Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
January 2023
- 28 participants
- 30 discussions
All,
I've got authentication working nicely with MSCHAP, but now I'd like to
only allow users that are members of a certain AD group.
I would prefer to have this happen only when requests come from a
specific client (wireless access point). In this case the idea is to
have users only be able to get wireless access when they're in a
specific AD group.
How can I do this in freeradius?
Thanks,
Brian
7
18
Hi everyone!
I am facing a problem when freeradius reports that the limit of open
sessions has been reached. These are log entries, like "Too many open
sessions. Try increasing "max_sessions" in the EAP module configuration".
During the debugging, it was determined that some ios devices
(ipad/iphone), for a reason unknown to me, cyclically cannot complete
eap/tls authentication process. I found that these devices successfully
start communicating with the NAS (send EAP-Response/Identity). But after
receiving the (TLS Start)-message, they no longer send the (TLS
client_hello)-message, and restart the association process with the access
point and therefore open a new EAP session. If recreate a wifi connection
on such a device, it will connect successfully.
Until I find the root cause of this behavior, I would like to monitor the
number of open sessions of the radius server. But I couldn't find a
suitable way to do it. Here is what I tried:
- use the "status server" tool, but there is no suitable one among its
counters
- use tool "control-socket" and radmin but also i didn't find suitable
counter
Can you help me with this question?
Thanks!
2
4
Hi all,
I hope I may ask you regarding this topic.
I have a test setup of OPNsense firewall, FreeRADIUS 3.2.0 and using Linux,
Mac and especially Windows 10 (with the native Windows client) IKEv2 VPN
clients. OPNsense / Phase 1 is configured to use EAP-RADIUS (i.e.
FreeRADIUS) which is authenticating the VPN users against Active Directory.
The VPN clients are using IKEv2 and EAP-MSCHAPv2 with (AD-) username and
password. I use winbind for authentication
(https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind) and
do an additional check if the user is member of a special AD group (via
LDAP). These are the key points. And so far it's working fine.
But: I have the demand to use 2FA (especially OTP) to increase the security
of the VPN access. And that's my very question:
I searched around, read tons of articles etc. if that's possible and if
yes, what would be the best way to achive this goal. Among others I found this:
https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy
and would like to ask if someone has such an environment with Windows 10
clients and used it with e.g. privacyIDEA, OpenOTP or similar systems
(other than the mentioned Gemalto Safenet Authentication Services)? It
would be the best if the OTP system is running on-prem.
Could this work and is it worth the effort to setup such a system?
Any feedback is highly appreciated.
Thank you and best regards,
Markus
4
5
Hello,
I followed this tutorial (https://www.nasirhafeez.com/wp-comments-post.php) for testing purposes several times and it worked flawlessly. several month later I wanted to put it in production and it stop working.
This is my setup: 2 Raspberry PIs with freeradius 3.0.12 (allready tried the Backport version 3.2.1 as well) Unifi AC HD AccessPoints and as clients macOS and iOS devices (tried macOS versions 11.7 to 13.1) for testing I tried an Ubuntu client as well.
Binding to Google LDAP works without any issues (radtest results in Access-Accept) I even see that the Radius server sends an “Access-Accept” to the clients but shortly after the client starts another Access-Request an that fails with:
(9) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x864de94f8144fc95
(9) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
(9) eap: Failed in handler
Any idea what is happening here?
Here the full output of a test with freeradius -X
Ready to process requests
(0) Received Access-Request Id 18 from 10.100.2.39:54686 to 10.100.1.65:1812 length 253
(0) User-Name = "klaus.mustermann"
(0) NAS-IP-Address = 10.100.2.39
(0) NAS-Identifier = "8283c219e7f9"
(0) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(0) Connect-Info = "CONNECT 0Mbps 802.11b"
(0) Acct-Session-Id = "690B866461ACEC60"
(0) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(0) Mobility-Domain-Id = 46476
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027076
(0) WLAN-AKM-Suite = 1027075
(0) Framed-MTU = 1400
(0) EAP-Message = 0x02670015016b6c6175732e6d75737465726d616e6e
(0) Message-Authenticator = 0x8d4fe3c9b693e2d71ed16670b1d148a8
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 103 length 21
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_ttls to process data
(0) eap_ttls: (TLS) Initiating new session
(0) eap: Sending EAP Request (code 1) ID 104 length 6
(0) eap: EAP session adding &reply:State = 0x33754777331d52c5
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) session-state: Saving cached attributes
(0) Framed-MTU = 994
(0) Sent Access-Challenge Id 18 from 10.100.1.65:1812 to 10.100.2.39:54686 length 64
(0) EAP-Message = 0x016800061520
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x33754777331d52c5d9592c39c6f43193
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 19 from 10.100.2.39:54686 to 10.100.1.65:1812 length 411
(1) User-Name = "klaus.mustermann"
(1) NAS-IP-Address = 10.100.2.39
(1) NAS-Identifier = "8283c219e7f9"
(1) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(1) Connect-Info = "CONNECT 0Mbps 802.11b"
(1) Acct-Session-Id = "690B866461ACEC60"
(1) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(1) Mobility-Domain-Id = 46476
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027076
(1) WLAN-AKM-Suite = 1027075
(1) Framed-MTU = 1400
(1) EAP-Message = 0x026800a115800000009716030100920100008e030363ce9a00af0158c4304b8191e349a5c4d7e344c71cf9ceb42fc1dc05eee1d4ea00002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
(1) State = 0x33754777331d52c5d9592c39c6f43193
(1) Message-Authenticator = 0xaf2835db2d901930a1abf923e81f8d4b
(1) Restoring &session-state
(1) &session-state:Framed-MTU = 994
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 104 length 161
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x33754777331d52c5
(1) eap: Finished EAP session with state 0x33754777331d52c5
(1) eap: Previous EAP request found for state 0x33754777331d52c5, released from the list
(1) eap: Peer sent packet with method EAP TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Authenticate
(1) eap_ttls: (TLS) EAP Peer says that the final record size will be 151 bytes
(1) eap_ttls: (TLS) EAP Got all data (151 bytes)
(1) eap_ttls: (TLS) Handshake state - before SSL initialization
(1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(1) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello
(1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHello
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello
(1) eap_ttls: (TLS) send TLS 1.2 Handshake, Certificate
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate
(1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write key exchange
(1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
(1) eap_ttls: (TLS) Server : Need to read more data: SSLv3/TLS write server done
(1) eap_ttls: (TLS) In Handshake Phase
(1) eap: Sending EAP Request (code 1) ID 105 length 1004
(1) eap: EAP session adding &reply:State = 0x33754777321c52c5
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) session-state: Saving cached attributes
(1) Framed-MTU = 994
(1) Sent Access-Challenge Id 19 from 10.100.1.65:1812 to 10.100.2.39:54686 length 1068
(1) EAP-Message = 0x016903ec15c000001151160303003d02000039030333251bb0257a7e942419ced1c14e2115f3355723303c682158f6d50e662be4da00c030000011ff01000100000b000403000102001700001603030eaf0b000eab000ea800071930820715308204fda0030201020208651e057cf4b3407c300d06092a864886f70d01010b05003081bd310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479312630240603550403131d42756464796272616e6420496e7465726d656469617465204341203034311f301d06092a864886f70d010901161069744062756464796272616e642e6465301e170d3233303130323030303030305a170d3235303430353233353935395a3081bb310b3009060355040613024445310f300d0603
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x33754777321c52c5d9592c39c6f43193
(1) Finished request
Waking up in 4.8 seconds.
