Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
July 2019
- 69 participants
- 75 discussions
Hi
We have been working on tuning SQL behind a FreeRadius Server.
Part of this has been moving to stored procedures where possible and
these are working well. However we have some cases that I need some
help with.
EG at accounting start we have:
-----
(1735) sql1: --> EXEC radius.[dbo].proc_RadaccInsert_1
'S60000026971709702CD00',
'ae67d6f1a5a55e4868ff02b8f6d30da6', etc
(1735) sql1: EXPAND /usr/local/var/log/radius/accounting.sql
(1735) sql1: --> /usr/local/var/log/radius/accounting.sql
(1735) sql1: Executing query: EXEC radius.[dbo].proc_RadaccInsert_1
'S60000026971709702CD00',
'ae67d6f1a5a55e4868ff02b8f6d30da6', etc
(1735) sql1: SQL query returned: success
(1735) sql1: -1 record(s) updated
(1735) sql1: No additional queries configured
-----
Now the stored procedure worked fine - However as it does a few checks
after the insert we get
(1735) sql1: -1 record(s) updated
(1735) sql1: No additional queries configured
And FreeRadius assumes the query did not update the database
Is there a way that we can configure FreeRadius to 'ignore' the fact
that number of records updated was -1 if the query returned OK and
assume the query update was good (it was) ?
Obviously I can look at the stored procedure and create a 'fake' query
so that it returns the record update?
Richard Palmer | Director | Merula Limited
Company Registered in England and Wales No. 3243995
5 Avro Court, Huntingdon, Cambridgeshire, PE29 6XS
Phone 01480 222940 | Support 0845 330 0666
Support Email support(a)merula.net
3
2
Dear All,
I'm using an HP ProCurve MSM 710 as the NAS, and SQL for accounting
and authentication.
Simultaneous-Use works sometimes, but not all the time.
>From what I've read, for the NAS-type 'other', freeradius only queries
radutmp, and does no additional checkrad check. Obviously I would like
to change that. Could someone tell me please where I can make the
necessary changes? so I can add a checkrad routine for 'other'
nas-type, and change that routine according to my needs.
I would also like to point out that radwho only works if I specify the
file, via "radwho -F /var/log/freeradius/sradutmp". So if checkrad
wraps around radwho, like radzap, this might be an issue.
Here's my sites-available/default file, if anyone is interested in that:
https://termbin.com/334u
Thanks for any and all help!
Kind Regards,
Taymour
4
8
Hello,
We have been forwarding to the acct packet to third radius server with
copy-acct-to-home-server
feature. Last week we faced severe issue with this as the third radius
server unresponsive to the packet, with this case it hit all the DB
resources.
Is there any way to send response to my NASs about the acct packet, even
incase my third radius server didn't respond or get down.
Regards,
Srijan
2
1
Hi,
After reading the ‘FreeRADIUS-Technical-Guide.pdf’, I have a very good idea
on how to install the RADIUS Server.
Nevertheless, unless I missed something, I couldn’t find any instructions
on how to install the RADIUS client (aka Network Access Server, or NAS).
My NAS is a Linux box and I am trying to implement centralized
username/password scheme (not use the local /etc/passwd or /etc/group
files).
Any help will be greatly appreciated,
Thanks in advance,
Simon
2
1
I have Freeradius 3.0.19 acting as AAA and Dhcp, there is also atftpd with
iPXE bootloader for PXE booting.
Such clients are defined by %{string:&DHCP-Vendor-Class-Identifier} and
should get address from IP Pool from flat text file.
Other clients (for example Windows) receive IP successfuly.
But PXE clients don' t get IP at all.
Why ?
If address assignment is set up via static mac-ip bindings (mac2ip file) IP
is assigned but boot file undionly.pxe is not found.
Because Freeradius adds "M-^?" (in ASCII without quotes) or in 0x4d2d5e3fff
between file name undionly.pxe and trailing zero.
Why ?
And how do it correct ?
2
1
Hi
Indeed - there is (although I haven't tested it yet for ippools) the
option at top level.
I was trying (if possible) to only log the ippool queries rather than
everything - However I can look at this for now and grep/etc the
queries needed
On Thursday 04/07/2019 at 10:52 pm, Arran Cudbard-Bell wrote:
>
>
>>
>> On 4 Jul 2019, at 15:50, Richard J Palmer <richard(a)merula.net> wrote:
>>
>>
>> Hi All
>>
>> I am trying to optimize some SQL queries & Database performance here -
>> particularly for iptables
>>
>> Now for accounting I can have something like:
>>
>> accounting {
>> # Write SQL queries to a logfile. This is potentially useful
>> for bulk inserts
>> # when used with the rlm_sql_null driver.
>> logfile = ${logdir}/accounting.sql
>>
>>
>> I have tried adding that inside the iptables query file - but that
>> file does not seem to allow that.
>>
>> Is there any way to log just the queries from the SQL IP Pool module ?
>
> rlm_sql.c says there's a top level logfile config item, which'd
> presumably log requests sent from the ippool module.
>
> e.g.:
>
> sql {
> logfile = "<path>"
> }
>
> I think the ippool module calls a function which respects that
> logfile, if it doesn't, report back and someone will fix it for
> 3.0.20.
>
> Thanks,
> -Arran
>
> Arran Cudbard-Bell <a.cudbardb(a)freeradius.org>
> FreeRADIUS Development Team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
2
1
Hi All
I am trying to optimize some SQL queries & Database performance here -
particularly for iptables
Now for accounting I can have something like:
accounting {
# Write SQL queries to a logfile. This is potentially useful for
bulk inserts
# when used with the rlm_sql_null driver.
logfile = ${logdir}/accounting.sql
I have tried adding that inside the iptables query file - but that
file does not seem to allow that.
Is there any way to log just the queries from the SQL IP Pool module ?
Thanks in advance
Richard
2
1
First I will describe my setup:
Freeradius (Daloradius) running latest release on centos 7 with authentication
On local mysql as well on remote Microsoft ADS (Ldap) with ntlm_auth.
Everything works well with mac only auth as well user + pass 802.1x EAP accounts running on local Mysql as well on Microsoft ADS.
I am familar with the radiusd -X and will provide debug outputs.
I made the changes in /etc/raddb/mods-available/eap
ttls {
copy_request_to_tunnel = yes
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
/etc/raddb/mods-available/mschap
mschap {
ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --domain=DETMOLD.WORTMANN.COM --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
passchange {
ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1 --allow-mschapv2"
ntlm_auth_username = "username: %{mschap:User-Name}"
ntlm_auth_domain = "nt-domain: DETMOLD.WORTMANN.COM"
/etc/raddb/mods-available/ntlm_auth
exec ntlm_auth {
wait = yes
program = "usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=DETMOLD.WORTMANN.COM --username=%{mschap:User-Name} --password=%{User-Password}"
}
/etc/raddb/sites-available/inner-tunnel
authenticate {
ntlm_auth
/etc/raddb/policy.d/group_authorization
group_authorization {
if (&Huntgroup-Name == "wo-byod") {
if (&LDAP-Group[*] == "CN=wo-byod,OU=Wifi,OU=Administration,DC=wifi,DC=wortmann,DC=com") {
#reject
ok
}
else {
reject
}
}
elsif (&Huntgroup-Name == "wo-secure") {
if (&LDAP-Group[*] == "CN=wo-secure,OU=Wifi,OU=Administration,DC=wifi,DC=wortmann,DC=com") {
ok
}
else {
reject
}
}
}
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Now I would like to create account with 802.1x EAP user + Pass + mac.
