Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
July 2015
- 85 participants
- 131 discussions
Re: Re: freeradius doesn't see user in group (Active Directory) but user belong to this group
by stefan nowak 06 Jul '15
by stefan nowak 06 Jul '15
06 Jul '15
> Message: 1
> Date: Sat, 04 Jul 2015 11:44:01 -0400
> From: Brendan Kearney <bpk678(a)gmail.com>
> To: freeradius-users(a)lists.freeradius.org
> Subject: Re: freeradius doesn't see user in group (Active Directory)
> but user belong to this group
> Message-ID: <5597FF41.6050706(a)gmail.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On 07/04/2015 03:17 AM, stefan nowak wrote:
> > Hi All,
> >
> > since few days I've stocked with configuration freeradius. All works good
> > except one thing. I can't get info from Active Directory to freeradius in
> > which group user belong (this one I need to set vlan depend on group).
> > My version freeradius is 3.0.4
> >
> > as you can see below user "newuser" participate in group "computers",
> > here`s output from ldapsearch:
> >
> > dn: CN=newuser,CN=Users,DC=test,DC=ad,DC=com
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > cn: newuser
> > givenName: newuser
> > distinguishedName: CN=newuser,CN=Users,DC=test,DC=ad,DC=com
> > instanceType: 4
> > whenCreated: 20150702132126.0Z
> > whenChanged: 20150703105127.0Z
> > displayName: newuser
> > uSNCreated: 82039
> > memberOf: CN=computers,CN=Users,DC=test,DC=ad,DC=com
> > uSNChanged: 90187
> > name: newuser
> > objectGUID:: XX+6g4wMJEGdDfEOZF5Rgw==
> > userAccountControl: 66048
> > badPwdCount: 0
> > codePage: 0
> > countryCode: 0
> > badPasswordTime: 0
> > lastLogoff: 0
> > lastLogon: 0
> > pwdLastSet: 130803168865078125
> > primaryGroupID: 513
> > objectSid:: AQUAAAAAAAUVAAAAR3zVX0Ki+LP5AMXOVQQAAA==
> > accountExpires: 9223372036854775807
> > logonCount: 0
> > sAMAccountName: newuser
> > sAMAccountType: 805306368
> > userPrincipalName: newuser(a)test.ad.com
> > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=ad,DC=com
> > dSCorePropagationData: 16010101000000.0Z
> > lastLogonTimestamp: 130803172388710937
> >
> >
> > from log output I see that user "newuser" get access-accept but freeradius
> > didn`t find him in group "computers" here is output:
> >
> > Received Access-Request Id 182 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 129
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > EAP-Message = 0x0200000c016e657775736572
> > Message-Authenticator = 0x4331712c3046bdcd9eb1614539cc6375
> > (0) Received Access-Request packet from host 192.168.0.2 port 1812, id=182,
> > length=129
> > (0) NAS-IP-Address = 192.168.0.2
> > (0) NAS-Port = 50024
> > (0) NAS-Port-Type = Ethernet
> > (0) User-Name = 'newuser'
> > (0) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (0) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (0) Service-Type = Framed-User
> > (0) Framed-MTU = 1500
> > (0) EAP-Message = 0x0200000c016e657775736572
> > (0) Message-Authenticator = 0x4331712c3046bdcd9eb1614539cc6375
> > (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (0) authorize {
> > (0) filter_username filter_username {
> > (0) if (!&User-Name)
> > (0) if (!&User-Name) -> FALSE
> > (0) if (&User-Name =~ / /)
> > (0) if (&User-Name =~ / /) -> FALSE
> > (0) if (&User-Name =~ /@.*@/ )
> > (0) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (0) if (&User-Name =~ /\\.\\./ )
> > (0) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
> > (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
> > FALSE
> > (0) if (&User-Name =~ /\\.$/)
> > (0) if (&User-Name =~ /\\.$/) -> FALSE
> > (0) if (&User-Name =~ /(a)\\./)
> > (0) if (&User-Name =~ /(a)\\./) -> FALSE
> > (0) } # filter_username filter_username = notfound
> > (0) [preprocess] = ok
> > (0) [chap] = noop
> > (0) [mschap] = noop
> > (0) [digest] = noop
> > (0) suffix : Checking for suffix after "@"
> > (0) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (0) suffix : No such realm "NULL"
> > (0) [suffix] = noop
> > (0) eap : Peer sent code Response (2) ID 0 length 12
> > (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
> > rest of authorize
> > (0) [eap] = ok
> > (0) } # authorize = ok
> > (0) Found Auth-Type = EAP
> > (0) # Executing group from file /etc/raddb/sites-enabled/default
> > (0) authenticate {
> > (0) eap : Peer sent method Identity (1)
> > (0) eap : Calling eap_peap to process EAP data
> > (0) eap_peap : Flushing SSL sessions (of #0)
> > (0) eap_peap : Initiate
> > (0) eap_peap : Start returned 1
> > (0) eap : New EAP session, adding 'State' attribute to reply
> > 0x0e9027300e913e66
> > (0) [eap] = handled
> > (0) } # authenticate = handled
> > (0) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=182,
> > length=0
> > (0) EAP-Message = 0x010100061920
> > (0) Message-Authenticator = 0x00000000000000000000000000000000
> > (0) State = 0x0e9027300e913e6603c734ef610afcab
> > Sending Access-Challenge Id 182 from 192.168.0.10:1812 to 192.168.0.2:1812
> > EAP-Message = 0x010100061920
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x0e9027300e913e6603c734ef610afcab
> > (0) Finished request
> > Waking up in 0.3 seconds.
> > Received Access-Request Id 183 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 276
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > State = 0x0e9027300e913e6603c734ef610afcab
> > EAP-Message =
> > 0x0201008d198000000083160301007e0100007a0301559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f320fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d940018002f00350005000ac013c014c009c00a003200380013000401000019ff01000100000a0006000400170018000b0002010000230000
> > Message-Authenticator = 0x266af039e3fea82832098be1d93cc75f
> > (1) Received Access-Request packet from host 192.168.0.2 port 1812, id=183,
> > length=276
> > (1) NAS-IP-Address = 192.168.0.2
> > (1) NAS-Port = 50024
> > (1) NAS-Port-Type = Ethernet
> > (1) User-Name = 'newuser'
> > (1) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (1) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (1) Service-Type = Framed-User
> > (1) Framed-MTU = 1500
> > (1) State = 0x0e9027300e913e6603c734ef610afcab
> > (1) EAP-Message =
> > 0x0201008d198000000083160301007e0100007a0301559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f320fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d940018002f00350005000ac013c014c009c00a003200380013000401000019ff01000100000a0006000400170018000b0002010000230000
> > (1) Message-Authenticator = 0x266af039e3fea82832098be1d93cc75f
> > (1) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (1) authorize {
> > (1) filter_username filter_username {
> > (1) if (!&User-Name)
> > (1) if (!&User-Name) -> FALSE
> > (1) if (&User-Name =~ / /)
> > (1) if (&User-Name =~ / /) -> FALSE
> > (1) if (&User-Name =~ /@.*@/ )
> > (1) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (1) if (&User-Name =~ /\\.\\./ )
> > (1) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
> > (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
> > FALSE
> > (1) if (&User-Name =~ /\\.$/)
> > (1) if (&User-Name =~ /\\.$/) -> FALSE
> > (1) if (&User-Name =~ /(a)\\./)
> > (1) if (&User-Name =~ /(a)\\./) -> FALSE
> > (1) } # filter_username filter_username = notfound
> > (1) [preprocess] = ok
> > (1) [chap] = noop
> > (1) [mschap] = noop
> > (1) [digest] = noop
> > (1) suffix : Checking for suffix after "@"
> > (1) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (1) suffix : No such realm "NULL"
> > (1) [suffix] = noop
> > (1) eap : Peer sent code Response (2) ID 1 length 141
> > (1) eap : Continuing tunnel setup
> > (1) [eap] = ok
> > (1) } # authorize = ok
> > (1) Found Auth-Type = EAP
> > (1) # Executing group from file /etc/raddb/sites-enabled/default
> > (1) authenticate {
> > (1) eap : Expiring EAP session with state 0x0e9027300e913e66
> > (1) eap : Finished EAP session with state 0x0e9027300e913e66
> > (1) eap : Previous EAP request found for state 0x0e9027300e913e66,
> > released from the list
> > (1) eap : Peer sent method PEAP (25)
> > (1) eap : EAP PEAP (25)
> > (1) eap : Calling eap_peap to process EAP data
> > (1) eap_peap : processing EAP-TLS
> > TLS Length 131
> > (1) eap_peap : Length Included
> > (1) eap_peap : eaptls_verify returned 11
> > (1) eap_peap : (other): before/accept initialization
> > (1) eap_peap : TLS_accept: before/accept initialization
> > (1) eap_peap : <<< TLS 1.0 Handshake [length 007e], ClientHello
> > SSL: Client requested cached session
> > fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d94
> > (1) eap_peap : TLS_accept: SSLv3 read client hello A
> > (1) eap_peap : >>> TLS 1.0 Handshake [length 0051], ServerHello
> > (1) eap_peap : TLS_accept: SSLv3 write server hello A
> > (1) eap_peap : >>> TLS 1.0 Handshake [length 08d0], Certificate
> > (1) eap_peap : TLS_accept: SSLv3 write certificate A
> > (1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> > (1) eap_peap : TLS_accept: SSLv3 write server done A
> > (1) eap_peap : TLS_accept: SSLv3 flush data
> > (1) eap_peap : TLS_accept: Need to read more data: SSLv3 read client
> > certificate A
> > In SSL Handshake Phase
> > In SSL Accept mode
> > (1) eap_peap : eaptls_process returned 13
> > (1) eap_peap : FR_TLS_HANDLED
> > (1) eap : New EAP session, adding 'State' attribute to reply
> > 0x0e9027300f923e66
> > (1) [eap] = handled
> > (1) } # authenticate = handled
> > (1) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=183,
> > length=0
> > (1) EAP-Message =
> > 0x010203ec19c00000093416030100510200004d030155967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b3132048fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4002f000005ff0100010016030108d00b0008cc0008c90003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100cb6b06d9bfe3e7b3b07012c1ffbeb410e02e9a2c
> > (1) Message-Authenticator = 0x00000000000000000000000000000000
> > (1) State = 0x0e9027300f923e6603c734ef610afcab
> > Sending Access-Challenge Id 183 from 192.168.0.10:1812 to 192.168.0.2:1812
> > EAP-Message =
> > 0x010203ec19c00000093416030100510200004d030155967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b3132048fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4002f000005ff0100010016030108d00b0008cc0008c90003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100cb6b06d9bfe3e7b3b07012c1ffbeb410e02e9a2
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x0e9027300f923e6603c734ef610afcab
> > (1) Finished request
> > Waking up in 0.3 seconds.
> > Received Access-Request Id 184 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 141
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > State = 0x0e9027300f923e6603c734ef610afcab
> > EAP-Message = 0x020200061900
> > Message-Authenticator = 0x8f82b650b4b634e464ffc5f8d5f78feb
> > (2) Received Access-Request packet from host 192.168.0.2 port 1812, id=184,
> > length=141
> > (2) NAS-IP-Address = 192.168.0.2
> > (2) NAS-Port = 50024
> > (2) NAS-Port-Type = Ethernet
> > (2) User-Name = 'newuser'
> > (2) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (2) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (2) Service-Type = Framed-User
> > (2) Framed-MTU = 1500
> > (2) State = 0x0e9027300f923e6603c734ef610afcab
> > (2) EAP-Message = 0x020200061900
> > (2) Message-Authenticator = 0x8f82b650b4b634e464ffc5f8d5f78feb
> > (2) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (2) authorize {
> > (2) filter_username filter_username {
> > (2) if (!&User-Name)
> > (2) if (!&User-Name) -> FALSE
> > (2) if (&User-Name =~ / /)
> > (2) if (&User-Name =~ / /) -> FALSE
> > (2) if (&User-Name =~ /@.*@/ )
> > (2) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (2) if (&User-Name =~ /\\.\\./ )
> > (2) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
> > (2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
> > FALSE
> > (2) if (&User-Name =~ /\\.$/)
> > (2) if (&User-Name =~ /\\.$/) -> FALSE
> > (2) if (&User-Name =~ /(a)\\./)
> > (2) if (&User-Name =~ /(a)\\./) -> FALSE
> > (2) } # filter_username filter_username = notfound
> > (2) [preprocess] = ok
> > (2) [chap] = noop
> > (2) [mschap] = noop
> > (2) [digest] = noop
> > (2) suffix : Checking for suffix after "@"
> > (2) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (2) suffix : No such realm "NULL"
> > (2) [suffix] = noop
> > (2) eap : Peer sent code Response (2) ID 2 length 6
> > (2) eap : Continuing tunnel setup
> > (2) [eap] = ok
> > (2) } # authorize = ok
> > (2) Found Auth-Type = EAP
> > (2) # Executing group from file /etc/raddb/sites-enabled/default
> > (2) authenticate {
> > (2) eap : Expiring EAP session with state 0x0e9027300f923e66
> > (2) eap : Finished EAP session with state 0x0e9027300f923e66
> > (2) eap : Previous EAP request found for state 0x0e9027300f923e66,
> > released from the list
> > (2) eap : Peer sent method PEAP (25)
> > (2) eap : EAP PEAP (25)
> > (2) eap : Calling eap_peap to process EAP data
> > (2) eap_peap : processing EAP-TLS
> > (2) eap_peap : Received TLS ACK
> > (2) eap_peap : Received TLS ACK
> > (2) eap_peap : ACK handshake fragment handler
> > (2) eap_peap : eaptls_verify returned 1
> > (2) eap_peap : eaptls_process returned 13
> > (2) eap_peap : FR_TLS_HANDLED
> > (2) eap : New EAP session, adding 'State' attribute to reply
> > 0x0e9027300c933e66
> > (2) [eap] = handled
> > (2) } # authenticate = handled
> > (2) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=184,
> > length=0
> > (2) EAP-Message =
> > 0x010303e819405dadee37810b310ed26be4bf84d74c93ed4bec31d3134bb7a82b63f7c127649298b74b8aaa1cb9fcc7f38620180bc143afd04d038ef800534cc721eb60db5cbc61c6b9b07e52b2be16b702215ff87201c227e511bc39694982461c2d21008a4b0a0004e5308204e1308203c9a003020102020900d341ec42790a6fe5300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082
> > (2) Message-Authenticator = 0x00000000000000000000000000000000
> > (2) State = 0x0e9027300c933e6603c734ef610afcab
> > Sending Access-Challenge Id 184 from 192.168.0.10:1812 to 192.168.0.2:1812
> > EAP-Message =
> > 0x010303e819405dadee37810b310ed26be4bf84d74c93ed4bec31d3134bb7a82b63f7c127649298b74b8aaa1cb9fcc7f38620180bc143afd04d038ef800534cc721eb60db5cbc61c6b9b07e52b2be16b702215ff87201c227e511bc39694982461c2d21008a4b0a0004e5308204e1308203c9a003020102020900d341ec42790a6fe5300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f00308
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x0e9027300c933e6603c734ef610afcab
> > (2) Finished request
> > Waking up in 0.3 seconds.
