Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
March 2016
- 80 participants
- 118 discussions
Re: RadPerf '-A delay,lifetime' arg does not copy the 'Calling-Station-Id' from Accept-Request
by Jim 03 Mar '16
by Jim 03 Mar '16
03 Mar '16
Thank you very much.
On 2016-03-03 15:24, freeradius-users-request(a)lists.freeradius.org
wrote:
> Send Freeradius-Users mailing list submissions to
> freeradius-users(a)lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users [1]
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request(a)lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner(a)lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
> Today's Topics:
>
> 1. Re: RadPerf '-A delay, lifetime' arg does not copy the
> 'Calling-Station-Id' from Accept-Request (Alan DeKok)
> 2. linelog problem (Maja Wolniewicz)
> 3. Stripping prefix with unlang (Bernd)
> 4. Re: Stripping prefix with unlang (Herwin Weststrate)
> 5. Re: Stripping prefix with unlang (Alan DeKok)
> 6. Re: linelog problem (Alan DeKok)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 3 Mar 2016 08:17:24 -0500
> From: Alan DeKok <aland(a)deployingradius.com>
> To: jbaltero(a)gmail.com, FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: RadPerf '-A delay, lifetime' arg does not copy the
> 'Calling-Station-Id' from Accept-Request
> Message-ID: <D0CC71E0-6386-4864-A2A4-865E115DC78A(a)deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Mar 2, 2016, at 11:24 PM, Jim <jbalatero(a)visp.net> wrote:
>
>> As you can see on the Accounting-Request, there's no
>> Calling-Station-Id. How do I get it to be included on the Accounting
>> Packet?
>
> We'll see if we can get a new version of radperf out soon to fix this.
>
> Alan DeKok.
>
> ------------------------------
>
> Message: 2
> Date: Thu, 3 Mar 2016 14:28:45 +0100
> From: Maja Wolniewicz <mgw(a)umk.pl>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: linelog problem
> Message-ID: <56D83C0D.5070709(a)umk.pl>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> We are running freeradius 3.0.11 on CentOS 6.7.
> Recently we experienced a few radius process hangs - it didn't handle
> any request and in the log
> appeared only a lot of:
>
> Thu Mar 3 08:48:24 2016 : Error: (187540) Ignoring duplicate packet
> from client CM port 1814 - ID: 118 due to unfinished request in
> component post-auth module eduroam_log
> Thu Mar 3 08:48:33 2016 : Error: (187814) Ignoring duplicate packet
> from client CM port 1814 - ID: 152 due to unfinished request in
> component <core> module <queue>
>
> Our investigation showed that these problems start after requests
> containing a "strange" username
> Wed Mar 2 08:01:52 2016 : Auth: (127068) Login incorrect: [юз] (from
> client AP-UMK port 20526 cli 88-A7-3C-DB-35-02)
> Thu Mar 3 08:48:14 2016 : Auth: (187534) Login incorrect: [በᑱ] (from
> client AP-SPEC port 36865 cli 24-0A-64-1F-C1-D3)
> Thu Mar 3 09:38:19 2016 : Auth: (53871) Login incorrect: [юз] (from
> client AP-UMK port 20613 cli 88-A7-3C-DB-35-02)
>
> It turned out that it is caused by linelog module. After we removed
> %{User-Name} from this line
>
> Access-Reject = "%S
> eduroam-auth#ORG=%{request:Realm}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown
> Caller Id}#NAS=%{%{request:NAS-IP-Address}:-No NAS
> IP}#CUI=%{%{reply:Chargeable-User-Identity}:-Unknown}#MSG=%{%{reply:Reply-Message}:-No
> Failure Reason}#RESULT=FAIL#"
>
> the problem disappeared and strange usernames are handled smoothly.
>
> It looks like a linelog bug.
>
> Maja
>
> --
> Maja Gorecka-Wolniewicz mgw(a)umk.pl
> Uczelniane Centrum Information & Communication
> Informatyczne Technology Centre
> Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University
> Coll. Maximum, pl. Rapackiego 1, 87-100 Torun, Poland
> tel.: +48 56-611-27-40 fax: +48 56-622-18-50 tel. kom.: +48-693032574
>
>
1
0
We are running freeradius 3.0.11 on CentOS 6.7.
Recently we experienced a few radius process hangs - it didn't handle
any request and in the log
appeared only a lot of:
Thu Mar 3 08:48:24 2016 : Error: (187540) Ignoring duplicate packet
from client CM port 1814 - ID: 118 due to unfinished request in
component post-auth module eduroam_log
Thu Mar 3 08:48:33 2016 : Error: (187814) Ignoring duplicate packet
from client CM port 1814 - ID: 152 due to unfinished request in
component <core> module <queue>
Our investigation showed that these problems start after requests
containing a "strange" username
Wed Mar 2 08:01:52 2016 : Auth: (127068) Login incorrect: [юз] (from
client AP-UMK port 20526 cli 88-A7-3C-DB-35-02)
Thu Mar 3 08:48:14 2016 : Auth: (187534) Login incorrect: [በᑱ] (from
client AP-SPEC port 36865 cli 24-0A-64-1F-C1-D3)
Thu Mar 3 09:38:19 2016 : Auth: (53871) Login incorrect: [юз] (from
client AP-UMK port 20613 cli 88-A7-3C-DB-35-02)
It turned out that it is caused by linelog module. After we removed
%{User-Name} from this line
Access-Reject = "%S
eduroam-auth#ORG=%{request:Realm}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown
Caller Id}#NAS=%{%{request:NAS-IP-Address}:-No NAS
IP}#CUI=%{%{reply:Chargeable-User-Identity}:-Unknown}#MSG=%{%{reply:Reply-Message}:-No
Failure Reason}#RESULT=FAIL#"
the problem disappeared and strange usernames are handled smoothly.
It looks like a linelog bug.
Maja
--
Maja Gorecka-Wolniewicz mgw(a)umk.pl
Uczelniane Centrum Information & Communication
Informatyczne Technology Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University
Coll. Maximum, pl. Rapackiego 1, 87-100 Torun, Poland
tel.: +48 56-611-27-40 fax: +48 56-622-18-50 tel. kom.: +48-693032574
2
1
RadPerf '-A delay,lifetime' arg does not copy the 'Calling-Station-Id' from Accept-Request
by Jim 03 Mar '16
by Jim 03 Mar '16
03 Mar '16
This is my Access-Request packet:
Calling-Station-Id = 'DD:F2:42:8A:DF:6D'
Mikrotik-Realm = 'betacleversoft.net'
User-Name = 'nflamel'
User-Password = 'weWE122123'
NAS-Port = 0
And the Accounting-Request:
User-Name = 'nflamel'
NAS-Port = 0
Acct-Status-Type := Start
Acct-Session-Id := '0000e88b968f'
Acct-Input-Octets := 0
Acct-Output-Octets := 0
FreeRADIUS-Acct-Session-Start-Time = 'Mar 3 2016 04:22:04 UTC'
As you can see on the Accounting-Request, there's no Calling-Station-Id.
How do I get it to be included on the Accounting Packet?
Thanks.
3
3
I'm trying to allow unmetered content over my network. Just shy of 1000 users.
I'm looking to use freeradius for this, and want to know if/how it's possible.
I don't think it's possible/under the purview of freeradius itself to distinguish between metered and unmetered traffic, I can have it done by another device and just come in on different physical ports on the machine.
My first thoughts are having freeradius virtual servers defined. I can have the unmetered and metered traffic come in on different physical ports with separate IPs.
The first port takes the metered content and authentication to one virtual server.
The second port takes the unmetered content, with authentication proxied to the other virtual server.
Then I'd measure data usage for both metered/unmetered networks by looking into each of the accounting tables for the virtual servers.
Is this how it would work? How else could it be done? Are there any how-tos?
Joshua C
2
5
I found my last outstanding bug before I deploy my configuration and it's
got me stumped.
