Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
November 2016
- 73 participants
- 105 discussions
Not sure what happened, but I walked away from my freeradius and MOTP deployment for a month or so, when I came back I can't authenticate from my client. I can do it locally, but can't do it remotely. The log throws another message 'warning: rlm_sql (sql): you probably need to lower "min" '. Not sure where to start on this.
Thanks,
Pete
2
3
Dear all,
Ive installed and configured FreeRADIUS 3.0.12 on Ubuntu
16.04 LTS.
In the file /usr/local/etc/raddb/mods-available/eap Ive
specified:
- default_eap_type = peap in the general
eap section, and
- default_eap_type = mschapv2 in the
peap section.
After running the server with radiusd X, I test it with
the default user bob defined in /usr/local/etc/raddb/users:
radtest bob hello localhost 0 testing123
Regretfully, the authentication fails, the debugger saying:
} # server
radiusd: #### Opening IP addresses and Ports ####
Listening on auth address 127.0.0.1 port 1812
Listening on acct address 127.0.0.1 port 1813
Listening on proxy address * port 39814
Ready to process requests
(0) Received Access-Request Id 239 from 127.0.0.1:39509 to 127.0.0.1:1812
length 73
(0) User-Name = "bob"
(0) User-Password = "hello"
(0) NAS-IP-Address = 127.0.1.1
(0) NAS-Port = 0
(0) Message-Authenticator = 0x5456ab996d2c7087d14a1529bd8c950d
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 239 from 127.0.0.1:1812 to 127.0.0.1:39509 length
20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 239 with timestamp +32
Ready to process requests
Ive tried radtest with other auth methods (-t
pap/chap/mschap) but it always fails!
Whats wrong?
Can someone help me, please?
Thanks in advance,
Pedro
5
8
[FreeRadius 2.2.8] Error: ASSERT FAILED event.c[164]: request->thread_id == NO_CHILD_THREAD
by Santi Pérez Fernández 28 Nov '16
by Santi Pérez Fernández 28 Nov '16
28 Nov '16
Hi,
I configured freeradius 2.2.8 with the coa update options according to the
documentation.
/etc/freeradius/sites-enabled
Auth-Type MS-CHAP {
mschap
update coa {
Packet-Dst-IP-Address = 10.0.1.80
Packet-Dst-Port = 4141
Alc-SLA-Prof-Str = "%{reply:Alc-Subsc-Prof-Str}"
}
}
/etc/freeradius/sites-available/originate-coa
home_server localhost-coa {
type = coa
#
# Note that a home server of type "coa" MUST be a real NAS,
# with an ipaddr or ipv6addr. It CANNOT point to a virtual
# server.
#
ipaddr = 10.0.1.80
port = 4141
# This secret SHOULD NOT be the same as the shared
# secret in a "client" section.
secret = testing1234
# CoA specific parameters. See raddb/proxy.conf for details.
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
This is the output from the logs:
Mon Nov 28 18:45:38 2016 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #30
Mon Nov 28 18:45:38 2016 : Info: rlm_sql (sql): Connected new DB handle, #30
Mon Nov 28 18:45:38 2016 : Info: rlm_sql (sql): Attempting to connect
rlm_sql_mysql #31
Mon Nov 28 18:45:38 2016 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #31
Mon Nov 28 18:45:38 2016 : Info: rlm_sql (sql): Connected new DB handle, #31
Mon Nov 28 18:45:38 2016 : Info: Loaded virtual server <default>
Mon Nov 28 18:45:38 2016 : Info: Loaded virtual server inner-tunnel
Mon Nov 28 18:45:38 2016 : Info: Ready to process requests.
Mon Nov 28 18:45:42 2016 : Auth: Login OK: [H-VPORT-CPE-LITE-i2cat-2/<via
Auth-Type = MSCHAP>] (from client localhost port 0)
Mon Nov 28 18:45:42 2016 : Error: ASSERT FAILED event.c[164]:
request->thread_id == NO_CHILD_THREAD
It only works for the first request. Then I got the following error:
Mon Nov 28 18:45:42 2016 : Error: ASSERT FAILED event.c[164]:
request->thread_id == NO_CHILD_THREAD
What i'm doing wrong? Am I missing something?
I am also not been capable of returning the custom attribute.
Thanks for your help.
2
1
rlm_ldap TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
by Reyor, William F. 28 Nov '16
by Reyor, William F. 28 Nov '16
28 Nov '16
Has anyone run into this issue on rhel 7? If I test unencrypted I can
authenticate against ldap without issue. However if I set
/etc/raddb/mods-enabled/ldap to use port 636 (encrypted) I receive the
following certificate error.
rlm_ldap (ldap): Opening additional connection (0)
rlm_ldap (ldap): Connecting to authdir.fairfield.edu:636
TLS: certificate [CN=AddTrust External CA Root,OU=AddTrust External TTP
Network,O=AddTrust AB,C=SE] is not valid - error -8172:Peer's certificate
issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked
as not trusted by the user..
Thanks,
Bill
2
3
28 Nov '16
FreeRadius 2.2.8 running on Ubuntu 14.04 LTS
sql_log is enabled in the accounting section of /sites-enabled/default
When I execute radsqlrelay it repeatedly dumps the following error to the
screen and no records are created on the target server
/usr/bin/radsqlrelay -x -1 -b radius -d mysql -h xxx.xxx.xxx.xxx -u
radrelay_user -p somepassword /var/log/freeradius/radacct/sql-relay
Incorrect datetime value: '0' for column 'acctstarttime' at row 1
Incorrect datetime value: '0' for column 'acctstarttime' at row 1
Incorrect datetime value: '0' for column 'acctstarttime' at row 1
And indeed the file shows this:
head /var/log/freeradius/radacct/sql-relay
INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress,
FramedIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime,
AcctTerminateCause) VALUES ('810001a7', 'acct203', 'xxx.xxx.37.1',
'xxx.xxx.3.50', '0', '0', '4801','');
INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress,
FramedIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime,
AcctTerminateCause) VALUES ('810001a6', 'acct2150', 'xxx.xxx.37.1',
'xxx.xxx.3.16', '0', '0', '5400','');
But I am also logging to a local sql database and I see account start times
there
acctsessionid acctuniqueid username nasipaddress nasportid nasporttype
acctstarttime acctstoptime acctsessiontime
810001a7 b051e93c387cc6be acct2203 xxx.xxx.37.1 15729080 Ethernet 2016-11-27
11:09:51 *NULL* 4801
810001a6 830d03bc3cbe59de acct2150 xxx.xxx.37.1 15729079 Ethernet 2016-11-27
11:03:00 *NULL* 5400
I must be missing something but I can find very little info on radsqlrelay
other than the man
Thanks,
Ian
2
1
Hi List!
I'm wondering if anyone is using the freeradius-version in Debian Stable
that currently installs via apt (it's version 2.2.5+dfsg-0.2 ).
So, clearly this is a pretty old version (as so often in debian stable)
but if you use freeradius with jessie: what version do you use and did
you compile it from scratch or is there a source of precompiled packages
I'm not aware of yet?
--
Mit freundlichen Grüßen / Kind regards
Julian Scharrenbach - Informatik Betriebswirt (VWA)
7
9
Hello,
Please help me set up freeradius2 + iODBC + Informix
(I'm newbie in freeradius).
- I have a test-machine with Ubuntu 14.04 and Freeradius-server
v2.1.12.
- I have a server with Informix Database Server v 10.00
Step 1:
- I installed unixODBC on test-machine
- I installed informix-csdk for connect to Informix Database
Server (Driver)
- I configured files /etc/odbc.ini and /etc/odbcinst.ini to
connect to Informix Database Server
- Checking with isql:
+++++++++++++++++++++++++++++++++++++++++
root@test:/home/test# isql -v work
+---------------------------------------+
| Connected! |
| |
| sql-statement |
| help [tablename] |
| quit |
| |
+---------------------------------------+
SQL> select 1 from TABLES(SET{1})
1
+++++++++++++++++++++++++++++++++++++++++
- Everything is allright.
Step 2:
- I try to install freeradius-iodbc module to connect to
Informix Database Server
- During install I get next warning:
+++++++++++++++++++++++++++++++++++++++++++++
The following packages will be REMOVED:
unixodbc unixodbc-dev
The following NEW packages will be installed:
libiodbc2-dev
+++++++++++++++++++++++++++++++++++++++++++++
- so unixodbc and unixodbc-dev packages was removed after
install freeradius-iodbc
- I included in radiusd.conf:
+++++++++++++++++++++++++++++++++++++++++++++
sql {
#
# Set the database to one of:
#
# mysql, mssql, oracle, postgresql
#
database = "iodbc"
#
# Which FreeRADIUS driver to use.
#
driver = "rlm_sql_${database}"
# Connection info:
server = "test.server.ru"
port = 1425
login = "test"
password = "test123"
radius_db = "test"
...
+++++++++++++++++++++++++++++++++++++++++++++
- freeradius -XXX showed me next error:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
...
Fri Nov 21 14:53:48 2014 : Info: rlm_sql (sql): Driver
rlm_sql_iodbc (module rlm_sql_iodbc) loaded and linked
Fri Nov 21 14:53:48 2014 : Info: rlm_sql (sql): Attempting to
connect to test@test.server.ru:1425/test
Fri Nov 21 14:53:48 2014 : Debug: rlm_sql (sql): starting 0
Fri Nov 21 14:53:48 2014 : Info: rlm_sql (sql): Attempting to
connect rlm_sql_iodbc #0
Fri Nov 21 14:53:48 2014 : Error: sql_create_socket:
SQLConnectfailed: [iODBC][Driver Manager]Data source name
not found and no default driver specified. Driver could not be
loaded
Fri Nov 21 14:53:48 2014 : Error: rlm_sql (sql): Failed to
connect DB handle #0
...
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- Error - "SQLConnectfailed: [iODBC][Driver Manager]Data
source name not found and no default driver specified. Driver
could not be loaded."
- Where did I go wrong?
- I found some information in net with same problem, but clear
decision nowhere not found.
4
4
Proposed behaviour for rlm_mruby (which might impact rlm_perl and rlm_python too)
by Herwin Weststrate 27 Nov '16
by Herwin Weststrate 27 Nov '16
27 Nov '16
This weekend I've been trying to get some work done in this very old
ticket[1] to remove rlm_ruby and replace it with rlm_mruby. mruby is a
kind of minified ruby that is suitable for embedding in processes (as
opposed to ruby, which does things like hooking its own signal handlers
into freeradius). It was definitely an interesting experience, not in
the least because documentation like this[2] is far from exceptional.
The code I currently have is feature complete[3], but during
construction I thought of a few limitations that I would like to solve.
This reminded me of the documented I wanted to write earlier this year
about my vision on the rlm_language-modules, and how to solve the
current problems.
There are currently 4 modules for scripting languages: rlm_perl,
rlm_python, rlm_ruby and rlm_lua. I haven't looked at that last one, so
for the sake of simplicity I'll just forget about that one for the rest
of this mail. rlm_python and rlm_ruby work pretty much the same: You
call a method with an array containing all attributes of the request
list, and the return value of that method can be either an integer (that
maps to things like RLM_MODULE_OK), or a list of 3 items: the first one
is the aforementioned integer, the second one is the updates to the
reply list, the last one is the updates to the control list (or those
might be the other way around, which indicates what a terrible interface
it actually is). A few improvements have been added to rlm_python, but
those are just minor differences and don't really change the
architecture. rlm_perl works completely different: there are a number of
global hash variables (for those not familiar with Perl lingo: a hash is
a key-value-map). Changes can be made to those hashes, there are no
parameters for the methods, and the return value is just a simple
integer (which is defined by some constants in that file, and copied
from the example.pl file, instead of injected by freeradius).
At the moment, rlm_perl is by far the most powerful of the three,
because it can access all lists. Although the request list is probably
enough when you call the module in the authorize section, it is almost
useless in the post-auth. There have been requests to add more lists to
rlm_python[4], but I don't like the idea of adding extra arguments to
the method (the ticket only mentions config and reply, but what about
session-state, proxy-request and proxy-reply? That makes a total of 6
arguments).
(As a side note: the same limitations of the input currently exist in
the rlm_rest module, I submitted a pull request[5] to fix this. The
output here is a bit more flexible)
Querying the value of an attribute is another thing that differs
greatly between rlm_{python,ruby} and rlm_perl. The main problem here is
that RADIUS allows us to have multiple values for an attribute. Perl
uses a hash, where each value can be either a scalar or an array (for
the people that know perl: yes, it's an arrayref instead of an array,
but I'd rather skip about those implementation details to make it easier
to understand for those who don't know perl). This means your code to
read a value first performs a hash lookup, than has to check if the
value is a scalar or an array. Output values are even worse: if the
attribute/key is not present in the hash: add the value as a scalar, if
it is a scalar: create an array with that value and your own value,
otherwise push it into the existing array. Output in rlm_python and
rlm_mruby is a bit better (rlm_mruby lacks functionality here, but we
want to get rid of it anyway), you can define an attribute, an operator
and a value, so you're basicly writing FreeRADIUS config in your code,
like `['Tmp-String-0', ':=', 'foo']`. The input is a bit different here,
you get an array of arrays, every attribute/value-pair has got its own
array (an example: `[['User-Name', 'bob'], ['User-Password', 'hello']]`.
This works with duplicate values, but a lookup requires you to loop over
the array, where a hash lookup could be more efficient.
I don't like any of these interfaces, so I'm trying to propose a new
one. We could use that in every rlm_language-module, so switching
between languages would be easier and functionality will be preserved.
Use an object for the input. This object has methods like request,
reply and session_state to get the correct lists. This means no more
globale variables (perl) and no excessive lists of argument (python,
ruby).
The result of these method calls would be objects too. These object
have methods like get_attribute and get_attributes. The first one
returns a scalar value, if there are multiple attributes it returns the
first one, If there is no attribute, it does something that is expected
in the language (perl and ruby would return a NULL-like value here, in
python a KeyError would be more suiteable). The second method always
returns a list, that might contain 0 or 1 elements. In the general case,
people are only interested in the first value.
Updates should be performed via those objects too, so we could use code
like `control.set_attribute('Cleartext-Password', 'hello')`. This means
we can update all lists from rlm_python/rlm_ruby as well, and we no
longer have to remember in what order "control" and "reply" were.
One of the drawbacks of the current implementation is that a lot of
attributes have to be copied from the request and converted into
language-specific strings. It is not unlikely that we copy and convert a
load of EAP-data, while the called script is only interested in the
User-Name attribute. By converting everything to objects we can make
these conversions on-demand, instead of doing everything up front.
We might even want to skip the parameter to the methods, and just
define an abstract base class that has to be subclassed in the script.
The downside of this being that it would become hard to test the script
without freeradius, because the base class has been implemented there.
Then again, the same problem arises with the rest of this proposal.
The biggest drawbacks here are that everything has to be coded, and
that the language modules become backwards incompatible with older
version. The changes for rlm_python are relatively small (I just hope
nobody is using rlm_ruby at the moment, so nothing would be backwards
incompatible here), but the behaviour of rlm_perl really changes here.
I would like to hear your comments on this proposal, I can't be the
only one who didn't like the interface of the scripting language
modules.
[1] https://github.com/FreeRADIUS/freeradius-server/issues/990
[2] http://mruby.org/docs/api/headers/mruby_2Fvariable.h.html
[3]
https://github.com/herwinw/freeradius-server/tree/rlm_mruby/src/modules/rlm…
[4] https://github.com/FreeRADIUS/freeradius-server/issues/1464
[5] https://github.com/FreeRADIUS/freeradius-server/pull/1843
--
Herwin Weststrate
3
2
Hi Alan,
Here's the debug information you requested.
