Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
October 2022
- 31 participants
- 29 discussions
Hello all,
I've been searching the docs to see if TACACS+ is supported by
FreeRadius out-of-the-box. I've read a lot of the doc. It appears that
TACACS+ is not supported and there is no built in module for it.
Is that true?
Are there any third party TACACS+ modules that FreeRadius suggests I
look at?
Many thanks,
/Mike
2
1
Hi there all,
Quick question. Does freeradius support TACACS+ "out of the box". Or
do I have to find and use a plug in from a third party?
Many thanks,
/Mike
On Sat, Oct 22, 2022 at 8:00 AM
<freeradius-users-request(a)lists.freeradius.org> wrote:
>
> Send Freeradius-Users mailing list submissions to
> freeradius-users(a)lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request(a)lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner(a)lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Re: MD5 auth failed (Ihsan)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 22 Oct 2022 05:13:32 +0200
> From: Ihsan <ihsan(a)ihsansoft.nl>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: MD5 auth failed
> Message-ID: <E20C8D26-9F32-4C0F-B40A-1C9CF6715572(a)ihsansoft.nl>
> Content-Type: text/plain; charset=utf-8
>
> OMG So obvious ?. I?m sorry haha.
>
> Thank You!
> E-maildisclaimer: Aan dit bericht, waaronder ook de eventuele bijlagen worden bedoeld, kunnen geen rechten worden ontleend. Dit bericht is uitsluitend bestemd voor de geadresseerde en bevat persoonlijke en vertrouwelijke informatie. Het bekend maken, kopieren en verspreiden van een bericht dat niet voor u bestemd is, is niet toegestaan. Als u dit bericht per ongeluk heeft ontvangen, verzoeken wij u vriendelijk het direct te vernietigen en de afzender te informeren. Twijfelt u over de juistheid of volledigheid van dit bericht? Neem dan contact op met de afzender.?
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 210, Issue 23
> *************************************************
--
Michael A Hawkins
203-550-5502
2
1
Hi,
I get this error (0) pap: ERROR: MD5 digest does not match "known good" digest
when i try to logon with name test and password testing123
sudo radtest test testing123 localhost 1812 testing123
this is inside the users :
"test" MD5-Password :=“c1fae6c8a0fc99eef1f026f556ce1b58"
E-maildisclaimer: Aan dit bericht, waaronder ook de eventuele bijlagen worden bedoeld, kunnen geen rechten worden ontleend. Dit bericht is uitsluitend bestemd voor de geadresseerde en bevat persoonlijke en vertrouwelijke informatie. Het bekend maken, kopieren en verspreiden van een bericht dat niet voor u bestemd is, is niet toegestaan. Als u dit bericht per ongeluk heeft ontvangen, verzoeken wij u vriendelijk het direct te vernietigen en de afzender te informeren. Twijfelt u over de juistheid of volledigheid van dit bericht? Neem dan contact op met de afzender.
6
9
Good morning,
I have an interesting use case for the linelog module. I want to get information about successful and unsuccessful authentication attempts in one place in a format that is easily consumable by, e.g. log shipping tools. So far, I’ve found that I can do a config snippet such as
Access-Accept = "%T Accepted User: %{User-Name} NAS-IP-Address %{NAS-IP-Address} Access-Level: %{Tmp-String-0}”
to get the user, device and access level granted to the engineer.
Is there any way that we could get the VSAs that get returned so we could log them here as well? Sure, we get them in the detailed reply_logs, but those aren’t the most useful thing for a log aggregation tool to parse. If I know the device is, e.g. Cisco or Juniper, I’d just log %{Cisco-AVPair} or %{JunOS-Local-User-Name}, but I’d rather do that in a more vendor-agnostic way if I can.
Worst case, I can just use the detail files if necessary and let the log-shipping tool figure it out.
Thanks,
--
Coy Hile
coy.hile(a)coyhile.com
4
5
On Oct 20, 2022, at 3:09 AM, Pascal Legrand <pascal.legrand(a)univ-orleans.fr> wrote:
>
> Hello and thank you for your answer,
> Is there a solution more simlpe to allow all stations to access the network punctually?
> Authorize punctually all MAC addresses?
You want a solution which is simpler than 10 lines of text?
I'm curious how you think you can write complex policies in extremely simple terms.
Alan DeKok.
1
0
Hi,
What is the data type returned by sql query using module syntax? Does freeradius support 8 byte integers for sql query result? What will happen if the sql returns 8 byte integer? Will it overflow?
Regards,
Tianchen
2
1
Greetings FR-users,
I'm standing up a new RADIUS server that needs to proxy requests to both
single and two factor RADIUS systems. I am looking for some feedback on my
design.
I'd like the option to configure local clients to either single factor or
two factor auth.
The proxy server I set up could listen on 1812 and 1814. Clients that
need/want single factor auth will request to 1812 and clients that
need/want two factor auth will request to 1814. With corresponding acct
listening on 1813 and 1815.
Is this sensible? Are there any standard FR configurations for working with
clients to proxy to different RADIUS servers?
Thanks for any feedback!
-m
3
4
14 Oct '22
Hello everyone, and thank you for your future help in solving this problem.
I’m trying to implement, a FreeRADIUS server for a wired usage using
EAP-TTLS/PAP protocol, I’m authorizing my users based on their credentials
saved in the users file.
I’ve created my certificates (CA and server) following the recommended
guidelines.
When I test EAP-TTLS/PAP with eapol_test, i’ve got a success message, the
same goes when I authenticate on my laptop under Windows 11 OS, with
EAP-PEAP, while previously disabling « check the identity of the server… ».
And when I click on the connect button after sending my credentials, to
acknowledge my certificate is not safe, I succeed to connect.
But when I try to authenticate with EAP-TTLS/PAP, it fails when I click on «
connect », I don’t have any following response to my Access-Challenge
packets.
I know there is an article on wiki.freeradius about certificate
compatibility, but I’ve not been able to solve the problem even with it.
FreeRADIUS Version 3.0.20
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/digest
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/rfc7542
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipv4addr = 127.0.0.1
port = 1812
type = "auth"
proto = "udp"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
shortname = "localhost"
proto = "udp"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client private-network-1 {
ipaddr = 10.101.0.20
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client swi-d1-p1-p173-001 {
ipv4addr = 10.100.0.16
require_message_authenticator = no
secret = <<< secret >>>
shortname = "swi_nico_p173"
nas_type = "cisco"
virtual_server = "serveur_eap_ttls_pap"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client swi-d1-p173-002 {
ipv4addr = 10.100.0.50
require_message_authenticator = no
secret = <<< secret >>>
shortname = "swi_said_edward_p173"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client test-network {
ipaddr = 10.112.0.136
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_exec
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = yes
with_alvarion_vsa_hack = no
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
--password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = yes
max_sessions = 16384
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/raddb/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /etc/raddb/mods-enabled/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference =
"Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
instantiate {
}
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail
output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.key"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "PROFILE=SYSTEM"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = yes
override_cert_url = no
url = http://127.0.0.1/ocsp/
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = yes
}
# Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/etc/raddb/sites-enabled/inner-tunnel:336
} # server inner-tunnel
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipv4addr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv4addr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on proxy address * port 56698
Ready to process requests
(0) Received Accounting-Request Id 60 from 10.100.0.50:1646 to
10.101.0.20:1813 length 285
(0) Acct-Session-Id = "0000006A"
(0) Cisco-AVPair = "audit-session-id=0A6400320000003BB2AB2641"
(0) User-Name = "test"
(0) Acct-Authentic = RADIUS
(0) Acct-Terminate-Cause = Lost-Carrier
(0) Cisco-AVPair = "disc-cause-ext=No Reason"
(0) Cisco-AVPair = "connect-progress=Call Up"
(0) Acct-Session-Time = 93
(0) Acct-Input-Octets = 14097
(0) Acct-Output-Octets = 19204
(0) Acct-Input-Packets = 127
(0) Acct-Output-Packets = 74
(0) Acct-Status-Type = Stop
(0) NAS-Port-Type = Ethernet
(0) NAS-Port = 50006
(0) NAS-Port-Id = "GigabitEthernet0/6"
(0) Called-Station-Id = "24-01-C7-8E-84-86"
(0) Calling-Station-Id = "74-78-27-1B-F2-78"
(0) Service-Type = Framed-User
(0) NAS-IP-Address = 10.100.0.50
(0) Acct-Delay-Time = 19
(0) # Executing section preacct from file /etc/raddb/sites-enabled/default
(0) preacct {
(0) [preprocess] = ok
(0) policy acct_unique {
(0) update request {
(0) &Tmp-String-9 := "ai:"
(0) } # update request = noop
(0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(0) EXPAND %{hex:&Class}
(0) -->
(0) EXPAND ^%{hex:&Tmp-String-9}
(0) --> ^61693a
(0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(0) else {
(0) update request {
(0) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Addres
s}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(0) --> 0391b84a0867b3fc2bafaf4741bd212a
(0) &Acct-Unique-Session-Id := 0391b84a0867b3fc2bafaf4741bd212a
(0) } # update request = noop
(0) } # else = noop
(0) } # policy acct_unique = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) [files] = noop
(0) } # preacct = ok
(0) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(0) accounting {
(0) detail: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d
(0) detail: --> /var/log/radius/radacct/10.100.0.50/detail-20220725
(0) detail:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d expands to
/var/log/radius/radacct/10.100.0.50/detail-20220725
(0) detail: EXPAND %t
(0) detail: --> Mon Jul 25 18:15:40 2022
(0) [detail] = ok
(0) [unix] = ok
(0) radutmp: EXPAND /var/log/radius/radutmp
(0) radutmp: --> /var/log/radius/radutmp
(0) radutmp: EXPAND %{User-Name}
(0) radutmp: --> test
(0) [radutmp] = ok
(0) sradutmp: EXPAND /var/log/radius/sradutmp
(0) sradutmp: --> /var/log/radius/sradutmp
(0) sradutmp: EXPAND %{User-Name}
(0) sradutmp: --> test
(0) [sradutmp] = ok
(0) [exec] = noop
(0) attr_filter.accounting_response: EXPAND %{User-Name}
(0) attr_filter.accounting_response: --> test
(0) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(0) [attr_filter.accounting_response] = updated
(0) } # accounting = updated
(0) Sent Accounting-Response Id 60 from 10.101.0.20:1813 to 10.100.0.50:1646
length 0
(0) Finished request
(0) Cleaning up request packet ID 60 with timestamp +3
Ready to process requests
(1) Received Access-Request Id 0 from 127.0.0.1:48058 to 127.0.0.1:1812
length 142
(1) User-Name = "anonymous_test"
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) EAP-Message = 0x02a1001301616e6f6e796d6f75735f74657374
(1) Message-Authenticator = 0x63e0215c3759e15af3f8b2b777ce8370
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 161 length 19
(1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Auth-Type eap {
(1) eap: Peer sent packet with method EAP Identity (1)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Initiating new TLS session
(1) eap_ttls: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 162 length 6
(1) eap: EAP session adding &reply:State = 0x594837c159ea227a
(1) [eap] = handled
(1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(1) EXPAND Response-Packet-Type
(1) --> Access-Challenge
(1) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(1) attr_filter.access_challenge: EXPAND %{User-Name}
(1) attr_filter.access_challenge: --> anonymous_test
(1) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(1) [attr_filter.access_challenge.post-auth] = updated
(1) [handled] = handled
(1) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(1) } # Auth-Type eap = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:48058 length
0
(1) EAP-Message = 0x01a200061520
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x594837c159ea227a35f4296c6c550caa
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 1 from 127.0.0.1:48058 to 127.0.0.1:1812
length 343
(2) User-Name = "anonymous_test"
(2) NAS-IP-Address = 127.0.0.1
(2) Calling-Station-Id = "02-00-00-00-00-01"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Connect-Info = "CONNECT 11Mbps 802.11b"
(2) EAP-Message =
0x02a200ca150016030100bf010000bb03037526679cd3ccd5346e9ffc32b3a61bc85036d03f
f978485f54af4c4c4713eef2000048c02cc030cca9cca8c0adc02bc02fc0acc023c027c00ac0
14c009c013009dc09d009cc09c003d003c0035002f009fccaac09f009ec09e006b0067003900
33c008c012000a001600ff0100004a000b000403000102000a000c000a001d0017001e001900
180016000000170000000d002600240403050306030807080808090804080a0805080b080604
01050106010303030102030201
(2) State = 0x594837c159ea227a35f4296c6c550caa
(2) Message-Authenticator = 0xa2ab78a30c2fd4c0b1e73fbaaa7c1007
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 162 length 202
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Auth-Type eap {
(2) eap: Expiring EAP session with state 0x594837c159ea227a
(2) eap: Finished EAP session with state 0x594837c159ea227a
(2) eap: Previous EAP request found for state 0x594837c159ea227a, released
from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Got final TLS record fragment (196 bytes)
(2) eap_ttls: WARNING: Total received TLS record fragments (196 bytes), does
not equal indicated TLS record length (0 bytes)
(2) eap_ttls: [eaptls verify] = ok
(2) eap_ttls: Done initial handshake
(2) eap_ttls: (other): before SSL initialization
(2) eap_ttls: TLS_accept: before SSL initialization
(2) eap_ttls: TLS_accept: before SSL initialization
(2) eap_ttls: <<< recv TLS 1.3 [length 00bf]
(2) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(2) eap_ttls: >>> send TLS 1.2 [length 003d]
(2) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(2) eap_ttls: >>> send TLS 1.2 [length 08e9]
(2) eap_ttls: TLS_accept: SSLv3/TLS write certificate
(2) eap_ttls: >>> send TLS 1.2 [length 014d]
(2) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
(2) eap_ttls: >>> send TLS 1.2 [length 0004]
(2) eap_ttls: TLS_accept: SSLv3/TLS write server done
(2) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(2) eap_ttls: TLS - In Handshake Phase
(2) eap_ttls: TLS - got 2699 bytes of data
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 163 length 1014
(2) eap: EAP session adding &reply:State = 0x594837c158eb227a
(2) [eap] = handled
(2) if (handled && (Response-Packet-Type == Access-Challenge)) {
(2) EXPAND Response-Packet-Type
(2) --> Access-Challenge
(2) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(2) if (handled && (Response-Packet-Type == Access-Challenge)) {
(2) attr_filter.access_challenge: EXPAND %{User-Name}
(2) attr_filter.access_challenge: --> anonymous_test
(2) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(2) [attr_filter.access_challenge.post-auth] = updated
(2) [handled] = handled
(2) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(2) } # Auth-Type eap = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:48058 length
0
(2) EAP-Message =
0x01a303f615c000000a8b160303003d020000390303ce7f5bed68f2bdab8d4c8b7ee830f975
965fb3242093f407d9b7f3798ed45b2000c030000011ff01000100000b000403000102001700
0016030308e90b0008e50008e20003de308203da308202c2a003020102020101300d06092a86
4886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261
646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c457861
6d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c
652e6f72673126302406035504030c1d4578616d706c65204365727469666963617465204175
74686f72697479301e170d3232303630373133353631355a170d323230383036313335363135
5a307c310b3009060355040613024652310f300d06035504080c065261646975733115301306
0355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x594837c158eb227a35f4296c6c550caa
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 2 from 127.0.0.1:48058 to 127.0.0.1:1812
length 147
(3) User-Name = "anonymous_test"
(3) NAS-IP-Address = 127.0.0.1
(3) Calling-Station-Id = "02-00-00-00-00-01"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Connect-Info = "CONNECT 11Mbps 802.11b"
(3) EAP-Message = 0x02a300061500
(3) State = 0x594837c158eb227a35f4296c6c550caa
(3) Message-Authenticator = 0x0281d393c2571ae6091802af7143b0ed
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 163 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Auth-Type eap {
(3) eap: Expiring EAP session with state 0x594837c158eb227a
(3) eap: Finished EAP session with state 0x594837c158eb227a
(3) eap: Previous EAP request found for state 0x594837c158eb227a, released
from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: Peer ACKed our handshake fragment
(3) eap_ttls: [eaptls verify] = request
(3) eap_ttls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 164 length 1014
(3) eap: EAP session adding &reply:State = 0x594837c15bec227a
(3) [eap] = handled
(3) if (handled && (Response-Packet-Type == Access-Challenge)) {