When a Proxy server is down I would like to choose between sending a reject
or not sending a response at all.
Is there a way that do_not_respond will be honored on 3.0.11 is a
post-proxy failure situation?
I've tried various ways to have either do_not_respond or
update control {
&Response-Packet-Type := Do-Not-Respond
}
But there doesn't seem to be a way to disable the reject and not respond at
all when the Proxy fails.
Marking home server 222.222.222.1 port 1812 as zombie (it has not responded
in 1.000000 seconds).
(0) ERROR: Failing proxied request for user "peter", due to lack of any
response from home server 222.222.222.1 port 1812
(0) Clearing existing &reply: attributes
(0) Found Post-Proxy-Type Fail-Authentication
(0) # Executing group from file ./sites-enabled/default
(0) Post-Proxy-Type Fail-Authentication {
(0) policy do_not_respond {
(0) update control {
(0) &Response-Packet-Type := Do-Not-Respond
(0) } # update control = noop
(0) [handled] = handled
(0) } # policy do_not_respond = handled
(0) } # Post-Proxy-Type Fail-Authentication = handled
(0) There was no response configured: rejecting request
(0) Using Post-Auth-Type Reject
(0) # Executing group from file ./sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) if (&control:Proxy-To-Realm) {
(0) if (&control:Proxy-To-Realm) -> TRUE
(0) if (&control:Proxy-To-Realm) {
(0) update control {
(0) &Response-Packet-Type := Do-Not-Respond
(0) } # update control = noop
(0) } # if (&control:Proxy-To-Realm) = noop
(0) } # Post-Auth-Type REJECT = noop
(0) Sent Access-Reject Id 64 from 127.0.0.1:1812 to 127.0.0.1:40320 length 0
(0) Finished request
do_not_respond works fine for non-proxied requests, but I can't see how to
make it work for proxied requests when the proxy server fails to respond.
2
2
Hi Everyone,
We are using Freeradius + MYSQL. We are writing NAS information into MYSQL.
We are writing radheck information into MYSQL.
My question is, Can I make a different NAS device authorization for
different users? So,
For example, Username "Mike" and we have NAS device Cisco ASA Firewall.
Cisco only give approval for user "Mike". But do not allow the user to
David.
FreeRADIUS + MYSQ do that? Did it support this FreeRadius?
How can I do that?
Thank you.
Regards.
--
Adem DARGÜNER
Network Engineer
1
0
In our EAP-PEAP sessions, the typical conversation length is 10 packets.
We have TLS caching enabled, but I noticed the TLS cache is populated
during packet 4, which is before processing has started on the tunneled
authentication.
Is it possible to force an update of the cache entry from the
inner-tunnel server e.g. to add attributes that are only available at
this stage? I attempted to call an update by doing this in the
inner-tunnel server:
update control {
Cache-TTL := 0
}
cache_tls_session
This caused authentications to fail with "cache_tls_session (fail)" and
no further information is given. Is it possible to do this?
Thanks,
Jonathan
3
11
Hi,
When using FreeRADIUS v3.1 Windows devices fail to authenticate using PEAP. Other OS work fine but Windows fails. If I use a client cert and EAP-TLS windows succeeds.
It appears the Windows devices stop responding after the establishment of the PEAP tunnel. Can anyone point out where I am going wrong:
Ready to process requests
(0) - Received Access-Request Id 248 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 316
(0) - User-Name = "anon(a)lboro.ac.uk"
(0) - Chargeable-User-Identity = 0x00
(0) - Location-Capable = Civix-Location
(0) - Calling-Station-Id = "18-cf-5e-12-75-c1"
(0) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree"
(0) - NAS-Port = 13
(0) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b"
(0) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789"
(0) - NAS-IP-Address = 10.53.253.14
(0) - NAS-IPv6-Address = 2001:630:301:9101::14
(0) - NAS-Identifier = "wism-sport-park-3"
(0) - Airespace-Wlan-Id = 3
(0) - Service-Type = Framed-User
(0) - Framed-MTU = 1300
(0) - NAS-Port-Type = Wireless-802.11
(0) - Tunnel-Type:0 = VLAN
(0) - Tunnel-Medium-Type:0 = IEEE-802
(0) - Tunnel-Private-Group-Id:0 = "1112"
(0) - EAP-Message = 0x0202001501616e6f6e406c626f726f2e61632e756b
(0) - Message-Authenticator = 0x382df2f62c354bece72daa54ee2d5945
(0) - Running section authorize from file /etc/raddb/sites-enabled/lboro
(0) - authorize {
(0) - nagios_check {
(0) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") {
(0) - ...
(0) - }
(0) - } # nagios_check (notfound)
(0) - wism_check {
(0) - if (User-Name =~ /wism-check/ ) {
(0) - ...
(0) - }
(0) - } # wism_check (notfound)
(0) - filter_duff_realms {
(0) - if (User-Name =~ /\\.ax\\.uk$/i ) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /\\.sc\\.uk$/i ) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /\\.ac\\.u$/i ) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /lboro$/i ) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /3gppnetwork\\.org$/i) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /myabc\\.com$/i) {
(0) - ...
(0) - }
(0) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) {
(0) - ...
(0) - }
(0) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) {
(0) - ...
(0) - }
(0) - } # filter_duff_realms (notfound)
(0) - filter_username {
(0) - if (!&User-Name) {
(0) - ...
(0) - }
(0) - if (&User-Name =~ / /) {
(0) - ...
(0) - }
(0) - if (&User-Name =~ /@.*@/ ) {
(0) - ...
(0) - }
(0) - if (&User-Name =~ /\.\./ ) {
(0) - ...
(0) - }
(0) - if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) - ...
(0) - }
(0) - if (&User-Name =~ /\.$/) {
(0) - ...
(0) - }
(0) - if (&User-Name =~ /(a)\./) {
(0) - ...
(0) - }
(0) - } # filter_username (notfound)
(0) preprocess (ok)
(0) operator-name.authorize {
(0) if ("%{client:Operator-Name}") {
(0) EXPAND %{client:Operator-Name}
(0) -->
(0) ...
(0) }
(0) } # operator-name.authorize (ok)
(0) cui.authorize {
(0) if ("%{client:add_cui}" == 'yes') {
(0) EXPAND %{client:add_cui}
(0) --> yes
(0) update request {
(0) &Chargeable-User-Identity := 0x00
(0) } # update request (noop)
(0) } # if ("%{client:add_cui}" == 'yes') (noop)
(0) } # cui.authorize (noop)
(0) suffix - Checking for suffix after "@"
(0) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon(a)lboro.ac.uk"
(0) suffix - Found realm "lboro.ac.uk"
(0) suffix - Adding Stripped-User-Name = "anon"
(0) suffix - Adding Realm = "lboro.ac.uk"
(0) suffix - Authentication realm is LOCAL
(0) suffix (ok)
(0) ntdomain - Request already has destination realm set. Ignoring
(0) ntdomain (noop)
(0) if ( Called-Station-Id =~ /:eduroam$/ ) {
(0) ...
(0) }
(0) elsif ( Called-Station-Id =~ /.*:YST$/ ) {
(0) ...
(0) }
(0) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) {
(0) EXPAND %{client:group}
(0) --> wireless
(0) ...
(0) }
(0) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) {
(0) ...
(0) }
(0) elsif (User-Name =~ /\(a)ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) {
(0) ...
(0) }
(0) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) {
(0) ...
(0) }
(0) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) {
(0) ...
(0) }
(0) elsif ( Realm == "lsu.co.uk" ) {
(0) ...
(0) }
(0) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
(0) ...
