Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
February 2021
- 34 participants
- 41 discussions
Version 3.0.16, running on Ubuntu 18.04.
While running freeradius -X and trying to connect a user (Ubiquiti
controller), I see "eap_peap: ERROR: TLS Alert read:fatal:unknown CA".
/etc/freeradius/3.0/mods-enabled/eap has its tls-config tls-common section
like
private_key_file = /etc/freeradius/3.0/certs/letsencrypt/privkey.pem
certificate_file = /etc/freeradius/3.0/certs/letsencrypt/cert.pem
ca_file = /etc/ssl/certs/ca-certificates.crt
My CA was copied to /usr/local/share/ca-certificates/ and ran
dpkg-reconfigure ca-certificates. I then checked ca-certificates.crt and
confirmed my CA was appended to the bottom.
3
17
Comments on Active Directory IdP and YubiKey OTP integration that supports MS-CHAP v2
by David Herselman 23 Feb '21
by David Herselman 23 Feb '21
23 Feb '21
Hi,
I was hoping the following may provide a more complete start to finish integration guide for others that may have similar requirements. I would very much like to invite dialogue regarding any recommendations anyone may have.
Our requirements were:
* RADIUS servers domain joined to handle PAP and MS-CHAP v2 authentication using information only from Active Directory
* We do not want to store credentials in AD with reversible encryption
* AD Group membership validation based on source
* Yubico OTP Multi-Factor Authentication (MFA)
System are domain joined as member servers using Samba. Samba winbind subsequently presents users and groups as native system accounts, which allows references to just the group name and unlike LDAP does not make the link sensitive to the placement of the security group within the AD folders or organisational units (distinguished name or DN). Password Authentication Protocol (PAP) transmits unencrypted passwords (i.e. plain-text) over the network so connectivity should be encrypted using either IPSec or TLS (RadSec or EAP-TTLS). MS-CHAP v2 provides mutual authentication and uses a hash of the password. This means that the request only includes a hash representing the password, so there is nothing to cut the password and OTP out of. One can however transmit the OTP as the username and then lookup the associated owner's AD account name for FreeRADIUS to retrieve the hash used during authentication via Samba winbind.
Yubico devices generate a unique 32 character modhex passcode each time you press the button on a YubiKey 5 or scan it using NFC. This passcode comes after a 12 character public id, which is unique to each YubiKey. We therefore have two method of transmitting the OTP during login. The first is the classic RSA token method (although reversed) where we use our username, type our password and then press the YubiKey button, herewith an example:
Username: davidh
Password: secretcccccct00001krbhnvrjrdlujuujdcjvltdcrdkhhtit
This method requires PAP, as we require the client to transmit the entered credentials, so that we can cut the information in to a password and Yubico OTP.
The alternative is to make use of the YubiKey's public ID to lookup the AD username. This method works for PAP and allows MS-CHAP v2 authentication, herewith an example:
Username: cccccct00001krbhnvrjrdlujuujdcjvltdcrdkhhtit
Password: secret
In the second case we type out password out and then press the YubiKey when prompted for the username. Devices we were authenticating to are generally switches and routers where we can transmit attributes as part of the access accept message to grant eg access permissions. Some platforms however (eg Check Point Management and VyOS) require user accounts to be defined, in those cases you are stuck with PAP being the only possible integration.
PS: All is not lost, if you implement a jump host that you enforce MFA access to, which in turn simply uses single factor.
Additional detail on the Yubico OTP is available directly from Yubico:
https://developers.yubico.com/OTP/OTPs_Explained.html
The following notes pertain to a Debian buster (10) install, they would require path changes but should in essence work on any Linux distribution.
Join system to Active Directory:
apt-get install libnss-winbind samba winbind;
pico /etc/krb5.conf
[libdefaults]
default_realm = AD.ACME.COM
dns_lookup_realm = false
dns_lookup_kdc = true
pico /etc/samba/smb.conf
[---------------------------------------- /etc/samba/smb.conf ----------------------------------------]
[global]
server role = member server
workgroup = ACME
realm = ad.acme.com
netbios name = FreeRADIUS1
server string = FreeRADIUS and Yubico OTP
bind interfaces only = yes
interfaces = 127.0.0.1/8 192.168.1.48/24
ntlm auth = mschapv2-and-ntlmv2-only
guest account = nobody
idmap cache time = 300
kerberos method = system keytab
idmap config * : backend = tdb
idmap config * : range = 100001-120000
idmap config Domain-01 : backend = rid
idmap config Domain-01 : range = 1000-100000
template homedir = /home/users/%U
template shell = /sbin/nologin
log level = 2
log file = /var/log/samba/%m.log
enable core files = no
max log size = 50
dont descend = /dev, /mirror, /proc
time server = no
wins support = no
map acl inherit = yes
store dos attributes = yes
printing = cups
cups options = raw
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind expand groups = 2
[nobody]
path = /dev/null
comment = Access denied - Guest
guest ok = no
printable = no
browseable = no
[---------------------------------------- /etc/samba/smb.conf ----------------------------------------]
net ads join -U adm-domain-davidh;
systemctl restart smbd;
pico /etc/nsswitch.conf;
# Append 'winbind' to 'passwd' and 'group'
Check winbind and ntlm_auth authentication are working:
wbinfo -t
ntlm_auth --allow-mschapv2 --request-nt-key --domain=ACME --username=davidh
pico /etc/group /etc/gshadow
# Add 'freerad' to 'winbindd_priv:'
Finally check that you are able to retrieve users and groups as if they were local users:
getent passwd davidh
getent group client_cpe_admin
Install FreeRADIUS with the YubiKey module:
apt-get install freeradius-yubikey
If necessary set shortname on defined clients to apply different AD group membership or altering what reply attributes are sent back
/etc/freeradius/3.0/clients.conf
# Hash out existing active lines, then append:
client fw1.acme.com {
ipaddr = 192.168.10.1
secret = ****************
require_message_authenticator = yes
nastype = other
shortname = checkpoint
}
client switch6.acme.com {
ipaddr = 192.168.20.7
secret = ****************
require_message_authenticator = yes
nastype = cisco
shortname = client_cpe
}
Define custom attributes:
/etc/freeradius/3.0/dictionary.custom
ATTRIBUTE sAMAccountName 3000 string
ATTRIBUTE Original-User-Name 3001 string
Sample Livingston style users file, in this case for use with MikroTik RouterOS, make as many as you need with whatever reply attributes you require:
/etc/freeradius/3.0/users
DEFAULT FreeRADIUS-Client-Shortname == "client_cpe", Group == "client_cpe_view"
Mikrotik-Group = "view"
DEFAULT FreeRADIUS-Client-Shortname == "client_cpe", Group == "client_cpe_admin"
Mikrotik-Group = "full"
DEFAULT FreeRADIUS-Client-Shortname == "client_cpe", Auth-Type := Reject
Reply-Message = "Access Denied - Not a member of any client_cpe security groups"
DEFAULT Auth-Type := Reject
Reply-Message = "Access Denied"
Edit MS-CHAP v2 module to use winbind and alter the username:
/etc/freeradius/3.0/mods-available/mschap
winbind_username = "%{%{sAMAccountName}:-%{mschap:User-Name}}"
winbind_domain = "%{mschap:NT-Domain}"
Add 'allow-mschapv2' and again change the username expansion variable:
/etc/freeradius/3.0/mods-available/ntlm_auth
program = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=DOMAIN-01 --username=%{%{sAMAccountName}:-%{mschap:User-Name}} --password=%{User-Password}"
Register for a Yubico API integration account and then enable and configure the module:
cd /etc/freeradius/3.0/mods-enabled;
ln -s ../mods-available/yubikey yubikey;
/etc/freeradius/3.0/mods-enabled/yubikey
validate = yes
client_id = *****
api_key = '****************************'
The following changes are all in
/etc/freeradius/3.0/sites-available/default
Hash out 'pap', we'll force NTLMv2 by obtaining a hash of the password hash from AD with each authentication request and perform necessary operations on the plain text password we receive as part of the request
After 'preprocess' in 'authorize {'
if (&User-Name =~ /^([cbdefghijklnrtuv]{44})$/) {
update request {Yubikey-OTP = "%{1}"}
} elsif (&User-Password =~ /^(.+?)([cbdefghijklnrtuv]{44})$/) {
update request {User-Password := "%{1}", Yubikey-OTP = "%{2}"}
}
if (&Yubikey-OTP =~ /^([cbdefghijklnrtuv]{12})/) {
switch "%{1}" {
case cccccct00001 {update request {sAMAccountName = "davidh"}}
case cccccct00002 {update request {sAMAccountName = "philipo"}}
}
if (!&sAMAccountName || (&User-Name != &Yubikey-OTP && &User-Name != &sAMAccountName)) {
update reply {Reply-Message := "Unregistered or user mismatch"}
reject
}
}
Before and after 'files' in 'authorize {'
update request {FreeRADIUS-Client-Shortname = "%{Client-Shortname}"}
if (&sAMAccountName && &User-Name != &sAMAccountName) {
update request {
Original-User-Name := "%{User-Name}",
User-Name := "%{sAMAccountName}"}}
files
if (&Original-User-Name) {update request {User-Name := "%{Original-User-Name}"}}
End of 'authorize {'
if (&control:Auth-Type == "mschap") {
if (&Yubikey-OTP) {
update control {Auth-Type := "YubiCHAP"}
} else {update control {Auth-Type := "MS-CHAP"}}
if (!control:Auth-Type && User-Password) {
if (&Yubikey-OTP) {
update control {Auth-Type := "YubiNTLM"}
} else {update control {Auth-Type := "ntlm_auth"}}
}
Exclusively have the following in 'authenticate {'
Auth-Type MS-CHAP {
mschap
}
Auth-Type YubiCHAP {
mschap
yubikey
}
Auth-Type ntlm_auth {
ntlm_auth
}
Auth-Type YubiNTLM {
ntlm_auth
yubikey
}
Beginning of 'post-auth {'
if (&sAMAccountName && &User-Name != &sAMAccountName) {update request {User-Name := "%{sAMAccountName}"}}
Beginning of 'Post-Auth-Type REJECT {'
if (&sAMAccountName && &User-Name == &Yubikey-OTP) {update request {User-Name := "%{sAMAccountName}"}}
Herewith all active lines, as a comparative to where you've ended up:
[---------------------------------------- grep -v '^\s*#\|^\s*$' /etc/freeradius/3.0/sites-enabled/default ----------------------------------------]
server default {
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
listen {
type = auth
ipv6addr = :: # any. ::1 == localhost
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipv6addr = ::
port = 0
type = acct
limit {
}
}
authorize {
filter_username
preprocess
if (&User-Name =~ /^([cbdefghijklnrtuv]{44})$/) {
update request {Yubikey-OTP = "%{1}"}
} elsif (&User-Password =~ /^(.+?)([cbdefghijklnrtuv]{44})$/) {
update request {User-Password := "%{1}", Yubikey-OTP = "%{2}"}
}
if (&Yubikey-OTP =~ /^([cbdefghijklnrtuv]{12})/) {
switch "%{1}" {
case cccccct0001 {update request {sAMAccountName = "davidh"}}
case cccccct0002 {update request {sAMAccountName = "philipo"}}
}
if (!&sAMAccountName || (&User-Name != &Yubikey-OTP && &User-Name != &sAMAccountName)) {
update reply {Reply-Message := "Unregistered or user missmatch"}
reject
}
}
chap
mschap
digest
suffix
eap {
ok = return
}
update request {FreeRADIUS-Client-Shortname = "%{Client-Shortname}"}
if (&sAMAccountName && &User-Name != &sAMAccountName) {
update request {
Original-User-Name := "%{User-Name}",
User-Name := "%{sAMAccountName}"}}
files
if (&Original-User-Name) {update request {User-Name := "%{Original-User-Name}"}}
-sql
-ldap
expiration
logintime
if (&control:Auth-Type == "mschap") {
if (&Yubikey-OTP) {
update control {Auth-Type := "YubiCHAP"}
} else {update control {Auth-Type := "MS-CHAP"}}
}
if (!control:Auth-Type && User-Password) {
if (&Yubikey-OTP) {
update control {Auth-Type := "YubiNTLM"}
} else {update control {Auth-Type := "ntlm_auth"}}
}
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
Auth-Type YubiCHAP {
mschap
yubikey
}
Auth-Type ntlm_auth {
ntlm_auth
}
Auth-Type YubiNTLM {
ntlm_auth
yubikey
}
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
-sql
exec
attr_filter.accounting_response
}
session {
}
post-auth {
if (&sAMAccountName && &User-Name != &sAMAccountName) {update request {User-Name := "%{sAMAccountName}"}}
update {
&reply: += &session-state:
}
-sql
exec
remove_reply_message_if_eap
Post-Auth-Type REJECT {
if (&sAMAccountName && &User-Name == &Yubikey-OTP) {update request {User-Name := "%{sAMAccountName}"}}
-sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
Post-Auth-Type Challenge {
}
}
pre-proxy {
}
post-proxy {
eap
}
}
[---------------------------------------- grep -v '^\s*#\|^\s*$' /etc/freeradius/3.0/sites-enabled/default ----------------------------------------]
NB: Once everyone has a YubiKey hash out the single factor authenticate options (Auth-Type MS-CHAP and Auth-Type ntlm_auth) methods or update unlang to exempt 2FA from jump hosts or NMS.
Unvalidated idea for users file:
DEFAULT Yubikey-OTP !* "", Packet-Src-IP-Address !~ /192\.168\.14\./, Auth-Type := Reject
Reply-Message = "Access Denied - 2FA required"
Regards
David Herselman
2
3
Hi FreeRadius support,
I would like to remove my email account from the mailing list as I am being spam by email non-related by other users.
Regards,
Yew Fong
Off-in-Lieu
Planning: Nil
Annual Leave
Planning: 5th, 12th, 19th, 25th and 26th Mar 2021
National Reservist Leave
23rd Apr to 6th May 2021
Fujitsu Asia Pte Ltd
Nexus @One-North
1 Fusionopolis Link, #04-01
Singapore 138542
DID: +65 6512 7525
Mobile: +65 9794 6548
E-mail: yewfong.chua(a)fujitsu.com<mailto:yewfong.chua@fujitsu.com>
Web: http://sg.fujitsu.com<http://sg.fujitsu.com/> | LinkedIn: www.linkedin.com/company/fujitsu-asia<http://www.linkedin.com/company/fujitsu-asia>
2
1
Hi!
Is it possible to configure FR to write the last authentication attempt from a client (NAS) to LDAP?
For users I can set this:
https://bitbucket.org/code-orange/django-cdstack-tpl-accessradius/src/cad14…
Is there something similar for the clients? I'm interested in the same attribute update to see which clients are dead.
Thank you.
Kind regards
Kevin
2
3
Hi,
We unfortunately have network devices which exclusively support MSCHAPv2 but have had excellent success using freeradius 3.0.17 with Samba Winbind.
I presume freeRADIUS has built-in support to masquerade the presented username, as the mschap config file references the following:
winbind_username = "%{mschap:User-Name}"
winbind_domain = "%{mschap:NT-Domain}"
I'm aware of MS-CHAPv2 proving knowledge of the password and previously assumed that it only applied to the password hash exchanges. My Google-Fo however lead me to an article titled Understanding PEAP In-Depth, where values initiators and radius generate is summarised as:
Initiator:
AuthenticatorChallenge = b''.fromhex('f5 b8 ad ee e9 ff 08 15 dd 83 e8 2d 89 6e eb 2a')
PeerChallenge = b''.fromhex('e3 32 bf 8e c5 37 e5 72 1d 0d 9a 0e e4 40 46 d6')
chap = MSCHAPV2(UserName, Password, AuthenticatorChallenge, PeerChallenge)
PasswordHash = chap.NtPasswordHash(Password)
Challenge = chap.ChallengeHash(PeerChallenge, AuthenticatorChallenge, UserName)
NTResponse = chap.ChallengeResponse(Challenge, PasswordHash)
print ('Challenge : '+Challenge.hex())
print ('NTResponse: '+NTResponse.hex())
radius:
AuthenticatorChallenge = b''.fromhex('f5 b8 ad ee e9 ff 08 15 dd 83 e8 2d 89 6e eb 2a')
PeerChallenge = b''.fromhex('e3 32 bf 8e c5 37 e5 72 1d 0d 9a 0e e4 40 46 d6')
chap = MSCHAPV2(UserName, Password, AuthenticatorChallenge, PeerChallenge)
NTResponse = b''.fromhex('6c da db 80 dd 53 10 b8 05 f2 a0 da 9b b4 5e ad 51 ee 65 34 4c 95 e6 00')
PasswordHash = chap.NtPasswordHash(Password)
AuthenticatorResponse = chap.GenerateAuthenticatorResponse(Password, NTResponse, PeerChallenge, AuthenticatorChallenge, UserName)
print('Authenticator Response: ' + AuthenticatorResponse)
I presume FR generates the AuthenticatorResponse after obtaining the NTResponse from winbind, after feeding it winbind_username?
If that is the case, would it be feasible to replace winbind_username and have FR handle all the wizardry?
I'd like to essentially transform a MSCHAPv2 client using USERNAME/PASSWORD to winbind authenticating this as USER2/PASSWORD.
Why? I was hoping to implement 2FA by using my AD password as per normal, only replacing my username with the 44 char string that a YubiKey touch operation spits out via the USB HID keyboard. The prefix of this string is a globally unique 12 character fixed ID, unique to each key. This way I could lookup the username prefix in a file and then set winbind_username as the AD account name that key belong to. Thought process was to reject requests were the prefix wasn't found, then authenticate to AD using the username we looked up, check group membership and finally validate the Yubico OTP (the username supplied originally) against YubiCo validation servers.
[cid:image001.png@01D703BA.131606D0]
References:
* Understanding PEAP In-Depth
https://sensepost.com/blog/2019/understanding-peap-in-depth/
* Yubico OTPs Explained
https://developers.yubico.com/OTP/OTPs_Explained.html
Regards
David Herselman
2
12
We are using FreeRADIUS Version 3.0.20.
I have an anamoly in TLS Session Resumption using a Windows 10 laptop. I have not been able to reproduce this using other clients. While this appears to be bad behavior by Windows, I'm also asking if this unexpected supplicant behavior might reveal some undesirable behavior on the part of freeradius.
I deleted all TLS session cache records and restarted the server. In packet (2) you see the supplicant request a cached session, which is not found, so a full authentication takes place in packets (1) through (10).
I then "forget" the network on the client, which I would expect would also delete any record of a previous TLS session, and then I reauthenticate to the network, which requires entering a username/password (but, sadly, does not require me to trust the server's certificate).
At this point I would expect to see a full re-auth but in packet (13) you see the supplicant request a cached session, which is found and restored. In packet (14) the server declares a successful session resumption on its end and sends an Access-Challenge. But in packet (15) we then see:
eap_peap: Client rejected our response. The password is probably incorrect
eap_peap: Client rejected session resumption. Re-starting full authentication
We then proceed through the inner-tunnel and do the full re-auth but we are still using the resumed session ID along with the attributes cached from that session. In the final packet (19), we see "&request:EAP-Session-Resumed := 1"
This all came to my attention because I was originally using Cached-Session-Policy with the += operator. I ended up with duplicate session-state entries for Cached-Session-Policy, and, when that policy happened to change between authentications, one of those Cached-Session-Policy values was wrong.
We can't do anything about the bad Windows behavior, but do you consider it appropriate for freeradius to handle a rejected session resumption this way?