(2) Received Access-Request Id 20 from 10.100.2.39:54686 to 10.100.1.65:1812 length 256
(2) User-Name = "klaus.mustermann"
(2) NAS-IP-Address = 10.100.2.39
(2) NAS-Identifier = "8283c219e7f9"
(2) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(2) Connect-Info = "CONNECT 0Mbps 802.11b"
(2) Acct-Session-Id = "690B866461ACEC60"
(2) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(2) Mobility-Domain-Id = 46476
(2) WLAN-Pairwise-Cipher = 1027076
(2) WLAN-Group-Cipher = 1027076
(2) WLAN-AKM-Suite = 1027075
(2) Framed-MTU = 1400
(2) EAP-Message = 0x026900061500
(2) State = 0x33754777321c52c5d9592c39c6f43193
(2) Message-Authenticator = 0x61c34e69e7f5f253a9fdf8868c0f8826
(2) Restoring &session-state
(2) &session-state:Framed-MTU = 994
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 105 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x33754777321c52c5
(2) eap: Finished EAP session with state 0x33754777321c52c5
(2) eap: Previous EAP request found for state 0x33754777321c52c5, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: (TLS) Peer ACKed our handshake fragment
(2) eap: Sending EAP Request (code 1) ID 106 length 1004
(2) eap: EAP session adding &reply:State = 0x33754777311f52c5
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2) Framed-MTU = 994
(2) Sent Access-Challenge Id 20 from 10.100.1.65:1812 to 10.100.2.39:54686 length 1068
(2) EAP-Message = 0x016a03ec15c000001151634a5ca32fca591c963a10e1e4fc909ecc4cf2f3259d2cc70fde28bea17fe514687c8e2ceb902a9d47fde53d01733845bba3e9d6a95f90195118e26a7a98ef957393cd519e06e02ec652ceb9fef0ef8e67a1dc250203010001a382011730820113300c0603551d130101ff04023000301d0603551d0e041604140d3fc210b4abae8368f6656c2f4182ded3cba973301f0603551d23041830168014bb50e659b6554824eb10703f59de33b5ab10d343300e0603551d0f0101ff0404030203e830130603551d25040c300a06082b0601050507030130260603551d11041f301d821b6265723072616430342e696e742e62756464796272616e642e646530430603551d1f0101ff043930373035a033a031862f687474703a2f2f63726c2e62756464796272616e642e64653a383038302f696e746572636130345f63726c2e70656d301106096086480186f8420101040403020640301e06096086480186f842010d0411160f7863612063657274
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x33754777311f52c5d9592c39c6f43193
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 21 from 10.100.2.39:54686 to 10.100.1.65:1812 length 256
(3) User-Name = "klaus.mustermann"
(3) NAS-IP-Address = 10.100.2.39
(3) NAS-Identifier = "8283c219e7f9"
(3) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(3) Connect-Info = "CONNECT 0Mbps 802.11b"
(3) Acct-Session-Id = "690B866461ACEC60"
(3) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(3) Mobility-Domain-Id = 46476
(3) WLAN-Pairwise-Cipher = 1027076
(3) WLAN-Group-Cipher = 1027076
(3) WLAN-AKM-Suite = 1027075
(3) Framed-MTU = 1400
(3) EAP-Message = 0x026a00061500
(3) State = 0x33754777311f52c5d9592c39c6f43193
(3) Message-Authenticator = 0xc8e04779851766a986a21ceea4790d00
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 994
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 106 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x33754777311f52c5
(3) eap: Finished EAP session with state 0x33754777311f52c5
(3) eap: Previous EAP request found for state 0x33754777311f52c5, released from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: (TLS) Peer ACKed our handshake fragment
(3) eap: Sending EAP Request (code 1) ID 107 length 1004
(3) eap: EAP session adding &reply:State = 0x33754777301e52c5
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) session-state: Saving cached attributes
(3) Framed-MTU = 994
(3) Sent Access-Challenge Id 21 from 10.100.1.65:1812 to 10.100.2.39:54686 length 1068
(3) EAP-Message = 0x016b03ec15c0000011516e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479311b30190603550403131242756464796272616e6420526f6f74204341311f301d06092a864886f70d010901161069744062756464796272616e642e6465301e170d3231303432333131353030305a170d3331303432333131353030305a3081bd310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479312630240603550403131d42756464796272616e6420496e7465726d656469617465204341203034311f301d06092a864886f70d010901161069744062756464796272616e642e646530820222300d06092a
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x33754777301e52c5d9592c39c6f43193
(3) Finished request
Waking up in 4.8 seconds.
(4) Received Access-Request Id 22 from 10.100.2.39:54686 to 10.100.1.65:1812 length 256
(4) User-Name = "klaus.mustermann"
(4) NAS-IP-Address = 10.100.2.39
(4) NAS-Identifier = "8283c219e7f9"
(4) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(4) Connect-Info = "CONNECT 0Mbps 802.11b"
(4) Acct-Session-Id = "690B866461ACEC60"
(4) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(4) Mobility-Domain-Id = 46476
(4) WLAN-Pairwise-Cipher = 1027076
(4) WLAN-Group-Cipher = 1027076
(4) WLAN-AKM-Suite = 1027075
(4) Framed-MTU = 1400
(4) EAP-Message = 0x026b00061500
(4) State = 0x33754777301e52c5d9592c39c6f43193
(4) Message-Authenticator = 0x8ebe69d74f104b81490506fbfd4fcc22
(4) Restoring &session-state
(4) &session-state:Framed-MTU = 994
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 107 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x33754777301e52c5
(4) eap: Finished EAP session with state 0x33754777301e52c5
(4) eap: Previous EAP request found for state 0x33754777301e52c5, released from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: (TLS) Peer ACKed our handshake fragment
(4) eap: Sending EAP Request (code 1) ID 108 length 1004
(4) eap: EAP session adding &reply:State = 0x33754777371952c5
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4) Framed-MTU = 994
(4) Sent Access-Challenge Id 22 from 10.100.1.65:1812 to 10.100.2.39:54686 length 1068
(4) EAP-Message = 0x016c03ec15c00000115155040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479311b30190603550403131242756464796272616e6420526f6f74204341311f301d06092a864886f70d010901161069744062756464796272616e642e64658209009ce5d9f001129991300e0603551d0f0101ff04040302018630400603551d1f0101ff043630343032a030a02e862c687474703a2f2f63726c2e62756464796272616e642e64653a383038302f726f6f7463615f63726c2e70656d301106096086480186f8420101040403020007301e06096086480186f842010d0411160f786361206365727469666963617465300d06092a864886f70d01010b0500038202010014ba00b7b369be8d469dc9fe7cb4ea2b8b69f5ddf664529e7cfa7e5c23
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x33754777371952c5d9592c39c6f43193
(4) Finished request
Waking up in 4.7 seconds.