(0) }
(0) else {
(0) update request {
(0) &Realm := local
(0) } # update request (noop)
(0) } # else (noop)
(0) eap - Peer sent EAP Response (code 2) ID 2 length 21
(0) eap - Peer sent EAP-Identity. Returning 'ok' so we can short-circuit the rest of authorize
(0) eap (ok)
(0) } # authorize (ok)
(0) Using 'Auth-Type = eap' for authenticate {...}
(0) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro
(0) authenticate {
(0) eap - Peer sent packet with EAP method Identity (1)
(0) eap - Calling submodule eap_tls to process data
(0) eap_tls - Initiating new EAP-TLS session
(0) eap_tls - Setting verify mode to require certificate from client
(0) eap - Sending EAP Request (code 1) ID 3 length 6
(0) eap (handled)
(0) } # authenticate (handled)
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro
(0) Sent Access-Challenge Id 248 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0
(0) EAP-Message = 0x010300060d20
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x01015100148ca6ec523c504e518c74e2
(0) Finished request
Waking up in 1.9 seconds.
(1) - Received Access-Request Id 249 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 319
(1) - User-Name = "anon(a)lboro.ac.uk"
(1) - Chargeable-User-Identity = 0x00
(1) - Location-Capable = Civix-Location
(1) - Calling-Station-Id = "18-cf-5e-12-75-c1"
(1) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree"
(1) - NAS-Port = 13
(1) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b"
(1) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789"
(1) - NAS-IP-Address = 10.53.253.14
(1) - NAS-IPv6-Address = 2001:630:301:9101::14
(1) - NAS-Identifier = "wism-sport-park-3"
(1) - Airespace-Wlan-Id = 3
(1) - Service-Type = Framed-User
(1) - Framed-MTU = 1300
(1) - NAS-Port-Type = Wireless-802.11
(1) - Tunnel-Type:0 = VLAN
(1) - Tunnel-Medium-Type:0 = IEEE-802
(1) - Tunnel-Private-Group-Id:0 = "1112"
(1) - EAP-Message = 0x020300060319
(1) - State = 0x01015100148ca6ec523c504e518c74e2
(1) - Message-Authenticator = 0x87079937708aa02274b90e7892aa4815
(1) - Running section authorize from file /etc/raddb/sites-enabled/lboro
(1) - authorize {
(1) - nagios_check {
(1) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") {
(1) - ...
(1) - }
(1) - } # nagios_check (notfound)
(1) - wism_check {
(1) - if (User-Name =~ /wism-check/ ) {
(1) - ...
(1) - }
(1) - } # wism_check (notfound)
(1) - filter_duff_realms {
(1) - if (User-Name =~ /\\.ax\\.uk$/i ) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /\\.sc\\.uk$/i ) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /\\.ac\\.u$/i ) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /lboro$/i ) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /3gppnetwork\\.org$/i) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /myabc\\.com$/i) {
(1) - ...
(1) - }
(1) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) {
(1) - ...
(1) - }
(1) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) {
(1) - ...
(1) - }
(1) - } # filter_duff_realms (notfound)
(1) - filter_username {
(1) - if (!&User-Name) {
(1) - ...
(1) - }
(1) - if (&User-Name =~ / /) {
(1) - ...
(1) - }
(1) - if (&User-Name =~ /@.*@/ ) {
(1) - ...
(1) - }
(1) - if (&User-Name =~ /\.\./ ) {
(1) - ...
(1) - }
(1) - if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) - ...
(1) - }
(1) - if (&User-Name =~ /\.$/) {
(1) - ...
(1) - }
(1) - if (&User-Name =~ /(a)\./) {
(1) - ...
(1) - }
(1) - } # filter_username (notfound)
(1) preprocess (ok)
(1) operator-name.authorize {
(1) if ("%{client:Operator-Name}") {
(1) EXPAND %{client:Operator-Name}
(1) -->
(1) ...
(1) }
(1) } # operator-name.authorize (ok)
(1) cui.authorize {
(1) if ("%{client:add_cui}" == 'yes') {
(1) EXPAND %{client:add_cui}
(1) --> yes
(1) update request {
(1) &Chargeable-User-Identity := 0x00
(1) } # update request (noop)
(1) } # if ("%{client:add_cui}" == 'yes') (noop)
(1) } # cui.authorize (noop)
(1) suffix - Checking for suffix after "@"
(1) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon(a)lboro.ac.uk"
(1) suffix - Found realm "lboro.ac.uk"
(1) suffix - Adding Stripped-User-Name = "anon"
(1) suffix - Adding Realm = "lboro.ac.uk"
(1) suffix - Authentication realm is LOCAL
(1) suffix (ok)
(1) ntdomain - Request already has destination realm set. Ignoring
(1) ntdomain (noop)
(1) if ( Called-Station-Id =~ /:eduroam$/ ) {
(1) ...
(1) }
(1) elsif ( Called-Station-Id =~ /.*:YST$/ ) {
(1) ...
(1) }
(1) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) {
(1) EXPAND %{client:group}
(1) --> wireless
(1) ...
(1) }
(1) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) {
(1) ...
(1) }
(1) elsif (User-Name =~ /\(a)ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) {
(1) ...
(1) }
(1) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) {
(1) ...
(1) }
(1) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) {
(1) ...
(1) }
(1) elsif ( Realm == "lsu.co.uk" ) {
(1) ...
(1) }
(1) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
(1) ...
(1) }
(1) else {
(1) update request {
(1) &Realm := local
(1) } # update request (noop)
(1) } # else (noop)
(1) eap - Peer sent EAP Response (code 2) ID 3 length 6
(1) eap - Continuing on-going EAP conversation
(1) eap (updated)
(1) if (Realm != "SportPark") {
(1) files (noop)
(1) } # if (Realm != "SportPark") (noop)
(1) } # authorize (updated)
(1) Using 'Auth-Type = eap' for authenticate {...}
(1) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro
(1) authenticate {
(1) eap - Peer sent packet with EAP method NAK (3)
(1) eap - Found mutually acceptable type PEAP (25)
(1) eap - Calling submodule eap_peap to process data
(1) eap_peap - Initiating new EAP-TLS session
(1) eap - Sending EAP Request (code 1) ID 4 length 6
(1) eap (handled)
(1) } # authenticate (handled)
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro
(1) Sent Access-Challenge Id 249 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0
(1) EAP-Message = 0x010400061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x020351002306bedc523c504e518c74e2
(1) Finished request
Waking up in 1.9 seconds.
(2) - Received Access-Request Id 250 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 491
(2) - User-Name = "anon(a)lboro.ac.uk"
(2) - Chargeable-User-Identity = 0x00
(2) - Location-Capable = Civix-Location
(2) - Calling-Station-Id = "18-cf-5e-12-75-c1"
(2) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree"
(2) - NAS-Port = 13
(2) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b"
(2) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789"
(2) - NAS-IP-Address = 10.53.253.14
(2) - NAS-IPv6-Address = 2001:630:301:9101::14
(2) - NAS-Identifier = "wism-sport-park-3"
(2) - Airespace-Wlan-Id = 3
(2) - Service-Type = Framed-User
(2) - Framed-MTU = 1300
(2) - NAS-Port-Type = Wireless-802.11
(2) - Tunnel-Type:0 = VLAN
(2) - Tunnel-Medium-Type:0 = IEEE-802
(2) - Tunnel-Private-Group-Id:0 = "1112"
(2) - EAP-Message = 0x020400b21980000000a816030300a30100009f030356d5a1d0b73b3ce7f8e814cc7bd174c70898c308769ae5cbf3b0a4fbd0895733000038c02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a006a0040003800320013000500040100003e000500
(2) - State = 0x020351002306bedc523c504e518c74e2
(2) - Message-Authenticator = 0x25df502901ee50b3554970e162bd935e
(2) - Running section authorize from file /etc/raddb/sites-enabled/lboro
(2) - authorize {
(2) - nagios_check {
(2) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") {
(2) - ...
(2) - }
(2) - } # nagios_check (notfound)
(2) - wism_check {
(2) - if (User-Name =~ /wism-check/ ) {
(2) - ...
(2) - }
(2) - } # wism_check (notfound)
(2) - filter_duff_realms {
(2) - if (User-Name =~ /\\.ax\\.uk$/i ) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /\\.sc\\.uk$/i ) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /\\.ac\\.u$/i ) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /lboro$/i ) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /3gppnetwork\\.org$/i) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /myabc\\.com$/i) {
(2) - ...