(3) EXPAND Response-Packet-Type
(3) --> Access-Challenge
(3) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(3) if (handled && (Response-Packet-Type == Access-Challenge)) {
(3) attr_filter.access_challenge: EXPAND %{User-Name}
(3) attr_filter.access_challenge: --> anonymous_test
(3) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(3) [attr_filter.access_challenge.post-auth] = updated
(3) [handled] = handled
(3) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(3) } # Auth-Type eap = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:48058 length
0
(3) EAP-Message =
0x01a403f615c000000a8b2191b630136f9c3efec0d255f3b83b044d67821de971742e781d91
d550b267675e88e1945d729139f9b13cb3067ea7a8cf42f22afe3ad057afe04680c0484d0dd8
62dd0004fe308204fa308203e2a00302010202142612a65a56fe11648fbdca8d519264c57b3b
83f0300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06
035504080c065261646975733112301006035504070c09536f6d657768657265311530130603
55040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d69
6e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966
696361746520417574686f72697479301e170d3232303630373133353631355a170d32323038
30363133353631355a308193310b3009060355040613024652310f300d06035504080c065261
646975733112301006035504070c09536f6d65776865726531153013060355040a0c
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x594837c15bec227a35f4296c6c550caa
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 3 from 127.0.0.1:48058 to 127.0.0.1:1812
length 147
(4) User-Name = "anonymous_test"
(4) NAS-IP-Address = 127.0.0.1
(4) Calling-Station-Id = "02-00-00-00-00-01"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Connect-Info = "CONNECT 11Mbps 802.11b"
(4) EAP-Message = 0x02a400061500
(4) State = 0x594837c15bec227a35f4296c6c550caa
(4) Message-Authenticator = 0x12aad93ece4c588ec719216bbaecd7fb
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 164 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Auth-Type eap {
(4) eap: Expiring EAP session with state 0x594837c15bec227a
(4) eap: Finished EAP session with state 0x594837c15bec227a
(4) eap: Previous EAP request found for state 0x594837c15bec227a, released
from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: Continuing EAP-TLS
(4) eap_ttls: Peer ACKed our handshake fragment
(4) eap_ttls: [eaptls verify] = request
(4) eap_ttls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 165 length 701
(4) eap: EAP session adding &reply:State = 0x594837c15aed227a
(4) [eap] = handled
(4) if (handled && (Response-Packet-Type == Access-Challenge)) {
(4) EXPAND Response-Packet-Type
(4) --> Access-Challenge
(4) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(4) if (handled && (Response-Packet-Type == Access-Challenge)) {
(4) attr_filter.access_challenge: EXPAND %{User-Name}
(4) attr_filter.access_challenge: --> anonymous_test
(4) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(4) [attr_filter.access_challenge.post-auth] = updated
(4) [handled] = handled
(4) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(4) } # Auth-Type eap = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:48058 length
0
(4) EAP-Message =
0x01a502bd158000000a8b1d130101ff040530030101ff30360603551d1f042f302d302ba029
a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e
63726c300d06092a864886f70d01010b050003820101008834a7e636cc1b2ca1fb50f0241d14
2dea0f64ab2a18f737a1c61001f253baa32022d21b23e2d32ef93967a914fb7435030effabac
df1f473b35bfd23a886c4fbc7d6c194afd9160e340612d83f81e694c5813983a691a9ed83ee4
5ad98a879609630093e2ada4eb67dcafd2543577b94229d604cde33e0314dba26abd7d5674f5
7a3c465449fea9cd762ad1d4a39a0101a207c17e107c4bcc95024237ad91815bf140b75eb973
4ad9615781be60643011fc9718e8acffb9dc4ce9d051c3ea5712dc6aa7ba1d9d2ba8df6c3bdb
c7942c0d7f01c8fddbe6182cf8880f339a038ed8f0c7b579d87e4a30f42c1c978f36c070d759
b33199019e7d482f8786044516160303014d0c000149030017410489b770c1cc2ded
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x594837c15aed227a35f4296c6c550caa
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 4 from 127.0.0.1:48058 to 127.0.0.1:1812
length 273
(5) User-Name = "anonymous_test"
(5) NAS-IP-Address = 127.0.0.1
(5) Calling-Station-Id = "02-00-00-00-00-01"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Connect-Info = "CONNECT 11Mbps 802.11b"
(5) EAP-Message =
0x02a500841500160303004610000042410490f5fd271b8155492b8cd225df9a917c58da15b7
53f67fd3321719ee5bc61ec5d7dcc4344910224de589c074295c7725827083aa2533f613f392
603ac84822891403030001011603030028297482347c2337f8e1cd6ab9e31cc6bcb3d37932cb
7cf4dbf7e728729f98c928414c9b895270d9c5
(5) State = 0x594837c15aed227a35f4296c6c550caa
(5) Message-Authenticator = 0xdbe58d4e8258b430621002f6a1cde860
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 165 length 132
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Auth-Type eap {
(5) eap: Expiring EAP session with state 0x594837c15aed227a
(5) eap: Finished EAP session with state 0x594837c15aed227a
(5) eap: Previous EAP request found for state 0x594837c15aed227a, released
from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: TLS_accept: SSLv3/TLS write server done
(5) eap_ttls: <<< recv TLS 1.2 [length 0046]
(5) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
(5) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
(5) eap_ttls: <<< recv TLS 1.2 [length 0010]
(5) eap_ttls: TLS_accept: SSLv3/TLS read finished
(5) eap_ttls: >>> send TLS 1.2 [length 0001]
(5) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(5) eap_ttls: >>> send TLS 1.2 [length 0010]
(5) eap_ttls: TLS_accept: SSLv3/TLS write finished
(5) eap_ttls: (other): SSL negotiation finished successfully
(5) eap_ttls: TLS - Connection Established
(5) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) eap_ttls: TLS-Session-Version = "TLS 1.2"
(5) eap_ttls: TLS - got 51 bytes of data
(5) eap_ttls: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 166 length 61
(5) eap: EAP session adding &reply:State = 0x594837c15dee227a
(5) [eap] = handled
(5) if (handled && (Response-Packet-Type == Access-Challenge)) {
(5) EXPAND Response-Packet-Type
(5) --> Access-Challenge
(5) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(5) if (handled && (Response-Packet-Type == Access-Challenge)) {
(5) attr_filter.access_challenge: EXPAND %{User-Name}
(5) attr_filter.access_challenge: --> anonymous_test
(5) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(5) [attr_filter.access_challenge.post-auth] = updated
(5) [handled] = handled
(5) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(5) } # Auth-Type eap = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:48058 length
0
(5) EAP-Message =
0x01a6003d158000000033140303000101160303002868a7ea5e693524f968d02ec14fd7cb5a
629fbd3ff3d28e4a1fee62533733003052e86c7f2303bc2c
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x594837c15dee227a35f4296c6c550caa
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 5 from 127.0.0.1:48058 to 127.0.0.1:1812
length 212
(6) User-Name = "anonymous_test"
(6) NAS-IP-Address = 127.0.0.1
(6) Calling-Station-Id = "02-00-00-00-00-01"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Connect-Info = "CONNECT 11Mbps 802.11b"
(6) EAP-Message =
0x02a600471500170303003c297482347c2337f99ae8244b354c6918951f0f3bde4cd3a1631f
568103bb1527d53de82d2d036cc96b994d91266bfc523eab035954577cc893219d7c
(6) State = 0x594837c15dee227a35f4296c6c550caa
(6) Message-Authenticator = 0x6aa1c90905881534f18620852003faf3
(6) Restoring &session-state
(6) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(6) &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 166 length 71
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) Auth-Type eap {
(6) eap: Expiring EAP session with state 0x594837c15dee227a
(6) eap: Finished EAP session with state 0x594837c15dee227a
(6) eap: Previous EAP request found for state 0x594837c15dee227a, released
from the list
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: Continuing EAP-TLS
(6) eap_ttls: [eaptls verify] = ok
(6) eap_ttls: Done initial handshake
(6) eap_ttls: [eaptls process] = ok
(6) eap_ttls: Session established. Proceeding to decode tunneled attributes
(6) eap_ttls: Got tunneled request
(6) eap_ttls: User-Name = "test"
(6) eap_ttls: User-Password = "testing"
(6) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_ttls: Sending tunneled request
(6) Virtual server inner-tunnel received request
(6) User-Name = "test"
(6) User-Password = "testing"
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) NAS-IP-Address = 127.0.0.1
(6) Calling-Station-Id = "02-00-00-00-00-01"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Connect-Info = "CONNECT 11Mbps 802.11b"
(6) Event-Timestamp = "Jul 25 2022 18:15:48 CEST"
(6) server inner-tunnel {
(6) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "test", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: No EAP-Message, not doing EAP
(6) [eap] = noop
(6) files: users: Matched entry test at line 1
(6) files: EXPAND tu as reussi avec %{Auth-Type} et en etant %{User-Name}
(6) files: --> tu as reussi avec et en etant test
(6) [files] = ok
(6) [expiration] = noop
(6) [logintime] = noop
(6) [pap] = updated
(6) } # authorize = updated
(6) Found Auth-Type = PAP
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) Auth-Type PAP {
(6) pap: Login attempt with password
(6) pap: Comparing with "known good" Cleartext-Password
(6) pap: User authenticated successfully
(6) [pap] = ok
(6) } # Auth-Type PAP = ok
(6) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(6) post-auth {
(6) if (0) {
(6) if (0) -> FALSE
(6) } # post-auth = noop
(6) Login OK: [test] (from client localhost port 0 cli 02-00-00-00-00-01
via TLS tunnel)
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) Reply-Message = "tu as reussi avec et en etant test"
(6) eap_ttls: Got tunneled Access-Accept
(6) eap: Sending EAP Success (code 3) ID 166 length 4
(6) eap: Freeing handler
(6) [eap] = ok
(6) if (handled && (Response-Packet-Type == Access-Challenge)) {
(6) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(6) } # Auth-Type eap = ok
(6) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(6) post-auth {
(6) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(6) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) -> FALSE
(6) update {
(6) &reply::TLS-Session-Cipher-Suite +=
&session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(6) &reply::TLS-Session-Version +=
&session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(6) } # update = noop
(6) [exec] = noop
(6) policy remove_reply_message_if_eap {
(6) if (&reply:EAP-Message && &reply:Reply-Message) {
(6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(6) else {
(6) [noop] = noop
(6) } # else = noop
(6) } # policy remove_reply_message_if_eap = noop
(6) } # post-auth = noop
(6) Login OK: [anonymous_test] (from client localhost port 0 cli
02-00-00-00-00-01)
(6) Sent Access-Accept Id 5 from 127.0.0.1:1812 to 127.0.0.1:48058 length 0
(6) MS-MPPE-Recv-Key =
0xe14135f14a872f650673a7f048b96e42d97e94269c4c9c764cc8957057a9f70a
(6) MS-MPPE-Send-Key =
0x196c96bc3d4308ae0bd2fe7ba2292a4008232c68960bbc67658a13bb966e74fd
(6) EAP-Message = 0x03a60004
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) User-Name = "anonymous_test"
(6) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 0 with timestamp +11
(2) Cleaning up request packet ID 1 with timestamp +11
(3) Cleaning up request packet ID 2 with timestamp +11
(4) Cleaning up request packet ID 3 with timestamp +11
(5) Cleaning up request packet ID 4 with timestamp +11
(6) Cleaning up request packet ID 5 with timestamp +11
Ready to process requests
(7) Received Access-Request Id 181 from 10.100.0.50:1645 to 10.101.0.20:1812
length 204
(7) User-Name = "anonymous"
(7) Service-Type = Framed-User
(7) Framed-MTU = 1500
(7) Called-Station-Id = "24-01-C7-8E-84-86"
(7) Calling-Station-Id = "74-78-27-1B-F2-78"
(7) EAP-Message = 0x0201000e01616e6f6e796d6f7573
(7) Message-Authenticator = 0x55c09e83405ccf67b9c08d1e70ac4b1d
(7) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(7) NAS-Port-Type = Ethernet
(7) NAS-Port = 50006
(7) NAS-Port-Id = "GigabitEthernet0/6"
(7) NAS-IP-Address = 10.100.0.50
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 1 length 14
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Auth-Type eap {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_ttls to process data
(7) eap_ttls: Initiating new TLS session
(7) eap_ttls: [eaptls start] = request
(7) eap: Sending EAP Request (code 1) ID 2 length 6
(7) eap: EAP session adding &reply:State = 0x1aff00fb1afd150b
(7) [eap] = handled
(7) if (handled && (Response-Packet-Type == Access-Challenge)) {
(7) EXPAND Response-Packet-Type
(7) --> Access-Challenge
(7) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(7) if (handled && (Response-Packet-Type == Access-Challenge)) {
(7) attr_filter.access_challenge: EXPAND %{User-Name}
(7) attr_filter.access_challenge: --> anonymous
(7) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(7) [attr_filter.access_challenge.post-auth] = updated
(7) [handled] = handled
(7) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(7) } # Auth-Type eap = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) Sent Access-Challenge Id 181 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(7) EAP-Message = 0x010200061520
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x1aff00fb1afd150bdec157b3b6aa7742
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 182 from 10.100.0.50:1645 to 10.101.0.20:1812
length 380
(8) User-Name = "anonymous"
(8) Service-Type = Framed-User
(8) Framed-MTU = 1500
(8) Called-Station-Id = "24-01-C7-8E-84-86"
(8) Calling-Station-Id = "74-78-27-1B-F2-78"
(8) EAP-Message =
0x020200ac1580000000a2160303009d01000099030362dec1cb4de29748aa3f666036d19548
5065509be2151045e5ff5ad25a8dc96f00002ac02cc02bc030c02f009f009ec024c023c028c0
27c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a
00080006001d00170018000b00020100000d001a001808040805080604010501020104030503
02030202060106030023000000170000ff01000100
(8) Message-Authenticator = 0xf4be43381cba5bcb881815edb82aaedc
(8) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(8) NAS-Port-Type = Ethernet
(8) NAS-Port = 50006
(8) NAS-Port-Id = "GigabitEthernet0/6"
(8) State = 0x1aff00fb1afd150bdec157b3b6aa7742
(8) NAS-IP-Address = 10.100.0.50
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\./) {
(8) if (&User-Name =~ /(a)\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 2 length 172
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) Auth-Type eap {
(8) eap: Expiring EAP session with state 0x1aff00fb1afd150b
(8) eap: Finished EAP session with state 0x1aff00fb1afd150b
(8) eap: Previous EAP request found for state 0x1aff00fb1afd150b, released
from the list
(8) eap: Peer sent packet with method EAP TTLS (21)
(8) eap: Calling submodule eap_ttls to process data
(8) eap_ttls: Authenticate
(8) eap_ttls: Continuing EAP-TLS
(8) eap_ttls: Peer indicated complete TLS record size will be 162 bytes
(8) eap_ttls: Got complete TLS record (162 bytes)
(8) eap_ttls: [eaptls verify] = length included
(8) eap_ttls: (other): before SSL initialization
(8) eap_ttls: TLS_accept: before SSL initialization
(8) eap_ttls: TLS_accept: before SSL initialization
(8) eap_ttls: <<< recv TLS 1.3 [length 009d]
(8) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(8) eap_ttls: >>> send TLS 1.2 [length 003d]
(8) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(8) eap_ttls: >>> send TLS 1.2 [length 08e9]
(8) eap_ttls: TLS_accept: SSLv3/TLS write certificate
(8) eap_ttls: >>> send TLS 1.2 [length 014d]
(8) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
(8) eap_ttls: >>> send TLS 1.2 [length 0004]
(8) eap_ttls: TLS_accept: SSLv3/TLS write server done
(8) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(8) eap_ttls: TLS - In Handshake Phase
(8) eap_ttls: TLS - got 2699 bytes of data
(8) eap_ttls: [eaptls process] = handled
(8) eap: Sending EAP Request (code 1) ID 3 length 1014
(8) eap: EAP session adding &reply:State = 0x1aff00fb1bfc150b
(8) [eap] = handled
(8) if (handled && (Response-Packet-Type == Access-Challenge)) {
(8) EXPAND Response-Packet-Type
(8) --> Access-Challenge
(8) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(8) if (handled && (Response-Packet-Type == Access-Challenge)) {
(8) attr_filter.access_challenge: EXPAND %{User-Name}
(8) attr_filter.access_challenge: --> anonymous
(8) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(8) [attr_filter.access_challenge.post-auth] = updated
(8) [handled] = handled
(8) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(8) } # Auth-Type eap = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) Challenge { ... } # empty sub-section is ignored
(8) Sent Access-Challenge Id 182 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(8) EAP-Message =
0x010303f615c000000a8b160303003d020000390303dc012d9023dc1e70f151f05ebf2e358c
66de5ac2dc909c71b3ff934c6deeb0bb00c030000011ff01000100000b000403000102001700
0016030308e90b0008e50008e20003de308203da308202c2a003020102020101300d06092a86
4886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261
646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c457861
6d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c
652e6f72673126302406035504030c1d4578616d706c65204365727469666963617465204175
74686f72697479301e170d3232303630373133353631355a170d323230383036313335363135
5a307c310b3009060355040613024652310f300d06035504080c065261646975733115301306
0355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x1aff00fb1bfc150bdec157b3b6aa7742
(8) Finished request
Waking up in 4.9 seconds.