Doug
(1) Received Access-Request Id 64 from w.x.y.z:54989 to a.b.c.e:1812 length 201
(1) User-Name = "myUsername"
(1) NAS-IP-Address = a.b.c.d
(1) NAS-Port = 0
(1) NAS-Identifier = "w.x.y.z"
(1) NAS-Port-Type = Wireless-802.11
(1) Calling-Station-Id = "Calling-MAC"
(1) Called-Station-Id = "Called-MAC"
(1) Service-Type = Framed-User
(1) Framed-MTU = 1100
(1) EAP-Message = 0x0201000d016d616e74686f6e79
(1) Aruba-Essid-Name = "FSUCoreX"
(1) Aruba-Location-Id = "303H-mark"
(1) Aruba-AP-Group = "RAP-VoIP"
(1) Aruba-Device-Type = "Win 10"
(1) Message-Authenticator = 0x68c94109b228a1962fd060c64c8863cb
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(1) authorize {
(1) fsu-bad-passwords: EXPAND %{User-Name}
(1) fsu-bad-passwords: --> myUsername
(1) [fsu-bad-passwords] = noop
(1) if (ok) {
(1) if (ok) -> FALSE
(1) policy rewrite_calling_station_id {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(1) update request {
(1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(1) --> Calling-MAC
(1) } # update request = noop
(1) [updated] = updated
(1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(1) ... skipping else: Preceding "if" was taken
(1) } # policy rewrite_calling_station_id = updated
(1) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(1) fsu-bad-macs: --> Calling-MAC
(1) [fsu-bad-macs] = noop
(1) if (ok) {
(1) if (ok) -> FALSE
(1) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(1) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(1) if (&User-Name =~ /^host\//) {
(1) if (&User-Name =~ /^host\//) -> FALSE
(1) if ( &User-Name =~ /\s/ ) {
(1) if ( &User-Name =~ /\s/ ) -> FALSE
(1) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(1) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(1) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(1) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(1) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(1) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(1) ntdomain: Checking for prefix before "\"
(1) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(1) [ntdomain] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(1) suffix: Found realm "NULL"
(1) suffix: Adding Stripped-User-Name = "myUsername"
(1) suffix: Adding Realm = "NULL"
(1) suffix: Authentication realm is LOCAL
(1) [suffix] = ok
(1) update request {
(1) } # update request = noop
(1) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(1) fsu-rsa-macs: --> Calling-MAC
(1) [fsu-rsa-macs] = noop
(1) if (ok) {
(1) if (ok) -> FALSE
(1) else {
(1) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(1) fsu-rsa-atwpa-aruba: --> FSUCoreX
(1) [fsu-rsa-atwpa-aruba] = noop
(1) if (ok) {
(1) if (ok) -> FALSE
(1) else {
(1) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(1) fsu-rsa-atwpa-cisco: -->
(1) [fsu-rsa-atwpa-cisco] = noop
(1) if (ok) {
(1) if (ok) -> FALSE
(1) } # else = noop
(1) } # else = noop
(1) if (&request:Hint == "RSA") {
(1) if (&request:Hint == "RSA") -> FALSE
(1) else {
(1) fsu-eap: Peer sent EAP Response (code 2) ID 1 length 13
(1) fsu-eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(1) [fsu-eap] = ok
(1) } # else = ok
(1) } # authorize = ok
(1) Found Auth-Type = fsu-eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(1) Auth-Type fsu-eap {
(1) fsu-eap: Peer sent packet with method EAP Identity (1)
(1) fsu-eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new TLS session
(1) eap_peap: [eaptls start] = request
(1) fsu-eap: Sending EAP Request (code 1) ID 2 length 6
(1) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bbad1e41c
(1) [fsu-eap] = handled
(1) } # Auth-Type fsu-eap = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 64 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xbad3fd1bbad1e41c1c1cd17260df3cc0
(1) Finished request
(2) Received Access-Request Id 65 from w.x.y.z:54989 to a.b.c.e:1812 length 410
(2) User-Name = "myUsername"
(2) NAS-IP-Address = a.b.c.d
(2) NAS-Port = 0
(2) NAS-Identifier = "w.x.y.z"
(2) NAS-Port-Type = Wireless-802.11
(2) Calling-Station-Id = "Calling-MAC"
(2) Called-Station-Id = "Called-MAC"
(2) Service-Type = Framed-User
(2) Framed-MTU = 1100
(2) EAP-Message = 0x020200cc1980000000c216030300bd010000b90303602ed1269d888ec609f78e833194c064fd67012fbf825e56a50a8f228ad5760620478d25582f53a1dd580e9752f084466abf68961ab46bd12bc4085e1601e959cb002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(2) State = 0xbad3fd1bbad1e41c1c1cd17260df3cc0
(2) Aruba-Essid-Name = "FSUCoreX"
(2) Aruba-Location-Id = "303H-mark"
(2) Aruba-AP-Group = "RAP-VoIP"
(2) Aruba-Device-Type = "Win 10"
(2) Message-Authenticator = 0x018d8b6ea89b296c73c9cdd13c86ffdc
(2) session-state: No cached attributes
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(2) authorize {
(2) fsu-bad-passwords: EXPAND %{User-Name}
(2) fsu-bad-passwords: --> myUsername
(2) [fsu-bad-passwords] = noop
(2) if (ok) {
(2) if (ok) -> FALSE
(2) policy rewrite_calling_station_id {
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(2) update request {
(2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(2) --> Calling-MAC
(2) } # update request = noop
(2) [updated] = updated
(2) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(2) ... skipping else: Preceding "if" was taken
(2) } # policy rewrite_calling_station_id = updated
(2) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(2) fsu-bad-macs: --> Calling-MAC
(2) [fsu-bad-macs] = noop
(2) if (ok) {
(2) if (ok) -> FALSE
(2) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(2) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(2) if (&User-Name =~ /^host\//) {
(2) if (&User-Name =~ /^host\//) -> FALSE
(2) if ( &User-Name =~ /\s/ ) {
(2) if ( &User-Name =~ /\s/ ) -> FALSE
(2) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(2) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(2) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(2) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(2) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(2) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(2) ntdomain: Checking for prefix before "\"
(2) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(2) [ntdomain] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(2) suffix: Found realm "NULL"
(2) suffix: Adding Stripped-User-Name = "myUsername"
(2) suffix: Adding Realm = "NULL"
(2) suffix: Authentication realm is LOCAL
(2) [suffix] = ok
(2) update request {
(2) } # update request = noop
(2) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(2) fsu-rsa-macs: --> Calling-MAC
(2) [fsu-rsa-macs] = noop
(2) if (ok) {
(2) if (ok) -> FALSE
(2) else {
(2) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(2) fsu-rsa-atwpa-aruba: --> FSUCoreX
(2) [fsu-rsa-atwpa-aruba] = noop
(2) if (ok) {
(2) if (ok) -> FALSE
(2) else {
(2) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(2) fsu-rsa-atwpa-cisco: -->
(2) [fsu-rsa-atwpa-cisco] = noop
(2) if (ok) {
(2) if (ok) -> FALSE
(2) } # else = noop
(2) } # else = noop
(2) if (&request:Hint == "RSA") {
(2) if (&request:Hint == "RSA") -> FALSE
(2) else {
(2) fsu-eap: Peer sent EAP Response (code 2) ID 2 length 204
(2) fsu-eap: Continuing tunnel setup
(2) [fsu-eap] = ok
(2) } # else = ok
(2) } # authorize = ok
(2) Found Auth-Type = fsu-eap
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(2) Auth-Type fsu-eap {
(2) fsu-eap: Expiring EAP session with state 0xbad3fd1bbad1e41c
(2) fsu-eap: Finished EAP session with state 0xbad3fd1bbad1e41c
(2) fsu-eap: Previous EAP request found for state 0xbad3fd1bbad1e41c, released from the list
(2) fsu-eap: Peer sent packet with method EAP PEAP (25)
(2) fsu-eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 194 bytes
(2) eap_peap: Got complete TLS record (194 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: Peer requested cached session: 478d25582f53a1dd580e9752f084466abf68961ab46bd12bc4085e1601e959cb
(2) : eap_peap: No persisted session file /var/log/radius/tlscache/478d25582f53a1dd580e9752f084466abf68961ab46bd12bc4085e1601e959cb.asn1: No such file or directory
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: TLS_accept: SSLv3/TLS write certificate
(2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(2) eap_peap: TLS_accept: SSLv3/TLS write server done
(2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(2) eap_peap: TLS - In Handshake Phase
(2) eap_peap: TLS - got 2767 bytes of data
(2) eap_peap: [eaptls process] = handled
(2) fsu-eap: Sending EAP Request (code 1) ID 3 length 1024
(2) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bbbd0e41c
(2) [fsu-eap] = handled
(2) } # Auth-Type fsu-eap = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 65 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(2) EAP-Message = 0x0103040019c000000acf160303005d020000590303931ef82c320593388fd052f008b384446eb7d423cfa3d8be2f14ff3355cca4b620422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5cc02b000011ff01000100000b0004030001020017000016030309c50b0009c10009be00060630820602308205a7a003020102021026a74309e2eaafaf31ae5776e74c05d3300a06082a8648ce3d040302308195310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313d303b060355040313345365637469676f20454343204f7267616e697a6174696f6e2056616c69646174696f6e2053656375726520536572766572204341301e170d3230303830333030303030305a170d3232303830333233353935395a30820103310b3009060355040613025553310e300c06035504
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xbad3fd1bbbd0e41c1c1cd17260df3cc0
(2) Finished request
(3) Received Access-Request Id 66 from w.x.y.z:54989 to a.b.c.e:1812 length 212
(3) User-Name = "myUsername"
(3) NAS-IP-Address = a.b.c.d
(3) NAS-Port = 0
(3) NAS-Identifier = "w.x.y.z"
(3) NAS-Port-Type = Wireless-802.11
(3) Calling-Station-Id = "Calling-MAC"
(3) Called-Station-Id = "Called-MAC"
(3) Service-Type = Framed-User
(3) Framed-MTU = 1100
(3) EAP-Message = 0x020300061900
(3) State = 0xbad3fd1bbbd0e41c1c1cd17260df3cc0
(3) Aruba-Essid-Name = "FSUCoreX"
(3) Aruba-Location-Id = "303H-mark"
(3) Aruba-AP-Group = "RAP-VoIP"
(3) Aruba-Device-Type = "Win 10"
(3) Message-Authenticator = 0x989102d3ae927fa2abce294f1cc7210d
(3) session-state: No cached attributes
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(3) authorize {
(3) fsu-bad-passwords: EXPAND %{User-Name}
(3) fsu-bad-passwords: --> myUsername
(3) [fsu-bad-passwords] = noop
(3) if (ok) {
(3) if (ok) -> FALSE
(3) policy rewrite_calling_station_id {
(3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(3) update request {
(3) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(3) --> Calling-MAC
(3) } # update request = noop
(3) [updated] = updated
(3) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(3) ... skipping else: Preceding "if" was taken
(3) } # policy rewrite_calling_station_id = updated
(3) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(3) fsu-bad-macs: --> Calling-MAC
(3) [fsu-bad-macs] = noop
(3) if (ok) {
(3) if (ok) -> FALSE
(3) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(3) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(3) if (&User-Name =~ /^host\//) {
(3) if (&User-Name =~ /^host\//) -> FALSE
(3) if ( &User-Name =~ /\s/ ) {
(3) if ( &User-Name =~ /\s/ ) -> FALSE
(3) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(3) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(3) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(3) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(3) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(3) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(3) ntdomain: Checking for prefix before "\"
(3) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(3) [ntdomain] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(3) suffix: Found realm "NULL"
(3) suffix: Adding Stripped-User-Name = "myUsername"
(3) suffix: Adding Realm = "NULL"
(3) suffix: Authentication realm is LOCAL
(3) [suffix] = ok
(3) update request {
(3) } # update request = noop
(3) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(3) fsu-rsa-macs: --> Calling-MAC
(3) [fsu-rsa-macs] = noop
(3) if (ok) {
(3) if (ok) -> FALSE
(3) else {
(3) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(3) fsu-rsa-atwpa-aruba: --> FSUCoreX
(3) [fsu-rsa-atwpa-aruba] = noop
(3) if (ok) {
(3) if (ok) -> FALSE
(3) else {
(3) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(3) fsu-rsa-atwpa-cisco: -->
(3) [fsu-rsa-atwpa-cisco] = noop
(3) if (ok) {
(3) if (ok) -> FALSE
(3) } # else = noop
(3) } # else = noop
(3) if (&request:Hint == "RSA") {
(3) if (&request:Hint == "RSA") -> FALSE
(3) else {
(3) fsu-eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) fsu-eap: Continuing tunnel setup
(3) [fsu-eap] = ok
(3) } # else = ok
(3) } # authorize = ok
(3) Found Auth-Type = fsu-eap
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(3) Auth-Type fsu-eap {
(3) fsu-eap: Expiring EAP session with state 0xbad3fd1bbbd0e41c
(3) fsu-eap: Finished EAP session with state 0xbad3fd1bbbd0e41c
(3) fsu-eap: Previous EAP request found for state 0xbad3fd1bbbd0e41c, released from the list
(3) fsu-eap: Peer sent packet with method EAP PEAP (25)
(3) fsu-eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) fsu-eap: Sending EAP Request (code 1) ID 4 length 1020
(3) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bb8d7e41c
(3) [fsu-eap] = handled
(3) } # Auth-Type fsu-eap = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 66 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(3) EAP-Message = 0x010403fc194006082b060105050730028649687474703a2f2f6372742e7365637469676f2e636f6d2f5365637469676f4543434f7267616e697a6174696f6e56616c69646174696f6e53656375726553657276657243412e637274302306082b060105050730018617687474703a2f2f6f6373702e7365637469676f2e636f6d3082017e060a2b06010401d6790204020482016e0482016a016800760046a555eb75fa912030b5a28969f4f37d112c4174befd49b885abf2fc70fe6d4700000173b4480f2d00000403004730450220289e527367d0857731154954f296721f9f37ef06d36eda0b0710dab4c3ca2fd2022100e212a014409ae8c4ba4f407a7070e714b2e7659f80a65af2a53ef9f39e06ccad007500dfa55eab68824f1f6cadeeb85f4e3e5aeacda212a46a5e8e3b12c020445c2a7300000173b4480f5e000004030046304402201c27dade36cab76fc20bd7888116d1c28e29360f798cc1141dc8562e857b509a02207b5c44654ee0a9c94e1390763ca3
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xbad3fd1bb8d7e41c1c1cd17260df3cc0
(3) Finished request
(4) Received Access-Request Id 67 from w.x.y.z:54989 to a.b.c.e:1812 length 212
(4) User-Name = "myUsername"
(4) NAS-IP-Address = a.b.c.d
(4) NAS-Port = 0
(4) NAS-Identifier = "w.x.y.z"
(4) NAS-Port-Type = Wireless-802.11
(4) Calling-Station-Id = "Calling-MAC"
(4) Called-Station-Id = "Called-MAC"
(4) Service-Type = Framed-User
(4) Framed-MTU = 1100
(4) EAP-Message = 0x020400061900
(4) State = 0xbad3fd1bb8d7e41c1c1cd17260df3cc0
(4) Aruba-Essid-Name = "FSUCoreX"
(4) Aruba-Location-Id = "303H-mark"
(4) Aruba-AP-Group = "RAP-VoIP"
(4) Aruba-Device-Type = "Win 10"
(4) Message-Authenticator = 0x3698f3bc788ccfe70c7c1b09e167ff81
(4) session-state: No cached attributes
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(4) authorize {
(4) fsu-bad-passwords: EXPAND %{User-Name}
(4) fsu-bad-passwords: --> myUsername
(4) [fsu-bad-passwords] = noop
(4) if (ok) {
(4) if (ok) -> FALSE
(4) policy rewrite_calling_station_id {
(4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(4) update request {
(4) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(4) --> Calling-MAC
(4) } # update request = noop
(4) [updated] = updated
(4) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(4) ... skipping else: Preceding "if" was taken
(4) } # policy rewrite_calling_station_id = updated
(4) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(4) fsu-bad-macs: --> Calling-MAC
(4) [fsu-bad-macs] = noop
(4) if (ok) {
(4) if (ok) -> FALSE
(4) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(4) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(4) if (&User-Name =~ /^host\//) {
(4) if (&User-Name =~ /^host\//) -> FALSE
(4) if ( &User-Name =~ /\s/ ) {
(4) if ( &User-Name =~ /\s/ ) -> FALSE
(4) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(4) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(4) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(4) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(4) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(4) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(4) ntdomain: Checking for prefix before "\"
(4) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(4) [ntdomain] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(4) suffix: Found realm "NULL"
(4) suffix: Adding Stripped-User-Name = "myUsername"
(4) suffix: Adding Realm = "NULL"
(4) suffix: Authentication realm is LOCAL
(4) [suffix] = ok
(4) update request {
(4) } # update request = noop
(4) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(4) fsu-rsa-macs: --> Calling-MAC
(4) [fsu-rsa-macs] = noop
(4) if (ok) {
(4) if (ok) -> FALSE
(4) else {
(4) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(4) fsu-rsa-atwpa-aruba: --> FSUCoreX
(4) [fsu-rsa-atwpa-aruba] = noop
(4) if (ok) {
(4) if (ok) -> FALSE
(4) else {
(4) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(4) fsu-rsa-atwpa-cisco: -->
(4) [fsu-rsa-atwpa-cisco] = noop
(4) if (ok) {
(4) if (ok) -> FALSE
(4) } # else = noop
(4) } # else = noop
(4) if (&request:Hint == "RSA") {
(4) if (&request:Hint == "RSA") -> FALSE
(4) else {
(4) fsu-eap: Peer sent EAP Response (code 2) ID 4 length 6
(4) fsu-eap: Continuing tunnel setup
(4) [fsu-eap] = ok
(4) } # else = ok
(4) } # authorize = ok
(4) Found Auth-Type = fsu-eap
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(4) Auth-Type fsu-eap {
(4) fsu-eap: Expiring EAP session with state 0xbad3fd1bb8d7e41c
(4) fsu-eap: Finished EAP session with state 0xbad3fd1bb8d7e41c
(4) fsu-eap: Previous EAP request found for state 0xbad3fd1bb8d7e41c, released from the list
(4) fsu-eap: Peer sent packet with method EAP PEAP (25)
(4) fsu-eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) fsu-eap: Sending EAP Request (code 1) ID 5 length 745
(4) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bb9d6e41c
(4) [fsu-eap] = handled
(4) } # Auth-Type fsu-eap = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 67 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(4) EAP-Message = 0x010502e9190006072a8648ce3d020106082a8648ce3d030107034200049c8e5c0a616fa158a3d0d5cefafc44f9ffba061e7b161a721f42d30ab266cdfb0f4972214d27b1afdd873a5cfe687aa8184d2f49efc24b02c5a16719f16d6339a382016e3082016a301f0603551d230418301680143ae10986d4cf19c29676744976dce035c663639a301d0603551d0e041604144d4aefc446b312ad4f4e9ab159e251ab08107808300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020230500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737445434343657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b0601050507300286336874
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xbad3fd1bb9d6e41c1c1cd17260df3cc0
(4) Finished request
(5) Received Access-Request Id 68 from w.x.y.z:54989 to a.b.c.e:1812 length 342
(5) User-Name = "myUsername"
(5) NAS-IP-Address = a.b.c.d
(5) NAS-Port = 0
(5) NAS-Identifier = "w.x.y.z"
(5) NAS-Port-Type = Wireless-802.11
(5) Calling-Station-Id = "Calling-MAC"
(5) Called-Station-Id = "Called-MAC"
(5) Service-Type = Framed-User
(5) Framed-MTU = 1100
(5) EAP-Message = 0x0205008819800000007e16030300461000004241044d601518295cc957a589f6af50ba6fdb09db67090661cc9d393bd8adac0306fabec728fd8d3a566e56b18258956648fc03ddd2cba0d449d5c8f707dd63984fbb14030300010116030300280000000000000000e4ed788d8b79fbf52f838b98a845ffe9a50b58bbef917334728f28828c245327
(5) State = 0xbad3fd1bb9d6e41c1c1cd17260df3cc0
(5) Aruba-Essid-Name = "FSUCoreX"
(5) Aruba-Location-Id = "303H-mark"
(5) Aruba-AP-Group = "RAP-VoIP"
(5) Aruba-Device-Type = "Win 10"
(5) Message-Authenticator = 0x249cb5193fd1494a9d8b9912fa5af320
(5) session-state: No cached attributes
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(5) authorize {
(5) fsu-bad-passwords: EXPAND %{User-Name}
(5) fsu-bad-passwords: --> myUsername
(5) [fsu-bad-passwords] = noop
(5) if (ok) {
(5) if (ok) -> FALSE
(5) policy rewrite_calling_station_id {
(5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(5) update request {
(5) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(5) --> Calling-MAC
(5) } # update request = noop
(5) [updated] = updated
(5) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(5) ... skipping else: Preceding "if" was taken
(5) } # policy rewrite_calling_station_id = updated
(5) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(5) fsu-bad-macs: --> Calling-MAC
(5) [fsu-bad-macs] = noop
(5) if (ok) {
(5) if (ok) -> FALSE
(5) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(5) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(5) if (&User-Name =~ /^host\//) {
(5) if (&User-Name =~ /^host\//) -> FALSE
(5) if ( &User-Name =~ /\s/ ) {
(5) if ( &User-Name =~ /\s/ ) -> FALSE
(5) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(5) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(5) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(5) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(5) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(5) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(5) ntdomain: Checking for prefix before "\"