> > Received Access-Request Id 185 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 141
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > State = 0x0e9027300c933e6603c734ef610afcab
> > EAP-Message = 0x020300061900
> > Message-Authenticator = 0x4612243013b59207a7128ea3f82af7c3
> > (3) Received Access-Request packet from host 192.168.0.2 port 1812, id=185,
> > length=141
> > (3) NAS-IP-Address = 192.168.0.2
> > (3) NAS-Port = 50024
> > (3) NAS-Port-Type = Ethernet
> > (3) User-Name = 'newuser'
> > (3) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (3) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (3) Service-Type = Framed-User
> > (3) Framed-MTU = 1500
> > (3) State = 0x0e9027300c933e6603c734ef610afcab
> > (3) EAP-Message = 0x020300061900
> > (3) Message-Authenticator = 0x4612243013b59207a7128ea3f82af7c3
> > (3) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (3) authorize {
> > (3) filter_username filter_username {
> > (3) if (!&User-Name)
> > (3) if (!&User-Name) -> FALSE
> > (3) if (&User-Name =~ / /)
> > (3) if (&User-Name =~ / /) -> FALSE
> > (3) if (&User-Name =~ /@.*@/ )
> > (3) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (3) if (&User-Name =~ /\\.\\./ )
> > (3) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
> > (3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
> > FALSE
> > (3) if (&User-Name =~ /\\.$/)
> > (3) if (&User-Name =~ /\\.$/) -> FALSE
> > (3) if (&User-Name =~ /(a)\\./)
> > (3) if (&User-Name =~ /(a)\\./) -> FALSE
> > (3) } # filter_username filter_username = notfound
> > (3) [preprocess] = ok
> > (3) [chap] = noop
> > (3) [mschap] = noop
> > (3) [digest] = noop
> > (3) suffix : Checking for suffix after "@"
> > (3) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (3) suffix : No such realm "NULL"
> > (3) [suffix] = noop
> > (3) eap : Peer sent code Response (2) ID 3 length 6
> > (3) eap : Continuing tunnel setup
> > (3) [eap] = ok
> > (3) } # authorize = ok
> > (3) Found Auth-Type = EAP
> > (3) # Executing group from file /etc/raddb/sites-enabled/default
> > (3) authenticate {
> > (3) eap : Expiring EAP session with state 0x0e9027300c933e66
> > (3) eap : Finished EAP session with state 0x0e9027300c933e66
> > (3) eap : Previous EAP request found for state 0x0e9027300c933e66,
> > released from the list
> > (3) eap : Peer sent method PEAP (25)
> > (3) eap : EAP PEAP (25)
> > (3) eap : Calling eap_peap to process EAP data
> > (3) eap_peap : processing EAP-TLS
> > (3) eap_peap : Received TLS ACK
> > (3) eap_peap : Received TLS ACK
> > (3) eap_peap : ACK handshake fragment handler
> > (3) eap_peap : eaptls_verify returned 1
> > (3) eap_peap : eaptls_process returned 13
> > (3) eap_peap : FR_TLS_HANDLED
> > (3) eap : New EAP session, adding 'State' attribute to reply
> > 0x0e9027300d943e66
> > (3) [eap] = handled
> > (3) } # authenticate = handled
> > (3) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=185,
> > length=0
> > (3) EAP-Message =
> > 0x0104017619007479820900d341ec42790a6fe5300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100ac39c26dec50bba63993d15c97f83ed294499bc6f92436a1b253966ce768d892d9c68aae360018347c9c54833061317e8c1768250d6cccc4adcf063a0e86c81dc9cff914de4d42cf06568494ce9ee4ae6852654d5160cabfe64f82e2ffea66c370698f88f72345954429fe25a91d10626e004dccc58a222bdae41daf083ca5259bae8f896a62454d37d648ca30dcde05f947866efc0ed7d73e7671954218729559ea417e6300a28cb165d68d2591e811118edd483888e77ab2695dde4c325340ea840f56fb31837fcf733069a89ed1f320b33a95572350fda6a7fbcfa850c719334e496b5ae294ee8769b9617ae8bf7830c86e79e0628d25a49a7a7afa6471ab16030100040e000000
> > (3) Message-Authenticator = 0x00000000000000000000000000000000
> > (3) State = 0x0e9027300d943e6603c734ef610afcab
> > Sending Access-Challenge Id 185 from 192.168.0.10:1812 to 192.168.0.2:1812
> > EAP-Message =
> > 0x0104017619007479820900d341ec42790a6fe5300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100ac39c26dec50bba63993d15c97f83ed294499bc6f92436a1b253966ce768d892d9c68aae360018347c9c54833061317e8c1768250d6cccc4adcf063a0e86c81dc9cff914de4d42cf06568494ce9ee4ae6852654d5160cabfe64f82e2ffea66c370698f88f72345954429fe25a91d10626e004dccc58a222bdae41daf083ca5259bae8f896a62454d37d648ca30dcde05f947866efc0ed7d73e7671954218729559ea417e6300a28cb165d68d2591e811118edd483888e77ab2695dde4c325340ea840f56fb31837fcf733069a89ed1f320b33a95572350fda6a7fbcfa850c719334e496b5ae294ee8769b9617ae8bf7830c86e79e0628d25a49a7a7afa6471ab16030100040e000000
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x0e9027300d943e6603c734ef610afcab
> > (3) Finished request
> > Waking up in 0.2 seconds.
> > Received Access-Request Id 186 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 473
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > State = 0x0e9027300d943e6603c734ef610afcab
> > EAP-Message =
> > 0x0204015019800000014616030101061000010201009c140457a5001869d3c4409886b6381ffbb3a3b2e588b5c1a8d432a0577faee12a585e5772dcbbcd7f54d7841cd2ef3c4241655a7ecca77efe6bbb11ef29698031973a611a05c0f2da4e21b11aec38e086460f2218cfa58a027596405e8a0b1e608f06424528ac7c978de90b5c6cb179a2d9e3eb016a85cd20e2d43c142a0af7a4b00f6e57348fe41e154b44a604fbf973d99b09af607f745a2045874f5870b878f1bfccfa1b5219a0cb60ad9bb7dca77628afeee09efe1b394bbbecff907c0e5b23bd8622b38a360cde10bf3bb568ba3e577b78a9e793d9204e5188976028b9873709604f2a1272a978745544efe39db3a4ceecf16dbab756ca4e7419a14e621403010001011603010030193a998b6522faa35707604a4ba153d81f0838c651a0a8f14679c6507654ef48ef301afcfcca06e70df0f907841c7cbd
> > Message-Authenticator = 0x1b895bbbb9e7981ab29d96346a062a54
> > (4) Received Access-Request packet from host 192.168.0.2 port 1812, id=186,
> > length=473
> > (4) NAS-IP-Address = 192.168.0.2
> > (4) NAS-Port = 50024
> > (4) NAS-Port-Type = Ethernet
> > (4) User-Name = 'newuser'
> > (4) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (4) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (4) Service-Type = Framed-User
> > (4) Framed-MTU = 1500
> > (4) State = 0x0e9027300d943e6603c734ef610afcab
> > (4) EAP-Message =
> > 0x0204015019800000014616030101061000010201009c140457a5001869d3c4409886b6381ffbb3a3b2e588b5c1a8d432a0577faee12a585e5772dcbbcd7f54d7841cd2ef3c4241655a7ecca77efe6bbb11ef29698031973a611a05c0f2da4e21b11aec38e086460f2218cfa58a027596405e8a0b1e608f06424528ac7c978de90b5c6cb179a2d9e3eb016a85cd20e2d43c142a0af7a4b00f6e57348fe41e154b44a604fbf973d99b09af607f745a2045874f5870b878f1bfccfa1b5219a0cb60ad9bb7dca77628afeee09efe1b394bbbecff907c0e5b23bd8622b38a360cde10bf3bb568ba3e577b78a9e793d9204e5188976028b9873709604f2a1272a978745544efe39db3a4ceecf16dbab756ca4e7419a14e621403010001011603010030193a998b6522faa35707604a4ba153d81f0838c651a0a8f14679c6507654ef48ef301afcfcca06e70df0f907841c7cbd
> > (4) Message-Authenticator = 0x1b895bbbb9e7981ab29d96346a062a54
> > (4) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (4) authorize {
> > (4) filter_username filter_username {
> > (4) if (!&User-Name)
> > (4) if (!&User-Name) -> FALSE
> > (4) if (&User-Name =~ / /)
> > (4) if (&User-Name =~ / /) -> FALSE
> > (4) if (&User-Name =~ /@.*@/ )
> > (4) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (4) if (&User-Name =~ /\\.\\./ )
> > (4) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
> > (4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
> > FALSE
> > (4) if (&User-Name =~ /\\.$/)
> > (4) if (&User-Name =~ /\\.$/) -> FALSE
> > (4) if (&User-Name =~ /(a)\\./)
> > (4) if (&User-Name =~ /(a)\\./) -> FALSE
> > (4) } # filter_username filter_username = notfound
> > (4) [preprocess] = ok
> > (4) [chap] = noop
> > (4) [mschap] = noop
> > (4) [digest] = noop
> > (4) suffix : Checking for suffix after "@"
> > (4) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (4) suffix : No such realm "NULL"
> > (4) [suffix] = noop
> > (4) eap : Peer sent code Response (2) ID 4 length 336
> > (4) eap : Continuing tunnel setup
> > (4) [eap] = ok
> > (4) } # authorize = ok
> > (4) Found Auth-Type = EAP
> > (4) # Executing group from file /etc/raddb/sites-enabled/default
> > (4) authenticate {
> > (4) eap : Expiring EAP session with state 0x0e9027300d943e66
> > (4) eap : Finished EAP session with state 0x0e9027300d943e66
> > (4) eap : Previous EAP request found for state 0x0e9027300d943e66,
> > released from the list
> > (4) eap : Peer sent method PEAP (25)
> > (4) eap : EAP PEAP (25)
> > (4) eap : Calling eap_peap to process EAP data
> > (4) eap_peap : processing EAP-TLS
> > TLS Length 326
> > (4) eap_peap : Length Included
> > (4) eap_peap : eaptls_verify returned 11
> > (4) eap_peap : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
> > (4) eap_peap : TLS_accept: SSLv3 read client key exchange A
> > (4) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
> > (4) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
> > (4) eap_peap : TLS_accept: SSLv3 read finished A
> > (4) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
> > (4) eap_peap : TLS_accept: SSLv3 write change cipher spec A
> > (4) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
> > (4) eap_peap : TLS_accept: SSLv3 write finished A
> > (4) eap_peap : TLS_accept: SSLv3 flush data
> > SSL: adding session
> > 48fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4 to cache
> > (4) eap_peap : (other): SSL negotiation finished successfully
> > SSL Connection Established
> > (4) eap_peap : eaptls_process returned 13
> > (4) eap_peap : FR_TLS_HANDLED
> > (4) eap : New EAP session, adding 'State' attribute to reply
> > 0x0e9027300a953e66
> > (4) [eap] = handled
> > (4) } # authenticate = handled
> > (4) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=186,
> > length=0
> > (4) EAP-Message =
> > 0x0105004119001403010001011603010030aae4f10e97ee19adae53413d9aa1d8d43c053c8d9e737783e7b55e6ba93fe09df382bb6903423cc0a3e1e7c0d7581e6f
> > (4) Message-Authenticator = 0x00000000000000000000000000000000
> > (4) State = 0x0e9027300a953e6603c734ef610afcab
> > Sending Access-Challenge Id 186 from 192.168.0.10:1812 to 192.168.0.2:1812
> > EAP-Message =
> > 0x0105004119001403010001011603010030aae4f10e97ee19adae53413d9aa1d8d43c053c8d9e737783e7b55e6ba93fe09df382bb6903423cc0a3e1e7c0d7581e6f
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x0e9027300a953e6603c734ef610afcab
> > (4) Finished request
> > Waking up in 0.2 seconds.
> > Received Access-Request Id 187 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 141
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > State = 0x0e9027300a953e6603c734ef610afcab
> > EAP-Message = 0x020500061900
> > Message-Authenticator = 0xdac0ce591021e82f7d39f28aef2399d2
> > (5) Received Access-Request packet from host 192.168.0.2 port 1812, id=187,
> > length=141
> > (5) NAS-IP-Address = 192.168.0.2
> > (5) NAS-Port = 50024
> > (5) NAS-Port-Type = Ethernet
> > (5) User-Name = 'newuser'
> > (5) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (5) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (5) Service-Type = Framed-User
> > (5) Framed-MTU = 1500
> > (5) State = 0x0e9027300a953e6603c734ef610afcab
> > (5) EAP-Message = 0x020500061900
> > (5) Message-Authenticator = 0xdac0ce591021e82f7d39f28aef2399d2
> > (5) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (5) authorize {
> > (5) filter_username filter_username {
> > (5) if (!&User-Name)
> > (5) if (!&User-Name) -> FALSE
> > (5) if (&User-Name =~ / /)
> > (5) if (&User-Name =~ / /) -> FALSE
> > (5) if (&User-Name =~ /@.*@/ )
> > (5) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (5) if (&User-Name =~ /\\.\\./ )
> > (5) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
> > (5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
> > FALSE
> > (5) if (&User-Name =~ /\\.$/)
> > (5) if (&User-Name =~ /\\.$/) -> FALSE
> > (5) if (&User-Name =~ /(a)\\./)
> > (5) if (&User-Name =~ /(a)\\./) -> FALSE
> > (5) } # filter_username filter_username = notfound
> > (5) [preprocess] = ok
> > (5) [chap] = noop
> > (5) [mschap] = noop
> > (5) [digest] = noop
> > (5) suffix : Checking for suffix after "@"
> > (5) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (5) suffix : No such realm "NULL"
> > (5) [suffix] = noop
> > (5) eap : Peer sent code Response (2) ID 5 length 6
> > (5) eap : Continuing tunnel setup
> > (5) [eap] = ok
> > (5) } # authorize = ok
> > (5) Found Auth-Type = EAP
> > (5) # Executing group from file /etc/raddb/sites-enabled/default
> > (5) authenticate {
> > (5) eap : Expiring EAP session with state 0x0e9027300a953e66
> > (5) eap : Finished EAP session with state 0x0e9027300a953e66
> > (5) eap : Previous EAP request found for state 0x0e9027300a953e66,
> > released from the list
> > (5) eap : Peer sent method PEAP (25)
> > (5) eap : EAP PEAP (25)
> > (5) eap : Calling eap_peap to process EAP data
> > (5) eap_peap : processing EAP-TLS
> > (5) eap_peap : Received TLS ACK
> > (5) eap_peap : Received TLS ACK
> > (5) eap_peap : ACK handshake is finished
> > (5) eap_peap : eaptls_verify returned 3
> > (5) eap_peap : eaptls_process returned 3
> > (5) eap_peap : FR_TLS_SUCCESS
> > (5) eap_peap : Session established. Decoding tunneled attributes
> > (5) eap_peap : Peap state TUNNEL ESTABLISHED
> > (5) eap : New EAP session, adding 'State' attribute to reply
> > 0x0e9027300b963e66
> > (5) [eap] = handled
> > (5) } # authenticate = handled
> > (5) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=187,
> > length=0
> > (5) EAP-Message =
> > 0x0106002b190017030100201ac493daff282d88bd079004b7a4124bc4a88fcee422591647b8a0784b2254a6
> > (5) Message-Authenticator = 0x00000000000000000000000000000000
> > (5) State = 0x0e9027300b963e6603c734ef610afcab
> > Sending Access-Challenge Id 187 from 192.168.0.10:1812 to 192.168.0.2:1812
> > EAP-Message =
> > 0x0106002b190017030100201ac493daff282d88bd079004b7a4124bc4a88fcee422591647b8a0784b2254a6
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x0e9027300b963e6603c734ef610afcab
> > (5) Finished request
> > Waking up in 0.2 seconds.
> > Received Access-Request Id 188 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 178
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > State = 0x0e9027300b963e6603c734ef610afcab
> > EAP-Message =
> > 0x0206002b19001703010020a4f998f13de99ca28ef10b62394a61c9b1a25d73a60b123f5ad5f64fdd887c6a
> > Message-Authenticator = 0x1794290733e67632bc38f2f4aa840390
> > (6) Received Access-Request packet from host 192.168.0.2 port 1812, id=188,
> > length=178
> > (6) NAS-IP-Address = 192.168.0.2
> > (6) NAS-Port = 50024
> > (6) NAS-Port-Type = Ethernet
> > (6) User-Name = 'newuser'
> > (6) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (6) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (6) Service-Type = Framed-User
> > (6) Framed-MTU = 1500
> > (6) State = 0x0e9027300b963e6603c734ef610afcab
> > (6) EAP-Message =
> > 0x0206002b19001703010020a4f998f13de99ca28ef10b62394a61c9b1a25d73a60b123f5ad5f64fdd887c6a
> > (6) Message-Authenticator = 0x1794290733e67632bc38f2f4aa840390
> > (6) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (6) authorize {
> > (6) filter_username filter_username {
> > (6) if (!&User-Name)
> > (6) if (!&User-Name) -> FALSE
> > (6) if (&User-Name =~ / /)
> > (6) if (&User-Name =~ / /) -> FALSE
> > (6) if (&User-Name =~ /@.*@/ )
> > (6) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (6) if (&User-Name =~ /\\.\\./ )
> > (6) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
> > (6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
> > FALSE
> > (6) if (&User-Name =~ /\\.$/)
> > (6) if (&User-Name =~ /\\.$/) -> FALSE
> > (6) if (&User-Name =~ /(a)\\./)
> > (6) if (&User-Name =~ /(a)\\./) -> FALSE
> > (6) } # filter_username filter_username = notfound
> > (6) [preprocess] = ok
> > (6) [chap] = noop
> > (6) [mschap] = noop
> > (6) [digest] = noop
> > (6) suffix : Checking for suffix after "@"
> > (6) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (6) suffix : No such realm "NULL"
> > (6) [suffix] = noop
> > (6) eap : Peer sent code Response (2) ID 6 length 43
> > (6) eap : Continuing tunnel setup
> > (6) [eap] = ok
> > (6) } # authorize = ok
> > (6) Found Auth-Type = EAP
> > (6) # Executing group from file /etc/raddb/sites-enabled/default
> > (6) authenticate {
> > (6) eap : Expiring EAP session with state 0x0e9027300b963e66
> > (6) eap : Finished EAP session with state 0x0e9027300b963e66
> > (6) eap : Previous EAP request found for state 0x0e9027300b963e66,
> > released from the list
> > (6) eap : Peer sent method PEAP (25)
> > (6) eap : EAP PEAP (25)
> > (6) eap : Calling eap_peap to process EAP data
> > (6) eap_peap : processing EAP-TLS
> > (6) eap_peap : eaptls_verify returned 7
> > (6) eap_peap : Done initial handshake
> > (6) eap_peap : eaptls_process returned 7
> > (6) eap_peap : FR_TLS_OK
> > (6) eap_peap : Session established. Decoding tunneled attributes
> > (6) eap_peap : Peap state WAITING FOR INNER IDENTITY
> > (6) eap_peap : Identity - newuser
> > (6) eap_peap : Got inner identity 'newuser'
> > (6) eap_peap : Setting default EAP type for tunneled EAP session
> > (6) eap_peap : Got tunneled request
> > EAP-Message = 0x0206000c016e657775736572
> > server default {
> > (6) eap_peap : Setting User-Name to newuser
> > Sending tunneled request
> > EAP-Message = 0x0206000c016e657775736572
> > FreeRADIUS-Proxied-To = 127.0.0.1
> > User-Name = 'newuser'
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
> > server inner-tunnel {
> > (6) server inner-tunnel {
> > (6) Request:
> > EAP-Message = 0x0206000c016e657775736572
> > FreeRADIUS-Proxied-To = 127.0.0.1
> > User-Name = 'newuser'
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
> > (6) # Executing section authorize from file
> > /etc/raddb/sites-enabled/inner-tunnel
> > (6) authorize {
> > (6) [chap] = noop
> > (6) [mschap] = noop
> > (6) suffix : Checking for suffix after "@"
> > (6) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (6) suffix : No such realm "NULL"
> > (6) [suffix] = noop
> > (6) update control {
> > (6) Proxy-To-Realm := 'LOCAL'
> > (6) } # update control = noop
> > (6) eap : Peer sent code Response (2) ID 6 length 12
> > (6) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
> > rest of authorize
> > (6) [eap] = ok
> > (6) } # authorize = ok
> > (6) Found Auth-Type = EAP
> > (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> > (6) authenticate {
> > (6) eap : Peer sent method Identity (1)
> > (6) eap : Calling eap_mschapv2 to process EAP data
> > (6) eap_mschapv2 : Issuing Challenge
> > (6) eap : New EAP session, adding 'State' attribute to reply
> > 0x51469e48514184c8
> > (6) [eap] = handled
> > (6) } # authenticate = handled
> > (6) Reply:
> > EAP-Message =
> > 0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x51469e48514184c89c06397edfb2b9f6
> > (6) } # server inner-tunnel
> > } # server inner-tunnel
> > (6) eap_peap : Got tunneled reply code 11
> > EAP-Message =
> > 0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x51469e48514184c89c06397edfb2b9f6
> > (6) eap_peap : Got tunneled reply RADIUS code 11
> > EAP-Message =
> > 0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x51469e48514184c89c06397edfb2b9f6
> > (6) eap_peap : Got tunneled Access-Challenge
> > (6) eap : New EAP session, adding 'State' attribute to reply
> > 0x0e90273008973e66
> > (6) [eap] = handled
> > (6) } # authenticate = handled
> > (6) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=188,
> > length=0
> > (6) EAP-Message =
> > 0x0107004b190017030100407520c1faa1ff4cfd7a594b2669343aa993d4447045db39c0c1ef6a3af3fa94dd9b822e84eb8895730f1cabf76bc5593ee24398478a98364b6b52fd05dfd32c0a
> > (6) Message-Authenticator = 0x00000000000000000000000000000000
> > (6) State = 0x0e90273008973e6603c734ef610afcab
> > Sending Access-Challenge Id 188 from 192.168.0.10:1812 to 192.168.0.2:1812
> > EAP-Message =
> > 0x0107004b190017030100407520c1faa1ff4cfd7a594b2669343aa993d4447045db39c0c1ef6a3af3fa94dd9b822e84eb8895730f1cabf76bc5593ee24398478a98364b6b52fd05dfd32c0a
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x0e90273008973e6603c734ef610afcab
> > (6) Finished request
> > Waking up in 0.2 seconds.