Thanks, Chris
radiusd: #### Opening IP addresses and Ports ####
Listening on command file /var/run/radiusd/control/radiusd.sock
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address 127.0.0.1 port 18122 bound to server eduroam-inner-tunnel
Listening on auth address 127.0.0.1 port 28120 bound to server captive-portal
Listening on auth address X.X.X.X port 28120 bound to server captive-portal
Listening on status address 127.0.0.1 port 18121 bound to server status
Listening on proxy address * port 36322
Listening on proxy address :: port 57199
Ready to process requests
(1) Received Access-Request Id 77 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 292
(1) User-Name = "testuser@realm"
(1) Chargeable-User-Identity = 0x00
(1) Location-Capable = Civix-Location
(1) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(1) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(1) NAS-Port = 13
(1) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(1) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(1) NAS-IP-Address = Y.Y.Y.Y
(1) NAS-Identifier = "WM13"
(1) Airespace-Wlan-Id = 8
(1) Service-Type = Framed-User
(1) Framed-MTU = 1300
(1) NAS-Port-Type = Wireless-802.11
(1) Tunnel-Type:0 = VLAN
(1) Tunnel-Medium-Type:0 = IEEE-802
(1) Tunnel-Private-Group-Id:0 = "446"
(1) EAP-Message = 0x020100170165636c366368406c656564732e61632e756b
(1) Message-Authenticator = 0x2f0eff9e4f79f94e7189010a34c8fffe
(1) Running section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) local_rewrite_called_station_id {
(1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(1) update request {
(1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(1) --> 64:AE:0C:91:42:60
(1) &Called-Station-Id := 64:AE:0C:91:42:60
(1) } # update request (noop)
(1) if ("%{8}") {
(1) EXPAND %{8}
(1) --> RADIUS-TEST
(1) update request {
(1) EXPAND %{8}
(1) --> RADIUS-TEST
(1) &Called-Station-SSID := RADIUS-TEST
(1) } # update request (noop)
(1) } # if ("%{8}") (noop)
(1) updated (updated)
(1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(1) else {
(1) ... skipping else for request 1: Preceding "if" was taken
(1) }
(1) } # local_rewrite_called_station_id (updated)
(1) local_rewrite_calling_station_id {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(1) update request {
(1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(1) --> A4:D1:8C:E4:9F:22
(1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(1) } # update request (noop)
(1) updated (updated)
(1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(1) else {
(1) ... skipping else for request 1: Preceding "if" was taken
(1) }
(1) } # local_rewrite_calling_station_id (updated)
(1) filter_username {
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) ...
(1) }
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) ...
(1) }
(1) if (&User-Name =~ /\.\./ ) {
(1) ...
(1) }
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(1) ...
(1) }
(1) if (&User-Name =~ /\.$/) {
(1) ...
(1) }
(1) if (&User-Name =~ /(a)\./) {
(1) ...
(1) }
(1) } # if (&User-Name) (updated)
(1) } # filter_username (updated)
(1) bad_realms {
(1) if (&User-Name =~ /\.ax\.uk$/i) {
(1) ...
(1) }
(1) if (&User-Name =~ /(a)ac\.uk$/i) {
(1) ...
(1) }
(1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(1) ...
(1) }
(1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(1) ...
(1) }
(1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(1) ...
(1) }
(1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(1) ...
(1) }
(1) if (&User-Name =~ /myabc\.com$/i) {
(1) ...
(1) }
(1) } # bad_realms (updated)
(1) preprocess (ok)
(1) operator-name.authorize {
(1) if ("%{client:Operator-Name}") {
(1) EXPAND %{client:Operator-Name}
(1) --> 1realm.ac.uk
(1) update request {
(1) EXPAND %{client:Operator-Name}
(1) --> 1realm.ac.uk
(1) &Operator-Name = 1realm.ac.uk
(1) } # update request (noop)
(1) } # if ("%{client:Operator-Name}") (noop)
(1) } # operator-name.authorize (noop)
(1) suffix - Checking for suffix after "@"
(1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(1) suffix - Found realm "realm.ac.uk"
(1) suffix - Adding Stripped-User-Name = "testuser"
(1) suffix - Adding Realm = "realm.ac.uk"
(1) suffix - Authentication realm is LOCAL
(1) suffix (ok)
(1) if (&Realm) {
(1) update control {
(1) &control:Proxy-To-Realm := LOCAL
(1) } # update control (noop)
(1) } # if (&Realm) (noop)
(1) else {
(1) ... skipping else for request 1: Preceding "if" was taken
(1) }
(1) if (&Realm) {
(1) if (&Stripped-User-Name != "") {
(1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(1) EXPAND %{tolower:%{Stripped-User-Name}}
(1) --> testuser
(1) ...
(1) }
(1) group {
(1) check_blacklist (ok)
(1) if (&control:Local-Banned-User) {
(1) ...
(1) }
(1) else {
(1) noop (noop)
(1) } # else (noop)
(1) } # group (ok)
(1) } # if (&Stripped-User-Name != "") (ok)
(1) } # if (&Realm) (ok)
(1) eap - Peer sent EAP Response (code 2) ID 1 length 23
(1) eap - Peer sent EAP-Identity. Returning 'ok' so we can short-circuit the rest of authorize
(1) eap (ok)
(1) } # authorize (ok)
(1) Using 'Auth-Type = eap' for authenticate {...}
(1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(1) Auth-Type eap {
(1) eap - Peer sent packet with EAP method Identity (1)
(1) eap - Calling submodule eap_peap to process data
(1) eap_peap - Initiating new TLS session
(1) eap - Sending EAP Request (code 1) ID 2 length 6
(1) eap (handled)
(1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(1) EXPAND Response-Packet-Type
(1) --> Access-Challenge
(1) attr_filter.access_challenge - EXPAND %{User-Name}
(1) attr_filter.access_challenge - --> testuser@realm
(1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(1) attr_filter.access_challenge.post-auth (updated)
(1) handled (handled)
(1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(1) } # Auth-Type eap (handled)
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 77 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x010138003637b8d43b39393138ab9701
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 78 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 418
(2) User-Name = "testuser@realm"
(2) Chargeable-User-Identity = 0x00
(2) Location-Capable = Civix-Location
(2) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(2) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(2) NAS-Port = 13
(2) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(2) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(2) NAS-IP-Address = Y.Y.Y.Y
(2) NAS-Identifier = "WM13"
(2) Airespace-Wlan-Id = 8
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) Tunnel-Type:0 = VLAN
(2) Tunnel-Medium-Type:0 = IEEE-802
(2) Tunnel-Private-Group-Id:0 = "446"
(2) EAP-Message = 0x0202008319800000007916030100740100007003015838561f7c35db9df95d549eb9befc0ca9bbc9fbc9027794c6893d1c9b40e77000002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000050005010000000000120000
(2) State = 0x010138003637b8d43b39393138ab9701
(2) Message-Authenticator = 0xcf0cbabf5a3dcda1ac3c2f2c0a98eb8b
(2,1) Running section authorize from file /etc/raddb/sites-enabled/default
(2,1) authorize {
(2,1) local_rewrite_called_station_id {
(2,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(2,1) update request {
(2,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(2,1) --> 64:AE:0C:91:42:60
(2,1) &Called-Station-Id := 64:AE:0C:91:42:60
(2,1) } # update request (noop)
(2,1) if ("%{8}") {
(2,1) EXPAND %{8}
(2,1) --> RADIUS-TEST
(2,1) update request {
(2,1) EXPAND %{8}
(2,1) --> RADIUS-TEST
(2,1) &Called-Station-SSID := RADIUS-TEST
(2,1) } # update request (noop)
(2,1) } # if ("%{8}") (noop)
(2,1) updated (updated)
(2,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(2,1) else {
(2,1) ... skipping else for request 2: Preceding "if" was taken
(2,1) }
(2,1) } # local_rewrite_called_station_id (updated)
(2,1) local_rewrite_calling_station_id {
(2,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(2,1) update request {
(2,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(2,1) --> A4:D1:8C:E4:9F:22
(2,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(2,1) } # update request (noop)
(2,1) updated (updated)
(2,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(2,1) else {
(2,1) ... skipping else for request 2: Preceding "if" was taken
(2,1) }
(2,1) } # local_rewrite_calling_station_id (updated)
(2,1) filter_username {
(2,1) if (&User-Name) {
(2,1) if (&User-Name =~ / /) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /@[^@]*@/ ) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /\.\./ ) {
(2,1) ...
(2,1) }
(2,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /\.$/) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /(a)\./) {
(2,1) ...
(2,1) }
(2,1) } # if (&User-Name) (updated)
(2,1) } # filter_username (updated)
(2,1) bad_realms {
(2,1) if (&User-Name =~ /\.ax\.uk$/i) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /myabc\.com$/i) {
(2,1) ...
(2,1) }
(2,1) } # bad_realms (updated)
(2,1) preprocess (ok)
(2,1) operator-name.authorize {
(2,1) if ("%{client:Operator-Name}") {
(2,1) EXPAND %{client:Operator-Name}
(2,1) --> 1realm.ac.uk
(2,1) update request {
(2,1) EXPAND %{client:Operator-Name}
(2,1) --> 1realm.ac.uk
(2,1) &Operator-Name = 1realm.ac.uk
(2,1) } # update request (noop)
(2,1) } # if ("%{client:Operator-Name}") (noop)
(2,1) } # operator-name.authorize (noop)
(2,1) suffix - Checking for suffix after "@"
(2,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(2,1) suffix - Found realm "realm.ac.uk"
(2,1) suffix - Adding Stripped-User-Name = "testuser"
(2,1) suffix - Adding Realm = "realm.ac.uk"
(2,1) suffix - Authentication realm is LOCAL
(2,1) suffix (ok)
(2,1) if (&Realm) {
(2,1) update control {
(2,1) &control:Proxy-To-Realm := LOCAL
(2,1) } # update control (noop)
(2,1) } # if (&Realm) (noop)
(2,1) else {
(2,1) ... skipping else for request 2: Preceding "if" was taken
(2,1) }
(2,1) if (&Realm) {
(2,1) if (&Stripped-User-Name != "") {
(2,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(2,1) EXPAND %{tolower:%{Stripped-User-Name}}
(2,1) --> testuser
(2,1) ...
(2,1) }
(2,1) group {
(2,1) check_blacklist (ok)
(2,1) if (&control:Local-Banned-User) {
(2,1) ...
(2,1) }
(2,1) else {
(2,1) noop (noop)
(2,1) } # else (noop)
(2,1) } # group (ok)
(2,1) } # if (&Stripped-User-Name != "") (ok)
(2,1) } # if (&Realm) (ok)
(2,1) eap - Peer sent EAP Response (code 2) ID 2 length 131
(2,1) eap - Continuing tunnel setup
(2,1) eap (ok)
(2,1) } # authorize (ok)
(2,1) Using 'Auth-Type = eap' for authenticate {...}
(2,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(2,1) Auth-Type eap {
(2,1) eap - Peer sent packet with EAP method PEAP (25)
(2,1) eap - Calling submodule eap_peap to process data
(2,1) eap_peap - Continuing EAP-TLS
(2,1) eap_peap - Peer indicated complete TLS record size will be 121 bytes
(2,1) eap_peap - Got complete TLS record, with length field (121 bytes)
(2,1) eap_peap - [eap-tls verify] = complete
(2,1) eap_peap - Handshake state - before/accept initialization
(2,1) eap_peap - Handshake state - Server before/accept initialization
(2,1) eap_peap - <<< recv handshake [length 116], client_hello
(2,1) eap_peap - Handshake state - Server SSLv3 read client hello A
(2,1) eap_peap - >>> send handshake [length 57], server_hello
(2,1) eap_peap - Handshake state - Server SSLv3 write server hello A
(2,1) eap_peap - >>> send handshake [length 2643], certificate
(2,1) eap_peap - Handshake state - Server SSLv3 write certificate A
(2,1) eap_peap - >>> send handshake [length 331], server_key_exchange
(2,1) eap_peap - Handshake state - Server SSLv3 write key exchange A
(2,1) eap_peap - >>> send handshake [length 4], server_hello_done
(2,1) eap_peap - Handshake state - Server SSLv3 write server done A
(2,1) eap_peap - Handshake state - Server SSLv3 flush data
(2,1) eap_peap - Need more data from client
(2,1) eap_peap - Need more data from client
(2,1) eap_peap - Complete TLS record (3055 bytes) larger than MTU (990 bytes), will fragment
(2,1) eap_peap - Sending first TLS record fragment (990 bytes), 2065 bytes remaining
(2,1) eap_peap - [eap-tls process] = handled
(2,1) eap - Sending EAP Request (code 1) ID 3 length 1000
(2,1) eap (handled)
(2,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(2,1) EXPAND Response-Packet-Type
(2,1) --> Access-Challenge
(2,1) attr_filter.access_challenge - EXPAND %{User-Name}
(2,1) attr_filter.access_challenge - --> testuser@realm
(2,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(2,1) attr_filter.access_challenge.post-auth (updated)
(2,1) handled (handled)
(2,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(2,1) } # Auth-Type eap (handled)
(2,1) Using Post-Auth-Type Challenge
(2,1) Post-Auth-Type sub-section not found. Ignoring.
(2,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(2,1) Sent Access-Challenge Id 78 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(2,1) EAP-Message = 0x010303e819c000000bef16030100390200003503015838561fbe318d85e54c607db0dc6d03c0b5e5d4d2266165638bd4fff41936b900c01400000dff01000100000b0004030001021603010a530b000a4f000a4c0004f6308204f2308203daa003020102021437ff648df0d47ee77e787cee2cab98c71324c34c300d06092a864886f70d01010b0500304d310b300906035504061302424d31193017060355040a131051756f5661646973204c696d69746564312330210603550403131a51756f566164697320476c6f62616c2053534c20494341204732301e170d3136303831313134353330385a170d3139303831313134353330355a307f310b3009060355040613024742311730150603550408130e5765737420596f726b7368697265310e300c060355040713054c45454453311c301a060355040a1313556e6976657273697479206f66204c65656473310c300a060355040b1303492e54311b3019060355040313127261646975732e6c656564732e61632e756b30820122300d06092a864886f70d01010105000382010f003082010a0282010100b05f6ffc1d8d9a1d6602e4e3fb505be1df826dbe0e8e2cd96127b2beeea934476f474d835388182926f52f7de4ef5dc0f0c439f59b88f0494c2f2f8724e69790e0c7f9379941b0524d7b74e95ae882f556a1f9df197fcbe00ef20677bb1bfaa66a575783594163b1efffda474b26101c56f6906d9434eab449a96f4d9aaa92d73bd83396f2fba04afb8fc92013d6ea56eb98ee202f87961616a391b33dbca45634aa899c9f5846b19935588fc6874c228bf01c4e5c930ed66feaacc52507d5753582dd7ac994ba1c067e1b22e6c72c1acdd141b4fa8a553f9acde4b6571bea31e280f298a5ace02370bff63b582325a3a8bcd10982f79059bac57a46f26949b70203010001a382019630820192307306082b0601050507010104673065302a06082b06010505073001861e687474703a2f2f6f6373702e71756f7661646973676c6f62616c2e636f6d303706082b06010505073002862b687474703a2f2f74727573742e71756f7661646973676c6f62616c2e636f6d2f717673736c67322e637274301d0603551d110416301482127261646975732e6c656564732e61632e756b30510603551d20044a30483046060c2b06010401be5800026401013036303406082b060105050702011628687474703a2f2f7777772e71756f7661646973676c6f62616c2e636f6d2f7265706f7369746f7279300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302301f0603551d23041830168014911962ad5b17a730fbf0de3925b1bd8cb9b85127303a0603551d1f043330
(2,1) Message-Authenticator = 0x00000000000000000000000000000000
(2,1) State = 0x02033800aecc10fa3b39393138ab9701
(2,1) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 79 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293
(3) User-Name = "testuser@realm"
(3) Chargeable-User-Identity = 0x00
(3) Location-Capable = Civix-Location
(3) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(3) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(3) NAS-Port = 13
(3) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(3) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(3) NAS-IP-Address = Y.Y.Y.Y
(3) NAS-Identifier = "WM13"
(3) Airespace-Wlan-Id = 8
(3) Service-Type = Framed-User
(3) Framed-MTU = 1300
(3) NAS-Port-Type = Wireless-802.11
(3) Tunnel-Type:0 = VLAN
(3) Tunnel-Medium-Type:0 = IEEE-802
(3) Tunnel-Private-Group-Id:0 = "446"
(3) EAP-Message = 0x020300061900
(3) State = 0x02033800aecc10fa3b39393138ab9701
(3) Message-Authenticator = 0x34efdefe25b8b008e5bac82e18ee94ff
(3,1) Running section authorize from file /etc/raddb/sites-enabled/default
(3,1) authorize {
(3,1) local_rewrite_called_station_id {
(3,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(3,1) update request {
(3,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(3,1) --> 64:AE:0C:91:42:60
(3,1) &Called-Station-Id := 64:AE:0C:91:42:60
(3,1) } # update request (noop)
(3,1) if ("%{8}") {
(3,1) EXPAND %{8}
(3,1) --> RADIUS-TEST
(3,1) update request {
(3,1) EXPAND %{8}
(3,1) --> RADIUS-TEST
(3,1) &Called-Station-SSID := RADIUS-TEST
(3,1) } # update request (noop)
(3,1) } # if ("%{8}") (noop)
(3,1) updated (updated)
(3,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(3,1) else {
(3,1) ... skipping else for request 3: Preceding "if" was taken
(3,1) }
(3,1) } # local_rewrite_called_station_id (updated)
(3,1) local_rewrite_calling_station_id {
(3,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(3,1) update request {
(3,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(3,1) --> A4:D1:8C:E4:9F:22
(3,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(3,1) } # update request (noop)
(3,1) updated (updated)
(3,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(3,1) else {
(3,1) ... skipping else for request 3: Preceding "if" was taken
(3,1) }
(3,1) } # local_rewrite_calling_station_id (updated)
(3,1) filter_username {
(3,1) if (&User-Name) {
(3,1) if (&User-Name =~ / /) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /@[^@]*@/ ) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /\.\./ ) {
(3,1) ...
