Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
August 2022
- 35 participants
- 40 discussions
Hello,
I have a fairly new problem where some clients (Desktops/Laptops) have stopped using their certificates and using EAP and instead present their mac addresses. However this is a minority of clients and has only started to occur recently. The Radius server is configured to do both eap-tls and mac-based auth for clients that aren't compatible. Naturally we don't have mac addresses stored in authorized_macs for our EAP clients.
Furthermore the error is not consistent. Some clients throw errors in the logs but can continue to log in (they usually have a mix of successful EAP authentications and unsuccessful mac based auth). Some can log in after an ipconfig /release /renew. This occurs on a variety of access points (that is, different manufacturers) and nothing has changed on them or the radius server as far as I can tell.
Any ideas? I've attached a debug log with a few successful and unsuccessful requests.
Thanks,
David le Roux
FreeRADIUS Version 3.2.0
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including configuration file /etc/freeradius/3.0/mwanclients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/rfc7542
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/eap
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/3.0/sites-enabled/mh-site
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 120
cleanup_delay = 10
max_requests = 80000
postauth_client_lost = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
recv_coa {
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client 127.0.0.1 {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
shortname = "localhost"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
files {
filename = "/etc/freeradius/3.0/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
}
# Loading module "authorized_macs" from file /etc/freeradius/3.0/mods-enabled/files
files authorized_macs {
usersfile = "/etc/freeradius/3.0/authorized_macs"
key = "%{Calling-Station-ID}"
}
# Loaded module rlm_exec
# Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "tls"
timer_expire = 600
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 80000
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
instantiate {
}
# Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
# Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
# Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
# Instantiating module "authorized_macs" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/authorized_macs
# Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
# Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
# Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs/millerCA/RADIUS_CA/"
pem_file_type = yes
private_key_file = "/etc/freeradius/3.0/certs/radius.millerextra.com.key"
certificate_file = "/etc/freeradius/3.0/certs/radius.millerextra.com.pem"
dh_file = "/etc/freeradius/3.0/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = yes
check_all_crl = no
ca_path_reload_interval = 0
check_cert_cn = "%{%{Cert-CN}:-%{User-Name}}"
cipher_list = "DEFAULT"
cipher_server_preference = no
check_cert_issuer = "/C=GB/ST=Edinburgh/L=Edinburgh/O=Miller Group Ltd/OU=Group IT/CN=Intermediate CA"
reject_unknown_intermediate_ca = no
ecdh_curve = "prime256v1"
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
tls: Setting DH parameters from /etc/freeradius/3.0/certs/dh - this is no longer necessary.
tls: You should comment out the 'dh_file' configuration item.
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
# Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:336
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
server mh-site { # from file /etc/freeradius/3.0/sites-enabled/mh-site
# Loading authenticate {...}
Compiling Auth-Type EAP for attr Auth-Type
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
# Loading authorize {...}
# Loading post-proxy {...}
} # server mh-site
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = 10.10.251.2
port = 1812
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address 10.10.251.2 port 1812 bound to server mh-site
Listening on proxy address * port 34473
Ready to process requests
(10) Received Access-Request Id 72 from 10.35.80.11:1812 to 10.10.251.2:1812 length 353
(10) Framed-MTU = 1466
(10) NAS-IP-Address = 10.35.80.11
(10) NAS-Identifier = "ba-sw01"
(10) User-Name = "08-00-0f-82-60-2b"
(10) Service-Type = Call-Check
(10) Framed-Protocol = PPP
(10) NAS-Port = 39
(10) NAS-Port-Type = Ethernet
(10) NAS-Port-Id = "39"
(10) Called-Station-Id = "ec-9a-74-19-1f-19"
(10) Calling-Station-Id = "08-00-0f-82-60-2b"
(10) Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
(10) CHAP-Password = 0xfaa641782c5ee3ce1dd7a848d127e805fa
(10) Message-Authenticator = 0xc1f4a47df4d02594a7610daeae455561
(10) MS-RAS-Vendor = 11
(10) HP-Capability-Advert = 0x011a0000000b28
(10) HP-Capability-Advert = 0x011a0000000b2e
(10) HP-Capability-Advert = 0x011a0000000b30
(10) HP-Capability-Advert = 0x011a0000000b3d
(10) HP-Capability-Advert = 0x011a0000000b18
(10) HP-Capability-Advert = 0x011a0000000b19
(10) HP-Capability-Advert = 0x0138
(10) HP-Capability-Advert = 0x013a
(10) HP-Capability-Advert = 0x0140
(10) HP-Capability-Advert = 0x0141
(10) HP-Capability-Advert = 0x0151
(10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /(a)\./) {
(10) if (&User-Name =~ /(a)\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) chap: &control:Auth-Type := CHAP
(10) [chap] = ok
Not doing PAP as Auth-Type is already set.
(10) [pap] = noop
(10) eap: No EAP-Message, not doing EAP
(10) [eap] = noop
(10) files: users: Matched entry DEFAULT at line 167
(10) [files] = ok
(10) [expiration] = noop
(10) [logintime] = noop
(10) policy rewrite_calling_station_id {
(10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(10) update request {
(10) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(10) --> 08-00-0f-82-60-2b
(10) &Calling-Station-Id := 08-00-0f-82-60-2b
(10) } # update request = noop
(10) [updated] = updated
(10) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(10) ... skipping else: Preceding "if" was taken
(10) } # policy rewrite_calling_station_id = updated
(10) if (&User-Name =~ /^host\/(.*)$/) {
(10) if (&User-Name =~ /^host\/(.*)$/) -> FALSE
(10) if (!EAP-Message) {
(10) if (!EAP-Message) -> TRUE
(10) if (!EAP-Message) {
(10) authorized_macs: EXPAND %{Calling-Station-ID}
(10) authorized_macs: --> 08-00-0f-82-60-2b
(10) authorized_macs: users: Matched entry 08-00-0f-82-60-2b at line 599
(10) authorized_macs: EXPAND Device with MAC Address %{Calling-Station-Id} authorized for network access mil057-Derby-01
(10) authorized_macs: --> Device with MAC Address 08-00-0f-82-60-2b authorized for network access mil057-Derby-01
(10) [authorized_macs] = ok
(10) if (!ok) {
(10) if (!ok) -> FALSE
(10) else {
(10) update control {
(10) Auth-Type := Accept
(10) } # update control = noop
(10) } # else = noop
(10) } # if (!EAP-Message) = ok
(10) ... skipping else: Preceding "if" was taken
(10) } # authorize = updated
(10) Found Auth-Type = Accept
(10) Auth-Type = Accept, accepting the user
(10) Login OK: [08-00-0f-82-60-2b] (from client ba-sw01 port 39 cli 08-00-0f-82-60-2b)
(10) Sent Access-Accept Id 72 from 10.10.251.2:1812 to 10.35.80.11:1812 length 121
(10) Framed-Protocol = PPP
(10) Framed-Compression = Van-Jacobson-TCP-IP
(10) Reply-Message = "Device with MAC Address 08-00-0f-82-60-2b authorized for network access mil057-Derby-01"
(10) Finished request
Waking up in 7.7 seconds.
(11) Received Access-Request Id 222 from 10.225.23.1:59952 to 10.10.251.2:1812 length 1794
(11) User-Name = "host/mh302290.millerextra.com"
(11) NAS-IP-Address = 0.0.0.0
(11) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(11) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(11) NAS-Port-Type = Wireless-802.11
(11) Service-Type = Framed-User
(11) NAS-Port = 1
(11) Calling-Station-Id = "DC-21-5C-C3-72-47"
(11) Connect-Info = "CONNECT 0.00 Mbps / 802. / RSSI: 0 / Channel: 0"
(11) Acct-Session-Id = "9CDB98DC889BEB86"
(11) Acct-Multi-Session-Id = "2D0EF608C685F0CB"
(11) WLAN-Pairwise-Cipher = 1027076
(11) WLAN-Group-Cipher = 1027076
(11) WLAN-AKM-Suite = 1027073
(11) Framed-MTU = 1400
(11) EAP-Message = 0x029005d40dc000000cc91603030c910b000b3f000b3c00039b308203973082027fa0030201020202517b300d06092a864886f70d0101050500307d310b300906035504061302474231123010060355040813094564696e627572676831123010060355040713094564696e627572676831193017060355040a13104d696c6c65722047726f7570204c74643111300f060355040b130847726f7570204954311830160603550403130f496e7465726d656469617465204341301e170d3138303630373130343235305a170d3338303630323130343235305a308186310b300906035504061302474231123010060355040813094564696e627572676831123010060355040713094564696e627572676831193017060355040a13104d696c6c65722047726f7570204c74643111300f060355040b130847726f75702049543121301f060355040313186d683330323239302e6d696c6c657265787472612e636f6d30820122300d06092a864886f70d0101010500038201
(11) State = 0xf72b5a5df3bb57a9c1efd3e6da559108
(11) Message-Authenticator = 0xfd14e06d0d481d0ddcc791481667491c
(11) session-state: No cached attributes
(11) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ /(a)\./) {
(11) if (&User-Name =~ /(a)\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [preprocess] = ok
(11) [chap] = noop
(11) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(11) pap: WARNING: Authentication will fail unless a "known good" password is available
(11) [pap] = noop
(11) eap: Peer sent EAP Response (code 2) ID 144 length 1492
(11) eap: No EAP Start, assuming it's an on-going EAP conversation
(11) [eap] = updated
(11) [files] = noop
(11) [expiration] = noop
(11) [logintime] = noop
(11) policy rewrite_calling_station_id {
(11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(11) update request {
(11) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(11) --> dc-21-5c-c3-72-47
(11) &Calling-Station-Id := dc-21-5c-c3-72-47
(11) } # update request = noop
(11) [updated] = updated
(11) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(11) ... skipping else: Preceding "if" was taken
(11) } # policy rewrite_calling_station_id = updated
(11) if (&User-Name =~ /^host\/(.*)$/) {
(11) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(11) if (&User-Name =~ /^host\/(.*)$/) {
(11) update request {
(11) EXPAND %{1}
(11) --> mh302290.millerextra.com
(11) &Cert-CN := mh302290.millerextra.com
(11) } # update request = noop
(11) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(11) if (!EAP-Message) {
(11) if (!EAP-Message) -> FALSE
(11) else {
(11) eap: Peer sent EAP Response (code 2) ID 144 length 1492
(11) eap: No EAP Start, assuming it's an on-going EAP conversation
(11) [eap] = updated
(11) } # else = updated
(11) } # authorize = updated
(11) Found Auth-Type = eap
(11) Found Auth-Type = eap
(11) ERROR: Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'
(11) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(11) Auth-Type EAP {
(11) eap: Expiring EAP session with state 0xdd940e92d9030376
(11) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0xf72b5a5df3bb57a9
(11) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
(11) eap: Failed in handler
(11) [eap] = invalid
(11) } # Auth-Type EAP = invalid
(11) Failed to authenticate the user
(11) Using Post-Auth-Type Reject
(11) Post-Auth-Type sub-section not found. Ignoring.