(5) Received Access-Request Id 23 from 10.100.2.39:54686 to 10.100.1.65:1812 length 256
(5) User-Name = "klaus.mustermann"
(5) NAS-IP-Address = 10.100.2.39
(5) NAS-Identifier = "8283c219e7f9"
(5) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(5) Connect-Info = "CONNECT 0Mbps 802.11b"
(5) Acct-Session-Id = "690B866461ACEC60"
(5) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(5) Mobility-Domain-Id = 46476
(5) WLAN-Pairwise-Cipher = 1027076
(5) WLAN-Group-Cipher = 1027076
(5) WLAN-AKM-Suite = 1027075
(5) Framed-MTU = 1400
(5) EAP-Message = 0x026c00061500
(5) State = 0x33754777371952c5d9592c39c6f43193
(5) Message-Authenticator = 0x2954664567eb90b58df983559fafc7ef
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 994
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 108 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x33754777371952c5
(5) eap: Finished EAP session with state 0x33754777371952c5
(5) eap: Previous EAP request found for state 0x33754777371952c5, released from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: (TLS) Peer ACKed our handshake fragment
(5) eap: Sending EAP Request (code 1) ID 109 length 467
(5) eap: EAP session adding &reply:State = 0x33754777361852c5
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) Framed-MTU = 994
(5) Sent Access-Challenge Id 23 from 10.100.1.65:1812 to 10.100.2.39:54686 length 527
(5) EAP-Message = 0x016d01d3158000001151c7ae0d9a4018dc0ce7aab22f77890b68228d8c81607a7cd59e58e5b314f938dfe8d81ca660735e53afd3f6eb0939e78859296a954ea1d3046dbcf4333aa72aaad39f3f152ab2b3a2ed59dc1bfdbc773787acbba803d0201cda94c46c440afa65d844464271d2a2dcb7e409ff9c9c30a411ea245b8c2424110ac5191f2c594afe070d15b670dd08c238fd3b672b5bbed9bc7141c3b6e95b61bb78889da5182b33b0883e08339b927b4fd0ef118175f30d3e232be2fc5c92ef1eae2a30a21ba88a0477b8a0a89b903ea37327d4b41dc15ac604f4c057eff9a454748056d6b919f4756ee70de3878196b23441f9252252e5ee8bebe2519a11cb9967ff91ce3d43a9f3e3e39e82277f7bc39200d0e9d8178afdf2b479684b66ee8b2c6b6d258d172684d801780ede278d3c6bbce36875649bc181dcecd10a2ecc83bc920f0b97cf3f2b51a234b69f88e884f5c248fb1062aba73cb402765bf2005825f8379389178cafae7ad9723c0f9e3f63b375c2
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x33754777361852c5d9592c39c6f43193
(5) Finished request
Waking up in 4.7 seconds.
(6) Received Access-Request Id 24 from 10.100.2.39:54686 to 10.100.1.65:1812 length 386
(6) User-Name = "klaus.mustermann"
(6) NAS-IP-Address = 10.100.2.39
(6) NAS-Identifier = "8283c219e7f9"
(6) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(6) Connect-Info = "CONNECT 0Mbps 802.11b"
(6) Acct-Session-Id = "690B866461ACEC60"
(6) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(6) Mobility-Domain-Id = 46476
(6) WLAN-Pairwise-Cipher = 1027076
(6) WLAN-Group-Cipher = 1027076
(6) WLAN-AKM-Suite = 1027075
(6) Framed-MTU = 1400
(6) EAP-Message = 0x026d008815800000007e16030300461000004241041bdfa74e961e11ce04aae11e59adff899c7e45c93c23a868913c8e6dbc6b61c8c93027484c43331a120609e34bb63d4a01335611c152662eda522aa015747d24140303000101160303002896671043239b41663014b73a88eb2b056a398cc8c31e8c6f1940273f2cc64b884907fe10b3c697de
(6) State = 0x33754777361852c5d9592c39c6f43193
(6) Message-Authenticator = 0x02f8f3ac8779506b6dc11ac581eb8a01
(6) Restoring &session-state
(6) &session-state:Framed-MTU = 994
(6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 109 length 136
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x33754777361852c5
(6) eap: Finished EAP session with state 0x33754777361852c5
(6) eap: Previous EAP request found for state 0x33754777361852c5, released from the list
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: (TLS) EAP Peer says that the final record size will be 126 bytes
(6) eap_ttls: (TLS) EAP Got all data (126 bytes)
(6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
(6) eap_ttls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange
(6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
(6) eap_ttls: (TLS) recv TLS 1.2 Handshake, Finished
(6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished
(6) eap_ttls: (TLS) send TLS 1.2 ChangeCipherSpec
(6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
(6) eap_ttls: (TLS) send TLS 1.2 Handshake, Finished
(6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished
(6) eap_ttls: (TLS) Handshake state - SSL negotiation finished successfully
(6) eap_ttls: (TLS) Connection Established
(6) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) eap_ttls: TLS-Session-Version = "TLS 1.2"
(6) eap: Sending EAP Request (code 1) ID 110 length 61
(6) eap: EAP session adding &reply:State = 0x33754777351b52c5
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6) Framed-MTU = 994
(6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 24 from 10.100.1.65:1812 to 10.100.2.39:54686 length 119
(6) EAP-Message = 0x016e003d1580000000331403030001011603030028c5e315035630988a3b83c13d63026f7f68b51fc4cae498e85bec63a7b3beba6177951acbd7c9e48e
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x33754777351b52c5d9592c39c6f43193
(6) Finished request
Waking up in 4.7 seconds.
(7) Received Access-Request Id 25 from 10.100.2.39:54686 to 10.100.1.65:1812 length 321
(7) User-Name = "klaus.mustermann"
(7) NAS-IP-Address = 10.100.2.39
(7) NAS-Identifier = "8283c219e7f9"
(7) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(7) Connect-Info = "CONNECT 0Mbps 802.11b"
(7) Acct-Session-Id = "690B866461ACEC60"
(7) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(7) Mobility-Domain-Id = 46476
(7) WLAN-Pairwise-Cipher = 1027076
(7) WLAN-Group-Cipher = 1027076
(7) WLAN-AKM-Suite = 1027075
(7) Framed-MTU = 1400
(7) EAP-Message = 0x026e004715800000003d170303003896671043239b4167e00afbeca8b555b120c23769698d81a6b5a879ecc3c8fd3cd740dc135bdef5fcadd7fda6a166609e4d7957502348d9f3
(7) State = 0x33754777351b52c5d9592c39c6f43193
(7) Message-Authenticator = 0xa8b841519028def71e27cfef249be756
(7) Restoring &session-state
(7) &session-state:Framed-MTU = 994
(7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 110 length 71
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x33754777351b52c5
(7) eap: Finished EAP session with state 0x33754777351b52c5
(7) eap: Previous EAP request found for state 0x33754777351b52c5, released from the list
(7) eap: Peer sent packet with method EAP TTLS (21)
(7) eap: Calling submodule eap_ttls to process data
(7) eap_ttls: Authenticate
(7) eap_ttls: (TLS) EAP Peer says that the final record size will be 61 bytes
(7) eap_ttls: (TLS) EAP Got all data (61 bytes)
(7) eap_ttls: Session established. Proceeding to decode tunneled attributes
(7) eap_ttls: Got tunneled request
(7) eap_ttls: EAP-Message = 0x02000015016b6c6175732e6d75737465726d616e6e
(7) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_ttls: Got tunneled identity of klaus.mustermann
(7) eap_ttls: Setting default EAP type for tunneled EAP session
(7) eap_ttls: Sending tunneled request
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x02000015016b6c6175732e6d75737465726d616e6e
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "klaus.mustermann"
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.