I created a user + pass on local server (not microsoft ADS) and the following attributes:
Calling-Station-Id := XX:XX:YY: (MAC)
MS-CHAP-Use-NTLM-Auth :=No #cause local user in mysql no user on microsoft ads
-----------
Output of 802.1x User + Pass + MAC-AUTH (This does not work)
(0) Received Access-Request Id 178 from 192.168.70.15:18487 to 192.168.199.69:1812 length 369
(0) User-Name = "24:fb:65:69:06:af"
(0) User-Password = "24:fb:65:69:06:af"
(0) NAS-IP-Address = 192.168.70.63
(0) NAS-Identifier = "ruckuscontroller"
(0) Called-Station-Id = "34-FA-9F-BA-58-8F:test-radius-user+pass+mac"
(0) Calling-Station-Id = "24-FB-65-69-06-AF"
(0) Service-Type = Framed-User
(0) NAS-Port-Type = Wireless-802.11
(0) Location-Data = 0x31304445170a49542d53657276696365
(0) Ruckus-SSID = "test-radius-user+pass+mac"
(0) Ruckus-BSSID = 0x34fa9fba588f
(0) Ruckus-Location = "IT-Service"
(0) Ruckus-VLAN-ID = 1
(0) Ruckus-SCG-CBlade-IP = 3232253455
(0) Ruckus-Zone-Name = "Detmold"
(0) Attr-26.25053.154 = 0x576f72746d616e6e
(0) Ruckus-Wlan-Name = "test-radius-user+pass+mac"
(0) Message-Authenticator = 0xacdb9cb8915c51eabb275d3f52265694
(0) Chargeable-User-Identity = 0x00
(0) Proxy-State = 0x3230
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (name=24:fb:65:69:06:af)
(0) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=24:fb:65:69:06:af)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: Search returned no results
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap02.detmold.wortmann.com:50027
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) [ldap] = notfound
(0) policy group_authorization {
(0) if (&Huntgroup-Name == "wo-byod") {
(0) ERROR: Failed retrieving values required to evaluate condition
(0) elsif (&Huntgroup-Name == "wo-secure") {
(0) ERROR: Failed retrieving values required to evaluate condition
(0) } # policy group_authorization = notfound
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) policy filter_password {
(0) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(0) EXPAND %{string:User-Password}
(0) --> 24:fb:65:69:06:af
(0) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(0) } # policy filter_password = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "24:fb:65:69:06:af", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
(0) sql: EXPAND %{User-Name}
(0) sql: --> 24:fb:65:69:06:af
(0) sql: SQL-User-Name set to '24:fb:65:69:06:af'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '24:fb:65:69:06:af' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '24:fb:65:69:06:af' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = '24:fb:65:69:06:af' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '24:fb:65:69:06:af' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.40-MariaDB, protocol version 10
(0) [sql] = notfound
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND %{User-Name}
(0) sql: --> 24:fb:65:69:06:af
(0) sql: SQL-User-Name set to '24:fb:65:69:06:af'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '24:fb:65:69:06:af', '24:fb:65:69:06:af', 'Access-Reject', '2019-07-03 15:06:39.437779')
(0) sql: EXPAND /var/log/radius/sqllog.sql
(0) sql: --> /var/log/radius/sqllog.sql
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '24:fb:65:69:06:af', '24:fb:65:69:06:af', 'Access-Reject', '2019-07-03 15:06:39.437779')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> 24:fb:65:69:06:af
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 178 from 192.168.199.69:1812 to 192.168.70.15:18487 length 24
(0) Proxy-State = 0x3230
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 178 with timestamp +21
Ready to process requests
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
And here comes the output with 802.1x with User + Pass (This works)
(0) Received Access-Request Id 118 from 192.168.70.15:18487 to 192.168.199.69:1812 length 370
(0) Acct-Session-Id = "5D1CA994-67A4B00F"
(0) User-Name = "wifitestmac01"
(0) NAS-IP-Address = 192.168.70.63
(0) NAS-Identifier = "ruckuscontroller"
(0) NAS-Port = 1
(0) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(0) Calling-Station-Id = "24-FB-65-69-06-AF"
(0) Location-Data = 0x31304445170a49542d53657276696365
(0) Service-Type = Framed-User
(0) Chargeable-User-Identity = 0x00
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 802.11a/n/ac"
(0) EAP-Message = 0x020000120177696669746573746d61633031
(0) Ruckus-SSID = "test-radius-user+pass"
(0) Ruckus-BSSID = 0x34fa9ffa588e
(0) Ruckus-Location = "IT-Service"
(0) Ruckus-VLAN-ID = 1
(0) Ruckus-SCG-CBlade-IP = 3232253455
(0) Ruckus-Zone-Name = "Detmold"
(0) Ruckus-Wlan-Name = "test-radius-user+pass"
(0) Message-Authenticator = 0x159a3af56a73ce0394ac2b647dab9fdc
(0) Proxy-State = 0x3636
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (name=wifitestmac01)
(0) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: Search returned no results
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap02.detmold.wortmann.com:50027
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) [ldap] = notfound
(0) policy group_authorization {
(0) if (&Huntgroup-Name == "wo-byod") {
(0) ERROR: Failed retrieving values required to evaluate condition
(0) elsif (&Huntgroup-Name == "wo-secure") {
(0) ERROR: Failed retrieving values required to evaluate condition
(0) } # policy group_authorization = notfound
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) policy filter_password {
(0) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(0) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(0) } # policy filter_password = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 18
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 1 length 6
(0) eap: EAP session adding &reply:State = 0x3bd334c23bd22d5a
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 118 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(0) EAP-Message = 0x010100061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x3bd334c23bd22d5a464d9b22d2e35ffe
(0) Proxy-State = 0x3636
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 192 from 192.168.70.15:18487 to 192.168.199.69:1812 length 523
(1) Acct-Session-Id = "5D1CA994-67A4B00F"
(1) User-Name = "wifitestmac01"
(1) NAS-IP-Address = 192.168.70.63
(1) NAS-Identifier = "ruckuscontroller"
(1) NAS-Port = 1
(1) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(1) Calling-Station-Id = "24-FB-65-69-06-AF"
(1) Location-Data = 0x31304445170a49542d53657276696365
(1) Service-Type = Framed-User
(1) Chargeable-User-Identity = 0x00
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 802.11a/n/ac"
(1) EAP-Message = 0x0201009919800000008f160301008a010000860303835329bad69de11579396dd64e0f503fa00db84d3fa1677093e39b7a165697b600002ac02bc02fc02cc030cca9cca8c009c023c013c027c00ac024c014c028009c009d002f003c0035003d000a01000033ff0100010000170000000d001400120403
(1) State = 0x3bd334c23bd22d5a464d9b22d2e35ffe
(1) Ruckus-SSID = "test-radius-user+pass"
(1) Ruckus-BSSID = 0x34fa9ffa588e
(1) Ruckus-Location = "IT-Service"
(1) Ruckus-VLAN-ID = 1
(1) Ruckus-SCG-CBlade-IP = 3232253455
(1) Ruckus-Zone-Name = "Detmold"
(1) Ruckus-Wlan-Name = "test-radius-user+pass"
(1) Message-Authenticator = 0x7bc819acb7da691a1924f0d0f7cdfe1c
(1) Proxy-State = 0x3637
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
rlm_ldap (ldap): Reserved connection (1)
(1) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap: --> (name=wifitestmac01)
(1) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(1) ldap: Waiting for search result...
(1) ldap: Search returned no results
rlm_ldap (ldap): Released connection (1)
(1) [ldap] = notfound
(1) policy group_authorization {
(1) if (&Huntgroup-Name == "wo-byod") {
(1) ERROR: Failed retrieving values required to evaluate condition
(1) elsif (&Huntgroup-Name == "wo-secure") {
(1) ERROR: Failed retrieving values required to evaluate condition
(1) } # policy group_authorization = notfound
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) policy filter_password {
(1) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(1) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(1) } # policy filter_password = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 153
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x3bd334c23bd22d5a
(1) eap: Finished EAP session with state 0x3bd334c23bd22d5a
(1) eap: Previous EAP request found for state 0x3bd334c23bd22d5a, released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 143 bytes
(1) eap_peap: Got complete TLS record (143 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before/accept initialization
(1) eap_peap: TLS_accept: before/accept initialization
(1) eap_peap: <<< recv TLS 1.2 [length 008a]
(1) eap_peap: TLS_accept: SSLv3 read client hello A
(1) eap_peap: >>> send TLS 1.2 [length 0039]
(1) eap_peap: TLS_accept: SSLv3 write server hello A
(1) eap_peap: >>> send TLS 1.2 [length 08d3]
(1) eap_peap: TLS_accept: SSLv3 write certificate A
(1) eap_peap: >>> send TLS 1.2 [length 014d]
(1) eap_peap: TLS_accept: SSLv3 write key exchange A
(1) eap_peap: >>> send TLS 1.2 [length 0004]
(1) eap_peap: TLS_accept: SSLv3 write server done A
(1) eap_peap: TLS_accept: SSLv3 flush data
(1) eap_peap: TLS_accept: SSLv3 read client certificate A
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(1) eap_peap: In SSL Handshake Phase
(1) eap_peap: In SSL Accept mode
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 2 length 1004
(1) eap: EAP session adding &reply:State = 0x3bd334c23ad12d5a
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 192 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(1) EAP-Message = 0x010203ec19c000000a7116030300390200003503038fd7c9ffc7d69edac5f51c36f36bb4cd3683efff8a28e5db6b9b61ec4e4b534100c02f00000dff01000100000b00040300010216030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d01010b050030
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x3bd334c23ad12d5a464d9b22d2e35ffe
(1) Proxy-State = 0x3637
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 219 from 192.168.70.15:18487 to 192.168.199.69:1812 length 376
(2) Acct-Session-Id = "5D1CA994-67A4B00F"
(2) User-Name = "wifitestmac01"
(2) NAS-IP-Address = 192.168.70.63
(2) NAS-Identifier = "ruckuscontroller"
(2) NAS-Port = 1
(2) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(2) Calling-Station-Id = "24-FB-65-69-06-AF"
(2) Location-Data = 0x31304445170a49542d53657276696365
(2) Service-Type = Framed-User
(2) Chargeable-User-Identity = 0x00
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = "CONNECT 802.11a/n/ac"
(2) EAP-Message = 0x020200061900
(2) State = 0x3bd334c23ad12d5a464d9b22d2e35ffe
(2) Ruckus-SSID = "test-radius-user+pass"
(2) Ruckus-BSSID = 0x34fa9ffa588e
(2) Ruckus-Location = "IT-Service"
(2) Ruckus-VLAN-ID = 1
(2) Ruckus-SCG-CBlade-IP = 3232253455
(2) Ruckus-Zone-Name = "Detmold"
(2) Ruckus-Wlan-Name = "test-radius-user+pass"
(2) Message-Authenticator = 0xb247f926b23e2510c40d16d6cff0ecab
(2) Proxy-State = 0x3638
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
rlm_ldap (ldap): Reserved connection (2)
(2) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(2) ldap: --> (name=wifitestmac01)
(2) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(2) ldap: Waiting for search result...