(11) Login incorrect (Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'): [host/mh302290.millerextra.com] (from client MWAN-10.225.23.1 port 1 cli dc-21-5c-c3-72-47)
(11) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(11) Sending delayed response
(11) Sent Access-Reject Id 222 from 10.10.251.2:1812 to 10.225.23.1:59952 length 20
Waking up in 5.2 seconds.
(12) Received Access-Request Id 223 from 10.225.23.1:59952 to 10.10.251.2:1812 length 315
(12) User-Name = "host/mh302290.millerextra.com"
(12) NAS-IP-Address = 0.0.0.0
(12) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(12) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(12) NAS-Port-Type = Wireless-802.11
(12) Service-Type = Framed-User
(12) NAS-Port = 1
(12) Calling-Station-Id = "DC-21-5C-C3-72-47"
(12) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 43 / Channel: 44"
(12) Acct-Session-Id = "2658296537E87022"
(12) Acct-Multi-Session-Id = "998A54E28541EE6C"
(12) WLAN-Pairwise-Cipher = 1027076
(12) WLAN-Group-Cipher = 1027076
(12) WLAN-AKM-Suite = 1027073
(12) Framed-MTU = 1400
(12) EAP-Message = 0x02c4002201686f73742f6d683330323239302e6d696c6c657265787472612e636f6d
(12) Message-Authenticator = 0x5181770c1add38466ac200aa55ea74b1
(12) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(12) authorize {
(12) policy filter_username {
(12) if (&User-Name) {
(12) if (&User-Name) -> TRUE
(12) if (&User-Name) {
(12) if (&User-Name =~ / /) {
(12) if (&User-Name =~ / /) -> FALSE
(12) if (&User-Name =~ /@[^@]*@/ ) {
(12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(12) if (&User-Name =~ /\.\./ ) {
(12) if (&User-Name =~ /\.\./ ) -> FALSE
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(12) if (&User-Name =~ /\.$/) {
(12) if (&User-Name =~ /\.$/) -> FALSE
(12) if (&User-Name =~ /(a)\./) {
(12) if (&User-Name =~ /(a)\./) -> FALSE
(12) } # if (&User-Name) = notfound
(12) } # policy filter_username = notfound
(12) [preprocess] = ok
(12) [chap] = noop
(12) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(12) pap: WARNING: Authentication will fail unless a "known good" password is available
(12) [pap] = noop
(12) eap: Peer sent EAP Response (code 2) ID 196 length 34
(12) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(12) [eap] = ok
(12) } # authorize = ok
(12) Found Auth-Type = eap
(12) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(12) Auth-Type EAP {
(12) eap: Peer sent packet with method EAP Identity (1)
(12) eap: Calling submodule eap_tls to process data
(12) eap_tls: (TLS) Initiating new session
(12) eap_tls: (TLS) Setting verify mode to require certificate from client
(12) eap: Sending EAP Request (code 1) ID 197 length 6
(12) eap: EAP session adding &reply:State = 0xaac2f7c8aa07faba
(12) [eap] = handled
(12) } # Auth-Type EAP = handled
(12) Using Post-Auth-Type Challenge
(12) Post-Auth-Type sub-section not found. Ignoring.
(12) session-state: Saving cached attributes
(12) Framed-MTU = 994
(12) Sent Access-Challenge Id 223 from 10.10.251.2:1812 to 10.225.23.1:59952 length 64
(12) EAP-Message = 0x01c500060d20
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) State = 0xaac2f7c8aa07fabaed78ca5277b3b026
(12) Finished request
Waking up in 4.0 seconds.
(13) Received Access-Request Id 224 from 10.225.23.1:59952 to 10.10.251.2:1812 length 465
(13) User-Name = "host/mh302290.millerextra.com"
(13) NAS-IP-Address = 0.0.0.0
(13) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(13) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(13) NAS-Port-Type = Wireless-802.11
(13) Service-Type = Framed-User
(13) NAS-Port = 1
(13) Calling-Station-Id = "DC-21-5C-C3-72-47"
(13) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 43 / Channel: 44"
(13) Acct-Session-Id = "2658296537E87022"
(13) Acct-Multi-Session-Id = "998A54E28541EE6C"
(13) WLAN-Pairwise-Cipher = 1027076
(13) WLAN-Group-Cipher = 1027076
(13) WLAN-AKM-Suite = 1027073
(13) Framed-MTU = 1400
(13) EAP-Message = 0x02c500a60d800000009c160303009701000093030362ebdf9c0af9efa6996f92ec7b67d43784dd9b91c9e727693384342d4b45e60a00002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d00170018000b00020100000d001400120401050102010403050302030202060106030023000000170000ff01000100
(13) State = 0xaac2f7c8aa07fabaed78ca5277b3b026
(13) Message-Authenticator = 0x429c1aebbd6926690dfe5c2b28211a0b
(13) Restoring &session-state
(13) &session-state:Framed-MTU = 994
(13) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(13) authorize {
(13) policy filter_username {
(13) if (&User-Name) {
(13) if (&User-Name) -> TRUE
(13) if (&User-Name) {
(13) if (&User-Name =~ / /) {
(13) if (&User-Name =~ / /) -> FALSE
(13) if (&User-Name =~ /@[^@]*@/ ) {
(13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(13) if (&User-Name =~ /\.\./ ) {
(13) if (&User-Name =~ /\.\./ ) -> FALSE
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(13) if (&User-Name =~ /\.$/) {
(13) if (&User-Name =~ /\.$/) -> FALSE
(13) if (&User-Name =~ /(a)\./) {
(13) if (&User-Name =~ /(a)\./) -> FALSE
(13) } # if (&User-Name) = notfound
(13) } # policy filter_username = notfound
(13) [preprocess] = ok
(13) [chap] = noop
(13) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(13) pap: WARNING: Authentication will fail unless a "known good" password is available
(13) [pap] = noop
(13) eap: Peer sent EAP Response (code 2) ID 197 length 166
(13) eap: No EAP Start, assuming it's an on-going EAP conversation
(13) [eap] = updated
(13) [files] = noop
(13) [expiration] = noop
(13) [logintime] = noop
(13) policy rewrite_calling_station_id {
(13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(13) update request {
(13) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(13) --> dc-21-5c-c3-72-47
(13) &Calling-Station-Id := dc-21-5c-c3-72-47
(13) } # update request = noop
(13) [updated] = updated
(13) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(13) ... skipping else: Preceding "if" was taken
(13) } # policy rewrite_calling_station_id = updated
(13) if (&User-Name =~ /^host\/(.*)$/) {
(13) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(13) if (&User-Name =~ /^host\/(.*)$/) {
(13) update request {
(13) EXPAND %{1}
(13) --> mh302290.millerextra.com
(13) &Cert-CN := mh302290.millerextra.com
(13) } # update request = noop
(13) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(13) if (!EAP-Message) {
(13) if (!EAP-Message) -> FALSE
(13) else {
(13) eap: Peer sent EAP Response (code 2) ID 197 length 166
(13) eap: No EAP Start, assuming it's an on-going EAP conversation
(13) [eap] = updated
(13) } # else = updated
(13) } # authorize = updated
(13) Found Auth-Type = eap
(13) Found Auth-Type = eap
(13) ERROR: Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'
(13) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(13) Auth-Type EAP {
(13) eap: Expiring EAP session with state 0xdd940e92d9030376
(13) eap: Finished EAP session with state 0xaac2f7c8aa07faba
(13) eap: Previous EAP request found for state 0xaac2f7c8aa07faba, released from the list
(13) eap: Peer sent packet with method EAP TLS (13)
(13) eap: Calling submodule eap_tls to process data
(13) eap_tls: (TLS) EAP Peer says that the final record size will be 156 bytes
(13) eap_tls: (TLS) EAP Got all data (156 bytes)
(13) eap_tls: (TLS) Handshake state - before SSL initialization
(13) eap_tls: (TLS) Handshake state - Server before SSL initialization
(13) eap_tls: (TLS) Handshake state - Server before SSL initialization
(13) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello
(13) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client hello
(13) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHello
(13) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server hello
(13) eap_tls: (TLS) send TLS 1.2 Handshake, Certificate
(13) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate
(13) eap_tls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(13) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write key exchange
(13) eap_tls: (TLS) send TLS 1.2 Handshake, CertificateRequest
(13) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate request
(13) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(13) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
(13) eap_tls: (TLS) Server : Need to read more data: SSLv3/TLS write server done
(13) eap_tls: (TLS) In Handshake Phase
(13) eap: Sending EAP Request (code 1) ID 198 length 1004
(13) eap: EAP session adding &reply:State = 0xaac2f7c8ab04faba
(13) [eap] = handled
(13) } # Auth-Type EAP = handled
(13) Using Post-Auth-Type Challenge
(13) Post-Auth-Type sub-section not found. Ignoring.