(7) server inner-tunnel {
(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 0 length 21
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_gtc to process data
(7) eap_gtc: EXPAND Password:
(7) eap_gtc: --> Password:
(7) eap: Sending EAP Request (code 1) ID 1 length 15
(7) eap: EAP session adding &reply:State = 0xb4a2b867b4a3bebf
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message = 0x0101000f0650617373776f72643a20
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xb4a2b867b4a3bebfd5edaac839855c28
(7) eap_ttls: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 111 length 63
(7) eap: EAP session adding &reply:State = 0x33754777341a52c5
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7) Framed-MTU = 994
(7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 25 from 10.100.1.65:1812 to 10.100.2.39:54686 length 121
(7) EAP-Message = 0x016f003f1580000000351703030030c5e315035630988b4ad830befda4dba2a51fa8f9388f8da63a7ea11b76e432bbb988ecf99f49e2ebe5cd501621aec81b
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x33754777341a52c5d9592c39c6f43193
(7) Finished request
Waking up in 4.6 seconds.
(8) Received Access-Request Id 26 from 10.100.2.39:54686 to 10.100.1.65:1812 length 317
(8) User-Name = "klaus.mustermann"
(8) NAS-IP-Address = 10.100.2.39
(8) NAS-Identifier = "8283c219e7f9"
(8) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(8) Connect-Info = "CONNECT 0Mbps 802.11b"
(8) Acct-Session-Id = "690B866461ACEC60"
(8) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(8) Mobility-Domain-Id = 46476
(8) WLAN-Pairwise-Cipher = 1027076
(8) WLAN-Group-Cipher = 1027076
(8) WLAN-AKM-Suite = 1027075
(8) Framed-MTU = 1400
(8) EAP-Message = 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7
(8) State = 0x33754777341a52c5d9592c39c6f43193
(8) Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a
(8) Restoring &session-state
(8) &session-state:Framed-MTU = 994
(8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\./) {
(8) if (&User-Name =~ /(a)\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 111 length 67
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0xb4a2b867b4a3bebf
(8) eap: Finished EAP session with state 0x33754777341a52c5
(8) eap: Previous EAP request found for state 0x33754777341a52c5, released from the list
(8) eap: Peer sent packet with method EAP TTLS (21)
(8) eap: Calling submodule eap_ttls to process data
(8) eap_ttls: Authenticate
(8) eap_ttls: (TLS) EAP Peer says that the final record size will be 57 bytes
(8) eap_ttls: (TLS) EAP Got all data (57 bytes)
(8) eap_ttls: Session established. Proceeding to decode tunneled attributes
(8) eap_ttls: Got tunneled request
(8) eap_ttls: EAP-Message = 0x0201001306736167616e382e53697a61626c65
(8) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_ttls: Sending tunneled request
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x0201001306736167616e382e53697a61626c65
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "klaus.mustermann"
(8) State = 0xb4a2b867b4a3bebfd5edaac839855c28
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\./) {
(8) if (&User-Name =~ /(a)\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 1 length 19
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap: --> (uid=klaus.mustermann)
(8) ldap: Performing search in "dc=pretendco,dc=de" with filter "(uid=klaus.mustermann)", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: User object found at DN "uid=klaus.mustermann,ou=Standard Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de"
(8) ldap: Processing user attributes
(8) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
Need more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed, errno=11.
rlm_ldap (ldap): Bind successful
(8) [ldap] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) if (User-Password) {
(8) if (User-Password) -> FALSE
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0xb4a2b867b4a3bebf
(8) eap: Finished EAP session with state 0xb4a2b867b4a3bebf
(8) eap: Previous EAP request found for state 0xb4a2b867b4a3bebf, released from the list
(8) eap: Peer sent packet with method EAP GTC (6)
(8) eap: Calling submodule eap_gtc to process data
(8) eap_gtc: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) eap_gtc: Auth-Type PAP {
rlm_ldap (ldap): Reserved connection (1)
(8) ldap: Login attempt by "klaus.mustermann"
(8) ldap: Using user DN from request "uid=klaus.mustermann,ou=Standard Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de"
(8) ldap: Waiting for bind result...
(8) ldap: Bind successful
(8) ldap: Bind as user "uid=klaus.mustermann,ou=Standard Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de" was successful
rlm_ldap (ldap): Released connection (1)
Need more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed, errno=11.
rlm_ldap (ldap): Bind successful
(8) eap_gtc: [ldap] = ok
(8) eap_gtc: } # Auth-Type PAP = ok
(8) eap: Sending EAP Success (code 3) ID 1 length 4
(8) eap: Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) post-auth {
(8) if (0) {
(8) if (0) -> FALSE
(8) } # post-auth = noop
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) EAP-Message = 0x03010004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) User-Name = "klaus.mustermann"
(8) eap_ttls: Got tunneled Access-Accept
(8) eap: Sending EAP Success (code 3) ID 111 length 4
(8) eap: Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(8) post-auth {
(8) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(8) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(8) update {
(8) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
(8) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(8) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(8) } # update = noop
(8) [exec] = noop
(8) policy remove_reply_message_if_eap {
(8) if (&reply:EAP-Message && &reply:Reply-Message) {
(8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(8) else {
(8) [noop] = noop
(8) } # else = noop
(8) } # policy remove_reply_message_if_eap = noop
(8) } # post-auth = noop
(8) Sent Access-Accept Id 26 from 10.100.1.65:1812 to 10.100.2.39:54686 length 184
(8) MS-MPPE-Recv-Key = 0xeb472d316fdc874c9b4fab09804dffb9627d034a793910ca0f276473f2db3e62
(8) MS-MPPE-Send-Key = 0x3cde6513ea1f92c64ee3d938a85980091ecccdeb288c640f958a8f0d4324af64
(8) EAP-Message = 0x036f0004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) User-Name = "klaus.mustermann"
(8) Framed-MTU += 994
(8) Finished request
Waking up in 1.1 seconds.