(2) - }
(2) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) {
(2) - ...
(2) - }
(2) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) {
(2) - ...
(2) - }
(2) - } # filter_duff_realms (notfound)
(2) - filter_username {
(2) - if (!&User-Name) {
(2) - ...
(2) - }
(2) - if (&User-Name =~ / /) {
(2) - ...
(2) - }
(2) - if (&User-Name =~ /@.*@/ ) {
(2) - ...
(2) - }
(2) - if (&User-Name =~ /\.\./ ) {
(2) - ...
(2) - }
(2) - if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) - ...
(2) - }
(2) - if (&User-Name =~ /\.$/) {
(2) - ...
(2) - }
(2) - if (&User-Name =~ /(a)\./) {
(2) - ...
(2) - }
(2) - } # filter_username (notfound)
(2) preprocess (ok)
(2) operator-name.authorize {
(2) if ("%{client:Operator-Name}") {
(2) EXPAND %{client:Operator-Name}
(2) -->
(2) ...
(2) }
(2) } # operator-name.authorize (ok)
(2) cui.authorize {
(2) if ("%{client:add_cui}" == 'yes') {
(2) EXPAND %{client:add_cui}
(2) --> yes
(2) update request {
(2) &Chargeable-User-Identity := 0x00
(2) } # update request (noop)
(2) } # if ("%{client:add_cui}" == 'yes') (noop)
(2) } # cui.authorize (noop)
(2) suffix - Checking for suffix after "@"
(2) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon(a)lboro.ac.uk"
(2) suffix - Found realm "lboro.ac.uk"
(2) suffix - Adding Stripped-User-Name = "anon"
(2) suffix - Adding Realm = "lboro.ac.uk"
(2) suffix - Authentication realm is LOCAL
(2) suffix (ok)
(2) ntdomain - Request already has destination realm set. Ignoring
(2) ntdomain (noop)
(2) if ( Called-Station-Id =~ /:eduroam$/ ) {
(2) ...
(2) }
(2) elsif ( Called-Station-Id =~ /.*:YST$/ ) {
(2) ...
(2) }
(2) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) {
(2) EXPAND %{client:group}
(2) --> wireless
(2) ...
(2) }
(2) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) {
(2) ...
(2) }
(2) elsif (User-Name =~ /\(a)ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) {
(2) ...
(2) }
(2) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) {
(2) ...
(2) }
(2) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) {
(2) ...
(2) }
(2) elsif ( Realm == "lsu.co.uk" ) {
(2) ...
(2) }
(2) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
(2) ...
(2) }
(2) else {
(2) update request {
(2) &Realm := local
(2) } # update request (noop)
(2) } # else (noop)
(2) eap - Peer sent EAP Response (code 2) ID 4 length 178
(2) eap - Continuing tunnel setup
(2) eap (ok)
(2) } # authorize (ok)
(2) Using 'Auth-Type = eap' for authenticate {...}
(2) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro
(2) authenticate {
(2) eap - Peer sent packet with EAP method PEAP (25)
(2) eap - Calling submodule eap_peap to process data
(2) eap_peap - Continuing EAP-TLS
(2) eap_peap - Peer indicated complete TLS record size will be 168 bytes
(2) eap_peap - Got complete TLS record, with length field (168 bytes)
(2) eap_peap - [eap-tls verify] = ok
(2) eap_peap - before/accept initialization
(2) eap_peap - TLS Accept: before/accept initialization
(2) eap_peap - <<< recv handshake [length 163], client_hello
(2) eap_peap - TLS Accept: SSLv3 read client hello A
(2) eap_peap - >>> send handshake [length 89], server_hello
(2) eap_peap - TLS Accept: SSLv3 write server hello A
(2) eap_peap - >>> send handshake [length 2457], certificate
(2) eap_peap - TLS Accept: SSLv3 write certificate A
(2) eap_peap - >>> send handshake [length 331], server_key_exchange
(2) eap_peap - TLS Accept: SSLv3 write key exchange A
(2) eap_peap - >>> send handshake [length 4], server_hello_done
(2) eap_peap - TLS Accept: SSLv3 write server done A
(2) eap_peap - TLS Accept: SSLv3 flush data
(2) eap_peap - TLS Accept: Need to read more data: SSLv3 read client certificate A
(2) eap_peap - TLS Accept: Need to read more data: SSLv3 read client certificate A
(2) eap_peap - In TLS handshake phase
(2) eap_peap - In TLS accept mode
(2) eap_peap - Complete TLS record (2901 bytes) larger than MTU (990 bytes), will fragment
(2) eap_peap - Sending first TLS record fragment (990 bytes), 1911 bytes remaining
(2) eap_peap - [eap-tls process] = handled
(2) eap - Sending EAP Request (code 1) ID 5 length 1000
(2) eap (handled)
(2) } # authenticate (handled)
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro
(2) Sent Access-Challenge Id 250 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0
(2) EAP-Message = 0x010503e819c000000b55160302005902000055030256d5a18b0261059d716b941222cf3855ea00c34b5e728dc7be087afa7d75606d2076d5549bfc2e548e73d1176bbe9daa36dc0d0a1d16dc467e8a51b4989a04fd65c01400000dff01000100000b00040300010216030209990b000995000992000427
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x03015100148ca6ec523c504e518c74e2
(2) Finished request
Waking up in 1.9 seconds.
(3) - Received Access-Request Id 251 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 319
(3) - User-Name = "anon(a)lboro.ac.uk"
(3) - Chargeable-User-Identity = 0x00
(3) - Location-Capable = Civix-Location
(3) - Calling-Station-Id = "18-cf-5e-12-75-c1"
(3) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree"
(3) - NAS-Port = 13
(3) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b"
(3) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789"
(3) - NAS-IP-Address = 10.53.253.14
(3) - NAS-IPv6-Address = 2001:630:301:9101::14
(3) - NAS-Identifier = "wism-sport-park-3"
(3) - Airespace-Wlan-Id = 3
(3) - Service-Type = Framed-User
(3) - Framed-MTU = 1300
(3) - NAS-Port-Type = Wireless-802.11
(3) - Tunnel-Type:0 = VLAN
(3) - Tunnel-Medium-Type:0 = IEEE-802
(3) - Tunnel-Private-Group-Id:0 = "1112"
(3) - EAP-Message = 0x020500061900
(3) - State = 0x03015100148ca6ec523c504e518c74e2
(3) - Message-Authenticator = 0xc2308e039d2d27171a1a80d5fa914f3e
(3) - Running section authorize from file /etc/raddb/sites-enabled/lboro
(3) - authorize {
(3) - nagios_check {
(3) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") {
(3) - ...
(3) - }
(3) - } # nagios_check (notfound)
(3) - wism_check {
(3) - if (User-Name =~ /wism-check/ ) {
(3) - ...
(3) - }
(3) - } # wism_check (notfound)
(3) - filter_duff_realms {
(3) - if (User-Name =~ /\\.ax\\.uk$/i ) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /\\.sc\\.uk$/i ) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /\\.ac\\.u$/i ) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /lboro$/i ) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /3gppnetwork\\.org$/i) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /myabc\\.com$/i) {
(3) - ...
(3) - }
(3) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) {
(3) - ...
(3) - }
(3) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) {
(3) - ...
(3) - }
(3) - } # filter_duff_realms (notfound)
(3) - filter_username {
(3) - if (!&User-Name) {
(3) - ...
(3) - }
(3) - if (&User-Name =~ / /) {
(3) - ...
(3) - }
(3) - if (&User-Name =~ /@.*@/ ) {
(3) - ...
(3) - }
(3) - if (&User-Name =~ /\.\./ ) {
(3) - ...
(3) - }
(3) - if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) - ...
(3) - }
(3) - if (&User-Name =~ /\.$/) {
(3) - ...