(3,1) }
(3,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /\.$/) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /(a)\./) {
(3,1) ...
(3,1) }
(3,1) } # if (&User-Name) (updated)
(3,1) } # filter_username (updated)
(3,1) bad_realms {
(3,1) if (&User-Name =~ /\.ax\.uk$/i) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /myabc\.com$/i) {
(3,1) ...
(3,1) }
(3,1) } # bad_realms (updated)
(3,1) preprocess (ok)
(3,1) operator-name.authorize {
(3,1) if ("%{client:Operator-Name}") {
(3,1) EXPAND %{client:Operator-Name}
(3,1) --> 1realm.ac.uk
(3,1) update request {
(3,1) EXPAND %{client:Operator-Name}
(3,1) --> 1realm.ac.uk
(3,1) &Operator-Name = 1realm.ac.uk
(3,1) } # update request (noop)
(3,1) } # if ("%{client:Operator-Name}") (noop)
(3,1) } # operator-name.authorize (noop)
(3,1) suffix - Checking for suffix after "@"
(3,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(3,1) suffix - Found realm "realm.ac.uk"
(3,1) suffix - Adding Stripped-User-Name = "testuser"
(3,1) suffix - Adding Realm = "realm.ac.uk"
(3,1) suffix - Authentication realm is LOCAL
(3,1) suffix (ok)
(3,1) if (&Realm) {
(3,1) update control {
(3,1) &control:Proxy-To-Realm := LOCAL
(3,1) } # update control (noop)
(3,1) } # if (&Realm) (noop)
(3,1) else {
(3,1) ... skipping else for request 3: Preceding "if" was taken
(3,1) }
(3,1) if (&Realm) {
(3,1) if (&Stripped-User-Name != "") {
(3,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(3,1) EXPAND %{tolower:%{Stripped-User-Name}}
(3,1) --> testuser
(3,1) ...
(3,1) }
(3,1) group {
(3,1) check_blacklist (ok)
(3,1) if (&control:Local-Banned-User) {
(3,1) ...
(3,1) }
(3,1) else {
(3,1) noop (noop)
(3,1) } # else (noop)
(3,1) } # group (ok)
(3,1) } # if (&Stripped-User-Name != "") (ok)
(3,1) } # if (&Realm) (ok)
(3,1) eap - Peer sent EAP Response (code 2) ID 3 length 6
(3,1) eap - Continuing tunnel setup
(3,1) eap (ok)
(3,1) } # authorize (ok)
(3,1) Using 'Auth-Type = eap' for authenticate {...}
(3,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(3,1) Auth-Type eap {
(3,1) eap - Peer sent packet with EAP method PEAP (25)
(3,1) eap - Calling submodule eap_peap to process data
(3,1) eap_peap - Continuing EAP-TLS
(3,1) eap_peap - Peer ACKed our handshake fragment
(3,1) eap_peap - [eap-tls verify] = request
(3,1) eap_peap - Sending additional TLS record fragment (994 bytes), 1071 bytes remaining
(3,1) eap_peap - [eap-tls process] = handled
(3,1) eap - Sending EAP Request (code 1) ID 4 length 1000
(3,1) eap (handled)
(3,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(3,1) EXPAND Response-Packet-Type
(3,1) --> Access-Challenge
(3,1) attr_filter.access_challenge - EXPAND %{User-Name}
(3,1) attr_filter.access_challenge - --> testuser@realm
(3,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(3,1) attr_filter.access_challenge.post-auth (updated)
(3,1) handled (handled)
(3,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(3,1) } # Auth-Type eap (handled)
(3,1) Using Post-Auth-Type Challenge
(3,1) Post-Auth-Type sub-section not found. Ignoring.
(3,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(3,1) Sent Access-Challenge Id 79 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(3,1) EAP-Message = 0x010403e8194031302fa02da02b8629687474703a2f2f63726c2e71756f7661646973676c6f62616c2e636f6d2f717673736c67322e63726c301d0603551d0e0416041431cc0012c0528beb4f3ff6c7fb7f8265057c0dd9300d06092a864886f70d01010b05000382010100a7d52e44c1f46b51a9d7395b2a3822ec0ebd0fb9f6af1fbd6f72ee6495c8a74c83db45fc958dad681d19859b9c8c6bc988c4b727276d669ac9945dee1cf9c7916e21175104d073a1c26c901ba390d68354fdd2296bde3526405803dc37b8df49525a563c2db126dba32be5e33f646624c1e675da984a6bfef13f69019afe7664874b04c9b4b64abd637a8ad66929f0d148e5f8efdb9b298bfcc2d083c67c1fa115dced735d0f184950cbb99c6cfdbebd9e18f57f8735f3b90787cfb1618e2c4bb3a5f54a5f83f5c2683e2c6dfd25c31675d046143c13b5c5fa72b39a93c2242e5308853a9361af20d5a0c5a441246b2255b75870d43c8b2ef14cc183018b6ad20005503082054c30820334a003020102021448982de2a92cb339e1c8f933358275d3e4f88255300d06092a864886f70d01010b05003045310b300906035504061302424d31193017060355040a131051756f5661646973204c696d69746564311b30190603550403131251756f566164697320526f6f742043412032301e170d3133303630313133333530355a170d3233303630313133333530355a304d310b300906035504061302424d31193017060355040a131051756f5661646973204c696d69746564312330210603550403131a51756f566164697320476c6f62616c2053534c2049434120473230820122300d06092a864886f70d01010105000382010f003082010a0282010100e1e1856994c08f57fa34fec1b868e49990a9887ace57b7d0e4b554c2187dd0c319e8a96380f7b7dcd219a35ab060d976b41d325635f16ca39c42a18b8a233597417b056984288ece1e4d8b6024f1b488fec050f6c28fae9774f940aa6ef686b3a4e9c75f746514f43ddcbe4ea398645fe3066cc18fb61f5c9996c657c2cbad94890eadbeffb80ba5b638fbb54781d40fca09f10a3b120d1c0fe185b01336c3cb287dfca5f8373aa4ab404663829540bb12ac963f457df79de5037e24b89665631c5d8208414e7f6b5a8690c3f2ebe459f45e077b7d84b7ff31a199762f56cb80c489fc1a4f9869ea0b67c1fdb54be70c3de5107cef22c30fc6ab5dec881c55a30203010001a382012a3082012630120603551d130101ff040830060101ff02010030110603551d20040a300830060604551d2000307206082b0601050507010104663064302a06082b06010505073001861e687474703a2f2f6f6373702e71756f7661646973676c6f62616c2e636f6d30
(3,1) Message-Authenticator = 0x00000000000000000000000000000000
(3,1) State = 0x030138003637b8d43b39393138ab9701
(3,1) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 80 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293
(4) User-Name = "testuser@realm"
(4) Chargeable-User-Identity = 0x00
(4) Location-Capable = Civix-Location
(4) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(4) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(4) NAS-Port = 13
(4) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(4) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(4) NAS-IP-Address = Y.Y.Y.Y
(4) NAS-Identifier = "WM13"
(4) Airespace-Wlan-Id = 8
(4) Service-Type = Framed-User
(4) Framed-MTU = 1300
(4) NAS-Port-Type = Wireless-802.11
(4) Tunnel-Type:0 = VLAN
(4) Tunnel-Medium-Type:0 = IEEE-802
(4) Tunnel-Private-Group-Id:0 = "446"
(4) EAP-Message = 0x020400061900
(4) State = 0x030138003637b8d43b39393138ab9701
(4) Message-Authenticator = 0x1443c965ed70ea0cdba34b15c0f14054
(4,1) Running section authorize from file /etc/raddb/sites-enabled/default
(4,1) authorize {
(4,1) local_rewrite_called_station_id {
(4,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(4,1) update request {
(4,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(4,1) --> 64:AE:0C:91:42:60
(4,1) &Called-Station-Id := 64:AE:0C:91:42:60
(4,1) } # update request (noop)
(4,1) if ("%{8}") {
(4,1) EXPAND %{8}
(4,1) --> RADIUS-TEST
(4,1) update request {
(4,1) EXPAND %{8}
(4,1) --> RADIUS-TEST
(4,1) &Called-Station-SSID := RADIUS-TEST
(4,1) } # update request (noop)
(4,1) } # if ("%{8}") (noop)
(4,1) updated (updated)
(4,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(4,1) else {
(4,1) ... skipping else for request 4: Preceding "if" was taken
(4,1) }
(4,1) } # local_rewrite_called_station_id (updated)
(4,1) local_rewrite_calling_station_id {
(4,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(4,1) update request {
(4,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(4,1) --> A4:D1:8C:E4:9F:22
(4,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(4,1) } # update request (noop)
(4,1) updated (updated)
(4,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(4,1) else {
(4,1) ... skipping else for request 4: Preceding "if" was taken
(4,1) }
(4,1) } # local_rewrite_calling_station_id (updated)
(4,1) filter_username {
(4,1) if (&User-Name) {
(4,1) if (&User-Name =~ / /) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /@[^@]*@/ ) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /\.\./ ) {
(4,1) ...
(4,1) }
(4,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /\.$/) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /(a)\./) {
(4,1) ...
(4,1) }
(4,1) } # if (&User-Name) (updated)
(4,1) } # filter_username (updated)
(4,1) bad_realms {
(4,1) if (&User-Name =~ /\.ax\.uk$/i) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /myabc\.com$/i) {
(4,1) ...
(4,1) }
(4,1) } # bad_realms (updated)
(4,1) preprocess (ok)
(4,1) operator-name.authorize {
(4,1) if ("%{client:Operator-Name}") {
(4,1) EXPAND %{client:Operator-Name}
(4,1) --> 1realm.ac.uk
(4,1) update request {
(4,1) EXPAND %{client:Operator-Name}
(4,1) --> 1realm.ac.uk
(4,1) &Operator-Name = 1realm.ac.uk
(4,1) } # update request (noop)
(4,1) } # if ("%{client:Operator-Name}") (noop)
(4,1) } # operator-name.authorize (noop)
(4,1) suffix - Checking for suffix after "@"
(4,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(4,1) suffix - Found realm "realm.ac.uk"
(4,1) suffix - Adding Stripped-User-Name = "testuser"
(4,1) suffix - Adding Realm = "realm.ac.uk"
(4,1) suffix - Authentication realm is LOCAL
(4,1) suffix (ok)
(4,1) if (&Realm) {
(4,1) update control {
(4,1) &control:Proxy-To-Realm := LOCAL
(4,1) } # update control (noop)
(4,1) } # if (&Realm) (noop)
(4,1) else {
(4,1) ... skipping else for request 4: Preceding "if" was taken
(4,1) }
(4,1) if (&Realm) {
(4,1) if (&Stripped-User-Name != "") {
(4,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(4,1) EXPAND %{tolower:%{Stripped-User-Name}}
(4,1) --> testuser
(4,1) ...
(4,1) }
(4,1) group {
(4,1) check_blacklist (ok)
(4,1) if (&control:Local-Banned-User) {
(4,1) ...
(4,1) }
(4,1) else {
(4,1) noop (noop)
(4,1) } # else (noop)
(4,1) } # group (ok)
(4,1) } # if (&Stripped-User-Name != "") (ok)
(4,1) } # if (&Realm) (ok)
(4,1) eap - Peer sent EAP Response (code 2) ID 4 length 6
(4,1) eap - Continuing tunnel setup
(4,1) eap (ok)
(4,1) } # authorize (ok)
(4,1) Using 'Auth-Type = eap' for authenticate {...}
(4,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(4,1) Auth-Type eap {
(4,1) eap - Peer sent packet with EAP method PEAP (25)
(4,1) eap - Calling submodule eap_peap to process data
(4,1) eap_peap - Continuing EAP-TLS
(4,1) eap_peap - Peer ACKed our handshake fragment
(4,1) eap_peap - [eap-tls verify] = request
(4,1) eap_peap - Sending additional TLS record fragment (994 bytes), 77 bytes remaining
(4,1) eap_peap - [eap-tls process] = handled
(4,1) eap - Sending EAP Request (code 1) ID 5 length 1000
(4,1) eap (handled)
(4,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(4,1) EXPAND Response-Packet-Type
(4,1) --> Access-Challenge
(4,1) attr_filter.access_challenge - EXPAND %{User-Name}
(4,1) attr_filter.access_challenge - --> testuser@realm
(4,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(4,1) attr_filter.access_challenge.post-auth (updated)
(4,1) handled (handled)
(4,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(4,1) } # Auth-Type eap (handled)
(4,1) Using Post-Auth-Type Challenge
(4,1) Post-Auth-Type sub-section not found. Ignoring.