> > Received Access-Request Id 189 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 242
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > State = 0x0e90273008973e6603c734ef610afcab
> > EAP-Message =
> > 0x0207006b19001703010060daa946c75fc076c70e3dee92725c9fd0e09e9b31f3e9b03e995463f030c9fcacaba7ef76b8890a117b40a4868e689f211491596b2e6acc7481a01ca4d9877415d99f18815dbd2879bca03fa940e258a486def5b5f08936eeade1d0f07ba9abfb
> > Message-Authenticator = 0x0c5af9b3231d04ec974f138a62c938b7
> > (7) Received Access-Request packet from host 192.168.0.2 port 1812, id=189,
> > length=242
> > (7) NAS-IP-Address = 192.168.0.2
> > (7) NAS-Port = 50024
> > (7) NAS-Port-Type = Ethernet
> > (7) User-Name = 'newuser'
> > (7) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (7) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (7) Service-Type = Framed-User
> > (7) Framed-MTU = 1500
> > (7) State = 0x0e90273008973e6603c734ef610afcab
> > (7) EAP-Message =
> > 0x0207006b19001703010060daa946c75fc076c70e3dee92725c9fd0e09e9b31f3e9b03e995463f030c9fcacaba7ef76b8890a117b40a4868e689f211491596b2e6acc7481a01ca4d9877415d99f18815dbd2879bca03fa940e258a486def5b5f08936eeade1d0f07ba9abfb
> > (7) Message-Authenticator = 0x0c5af9b3231d04ec974f138a62c938b7
> > (7) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (7) authorize {
> > (7) filter_username filter_username {
> > (7) if (!&User-Name)
> > (7) if (!&User-Name) -> FALSE
> > (7) if (&User-Name =~ / /)
> > (7) if (&User-Name =~ / /) -> FALSE
> > (7) if (&User-Name =~ /@.*@/ )
> > (7) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (7) if (&User-Name =~ /\\.\\./ )
> > (7) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
> > (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
> > FALSE
> > (7) if (&User-Name =~ /\\.$/)
> > (7) if (&User-Name =~ /\\.$/) -> FALSE
> > (7) if (&User-Name =~ /(a)\\./)
> > (7) if (&User-Name =~ /(a)\\./) -> FALSE
> > (7) } # filter_username filter_username = notfound
> > (7) [preprocess] = ok
> > (7) [chap] = noop
> > (7) [mschap] = noop
> > (7) [digest] = noop
> > (7) suffix : Checking for suffix after "@"
> > (7) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (7) suffix : No such realm "NULL"
> > (7) [suffix] = noop
> > (7) eap : Peer sent code Response (2) ID 7 length 107
> > (7) eap : Continuing tunnel setup
> > (7) [eap] = ok
> > (7) } # authorize = ok
> > (7) Found Auth-Type = EAP
> > (7) # Executing group from file /etc/raddb/sites-enabled/default
> > (7) authenticate {
> > (7) eap : Expiring EAP session with state 0x51469e48514184c8
> > (7) eap : Finished EAP session with state 0x0e90273008973e66
> > (7) eap : Previous EAP request found for state 0x0e90273008973e66,
> > released from the list
> > (7) eap : Peer sent method PEAP (25)
> > (7) eap : EAP PEAP (25)
> > (7) eap : Calling eap_peap to process EAP data
> > (7) eap_peap : processing EAP-TLS
> > (7) eap_peap : eaptls_verify returned 7
> > (7) eap_peap : Done initial handshake
> > (7) eap_peap : eaptls_process returned 7
> > (7) eap_peap : FR_TLS_OK
> > (7) eap_peap : Session established. Decoding tunneled attributes
> > (7) eap_peap : Peap state phase2
> > (7) eap_peap : EAP type MSCHAPv2 (26)
> > (7) eap_peap : Got tunneled request
> > EAP-Message =
> > 0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572
> > server default {
> > (7) eap_peap : Setting User-Name to newuser
> > Sending tunneled request
> > EAP-Message =
> > 0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572
> > FreeRADIUS-Proxied-To = 127.0.0.1
> > User-Name = 'newuser'
> > State = 0x51469e48514184c89c06397edfb2b9f6
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
> > server inner-tunnel {
> > (7) server inner-tunnel {
> > (7) Request:
> > EAP-Message =
> > 0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572
> > FreeRADIUS-Proxied-To = 127.0.0.1
> > User-Name = 'newuser'
> > State = 0x51469e48514184c89c06397edfb2b9f6
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
> > (7) # Executing section authorize from file
> > /etc/raddb/sites-enabled/inner-tunnel
> > (7) authorize {
> > (7) [chap] = noop
> > (7) [mschap] = noop
> > (7) suffix : Checking for suffix after "@"
> > (7) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (7) suffix : No such realm "NULL"
> > (7) [suffix] = noop
> > (7) update control {
> > (7) Proxy-To-Realm := 'LOCAL'
> > (7) } # update control = noop
> > (7) eap : Peer sent code Response (2) ID 7 length 66
> > (7) eap : No EAP Start, assuming it's an on-going EAP conversation
> > (7) [eap] = updated
> > (7) [files] = noop
> > rlm_ldap (ldap): Reserved connection (4)
> > (7) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> > (7) ldap : --> (uid=newuser)
> > (7) ldap : EXPAND dc=test,dc=ad,dc=com
> > (7) ldap : --> dc=test,dc=ad,dc=com
> > (7) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
> > '(uid=newuser)', scope 'sub'
> > (7) ldap : Waiting for search result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > (7) ldap : Search returned no results
> > rlm_ldap (ldap): Deleting connection (4)
> > (7) [ldap] = notfound
> > (7) [expiration] = noop
> > (7) [logintime] = noop
> > (7) [pap] = noop
> > (7) } # authorize = updated
> > (7) Found Auth-Type = EAP
> > (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> > (7) authenticate {
> > (7) eap : Expiring EAP session with state 0x51469e48514184c8
> > (7) eap : Finished EAP session with state 0x51469e48514184c8
> > (7) eap : Previous EAP request found for state 0x51469e48514184c8,
> > released from the list
> > (7) eap : Peer sent method MSCHAPv2 (26)
> > (7) eap : EAP MSCHAPv2 (26)
> > (7) eap : Calling eap_mschapv2 to process EAP data
> > (7) eap_mschapv2 : # Executing group from file
> > /etc/raddb/sites-enabled/inner-tunnel
> > (7) eap_mschapv2 : Auth-Type MS-CHAP {
> > (7) mschap : Creating challenge hash with username: newuser
> > (7) mschap : Client is using MS-CHAPv2
> > Executing: /usr/bin/ntlm_auth --request-nt-key
> > --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> > --challenge=%{%{mschap:Challenge}:-00}
> > --nt-response=%{%{mschap:NT-Response}:-00}:
> > (7) mschap : EXPAND
> > --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> > (7) mschap : --> --username=newuser
> > (7) mschap : Creating challenge hash with username: newuser
> > (7) mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
> > (7) mschap : --> --challenge=141c75ef267aec37
> > (7) mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> > (7) mschap : -->
> > --nt-response=8e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e
> > Program returned code (0) and output 'NT_KEY:
> > 917FDA71960ECCF4DF81D38405F86F42'
> > (7) mschap : Adding MS-CHAPv2 MPPE keys
> > (7) [mschap] = ok
> > (7) } # Auth-Type MS-CHAP = ok
> > MSCHAP Success
> > (7) eap : New EAP session, adding 'State' attribute to reply
> > 0x51469e48504e84c8
> > (7) [eap] = handled
> > (7) } # authenticate = handled
> > (7) Reply:
> > EAP-Message =
> > 0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x51469e48504e84c89c06397edfb2b9f6
> > (7) } # server inner-tunnel
> > } # server inner-tunnel
> > (7) eap_peap : Got tunneled reply code 11
> > EAP-Message =
> > 0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x51469e48504e84c89c06397edfb2b9f6
> > (7) eap_peap : Got tunneled reply RADIUS code 11
> > EAP-Message =
> > 0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x51469e48504e84c89c06397edfb2b9f6
> > (7) eap_peap : Got tunneled Access-Challenge
> > (7) eap : New EAP session, adding 'State' attribute to reply
> > 0x0e90273009983e66
> > (7) [eap] = handled
> > (7) } # authenticate = handled
> > (7) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=189,
> > length=0
> > (7) EAP-Message =
> > 0x0108005b19001703010050f5928f4ef2504f8111ab1eb22a3d7055f034eb84663b65bd07291d795cbd5a872c90146b2738a779cf42d7acd17f1425f25e5139936ce90ece8924c0ddf1dd6d66eb94efda5148cf5b8b62fd2f49fd5b
> > (7) Message-Authenticator = 0x00000000000000000000000000000000
> > (7) State = 0x0e90273009983e6603c734ef610afcab
> > Sending Access-Challenge Id 189 from 192.168.0.10:1812 to 192.168.0.2:1812
> > EAP-Message =
> > 0x0108005b19001703010050f5928f4ef2504f8111ab1eb22a3d7055f034eb84663b65bd07291d795cbd5a872c90146b2738a779cf42d7acd17f1425f25e5139936ce90ece8924c0ddf1dd6d66eb94efda5148cf5b8b62fd2f49fd5b
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x0e90273009983e6603c734ef610afcab
> > (7) Finished request
> > Waking up in 4.5 seconds.
> > Received Access-Request Id 190 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 178
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > State = 0x0e90273009983e6603c734ef610afcab
> > EAP-Message =
> > 0x0208002b19001703010020e5cacce91e4a996afb3b077c7b388bcf2f40b18a8eb5be8917a8ae01288fd33d
> > Message-Authenticator = 0x56d20e1c3ccff86847412ce9123ecb99
> > (8) Received Access-Request packet from host 192.168.0.2 port 1812, id=190,
> > length=178
> > (8) NAS-IP-Address = 192.168.0.2
> > (8) NAS-Port = 50024
> > (8) NAS-Port-Type = Ethernet
> > (8) User-Name = 'newuser'
> > (8) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (8) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (8) Service-Type = Framed-User
> > (8) Framed-MTU = 1500
> > (8) State = 0x0e90273009983e6603c734ef610afcab
> > (8) EAP-Message =
> > 0x0208002b19001703010020e5cacce91e4a996afb3b077c7b388bcf2f40b18a8eb5be8917a8ae01288fd33d
> > (8) Message-Authenticator = 0x56d20e1c3ccff86847412ce9123ecb99
> > (8) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (8) authorize {
> > (8) filter_username filter_username {
> > (8) if (!&User-Name)
> > (8) if (!&User-Name) -> FALSE
> > (8) if (&User-Name =~ / /)
> > (8) if (&User-Name =~ / /) -> FALSE
> > (8) if (&User-Name =~ /@.*@/ )
> > (8) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (8) if (&User-Name =~ /\\.\\./ )
> > (8) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
> > (8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
> > FALSE
> > (8) if (&User-Name =~ /\\.$/)
> > (8) if (&User-Name =~ /\\.$/) -> FALSE
> > (8) if (&User-Name =~ /(a)\\./)
> > (8) if (&User-Name =~ /(a)\\./) -> FALSE
> > (8) } # filter_username filter_username = notfound
> > (8) [preprocess] = ok
> > (8) [chap] = noop
> > (8) [mschap] = noop
> > (8) [digest] = noop
> > (8) suffix : Checking for suffix after "@"
> > (8) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (8) suffix : No such realm "NULL"
> > (8) [suffix] = noop
> > (8) eap : Peer sent code Response (2) ID 8 length 43
> > (8) eap : Continuing tunnel setup
> > (8) [eap] = ok
> > (8) } # authorize = ok
> > (8) Found Auth-Type = EAP
> > (8) # Executing group from file /etc/raddb/sites-enabled/default
> > (8) authenticate {
> > (8) eap : Expiring EAP session with state 0x51469e48504e84c8
> > (8) eap : Finished EAP session with state 0x0e90273009983e66
> > (8) eap : Previous EAP request found for state 0x0e90273009983e66,
> > released from the list
> > (8) eap : Peer sent method PEAP (25)
> > (8) eap : EAP PEAP (25)
> > (8) eap : Calling eap_peap to process EAP data
> > (8) eap_peap : processing EAP-TLS
> > (8) eap_peap : eaptls_verify returned 7
> > (8) eap_peap : Done initial handshake
> > (8) eap_peap : eaptls_process returned 7
> > (8) eap_peap : FR_TLS_OK
> > (8) eap_peap : Session established. Decoding tunneled attributes
> > (8) eap_peap : Peap state phase2
> > (8) eap_peap : EAP type MSCHAPv2 (26)
> > (8) eap_peap : Got tunneled request
> > EAP-Message = 0x020800061a03
> > server default {
> > (8) eap_peap : Setting User-Name to newuser
> > Sending tunneled request
> > EAP-Message = 0x020800061a03
> > FreeRADIUS-Proxied-To = 127.0.0.1
> > User-Name = 'newuser'
> > State = 0x51469e48504e84c89c06397edfb2b9f6
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
> > server inner-tunnel {
> > (8) server inner-tunnel {
> > (8) Request:
> > EAP-Message = 0x020800061a03
> > FreeRADIUS-Proxied-To = 127.0.0.1
> > User-Name = 'newuser'
> > State = 0x51469e48504e84c89c06397edfb2b9f6
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
> > (8) # Executing section authorize from file
> > /etc/raddb/sites-enabled/inner-tunnel
> > (8) authorize {
> > (8) [chap] = noop
> > (8) [mschap] = noop
> > (8) suffix : Checking for suffix after "@"
> > (8) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (8) suffix : No such realm "NULL"
> > (8) [suffix] = noop
> > (8) update control {
> > (8) Proxy-To-Realm := 'LOCAL'
> > (8) } # update control = noop
> > (8) eap : Peer sent code Response (2) ID 8 length 6
> > (8) eap : No EAP Start, assuming it's an on-going EAP conversation
> > (8) [eap] = updated
> > (8) [files] = noop
> > rlm_ldap (ldap): Reserved connection (3)
> > (8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> > (8) ldap : --> (uid=newuser)
> > (8) ldap : EXPAND dc=test,dc=ad,dc=com
> > (8) ldap : --> dc=test,dc=ad,dc=com
> > (8) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
> > '(uid=newuser)', scope 'sub'
> > (8) ldap : Waiting for search result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > (8) ldap : Search returned no results
> > rlm_ldap (ldap): Deleting connection (3)
> > rlm_ldap (ldap): 0 of 3 connections in use. Need more spares
> > rlm_ldap (ldap): Opening additional connection (5)
> > rlm_ldap (ldap): Connecting to 192.168.0.20:389
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind successful
> > (8) [ldap] = notfound
> > (8) [expiration] = noop
> > (8) [logintime] = noop
> > (8) [pap] = noop
> > (8) } # authorize = updated
> > (8) Found Auth-Type = EAP
> > (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> > (8) authenticate {
> > (8) eap : Expiring EAP session with state 0x51469e48504e84c8
> > (8) eap : Finished EAP session with state 0x51469e48504e84c8
> > (8) eap : Previous EAP request found for state 0x51469e48504e84c8,
> > released from the list
> > (8) eap : Peer sent method MSCHAPv2 (26)
> > (8) eap : EAP MSCHAPv2 (26)
> > (8) eap : Calling eap_mschapv2 to process EAP data
> > (8) eap : Freeing handler
> > (8) [eap] = ok
> > (8) } # authenticate = ok
> > (8) # Executing section post-auth from file
> > /etc/raddb/sites-enabled/inner-tunnel
> > (8) post-auth {
> > (8) ldap : EXPAND .