(3) - }
(3) - if (&User-Name =~ /(a)\./) {
(3) - ...
(3) - }
(3) - } # filter_username (notfound)
(3) preprocess (ok)
(3) operator-name.authorize {
(3) if ("%{client:Operator-Name}") {
(3) EXPAND %{client:Operator-Name}
(3) -->
(3) ...
(3) }
(3) } # operator-name.authorize (ok)
(3) cui.authorize {
(3) if ("%{client:add_cui}" == 'yes') {
(3) EXPAND %{client:add_cui}
(3) --> yes
(3) update request {
(3) &Chargeable-User-Identity := 0x00
(3) } # update request (noop)
(3) } # if ("%{client:add_cui}" == 'yes') (noop)
(3) } # cui.authorize (noop)
(3) suffix - Checking for suffix after "@"
(3) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon(a)lboro.ac.uk"
(3) suffix - Found realm "lboro.ac.uk"
(3) suffix - Adding Stripped-User-Name = "anon"
(3) suffix - Adding Realm = "lboro.ac.uk"
(3) suffix - Authentication realm is LOCAL
(3) suffix (ok)
(3) ntdomain - Request already has destination realm set. Ignoring
(3) ntdomain (noop)
(3) if ( Called-Station-Id =~ /:eduroam$/ ) {
(3) ...
(3) }
(3) elsif ( Called-Station-Id =~ /.*:YST$/ ) {
(3) ...
(3) }
(3) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) {
(3) EXPAND %{client:group}
(3) --> wireless
(3) ...
(3) }
(3) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) {
(3) ...
(3) }
(3) elsif (User-Name =~ /\(a)ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) {
(3) ...
(3) }
(3) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) {
(3) ...
(3) }
(3) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) {
(3) ...
(3) }
(3) elsif ( Realm == "lsu.co.uk" ) {
(3) ...
(3) }
(3) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
(3) ...
(3) }
(3) else {
(3) update request {
(3) &Realm := local
(3) } # update request (noop)
(3) } # else (noop)
(3) eap - Peer sent EAP Response (code 2) ID 5 length 6
(3) eap - Continuing tunnel setup
(3) eap (ok)
(3) } # authorize (ok)
(3) Using 'Auth-Type = eap' for authenticate {...}
(3) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro
(3) authenticate {
(3) eap - Peer sent packet with EAP method PEAP (25)
(3) eap - Calling submodule eap_peap to process data
(3) eap_peap - Continuing EAP-TLS
(3) eap_peap - Peer ACKed our handshake fragment
(3) eap_peap - [eap-tls verify] = request
(3) eap_peap - Sending additional TLS record fragment (994 bytes), 917 bytes remaining
(3) eap_peap - [eap-tls process] = handled
(3) eap - Sending EAP Request (code 1) ID 6 length 1000
(3) eap (handled)
(3) } # authenticate (handled)
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro
(3) Sent Access-Challenge Id 251 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0
(3) EAP-Message = 0x010603e81940c11f90d2b74ee65a1109bc0009cc59bb16b11c4d981df09929ef3b97d4d9c5040db5321c087b14c214be61a7ff6eb953828ff106bb4180f20d7ba5a7781ef72b286dbe7d9b98dd2c43a67d4e87108d1d22a3253b103f2b5daf5115457e670fcc117461e793aef0eb01f72340aa8042b007
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x040751002306bedc523c504e518c74e2
(3) Finished request
Waking up in 1.9 seconds.
(4) - Received Access-Request Id 252 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 319
(4) - User-Name = "anon(a)lboro.ac.uk"
(4) - Chargeable-User-Identity = 0x00
(4) - Location-Capable = Civix-Location
(4) - Calling-Station-Id = "18-cf-5e-12-75-c1"
(4) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree"
(4) - NAS-Port = 13
(4) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b"
(4) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789"
(4) - NAS-IP-Address = 10.53.253.14
(4) - NAS-IPv6-Address = 2001:630:301:9101::14
(4) - NAS-Identifier = "wism-sport-park-3"
(4) - Airespace-Wlan-Id = 3
(4) - Service-Type = Framed-User
(4) - Framed-MTU = 1300
(4) - NAS-Port-Type = Wireless-802.11
(4) - Tunnel-Type:0 = VLAN
(4) - Tunnel-Medium-Type:0 = IEEE-802
(4) - Tunnel-Private-Group-Id:0 = "1112"
(4) - EAP-Message = 0x020600061900
(4) - State = 0x040751002306bedc523c504e518c74e2
(4) - Message-Authenticator = 0x9e01e0203a757d408a33b0e6da2d6371
(4) - Running section authorize from file /etc/raddb/sites-enabled/lboro
(4) - authorize {
(4) - nagios_check {
(4) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") {
(4) - ...
(4) - }
(4) - } # nagios_check (notfound)
(4) - wism_check {
(4) - if (User-Name =~ /wism-check/ ) {
(4) - ...
(4) - }
(4) - } # wism_check (notfound)
(4) - filter_duff_realms {
(4) - if (User-Name =~ /\\.ax\\.uk$/i ) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /\\.sc\\.uk$/i ) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /\\.ac\\.u$/i ) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /lboro$/i ) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /3gppnetwork\\.org$/i) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /myabc\\.com$/i) {
(4) - ...
(4) - }
(4) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) {
(4) - ...
(4) - }
(4) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) {
(4) - ...
(4) - }
(4) - } # filter_duff_realms (notfound)
(4) - filter_username {
(4) - if (!&User-Name) {
(4) - ...
(4) - }
(4) - if (&User-Name =~ / /) {
(4) - ...
(4) - }
(4) - if (&User-Name =~ /@.*@/ ) {
(4) - ...
(4) - }
(4) - if (&User-Name =~ /\.\./ ) {
(4) - ...
(4) - }
(4) - if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) - ...
(4) - }
(4) - if (&User-Name =~ /\.$/) {
(4) - ...
(4) - }
(4) - if (&User-Name =~ /(a)\./) {
(4) - ...
(4) - }
(4) - } # filter_username (notfound)
(4) preprocess (ok)
(4) operator-name.authorize {
(4) if ("%{client:Operator-Name}") {
(4) EXPAND %{client:Operator-Name}
(4) -->
(4) ...
(4) }
(4) } # operator-name.authorize (ok)
(4) cui.authorize {
(4) if ("%{client:add_cui}" == 'yes') {
(4) EXPAND %{client:add_cui}
(4) --> yes
(4) update request {
(4) &Chargeable-User-Identity := 0x00
(4) } # update request (noop)
(4) } # if ("%{client:add_cui}" == 'yes') (noop)
(4) } # cui.authorize (noop)
(4) suffix - Checking for suffix after "@"
(4) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon(a)lboro.ac.uk"
(4) suffix - Found realm "lboro.ac.uk"
(4) suffix - Adding Stripped-User-Name = "anon"
(4) suffix - Adding Realm = "lboro.ac.uk"
(4) suffix - Authentication realm is LOCAL
(4) suffix (ok)
(4) ntdomain - Request already has destination realm set. Ignoring
(4) ntdomain (noop)
(4) if ( Called-Station-Id =~ /:eduroam$/ ) {
(4) ...
(4) }
(4) elsif ( Called-Station-Id =~ /.*:YST$/ ) {
(4) ...
(4) }
(4) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) {
(4) EXPAND %{client:group}
(4) --> wireless
(4) ...
(4) }
(4) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) {
(4) ...
(4) }
(4) elsif (User-Name =~ /\(a)ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) {
(4) ...
(4) }
(4) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) {
(4) ...
(4) }
(4) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) {
(4) ...
(4) }
(4) elsif ( Realm == "lsu.co.uk" ) {
(4) ...
(4) }
(4) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
(4) ...