(4,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(4,1) Sent Access-Challenge Id 80 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(4,1) EAP-Message = 0x010503e819403606082b06010505073002862a687474703a2f2f74727573742e71756f7661646973676c6f62616c2e636f6d2f7176726361322e637274300e0603551d0f0101ff040403020106301f0603551d230418301680141a8462bc484c332504d4eed0f603c41946d1946b30390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e71756f7661646973676c6f62616c2e636f6d2f7176726361322e63726c301d0603551d0e04160414911962ad5b17a730fbf0de3925b1bd8cb9b85127300d06092a864886f70d01010b050003820201007c0a60820041b52dcc39e5f4db6bce008a9c0c89e6727453b96dc221e54c975a0599e8e3f88dbffa2da89f10c2e34420b4994d781ba3eb3d4fa265088869eed7e446af866113100f096cb2028e20f873d63af9b80cb78b3310f899d9200b3908f5d01af81ca41fcbf3af6de7516cb6b1a7daa50c6e2a2604addee8a40c82526abc7a9a9804417bb4d1464d92211851f78ef215c65eb65bb439e4b9a8950ed33ab3dc98a5ca3217114eace46b120562688ecfdc425a0d8988e880d420f69204ce86ad532268835810c04bd6fda3662f2b5c3634c95b19ff40c021088204d36f4f53634394a7d44f8ef99062a830feac1bc1a0fb08eb275f74ab49babe582fe3a89092b678badc7bcdbcedac0871df053110dc670fcd5f56dcf2e2b27b9382b70a50d1de232f87a6b97c05bfc4ea51b661db1252872cb9edcab0dea5a804eb3f596cdadbdfc7ba7f0f5e442865ea7063fc5cfbd9c8d4d68a33c36a852a89353265bd78fbcdbde67696dedd847d0644973eba2537b97928ec79e2027b909eebeaa25826ec74dc7c8f335d4aa78c1f767d51b02d944396b00ba7e0ff75c4d87655932a898cac2a8789c56a22b910c57b0c7438a09c7d724983c3aa41bc36a83e8917cb375f27bda7fb525f1c63fec28ae472228d95d82a617e89e233eb08810806bb43b5ae10c4fd744f277d445bb5dd7984f12622fd55efadfde7ae241f019fe748160301014b0c0001470300174104356f9c0ffc364039f66ce9ba8838433a255ea2a399b34afbecaa477b7942a55279ca97694b8f9bf039e0cfb476d1d5b7addccdfb40abfd08e74a23a89104c93501002e556ff2c5c79a3c84eae2e8a77fcb7263c10644d4b699a1d5ea92aa93a2c37fb98d01b49885178ef67475a7bfa4c53029c5ff0d9ca42702cc6e7e8ba9cc7149442ed24e26f5ecb814be162323a3f86596628d2357842d946bfb18bcf0eef9421dbe502d58003cc6edfa496b89c0d24c5e04cb7006be2e797a17a603e9ed8d91bfdff22a264a12245e96a6538b148658affc8899f72a0cfd57ecde4d06fcb40957c6b416b686579c01f6415f69b7064f3fdd2e12d8ba96fe861c2c08
(4,1) Message-Authenticator = 0x00000000000000000000000000000000
(4,1) State = 0x04073800aecc10fa3b39393138ab9701
(4,1) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 81 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293
(5) User-Name = "testuser@realm"
(5) Chargeable-User-Identity = 0x00
(5) Location-Capable = Civix-Location
(5) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(5) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(5) NAS-Port = 13
(5) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(5) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(5) NAS-IP-Address = Y.Y.Y.Y
(5) NAS-Identifier = "WM13"
(5) Airespace-Wlan-Id = 8
(5) Service-Type = Framed-User
(5) Framed-MTU = 1300
(5) NAS-Port-Type = Wireless-802.11
(5) Tunnel-Type:0 = VLAN
(5) Tunnel-Medium-Type:0 = IEEE-802
(5) Tunnel-Private-Group-Id:0 = "446"
(5) EAP-Message = 0x020500061900
(5) State = 0x04073800aecc10fa3b39393138ab9701
(5) Message-Authenticator = 0x71120286c728aae1154c25c60db52811
(5,1) Running section authorize from file /etc/raddb/sites-enabled/default
(5,1) authorize {
(5,1) local_rewrite_called_station_id {
(5,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(5,1) update request {
(5,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(5,1) --> 64:AE:0C:91:42:60
(5,1) &Called-Station-Id := 64:AE:0C:91:42:60
(5,1) } # update request (noop)
(5,1) if ("%{8}") {
(5,1) EXPAND %{8}
(5,1) --> RADIUS-TEST
(5,1) update request {
(5,1) EXPAND %{8}
(5,1) --> RADIUS-TEST
(5,1) &Called-Station-SSID := RADIUS-TEST
(5,1) } # update request (noop)
(5,1) } # if ("%{8}") (noop)
(5,1) updated (updated)
(5,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(5,1) else {
(5,1) ... skipping else for request 5: Preceding "if" was taken
(5,1) }
(5,1) } # local_rewrite_called_station_id (updated)
(5,1) local_rewrite_calling_station_id {
(5,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(5,1) update request {
(5,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(5,1) --> A4:D1:8C:E4:9F:22
(5,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(5,1) } # update request (noop)
(5,1) updated (updated)
(5,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(5,1) else {
(5,1) ... skipping else for request 5: Preceding "if" was taken
(5,1) }
(5,1) } # local_rewrite_calling_station_id (updated)
(5,1) filter_username {
(5,1) if (&User-Name) {
(5,1) if (&User-Name =~ / /) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /@[^@]*@/ ) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /\.\./ ) {
(5,1) ...
(5,1) }
(5,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /\.$/) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /(a)\./) {
(5,1) ...
(5,1) }
(5,1) } # if (&User-Name) (updated)
(5,1) } # filter_username (updated)
(5,1) bad_realms {
(5,1) if (&User-Name =~ /\.ax\.uk$/i) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /myabc\.com$/i) {
(5,1) ...
(5,1) }
(5,1) } # bad_realms (updated)
(5,1) preprocess (ok)
(5,1) operator-name.authorize {
(5,1) if ("%{client:Operator-Name}") {
(5,1) EXPAND %{client:Operator-Name}
(5,1) --> 1realm.ac.uk
(5,1) update request {
(5,1) EXPAND %{client:Operator-Name}
(5,1) --> 1realm.ac.uk
(5,1) &Operator-Name = 1realm.ac.uk
(5,1) } # update request (noop)
(5,1) } # if ("%{client:Operator-Name}") (noop)
(5,1) } # operator-name.authorize (noop)
(5,1) suffix - Checking for suffix after "@"
(5,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(5,1) suffix - Found realm "realm.ac.uk"
(5,1) suffix - Adding Stripped-User-Name = "testuser"
(5,1) suffix - Adding Realm = "realm.ac.uk"
(5,1) suffix - Authentication realm is LOCAL
(5,1) suffix (ok)
(5,1) if (&Realm) {
(5,1) update control {
(5,1) &control:Proxy-To-Realm := LOCAL
(5,1) } # update control (noop)
(5,1) } # if (&Realm) (noop)
(5,1) else {
(5,1) ... skipping else for request 5: Preceding "if" was taken
(5,1) }
(5,1) if (&Realm) {
(5,1) if (&Stripped-User-Name != "") {
(5,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(5,1) EXPAND %{tolower:%{Stripped-User-Name}}
(5,1) --> testuser
(5,1) ...
(5,1) }
(5,1) group {
(5,1) check_blacklist (ok)
(5,1) if (&control:Local-Banned-User) {
(5,1) ...
(5,1) }
(5,1) else {
(5,1) noop (noop)
(5,1) } # else (noop)
(5,1) } # group (ok)
(5,1) } # if (&Stripped-User-Name != "") (ok)
(5,1) } # if (&Realm) (ok)
(5,1) eap - Peer sent EAP Response (code 2) ID 5 length 6
(5,1) eap - Continuing tunnel setup
(5,1) eap (ok)
(5,1) } # authorize (ok)
(5,1) Using 'Auth-Type = eap' for authenticate {...}
(5,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(5,1) Auth-Type eap {
(5,1) eap - Peer sent packet with EAP method PEAP (25)
(5,1) eap - Calling submodule eap_peap to process data
(5,1) eap_peap - Continuing EAP-TLS
(5,1) eap_peap - Peer ACKed our handshake fragment
(5,1) eap_peap - [eap-tls verify] = request
(5,1) eap_peap - Sending final TLS record fragment (77 bytes)
(5,1) eap_peap - [eap-tls process] = handled
(5,1) eap - Sending EAP Request (code 1) ID 6 length 83
(5,1) eap (handled)
(5,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(5,1) EXPAND Response-Packet-Type
(5,1) --> Access-Challenge
(5,1) attr_filter.access_challenge - EXPAND %{User-Name}
(5,1) attr_filter.access_challenge - --> testuser@realm
(5,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(5,1) attr_filter.access_challenge.post-auth (updated)
(5,1) handled (handled)
(5,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(5,1) } # Auth-Type eap (handled)
(5,1) Using Post-Auth-Type Challenge
(5,1) Post-Auth-Type sub-section not found. Ignoring.
(5,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(5,1) Sent Access-Challenge Id 81 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(5,1) EAP-Message = 0x0106005319004e06bbcfa59586d7b2ff4301f7a4dced7726344b96c142ba4f7edda40388cd1960d4509a41a041f4a249841cb2d310f71b7289440659999943f6e9e8d339d98ba10c468116030100040e000000
(5,1) Message-Authenticator = 0x00000000000000000000000000000000
(5,1) State = 0x050138003637b8d43b39393138ab9701
(5,1) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 82 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 431
(6) User-Name = "testuser@realm"
(6) Chargeable-User-Identity = 0x00
(6) Location-Capable = Civix-Location
(6) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(6) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(6) NAS-Port = 13
(6) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(6) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(6) NAS-IP-Address = Y.Y.Y.Y
(6) NAS-Identifier = "WM13"
(6) Airespace-Wlan-Id = 8
(6) Service-Type = Framed-User
(6) Framed-MTU = 1300
(6) NAS-Port-Type = Wireless-802.11
(6) Tunnel-Type:0 = VLAN
(6) Tunnel-Medium-Type:0 = IEEE-802
(6) Tunnel-Private-Group-Id:0 = "446"
(6) EAP-Message = 0x0206009019800000008616030100461000004241042a5475e41a0623c852b7ef77add0a1b3f495bfe644190191922bd6567c29c76dd46784c71d47f29e9688a6fe7998febd4ebee0a3b1dd33fe0b604b4c3ec38308140301000101160301003048686a4b033d40f5f9526b1c98c9c4ea528ac0c54e84251ef82fb6efe6c197f662f7468f1631afe64f0846e6f63ad3bf
(6) State = 0x050138003637b8d43b39393138ab9701
(6) Message-Authenticator = 0x8c61c24db4bce0512a7cfd792ebe1ec6
(6,1) Running section authorize from file /etc/raddb/sites-enabled/default
(6,1) authorize {
(6,1) local_rewrite_called_station_id {
(6,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(6,1) update request {
(6,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(6,1) --> 64:AE:0C:91:42:60
(6,1) &Called-Station-Id := 64:AE:0C:91:42:60
(6,1) } # update request (noop)
(6,1) if ("%{8}") {
(6,1) EXPAND %{8}
(6,1) --> RADIUS-TEST
(6,1) update request {
(6,1) EXPAND %{8}
(6,1) --> RADIUS-TEST
(6,1) &Called-Station-SSID := RADIUS-TEST
(6,1) } # update request (noop)
(6,1) } # if ("%{8}") (noop)
(6,1) updated (updated)
(6,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(6,1) else {
(6,1) ... skipping else for request 6: Preceding "if" was taken
(6,1) }
(6,1) } # local_rewrite_called_station_id (updated)
(6,1) local_rewrite_calling_station_id {
(6,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(6,1) update request {
(6,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(6,1) --> A4:D1:8C:E4:9F:22
(6,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(6,1) } # update request (noop)
(6,1) updated (updated)
(6,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(6,1) else {
(6,1) ... skipping else for request 6: Preceding "if" was taken
(6,1) }
(6,1) } # local_rewrite_calling_station_id (updated)
(6,1) filter_username {
(6,1) if (&User-Name) {
(6,1) if (&User-Name =~ / /) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /@[^@]*@/ ) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /\.\./ ) {
(6,1) ...
(6,1) }
(6,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /\.$/) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /(a)\./) {
(6,1) ...
(6,1) }
(6,1) } # if (&User-Name) (updated)
(6,1) } # filter_username (updated)
(6,1) bad_realms {
(6,1) if (&User-Name =~ /\.ax\.uk$/i) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /myabc\.com$/i) {
(6,1) ...
(6,1) }
(6,1) } # bad_realms (updated)
(6,1) preprocess (ok)
(6,1) operator-name.authorize {
(6,1) if ("%{client:Operator-Name}") {
(6,1) EXPAND %{client:Operator-Name}
(6,1) --> 1realm.ac.uk
(6,1) update request {
(6,1) EXPAND %{client:Operator-Name}
(6,1) --> 1realm.ac.uk
(6,1) &Operator-Name = 1realm.ac.uk
(6,1) } # update request (noop)
(6,1) } # if ("%{client:Operator-Name}") (noop)
(6,1) } # operator-name.authorize (noop)
(6,1) suffix - Checking for suffix after "@"
(6,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(6,1) suffix - Found realm "realm.ac.uk"
(6,1) suffix - Adding Stripped-User-Name = "testuser"
(6,1) suffix - Adding Realm = "realm.ac.uk"
(6,1) suffix - Authentication realm is LOCAL
(6,1) suffix (ok)
(6,1) if (&Realm) {
(6,1) update control {
(6,1) &control:Proxy-To-Realm := LOCAL
(6,1) } # update control (noop)
(6,1) } # if (&Realm) (noop)
(6,1) else {
(6,1) ... skipping else for request 6: Preceding "if" was taken
(6,1) }
(6,1) if (&Realm) {
(6,1) if (&Stripped-User-Name != "") {
(6,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(6,1) EXPAND %{tolower:%{Stripped-User-Name}}
(6,1) --> testuser
(6,1) ...
(6,1) }
(6,1) group {
(6,1) check_blacklist (ok)
(6,1) if (&control:Local-Banned-User) {
(6,1) ...
(6,1) }
(6,1) else {
(6,1) noop (noop)
(6,1) } # else (noop)
(6,1) } # group (ok)
(6,1) } # if (&Stripped-User-Name != "") (ok)
(6,1) } # if (&Realm) (ok)
(6,1) eap - Peer sent EAP Response (code 2) ID 6 length 144
(6,1) eap - Continuing tunnel setup
(6,1) eap (ok)
(6,1) } # authorize (ok)
(6,1) Using 'Auth-Type = eap' for authenticate {...}
(6,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(6,1) Auth-Type eap {
(6,1) eap - Peer sent packet with EAP method PEAP (25)
(6,1) eap - Calling submodule eap_peap to process data
(6,1) eap_peap - Continuing EAP-TLS
(6,1) eap_peap - Peer indicated complete TLS record size will be 134 bytes
(6,1) eap_peap - Got complete TLS record, with length field (134 bytes)
(6,1) eap_peap - [eap-tls verify] = complete
(6,1) eap_peap - <<< recv handshake [length 70], client_key_exchange
(6,1) eap_peap - Handshake state - Server SSLv3 read client key exchange A
(6,1) eap_peap - <<< recv change_cipher_spec [length 1]
(6,1) eap_peap - <<< recv handshake [length 16], finished
(6,1) eap_peap - Handshake state - Server SSLv3 read finished A
(6,1) eap_peap - >>> send change_cipher_spec [length 1]
(6,1) eap_peap - Handshake state - Server SSLv3 write change cipher spec A
(6,1) eap_peap - >>> send handshake [length 16], finished
(6,1) eap_peap - Handshake state - Server SSLv3 write finished A
(6,1) eap_peap - Handshake state - Server SSLv3 flush data
(6,1) eap_peap - Handshake state - SSL negotiation finished successfully
(6,1) eap_peap - Cipher suite: CDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
(6,1) eap_peap - Sending complete TLS record (59 bytes)
(6,1) eap_peap - [eap-tls process] = handled
(6,1) eap - Sending EAP Request (code 1) ID 7 length 65
(6,1) eap (handled)
(6,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(6,1) EXPAND Response-Packet-Type
(6,1) --> Access-Challenge
(6,1) attr_filter.access_challenge - EXPAND %{User-Name}
(6,1) attr_filter.access_challenge - --> testuser@realm
(6,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(6,1) attr_filter.access_challenge.post-auth (updated)
(6,1) handled (handled)
(6,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(6,1) } # Auth-Type eap (handled)
(6,1) Using Post-Auth-Type Challenge
(6,1) Post-Auth-Type sub-section not found. Ignoring.
(6,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(6,1) Sent Access-Challenge Id 82 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(6,1) EAP-Message = 0x01070041190014030100010116030100306c8dcb9afcb8f73b414f202b96d6efd0bab2bd9ad150291d1ce462a9f4c7055f7c55a31447a4b2d6e724095cfc6c65d1
(6,1) Message-Authenticator = 0x00000000000000000000000000000000
(6,1) State = 0x06033800aecc10fa3b39393138ab9701
(6,1) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 83 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293
(7) User-Name = "testuser@realm"
(7) Chargeable-User-Identity = 0x00
(7) Location-Capable = Civix-Location
(7) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(7) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(7) NAS-Port = 13
(7) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(7) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(7) NAS-IP-Address = Y.Y.Y.Y
(7) NAS-Identifier = "WM13"
(7) Airespace-Wlan-Id = 8
(7) Service-Type = Framed-User
(7) Framed-MTU = 1300
(7) NAS-Port-Type = Wireless-802.11
(7) Tunnel-Type:0 = VLAN
(7) Tunnel-Medium-Type:0 = IEEE-802
(7) Tunnel-Private-Group-Id:0 = "446"
(7) EAP-Message = 0x020700061900
(7) State = 0x06033800aecc10fa3b39393138ab9701
(7) Message-Authenticator = 0x555162762d19bd82d35f798dba8e28aa
(7,1) Running section authorize from file /etc/raddb/sites-enabled/default
(7,1) authorize {
(7,1) local_rewrite_called_station_id {
(7,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(7,1) update request {
(7,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(7,1) --> 64:AE:0C:91:42:60
(7,1) &Called-Station-Id := 64:AE:0C:91:42:60
(7,1) } # update request (noop)
(7,1) if ("%{8}") {
(7,1) EXPAND %{8}
(7,1) --> RADIUS-TEST
(7,1) update request {
(7,1) EXPAND %{8}
(7,1) --> RADIUS-TEST
(7,1) &Called-Station-SSID := RADIUS-TEST
(7,1) } # update request (noop)
(7,1) } # if ("%{8}") (noop)
(7,1) updated (updated)
(7,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(7,1) else {
(7,1) ... skipping else for request 7: Preceding "if" was taken
(7,1) }
(7,1) } # local_rewrite_called_station_id (updated)
(7,1) local_rewrite_calling_station_id {
(7,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(7,1) update request {
(7,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(7,1) --> A4:D1:8C:E4:9F:22
(7,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(7,1) } # update request (noop)
(7,1) updated (updated)
(7,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(7,1) else {
(7,1) ... skipping else for request 7: Preceding "if" was taken
(7,1) }
(7,1) } # local_rewrite_calling_station_id (updated)
(7,1) filter_username {
(7,1) if (&User-Name) {
(7,1) if (&User-Name =~ / /) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /@[^@]*@/ ) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /\.\./ ) {
(7,1) ...