> > (8) ldap : --> .
> > (8) ldap : EXPAND Authenticated at %S
> > (8) ldap : --> Authenticated at 2015-07-03 14:28:13
> > rlm_ldap (ldap): Reserved connection (5)
> > (8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> > (8) ldap : --> (uid=newuser)
> > (8) ldap : EXPAND dc=test,dc=ad,dc=com
> > (8) ldap : --> dc=test,dc=ad,dc=com
> > (8) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
> > '(uid=newuser)', scope 'sub'
> > (8) ldap : Waiting for search result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > (8) ldap : Search returned no results
> > rlm_ldap (ldap): Deleting connection (5)
> > (8) [ldap] = notfound
> > (8) } # post-auth = notfound
> > (8) Reply:
> > MS-MPPE-Encryption-Policy = Encryption-Required
> > MS-MPPE-Encryption-Types = 4
> > MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9
> > MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239
> > EAP-Message = 0x03080004
> > Message-Authenticator = 0x00000000000000000000000000000000
> > User-Name = 'newuser'
> > (8) } # server inner-tunnel
> > } # server inner-tunnel
> > (8) eap_peap : Got tunneled reply code 2
> > MS-MPPE-Encryption-Policy = Encryption-Required
> > MS-MPPE-Encryption-Types = 4
> > MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9
> > MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239
> > EAP-Message = 0x03080004
> > Message-Authenticator = 0x00000000000000000000000000000000
> > User-Name = 'newuser'
> > (8) eap_peap : Got tunneled reply RADIUS code 2
> > MS-MPPE-Encryption-Policy = Encryption-Required
> > MS-MPPE-Encryption-Types = 4
> > MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9
> > MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239
> > EAP-Message = 0x03080004
> > Message-Authenticator = 0x00000000000000000000000000000000
> > User-Name = 'newuser'
> > (8) eap_peap : Tunneled authentication was successful
> > (8) eap_peap : SUCCESS
> > (8) eap_peap : Saving tunneled attributes for later
> > (8) eap : New EAP session, adding 'State' attribute to reply
> > 0x0e90273006993e66
> > (8) [eap] = handled
> > (8) } # authenticate = handled
> > (8) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=190,
> > length=0
> > (8) EAP-Message =
> > 0x0109002b1900170301002002723a75a206ea487fd592ae1b9d31d8425a2d28fb6a567b530188cd74181696
> > (8) Message-Authenticator = 0x00000000000000000000000000000000
> > (8) State = 0x0e90273006993e6603c734ef610afcab
> > Sending Access-Challenge Id 190 from 192.168.0.10:1812 to 192.168.0.2:1812
> > EAP-Message =
> > 0x0109002b1900170301002002723a75a206ea487fd592ae1b9d31d8425a2d28fb6a567b530188cd74181696
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x0e90273006993e6603c734ef610afcab
> > (8) Finished request
> > Waking up in 3.8 seconds.
> > Received Access-Request Id 191 from 192.168.0.2:1812 to 192.168.0.10:1812
> > length 178
> > NAS-IP-Address = 192.168.0.2
> > NAS-Port = 50024
> > NAS-Port-Type = Ethernet
> > User-Name = 'newuser'
> > Called-Station-Id = '00-16-9D-D3-40-D8'
> > Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > State = 0x0e90273006993e6603c734ef610afcab
> > EAP-Message =
> > 0x0209002b1900170301002092fda1c14de27079564bd73fade18792dd8f5f80adf9e4822b95949318de7efb
> > Message-Authenticator = 0xef39ceb8bfa36750354be19a6b2ebf17
> > (9) Received Access-Request packet from host 192.168.0.2 port 1812, id=191,
> > length=178
> > (9) NAS-IP-Address = 192.168.0.2
> > (9) NAS-Port = 50024
> > (9) NAS-Port-Type = Ethernet
> > (9) User-Name = 'newuser'
> > (9) Called-Station-Id = '00-16-9D-D3-40-D8'
> > (9) Calling-Station-Id = '68-B5-99-C8-B0-5E'
> > (9) Service-Type = Framed-User
> > (9) Framed-MTU = 1500
> > (9) State = 0x0e90273006993e6603c734ef610afcab
> > (9) EAP-Message =
> > 0x0209002b1900170301002092fda1c14de27079564bd73fade18792dd8f5f80adf9e4822b95949318de7efb
> > (9) Message-Authenticator = 0xef39ceb8bfa36750354be19a6b2ebf17
> > (9) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (9) authorize {
> > (9) filter_username filter_username {
> > (9) if (!&User-Name)
> > (9) if (!&User-Name) -> FALSE
> > (9) if (&User-Name =~ / /)
> > (9) if (&User-Name =~ / /) -> FALSE
> > (9) if (&User-Name =~ /@.*@/ )
> > (9) if (&User-Name =~ /@.*@/ ) -> FALSE
> > (9) if (&User-Name =~ /\\.\\./ )
> > (9) if (&User-Name =~ /\\.\\./ ) -> FALSE
> > (9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
> > (9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
> > FALSE
> > (9) if (&User-Name =~ /\\.$/)
> > (9) if (&User-Name =~ /\\.$/) -> FALSE
> > (9) if (&User-Name =~ /(a)\\./)
> > (9) if (&User-Name =~ /(a)\\./) -> FALSE
> > (9) } # filter_username filter_username = notfound
> > (9) [preprocess] = ok
> > (9) [chap] = noop
> > (9) [mschap] = noop
> > (9) [digest] = noop
> > (9) suffix : Checking for suffix after "@"
> > (9) suffix : No '@' in User-Name = "newuser", looking up realm NULL
> > (9) suffix : No such realm "NULL"
> > (9) [suffix] = noop
> > (9) eap : Peer sent code Response (2) ID 9 length 43
> > (9) eap : Continuing tunnel setup
> > (9) [eap] = ok
> > (9) } # authorize = ok
> > (9) Found Auth-Type = EAP
> > (9) # Executing group from file /etc/raddb/sites-enabled/default
> > (9) authenticate {
> > (9) eap : Expiring EAP session with state 0x0e90273006993e66
> > (9) eap : Finished EAP session with state 0x0e90273006993e66
> > (9) eap : Previous EAP request found for state 0x0e90273006993e66,
> > released from the list
> > (9) eap : Peer sent method PEAP (25)
> > (9) eap : EAP PEAP (25)
> > (9) eap : Calling eap_peap to process EAP data
> > (9) eap_peap : processing EAP-TLS
> > (9) eap_peap : eaptls_verify returned 7
> > (9) eap_peap : Done initial handshake
> > (9) eap_peap : eaptls_process returned 7
> > (9) eap_peap : FR_TLS_OK
> > (9) eap_peap : Session established. Decoding tunneled attributes
> > (9) eap_peap : Peap state send tlv success
> > (9) eap_peap : Received EAP-TLV response
> > (9) eap_peap : Success
> > (9) eap_peap : Using saved attributes from the original Access-Accept
> > User-Name = 'newuser'
> > (9) eap_peap : Saving session
> > 48fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4 vps
> > 0x7f6012aedf20 in the cache
> > (9) eap : Freeing handler
> > (9) [eap] = ok
> > (9) } # authenticate = ok
> > (9) # Executing section post-auth from file /etc/raddb/sites-enabled/default
> > (9) post-auth {
> > (9) ldap : EXPAND .
> > (9) ldap : --> .
> > (9) ldap : EXPAND Authenticated at %S
> > (9) ldap : --> Authenticated at 2015-07-03 14:28:14
> > rlm_ldap (ldap): Reserved connection (2)
> > (9) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> > (9) ldap : --> (uid=newuser)
> > (9) ldap : EXPAND dc=test,dc=ad,dc=com
> > (9) ldap : --> dc=test,dc=ad,dc=com
> > (9) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
> > '(uid=newuser)', scope 'sub'
> > (9) ldap : Waiting for search result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > (9) ldap : Search returned no results
> > rlm_ldap (ldap): Deleting connection (2)
> > (9) [ldap] = notfound
> > (9) if (LDAP-Group == "cn=computers,cn=Users,dc=test,dc=ad,dc=com")
> > (9) Searching for user in group "cn=computers,cn=Users,dc=test,dc=ad,dc=com"
> > rlm_ldap (ldap): Reserved connection (1)
> > (9) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> > (9) --> (uid=newuser)
> > (9) EXPAND dc=test,dc=ad,dc=com
> > (9) --> dc=test,dc=ad,dc=com
> > (9) Performing search in 'dc=test,dc=ad,dc=com' with filter
> > '(uid=newuser)', scope 'sub'
> > (9) Waiting for search result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Rebinding to URL ldap://
> > test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Bind successful
> > (9) Search returned no results
> > rlm_ldap (ldap): Deleting connection (1)
> > (9) if (LDAP-Group == "cn=computers,cn=Users,dc=test,dc=ad,dc=com") ->
> > FALSE
> > (9) [exec] = noop
> > (9) remove_reply_message_if_eap remove_reply_message_if_eap {
> > (9) if (&reply:EAP-Message && &reply:Reply-Message)
> > (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> > (9) else else {
> > (9) [noop] = noop
> > (9) } # else else = noop
> > (9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
> > (9) } # post-auth = noop
> > (9) Sending Access-Accept packet to host 192.168.0.2 port 1812, id=191,
> > length=0
> > (9) User-Name = 'newuser'
> > (9) MS-MPPE-Recv-Key =
> > 0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda2
> > (9) MS-MPPE-Send-Key =
> > 0x71f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce
> > (9) EAP-MSK =
> > 0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda271f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce
> > (9) EAP-EMSK =
> > 0x1b54d22a41027762199d0673d2024afb9b75034f4486286e1ce600f42266b87c01bf8b7801e44f136c405e7098f74a39062c8d0fd8199ad362af3aa3fd939603
> > (9) EAP-Session-Id =
> > 0x19559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f355967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b313
> > (9) EAP-Message = 0x03090004
> > (9) Message-Authenticator = 0x00000000000000000000000000000000
> > Sending Access-Accept Id 191 from 192.168.0.10:1812 to 192.168.0.2:1812
> > User-Name = 'newuser'
> > MS-MPPE-Recv-Key =
> > 0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda2
> > MS-MPPE-Send-Key =
> > 0x71f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce
> > EAP-Message = 0x03090004
> > Message-Authenticator = 0x00000000000000000000000000000000
> > (9) Finished request
> >
> >
> >
> > in ldap config file, part related user and groups looks like below:
> >
> > user {
> > base_dn = "dc=test,dc=ad,dc=com"
> > filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
> > }
> > group {
> >
> > base_dn ="dc=test,dc=ad,dc=com"
> > filter = "(objectClass=posixGroup)"
> > name_attribute = cn
> > membership_filter =
> > "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> > membership_attribute = "memberOf"
> > }
> >
> >
> > Why freeradius can't match group "computers" to user "newuser"?
> >
> > I would be very glad on any help
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> your filter and membership_filter directives conflict.
>
> the objectClass posixGroup uses the memberUid attribute, while the
> objectClass groupOfNames uses the member attribute.
>
> because you are using AD, it should support RFC 2307bis, which makes the
> posixGroup an auxiliary objectClass, and not structural. both
> attributes (member and memberUid) can be defined for the same object,
> but it is likely that only one is used.
>
> get our your favorite LDAP browser (phpLdapAdmin, gq, lat, luma, or
> SoftTerra LDAP Browser for windows) and look at the group object you are
> trying to match on. note the used attributes and adjust your filter and
> membership_filter directives accordingly.
Thank you for reply,
as I understood I've changed :
filter = "(objectClass=posixgroup)" to->
filter = "(objectClass=group)"
and
membership_filter =
"(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
to ->
membership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
and still nothing.
by the way I can't figure out in freeradius output logs part where
system is trying match this filters.
does my configuration is correct to searching groups?
2
1
radiusd debug understanding help needed (EAP session for state 0x... did not finish)
by Zeus Panchenko 06 Jul '15
by Zeus Panchenko 06 Jul '15
06 Jul '15
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
hi,
please, help me to be sure I understand `radiusd -X' output right way ...
some period of time, FR with EAP-TLS + LDAP was working in "test mode" ... now it is not
and I'm trying to understand why
FR: server is v.2.2.6 on FreeBSD 10.1R
WS: wpa_supplicant client on FreeBSD 10.1R
network (LAN) topology: FR <-> 100Mb Switch <-> WS
FR configured with EAP + LDAP and EAP/md5 for MAC auth works fine.
but EAP/tls spawns:
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x8c1a57f7885a5afa did not finish!
WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
on this wiki page for this case it is told:
- - - Follow the instructions given above.
it is what I have folowed
- - - Consider to decreasing the tunnel MTU
there is no tunnel, but decreasing MTU on NIC didn't help
last time I faced this very problem on my VPN and MTU decreasing to 1250
helped well, but now it is not ...
in `radiusd -X' I see this:
- - ---[ quotation start ]-------------------------------------------
...
[files] expand: %{User-Name}, you have came from %{NAS-IP-Address} copper port %{NAS-Port}. -> jdoe-eap, you have came from 192.168.0.1 copper port 14.
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
[ldap] performing user authorization for jdoe-eap
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> jdoe-eap
[ldap] expand: (&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(|(authorizedService=802.1x-mac@xyz)(authorizedService=802.1x-eap@xyz)(authorizedService=802.1x@xyz))) -> (&(cn=jdoe-eap)(|(autho
rizedService=802.1x-mac@xyz)(authorizedService=802.1x-eap@xyz)(authorizedService=802.1x@xyz)))
[ldap] expand: ou=People,dc=xyz -> ou=People,dc=xyz
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=People,dc=xyz, with filter (&(cn=jdoe-eap)(|(authorizedService=802.1x-mac@xyz)(authorizedService=802.1x-eap@xyz)(authorizedService=802.1x@xyz)))
[ldap] performing search in cn=ethernet,ou=rad-profiles,dc=xyz, with filter (objectclass=radiusprofile)
[ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
[ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] radiusSessionTimeout -> Session-Timeout = 900
[ldap] looking for check items in directory...
[ldap] userPassword -> Cleartext-Password == "jdoe-eap"
[ldap] userPassword -> Password-With-Header == "jdoe-eap"
[ldap] looking for reply items in directory...
[ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "3495"
[ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
[ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] radiusServiceType -> Service-Type = Framed-User
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
- - ---[ quotation end ]-------------------------------------------
so, am I correct? here it is written that LDAP auth performed successfully
further:
- - ---[ quotation start ]-------------------------------------------
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
...
- - ---[ quotation end ]-------------------------------------------
what does these rows mean?
- - ---[ quotation start ]-------------------------------------------
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
- - ---[ quotation end ]-------------------------------------------
wpa_supplicant debug shows this:
- - ---[ quotation start ]-------------------------------------------
...
1434988426.933490: SSL: (where=0x1001 ret=0x1)
1434988426.933492: SSL: SSL_connect:SSLv3 read server hello A
1434988426.933731: TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=1 buf='/C=AU/ST=SDN/L=Sidney/O=RADIUS/OU=RADIUS/CN=changeme/emailAddress=security@xyz'
1434988426.933736: igb0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=AU/ST=SDN/L=Sidney/O=RADIUS/OU=RADIUS/CN=xyz-ca/emailAddress=security@xyz'
1434988426.933738: EAP: Status notification: remote certificate verification (param=success)
1434988426.933814: TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=0 buf='/C=AU/ST=SDN/L=Sidney/O=RADIUS/OU=RADIUS/CN=office1.xyz/emailAddress=security@xyz'
1434988426.933818: igb0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=AU/ST=SDN/L=Sidney/O=RADIUS/OU=RADIUS/CN=office1.xyz/emailAddress=security@xyz'
1434988426.934102: EAP: Status notification: remote certificate verification (param=success)
1434988426.934106: SSL: (where=0x1001 ret=0x1)
1434988457.029252: SSL: SSL_connect:SSLv3 write finished A
1434988457.029254: SSL: (where=0x1001 ret=0x1)
1434988457.029255: SSL: SSL_connect:SSLv3 flush data
1434988457.029257: SSL: (where=0x1002 ret=0xffffffff)
1434988457.029258: SSL: SSL_connect:error in SSLv3 read finished A
1434988457.029260: SSL: SSL_connect - want more data
1434988457.029262: SSL: 2750 bytes pending from ssl_out
1434988457.029264: SSL: 2750 bytes left to be sent out (of total 2750 bytes)
1434988457.029266: SSL: sending 1398 bytes, more fragments will follow
1434988457.029268: EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
1434988457.029270: EAP: EAP entering state SEND_RESPONSE
1434988457.029272: EAP: EAP entering state IDLE
1434988457.029273: EAPOL: SUPP_BE entering state RESPONSE
1434988457.029274: EAPOL: txSuppRsp
1434988457.029276: TX EAPOL: dst=01:80:c2:00:00:03
1434988457.029278: TX EAPOL - hexdump(len=1412): 01 00 ...
...
1 09 01 16 0c 73 65 63 75 72 69 74 79 40 69 62 73 30 1e 17 0d 31 34 30 33 31 30 31
1434988457.030267: EAPOL: SUPP_BE entering state RECEIVE
...
1434989781.980570: igb0: RX EAPOL from 34:db:fd:81:43:2b
1434989781.980571: RX EAPOL - hexdump(len=46): 01 00 00 04 04 cf 00 04 00 00 ...