(13) session-state: Saving cached attributes
(13) Framed-MTU = 994
(13) Sent Access-Challenge Id 224 from 10.10.251.2:1812 to 10.225.23.1:59952 length 1068
(13) EAP-Message = 0x01c603ec0dc000000d32160303003d0200003903039eff704a58b440584b1e5d1c3536fa72c99ce7848b12bbf59b31accafebe51df00c030000011ff01000100000b000403000102001700001603030bd10b000bcd000bca000698308206943082057ca00302010202142a0a15f6668df41777abc4b01cc71913d3621cea300d06092a864886f70d0101050500302e3110300e060355040a14074d475f54524545311a3018060355040b13114f7267616e697a6174696f6e616c204341301e170d3231313231323139313130305a170d3336303230333233353830305a308184310b300906035504061302554b31123010060355040813094564696e627572676831123010060355040713094564696e627572676831193017060355040a13104d696c6c657220486f6d6573204c74643111300f060355040b1308486f6d6573204954311f301d060355040313167261646975732e6d696c6c657265787472612e636f6d30819f300d06092a864886f70d010101050003
(13) Message-Authenticator = 0x00000000000000000000000000000000
(13) State = 0xaac2f7c8ab04fabaed78ca5277b3b026
(13) Finished request
Waking up in 3.9 seconds.
(14) Received Access-Request Id 225 from 10.225.23.1:59952 to 10.10.251.2:1812 length 305
(14) User-Name = "host/mh302290.millerextra.com"
(14) NAS-IP-Address = 0.0.0.0
(14) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(14) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(14) NAS-Port-Type = Wireless-802.11
(14) Service-Type = Framed-User
(14) NAS-Port = 1
(14) Calling-Station-Id = "DC-21-5C-C3-72-47"
(14) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 42 / Channel: 44"
(14) Acct-Session-Id = "2658296537E87022"
(14) Acct-Multi-Session-Id = "998A54E28541EE6C"
(14) WLAN-Pairwise-Cipher = 1027076
(14) WLAN-Group-Cipher = 1027076
(14) WLAN-AKM-Suite = 1027073
(14) Framed-MTU = 1400
(14) EAP-Message = 0x02c600060d00
(14) State = 0xaac2f7c8ab04fabaed78ca5277b3b026
(14) Message-Authenticator = 0xcd1501bb910ecdbf44f6a27cd1f054c7
(14) Restoring &session-state
(14) &session-state:Framed-MTU = 994
(14) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(14) authorize {
(14) policy filter_username {
(14) if (&User-Name) {
(14) if (&User-Name) -> TRUE
(14) if (&User-Name) {
(14) if (&User-Name =~ / /) {
(14) if (&User-Name =~ / /) -> FALSE
(14) if (&User-Name =~ /@[^@]*@/ ) {
(14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(14) if (&User-Name =~ /\.\./ ) {
(14) if (&User-Name =~ /\.\./ ) -> FALSE
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(14) if (&User-Name =~ /\.$/) {
(14) if (&User-Name =~ /\.$/) -> FALSE
(14) if (&User-Name =~ /(a)\./) {
(14) if (&User-Name =~ /(a)\./) -> FALSE
(14) } # if (&User-Name) = notfound
(14) } # policy filter_username = notfound
(14) [preprocess] = ok
(14) [chap] = noop
(14) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(14) pap: WARNING: Authentication will fail unless a "known good" password is available
(14) [pap] = noop
(14) eap: Peer sent EAP Response (code 2) ID 198 length 6
(14) eap: No EAP Start, assuming it's an on-going EAP conversation
(14) [eap] = updated
(14) [files] = noop
(14) [expiration] = noop
(14) [logintime] = noop
(14) policy rewrite_calling_station_id {
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(14) update request {
(14) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(14) --> dc-21-5c-c3-72-47
(14) &Calling-Station-Id := dc-21-5c-c3-72-47
(14) } # update request = noop
(14) [updated] = updated
(14) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(14) ... skipping else: Preceding "if" was taken
(14) } # policy rewrite_calling_station_id = updated
(14) if (&User-Name =~ /^host\/(.*)$/) {
(14) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(14) if (&User-Name =~ /^host\/(.*)$/) {
(14) update request {
(14) EXPAND %{1}
(14) --> mh302290.millerextra.com
(14) &Cert-CN := mh302290.millerextra.com
(14) } # update request = noop
(14) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(14) if (!EAP-Message) {
(14) if (!EAP-Message) -> FALSE
(14) else {
(14) eap: Peer sent EAP Response (code 2) ID 198 length 6
(14) eap: No EAP Start, assuming it's an on-going EAP conversation
(14) [eap] = updated
(14) } # else = updated
(14) } # authorize = updated
(14) Found Auth-Type = eap
(14) Found Auth-Type = eap
(14) ERROR: Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'
(14) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(14) Auth-Type EAP {
(14) eap: Expiring EAP session with state 0xdd940e92d9030376
(14) eap: Finished EAP session with state 0xaac2f7c8ab04faba
(14) eap: Previous EAP request found for state 0xaac2f7c8ab04faba, released from the list
(14) eap: Peer sent packet with method EAP TLS (13)
(14) eap: Calling submodule eap_tls to process data
(14) eap_tls: (TLS) Peer ACKed our handshake fragment
(14) eap: Sending EAP Request (code 1) ID 199 length 1004
(14) eap: EAP session adding &reply:State = 0xaac2f7c8a805faba
(14) [eap] = handled
(14) } # Auth-Type EAP = handled
(14) Using Post-Auth-Type Challenge
(14) Post-Auth-Type sub-section not found. Ignoring.
(14) session-state: Saving cached attributes
(14) Framed-MTU = 994
(14) Sent Access-Challenge Id 225 from 10.10.251.2:1812 to 10.225.23.1:59952 length 1068
(14) EAP-Message = 0x01c703ec0dc000000d32040562e55da24e304c020102020100020200ff030d0080000000000000000000000003090080000000000000003012301002010002087fffffffffffffff0101003012301002010002087fffffffffffffff0101003082019a0603551d1f048201913082018d302ba029a0278625687474703a2f2f31302e32302e31322e34373a383032382f63726c2f43524c5f362e63726c303ba039a0378635687474703a2f2f484f454449464f4c4430332e6d696c6c657265787472612e636f6d3a383032382f63726c2f43524c5f362e63726c3055a053a051864f6c6461703a2f2f31302e32302e31322e34373a3338392f43524c5f362c43524c5f362532302d253230436f6e66696775726174696f6e2e43524c253230436f6e7461696e65722e53656375726974793065a063a061865f6c6461703a2f2f484f454449464f4c4430332e6d696c6c657265787472612e636f6d3a3338392f43524c5f362c43524c5f362532302d253230436f6e6669
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0xaac2f7c8a805fabaed78ca5277b3b026
(14) Finished request
Waking up in 3.8 seconds.