(9) Received Access-Request Id 26 from 10.100.2.39:38737 to 10.100.1.65:1812 length 317
(9) User-Name = "klaus.mustermann"
(9) NAS-IP-Address = 10.100.2.39
(9) NAS-Identifier = "8283c219e7f9"
(9) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(9) NAS-Port-Type = Wireless-802.11
(9) Service-Type = Framed-User
(9) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(9) Connect-Info = "CONNECT 0Mbps 802.11b"
(9) Acct-Session-Id = "690B866461ACEC60"
(9) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(9) Mobility-Domain-Id = 46476
(9) WLAN-Pairwise-Cipher = 1027076
(9) WLAN-Group-Cipher = 1027076
(9) WLAN-AKM-Suite = 1027075
(9) Framed-MTU = 1400
(9) EAP-Message = 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7
(9) State = 0x33754777341a52c5d9592c39c6f43193
(9) Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\./) {
(9) if (&User-Name =~ /(a)\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 111 length 67
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(9) authenticate {
(9) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x33754777341a52c5
(9) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
(9) eap: Failed in handler
(9) [eap] = invalid
(9) } # authenticate = invalid
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(9) Post-Auth-Type REJECT {
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject: --> klaus.mustermann
(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
(9) [attr_filter.access_reject] = updated
(9) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x33754777341a52c5
(9) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
(9) eap: Failed to get handler, probably already removed, not inserting EAP-Failure
(9) [eap] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) } # Post-Auth-Type REJECT = updated
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(10) Received Access-Request Id 26 from 10.100.2.39:45497 to 10.100.1.65:1812 length 317
(10) User-Name = "klaus.mustermann"
(10) NAS-IP-Address = 10.100.2.39
(10) NAS-Identifier = "8283c219e7f9"
(10) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(10) NAS-Port-Type = Wireless-802.11
(10) Service-Type = Framed-User
(10) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(10) Connect-Info = "CONNECT 0Mbps 802.11b"
(10) Acct-Session-Id = "690B866461ACEC60"
(10) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(10) Mobility-Domain-Id = 46476
(10) WLAN-Pairwise-Cipher = 1027076
(10) WLAN-Group-Cipher = 1027076
(10) WLAN-AKM-Suite = 1027075
(10) Framed-MTU = 1400
(10) EAP-Message = 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7
(10) State = 0x33754777341a52c5d9592c39c6f43193
(10) Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a
(10) session-state: No cached attributes
(10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /(a)\./) {
(10) if (&User-Name =~ /(a)\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 111 length 67
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(10) authenticate {
(10) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x33754777341a52c5
(10) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
(10) eap: Failed in handler
(10) [eap] = invalid
(10) } # authenticate = invalid
(10) Failed to authenticate the user
(10) Using Post-Auth-Type Reject
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(10) Post-Auth-Type REJECT {
(10) attr_filter.access_reject: EXPAND %{User-Name}
(10) attr_filter.access_reject: --> klaus.mustermann
(10) attr_filter.access_reject: Matched entry DEFAULT at line 11
(10) [attr_filter.access_reject] = updated
(10) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x33754777341a52c5
(10) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
(10) eap: Failed to get handler, probably already removed, not inserting EAP-Failure
(10) [eap] = noop
(10) policy remove_reply_message_if_eap {
(10) if (&reply:EAP-Message && &reply:Reply-Message) {
(10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(10) else {
(10) [noop] = noop
(10) } # else = noop
(10) } # policy remove_reply_message_if_eap = noop
(10) } # Post-Auth-Type REJECT = updated
(10) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.2 seconds.
(9) Sending delayed response
(9) Sent Access-Reject Id 26 from 10.100.1.65:1812 to 10.100.2.39:38737 length 20
Waking up in 0.1 seconds.
(0) Cleaning up request packet ID 18 with timestamp +35 due to cleanup_delay was reached
Waking up in 0.1 seconds.
(1) Cleaning up request packet ID 19 with timestamp +35 due to cleanup_delay was reached
(2) Cleaning up request packet ID 20 with timestamp +35 due to cleanup_delay was reached
(3) Cleaning up request packet ID 21 with timestamp +35 due to cleanup_delay was reached
(4) Cleaning up request packet ID 22 with timestamp +35 due to cleanup_delay was reached
(5) Cleaning up request packet ID 23 with timestamp +35 due to cleanup_delay was reached
(6) Cleaning up request packet ID 24 with timestamp +35 due to cleanup_delay was reached
(7) Cleaning up request packet ID 25 with timestamp +35 due to cleanup_delay was reached
(10) Sending delayed response
(10) Sent Access-Reject Id 26 from 10.100.1.65:1812 to 10.100.2.39:45497 length 20
Any Idea what I am doing wrong here?
Regards
Henning
3
4
Hi,
Good afternoon! I have a setup where RADIUS is set to write to multiple DBs
simultaneously. I have set this as follows:
1. Copied the SQL instance in /etc/raddb/mods-enabled/sql and had it
renamed and configured accordingly.
2. Called them both
3. In the pool, I have set start=0
4. Set read_client to no
Although from debug these seem to be correctly set, I am still getting the
message that RADIUS is trying to connect to the DB when it is unavailable.
After quite a number of minutes and 3 retries, RADIUS fails to start. I
have attached the full debug and included some explanation too along the
way.
Thanks in advance.
Kind Regards,
SG
3
9
Hello,
At my workplace we're planning a major infrastructure migration which involves (re)installing FreeRADIUS from the networkradius.com repositories.
I've been using vms and ansible scripting to test the migration path this past month and it has always gone just fine; however when I ran a general rehearsal test this morning several errors occurred involving intermittent connection timeouts downloading packages from the packages.networkradius.com source.
Proxies didn't help, and attempting a manual download via browser or wget similarly times out during the download.
Is this a known issue?
--Rens
2
3
Using attribute reference from variable content in unlang
by Charles-Antoine Guillat-Guignard 30 Jan '23
by Charles-Antoine Guillat-Guignard 30 Jan '23
30 Jan '23
Hello,
I am trying to implement some db based attribute handling (names, operator and values from db), and I am struggling with a dynamic handling of
attributes references (names).
Looking at https://freeradius.org/radiusd/man/unlang.txt (ATTRIBUTE REFERENCES section), I see no exemple matching what I want to do (attribute
name is always known, and static).
What I try to achieve would look a bit like that (which doesn't work) : :
# Exemple for Attributes-Actions values
# A-AL-AAA,:=,1
# A-AL-DHCP,:=,0
foreach &Attributes-Actions {
update request {
Attributes-Action := "%{Foreach-Variable-2}"
}
%{explode:Attributes-Action ,}
update reply {
# for debugging, contains expected value
Reply-Message += "index 0 : %{Attributes-Action[0]}"
# this fails
"%{Attributes-Action[0]}" := "%{Attributes-Action[2]}"
}
}
Am I missing something? Is there another way to achieve dynamic handling of attributes names, to be able to modify an attribute whose
name/reference is not pre-declared in unlang script (unknown in unlang script, but ofc declared in dictionary).
Thank you in advance.
Kind regards,
Charles-Antoine Guillat-Guignard
2
4
Hi,
With FR 3.2.1, ubuntu 20.04, I can't bind to LDAP server using an old
TLS 1.0 version.
With TLS section parameters in ldap.conf :
tls {
start_tls = no
ca_file = "/etc/freeradius/ca_cert_hosting/12126560.pem"
require_cert = demand
tls_min_version = "1.0"
cipher_list = "DEFAULT@SECLEVEL=1"
}
I have in debug log for this LDAP server :
# Loaded module rlm_ldap
...
tls {
ca_file = "/etc/freeradius/ca_cert_hosting/12126560.pem"
tls_min_version = "1.0"
start_tls = no
require_cert = "demand"
}
And the error when trying to bind :
TLS: can't connect: (unknown error code).