(4) }
(4) else {
(4) update request {
(4) &Realm := local
(4) } # update request (noop)
(4) } # else (noop)
(4) eap - Peer sent EAP Response (code 2) ID 6 length 6
(4) eap - Continuing tunnel setup
(4) eap (ok)
(4) } # authorize (ok)
(4) Using 'Auth-Type = eap' for authenticate {...}
(4) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro
(4) authenticate {
(4) eap - Peer sent packet with EAP method PEAP (25)
(4) eap - Calling submodule eap_peap to process data
(4) eap_peap - Continuing EAP-TLS
(4) eap_peap - Peer ACKed our handshake fragment
(4) eap_peap - [eap-tls verify] = request
(4) eap_peap - Sending final TLS record fragment (917 bytes)
(4) eap_peap - [eap-tls process] = handled
(4) eap - Sending EAP Request (code 1) ID 7 length 923
(4) eap (handled)
(4) } # authenticate (handled)
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro
(4) Sent Access-Challenge Id 252 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0
(4) EAP-Message = 0x0107039b19007d6e67ce70384eded3ef06352db77da33a308201050603551d230481fd3081fa80140cf5aa7d6e67ce70384eded3ef06352db77da33aa181d6a481d33081d0310b3009060355040613024742311730150603550408130e4c65696365737465727368697265311530130603550407130c4c
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x05015100148ca6ec523c504e518c74e2
(4) Finished request
Waking up in 1.9 seconds.
(5) - Received Access-Request Id 253 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 473
(5) - User-Name = "anon(a)lboro.ac.uk"
(5) - Chargeable-User-Identity = 0x00
(5) - Location-Capable = Civix-Location
(5) - Calling-Station-Id = "18-cf-5e-12-75-c1"
(5) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree"
(5) - NAS-Port = 13
(5) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b"
(5) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789"
(5) - NAS-IP-Address = 10.53.253.14
(5) - NAS-IPv6-Address = 2001:630:301:9101::14
(5) - NAS-Identifier = "wism-sport-park-3"
(5) - Airespace-Wlan-Id = 3
(5) - Service-Type = Framed-User
(5) - Framed-MTU = 1300
(5) - NAS-Port-Type = Wireless-802.11
(5) - Tunnel-Type:0 = VLAN
(5) - Tunnel-Medium-Type:0 = IEEE-802
(5) - Tunnel-Private-Group-Id:0 = "1112"
(5) - EAP-Message = 0x020700a01980000000961603020046100000424104a1568ed754dd3f72a95e77cd1df1c55abf297742c6079bb39cdecf1f53cf855797776f56e08eacd682c5125da973f5f90ae119460d913d6b4757b78f288010651403020001011603020040fda3db9fe7afd24c7177fcafd292f1419d55de5910015b
(5) - State = 0x05015100148ca6ec523c504e518c74e2
(5) - Message-Authenticator = 0xe49aaca6ee4e0e1119ed3410ae02cb7d
(5) - Running section authorize from file /etc/raddb/sites-enabled/lboro
(5) - authorize {
(5) - nagios_check {
(5) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") {
(5) - ...
(5) - }
(5) - } # nagios_check (notfound)
(5) - wism_check {
(5) - if (User-Name =~ /wism-check/ ) {
(5) - ...
(5) - }
(5) - } # wism_check (notfound)
(5) - filter_duff_realms {
(5) - if (User-Name =~ /\\.ax\\.uk$/i ) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /\\.sc\\.uk$/i ) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /\\.ac\\.u$/i ) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /lboro$/i ) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /3gppnetwork\\.org$/i) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /myabc\\.com$/i) {
(5) - ...
(5) - }
(5) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) {
(5) - ...
(5) - }
(5) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) {
(5) - ...
(5) - }
(5) - } # filter_duff_realms (notfound)
(5) - filter_username {
(5) - if (!&User-Name) {
(5) - ...
(5) - }
(5) - if (&User-Name =~ / /) {
(5) - ...
(5) - }
(5) - if (&User-Name =~ /@.*@/ ) {
(5) - ...
(5) - }
(5) - if (&User-Name =~ /\.\./ ) {
(5) - ...
(5) - }
(5) - if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) - ...
(5) - }
(5) - if (&User-Name =~ /\.$/) {
(5) - ...
(5) - }
(5) - if (&User-Name =~ /(a)\./) {
(5) - ...
(5) - }
(5) - } # filter_username (notfound)
(5) preprocess (ok)
(5) operator-name.authorize {
(5) if ("%{client:Operator-Name}") {
(5) EXPAND %{client:Operator-Name}
(5) -->
(5) ...
(5) }
(5) } # operator-name.authorize (ok)
(5) cui.authorize {
(5) if ("%{client:add_cui}" == 'yes') {
(5) EXPAND %{client:add_cui}
(5) --> yes
(5) update request {
(5) &Chargeable-User-Identity := 0x00
(5) } # update request (noop)
(5) } # if ("%{client:add_cui}" == 'yes') (noop)
(5) } # cui.authorize (noop)
(5) suffix - Checking for suffix after "@"
(5) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon(a)lboro.ac.uk"
(5) suffix - Found realm "lboro.ac.uk"
(5) suffix - Adding Stripped-User-Name = "anon"
(5) suffix - Adding Realm = "lboro.ac.uk"
(5) suffix - Authentication realm is LOCAL
(5) suffix (ok)
(5) ntdomain - Request already has destination realm set. Ignoring
(5) ntdomain (noop)
(5) if ( Called-Station-Id =~ /:eduroam$/ ) {
(5) ...
(5) }
(5) elsif ( Called-Station-Id =~ /.*:YST$/ ) {
(5) ...
(5) }
(5) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) {
(5) EXPAND %{client:group}
(5) --> wireless
(5) ...
(5) }
(5) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) {
(5) ...
(5) }
(5) elsif (User-Name =~ /\(a)ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) {
(5) ...
(5) }
(5) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) {
(5) ...
(5) }
(5) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) {
(5) ...
(5) }
(5) elsif ( Realm == "lsu.co.uk" ) {
(5) ...
(5) }
(5) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
(5) ...