(2) ldap: Search returned no results
rlm_ldap (ldap): Released connection (2)
Need 4 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap02.detmold.wortmann.com:50027
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(2) [ldap] = notfound
(2) policy group_authorization {
(2) if (&Huntgroup-Name == "wo-byod") {
(2) ERROR: Failed retrieving values required to evaluate condition
(2) elsif (&Huntgroup-Name == "wo-secure") {
(2) ERROR: Failed retrieving values required to evaluate condition
(2) } # policy group_authorization = notfound
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) policy filter_password {
(2) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(2) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(2) } # policy filter_password = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x3bd334c23ad12d5a
(2) eap: Finished EAP session with state 0x3bd334c23ad12d5a
(2) eap: Previous EAP request found for state 0x3bd334c23ad12d5a, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer ACKed our handshake fragment
(2) eap_peap: [eaptls verify] = request
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1000
(2) eap: EAP session adding &reply:State = 0x3bd334c239d02d5a
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 219 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(2) EAP-Message = 0x010303e8194091bfa579e2faf519ba55b78dda4a69f41a426f5e0c2c6f73a6b54147ba90603059eb0e91ad1221d42cb94f40b2d6f4bfd1026f390833e0d09c94696b1b5bef8a50f83b31b6fff4e1a20004e8308204e4308203cca003020102020900fcbb37b2469beea7300d06092a864886f70d01010b
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x3bd334c239d02d5a464d9b22d2e35ffe
(2) Proxy-State = 0x3638
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 32 from 192.168.70.15:18487 to 192.168.199.69:1812 length 376
(3) Acct-Session-Id = "5D1CA994-67A4B00F"
(3) User-Name = "wifitestmac01"
(3) NAS-IP-Address = 192.168.70.63
(3) NAS-Identifier = "ruckuscontroller"
(3) NAS-Port = 1
(3) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(3) Calling-Station-Id = "24-FB-65-69-06-AF"
(3) Location-Data = 0x31304445170a49542d53657276696365
(3) Service-Type = Framed-User
(3) Chargeable-User-Identity = 0x00
(3) NAS-Port-Type = Wireless-802.11
(3) Connect-Info = "CONNECT 802.11a/n/ac"
(3) EAP-Message = 0x020300061900
(3) State = 0x3bd334c239d02d5a464d9b22d2e35ffe
(3) Ruckus-SSID = "test-radius-user+pass"
(3) Ruckus-BSSID = 0x34fa9ffa588e
(3) Ruckus-Location = "IT-Service"
(3) Ruckus-VLAN-ID = 1
(3) Ruckus-SCG-CBlade-IP = 3232253455
(3) Ruckus-Zone-Name = "Detmold"
(3) Ruckus-Wlan-Name = "test-radius-user+pass"
(3) Message-Authenticator = 0x987f2b5f4dace466c0f0b4acf02c3574
(3) Proxy-State = 0x3639
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
rlm_ldap (ldap): Reserved connection (3)
(3) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(3) ldap: --> (name=wifitestmac01)
(3) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(3) ldap: Waiting for search result...
(3) ldap: Search returned no results
rlm_ldap (ldap): Released connection (3)
(3) [ldap] = notfound
(3) policy group_authorization {
(3) if (&Huntgroup-Name == "wo-byod") {
(3) ERROR: Failed retrieving values required to evaluate condition
(3) elsif (&Huntgroup-Name == "wo-secure") {
(3) ERROR: Failed retrieving values required to evaluate condition
(3) } # policy group_authorization = notfound
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) policy filter_password {
(3) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(3) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(3) } # policy filter_password = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x3bd334c239d02d5a
(3) eap: Finished EAP session with state 0x3bd334c239d02d5a
(3) eap: Previous EAP request found for state 0x3bd334c239d02d5a, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 691
(3) eap: EAP session adding &reply:State = 0x3bd334c238d72d5a
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 32 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(3) EAP-Message = 0x010402b319000530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101009d2d36e5e65062434bce33d522f21aa5fc16f766f283a13b276fc9ebf7f118
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x3bd334c238d72d5a464d9b22d2e35ffe
(3) Proxy-State = 0x3639
(3) Finished request
Waking up in 4.7 seconds.
(4) Received Access-Request Id 28 from 192.168.70.15:18487 to 192.168.199.69:1812 length 506
(4) Acct-Session-Id = "5D1CA994-67A4B00F"
(4) User-Name = "wifitestmac01"
(4) NAS-IP-Address = 192.168.70.63
(4) NAS-Identifier = "ruckuscontroller"
(4) NAS-Port = 1
(4) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(4) Calling-Station-Id = "24-FB-65-69-06-AF"
(4) Location-Data = 0x31304445170a49542d53657276696365
(4) Service-Type = Framed-User
(4) Chargeable-User-Identity = 0x00
(4) NAS-Port-Type = Wireless-802.11
(4) Connect-Info = "CONNECT 802.11a/n/ac"
(4) EAP-Message = 0x0204008819800000007e1603030046100000424104adbbc0a47dec1a64cf71dd948d1cc6eeb600228b9ec1c419b2931cb6742f75033ea0cfe3368b858b07feb235a1c46f8936048a0d55e2f87fb62156f1fedb985814030300010116030300280000000000000000ab71501664950b092c4c0b8b88170f
(4) State = 0x3bd334c238d72d5a464d9b22d2e35ffe
(4) Ruckus-SSID = "test-radius-user+pass"
(4) Ruckus-BSSID = 0x34fa9ffa588e
(4) Ruckus-Location = "IT-Service"
(4) Ruckus-VLAN-ID = 1
(4) Ruckus-SCG-CBlade-IP = 3232253455
(4) Ruckus-Zone-Name = "Detmold"
(4) Ruckus-Wlan-Name = "test-radius-user+pass"
(4) Message-Authenticator = 0xaa7a33857a9cd2bd2a0a520d9b8229f1
(4) Proxy-State = 0x3730
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
rlm_ldap (ldap): Reserved connection (4)
(4) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(4) ldap: --> (name=wifitestmac01)
(4) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(4) ldap: Waiting for search result...
(4) ldap: Search returned no results
rlm_ldap (ldap): Released connection (4)
(4) [ldap] = notfound
(4) policy group_authorization {
(4) if (&Huntgroup-Name == "wo-byod") {
(4) ERROR: Failed retrieving values required to evaluate condition
(4) elsif (&Huntgroup-Name == "wo-secure") {
(4) ERROR: Failed retrieving values required to evaluate condition
(4) } # policy group_authorization = notfound
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) policy filter_password {
(4) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(4) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(4) } # policy filter_password = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 136
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x3bd334c238d72d5a
(4) eap: Finished EAP session with state 0x3bd334c238d72d5a
(4) eap: Previous EAP request found for state 0x3bd334c238d72d5a, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(4) eap_peap: Got complete TLS record (126 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: <<< recv TLS 1.2 [length 0046]
(4) eap_peap: TLS_accept: SSLv3 read client key exchange A
(4) eap_peap: TLS_accept: SSLv3 read certificate verify A
(4) eap_peap: <<< recv TLS 1.2 [length 0001]
(4) eap_peap: <<< recv TLS 1.2 [length 0010]
(4) eap_peap: TLS_accept: SSLv3 read finished A
(4) eap_peap: >>> send TLS 1.2 [length 0001]
(4) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(4) eap_peap: >>> send TLS 1.2 [length 0010]
(4) eap_peap: TLS_accept: SSLv3 write finished A
(4) eap_peap: TLS_accept: SSLv3 flush data
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: SSL Connection Established
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 57
(4) eap: EAP session adding &reply:State = 0x3bd334c23fd62d5a
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 28 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(4) EAP-Message = 0x0105003919001403030001011603030028d5ec48bada42fbd160a0e9edd0eb49dfdd71efa906eeeeca879b4e3db15c178c51fb9fa222a5ed41
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x3bd334c23fd62d5a464d9b22d2e35ffe
(4) Proxy-State = 0x3730
(4) Finished request
Waking up in 4.6 seconds.
(5) Received Access-Request Id 53 from 192.168.70.15:18487 to 192.168.199.69:1812 length 376
(5) Acct-Session-Id = "5D1CA994-67A4B00F"
(5) User-Name = "wifitestmac01"
(5) NAS-IP-Address = 192.168.70.63
(5) NAS-Identifier = "ruckuscontroller"
(5) NAS-Port = 1
(5) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(5) Calling-Station-Id = "24-FB-65-69-06-AF"
(5) Location-Data = 0x31304445170a49542d53657276696365
(5) Service-Type = Framed-User
(5) Chargeable-User-Identity = 0x00
(5) NAS-Port-Type = Wireless-802.11
(5) Connect-Info = "CONNECT 802.11a/n/ac"
(5) EAP-Message = 0x020500061900
(5) State = 0x3bd334c23fd62d5a464d9b22d2e35ffe
(5) Ruckus-SSID = "test-radius-user+pass"
(5) Ruckus-BSSID = 0x34fa9ffa588e
(5) Ruckus-Location = "IT-Service"
(5) Ruckus-VLAN-ID = 1
(5) Ruckus-SCG-CBlade-IP = 3232253455
(5) Ruckus-Zone-Name = "Detmold"
(5) Ruckus-Wlan-Name = "test-radius-user+pass"
(5) Message-Authenticator = 0x66edffe796ea4dd8ad07c9eb195678ba
(5) Proxy-State = 0x3731
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
rlm_ldap (ldap): Reserved connection (0)
(5) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(5) ldap: --> (name=wifitestmac01)
(5) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(5) ldap: Waiting for search result...