1434989781.980579: EAPOL: Received EAP-Packet frame
1434989781.980580: EAPOL: SUPP_BE entering state REQUEST
1434989781.980581: EAPOL: getSuppRsp
1434989781.980582: EAP: EAP entering state RECEIVED
1434989781.980584: EAP: Received EAP-Failure
1434989781.980585: EAP: Status notification: completion (param=failure)
1434989781.980587: EAP: EAP entering state FAILURE
1434989781.980589: igb0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
1434989781.980590: EAPOL: SUPP_PAE entering state HELD
1434989781.980591: EAPOL: Supplicant port status: Unauthorized
1434989781.980593: EAPOL: SUPP_BE entering state RECEIVE
1434989781.980594: EAPOL: SUPP_BE entering state FAIL
1434989781.980595: EAPOL: SUPP_BE entering state IDLE
1434989781.980596: EAPOL authentication completed unsuccessfully
...
- - ---[ quotation end ]-------------------------------------------
looks like OpenSSL related something, is it?
so, may somebody advise where to look at? how to know who is guilty?
- --
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlWIPtsACgkQr3jpPg/3oyoZIwCg5AcO12uDdmpWBPvLskHTp4ct
X3IAn0QOx/e0dLm+6erzEMKeTW6LB5Z2
=DtVP
-----END PGP SIGNATURE-----
6
24
> myserver:389
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] performing search in dc=3Dad,dc=3D****,dc=3Dfr, with filter
> sAMAccountName=3Dhatim
> [ldap] rebind to URL ldap://*****
> [ldap] rebind to URL ldap://*****
> [ldap] rebind to URL ldap://*****
> [ldap] no uid attribute - access denied by default
>Active Directory has no uid by default. The schema needs to be extended to
provide it. And most provisioning software does not populate it even if it
exists.
So this was the problem, I changed the value uid and set "sAMAccountName"
and now it works.
Thank you guys for you help.
I have an other question, the ldap search is taking too much time, more
than 10 seconds.
I don't know if there is a way to speed up the search??
Thanks!
2015-07-06 16:10 GMT+02:00 Hatim CHIKHI <hatim.networking(a)gmail.com>:
> > myserver:389
> > [ldap] waiting for bind result ...
> > [ldap] Bind was successful
> > [ldap] performing search in dc=3Dad,dc=3D****,dc=3Dfr, with filter
> > sAMAccountName=3Dhatim
> > [ldap] rebind to URL ldap://*****
> > [ldap] rebind to URL ldap://*****
> > [ldap] rebind to URL ldap://*****
> > [ldap] no uid attribute - access denied by default
>
> >Active Directory has no uid by default. The schema needs to be extended
> to provide it. And most provisioning software does not populate it even if
> it exists.
>
> So this was the problem, I changed the value uid and set "sAMAccountName"
> and now it works.
> Thank you guys for you help.
>
>
> I have an other question, the ldap search is taking too much time, more
> than 10 seconds.
> I don't know if there is a way to speed up the search??
>
>
> Thanks!
>
> 2015-07-03 18:05 GMT+02:00 Hatim CHIKHI <hatim.networking(a)gmail.com>:
>
>>
>> >When FreeRADIUS does the search for the user, it gets nothing.
>> >
>> > Perhaps because the search string is broken?
>>
>> But I get a result when I issue the search with ldapsearch
>>
>>
>> >That doesn't look right. Where does that string come from?
>> The 3D is added by gmail so it's not a problem
>>
>>
>>
>> 2015-07-03 15:25 GMT+02:00 Alan DeKok-2 [via FreeRADIUS] <
>> ml-node+s1045715n5735114h65(a)n5.nabble.com>:
>>
>>> On Jul 3, 2015, at 7:01 AM, Hatim CHIKHI <[hidden email]
>>> <http:///user/SendEmail.jtp?type=node&node=5735114&i=0>> wrote:
>>> > When I issue an ldap search I get many information about the user I'm
>>> > looking for but I'm not sure if the search is successful:
>>>
>>> When FreeRADIUS does the search for the user, it gets nothing.
>>>
>>> Perhaps because the search string is broken?
>>>
>>> > In the radius logs, this time I'm getting this error:
>>> >
>>> > [ldap] performing user authorization for hatim
>>> > [ldap] expand: sAMAccountName=3D%{User-Name} ->
>>> sAMAccountName=3Dhatim
>>> > [ldap] expand: dc=3Dad,dc=3D****,dc=3Dfr -> dc=3Dad,dc=3D****,dc=3Dfr
>>>
>>> That doesn't look right. Where does that string come from?
>>>
>>> Alan DeKok.
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>>
>>> ------------------------------
>>> If you reply to this email, your message will be added to the
>>> discussion below:
>>>
>>> http://freeradius.1045715.n5.nabble.com/LDAP-search-failed-tp5735079p573511…
>>> To unsubscribe from FreeRADIUS, click here
>>> <http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsu…>
>>> .
>>> NAML
>>> <http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macr…>
>>>
>>
>>
>
2
1
Hi,
We are configuring FreeRadius with Mikrotik router. All the expected things
are working but the maximum data usage allowed for a user is showing some
issues.
mysql> select * from radusergroup;
+-----------+-----------+----------+
| username | groupname | priority |
+-----------+-----------+----------+
*| lukup | testing | 1 |*
mysql> select * from radgroupcheck;
+----+---------------------------+---------------------+----+--------------+
| id | groupname | attribute | op | value |
+----+---------------------------+---------------------+----+--------------+
| 1 | daloRADIUS-Disabled-Users | Auth-Type | := | Reject |
| 25 | testing | Mikrotik-Rate-Limit | := | 1024k/1024k |
*| 26 | testing | Max-Data | := | 5368709120
|*
But its not taking the Max-Data value as defined. Its taking maximum 4GB.
Fri Jul 3 14:20:31 2015 : Info: [acct_unique] Hashing 'NAS-Port =
2162163720,NAS-Identifier = "MikroTik",NAS-IP-Address =
192.168.1.1,Acct-Session-Id = "80e00008",User-Name = "lukup"'
Fri Jul 3 14:20:31 2015 : Info: [sql] expand: %{User-Name} -> lukup
Fri Jul 3 14:20:31 2015 : Info: [sql] sql_set_user escaped user --> 'lukup'
Fri Jul 3 14:20:31 2015 : Info: [sql] expand: %{Acct-Input-Gigawords} -> 0
Fri Jul 3 14:20:31 2015 : Info: [sql] expand: %{Acct-Input-Octets} ->
397958
Fri Jul 3 14:20:31 2015 : Info: [sql] expand: %{Acct-Output-Gigawords} ->
0
Fri Jul 3 14:20:31 2015 : Info: [sql] expand: %{Acct-Output-Octets} ->
10134336
Fri Jul 3 14:20:31 2015 : Info: [sql] expand: UPDATE radacct
SET framedipaddress = '%{Framed-IP-Address}',
acctsessiontime = '%{Acct-Session-Time}',
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}',
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}' WHERE
acctsessionid = '%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}' ->
UPDATE radacct SET framedipaddress =
'192.168.1.178', acctsessiontime = '61',
acctinputoctets = '0' << 32 |
'397958', acctoutputoctets = '0' << 32 |
'10134336' WHERE acctsessionid = '80e00008'
AND username = 'lukup' AND n
Fri Jul 3 14:20:31 2015 : Debug: rlm_sql (sql): Reserving sql socket id: 0
Fri Jul 3 14:20:31 2015 : Debug: rlm_sql (sql): Released sql socket id: 0
Fri Jul 3 14:20:31 2015 : Info: ++[sql] = ok
Fri Jul 3 14:20:31 2015 : Info: ++update control {
Fri Jul 3 14:20:31 2015 : Info: sql_xlat
Fri Jul 3 14:20:31 2015 : Info: expand: %{User-Name} -> lukup
Fri Jul 3 14:20:31 2015 : Info: sql_set_user escaped user --> 'lukup'
Fri Jul 3 14:20:31 2015 : Info: expand: SELECT
(SUM(acctinputoctets)+SUM(acctoutputoctets)) AS Total FROM radacct where
radacct.username='%{User-Name}' -> SELECT
(SUM(acctinputoctets)+SUM(acctoutputoctets)) AS Total FROM radacct where
radacct.username='lukup'
Fri Jul 3 14:20:31 2015 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Fri Jul 3 14:20:31 2015 : Info: sql_xlat finished
Fri Jul 3 14:20:31 2015 : Debug: rlm_sql (sql): Released sql socket id: 4
Fri Jul 3 14:20:31 2015 : Info: expand: %{sql:SELECT
(SUM(acctinputoctets)+SUM(acctoutputoctets)) AS Total FROM radacct where
radacct.username='%{User-Name}'} -> 79051669
Fri Jul 3 14:20:31 2015 : Info: sql_xlat
Fri Jul 3 14:20:31 2015 : Info: expand: %{User-Name} -> lukup
Fri Jul 3 14:20:31 2015 : Info: sql_set_user escaped user --> 'lukup'
Fri Jul 3 14:20:31 2015 : Info: expand: SELECT radgroupcheck.value
FROM radusergroup INNER JOIN radgroupcheck ON radusergroup.groupname =
radgroupcheck.groupname WHERE radusergroup.username='%{User-Name}' AND
radgroupcheck.attribute='Max-Data' -> SELECT radgroupcheck.value FROM
radusergroup INNER JOIN radgroupcheck ON radusergroup.groupname =
radgroupcheck.groupname WHERE radusergroup.username='lukup' AND
radgroupcheck.attribute='Max-Data'
Fri Jul 3 14:20:31 2015 : Debug: rlm_sql (sql): Reserving sql socket id: 3
Fri Jul 3 14:20:31 2015 : Info: sql_xlat finished
Fri Jul 3 14:20:31 2015 : Debug: rlm_sql (sql): Released sql socket id: 3
Fri Jul 3 14:20:31 2015 : Info: expand: %{sql: SELECT
radgroupcheck.value FROM radusergroup INNER JOIN radgroupcheck ON
radusergroup.groupname = radgroupcheck.groupname WHERE
radusergroup.username='%{User-Name}' AND
radgroupcheck.attribute='Max-Data'} -> 5368709120
Fri Jul 3 14:20:31 2015 : Info: sql_xlat
Fri Jul 3 14:20:31 2015 : Info: expand: %{User-Name} -> lukup
Fri Jul 3 14:20:31 2015 : Info: sql_set_user escaped user --> 'lukup'
Fri Jul 3 14:20:31 2015 : Info: expand: SELECT radgroupcheck.value
FROM radusergroup INNER JOIN radgroupcheck ON radusergroup.groupname =
radgroupcheck.groupname WHERE radusergroup.username='%{User-Name}' AND
radgroupcheck.attribute='Mikrotik-Rate-Limit' -> SELECT
radgroupcheck.value FROM radusergroup INNER JOIN radgroupcheck ON
radusergroup.groupname = radgroupcheck.groupname WHERE
radusergroup.username='lukup' AND
radgroupcheck.attribute='Mikrotik-Rate-Limit'
Fri Jul 3 14:20:31 2015 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Fri Jul 3 14:20:31 2015 : Info: sql_xlat finished
Fri Jul 3 14:20:31 2015 : Debug: rlm_sql (sql): Released sql socket id: 2
Fri Jul 3 14:20:31 2015 : Info: expand: %{sql: SELECT
radgroupcheck.value FROM radusergroup INNER JOIN radgroupcheck ON
radusergroup.groupname = radgroupcheck.groupname WHERE
radusergroup.username='%{User-Name}' AND
radgroupcheck.attribute='Mikrotik-Rate-Limit'} -> 1024k/1024k
Fri Jul 3 14:20:31 2015 : Info: ++} # update control = noop
Fri Jul 3 14:20:31 2015 : Info: ++? if ("%{control:Tmp-Integer-0}" >
"%{control:Tmp-Integer-1}")
Fri Jul 3 14:20:31 2015 : Info: expand: %{control:Tmp-Integer-0} ->
79051669
Fri Jul 3 14:20:31 2015 : Info: *expand: %{control:Tmp-Integer-1}
-> 4294967295*
Fri Jul 3 14:20:31 2015 : Info: ? Evaluating ("%{control:Tmp-Integer-0}" >
"%{control:Tmp-Integer-1}") -> FALSE
Fri Jul 3 14:20:31 2015 : Info: ++? if ("%{control:Tmp-Integer-0}" >
"%{control:Tmp-Integer-1}") -> FALSE
We have to limit the max data limit for the user as 30. How we can do it?
We have to use gigawords? can anyone advice on how this can be done.
--
Randeep
Mob: +919447831699[kerala]
Mob: +919880050349[B'lore]
http://twitter.com/Randeeppr
http://in.linkedin.com/in/randeeppr
[image: --]
Randeep Raman
[image: http://]about.me/Randeeppr
<http://about.me/Randeeppr>
4
6
Hello, i'm trying to get to work Expiration. I creating system which add
time to Expiration and stack if someone clicked some offer.
For example:
User clicked in captive portal offer at 8:00 and it gives a Expiration to
8:10. Then user clicked again offer in captive portal at 8:05 and it gives
time to 8:20. But my problem is:
if user log in in 8:00 it will disconnect him at 8:10 and he need to
"relog" to system.
I want to make a "update" that will not disconnect user at 8:10 but at 8:20
, because time will be stacked.
Sorry for my english, hope you understand something.
Jakub
1
0
freeradius doesn't see user in group (Active Directory) but user belong to this group
by stefan nowak 04 Jul '15
by stefan nowak 04 Jul '15
04 Jul '15
Hi All,
since few days I've stocked with configuration freeradius. All works good
except one thing. I can't get info from Active Directory to freeradius in
which group user belong (this one I need to set vlan depend on group).