(5) }
(5) else {
(5) update request {
(5) &Realm := local
(5) } # update request (noop)
(5) } # else (noop)
(5) eap - Peer sent EAP Response (code 2) ID 7 length 160
(5) eap - Continuing tunnel setup
(5) eap (ok)
(5) } # authorize (ok)
(5) Using 'Auth-Type = eap' for authenticate {...}
(5) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro
(5) authenticate {
(5) eap - Peer sent packet with EAP method PEAP (25)
(5) eap - Calling submodule eap_peap to process data
(5) eap_peap - Continuing EAP-TLS
(5) eap_peap - Peer indicated complete TLS record size will be 150 bytes
(5) eap_peap - Got complete TLS record, with length field (150 bytes)
(5) eap_peap - [eap-tls verify] = ok
(5) eap_peap - <<< recv handshake [length 70], client_key_exchange
(5) eap_peap - TLS Accept: SSLv3 read client key exchange A
(5) eap_peap - <<< recv change_cipher_spec [length 1]
(5) eap_peap - <<< recv handshake [length 16], finished
(5) eap_peap - TLS Accept: SSLv3 read finished A
(5) eap_peap - >>> send change_cipher_spec [length 1]
(5) eap_peap - TLS Accept: SSLv3 write change cipher spec A
(5) eap_peap - >>> send handshake [length 16], finished
(5) eap_peap - TLS Accept: SSLv3 write finished A
(5) eap_peap - TLS Accept: SSLv3 flush data
(5) eap_peap - &TLS-Session-Id = 0x76d5549bfc2e548e73d1176bbe9daa36dc0d0a1d16dc467e8a51b4989a04fd65
(5) eap_peap - &config:TLS-Session-Cache-Action = Write
(5) eap_peap - &session-state:TLS-Session-Data = 0x308181020101020203020402c014042076d5549bfc2e548e73d1176bbe9daa36dc0d0a1d16dc467e8a51b4989a04fd650430c180225ce975cca326ffd8557be08a6827c3c8b8f1010231e9160c29a7e8b14285cdd2956228049c70c3494a7d0ed6bda106020456d5a18ba2040202012ca412041046
(5) Running Autz-Type Session-Cache-Write from file /etc/raddb/sites-enabled/tls-cache
(5) Autz-Type Session-Cache-Write {
(5) update control {
(5) &control:Cache-TTL := 0
(5) } # update control (noop)
(5) cache_tls_session - Key "v\325T\233\374.T\216s\321\027k\276\235\2526\334\r\n\035\026\334F~\212Q\264\230\232\004\375e" -> slot 6093
(5) cache_tls_session - Reserved connection (0)
(5) cache_tls_session - [3] >>> Sending command(s) to 158.125.160.61:6379
(5) cache_tls_session - [3] <<< Returned: success
(5) cache_tls_session - Released connection (0)
(5) cache_tls_session - No cache entry found for "v\325T\233\374.T\216s\321\027k\276\235\2526\334\r\n\035\026\334F~\212Q\264\230\232\004\375e"
(5) cache_tls_session - Creating new cache entry
(5) cache_tls_session - &session-state:TLS-Session-Data := &session-state:TLS-Session-Data -> 0x308181020101020203020402c014042076d5549bfc2e548e73d1176bbe9daa36dc0d0a1d16dc467e8a51b4989a04fd650430c180225ce975cca326ffd8557be08a6827c3c8b8f1010231e9160c29a7e8b14285cdd2956228049c70c3494a7d0ed6bda106020456d5a18ba2040202012ca412041046522065617020307832386434353130
(5) cache_tls_session - Key "v\325T\233\374.T\216s\321\027k\276\235\2526\334\r\n\035\026\334F~\212Q\264\230\232\004\375e" -> slot 6093
(5) cache_tls_session - Reserved connection (1)
(5) cache_tls_session - [3] >>> Sending command(s) to 158.125.160.61:6379
(5) cache_tls_session - [3] <<< Returned: success
(5) cache_tls_session - Released connection (1)
(5) cache_tls_session - Committed entry, TTL 3600 seconds
(5) cache_tls_session - Removing &control:Cache-TTL
(5) cache_tls_session (ok)
(5) } # Autz-Type Session-Cache-Write (ok)
(5) eap_peap - SSL negotiation finished successfully
(5) eap_peap - TLS established with cipher suite: ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
(5) eap_peap - Sending complete TLS record (75 bytes)
(5) eap_peap - [eap-tls process] = handled
(5) eap - Sending EAP Request (code 1) ID 8 length 85
(5) eap (handled)
(5) } # authenticate (handled)
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro
(5) Sent Access-Challenge Id 253 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0
(5) EAP-Message = 0x0108005519800000004b1403020001011603020040c4d3afd74b9a05f561d6b102b9650cfbedd82c0fbec9829aedc29f7522df2d1eaf21e1521aee2dbea62ed8ccfd75b59c28289fddff69b2a7b403ed50e789fec1
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x060351002306bedc523c504e518c74e2
(5) Finished request
Waking up in 1.9 seconds.
(6) - Received Accounting-Request Id 72 from 10.51.2.44:1646 to 158.125.161.128:1813 via ens160 length 127
(6) - Acct-Session-Id = "00001ED6"
(6) - Calling-Station-Id = "E8-94-F6-E3-73-EC"
(6) - Acct-Authentic = Local
(6) - Acct-Status-Type = Start
(6) - NAS-Port-Type = Ethernet
(6) - NAS-Port = 50002
(6) - NAS-Port-Id = "FastEthernet0/2"
(6) - Called-Station-Id = "00-1B-8F-1A-17-82"
(6) - Service-Type = Framed-User
(6) - NAS-IP-Address = 10.51.2.44
(6) - Acct-Delay-Time = 20
(6) - Running section preacct from file /etc/raddb/sites-enabled/lboro
(6) - preacct {
(6) preprocess (ok)
(6) acct_counters64.preacct {
(6) update request {
(6) EXPAND %{expr:(&Acct-Input-Gigawords << 32) | &Acct-Input-Octets}
(6) WARNING: Can't find &Acct-Input-Gigawords. Using 0 as operand value
(6) WARNING: Can't find &Acct-Input-Octets. Using 0 as operand value
(6) --> 0
(6) &Acct-Input-Octets64 = 0
(6) EXPAND %{expr:(&Acct-Output-Gigawords << 32) | &Acct-Output-Octets}
(6) WARNING: Can't find &Acct-Output-Gigawords. Using 0 as operand value
(6) WARNING: Can't find &Acct-Output-Octets. Using 0 as operand value
(6) --> 0
(6) &Acct-Output-Octets64 = 0
(6) } # update request (noop)
(6) } # acct_counters64.preacct (noop)
(6) update request {
(6) EXPAND %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}
(6) --> 1456841080
(6) &FreeRADIUS-Acct-Session-Start-Time = Mar 1 2016 14:04:40 GMT
(6) } # update request (noop)
(6) acct_unique {
(6) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(6) EXPAND %{string:Class}
(6) -->
(6) ...
(6) }
(6) else {
(6) update request {
(6) EXPAND %{md5:%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(6) --> 0da3dd9e2370ee8eb568667ef3bea757
(6) &Acct-Unique-Session-Id := 0da3dd9e2370ee8eb568667ef3bea757
(6) } # update request (noop)
(6) } # else (noop)
(6) } # acct_unique (noop)
(6) suffix (noop)
(6) ntdomain (noop)
(6) files (noop)
(6) } # preacct (ok)
(6) Running section accounting from file /etc/raddb/sites-enabled/lboro
(6) accounting {
(6) if (Acct-Session-Time != 0) {
(6) ERROR: Condition evaluation failed because the value of an operand could not be determined
(6) ...
(6) }
(6) sql - EXPAND %{tolower:type.%{%{Acct-Status-Type}:-none}.query}
(6) sql - --> type.start.query
(6) sql - Using query template 'query'
(6) sql - Reserved connection (0)
(6) sql - EXPAND %{User-Name}
(6) sql - -->
(6) sql - SQL-User-Name set to ''
(6) sql - EXPAND INSERT INTO staffbaseschema.radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet)
(6) sql - --> INSERT INTO staffbaseschema.radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('00001ED6', '0da3dd9e2370ee8eb568667ef3bea757', '', NULLIF('', ''), '10.51.2.44', NULLIF('FastEthernet0/2', ''), 'Ethernet', TO_TIMESTAMP(1456841080), TO_TIMESTAMP(1456841080), NULL, 0, 'Local', '', NULL, 0, 0, '00-1B-8F-1A-17-82', 'E8-94-F6-E3-73-EC', NULL, 'Framed-User', '', NULLIF('', '')::inet)
(6) sql - Executing query: INSERT INTO staffbaseschema.radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('00001ED6', '0da3dd9e2370ee8eb568667ef3bea757', '', NULLIF('', ''), '10.51.2.44', NULLIF('FastEthernet0/2', ''), 'Ethernet', TO_TIMESTAMP(1456841080), TO_TIMESTAMP(1456841080), NULL, 0, 'Local', '', NULL, 0, 0, '00-1B-8F-1A-17-82', 'E8-94-F6-E3-73-EC', NULL, 'Framed-User', '', NULLIF('', '')::inet)
rlm_sql_postgresql - Status: PGRES_COMMAND_OK
rlm_sql_postgresql - query affected rows = 1
(6) sql - SQL query returned: success
(6) sql - 1 record(s) updated
(6) sql - Released connection (0)
(6) sql (ok)
(6) if (noop) {
(6) ...
(6) }
(6) attr_filter.accounting_response - EXPAND %{User-Name}
(6) attr_filter.accounting_response - -->
(6) attr_filter.accounting_response - Matched entry DEFAULT at line 12
(6) attr_filter.accounting_response (updated)
(6) } # accounting (updated)
(6) Sent Accounting-Response Id 72 from 158.125.161.128:1813 to 10.51.2.44:1646 via ens160 length 0
(6) Finished request
(6) Cleaning up request packet ID 72 with timestamp +4
Waking up in 1.6 seconds.