(9) Received Access-Request Id 183 from 10.100.0.50:1645 to 10.101.0.20:1812
length 214
(9) User-Name = "anonymous"
(9) Service-Type = Framed-User
(9) Framed-MTU = 1500
(9) Called-Station-Id = "24-01-C7-8E-84-86"
(9) Calling-Station-Id = "74-78-27-1B-F2-78"
(9) EAP-Message = 0x020300061500
(9) Message-Authenticator = 0x27fa8829f5e4cbd6c0703ff10396bd50
(9) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(9) NAS-Port-Type = Ethernet
(9) NAS-Port = 50006
(9) NAS-Port-Id = "GigabitEthernet0/6"
(9) State = 0x1aff00fb1bfc150bdec157b3b6aa7742
(9) NAS-IP-Address = 10.100.0.50
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\./) {
(9) if (&User-Name =~ /(a)\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 3 length 6
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) Auth-Type eap {
(9) eap: Expiring EAP session with state 0x1aff00fb1bfc150b
(9) eap: Finished EAP session with state 0x1aff00fb1bfc150b
(9) eap: Previous EAP request found for state 0x1aff00fb1bfc150b, released
from the list
(9) eap: Peer sent packet with method EAP TTLS (21)
(9) eap: Calling submodule eap_ttls to process data
(9) eap_ttls: Authenticate
(9) eap_ttls: Continuing EAP-TLS
(9) eap_ttls: Peer ACKed our handshake fragment
(9) eap_ttls: [eaptls verify] = request
(9) eap_ttls: [eaptls process] = handled
(9) eap: Sending EAP Request (code 1) ID 4 length 1014
(9) eap: EAP session adding &reply:State = 0x1aff00fb18fb150b
(9) [eap] = handled
(9) if (handled && (Response-Packet-Type == Access-Challenge)) {
(9) EXPAND Response-Packet-Type
(9) --> Access-Challenge
(9) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(9) if (handled && (Response-Packet-Type == Access-Challenge)) {
(9) attr_filter.access_challenge: EXPAND %{User-Name}
(9) attr_filter.access_challenge: --> anonymous
(9) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(9) [attr_filter.access_challenge.post-auth] = updated
(9) [handled] = handled
(9) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(9) } # Auth-Type eap = handled
(9) Using Post-Auth-Type Challenge
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) Challenge { ... } # empty sub-section is ignored
(9) Sent Access-Challenge Id 183 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(9) EAP-Message =
0x010403f615c000000a8b2191b630136f9c3efec0d255f3b83b044d67821de971742e781d91
d550b267675e88e1945d729139f9b13cb3067ea7a8cf42f22afe3ad057afe04680c0484d0dd8
62dd0004fe308204fa308203e2a00302010202142612a65a56fe11648fbdca8d519264c57b3b
83f0300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06
035504080c065261646975733112301006035504070c09536f6d657768657265311530130603
55040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d69
6e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966
696361746520417574686f72697479301e170d3232303630373133353631355a170d32323038
30363133353631355a308193310b3009060355040613024652310f300d06035504080c065261
646975733112301006035504070c09536f6d65776865726531153013060355040a0c
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x1aff00fb18fb150bdec157b3b6aa7742
(9) Finished request
Waking up in 4.9 seconds.
(10) Received Access-Request Id 184 from 10.100.0.50:1645 to
10.101.0.20:1812 length 214
(10) User-Name = "anonymous"
(10) Service-Type = Framed-User
(10) Framed-MTU = 1500
(10) Called-Station-Id = "24-01-C7-8E-84-86"
(10) Calling-Station-Id = "74-78-27-1B-F2-78"
(10) EAP-Message = 0x020400061500
(10) Message-Authenticator = 0xc343c114dc97c30f335f153612ee98ba
(10) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(10) NAS-Port-Type = Ethernet
(10) NAS-Port = 50006
(10) NAS-Port-Id = "GigabitEthernet0/6"
(10) State = 0x1aff00fb18fb150bdec157b3b6aa7742
(10) NAS-IP-Address = 10.100.0.50
(10) session-state: No cached attributes
(10) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /(a)\./) {
(10) if (&User-Name =~ /(a)\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 4 length 6
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) Auth-Type eap {
(10) eap: Expiring EAP session with state 0x1aff00fb18fb150b
(10) eap: Finished EAP session with state 0x1aff00fb18fb150b
(10) eap: Previous EAP request found for state 0x1aff00fb18fb150b, released
from the list
(10) eap: Peer sent packet with method EAP TTLS (21)
(10) eap: Calling submodule eap_ttls to process data
(10) eap_ttls: Authenticate
(10) eap_ttls: Continuing EAP-TLS
(10) eap_ttls: Peer ACKed our handshake fragment
(10) eap_ttls: [eaptls verify] = request
(10) eap_ttls: [eaptls process] = handled
(10) eap: Sending EAP Request (code 1) ID 5 length 701
(10) eap: EAP session adding &reply:State = 0x1aff00fb19fa150b
(10) [eap] = handled
(10) if (handled && (Response-Packet-Type == Access-Challenge)) {
(10) EXPAND Response-Packet-Type
(10) --> Access-Challenge
(10) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(10) if (handled && (Response-Packet-Type == Access-Challenge)) {
(10) attr_filter.access_challenge: EXPAND %{User-Name}
(10) attr_filter.access_challenge: --> anonymous
(10) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(10) [attr_filter.access_challenge.post-auth] = updated
(10) [handled] = handled
(10) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(10) } # Auth-Type eap = handled
(10) Using Post-Auth-Type Challenge
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) Challenge { ... } # empty sub-section is ignored
(10) Sent Access-Challenge Id 184 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(10) EAP-Message =
0x010502bd158000000a8b1d130101ff040530030101ff30360603551d1f042f302d302ba029
a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e
63726c300d06092a864886f70d01010b050003820101008834a7e636cc1b2ca1fb50f0241d14
2dea0f64ab2a18f737a1c61001f253baa32022d21b23e2d32ef93967a914fb7435030effabac
df1f473b35bfd23a886c4fbc7d6c194afd9160e340612d83f81e694c5813983a691a9ed83ee4
5ad98a879609630093e2ada4eb67dcafd2543577b94229d604cde33e0314dba26abd7d5674f5
7a3c465449fea9cd762ad1d4a39a0101a207c17e107c4bcc95024237ad91815bf140b75eb973
4ad9615781be60643011fc9718e8acffb9dc4ce9d051c3ea5712dc6aa7ba1d9d2ba8df6c3bdb
c7942c0d7f01c8fddbe6182cf8880f339a038ed8f0c7b579d87e4a30f42c1c978f36c070d759
b33199019e7d482f8786044516160303014d0c0001490300174104ea71ea5eb3ce16
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0x1aff00fb19fa150bdec157b3b6aa7742
(10) Finished request
Waking up in 4.8 seconds.
(11) Received Access-Request Id 185 from 10.100.0.50:1645 to
10.101.0.20:1812 length 344
(11) User-Name = "anonymous"
(11) Service-Type = Framed-User
(11) Framed-MTU = 1500
(11) Called-Station-Id = "24-01-C7-8E-84-86"
(11) Calling-Station-Id = "74-78-27-1B-F2-78"
(11) EAP-Message =
0x0205008815800000007e16030300461000004241041bafe37c8a64c35895a588b20bcfdef3
d2b1464ce4d5ae1c8e8e920de9406dc98f4a94b63bcd85a4cbbe35b06823f7cb4f7f6b7cb9ba
6c3f93273bbad00a32a214030300010116030300280000000000000000b2756332a6d5dece72
43e156997beb79b6e0890ac8bdf90da6ada1e3a02371ce
(11) Message-Authenticator = 0x12631f913feb4471ab0fca288c0638f1
(11) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(11) NAS-Port-Type = Ethernet
(11) NAS-Port = 50006
(11) NAS-Port-Id = "GigabitEthernet0/6"
(11) State = 0x1aff00fb19fa150bdec157b3b6aa7742
(11) NAS-IP-Address = 10.100.0.50
(11) session-state: No cached attributes
(11) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ /(a)\./) {
(11) if (&User-Name =~ /(a)\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [preprocess] = ok
(11) [chap] = noop
(11) [mschap] = noop
(11) [digest] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) eap: Peer sent EAP Response (code 2) ID 5 length 136
(11) eap: Continuing tunnel setup
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) Auth-Type eap {
(11) eap: Expiring EAP session with state 0x1aff00fb19fa150b
(11) eap: Finished EAP session with state 0x1aff00fb19fa150b
(11) eap: Previous EAP request found for state 0x1aff00fb19fa150b, released
from the list
(11) eap: Peer sent packet with method EAP TTLS (21)
(11) eap: Calling submodule eap_ttls to process data
(11) eap_ttls: Authenticate
(11) eap_ttls: Continuing EAP-TLS
(11) eap_ttls: Peer indicated complete TLS record size will be 126 bytes
(11) eap_ttls: Got complete TLS record (126 bytes)
(11) eap_ttls: [eaptls verify] = length included
(11) eap_ttls: TLS_accept: SSLv3/TLS write server done
(11) eap_ttls: <<< recv TLS 1.2 [length 0046]
(11) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
(11) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
(11) eap_ttls: <<< recv TLS 1.2 [length 0010]
(11) eap_ttls: TLS_accept: SSLv3/TLS read finished
(11) eap_ttls: >>> send TLS 1.2 [length 0001]
(11) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(11) eap_ttls: >>> send TLS 1.2 [length 0010]
(11) eap_ttls: TLS_accept: SSLv3/TLS write finished
(11) eap_ttls: (other): SSL negotiation finished successfully
(11) eap_ttls: TLS - Connection Established
(11) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(11) eap_ttls: TLS-Session-Version = "TLS 1.2"
(11) eap_ttls: TLS - got 51 bytes of data
(11) eap_ttls: [eaptls process] = handled
(11) eap: Sending EAP Request (code 1) ID 6 length 61
(11) eap: EAP session adding &reply:State = 0x1aff00fb1ef9150b
(11) [eap] = handled
(11) if (handled && (Response-Packet-Type == Access-Challenge)) {
(11) EXPAND Response-Packet-Type
(11) --> Access-Challenge
(11) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(11) if (handled && (Response-Packet-Type == Access-Challenge)) {
(11) attr_filter.access_challenge: EXPAND %{User-Name}
(11) attr_filter.access_challenge: --> anonymous
(11) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(11) [attr_filter.access_challenge.post-auth] = updated
(11) [handled] = handled
(11) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(11) } # Auth-Type eap = handled
(11) Using Post-Auth-Type Challenge
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) Challenge { ... } # empty sub-section is ignored
(11) session-state: Saving cached attributes
(11) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(11) TLS-Session-Version = "TLS 1.2"
(11) Sent Access-Challenge Id 185 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(11) EAP-Message =
0x0106003d158000000033140303000101160303002890e19eed4974783059ef0d676e70aab3
470cc68cadd1254943ddd9bbe1307ceed06dc7a28a15b4b1
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) State = 0x1aff00fb1ef9150bdec157b3b6aa7742
(11) Finished request
Waking up in 4.8 seconds.