(5) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(5) [ntdomain] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(5) suffix: Found realm "NULL"
(5) suffix: Adding Stripped-User-Name = "myUsername"
(5) suffix: Adding Realm = "NULL"
(5) suffix: Authentication realm is LOCAL
(5) [suffix] = ok
(5) update request {
(5) } # update request = noop
(5) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(5) fsu-rsa-macs: --> Calling-MAC
(5) [fsu-rsa-macs] = noop
(5) if (ok) {
(5) if (ok) -> FALSE
(5) else {
(5) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(5) fsu-rsa-atwpa-aruba: --> FSUCoreX
(5) [fsu-rsa-atwpa-aruba] = noop
(5) if (ok) {
(5) if (ok) -> FALSE
(5) else {
(5) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(5) fsu-rsa-atwpa-cisco: -->
(5) [fsu-rsa-atwpa-cisco] = noop
(5) if (ok) {
(5) if (ok) -> FALSE
(5) } # else = noop
(5) } # else = noop
(5) if (&request:Hint == "RSA") {
(5) if (&request:Hint == "RSA") -> FALSE
(5) else {
(5) fsu-eap: Peer sent EAP Response (code 2) ID 5 length 136
(5) fsu-eap: Continuing tunnel setup
(5) [fsu-eap] = ok
(5) } # else = ok
(5) } # authorize = ok
(5) Found Auth-Type = fsu-eap
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(5) Auth-Type fsu-eap {
(5) fsu-eap: Expiring EAP session with state 0xbad3fd1bb9d6e41c
(5) fsu-eap: Finished EAP session with state 0xbad3fd1bb9d6e41c
(5) fsu-eap: Previous EAP request found for state 0xbad3fd1bb9d6e41c, released from the list
(5) fsu-eap: Peer sent packet with method EAP PEAP (25)
(5) fsu-eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(5) eap_peap: Got complete TLS record (126 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: TLS_accept: SSLv3/TLS write server done
(5) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(5) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(5) eap_peap: TLS_accept: SSLv3/TLS read finished
(5) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(5) eap_peap: TLS_accept: SSLv3/TLS write finished
(5) eap_peap: Serialising session 422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c, and storing in cache
(5) : eap_peap: Wrote session 422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c to /var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1 (149 bytes)
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: TLS - Connection Established
(5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(5) eap_peap: TLS-Session-Version = "TLS 1.2"
(5) eap_peap: TLS - got 51 bytes of data
(5) eap_peap: [eaptls process] = handled
(5) fsu-eap: Sending EAP Request (code 1) ID 6 length 57
(5) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bbed5e41c
(5) [fsu-eap] = handled
(5) } # Auth-Type fsu-eap = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(5) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(5) TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 68 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(5) EAP-Message = 0x0106003919001403030001011603030028b7cf4af33aedeba1fff80ce3d934b51a5d1673ffd272096bc1c0e67566bd54c3d9e98aa7892a05ca
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xbad3fd1bbed5e41c1c1cd17260df3cc0
(5) Finished request
(6) Received Access-Request Id 69 from w.x.y.z:54989 to a.b.c.e:1812 length 212
(6) User-Name = "myUsername"
(6) NAS-IP-Address = a.b.c.d
(6) NAS-Port = 0
(6) NAS-Identifier = "w.x.y.z"
(6) NAS-Port-Type = Wireless-802.11
(6) Calling-Station-Id = "Calling-MAC"
(6) Called-Station-Id = "Called-MAC"
(6) Service-Type = Framed-User
(6) Framed-MTU = 1100
(6) EAP-Message = 0x020600061900
(6) State = 0xbad3fd1bbed5e41c1c1cd17260df3cc0
(6) Aruba-Essid-Name = "FSUCoreX"
(6) Aruba-Location-Id = "303H-mark"
(6) Aruba-AP-Group = "RAP-VoIP"
(6) Aruba-Device-Type = "Win 10"
(6) Message-Authenticator = 0xa13a4c03acd0a8a3de7fd344f477f378
(6) Restoring &session-state
(6) &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(6) &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(6) authorize {
(6) fsu-bad-passwords: EXPAND %{User-Name}
(6) fsu-bad-passwords: --> myUsername
(6) [fsu-bad-passwords] = noop
(6) if (ok) {
(6) if (ok) -> FALSE
(6) policy rewrite_calling_station_id {
(6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(6) update request {
(6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(6) --> Calling-MAC
(6) } # update request = noop
(6) [updated] = updated
(6) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(6) ... skipping else: Preceding "if" was taken
(6) } # policy rewrite_calling_station_id = updated
(6) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(6) fsu-bad-macs: --> Calling-MAC
(6) [fsu-bad-macs] = noop
(6) if (ok) {
(6) if (ok) -> FALSE
(6) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(6) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(6) if (&User-Name =~ /^host\//) {
(6) if (&User-Name =~ /^host\//) -> FALSE
(6) if ( &User-Name =~ /\s/ ) {
(6) if ( &User-Name =~ /\s/ ) -> FALSE
(6) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(6) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(6) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(6) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(6) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(6) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(6) ntdomain: Checking for prefix before "\"
(6) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(6) [ntdomain] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(6) suffix: Found realm "NULL"
(6) suffix: Adding Stripped-User-Name = "myUsername"
(6) suffix: Adding Realm = "NULL"
(6) suffix: Authentication realm is LOCAL
(6) [suffix] = ok
(6) update request {
(6) } # update request = noop
(6) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(6) fsu-rsa-macs: --> Calling-MAC
(6) [fsu-rsa-macs] = noop
(6) if (ok) {
(6) if (ok) -> FALSE
(6) else {
(6) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(6) fsu-rsa-atwpa-aruba: --> FSUCoreX
(6) [fsu-rsa-atwpa-aruba] = noop
(6) if (ok) {
(6) if (ok) -> FALSE
(6) else {
(6) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(6) fsu-rsa-atwpa-cisco: -->
(6) [fsu-rsa-atwpa-cisco] = noop
(6) if (ok) {
(6) if (ok) -> FALSE
(6) } # else = noop
(6) } # else = noop
(6) if (&request:Hint == "RSA") {
(6) if (&request:Hint == "RSA") -> FALSE
(6) else {
(6) fsu-eap: Peer sent EAP Response (code 2) ID 6 length 6
(6) fsu-eap: Continuing tunnel setup
(6) [fsu-eap] = ok
(6) } # else = ok
(6) } # authorize = ok
(6) Found Auth-Type = fsu-eap
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(6) Auth-Type fsu-eap {
(6) fsu-eap: Expiring EAP session with state 0xbad3fd1bbed5e41c
(6) fsu-eap: Finished EAP session with state 0xbad3fd1bbed5e41c
(6) fsu-eap: Previous EAP request found for state 0xbad3fd1bbed5e41c, released from the list
(6) fsu-eap: Peer sent packet with method EAP PEAP (25)
(6) fsu-eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(6) eap_peap: [eaptls verify] = success
(6) eap_peap: [eaptls process] = success
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) fsu-eap: Sending EAP Request (code 1) ID 7 length 40
(6) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bbfd4e41c
(6) [fsu-eap] = handled
(6) } # Auth-Type fsu-eap = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(6) Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6) TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(6) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 69 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(6) EAP-Message = 0x010700281900170303001db7cf4af33aedeba2b21f528c211bf694c96d96a9f46043f8a3d4b25e39
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xbad3fd1bbfd4e41c1c1cd17260df3cc0
(6) Finished request
(7) Received Access-Request Id 70 from w.x.y.z:54989 to a.b.c.e:1812 length 250
(7) User-Name = "myUsername"
(7) NAS-IP-Address = a.b.c.d
(7) NAS-Port = 0
(7) NAS-Identifier = "w.x.y.z"
(7) NAS-Port-Type = Wireless-802.11
(7) Calling-Station-Id = "Calling-MAC"
(7) Called-Station-Id = "Called-MAC"
(7) Service-Type = Framed-User
(7) Framed-MTU = 1100
(7) EAP-Message = 0x0207002c190017030300210000000000000001c5ef41f3042d7ba531433825f82a73cb4687ce9eb328fa6a3b
(7) State = 0xbad3fd1bbfd4e41c1c1cd17260df3cc0
(7) Aruba-Essid-Name = "FSUCoreX"
(7) Aruba-Location-Id = "303H-mark"
(7) Aruba-AP-Group = "RAP-VoIP"
(7) Aruba-Device-Type = "Win 10"
(7) Message-Authenticator = 0x007cfcc7b4f70a34ef867accfd218ae4
(7) Restoring &session-state
(7) &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(7) authorize {
(7) fsu-bad-passwords: EXPAND %{User-Name}
(7) fsu-bad-passwords: --> myUsername
(7) [fsu-bad-passwords] = noop
(7) if (ok) {
(7) if (ok) -> FALSE
(7) policy rewrite_calling_station_id {
(7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(7) update request {
(7) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(7) --> Calling-MAC
(7) } # update request = noop
(7) [updated] = updated
(7) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(7) ... skipping else: Preceding "if" was taken
(7) } # policy rewrite_calling_station_id = updated
(7) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(7) fsu-bad-macs: --> Calling-MAC
(7) [fsu-bad-macs] = noop
(7) if (ok) {
(7) if (ok) -> FALSE
(7) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(7) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(7) if (&User-Name =~ /^host\//) {
(7) if (&User-Name =~ /^host\//) -> FALSE
(7) if ( &User-Name =~ /\s/ ) {
(7) if ( &User-Name =~ /\s/ ) -> FALSE
(7) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(7) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(7) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(7) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(7) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(7) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(7) ntdomain: Checking for prefix before "\"
(7) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(7) [ntdomain] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(7) suffix: Found realm "NULL"
(7) suffix: Adding Stripped-User-Name = "myUsername"
(7) suffix: Adding Realm = "NULL"
(7) suffix: Authentication realm is LOCAL
(7) [suffix] = ok
(7) update request {
(7) } # update request = noop
(7) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(7) fsu-rsa-macs: --> Calling-MAC
(7) [fsu-rsa-macs] = noop
(7) if (ok) {
(7) if (ok) -> FALSE
(7) else {
(7) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(7) fsu-rsa-atwpa-aruba: --> FSUCoreX
(7) [fsu-rsa-atwpa-aruba] = noop
(7) if (ok) {
(7) if (ok) -> FALSE
(7) else {
(7) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(7) fsu-rsa-atwpa-cisco: -->
(7) [fsu-rsa-atwpa-cisco] = noop
(7) if (ok) {
(7) if (ok) -> FALSE
(7) } # else = noop
(7) } # else = noop
(7) if (&request:Hint == "RSA") {
(7) if (&request:Hint == "RSA") -> FALSE
(7) else {
(7) fsu-eap: Peer sent EAP Response (code 2) ID 7 length 44
(7) fsu-eap: Continuing tunnel setup
(7) [fsu-eap] = ok
(7) } # else = ok
(7) } # authorize = ok
(7) Found Auth-Type = fsu-eap
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(7) Auth-Type fsu-eap {
(7) fsu-eap: Expiring EAP session with state 0xbad3fd1bbfd4e41c
(7) fsu-eap: Finished EAP session with state 0xbad3fd1bbfd4e41c
(7) fsu-eap: Previous EAP request found for state 0xbad3fd1bbfd4e41c, released from the list
(7) fsu-eap: Peer sent packet with method EAP PEAP (25)
(7) fsu-eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - myUsername
(7) eap_peap: Got inner identity 'myUsername'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x0207000d016d616e74686f6e79
(7) eap_peap: Setting User-Name to myUsername
(7) eap_peap: Sending tunneled request to fsu-peap-inner-tunnel
(7) eap_peap: EAP-Message = 0x0207000d016d616e74686f6e79
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "myUsername"
(7) Virtual server fsu-peap-inner-tunnel received request
(7) EAP-Message = 0x0207000d016d616e74686f6e79
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "myUsername"
(7) : Outer and inner identities are the same. User privacy is compromised.
(7) server fsu-peap-inner-tunnel {
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(7) authorize {
(7) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(7) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(7) if ( &User-Name =~ /\s/ ) {
(7) if ( &User-Name =~ /\s/ ) -> FALSE
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(7) suffix: Found realm "NULL"
(7) suffix: Adding Stripped-User-Name = "myUsername"
(7) suffix: Adding Realm = "NULL"
(7) suffix: Authentication realm is LOCAL
(7) [suffix] = ok
(7) update {
(7) EXPAND %{Client-Shortname}
(7) --> Cam2
(7) } # update = noop
(7) fsu-eap: Peer sent EAP Response (code 2) ID 7 length 13
(7) fsu-eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(7) [fsu-eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = fsu-eap
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(7) Auth-Type fsu-eap {
(7) fsu-eap: Peer sent packet with method EAP Identity (1)
(7) fsu-eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: Issuing Challenge
(7) fsu-eap: Sending EAP Request (code 1) ID 8 length 42
(7) fsu-eap: EAP session adding &reply:State = 0xbdbe91b7bdb68b3a
(7) [fsu-eap] = handled
(7) } # Auth-Type fsu-eap = handled
(7) } # server fsu-peap-inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message = 0x0108002a1a01080025109baa445450222aec1beb19ba94ed03b56673755f6561705f6d73636861707632
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xbdbe91b7bdb68b3a7f0fbe650d998692
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message = 0x0108002a1a01080025109baa445450222aec1beb19ba94ed03b56673755f6561705f6d73636861707632
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xbdbe91b7bdb68b3a7f0fbe650d998692
(7) eap_peap: Got tunneled Access-Challenge
(7) fsu-eap: Sending EAP Request (code 1) ID 8 length 73
(7) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bbcdbe41c
(7) [fsu-eap] = handled
(7) } # Auth-Type fsu-eap = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(7) Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7) TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(7) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(7) TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 70 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(7) EAP-Message = 0x010800491900170303003eb7cf4af33aedeba3cdd5c7ba70a4cc7d7cfd8a0762d9c26bc5ae93b4658121503793b363b4ed6304e0c4123a93536e70452c368f535ba3bad20de5e823a4
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xbad3fd1bbcdbe41c1c1cd17260df3cc0
(7) Finished request
(8) Received Access-Request Id 71 from w.x.y.z:54989 to a.b.c.e:1812 length 304
(8) User-Name = "myUsername"
(8) NAS-IP-Address = a.b.c.d
(8) NAS-Port = 0
(8) NAS-Identifier = "w.x.y.z"
(8) NAS-Port-Type = Wireless-802.11
(8) Calling-Station-Id = "Calling-MAC"
(8) Called-Station-Id = "Called-MAC"
(8) Service-Type = Framed-User
(8) Framed-MTU = 1100
(8) EAP-Message = 0x020800621900170303005700000000000000028e27ce3a53464fde6326d09354698180aa53531ef4ca995a0ac159eb57b93070a23c5c40141bb0731e014889a5ff565ce9acc558fac42bd7c6373f1c2e52351836e75fd99d8944e0338b0d9d637118
(8) State = 0xbad3fd1bbcdbe41c1c1cd17260df3cc0
(8) Aruba-Essid-Name = "FSUCoreX"
(8) Aruba-Location-Id = "303H-mark"
(8) Aruba-AP-Group = "RAP-VoIP"
(8) Aruba-Device-Type = "Win 10"
(8) Message-Authenticator = 0xf6ff0643a9eed31b5cecf30091547c5a
(8) Restoring &session-state
(8) &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(8) &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(8) authorize {
(8) fsu-bad-passwords: EXPAND %{User-Name}
(8) fsu-bad-passwords: --> myUsername
(8) [fsu-bad-passwords] = noop
(8) if (ok) {
(8) if (ok) -> FALSE
(8) policy rewrite_calling_station_id {
(8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(8) update request {
(8) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(8) --> Calling-MAC
(8) } # update request = noop
(8) [updated] = updated
(8) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(8) ... skipping else: Preceding "if" was taken
(8) } # policy rewrite_calling_station_id = updated
(8) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(8) fsu-bad-macs: --> Calling-MAC
(8) [fsu-bad-macs] = noop
(8) if (ok) {
(8) if (ok) -> FALSE
(8) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(8) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(8) if (&User-Name =~ /^host\//) {
(8) if (&User-Name =~ /^host\//) -> FALSE
(8) if ( &User-Name =~ /\s/ ) {
(8) if ( &User-Name =~ /\s/ ) -> FALSE
(8) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(8) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(8) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(8) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(8) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(8) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(8) ntdomain: Checking for prefix before "\"
(8) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(8) [ntdomain] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(8) suffix: Found realm "NULL"
(8) suffix: Adding Stripped-User-Name = "myUsername"
(8) suffix: Adding Realm = "NULL"
(8) suffix: Authentication realm is LOCAL
(8) [suffix] = ok
(8) update request {
(8) } # update request = noop
(8) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(8) fsu-rsa-macs: --> Calling-MAC
(8) [fsu-rsa-macs] = noop
(8) if (ok) {
(8) if (ok) -> FALSE
(8) else {
(8) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(8) fsu-rsa-atwpa-aruba: --> FSUCoreX
(8) [fsu-rsa-atwpa-aruba] = noop
(8) if (ok) {
(8) if (ok) -> FALSE
(8) else {
(8) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(8) fsu-rsa-atwpa-cisco: -->
(8) [fsu-rsa-atwpa-cisco] = noop
(8) if (ok) {
(8) if (ok) -> FALSE
(8) } # else = noop
(8) } # else = noop
(8) if (&request:Hint == "RSA") {
(8) if (&request:Hint == "RSA") -> FALSE
(8) else {
(8) fsu-eap: Peer sent EAP Response (code 2) ID 8 length 98
(8) fsu-eap: Continuing tunnel setup
(8) [fsu-eap] = ok
(8) } # else = ok
(8) } # authorize = ok
(8) Found Auth-Type = fsu-eap
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(8) Auth-Type fsu-eap {
(8) fsu-eap: Expiring EAP session with state 0xbdbe91b7bdb68b3a
(8) fsu-eap: Finished EAP session with state 0xbad3fd1bbcdbe41c
(8) fsu-eap: Previous EAP request found for state 0xbad3fd1bbcdbe41c, released from the list
(8) fsu-eap: Peer sent packet with method EAP PEAP (25)
(8) fsu-eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x020800431a0208003e31833b15c9f3ef2852172280a74b6713570000000000000000744a1ec95ae0b4188d19786bca156b494eaeded4cf6c1848006d616e74686f6e79
(8) eap_peap: Setting User-Name to myUsername
(8) eap_peap: Sending tunneled request to fsu-peap-inner-tunnel
(8) eap_peap: EAP-Message = 0x020800431a0208003e31833b15c9f3ef2852172280a74b6713570000000000000000744a1ec95ae0b4188d19786bca156b494eaeded4cf6c1848006d616e74686f6e79
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "myUsername"
(8) eap_peap: State = 0xbdbe91b7bdb68b3a7f0fbe650d998692
(8) Virtual server fsu-peap-inner-tunnel received request
(8) EAP-Message = 0x020800431a0208003e31833b15c9f3ef2852172280a74b6713570000000000000000744a1ec95ae0b4188d19786bca156b494eaeded4cf6c1848006d616e74686f6e79
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "myUsername"
(8) State = 0xbdbe91b7bdb68b3a7f0fbe650d998692
(8) : Outer and inner identities are the same. User privacy is compromised.
(8) server fsu-peap-inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(8) authorize {
(8) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(8) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(8) if ( &User-Name =~ /\s/ ) {
(8) if ( &User-Name =~ /\s/ ) -> FALSE
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(8) suffix: Found realm "NULL"
(8) suffix: Adding Stripped-User-Name = "myUsername"
(8) suffix: Adding Realm = "NULL"
(8) suffix: Authentication realm is LOCAL
(8) [suffix] = ok
(8) update {
(8) EXPAND %{Client-Shortname}
(8) --> Cam2
(8) } # update = noop
(8) fsu-eap: Peer sent EAP Response (code 2) ID 8 length 67
(8) fsu-eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [fsu-eap] = updated
(8) if ( &EAP-Message =~ /^0x02..00061a..$/ ) {
(8) if ( &EAP-Message =~ /^0x02..00061a..$/ ) -> FALSE
(8) if ( &User-Name =~ /^host\/(COB-RBA[A-Za-z0-9-]+)(\.fsu\.edu)*$/i) {
(8) if ( &User-Name =~ /^host\/(COB-RBA[A-Za-z0-9-]+)(\.fsu\.edu)*$/i) -> FALSE
(8) elsif (&User-Name =~ /^host\/([A-Z]{2,5}-A-[0-9A-Z]{6,7})(\.fsu\.edu)*$/) {
(8) elsif (&User-Name =~ /^host\/([A-Z]{2,5}-A-[0-9A-Z]{6,7})(\.fsu\.edu)*$/) -> FALSE
(8) elsif ( (&request:Realm) && (&request:Realm == "devices") ) {
(8) elsif ( (&request:Realm) && (&request:Realm == "devices") ) -> FALSE
(8) else {
(8) fsu-ldap-people: EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(!(uid=lib-guest*)))
(8) fsu-ldap-people: --> (&(uid=myUsername)(!(uid=lib-guest*)))
(8) fsu-ldap-people: Performing search in "ou=people,dc=fsu,dc=edu" with filter "(&(uid=myUsername)(!(uid=lib-guest*)))", scope "sub"
(8) fsu-ldap-people: Waiting for search result...