My version freeradius is 3.0.4
as you can see below user "newuser" participate in group "computers",
here`s output from ldapsearch:
dn: CN=newuser,CN=Users,DC=test,DC=ad,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: newuser
givenName: newuser
distinguishedName: CN=newuser,CN=Users,DC=test,DC=ad,DC=com
instanceType: 4
whenCreated: 20150702132126.0Z
whenChanged: 20150703105127.0Z
displayName: newuser
uSNCreated: 82039
memberOf: CN=computers,CN=Users,DC=test,DC=ad,DC=com
uSNChanged: 90187
name: newuser
objectGUID:: XX+6g4wMJEGdDfEOZF5Rgw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130803168865078125
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAR3zVX0Ki+LP5AMXOVQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: newuser
sAMAccountType: 805306368
userPrincipalName: newuser(a)test.ad.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=ad,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130803172388710937
from log output I see that user "newuser" get access-accept but freeradius
didn`t find him in group "computers" here is output:
Received Access-Request Id 182 from 192.168.0.2:1812 to 192.168.0.10:1812
length 129
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0200000c016e657775736572
Message-Authenticator = 0x4331712c3046bdcd9eb1614539cc6375
(0) Received Access-Request packet from host 192.168.0.2 port 1812, id=182,
length=129
(0) NAS-IP-Address = 192.168.0.2
(0) NAS-Port = 50024
(0) NAS-Port-Type = Ethernet
(0) User-Name = 'newuser'
(0) Called-Station-Id = '00-16-9D-D3-40-D8'
(0) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(0) Service-Type = Framed-User
(0) Framed-MTU = 1500
(0) EAP-Message = 0x0200000c016e657775736572
(0) Message-Authenticator = 0x4331712c3046bdcd9eb1614539cc6375
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ )
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\\.$/)
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\\./)
(0) if (&User-Name =~ /(a)\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) eap : Peer sent code Response (2) ID 0 length 12
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap : Peer sent method Identity (1)
(0) eap : Calling eap_peap to process EAP data
(0) eap_peap : Flushing SSL sessions (of #0)
(0) eap_peap : Initiate
(0) eap_peap : Start returned 1
(0) eap : New EAP session, adding 'State' attribute to reply
0x0e9027300e913e66
(0) [eap] = handled
(0) } # authenticate = handled
(0) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=182,
length=0
(0) EAP-Message = 0x010100061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x0e9027300e913e6603c734ef610afcab
Sending Access-Challenge Id 182 from 192.168.0.10:1812 to 192.168.0.2:1812
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e9027300e913e6603c734ef610afcab
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 183 from 192.168.0.2:1812 to 192.168.0.10:1812
length 276
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0e9027300e913e6603c734ef610afcab
EAP-Message =
0x0201008d198000000083160301007e0100007a0301559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f320fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d940018002f00350005000ac013c014c009c00a003200380013000401000019ff01000100000a0006000400170018000b0002010000230000
Message-Authenticator = 0x266af039e3fea82832098be1d93cc75f
(1) Received Access-Request packet from host 192.168.0.2 port 1812, id=183,
length=276
(1) NAS-IP-Address = 192.168.0.2
(1) NAS-Port = 50024
(1) NAS-Port-Type = Ethernet
(1) User-Name = 'newuser'
(1) Called-Station-Id = '00-16-9D-D3-40-D8'
(1) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(1) Service-Type = Framed-User
(1) Framed-MTU = 1500
(1) State = 0x0e9027300e913e6603c734ef610afcab
(1) EAP-Message =
0x0201008d198000000083160301007e0100007a0301559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f320fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d940018002f00350005000ac013c014c009c00a003200380013000401000019ff01000100000a0006000400170018000b0002010000230000
(1) Message-Authenticator = 0x266af039e3fea82832098be1d93cc75f
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) if (!&User-Name)
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /)
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ )
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\\.\\./ )
(1) if (&User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\\.$/)
(1) if (&User-Name =~ /\\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\\./)
(1) if (&User-Name =~ /(a)\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : Checking for suffix after "@"
(1) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(1) suffix : No such realm "NULL"
(1) [suffix] = noop
(1) eap : Peer sent code Response (2) ID 1 length 141
(1) eap : Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap : Expiring EAP session with state 0x0e9027300e913e66
(1) eap : Finished EAP session with state 0x0e9027300e913e66
(1) eap : Previous EAP request found for state 0x0e9027300e913e66,
released from the list
(1) eap : Peer sent method PEAP (25)
(1) eap : EAP PEAP (25)
(1) eap : Calling eap_peap to process EAP data
(1) eap_peap : processing EAP-TLS
TLS Length 131
(1) eap_peap : Length Included
(1) eap_peap : eaptls_verify returned 11
(1) eap_peap : (other): before/accept initialization
(1) eap_peap : TLS_accept: before/accept initialization
(1) eap_peap : <<< TLS 1.0 Handshake [length 007e], ClientHello
SSL: Client requested cached session
fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d94
(1) eap_peap : TLS_accept: SSLv3 read client hello A
(1) eap_peap : >>> TLS 1.0 Handshake [length 0051], ServerHello
(1) eap_peap : TLS_accept: SSLv3 write server hello A
(1) eap_peap : >>> TLS 1.0 Handshake [length 08d0], Certificate
(1) eap_peap : TLS_accept: SSLv3 write certificate A
(1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) eap_peap : TLS_accept: SSLv3 write server done A
(1) eap_peap : TLS_accept: SSLv3 flush data
(1) eap_peap : TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
(1) eap_peap : eaptls_process returned 13
(1) eap_peap : FR_TLS_HANDLED
(1) eap : New EAP session, adding 'State' attribute to reply
0x0e9027300f923e66
(1) [eap] = handled
(1) } # authenticate = handled
(1) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=183,
length=0
(1) EAP-Message =
0x010203ec19c00000093416030100510200004d030155967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b3132048fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4002f000005ff0100010016030108d00b0008cc0008c90003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100cb6b06d9bfe3e7b3b07012c1ffbeb410e02e9a2c
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x0e9027300f923e6603c734ef610afcab
Sending Access-Challenge Id 183 from 192.168.0.10:1812 to 192.168.0.2:1812
EAP-Message =
0x010203ec19c00000093416030100510200004d030155967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b3132048fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4002f000005ff0100010016030108d00b0008cc0008c90003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100cb6b06d9bfe3e7b3b07012c1ffbeb410e02e9a2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e9027300f923e6603c734ef610afcab
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 184 from 192.168.0.2:1812 to 192.168.0.10:1812
length 141
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0e9027300f923e6603c734ef610afcab
EAP-Message = 0x020200061900
Message-Authenticator = 0x8f82b650b4b634e464ffc5f8d5f78feb
(2) Received Access-Request packet from host 192.168.0.2 port 1812, id=184,
length=141
(2) NAS-IP-Address = 192.168.0.2
(2) NAS-Port = 50024
(2) NAS-Port-Type = Ethernet
(2) User-Name = 'newuser'
(2) Called-Station-Id = '00-16-9D-D3-40-D8'
(2) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(2) Service-Type = Framed-User
(2) Framed-MTU = 1500
(2) State = 0x0e9027300f923e6603c734ef610afcab
(2) EAP-Message = 0x020200061900
(2) Message-Authenticator = 0x8f82b650b4b634e464ffc5f8d5f78feb
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) filter_username filter_username {
(2) if (!&User-Name)
(2) if (!&User-Name) -> FALSE
(2) if (&User-Name =~ / /)
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@.*@/ )
(2) if (&User-Name =~ /@.*@/ ) -> FALSE
(2) if (&User-Name =~ /\\.\\./ )
(2) if (&User-Name =~ /\\.\\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\\.$/)
(2) if (&User-Name =~ /\\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\\./)
(2) if (&User-Name =~ /(a)\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix : Checking for suffix after "@"
(2) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(2) suffix : No such realm "NULL"
(2) [suffix] = noop
(2) eap : Peer sent code Response (2) ID 2 length 6
(2) eap : Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap : Expiring EAP session with state 0x0e9027300f923e66
(2) eap : Finished EAP session with state 0x0e9027300f923e66
(2) eap : Previous EAP request found for state 0x0e9027300f923e66,
released from the list
(2) eap : Peer sent method PEAP (25)
(2) eap : EAP PEAP (25)
(2) eap : Calling eap_peap to process EAP data
(2) eap_peap : processing EAP-TLS
(2) eap_peap : Received TLS ACK
(2) eap_peap : Received TLS ACK
(2) eap_peap : ACK handshake fragment handler
(2) eap_peap : eaptls_verify returned 1
(2) eap_peap : eaptls_process returned 13
(2) eap_peap : FR_TLS_HANDLED
(2) eap : New EAP session, adding 'State' attribute to reply
0x0e9027300c933e66
(2) [eap] = handled
(2) } # authenticate = handled
(2) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=184,
length=0
(2) EAP-Message =
0x010303e819405dadee37810b310ed26be4bf84d74c93ed4bec31d3134bb7a82b63f7c127649298b74b8aaa1cb9fcc7f38620180bc143afd04d038ef800534cc721eb60db5cbc61c6b9b07e52b2be16b702215ff87201c227e511bc39694982461c2d21008a4b0a0004e5308204e1308203c9a003020102020900d341ec42790a6fe5300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x0e9027300c933e6603c734ef610afcab
Sending Access-Challenge Id 184 from 192.168.0.10:1812 to 192.168.0.2:1812
EAP-Message =
0x010303e819405dadee37810b310ed26be4bf84d74c93ed4bec31d3134bb7a82b63f7c127649298b74b8aaa1cb9fcc7f38620180bc143afd04d038ef800534cc721eb60db5cbc61c6b9b07e52b2be16b702215ff87201c227e511bc39694982461c2d21008a4b0a0004e5308204e1308203c9a003020102020900d341ec42790a6fe5300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f00308
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e9027300c933e6603c734ef610afcab
(2) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 185 from 192.168.0.2:1812 to 192.168.0.10:1812
length 141
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0e9027300c933e6603c734ef610afcab
EAP-Message = 0x020300061900
Message-Authenticator = 0x4612243013b59207a7128ea3f82af7c3
(3) Received Access-Request packet from host 192.168.0.2 port 1812, id=185,
length=141
(3) NAS-IP-Address = 192.168.0.2
(3) NAS-Port = 50024
(3) NAS-Port-Type = Ethernet
(3) User-Name = 'newuser'
(3) Called-Station-Id = '00-16-9D-D3-40-D8'
(3) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(3) Service-Type = Framed-User
(3) Framed-MTU = 1500
(3) State = 0x0e9027300c933e6603c734ef610afcab
(3) EAP-Message = 0x020300061900
(3) Message-Authenticator = 0x4612243013b59207a7128ea3f82af7c3
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) filter_username filter_username {
(3) if (!&User-Name)
(3) if (!&User-Name) -> FALSE
(3) if (&User-Name =~ / /)
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@.*@/ )
(3) if (&User-Name =~ /@.*@/ ) -> FALSE
(3) if (&User-Name =~ /\\.\\./ )
(3) if (&User-Name =~ /\\.\\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\\.$/)
(3) if (&User-Name =~ /\\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\\./)
(3) if (&User-Name =~ /(a)\\./) -> FALSE
(3) } # filter_username filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix : Checking for suffix after "@"
(3) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(3) suffix : No such realm "NULL"
(3) [suffix] = noop
(3) eap : Peer sent code Response (2) ID 3 length 6
(3) eap : Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap : Expiring EAP session with state 0x0e9027300c933e66
(3) eap : Finished EAP session with state 0x0e9027300c933e66
(3) eap : Previous EAP request found for state 0x0e9027300c933e66,
released from the list
(3) eap : Peer sent method PEAP (25)
(3) eap : EAP PEAP (25)
(3) eap : Calling eap_peap to process EAP data
(3) eap_peap : processing EAP-TLS
(3) eap_peap : Received TLS ACK
(3) eap_peap : Received TLS ACK
(3) eap_peap : ACK handshake fragment handler
(3) eap_peap : eaptls_verify returned 1
(3) eap_peap : eaptls_process returned 13
(3) eap_peap : FR_TLS_HANDLED
(3) eap : New EAP session, adding 'State' attribute to reply
0x0e9027300d943e66
(3) [eap] = handled
(3) } # authenticate = handled
(3) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=185,
length=0
(3) EAP-Message =
0x0104017619007479820900d341ec42790a6fe5300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100ac39c26dec50bba63993d15c97f83ed294499bc6f92436a1b253966ce768d892d9c68aae360018347c9c54833061317e8c1768250d6cccc4adcf063a0e86c81dc9cff914de4d42cf06568494ce9ee4ae6852654d5160cabfe64f82e2ffea66c370698f88f72345954429fe25a91d10626e004dccc58a222bdae41daf083ca5259bae8f896a62454d37d648ca30dcde05f947866efc0ed7d73e7671954218729559ea417e6300a28cb165d68d2591e811118edd483888e77ab2695dde4c325340ea840f56fb31837fcf733069a89ed1f320b33a95572350fda6a7fbcfa850c719334e496b5ae294ee8769b9617ae8bf7830c86e79e0628d25a49a7a7afa6471ab16030100040e000000
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x0e9027300d943e6603c734ef610afcab
Sending Access-Challenge Id 185 from 192.168.0.10:1812 to 192.168.0.2:1812
EAP-Message =
0x0104017619007479820900d341ec42790a6fe5300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100ac39c26dec50bba63993d15c97f83ed294499bc6f92436a1b253966ce768d892d9c68aae360018347c9c54833061317e8c1768250d6cccc4adcf063a0e86c81dc9cff914de4d42cf06568494ce9ee4ae6852654d5160cabfe64f82e2ffea66c370698f88f72345954429fe25a91d10626e004dccc58a222bdae41daf083ca5259bae8f896a62454d37d648ca30dcde05f947866efc0ed7d73e7671954218729559ea417e6300a28cb165d68d2591e811118edd483888e77ab2695dde4c325340ea840f56fb31837fcf733069a89ed1f320b33a95572350fda6a7fbcfa850c719334e496b5ae294ee8769b9617ae8bf7830c86e79e0628d25a49a7a7afa6471ab16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e9027300d943e6603c734ef610afcab
(3) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 186 from 192.168.0.2:1812 to 192.168.0.10:1812
length 473
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0e9027300d943e6603c734ef610afcab
EAP-Message =
0x0204015019800000014616030101061000010201009c140457a5001869d3c4409886b6381ffbb3a3b2e588b5c1a8d432a0577faee12a585e5772dcbbcd7f54d7841cd2ef3c4241655a7ecca77efe6bbb11ef29698031973a611a05c0f2da4e21b11aec38e086460f2218cfa58a027596405e8a0b1e608f06424528ac7c978de90b5c6cb179a2d9e3eb016a85cd20e2d43c142a0af7a4b00f6e57348fe41e154b44a604fbf973d99b09af607f745a2045874f5870b878f1bfccfa1b5219a0cb60ad9bb7dca77628afeee09efe1b394bbbecff907c0e5b23bd8622b38a360cde10bf3bb568ba3e577b78a9e793d9204e5188976028b9873709604f2a1272a978745544efe39db3a4ceecf16dbab756ca4e7419a14e621403010001011603010030193a998b6522faa35707604a4ba153d81f0838c651a0a8f14679c6507654ef48ef301afcfcca06e70df0f907841c7cbd
Message-Authenticator = 0x1b895bbbb9e7981ab29d96346a062a54
(4) Received Access-Request packet from host 192.168.0.2 port 1812, id=186,
length=473
(4) NAS-IP-Address = 192.168.0.2
(4) NAS-Port = 50024
(4) NAS-Port-Type = Ethernet
(4) User-Name = 'newuser'
(4) Called-Station-Id = '00-16-9D-D3-40-D8'
(4) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(4) Service-Type = Framed-User
(4) Framed-MTU = 1500
(4) State = 0x0e9027300d943e6603c734ef610afcab
(4) EAP-Message =
0x0204015019800000014616030101061000010201009c140457a5001869d3c4409886b6381ffbb3a3b2e588b5c1a8d432a0577faee12a585e5772dcbbcd7f54d7841cd2ef3c4241655a7ecca77efe6bbb11ef29698031973a611a05c0f2da4e21b11aec38e086460f2218cfa58a027596405e8a0b1e608f06424528ac7c978de90b5c6cb179a2d9e3eb016a85cd20e2d43c142a0af7a4b00f6e57348fe41e154b44a604fbf973d99b09af607f745a2045874f5870b878f1bfccfa1b5219a0cb60ad9bb7dca77628afeee09efe1b394bbbecff907c0e5b23bd8622b38a360cde10bf3bb568ba3e577b78a9e793d9204e5188976028b9873709604f2a1272a978745544efe39db3a4ceecf16dbab756ca4e7419a14e621403010001011603010030193a998b6522faa35707604a4ba153d81f0838c651a0a8f14679c6507654ef48ef301afcfcca06e70df0f907841c7cbd
(4) Message-Authenticator = 0x1b895bbbb9e7981ab29d96346a062a54
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) filter_username filter_username {
(4) if (!&User-Name)
(4) if (!&User-Name) -> FALSE
(4) if (&User-Name =~ / /)
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@.*@/ )
(4) if (&User-Name =~ /@.*@/ ) -> FALSE
(4) if (&User-Name =~ /\\.\\./ )
(4) if (&User-Name =~ /\\.\\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\\.$/)
(4) if (&User-Name =~ /\\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\\./)
(4) if (&User-Name =~ /(a)\\./) -> FALSE
(4) } # filter_username filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix : Checking for suffix after "@"
(4) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(4) suffix : No such realm "NULL"
(4) [suffix] = noop
(4) eap : Peer sent code Response (2) ID 4 length 336
(4) eap : Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap : Expiring EAP session with state 0x0e9027300d943e66
(4) eap : Finished EAP session with state 0x0e9027300d943e66
(4) eap : Previous EAP request found for state 0x0e9027300d943e66,
released from the list
(4) eap : Peer sent method PEAP (25)
(4) eap : EAP PEAP (25)
(4) eap : Calling eap_peap to process EAP data
(4) eap_peap : processing EAP-TLS
TLS Length 326
(4) eap_peap : Length Included
(4) eap_peap : eaptls_verify returned 11
(4) eap_peap : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
(4) eap_peap : TLS_accept: SSLv3 read client key exchange A
(4) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap : TLS_accept: SSLv3 read finished A
(4) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap : TLS_accept: SSLv3 write change cipher spec A
(4) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap : TLS_accept: SSLv3 write finished A
(4) eap_peap : TLS_accept: SSLv3 flush data
SSL: adding session
48fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4 to cache
(4) eap_peap : (other): SSL negotiation finished successfully
SSL Connection Established
(4) eap_peap : eaptls_process returned 13
(4) eap_peap : FR_TLS_HANDLED
(4) eap : New EAP session, adding 'State' attribute to reply
0x0e9027300a953e66
(4) [eap] = handled
(4) } # authenticate = handled
(4) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=186,
length=0
(4) EAP-Message =
0x0105004119001403010001011603010030aae4f10e97ee19adae53413d9aa1d8d43c053c8d9e737783e7b55e6ba93fe09df382bb6903423cc0a3e1e7c0d7581e6f
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x0e9027300a953e6603c734ef610afcab
Sending Access-Challenge Id 186 from 192.168.0.10:1812 to 192.168.0.2:1812
EAP-Message =
0x0105004119001403010001011603010030aae4f10e97ee19adae53413d9aa1d8d43c053c8d9e737783e7b55e6ba93fe09df382bb6903423cc0a3e1e7c0d7581e6f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e9027300a953e6603c734ef610afcab
(4) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 187 from 192.168.0.2:1812 to 192.168.0.10:1812
length 141
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0e9027300a953e6603c734ef610afcab