It seems that 'cipher_list' parameter has disappeared in the debug log,
is this parameter
supported in ldap.conf ?
If not, how can I bind and check certificate ('demand' or 'hard' option)
to a TLS 1.0
LDAP server ?
Regards,
Arnaud
2
2
1
0
Hi Alan,
Is that mean Freeradius will show 0 in the Queue Statistics in both cases:
Full / Empty? this is what we are getting now.
Is there another way to check if the Queue full rather than checking the
logs?
Thanks
On Mon, Jan 23, 2023 at 6:39 PM <
freeradius-users-request(a)lists.freeradius.org> wrote:
> Send Freeradius-Users mailing list submissions to
> freeradius-users(a)lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request(a)lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner(a)lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Re: Queue Statistics always showing 0 (Alan DeKok)
> 2. FR 3.0.26 and TLS 1.3 (Chris Howley)
> 3. Freeradius-server-3.0.25 docking mariadb error
> (=?gb18030?B?zfjC58qxtPo=?=)
> 4. Freeradius Google Secure LDAP EAP-GTC issues (Henning Kessler)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 23 Jan 2023 08:46:56 -0500
> From: Alan DeKok <aland(a)deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: Queue Statistics always showing 0
> Message-ID: <4F2136FC-DB9C-418B-995D-2C499FF7BD82(a)deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Jan 23, 2023, at 3:24 AM, Ashraf Al-Basti <albasti(a)gmail.com> wrote:
> > I'm trying to get Freeradius statistics but I can see that the Queue
> > statistics are always 0.
>
> That's a side effect of moving to the faster atomic queues. It''s more
> difficult to get accurate stats for the queue length.
>
> Plus, the queue starts are generally meaningless. Either everything is
> OK, and the queue length is zero, or things are going wrong, and the queue
> is full.
>
> There is very very few situations where the queue are partially full.
>
> Alan DeKok.
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 23 Jan 2023 14:18:56 +0000
> From: Chris Howley <C.P.Howley(a)leeds.ac.uk>
> To: "freeradius-users(a)lists.freeradius.org"
> <freeradius-users(a)lists.freeradius.org>
> Subject: FR 3.0.26 and TLS 1.3
> Message-ID:
> <
> AS4PR03MB823284ABA3422F7FBDAB898E8EC89(a)AS4PR03MB8232.eurprd03.prod.outlook.com
> >
>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello Support team,
>
> I recently download the FR packages from your CentOS 7 repository, and I
> noticed that the 3.0.26 server was built with OpenSSL 1.0.2k (see below).
> Should the server be built with OpenSSL 1.1.1 to support TLS 1.3? Please
> excuse my ignorance if I've asked a stupid question.
>
> Thanks,
>
> Chris Howley
>
> Mon Jan 23 13:50:17 2023 : Debug: Server was built with:
> Mon Jan 23 13:50:17 2023 : Debug: accounting : yes
> Mon Jan 23 13:50:17 2023 : Debug: authentication : yes
> Mon Jan 23 13:50:17 2023 : Debug: ascend-binary-attributes : yes
> Mon Jan 23 13:50:17 2023 : Debug: coa : yes
> Mon Jan 23 13:50:17 2023 : Debug: control-socket : yes
> Mon Jan 23 13:50:17 2023 : Debug: detail : yes
> Mon Jan 23 13:50:17 2023 : Debug: dhcp : yes
> Mon Jan 23 13:50:17 2023 : Debug: dynamic-clients : yes
> Mon Jan 23 13:50:17 2023 : Debug: osfc2 : no
> Mon Jan 23 13:50:17 2023 : Debug: proxy : yes
> Mon Jan 23 13:50:17 2023 : Debug: regex-pcre : yes
> Mon Jan 23 13:50:17 2023 : Debug: regex-posix : no
> Mon Jan 23 13:50:17 2023 : Debug: regex-posix-extended : no
> Mon Jan 23 13:50:17 2023 : Debug: session-management : yes
> Mon Jan 23 13:50:17 2023 : Debug: stats : yes
> Mon Jan 23 13:50:17 2023 : Debug: systemd : yes
> Mon Jan 23 13:50:17 2023 : Debug: tcp : yes
> Mon Jan 23 13:50:17 2023 : Debug: threads : yes
> Mon Jan 23 13:50:17 2023 : Debug: tls : yes
> Mon Jan 23 13:50:17 2023 : Debug: unlang : yes
> Mon Jan 23 13:50:17 2023 : Debug: vmps : yes
> Mon Jan 23 13:50:17 2023 : Debug: developer : no
> Mon Jan 23 13:50:17 2023 : Debug: Server core libs:
> Mon Jan 23 13:50:17 2023 : Debug: freeradius-server : 3.0.26
> Mon Jan 23 13:50:17 2023 : Debug: talloc : 2.1.*
> Mon Jan 23 13:50:17 2023 : Debug: ssl : 1.0.2k
> release
> Mon Jan 23 13:50:17 2023 : Debug: pcre : 8.32
> 2012-11-30
> Mon Jan 23 13:50:17 2023 : Debug: Endianness:
> Mon Jan 23 13:50:17 2023 : Debug: little
> Mon Jan 23 13:50:17 2023 : Debug: Compilation flags:
> Mon Jan 23 13:50:17 2023 : Debug: cppflags :
> Mon Jan 23 13:50:17 2023 : Debug: cflags : -I. -Isrc -include
> src/freeradius-devel/autoconf.h -include src/freeradius-devel/build.h
> -include src/freeradius-devel/featur
> es.h -include src/freeradius-devel/radpaths.h -fno-strict-aliasing
> -Wno-date-time -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector-strong --param=s
> sp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wall -std=c99
> -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5
> -DNDEBUG -DIS_MODULE=1
> Mon Jan 23 13:50:17 2023 : Debug: ldflags : -Wl,--build-id
> Mon Jan 23 13:50:17 2023 : Debug: libs : -lcrypto -lssl -ltalloc
> -lpcre -lnsl -lresolv -ldl -lpthread -lreadline
> Mon Jan 23 13:50:17 2023 : Debug:
> Mon Jan 23 13:50:17 2023 : Info: FreeRADIUS Version 3.0.26
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 23 Jan 2023 22:29:20 +0800
> From: "=?gb18030?B?zfjC58qxtPo=?=" <1511815642(a)qq.com>
> To: "=?gb18030?B?ZnJlZXJhZGl1cy11c2Vycw==?="
> <freeradius-users(a)lists.freeradius.org>
> Subject: Freeradius-server-3.0.25 docking mariadb error
> Message-ID: <tencent_7F1BF56F0ABA0721320788A7754655CCA108(a)qq.com>
> Content-Type: text/plain; charset="gb18030"
>
> Hello,
> ezhangiso@ezhangiso-virtual-machine:/$ docker exec -it radius-test
> /bin/bash
> root@4ff809b932fe:/# chgrp -h freerad /etc/freeradius/mods-available/sql
> root@4ff809b932fe:/# chown -R freerad:freerad
> /etc/freeradius/mods-enabled/sql
> root@4ff809b932fe:/# vi etc/freeradius/mods-available/sql
> root@4ff809b932fe:/# vi /etc/freeradius/sites-available/default
> root@4ff809b932fe:/# vi /etc/freeradius/sites-available/inner-tunnel
> root@4ff809b932fe:/# vi radiusd.conf