(7) Cleaning up request packet ID 181 with timestamp +35
(8) Cleaning up request packet ID 182 with timestamp +35
(9) Cleaning up request packet ID 183 with timestamp +35
(10) Cleaning up request packet ID 184 with timestamp +35
(11) Cleaning up request packet ID 185 with timestamp +35
Ready to process requests
(12) Received Access-Request Id 186 from 10.100.0.50:1645 to
10.101.0.20:1812 length 194
(12) User-Name = "test"
(12) Service-Type = Framed-User
(12) Framed-MTU = 1500
(12) Called-Station-Id = "24-01-C7-8E-84-86"
(12) Calling-Station-Id = "74-78-27-1B-F2-78"
(12) EAP-Message = 0x020100090174657374
(12) Message-Authenticator = 0x5064878bed8665909256b735e175b2d4
(12) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(12) NAS-Port-Type = Ethernet
(12) NAS-Port = 50006
(12) NAS-Port-Id = "GigabitEthernet0/6"
(12) NAS-IP-Address = 10.100.0.50
(12) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(12) authorize {
(12) policy filter_username {
(12) if (&User-Name) {
(12) if (&User-Name) -> TRUE
(12) if (&User-Name) {
(12) if (&User-Name =~ / /) {
(12) if (&User-Name =~ / /) -> FALSE
(12) if (&User-Name =~ /@[^@]*@/ ) {
(12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(12) if (&User-Name =~ /\.\./ ) {
(12) if (&User-Name =~ /\.\./ ) -> FALSE
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(12) if (&User-Name =~ /\.$/) {
(12) if (&User-Name =~ /\.$/) -> FALSE
(12) if (&User-Name =~ /(a)\./) {
(12) if (&User-Name =~ /(a)\./) -> FALSE
(12) } # if (&User-Name) = notfound
(12) } # policy filter_username = notfound
(12) [preprocess] = ok
(12) [chap] = noop
(12) [mschap] = noop
(12) [digest] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "test", looking up realm NULL
(12) suffix: No such realm "NULL"
(12) [suffix] = noop
(12) eap: Peer sent EAP Response (code 2) ID 1 length 9
(12) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(12) [eap] = ok
(12) } # authorize = ok
(12) Found Auth-Type = eap
(12) # Executing group from file /etc/raddb/sites-enabled/default
(12) Auth-Type eap {
(12) eap: Peer sent packet with method EAP Identity (1)
(12) eap: Calling submodule eap_ttls to process data
(12) eap_ttls: Initiating new TLS session
(12) eap_ttls: [eaptls start] = request
(12) eap: Sending EAP Request (code 1) ID 2 length 6
(12) eap: EAP session adding &reply:State = 0x5709dc2c570bc95d
(12) [eap] = handled
(12) if (handled && (Response-Packet-Type == Access-Challenge)) {
(12) EXPAND Response-Packet-Type
(12) --> Access-Challenge
(12) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(12) if (handled && (Response-Packet-Type == Access-Challenge)) {
(12) attr_filter.access_challenge: EXPAND %{User-Name}
(12) attr_filter.access_challenge: --> test
(12) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(12) [attr_filter.access_challenge.post-auth] = updated
(12) [handled] = handled
(12) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(12) } # Auth-Type eap = handled
(12) Using Post-Auth-Type Challenge
(12) # Executing group from file /etc/raddb/sites-enabled/default
(12) Challenge { ... } # empty sub-section is ignored
(12) Sent Access-Challenge Id 186 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(12) EAP-Message = 0x010200061520
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) State = 0x5709dc2c570bc95d080b76220813d0d4
(12) Finished request
Waking up in 4.9 seconds.
(13) Received Access-Request Id 187 from 10.100.0.50:1645 to
10.101.0.20:1812 length 209
(13) User-Name = "test"
(13) Service-Type = Framed-User
(13) Framed-MTU = 1500
(13) Called-Station-Id = "24-01-C7-8E-84-86"
(13) Calling-Station-Id = "74-78-27-1B-F2-78"
(13) EAP-Message = 0x020200060319
(13) Message-Authenticator = 0xde3e82b04cacf9575f36bb5d7da5a570
(13) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(13) NAS-Port-Type = Ethernet
(13) NAS-Port = 50006
(13) NAS-Port-Id = "GigabitEthernet0/6"
(13) State = 0x5709dc2c570bc95d080b76220813d0d4
(13) NAS-IP-Address = 10.100.0.50
(13) session-state: No cached attributes
(13) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(13) authorize {
(13) policy filter_username {
(13) if (&User-Name) {
(13) if (&User-Name) -> TRUE
(13) if (&User-Name) {
(13) if (&User-Name =~ / /) {
(13) if (&User-Name =~ / /) -> FALSE
(13) if (&User-Name =~ /@[^@]*@/ ) {
(13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(13) if (&User-Name =~ /\.\./ ) {
(13) if (&User-Name =~ /\.\./ ) -> FALSE
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(13) if (&User-Name =~ /\.$/) {
(13) if (&User-Name =~ /\.$/) -> FALSE
(13) if (&User-Name =~ /(a)\./) {
(13) if (&User-Name =~ /(a)\./) -> FALSE
(13) } # if (&User-Name) = notfound
(13) } # policy filter_username = notfound
(13) [preprocess] = ok
(13) [chap] = noop
(13) [mschap] = noop
(13) [digest] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "test", looking up realm NULL
(13) suffix: No such realm "NULL"
(13) [suffix] = noop
(13) eap: Peer sent EAP Response (code 2) ID 2 length 6
(13) eap: No EAP Start, assuming it's an on-going EAP conversation
(13) [eap] = updated
(13) } # authorize = updated
(13) Found Auth-Type = eap
(13) # Executing group from file /etc/raddb/sites-enabled/default
(13) Auth-Type eap {
(13) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(13) eap: Finished EAP session with state 0x5709dc2c570bc95d
(13) eap: Previous EAP request found for state 0x5709dc2c570bc95d, released
from the list
(13) eap: Peer sent packet with method EAP NAK (3)
(13) eap: Found mutually acceptable type PEAP (25)
(13) eap: Calling submodule eap_peap to process data
(13) eap_peap: Initiating new TLS session
(13) eap_peap: [eaptls start] = request
(13) eap: Sending EAP Request (code 1) ID 3 length 6
(13) eap: EAP session adding &reply:State = 0x5709dc2c560ac55d
(13) [eap] = handled
(13) if (handled && (Response-Packet-Type == Access-Challenge)) {
(13) EXPAND Response-Packet-Type
(13) --> Access-Challenge
(13) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(13) if (handled && (Response-Packet-Type == Access-Challenge)) {
(13) attr_filter.access_challenge: EXPAND %{User-Name}
(13) attr_filter.access_challenge: --> test
(13) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(13) [attr_filter.access_challenge.post-auth] = updated
(13) [handled] = handled
(13) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(13) } # Auth-Type eap = handled
(13) Using Post-Auth-Type Challenge
(13) # Executing group from file /etc/raddb/sites-enabled/default
(13) Challenge { ... } # empty sub-section is ignored
(13) Sent Access-Challenge Id 187 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(13) EAP-Message = 0x010300061920
(13) Message-Authenticator = 0x00000000000000000000000000000000
(13) State = 0x5709dc2c560ac55d080b76220813d0d4
(13) Finished request
Waking up in 4.9 seconds.
(14) Received Access-Request Id 188 from 10.100.0.50:1645 to
10.101.0.20:1812 length 375
(14) User-Name = "test"
(14) Service-Type = Framed-User
(14) Framed-MTU = 1500
(14) Called-Station-Id = "24-01-C7-8E-84-86"
(14) Calling-Station-Id = "74-78-27-1B-F2-78"
(14) EAP-Message =
0x020300ac1980000000a2160303009d01000099030362dec1e8bb336220b36115a2f152d4ff
bda23da4d62a4b3a3dd2d90243cfb65500002ac02cc02bc030c02f009f009ec024c023c028c0
27c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a
00080006001d00170018000b00020100000d001a001808040805080604010501020104030503
02030202060106030023000000170000ff01000100
(14) Message-Authenticator = 0x723199c45f61b638f39acfd1af4ef706
(14) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(14) NAS-Port-Type = Ethernet
(14) NAS-Port = 50006
(14) NAS-Port-Id = "GigabitEthernet0/6"
(14) State = 0x5709dc2c560ac55d080b76220813d0d4
(14) NAS-IP-Address = 10.100.0.50
(14) session-state: No cached attributes
(14) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(14) authorize {
(14) policy filter_username {
(14) if (&User-Name) {
(14) if (&User-Name) -> TRUE
(14) if (&User-Name) {
(14) if (&User-Name =~ / /) {
(14) if (&User-Name =~ / /) -> FALSE
(14) if (&User-Name =~ /@[^@]*@/ ) {
(14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(14) if (&User-Name =~ /\.\./ ) {
(14) if (&User-Name =~ /\.\./ ) -> FALSE
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(14) if (&User-Name =~ /\.$/) {
(14) if (&User-Name =~ /\.$/) -> FALSE
(14) if (&User-Name =~ /(a)\./) {
(14) if (&User-Name =~ /(a)\./) -> FALSE
(14) } # if (&User-Name) = notfound
(14) } # policy filter_username = notfound
(14) [preprocess] = ok
(14) [chap] = noop
(14) [mschap] = noop
(14) [digest] = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: No '@' in User-Name = "test", looking up realm NULL
(14) suffix: No such realm "NULL"
(14) [suffix] = noop
(14) eap: Peer sent EAP Response (code 2) ID 3 length 172
(14) eap: Continuing tunnel setup
(14) [eap] = ok
(14) } # authorize = ok
(14) Found Auth-Type = eap
(14) # Executing group from file /etc/raddb/sites-enabled/default
(14) Auth-Type eap {
(14) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(14) eap: Finished EAP session with state 0x5709dc2c560ac55d
(14) eap: Previous EAP request found for state 0x5709dc2c560ac55d, released
from the list
(14) eap: Peer sent packet with method EAP PEAP (25)
(14) eap: Calling submodule eap_peap to process data
(14) eap_peap: Continuing EAP-TLS
(14) eap_peap: Peer indicated complete TLS record size will be 162 bytes
(14) eap_peap: Got complete TLS record (162 bytes)
(14) eap_peap: [eaptls verify] = length included
(14) eap_peap: (other): before SSL initialization
(14) eap_peap: TLS_accept: before SSL initialization
(14) eap_peap: TLS_accept: before SSL initialization
(14) eap_peap: <<< recv TLS 1.3 [length 009d]
(14) eap_peap: TLS_accept: SSLv3/TLS read client hello
(14) eap_peap: >>> send TLS 1.2 [length 003d]
(14) eap_peap: TLS_accept: SSLv3/TLS write server hello
(14) eap_peap: >>> send TLS 1.2 [length 08e9]
(14) eap_peap: TLS_accept: SSLv3/TLS write certificate
(14) eap_peap: >>> send TLS 1.2 [length 014d]
(14) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(14) eap_peap: >>> send TLS 1.2 [length 0004]
(14) eap_peap: TLS_accept: SSLv3/TLS write server done
(14) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(14) eap_peap: TLS - In Handshake Phase
(14) eap_peap: TLS - got 2699 bytes of data
(14) eap_peap: [eaptls process] = handled
(14) eap: Sending EAP Request (code 1) ID 4 length 1014
(14) eap: EAP session adding &reply:State = 0x5709dc2c550dc55d
(14) [eap] = handled
(14) if (handled && (Response-Packet-Type == Access-Challenge)) {
(14) EXPAND Response-Packet-Type
(14) --> Access-Challenge
(14) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(14) if (handled && (Response-Packet-Type == Access-Challenge)) {
(14) attr_filter.access_challenge: EXPAND %{User-Name}
(14) attr_filter.access_challenge: --> test
(14) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(14) [attr_filter.access_challenge.post-auth] = updated
(14) [handled] = handled
(14) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(14) } # Auth-Type eap = handled
(14) Using Post-Auth-Type Challenge
(14) # Executing group from file /etc/raddb/sites-enabled/default
(14) Challenge { ... } # empty sub-section is ignored
(14) Sent Access-Challenge Id 188 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(14) EAP-Message =
0x010403f619c000000a8b160303003d020000390303e63773a6f4e7998fe2174245b1361d9d
6235d691817e1c0537491a129c815c5e00c030000011ff01000100000b000403000102001700
0016030308e90b0008e50008e20003de308203da308202c2a003020102020101300d06092a86
4886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261
646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c457861
6d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c
652e6f72673126302406035504030c1d4578616d706c65204365727469666963617465204175
74686f72697479301e170d3232303630373133353631355a170d323230383036313335363135
5a307c310b3009060355040613024652310f300d06035504080c065261646975733115301306
0355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0x5709dc2c550dc55d080b76220813d0d4
(14) Finished request
Waking up in 4.9 seconds.