(5) ldap: Search returned no results
rlm_ldap (ldap): Released connection (0)
(5) [ldap] = notfound
(5) policy group_authorization {
(5) if (&Huntgroup-Name == "wo-byod") {
(5) ERROR: Failed retrieving values required to evaluate condition
(5) elsif (&Huntgroup-Name == "wo-secure") {
(5) ERROR: Failed retrieving values required to evaluate condition
(5) } # policy group_authorization = notfound
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) policy filter_password {
(5) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(5) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(5) } # policy filter_password = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x3bd334c23fd62d5a
(5) eap: Finished EAP session with state 0x3bd334c23fd62d5a
(5) eap: Previous EAP request found for state 0x3bd334c23fd62d5a, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established. Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 6 length 40
(5) eap: EAP session adding &reply:State = 0x3bd334c23ed52d5a
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 53 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(5) EAP-Message = 0x010600281900170303001dd5ec48bada42fbd2efc073480c7529e47c1add6cb4438a099c10325e70
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x3bd334c23ed52d5a464d9b22d2e35ffe
(5) Proxy-State = 0x3731
(5) Finished request
Waking up in 4.6 seconds.
(6) Received Access-Request Id 156 from 192.168.70.15:18487 to 192.168.199.69:1812 length 419
(6) Acct-Session-Id = "5D1CA994-67A4B00F"
(6) User-Name = "wifitestmac01"
(6) NAS-IP-Address = 192.168.70.63
(6) NAS-Identifier = "ruckuscontroller"
(6) NAS-Port = 1
(6) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(6) Calling-Station-Id = "24-FB-65-69-06-AF"
(6) Location-Data = 0x31304445170a49542d53657276696365
(6) Service-Type = Framed-User
(6) Chargeable-User-Identity = 0x00
(6) NAS-Port-Type = Wireless-802.11
(6) Connect-Info = "CONNECT 802.11a/n/ac"
(6) EAP-Message = 0x020600311900170303002600000000000000015698d55ae694291d750d607613ec0078f789474257506b16b6bbfb645851
(6) State = 0x3bd334c23ed52d5a464d9b22d2e35ffe
(6) Ruckus-SSID = "test-radius-user+pass"
(6) Ruckus-BSSID = 0x34fa9ffa588e
(6) Ruckus-Location = "IT-Service"
(6) Ruckus-VLAN-ID = 1
(6) Ruckus-SCG-CBlade-IP = 3232253455
(6) Ruckus-Zone-Name = "Detmold"
(6) Ruckus-Wlan-Name = "test-radius-user+pass"
(6) Message-Authenticator = 0x34c64d7bfe181cdb376fcd5e5ddf54bc
(6) Proxy-State = 0x3732
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
rlm_ldap (ldap): Reserved connection (5)
(6) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(6) ldap: --> (name=wifitestmac01)
(6) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(6) ldap: Waiting for search result...
(6) ldap: Search returned no results
rlm_ldap (ldap): Released connection (5)
(6) [ldap] = notfound
(6) policy group_authorization {
(6) if (&Huntgroup-Name == "wo-byod") {
(6) ERROR: Failed retrieving values required to evaluate condition
(6) elsif (&Huntgroup-Name == "wo-secure") {
(6) ERROR: Failed retrieving values required to evaluate condition
(6) } # policy group_authorization = notfound
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) policy filter_password {
(6) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(6) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(6) } # policy filter_password = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 49
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x3bd334c23ed52d5a
(6) eap: Finished EAP session with state 0x3bd334c23ed52d5a
(6) eap: Previous EAP request found for state 0x3bd334c23ed52d5a, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - wifitestmac01
(6) eap_peap: Got inner identity 'wifitestmac01'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap: EAP-Message = 0x020600120177696669746573746d61633031
(6) eap_peap: Setting User-Name to wifitestmac01
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap: EAP-Message = 0x020600120177696669746573746d61633031
(6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap: User-Name = "wifitestmac01"
(6) eap_peap: Acct-Session-Id = "5D1CA994-67A4B00F"
(6) eap_peap: NAS-IP-Address = 192.168.70.63
(6) eap_peap: NAS-Identifier = "ruckuscontroller"
(6) eap_peap: NAS-Port = 1
(6) eap_peap: Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(6) eap_peap: Calling-Station-Id = "24-FB-65-69-06-AF"
(6) eap_peap: Location-Data = 0x31304445170a49542d53657276696365
(6) eap_peap: Service-Type = Framed-User
(6) eap_peap: Chargeable-User-Identity = 0x00
(6) eap_peap: NAS-Port-Type = Wireless-802.11
(6) eap_peap: Connect-Info = "CONNECT 802.11a/n/ac"
(6) eap_peap: Ruckus-SSID = "test-radius-user+pass"
(6) eap_peap: Ruckus-BSSID = 0x34fa9ffa588e
(6) eap_peap: Ruckus-Location = "IT-Service"
(6) eap_peap: Ruckus-VLAN-ID = 1
(6) eap_peap: Ruckus-SCG-CBlade-IP = 3232253455
(6) eap_peap: Ruckus-Zone-Name = "Detmold"
(6) eap_peap: Ruckus-Wlan-Name = "test-radius-user+pass"
(6) eap_peap: Event-Timestamp = "Jul 3 2019 15:11:54 CEST"
(6) Virtual server inner-tunnel received request
(6) EAP-Message = 0x020600120177696669746573746d61633031
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = "wifitestmac01"
(6) Acct-Session-Id = "5D1CA994-67A4B00F"
(6) NAS-IP-Address = 192.168.70.63
(6) NAS-Identifier = "ruckuscontroller"
(6) NAS-Port = 1
(6) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(6) Calling-Station-Id = "24-FB-65-69-06-AF"
(6) Location-Data = 0x31304445170a49542d53657276696365
(6) Service-Type = Framed-User
(6) Chargeable-User-Identity = 0x00
(6) NAS-Port-Type = Wireless-802.11
(6) Connect-Info = "CONNECT 802.11a/n/ac"
(6) Ruckus-SSID = "test-radius-user+pass"
(6) Ruckus-BSSID = 0x34fa9ffa588e
(6) Ruckus-Location = "IT-Service"
(6) Ruckus-VLAN-ID = 1
(6) Ruckus-SCG-CBlade-IP = 3232253455
(6) Ruckus-Zone-Name = "Detmold"
(6) Ruckus-Wlan-Name = "test-radius-user+pass"
(6) Event-Timestamp = "Jul 3 2019 15:11:54 CEST"
(6) WARNING: Outer and inner identities are the same. User privacy is compromised.
(6) server inner-tunnel {
(6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 18
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) eap: Sending EAP Request (code 1) ID 7 length 43
(6) eap: EAP session adding &reply:State = 0x78a9799278ae6313
(6) [eap] = handled
(6) } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) EAP-Message = 0x0107002b1a0107002610acc3fe6199de746d49fc93f49582fc03667265657261646975732d332e302e3133
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x78a9799278ae6313f359dd39dd5c9f11
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap: EAP-Message = 0x0107002b1a0107002610acc3fe6199de746d49fc93f49582fc03667265657261646975732d332e302e3133
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x78a9799278ae6313f359dd39dd5c9f11
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap: EAP-Message = 0x0107002b1a0107002610acc3fe6199de746d49fc93f49582fc03667265657261646975732d332e302e3133
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x78a9799278ae6313f359dd39dd5c9f11
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 7 length 74
(6) eap: EAP session adding &reply:State = 0x3bd334c23dd42d5a
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) Sent Access-Challenge Id 156 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(6) EAP-Message = 0x0107004a1900170303003fd5ec48bada42fbd39481e9f00adb4e04c21da70a884fc7d37895cfdbd260a4aa2189d9d36c81ebc4a14d73b74ba2eb169b57fd36b0ecb4393df44715a4222e
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x3bd334c23dd42d5a464d9b22d2e35ffe
(6) Proxy-State = 0x3732
(6) Finished request
Waking up in 4.5 seconds.
(7) Received Access-Request Id 35 from 192.168.70.15:18487 to 192.168.199.69:1812 length 473
(7) Acct-Session-Id = "5D1CA994-67A4B00F"
(7) User-Name = "wifitestmac01"
(7) NAS-IP-Address = 192.168.70.63
(7) NAS-Identifier = "ruckuscontroller"
(7) NAS-Port = 1
(7) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(7) Calling-Station-Id = "24-FB-65-69-06-AF"
(7) Location-Data = 0x31304445170a49542d53657276696365
(7) Service-Type = Framed-User
(7) Chargeable-User-Identity = 0x00
(7) NAS-Port-Type = Wireless-802.11
(7) Connect-Info = "CONNECT 802.11a/n/ac"
(7) EAP-Message = 0x020700671900170303005c000000000000000260bd309024ce07ecc1dd6fb714cd4aab28a634e3636effeb72f8162068747c873ba798f59a4cd64c069ba2159698e14743104d45d20c019e727efc75fdac7624b0b06f869e8bc2cfc1cc6cfd33ed977ae6015649
(7) State = 0x3bd334c23dd42d5a464d9b22d2e35ffe
(7) Ruckus-SSID = "test-radius-user+pass"
(7) Ruckus-BSSID = 0x34fa9ffa588e
(7) Ruckus-Location = "IT-Service"
(7) Ruckus-VLAN-ID = 1
(7) Ruckus-SCG-CBlade-IP = 3232253455
(7) Ruckus-Zone-Name = "Detmold"
(7) Ruckus-Wlan-Name = "test-radius-user+pass"
(7) Message-Authenticator = 0x3b507e4e852475a8216cc0c453588426
(7) Proxy-State = 0x3733
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
rlm_ldap (ldap): Reserved connection (1)
(7) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap: --> (name=wifitestmac01)
(7) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(7) ldap: Waiting for search result...