> root@4ff809b932fe:/# vi /etc/freeradius/radiusd.conf
> root@4ff809b932fe:/# cat etc/freeradius/mods-available/sql
>
>
> dialect = "mysql"
> driver = "rlm_sql_mysql"
> sqlite {
> filename = "/tmp/freeradius.db"
> busy_timeout = 200
> bootstrap =
> "${modconfdir}/${..:name}/main/sqlite/schema.sql"
> }
>
>
> mysql {
>
> tls_required = no
> tls_check_cert = no
> tls_check_cert_cn = no
> }
> warnings = auto
> }
>
>
> postgresql {
>
>
> send_application_name = yes
> }
>
>
> #
> mongo {
> appname = "freeradius"
>
>
> tls {
> certificate_file = /path/to/file
> certificate_password = "password"
> ca_file = /path/to/file
> ca_dir = /path/to/directory
> crl_file = /path/to/file
> weak_cert_validation = false
> allow_invalid_hostname = false
>
>
> server = "10.0.8.31"
> port = 3306
> login = "radius"
> password = "radius"
>
>
> radius_db = "radius"
> acct_table1 = "radacct"
> acct_table2 = "radacct"
> postauth_table = "radpostauth"
> authcheck_table = "radcheck"
> groupcheck_table = "radgroupcheck"
> authreply_table = "radreply"
> groupreply_table = "radgroupreply"
> usergroup_table = "radusergroup"
>
>
> delete_stale_sessions = yes
>
>
> pool {
> start = ${thread[pool].start_servers}
> min = ${thread[pool].min_spare_servers}
> max = ${thread[pool].max_servers}
> uses = 0
> retry_delay = 30
> lifetime = 0
> idle_timeout = 60
> client_table = "nas"
> group_attribute = "SQL-Group"
> $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
> }
> root@4ff809b932fe:/# cat /etc/freeradius/radiusd.conf
>
>
> prefix = /usr
> exec_prefix = /usr
> sysconfdir = /etc
> localstatedir = /var
> sbindir = ${exec_prefix}/sbin
> logdir = /var/log/freeradius
> raddbdir = /etc/freeradius
> radacctdir = ${logdir}/radacct
>
>
> name = freeradius
>
>
> confdir = ${raddbdir}
> modconfdir = ${confdir}/mods-config
> certdir = ${confdir}/certs
> cadir = ${confdir}/certs
> run_dir = ${localstatedir}/run/${name}
>
>
> db_dir = ${raddbdir}
>
>
> libdir = /usr/lib/freeradius
>
>
> pidfile = ${run_dir}/${name}.pid
>
>
> correct_escapes = true
> max_request_time = 30
> cleanup_delay = 5
> hostname_lookups = no
> log {
> destination = files
> colourise = yes
> file = ${logdir}/radius.log
> syslog_facility = daemon
> stripped_names = no
> auth = no
> auth_badpass = no
> auth_goodpass = no
> msg_denied = "You are already logged in - access denied"
> }
> checkrad = ${sbindir}/checkrad
> ENV {
> }
>
>
> security {
> user = freerad
> group = freerad
> allow_core_dumps = no
> max_attributes = 200
> reject_delay = 1
> status_server = yes
> }
>
>
> proxy_requests = yes
> $INCLUDE proxy.conf
> $INCLUDE clients.conf
> thread pool {
> start_servers = 5
> max_servers = 32
> min_spare_servers = 3
> max_spare_servers = 10
> max_requests_per_server = 0
> modules {
> $INCLUDE mods-enabled/sql
>
>
> $INCLUDE mods-enabled/
> }
>
>
> policy {
> $INCLUDE policy.d/
> }
>
>
> $INCLUDE sites-enabled/
>
>
> root@4ff809b932fe:/# apt install mariadb-client
>
>
> root@4ff809b932fe:/# mysql -h 10.0.8.31 -uradius -p radius
> Enter password:
> Reading table information for completion of table and column names
> You can turn off this feature to get a quicker startup with -A
>
>
> Welcome to the MariaDB monitor. Commands end with ; or \g.
> Your MariaDB connection id is 3
> Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary
> distribution
>
>
> Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
>
>
> Type 'help;' or '\h' for help. Type '\c' to clear the current input
> statement.
>
>
> MariaDB [radius]> show tables;
> +------------------+
> | Tables_in_radius |
> +------------------+
> | nas |
> | radacct |
> | radcheck |
> | radgroupcheck |
> | radgroupreply |
> | radpostauth |
> | radreply |
> | radusergroup |
> +------------------+
> 8 rows in set (0.00 sec)
>
>
> MariaDB [radius]> exit
> Bye
> root@4ff809b932fe:/# exit
> exit
> ezhangiso@ezhangiso-virtual-machine:/$ docker commit radius-test
> radius-mariadb
> sha256:1b5a68d2c3c3aaf70be72f8dcbfda27a7cf63e7ba448f412b73bd5f0d8aef63b
> ezhangiso@ezhangiso-virtual-machine:/$ docker stop radius-test
> radius-test
> ezhangiso@ezhangiso-virtual-machine:/$ docker run --rm --name myradius -t
> -p1812-1813:1812-1813/udp radius-mariadb -X
> FreeRADIUS Version 3.0.25
> Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License
> For more information about these matters, see the file named COPYRIGHT
> Starting - reading configuration files ...
> including dictionary file /usr/share/freeradius/dictionary
> including dictionary file /usr/share/freeradius/dictionary.dhcp
> including dictionary file /usr/share/freeradius/dictionary.vqp
> including dictionary file /etc/freeradius/dictionary
> including configuration file /etc/freeradius/radiusd.conf
> including configuration file /etc/freeradius/proxy.conf
> including configuration file /etc/freeradius/clients.conf
> including configuration file /etc/freeradius/mods-enabled/sql
> /etc/freeradius/mods-enabled/sql[365]: Reference "${dialect}" not found
> Errors reading or parsing /etc/freeradius/radiusd.conf
> ezhangiso@ezhangiso-virtual-machine:/$
>
>
> Can anyone shed some light on this and point me in the right direction what
> else should I do?
>
> ------------------------------
>
> Message: 4
> Date: Mon, 23 Jan 2023 15:38:42 +0100
> From: Henning Kessler <maillist(a)henningkessler.de>
> To: freeradius-users(a)lists.freeradius.org
> Subject: Freeradius Google Secure LDAP EAP-GTC issues
> Message-ID: <54ECCD6B-D2B4-4F67-9E5A-89EB44B2EBE3(a)henningkessler.de>
> Content-Type: text/plain; charset=utf-8
>
> Hello,
>
> I followed this tutorial (
> https://www.nasirhafeez.com/wp-comments-post.php) for testing purposes
> several times and it worked flawlessly. several month later I wanted to put
> it in production and it stop working.
>
> This is my setup: 2 Raspberry PIs with freeradius 3.0.12 (allready tried
> the Backport version 3.2.1 as well) Unifi AC HD AccessPoints and as clients
> macOS and iOS devices (tried macOS versions 11.7 to 13.1) for testing I
> tried an Ubuntu client as well.