(8) fsu-ldap-people: User object found at DN "uid=myUsername,ou=People,dc=fsu,dc=edu"
(8) fsu-ldap-people: Processing user attributes
(8) [fsu-ldap-people] = updated
(8) if (notfound) {
(8) if (notfound) -> FALSE
(8) if ( &reply:My-Local-fsuEduWINStatus ) {
(8) if ( &reply:My-Local-fsuEduWINStatus ) -> FALSE
(8) fsu-pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(8) : fsu-pap: Auth-Type already set. Not setting to PAP
(8) [fsu-pap] = noop
(8) update control {
(8) } # update control = noop
(8) if ( (&reply:My-Local-VLAN) && (!&reply:My-Local-employeeStatus) ) {
(8) if ( (&reply:My-Local-VLAN) && (!&reply:My-Local-employeeStatus) ) -> FALSE
(8) if (&reply:My-Local-fsuEduAppRoles) {
(8) if (&reply:My-Local-fsuEduAppRoles) -> TRUE
(8) if (&reply:My-Local-fsuEduAppRoles) {
(8) if ((!&reply:My-Local-VLAN) && (&Client-Shortname !~ /^P/)) {
(8) if ((!&reply:My-Local-VLAN) && (&Client-Shortname !~ /^P/)) -> FALSE
(8) update {
(8) } # update = noop
(8) } # if (&reply:My-Local-fsuEduAppRoles) = noop
(8) if ((!&reply:My-Local-employeeStatus) && (!&reply:My-Local-VLAN)) {
(8) if ((!&reply:My-Local-employeeStatus) && (!&reply:My-Local-VLAN)) -> FALSE
(8) elsif (!&reply:My-Local-VLAN) {
(8) elsif (!&reply:My-Local-VLAN) -> FALSE
(8) fsu-cache-ldap-people-inner-tunnel-attributes: EXPAND %{User-Name}
(8) fsu-cache-ldap-people-inner-tunnel-attributes: --> myUsername
(8) fsu-cache-ldap-people-inner-tunnel-attributes: No cache entry found for "myUsername"
(8) fsu-cache-ldap-people-inner-tunnel-attributes: Creating new cache entry
(8) fsu-cache-ldap-people-inner-tunnel-attributes: &reply:My-Local-VLAN := &reply:My-Local-VLAN -> 'vlan1'
(8) fsu-cache-ldap-people-inner-tunnel-attributes: Merging cache entry into request
(8) fsu-cache-ldap-people-inner-tunnel-attributes: &reply:My-Local-VLAN := "vlan1"
(8) fsu-cache-ldap-people-inner-tunnel-attributes: Committed entry, TTL 10 seconds
(8) [fsu-cache-ldap-people-inner-tunnel-attributes] = updated
(8) } # else = updated
(8) } # authorize = updated
(8) Found Auth-Type = fsu-eap
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(8) Auth-Type fsu-eap {
(8) fsu-eap: Expiring EAP session with state 0xbdbe91b7bdb68b3a
(8) fsu-eap: Finished EAP session with state 0xbdbe91b7bdb68b3a
(8) fsu-eap: Previous EAP request found for state 0xbdbe91b7bdb68b3a, released from the list
(8) fsu-eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) fsu-eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(8) eap_mschapv2: Auth-Type MS-CHAP {
(8) fsu-mschap-winbind: Found NT-Password
(8) fsu-mschap-winbind: Creating challenge hash with username: myUsername
(8) fsu-mschap-winbind: Client is using MS-CHAPv2
(8) fsu-mschap-winbind: Adding MS-CHAPv2 MPPE keys
(8) eap_mschapv2: [fsu-mschap-winbind] = ok
(8) eap_mschapv2: } # Auth-Type MS-CHAP = ok
(8) eap_mschapv2: MSCHAP Success
(8) fsu-eap: Sending EAP Request (code 1) ID 9 length 51
(8) fsu-eap: EAP session adding &reply:State = 0xbdbe91b7bcb78b3a
(8) [fsu-eap] = handled
(8) } # Auth-Type fsu-eap = handled
(8) } # server fsu-peap-inner-tunnel
(8) Virtual server sending reply
(8) My-Local-employeeStatus = "Active"
(8) My-Local-VLAN = "vlan1"
(8) EAP-Message = 0x010900331a0308002e533d41393935354644354538374432394630414132383239393242333033343041313045414634313145
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xbdbe91b7bcb78b3a7f0fbe650d998692
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap: My-Local-employeeStatus = "Active"
(8) eap_peap: My-Local-VLAN = "vlan1"
(8) eap_peap: EAP-Message = 0x010900331a0308002e533d41393935354644354538374432394630414132383239393242333033343041313045414634313145
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xbdbe91b7bcb78b3a7f0fbe650d998692
(8) eap_peap: Got tunneled Access-Challenge
(8) fsu-eap: Sending EAP Request (code 1) ID 9 length 82
(8) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bbddae41c
(8) [fsu-eap] = handled
(8) } # Auth-Type fsu-eap = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(8) Challenge { ... } # empty sub-section is ignored
(8) session-state: Saving cached attributes
(8) TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(8) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(8) TLS-Session-Version = "TLS 1.2"
(8) Sent Access-Challenge Id 71 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(8) EAP-Message = 0x0109005219001703030047b7cf4af33aedeba476f0ca80606e3598427bd6060b0e2f916bcffa2c3fc9c58dd50f86471e0cf17757762211678028238727728422349caf8dfcce26ca5e11e712af3dfe455357
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xbad3fd1bbddae41c1c1cd17260df3cc0
(8) Finished request
(9) Received Access-Request Id 72 from w.x.y.z:54989 to a.b.c.e:1812 length 243
(9) User-Name = "myUsername"
(9) NAS-IP-Address = a.b.c.d
(9) NAS-Port = 0
(9) NAS-Identifier = "w.x.y.z"
(9) NAS-Port-Type = Wireless-802.11
(9) Calling-Station-Id = "Calling-MAC"
(9) Called-Station-Id = "Called-MAC"
(9) Service-Type = Framed-User
(9) Framed-MTU = 1100
(9) EAP-Message = 0x020900251900170303001a00000000000000030d1699cbaf6586c78b66fceffb50df5f09e8
(9) State = 0xbad3fd1bbddae41c1c1cd17260df3cc0
(9) Aruba-Essid-Name = "FSUCoreX"
(9) Aruba-Location-Id = "303H-mark"
(9) Aruba-AP-Group = "RAP-VoIP"
(9) Aruba-Device-Type = "Win 10"
(9) Message-Authenticator = 0xdf62b863a702c3f6c3695ae393531b03
(9) Restoring &session-state
(9) &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(9) &session-state:TLS-Session-Version = "TLS 1.2"
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(9) authorize {
(9) fsu-bad-passwords: EXPAND %{User-Name}
(9) fsu-bad-passwords: --> myUsername
(9) [fsu-bad-passwords] = noop
(9) if (ok) {
(9) if (ok) -> FALSE
(9) policy rewrite_calling_station_id {
(9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(9) update request {
(9) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(9) --> Calling-MAC
(9) } # update request = noop
(9) [updated] = updated
(9) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(9) ... skipping else: Preceding "if" was taken
(9) } # policy rewrite_calling_station_id = updated
(9) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(9) fsu-bad-macs: --> Calling-MAC
(9) [fsu-bad-macs] = noop
(9) if (ok) {
(9) if (ok) -> FALSE
(9) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(9) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(9) if (&User-Name =~ /^host\//) {
(9) if (&User-Name =~ /^host\//) -> FALSE
(9) if ( &User-Name =~ /\s/ ) {
(9) if ( &User-Name =~ /\s/ ) -> FALSE
(9) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(9) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(9) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(9) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(9) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(9) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(9) ntdomain: Checking for prefix before "\"
(9) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(9) [ntdomain] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(9) suffix: Found realm "NULL"
(9) suffix: Adding Stripped-User-Name = "myUsername"
(9) suffix: Adding Realm = "NULL"
(9) suffix: Authentication realm is LOCAL
(9) [suffix] = ok
(9) update request {
(9) } # update request = noop
(9) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(9) fsu-rsa-macs: --> Calling-MAC
(9) [fsu-rsa-macs] = noop
(9) if (ok) {
(9) if (ok) -> FALSE
(9) else {
(9) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(9) fsu-rsa-atwpa-aruba: --> FSUCoreX
(9) [fsu-rsa-atwpa-aruba] = noop
(9) if (ok) {
(9) if (ok) -> FALSE
(9) else {
(9) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(9) fsu-rsa-atwpa-cisco: -->
(9) [fsu-rsa-atwpa-cisco] = noop
(9) if (ok) {
(9) if (ok) -> FALSE
(9) } # else = noop
(9) } # else = noop
(9) if (&request:Hint == "RSA") {
(9) if (&request:Hint == "RSA") -> FALSE
(9) else {
(9) fsu-eap: Peer sent EAP Response (code 2) ID 9 length 37
(9) fsu-eap: Continuing tunnel setup
(9) [fsu-eap] = ok
(9) } # else = ok
(9) } # authorize = ok
(9) Found Auth-Type = fsu-eap
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(9) Auth-Type fsu-eap {
(9) fsu-eap: Expiring EAP session with state 0xbdbe91b7bcb78b3a
(9) fsu-eap: Finished EAP session with state 0xbad3fd1bbddae41c
(9) fsu-eap: Previous EAP request found for state 0xbad3fd1bbddae41c, released from the list
(9) fsu-eap: Peer sent packet with method EAP PEAP (25)
(9) fsu-eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message = 0x020900061a03
(9) eap_peap: Setting User-Name to myUsername
(9) eap_peap: Sending tunneled request to fsu-peap-inner-tunnel
(9) eap_peap: EAP-Message = 0x020900061a03
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = "myUsername"
(9) eap_peap: State = 0xbdbe91b7bcb78b3a7f0fbe650d998692
(9) Virtual server fsu-peap-inner-tunnel received request
(9) EAP-Message = 0x020900061a03
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "myUsername"
(9) State = 0xbdbe91b7bcb78b3a7f0fbe650d998692
(9) : Outer and inner identities are the same. User privacy is compromised.
(9) server fsu-peap-inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(9) authorize {
(9) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(9) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(9) if ( &User-Name =~ /\s/ ) {
(9) if ( &User-Name =~ /\s/ ) -> FALSE
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(9) suffix: Found realm "NULL"
(9) suffix: Adding Stripped-User-Name = "myUsername"
(9) suffix: Adding Realm = "NULL"
(9) suffix: Authentication realm is LOCAL
(9) [suffix] = ok
(9) update {
(9) EXPAND %{Client-Shortname}
(9) --> Cam2
(9) } # update = noop
(9) fsu-eap: Peer sent EAP Response (code 2) ID 9 length 6
(9) fsu-eap: No EAP Start, assuming it's an on-going EAP conversation
(9) [fsu-eap] = updated
(9) if ( &EAP-Message =~ /^0x02..00061a..$/ ) {
(9) if ( &EAP-Message =~ /^0x02..00061a..$/ ) -> TRUE
(9) if ( &EAP-Message =~ /^0x02..00061a..$/ ) {
(9) policy fsu-peap-cache-policy {
(9) if ( &User-Name =~ /@devices/ ){
(9) if ( &User-Name =~ /@devices/ ) -> FALSE
(9) else {
(9) fsu-cache-ldap-people-inner-tunnel-attributes: EXPAND %{User-Name}
(9) fsu-cache-ldap-people-inner-tunnel-attributes: --> myUsername
(9) fsu-cache-ldap-people-inner-tunnel-attributes: Found entry for "myUsername"
(9) fsu-cache-ldap-people-inner-tunnel-attributes: Merging cache entry into request
(9) fsu-cache-ldap-people-inner-tunnel-attributes: &reply:My-Local-VLAN := "vlan1"
(9) [fsu-cache-ldap-people-inner-tunnel-attributes] = ok
(9) if (updated) {
(9) if (updated) -> FALSE
(9) elsif (noop) {
(9) elsif (noop) -> FALSE
(9) elsif (ok) {
(9) elsif (ok) -> TRUE
(9) elsif (ok) {
(9) update control {
(9) } # update control = noop
(9) } # elsif (ok) = noop
(9) ... skipping else: Preceding "if" was taken
(9) } # else = ok
(9) } # policy fsu-peap-cache-policy = ok
(9) return
(9) } # if ( &EAP-Message =~ /^0x02..00061a..$/ ) = ok
(9) } # authorize = updated
(9) Found Auth-Type = fsu-eap
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(9) Auth-Type fsu-eap {
(9) fsu-eap: Expiring EAP session with state 0xbdbe91b7bcb78b3a
(9) fsu-eap: Finished EAP session with state 0xbdbe91b7bcb78b3a
(9) fsu-eap: Previous EAP request found for state 0xbdbe91b7bcb78b3a, released from the list
(9) fsu-eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) fsu-eap: Calling submodule eap_mschapv2 to process data
(9) fsu-eap: Sending EAP Success (code 3) ID 9 length 4
(9) fsu-eap: Freeing handler
(9) [fsu-eap] = ok
(9) } # Auth-Type fsu-eap = ok
(9) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(9) post-auth {
(9) update reply {
(9) } # update reply = noop
(9) update outer.session-state {
(9) } # update outer.session-state = noop
(9) } # post-auth = noop
(9) EXPAND %{My-Local-SSID} %{My-Local-AP} %{My-Local-Group} %{My-Local-Device} %{reply:My-Local-VLAN}
(9) --> vlan1
(9) } # server fsu-peap-inner-tunnel
(9) Virtual server sending reply
(9) My-Local-VLAN = "vlan1"
(9) eap_peap: Got tunneled reply code 2
(9) eap_peap: My-Local-VLAN = "vlan1"
(9) eap_peap: Tunneled authentication was successful
(9) eap_peap: SUCCESS
(9) eap_peap: Saving tunneled attributes for later
(9) fsu-eap: Sending EAP Request (code 1) ID 10 length 46
(9) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bb2d9e41c
(9) [fsu-eap] = handled
(9) } # Auth-Type fsu-eap = handled
(9) Using Post-Auth-Type Challenge
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(9) Challenge { ... } # empty sub-section is ignored
(9) session-state: Saving cached attributes
(9) TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(9) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(9) TLS-Session-Version = "TLS 1.2"
(9) My-Local-VLAN := "vlan1"
(9) Sent Access-Challenge Id 72 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(9) EAP-Message = 0x010a002e19001703030023b7cf4af33aedeba505c51c2e3171961fb71fe7fbd0c5c4e9758095d7bc824aa3c086c1
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0xbad3fd1bb2d9e41c1c1cd17260df3cc0
(9) Finished request
(10) Received Access-Request Id 73 from w.x.y.z:54989 to a.b.c.e:1812 length 252
(10) User-Name = "myUsername"
(10) NAS-IP-Address = a.b.c.d
(10) NAS-Port = 0
(10) NAS-Identifier = "w.x.y.z"
(10) NAS-Port-Type = Wireless-802.11
(10) Calling-Station-Id = "Calling-MAC"
(10) Called-Station-Id = "Called-MAC"
(10) Service-Type = Framed-User
(10) Framed-MTU = 1100
(10) EAP-Message = 0x020a002e190017030300230000000000000004de7c7a2af3bccdc1ab6fbe745bd674fade6975f3841b77dd0bc828
(10) State = 0xbad3fd1bb2d9e41c1c1cd17260df3cc0
(10) Aruba-Essid-Name = "FSUCoreX"
(10) Aruba-Location-Id = "303H-mark"
(10) Aruba-AP-Group = "RAP-VoIP"
(10) Aruba-Device-Type = "Win 10"
(10) Message-Authenticator = 0x5e7f2636fe8c9843ebeac76225d66d1b
(10) Restoring &session-state
(10) &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(10) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(10) &session-state:TLS-Session-Version = "TLS 1.2"
(10) &session-state:My-Local-VLAN := "vlan1"
(10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(10) authorize {
(10) fsu-bad-passwords: EXPAND %{User-Name}
(10) fsu-bad-passwords: --> myUsername
(10) [fsu-bad-passwords] = noop
(10) if (ok) {
(10) if (ok) -> FALSE
(10) policy rewrite_calling_station_id {
(10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(10) update request {
(10) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(10) --> Calling-MAC
(10) } # update request = noop
(10) [updated] = updated
(10) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(10) ... skipping else: Preceding "if" was taken
(10) } # policy rewrite_calling_station_id = updated
(10) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(10) fsu-bad-macs: --> Calling-MAC
(10) [fsu-bad-macs] = noop
(10) if (ok) {
(10) if (ok) -> FALSE
(10) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(10) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(10) if (&User-Name =~ /^host\//) {
(10) if (&User-Name =~ /^host\//) -> FALSE
(10) if ( &User-Name =~ /\s/ ) {
(10) if ( &User-Name =~ /\s/ ) -> FALSE
(10) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(10) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(10) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(10) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(10) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(10) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(10) ntdomain: Checking for prefix before "\"
(10) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(10) [ntdomain] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(10) suffix: Found realm "NULL"
(10) suffix: Adding Stripped-User-Name = "myUsername"
(10) suffix: Adding Realm = "NULL"
(10) suffix: Authentication realm is LOCAL
(10) [suffix] = ok
(10) update request {
(10) } # update request = noop
(10) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(10) fsu-rsa-macs: --> Calling-MAC
(10) [fsu-rsa-macs] = noop
(10) if (ok) {
(10) if (ok) -> FALSE
(10) else {
(10) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(10) fsu-rsa-atwpa-aruba: --> FSUCoreX
(10) [fsu-rsa-atwpa-aruba] = noop
(10) if (ok) {
(10) if (ok) -> FALSE
(10) else {
(10) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(10) fsu-rsa-atwpa-cisco: -->
(10) [fsu-rsa-atwpa-cisco] = noop
(10) if (ok) {
(10) if (ok) -> FALSE
(10) } # else = noop
(10) } # else = noop
(10) if (&request:Hint == "RSA") {
(10) if (&request:Hint == "RSA") -> FALSE
(10) else {
(10) fsu-eap: Peer sent EAP Response (code 2) ID 10 length 46
(10) fsu-eap: Continuing tunnel setup
(10) [fsu-eap] = ok
(10) } # else = ok
(10) } # authorize = ok
(10) Found Auth-Type = fsu-eap
(10) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(10) Auth-Type fsu-eap {
(10) fsu-eap: Expiring EAP session with state 0xbad3fd1bb2d9e41c
(10) fsu-eap: Finished EAP session with state 0xbad3fd1bb2d9e41c
(10) fsu-eap: Previous EAP request found for state 0xbad3fd1bb2d9e41c, released from the list
(10) fsu-eap: Peer sent packet with method EAP PEAP (25)
(10) fsu-eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Success
(10) eap_peap: Using saved attributes from the original Access-Accept
(10) eap_peap: My-Local-VLAN = "vlan1"
(10) eap_peap: caching Stripped-User-Name = "myUsername"
(10) eap_peap: caching My-Local-VLAN = "vlan1"
(10) eap_peap: Saving session 422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c in the disk cache