(7) - Received Access-Request Id 254 from 10.53.253.14:32770 to 158.125.161.128:1812 via ens160 length 319
(7) - User-Name = "anon(a)lboro.ac.uk"
(7) - Chargeable-User-Identity = 0x00
(7) - Location-Capable = Civix-Location
(7) - Calling-Station-Id = "18-cf-5e-12-75-c1"
(7) - Called-Station-Id = "b0-aa-77-57-cf-50:wirefree"
(7) - NAS-Port = 13
(7) - Cisco-AVPair = "audit-session-id=0a35fd0e000e790756d5a18b"
(7) - Acct-Session-Id = "56d5a18b/18:cf:5e:12:75:c1/766789"
(7) - NAS-IP-Address = 10.53.253.14
(7) - NAS-IPv6-Address = 2001:630:301:9101::14
(7) - NAS-Identifier = "wism-sport-park-3"
(7) - Airespace-Wlan-Id = 3
(7) - Service-Type = Framed-User
(7) - Framed-MTU = 1300
(7) - NAS-Port-Type = Wireless-802.11
(7) - Tunnel-Type:0 = VLAN
(7) - Tunnel-Medium-Type:0 = IEEE-802
(7) - Tunnel-Private-Group-Id:0 = "1112"
(7) - EAP-Message = 0x020800061900
(7) - State = 0x060351002306bedc523c504e518c74e2
(7) - Message-Authenticator = 0xf70d79e724c5206f4b6e87dbae453927
(7) - Running section authorize from file /etc/raddb/sites-enabled/lboro
(7) - authorize {
(7) - nagios_check {
(7) - if (User-Name == "nagios01aa" && "%{client:group}" == "nagios") {
(7) - ...
(7) - }
(7) - } # nagios_check (notfound)
(7) - wism_check {
(7) - if (User-Name =~ /wism-check/ ) {
(7) - ...
(7) - }
(7) - } # wism_check (notfound)
(7) - filter_duff_realms {
(7) - if (User-Name =~ /\\.ax\\.uk$/i ) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /\\.sc\\.uk$/i ) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /\\.ac\\.u$/i ) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /lboro$/i ) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /lboro\\.co\\.uk$/i ) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /ac\\.lboro\\.uk$/i ) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /unilboro\\.ac\\.uk$/i ) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /\\.a\\.c\\.uk$/i ) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /3gppnetwork\\.org$/i) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /myabc\\.com$/i) {
(7) - ...
(7) - }
(7) - elsif (User-Name !~ /lboro\\.local$/i && User-Name =~ /\\.local$/i) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /lbro\\.ac\\.uk$/i ) {
(7) - ...
(7) - }
(7) - elsif (User-Name =~ /lboro\\.student\\.ac\\.uk$/i ) {
(7) - ...
(7) - }
(7) - } # filter_duff_realms (notfound)
(7) - filter_username {
(7) - if (!&User-Name) {
(7) - ...
(7) - }
(7) - if (&User-Name =~ / /) {
(7) - ...
(7) - }
(7) - if (&User-Name =~ /@.*@/ ) {
(7) - ...
(7) - }
(7) - if (&User-Name =~ /\.\./ ) {
(7) - ...
(7) - }
(7) - if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) - ...
(7) - }
(7) - if (&User-Name =~ /\.$/) {
(7) - ...
(7) - }
(7) - if (&User-Name =~ /(a)\./) {
(7) - ...
(7) - }
(7) - } # filter_username (notfound)
(7) preprocess (ok)
(7) operator-name.authorize {
(7) if ("%{client:Operator-Name}") {
(7) EXPAND %{client:Operator-Name}
(7) -->
(7) ...
(7) }
(7) } # operator-name.authorize (ok)
(7) cui.authorize {
(7) if ("%{client:add_cui}" == 'yes') {
(7) EXPAND %{client:add_cui}
(7) --> yes
(7) update request {
(7) &Chargeable-User-Identity := 0x00
(7) } # update request (noop)
(7) } # if ("%{client:add_cui}" == 'yes') (noop)
(7) } # cui.authorize (noop)
(7) suffix - Checking for suffix after "@"
(7) suffix - Looking up realm "lboro.ac.uk" for User-Name = "anon(a)lboro.ac.uk"
(7) suffix - Found realm "lboro.ac.uk"
(7) suffix - Adding Stripped-User-Name = "anon"
(7) suffix - Adding Realm = "lboro.ac.uk"
(7) suffix - Authentication realm is LOCAL
(7) suffix (ok)
(7) ntdomain - Request already has destination realm set. Ignoring
(7) ntdomain (noop)
(7) if ( Called-Station-Id =~ /:eduroam$/ ) {
(7) ...
(7) }
(7) elsif ( Called-Station-Id =~ /.*:YST$/ ) {
(7) ...
(7) }
(7) elsif ( Called-Station-Id =~ /.*:ecb$/ || "%{client:group}" == "ecb" ) {
(7) EXPAND %{client:group}
(7) --> wireless
(7) ...
(7) }
(7) if ((User-Name =~ /youthsporttrust\\.org$/) || (User-Name =~ /^YOUTHSPORTTRUST\\\\/)) {
(7) ...
(7) }
(7) elsif (User-Name =~ /\(a)ecb\.co\.uk/i && "%{client:shortname}" == "dulcimer" ) {
(7) ...
(7) }
(7) elsif ( Realm == "ECB" || Realm == "ecb.co.uk" ) {
(7) ...
(7) }
(7) elsif (Service-Type == Call-Check && !EAP-Message && User-Name =~ /[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/) {
(7) ...
(7) }
(7) elsif ( Realm == "lsu.co.uk" ) {
(7) ...
(7) }
(7) elsif (User-Name =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
(7) ...
(7) }
(7) else {
(7) update request {
(7) &Realm := local
(7) } # update request (noop)
(7) } # else (noop)
(7) eap - Peer sent EAP Response (code 2) ID 8 length 6
(7) eap - Continuing tunnel setup
(7) eap (ok)
(7) } # authorize (ok)
(7) Using 'Auth-Type = eap' for authenticate {...}
(7) Running Auth-Type eap from file /etc/raddb/sites-enabled/lboro
(7) authenticate {
(7) eap - Peer sent packet with EAP method PEAP (25)
(7) eap - Calling submodule eap_peap to process data
(7) eap_peap - Continuing EAP-TLS
(7) eap_peap - Peer ACKed our handshake fragment. handshake is finished
(7) eap_peap - [eap-tls verify] = success
(7) eap_peap - [eap-tls process] = success
(7) eap_peap - Session established. Decoding tunneled data
(7) eap_peap - PEAP state TUNNEL ESTABLISHED
(7) eap_peap - Sending complete TLS record (53 bytes)
(7) eap - Sending EAP Request (code 1) ID 9 length 63
(7) eap (handled)
(7) } # authenticate (handled)
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/lboro
(7) Sent Access-Challenge Id 254 from 158.125.161.128:1812 to 10.53.253.14:32770 via ens160 length 0
(7) EAP-Message = 0x0109003f198000000035170302003094eda224ed5bd67356b6b9e5e9cb3f4e402a8774515ad7ff767acd2a8960e9fa58e5020503986828312b7c8b944a0e61
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x07015100148ca6ec523c504e518c74e2
(7) Finished request
Waking up in 0.8 seconds.
(0) Cleaning up request packet ID 248 with timestamp +3
(1) Cleaning up request packet ID 249 with timestamp +3
(2) Cleaning up request packet ID 250 with timestamp +3
(3) Cleaning up request packet ID 251 with timestamp +3
(4) Cleaning up request packet ID 252 with timestamp +3
(5) Cleaning up request packet ID 253 with timestamp +3
Waking up in 1.0 seconds.
(7) Cleaning up request packet ID 254 with timestamp +5
Ready to process requests
2
2