(7,1) }
(7,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /\.$/) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /(a)\./) {
(7,1) ...
(7,1) }
(7,1) } # if (&User-Name) (updated)
(7,1) } # filter_username (updated)
(7,1) bad_realms {
(7,1) if (&User-Name =~ /\.ax\.uk$/i) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /myabc\.com$/i) {
(7,1) ...
(7,1) }
(7,1) } # bad_realms (updated)
(7,1) preprocess (ok)
(7,1) operator-name.authorize {
(7,1) if ("%{client:Operator-Name}") {
(7,1) EXPAND %{client:Operator-Name}
(7,1) --> 1realm.ac.uk
(7,1) update request {
(7,1) EXPAND %{client:Operator-Name}
(7,1) --> 1realm.ac.uk
(7,1) &Operator-Name = 1realm.ac.uk
(7,1) } # update request (noop)
(7,1) } # if ("%{client:Operator-Name}") (noop)
(7,1) } # operator-name.authorize (noop)
(7,1) suffix - Checking for suffix after "@"
(7,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(7,1) suffix - Found realm "realm.ac.uk"
(7,1) suffix - Adding Stripped-User-Name = "testuser"
(7,1) suffix - Adding Realm = "realm.ac.uk"
(7,1) suffix - Authentication realm is LOCAL
(7,1) suffix (ok)
(7,1) if (&Realm) {
(7,1) update control {
(7,1) &control:Proxy-To-Realm := LOCAL
(7,1) } # update control (noop)
(7,1) } # if (&Realm) (noop)
(7,1) else {
(7,1) ... skipping else for request 7: Preceding "if" was taken
(7,1) }
(7,1) if (&Realm) {
(7,1) if (&Stripped-User-Name != "") {
(7,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(7,1) EXPAND %{tolower:%{Stripped-User-Name}}
(7,1) --> testuser
(7,1) ...
(7,1) }
(7,1) group {
(7,1) check_blacklist (ok)
(7,1) if (&control:Local-Banned-User) {
(7,1) ...
(7,1) }
(7,1) else {
(7,1) noop (noop)
(7,1) } # else (noop)
(7,1) } # group (ok)
(7,1) } # if (&Stripped-User-Name != "") (ok)
(7,1) } # if (&Realm) (ok)
(7,1) eap - Peer sent EAP Response (code 2) ID 7 length 6
(7,1) eap - Continuing tunnel setup
(7,1) eap (ok)
(7,1) } # authorize (ok)
(7,1) Using 'Auth-Type = eap' for authenticate {...}
(7,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(7,1) Auth-Type eap {
(7,1) eap - Peer sent packet with EAP method PEAP (25)
(7,1) eap - Calling submodule eap_peap to process data
(7,1) eap_peap - Continuing EAP-TLS
(7,1) eap_peap - Peer ACKed our handshake fragment. handshake is finished
(7,1) eap_peap - [eap-tls verify] = established
(7,1) eap_peap - [eap-tls process] = established
(7,1) eap_peap - Session established. Decoding tunneled data
(7,1) eap_peap - PEAP state TUNNEL ESTABLISHED
(7,1) eap_peap - TLS application data to encrypt (5 bytes)
(7,1) eap_peap - Sending complete TLS record (37 bytes)
(7,1) eap - Sending EAP Request (code 1) ID 8 length 43
(7,1) eap (handled)
(7,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(7,1) EXPAND Response-Packet-Type
(7,1) --> Access-Challenge
(7,1) attr_filter.access_challenge - EXPAND %{User-Name}
(7,1) attr_filter.access_challenge - --> testuser@realm
(7,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(7,1) attr_filter.access_challenge.post-auth (updated)
(7,1) handled (handled)
(7,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(7,1) } # Auth-Type eap (handled)
(7,1) Using Post-Auth-Type Challenge
(7,1) Post-Auth-Type sub-section not found. Ignoring.
(7,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(7,1) Sent Access-Challenge Id 83 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(7,1) EAP-Message = 0x0108002b1900170301002029a24f1d8456037b9aeceb8fbc4df51362f49d1b863dae0ea1e7e356cad48d55
(7,1) Message-Authenticator = 0x00000000000000000000000000000000
(7,1) State = 0x070138003637b8d43b39393138ab9701
(7,1) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 84 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 346
(8) User-Name = "testuser@realm"
(8) Chargeable-User-Identity = 0x00
(8) Location-Capable = Civix-Location
(8) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(8) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(8) NAS-Port = 13
(8) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(8) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(8) NAS-IP-Address = Y.Y.Y.Y
(8) NAS-Identifier = "WM13"
(8) Airespace-Wlan-Id = 8
(8) Service-Type = Framed-User
(8) Framed-MTU = 1300
(8) NAS-Port-Type = Wireless-802.11
(8) Tunnel-Type:0 = VLAN
(8) Tunnel-Medium-Type:0 = IEEE-802
(8) Tunnel-Private-Group-Id:0 = "446"
(8) EAP-Message = 0x0208003b1900170301003012630f02d6ebc7a949180390128f6ca3bd2643ce89f12b1ea709648094fa2265ecdef69755c881656faf5d6debdb50f2
(8) State = 0x070138003637b8d43b39393138ab9701
(8) Message-Authenticator = 0x19dac562b9479efa42ea2766dc140211
(8,1) Running section authorize from file /etc/raddb/sites-enabled/default
(8,1) authorize {
(8,1) local_rewrite_called_station_id {
(8,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(8,1) update request {
(8,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(8,1) --> 64:AE:0C:91:42:60
(8,1) &Called-Station-Id := 64:AE:0C:91:42:60
(8,1) } # update request (noop)
(8,1) if ("%{8}") {
(8,1) EXPAND %{8}
(8,1) --> RADIUS-TEST
(8,1) update request {
(8,1) EXPAND %{8}
(8,1) --> RADIUS-TEST
(8,1) &Called-Station-SSID := RADIUS-TEST
(8,1) } # update request (noop)
(8,1) } # if ("%{8}") (noop)
(8,1) updated (updated)
(8,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(8,1) else {
(8,1) ... skipping else for request 8: Preceding "if" was taken
(8,1) }
(8,1) } # local_rewrite_called_station_id (updated)
(8,1) local_rewrite_calling_station_id {
(8,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(8,1) update request {
(8,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(8,1) --> A4:D1:8C:E4:9F:22
(8,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(8,1) } # update request (noop)
(8,1) updated (updated)
(8,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(8,1) else {
(8,1) ... skipping else for request 8: Preceding "if" was taken
(8,1) }
(8,1) } # local_rewrite_calling_station_id (updated)
(8,1) filter_username {
(8,1) if (&User-Name) {
(8,1) if (&User-Name =~ / /) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /@[^@]*@/ ) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /\.\./ ) {
(8,1) ...
(8,1) }
(8,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /\.$/) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /(a)\./) {
(8,1) ...
(8,1) }
(8,1) } # if (&User-Name) (updated)
(8,1) } # filter_username (updated)
(8,1) bad_realms {
(8,1) if (&User-Name =~ /\.ax\.uk$/i) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /myabc\.com$/i) {
(8,1) ...
(8,1) }
(8,1) } # bad_realms (updated)
(8,1) preprocess (ok)
(8,1) operator-name.authorize {
(8,1) if ("%{client:Operator-Name}") {
(8,1) EXPAND %{client:Operator-Name}
(8,1) --> 1realm.ac.uk
(8,1) update request {
(8,1) EXPAND %{client:Operator-Name}
(8,1) --> 1realm.ac.uk
(8,1) &Operator-Name = 1realm.ac.uk
(8,1) } # update request (noop)
(8,1) } # if ("%{client:Operator-Name}") (noop)
(8,1) } # operator-name.authorize (noop)
(8,1) suffix - Checking for suffix after "@"
(8,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(8,1) suffix - Found realm "realm.ac.uk"
(8,1) suffix - Adding Stripped-User-Name = "testuser"
(8,1) suffix - Adding Realm = "realm.ac.uk"
(8,1) suffix - Authentication realm is LOCAL
(8,1) suffix (ok)
(8,1) if (&Realm) {
(8,1) update control {
(8,1) &control:Proxy-To-Realm := LOCAL
(8,1) } # update control (noop)
(8,1) } # if (&Realm) (noop)
(8,1) else {
(8,1) ... skipping else for request 8: Preceding "if" was taken
(8,1) }
(8,1) if (&Realm) {
(8,1) if (&Stripped-User-Name != "") {
(8,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(8,1) EXPAND %{tolower:%{Stripped-User-Name}}
(8,1) --> testuser
(8,1) ...
(8,1) }
(8,1) group {
(8,1) check_blacklist (ok)
(8,1) if (&control:Local-Banned-User) {
(8,1) ...
(8,1) }
(8,1) else {
(8,1) noop (noop)
(8,1) } # else (noop)
(8,1) } # group (ok)
(8,1) } # if (&Stripped-User-Name != "") (ok)
(8,1) } # if (&Realm) (ok)
(8,1) eap - Peer sent EAP Response (code 2) ID 8 length 59
(8,1) eap - Continuing tunnel setup
(8,1) eap (ok)
(8,1) } # authorize (ok)
(8,1) Using 'Auth-Type = eap' for authenticate {...}
(8,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(8,1) Auth-Type eap {
(8,1) eap - Peer sent packet with EAP method PEAP (25)
(8,1) eap - Calling submodule eap_peap to process data
(8,1) eap_peap - Continuing EAP-TLS
(8,1) eap_peap - Got complete TLS record (53 bytes)
(8,1) eap_peap - [eap-tls verify] = complete
(8,1) eap_peap - Decrypted TLS application data (19 bytes)
(8,1) eap_peap - [eap-tls process] = complete
(8,1) eap_peap - Session established. Decoding tunneled data
(8,1) eap_peap - PEAP state WAITING FOR INNER IDENTITY
(8,1) eap_peap - Received EAP-Identity-Response
(8,1) eap_peap - Got inner identity 'testuser@realm'
(8,1) eap_peap - Got tunneled request
(8,1) eap_peap - &EAP-Message = 0x020800170165636c366368406c656564732e61632e756b
(8,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser@realm"
(8,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel"
(8,1) Virtual server inner-tunnel received request
(8,1) &EAP-Message = 0x020800170165636c366368406c656564732e61632e756b
(8,1) &FreeRADIUS-Proxied-To = 127.0.0.1
(8,1) &User-Name = "testuser@realm"
(8,1) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8,1) server inner-tunnel {
(8,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8,1) authorize {
(8,1) filter_username {
(8,1) if (&User-Name) {
(8,1) if (&User-Name =~ / /) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /@[^@]*@/ ) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /\.\./ ) {
(8,1) ...
(8,1) }
(8,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /\.$/) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /(a)\./) {
(8,1) ...
(8,1) }
(8,1) } # if (&User-Name) (notfound)
(8,1) } # filter_username (notfound)
(8,1) local_filter_inner_identity {
(8,1) if (!&outer.request:User-Name || !&User-Name) {
(8,1) ...
(8,1) }
(8,1) if (&outer.request:User-Name != &User-Name) {
(8,1) ...
(8,1) }
(8,1) } # local_filter_inner_identity (notfound)
(8,1) chap (noop)
(8,1) if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) {
(8,1) mschap-ds (noop)
(8,1) } # if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) (noop)
(8,1) elsif (&outer.request:User-Name =~ /(a)admin\.realm\.ac\.uk$/i) {
(8,1) ... skipping elsif for request 8: Preceding "if" was taken
(8,1) }
(8,1) suffix - Checking for suffix after "@"
(8,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(8,1) suffix - Found realm "realm.ac.uk"
(8,1) suffix - Adding Stripped-User-Name = "testuser"
(8,1) suffix - Adding Realm = "realm.ac.uk"
(8,1) suffix - Authentication realm is LOCAL
(8,1) suffix (ok)
(8,1) if (&User-Name =~ /^@/) {
(8,1) ...
(8,1) }
(8,1) if (!(&Stripped-User-Name)) {
(8,1) ...
(8,1) }
(8,1) else {
(8,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(8,1) EXPAND %{tolower:%{Stripped-User-Name}}
(8,1) --> testuser
(8,1) ...
(8,1) }
(8,1) } # else (ok)
(8,1) group {
(8,1) check_blacklist (ok)
(8,1) if (&control:Local-Banned-User) {
(8,1) ...
(8,1) }
(8,1) else {
(8,1) noop (noop)
(8,1) } # else (noop)
(8,1) } # group (ok)
(8,1) update control {
(8,1) &control:Proxy-To-Realm := LOCAL
(8,1) } # update control (noop)
(8,1) eap - Peer sent EAP Response (code 2) ID 8 length 23
(8,1) eap - Peer sent EAP-Identity. Returning 'ok' so we can short-circuit the rest of authorize
(8,1) eap (ok)
(8,1) } # authorize (ok)
(8,1) Using 'Auth-Type = eap' for authenticate {...}
(8,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel
(8,1) Auth-Type eap {
(8,1) eap - Peer sent packet with EAP method Identity (1)
(8,1) eap - Calling submodule eap_peap to process data
(8,1) eap_peap - Initiating new TLS session
(8,1) eap - Sending EAP Request (code 1) ID 9 length 6
(8,1) eap (handled)
(8,1) } # Auth-Type eap (handled)
(8,1) } # server inner-tunnel
(8,1) Virtual server sending reply
(8,1) &EAP-Message = 0x010900061920
(8,1) &Message-Authenticator = 0x00000000000000000000000000000000
(8,1) eap_peap - Got tunneled reply Access-Challenge
(8,1) eap_peap - &EAP-Message = 0x010900061920
(8,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000
(8,1) eap_peap - Got tunneled Access-Challenge
(8,1) eap_peap - TLS application data to encrypt (2 bytes)
(8,1) eap_peap - Sending complete TLS record (37 bytes)
(8,1) eap - Sending EAP Request (code 1) ID 9 length 43
(8,1) eap (handled)
(8,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(8,1) EXPAND Response-Packet-Type
(8,1) --> Access-Challenge
(8,1) attr_filter.access_challenge - EXPAND %{User-Name}
(8,1) attr_filter.access_challenge - --> testuser@realm
(8,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(8,1) attr_filter.access_challenge.post-auth (updated)
(8,1) handled (handled)
(8,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(8,1) } # Auth-Type eap (handled)
(8,1) Using Post-Auth-Type Challenge
(8,1) Post-Auth-Type sub-section not found. Ignoring.
(8,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(8,1) Sent Access-Challenge Id 84 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(8,1) EAP-Message = 0x0109002b1900170301002082145b33c41958c36bec8f18c2f9da22934d020d4e6d14b2a45a7258b2f336af
(8,1) Message-Authenticator = 0x00000000000000000000000000000000
(8,1) State = 0x080f3800aecc10fa3b39393138ab9701
(8,1) Finished request
Waking up in 4.8 seconds.