(10) fsu-eap: Sending EAP Success (code 3) ID 10 length 4
(10) fsu-eap: Freeing handler
(10) [fsu-eap] = ok
(10) } # Auth-Type fsu-eap = ok
(10) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(10) post-auth {
(10) update reply {
(10) } # update reply = noop
(10) if ( &reply:My-Local-VLAN == "student" ) {
(10) if ( &reply:My-Local-VLAN == "student" ) -> FALSE
(10) policy fsu-SSID-and-VLAN-policy {
(10) update {
(10) } # update = noop
(10) if ( &Aruba-Essid-Name ) {
(10) if ( &Aruba-Essid-Name ) -> TRUE
(10) if ( &Aruba-Essid-Name ) {
(10) update {
(10) } # update = noop
(10) if ( &My-Local-AP =~ /^(.*?)(\.wireless)?(\.fsu\.edu)$/i ) {
(10) if ( &My-Local-AP =~ /^(.*?)(\.wireless)?(\.fsu\.edu)$/i ) -> FALSE
(10) if ( &My-Local-Group =~ /^(.+) (.+$)/ ) {
(10) if ( &My-Local-Group =~ /^(.+) (.+$)/ ) -> FALSE
(10) } # if ( &Aruba-Essid-Name ) = noop
(10) ... skipping elsif: Preceding "if" was taken
(10) ... skipping elsif: Preceding "if" was taken
(10) ... skipping else: Preceding "if" was taken
(10) if (( !&My-Local-Device ) || ( &My-Local-Device == '' )) {
(10) if (( !&My-Local-Device ) || ( &My-Local-Device == '' )) -> FALSE
(10) elsif ( &My-Local-Device =~ /^(.+) (.+$)/ ) {
(10) elsif ( &My-Local-Device =~ /^(.+) (.+$)/ ) -> TRUE
(10) elsif ( &My-Local-Device =~ /^(.+) (.+$)/ ) {
(10) update {
(10) EXPAND %{1}_%{2}
(10) --> Win_10
(10) } # update = noop
(10) } # elsif ( &My-Local-Device =~ /^(.+) (.+$)/ ) = noop
(10) } # policy fsu-SSID-and-VLAN-policy = noop
(10) } # post-auth = noop
(10) EXPAND %{My-Local-SSID} %{My-Local-AP} %{My-Local-Group} %{My-Local-Device} %{reply:My-Local-VLAN}
(10) --> FSUCoreX 303H-mark RAP-VoIP Win_10 vlan1
(10) Sent Access-Accept Id 73 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(10) MS-MPPE-Recv-Key = 0x76c1709fb1a884db3c1dae08502e387b4ee3509699ba64fb2ac819dcd7cb9cf2
(10) MS-MPPE-Send-Key = 0x69113d50de374c367959ece9c252df752318770766c2fcd944e19608a88cd587
(10) EAP-Message = 0x030a0004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) User-Name = "myUsername"
(10) Aruba-User-Vlan := vlan1
(10) Finished request
(1) Cleaning up request packet ID 64 with timestamp +100
(2) Cleaning up request packet ID 65 with timestamp +100
(3) Cleaning up request packet ID 66 with timestamp +100
(4) Cleaning up request packet ID 67 with timestamp +100
(5) Cleaning up request packet ID 68 with timestamp +100
(6) Cleaning up request packet ID 69 with timestamp +100
(7) Cleaning up request packet ID 70 with timestamp +100
(8) Cleaning up request packet ID 71 with timestamp +101
(9) Cleaning up request packet ID 72 with timestamp +101
(10) Cleaning up request packet ID 73 with timestamp +101
(12) Received Access-Request Id 75 from w.x.y.z:54989 to a.b.c.e:1812 length 201
(12) User-Name = "myUsername"
(12) NAS-IP-Address = a.b.c.d
(12) NAS-Port = 0
(12) NAS-Identifier = "w.x.y.z"
(12) NAS-Port-Type = Wireless-802.11
(12) Calling-Station-Id = "Calling-MAC"
(12) Called-Station-Id = "Called-MAC"
(12) Service-Type = Framed-User
(12) Framed-MTU = 1100
(12) EAP-Message = 0x0201000d016d616e74686f6e79
(12) Aruba-Essid-Name = "FSUCoreX"
(12) Aruba-Location-Id = "303H-mark"
(12) Aruba-AP-Group = "RAP-VoIP"
(12) Aruba-Device-Type = "Win 10"
(12) Message-Authenticator = 0xfba1cd2bb95371c14c3b6dec0b816152
(12) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(12) authorize {
(12) fsu-bad-passwords: EXPAND %{User-Name}
(12) fsu-bad-passwords: --> myUsername
(12) [fsu-bad-passwords] = noop
(12) if (ok) {
(12) if (ok) -> FALSE
(12) policy rewrite_calling_station_id {
(12) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(12) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(12) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(12) update request {
(12) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(12) --> Calling-MAC
(12) } # update request = noop
(12) [updated] = updated
(12) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(12) ... skipping else: Preceding "if" was taken
(12) } # policy rewrite_calling_station_id = updated
(12) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(12) fsu-bad-macs: --> Calling-MAC
(12) [fsu-bad-macs] = noop
(12) if (ok) {
(12) if (ok) -> FALSE
(12) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(12) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(12) if (&User-Name =~ /^host\//) {
(12) if (&User-Name =~ /^host\//) -> FALSE
(12) if ( &User-Name =~ /\s/ ) {
(12) if ( &User-Name =~ /\s/ ) -> FALSE
(12) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(12) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(12) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(12) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(12) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(12) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(12) ntdomain: Checking for prefix before "\"
(12) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(12) [ntdomain] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(12) suffix: Found realm "NULL"
(12) suffix: Adding Stripped-User-Name = "myUsername"
(12) suffix: Adding Realm = "NULL"
(12) suffix: Authentication realm is LOCAL
(12) [suffix] = ok
(12) update request {
(12) } # update request = noop
(12) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(12) fsu-rsa-macs: --> Calling-MAC
(12) [fsu-rsa-macs] = noop
(12) if (ok) {
(12) if (ok) -> FALSE
(12) else {
(12) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(12) fsu-rsa-atwpa-aruba: --> FSUCoreX
(12) [fsu-rsa-atwpa-aruba] = noop
(12) if (ok) {
(12) if (ok) -> FALSE
(12) else {
(12) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(12) fsu-rsa-atwpa-cisco: -->
(12) [fsu-rsa-atwpa-cisco] = noop
(12) if (ok) {
(12) if (ok) -> FALSE
(12) } # else = noop
(12) } # else = noop
(12) if (&request:Hint == "RSA") {
(12) if (&request:Hint == "RSA") -> FALSE
(12) else {
(12) fsu-eap: Peer sent EAP Response (code 2) ID 1 length 13
(12) fsu-eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(12) [fsu-eap] = ok
(12) } # else = ok
(12) } # authorize = ok
(12) Found Auth-Type = fsu-eap
(12) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(12) Auth-Type fsu-eap {
(12) fsu-eap: Peer sent packet with method EAP Identity (1)
(12) fsu-eap: Calling submodule eap_peap to process data
(12) eap_peap: Initiating new TLS session
(12) eap_peap: [eaptls start] = request
(12) fsu-eap: Sending EAP Request (code 1) ID 2 length 6
(12) fsu-eap: EAP session adding &reply:State = 0xed876281ed857bf6
(12) [fsu-eap] = handled
(12) } # Auth-Type fsu-eap = handled
(12) Using Post-Auth-Type Challenge
(12) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(12) Challenge { ... } # empty sub-section is ignored
(12) Sent Access-Challenge Id 75 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(12) EAP-Message = 0x010200061920
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) State = 0xed876281ed857bf64bfe7e94b8bee491
(12) Finished request
(13) Received Access-Request Id 76 from w.x.y.z:54989 to a.b.c.e:1812 length 410
(13) User-Name = "myUsername"
(13) NAS-IP-Address = a.b.c.d
(13) NAS-Port = 0
(13) NAS-Identifier = "w.x.y.z"
(13) NAS-Port-Type = Wireless-802.11
(13) Calling-Station-Id = "Calling-MAC"
(13) Called-Station-Id = "Called-MAC"
(13) Service-Type = Framed-User
(13) Framed-MTU = 1100
(13) EAP-Message = 0x020200cc1980000000c216030300bd010000b90303602ed14ac1f2d653bd77e58e5213aeb2b1761c505dae0f91b5abafddc637c96f20422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(13) State = 0xed876281ed857bf64bfe7e94b8bee491
(13) Aruba-Essid-Name = "FSUCoreX"
(13) Aruba-Location-Id = "303H-mark"
(13) Aruba-AP-Group = "RAP-VoIP"
(13) Aruba-Device-Type = "Win 10"
(13) Message-Authenticator = 0x535aa1354009ea5836ccfd33734fcc8c
(13) session-state: No cached attributes
(13) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(13) authorize {
(13) fsu-bad-passwords: EXPAND %{User-Name}
(13) fsu-bad-passwords: --> myUsername
(13) [fsu-bad-passwords] = noop
(13) if (ok) {
(13) if (ok) -> FALSE
(13) policy rewrite_calling_station_id {
(13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(13) update request {
(13) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(13) --> Calling-MAC
(13) } # update request = noop
(13) [updated] = updated
(13) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(13) ... skipping else: Preceding "if" was taken
(13) } # policy rewrite_calling_station_id = updated
(13) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(13) fsu-bad-macs: --> Calling-MAC
(13) [fsu-bad-macs] = noop
(13) if (ok) {
(13) if (ok) -> FALSE
(13) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(13) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(13) if (&User-Name =~ /^host\//) {
(13) if (&User-Name =~ /^host\//) -> FALSE
(13) if ( &User-Name =~ /\s/ ) {
(13) if ( &User-Name =~ /\s/ ) -> FALSE
(13) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(13) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(13) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(13) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(13) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(13) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(13) ntdomain: Checking for prefix before "\"
(13) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(13) [ntdomain] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(13) suffix: Found realm "NULL"
(13) suffix: Adding Stripped-User-Name = "myUsername"
(13) suffix: Adding Realm = "NULL"
(13) suffix: Authentication realm is LOCAL
(13) [suffix] = ok
(13) update request {
(13) } # update request = noop
(13) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(13) fsu-rsa-macs: --> Calling-MAC
(13) [fsu-rsa-macs] = noop
(13) if (ok) {
(13) if (ok) -> FALSE
(13) else {
(13) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(13) fsu-rsa-atwpa-aruba: --> FSUCoreX
(13) [fsu-rsa-atwpa-aruba] = noop
(13) if (ok) {
(13) if (ok) -> FALSE
(13) else {
(13) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(13) fsu-rsa-atwpa-cisco: -->
(13) [fsu-rsa-atwpa-cisco] = noop
(13) if (ok) {
(13) if (ok) -> FALSE
(13) } # else = noop
(13) } # else = noop
(13) if (&request:Hint == "RSA") {
(13) if (&request:Hint == "RSA") -> FALSE
(13) else {
(13) fsu-eap: Peer sent EAP Response (code 2) ID 2 length 204
(13) fsu-eap: Continuing tunnel setup
(13) [fsu-eap] = ok
(13) } # else = ok
(13) } # authorize = ok
(13) Found Auth-Type = fsu-eap
(13) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(13) Auth-Type fsu-eap {
(13) fsu-eap: Expiring EAP session with state 0xed876281ed857bf6
(13) fsu-eap: Finished EAP session with state 0xed876281ed857bf6
(13) fsu-eap: Previous EAP request found for state 0xed876281ed857bf6, released from the list
(13) fsu-eap: Peer sent packet with method EAP PEAP (25)
(13) fsu-eap: Calling submodule eap_peap to process data
(13) eap_peap: Continuing EAP-TLS
(13) eap_peap: Peer indicated complete TLS record size will be 194 bytes
(13) eap_peap: Got complete TLS record (194 bytes)
(13) eap_peap: [eaptls verify] = length included
(13) eap_peap: (other): before SSL initialization
(13) eap_peap: TLS_accept: before SSL initialization
(13) eap_peap: TLS_accept: before SSL initialization
(13) eap_peap: Peer requested cached session: 422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c
(13) eap_peap: Successfully restored session 422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c
(13) eap_peap: reply:Stripped-User-Name = "myUsername"
(13) eap_peap: reply:My-Local-VLAN = "vlan1"
(13) eap_peap: TLS_accept: SSLv3/TLS read client hello
(13) eap_peap: TLS_accept: SSLv3/TLS write server hello
(13) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(13) eap_peap: TLS_accept: SSLv3/TLS write finished
(13) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write finished
(13) eap_peap: TLS - In Handshake Phase
(13) eap_peap: TLS - got 141 bytes of data
(13) eap_peap: [eaptls process] = handled
(13) fsu-eap: Sending EAP Request (code 1) ID 3 length 147
(13) fsu-eap: EAP session adding &reply:State = 0xed876281ec847bf6
(13) [fsu-eap] = handled
(13) } # Auth-Type fsu-eap = handled
(13) Using Post-Auth-Type Challenge
(13) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(13) Challenge { ... } # empty sub-section is ignored
(13) Sent Access-Challenge Id 76 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(13) EAP-Message = 0x0103009319001603030055020000510303535c075d9ba79179c49631cfbe31ff45262678a833b2ae1c34e0949ff5ee853a20422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5cc02b000009ff0100010000170000140303000101160303002889c27588c852f56c61f9f2cf794234739860a9e037ffa2c8089ad130dbba4b5d4877e410b28dcf32
(13) Message-Authenticator = 0x00000000000000000000000000000000
(13) State = 0xed876281ec847bf64bfe7e94b8bee491
(13) Finished request
(14) Received Access-Request Id 77 from w.x.y.z:54989 to a.b.c.e:1812 length 267
(14) User-Name = "myUsername"
(14) NAS-IP-Address = a.b.c.d
(14) NAS-Port = 0
(14) NAS-Identifier = "w.x.y.z"
(14) NAS-Port-Type = Wireless-802.11
(14) Calling-Station-Id = "Calling-MAC"
(14) Called-Station-Id = "Called-MAC"
(14) Service-Type = Framed-User
(14) Framed-MTU = 1100
(14) EAP-Message = 0x0203003d198000000033140303000101160303002800000000000000008e96422f1c79714e1d0364108107f26591d1473152a392a5e62afcf078383caf
(14) State = 0xed876281ec847bf64bfe7e94b8bee491
(14) Aruba-Essid-Name = "FSUCoreX"
(14) Aruba-Location-Id = "303H-mark"
(14) Aruba-AP-Group = "RAP-VoIP"
(14) Aruba-Device-Type = "Win 10"
(14) Message-Authenticator = 0x8ecf71006fe00b92f9384c908fb856aa
(14) session-state: No cached attributes
(14) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(14) authorize {
(14) fsu-bad-passwords: EXPAND %{User-Name}
(14) fsu-bad-passwords: --> myUsername
(14) [fsu-bad-passwords] = noop
(14) if (ok) {
(14) if (ok) -> FALSE
(14) policy rewrite_calling_station_id {
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(14) update request {
(14) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(14) --> Calling-MAC
(14) } # update request = noop
(14) [updated] = updated
(14) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(14) ... skipping else: Preceding "if" was taken
(14) } # policy rewrite_calling_station_id = updated
(14) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(14) fsu-bad-macs: --> Calling-MAC
(14) [fsu-bad-macs] = noop
(14) if (ok) {
(14) if (ok) -> FALSE
(14) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(14) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(14) if (&User-Name =~ /^host\//) {
(14) if (&User-Name =~ /^host\//) -> FALSE
(14) if ( &User-Name =~ /\s/ ) {
(14) if ( &User-Name =~ /\s/ ) -> FALSE
(14) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(14) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(14) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(14) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(14) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(14) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(14) ntdomain: Checking for prefix before "\"
(14) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(14) [ntdomain] = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(14) suffix: Found realm "NULL"
(14) suffix: Adding Stripped-User-Name = "myUsername"
(14) suffix: Adding Realm = "NULL"
(14) suffix: Authentication realm is LOCAL
(14) [suffix] = ok
(14) update request {
(14) } # update request = noop
(14) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(14) fsu-rsa-macs: --> Calling-MAC
(14) [fsu-rsa-macs] = noop
(14) if (ok) {
(14) if (ok) -> FALSE
(14) else {
(14) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(14) fsu-rsa-atwpa-aruba: --> FSUCoreX
(14) [fsu-rsa-atwpa-aruba] = noop
(14) if (ok) {
(14) if (ok) -> FALSE
(14) else {
(14) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(14) fsu-rsa-atwpa-cisco: -->
(14) [fsu-rsa-atwpa-cisco] = noop
(14) if (ok) {
(14) if (ok) -> FALSE
(14) } # else = noop
(14) } # else = noop
(14) if (&request:Hint == "RSA") {
(14) if (&request:Hint == "RSA") -> FALSE
(14) else {
(14) fsu-eap: Peer sent EAP Response (code 2) ID 3 length 61
(14) fsu-eap: Continuing tunnel setup
(14) [fsu-eap] = ok
(14) } # else = ok
(14) } # authorize = ok
(14) Found Auth-Type = fsu-eap
(14) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(14) Auth-Type fsu-eap {
(14) fsu-eap: Expiring EAP session with state 0xed876281ec847bf6
(14) fsu-eap: Finished EAP session with state 0xed876281ec847bf6
(14) fsu-eap: Previous EAP request found for state 0xed876281ec847bf6, released from the list
(14) fsu-eap: Peer sent packet with method EAP PEAP (25)
(14) fsu-eap: Calling submodule eap_peap to process data
(14) eap_peap: Continuing EAP-TLS
(14) eap_peap: Peer indicated complete TLS record size will be 51 bytes
(14) eap_peap: Got complete TLS record (51 bytes)
(14) eap_peap: [eaptls verify] = length included
(14) eap_peap: TLS_accept: SSLv3/TLS write finished
(14) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(14) eap_peap: TLS_accept: SSLv3/TLS read finished
(14) eap_peap: (other): SSL negotiation finished successfully
(14) eap_peap: TLS - Connection Established
(14) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(14) eap_peap: TLS-Session-Version = "TLS 1.2"
(14) eap_peap: TLS - Application data.