EAP-Message = 0x020500061900
Message-Authenticator = 0xdac0ce591021e82f7d39f28aef2399d2
(5) Received Access-Request packet from host 192.168.0.2 port 1812, id=187,
length=141
(5) NAS-IP-Address = 192.168.0.2
(5) NAS-Port = 50024
(5) NAS-Port-Type = Ethernet
(5) User-Name = 'newuser'
(5) Called-Station-Id = '00-16-9D-D3-40-D8'
(5) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(5) Service-Type = Framed-User
(5) Framed-MTU = 1500
(5) State = 0x0e9027300a953e6603c734ef610afcab
(5) EAP-Message = 0x020500061900
(5) Message-Authenticator = 0xdac0ce591021e82f7d39f28aef2399d2
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) filter_username filter_username {
(5) if (!&User-Name)
(5) if (!&User-Name) -> FALSE
(5) if (&User-Name =~ / /)
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@.*@/ )
(5) if (&User-Name =~ /@.*@/ ) -> FALSE
(5) if (&User-Name =~ /\\.\\./ )
(5) if (&User-Name =~ /\\.\\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\\.$/)
(5) if (&User-Name =~ /\\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\\./)
(5) if (&User-Name =~ /(a)\\./) -> FALSE
(5) } # filter_username filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix : Checking for suffix after "@"
(5) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(5) suffix : No such realm "NULL"
(5) [suffix] = noop
(5) eap : Peer sent code Response (2) ID 5 length 6
(5) eap : Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap : Expiring EAP session with state 0x0e9027300a953e66
(5) eap : Finished EAP session with state 0x0e9027300a953e66
(5) eap : Previous EAP request found for state 0x0e9027300a953e66,
released from the list
(5) eap : Peer sent method PEAP (25)
(5) eap : EAP PEAP (25)
(5) eap : Calling eap_peap to process EAP data
(5) eap_peap : processing EAP-TLS
(5) eap_peap : Received TLS ACK
(5) eap_peap : Received TLS ACK
(5) eap_peap : ACK handshake is finished
(5) eap_peap : eaptls_verify returned 3
(5) eap_peap : eaptls_process returned 3
(5) eap_peap : FR_TLS_SUCCESS
(5) eap_peap : Session established. Decoding tunneled attributes
(5) eap_peap : Peap state TUNNEL ESTABLISHED
(5) eap : New EAP session, adding 'State' attribute to reply
0x0e9027300b963e66
(5) [eap] = handled
(5) } # authenticate = handled
(5) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=187,
length=0
(5) EAP-Message =
0x0106002b190017030100201ac493daff282d88bd079004b7a4124bc4a88fcee422591647b8a0784b2254a6
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x0e9027300b963e6603c734ef610afcab
Sending Access-Challenge Id 187 from 192.168.0.10:1812 to 192.168.0.2:1812
EAP-Message =
0x0106002b190017030100201ac493daff282d88bd079004b7a4124bc4a88fcee422591647b8a0784b2254a6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e9027300b963e6603c734ef610afcab
(5) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 188 from 192.168.0.2:1812 to 192.168.0.10:1812
length 178
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0e9027300b963e6603c734ef610afcab
EAP-Message =
0x0206002b19001703010020a4f998f13de99ca28ef10b62394a61c9b1a25d73a60b123f5ad5f64fdd887c6a
Message-Authenticator = 0x1794290733e67632bc38f2f4aa840390
(6) Received Access-Request packet from host 192.168.0.2 port 1812, id=188,
length=178
(6) NAS-IP-Address = 192.168.0.2
(6) NAS-Port = 50024
(6) NAS-Port-Type = Ethernet
(6) User-Name = 'newuser'
(6) Called-Station-Id = '00-16-9D-D3-40-D8'
(6) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(6) Service-Type = Framed-User
(6) Framed-MTU = 1500
(6) State = 0x0e9027300b963e6603c734ef610afcab
(6) EAP-Message =
0x0206002b19001703010020a4f998f13de99ca28ef10b62394a61c9b1a25d73a60b123f5ad5f64fdd887c6a
(6) Message-Authenticator = 0x1794290733e67632bc38f2f4aa840390
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) filter_username filter_username {
(6) if (!&User-Name)
(6) if (!&User-Name) -> FALSE
(6) if (&User-Name =~ / /)
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@.*@/ )
(6) if (&User-Name =~ /@.*@/ ) -> FALSE
(6) if (&User-Name =~ /\\.\\./ )
(6) if (&User-Name =~ /\\.\\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\\.$/)
(6) if (&User-Name =~ /\\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\\./)
(6) if (&User-Name =~ /(a)\\./) -> FALSE
(6) } # filter_username filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix : Checking for suffix after "@"
(6) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(6) suffix : No such realm "NULL"
(6) [suffix] = noop
(6) eap : Peer sent code Response (2) ID 6 length 43
(6) eap : Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap : Expiring EAP session with state 0x0e9027300b963e66
(6) eap : Finished EAP session with state 0x0e9027300b963e66
(6) eap : Previous EAP request found for state 0x0e9027300b963e66,
released from the list
(6) eap : Peer sent method PEAP (25)
(6) eap : EAP PEAP (25)
(6) eap : Calling eap_peap to process EAP data
(6) eap_peap : processing EAP-TLS
(6) eap_peap : eaptls_verify returned 7
(6) eap_peap : Done initial handshake
(6) eap_peap : eaptls_process returned 7
(6) eap_peap : FR_TLS_OK
(6) eap_peap : Session established. Decoding tunneled attributes
(6) eap_peap : Peap state WAITING FOR INNER IDENTITY
(6) eap_peap : Identity - newuser
(6) eap_peap : Got inner identity 'newuser'
(6) eap_peap : Setting default EAP type for tunneled EAP session
(6) eap_peap : Got tunneled request
EAP-Message = 0x0206000c016e657775736572
server default {
(6) eap_peap : Setting User-Name to newuser
Sending tunneled request
EAP-Message = 0x0206000c016e657775736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'newuser'
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
server inner-tunnel {
(6) server inner-tunnel {
(6) Request:
EAP-Message = 0x0206000c016e657775736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'newuser'
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
(6) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix : Checking for suffix after "@"
(6) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(6) suffix : No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) Proxy-To-Realm := 'LOCAL'
(6) } # update control = noop
(6) eap : Peer sent code Response (2) ID 6 length 12
(6) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap : Peer sent method Identity (1)
(6) eap : Calling eap_mschapv2 to process EAP data
(6) eap_mschapv2 : Issuing Challenge
(6) eap : New EAP session, adding 'State' attribute to reply
0x51469e48514184c8
(6) [eap] = handled
(6) } # authenticate = handled
(6) Reply:
EAP-Message =
0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51469e48514184c89c06397edfb2b9f6
(6) } # server inner-tunnel
} # server inner-tunnel
(6) eap_peap : Got tunneled reply code 11
EAP-Message =
0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51469e48514184c89c06397edfb2b9f6
(6) eap_peap : Got tunneled reply RADIUS code 11
EAP-Message =
0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51469e48514184c89c06397edfb2b9f6
(6) eap_peap : Got tunneled Access-Challenge
(6) eap : New EAP session, adding 'State' attribute to reply
0x0e90273008973e66
(6) [eap] = handled
(6) } # authenticate = handled
(6) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=188,
length=0
(6) EAP-Message =
0x0107004b190017030100407520c1faa1ff4cfd7a594b2669343aa993d4447045db39c0c1ef6a3af3fa94dd9b822e84eb8895730f1cabf76bc5593ee24398478a98364b6b52fd05dfd32c0a
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x0e90273008973e6603c734ef610afcab
Sending Access-Challenge Id 188 from 192.168.0.10:1812 to 192.168.0.2:1812
EAP-Message =
0x0107004b190017030100407520c1faa1ff4cfd7a594b2669343aa993d4447045db39c0c1ef6a3af3fa94dd9b822e84eb8895730f1cabf76bc5593ee24398478a98364b6b52fd05dfd32c0a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e90273008973e6603c734ef610afcab
(6) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 189 from 192.168.0.2:1812 to 192.168.0.10:1812
length 242
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0e90273008973e6603c734ef610afcab
EAP-Message =
0x0207006b19001703010060daa946c75fc076c70e3dee92725c9fd0e09e9b31f3e9b03e995463f030c9fcacaba7ef76b8890a117b40a4868e689f211491596b2e6acc7481a01ca4d9877415d99f18815dbd2879bca03fa940e258a486def5b5f08936eeade1d0f07ba9abfb
Message-Authenticator = 0x0c5af9b3231d04ec974f138a62c938b7
(7) Received Access-Request packet from host 192.168.0.2 port 1812, id=189,
length=242
(7) NAS-IP-Address = 192.168.0.2
(7) NAS-Port = 50024
(7) NAS-Port-Type = Ethernet
(7) User-Name = 'newuser'
(7) Called-Station-Id = '00-16-9D-D3-40-D8'
(7) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(7) Service-Type = Framed-User
(7) Framed-MTU = 1500
(7) State = 0x0e90273008973e6603c734ef610afcab
(7) EAP-Message =
0x0207006b19001703010060daa946c75fc076c70e3dee92725c9fd0e09e9b31f3e9b03e995463f030c9fcacaba7ef76b8890a117b40a4868e689f211491596b2e6acc7481a01ca4d9877415d99f18815dbd2879bca03fa940e258a486def5b5f08936eeade1d0f07ba9abfb
(7) Message-Authenticator = 0x0c5af9b3231d04ec974f138a62c938b7
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) filter_username filter_username {
(7) if (!&User-Name)
(7) if (!&User-Name) -> FALSE
(7) if (&User-Name =~ / /)
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@.*@/ )
(7) if (&User-Name =~ /@.*@/ ) -> FALSE
(7) if (&User-Name =~ /\\.\\./ )
(7) if (&User-Name =~ /\\.\\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\\.$/)
(7) if (&User-Name =~ /\\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\\./)
(7) if (&User-Name =~ /(a)\\./) -> FALSE
(7) } # filter_username filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix : Checking for suffix after "@"
(7) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(7) suffix : No such realm "NULL"
(7) [suffix] = noop
(7) eap : Peer sent code Response (2) ID 7 length 107
(7) eap : Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap : Expiring EAP session with state 0x51469e48514184c8
(7) eap : Finished EAP session with state 0x0e90273008973e66
(7) eap : Previous EAP request found for state 0x0e90273008973e66,
released from the list
(7) eap : Peer sent method PEAP (25)
(7) eap : EAP PEAP (25)
(7) eap : Calling eap_peap to process EAP data
(7) eap_peap : processing EAP-TLS
(7) eap_peap : eaptls_verify returned 7
(7) eap_peap : Done initial handshake
(7) eap_peap : eaptls_process returned 7
(7) eap_peap : FR_TLS_OK
(7) eap_peap : Session established. Decoding tunneled attributes
(7) eap_peap : Peap state phase2
(7) eap_peap : EAP type MSCHAPv2 (26)
(7) eap_peap : Got tunneled request
EAP-Message =
0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572
server default {
(7) eap_peap : Setting User-Name to newuser
Sending tunneled request
EAP-Message =
0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'newuser'
State = 0x51469e48514184c89c06397edfb2b9f6
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
server inner-tunnel {
(7) server inner-tunnel {
(7) Request:
EAP-Message =
0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'newuser'
State = 0x51469e48514184c89c06397edfb2b9f6
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
(7) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix : Checking for suffix after "@"
(7) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(7) suffix : No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) Proxy-To-Realm := 'LOCAL'
(7) } # update control = noop
(7) eap : Peer sent code Response (2) ID 7 length 66
(7) eap : No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(7) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap : --> (uid=newuser)
(7) ldap : EXPAND dc=test,dc=ad,dc=com
(7) ldap : --> dc=test,dc=ad,dc=com
(7) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
'(uid=newuser)', scope 'sub'
(7) ldap : Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://
ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(7) ldap : Search returned no results
rlm_ldap (ldap): Deleting connection (4)
(7) [ldap] = notfound
(7) [expiration] = noop
(7) [logintime] = noop
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap : Expiring EAP session with state 0x51469e48514184c8
(7) eap : Finished EAP session with state 0x51469e48514184c8
(7) eap : Previous EAP request found for state 0x51469e48514184c8,
released from the list
(7) eap : Peer sent method MSCHAPv2 (26)
(7) eap : EAP MSCHAPv2 (26)
(7) eap : Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2 : # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(7) eap_mschapv2 : Auth-Type MS-CHAP {
(7) mschap : Creating challenge hash with username: newuser
(7) mschap : Client is using MS-CHAPv2
Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(7) mschap : EXPAND
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(7) mschap : --> --username=newuser
(7) mschap : Creating challenge hash with username: newuser
(7) mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
(7) mschap : --> --challenge=141c75ef267aec37
(7) mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(7) mschap : -->
--nt-response=8e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e
Program returned code (0) and output 'NT_KEY:
917FDA71960ECCF4DF81D38405F86F42'
(7) mschap : Adding MS-CHAPv2 MPPE keys
(7) [mschap] = ok
(7) } # Auth-Type MS-CHAP = ok
MSCHAP Success
(7) eap : New EAP session, adding 'State' attribute to reply
0x51469e48504e84c8
(7) [eap] = handled
(7) } # authenticate = handled
(7) Reply:
EAP-Message =
0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51469e48504e84c89c06397edfb2b9f6
(7) } # server inner-tunnel
} # server inner-tunnel
(7) eap_peap : Got tunneled reply code 11
EAP-Message =
0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51469e48504e84c89c06397edfb2b9f6
(7) eap_peap : Got tunneled reply RADIUS code 11
EAP-Message =
0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51469e48504e84c89c06397edfb2b9f6
(7) eap_peap : Got tunneled Access-Challenge
(7) eap : New EAP session, adding 'State' attribute to reply
0x0e90273009983e66
(7) [eap] = handled
(7) } # authenticate = handled
(7) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=189,
length=0
(7) EAP-Message =
0x0108005b19001703010050f5928f4ef2504f8111ab1eb22a3d7055f034eb84663b65bd07291d795cbd5a872c90146b2738a779cf42d7acd17f1425f25e5139936ce90ece8924c0ddf1dd6d66eb94efda5148cf5b8b62fd2f49fd5b
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x0e90273009983e6603c734ef610afcab
Sending Access-Challenge Id 189 from 192.168.0.10:1812 to 192.168.0.2:1812
EAP-Message =
0x0108005b19001703010050f5928f4ef2504f8111ab1eb22a3d7055f034eb84663b65bd07291d795cbd5a872c90146b2738a779cf42d7acd17f1425f25e5139936ce90ece8924c0ddf1dd6d66eb94efda5148cf5b8b62fd2f49fd5b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e90273009983e6603c734ef610afcab
(7) Finished request
Waking up in 4.5 seconds.
Received Access-Request Id 190 from 192.168.0.2:1812 to 192.168.0.10:1812
length 178
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0e90273009983e6603c734ef610afcab
EAP-Message =
0x0208002b19001703010020e5cacce91e4a996afb3b077c7b388bcf2f40b18a8eb5be8917a8ae01288fd33d
Message-Authenticator = 0x56d20e1c3ccff86847412ce9123ecb99
(8) Received Access-Request packet from host 192.168.0.2 port 1812, id=190,
length=178
(8) NAS-IP-Address = 192.168.0.2
(8) NAS-Port = 50024
(8) NAS-Port-Type = Ethernet
(8) User-Name = 'newuser'
(8) Called-Station-Id = '00-16-9D-D3-40-D8'
(8) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(8) Service-Type = Framed-User
(8) Framed-MTU = 1500
(8) State = 0x0e90273009983e6603c734ef610afcab
(8) EAP-Message =
0x0208002b19001703010020e5cacce91e4a996afb3b077c7b388bcf2f40b18a8eb5be8917a8ae01288fd33d
(8) Message-Authenticator = 0x56d20e1c3ccff86847412ce9123ecb99
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) filter_username filter_username {
(8) if (!&User-Name)
(8) if (!&User-Name) -> FALSE
(8) if (&User-Name =~ / /)
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@.*@/ )
(8) if (&User-Name =~ /@.*@/ ) -> FALSE
(8) if (&User-Name =~ /\\.\\./ )
(8) if (&User-Name =~ /\\.\\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(8) if (&User-Name =~ /\\.$/)
(8) if (&User-Name =~ /\\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\\./)
(8) if (&User-Name =~ /(a)\\./) -> FALSE
(8) } # filter_username filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix : Checking for suffix after "@"
(8) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(8) suffix : No such realm "NULL"
(8) [suffix] = noop
(8) eap : Peer sent code Response (2) ID 8 length 43
(8) eap : Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap : Expiring EAP session with state 0x51469e48504e84c8
(8) eap : Finished EAP session with state 0x0e90273009983e66
(8) eap : Previous EAP request found for state 0x0e90273009983e66,
released from the list
(8) eap : Peer sent method PEAP (25)
(8) eap : EAP PEAP (25)
(8) eap : Calling eap_peap to process EAP data
(8) eap_peap : processing EAP-TLS
(8) eap_peap : eaptls_verify returned 7
(8) eap_peap : Done initial handshake
(8) eap_peap : eaptls_process returned 7
(8) eap_peap : FR_TLS_OK
(8) eap_peap : Session established. Decoding tunneled attributes
(8) eap_peap : Peap state phase2
(8) eap_peap : EAP type MSCHAPv2 (26)
(8) eap_peap : Got tunneled request
EAP-Message = 0x020800061a03
server default {
(8) eap_peap : Setting User-Name to newuser
Sending tunneled request
EAP-Message = 0x020800061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'newuser'
State = 0x51469e48504e84c89c06397edfb2b9f6
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
server inner-tunnel {
(8) server inner-tunnel {
(8) Request:
EAP-Message = 0x020800061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'newuser'
State = 0x51469e48504e84c89c06397edfb2b9f6
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
Event-Timestamp = 'Jul 3 2015 14:28:13 CEST'
(8) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix : Checking for suffix after "@"
(8) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(8) suffix : No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) Proxy-To-Realm := 'LOCAL'
(8) } # update control = noop
(8) eap : Peer sent code Response (2) ID 8 length 6
(8) eap : No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
rlm_ldap (ldap): Reserved connection (3)
(8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap : --> (uid=newuser)
(8) ldap : EXPAND dc=test,dc=ad,dc=com
(8) ldap : --> dc=test,dc=ad,dc=com
(8) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
'(uid=newuser)', scope 'sub'
(8) ldap : Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://
ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(8) ldap : Search returned no results
rlm_ldap (ldap): Deleting connection (3)
rlm_ldap (ldap): 0 of 3 connections in use. Need more spares
rlm_ldap (ldap): Opening additional connection (5)
rlm_ldap (ldap): Connecting to 192.168.0.20:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(8) [ldap] = notfound
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap : Expiring EAP session with state 0x51469e48504e84c8
(8) eap : Finished EAP session with state 0x51469e48504e84c8
(8) eap : Previous EAP request found for state 0x51469e48504e84c8,
released from the list
(8) eap : Peer sent method MSCHAPv2 (26)
(8) eap : EAP MSCHAPv2 (26)
(8) eap : Calling eap_mschapv2 to process EAP data
(8) eap : Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(8) post-auth {
(8) ldap : EXPAND .
(8) ldap : --> .