(7) ldap: Search returned no results
rlm_ldap (ldap): Released connection (1)
(7) [ldap] = notfound
(7) policy group_authorization {
(7) if (&Huntgroup-Name == "wo-byod") {
(7) ERROR: Failed retrieving values required to evaluate condition
(7) elsif (&Huntgroup-Name == "wo-secure") {
(7) ERROR: Failed retrieving values required to evaluate condition
(7) } # policy group_authorization = notfound
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) policy filter_password {
(7) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(7) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(7) } # policy filter_password = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 103
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x78a9799278ae6313
(7) eap: Finished EAP session with state 0x3bd334c23dd42d5a
(7) eap: Previous EAP request found for state 0x3bd334c23dd42d5a, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x020700481a0207004331511e472c9167eed5163063c100f421e70000000000000000f82f405055c2818c487d7d078bd9aafccf93e2e4db9c11f60077696669746573746d61633031
(7) eap_peap: Setting User-Name to wifitestmac01
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x020700481a0207004331511e472c9167eed5163063c100f421e70000000000000000f82f405055c2818c487d7d078bd9aafccf93e2e4db9c11f60077696669746573746d61633031
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "wifitestmac01"
(7) eap_peap: State = 0x78a9799278ae6313f359dd39dd5c9f11
(7) eap_peap: Acct-Session-Id = "5D1CA994-67A4B00F"
(7) eap_peap: NAS-IP-Address = 192.168.70.63
(7) eap_peap: NAS-Identifier = "ruckuscontroller"
(7) eap_peap: NAS-Port = 1
(7) eap_peap: Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(7) eap_peap: Calling-Station-Id = "24-FB-65-69-06-AF"
(7) eap_peap: Location-Data = 0x31304445170a49542d53657276696365
(7) eap_peap: Service-Type = Framed-User
(7) eap_peap: Chargeable-User-Identity = 0x00
(7) eap_peap: NAS-Port-Type = Wireless-802.11
(7) eap_peap: Connect-Info = "CONNECT 802.11a/n/ac"
(7) eap_peap: Ruckus-SSID = "test-radius-user+pass"
(7) eap_peap: Ruckus-BSSID = 0x34fa9ffa588e
(7) eap_peap: Ruckus-Location = "IT-Service"
(7) eap_peap: Ruckus-VLAN-ID = 1
(7) eap_peap: Ruckus-SCG-CBlade-IP = 3232253455
(7) eap_peap: Ruckus-Zone-Name = "Detmold"
(7) eap_peap: Ruckus-Wlan-Name = "test-radius-user+pass"
(7) eap_peap: Event-Timestamp = "Jul 3 2019 15:11:54 CEST"
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x020700481a0207004331511e472c9167eed5163063c100f421e70000000000000000f82f405055c2818c487d7d078bd9aafccf93e2e4db9c11f60077696669746573746d61633031
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "wifitestmac01"
(7) State = 0x78a9799278ae6313f359dd39dd5c9f11
(7) Acct-Session-Id = "5D1CA994-67A4B00F"
(7) NAS-IP-Address = 192.168.70.63
(7) NAS-Identifier = "ruckuscontroller"
(7) NAS-Port = 1
(7) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(7) Calling-Station-Id = "24-FB-65-69-06-AF"
(7) Location-Data = 0x31304445170a49542d53657276696365
(7) Service-Type = Framed-User
(7) Chargeable-User-Identity = 0x00
(7) NAS-Port-Type = Wireless-802.11
(7) Connect-Info = "CONNECT 802.11a/n/ac"
(7) Ruckus-SSID = "test-radius-user+pass"
(7) Ruckus-BSSID = 0x34fa9ffa588e
(7) Ruckus-Location = "IT-Service"
(7) Ruckus-VLAN-ID = 1
(7) Ruckus-SCG-CBlade-IP = 3232253455
(7) Ruckus-Zone-Name = "Detmold"
(7) Ruckus-Wlan-Name = "test-radius-user+pass"
(7) Event-Timestamp = "Jul 3 2019 15:11:54 CEST"
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.
(7) server inner-tunnel {
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 72
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
(7) sql: EXPAND %{User-Name}
(7) sql: --> wifitestmac01
(7) sql: SQL-User-Name set to 'wifitestmac01'
rlm_sql (sql): Reserved connection (1)
(7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id
(7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id
(7) sql: User found in radcheck table
(7) sql: Conditional check items matched, merging assignment check items
(7) sql: Cleartext-Password := "tester555"
(7) sql: MS-CHAP-Use-NTLM-Auth := No
(7) sql: Calling-Station-Id := "24-FB-65-69-06-AF"
(7) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(7) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id
(7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id
(7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority
(7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority
(7) sql: User found in the group table
(7) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(7) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id
(7) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id
(7) sql: Group "wifi_wo-secure": Conditional check items matched
(7) sql: Group "wifi_wo-secure": Merging assignment check items
(7) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(7) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id
(7) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id
(7) sql: Group "wifi_wo-secure": Merging reply items
(7) sql: Huntgroup-Name := "wo-secure"
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.40-MariaDB, protocol version 10
(7) [sql] = ok
(7) [expiration] = noop
(7) [logintime] = noop
(7) pap: WARNING: Auth-Type already set. Not setting to PAP
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0x78a9799278ae6313
(7) eap: Finished EAP session with state 0x78a9799278ae6313
(7) eap: Previous EAP request found for state 0x78a9799278ae6313, released from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) eap_mschapv2: authenticate {
(7) mschap: Found Cleartext-Password, hashing to create NT-Password
(7) mschap: Found Cleartext-Password, hashing to create LM-Password
(7) mschap: Creating challenge hash with username: wifitestmac01
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Adding MS-CHAPv2 MPPE keys
(7) [mschap] = ok
(7) } # authenticate = ok
(7) MSCHAP Success
(7) eap: Sending EAP Request (code 1) ID 8 length 51
(7) eap: EAP session adding &reply:State = 0x78a9799279a16313
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) Huntgroup-Name = "wo-secure"
(7) EAP-Message = 0x010800331a0307002e533d41423746314439413946443643463639353932453639354141353944454243424636423533383944
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x78a9799279a16313f359dd39dd5c9f11
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: Huntgroup-Name = "wo-secure"
(7) eap_peap: EAP-Message = 0x010800331a0307002e533d41423746314439413946443643463639353932453639354141353944454243424636423533383944
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x78a9799279a16313f359dd39dd5c9f11
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: Huntgroup-Name = "wo-secure"
(7) eap_peap: EAP-Message = 0x010800331a0307002e533d41423746314439413946443643463639353932453639354141353944454243424636423533383944
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x78a9799279a16313f359dd39dd5c9f11
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 8 length 82
(7) eap: EAP session adding &reply:State = 0x3bd334c23cdb2d5a
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) Sent Access-Challenge Id 35 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(7) EAP-Message = 0x0108005219001703030047d5ec48bada42fbd4a02ea88aa51ecde0431fc6ac9846f7c0bc036ed64ec4a3c3a48c11c16ba8cdeed9c4ac5890895c8591ac992d69a16fc27bc54f573dc888eb7d087f53f723fd
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x3bd334c23cdb2d5a464d9b22d2e35ffe
(7) Proxy-State = 0x3733
(7) Finished request
Waking up in 4.5 seconds.