(14) eap_peap: Adding cached attributes from session 422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c
(14) eap_peap: &reply:Stripped-User-Name = "myUsername"
(14) eap_peap: &session-state:My-Local-VLAN = "vlan1"
(14) eap_peap: [eaptls process] = success
(14) eap_peap: Session established. Decoding tunneled attributes
(14) eap_peap: PEAP state TUNNEL ESTABLISHED
(14) eap_peap: Skipping Phase2 because of session resumption
(14) eap_peap: SUCCESS
(14) fsu-eap: Sending EAP Request (code 1) ID 4 length 46
(14) fsu-eap: EAP session adding &reply:State = 0xed876281ef837bf6
(14) [fsu-eap] = handled
(14) } # Auth-Type fsu-eap = handled
(14) Using Post-Auth-Type Challenge
(14) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(14) Challenge { ... } # empty sub-section is ignored
(14) session-state: Saving cached attributes
(14) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(14) TLS-Session-Version = "TLS 1.2"
(14) My-Local-VLAN = "vlan1"
(14) Sent Access-Challenge Id 77 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(14) EAP-Message = 0x0104002e1900170303002389c27588c852f56d03998abf7aa436f822de6761ff8fa87d41936d48062a9435b3d6b6
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0xed876281ef837bf64bfe7e94b8bee491
(14) Finished request
(15) Received Access-Request Id 78 from w.x.y.z:54989 to a.b.c.e:1812 length 252
(15) User-Name = "myUsername"
(15) NAS-IP-Address = a.b.c.d
(15) NAS-Port = 0
(15) NAS-Identifier = "w.x.y.z"
(15) NAS-Port-Type = Wireless-802.11
(15) Calling-Station-Id = "Calling-MAC"
(15) Called-Station-Id = "Called-MAC"
(15) Service-Type = Framed-User
(15) Framed-MTU = 1100
(15) EAP-Message = 0x0204002e190017030300230000000000000001df1ace71998c697ac31fb2855c4002515ba65690aab44afcc4278e
(15) State = 0xed876281ef837bf64bfe7e94b8bee491
(15) Aruba-Essid-Name = "FSUCoreX"
(15) Aruba-Location-Id = "303H-mark"
(15) Aruba-AP-Group = "RAP-VoIP"
(15) Aruba-Device-Type = "Win 10"
(15) Message-Authenticator = 0x8f6ecf737fe491dfb9ce940b13a95d3d
(15) Restoring &session-state
(15) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(15) &session-state:TLS-Session-Version = "TLS 1.2"
(15) &session-state:My-Local-VLAN = "vlan1"
(15) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(15) authorize {
(15) fsu-bad-passwords: EXPAND %{User-Name}
(15) fsu-bad-passwords: --> myUsername
(15) [fsu-bad-passwords] = noop
(15) if (ok) {
(15) if (ok) -> FALSE
(15) policy rewrite_calling_station_id {
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(15) update request {
(15) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(15) --> Calling-MAC
(15) } # update request = noop
(15) [updated] = updated
(15) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(15) ... skipping else: Preceding "if" was taken
(15) } # policy rewrite_calling_station_id = updated
(15) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(15) fsu-bad-macs: --> Calling-MAC
(15) [fsu-bad-macs] = noop
(15) if (ok) {
(15) if (ok) -> FALSE
(15) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(15) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(15) if (&User-Name =~ /^host\//) {
(15) if (&User-Name =~ /^host\//) -> FALSE
(15) if ( &User-Name =~ /\s/ ) {
(15) if ( &User-Name =~ /\s/ ) -> FALSE
(15) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(15) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(15) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(15) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(15) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(15) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(15) ntdomain: Checking for prefix before "\"
(15) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(15) [ntdomain] = noop
(15) suffix: Checking for suffix after "@"
(15) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(15) suffix: Found realm "NULL"
(15) suffix: Adding Stripped-User-Name = "myUsername"
(15) suffix: Adding Realm = "NULL"
(15) suffix: Authentication realm is LOCAL
(15) [suffix] = ok
(15) update request {
(15) } # update request = noop
(15) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(15) fsu-rsa-macs: --> Calling-MAC
(15) [fsu-rsa-macs] = noop
(15) if (ok) {
(15) if (ok) -> FALSE
(15) else {
(15) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(15) fsu-rsa-atwpa-aruba: --> FSUCoreX
(15) [fsu-rsa-atwpa-aruba] = noop
(15) if (ok) {
(15) if (ok) -> FALSE
(15) else {
(15) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(15) fsu-rsa-atwpa-cisco: -->
(15) [fsu-rsa-atwpa-cisco] = noop
(15) if (ok) {
(15) if (ok) -> FALSE
(15) } # else = noop
(15) } # else = noop
(15) if (&request:Hint == "RSA") {
(15) if (&request:Hint == "RSA") -> FALSE
(15) else {
(15) fsu-eap: Peer sent EAP Response (code 2) ID 4 length 46
(15) fsu-eap: Continuing tunnel setup
(15) [fsu-eap] = ok
(15) } # else = ok
(15) } # authorize = ok
(15) Found Auth-Type = fsu-eap
(15) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(15) Auth-Type fsu-eap {
(15) fsu-eap: Expiring EAP session with state 0xed876281ef837bf6
(15) fsu-eap: Finished EAP session with state 0xed876281ef837bf6
(15) fsu-eap: Previous EAP request found for state 0xed876281ef837bf6, released from the list
(15) fsu-eap: Peer sent packet with method EAP PEAP (25)
(15) fsu-eap: Calling submodule eap_peap to process data
(15) eap_peap: Continuing EAP-TLS
(15) eap_peap: [eaptls verify] = ok
(15) eap_peap: Done initial handshake
(15) eap_peap: [eaptls process] = ok
(15) eap_peap: Session established. Decoding tunneled attributes
(15) eap_peap: PEAP state send tlv success
(15) eap_peap: Received EAP-TLV response
(15) eap_peap: Client rejected our response. The password is probably incorrect
(15) eap_peap: Client rejected session resumption. Re-starting full authentication
(15) fsu-eap: Sending EAP Request (code 1) ID 5 length 40
(15) fsu-eap: EAP session adding &reply:State = 0xed876281ee827bf6
(15) [fsu-eap] = handled
(15) } # Auth-Type fsu-eap = handled
(15) Using Post-Auth-Type Challenge
(15) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(15) Challenge { ... } # empty sub-section is ignored
(15) session-state: Saving cached attributes
(15) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(15) TLS-Session-Version = "TLS 1.2"
(15) My-Local-VLAN = "vlan1"
(15) Sent Access-Challenge Id 78 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(15) EAP-Message = 0x010500281900170303001d89c27588c852f56eae73f7eeb5abced29ab24cd1c66e6aee6ff95dde12
(15) Message-Authenticator = 0x00000000000000000000000000000000
(15) State = 0xed876281ee827bf64bfe7e94b8bee491
(15) Finished request
(16) Received Access-Request Id 79 from w.x.y.z:54989 to a.b.c.e:1812 length 250
(16) User-Name = "myUsername"
(16) NAS-IP-Address = a.b.c.d
(16) NAS-Port = 0
(16) NAS-Identifier = "w.x.y.z"
(16) NAS-Port-Type = Wireless-802.11
(16) Calling-Station-Id = "Calling-MAC"
(16) Called-Station-Id = "Called-MAC"
(16) Service-Type = Framed-User
(16) Framed-MTU = 1100
(16) EAP-Message = 0x0205002c19001703030021000000000000000282558f8dd6938dc7f2fc9e87fe2dbd243191b612d5c9595c1d
(16) State = 0xed876281ee827bf64bfe7e94b8bee491
(16) Aruba-Essid-Name = "FSUCoreX"
(16) Aruba-Location-Id = "303H-mark"
(16) Aruba-AP-Group = "RAP-VoIP"
(16) Aruba-Device-Type = "Win 10"
(16) Message-Authenticator = 0x0323fd4fec32900b263af0272dba6948
(16) Restoring &session-state
(16) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(16) &session-state:TLS-Session-Version = "TLS 1.2"
(16) &session-state:My-Local-VLAN = "vlan1"
(16) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(16) authorize {
(16) fsu-bad-passwords: EXPAND %{User-Name}
(16) fsu-bad-passwords: --> myUsername
(16) [fsu-bad-passwords] = noop
(16) if (ok) {
(16) if (ok) -> FALSE
(16) policy rewrite_calling_station_id {
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(16) update request {
(16) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(16) --> Calling-MAC
(16) } # update request = noop
(16) [updated] = updated
(16) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(16) ... skipping else: Preceding "if" was taken
(16) } # policy rewrite_calling_station_id = updated
(16) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(16) fsu-bad-macs: --> Calling-MAC
(16) [fsu-bad-macs] = noop
(16) if (ok) {
(16) if (ok) -> FALSE
(16) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(16) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(16) if (&User-Name =~ /^host\//) {
(16) if (&User-Name =~ /^host\//) -> FALSE
(16) if ( &User-Name =~ /\s/ ) {
(16) if ( &User-Name =~ /\s/ ) -> FALSE
(16) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(16) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(16) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(16) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(16) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(16) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(16) ntdomain: Checking for prefix before "\"
(16) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(16) [ntdomain] = noop
(16) suffix: Checking for suffix after "@"
(16) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(16) suffix: Found realm "NULL"
(16) suffix: Adding Stripped-User-Name = "myUsername"
(16) suffix: Adding Realm = "NULL"
(16) suffix: Authentication realm is LOCAL
(16) [suffix] = ok
(16) update request {
(16) } # update request = noop
(16) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(16) fsu-rsa-macs: --> Calling-MAC
(16) [fsu-rsa-macs] = noop
(16) if (ok) {
(16) if (ok) -> FALSE
(16) else {
(16) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(16) fsu-rsa-atwpa-aruba: --> FSUCoreX
(16) [fsu-rsa-atwpa-aruba] = noop
(16) if (ok) {
(16) if (ok) -> FALSE
(16) else {
(16) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(16) fsu-rsa-atwpa-cisco: -->
(16) [fsu-rsa-atwpa-cisco] = noop
(16) if (ok) {
(16) if (ok) -> FALSE
(16) } # else = noop
(16) } # else = noop
(16) if (&request:Hint == "RSA") {
(16) if (&request:Hint == "RSA") -> FALSE
(16) else {
(16) fsu-eap: Peer sent EAP Response (code 2) ID 5 length 44
(16) fsu-eap: Continuing tunnel setup
(16) [fsu-eap] = ok
(16) } # else = ok
(16) } # authorize = ok
(16) Found Auth-Type = fsu-eap
(16) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(16) Auth-Type fsu-eap {
(16) fsu-eap: Expiring EAP session with state 0xed876281ee827bf6
(16) fsu-eap: Finished EAP session with state 0xed876281ee827bf6
(16) fsu-eap: Previous EAP request found for state 0xed876281ee827bf6, released from the list
(16) fsu-eap: Peer sent packet with method EAP PEAP (25)
(16) fsu-eap: Calling submodule eap_peap to process data
(16) eap_peap: Continuing EAP-TLS
(16) eap_peap: [eaptls verify] = ok
(16) eap_peap: Done initial handshake
(16) eap_peap: [eaptls process] = ok
(16) eap_peap: Session established. Decoding tunneled attributes
(16) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(16) eap_peap: Identity - myUsername
(16) eap_peap: Got inner identity 'myUsername'
(16) eap_peap: Setting default EAP type for tunneled EAP session
(16) eap_peap: Got tunneled request
(16) eap_peap: EAP-Message = 0x0205000d016d616e74686f6e79
(16) eap_peap: Setting User-Name to myUsername
(16) eap_peap: Sending tunneled request to fsu-peap-inner-tunnel
(16) eap_peap: EAP-Message = 0x0205000d016d616e74686f6e79
(16) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(16) eap_peap: User-Name = "myUsername"
(16) Virtual server fsu-peap-inner-tunnel received request
(16) EAP-Message = 0x0205000d016d616e74686f6e79
(16) FreeRADIUS-Proxied-To = 127.0.0.1
(16) User-Name = "myUsername"
(16)G: Outer and inner identities are the same. User privacy is compromised.
(16) server fsu-peap-inner-tunnel {
(16) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(16) authorize {
(16) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(16) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(16) if ( &User-Name =~ /\s/ ) {
(16) if ( &User-Name =~ /\s/ ) -> FALSE
(16) suffix: Checking for suffix after "@"
(16) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(16) suffix: Found realm "NULL"
(16) suffix: Adding Stripped-User-Name = "myUsername"
(16) suffix: Adding Realm = "NULL"
(16) suffix: Authentication realm is LOCAL
(16) [suffix] = ok
(16) update {
(16) EXPAND %{Client-Shortname}
(16) --> Cam2
(16) } # update = noop
(16) fsu-eap: Peer sent EAP Response (code 2) ID 5 length 13
(16) fsu-eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(16) [fsu-eap] = ok
(16) } # authorize = ok
(16) Found Auth-Type = fsu-eap
(16) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(16) Auth-Type fsu-eap {
(16) fsu-eap: Peer sent packet with method EAP Identity (1)
(16) fsu-eap: Calling submodule eap_mschapv2 to process data
(16) eap_mschapv2: Issuing Challenge
(16) fsu-eap: Sending EAP Request (code 1) ID 6 length 42
(16) fsu-eap: EAP session adding &reply:State = 0x6295751762936f56
(16) [fsu-eap] = handled
(16) } # Auth-Type fsu-eap = handled
(16) } # server fsu-peap-inner-tunnel
(16) Virtual server sending reply
(16) EAP-Message = 0x0106002a1a01060025109f50784156a46729b0cf55b725fe519e6673755f6561705f6d73636861707632
(16) Message-Authenticator = 0x00000000000000000000000000000000
(16) State = 0x6295751762936f5699fbad14c2f8e6da
(16) eap_peap: Got tunneled reply code 11
(16) eap_peap: EAP-Message = 0x0106002a1a01060025109f50784156a46729b0cf55b725fe519e6673755f6561705f6d73636861707632
(16) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(16) eap_peap: State = 0x6295751762936f5699fbad14c2f8e6da
(16) eap_peap: Got tunneled Access-Challenge
(16) fsu-eap: Sending EAP Request (code 1) ID 6 length 73
(16) fsu-eap: EAP session adding &reply:State = 0xed876281e9817bf6
(16) [fsu-eap] = handled
(16) } # Auth-Type fsu-eap = handled
(16) Using Post-Auth-Type Challenge
(16) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(16) Challenge { ... } # empty sub-section is ignored
(16) session-state: Saving cached attributes
(16) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(16) TLS-Session-Version = "TLS 1.2"
(16) My-Local-VLAN = "vlan1"
(16) Sent Access-Challenge Id 79 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(16) EAP-Message = 0x010600491900170303003e89c27588c852f56f98c1d1a9fa6d0cc0a1e10e32209323a00f2555899d0c5b91cfa2736c4e76b4e6395920f98ab9de29bc0d8add2be3043afcff649388d1
(16) Message-Authenticator = 0x00000000000000000000000000000000
(16) State = 0xed876281e9817bf64bfe7e94b8bee491
(16) Finished request
(17) Received Access-Request Id 80 from w.x.y.z:54989 to a.b.c.e:1812 length 304
(17) User-Name = "myUsername"
(17) NAS-IP-Address = a.b.c.d
(17) NAS-Port = 0
(17) NAS-Identifier = "w.x.y.z"
(17) NAS-Port-Type = Wireless-802.11
(17) Calling-Station-Id = "Calling-MAC"
(17) Called-Station-Id = "Called-MAC"
(17) Service-Type = Framed-User
(17) Framed-MTU = 1100
(17) EAP-Message = 0x02060062190017030300570000000000000003b9e70fd69206a3d7a95ab9ac375fe2dc092d419ab0150d028624f3aef3776408b084186a1725af7691dfa0111e22d0016deef88177d33c53ade442ae16ea9b365f036d82f0a5b06eae811cc7eee242
(17) State = 0xed876281e9817bf64bfe7e94b8bee491
(17) Aruba-Essid-Name = "FSUCoreX"
(17) Aruba-Location-Id = "303H-mark"
(17) Aruba-AP-Group = "RAP-VoIP"
(17) Aruba-Device-Type = "Win 10"
(17) Message-Authenticator = 0xd65c14c6e79e81442cb62c7af5845f07
(17) Restoring &session-state
(17) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(17) &session-state:TLS-Session-Version = "TLS 1.2"
(17) &session-state:My-Local-VLAN = "vlan1"
(17) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(17) authorize {
(17) fsu-bad-passwords: EXPAND %{User-Name}
(17) fsu-bad-passwords: --> myUsername
(17) [fsu-bad-passwords] = noop
(17) if (ok) {
(17) if (ok) -> FALSE
(17) policy rewrite_calling_station_id {
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(17) update request {
(17) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(17) --> Calling-MAC
(17) } # update request = noop
(17) [updated] = updated
(17) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(17) ... skipping else: Preceding "if" was taken
(17) } # policy rewrite_calling_station_id = updated
(17) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(17) fsu-bad-macs: --> Calling-MAC
(17) [fsu-bad-macs] = noop
(17) if (ok) {
(17) if (ok) -> FALSE
(17) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(17) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(17) if (&User-Name =~ /^host\//) {
(17) if (&User-Name =~ /^host\//) -> FALSE
(17) if ( &User-Name =~ /\s/ ) {
(17) if ( &User-Name =~ /\s/ ) -> FALSE
(17) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(17) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(17) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(17) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(17) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(17) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(17) ntdomain: Checking for prefix before "\"
(17) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(17) [ntdomain] = noop
(17) suffix: Checking for suffix after "@"
(17) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(17) suffix: Found realm "NULL"
(17) suffix: Adding Stripped-User-Name = "myUsername"
(17) suffix: Adding Realm = "NULL"
(17) suffix: Authentication realm is LOCAL
(17) [suffix] = ok
(17) update request {
(17) } # update request = noop
(17) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(17) fsu-rsa-macs: --> Calling-MAC
(17) [fsu-rsa-macs] = noop
(17) if (ok) {
(17) if (ok) -> FALSE
(17) else {
(17) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(17) fsu-rsa-atwpa-aruba: --> FSUCoreX
(17) [fsu-rsa-atwpa-aruba] = noop
(17) if (ok) {
(17) if (ok) -> FALSE
(17) else {
(17) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(17) fsu-rsa-atwpa-cisco: -->
(17) [fsu-rsa-atwpa-cisco] = noop
(17) if (ok) {
(17) if (ok) -> FALSE
(17) } # else = noop
(17) } # else = noop
(17) if (&request:Hint == "RSA") {
(17) if (&request:Hint == "RSA") -> FALSE
(17) else {
(17) fsu-eap: Peer sent EAP Response (code 2) ID 6 length 98
(17) fsu-eap: Continuing tunnel setup
(17) [fsu-eap] = ok
(17) } # else = ok
(17) } # authorize = ok
(17) Found Auth-Type = fsu-eap
(17) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(17) Auth-Type fsu-eap {
(17) fsu-eap: Expiring EAP session with state 0x6295751762936f56
(17) fsu-eap: Finished EAP session with state 0xed876281e9817bf6
(17) fsu-eap: Previous EAP request found for state 0xed876281e9817bf6, released from the list
(17) fsu-eap: Peer sent packet with method EAP PEAP (25)
(17) fsu-eap: Calling submodule eap_peap to process data
(17) eap_peap: Continuing EAP-TLS
(17) eap_peap: [eaptls verify] = ok
(17) eap_peap: Done initial handshake
(17) eap_peap: [eaptls process] = ok
(17) eap_peap: Session established. Decoding tunneled attributes
(17) eap_peap: PEAP state phase2
(17) eap_peap: EAP method MSCHAPv2 (26)
(17) eap_peap: Got tunneled request
(17) eap_peap: EAP-Message = 0x020600431a0206003e315f7e3ca3f8250759d5875f3b03820d250000000000000000bd11aaca3c823d8c2cd3779eb03a248abe0580965b154b9d006d616e74686f6e79
(17) eap_peap: Setting User-Name to myUsername
(17) eap_peap: Sending tunneled request to fsu-peap-inner-tunnel
(17) eap_peap: EAP-Message = 0x020600431a0206003e315f7e3ca3f8250759d5875f3b03820d250000000000000000bd11aaca3c823d8c2cd3779eb03a248abe0580965b154b9d006d616e74686f6e79
(17) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(17) eap_peap: User-Name = "myUsername"
(17) eap_peap: State = 0x6295751762936f5699fbad14c2f8e6da
(17) Virtual server fsu-peap-inner-tunnel received request
(17) EAP-Message = 0x020600431a0206003e315f7e3ca3f8250759d5875f3b03820d250000000000000000bd11aaca3c823d8c2cd3779eb03a248abe0580965b154b9d006d616e74686f6e79
(17) FreeRADIUS-Proxied-To = 127.0.0.1
(17) User-Name = "myUsername"
(17) State = 0x6295751762936f5699fbad14c2f8e6da
(17)G: Outer and inner identities are the same. User privacy is compromised.
(17) server fsu-peap-inner-tunnel {
(17) session-state: No cached attributes
(17) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(17) authorize {
(17) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(17) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(17) if ( &User-Name =~ /\s/ ) {
(17) if ( &User-Name =~ /\s/ ) -> FALSE
(17) suffix: Checking for suffix after "@"
(17) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(17) suffix: Found realm "NULL"
(17) suffix: Adding Stripped-User-Name = "myUsername"
(17) suffix: Adding Realm = "NULL"
(17) suffix: Authentication realm is LOCAL
(17) [suffix] = ok
(17) update {
(17) EXPAND %{Client-Shortname}
(17) --> Cam2
(17) } # update = noop
(17) fsu-eap: Peer sent EAP Response (code 2) ID 6 length 67
(17) fsu-eap: No EAP Start, assuming it's an on-going EAP conversation
(17) [fsu-eap] = updated
(17) if ( &EAP-Message =~ /^0x02..00061a..$/ ) {
(17) if ( &EAP-Message =~ /^0x02..00061a..$/ ) -> FALSE
(17) if ( &User-Name =~ /^host\/(COB-RBA[A-Za-z0-9-]+)(\.fsu\.edu)*$/i) {
(17) if ( &User-Name =~ /^host\/(COB-RBA[A-Za-z0-9-]+)(\.fsu\.edu)*$/i) -> FALSE
(17) elsif (&User-Name =~ /^host\/([A-Z]{2,5}-A-[0-9A-Z]{6,7})(\.fsu\.edu)*$/) {
(17) elsif (&User-Name =~ /^host\/([A-Z]{2,5}-A-[0-9A-Z]{6,7})(\.fsu\.edu)*$/) -> FALSE
(17) elsif ( (&request:Realm) && (&request:Realm == "devices") ) {
(17) elsif ( (&request:Realm) && (&request:Realm == "devices") ) -> FALSE
(17) else {
(17) fsu-ldap-people: EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(!(uid=lib-guest*)))
(17) fsu-ldap-people: --> (&(uid=myUsername)(!(uid=lib-guest*)))
(17) fsu-ldap-people: Performing search in "ou=people,dc=fsu,dc=edu" with filter "(&(uid=myUsername)(!(uid=lib-guest*)))", scope "sub"
(17) fsu-ldap-people: Waiting for search result...