(15) Received Access-Request Id 189 from 10.100.0.50:1645 to
10.101.0.20:1812 length 209
(15) User-Name = "test"
(15) Service-Type = Framed-User
(15) Framed-MTU = 1500
(15) Called-Station-Id = "24-01-C7-8E-84-86"
(15) Calling-Station-Id = "74-78-27-1B-F2-78"
(15) EAP-Message = 0x020400061900
(15) Message-Authenticator = 0x5c6dceb7d89b74812695116e8c825b77
(15) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(15) NAS-Port-Type = Ethernet
(15) NAS-Port = 50006
(15) NAS-Port-Id = "GigabitEthernet0/6"
(15) State = 0x5709dc2c550dc55d080b76220813d0d4
(15) NAS-IP-Address = 10.100.0.50
(15) session-state: No cached attributes
(15) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(15) authorize {
(15) policy filter_username {
(15) if (&User-Name) {
(15) if (&User-Name) -> TRUE
(15) if (&User-Name) {
(15) if (&User-Name =~ / /) {
(15) if (&User-Name =~ / /) -> FALSE
(15) if (&User-Name =~ /@[^@]*@/ ) {
(15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15) if (&User-Name =~ /\.\./ ) {
(15) if (&User-Name =~ /\.\./ ) -> FALSE
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(15) if (&User-Name =~ /\.$/) {
(15) if (&User-Name =~ /\.$/) -> FALSE
(15) if (&User-Name =~ /(a)\./) {
(15) if (&User-Name =~ /(a)\./) -> FALSE
(15) } # if (&User-Name) = notfound
(15) } # policy filter_username = notfound
(15) [preprocess] = ok
(15) [chap] = noop
(15) [mschap] = noop
(15) [digest] = noop
(15) suffix: Checking for suffix after "@"
(15) suffix: No '@' in User-Name = "test", looking up realm NULL
(15) suffix: No such realm "NULL"
(15) [suffix] = noop
(15) eap: Peer sent EAP Response (code 2) ID 4 length 6
(15) eap: Continuing tunnel setup
(15) [eap] = ok
(15) } # authorize = ok
(15) Found Auth-Type = eap
(15) # Executing group from file /etc/raddb/sites-enabled/default
(15) Auth-Type eap {
(15) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(15) eap: Finished EAP session with state 0x5709dc2c550dc55d
(15) eap: Previous EAP request found for state 0x5709dc2c550dc55d, released
from the list
(15) eap: Peer sent packet with method EAP PEAP (25)
(15) eap: Calling submodule eap_peap to process data
(15) eap_peap: Continuing EAP-TLS
(15) eap_peap: Peer ACKed our handshake fragment
(15) eap_peap: [eaptls verify] = request
(15) eap_peap: [eaptls process] = handled
(15) eap: Sending EAP Request (code 1) ID 5 length 1010
(15) eap: EAP session adding &reply:State = 0x5709dc2c540cc55d
(15) [eap] = handled
(15) if (handled && (Response-Packet-Type == Access-Challenge)) {
(15) EXPAND Response-Packet-Type
(15) --> Access-Challenge
(15) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(15) if (handled && (Response-Packet-Type == Access-Challenge)) {
(15) attr_filter.access_challenge: EXPAND %{User-Name}
(15) attr_filter.access_challenge: --> test
(15) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(15) [attr_filter.access_challenge.post-auth] = updated
(15) [handled] = handled
(15) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(15) } # Auth-Type eap = handled
(15) Using Post-Auth-Type Challenge
(15) # Executing group from file /etc/raddb/sites-enabled/default
(15) Challenge { ... } # empty sub-section is ignored
(15) Sent Access-Challenge Id 189 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(15) EAP-Message =
0x010503f219402191b630136f9c3efec0d255f3b83b044d67821de971742e781d91d550b267
675e88e1945d729139f9b13cb3067ea7a8cf42f22afe3ad057afe04680c0484d0dd862dd0004
fe308204fa308203e2a00302010202142612a65a56fe11648fbdca8d519264c57b3b83f0300d
06092a864886f70d01010b0500308193310b3009060355040613024652310f300d0603550408
0c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c
0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578
616d706c652e6f72673126302406035504030c1d4578616d706c652043657274696669636174
6520417574686f72697479301e170d3232303630373133353631355a170d3232303830363133
353631355a308193310b3009060355040613024652310f300d06035504080c06526164697573
3112301006035504070c09536f6d65776865726531153013060355040a0c0c457861
(15) Message-Authenticator = 0x00000000000000000000000000000000
(15) State = 0x5709dc2c540cc55d080b76220813d0d4
(15) Finished request
Waking up in 4.9 seconds.
(16) Received Access-Request Id 190 from 10.100.0.50:1645 to
10.101.0.20:1812 length 209
(16) User-Name = "test"
(16) Service-Type = Framed-User
(16) Framed-MTU = 1500
(16) Called-Station-Id = "24-01-C7-8E-84-86"
(16) Calling-Station-Id = "74-78-27-1B-F2-78"
(16) EAP-Message = 0x020500061900
(16) Message-Authenticator = 0x338407f535f332f0091f8b6a8546c39a
(16) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(16) NAS-Port-Type = Ethernet
(16) NAS-Port = 50006
(16) NAS-Port-Id = "GigabitEthernet0/6"
(16) State = 0x5709dc2c540cc55d080b76220813d0d4
(16) NAS-IP-Address = 10.100.0.50
(16) session-state: No cached attributes
(16) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(16) authorize {
(16) policy filter_username {
(16) if (&User-Name) {
(16) if (&User-Name) -> TRUE
(16) if (&User-Name) {
(16) if (&User-Name =~ / /) {
(16) if (&User-Name =~ / /) -> FALSE
(16) if (&User-Name =~ /@[^@]*@/ ) {
(16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(16) if (&User-Name =~ /\.\./ ) {
(16) if (&User-Name =~ /\.\./ ) -> FALSE
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(16) if (&User-Name =~ /\.$/) {
(16) if (&User-Name =~ /\.$/) -> FALSE
(16) if (&User-Name =~ /(a)\./) {
(16) if (&User-Name =~ /(a)\./) -> FALSE
(16) } # if (&User-Name) = notfound
(16) } # policy filter_username = notfound
(16) [preprocess] = ok
(16) [chap] = noop
(16) [mschap] = noop
(16) [digest] = noop
(16) suffix: Checking for suffix after "@"
(16) suffix: No '@' in User-Name = "test", looking up realm NULL
(16) suffix: No such realm "NULL"
(16) [suffix] = noop
(16) eap: Peer sent EAP Response (code 2) ID 5 length 6
(16) eap: Continuing tunnel setup
(16) [eap] = ok
(16) } # authorize = ok
(16) Found Auth-Type = eap
(16) # Executing group from file /etc/raddb/sites-enabled/default
(16) Auth-Type eap {
(16) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(16) eap: Finished EAP session with state 0x5709dc2c540cc55d
(16) eap: Previous EAP request found for state 0x5709dc2c540cc55d, released
from the list
(16) eap: Peer sent packet with method EAP PEAP (25)
(16) eap: Calling submodule eap_peap to process data
(16) eap_peap: Continuing EAP-TLS
(16) eap_peap: Peer ACKed our handshake fragment
(16) eap_peap: [eaptls verify] = request
(16) eap_peap: [eaptls process] = handled
(16) eap: Sending EAP Request (code 1) ID 6 length 697
(16) eap: EAP session adding &reply:State = 0x5709dc2c530fc55d
(16) [eap] = handled
(16) if (handled && (Response-Packet-Type == Access-Challenge)) {
(16) EXPAND Response-Packet-Type
(16) --> Access-Challenge
(16) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(16) if (handled && (Response-Packet-Type == Access-Challenge)) {
(16) attr_filter.access_challenge: EXPAND %{User-Name}
(16) attr_filter.access_challenge: --> test
(16) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(16) [attr_filter.access_challenge.post-auth] = updated
(16) [handled] = handled
(16) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(16) } # Auth-Type eap = handled
(16) Using Post-Auth-Type Challenge
(16) # Executing group from file /etc/raddb/sites-enabled/default
(16) Challenge { ... } # empty sub-section is ignored
(16) Sent Access-Challenge Id 190 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(16) EAP-Message =
0x010602b919001d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625
687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c30
0d06092a864886f70d01010b050003820101008834a7e636cc1b2ca1fb50f0241d142dea0f64
ab2a18f737a1c61001f253baa32022d21b23e2d32ef93967a914fb7435030effabacdf1f473b
35bfd23a886c4fbc7d6c194afd9160e340612d83f81e694c5813983a691a9ed83ee45ad98a87
9609630093e2ada4eb67dcafd2543577b94229d604cde33e0314dba26abd7d5674f57a3c4654
49fea9cd762ad1d4a39a0101a207c17e107c4bcc95024237ad91815bf140b75eb9734ad96157
81be60643011fc9718e8acffb9dc4ce9d051c3ea5712dc6aa7ba1d9d2ba8df6c3bdbc7942c0d
7f01c8fddbe6182cf8880f339a038ed8f0c7b579d87e4a30f42c1c978f36c070d759b3319901
9e7d482f8786044516160303014d0c00014903001741045122cc6a47b169b7a16ff1
(16) Message-Authenticator = 0x00000000000000000000000000000000
(16) State = 0x5709dc2c530fc55d080b76220813d0d4
(16) Finished request
Waking up in 4.8 seconds.
(17) Received Access-Request Id 191 from 10.100.0.50:1645 to
10.101.0.20:1812 length 339
(17) User-Name = "test"
(17) Service-Type = Framed-User
(17) Framed-MTU = 1500
(17) Called-Station-Id = "24-01-C7-8E-84-86"
(17) Calling-Station-Id = "74-78-27-1B-F2-78"
(17) EAP-Message =
0x0206008819800000007e160303004610000042410446771ce3728af651ce38b33f2dbad2de
2ec1398220b2deca4e147610a28845f811a15650a23e9c2d6cda8703a81d827e6d5c3335a7ad
ed1f9348bed6398856db140303000101160303002800000000000000006467b41f8f49082292
2783c45df9e0ab3f5f3ee2d6b27ac824a0291d83fc0cbb
(17) Message-Authenticator = 0x9881bcce42caeb449d1792b76c542650
(17) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(17) NAS-Port-Type = Ethernet
(17) NAS-Port = 50006
(17) NAS-Port-Id = "GigabitEthernet0/6"
(17) State = 0x5709dc2c530fc55d080b76220813d0d4
(17) NAS-IP-Address = 10.100.0.50
(17) session-state: No cached attributes
(17) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(17) authorize {
(17) policy filter_username {
(17) if (&User-Name) {
(17) if (&User-Name) -> TRUE
(17) if (&User-Name) {
(17) if (&User-Name =~ / /) {
(17) if (&User-Name =~ / /) -> FALSE
(17) if (&User-Name =~ /@[^@]*@/ ) {
(17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(17) if (&User-Name =~ /\.\./ ) {
(17) if (&User-Name =~ /\.\./ ) -> FALSE
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(17) if (&User-Name =~ /\.$/) {
(17) if (&User-Name =~ /\.$/) -> FALSE
(17) if (&User-Name =~ /(a)\./) {
(17) if (&User-Name =~ /(a)\./) -> FALSE
(17) } # if (&User-Name) = notfound
(17) } # policy filter_username = notfound
(17) [preprocess] = ok
(17) [chap] = noop
(17) [mschap] = noop
(17) [digest] = noop
(17) suffix: Checking for suffix after "@"
(17) suffix: No '@' in User-Name = "test", looking up realm NULL
(17) suffix: No such realm "NULL"
(17) [suffix] = noop
(17) eap: Peer sent EAP Response (code 2) ID 6 length 136
(17) eap: Continuing tunnel setup
(17) [eap] = ok
(17) } # authorize = ok
(17) Found Auth-Type = eap
(17) # Executing group from file /etc/raddb/sites-enabled/default
(17) Auth-Type eap {
(17) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(17) eap: Finished EAP session with state 0x5709dc2c530fc55d
(17) eap: Previous EAP request found for state 0x5709dc2c530fc55d, released
from the list
(17) eap: Peer sent packet with method EAP PEAP (25)
(17) eap: Calling submodule eap_peap to process data
(17) eap_peap: Continuing EAP-TLS
(17) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(17) eap_peap: Got complete TLS record (126 bytes)
(17) eap_peap: [eaptls verify] = length included
(17) eap_peap: TLS_accept: SSLv3/TLS write server done
(17) eap_peap: <<< recv TLS 1.2 [length 0046]
(17) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(17) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(17) eap_peap: <<< recv TLS 1.2 [length 0010]
(17) eap_peap: TLS_accept: SSLv3/TLS read finished
(17) eap_peap: >>> send TLS 1.2 [length 0001]
(17) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(17) eap_peap: >>> send TLS 1.2 [length 0010]
(17) eap_peap: TLS_accept: SSLv3/TLS write finished
(17) eap_peap: (other): SSL negotiation finished successfully
(17) eap_peap: TLS - Connection Established
(17) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(17) eap_peap: TLS-Session-Version = "TLS 1.2"
(17) eap_peap: TLS - got 51 bytes of data
(17) eap_peap: [eaptls process] = handled
(17) eap: Sending EAP Request (code 1) ID 7 length 57
(17) eap: EAP session adding &reply:State = 0x5709dc2c520ec55d
(17) [eap] = handled
(17) if (handled && (Response-Packet-Type == Access-Challenge)) {
(17) EXPAND Response-Packet-Type
(17) --> Access-Challenge
(17) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(17) if (handled && (Response-Packet-Type == Access-Challenge)) {
(17) attr_filter.access_challenge: EXPAND %{User-Name}
(17) attr_filter.access_challenge: --> test
(17) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(17) [attr_filter.access_challenge.post-auth] = updated
(17) [handled] = handled
(17) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(17) } # Auth-Type eap = handled
(17) Using Post-Auth-Type Challenge
(17) # Executing group from file /etc/raddb/sites-enabled/default
(17) Challenge { ... } # empty sub-section is ignored
(17) session-state: Saving cached attributes
(17) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(17) TLS-Session-Version = "TLS 1.2"
(17) Sent Access-Challenge Id 191 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(17) EAP-Message =
0x01070039190014030300010116030300285bc3632e6b443560a1c7f7fcfd4d4dce83eb70b6
a001d27389578382a78d0283e43c7e8969d6f3ba
(17) Message-Authenticator = 0x00000000000000000000000000000000
(17) State = 0x5709dc2c520ec55d080b76220813d0d4
(17) Finished request
Waking up in 4.8 seconds.
(18) Received Access-Request Id 192 from 10.100.0.50:1645 to
10.101.0.20:1812 length 209
(18) User-Name = "test"
(18) Service-Type = Framed-User
(18) Framed-MTU = 1500
(18) Called-Station-Id = "24-01-C7-8E-84-86"
(18) Calling-Station-Id = "74-78-27-1B-F2-78"
(18) EAP-Message = 0x020700061900
(18) Message-Authenticator = 0x33689c92606612b6d8b208e12717fd08
(18) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(18) NAS-Port-Type = Ethernet
(18) NAS-Port = 50006
(18) NAS-Port-Id = "GigabitEthernet0/6"
(18) State = 0x5709dc2c520ec55d080b76220813d0d4
(18) NAS-IP-Address = 10.100.0.50
(18) Restoring &session-state
(18) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(18) &session-state:TLS-Session-Version = "TLS 1.2"
(18) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(18) authorize {
(18) policy filter_username {
(18) if (&User-Name) {
(18) if (&User-Name) -> TRUE
(18) if (&User-Name) {
(18) if (&User-Name =~ / /) {
(18) if (&User-Name =~ / /) -> FALSE
(18) if (&User-Name =~ /@[^@]*@/ ) {
(18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(18) if (&User-Name =~ /\.\./ ) {
(18) if (&User-Name =~ /\.\./ ) -> FALSE
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(18) if (&User-Name =~ /\.$/) {
(18) if (&User-Name =~ /\.$/) -> FALSE
(18) if (&User-Name =~ /(a)\./) {
(18) if (&User-Name =~ /(a)\./) -> FALSE
(18) } # if (&User-Name) = notfound
(18) } # policy filter_username = notfound
(18) [preprocess] = ok
(18) [chap] = noop
(18) [mschap] = noop
(18) [digest] = noop
(18) suffix: Checking for suffix after "@"
(18) suffix: No '@' in User-Name = "test", looking up realm NULL
(18) suffix: No such realm "NULL"
(18) [suffix] = noop
(18) eap: Peer sent EAP Response (code 2) ID 7 length 6
(18) eap: Continuing tunnel setup
(18) [eap] = ok
(18) } # authorize = ok
(18) Found Auth-Type = eap
(18) # Executing group from file /etc/raddb/sites-enabled/default
(18) Auth-Type eap {
(18) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(18) eap: Finished EAP session with state 0x5709dc2c520ec55d
(18) eap: Previous EAP request found for state 0x5709dc2c520ec55d, released
from the list
(18) eap: Peer sent packet with method EAP PEAP (25)
(18) eap: Calling submodule eap_peap to process data
(18) eap_peap: Continuing EAP-TLS
(18) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(18) eap_peap: [eaptls verify] = success
(18) eap_peap: [eaptls process] = success
(18) eap_peap: Session established. Decoding tunneled attributes
(18) eap_peap: PEAP state TUNNEL ESTABLISHED
(18) eap: Sending EAP Request (code 1) ID 8 length 40
(18) eap: EAP session adding &reply:State = 0x5709dc2c5101c55d
(18) [eap] = handled
(18) if (handled && (Response-Packet-Type == Access-Challenge)) {
(18) EXPAND Response-Packet-Type
(18) --> Access-Challenge
(18) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(18) if (handled && (Response-Packet-Type == Access-Challenge)) {
(18) attr_filter.access_challenge: EXPAND %{User-Name}
(18) attr_filter.access_challenge: --> test
(18) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(18) [attr_filter.access_challenge.post-auth] = updated
(18) [handled] = handled
(18) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(18) } # Auth-Type eap = handled
(18) Using Post-Auth-Type Challenge
(18) # Executing group from file /etc/raddb/sites-enabled/default
(18) Challenge { ... } # empty sub-section is ignored
(18) session-state: Saving cached attributes
(18) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(18) TLS-Session-Version = "TLS 1.2"
(18) Sent Access-Challenge Id 192 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(18) EAP-Message =
0x010800281900170303001d5bc3632e6b443561fcf82593fda17abbf449f59d02196666fae6
9cf929
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0x5709dc2c5101c55d080b76220813d0d4
(18) Finished request
Waking up in 2.1 seconds.