(15) Received Access-Request Id 226 from 10.225.23.1:59952 to 10.10.251.2:1812 length 305
(15) User-Name = "host/mh302290.millerextra.com"
(15) NAS-IP-Address = 0.0.0.0
(15) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(15) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(15) NAS-Port-Type = Wireless-802.11
(15) Service-Type = Framed-User
(15) NAS-Port = 1
(15) Calling-Station-Id = "DC-21-5C-C3-72-47"
(15) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 42 / Channel: 44"
(15) Acct-Session-Id = "2658296537E87022"
(15) Acct-Multi-Session-Id = "998A54E28541EE6C"
(15) WLAN-Pairwise-Cipher = 1027076
(15) WLAN-Group-Cipher = 1027076
(15) WLAN-AKM-Suite = 1027073
(15) Framed-MTU = 1400
(15) EAP-Message = 0x02c700060d00
(15) State = 0xaac2f7c8a805fabaed78ca5277b3b026
(15) Message-Authenticator = 0x86b56f67d5c598cadcb3cebe70c55884
(15) Restoring &session-state
(15) &session-state:Framed-MTU = 994
(15) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(15) authorize {
(15) policy filter_username {
(15) if (&User-Name) {
(15) if (&User-Name) -> TRUE
(15) if (&User-Name) {
(15) if (&User-Name =~ / /) {
(15) if (&User-Name =~ / /) -> FALSE
(15) if (&User-Name =~ /@[^@]*@/ ) {
(15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15) if (&User-Name =~ /\.\./ ) {
(15) if (&User-Name =~ /\.\./ ) -> FALSE
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(15) if (&User-Name =~ /\.$/) {
(15) if (&User-Name =~ /\.$/) -> FALSE
(15) if (&User-Name =~ /(a)\./) {
(15) if (&User-Name =~ /(a)\./) -> FALSE
(15) } # if (&User-Name) = notfound
(15) } # policy filter_username = notfound
(15) [preprocess] = ok
(15) [chap] = noop
(15) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(15) pap: WARNING: Authentication will fail unless a "known good" password is available
(15) [pap] = noop
(15) eap: Peer sent EAP Response (code 2) ID 199 length 6
(15) eap: No EAP Start, assuming it's an on-going EAP conversation
(15) [eap] = updated
(15) [files] = noop
(15) [expiration] = noop
(15) [logintime] = noop
(15) policy rewrite_calling_station_id {
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(15) update request {
(15) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(15) --> dc-21-5c-c3-72-47
(15) &Calling-Station-Id := dc-21-5c-c3-72-47
(15) } # update request = noop
(15) [updated] = updated
(15) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(15) ... skipping else: Preceding "if" was taken
(15) } # policy rewrite_calling_station_id = updated
(15) if (&User-Name =~ /^host\/(.*)$/) {
(15) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(15) if (&User-Name =~ /^host\/(.*)$/) {
(15) update request {
(15) EXPAND %{1}
(15) --> mh302290.millerextra.com
(15) &Cert-CN := mh302290.millerextra.com
(15) } # update request = noop
(15) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(15) if (!EAP-Message) {
(15) if (!EAP-Message) -> FALSE
(15) else {
(15) eap: Peer sent EAP Response (code 2) ID 199 length 6
(15) eap: No EAP Start, assuming it's an on-going EAP conversation
(15) [eap] = updated
(15) } # else = updated
(15) } # authorize = updated
(15) Found Auth-Type = eap
(15) Found Auth-Type = eap
(15) ERROR: Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'
(15) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(15) Auth-Type EAP {
(15) eap: Expiring EAP session with state 0xdd940e92d9030376
(15) eap: Finished EAP session with state 0xaac2f7c8a805faba
(15) eap: Previous EAP request found for state 0xaac2f7c8a805faba, released from the list
(15) eap: Peer sent packet with method EAP TLS (13)
(15) eap: Calling submodule eap_tls to process data
(15) eap_tls: (TLS) Peer ACKed our handshake fragment
(15) eap: Sending EAP Request (code 1) ID 200 length 1004
(15) eap: EAP session adding &reply:State = 0xaac2f7c8a90afaba
(15) [eap] = handled
(15) } # Auth-Type EAP = handled
(15) Using Post-Auth-Type Challenge
(15) Post-Auth-Type sub-section not found. Ignoring.
(15) session-state: Saving cached attributes
(15) Framed-MTU = 994
(15) Sent Access-Challenge Id 226 from 10.10.251.2:1812 to 10.225.23.1:59952 length 1068
(15) EAP-Message = 0x01c803ec0dc000000d3282010a0282010100afe8c05b42d52935b536a6fa42812e4a2602f00f8af61dc80f06ad35a98240725575c871ace8f007660f658c267a5d3d05b6603cc0feabf83a564fc2eedae00f7e6fd174784ebd9cd137894f015925ed6a1773b4b61b37067144c02d147d5df187f71413edd100979a589a70d3e0a55eb0c0370741f5206707174ad5d330187c29d933c0109faae9d4951765ec353961265c61df4e388bfac27506a0f0e96794baa1aa529a57ba6f22c086f645e6dc3b3b84fa581e35b94303ea854780534e77b72a757031e2a7a60a14c6deb438bd8f8d2453081bd75c277ca9fe217f6475a198b07109366eff9a21aa651a48f8179b4c14dc73527d538b3de5ebc8b4b5e7eb0203010001a382022f3082022b301d0603551d0e0416041448b56e3c46f5fd7970b20617a23e566db474b156301f0603551d2304183016801448b56e3c46f5fd7970b20617a23e566db474b156300c0603551d13040530030101ff300b0603551d0f040403
(15) Message-Authenticator = 0x00000000000000000000000000000000
(15) State = 0xaac2f7c8a90afabaed78ca5277b3b026
(15) Finished request
Waking up in 3.7 seconds.
(16) Received Access-Request Id 227 from 10.225.23.1:59952 to 10.10.251.2:1812 length 305
(16) User-Name = "host/mh302290.millerextra.com"
(16) NAS-IP-Address = 0.0.0.0
(16) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(16) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(16) NAS-Port-Type = Wireless-802.11
(16) Service-Type = Framed-User
(16) NAS-Port = 1
(16) Calling-Station-Id = "DC-21-5C-C3-72-47"
(16) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 42 / Channel: 44"
(16) Acct-Session-Id = "2658296537E87022"
(16) Acct-Multi-Session-Id = "998A54E28541EE6C"
(16) WLAN-Pairwise-Cipher = 1027076
(16) WLAN-Group-Cipher = 1027076
(16) WLAN-AKM-Suite = 1027073
(16) Framed-MTU = 1400
(16) EAP-Message = 0x02c800060d00
(16) State = 0xaac2f7c8a90afabaed78ca5277b3b026
(16) Message-Authenticator = 0xc01149efd82fc9c07cad6bd237559ece
(16) Restoring &session-state
(16) &session-state:Framed-MTU = 994
(16) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(16) authorize {
(16) policy filter_username {
(16) if (&User-Name) {
(16) if (&User-Name) -> TRUE
(16) if (&User-Name) {
(16) if (&User-Name =~ / /) {
(16) if (&User-Name =~ / /) -> FALSE
(16) if (&User-Name =~ /@[^@]*@/ ) {
(16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(16) if (&User-Name =~ /\.\./ ) {
(16) if (&User-Name =~ /\.\./ ) -> FALSE
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(16) if (&User-Name =~ /\.$/) {
(16) if (&User-Name =~ /\.$/) -> FALSE
(16) if (&User-Name =~ /(a)\./) {
(16) if (&User-Name =~ /(a)\./) -> FALSE
(16) } # if (&User-Name) = notfound
(16) } # policy filter_username = notfound
(16) [preprocess] = ok
(16) [chap] = noop
(16) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(16) pap: WARNING: Authentication will fail unless a "known good" password is available
(16) [pap] = noop
(16) eap: Peer sent EAP Response (code 2) ID 200 length 6
(16) eap: No EAP Start, assuming it's an on-going EAP conversation
(16) [eap] = updated
(16) [files] = noop
(16) [expiration] = noop
(16) [logintime] = noop
(16) policy rewrite_calling_station_id {
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(16) update request {
(16) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(16) --> dc-21-5c-c3-72-47
(16) &Calling-Station-Id := dc-21-5c-c3-72-47
(16) } # update request = noop
(16) [updated] = updated
(16) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(16) ... skipping else: Preceding "if" was taken
(16) } # policy rewrite_calling_station_id = updated
(16) if (&User-Name =~ /^host\/(.*)$/) {
(16) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(16) if (&User-Name =~ /^host\/(.*)$/) {
(16) update request {
(16) EXPAND %{1}
(16) --> mh302290.millerextra.com
(16) &Cert-CN := mh302290.millerextra.com
(16) } # update request = noop
(16) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(16) if (!EAP-Message) {
(16) if (!EAP-Message) -> FALSE
(16) else {
(16) eap: Peer sent EAP Response (code 2) ID 200 length 6
(16) eap: No EAP Start, assuming it's an on-going EAP conversation
(16) [eap] = updated
(16) } # else = updated
(16) } # authorize = updated
(16) Found Auth-Type = eap
(16) Found Auth-Type = eap
(16) ERROR: Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'
(16) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(16) Auth-Type EAP {
(16) eap: Expiring EAP session with state 0xdd940e92d9030376
(16) eap: Finished EAP session with state 0xaac2f7c8a90afaba
(16) eap: Previous EAP request found for state 0xaac2f7c8a90afaba, released from the list
(16) eap: Peer sent packet with method EAP TLS (13)
(16) eap: Calling submodule eap_tls to process data
(16) eap_tls: (TLS) Peer ACKed our handshake fragment
(16) eap: Sending EAP Request (code 1) ID 201 length 406
(16) eap: EAP session adding &reply:State = 0xaac2f7c8ae0bfaba
(16) [eap] = handled
(16) } # Auth-Type EAP = handled
(16) Using Post-Auth-Type Challenge
(16) Post-Auth-Type sub-section not found. Ignoring.
(16) session-state: Saving cached attributes
(16) Framed-MTU = 994
(16) Sent Access-Challenge Id 227 from 10.10.251.2:1812 to 10.225.23.1:59952 length 466
(16) EAP-Message = 0x01c901960d8000000d32ef53f57a455c108febd3d77c85c7bba183e2970232e0a57c48ef3374523b4c3d7b5fff7028ea28fc53476f1a9f3ba2f57bde6f4b4aa65bd0db7debe7ef052e234409f02dd108b426cc8e7cddc82f501e73f03bdf3875d2cada085de5e9af2bf7ebab413d24b073f44f694df44bad07691a3616030300cd0c0000c90300174104bf7fa3292066dc49f258a82260857a24a5deb2245ebde7def3735117c97082722d5eab3e86d2efe52e20b0d0e3347317ebff940709132426e71ae78ea7405747040100801f931ade0b5bcd12c4f8f36dd8cbb396f372a28eb6e9fbf10a5993ecc7664767e8cd8ed5502b79990b370cdfa818f1c795c76cc9e5b68f823e13cdca16e54ff21d8c9211ca09df258fdab61843edbc3d660cba9a2c856ecaf3e53977810ed983f403100d4030f7d83ad1372b612fb684cc732206ed9a52fc62eac49278358c06160303003a0d00003603010240002e040305030603080708080809080a080b08040805080604010501
(16) Message-Authenticator = 0x00000000000000000000000000000000
(16) State = 0xaac2f7c8ae0bfabaed78ca5277b3b026
(16) Finished request
Waking up in 3.6 seconds.
