3 Jun 2015 08:20:33 +0100
>> To: freeradius-users(a)lists.freeradius.org;
>> richardvanderveen(a)outlook.com; freeradius-users(a)lists.freeradius.org
>>
>> I seem to recall a very recent change related to that feature. Can you
>> try the latest pre 3.0.9 release (get it via git)?
>>
>> alan
>
3
4
updates:
I added the sql file which contains the connection information to mysql db
into the mods-enabled (find the find attached).
Now when I try to start my radiusd it failed with following errors:
[root@freeradius mods-enabled]# systemctl status radiusd
radiusd.service - FreeRADIUS high performance RADIUS server.
Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled)
Active: failed (Result: exit-code) since mar. 2015-06-09 09:09:35 UTC;
1min 33s ago
Process: 20981 ExecStartPre=/usr/sbin/radiusd -C (code=exited,
status=1/FAILURE)
Process: 20979 ExecStartPre=/bin/chown -R radiusd.radiusd
/var/run/radiusd (code=exited, status=0/SUCCESS)
juin 09 09:09:35 freeradius systemd[1]: Starting FreeRADIUS high
performance RADIUS server....
juin 09 09:09:35 freeradius systemd[1]: radiusd.service: control process
exited, code=exited status=1
juin 09 09:09:35 freeradius systemd[1]: Failed to start FreeRADIUS high
performance RADIUS server..
juin 09 09:09:35 freeradius systemd[1]: Unit radiusd.service entered failed
state.
[root@freeradius mods-enabled]# systemctl start radiusd
Job for radiusd.service failed. See 'systemctl status radiusd.service' and
'journalctl -xn' for details.
and when I do radiusd -X i got the msg Ready to process requests.
Is it normal??
2015-06-09 10:52 GMT+02:00 ICHIBA Sara <ichi.sara(a)gmail.com>:
> it's me again i'm looking for the sql.conf file where I can provide the
> connection info related to mysql database.
>
> 2015-06-09 10:04 GMT+02:00 ICHIBA Sara <ichi.sara(a)gmail.com>:
>
>> Thank you for your response; Actually I can see now that I have the files
>> needed but I'm confused which one to choose. I think I should go with the
>> main/mysql folder. Am I right?
>>
>> /etc/raddb/mods-config/sql/counter/mysql
>> /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
>> /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
>> /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
>> /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
>> /etc/raddb/mods-config/sql/cui/mysql
>> /etc/raddb/mods-config/sql/cui/mysql/queries.conf
>> /etc/raddb/mods-config/sql/cui/mysql/schema.sql
>> /etc/raddb/mods-config/sql/ippool-dhcp/mysql
>> /etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf
>> /etc/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql
>> /etc/raddb/mods-config/sql/ippool/mysql
>> /etc/raddb/mods-config/sql/ippool/mysql/queries.conf
>> /etc/raddb/mods-config/sql/ippool/mysql/schema.sql
>> /etc/raddb/mods-config/sql/main/mysql
>> /etc/raddb/mods-config/sql/main/mysql/extras
>> /etc/raddb/mods-config/sql/main/mysql/extras/wimax
>> /etc/raddb/mods-config/sql/main/mysql/extras/wimax/queries.conf
>> /etc/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql
>> /etc/raddb/mods-config/sql/main/mysql/queries.conf
>> /etc/raddb/mods-config/sql/main/mysql/schema.sql
>> /etc/raddb/mods-config/sql/main/mysql/setup.sql
>> /etc/raddb/mods-config/sql/main/ndb
>> /etc/raddb/mods-config/sql/main/ndb/README
>> /etc/raddb/mods-config/sql/main/ndb/schema.sql
>> /etc/raddb/mods-config/sql/main/ndb/setup.sql
>> /usr/lib64/freeradius/rlm_sql_mysql.so
>>
>>
>>
>> 2015-06-09 9:27 GMT+02:00 ICHIBA Sara <ichi.sara(a)gmail.com>:
>>
>>> hello there,
>>>
>>> I'm trying to install freeradius on a centos 7 VM. So far I installed
>>> mariadb-server 1:5.5.41-2.el7_0 , freeradius 3.0.4-6.el7 ,
>>> freeradius-mysql 3.0.4-6.el7 and freeradius-utils 3.0.4-6.el7 .
>>>
>>> I'm using yum to install these packages. But when I try to import the
>>> sql schema i can't find it.
>>>
>>> any ideas? What's wrong whith what I did??
>>>
>>
>>
>
2
2
Thank you for your response; Actually I can see now that I have the files
needed but I'm confused which one to choose. I think I should go with the
main/mysql folder. Am I right?
/etc/raddb/mods-config/sql/counter/mysql
/etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
/etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
/etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
/etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
/etc/raddb/mods-config/sql/cui/mysql
/etc/raddb/mods-config/sql/cui/mysql/queries.conf
/etc/raddb/mods-config/sql/cui/mysql/schema.sql
/etc/raddb/mods-config/sql/ippool-dhcp/mysql
/etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf
/etc/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql
/etc/raddb/mods-config/sql/ippool/mysql
/etc/raddb/mods-config/sql/ippool/mysql/queries.conf
/etc/raddb/mods-config/sql/ippool/mysql/schema.sql
/etc/raddb/mods-config/sql/main/mysql
/etc/raddb/mods-config/sql/main/mysql/extras
/etc/raddb/mods-config/sql/main/mysql/extras/wimax
/etc/raddb/mods-config/sql/main/mysql/extras/wimax/queries.conf
/etc/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql
/etc/raddb/mods-config/sql/main/mysql/queries.conf
/etc/raddb/mods-config/sql/main/mysql/schema.sql
/etc/raddb/mods-config/sql/main/mysql/setup.sql
/etc/raddb/mods-config/sql/main/ndb
/etc/raddb/mods-config/sql/main/ndb/README
/etc/raddb/mods-config/sql/main/ndb/schema.sql
/etc/raddb/mods-config/sql/main/ndb/setup.sql
/usr/lib64/freeradius/rlm_sql_mysql.so
2015-06-09 9:27 GMT+02:00 ICHIBA Sara <ichi.sara(a)gmail.com>:
> hello there,
>
> I'm trying to install freeradius on a centos 7 VM. So far I installed
> mariadb-server 1:5.5.41-2.el7_0 , freeradius 3.0.4-6.el7 ,
> freeradius-mysql 3.0.4-6.el7 and freeradius-utils 3.0.4-6.el7 .
>
> I'm using yum to install these packages. But when I try to import the sql
> schema i can't find it.
>
> any ideas? What's wrong whith what I did??
>
1
1
hello there,
I'm trying to install freeradius on a centos 7 VM. So far I installed
mariadb-server 1:5.5.41-2.el7_0 , freeradius 3.0.4-6.el7 ,
freeradius-mysql 3.0.4-6.el7 and freeradius-utils 3.0.4-6.el7 .
I'm using yum to install these packages. But when I try to import the sql
schema i can't find it.
any ideas? What's wrong whith what I did??
2
1
Hi,
How do I realize this scenario?
I have Cisco IP phones which do 802.1X EAP-TLS with their manufactoring installed cert.
Behind (through the internal switch in the phone) there are clients which do 802.1X PEAP.
So the phone needs to validate against the Cisco CA and the client against another CA.
Is there any fallback mechanism so that I can specify 2 CA_file lines in the eap config file?
Or is there any other approach?
Thanks,
Chris
3
3