(19) Received Access-Request Id 193 from 10.100.0.50:1645 to
10.101.0.20:1812 length 243
(19) User-Name = "test"
(19) Service-Type = Framed-User
(19) Framed-MTU = 1500
(19) Called-Station-Id = "24-01-C7-8E-84-86"
(19) Calling-Station-Id = "74-78-27-1B-F2-78"
(19) EAP-Message =
0x020800281900170303001d0000000000000001f4b75ef3c9c70e7de845b7ad53435ce649bc
e97bd6
(19) Message-Authenticator = 0xdd6a472f02ab76bc724223ac8592f303
(19) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(19) NAS-Port-Type = Ethernet
(19) NAS-Port = 50006
(19) NAS-Port-Id = "GigabitEthernet0/6"
(19) State = 0x5709dc2c5101c55d080b76220813d0d4
(19) NAS-IP-Address = 10.100.0.50
(19) Restoring &session-state
(19) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(19) &session-state:TLS-Session-Version = "TLS 1.2"
(19) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(19) authorize {
(19) policy filter_username {
(19) if (&User-Name) {
(19) if (&User-Name) -> TRUE
(19) if (&User-Name) {
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@[^@]*@/ ) {
(19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /(a)\./) {
(19) if (&User-Name =~ /(a)\./) -> FALSE
(19) } # if (&User-Name) = notfound
(19) } # policy filter_username = notfound
(19) [preprocess] = ok
(19) [chap] = noop
(19) [mschap] = noop
(19) [digest] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "test", looking up realm NULL
(19) suffix: No such realm "NULL"
(19) [suffix] = noop
(19) eap: Peer sent EAP Response (code 2) ID 8 length 40
(19) eap: Continuing tunnel setup
(19) [eap] = ok
(19) } # authorize = ok
(19) Found Auth-Type = eap
(19) # Executing group from file /etc/raddb/sites-enabled/default
(19) Auth-Type eap {
(19) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(19) eap: Finished EAP session with state 0x5709dc2c5101c55d
(19) eap: Previous EAP request found for state 0x5709dc2c5101c55d, released
from the list
(19) eap: Peer sent packet with method EAP PEAP (25)
(19) eap: Calling submodule eap_peap to process data
(19) eap_peap: Continuing EAP-TLS
(19) eap_peap: [eaptls verify] = ok
(19) eap_peap: Done initial handshake
(19) eap_peap: [eaptls process] = ok
(19) eap_peap: Session established. Decoding tunneled attributes
(19) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(19) eap_peap: Identity - test
(19) eap_peap: Got inner identity 'test'
(19) eap_peap: Setting default EAP type for tunneled EAP session
(19) eap_peap: Got tunneled request
(19) eap_peap: EAP-Message = 0x020800090174657374
(19) eap_peap: Setting User-Name to test
(19) eap_peap: Sending tunneled request to inner-tunnel
(19) eap_peap: EAP-Message = 0x020800090174657374
(19) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(19) eap_peap: User-Name = "test"
(19) Virtual server inner-tunnel received request
(19) EAP-Message = 0x020800090174657374
(19) FreeRADIUS-Proxied-To = 127.0.0.1
(19) User-Name = "test"
(19) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(19) server inner-tunnel {
(19) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(19) authorize {
(19) policy filter_username {
(19) if (&User-Name) {
(19) if (&User-Name) -> TRUE
(19) if (&User-Name) {
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@[^@]*@/ ) {
(19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /(a)\./) {
(19) if (&User-Name =~ /(a)\./) -> FALSE
(19) } # if (&User-Name) = notfound
(19) } # policy filter_username = notfound
(19) [chap] = noop
(19) [mschap] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "test", looking up realm NULL
(19) suffix: No such realm "NULL"
(19) [suffix] = noop
(19) update control {
(19) &Proxy-To-Realm := LOCAL
(19) } # update control = noop
(19) eap: Peer sent EAP Response (code 2) ID 8 length 9
(19) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(19) [eap] = ok
(19) } # authorize = ok
(19) Found Auth-Type = eap
(19) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(19) authenticate {
(19) eap: Peer sent packet with method EAP Identity (1)
(19) eap: Calling submodule eap_mschapv2 to process data
(19) eap_mschapv2: Issuing Challenge
(19) eap: Sending EAP Request (code 1) ID 9 length 43
(19) eap: EAP session adding &reply:State = 0xc8f1f8bdc8f8e24d
(19) [eap] = handled
(19) } # authenticate = handled
(19) } # server inner-tunnel
(19) Virtual server sending reply
(19) EAP-Message =
0x0109002b1a0109002610a8aea7b97f9ff88acc6d299565ea3e33667265657261646975732d
332e302e3230
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0xc8f1f8bdc8f8e24d226d055121876240
(19) eap_peap: Got tunneled reply code 11
(19) eap_peap: EAP-Message =
0x0109002b1a0109002610a8aea7b97f9ff88acc6d299565ea3e33667265657261646975732d
332e302e3230
(19) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(19) eap_peap: State = 0xc8f1f8bdc8f8e24d226d055121876240
(19) eap_peap: Got tunneled reply RADIUS code 11
(19) eap_peap: EAP-Message =
0x0109002b1a0109002610a8aea7b97f9ff88acc6d299565ea3e33667265657261646975732d
332e302e3230
(19) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(19) eap_peap: State = 0xc8f1f8bdc8f8e24d226d055121876240
(19) eap_peap: Got tunneled Access-Challenge
(19) eap: Sending EAP Request (code 1) ID 9 length 74
(19) eap: EAP session adding &reply:State = 0x5709dc2c5000c55d
(19) [eap] = handled
(19) if (handled && (Response-Packet-Type == Access-Challenge)) {
(19) EXPAND Response-Packet-Type
(19) --> Access-Challenge
(19) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(19) if (handled && (Response-Packet-Type == Access-Challenge)) {
(19) attr_filter.access_challenge: EXPAND %{User-Name}
(19) attr_filter.access_challenge: --> test
(19) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(19) [attr_filter.access_challenge.post-auth] = updated
(19) [handled] = handled
(19) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(19) } # Auth-Type eap = handled
(19) Using Post-Auth-Type Challenge
(19) # Executing group from file /etc/raddb/sites-enabled/default
(19) Challenge { ... } # empty sub-section is ignored
(19) session-state: Saving cached attributes
(19) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(19) TLS-Session-Version = "TLS 1.2"
(19) Sent Access-Challenge Id 193 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(19) EAP-Message =
0x0109004a1900170303003f5bc3632e6b4435625e5c5051af7c363be95d4ee4f3f3b7ac445d
1ecac6abc90cb5263d48732e332fae270276b7d924f672cc1b74d6916b68c2e03e7ebe1975
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0x5709dc2c5000c55d080b76220813d0d4
(19) Finished request
Waking up in 2.0 seconds.
(20) Received Access-Request Id 194 from 10.100.0.50:1645 to
10.101.0.20:1812 length 297
(20) User-Name = "test"
(20) Service-Type = Framed-User
(20) Framed-MTU = 1500
(20) Called-Station-Id = "24-01-C7-8E-84-86"
(20) Calling-Station-Id = "74-78-27-1B-F2-78"
(20) EAP-Message =
0x0209005e19001703030053000000000000000267df274f7aba3c388821a73daf611375d9d7
2eef18a2029801924010afde0f8c56c84035beb392c5d720651c2253091340fa76a3f6a37152
3b42fb59bacd4ff5ff77aa734d8f4abc3bfe4c
(20) Message-Authenticator = 0xdd9df03d48297b3c9942e21f2b832e07
(20) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(20) NAS-Port-Type = Ethernet
(20) NAS-Port = 50006
(20) NAS-Port-Id = "GigabitEthernet0/6"
(20) State = 0x5709dc2c5000c55d080b76220813d0d4
(20) NAS-IP-Address = 10.100.0.50
(20) Restoring &session-state
(20) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(20) &session-state:TLS-Session-Version = "TLS 1.2"
(20) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(20) authorize {
(20) policy filter_username {
(20) if (&User-Name) {
(20) if (&User-Name) -> TRUE
(20) if (&User-Name) {
(20) if (&User-Name =~ / /) {
(20) if (&User-Name =~ / /) -> FALSE
(20) if (&User-Name =~ /@[^@]*@/ ) {
(20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(20) if (&User-Name =~ /\.\./ ) {
(20) if (&User-Name =~ /\.\./ ) -> FALSE
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(20) if (&User-Name =~ /\.$/) {
(20) if (&User-Name =~ /\.$/) -> FALSE
(20) if (&User-Name =~ /(a)\./) {
(20) if (&User-Name =~ /(a)\./) -> FALSE
(20) } # if (&User-Name) = notfound
(20) } # policy filter_username = notfound
(20) [preprocess] = ok
(20) [chap] = noop
(20) [mschap] = noop
(20) [digest] = noop
(20) suffix: Checking for suffix after "@"
(20) suffix: No '@' in User-Name = "test", looking up realm NULL
(20) suffix: No such realm "NULL"
(20) [suffix] = noop
(20) eap: Peer sent EAP Response (code 2) ID 9 length 94
(20) eap: Continuing tunnel setup
(20) [eap] = ok
(20) } # authorize = ok
(20) Found Auth-Type = eap
(20) # Executing group from file /etc/raddb/sites-enabled/default
(20) Auth-Type eap {
(20) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(20) eap: Finished EAP session with state 0x5709dc2c5000c55d
(20) eap: Previous EAP request found for state 0x5709dc2c5000c55d, released
from the list
(20) eap: Peer sent packet with method EAP PEAP (25)
(20) eap: Calling submodule eap_peap to process data
(20) eap_peap: Continuing EAP-TLS
(20) eap_peap: [eaptls verify] = ok
(20) eap_peap: Done initial handshake
(20) eap_peap: [eaptls process] = ok
(20) eap_peap: Session established. Decoding tunneled attributes
(20) eap_peap: PEAP state phase2
(20) eap_peap: EAP method MSCHAPv2 (26)
(20) eap_peap: Got tunneled request
(20) eap_peap: EAP-Message =
0x0209003f1a0209003a31f90a4533756415a1b4ea82f294876b6100000000000000009e08d5
2c72cd923feca32b6ac7eeece3627638836e7d19f60074657374
(20) eap_peap: Setting User-Name to test
(20) eap_peap: Sending tunneled request to inner-tunnel
(20) eap_peap: EAP-Message =
0x0209003f1a0209003a31f90a4533756415a1b4ea82f294876b6100000000000000009e08d5
2c72cd923feca32b6ac7eeece3627638836e7d19f60074657374
(20) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(20) eap_peap: User-Name = "test"
(20) eap_peap: State = 0xc8f1f8bdc8f8e24d226d055121876240
(20) Virtual server inner-tunnel received request
(20) EAP-Message =
0x0209003f1a0209003a31f90a4533756415a1b4ea82f294876b6100000000000000009e08d5
2c72cd923feca32b6ac7eeece3627638836e7d19f60074657374
(20) FreeRADIUS-Proxied-To = 127.0.0.1
(20) User-Name = "test"
(20) State = 0xc8f1f8bdc8f8e24d226d055121876240
(20) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(20) server inner-tunnel {
(20) session-state: No cached attributes
(20) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(20) authorize {
(20) policy filter_username {
(20) if (&User-Name) {
(20) if (&User-Name) -> TRUE
(20) if (&User-Name) {
(20) if (&User-Name =~ / /) {
(20) if (&User-Name =~ / /) -> FALSE
(20) if (&User-Name =~ /@[^@]*@/ ) {
(20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(20) if (&User-Name =~ /\.\./ ) {
(20) if (&User-Name =~ /\.\./ ) -> FALSE
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(20) if (&User-Name =~ /\.$/) {
(20) if (&User-Name =~ /\.$/) -> FALSE
(20) if (&User-Name =~ /(a)\./) {
(20) if (&User-Name =~ /(a)\./) -> FALSE
(20) } # if (&User-Name) = notfound
(20) } # policy filter_username = notfound
(20) [chap] = noop
(20) [mschap] = noop
(20) suffix: Checking for suffix after "@"
(20) suffix: No '@' in User-Name = "test", looking up realm NULL
(20) suffix: No such realm "NULL"
(20) [suffix] = noop
(20) update control {
(20) &Proxy-To-Realm := LOCAL
(20) } # update control = noop
(20) eap: Peer sent EAP Response (code 2) ID 9 length 63
(20) eap: No EAP Start, assuming it's an on-going EAP conversation
(20) [eap] = updated
(20) files: users: Matched entry test at line 1
(20) files: EXPAND tu as reussi avec %{Auth-Type} et en etant %{User-Name}
(20) files: --> tu as reussi avec et en etant test
(20) [files] = ok
(20) [expiration] = noop
(20) [logintime] = noop
(20) pap: WARNING: Auth-Type already set. Not setting to PAP
(20) [pap] = noop
(20) } # authorize = updated
(20) Found Auth-Type = eap
(20) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(20) authenticate {
(20) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(20) eap: Finished EAP session with state 0xc8f1f8bdc8f8e24d
(20) eap: Previous EAP request found for state 0xc8f1f8bdc8f8e24d, released
from the list
(20) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(20) eap: Calling submodule eap_mschapv2 to process data
(20) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(20) eap_mschapv2: authenticate {
(20) mschap: Found Cleartext-Password, hashing to create NT-Password
(20) mschap: Creating challenge hash with username: test
(20) mschap: Client is using MS-CHAPv2
(20) mschap: Adding MS-CHAPv2 MPPE keys
(20) eap_mschapv2: [mschap] = ok
(20) eap_mschapv2: } # authenticate = ok
(20) eap_mschapv2: MSCHAP Success
(20) eap: Sending EAP Request (code 1) ID 10 length 51
(20) eap: EAP session adding &reply:State = 0xc8f1f8bdc9fbe24d
(20) [eap] = handled
(20) } # authenticate = handled
(20) } # server inner-tunnel
(20) Virtual server sending reply
(20) Reply-Message = "tu as reussi avec et en etant test"
(20) EAP-Message =
0x010a00331a0309002e533d4231333644304637383233454339313739434339373332454336
3034393136433231333534313235
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) State = 0xc8f1f8bdc9fbe24d226d055121876240
(20) eap_peap: Got tunneled reply code 11
(20) eap_peap: Reply-Message = "tu as reussi avec et en etant test"
(20) eap_peap: EAP-Message =
0x010a00331a0309002e533d4231333644304637383233454339313739434339373332454336
3034393136433231333534313235
(20) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(20) eap_peap: State = 0xc8f1f8bdc9fbe24d226d055121876240
(20) eap_peap: Got tunneled reply RADIUS code 11
(20) eap_peap: Reply-Message = "tu as reussi avec et en etant test"
(20) eap_peap: EAP-Message =
0x010a00331a0309002e533d4231333644304637383233454339313739434339373332454336
3034393136433231333534313235
(20) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(20) eap_peap: State = 0xc8f1f8bdc9fbe24d226d055121876240
(20) eap_peap: Got tunneled Access-Challenge
(20) eap: Sending EAP Request (code 1) ID 10 length 82
(20) eap: EAP session adding &reply:State = 0x5709dc2c5f03c55d
(20) [eap] = handled
(20) if (handled && (Response-Packet-Type == Access-Challenge)) {
(20) EXPAND Response-Packet-Type
(20) --> Access-Challenge
(20) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(20) if (handled && (Response-Packet-Type == Access-Challenge)) {
(20) attr_filter.access_challenge: EXPAND %{User-Name}
(20) attr_filter.access_challenge: --> test
(20) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(20) [attr_filter.access_challenge.post-auth] = updated
(20) [handled] = handled
(20) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(20) } # Auth-Type eap = handled
(20) Using Post-Auth-Type Challenge
(20) # Executing group from file /etc/raddb/sites-enabled/default
(20) Challenge { ... } # empty sub-section is ignored
(20) session-state: Saving cached attributes
(20) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(20) TLS-Session-Version = "TLS 1.2"
(20) Sent Access-Challenge Id 194 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(20) EAP-Message =
0x010a0052190017030300475bc3632e6b443563bfdb8a34b1d033e80abaed0886740e922409
cc823028e6c31f02665c568a46c5f021df9853700a6be0d1b2248b9520ffad2833cdfccb681b
bfefac58b6c6e8
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) State = 0x5709dc2c5f03c55d080b76220813d0d4
(20) Finished request
Waking up in 2.0 seconds.