(9) Received Access-Request Id 85 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 330
(9) User-Name = "testuser@realm"
(9) Chargeable-User-Identity = 0x00
(9) Location-Capable = Civix-Location
(9) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(9) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(9) NAS-Port = 13
(9) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(9) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(9) NAS-IP-Address = Y.Y.Y.Y
(9) NAS-Identifier = "WM13"
(9) Airespace-Wlan-Id = 8
(9) Service-Type = Framed-User
(9) Framed-MTU = 1300
(9) NAS-Port-Type = Wireless-802.11
(9) Tunnel-Type:0 = VLAN
(9) Tunnel-Medium-Type:0 = IEEE-802
(9) Tunnel-Private-Group-Id:0 = "446"
(9) EAP-Message = 0x0209002b19001703010020b5d3b91965958352c3a2297f539ee8f56616a107a36423c6b065b5bf73f4c0de
(9) State = 0x080f3800aecc10fa3b39393138ab9701
(9) Message-Authenticator = 0x1e0662ee3ffb7f6c36d8f70ecd544acf
(9,1) Running section authorize from file /etc/raddb/sites-enabled/default
(9,1) authorize {
(9,1) local_rewrite_called_station_id {
(9,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(9,1) update request {
(9,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(9,1) --> 64:AE:0C:91:42:60
(9,1) &Called-Station-Id := 64:AE:0C:91:42:60
(9,1) } # update request (noop)
(9,1) if ("%{8}") {
(9,1) EXPAND %{8}
(9,1) --> RADIUS-TEST
(9,1) update request {
(9,1) EXPAND %{8}
(9,1) --> RADIUS-TEST
(9,1) &Called-Station-SSID := RADIUS-TEST
(9,1) } # update request (noop)
(9,1) } # if ("%{8}") (noop)
(9,1) updated (updated)
(9,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(9,1) else {
(9,1) ... skipping else for request 9: Preceding "if" was taken
(9,1) }
(9,1) } # local_rewrite_called_station_id (updated)
(9,1) local_rewrite_calling_station_id {
(9,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(9,1) update request {
(9,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(9,1) --> A4:D1:8C:E4:9F:22
(9,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(9,1) } # update request (noop)
(9,1) updated (updated)
(9,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(9,1) else {
(9,1) ... skipping else for request 9: Preceding "if" was taken
(9,1) }
(9,1) } # local_rewrite_calling_station_id (updated)
(9,1) filter_username {
(9,1) if (&User-Name) {
(9,1) if (&User-Name =~ / /) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /@[^@]*@/ ) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /\.\./ ) {
(9,1) ...
(9,1) }
(9,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /\.$/) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /(a)\./) {
(9,1) ...
(9,1) }
(9,1) } # if (&User-Name) (updated)
(9,1) } # filter_username (updated)
(9,1) bad_realms {
(9,1) if (&User-Name =~ /\.ax\.uk$/i) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /myabc\.com$/i) {
(9,1) ...
(9,1) }
(9,1) } # bad_realms (updated)
(9,1) preprocess (ok)
(9,1) operator-name.authorize {
(9,1) if ("%{client:Operator-Name}") {
(9,1) EXPAND %{client:Operator-Name}
(9,1) --> 1realm.ac.uk
(9,1) update request {
(9,1) EXPAND %{client:Operator-Name}
(9,1) --> 1realm.ac.uk
(9,1) &Operator-Name = 1realm.ac.uk
(9,1) } # update request (noop)
(9,1) } # if ("%{client:Operator-Name}") (noop)
(9,1) } # operator-name.authorize (noop)
(9,1) suffix - Checking for suffix after "@"
(9,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(9,1) suffix - Found realm "realm.ac.uk"
(9,1) suffix - Adding Stripped-User-Name = "testuser"
(9,1) suffix - Adding Realm = "realm.ac.uk"
(9,1) suffix - Authentication realm is LOCAL
(9,1) suffix (ok)
(9,1) if (&Realm) {
(9,1) update control {
(9,1) &control:Proxy-To-Realm := LOCAL
(9,1) } # update control (noop)
(9,1) } # if (&Realm) (noop)
(9,1) else {
(9,1) ... skipping else for request 9: Preceding "if" was taken
(9,1) }
(9,1) if (&Realm) {
(9,1) if (&Stripped-User-Name != "") {
(9,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(9,1) EXPAND %{tolower:%{Stripped-User-Name}}
(9,1) --> testuser
(9,1) ...
(9,1) }
(9,1) group {
(9,1) check_blacklist (ok)
(9,1) if (&control:Local-Banned-User) {
(9,1) ...
(9,1) }
(9,1) else {
(9,1) noop (noop)
(9,1) } # else (noop)
(9,1) } # group (ok)
(9,1) } # if (&Stripped-User-Name != "") (ok)
(9,1) } # if (&Realm) (ok)
(9,1) eap - Peer sent EAP Response (code 2) ID 9 length 43
(9,1) eap - Continuing tunnel setup
(9,1) eap (ok)
(9,1) } # authorize (ok)
(9,1) Using 'Auth-Type = eap' for authenticate {...}
(9,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(9,1) Auth-Type eap {
(9,1) eap - Peer sent packet with EAP method PEAP (25)
(9,1) eap - Calling submodule eap_peap to process data
(9,1) eap_peap - Continuing EAP-TLS
(9,1) eap_peap - Got complete TLS record (37 bytes)
(9,1) eap_peap - [eap-tls verify] = complete
(9,1) eap_peap - Decrypted TLS application data (2 bytes)
(9,1) eap_peap - [eap-tls process] = complete
(9,1) eap_peap - Session established. Decoding tunneled data
(9,1) eap_peap - PEAP state phase2
(9,1) eap_peap - EAP method NAK (3)
(9,1) eap_peap - Got tunneled request
(9,1) eap_peap - &EAP-Message = 0x02090006031a
(9,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser@realm"
(9,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel"
(9,1) Virtual server inner-tunnel received request
(9,1) &EAP-Message = 0x02090006031a
(9,1) &FreeRADIUS-Proxied-To = 127.0.0.1
(9,1) &User-Name = "testuser@realm"
(9,1) WARNING: Outer and inner identities are the same. User privacy is compromised.
(9,1) server inner-tunnel {
(9,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(9,1) authorize {
(9,1) filter_username {
(9,1) if (&User-Name) {
(9,1) if (&User-Name =~ / /) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /@[^@]*@/ ) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /\.\./ ) {
(9,1) ...
(9,1) }
(9,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /\.$/) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /(a)\./) {
(9,1) ...
(9,1) }
(9,1) } # if (&User-Name) (notfound)
(9,1) } # filter_username (notfound)
(9,1) local_filter_inner_identity {
(9,1) if (!&outer.request:User-Name || !&User-Name) {
(9,1) ...
(9,1) }
(9,1) if (&outer.request:User-Name != &User-Name) {
(9,1) ...
(9,1) }
(9,1) } # local_filter_inner_identity (notfound)
(9,1) chap (noop)
(9,1) if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) {
(9,1) mschap-ds (noop)
(9,1) } # if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) (noop)
(9,1) elsif (&outer.request:User-Name =~ /(a)admin\.realm\.ac\.uk$/i) {
(9,1) ... skipping elsif for request 9: Preceding "if" was taken
(9,1) }
(9,1) suffix - Checking for suffix after "@"
(9,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(9,1) suffix - Found realm "realm.ac.uk"
(9,1) suffix - Adding Stripped-User-Name = "testuser"
(9,1) suffix - Adding Realm = "realm.ac.uk"
(9,1) suffix - Authentication realm is LOCAL
(9,1) suffix (ok)
(9,1) if (&User-Name =~ /^@/) {
(9,1) ...
(9,1) }
(9,1) if (!(&Stripped-User-Name)) {
(9,1) ...
(9,1) }
(9,1) else {
(9,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(9,1) EXPAND %{tolower:%{Stripped-User-Name}}
(9,1) --> testuser
(9,1) ...
(9,1) }
(9,1) } # else (ok)
(9,1) group {
(9,1) check_blacklist (ok)
(9,1) if (&control:Local-Banned-User) {
(9,1) ...
(9,1) }
(9,1) else {
(9,1) noop (noop)
(9,1) } # else (noop)
(9,1) } # group (ok)
(9,1) update control {
(9,1) &control:Proxy-To-Realm := LOCAL
(9,1) } # update control (noop)
(9,1) eap - Peer sent EAP Response (code 2) ID 9 length 6
(9,1) eap - Continuing on-going EAP conversation
(9,1) eap (updated)
(9,1) files (noop)
(9,1) expiration (noop)
(9,1) logintime (noop)
(9,1) pap (noop)
(9,1) } # authorize (updated)
(9,1) Using 'Auth-Type = eap' for authenticate {...}
(9,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel
(9,1) Auth-Type eap {
(9,1) eap - Peer sent packet with EAP method NAK (3)
(9,1) eap - Found mutually acceptable type MSCHAPv2 (26)
(9,1) eap - Calling submodule eap_mschapv2 to process data
(9,1) eap_mschapv2 - Issuing Challenge
(9,1) eap - Sending EAP Request (code 1) ID 10 length 47
(9,1) eap (handled)
(9,1) } # Auth-Type eap (handled)
(9,1) } # server inner-tunnel
(9,1) Virtual server sending reply
(9,1) &EAP-Message = 0x010a002f1a010a002a101591d608560c5c63a1d6f9157feba6cf667265657261646975732d332e312e302d64656164
(9,1) &Message-Authenticator = 0x00000000000000000000000000000000
(9,1) eap_peap - Got tunneled reply Access-Challenge
(9,1) eap_peap - &EAP-Message = 0x010a002f1a010a002a101591d608560c5c63a1d6f9157feba6cf667265657261646975732d332e312e302d64656164
(9,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000
(9,1) eap_peap - Got tunneled Access-Challenge
(9,1) eap_peap - TLS application data to encrypt (43 bytes)
(9,1) eap_peap - Sending complete TLS record (69 bytes)
(9,1) eap - Sending EAP Request (code 1) ID 10 length 75
(9,1) eap (handled)
(9,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(9,1) EXPAND Response-Packet-Type
(9,1) --> Access-Challenge
(9,1) attr_filter.access_challenge - EXPAND %{User-Name}
(9,1) attr_filter.access_challenge - --> testuser@realm
(9,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(9,1) attr_filter.access_challenge.post-auth (updated)
(9,1) handled (handled)
(9,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(9,1) } # Auth-Type eap (handled)
(9,1) Using Post-Auth-Type Challenge
(9,1) Post-Auth-Type sub-section not found. Ignoring.
(9,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(9,1) Sent Access-Challenge Id 85 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(9,1) EAP-Message = 0x010a004b19001703010040fd1adfa6152afb79c1fa0529c132191cc6180186595d874f715ef0b31bf5417fd2acb727f784d6ae580609b6434fb822695b8a0db91b849dbd55cd39f83f1b56
(9,1) Message-Authenticator = 0x00000000000000000000000000000000
(9,1) State = 0x090138003637b8d43b39393138ab9701
(9,1) Finished request
Waking up in 4.8 seconds.
(10) Received Access-Request Id 86 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 394
(10) User-Name = "testuser@realm"
(10) Chargeable-User-Identity = 0x00
(10) Location-Capable = Civix-Location
(10) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(10) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(10) NAS-Port = 13
(10) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(10) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(10) NAS-IP-Address = Y.Y.Y.Y
(10) NAS-Identifier = "WM13"
(10) Airespace-Wlan-Id = 8
(10) Service-Type = Framed-User
(10) Framed-MTU = 1300
(10) NAS-Port-Type = Wireless-802.11
(10) Tunnel-Type:0 = VLAN
(10) Tunnel-Medium-Type:0 = IEEE-802
(10) Tunnel-Private-Group-Id:0 = "446"
(10) EAP-Message = 0x020a006b19001703010060fb7b84dad699698f8e133528ec8b1ef0f8199de9c6170fb4c86582a647d47520ec17b41fc65471c47ceb60d9a206b2b54936ec02000e6b4894b77cf2a1c4f99e2747be80011ff04e7304a9ed47826067966d1318fd9ef8f95697e149a3355eea
(10) State = 0x090138003637b8d43b39393138ab9701
(10) Message-Authenticator = 0x431e4c764049d08fa9567dfadb9ac07f
(10,1) Running section authorize from file /etc/raddb/sites-enabled/default
(10,1) authorize {
(10,1) local_rewrite_called_station_id {
(10,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(10,1) update request {
(10,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(10,1) --> 64:AE:0C:91:42:60
(10,1) &Called-Station-Id := 64:AE:0C:91:42:60
(10,1) } # update request (noop)
(10,1) if ("%{8}") {
(10,1) EXPAND %{8}
(10,1) --> RADIUS-TEST
(10,1) update request {
(10,1) EXPAND %{8}
(10,1) --> RADIUS-TEST
(10,1) &Called-Station-SSID := RADIUS-TEST
(10,1) } # update request (noop)
(10,1) } # if ("%{8}") (noop)
(10,1) updated (updated)
(10,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(10,1) else {
(10,1) ... skipping else for request 10: Preceding "if" was taken
(10,1) }
(10,1) } # local_rewrite_called_station_id (updated)
(10,1) local_rewrite_calling_station_id {
(10,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(10,1) update request {
(10,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(10,1) --> A4:D1:8C:E4:9F:22
(10,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(10,1) } # update request (noop)
(10,1) updated (updated)
(10,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(10,1) else {
(10,1) ... skipping else for request 10: Preceding "if" was taken
(10,1) }
(10,1) } # local_rewrite_calling_station_id (updated)
(10,1) filter_username {
(10,1) if (&User-Name) {
(10,1) if (&User-Name =~ / /) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /@[^@]*@/ ) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /\.\./ ) {
(10,1) ...
(10,1) }
(10,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /\.$/) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /(a)\./) {
(10,1) ...
(10,1) }
(10,1) } # if (&User-Name) (updated)
(10,1) } # filter_username (updated)
(10,1) bad_realms {
(10,1) if (&User-Name =~ /\.ax\.uk$/i) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /myabc\.com$/i) {
(10,1) ...
(10,1) }
(10,1) } # bad_realms (updated)
(10,1) preprocess (ok)
(10,1) operator-name.authorize {
(10,1) if ("%{client:Operator-Name}") {
(10,1) EXPAND %{client:Operator-Name}
(10,1) --> 1realm.ac.uk
(10,1) update request {
(10,1) EXPAND %{client:Operator-Name}
(10,1) --> 1realm.ac.uk
(10,1) &Operator-Name = 1realm.ac.uk
(10,1) } # update request (noop)
(10,1) } # if ("%{client:Operator-Name}") (noop)
(10,1) } # operator-name.authorize (noop)
(10,1) suffix - Checking for suffix after "@"
(10,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(10,1) suffix - Found realm "realm.ac.uk"
(10,1) suffix - Adding Stripped-User-Name = "testuser"
(10,1) suffix - Adding Realm = "realm.ac.uk"
(10,1) suffix - Authentication realm is LOCAL
(10,1) suffix (ok)
(10,1) if (&Realm) {
(10,1) update control {
(10,1) &control:Proxy-To-Realm := LOCAL
(10,1) } # update control (noop)
(10,1) } # if (&Realm) (noop)
(10,1) else {
(10,1) ... skipping else for request 10: Preceding "if" was taken
(10,1) }
(10,1) if (&Realm) {
(10,1) if (&Stripped-User-Name != "") {
(10,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(10,1) EXPAND %{tolower:%{Stripped-User-Name}}
(10,1) --> testuser
(10,1) ...
(10,1) }
(10,1) group {
(10,1) check_blacklist (ok)
(10,1) if (&control:Local-Banned-User) {
(10,1) ...