(17) Received Access-Request Id 228 from 10.225.23.1:59952 to 10.10.251.2:1812 length 1801
(17) User-Name = "host/mh302290.millerextra.com"
(17) NAS-IP-Address = 0.0.0.0
(17) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(17) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(17) NAS-Port-Type = Wireless-802.11
(17) Service-Type = Framed-User
(17) NAS-Port = 1
(17) Calling-Station-Id = "DC-21-5C-C3-72-47"
(17) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 42 / Channel: 44"
(17) Acct-Session-Id = "2658296537E87022"
(17) Acct-Multi-Session-Id = "998A54E28541EE6C"
(17) WLAN-Pairwise-Cipher = 1027076
(17) WLAN-Group-Cipher = 1027076
(17) WLAN-AKM-Suite = 1027073
(17) Framed-MTU = 1400
(17) EAP-Message = 0x02c905d40dc000000cc91603030c910b000b3f000b3c00039b308203973082027fa0030201020202517b300d06092a864886f70d0101050500307d310b300906035504061302474231123010060355040813094564696e627572676831123010060355040713094564696e627572676831193017060355040a13104d696c6c65722047726f7570204c74643111300f060355040b130847726f7570204954311830160603550403130f496e7465726d656469617465204341301e170d3138303630373130343235305a170d3338303630323130343235305a308186310b300906035504061302474231123010060355040813094564696e627572676831123010060355040713094564696e627572676831193017060355040a13104d696c6c65722047726f7570204c74643111300f060355040b130847726f75702049543121301f060355040313186d683330323239302e6d696c6c657265787472612e636f6d30820122300d06092a864886f70d0101010500038201
(17) State = 0xaac2f7c8ae0bfabaed78ca5277b3b026
(17) Message-Authenticator = 0x217b4ea05047c4bcc41c987c8fc5f8af
(17) Restoring &session-state
(17) &session-state:Framed-MTU = 994
(17) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(17) authorize {
(17) policy filter_username {
(17) if (&User-Name) {
(17) if (&User-Name) -> TRUE
(17) if (&User-Name) {
(17) if (&User-Name =~ / /) {
(17) if (&User-Name =~ / /) -> FALSE
(17) if (&User-Name =~ /@[^@]*@/ ) {
(17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(17) if (&User-Name =~ /\.\./ ) {
(17) if (&User-Name =~ /\.\./ ) -> FALSE
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(17) if (&User-Name =~ /\.$/) {
(17) if (&User-Name =~ /\.$/) -> FALSE
(17) if (&User-Name =~ /(a)\./) {
(17) if (&User-Name =~ /(a)\./) -> FALSE
(17) } # if (&User-Name) = notfound
(17) } # policy filter_username = notfound
(17) [preprocess] = ok
(17) [chap] = noop
(17) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(17) pap: WARNING: Authentication will fail unless a "known good" password is available
(17) [pap] = noop
(17) eap: Peer sent EAP Response (code 2) ID 201 length 1492
(17) eap: No EAP Start, assuming it's an on-going EAP conversation
(17) [eap] = updated
(17) [files] = noop
(17) [expiration] = noop
(17) [logintime] = noop
(17) policy rewrite_calling_station_id {
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(17) update request {
(17) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(17) --> dc-21-5c-c3-72-47
(17) &Calling-Station-Id := dc-21-5c-c3-72-47
(17) } # update request = noop
(17) [updated] = updated
(17) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(17) ... skipping else: Preceding "if" was taken
(17) } # policy rewrite_calling_station_id = updated
(17) if (&User-Name =~ /^host\/(.*)$/) {
(17) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(17) if (&User-Name =~ /^host\/(.*)$/) {
(17) update request {
(17) EXPAND %{1}
(17) --> mh302290.millerextra.com
(17) &Cert-CN := mh302290.millerextra.com
(17) } # update request = noop
(17) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(17) if (!EAP-Message) {
(17) if (!EAP-Message) -> FALSE
(17) else {
(17) eap: Peer sent EAP Response (code 2) ID 201 length 1492
(17) eap: No EAP Start, assuming it's an on-going EAP conversation
(17) [eap] = updated
(17) } # else = updated
(17) } # authorize = updated
(17) Found Auth-Type = eap
(17) Found Auth-Type = eap
(17) ERROR: Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'
(17) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(17) Auth-Type EAP {
(17) eap: Expiring EAP session with state 0xdd940e92d9030376
(17) eap: Finished EAP session with state 0xaac2f7c8ae0bfaba
(17) eap: Previous EAP request found for state 0xaac2f7c8ae0bfaba, released from the list
(17) eap: Peer sent packet with method EAP TLS (13)
(17) eap: Calling submodule eap_tls to process data
(17) eap_tls: (TLS) EAP Peer says that the final record size will be 3273 bytes
(17) eap_tls: (TLS) EAP Expecting 3 fragments
(17) eap_tls: (TLS) EAP Got first TLS fragment (1482 bytes). Peer says more fragments will follow
(17) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data.
(17) eap: Sending EAP Request (code 1) ID 202 length 6
(17) eap: EAP session adding &reply:State = 0xaac2f7c8af08faba
(17) [eap] = handled
(17) } # Auth-Type EAP = handled
(17) Using Post-Auth-Type Challenge
(17) Post-Auth-Type sub-section not found. Ignoring.
(17) session-state: Saving cached attributes
(17) Framed-MTU = 994
(17) Sent Access-Challenge Id 228 from 10.10.251.2:1812 to 10.225.23.1:59952 length 64
(17) EAP-Message = 0x01ca00060d00
(17) Message-Authenticator = 0x00000000000000000000000000000000
(17) State = 0xaac2f7c8af08fabaed78ca5277b3b026
(17) Finished request
Waking up in 3.4 seconds.
(18) Received Access-Request Id 229 from 10.225.23.1:59952 to 10.10.251.2:1812 length 1801
(18) User-Name = "host/mh302290.millerextra.com"
(18) NAS-IP-Address = 0.0.0.0
(18) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(18) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(18) NAS-Port-Type = Wireless-802.11
(18) Service-Type = Framed-User
(18) NAS-Port = 1
(18) Calling-Station-Id = "DC-21-5C-C3-72-47"
(18) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 41 / Channel: 44"
(18) Acct-Session-Id = "2658296537E87022"
(18) Acct-Multi-Session-Id = "998A54E28541EE6C"
(18) WLAN-Pairwise-Cipher = 1027076
(18) WLAN-Group-Cipher = 1027076
(18) WLAN-AKM-Suite = 1027073
(18) Framed-MTU = 1400
(18) EAP-Message = 0x02ca05d40d40f8580e1512af194151c08a331626b9a252b1b2007b0203010001a382044c30820448301d0603551d0e04160414c18fac9dce5109e9dc9968453ec6579592e055db301f0603551d2304183016801448b56e3c46f5fd7970b20617a23e566db474b156300b0603551d0f0404030201b6300c0603551d13040530030101ff308201cc060b6086480186f83701090401048201bb308201b7040201000101ff131d4e6f76656c6c2053656375726974792041747472696275746528746d291643687474703a2f2f646576656c6f7065722e6e6f76656c6c2e636f6d2f7265706f7369746f72792f617474726962757465732f6365727461747472735f7631302e68746d30820148a01a0101003008300602010102010030083006020101020100020100a11a0101003008300602010102010030083006020101020100020100a2060201000101ffa3820104a058020102020200ff020100030d0080000000000000000000000003090080000000000000003018
(18) State = 0xaac2f7c8af08fabaed78ca5277b3b026
(18) Message-Authenticator = 0x4ab1f39280efc838f54bcfb846c85e1a
(18) Restoring &session-state
(18) &session-state:Framed-MTU = 994
(18) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(18) authorize {
(18) policy filter_username {
(18) if (&User-Name) {
(18) if (&User-Name) -> TRUE
(18) if (&User-Name) {
(18) if (&User-Name =~ / /) {
(18) if (&User-Name =~ / /) -> FALSE
(18) if (&User-Name =~ /@[^@]*@/ ) {
(18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(18) if (&User-Name =~ /\.\./ ) {
(18) if (&User-Name =~ /\.\./ ) -> FALSE
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(18) if (&User-Name =~ /\.$/) {
(18) if (&User-Name =~ /\.$/) -> FALSE
(18) if (&User-Name =~ /(a)\./) {
(18) if (&User-Name =~ /(a)\./) -> FALSE
(18) } # if (&User-Name) = notfound
(18) } # policy filter_username = notfound
(18) [preprocess] = ok
(18) [chap] = noop
(18) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(18) pap: WARNING: Authentication will fail unless a "known good" password is available
(18) [pap] = noop
(18) eap: Peer sent EAP Response (code 2) ID 202 length 1492
(18) eap: No EAP Start, assuming it's an on-going EAP conversation
(18) [eap] = updated
(18) [files] = noop
(18) [expiration] = noop
(18) [logintime] = noop
(18) policy rewrite_calling_station_id {
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(18) update request {
(18) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(18) --> dc-21-5c-c3-72-47
(18) &Calling-Station-Id := dc-21-5c-c3-72-47
(18) } # update request = noop
(18) [updated] = updated
(18) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(18) ... skipping else: Preceding "if" was taken
(18) } # policy rewrite_calling_station_id = updated
(18) if (&User-Name =~ /^host\/(.*)$/) {
(18) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(18) if (&User-Name =~ /^host\/(.*)$/) {
(18) update request {
(18) EXPAND %{1}
(18) --> mh302290.millerextra.com
(18) &Cert-CN := mh302290.millerextra.com
(18) } # update request = noop
(18) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(18) if (!EAP-Message) {
(18) if (!EAP-Message) -> FALSE
(18) else {
(18) eap: Peer sent EAP Response (code 2) ID 202 length 1492
(18) eap: No EAP Start, assuming it's an on-going EAP conversation
(18) [eap] = updated
(18) } # else = updated
(18) } # authorize = updated
(18) Found Auth-Type = eap
(18) Found Auth-Type = eap
(18) ERROR: Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'
(18) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(18) Auth-Type EAP {
(18) eap: Expiring EAP session with state 0xdd940e92d9030376
(18) eap: Finished EAP session with state 0xaac2f7c8af08faba
(18) eap: Previous EAP request found for state 0xaac2f7c8af08faba, released from the list
(18) eap: Peer sent packet with method EAP TLS (13)
(18) eap: Calling submodule eap_tls to process data
(18) eap_tls: (TLS) EAP Got additional fragment (1486 bytes). Peer says more fragments will follow
(18) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data.