(17) fsu-ldap-people: User object found at DN "uid=myUsername,ou=People,dc=fsu,dc=edu"
(17) fsu-ldap-people: Processing user attributes
(17) [fsu-ldap-people] = updated
(17) if (notfound) {
(17) if (notfound) -> FALSE
(17) if ( &reply:My-Local-fsuEduWINStatus ) {
(17) if ( &reply:My-Local-fsuEduWINStatus ) -> FALSE
(17) fsu-pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(17)G: fsu-pap: Auth-Type already set. Not setting to PAP
(17) [fsu-pap] = noop
(17) update control {
(17) } # update control = noop
(17) if ( (&reply:My-Local-VLAN) && (!&reply:My-Local-employeeStatus) ) {
(17) if ( (&reply:My-Local-VLAN) && (!&reply:My-Local-employeeStatus) ) -> FALSE
(17) if (&reply:My-Local-fsuEduAppRoles) {
(17) if (&reply:My-Local-fsuEduAppRoles) -> TRUE
(17) if (&reply:My-Local-fsuEduAppRoles) {
(17) if ((!&reply:My-Local-VLAN) && (&Client-Shortname !~ /^P/)) {
(17) if ((!&reply:My-Local-VLAN) && (&Client-Shortname !~ /^P/)) -> FALSE
(17) update {
(17) } # update = noop
(17) } # if (&reply:My-Local-fsuEduAppRoles) = noop
(17) if ((!&reply:My-Local-employeeStatus) && (!&reply:My-Local-VLAN)) {
(17) if ((!&reply:My-Local-employeeStatus) && (!&reply:My-Local-VLAN)) -> FALSE
(17) elsif (!&reply:My-Local-VLAN) {
(17) elsif (!&reply:My-Local-VLAN) -> FALSE
(17) fsu-cache-ldap-people-inner-tunnel-attributes: EXPAND %{User-Name}
(17) fsu-cache-ldap-people-inner-tunnel-attributes: --> myUsername
(17) fsu-cache-ldap-people-inner-tunnel-attributes: No cache entry found for "myUsername"
(17) fsu-cache-ldap-people-inner-tunnel-attributes: Creating new cache entry
(17) fsu-cache-ldap-people-inner-tunnel-attributes: &reply:My-Local-VLAN := &reply:My-Local-VLAN -> 'vlan2'
(17) fsu-cache-ldap-people-inner-tunnel-attributes: Merging cache entry into request
(17) fsu-cache-ldap-people-inner-tunnel-attributes: &reply:My-Local-VLAN := "vlan2"
(17) fsu-cache-ldap-people-inner-tunnel-attributes: Committed entry, TTL 10 seconds
(17) [fsu-cache-ldap-people-inner-tunnel-attributes] = updated
(17) } # else = updated
(17) } # authorize = updated
(17) Found Auth-Type = fsu-eap
(17) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(17) Auth-Type fsu-eap {
(17) fsu-eap: Expiring EAP session with state 0x6295751762936f56
(17) fsu-eap: Finished EAP session with state 0x6295751762936f56
(17) fsu-eap: Previous EAP request found for state 0x6295751762936f56, released from the list
(17) fsu-eap: Peer sent packet with method EAP MSCHAPv2 (26)
(17) fsu-eap: Calling submodule eap_mschapv2 to process data
(17) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(17) eap_mschapv2: Auth-Type MS-CHAP {
(17) fsu-mschap-winbind: Found NT-Password
(17) fsu-mschap-winbind: Creating challenge hash with username: myUsername
(17) fsu-mschap-winbind: Client is using MS-CHAPv2
(17) fsu-mschap-winbind: Adding MS-CHAPv2 MPPE keys
(17) eap_mschapv2: [fsu-mschap-winbind] = ok
(17) eap_mschapv2: } # Auth-Type MS-CHAP = ok
(17) eap_mschapv2: MSCHAP Success
(17) fsu-eap: Sending EAP Request (code 1) ID 7 length 51
(17) fsu-eap: EAP session adding &reply:State = 0x6295751763926f56
(17) [fsu-eap] = handled
(17) } # Auth-Type fsu-eap = handled
(17) } # server fsu-peap-inner-tunnel
(17) Virtual server sending reply
(17) My-Local-employeeStatus = "Active"
(17) My-Local-VLAN = "vlan2"
(17) EAP-Message = 0x010700331a0306002e533d30453232363542464230323643314536413241423936443939354644443543343538423931444235
(17) Message-Authenticator = 0x00000000000000000000000000000000
(17) State = 0x6295751763926f5699fbad14c2f8e6da
(17) eap_peap: Got tunneled reply code 11
(17) eap_peap: My-Local-employeeStatus = "Active"
(17) eap_peap: My-Local-VLAN = "vlan2"
(17) eap_peap: EAP-Message = 0x010700331a0306002e533d30453232363542464230323643314536413241423936443939354644443543343538423931444235
(17) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(17) eap_peap: State = 0x6295751763926f5699fbad14c2f8e6da
(17) eap_peap: Got tunneled Access-Challenge
(17) fsu-eap: Sending EAP Request (code 1) ID 7 length 82
(17) fsu-eap: EAP session adding &reply:State = 0xed876281e8807bf6
(17) [fsu-eap] = handled
(17) } # Auth-Type fsu-eap = handled
(17) Using Post-Auth-Type Challenge
(17) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(17) Challenge { ... } # empty sub-section is ignored
(17) session-state: Saving cached attributes
(17) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(17) TLS-Session-Version = "TLS 1.2"
(17) My-Local-VLAN = "vlan1"
(17) Sent Access-Challenge Id 80 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(17) EAP-Message = 0x010700521900170303004789c27588c852f57045aba025448705421526a0428cd53ca921a53102d6ba99fb07e81bab3ab01057cf487def2a59e6022f25e43177c85bed11c9d233cd9d04307552cca530e3f2
(17) Message-Authenticator = 0x00000000000000000000000000000000
(17) State = 0xed876281e8807bf64bfe7e94b8bee491
(17) Finished request
(18) Received Access-Request Id 81 from w.x.y.z:54989 to a.b.c.e:1812 length 243
(18) User-Name = "myUsername"
(18) NAS-IP-Address = a.b.c.d
(18) NAS-Port = 0
(18) NAS-Identifier = "w.x.y.z"
(18) NAS-Port-Type = Wireless-802.11
(18) Calling-Station-Id = "Calling-MAC"
(18) Called-Station-Id = "Called-MAC"
(18) Service-Type = Framed-User
(18) Framed-MTU = 1100
(18) EAP-Message = 0x020700251900170303001a00000000000000048d403c8866333c3a2458917f40809eb5d560
(18) State = 0xed876281e8807bf64bfe7e94b8bee491
(18) Aruba-Essid-Name = "FSUCoreX"
(18) Aruba-Location-Id = "303H-mark"
(18) Aruba-AP-Group = "RAP-VoIP"
(18) Aruba-Device-Type = "Win 10"
(18) Message-Authenticator = 0x652291c2e70a5b6b3eaeccfb35ec9c3e
(18) Restoring &session-state
(18) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(18) &session-state:TLS-Session-Version = "TLS 1.2"
(18) &session-state:My-Local-VLAN = "vlan1"
(18) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(18) authorize {
(18) fsu-bad-passwords: EXPAND %{User-Name}
(18) fsu-bad-passwords: --> myUsername
(18) [fsu-bad-passwords] = noop
(18) if (ok) {
(18) if (ok) -> FALSE
(18) policy rewrite_calling_station_id {
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(18) update request {
(18) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(18) --> Calling-MAC
(18) } # update request = noop
(18) [updated] = updated
(18) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(18) ... skipping else: Preceding "if" was taken
(18) } # policy rewrite_calling_station_id = updated
(18) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(18) fsu-bad-macs: --> Calling-MAC
(18) [fsu-bad-macs] = noop
(18) if (ok) {
(18) if (ok) -> FALSE
(18) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(18) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(18) if (&User-Name =~ /^host\//) {
(18) if (&User-Name =~ /^host\//) -> FALSE
(18) if ( &User-Name =~ /\s/ ) {
(18) if ( &User-Name =~ /\s/ ) -> FALSE
(18) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(18) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(18) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(18) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(18) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(18) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(18) ntdomain: Checking for prefix before "\"
(18) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(18) [ntdomain] = noop
(18) suffix: Checking for suffix after "@"
(18) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(18) suffix: Found realm "NULL"
(18) suffix: Adding Stripped-User-Name = "myUsername"
(18) suffix: Adding Realm = "NULL"
(18) suffix: Authentication realm is LOCAL
(18) [suffix] = ok
(18) update request {
(18) } # update request = noop
(18) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(18) fsu-rsa-macs: --> Calling-MAC
(18) [fsu-rsa-macs] = noop
(18) if (ok) {
(18) if (ok) -> FALSE
(18) else {
(18) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(18) fsu-rsa-atwpa-aruba: --> FSUCoreX
(18) [fsu-rsa-atwpa-aruba] = noop
(18) if (ok) {
(18) if (ok) -> FALSE
(18) else {
(18) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(18) fsu-rsa-atwpa-cisco: -->
(18) [fsu-rsa-atwpa-cisco] = noop
(18) if (ok) {
(18) if (ok) -> FALSE
(18) } # else = noop
(18) } # else = noop
(18) if (&request:Hint == "RSA") {
(18) if (&request:Hint == "RSA") -> FALSE
(18) else {
(18) fsu-eap: Peer sent EAP Response (code 2) ID 7 length 37
(18) fsu-eap: Continuing tunnel setup
(18) [fsu-eap] = ok
(18) } # else = ok
(18) } # authorize = ok
(18) Found Auth-Type = fsu-eap
(18) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(18) Auth-Type fsu-eap {
(18) fsu-eap: Expiring EAP session with state 0x6295751763926f56
(18) fsu-eap: Finished EAP session with state 0xed876281e8807bf6
(18) fsu-eap: Previous EAP request found for state 0xed876281e8807bf6, released from the list
(18) fsu-eap: Peer sent packet with method EAP PEAP (25)
(18) fsu-eap: Calling submodule eap_peap to process data
(18) eap_peap: Continuing EAP-TLS
(18) eap_peap: [eaptls verify] = ok
(18) eap_peap: Done initial handshake
(18) eap_peap: [eaptls process] = ok
(18) eap_peap: Session established. Decoding tunneled attributes
(18) eap_peap: PEAP state phase2
(18) eap_peap: EAP method MSCHAPv2 (26)
(18) eap_peap: Got tunneled request
(18) eap_peap: EAP-Message = 0x020700061a03
(18) eap_peap: Setting User-Name to myUsername
(18) eap_peap: Sending tunneled request to fsu-peap-inner-tunnel
(18) eap_peap: EAP-Message = 0x020700061a03
(18) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(18) eap_peap: User-Name = "myUsername"
(18) eap_peap: State = 0x6295751763926f5699fbad14c2f8e6da
(18) Virtual server fsu-peap-inner-tunnel received request
(18) EAP-Message = 0x020700061a03
(18) FreeRADIUS-Proxied-To = 127.0.0.1
(18) User-Name = "myUsername"
(18) State = 0x6295751763926f5699fbad14c2f8e6da
(18)G: Outer and inner identities are the same. User privacy is compromised.
(18) server fsu-peap-inner-tunnel {
(18) session-state: No cached attributes
(18) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(18) authorize {
(18) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(18) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(18) if ( &User-Name =~ /\s/ ) {
(18) if ( &User-Name =~ /\s/ ) -> FALSE
(18) suffix: Checking for suffix after "@"
(18) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(18) suffix: Found realm "NULL"
(18) suffix: Adding Stripped-User-Name = "myUsername"
(18) suffix: Adding Realm = "NULL"
(18) suffix: Authentication realm is LOCAL
(18) [suffix] = ok
(18) update {
(18) EXPAND %{Client-Shortname}
(18) --> Cam2
(18) } # update = noop
(18) fsu-eap: Peer sent EAP Response (code 2) ID 7 length 6
(18) fsu-eap: No EAP Start, assuming it's an on-going EAP conversation
(18) [fsu-eap] = updated
(18) if ( &EAP-Message =~ /^0x02..00061a..$/ ) {
(18) if ( &EAP-Message =~ /^0x02..00061a..$/ ) -> TRUE
(18) if ( &EAP-Message =~ /^0x02..00061a..$/ ) {
(18) policy fsu-peap-cache-policy {
(18) if ( &User-Name =~ /@devices/ ){
(18) if ( &User-Name =~ /@devices/ ) -> FALSE
(18) else {
(18) fsu-cache-ldap-people-inner-tunnel-attributes: EXPAND %{User-Name}
(18) fsu-cache-ldap-people-inner-tunnel-attributes: --> myUsername
(18) fsu-cache-ldap-people-inner-tunnel-attributes: Found entry for "myUsername"
(18) fsu-cache-ldap-people-inner-tunnel-attributes: Merging cache entry into request
(18) fsu-cache-ldap-people-inner-tunnel-attributes: &reply:My-Local-VLAN := "vlan2"
(18) [fsu-cache-ldap-people-inner-tunnel-attributes] = ok
(18) if (updated) {
(18) if (updated) -> FALSE
(18) elsif (noop) {
(18) elsif (noop) -> FALSE
(18) elsif (ok) {
(18) elsif (ok) -> TRUE
(18) elsif (ok) {
(18) update control {
(18) } # update control = noop
(18) } # elsif (ok) = noop
(18) ... skipping else: Preceding "if" was taken
(18) } # else = ok
(18) } # policy fsu-peap-cache-policy = ok
(18) return
(18) } # if ( &EAP-Message =~ /^0x02..00061a..$/ ) = ok
(18) } # authorize = updated
(18) Found Auth-Type = fsu-eap
(18) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(18) Auth-Type fsu-eap {
(18) fsu-eap: Expiring EAP session with state 0x6295751763926f56
(18) fsu-eap: Finished EAP session with state 0x6295751763926f56
(18) fsu-eap: Previous EAP request found for state 0x6295751763926f56, released from the list
(18) fsu-eap: Peer sent packet with method EAP MSCHAPv2 (26)
(18) fsu-eap: Calling submodule eap_mschapv2 to process data
(18) fsu-eap: Sending EAP Success (code 3) ID 7 length 4
(18) fsu-eap: Freeing handler
(18) [fsu-eap] = ok
(18) } # Auth-Type fsu-eap = ok
(18) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(18) post-auth {
(18) update reply {
(18) } # update reply = noop
(18) update outer.session-state {
(18) } # update outer.session-state = noop
(18) } # post-auth = noop
(18) EXPAND %{My-Local-SSID} %{My-Local-AP} %{My-Local-Group} %{My-Local-Device} %{reply:My-Local-VLAN}
(18) --> vlan2
(18) } # server fsu-peap-inner-tunnel
(18) Virtual server sending reply
(18) My-Local-VLAN = "vlan2"
(18) eap_peap: Got tunneled reply code 2
(18) eap_peap: My-Local-VLAN = "vlan2"
(18) eap_peap: Tunneled authentication was successful
(18) eap_peap: SUCCESS
(18) eap_peap: Saving tunneled attributes for later
(18) fsu-eap: Sending EAP Request (code 1) ID 8 length 46
(18) fsu-eap: EAP session adding &reply:State = 0xed876281eb8f7bf6
(18) [fsu-eap] = handled
(18) } # Auth-Type fsu-eap = handled
(18) Using Post-Auth-Type Challenge
(18) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(18) Challenge { ... } # empty sub-section is ignored
(18) session-state: Saving cached attributes
(18) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(18) TLS-Session-Version = "TLS 1.2"
(18) My-Local-VLAN := "vlan2"
(18) Sent Access-Challenge Id 81 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(18) EAP-Message = 0x0108002e1900170303002389c27588c852f5715e6c41502105700e5214de10b96118258b9bc05e08f83024124f92
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0xed876281eb8f7bf64bfe7e94b8bee491
(18) Finished request
(19) Received Access-Request Id 82 from w.x.y.z:54989 to a.b.c.e:1812 length 252
(19) User-Name = "myUsername"
(19) NAS-IP-Address = a.b.c.d
(19) NAS-Port = 0
(19) NAS-Identifier = "w.x.y.z"
(19) NAS-Port-Type = Wireless-802.11
(19) Calling-Station-Id = "Calling-MAC"
(19) Called-Station-Id = "Called-MAC"
(19) Service-Type = Framed-User
(19) Framed-MTU = 1100
(19) EAP-Message = 0x0208002e190017030300230000000000000005b340395d206b4b01c23ec16546b856e439347ccfb389a5358bf72a
(19) State = 0xed876281eb8f7bf64bfe7e94b8bee491
(19) Aruba-Essid-Name = "FSUCoreX"
(19) Aruba-Location-Id = "303H-mark"
(19) Aruba-AP-Group = "RAP-VoIP"
(19) Aruba-Device-Type = "Win 10"
(19) Message-Authenticator = 0x627c9e1982dd68cca2ae68b38deb7992
(19) Restoring &session-state
(19) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(19) &session-state:TLS-Session-Version = "TLS 1.2"
(19) &session-state:My-Local-VLAN := "vlan2"
(19) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(19) authorize {
(19) fsu-bad-passwords: EXPAND %{User-Name}
(19) fsu-bad-passwords: --> myUsername
(19) [fsu-bad-passwords] = noop
(19) if (ok) {
(19) if (ok) -> FALSE
(19) policy rewrite_calling_station_id {
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(19) update request {
(19) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(19) --> Calling-MAC
(19) } # update request = noop
(19) [updated] = updated
(19) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(19) ... skipping else: Preceding "if" was taken
(19) } # policy rewrite_calling_station_id = updated
(19) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(19) fsu-bad-macs: --> Calling-MAC
(19) [fsu-bad-macs] = noop
(19) if (ok) {
(19) if (ok) -> FALSE
(19) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(19) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(19) if (&User-Name =~ /^host\//) {
(19) if (&User-Name =~ /^host\//) -> FALSE
(19) if ( &User-Name =~ /\s/ ) {
(19) if ( &User-Name =~ /\s/ ) -> FALSE
(19) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(19) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(19) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(19) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(19) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(19) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(19) ntdomain: Checking for prefix before "\"
(19) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(19) [ntdomain] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(19) suffix: Found realm "NULL"
(19) suffix: Adding Stripped-User-Name = "myUsername"
(19) suffix: Adding Realm = "NULL"
(19) suffix: Authentication realm is LOCAL
(19) [suffix] = ok
(19) update request {
(19) } # update request = noop
(19) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(19) fsu-rsa-macs: --> Calling-MAC
(19) [fsu-rsa-macs] = noop
(19) if (ok) {
(19) if (ok) -> FALSE
(19) else {
(19) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(19) fsu-rsa-atwpa-aruba: --> FSUCoreX
(19) [fsu-rsa-atwpa-aruba] = noop
(19) if (ok) {
(19) if (ok) -> FALSE
(19) else {
(19) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(19) fsu-rsa-atwpa-cisco: -->
(19) [fsu-rsa-atwpa-cisco] = noop
(19) if (ok) {
(19) if (ok) -> FALSE
(19) } # else = noop
(19) } # else = noop
(19) if (&request:Hint == "RSA") {
(19) if (&request:Hint == "RSA") -> FALSE
(19) else {
(19) fsu-eap: Peer sent EAP Response (code 2) ID 8 length 46
(19) fsu-eap: Continuing tunnel setup
(19) [fsu-eap] = ok
(19) } # else = ok
(19) } # authorize = ok
(19) Found Auth-Type = fsu-eap
(19) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(19) Auth-Type fsu-eap {
(19) fsu-eap: Expiring EAP session with state 0xed876281eb8f7bf6
(19) fsu-eap: Finished EAP session with state 0xed876281eb8f7bf6
(19) fsu-eap: Previous EAP request found for state 0xed876281eb8f7bf6, released from the list
(19) fsu-eap: Peer sent packet with method EAP PEAP (25)
(19) fsu-eap: Calling submodule eap_peap to process data
(19) eap_peap: Continuing EAP-TLS
(19) eap_peap: [eaptls verify] = ok
(19) eap_peap: Done initial handshake
(19) eap_peap: [eaptls process] = ok
(19) eap_peap: Session established. Decoding tunneled attributes
(19) eap_peap: PEAP state send tlv success
(19) eap_peap: Received EAP-TLV response
(19) eap_peap: Success
(19) eap_peap: Using saved attributes from the original Access-Accept
(19) eap_peap: My-Local-VLAN = "vlan2"
(19) eap_peap: &request:EAP-Session-Resumed := 1
(19) fsu-eap: Sending EAP Success (code 3) ID 8 length 4
(19) fsu-eap: Freeing handler
(19) [fsu-eap] = ok
(19) } # Auth-Type fsu-eap = ok
(19) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(19) post-auth {
(19) update reply {
(19) } # update reply = noop
(19) if ( &reply:My-Local-VLAN == "student" ) {
(19) if ( &reply:My-Local-VLAN == "student" ) -> FALSE
(19) policy fsu-SSID-and-VLAN-policy {
(19) update {
(19) } # update = noop
(19) if ( &Aruba-Essid-Name ) {
(19) if ( &Aruba-Essid-Name ) -> TRUE
(19) if ( &Aruba-Essid-Name ) {
(19) update {
(19) } # update = noop
(19) if ( &My-Local-AP =~ /^(.*?)(\.wireless)?(\.fsu\.edu)$/i ) {
(19) if ( &My-Local-AP =~ /^(.*?)(\.wireless)?(\.fsu\.edu)$/i ) -> FALSE
(19) if ( &My-Local-Group =~ /^(.+) (.+$)/ ) {
(19) if ( &My-Local-Group =~ /^(.+) (.+$)/ ) -> FALSE
(19) } # if ( &Aruba-Essid-Name ) = noop
(19) ... skipping elsif: Preceding "if" was taken
(19) ... skipping elsif: Preceding "if" was taken
(19) ... skipping else: Preceding "if" was taken
(19) if (( !&My-Local-Device ) || ( &My-Local-Device == '' )) {
(19) if (( !&My-Local-Device ) || ( &My-Local-Device == '' )) -> FALSE
(19) elsif ( &My-Local-Device =~ /^(.+) (.+$)/ ) {
(19) elsif ( &My-Local-Device =~ /^(.+) (.+$)/ ) -> TRUE
(19) elsif ( &My-Local-Device =~ /^(.+) (.+$)/ ) {
(19) update {
(19) EXPAND %{1}_%{2}
(19) --> Win_10
(19) } # update = noop
(19) } # elsif ( &My-Local-Device =~ /^(.+) (.+$)/ ) = noop
(19) } # policy fsu-SSID-and-VLAN-policy = noop
(19) } # post-auth = noop
(19) EXPAND %{My-Local-SSID} %{My-Local-AP} %{My-Local-Group} %{My-Local-Device} %{reply:My-Local-VLAN}
(19) --> FSUCoreX 303H-mark RAP-VoIP Win_10 vlan2
(19) Sent Access-Accept Id 82 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(19) MS-MPPE-Recv-Key = 0xfc57aa43d0064c088b6c4375f15801b657c140dce3bbf3f12d588b495c095e46
(19) MS-MPPE-Send-Key = 0x27eb19dc16c19e8d22e9feb7c2b80cc7bc2840f2569955a368777696ef4d8bb6
(19) EAP-Message = 0x03080004
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) User-Name = "myUsername"
(19) Aruba-User-Vlan := vlan2
(19) Finished request
(12) Cleaning up request packet ID 75 with timestamp +136
(13) Cleaning up request packet ID 76 with timestamp +136
(14) Cleaning up request packet ID 77 with timestamp +137
(15) Cleaning up request packet ID 78 with timestamp +137
(16) Cleaning up request packet ID 79 with timestamp +137
(17) Cleaning up request packet ID 80 with timestamp +137
(18) Cleaning up request packet ID 81 with timestamp +137
(19) Cleaning up request packet ID 82 with timestamp +137
2
1
I should have specified that we are using FreeRADIUS Version 3.0.20
Doug
2
1
Dear admin,
because of identity fraud, please remove my whole post here:
http://lists.freeradius.org/pipermail/freeradius-users/2016-October/085222.…
Thanks a lot, please leave me a short reply.