(10,1) }
(10,1) else {
(10,1) noop (noop)
(10,1) } # else (noop)
(10,1) } # group (ok)
(10,1) } # if (&Stripped-User-Name != "") (ok)
(10,1) } # if (&Realm) (ok)
(10,1) eap - Peer sent EAP Response (code 2) ID 10 length 107
(10,1) eap - Continuing tunnel setup
(10,1) eap (ok)
(10,1) } # authorize (ok)
(10,1) Using 'Auth-Type = eap' for authenticate {...}
(10,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(10,1) Auth-Type eap {
(10,1) eap - Peer sent packet with EAP method PEAP (25)
(10,1) eap - Calling submodule eap_peap to process data
(10,1) eap_peap - Continuing EAP-TLS
(10,1) eap_peap - Got complete TLS record (101 bytes)
(10,1) eap_peap - [eap-tls verify] = complete
(10,1) eap_peap - Decrypted TLS application data (73 bytes)
(10,1) eap_peap - [eap-tls process] = complete
(10,1) eap_peap - Session established. Decoding tunneled data
(10,1) eap_peap - PEAP state phase2
(10,1) eap_peap - EAP method MSCHAPv2 (26)
(10,1) eap_peap - Got tunneled request
(10,1) eap_peap - &EAP-Message = 0x020a004d1a020a004831329616f5f88860d55df21c3a71f27e040000000000000000f283736acdd6b31ecc9bdf0c7b021c5232c4bf8f5aa26a620065636c366368406c656564732e61632e756b
(10,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser@realm"
(10,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel"
(10,1) Virtual server inner-tunnel received request
(10,1) &EAP-Message = 0x020a004d1a020a004831329616f5f88860d55df21c3a71f27e040000000000000000f283736acdd6b31ecc9bdf0c7b021c5232c4bf8f5aa26a620065636c366368406c656564732e61632e756b
(10,1) &FreeRADIUS-Proxied-To = 127.0.0.1
(10,1) &User-Name = "testuser@realm"
(10,1) WARNING: Outer and inner identities are the same. User privacy is compromised.
(10,1) server inner-tunnel {
(10,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(10,1) authorize {
(10,1) filter_username {
(10,1) if (&User-Name) {
(10,1) if (&User-Name =~ / /) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /@[^@]*@/ ) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /\.\./ ) {
(10,1) ...
(10,1) }
(10,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /\.$/) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /(a)\./) {
(10,1) ...
(10,1) }
(10,1) } # if (&User-Name) (notfound)
(10,1) } # filter_username (notfound)
(10,1) local_filter_inner_identity {
(10,1) if (!&outer.request:User-Name || !&User-Name) {
(10,1) ...
(10,1) }
(10,1) if (&outer.request:User-Name != &User-Name) {
(10,1) ...
(10,1) }
(10,1) } # local_filter_inner_identity (notfound)
(10,1) chap (noop)
(10,1) if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) {
(10,1) mschap-ds (noop)
(10,1) } # if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) (noop)
(10,1) elsif (&outer.request:User-Name =~ /(a)admin\.realm\.ac\.uk$/i) {
(10,1) ... skipping elsif for request 10: Preceding "if" was taken
(10,1) }
(10,1) suffix - Checking for suffix after "@"
(10,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(10,1) suffix - Found realm "realm.ac.uk"
(10,1) suffix - Adding Stripped-User-Name = "testuser"
(10,1) suffix - Adding Realm = "realm.ac.uk"
(10,1) suffix - Authentication realm is LOCAL
(10,1) suffix (ok)
(10,1) if (&User-Name =~ /^@/) {
(10,1) ...
(10,1) }
(10,1) if (!(&Stripped-User-Name)) {
(10,1) ...
(10,1) }
(10,1) else {
(10,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(10,1) EXPAND %{tolower:%{Stripped-User-Name}}
(10,1) --> testuser
(10,1) ...
(10,1) }
(10,1) } # else (ok)
(10,1) group {
(10,1) check_blacklist (ok)
(10,1) if (&control:Local-Banned-User) {
(10,1) ...
(10,1) }
(10,1) else {
(10,1) noop (noop)
(10,1) } # else (noop)
(10,1) } # group (ok)
(10,1) update control {
(10,1) &control:Proxy-To-Realm := LOCAL
(10,1) } # update control (noop)
(10,1) eap - Peer sent EAP Response (code 2) ID 10 length 77
(10,1) eap - Continuing on-going EAP conversation
(10,1) eap (updated)
(10,1) files (noop)
(10,1) expiration (noop)
(10,1) logintime (noop)
(10,1) pap (noop)
(10,1) } # authorize (updated)
(10,1) Using 'Auth-Type = eap' for authenticate {...}
(10,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel
(10,1) Auth-Type eap {
(10,1) eap - Peer sent packet with EAP method MSCHAPv2 (26)
(10,1) eap - Calling submodule eap_mschapv2 to process data
(10,1) eap_mschapv2 - Running Auth-Type MS-CHAP from file /etc/raddb/sites-enabled/inner-tunnel
(10,1) Auth-Type MS-CHAP {
(10,1) if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) {
(10,1) mschap-ds - Creating challenge hash with username: testuser@realm
(10,1) mschap-ds - Client is using MS-CHAPv2
(10,1) mschap-ds - EXPAND %{%{Stripped-User-Name}:-%{mschap-ds:User-Name}}
(10,1) mschap-ds - --> testuser
(10,1) mschap-ds - Reserved connection (0)
(10,1) mschap-ds - sending authentication request user='testuser' domain='DS'
(10,1) mschap-ds - Released connection (0)
(10,1) mschap-ds - Need 10 more connections to reach 20 spares
(10,1) mschap-ds - Opening additional connection (10), 1 of 54 pending slots used
(10,1) mschap-ds - Authenticated successfully
(10,1) mschap-ds - Adding MS-CHAPv2 MPPE keys
(10,1) mschap-ds (ok)
(10,1) } # if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) (ok)
(10,1) elsif (&outer.request:User-Name =~ /(a)admin\.realm\.ac\.uk$/i) {
(10,1) ... skipping elsif for request 10: Preceding "if" was taken
(10,1) }
(10,1) } # Auth-Type MS-CHAP (ok)
(10,1) eap_mschapv2 - MSCHAP Success
(10,1) eap - Sending EAP Request (code 1) ID 11 length 51
(10,1) eap (handled)
(10,1) } # Auth-Type eap (handled)
(10,1) } # server inner-tunnel
(10,1) Virtual server sending reply
(10,1) &EAP-Message = 0x010b00331a030a002e533d35453739463637393739354343374436383233434142313433353737364643414246384539373932
(10,1) &Message-Authenticator = 0x00000000000000000000000000000000
(10,1) eap_peap - Got tunneled reply Access-Challenge
(10,1) eap_peap - &EAP-Message = 0x010b00331a030a002e533d35453739463637393739354343374436383233434142313433353737364643414246384539373932
(10,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000
(10,1) eap_peap - Got tunneled Access-Challenge
(10,1) eap_peap - TLS application data to encrypt (47 bytes)
(10,1) eap_peap - Sending complete TLS record (85 bytes)
(10,1) eap - Sending EAP Request (code 1) ID 11 length 91
(10,1) eap (handled)
(10,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(10,1) EXPAND Response-Packet-Type
(10,1) --> Access-Challenge
(10,1) attr_filter.access_challenge - EXPAND %{User-Name}
(10,1) attr_filter.access_challenge - --> testuser@realm
(10,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(10,1) attr_filter.access_challenge.post-auth (updated)
(10,1) handled (handled)
(10,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(10,1) } # Auth-Type eap (handled)
(10,1) Using Post-Auth-Type Challenge
(10,1) Post-Auth-Type sub-section not found. Ignoring.
(10,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(10,1) Sent Access-Challenge Id 86 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(10,1) EAP-Message = 0x010b005b19001703010050434a180e3726928b4d1485ba6b2897630e9165184c8e7b1b32265ba04908704d15ee8673ef1b5f4b1cb58c229d9ca96c31528959c7f338b7d83c0deca515c327d242225f1874037a58481664fc1f1360
(10,1) Message-Authenticator = 0x00000000000000000000000000000000
(10,1) State = 0x0a033800aecc10fa3b39393138ab9701
(10,1) Finished request
Waking up in 4.8 seconds.
(11) Received Access-Request Id 87 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 330
(11) User-Name = "testuser@realm"
(11) Chargeable-User-Identity = 0x00
(11) Location-Capable = Civix-Location
(11) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(11) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(11) NAS-Port = 13
(11) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(11) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(11) NAS-IP-Address = Y.Y.Y.Y
(11) NAS-Identifier = "WM13"
(11) Airespace-Wlan-Id = 8
(11) Service-Type = Framed-User
(11) Framed-MTU = 1300
(11) NAS-Port-Type = Wireless-802.11
(11) Tunnel-Type:0 = VLAN
(11) Tunnel-Medium-Type:0 = IEEE-802
(11) Tunnel-Private-Group-Id:0 = "446"
(11) EAP-Message = 0x020b002b19001703010020b5ec1928d5a22217345c5344b5ea9e8a35fa15ad8681bfb8c9873d10febf5798
(11) State = 0x0a033800aecc10fa3b39393138ab9701
(11) Message-Authenticator = 0x62328bab8c9d2ffc5877e080f63230c8
(11,1) Running section authorize from file /etc/raddb/sites-enabled/default
(11,1) authorize {
(11,1) local_rewrite_called_station_id {
(11,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(11,1) update request {
(11,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(11,1) --> 64:AE:0C:91:42:60
(11,1) &Called-Station-Id := 64:AE:0C:91:42:60
(11,1) } # update request (noop)
(11,1) if ("%{8}") {
(11,1) EXPAND %{8}
(11,1) --> RADIUS-TEST
(11,1) update request {
(11,1) EXPAND %{8}
(11,1) --> RADIUS-TEST
(11,1) &Called-Station-SSID := RADIUS-TEST
(11,1) } # update request (noop)
(11,1) } # if ("%{8}") (noop)
(11,1) updated (updated)
(11,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(11,1) else {
(11,1) ... skipping else for request 11: Preceding "if" was taken
(11,1) }
(11,1) } # local_rewrite_called_station_id (updated)
(11,1) local_rewrite_calling_station_id {
(11,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(11,1) update request {
(11,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(11,1) --> A4:D1:8C:E4:9F:22
(11,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(11,1) } # update request (noop)
(11,1) updated (updated)
(11,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(11,1) else {
(11,1) ... skipping else for request 11: Preceding "if" was taken
(11,1) }
(11,1) } # local_rewrite_calling_station_id (updated)
(11,1) filter_username {
(11,1) if (&User-Name) {
(11,1) if (&User-Name =~ / /) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /@[^@]*@/ ) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /\.\./ ) {
(11,1) ...
(11,1) }
(11,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /\.$/) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /(a)\./) {
(11,1) ...
(11,1) }
(11,1) } # if (&User-Name) (updated)
(11,1) } # filter_username (updated)
(11,1) bad_realms {
(11,1) if (&User-Name =~ /\.ax\.uk$/i) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /myabc\.com$/i) {
(11,1) ...
(11,1) }
(11,1) } # bad_realms (updated)
(11,1) preprocess (ok)
(11,1) operator-name.authorize {
(11,1) if ("%{client:Operator-Name}") {
(11,1) EXPAND %{client:Operator-Name}
(11,1) --> 1realm.ac.uk
(11,1) update request {
(11,1) EXPAND %{client:Operator-Name}
(11,1) --> 1realm.ac.uk
(11,1) &Operator-Name = 1realm.ac.uk
(11,1) } # update request (noop)
(11,1) } # if ("%{client:Operator-Name}") (noop)
(11,1) } # operator-name.authorize (noop)
(11,1) suffix - Checking for suffix after "@"
(11,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(11,1) suffix - Found realm "realm.ac.uk"
(11,1) suffix - Adding Stripped-User-Name = "testuser"
(11,1) suffix - Adding Realm = "realm.ac.uk"
(11,1) suffix - Authentication realm is LOCAL
(11,1) suffix (ok)
(11,1) if (&Realm) {
(11,1) update control {
(11,1) &control:Proxy-To-Realm := LOCAL
(11,1) } # update control (noop)
(11,1) } # if (&Realm) (noop)
(11,1) else {
(11,1) ... skipping else for request 11: Preceding "if" was taken
(11,1) }
(11,1) if (&Realm) {
(11,1) if (&Stripped-User-Name != "") {
(11,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(11,1) EXPAND %{tolower:%{Stripped-User-Name}}
(11,1) --> testuser
(11,1) ...
(11,1) }
(11,1) group {
(11,1) check_blacklist (ok)
(11,1) if (&control:Local-Banned-User) {
(11,1) ...
(11,1) }
(11,1) else {
(11,1) noop (noop)
(11,1) } # else (noop)
(11,1) } # group (ok)
(11,1) } # if (&Stripped-User-Name != "") (ok)
(11,1) } # if (&Realm) (ok)
(11,1) eap - Peer sent EAP Response (code 2) ID 11 length 43
(11,1) eap - Continuing tunnel setup
(11,1) eap (ok)
(11,1) } # authorize (ok)
(11,1) Using 'Auth-Type = eap' for authenticate {...}
(11,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(11,1) Auth-Type eap {
(11,1) eap - Peer sent packet with EAP method PEAP (25)
(11,1) eap - Calling submodule eap_peap to process data
(11,1) eap_peap - Continuing EAP-TLS
(11,1) eap_peap - Got complete TLS record (37 bytes)
(11,1) eap_peap - [eap-tls verify] = complete
(11,1) eap_peap - Decrypted TLS application data (2 bytes)
(11,1) eap_peap - [eap-tls process] = complete
(11,1) eap_peap - Session established. Decoding tunneled data
(11,1) eap_peap - PEAP state phase2
(11,1) eap_peap - EAP method MSCHAPv2 (26)
(11,1) eap_peap - Got tunneled request
(11,1) eap_peap - &EAP-Message = 0x020b00061a03
(11,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser@realm"
(11,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel"
(11,1) Virtual server inner-tunnel received request
(11,1) &EAP-Message = 0x020b00061a03
(11,1) &FreeRADIUS-Proxied-To = 127.0.0.1
(11,1) &User-Name = "testuser@realm"
(11,1) WARNING: Outer and inner identities are the same. User privacy is compromised.
(11,1) server inner-tunnel {
(11,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(11,1) authorize {
(11,1) filter_username {
(11,1) if (&User-Name) {
(11,1) if (&User-Name =~ / /) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /@[^@]*@/ ) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /\.\./ ) {
(11,1) ...
(11,1) }
(11,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /\.$/) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /(a)\./) {
(11,1) ...
(11,1) }
(11,1) } # if (&User-Name) (notfound)
(11,1) } # filter_username (notfound)
(11,1) local_filter_inner_identity {
(11,1) if (!&outer.request:User-Name || !&User-Name) {
(11,1) ...
(11,1) }
(11,1) if (&outer.request:User-Name != &User-Name) {
(11,1) ...
(11,1) }
(11,1) } # local_filter_inner_identity (notfound)
(11,1) chap (noop)
(11,1) if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) {
(11,1) mschap-ds (noop)
(11,1) } # if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) (noop)
(11,1) elsif (&outer.request:User-Name =~ /(a)admin\.realm\.ac\.uk$/i) {
(11,1) ... skipping elsif for request 11: Preceding "if" was taken
(11,1) }
(11,1) suffix - Checking for suffix after "@"
(11,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(11,1) suffix - Found realm "realm.ac.uk"
(11,1) suffix - Adding Stripped-User-Name = "testuser"
(11,1) suffix - Adding Realm = "realm.ac.uk"
(11,1) suffix - Authentication realm is LOCAL
(11,1) suffix (ok)
(11,1) if (&User-Name =~ /^@/) {
(11,1) ...
(11,1) }
(11,1) if (!(&Stripped-User-Name)) {
(11,1) ...
(11,1) }
(11,1) else {
(11,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(11,1) EXPAND %{tolower:%{Stripped-User-Name}}
(11,1) --> testuser
(11,1) ...
(11,1) }
(11,1) } # else (ok)
(11,1) group {
(11,1) check_blacklist (ok)
(11,1) if (&control:Local-Banned-User) {
(11,1) ...