(8) ldap : EXPAND Authenticated at %S
(8) ldap : --> Authenticated at 2015-07-03 14:28:13
rlm_ldap (ldap): Reserved connection (5)
(8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap : --> (uid=newuser)
(8) ldap : EXPAND dc=test,dc=ad,dc=com
(8) ldap : --> dc=test,dc=ad,dc=com
(8) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
'(uid=newuser)', scope 'sub'
(8) ldap : Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://
ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(8) ldap : Search returned no results
rlm_ldap (ldap): Deleting connection (5)
(8) [ldap] = notfound
(8) } # post-auth = notfound
(8) Reply:
MS-MPPE-Encryption-Policy = Encryption-Required
MS-MPPE-Encryption-Types = 4
MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9
MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'newuser'
(8) } # server inner-tunnel
} # server inner-tunnel
(8) eap_peap : Got tunneled reply code 2
MS-MPPE-Encryption-Policy = Encryption-Required
MS-MPPE-Encryption-Types = 4
MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9
MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'newuser'
(8) eap_peap : Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = Encryption-Required
MS-MPPE-Encryption-Types = 4
MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9
MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'newuser'
(8) eap_peap : Tunneled authentication was successful
(8) eap_peap : SUCCESS
(8) eap_peap : Saving tunneled attributes for later
(8) eap : New EAP session, adding 'State' attribute to reply
0x0e90273006993e66
(8) [eap] = handled
(8) } # authenticate = handled
(8) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=190,
length=0
(8) EAP-Message =
0x0109002b1900170301002002723a75a206ea487fd592ae1b9d31d8425a2d28fb6a567b530188cd74181696
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x0e90273006993e6603c734ef610afcab
Sending Access-Challenge Id 190 from 192.168.0.10:1812 to 192.168.0.2:1812
EAP-Message =
0x0109002b1900170301002002723a75a206ea487fd592ae1b9d31d8425a2d28fb6a567b530188cd74181696
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e90273006993e6603c734ef610afcab
(8) Finished request
Waking up in 3.8 seconds.
Received Access-Request Id 191 from 192.168.0.2:1812 to 192.168.0.10:1812
length 178
NAS-IP-Address = 192.168.0.2
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = 'newuser'
Called-Station-Id = '00-16-9D-D3-40-D8'
Calling-Station-Id = '68-B5-99-C8-B0-5E'
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0e90273006993e6603c734ef610afcab
EAP-Message =
0x0209002b1900170301002092fda1c14de27079564bd73fade18792dd8f5f80adf9e4822b95949318de7efb
Message-Authenticator = 0xef39ceb8bfa36750354be19a6b2ebf17
(9) Received Access-Request packet from host 192.168.0.2 port 1812, id=191,
length=178
(9) NAS-IP-Address = 192.168.0.2
(9) NAS-Port = 50024
(9) NAS-Port-Type = Ethernet
(9) User-Name = 'newuser'
(9) Called-Station-Id = '00-16-9D-D3-40-D8'
(9) Calling-Station-Id = '68-B5-99-C8-B0-5E'
(9) Service-Type = Framed-User
(9) Framed-MTU = 1500
(9) State = 0x0e90273006993e6603c734ef610afcab
(9) EAP-Message =
0x0209002b1900170301002092fda1c14de27079564bd73fade18792dd8f5f80adf9e4822b95949318de7efb
(9) Message-Authenticator = 0xef39ceb8bfa36750354be19a6b2ebf17
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) filter_username filter_username {
(9) if (!&User-Name)
(9) if (!&User-Name) -> FALSE
(9) if (&User-Name =~ / /)
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@.*@/ )
(9) if (&User-Name =~ /@.*@/ ) -> FALSE
(9) if (&User-Name =~ /\\.\\./ )
(9) if (&User-Name =~ /\\.\\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(9) if (&User-Name =~ /\\.$/)
(9) if (&User-Name =~ /\\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\\./)
(9) if (&User-Name =~ /(a)\\./) -> FALSE
(9) } # filter_username filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix : Checking for suffix after "@"
(9) suffix : No '@' in User-Name = "newuser", looking up realm NULL
(9) suffix : No such realm "NULL"
(9) [suffix] = noop
(9) eap : Peer sent code Response (2) ID 9 length 43
(9) eap : Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap : Expiring EAP session with state 0x0e90273006993e66
(9) eap : Finished EAP session with state 0x0e90273006993e66
(9) eap : Previous EAP request found for state 0x0e90273006993e66,
released from the list
(9) eap : Peer sent method PEAP (25)
(9) eap : EAP PEAP (25)
(9) eap : Calling eap_peap to process EAP data
(9) eap_peap : processing EAP-TLS
(9) eap_peap : eaptls_verify returned 7
(9) eap_peap : Done initial handshake
(9) eap_peap : eaptls_process returned 7
(9) eap_peap : FR_TLS_OK
(9) eap_peap : Session established. Decoding tunneled attributes
(9) eap_peap : Peap state send tlv success
(9) eap_peap : Received EAP-TLV response
(9) eap_peap : Success
(9) eap_peap : Using saved attributes from the original Access-Accept
User-Name = 'newuser'
(9) eap_peap : Saving session
48fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4 vps
0x7f6012aedf20 in the cache
(9) eap : Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(9) post-auth {
(9) ldap : EXPAND .
(9) ldap : --> .
(9) ldap : EXPAND Authenticated at %S
(9) ldap : --> Authenticated at 2015-07-03 14:28:14
rlm_ldap (ldap): Reserved connection (2)
(9) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(9) ldap : --> (uid=newuser)
(9) ldap : EXPAND dc=test,dc=ad,dc=com
(9) ldap : --> dc=test,dc=ad,dc=com
(9) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter
'(uid=newuser)', scope 'sub'
(9) ldap : Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://
ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(9) ldap : Search returned no results
rlm_ldap (ldap): Deleting connection (2)
(9) [ldap] = notfound
(9) if (LDAP-Group == "cn=computers,cn=Users,dc=test,dc=ad,dc=com")
(9) Searching for user in group "cn=computers,cn=Users,dc=test,dc=ad,dc=com"
rlm_ldap (ldap): Reserved connection (1)
(9) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(9) --> (uid=newuser)
(9) EXPAND dc=test,dc=ad,dc=com
(9) --> dc=test,dc=ad,dc=com
(9) Performing search in 'dc=test,dc=ad,dc=com' with filter
'(uid=newuser)', scope 'sub'
(9) Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://
ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://
test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(9) Search returned no results
rlm_ldap (ldap): Deleting connection (1)
(9) if (LDAP-Group == "cn=computers,cn=Users,dc=test,dc=ad,dc=com") ->
FALSE
(9) [exec] = noop
(9) remove_reply_message_if_eap remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message)
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else else {
(9) [noop] = noop
(9) } # else else = noop
(9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(9) } # post-auth = noop
(9) Sending Access-Accept packet to host 192.168.0.2 port 1812, id=191,
length=0
(9) User-Name = 'newuser'
(9) MS-MPPE-Recv-Key =
0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda2
(9) MS-MPPE-Send-Key =
0x71f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce
(9) EAP-MSK =
0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda271f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce
(9) EAP-EMSK =
0x1b54d22a41027762199d0673d2024afb9b75034f4486286e1ce600f42266b87c01bf8b7801e44f136c405e7098f74a39062c8d0fd8199ad362af3aa3fd939603
(9) EAP-Session-Id =
0x19559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f355967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b313
(9) EAP-Message = 0x03090004
(9) Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Accept Id 191 from 192.168.0.10:1812 to 192.168.0.2:1812
User-Name = 'newuser'
MS-MPPE-Recv-Key =
0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda2
MS-MPPE-Send-Key =
0x71f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
(9) Finished request
in ldap config file, part related user and groups looks like below:
user {
base_dn = "dc=test,dc=ad,dc=com"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}
group {
base_dn ="dc=test,dc=ad,dc=com"
filter = "(objectClass=posixGroup)"
name_attribute = cn
membership_filter =
"(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
membership_attribute = "memberOf"
}
Why freeradius can't match group "computers" to user "newuser"?
I would be very glad on any help
2
1
Hello,
I'm using FreeRADIUS Version 2.2.7, for host x86_64-pc-linux-gnu, built on
Jul 1 2015 at 06:19:40
My goal is to proxy Access and Accounting Request to another RADIUS server.
My Problem is I'm not able to proxy the Access and Accounting Request.
Instead I do see the following logs:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.134.24 port 51123, id=2,
length=130
Called-Station-Id = "test.example.com"
Calling-Station-Id = "1234567890"
User-Name = "test(a)example.com"
User-Password = "test"
3GPP-SGSN-MCC-MNC = "74602"
3GPP-SGSN-Address = 190.98.125.65
Message-Authenticator = 0x86458de919d5aa8d628f2a051ba6caf8
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "example.com" for User-Name = "test(a)example.com"
[suffix] Found realm "example.com"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "example.com"
[suffix] Proxying request from user test to realm example.com
[suffix] Preparing to proxy authentication request to realm "example.com"
++[suffix] = updated
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry test at line 61
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
There was no response configured: rejecting request 1
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> test(a)example.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 2 to 192.168.134.24 port 51123
Waking up in 4.9 seconds.
Cleaning up request 1 ID 2 with timestamp +99
Ready to process requests.
A you can see there is no "Proxying request 0 to home server" in the log,
but instead I see this "There was no response configured: rejecting request
1"
I'm out of idea and was hoping you can help me out. Find below the
configuration files, I think that are relevant:
proxy.conf:
proxy server {
default_fallback = no
}
home_server localhost {
type = auth+acct
ipaddr = 192.168.146.133
port = 1645
secret = test123
require_message_authenticator = yes
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
max_outstanding = 65536
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
sites-enabled/default
authorize {
preprocess
chap
mschap
digest
suffix
eap {
ok = return
}
files
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
digest
unix
eap
Auth-Type Perl {
perl
}
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
sqlippool
exec
attr_filter.accounting_response
perl
}
session {
radutmp
}
post-auth {
sqlippool
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
Hope to have gave you the necessary information the right way, so that you
can help me.
Thank you.
Regards,
S. Martes
3
5
Hi arr2036,
Thanks for your reply.
When I issue an ldap search I get many information about the user I'm
looking for but I'm not sure if the search is successful:
# search result
search: 2
result: 0 Success
# numResponses: 8
# numEntries: 1
# numReferences: 6
In the radius logs, this time I'm getting this error:
[ldap] performing user authorization for hatim
[ldap] expand: sAMAccountName=3D%{User-Name} -> sAMAccountName=3Dhatim
[ldap] expand: dc=3Dad,dc=3D****,dc=3Dfr -> dc=3Dad,dc=3D****,dc=3Dfr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to myserver:389, authentication 0
[ldap] bind as
cn=3DLinOTP-Auth,ou=3DAD-Man,ou=3DRessources,dc=3Dad,dc=3D****,dc=3Dfr/****=
**** to
myserver:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=3Dad,dc=3D****,dc=3Dfr, with filter
sAMAccountName=3Dhatim
[ldap] rebind to URL ldap://*****
[ldap] rebind to URL ldap://*****
[ldap] rebind to URL ldap://*****
[ldap] no uid attribute - access denied by default
[ldap] ldap_release_conn: Release Id: 0
++[ldap] =3D userlock
Is it an ldapsearch problem?
Thanks for your help!
2015-07-03 12:52 GMT+02:00 Hatim CHIKHI <hatim.networking(a)gmail.com>:
> Hi arr2036,
>
> Thanks for your reply.
>
> When I issue an ldap search I get many information about the user I'm
> looking for but I'm not sure if the search is successful:
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 8
> # numEntries: 1
> # numReferences: 6
>
>
>
> In the radius logs, this time I'm getting this error:
>
> [ldap] performing user authorization for hatim
> [ldap] expand: sAMAccountName=%{User-Name} -> sAMAccountName=hatim
> [ldap] expand: dc=ad,dc=****,dc=fr -> dc=ad,dc=****,dc=fr
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] attempting LDAP reconnection
> [ldap] (re)connect to myserver:389, authentication 0
> [ldap] bind as
> cn=LinOTP-Auth,ou=AD-Man,ou=Ressources,dc=ad,dc=****,dc=fr/******** to
> myserver:389
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] performing search in dc=ad,dc=****,dc=fr, with filter
> sAMAccountName=hatim
> [ldap] rebind to URL ldap://*****
> [ldap] rebind to URL ldap://*****
> [ldap] rebind to URL ldap://*****
> [ldap] no uid attribute - access denied by default
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = userlock
>
>
> Is it an ldapsearch problem?
>
>
> Thanks for your help!
>
>
>
>
>
> 2015-07-02 17:51 GMT+02:00 arr2036 [via FreeRADIUS] <
> ml-node+s1045715n5735089h90(a)n5.nabble.com>:
>
>>
>> > On 2 Jul 2015, at 11:46, Hatim CHIKHI <[hidden email]
>> <http:///user/SendEmail.jtp?type=node&node=5735089&i=0>> wrote:
>> >
>> > Now, when I add password = "****" to the ldap config I get this error
>> > instead:
>> >
>> > [ldap] waiting for bind result ...
>> > [ldap] Bind was successful
>> > [ldap] performing search in dc=ad,dc=domain,dc=fr, with filter
>> > sAMAccountName=hatim
>> > [ldap] ldap_search() failed: Timed out while waiting for server to
>> > respond. Please increase the timeout.
>> > [ldap] ldap_release_conn: Release Id: 0
>> > ++[ldap] = fail
>> Likely hopping around the AD forrest and timing out.
>>
>> Use ldapsearch to repeat the search and check the results.
>>
>> If it times out as well then that's your issue. Fix AD.
>>
>> If not, then compare the wireshark captures to see what's different
>> between the two searches.
>>
>> If you think rlm_ldap is doing something wrong, upgrade to v3.0.8, and
>> state what you think it should do different.
>>
>> -Arran
>>
>>
>> >
>> > I increased the timeout but in vain!!
>> >
>> > 2015-07-02 17:29 GMT+02:00 Hatim CHIKHI <[hidden email]
>> <http:///user/SendEmail.jtp?type=node&node=5735089&i=1>>:
>> >
>> >> Thanks guys for your reply.
>> >>
>> >> I upgraded to freeradius 2.2.7 but I still have the same problem.
>> >>
>> >> If it is not a version issue, what whould be the cause of the problem?
>> >>
>> >>
>> >> 2015-07-02 13:07 GMT+02:00 Alan DeKok <[hidden email]
>> <http:///user/SendEmail.jtp?type=node&node=5735089&i=2>>:
>> >>
>> >>> On Jul 2, 2015, at 5:31 AM, Hatim CHIKHI <[hidden email]
>> <http:///user/SendEmail.jtp?type=node&node=5735089&i=3>>
>> >>> wrote:
>> >>>> I'm using freeRaduis version 2.1.12+dfsg-1.2.
>> >>>
>> >>> You should upgrade.
>> >>>
>> >>>> I'm trying to get some parameters from an AD server but I have
>> problems
>> >>>> with the search filter.
>> >>>> ...
>> >>>> [ldap] ldap_search() failed: Operations error
>> >>>
>> >>> This is fixed (and documented) in later versions of the server.
>> >>> Install 2.2.7.
>> >>>
>> >>> Alan DeKok.
>> >>>
>> >>>
>> >>> -
>> >>> List info/subscribe/unsubscribe? See
>> >>> http://www.freeradius.org/list/users.html
>> >>>
>> >>
>> >>
>> > -
>> > List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>> Arran Cudbard-Bell <[hidden email]
>> <http:///user/SendEmail.jtp?type=node&node=5735089&i=4>>
>> FreeRADIUS development team
>>
>> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>> *signature.asc* (890 bytes) Download Attachment
>> <http://freeradius.1045715.n5.nabble.com/attachment/5735089/0/signature.asc>
>>
>>
>> ------------------------------
>> If you reply to this email, your message will be added to the
>> discussion below:
>>
>> http://freeradius.1045715.n5.nabble.com/LDAP-search-failed-tp5735079p573508…
>> To unsubscribe from FreeRADIUS, click here
>> <http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsu…>
>> .
>> NAML
>> <http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macr…>
>>
>
>
3
2
Hi,
I am using freeradius 2.2.1
Whenever I use wrong credentials, NAS sends access reject.
Access reject packet is received when I do a packet capture.
But freeradius doesn't acknowledge access reject the same way it
does for access accept.
I changed reject_delay parameter to 0. But I still don't receive
the access reject from freeradius.
So every time wrong credentials is entered, I get time out instead
of access reject.
Is there some other configuration is need to change ?
Regards,
Sairam
2
3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello,
I'm trying to use a postgresql database in a redundant block on v3.0.8
like so:
redundant {
pgsql
detail
ok
}
Unfortunately, whenever a request hits this part of the config, it hangs
for over 120 seconds waiting for the connection to set up before moving
down the redundant block.
PQconnectdb() does have a connect_timeout option to configure how long
the function will wait before returning an error, but I don't see a way
to configure this in FR. mod_instantiate() in rlm_sql_postgresql.c looks
like it only supports the dbname, host, port, user, password, and
application_name.
Would it be possible to get a patch that will add a connect_timeout
option to the rlm_sql_postgresql config? It would be greatly appreciated.
Thanks,
Kyle
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJVktkHAAoJEBZxgM7w3gB17ckIANbugIy+HW/jH4wo6lLkKigf
xRW0nUXZ05P3+E4N3B8GWnpVokK5tAIiX7LhYBTTlrLzpKbOAQRr1EMfEzvQW4Ij
kj5QFGtnZ/18dnz8MAYWYrOnkvzg6ym53ks4rNOEhUhpsp6B6P23lwCp24jT7MYV
MGmbuJieQV9Dz8MePEbRzeDrfCt8qE3DLKotOjSjgf62+H1jL1fQlpjF96QO/6nF
AV4BVLXba/AsQNbCh6fWlKljtTEPnjfI1RzBgzlvVoC3AX8BVu0dCuMYI7Rw8rSe
ZPne+iQ80/ycM6zU6ux86kKsTfmeQvgZM+TIS5aCZLsoxibZEvgJciswBhT3kkU=
=xp7I
-----END PGP SIGNATURE-----
3
3