(18) eap: Sending EAP Request (code 1) ID 203 length 6
(18) eap: EAP session adding &reply:State = 0xaac2f7c8ac09faba
(18) [eap] = handled
(18) } # Auth-Type EAP = handled
(18) Using Post-Auth-Type Challenge
(18) Post-Auth-Type sub-section not found. Ignoring.
(18) session-state: Saving cached attributes
(18) Framed-MTU = 994
(18) Sent Access-Challenge Id 229 from 10.10.251.2:1812 to 10.225.23.1:59952 length 64
(18) EAP-Message = 0x01cb00060d00
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0xaac2f7c8ac09fabaed78ca5277b3b026
(18) Finished request
Waking up in 3.3 seconds.
(19) Received Access-Request Id 230 from 10.225.23.1:59952 to 10.10.251.2:1812 length 612
(19) User-Name = "host/mh302290.millerextra.com"
(19) NAS-IP-Address = 0.0.0.0
(19) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(19) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(19) NAS-Port-Type = Wireless-802.11
(19) Service-Type = Framed-User
(19) NAS-Port = 1
(19) Calling-Station-Id = "DC-21-5C-C3-72-47"
(19) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 41 / Channel: 44"
(19) Acct-Session-Id = "2658296537E87022"
(19) Acct-Multi-Session-Id = "998A54E28541EE6C"
(19) WLAN-Pairwise-Cipher = 1027076
(19) WLAN-Group-Cipher = 1027076
(19) WLAN-AKM-Suite = 1027073
(19) Framed-MTU = 1400
(19) EAP-Message = 0x02cb01370d0097684bd0417747e114dab87febd255035aa8dc9dd23d7e86022a8ad8fbced6ed3675b699a1a7126336c21024c705feadf9521b9707a08c12d462d9df139472cb578bddc9c56d52c45f8206d8e8207ad0d4a9d87a7f6ecb85694f99d9439ef638859102f2a4191debba3d0a35609568100021c3909487ccf3bf50a322f54125a79321d8145797b72b9f45c8555ba63bdd3c40e92ad88cb41095763645cfe278d1da06d2af103bb59a5e759b827d32d2b813085b465929d62d11e012e75ef5ec8009b8652f936c02ae7cd74f6a55fbd978b97e0dfb5df7de284ce3f09accfb55714216ddfd182b6df87dc4355e8b8f74addb6d3bd5a08cff8ac6492a61f9bb1403030001011603030028000000000000000019ab5ae7931cb1a19f7b6c7b0d353eb126ebbc01066007473ad8f49eef3fe040
(19) State = 0xaac2f7c8ac09fabaed78ca5277b3b026
(19) Message-Authenticator = 0x9ad0e6dd3ad8d8bfe60fcbf1d4877c4e
(19) Restoring &session-state
(19) &session-state:Framed-MTU = 994
(19) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(19) authorize {
(19) policy filter_username {
(19) if (&User-Name) {
(19) if (&User-Name) -> TRUE
(19) if (&User-Name) {
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@[^@]*@/ ) {
(19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /(a)\./) {
(19) if (&User-Name =~ /(a)\./) -> FALSE
(19) } # if (&User-Name) = notfound
(19) } # policy filter_username = notfound
(19) [preprocess] = ok
(19) [chap] = noop
(19) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(19) pap: WARNING: Authentication will fail unless a "known good" password is available
(19) [pap] = noop
(19) eap: Peer sent EAP Response (code 2) ID 203 length 311
(19) eap: No EAP Start, assuming it's an on-going EAP conversation
(19) [eap] = updated
(19) [files] = noop
(19) [expiration] = noop
(19) [logintime] = noop
(19) policy rewrite_calling_station_id {
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(19) update request {
(19) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(19) --> dc-21-5c-c3-72-47
(19) &Calling-Station-Id := dc-21-5c-c3-72-47
(19) } # update request = noop
(19) [updated] = updated
(19) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(19) ... skipping else: Preceding "if" was taken
(19) } # policy rewrite_calling_station_id = updated
(19) if (&User-Name =~ /^host\/(.*)$/) {
(19) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(19) if (&User-Name =~ /^host\/(.*)$/) {
(19) update request {
(19) EXPAND %{1}
(19) --> mh302290.millerextra.com
(19) &Cert-CN := mh302290.millerextra.com
(19) } # update request = noop
(19) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(19) if (!EAP-Message) {
(19) if (!EAP-Message) -> FALSE
(19) else {
(19) eap: Peer sent EAP Response (code 2) ID 203 length 311
(19) eap: No EAP Start, assuming it's an on-going EAP conversation
(19) [eap] = updated
(19) } # else = updated
(19) } # authorize = updated
(19) Found Auth-Type = eap
(19) Found Auth-Type = eap
(19) ERROR: Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'
(19) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(19) Auth-Type EAP {
(19) eap: Expiring EAP session with state 0xdd940e92d9030376
(19) eap: Finished EAP session with state 0xaac2f7c8ac09faba
(19) eap: Previous EAP request found for state 0xaac2f7c8ac09faba, released from the list
(19) eap: Peer sent packet with method EAP TLS (13)
(19) eap: Calling submodule eap_tls to process data
(19) eap_tls: (TLS) EAP Got final fragment (305 bytes)
(19) eap_tls: (TLS) EAP Done initial handshake
(19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
(19) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate
(19) eap_tls: (TLS) Creating attributes from TLS-Client-Cert-Serial certificate
(19) eap_tls: (TLS) Creating attributes from server certificate
(19) eap_tls: TLS-Cert-Expiration := "360203235800Z"
(19) eap_tls: TLS-Cert-Valid-Since := "111215110200Z"
(19) eap_tls: TLS-Cert-Subject := "/C=GB/ST=Edinburgh/L=Edinburgh/O=Miller Group Ltd/OU=Group IT/CN=Intermediate CA"
(19) eap_tls: TLS-Cert-Issuer := "/O=MG_TREE/OU=Organizational CA"
(19) eap_tls: TLS-Cert-Common-Name := "Intermediate CA"
(19) eap_tls: (TLS) Creating attributes from client certificate
(19) eap_tls: TLS-Client-Cert-Serial := "517b"
(19) eap_tls: TLS-Client-Cert-Expiration := "380602104250Z"
(19) eap_tls: TLS-Client-Cert-Valid-Since := "180607104250Z"
(19) eap_tls: TLS-Client-Cert-Subject := "/C=GB/ST=Edinburgh/L=Edinburgh/O=Miller Group Ltd/OU=Group IT/CN=mh302290.millerextra.com"
(19) eap_tls: TLS-Client-Cert-Issuer := "/C=GB/ST=Edinburgh/L=Edinburgh/O=Miller Group Ltd/OU=Group IT/CN=Intermediate CA"
(19) eap_tls: TLS-Client-Cert-Common-Name := "mh302290.millerextra.com"
(19) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(19) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
Certificate chain - 1 cert(s) untrusted
(TLS) untrusted certificate with depth [1] subject name /C=GB/ST=Edinburgh/L=Edinburgh/O=Miller Group Ltd/OU=Group IT/CN=Intermediate CA
(TLS) untrusted certificate with depth [0] subject name /C=GB/ST=Edinburgh/L=Edinburgh/O=Miller Group Ltd/OU=Group IT/CN=mh302290.millerextra.com
(19) eap_tls: EXPAND %{%{Cert-CN}:-%{User-Name}}
(19) eap_tls: --> mh302290.millerextra.com
(19) eap_tls: checking certificate CN (mh302290.millerextra.com) with xlat'ed value (mh302290.millerextra.com)
(19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client certificate
(19) eap_tls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange
(19) eap_tls: (TLS) recv TLS 1.2 Handshake, CertificateVerify
(19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read certificate verify
(19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
(19) eap_tls: (TLS) recv TLS 1.2 Handshake, Finished
(19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read finished
(19) eap_tls: (TLS) send TLS 1.2 ChangeCipherSpec
(19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
(19) eap_tls: (TLS) send TLS 1.2 Handshake, Finished
(19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write finished
(19) eap_tls: (TLS) Handshake state - SSL negotiation finished successfully
(19) eap_tls: (TLS) Connection Established
(19) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(19) eap_tls: TLS-Session-Version = "TLS 1.2"
(19) eap: Sending EAP Request (code 1) ID 204 length 61
(19) eap: EAP session adding &reply:State = 0xaac2f7c8ad0efaba
(19) [eap] = handled
(19) } # Auth-Type EAP = handled
(19) Using Post-Auth-Type Challenge
(19) Post-Auth-Type sub-section not found. Ignoring.