(11,1) }
(11,1) else {
(11,1) noop (noop)
(11,1) } # else (noop)
(11,1) } # group (ok)
(11,1) update control {
(11,1) &control:Proxy-To-Realm := LOCAL
(11,1) } # update control (noop)
(11,1) eap - Peer sent EAP Response (code 2) ID 11 length 6
(11,1) eap - Continuing on-going EAP conversation
(11,1) eap (updated)
(11,1) files (noop)
(11,1) expiration (noop)
(11,1) logintime (noop)
(11,1) pap (noop)
(11,1) } # authorize (updated)
(11,1) Using 'Auth-Type = eap' for authenticate {...}
(11,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel
(11,1) Auth-Type eap {
(11,1) eap - Peer sent packet with EAP method MSCHAPv2 (26)
(11,1) eap - Calling submodule eap_mschapv2 to process data
(11,1) eap - Sending EAP Success (code 3) ID 11 length 4
(11,1) eap - Cleaning up EAP session
(11,1) eap (ok)
(11,1) } # Auth-Type eap (ok)
(11,1) Login OK: [testuser@realm] (from client wism13 port 0 via TLS tunnel)
(11,1) Running section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(11,1) post-auth {
(11,1) update reply {
(11,1) &reply:Reply-Message := successful authentication
(11,1) } # update reply (noop)
(11,1) inner-tunnel-accept-log - Using default message
(11,1) inner-tunnel-accept-log - EXPAND %S (%l) id %I INNER ACCEPT %{User-Name} cli %{%{outer.request:Calling-Station-Id}:--} outer-id %{outer.request:User-Name} auth-type %{outer.control:Auth-Type}/%{outer.request:EAP-Type} realm %{Realm} operator %{%{outer.request:Operator-Name}:--} client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) essid (%{%{outer.request:Called-Station-SSID}:--}) reply-msg '%{reply:Reply-Message}'
(11,1) inner-tunnel-accept-log - --> 2016-11-25 15:17:51 (1480087071) id 11 INNER ACCEPT testuser@realm cli A4:D1:8C:E4:9F:22 outer-id testuser(a)realm.ac.uk auth-type eap/PEAP realm realm.ac.uk operator 1realm.ac.uk client Y.Y.Y.Y (wism13) essid (RADIUS-TEST) reply-msg 'successful authentication'
(11,1) inner-tunnel-accept-log - EXPAND /var/log/radius/auth.log
(11,1) inner-tunnel-accept-log - --> /var/log/radius/auth.log
(11,1) inner-tunnel-accept-log (ok)
(11,1) update {
(11,1) &outer.session-state: += &reply:MS-MPPE-Encryption-Policy -> Encryption-Required
(11,1) &outer.session-state: += &reply:MS-MPPE-Encryption-Types -> 4
(11,1) &outer.session-state: += &reply:MS-MPPE-Send-Key -> 0xd8d3d48df0050ef926fee45a7025a880
(11,1) &outer.session-state: += &reply:MS-MPPE-Recv-Key -> 0x1d3a468cf7a531c07677d5c70e683dd0
(11,1) &outer.session-state: += &reply:EAP-Message -> 0x030b0004
(11,1) &outer.session-state: += &reply:Message-Authenticator -> 0x00000000000000000000000000000000
(11,1) &outer.session-state: += &reply:Stripped-User-Name -> "testuser"
(11,1) &outer.session-state: += &reply:Reply-Message -> "successful authentication"
(11,1) } # update (noop)
(11,1) update outer.session-state {
(11,1) &outer.session-state:MS-MPPE-Encryption-Policy !* ANY
(11,1) &outer.session-state:MS-MPPE-Encryption-Types !* ANY
(11,1) &outer.session-state:MS-MPPE-Send-Key !* ANY
(11,1) &outer.session-state:MS-MPPE-Recv-Key !* ANY
(11,1) &outer.session-state:Message-Authenticator !* ANY
(11,1) &outer.session-state:EAP-Message !* ANY
(11,1) &outer.session-state:Proxy-State !* ANY
(11,1) } # update outer.session-state (noop)
(11,1) } # post-auth (ok)
(11,1) } # server inner-tunnel
(11,1) Virtual server sending reply
(11,1) &MS-MPPE-Encryption-Policy = Encryption-Required
(11,1) &MS-MPPE-Encryption-Types = 4
(11,1) &MS-MPPE-Send-Key = 0xd8d3d48df0050ef926fee45a7025a880
(11,1) &MS-MPPE-Recv-Key = 0x1d3a468cf7a531c07677d5c70e683dd0
(11,1) &EAP-Message = 0x030b0004
(11,1) &Message-Authenticator = 0x00000000000000000000000000000000
(11,1) &Stripped-User-Name = "testuser"
(11,1) &Reply-Message := "successful authentication"
(11,1) eap_peap - Got tunneled reply Access-Accept
(11,1) eap_peap - &MS-MPPE-Encryption-Policy = Encryption-Required
(11,1) eap_peap - &MS-MPPE-Encryption-Types = 4
(11,1) eap_peap - &MS-MPPE-Send-Key = 0xd8d3d48df0050ef926fee45a7025a880
(11,1) eap_peap - &MS-MPPE-Recv-Key = 0x1d3a468cf7a531c07677d5c70e683dd0
(11,1) eap_peap - &EAP-Message = 0x030b0004
(11,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000
(11,1) eap_peap - &Stripped-User-Name = "testuser"
(11,1) eap_peap - &Reply-Message := "successful authentication"
(11,1) eap_peap - Tunneled authentication was successful
(11,1) eap_peap - SUCCESS
(11,1) eap_peap - TLS application data to encrypt (11 bytes)
(11,1) eap_peap - Sending complete TLS record (37 bytes)
(11,1) eap - Sending EAP Request (code 1) ID 12 length 43
(11,1) eap (handled)
(11,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(11,1) EXPAND Response-Packet-Type
(11,1) --> Access-Challenge
(11,1) attr_filter.access_challenge - EXPAND %{User-Name}
(11,1) attr_filter.access_challenge - --> testuser@realm
(11,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(11,1) attr_filter.access_challenge.post-auth (updated)
(11,1) handled (handled)
(11,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(11,1) } # Auth-Type eap (handled)
(11,1) Using Post-Auth-Type Challenge
(11,1) Post-Auth-Type sub-section not found. Ignoring.
(11,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(11,1) Saving &session-state
(11,1) &session-state:Stripped-User-Name += "testuser"
(11,1) &session-state:Reply-Message += "successful authentication"
(11,1) Sent Access-Challenge Id 87 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(11,1) EAP-Message = 0x010c002b1900170301002075fcd60b064f8189f89cd88d8ea3821c5e02316d81a985ae28e6772c0f91527a
(11,1) Message-Authenticator = 0x00000000000000000000000000000000
(11,1) State = 0x0b0138003637b8d43b39393138ab9701
(11,1) Finished request
Waking up in 4.8 seconds.
(12) Received Access-Request Id 88 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 330
(12) User-Name = "testuser@realm"
(12) Chargeable-User-Identity = 0x00
(12) Location-Capable = Civix-Location
(12) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(12) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(12) NAS-Port = 13
(12) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(12) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(12) NAS-IP-Address = Y.Y.Y.Y
(12) NAS-Identifier = "WM13"
(12) Airespace-Wlan-Id = 8
(12) Service-Type = Framed-User
(12) Framed-MTU = 1300
(12) NAS-Port-Type = Wireless-802.11
(12) Tunnel-Type:0 = VLAN
(12) Tunnel-Medium-Type:0 = IEEE-802
(12) Tunnel-Private-Group-Id:0 = "446"
(12) EAP-Message = 0x020c002b190017030100205260e734aa19b0c57421ab4de8ee9119c043f03f0751f165dc6cc2a0f5157a8c
(12) State = 0x0b0138003637b8d43b39393138ab9701
(12) Message-Authenticator = 0xa330d14becbcd2b557c3aeb3deb98ff4
(12,1) Restored &session-state
(12,1) &session-state:Stripped-User-Name += "testuser"
(12,1) &session-state:Reply-Message += "successful authentication"
(12,1) Running section authorize from file /etc/raddb/sites-enabled/default
(12,1) authorize {
(12,1) local_rewrite_called_station_id {
(12,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(12,1) update request {
(12,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(12,1) --> 64:AE:0C:91:42:60
(12,1) &Called-Station-Id := 64:AE:0C:91:42:60
(12,1) } # update request (noop)
(12,1) if ("%{8}") {
(12,1) EXPAND %{8}
(12,1) --> RADIUS-TEST
(12,1) update request {
(12,1) EXPAND %{8}
(12,1) --> RADIUS-TEST
(12,1) &Called-Station-SSID := RADIUS-TEST
(12,1) } # update request (noop)
(12,1) } # if ("%{8}") (noop)
(12,1) updated (updated)
(12,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(12,1) else {
(12,1) ... skipping else for request 12: Preceding "if" was taken
(12,1) }
(12,1) } # local_rewrite_called_station_id (updated)
(12,1) local_rewrite_calling_station_id {
(12,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(12,1) update request {
(12,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(12,1) --> A4:D1:8C:E4:9F:22
(12,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(12,1) } # update request (noop)
(12,1) updated (updated)
(12,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(12,1) else {
(12,1) ... skipping else for request 12: Preceding "if" was taken
(12,1) }
(12,1) } # local_rewrite_calling_station_id (updated)
(12,1) filter_username {
(12,1) if (&User-Name) {
(12,1) if (&User-Name =~ / /) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /@[^@]*@/ ) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /\.\./ ) {
(12,1) ...
(12,1) }
(12,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /\.$/) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /(a)\./) {
(12,1) ...
(12,1) }
(12,1) } # if (&User-Name) (updated)
(12,1) } # filter_username (updated)
(12,1) bad_realms {
(12,1) if (&User-Name =~ /\.ax\.uk$/i) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /myabc\.com$/i) {
(12,1) ...
(12,1) }
(12,1) } # bad_realms (updated)
(12,1) preprocess (ok)
(12,1) operator-name.authorize {
(12,1) if ("%{client:Operator-Name}") {
(12,1) EXPAND %{client:Operator-Name}
(12,1) --> 1realm.ac.uk
(12,1) update request {
(12,1) EXPAND %{client:Operator-Name}
(12,1) --> 1realm.ac.uk
(12,1) &Operator-Name = 1realm.ac.uk
(12,1) } # update request (noop)
(12,1) } # if ("%{client:Operator-Name}") (noop)
(12,1) } # operator-name.authorize (noop)
(12,1) suffix - Checking for suffix after "@"
(12,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(12,1) suffix - Found realm "realm.ac.uk"
(12,1) suffix - Adding Stripped-User-Name = "testuser"
(12,1) suffix - Adding Realm = "realm.ac.uk"
(12,1) suffix - Authentication realm is LOCAL
(12,1) suffix (ok)
(12,1) if (&Realm) {
(12,1) update control {
(12,1) &control:Proxy-To-Realm := LOCAL
(12,1) } # update control (noop)
(12,1) } # if (&Realm) (noop)
(12,1) else {
(12,1) ... skipping else for request 12: Preceding "if" was taken
(12,1) }
(12,1) if (&Realm) {
(12,1) if (&Stripped-User-Name != "") {
(12,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(12,1) EXPAND %{tolower:%{Stripped-User-Name}}
(12,1) --> testuser
(12,1) ...
(12,1) }
(12,1) group {
(12,1) check_blacklist (ok)
(12,1) if (&control:Local-Banned-User) {
(12,1) ...
(12,1) }
(12,1) else {
(12,1) noop (noop)
(12,1) } # else (noop)
(12,1) } # group (ok)
(12,1) } # if (&Stripped-User-Name != "") (ok)
(12,1) } # if (&Realm) (ok)
(12,1) eap - Peer sent EAP Response (code 2) ID 12 length 43
(12,1) eap - Continuing tunnel setup
(12,1) eap (ok)
(12,1) } # authorize (ok)
(12,1) Using 'Auth-Type = eap' for authenticate {...}
(12,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(12,1) Auth-Type eap {
(12,1) eap - Peer sent packet with EAP method PEAP (25)
(12,1) eap - Calling submodule eap_peap to process data
(12,1) eap_peap - Continuing EAP-TLS
(12,1) eap_peap - Got complete TLS record (37 bytes)
(12,1) eap_peap - [eap-tls verify] = complete
(12,1) eap_peap - Decrypted TLS application data (11 bytes)
(12,1) eap_peap - [eap-tls process] = complete
(12,1) eap_peap - Session established. Decoding tunneled data
(12,1) eap_peap - PEAP state send tlv success
(12,1) eap_peap - Received EAP-TLV response
(12,1) eap_peap - Success
(12,1) eap_peap - Adding session keys
(12,1) eap_peap - &reply:MS-MPPE-Recv-Key = 0xc2b1108d6edcbaab7acbc6cb02381f392e459fecfbd849f9ec05ed541dcbd8ec
(12,1) eap_peap - &reply:MS-MPPE-Send-Key = 0x71011003ab851c697e371755227994e8ab1ff5a15b2a5e4433273ac6b71b363e
(12,1) eap_peap - &reply:EAP-MSK = 0xc2b1108d6edcbaab7acbc6cb02381f392e459fecfbd849f9ec05ed541dcbd8ec71011003ab851c697e371755227994e8ab1ff5a15b2a5e4433273ac6b71b363e
(12,1) eap_peap - &reply:EAP-EMSK = 0x4d4889f2308cc16ca2dfb5c43fd14af93e7a927a9ab73d43433258508c312fa5d2774e063dd8d0ceb56bea3134b9fb99691718545b00139d8dc9e61bf277a526
(12,1) eap - Sending EAP Success (code 3) ID 12 length 4
(12,1) eap - Cleaning up EAP session
(12,1) eap (ok)
(12,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(12,1) ...
(12,1) }
(12,1) } # Auth-Type eap (ok)
(12,1) Login OK: [testuser@realm] (from client wism13 port 13 cli A4:D1:8C:E4:9F:22)
(12,1) Running section post-auth from file /etc/raddb/sites-enabled/default
(12,1) post-auth {
(12,1) update {
(12,1) &reply: += &session-state:Stripped-User-Name -> "testuser"
(12,1) &reply: += &session-state:Reply-Message -> "successful authentication"
(12,1) } # update (noop)
(12,1) update reply {
(12,1) &reply:Reply-Message := successful authentication
(12,1) } # update reply (noop)
(12,1) default-accept-log - Using default message
(12,1) default-accept-log - EXPAND %S (%l) id %I DEFAULT ACCEPT %{User-Name} cli %{%{Calling-Station-Id}:--} auth-type %{control:Auth-Type}/%{EAP-Type} realm %{Realm} operator %{%{Operator-Name}:--} client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) essid (%{%{Called-Station-SSID}:--}) reply-msg '%{reply:Reply-Message}'
(12,1) default-accept-log - --> 2016-11-25 15:17:51 (1480087071) id 88 DEFAULT ACCEPT testuser@realm cli A4:D1:8C:E4:9F:22 auth-type eap/PEAP realm realm.ac.uk operator 1realm.ac.uk client Y.Y.Y.Y (wism13) essid (RADIUS-TEST) reply-msg 'successful authentication'
(12,1) default-accept-log - EXPAND /var/log/radius/auth.log
(12,1) default-accept-log - --> /var/log/radius/auth.log
(12,1) default-accept-log (ok)
(12,1) exec (noop)
(12,1) remove_reply_message_if_eap {
(12,1) if (&reply:EAP-Message && &reply:Reply-Message) {
(12,1) update reply {
(12,1) &reply:Reply-Message !* ANY
(12,1) } # update reply (noop)
(12,1) } # if (&reply:EAP-Message && &reply:Reply-Message) (noop)
(12,1) else {
(12,1) ... skipping else for request 12: Preceding "if" was taken
(12,1) }
(12,1) } # remove_reply_message_if_eap (noop)
(12,1) } # post-auth (ok)
(12,1) Sent Access-Accept Id 88 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(12,1) MS-MPPE-Recv-Key = 0xc2b1108d6edcbaab7acbc6cb02381f392e459fecfbd849f9ec05ed541dcbd8ec
(12,1) MS-MPPE-Send-Key = 0x71011003ab851c697e371755227994e8ab1ff5a15b2a5e4433273ac6b71b363e
(12,1) EAP-Message = 0x030c0004
(12,1) Message-Authenticator = 0x00000000000000000000000000000000
(12,1) Finished request
Waking up in 4.8 seconds.
^CWaking up in 3.1 seconds.
2
1
25 Nov '16
Hello Everybody,
I have read on several blogs and also on this mailing list about problems
with NAS in deployments. Problems applying such important attributes as to
end sessions or prevent multiple sessions. I had in mind to buy a Linksys
WRT but I have dedicated to investigate what would be the best device for
my wireless implementation with FreeRadius. But I want to know from the
mouth of the experts ... Which device have tried and has worked for the
best?
100% or at least 95% compatible with this.
THANKS IN ADVANCE!
Jose Quezada
2
1