(21) Received Access-Request Id 195 from 10.100.0.50:1645 to
10.101.0.20:1812 length 240
(21) User-Name = "test"
(21) Service-Type = Framed-User
(21) Framed-MTU = 1500
(21) Called-Station-Id = "24-01-C7-8E-84-86"
(21) Calling-Station-Id = "74-78-27-1B-F2-78"
(21) EAP-Message =
0x020a00251900170303001a0000000000000003b7e4977bb2c798f1390f20f4c06d08798279
(21) Message-Authenticator = 0xc450ef4dd19f37f7ff7136f788d710b0
(21) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(21) NAS-Port-Type = Ethernet
(21) NAS-Port = 50006
(21) NAS-Port-Id = "GigabitEthernet0/6"
(21) State = 0x5709dc2c5f03c55d080b76220813d0d4
(21) NAS-IP-Address = 10.100.0.50
(21) Restoring &session-state
(21) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(21) &session-state:TLS-Session-Version = "TLS 1.2"
(21) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(21) authorize {
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /(a)\./) {
(21) if (&User-Name =~ /(a)\./) -> FALSE
(21) } # if (&User-Name) = notfound
(21) } # policy filter_username = notfound
(21) [preprocess] = ok
(21) [chap] = noop
(21) [mschap] = noop
(21) [digest] = noop
(21) suffix: Checking for suffix after "@"
(21) suffix: No '@' in User-Name = "test", looking up realm NULL
(21) suffix: No such realm "NULL"
(21) [suffix] = noop
(21) eap: Peer sent EAP Response (code 2) ID 10 length 37
(21) eap: Continuing tunnel setup
(21) [eap] = ok
(21) } # authorize = ok
(21) Found Auth-Type = eap
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21) Auth-Type eap {
(21) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(21) eap: Finished EAP session with state 0x5709dc2c5f03c55d
(21) eap: Previous EAP request found for state 0x5709dc2c5f03c55d, released
from the list
(21) eap: Peer sent packet with method EAP PEAP (25)
(21) eap: Calling submodule eap_peap to process data
(21) eap_peap: Continuing EAP-TLS
(21) eap_peap: [eaptls verify] = ok
(21) eap_peap: Done initial handshake
(21) eap_peap: [eaptls process] = ok
(21) eap_peap: Session established. Decoding tunneled attributes
(21) eap_peap: PEAP state phase2
(21) eap_peap: EAP method MSCHAPv2 (26)
(21) eap_peap: Got tunneled request
(21) eap_peap: EAP-Message = 0x020a00061a03
(21) eap_peap: Setting User-Name to test
(21) eap_peap: Sending tunneled request to inner-tunnel
(21) eap_peap: EAP-Message = 0x020a00061a03
(21) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(21) eap_peap: User-Name = "test"
(21) eap_peap: State = 0xc8f1f8bdc9fbe24d226d055121876240
(21) Virtual server inner-tunnel received request
(21) EAP-Message = 0x020a00061a03
(21) FreeRADIUS-Proxied-To = 127.0.0.1
(21) User-Name = "test"
(21) State = 0xc8f1f8bdc9fbe24d226d055121876240
(21) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(21) server inner-tunnel {
(21) session-state: No cached attributes
(21) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(21) authorize {
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /(a)\./) {
(21) if (&User-Name =~ /(a)\./) -> FALSE
(21) } # if (&User-Name) = notfound
(21) } # policy filter_username = notfound
(21) [chap] = noop
(21) [mschap] = noop
(21) suffix: Checking for suffix after "@"
(21) suffix: No '@' in User-Name = "test", looking up realm NULL
(21) suffix: No such realm "NULL"
(21) [suffix] = noop
(21) update control {
(21) &Proxy-To-Realm := LOCAL
(21) } # update control = noop
(21) eap: Peer sent EAP Response (code 2) ID 10 length 6
(21) eap: No EAP Start, assuming it's an on-going EAP conversation
(21) [eap] = updated
(21) files: users: Matched entry test at line 1
(21) files: EXPAND tu as reussi avec %{Auth-Type} et en etant %{User-Name}
(21) files: --> tu as reussi avec et en etant test
(21) [files] = ok
(21) [expiration] = noop
(21) [logintime] = noop
(21) pap: WARNING: Auth-Type already set. Not setting to PAP
(21) [pap] = noop
(21) } # authorize = updated
(21) Found Auth-Type = eap
(21) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(21) authenticate {
(21) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(21) eap: Finished EAP session with state 0xc8f1f8bdc9fbe24d
(21) eap: Previous EAP request found for state 0xc8f1f8bdc9fbe24d, released
from the list
(21) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(21) eap: Calling submodule eap_mschapv2 to process data
(21) eap: Sending EAP Success (code 3) ID 10 length 4
(21) eap: Freeing handler
(21) [eap] = ok
(21) } # authenticate = ok
(21) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(21) post-auth {
(21) if (0) {
(21) if (0) -> FALSE
(21) } # post-auth = noop
(21) Login OK: [test] (from client swi_said_edward_p173 port 0 via TLS
tunnel)
(21) } # server inner-tunnel
(21) Virtual server sending reply
(21) Reply-Message = "tu as reussi avec et en etant test"
(21) MS-MPPE-Encryption-Policy = Encryption-Allowed
(21) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(21) MS-MPPE-Send-Key = 0x81238317805f6b67fec93e45b3692a81
(21) MS-MPPE-Recv-Key = 0xca79e92c0f2a71aedddd4dce55d7b4bc
(21) EAP-Message = 0x030a0004
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) User-Name = "test"
(21) eap_peap: Got tunneled reply code 2
(21) eap_peap: Reply-Message = "tu as reussi avec et en etant test"
(21) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(21) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(21) eap_peap: MS-MPPE-Send-Key = 0x81238317805f6b67fec93e45b3692a81
(21) eap_peap: MS-MPPE-Recv-Key = 0xca79e92c0f2a71aedddd4dce55d7b4bc
(21) eap_peap: EAP-Message = 0x030a0004
(21) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(21) eap_peap: User-Name = "test"
(21) eap_peap: Got tunneled reply RADIUS code 2
(21) eap_peap: Reply-Message = "tu as reussi avec et en etant test"
(21) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(21) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(21) eap_peap: MS-MPPE-Send-Key = 0x81238317805f6b67fec93e45b3692a81
(21) eap_peap: MS-MPPE-Recv-Key = 0xca79e92c0f2a71aedddd4dce55d7b4bc
(21) eap_peap: EAP-Message = 0x030a0004
(21) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(21) eap_peap: User-Name = "test"
(21) eap_peap: Tunneled authentication was successful
(21) eap_peap: SUCCESS
(21) eap: Sending EAP Request (code 1) ID 11 length 46
(21) eap: EAP session adding &reply:State = 0x5709dc2c5e02c55d
(21) [eap] = handled
(21) if (handled && (Response-Packet-Type == Access-Challenge)) {
(21) EXPAND Response-Packet-Type
(21) --> Access-Challenge
(21) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(21) if (handled && (Response-Packet-Type == Access-Challenge)) {
(21) attr_filter.access_challenge: EXPAND %{User-Name}
(21) attr_filter.access_challenge: --> test
(21) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(21) [attr_filter.access_challenge.post-auth] = updated
(21) [handled] = handled
(21) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(21) } # Auth-Type eap = handled
(21) Using Post-Auth-Type Challenge
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21) Challenge { ... } # empty sub-section is ignored
(21) session-state: Saving cached attributes
(21) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(21) TLS-Session-Version = "TLS 1.2"
(21) Sent Access-Challenge Id 195 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(21) EAP-Message =
0x010b002e190017030300235bc3632e6b443564d2723008ae0ef670403b61176bfb8668e1ff
44cb3c02f7217871f0
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) State = 0x5709dc2c5e02c55d080b76220813d0d4
(21) Finished request
Waking up in 2.0 seconds.
(22) Received Access-Request Id 196 from 10.100.0.50:1645 to
10.101.0.20:1812 length 249
(22) User-Name = "test"
(22) Service-Type = Framed-User
(22) Framed-MTU = 1500
(22) Called-Station-Id = "24-01-C7-8E-84-86"
(22) Calling-Station-Id = "74-78-27-1B-F2-78"
(22) EAP-Message =
0x020b002e19001703030023000000000000000445fbfc432839d0f47cc453ff5500e022d602
41ef8e33106eda0936
(22) Message-Authenticator = 0x7ca959931442315cd10d49eb490df5db
(22) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(22) NAS-Port-Type = Ethernet
(22) NAS-Port = 50006
(22) NAS-Port-Id = "GigabitEthernet0/6"
(22) State = 0x5709dc2c5e02c55d080b76220813d0d4
(22) NAS-IP-Address = 10.100.0.50
(22) Restoring &session-state
(22) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(22) &session-state:TLS-Session-Version = "TLS 1.2"
(22) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(22) authorize {
(22) policy filter_username {
(22) if (&User-Name) {
(22) if (&User-Name) -> TRUE
(22) if (&User-Name) {
(22) if (&User-Name =~ / /) {
(22) if (&User-Name =~ / /) -> FALSE
(22) if (&User-Name =~ /@[^@]*@/ ) {
(22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(22) if (&User-Name =~ /\.\./ ) {
(22) if (&User-Name =~ /\.\./ ) -> FALSE
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(22) if (&User-Name =~ /\.$/) {
(22) if (&User-Name =~ /\.$/) -> FALSE
(22) if (&User-Name =~ /(a)\./) {
(22) if (&User-Name =~ /(a)\./) -> FALSE
(22) } # if (&User-Name) = notfound
(22) } # policy filter_username = notfound
(22) [preprocess] = ok
(22) [chap] = noop
(22) [mschap] = noop
(22) [digest] = noop
(22) suffix: Checking for suffix after "@"
(22) suffix: No '@' in User-Name = "test", looking up realm NULL
(22) suffix: No such realm "NULL"
(22) [suffix] = noop
(22) eap: Peer sent EAP Response (code 2) ID 11 length 46
(22) eap: Continuing tunnel setup
(22) [eap] = ok
(22) } # authorize = ok
(22) Found Auth-Type = eap
(22) # Executing group from file /etc/raddb/sites-enabled/default
(22) Auth-Type eap {
(22) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(22) eap: Finished EAP session with state 0x5709dc2c5e02c55d
(22) eap: Previous EAP request found for state 0x5709dc2c5e02c55d, released
from the list
(22) eap: Peer sent packet with method EAP PEAP (25)
(22) eap: Calling submodule eap_peap to process data
(22) eap_peap: Continuing EAP-TLS
(22) eap_peap: [eaptls verify] = ok
(22) eap_peap: Done initial handshake
(22) eap_peap: [eaptls process] = ok
(22) eap_peap: Session established. Decoding tunneled attributes
(22) eap_peap: PEAP state send tlv success
(22) eap_peap: Received EAP-TLV response
(22) eap_peap: Success
(22) eap: Sending EAP Success (code 3) ID 11 length 4
(22) eap: Freeing handler
(22) [eap] = ok
(22) if (handled && (Response-Packet-Type == Access-Challenge)) {
(22) if (handled && (Response-Packet-Type == Access-Challenge)) ->
FALSE
(22) } # Auth-Type eap = ok
(22) # Executing section post-auth from file
/etc/raddb/sites-enabled/default
(22) post-auth {
(22) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(22) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) -> FALSE
(22) update {
(22) &reply::TLS-Session-Cipher-Suite +=
&session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(22) &reply::TLS-Session-Version +=
&session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(22) } # update = noop
(22) [exec] = noop
(22) policy remove_reply_message_if_eap {
(22) if (&reply:EAP-Message && &reply:Reply-Message) {
(22) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(22) else {
(22) [noop] = noop
(22) } # else = noop
(22) } # policy remove_reply_message_if_eap = noop
(22) } # post-auth = noop
(22) Login OK: [test] (from client swi_said_edward_p173 port 50006 cli
74-78-27-1B-F2-78)
(22) Sent Access-Accept Id 196 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(22) MS-MPPE-Recv-Key =
0xb3963e8d4a98a9a2b83fc3463f4aee62e926bbe31e9fab554887fbef5efce59d
(22) MS-MPPE-Send-Key =
0xe659945053c03ec5ae6b8b0ceef6fa83d90c3718f2a69f013f86f3870e5349ed
(22) EAP-Message = 0x030b0004
(22) Message-Authenticator = 0x00000000000000000000000000000000
(22) User-Name = "test"
(22) Finished request
Waking up in 2.0 seconds.