(19) session-state: Saving cached attributes
(19) Framed-MTU = 994
(19) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(19) TLS-Session-Version = "TLS 1.2"
(19) Sent Access-Challenge Id 230 from 10.10.251.2:1812 to 10.225.23.1:59952 length 119
(19) EAP-Message = 0x01cc003d0d800000003314030300010116030300289fb66e19904cea77ce871c25754eba9282fba3ca777ca309c7283b774b8249df0d1ee5035915786f
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0xaac2f7c8ad0efabaed78ca5277b3b026
(19) Finished request
Waking up in 3.3 seconds.
(20) Received Access-Request Id 231 from 10.225.23.1:59952 to 10.10.251.2:1812 length 305
(20) User-Name = "host/mh302290.millerextra.com"
(20) NAS-IP-Address = 0.0.0.0
(20) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(20) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(20) NAS-Port-Type = Wireless-802.11
(20) Service-Type = Framed-User
(20) NAS-Port = 1
(20) Calling-Station-Id = "DC-21-5C-C3-72-47"
(20) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 41 / Channel: 44"
(20) Acct-Session-Id = "2658296537E87022"
(20) Acct-Multi-Session-Id = "998A54E28541EE6C"
(20) WLAN-Pairwise-Cipher = 1027076
(20) WLAN-Group-Cipher = 1027076
(20) WLAN-AKM-Suite = 1027073
(20) Framed-MTU = 1400
(20) EAP-Message = 0x02cc00060d00
(20) State = 0xaac2f7c8ad0efabaed78ca5277b3b026
(20) Message-Authenticator = 0xf00b72196a381c05f74df8e1bae5bc7c
(20) Restoring &session-state
(20) &session-state:Framed-MTU = 994
(20) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(20) &session-state:TLS-Session-Version = "TLS 1.2"
(20) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(20) authorize {
(20) policy filter_username {
(20) if (&User-Name) {
(20) if (&User-Name) -> TRUE
(20) if (&User-Name) {
(20) if (&User-Name =~ / /) {
(20) if (&User-Name =~ / /) -> FALSE
(20) if (&User-Name =~ /@[^@]*@/ ) {
(20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(20) if (&User-Name =~ /\.\./ ) {
(20) if (&User-Name =~ /\.\./ ) -> FALSE
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(20) if (&User-Name =~ /\.$/) {
(20) if (&User-Name =~ /\.$/) -> FALSE
(20) if (&User-Name =~ /(a)\./) {
(20) if (&User-Name =~ /(a)\./) -> FALSE
(20) } # if (&User-Name) = notfound
(20) } # policy filter_username = notfound
(20) [preprocess] = ok
(20) [chap] = noop
(20) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(20) pap: WARNING: Authentication will fail unless a "known good" password is available
(20) [pap] = noop
(20) eap: Peer sent EAP Response (code 2) ID 204 length 6
(20) eap: No EAP Start, assuming it's an on-going EAP conversation
(20) [eap] = updated
(20) [files] = noop
(20) [expiration] = noop
(20) [logintime] = noop
(20) policy rewrite_calling_station_id {
(20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(20) update request {
(20) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(20) --> dc-21-5c-c3-72-47
(20) &Calling-Station-Id := dc-21-5c-c3-72-47
(20) } # update request = noop
(20) [updated] = updated
(20) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(20) ... skipping else: Preceding "if" was taken
(20) } # policy rewrite_calling_station_id = updated
(20) if (&User-Name =~ /^host\/(.*)$/) {
(20) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(20) if (&User-Name =~ /^host\/(.*)$/) {
(20) update request {
(20) EXPAND %{1}
(20) --> mh302290.millerextra.com
(20) &Cert-CN := mh302290.millerextra.com
(20) } # update request = noop
(20) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(20) if (!EAP-Message) {
(20) if (!EAP-Message) -> FALSE
(20) else {
(20) eap: Peer sent EAP Response (code 2) ID 204 length 6
(20) eap: No EAP Start, assuming it's an on-going EAP conversation
(20) [eap] = updated
(20) } # else = updated
(20) } # authorize = updated
(20) Found Auth-Type = eap
(20) Found Auth-Type = eap
(20) ERROR: Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'
(20) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(20) Auth-Type EAP {
(20) eap: Expiring EAP session with state 0xdd940e92d9030376
(20) eap: Finished EAP session with state 0xaac2f7c8ad0efaba
(20) eap: Previous EAP request found for state 0xaac2f7c8ad0efaba, released from the list
(20) eap: Peer sent packet with method EAP TLS (13)
(20) eap: Calling submodule eap_tls to process data
(20) eap_tls: (TLS) Peer ACKed our handshake fragment. handshake is finished
(20) eap: Sending EAP Success (code 3) ID 204 length 4
(20) eap: Freeing handler
(20) [eap] = ok
(20) } # Auth-Type EAP = ok
(20) Login OK: [host/mh302290.millerextra.com] (from client MWAN-10.225.23.1 port 1 cli dc-21-5c-c3-72-47)
(20) Sent Access-Accept Id 231 from 10.10.251.2:1812 to 10.225.23.1:59952 length 191
(20) MS-MPPE-Recv-Key = 0x5174a1fa6f9c95751d175f374296fbf6f2601dd7812286091c0a9299caa1d901
(20) MS-MPPE-Send-Key = 0x17b4077c5d99af4f534b6f6318b07a9eb29945b6a3221eced94cbcbf8a8011c1
(20) EAP-Message = 0x03cc0004
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) User-Name = "host/mh302290.millerextra.com"
(20) Finished request
Waking up in 3.2 seconds.
(21) Received Access-Request Id 197 from 10.20.80.11:3279 to 10.10.251.2:1812 length 219
(21) User-Name = "b4-45-06-c1-79-98"
(21) User-Password = "b4-45-06-c1-79-98"
(21) NAS-IP-Address = 10.20.80.11
(21) NAS-Identifier = "ed-sw-1f01"
(21) NAS-Port = 16863283
(21) NAS-Port-Id = "slot=1;subslot=0;port=21;vlanid=51"
(21) NAS-Port-Type = Ethernet
(21) Service-Type = Call-Check
(21) Framed-Protocol = PPP
(21) Calling-Station-Id = "B4-45-06-C1-79-98"
(21) Acct-Session-Id = "122070415033a1a010"
(21) Attr-26.43.230 = 0x4769676162697445746865726e6574312f302f3231
(21) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(21) authorize {
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /(a)\./) {
(21) if (&User-Name =~ /(a)\./) -> FALSE
(21) } # if (&User-Name) = notfound
(21) } # policy filter_username = notfound
(21) [preprocess] = ok
(21) [chap] = noop
(21) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(21) pap: WARNING: Authentication will fail unless a "known good" password is available
(21) [pap] = noop
(21) eap: No EAP-Message, not doing EAP
(21) [eap] = noop
(21) files: users: Matched entry DEFAULT at line 167
(21) [files] = ok
(21) [expiration] = noop
(21) [logintime] = noop
(21) policy rewrite_calling_station_id {
(21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(21) update request {
(21) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(21) --> b4-45-06-c1-79-98
(21) &Calling-Station-Id := b4-45-06-c1-79-98
(21) } # update request = noop
(21) [updated] = updated
(21) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(21) ... skipping else: Preceding "if" was taken
(21) } # policy rewrite_calling_station_id = updated
(21) if (&User-Name =~ /^host\/(.*)$/) {
(21) if (&User-Name =~ /^host\/(.*)$/) -> FALSE
(21) if (!EAP-Message) {
(21) if (!EAP-Message) -> TRUE
(21) if (!EAP-Message) {
(21) authorized_macs: EXPAND %{Calling-Station-ID}
(21) authorized_macs: --> b4-45-06-c1-79-98
(21) [authorized_macs] = noop
(21) if (!ok) {
(21) if (!ok) -> TRUE
(21) if (!ok) {
(21) [reject] = reject
(21) } # if (!ok) = reject
(21) } # if (!EAP-Message) = reject
(21) } # authorize = reject
(21) Invalid user: [b4-45-06-c1-79-98] (from client ed-sw-1f01 port 16863283 cli b4-45-06-c1-79-98)
(21) Using Post-Auth-Type Reject
(21) Post-Auth-Type sub-section not found. Ignoring.
(21) Login incorrect: [b4-45-06-c1-79-98] (from client ed-sw-1f01 port 16863283 cli b4-45-06-c1-79-98)
(21) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(21) Sending delayed response
(21) Sent Access-Reject Id 197 from 10.10.251.2:1812 to 10.20.80.11:3279 length 32
(21) Framed-Protocol = PPP
(21) Framed-Compression = Van-Jacobson-TCP-IP
Waking up in 0.3 seconds.
(0) Cleaning up request packet ID 34 with timestamp +0 due to cleanup_delay was reached
________________________________
Miller Homes Limited Registered in Scotland - SC255429
2 Lochside View, Edinburgh Park, Edinburgh, EH12 9DH
Disclaimer: The Information in this e-mail is confidential and for use by the addressee(s) only. It may also be privileged. If you are not the intended recipient please notify us immediately on +44 (0) 870 336 5000 and delete the message from your computer: you may not copy or forward it, or use or disclose its contents to any other person. We do not accept any liability or responsibility for: (1) changes made to this email after it was sent, or (2) viruses transmitted through this email or any attachment.