All the best and stay save during covid19.
1
0
Re: v4: Can't see TLS certificate fields from `send Access-Accept` section anymore
by Nick Bogdanov 18 Feb '21
by Nick Bogdanov 18 Feb '21
18 Feb '21
>> In v4 I can see the cert fields in the `recv Access-Request` section
>> (after setting `virtual_server = default` in mods-available/eap) but
>> they are all empty when I try to read them from the `send
>> Access-Accept` section. In fact, if I uncomment these sections from
>> the default config, the fields are all empty too:
> Look at the debug output. You should be able to see when these attributes are added (or not).
Hi Alan,
They are getting set under "authenticate eap" and they are being
correctly parsed under "recv Access-Request". But then when I hit the
"send Access-Accept" step, they all vanish:
(14) Received Access-Request ID 237 from [redacted] to [redacted]
length 397 via socket radius_udp server * port 1812
(14) User-Name = "a"
(14) NAS-IP-Address = [redacted]
(14) NAS-Identifier = [redacted]
(14) Called-Station-Id = [redacted]
(14) NAS-Port-Type = Wireless-802.11
(14) Service-Type = Framed-User
(14) Calling-Station-Id = [redacted]
(14) Connect-Info = "CONNECT 0Mbps 802.11b"
(14) Acct-Session-Id = [redacted]
(14) Acct-Multi-Session-Id = [redacted]
(14) Mobility-Domain-Id = 21689
(14) WLAN-Pairwise-Cipher.OUI = [redacted]
(14) WLAN-Pairwise-Cipher.Suite-Type = 4
(14) WLAN-Group-Cipher.OUI = [redacted]
(14) WLAN-Group-Cipher.Type = 4
(14) WLAN-AKM-Suite.OUI = [redacted]
(14) WLAN-AKM-Suite.Suite-Type = 3
(14) Framed-MTU = 1400
(14) EAP-Message = [redacted]
(14) State = [redacted]
(14) Message-Authenticator = [redacted]
(14) Running request
(14,8) Restored &session-state
(14,8) &session-state.Session-State-User-Name = "a"
(14,8) Running 'recv Access-Request' from file
/root/freeradius-server/pfx/etc/raddb/sites-enabled/default
(14,8) recv Access-Request {
(14,8) policy filter_username {
(14,8) if (&State) {
(14,8) if (&User-Name) {
(14,8) if (!&session-state.Session-State-User-Name) {
(14,8) ...
(14,8) }
(14,8) if (&User-Name != &session-state.Session-State-User-Name) {
(14,8) ...
(14,8) }
(14,8) } # if (&User-Name) (...)
(14,8) } # if (&State) (...)
(14,8) } # policy filter_username (...)
(14,8) eap - Peer sent EAP Response (code 2) ID 19 length 153
(14,8) eap - Continuing on-going EAP conversation
(14,8) eap - Setting &control.Auth-Type = eap
(14,8) eap (updated)
(14,8) if ("%{session-state.TLS-Client-Cert-Common-Name}" != '') {
(14,8) EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(14,8) -->
(14,8) ...
(14,8) }
(14,8) files - EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(14,8) files - -->
(14,8) files (noop)
(14,8) expiration (noop)
(14,8) logintime (noop)
(14,8) pap (noop)
(14,8) } # recv Access-Request (updated)
(14,8) Running 'authenticate eap' from file
/root/freeradius-server/pfx/etc/raddb/sites-enabled/default
(14,8) authenticate eap {
(14,8) eap - Continuing EAP session
(14,8) eap - Peer sent packet with EAP method TLS (13)
(14,8) eap - Calling submodule eap_tls
(14,8) eap (noop)
(14,8) subrequest {
(14,8) Creating subrequest (14.0)
(14,8) EAP-Type = TLS
(14,8) EAP-Identity = "a"
(14.0) eap.tls - Continuing EAP-TLS
(14.0) eap.tls - Got final TLS record fragment (147 bytes)
(14.0) eap.tls - [eap-tls verify] = complete
(14.0) eap.tls - Handshake state - Server SSLv3/TLS write server done (26)
(14.0) eap.tls - <<< recv TLS 1.2, handshake[length 2543],
unknown_handshake_type_0x000b
(14.0) eap.tls - [verify chain] = ok
(14.0) eap.tls - Adding certificate attributes to session-state
(14.0) eap.tls - &session-state.TLS-Cert-Serial = [redacted]
(14.0) eap.tls - &session-state.TLS-Cert-Expiration = "Jun 11
1979 21:19:41 UTC"
(14.0) eap.tls - &session-state.TLS-Cert-Subject = [redacted]
(14.0) eap.tls - &session-state.TLS-Cert-Common-Name = [redacted]
(14.0) eap.tls - &session-state.TLS-Cert-Issuer = [redacted]
(14.0) eap.tls - [verify chain] = ok
(14.0) eap.tls - Adding certificate attributes to session-state
(14.0) eap.tls - &session-state.TLS-Client-Cert-Serial = [redacted]
(14.0) eap.tls - &session-state.TLS-Client-Cert-Expiration = [redacted]
(14.0) eap.tls - &session-state.TLS-Client-Cert-Subject = [redacted]
(14.0) eap.tls - &session-state.TLS-Client-Cert-Common-Name = [redacted]
(14.0) eap.tls - &session-state.TLS-Client-Cert-Issuer = [redacted]
(14.0) eap.tls -
&session-state.TLS-Client-Cert-X509v3-Basic-Constraints = "CA:FALSE"
(14.0) eap.tls -
&session-state.TLS-Client-Cert-X509v3-Subject-Key-Identifier =
[redacted]
(14.0) eap.tls -
&session-state.TLS-Client-Cert-X509v3-Authority-Key-Identifier =
[redacted]
(14.0) eap.tls - [verify client] = ok
(14.0) eap.tls - Handshake state - Server SSLv3/TLS read client
certificate (27)
(14.0) eap.tls - <<< recv TLS 1.2, handshake[length 70],
unknown_handshake_type_0x0010
(14.0) eap.tls - Handshake state - Server SSLv3/TLS read client key
exchange (28)
(14.0) eap.tls - <<< recv TLS 1.2, handshake[length 264],
unknown_handshake_type_0x000f
(14.0) eap.tls - Handshake state - Server SSLv3/TLS read
certificate verify (29)
(14.0) eap.tls - Handshake state - Server SSLv3/TLS read change
cipher spec (31)
(14.0) eap.tls - <<< recv TLS 1.2, handshake[length 16],
unknown_handshake_type_0x0014
(14.0) eap.tls - Handshake state - Server SSLv3/TLS read finished (32)
(14.0) eap.tls - >>> send TLS 1.2, change_cipher_spec[length 1]
(14.0) eap.tls - Handshake state - Server SSLv3/TLS write change
cipher spec (35)
(14.0) eap.tls - >>> send TLS 1.2, handshake[length 16],
unknown_handshake_type_0x0014
(14.0) eap.tls - Handshake state - Server SSLv3/TLS write finished (36)
(14.0) eap.tls - Handshake state - SSL negotiation finished successfully (1)
(14.0) eap.tls - Cipher suite: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2
Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
(14.0) eap.tls - Adding TLS session information to request
(14.0) eap.tls - &session-state.TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(14.0) eap.tls - &session-state.TLS-Session-Version := "TLS 1.2"
(14.0) eap.tls - Sending complete TLS record (51 bytes)
(14.0) eap.tls - [eap-tls process] = handled
(14.0) eap.tls (handled)
(14,8) } # subrequest (handled)
(14,8) eap - Sending EAP Request (code 1) ID 20 length 61
(14,8) eap (handled)
(14,8) } # authenticate eap (handled)
(14,8) Running 'send Access-Challenge' from file
/root/freeradius-server/pfx/etc/raddb/sites-enabled/default
(14,8) send Access-Challenge {
(14,8) attr_filter.access_challenge - EXPAND %{User-Name}
(14,8) attr_filter.access_challenge - --> a
(14,8) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(14,8) attr_filter.access_challenge.post-auth (updated)
(14,8) handled (handled)
(14,8) } # send Access-Challenge (handled)
(14,8) Saving &session-state
(14,8) &session-state.Session-State-User-Name = "a"
(14,8) Done request
(14,8) Sending Access-Challenge ID 237 from [redacted] to [redacted]
length 119 via socket radius_udp server * port 1812
(14,8) State = [redacted]
(14,8) Message-Authenticator = [redacted]
(14,8) EAP-Message = [redacted]
(14,8) Finished request
proto_radius_udp - cleaning up request in 5.000000s
proto_radius_udp - Received Access-Request ID 238 length 250
radius_udp server * port 1812
(15) Received Access-Request ID 238 from [redacted] to [redacted]
length 250 via socket radius_udp server * port 1812
(15) User-Name = "a"
(15) NAS-IP-Address = [redacted]
(15) NAS-Identifier = [redacted]
(15) Called-Station-Id = [redacted]
(15) NAS-Port-Type = Wireless-802.11
(15) Service-Type = Framed-User
(15) Calling-Station-Id = [redacted]
(15) Connect-Info = "CONNECT 0Mbps 802.11b"
(15) Acct-Session-Id = [redacted]
(15) Acct-Multi-Session-Id = [redacted]
(15) Mobility-Domain-Id = 21689
(15) WLAN-Pairwise-Cipher.OUI = [redacted]
(15) WLAN-Pairwise-Cipher.Suite-Type = 4
(15) WLAN-Group-Cipher.OUI = [redacted]
(15) WLAN-Group-Cipher.Type = 4
(15) WLAN-AKM-Suite.OUI = [redacted]
(15) WLAN-AKM-Suite.Suite-Type = 3
(15) Framed-MTU = 1400
(15) EAP-Message = [redacted]
(15) State = [redacted]
(15) Message-Authenticator = [redacted]
(15) Running request
(15,8) Restored &session-state
(15,8) &session-state.Session-State-User-Name = "a"
(15,8) Running 'recv Access-Request' from file
/root/freeradius-server/pfx/etc/raddb/sites-enabled/default
(15,8) recv Access-Request {
(15,8) policy filter_username {
(15,8) if (&State) {
(15,8) if (&User-Name) {
(15,8) if (!&session-state.Session-State-User-Name) {
(15,8) ...
(15,8) }
(15,8) if (&User-Name != &session-state.Session-State-User-Name) {
(15,8) ...
(15,8) }
(15,8) } # if (&User-Name) (...)
(15,8) } # if (&State) (...)
(15,8) } # policy filter_username (...)
(15,8) eap - Peer sent EAP Response (code 2) ID 20 length 6
(15,8) eap - Continuing on-going EAP conversation
(15,8) eap - Setting &control.Auth-Type = eap
(15,8) eap (updated)
(15,8) if ("%{session-state.TLS-Client-Cert-Common-Name}" != '') {
(15,8) EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(15,8) -->
(15,8) ...
(15,8) }
(15,8) files - EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(15,8) files - -->
(15,8) files (noop)
(15,8) expiration (noop)
(15,8) logintime (noop)
(15,8) pap (noop)
(15,8) } # recv Access-Request (updated)
(15,8) Running 'authenticate eap' from file
/root/freeradius-server/pfx/etc/raddb/sites-enabled/default
(15,8) authenticate eap {
(15,8) eap - Continuing EAP session
(15,8) eap - Peer sent packet with EAP method TLS (13)
(15,8) eap - Calling submodule eap_tls
(15,8) eap (noop)
(15,8) subrequest {
(15,8) Creating subrequest (15.0)
(15,8) EAP-Type = TLS
(15,8) EAP-Identity = "a"
(15.0) eap.tls - Continuing EAP-TLS
(15.0) eap.tls - Peer ACKed our handshake fragment. handshake is finished
(15.0) eap.tls - [eap-tls verify] = established
(15.0) eap.tls - [eap-tls process] = established
(15.0) eap.tls - Validating certificate
(15.0) eap.tls (yield)
(15.0) recv Access-Request {
(15.0) policy filter_username {
(15.0) if (&State) {
(15.0) ...
(15.0) }
(15.0) elsif (&User-Name) {
(15.0) ...
(15.0) }
(15.0) } # policy filter_username (...)
(15.0) eap - No EAP-Message, not doing EAP
(15.0) eap (noop)
(15.0) if ("%{session-state.TLS-Client-Cert-Common-Name}" != '') {
(15.0) EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(15.0) --> [redacted]
(15.0) files - EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(15.0) files - --> [redacted]
(15.0) files - Found match "[redacted]" on line 3 of
/root/freeradius-server/pfx/etc/raddb/mods-config/files/authorize
(15.0) files (ok)
(15.0) if (!ok) {
(15.0) ...
(15.0) }
(15.0) update reply {
(15.0) &Tunnel-Type = VLAN
(15.0) &Tunnel-Medium-Type = IEEE-802
(15.0) } # update reply (noop)
(15.0) if ("%{session-state.TLS-Client-Cert-Subject}" =~ /[redacted]/) {
(15.0) EXPAND %{session-state.TLS-Client-Cert-Subject}
(15.0) --> /CN=[redacted]
(15.0) ...
(15.0) }
(15.0) elsif ("%{session-state.TLS-Client-Cert-Subject}" =~
/[redacted]/) {
(15.0) EXPAND %{session-state.TLS-Client-Cert-Subject}
(15.0) --> /CN=[redacted]
(15.0) update reply {
(15.0) &Tunnel-Private-Group-Id = "7"
(15.0) } # update reply (noop)
(15.0) update session-state {
(15.0) &Tmp-String-9 = "7"
(15.0) } # update session-state (noop)
(15.0) } # elsif ("%{session-state.TLS-Client-Cert-Subject}" =~
/[redacted]/) (noop)
(15.0) } # if ("%{session-state.TLS-Client-Cert-Common-Name}" != '') (ok)
(15.0) files - EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(15.0) files - --> [redacted]
(15.0) files - Found match "[redacted]" on line 3 of
/root/freeradius-server/pfx/etc/raddb/mods-config/files/authorize
(15.0) files (ok)
(15.0) expiration (noop)
(15.0) logintime (noop)
(15.0) pap - No User-Password attribute in the request. Cannot do PAP
(15.0) pap (noop)
(15.0) } # recv Access-Request (ok)
(15.0) No session data available to cache
(15,8) Adding session keys
(15,8) &reply.Vendor-Specific.Microsoft.MPPE-Recv-Key = [redacted]
(15,8) &reply.Vendor-Specific.Microsoft.MPPE-Send-Key = [redacted]
(15,8) &reply.EAP-MSK = [redacted]
(15,8) &reply.EAP-EMSK = [redacted]
(15.0) &reply.EAP-Session-Id = [redacted]
(15,8) } # subrequest (ok)
(15,8) eap - Sending EAP Success (code 3) ID 20 length 4
(15,8) eap - Cleaning up EAP session
(15,8) eap (ok)
(15,8) } # authenticate eap (ok)
(15,8) Running 'send Access-Accept' from file
/root/freeradius-server/pfx/etc/raddb/sites-enabled/default
(15,8) send Access-Accept {
(15,8) update {
(15,8) &reply += &session-state -> "a"
(15,8) } # update (noop)
(15,8) eap (noop)
(15,8) update reply {
(15,8) EXPAND %{session-state.TLS-Cert-Serial}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Expiration}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Subject}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Issuer}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Common-Name}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Subject-Alt-Name-Email}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Serial}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Expiration}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Subject}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Issuer}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Subject-Alt-Name-Email}
(15,8) --> (null)
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) } # update reply (noop)
(15,8) update reply {
(15,8) EXPAND %{session-state.Tmp-String-9}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Subject}
(15,8) --> (null)
(15,8) &Tunnel-Type = VLAN
(15,8) &Tunnel-Medium-Type = IEEE-802
(15,8) &Tunnel-Private-Group-Id = ""
(15,8) &Tmp-String-9 := ""
(15,8) } # update reply (noop)
(15,8) if ("%{reply.Tunnel-Private-Group-Id}" == "") {
(15,8) EXPAND %{reply.Tunnel-Private-Group-Id}
(15,8) -->
(15,8) reject (reject)
(15,8) } # if ("%{reply.Tunnel-Private-Group-Id}" == "") (reject)
(15,8) } # send Access-Accept (reject)
(15,8) WARNING: Failed running 'send Access-Accept', trying 'send
Access-Reject'
Notes:
1) The above log also reflects some unsuccessful experiments I was
doing to try to get the Tunnel-Private-Group-Id to propagate to the
Access-Accept stage, so some of the variable assignments might not
make sense.
2) I don't think session-state.TLS-Cert-Expiration is being parsed correctly.
3) I didn't enable delivery of every freeradius-users message, so if
you could cc: me on replies that would be much appreciated.
2
4
v4: Can't see TLS certificate fields from `send Access-Accept` section anymore
by Nick Bogdanov 17 Feb '21
by Nick Bogdanov 17 Feb '21
17 Feb '21
I am using EAP-TLS authentication and trying to read the
%{session-state.TLS-Client-Cert-Subject} attribute in order to set the
reply.Tunnel-Private-Group-Id field. In v3 I could just add this to
my post-auth section:
if (TLS-Client-Cert-Subject =~ /\/OU=VLAN 1\//) {
update reply {
&Tunnel-Private-Group-Id = "1"
}
}
In v4 I can see the cert fields in the `recv Access-Request` section
(after setting `virtual_server = default` in mods-available/eap) but
they are all empty when I try to read them from the `send
Access-Accept` section. In fact, if I uncomment these sections from
the default config, the fields are all empty too:
# update reply {
# &Reply-Message += "%{session-state.TLS-Cert-Serial}"
# &Reply-Message += "%{session-state.TLS-Cert-Expiration}"
# &Reply-Message += "%{session-state.TLS-Cert-Subject}"
# &Reply-Message += "%{session-state.TLS-Cert-Issuer}"
# &Reply-Message += "%{session-state.TLS-Cert-Common-Name}"
# &Reply-Message += "%{session-state.TLS-Cert-Subject-Alt-Name-Email}"
#
# &Reply-Message += "%{session-state.TLS-Client-Cert-Serial}"
# &Reply-Message += "%{session-state.TLS-Client-Cert-Expiration}"
# &Reply-Message += "%{session-state.TLS-Client-Cert-Subject}"
# &Reply-Message += "%{session-state.TLS-Client-Cert-Issuer}"
# &Reply-Message += "%{session-state.TLS-Client-Cert-Common-Name}"
# &Reply-Message += "%{session-state.TLS-Client-Cert-Subject-Alt-Name-Email}"
# }
The log says:
(15,8) update reply {
(15,8) EXPAND %{session-state.TLS-Cert-Serial}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Expiration}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Subject}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Issuer}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Common-Name}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Subject-Alt-Name-Email}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Serial}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Expiration}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Subject}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Issuer}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Subject-Alt-Name-Email}
(15,8) --> (null)
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) } # update reply (noop)
I am running git rev 89b77dc09571cb4ac3cd4d639aee6c17bea23182, built
from source. I saw something in upgrade.adoc about using the `filter`
directive but it wasn't clear to me what that meant. Am I missing
something simple or is this a bug?
2
1