(23) Received Accounting-Request Id 61 from 10.100.0.50:1646 to
10.101.0.20:1813 length 217
(23) Acct-Session-Id = "0000006D"
(23) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(23) User-Name = "test"
(23) Cisco-AVPair = "connect-progress=Call Up"
(23) Acct-Authentic = RADIUS
(23) Acct-Status-Type = Start
(23) NAS-Port-Type = Ethernet
(23) NAS-Port = 50006
(23) NAS-Port-Id = "GigabitEthernet0/6"
(23) Called-Station-Id = "24-01-C7-8E-84-86"
(23) Calling-Station-Id = "74-78-27-1B-F2-78"
(23) Service-Type = Framed-User
(23) NAS-IP-Address = 10.100.0.50
(23) Acct-Delay-Time = 0
(23) # Executing section preacct from file /etc/raddb/sites-enabled/default
(23) preacct {
(23) [preprocess] = ok
(23) policy acct_unique {
(23) update request {
(23) &Tmp-String-9 := "ai:"
(23) } # update request = noop
(23) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(23) EXPAND %{hex:&Class}
(23) -->
(23) EXPAND ^%{hex:&Tmp-String-9}
(23) --> ^61693a
(23) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(23) else {
(23) update request {
(23) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Addres
s}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(23) --> ec3bf2e33c3293d656fc4362227660f2
(23) &Acct-Unique-Session-Id := ec3bf2e33c3293d656fc4362227660f2
(23) } # update request = noop
(23) } # else = noop
(23) } # policy acct_unique = noop
(23) suffix: Checking for suffix after "@"
(23) suffix: No '@' in User-Name = "test", looking up realm NULL
(23) suffix: No such realm "NULL"
(23) [suffix] = noop
(23) [files] = noop
(23) } # preacct = ok
(23) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(23) accounting {
(23) detail: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d
(23) detail: --> /var/log/radius/radacct/10.100.0.50/detail-20220725
(23) detail:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d expands to
/var/log/radius/radacct/10.100.0.50/detail-20220725
(23) detail: EXPAND %t
(23) detail: --> Mon Jul 25 18:16:45 2022
(23) [detail] = ok
(23) [unix] = ok
(23) radutmp: EXPAND /var/log/radius/radutmp
(23) radutmp: --> /var/log/radius/radutmp
(23) radutmp: EXPAND %{User-Name}
(23) radutmp: --> test
(23) [radutmp] = ok
(23) sradutmp: EXPAND /var/log/radius/sradutmp
(23) sradutmp: --> /var/log/radius/sradutmp
(23) sradutmp: EXPAND %{User-Name}
(23) sradutmp: --> test
(23) [sradutmp] = ok
(23) [exec] = noop
(23) attr_filter.accounting_response: EXPAND %{User-Name}
(23) attr_filter.accounting_response: --> test
(23) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(23) [attr_filter.accounting_response] = updated
(23) } # accounting = updated
(23) Sent Accounting-Response Id 61 from 10.101.0.20:1813 to
10.100.0.50:1646 length 0
(23) Finished request
(23) Cleaning up request packet ID 61 with timestamp +68
Waking up in 0.8 seconds.
(12) Cleaning up request packet ID 186 with timestamp +64
(13) Cleaning up request packet ID 187 with timestamp +64
(14) Cleaning up request packet ID 188 with timestamp +64
(15) Cleaning up request packet ID 189 with timestamp +64
(16) Cleaning up request packet ID 190 with timestamp +64
(17) Cleaning up request packet ID 191 with timestamp +64
Waking up in 2.7 seconds.
(18) Cleaning up request packet ID 192 with timestamp +67
(19) Cleaning up request packet ID 193 with timestamp +67
(20) Cleaning up request packet ID 194 with timestamp +67
(21) Cleaning up request packet ID 195 with timestamp +67
(22) Cleaning up request packet ID 196 with timestamp +67
Ready to process requests
3
7
Hi All.
I'm migrating ClearBox Radius Software to freeradius, And I need to pass
the attribute Mikrotik-Rate-Limit via query.
The Query for ClearBox is:
"SELECT 'Mikrotik-Rate-Limit' AS Expr1, \
CASE WHEN sync = 1 THEN \
REPLACE(CAST(idvelocidad as char) + 'K',' ','') \
ELSE \
REPLACE(CAST(idvelocidad /2 as char)+'K/'+ CAST(idvelocidad as
char)+'K',' ','') \
END \
AS Expr2 \
FROM SubAccounts with(nolock) \
WHERE Login = '%{SQL-User-Name}'"
This query takes the bandwidth of a table in the CRM software. If the
client is a business (synchronization), the bandwidth is symmetric, but if
the client is an ordinary client, the bandwidth is not symmetric and the
upload bandwidth is divided by 2 and the upload bandwidth is divided by 2.
download is integer.
How can I keep this in freeradius and pass the parameter through a query?
Thanks
2
1
Hello.
Im trying to configure freeradius with MSSQL, and when I start freeradius
-X, I receive the following error:
*Could not link driver rlm_sql_unixodbc:
/usr/lib/freeradius/rlm_sql_unixodbc.so: cannot open shared object file: No
such file or directoryMake sure it (and all its dependent libraries!) are
in the search path of your system's
ld /etc/freeradius/mods-enabled/sql[27]: Instantiation failed for module
"sql"*
The ODBC driver is installed and working:
isql -v MSSQLdb radius radtest
+---------------------------------+
| Connected! |
| |
| sql-statement |
| help [tablename] |
| quit |
| |
+--------------------------------+
I'm download the package, from this link
https://networkradius.com/packages/#fr32-ubuntu-jammy, and I try with
freetds, but I receive the same error message: *"Could not link driver
rlm_sql_freetds: /usr/lib/freeradius/rlm_sql_freetds.so: cannot open shared
object file: No such file or directory"*
I checked in the directory, and the file is not there.
root@radsrv:/usr/lib/freeradius# ll
total 1820
drwxr-xr-x 2 root root 4096 oct 2 19:13 ./
drwxr-xr-x 92 root root 4096 oct 2 19:13 ../
-rw-r--r-- 1 root root 63560 may 9 20:09 libfreeradius-eap.so
-rw-r--r-- 1 root root 256648 may 9 20:09 libfreeradius-radius.so
-rw-r--r-- 1 root root 215288 may 9 20:09 libfreeradius-server.so
-rw-r--r-- 1 root root 22632 may 9 20:09 proto_vmps.so
-rw-r--r-- 1 root root 14576 may 9 20:09 rlm_always.so
-rw-r--r-- 1 root root 14576 may 9 20:09 rlm_attr_filter.so
-rw-r--r-- 1 root root 14440 may 9 20:09 rlm_cache_rbtree.so
-rw-r--r-- 1 root root 26864 may 9 20:09 rlm_cache.so
-rw-r--r-- 1 root root 14496 may 9 20:09 rlm_chap.so
-rw-r--r-- 1 root root 26864 may 9 20:09 rlm_counter.so
-rw-r--r-- 1 root root 14576 may 9 20:09 rlm_date.so
-rw-r--r-- 1 root root 26864 may 9 20:09 rlm_detail.so
-rw-r--r-- 1 root root 22688 may 9 20:09 rlm_digest.so
-rw-r--r-- 1 root root 14496 may 9 20:09 rlm_dynamic_clients.so
-rw-r--r-- 1 root root 47624 may 9 20:09 rlm_eap_fast.so
-rw-r--r-- 1 root root 14536 may 9 20:09 rlm_eap_gtc.so
-rw-r--r-- 1 root root 18488 may 9 20:09 rlm_eap_md5.so
-rw-r--r-- 1 root root 22768 may 9 20:09 rlm_eap_mschapv2.so
-rw-r--r-- 1 root root 39432 may 9 20:09 rlm_eap_peap.so
-rw-r--r-- 1 root root 55656 may 9 20:09 rlm_eap_pwd.so
-rw-r--r-- 1 root root 18488 may 9 20:09 rlm_eap_sim.so
-rw-r--r-- 1 root root 51440 may 9 20:09 rlm_eap.so
-rw-r--r-- 1 root root 14424 may 9 20:09 rlm_eap_tls.so
-rw-r--r-- 1 root root 35216 may 9 20:09 rlm_eap_ttls.so
-rw-r--r-- 1 root root 14576 may 9 20:09 rlm_exec.so
-rw-r--r-- 1 root root 14496 may 9 20:09 rlm_expiration.so
-rw-r--r-- 1 root root 43248 may 9 20:09 rlm_expr.so
-rw-r--r-- 1 root root 14576 may 9 20:09 rlm_files.so
-rw-r--r-- 1 root root 26864 may 9 20:09 rlm_ippool.so
-rw-r--r-- 1 root root 14576 may 9 20:09 rlm_linelog.so
-rw-r--r-- 1 root root 18672 may 9 20:09 rlm_logintime.so
-rw-r--r-- 1 root root 55536 may 9 20:09 rlm_mschap.so
-rw-r--r-- 1 root root 14576 may 9 20:09 rlm_pam.so
-rw-r--r-- 1 root root 39152 may 9 20:09 rlm_pap.so
-rw-r--r-- 1 root root 22768 may 9 20:09 rlm_passwd.so
-rw-r--r-- 1 root root 39152 may 9 20:09 rlm_perl.so
-rw-r--r-- 1 root root 18672 may 9 20:09 rlm_preprocess.so
-rw-r--r-- 1 root root 22768 may 9 20:09 rlm_radutmp.so
-rw-r--r-- 1 root root 14720 may 9 20:09 rlm_realm.so
-rw-r--r-- 1 root root 14496 may 9 20:09 rlm_replicate.so
-rw-r--r-- 1 root root 14576 may 9 20:09 rlm_soh.so
-rw-r--r-- 1 root root 14416 may 9 20:09 rlm_sometimes.so
-rw-r--r-- 1 root root 22768 may 9 20:09 rlm_sqlcounter.so
-rw-r--r-- 1 root root 29504 may 9 20:09 rlm_sqlippool.so
-rw-r--r-- 1 root root 18672 may 9 20:09 rlm_sql_map.so
-rw-r--r-- 1 root root 14336 may 9 20:09 rlm_sql_null.so
-rw-r--r-- 1 root root 51440 may 9 20:09 rlm_sql.so
-rw-r--r-- 1 root root 26848 may 9 20:09 rlm_sql_sqlite.so
-rw-r--r-- 1 root root 14576 may 9 20:09 rlm_test.so
-rw-r--r-- 1 root root 14496 may 9 20:09 rlm_totp.so
-rw-r--r-- 1 root root 14576 may 9 20:09 rlm_unix.so
-rw-r--r-- 1 root root 14496 may 9 20:09 rlm_unpack.so
-rw-r--r-- 1 root root 14496 may 9 20:09 rlm_utf8.so
-rw-r--r-- 1 root root 35056 may 9 20:09 rlm_wimax.so
Debug Output:
radiusd -X 2>&1 | tee debugfile
FreeRADIUS Version 3.2.0
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including configuration file
/usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/totp
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/date
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file
/usr/local/etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/rfc7542
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/accounting
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
postauth_client_lost = no
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
recv_coa {
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = digest
# Creating Autz-Type = New-TLS-Connection
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/usr/local/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_replicate
# Loading module "replicate" from file
/usr/local/etc/raddb/mods-enabled/replicate
# Loaded module rlm_unpack
# Loading module "unpack" from file
/usr/local/etc/raddb/mods-enabled/unpack
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename =
"/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.coa" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.coa {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/coa"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_always
# Loading module "reject" from file
/usr/local/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file
/usr/local/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file
/usr/local/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file
/usr/local/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file
/usr/local/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file
/usr/local/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_totp
# Loading module "totp" from file /usr/local/etc/raddb/mods-enabled/totp
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/usr/local/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups =
"/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_mschap
# Loading module "mschap" from file
/usr/local/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file
/usr/local/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_digest
# Loading module "digest" from file
/usr/local/etc/raddb/mods-enabled/digest
# Loaded module rlm_files
# Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile =
"/usr/local/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file
/usr/local/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_exec
# Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loading module "sradutmp" from file
/usr/local/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/usr/local/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_linelog
# Loading module "linelog" from file
/usr/local/etc/raddb/mods-enabled/linelog
linelog {
filename = "/usr/local/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/usr/local/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/usr/local/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file
/usr/local/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file
/usr/local/etc/raddb/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file
/usr/local/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file
/usr/local/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loading module "ntlm_auth" from file
/usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_detail
# Loading module "detail" from file
/usr/local/etc/raddb/mods-enabled/detail
detail {
filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file
/usr/local/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_chap
# Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
# Loaded module rlm_pap
# Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_date
# Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file
/usr/local/etc/raddb/mods-enabled/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_soh
# Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loading module "auth_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file
/usr/local/etc/raddb/mods-enabled/expiration
# Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
instantiate {
}
# Instantiating module "attr_filter.post-proxy" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file
/usr/local/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.coa" from file
/usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/coa
# Instantiating module "reject" from file
/usr/local/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file
/usr/local/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file
/usr/local/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file
/usr/local/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file
/usr/local/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file
/usr/local/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file
/usr/local/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file
/usr/local/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file
/usr/local/etc/raddb/mods-enabled/always
# Instantiating module "preprocess" from file
/usr/local/etc/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
# Instantiating module "eap" from file
/usr/local/etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
ca_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "DEFAULT"
cipher_server_preference = no
reject_unknown_intermediate_ca = no
ecdh_curve = ""
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "mschap" from file
/usr/local/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "etc_passwd" from file
/usr/local/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "files" from file
/usr/local/etc/raddb/mods-enabled/files
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file
/usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "IPASS" from file
/usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file
/usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "bangpath" from file
/usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file
/usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file
/usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "detail" from file
/usr/local/etc/raddb/mods-enabled/detail
# Instantiating module "logintime" from file
/usr/local/etc/raddb/mods-enabled/logintime
# Instantiating module "pap" from file
/usr/local/etc/raddb/mods-enabled/pap
# Instantiating module "auth_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "expiration" from file
/usr/local/etc/raddb/mods-enabled/expiration
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/usr/local/etc/raddb/sites-enabled/inner-tunnel:336
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
server default { # from file /usr/local/etc/raddb/sites-enabled/default
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Compiling Autz-Type New-TLS-Connection for attr Autz-Type
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 47993
Listening on proxy address :: port 37205
Ready to process requests
Thanks!
3
4