Miller Homes Limited <https://www.millerhomes.co.uk>
3
3
Hi,
we have the task to authenticate network access against a Azure Active
Directory. I have seen some solutions. So basically it should be
possible to use the Azure AD Directory Services (LDAP).
Is there an easier way to use the SAML REST API of Azure AD? Perhaps not
in the recent REST module of FR, but in the upcoming, improved module?
Mit freundlichen Grüßen,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
2
1
Hello,
Does Freeradius 3.2.0 fully support MACSEC/dot1x? The only information
I've found is that the following snippet in sites-available/default needs
to be uncommented. Are there any additional RADIUS AV pairs I need to
configure to make it work with Macsec/dot1x on Cisco devices?
# MacSEC requires the use of EAP-Key-Name. However, we don't
# want to send it for all EAP sessions. Therefore, the EAP
# modules put required data into the EAP-Session-Id attribute.
# This attribute is never put into a request or reply packet.
#
# Uncomment the next few lines to copy the required data into
# the EAP-Key-Name attribute
if (&reply:EAP-Session-Id) {
update reply {
EAP-Key-Name := &reply:EAP-Session-Id
}
}
Thanks a lot.
2
2
freeradius <=> radsecproxy: Login incorrect (Failed to find live home server)
by Michael Baye 08 Aug '22
by Michael Baye 08 Aug '22
08 Aug '22
2
3
dear savers ...
I have to apply these needed configuration to my exist radius box
First ...
I need to implement module that check if this box is can work and accept users via call php script I think this can be achieved any advice from you
Second ....
my box accept radsec TLS users , I need to implement acceptance from nas table via 1812 , 1813 UDP and let them work together , how I can achieve that
Your's
Mohammed
2
1
Hi Alan,
Are we sure it is the Google Adroid phone which is the culprit. If that then this issue should be seen with most Android phones.
Also, the Radius client would be Access Point, in this case Netgear RAX200 which I am using.
Any support on resoling this will be helpful. Thanks.
Regards,
Arvinder.
-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+arvinder.singh=gm.com(a)lists.freeradius.org> On Behalf Of freeradius-users-request(a)lists.freeradius.org
Sent: Thursday, July 28, 2022 8:00 AM
To: freeradius-users(a)lists.freeradius.org
Subject: [EXTERNAL] Freeradius-Users Digest, Vol 207, Issue 47
ATTENTION: This email originated from outside of GM.
Send Freeradius-Users mailing list submissions to
freeradius-users(a)lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request(a)lists.freeradius.org
You can reach the person managing the list at
freeradius-users-owner(a)lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: EAP-TLS failure with Freeradius 3.2.0 : Failed reading
from OpenSSL: ../ssl/record/rec_layer_s3.c[1528]:error:14094438
(Alan DeKok)
----------------------------------------------------------------------
Message: 1
Date: Thu, 28 Jul 2022 07:23:49 -0400
From: Alan DeKok <aland(a)deployingradius.com>
To: FreeRadius users mailing list
<freeradius-users(a)lists.freeradius.org>
Subject: Re: EAP-TLS failure with Freeradius 3.2.0 : Failed reading
from OpenSSL: ../ssl/record/rec_layer_s3.c[1528]:error:14094438
Message-ID: <890B6D01-D871-46C7-880C-AC000F3F457E(a)deployingradius.com>
Content-Type: text/plain;charset=us-ascii
Don't send messages to my private email address. I read the list, and that's good enough.
Also read the instructions at http://wiki.freeradius.org/list-help
I have no idea why so many people refuse to follow the documentation. W don't need to see "radiusd -Xxxx" or anything else. Just "radiusd -X". You get told this in the "welcome" message when you join the list.
Can you explain why you're not following the documentation? i.e. the first message you post to the list tells us that you didn't read the docs, or you have no intention of following the documentation. Why is that useful? All it does is convince people that there's no point in answering your questions, because you'll just ignore any answer.
And read the debug messages you post to the list. This isn't a FreeRADIUS issue. FreeRADIUS is telling you that the problem is the peer. i.e. the client machine. It's not following the specifications correctly.
Go ask Google why their software is broken. No amount of poking FreeRADIUS will fix the Android phone.
Alan DeKok.
------------------------------
Subject: Digest Footer
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
End of Freeradius-Users Digest, Vol 207, Issue 47
*************************************************
Nothing in this message is intended to constitute an electronic signature unless a specific statement to the contrary is included in this message.
Confidentiality Note: This message is intended only for the person or entity to which it is addressed. It may contain confidential and/or privileged material. Any review, transmission, dissemination or other use, or taking of any action in reliance upon this message by persons or entities other than the intended recipient is prohibited and may be unlawful. If you received this message in error, please contact the sender and delete it from your computer.
2
1
Providing dynamic DHCP leases for multiple routers on multiple interfaces
by Matthew McTague 04 Aug '22
by Matthew McTague 04 Aug '22
04 Aug '22
Hi,
I want to use FreeRADIUS to provide DHCP, using a MySQL database to store information.
I have multiple MikroTik routers that each have DHCP Relay configured for multiple interfaces, with unique local / source addresses.
I want to configure an IP pool per interface, and authenticate client devices by mac address.
I see I can configure clients in sites-available/dhcp using their IPv4 addresses, and I think this will allow me to set IP-Pool.Name for each client. In my scenario, these clients would each represent a DHCP Relay configured for a specific interface on a MikroTik router).
I understand that I can use mods-available/sqlippool to configure IP pools using an SQL table. I like this, it's ideal for my needs.
Rather than storing these clients in sites-available/dhcp, I would like to store these in MySQL. Is this possible?
For authenticating by mac address, I understand that I can include sql.authorize in sites-available/dhcp and this will allow me to authenticate using the radcheck and radreply tables.
Would this plan work, and is this the correct way to achieve my goal?
Many thanks,
.[cid:vg-email_e752d47f-182a-48d0-8808-3796b2df8d4a.png]<https://www.vetta.nz> .[cid:058_line_9bae9502-1e3a-48a3-ba5e-34ed9cd44185.png] Matthew McTague
Head of Infrastructure [cid:bea-finalist-email_2ddba0ed-b9bb-4ab9-b680-84aa7f54077f.png] [cid:bea-winner-banner-email_590096c3-05a6-4c98-b071-1c4d748c3534.png] .
D +64 3 222 6013<tel:+64%203%20222%206013> | P +64 3 684 5770
E matthew.mctague(a)vetta.nz<mailto:matthew.mctague@vetta.nz> | W www.vetta.nz<https://www.vetta.nz>
Vetta Group Ltd and its subsidiaries accepts no liability for the content of this email, or for the consequences of any actions taken on the basis of the information provided, unless that information is subsequently confirmed in writing. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company, its subsidiaries, partners or contractors.
.
2
1
03 Aug '22
I have a requirement to provide the reason why authentication failed.
For non-EAP clients, it is easy just include Reply-Message in
Access-Reject packet. But for EAP clients RFC says Reply-Message
should not be sent with EAP-Message together.
First I've tried to include the second EAP-Message attribute with a
reason using `EAP-Message+= "error code"`. I.e. supplicant will
receive first EAP-Message with reply from some "eap" module and then
my custom message. At least eapol_test tool sees both attributes, but
I didn't test it with end-user devices.
And I've read RFC 3579 more.
In §2.6.5 Displayable Messages the RFC saying
"An EAP-Message/EAP-Request/Notification SHOULD NOT be included within
an Access-Accept or Access-Reject packet."
First question why it saying this? I am confused because in real life
I see EAP-Message attribute in Access-Reject response
EAPOL: SUPP_BE entering state RECEIVE
Received 44 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=8 length=44
Attribute 79 (EAP-Message) length=6
Value: 046a0004
Attribute 80 (Message-Authenticator) length=18
Value: 9f3224d1705f2e3cb32708dbea4cc348
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 1.05 sec
But ok, assuming this is fine, there is § 2.6.3. Conflicting Messages saying
" Access-Reject packets SHOULD have only one EAP-Message attribute in
them, containing EAP Failure."
I bet this forbids me from using this hack EAP-Message+= "error code"
I didn't find the exact wording that says if you want to include
"error code" in Access-Reject reply use only EAP Notification. §2.6.5
saying
"When sending a displayable message to a NAS during an EAP
conversation, the RADIUS server MUST encapsulate displayable messages
within EAP-Message/EAP-Request/Notification attribute(s)"
But I guess this is the proper way to do it. The second question - am
I, right about it? Or there is another proper way to send an error
reason?
If I am right about the EAP-Notification attribute can I ask to
provide an example of how to do it properly? Since RFC says to use
Access-Challenge for notification and then disconnect probably I can
try to adapt the example site "challenge". But maybe it is overkill.
All I need as I imagine is to send "Access-Challenge " from
Post-Auth-Type REJECT section the first time and when the supplicant
will repeat the request, send Access-Reject for the second time.
--
Vladimir
3
5
Hello,
I want to Allow an user to connect freeradius only if the SSID match, with the ssid stored in the database.
I tried to add the Check Attibute « Called-Station-id » == « SSID name » to the user profile but this is not working.
I also tried to add the attribue Allow-called-station-id but this is not working.
What is the right check attribute to add to the user profile please, for a check on the SSID name ?
Thanks for your help 😉
3
5
Hello,
sorry for using the ML for business purposes. It's been days I've been
trying to contact somebody from NeworkRadius but nobody replies to emails
nor picks up the phone.
What would be the best way to get in contact with them?
Thanks,
Alex
4
4