(8) Received Access-Request Id 62 from 192.168.70.15:18487 to 192.168.199.69:1812 length 407
(8) Acct-Session-Id = "5D1CA994-67A4B00F"
(8) User-Name = "wifitestmac01"
(8) NAS-IP-Address = 192.168.70.63
(8) NAS-Identifier = "ruckuscontroller"
(8) NAS-Port = 1
(8) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(8) Calling-Station-Id = "24-FB-65-69-06-AF"
(8) Location-Data = 0x31304445170a49542d53657276696365
(8) Service-Type = Framed-User
(8) Chargeable-User-Identity = 0x00
(8) NAS-Port-Type = Wireless-802.11
(8) Connect-Info = "CONNECT 802.11a/n/ac"
(8) EAP-Message = 0x020800251900170303001a0000000000000003559b9229317f3155d7720c582345c83dac3f
(8) State = 0x3bd334c23cdb2d5a464d9b22d2e35ffe
(8) Ruckus-SSID = "test-radius-user+pass"
(8) Ruckus-BSSID = 0x34fa9ffa588e
(8) Ruckus-Location = "IT-Service"
(8) Ruckus-VLAN-ID = 1
(8) Ruckus-SCG-CBlade-IP = 3232253455
(8) Ruckus-Zone-Name = "Detmold"
(8) Ruckus-Wlan-Name = "test-radius-user+pass"
(8) Message-Authenticator = 0x1990281948930e08ef66d420ea1928c8
(8) Proxy-State = 0x3734
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
rlm_ldap (ldap): Reserved connection (2)
(8) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap: --> (name=wifitestmac01)
(8) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: Search returned no results
rlm_ldap (ldap): Released connection (2)
(8) [ldap] = notfound
(8) policy group_authorization {
(8) if (&Huntgroup-Name == "wo-byod") {
(8) ERROR: Failed retrieving values required to evaluate condition
(8) elsif (&Huntgroup-Name == "wo-secure") {
(8) ERROR: Failed retrieving values required to evaluate condition
(8) } # policy group_authorization = notfound
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\./) {
(8) if (&User-Name =~ /(a)\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) policy filter_password {
(8) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(8) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(8) } # policy filter_password = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 37
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x78a9799279a16313
(8) eap: Finished EAP session with state 0x3bd334c23cdb2d5a
(8) eap: Previous EAP request found for state 0x3bd334c23cdb2d5a, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x020800061a03
(8) eap_peap: Setting User-Name to wifitestmac01
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x020800061a03
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "wifitestmac01"
(8) eap_peap: State = 0x78a9799279a16313f359dd39dd5c9f11
(8) eap_peap: Acct-Session-Id = "5D1CA994-67A4B00F"
(8) eap_peap: NAS-IP-Address = 192.168.70.63
(8) eap_peap: NAS-Identifier = "ruckuscontroller"
(8) eap_peap: NAS-Port = 1
(8) eap_peap: Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(8) eap_peap: Calling-Station-Id = "24-FB-65-69-06-AF"
(8) eap_peap: Location-Data = 0x31304445170a49542d53657276696365
(8) eap_peap: Service-Type = Framed-User
(8) eap_peap: Chargeable-User-Identity = 0x00
(8) eap_peap: NAS-Port-Type = Wireless-802.11
(8) eap_peap: Connect-Info = "CONNECT 802.11a/n/ac"
(8) eap_peap: Ruckus-SSID = "test-radius-user+pass"
(8) eap_peap: Ruckus-BSSID = 0x34fa9ffa588e
(8) eap_peap: Ruckus-Location = "IT-Service"
(8) eap_peap: Ruckus-VLAN-ID = 1
(8) eap_peap: Ruckus-SCG-CBlade-IP = 3232253455
(8) eap_peap: Ruckus-Zone-Name = "Detmold"
(8) eap_peap: Ruckus-Wlan-Name = "test-radius-user+pass"
(8) eap_peap: Event-Timestamp = "Jul 3 2019 15:11:54 CEST"
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x020800061a03
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "wifitestmac01"
(8) State = 0x78a9799279a16313f359dd39dd5c9f11
(8) Acct-Session-Id = "5D1CA994-67A4B00F"
(8) NAS-IP-Address = 192.168.70.63
(8) NAS-Identifier = "ruckuscontroller"
(8) NAS-Port = 1
(8) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(8) Calling-Station-Id = "24-FB-65-69-06-AF"
(8) Location-Data = 0x31304445170a49542d53657276696365
(8) Service-Type = Framed-User
(8) Chargeable-User-Identity = 0x00
(8) NAS-Port-Type = Wireless-802.11
(8) Connect-Info = "CONNECT 802.11a/n/ac"
(8) Ruckus-SSID = "test-radius-user+pass"
(8) Ruckus-BSSID = 0x34fa9ffa588e
(8) Ruckus-Location = "IT-Service"
(8) Ruckus-VLAN-ID = 1
(8) Ruckus-SCG-CBlade-IP = 3232253455
(8) Ruckus-Zone-Name = "Detmold"
(8) Ruckus-Wlan-Name = "test-radius-user+pass"
(8) Event-Timestamp = "Jul 3 2019 15:11:54 CEST"
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\./) {
(8) if (&User-Name =~ /(a)\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
(8) sql: EXPAND %{User-Name}
(8) sql: --> wifitestmac01
(8) sql: SQL-User-Name set to 'wifitestmac01'
rlm_sql (sql): Reserved connection (2)
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id
(8) sql: User found in radcheck table
(8) sql: Conditional check items matched, merging assignment check items
(8) sql: Cleartext-Password := "tester555"
(8) sql: MS-CHAP-Use-NTLM-Auth := No
(8) sql: Calling-Station-Id := "24-FB-65-69-06-AF"
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id
(8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(8) sql: --> SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority
(8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority
(8) sql: User found in the group table
(8) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(8) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id
(8) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id
(8) sql: Group "wifi_wo-secure": Conditional check items matched
(8) sql: Group "wifi_wo-secure": Merging assignment check items
(8) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(8) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id
(8) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id
(8) sql: Group "wifi_wo-secure": Merging reply items
(8) sql: Huntgroup-Name := "wo-secure"
rlm_sql (sql): Released connection (2)
(8) [sql] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) pap: WARNING: Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0x78a9799279a16313
(8) eap: Finished EAP session with state 0x78a9799279a16313
(8) eap: Previous EAP request found for state 0x78a9799279a16313, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 8 length 4
(8) eap: Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(8) post-auth {
(8) sql: EXPAND .query
(8) sql: --> .query
(8) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (3)
(8) sql: EXPAND %{User-Name}
(8) sql: --> wifitestmac01
(8) sql: SQL-User-Name set to 'wifitestmac01'
(8) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(8) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.476885')
(8) sql: EXPAND /var/log/radius/sqllog.sql
(8) sql: --> /var/log/radius/sqllog.sql
(8) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.476885')
(8) sql: SQL query returned: success
(8) sql: 1 record(s) updated
rlm_sql (sql): Released connection (3)
(8) [sql] = ok
(8) if (0) {
(8) if (0) -> FALSE
(8) } # post-auth = ok
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) Huntgroup-Name = "wo-secure"
(8) MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) MS-MPPE-Send-Key = 0x09649f4423192a6d5709c19fe5125d4a
(8) MS-MPPE-Recv-Key = 0x6a4b0cefe1f26056c755aaa5f734ce7c
(8) EAP-Message = 0x03080004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) User-Name = "wifitestmac01"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap: Huntgroup-Name = "wo-secure"
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0x09649f4423192a6d5709c19fe5125d4a
(8) eap_peap: MS-MPPE-Recv-Key = 0x6a4b0cefe1f26056c755aaa5f734ce7c
(8) eap_peap: EAP-Message = 0x03080004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "wifitestmac01"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap: Huntgroup-Name = "wo-secure"
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0x09649f4423192a6d5709c19fe5125d4a
(8) eap_peap: MS-MPPE-Recv-Key = 0x6a4b0cefe1f26056c755aaa5f734ce7c
(8) eap_peap: EAP-Message = 0x03080004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "wifitestmac01"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap: Sending EAP Request (code 1) ID 9 length 46
(8) eap: EAP session adding &reply:State = 0x3bd334c233da2d5a
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) Challenge { ... } # empty sub-section is ignored
(8) Sent Access-Challenge Id 62 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(8) EAP-Message = 0x0109002e19001703030023d5ec48bada42fbd57360d536a83db35fd6aa4c397ac57dc6b063543e6a7988551a9ecf
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x3bd334c233da2d5a464d9b22d2e35ffe
(8) Proxy-State = 0x3734
(8) Finished request
Waking up in 4.4 seconds.
(9) Received Access-Request Id 148 from 192.168.70.15:18487 to 192.168.199.69:1812 length 416
(9) Acct-Session-Id = "5D1CA994-67A4B00F"
(9) User-Name = "wifitestmac01"
(9) NAS-IP-Address = 192.168.70.63
(9) NAS-Identifier = "ruckuscontroller"
(9) NAS-Port = 1
(9) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(9) Calling-Station-Id = "24-FB-65-69-06-AF"
(9) Location-Data = 0x31304445170a49542d53657276696365
(9) Service-Type = Framed-User
(9) Chargeable-User-Identity = 0x00
(9) NAS-Port-Type = Wireless-802.11
(9) Connect-Info = "CONNECT 802.11a/n/ac"
(9) EAP-Message = 0x0209002e190017030300230000000000000004e71ecbff60c571603fd792638be1058058177b3ddab992ee20e458
(9) State = 0x3bd334c233da2d5a464d9b22d2e35ffe
(9) Ruckus-SSID = "test-radius-user+pass"
(9) Ruckus-BSSID = 0x34fa9ffa588e
(9) Ruckus-Location = "IT-Service"
(9) Ruckus-VLAN-ID = 1
(9) Ruckus-SCG-CBlade-IP = 3232253455
(9) Ruckus-Zone-Name = "Detmold"
(9) Ruckus-Wlan-Name = "test-radius-user+pass"
(9) Message-Authenticator = 0x162c711631dc2d5883505d06283cda48
(9) Proxy-State = 0x3735
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
rlm_ldap (ldap): Reserved connection (6)
(9) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(9) ldap: --> (name=wifitestmac01)
(9) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(9) ldap: Waiting for search result...
(9) ldap: Search returned no results
rlm_ldap (ldap): Released connection (6)
(9) [ldap] = notfound
(9) policy group_authorization {
(9) if (&Huntgroup-Name == "wo-byod") {
(9) ERROR: Failed retrieving values required to evaluate condition
(9) elsif (&Huntgroup-Name == "wo-secure") {
(9) ERROR: Failed retrieving values required to evaluate condition
(9) } # policy group_authorization = notfound
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\./) {
(9) if (&User-Name =~ /(a)\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) policy filter_password {
(9) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(9) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(9) } # policy filter_password = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 9 length 46
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x3bd334c233da2d5a
(9) eap: Finished EAP session with state 0x3bd334c233da2d5a
(9) eap: Previous EAP request found for state 0x3bd334c233da2d5a, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap: Sending EAP Success (code 3) ID 9 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(9) post-auth {
(9) update {
(9) No attributes updated
(9) } # update = noop
(9) sql: EXPAND .query
(9) sql: --> .query
(9) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(9) sql: EXPAND %{User-Name}
(9) sql: --> wifitestmac01
(9) sql: SQL-User-Name set to 'wifitestmac01'
(9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(9) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.531951')
(9) sql: EXPAND /var/log/radius/sqllog.sql
(9) sql: --> /var/log/radius/sqllog.sql
(9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.531951')
(9) sql: SQL query returned: success
(9) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(9) [sql] = ok
(9) [exec] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) } # post-auth = ok
(9) Sent Access-Accept Id 148 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(9) MS-MPPE-Recv-Key = 0xa63d5b43df19ab6338895fc4f40050e4990bc4207f4412edceb938cf1fcadd3e
(9) MS-MPPE-Send-Key = 0x29dabf22b9bda920c708becdd0886e0a8216f4d5881268045a296076fd901b90
(9) EAP-Message = 0x03090004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name = "wifitestmac01"
(9) Proxy-State = 0x3735
(9) Finished request
Waking up in 4.4 seconds.
(0) Cleaning up request packet ID 118 with timestamp +48
2
1
04 Jul '19
Hi,
I’m having a bit of trouble with getting the inner-tunnel username to
appear in the outgoing Access-Accept packet.
Background info
FR 3.0.19
Collaboration with York City council to provide eduroam in city centre. As
auth and traffic comes via us we need then to send appropriate accounting
info back to us hence the need to pass back a valid username in the
access-accept instead of just an anonymous one
Am using sesion-state to pass inner User-Name back to the outer reply
I’ve selectively enabled debugging at both the inner and outer level just
for auth requests that have an outer anonymous user-name of @york.ac.uk.
and an inner User-Name of <fred>@york.ac.uk. For those people that haven’t
configured their clients properly and have outer=inner=userid(a)york.ac.uk …
stuff works :-(
Long and short of it is I can either have the anonymous outer realm in the
access-accept user-name or have both the outer and inner user-names in the
access accept packet which is illegal.
What am I doing wrong?
Rgds
Alex
Outer processing as shown below
//////////////////////
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
#
# We might have to debug some traffic
#
if ( ("%{client:shortname}" == "yorkcc") && (User-Name == "@
york.ac.uk") ) {
update control {
Tmp-String-2 := "%{debug:1}"
}
}
#
# If you need to have a State attribute, you can
# add it here. e.g. for later CoA-Request with
# State, and Service-Type = Authorize-Only.
#
# if (!&reply:State) {
# update reply {
# State := "0x%{randstr:16h}"
# }
# }
#
# For EAP-TTLS and PEAP, add the cached attributes to the reply.
# The "session-state" attributes are automatically cached when
# an Access-Challenge is sent, and automatically retrieved
# when an Access-Request is received.
#
# The session-state attributes are automatically deleted after
# an Access-Reject or Access-Accept is sent.
#
# If both session-state and reply contain a User-Name attribute,
remove
# the one in the reply if it is just a copy of the one in the
request, so
# we don't end up with two User-Name attributes.
if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name) ) {
update reply {
User-Name !* ANY
}
}
# Just to make really sure
update reply {
User-Name !* ANY
}
# if ( session-state:User-Name !="@york.ac.uk" &&
session-state:User-Name =~ /york.ac.uk$/i) {
# update reply {
# User-Name := session-state:User-Name
# }
# }
#
# So this should put the inner User-name into the reply ... but it doesn't
#
update {
&reply: += &session-state:
}
# Get an address from the IP Pool.
# main_pool
# Create the CUI value and add the attribute to Access-Accept.
# Uncomment the line below if *returning* the CUI.
cui
# Create empty accounting session to make simultaneous check
# more robust. See the accounting queries configuration in
# raddb/mods-config/sql/main/*/queries.conf for details.
#
# The "sql_session_start" policy is defined in
# raddb/policy.d/accounting. See that file for more details.
# sql_session_start
#
# If you want to have a log of authentication replies,
# un-comment the following line, and enable the
# 'detail reply_log' module.
# reply_log
#
# After authenticating the user, do another SQL query.
#
# See "Authentication Logging Queries" in mods-available/sql
#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log
#
# Un-comment the following if you want to modify the user's object
# in LDAP after a successful login.
#
# ldap
# For Exec-Program and Exec-Program-Wait
exec
#
# Calculate the various WiMAX keys. In order for this to work,
# you will need to define the WiMAX NAI, usually via
#
# update request {
# WiMAX-MN-NAI = "%{User-Name}"
# }
#
# If you want various keys to be calculated, you will need to
# update the reply with "template" values. The module will see
# this, and replace the template values with the correct ones
# taken from the cryptographic calculations. e.g.
#
# update reply {
# WiMAX-FA-RK-Key = 0x00
# WiMAX-MSK = "%{EAP-MSK}"
# }
#
# You may want to delete the MS-MPPE-*-Keys from the reply,
# as some WiMAX clients behave badly when those attributes
# are included. See "raddb/modules/wimax", configuration
# entry "delete_mppe_keys" for more information.
#
# wimax
# If there is a client certificate (EAP-TLS, sometimes PEAP
# and TTLS), then some attributes are filled out after the
# certificate verification has been performed. These fields
# MAY be available during the authentication, or they may be
# available only in the "post-auth" section.
#
# The first set of attributes contains information about the
# issuing certificate which is being used. The second
# contains information about the client certificate (if
# available).
#
# update reply {
# Reply-Message += "%{TLS-Cert-Serial}"
# Reply-Message += "%{TLS-Cert-Expiration}"
# Reply-Message += "%{TLS-Cert-Subject}"
# Reply-Message += "%{TLS-Cert-Issuer}"
# Reply-Message += "%{TLS-Cert-Common-Name}"
# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
#
# Reply-Message += "%{TLS-Client-Cert-Serial}"
# Reply-Message += "%{TLS-Client-Cert-Expiration}"
# Reply-Message += "%{TLS-Client-Cert-Subject}"
# Reply-Message += "%{TLS-Client-Cert-Issuer}"
# Reply-Message += "%{TLS-Client-Cert-Common-Name}"
# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
# }
# Insert class attribute (with unique value) into response,
# aids matching auth and acct records, and protects against duplicate
# Acct-Session-Id. Note: Only works if the NAS has implemented
# RFC 2865 behaviour for the class attribute, AND if the NAS
# supports long Class attributes. Many older or cheap NASes
# only support 16-octet Class attributes.
insert_acct_class
# MacSEC requires the use of EAP-Key-Name. However, we don't
# want to send it for all EAP sessions. Therefore, the EAP
# modules put required data into the EAP-Session-Id attribute.
# This attribute is never put into a request or reply packet.
#
# Uncomment the next few lines to copy the required data into
# the EAP-Key-Name attribute
# if (&reply:EAP-Session-Id) {
# update reply {
# EAP-Key-Name := &reply:EAP-Session-Id
# }
# }
# Remove reply message if the response contains an EAP-Message
remove_reply_message_if_eap
#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
#
# Add the ldap module name (or instance) if you have set
# 'edir_account_policy_check = yes' in the ldap module configuration
#
# The "session-state" attributes are not available here.
#
Post-Auth-Type REJECT {
# log failed authentications in SQL, too.
if (User-Name != "cisco-probe") {
detail-filebeat
-sql
}
attr_filter.access_reject
# Insert EAP-Failure message if the request was
# rejected by policy instead of because of an
# authentication failure
eap
# Remove reply message if the response contains an EAP-Message
remove_reply_message_if_eap
}
#
# Filter access challenges.
#
Post-Auth-Type Challenge {
# remove_reply_message_if_eap
# attr_filter.access_challenge.post-auth
}
}
/////////////////////
The debugging inn radius log shows an ear auth request with an
access-accepts packet with a User-Name of @york.ac.uk see below. If I
enabled auth_log I’d see the same thing
Wed Jul 3 15:43:17 2019 : Debug: (924582) Virtual server inner-tunnel
received request
Wed Jul 3 15:43:17 2019 : Debug: (924582) EAP-Message = 0x020a00061a03
Wed Jul 3 15:43:17 2019 : Debug: (924582) FreeRADIUS-Proxied-To =
127.0.0.1
Wed Jul 3 15:43:17 2019 : Debug: (924582) User-Name = "em878(a)york.ac.uk"
Wed Jul 3 15:43:17 2019 : Debug: (924582) State =
0xdcc2c059ddc8da2ddc351a9518782ae0
Wed Jul 3 15:43:17 2019 : Debug: (924582) server inner-tunnel {
Wed Jul 3 15:43:17 2019 : Debug: (924582) # Executing section authorize
from file /etc/freeradius/sites-enabled/inner-tunnel
Wed Jul 3 15:43:17 2019 : Debug: (924582) # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
Wed Jul 3 15:43:17 2019 : Debug: (924582) eap: Expiring EAP session with
state 0xcce8732ccce16987
Wed Jul 3 15:43:17 2019 : Debug: (924582) eap: Finished EAP session with
state 0xdcc2c059ddc8da2d
Wed Jul 3 15:43:17 2019 : Debug: (924582) eap: Previous EAP request found
for state 0xdcc2c059ddc8da2d, released from the list
Wed Jul 3 15:43:17 2019 : Debug: (924582) # Executing section post-auth
from file /etc/freeradius/sites-enabled/inner-tunnel
Wed Jul 3 15:43:17 2019 : Debug: (924582) sql: SQL query returned: success
Wed Jul 3 15:43:17 2019 : Debug: (924582) sql: 1 record(s) updated
Wed Jul 3 15:43:17 2019 : Auth: (924582) Login OK: [em878(a)york.ac.uk]
(from client yorkcc port 0 via TLS tunnel)
Wed Jul 3 15:43:17 2019 : Debug: (924582) } # server inner-tunnel
Wed Jul 3 15:43:17 2019 : Debug: (924582) Virtual server sending reply
Wed Jul 3 15:43:17 2019 : Debug: (924582) Chargeable-User-Identity :=
0x65323133646431353864366238373633383037396534656632373539383264386439363136623863
Wed Jul 3 15:43:17 2019 : Debug: (924582) eap: EAP session adding
&reply:State = 0x6782f4146d89edcd
Wed Jul 3 15:43:17 2019 : Debug: (924582) # Executing group from file
/etc/freeradius/sites-enabled/eduroam
Wed Jul 3 15:43:17 2019 : Debug: (924582) TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
Wed Jul 3 15:43:17 2019 : Debug: (924582) TLS-Session-Version = "TLS 1.2"
Wed Jul 3 15:43:17 2019 : Debug: (924582) User-Name := "em878(a)york.ac.uk"
Wed Jul 3 15:43:17 2019 : Debug: (924582) Chargeable-User-Identity +=
0x65323133646431353864366238373633383037396534656632373539383264386439363136623863
Wed Jul 3 15:43:17 2019 : Debug: (924582) Sent Access-Challenge Id 77 from
144.32.129.2:1812 to 10.237.0.3:40803 length 0
Wed Jul 3 15:43:17 2019 : Debug: (924582) EAP-Message =
0x010b002e1900170303002353ff18d19f60e380f99ac2de9f86b64211108cd7e8ba6fdf64afc0fb7c6e1638ad466f
Wed Jul 3 15:43:17 2019 : Debug: (924582) Message-Authenticator =
0x00000000000000000000000000000000
Wed Jul 3 15:43:17 2019 : Debug: (924582) State =
0x6782f4146d89edcd473492427f93e0e2
Wed Jul 3 15:43:17 2019 : Debug: (924583) # Executing group from file
/etc/freeradius/sites-enabled/eduroam
Wed Jul 3 15:43:17 2019 : Debug: (924583) eap: Expiring EAP session with
state 0xcce8732ccce16987
Wed Jul 3 15:43:17 2019 : Debug: (924583) eap: Finished EAP session with
state 0x6782f4146d89edcd
Wed Jul 3 15:43:17 2019 : Debug: (924583) eap: Previous EAP request found
for state 0x6782f4146d89edcd, released from the list
Wed Jul 3 15:43:17 2019 : Debug: (924583) # Executing section post-auth
from file /etc/freeradius/sites-enabled/eduroam
Wed Jul 3 15:43:17 2019 : Debug: (924583) cuisql: SQL query returned:
success
Wed Jul 3 15:43:17 2019 : Debug: (924583) cuisql: 0 record(s) updated
Wed Jul 3 15:43:17 2019 : Debug: (924583) cuisql: No additional queries
configured
Wed Jul 3 15:43:17 2019 : Debug: (924583) sql: SQL query returned: success
Wed Jul 3 15:43:17 2019 : Debug: (924583) sql: 1 record(s) updated
Wed Jul 3 15:43:17 2019 : Auth: (924583) Login OK: [@york.ac.uk] (from
client yorkcc port 32 cli A8-5C-2C-51-B6-93)
Wed Jul 3 15:43:17 2019 : Debug: (924583) Sent Access-Accept Id 78 from
144.32.129.2:1812 to 10.237.0.3:40803 length 0
Wed Jul 3 15:43:17 2019 : Debug: (924583) MS-MPPE-Recv-Key =
0xdd0b78bdc3d590ab0f52b72a6249c0cb737d5be7ceab405265a8f60d6a9ce835
Wed Jul 3 15:43:17 2019 : Debug: (924583) MS-MPPE-Send-Key =
0xa84727723cbe1877c2d43913627ccb09c3d960e4729ec04fec6f127bec384b70
Wed Jul 3 15:43:17 2019 : Debug: (924583) EAP-Message = 0x030b0004
Wed Jul 3 15:43:17 2019 : Debug: (924583) Message-Authenticator =
0x00000000000000000000000000000000
Wed Jul 3 15:43:17 2019 : Debug: (924583) User-Name := "@york.ac.uk"
Wed Jul 3 15:43:17 2019 : Debug: (924583) Chargeable-User-Identity +=
0x65323133646431353864366238373633383037396534656632373539383264386439363136623863
Wed Jul 3 15:43:17 2019 : Debug: (924583) Class =
0x656475726f616d312e796f726b2e61632e756b61693a3564333131653730306537613431663661643362343666323863646236313239
///////////
If I explicitly add the session-state User-Name value to the reply packet
by uncommenting the
# if ( session-state:User-Name !="@york.ac.uk" &&
session-state:User-Name =~ /york.ac.uk$/i) {
# update reply {
# User-Name := session-state:User-Name
# }
# }
Then what I get are two User-Names in the Access -Accept packet.. both the
outer and the inner … see below
Wed Jul 3 16:13:26 2019 : Auth: (9706) Login OK: [kp951(a)york.ac.uk]
(from client yorkcc port 0 via TLS tunnel)
Wed Jul 3 16:13:26 2019 : Debug: (9706) } # server inner-tunnel
Wed Jul 3 16:13:26 2019 : Debug: (9706) Virtual server sending reply
Wed Jul 3 16:13:26 2019 : Debug: (9706) Chargeable-User-Identity :=
0x33386639326231363161646238323162336336646461313566373563316230326233323163643263
Wed Jul 3 16:13:26 2019 : Debug: (9706) eap: EAP session adding
&reply:State = 0x4d9c1fde47970696
Wed Jul 3 16:13:26 2019 : Debug: (9706) # Executing group from file
/etc/freeradius/sites-enabled/eduroam
Wed Jul 3 16:13:26 2019 : Debug: (9706) TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES128-GCM-SHA256"
Wed Jul 3 16:13:26 2019 : Debug: (9706) TLS-Session-Version = "TLS 1.2"
Wed Jul 3 16:13:26 2019 : Debug: (9706) User-Name := "kp951(a)york.ac.uk"
Wed Jul 3 16:13:26 2019 : Debug: (9706) Chargeable-User-Identity +=
0x33386639326231363161646238323162336336646461313566373563316230326233323163643263
Wed Jul 3 16:13:26 2019 : Debug: (9706) Sent Access-Challenge Id 105 from
144.32.129.2:1812 to 10.237.0.3:35838 length 0
Wed Jul 3 16:13:26 2019 : Debug: (9706) EAP-Message =
0x010b002e19001703030023ebc680c47273a6f5925d906f94c12e86f19d43045b2b2a030efd6968dc6e715679ca85
Wed Jul 3 16:13:26 2019 : Debug: (9706) Message-Authenticator =
0x00000000000000000000000000000000
Wed Jul 3 16:13:26 2019 : Debug: (9706) State =
0x4d9c1fde47970696b6b09be82cc57d97
Wed Jul 3 16:13:26 2019 : Debug: (9708) # Executing group from file
/etc/freeradius/sites-enabled/eduroam
Wed Jul 3 16:13:26 2019 : Debug: (9708) eap: Expiring EAP session with
state 0x2ce89ba92ce98291
Wed Jul 3 16:13:26 2019 : Debug: (9708) eap: Finished EAP session with
state 0x4d9c1fde47970696
Wed Jul 3 16:13:26 2019 : Debug: (9708) eap: Previous EAP request found
for state 0x4d9c1fde47970696, released from the list
Wed Jul 3 16:13:26 2019 : Debug: (9708) # Executing section post-auth from
file /etc/freeradius/sites-enabled/eduroam
Wed Jul 3 16:13:26 2019 : Debug: (9708) cuisql: SQL query returned: success
Wed Jul 3 16:13:26 2019 : Debug: (9708) cuisql: 0 record(s) updated
Wed Jul 3 16:13:26 2019 : Debug: (9708) cuisql: No additional queries
configured
Wed Jul 3 16:13:26 2019 : Debug: (9708) sql: SQL query returned: success
Wed Jul 3 16:13:26 2019 : Debug: (9708) sql: 1 record(s) updated
Wed Jul 3 16:13:26 2019 : Auth: (9708) Login OK: [@york.ac.uk] (from
client yorkcc port 88 cli 24-18-1D-38-15-06)
Wed Jul 3 16:13:26 2019 : Debug: (9708) Sent Access-Accept Id 106 from
144.32.129.2:1812 to 10.237.0.3:35838 length 0
Wed Jul 3 16:13:26 2019 : Debug: (9708) MS-MPPE-Recv-Key =
0xa2d4dd7ba73b43f9caa398ee2aec52ef4acb5568c70099a88582dd5a7ce79611
Wed Jul 3 16:13:26 2019 : Debug: (9708) MS-MPPE-Send-Key =
0x60347e94d1057b1ad051aff95b77af98fa4b1d56088e3b73ce307e7ae9b0ffe6
Wed Jul 3 16:13:26 2019 : Debug: (9708) EAP-Message = 0x030b0004
Wed Jul 3 16:13:26 2019 : Debug: (9708) Message-Authenticator =
0x00000000000000000000000000000000
Wed Jul 3 16:13:26 2019 : Debug: (9708) User-Name := "@york.ac.uk"
Wed Jul 3 16:13:26 2019 : Debug: (9708) User-Name += "kp951(a)york.ac.uk"
Wed Jul 3 16:13:26 2019 : Debug: (9708) Chargeable-User-Identity +=
0x33386639326231363161646238323162336336646461313566373563316230326233323163643263
Wed Jul 3 16:13:26 2019 : Debug: (9708) Class =
0x656475726f616d312e796f726b2e61632e756b61693a3839616465343166376130313464353535356464663466313739306565663432
2
2
Hello,
Some time ago i've configured a freeeradius file so freeradius could behave
in the next way:
If an access-request is received and the user (Limited to one simultaneous
use) has a previous session with the same mac-address, close the session
and validate the user request.
I've been searching for this configuration for two days now and i'm not
able to find it. Does anyone has this configuration so you can share it
with us?
Best regards, Juanjo.
2
1