>
> Binding to Google LDAP works without any issues (radtest results in
> Access-Accept) I even see that the Radius server sends an ?Access-Accept?
> to the clients but shortly after the client starts another Access-Request
> an that fails with:
>
> (9) eap: ERROR: rlm_eap (EAP): No EAP session matching state
> 0x864de94f8144fc95
> (9) eap: Either EAP-request timed out OR EAP-response to an unknown
> EAP-request
> (9) eap: Failed in handler
>
> Any idea what is happening here?
>
> Here the full output of a test with freeradius -X
>
> Ready to process requests
> (0) Received Access-Request Id 18 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 253
> (0) User-Name = "klaus.mustermann"
> (0) NAS-IP-Address = 10.100.2.39
> (0) NAS-Identifier = "8283c219e7f9"
> (0) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (0) NAS-Port-Type = Wireless-802.11
> (0) Service-Type = Framed-User
> (0) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (0) Connect-Info = "CONNECT 0Mbps 802.11b"
> (0) Acct-Session-Id = "690B866461ACEC60"
> (0) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (0) Mobility-Domain-Id = 46476
> (0) WLAN-Pairwise-Cipher = 1027076
> (0) WLAN-Group-Cipher = 1027076
> (0) WLAN-AKM-Suite = 1027075
> (0) Framed-MTU = 1400
> (0) EAP-Message = 0x02670015016b6c6175732e6d75737465726d616e6e
> (0) Message-Authenticator = 0x8d4fe3c9b693e2d71ed16670b1d148a8
> (0) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (0) authorize {
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /(a)\./) {
> (0) if (&User-Name =~ /(a)\./) -> FALSE
> (0) } # if (&User-Name) = notfound
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0) [suffix] = noop
> (0) eap: Peer sent EAP Response (code 2) ID 103 length 21
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
> (0) Found Auth-Type = eap
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) authenticate {
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_ttls to process data
> (0) eap_ttls: (TLS) Initiating new session
> (0) eap: Sending EAP Request (code 1) ID 104 length 6
> (0) eap: EAP session adding &reply:State = 0x33754777331d52c5
> (0) [eap] = handled
> (0) } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) Challenge { ... } # empty sub-section is ignored
> (0) session-state: Saving cached attributes
> (0) Framed-MTU = 994
> (0) Sent Access-Challenge Id 18 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 64
> (0) EAP-Message = 0x016800061520
> (0) Message-Authenticator = 0x00000000000000000000000000000000
> (0) State = 0x33754777331d52c5d9592c39c6f43193
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 19 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 411
> (1) User-Name = "klaus.mustermann"
> (1) NAS-IP-Address = 10.100.2.39
> (1) NAS-Identifier = "8283c219e7f9"
> (1) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (1) NAS-Port-Type = Wireless-802.11
> (1) Service-Type = Framed-User
> (1) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (1) Connect-Info = "CONNECT 0Mbps 802.11b"
> (1) Acct-Session-Id = "690B866461ACEC60"
> (1) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (1) Mobility-Domain-Id = 46476
> (1) WLAN-Pairwise-Cipher = 1027076
> (1) WLAN-Group-Cipher = 1027076
> (1) WLAN-AKM-Suite = 1027075
> (1) Framed-MTU = 1400
> (1) EAP-Message =
> 0x026800a115800000009716030100920100008e030363ce9a00af0158c4304b8191e349a5c4d7e344c71cf9ceb42fc1dc05eee1d4ea00002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
> (1) State = 0x33754777331d52c5d9592c39c6f43193
> (1) Message-Authenticator = 0xaf2835db2d901930a1abf923e81f8d4b
> (1) Restoring &session-state
> (1) &session-state:Framed-MTU = 994
> (1) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (1) authorize {
> (1) policy filter_username {
> (1) if (&User-Name) {
> (1) if (&User-Name) -> TRUE
> (1) if (&User-Name) {
> (1) if (&User-Name =~ / /) {
> (1) if (&User-Name =~ / /) -> FALSE
> (1) if (&User-Name =~ /@[^@]*@/ ) {
> (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (1) if (&User-Name =~ /\.\./ ) {
> (1) if (&User-Name =~ /\.\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (1) if (&User-Name =~ /\.$/) {
> (1) if (&User-Name =~ /\.$/) -> FALSE
> (1) if (&User-Name =~ /(a)\./) {
> (1) if (&User-Name =~ /(a)\./) -> FALSE
> (1) } # if (&User-Name) = notfound
> (1) } # policy filter_username = notfound
> (1) [preprocess] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1) [suffix] = noop
> (1) eap: Peer sent EAP Response (code 2) ID 104 length 161
> (1) eap: Continuing tunnel setup
> (1) [eap] = ok
> (1) } # authorize = ok
> (1) Found Auth-Type = eap
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1) authenticate {
> (1) eap: Expiring EAP session with state 0x33754777331d52c5
> (1) eap: Finished EAP session with state 0x33754777331d52c5
> (1) eap: Previous EAP request found for state 0x33754777331d52c5, released
> from the list
> (1) eap: Peer sent packet with method EAP TTLS (21)
> (1) eap: Calling submodule eap_ttls to process data
> (1) eap_ttls: Authenticate
> (1) eap_ttls: (TLS) EAP Peer says that the final record size will be 151
> bytes
> (1) eap_ttls: (TLS) EAP Got all data (151 bytes)
> (1) eap_ttls: (TLS) Handshake state - before SSL initialization
> (1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
> (1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
> (1) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
> (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello
> (1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHello
> (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello
> (1) eap_ttls: (TLS) send TLS 1.2 Handshake, Certificate
> (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate
> (1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
> (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write key exchange
> (1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
> (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
> (1) eap_ttls: (TLS) Server : Need to read more data: SSLv3/TLS write
> server done
> (1) eap_ttls: (TLS) In Handshake Phase
> (1) eap: Sending EAP Request (code 1) ID 105 length 1004
> (1) eap: EAP session adding &reply:State = 0x33754777321c52c5
> (1) [eap] = handled
> (1) } # authenticate = handled
> (1) Using Post-Auth-Type Challenge
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1) Challenge { ... } # empty sub-section is ignored
> (1) session-state: Saving cached attributes
> (1) Framed-MTU = 994
> (1) Sent Access-Challenge Id 19 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 1068
> (1) EAP-Message =
> 0x016903ec15c000001151160303003d02000039030333251bb0257a7e942419ced1c14e2115f3355723303c682158f6d50e662be4da00c030000011ff01000100000b000403000102001700001603030eaf0b000eab000ea800071930820715308204fda0030201020208651e057cf4b3407c300d06092a864886f70d01010b05003081bd310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479312630240603550403131d42756464796272616e6420496e7465726d656469617465204341203034311f301d06092a864886f70d010901161069744062756464796272616e642e6465301e170d3233303130323030303030305a170d3235303430353233353935395a3081bb310b3009060355040613024445310f300d0603
> (1) Message-Authenticator = 0x00000000000000000000000000000000
> (1) State = 0x33754777321c52c5d9592c39c6f43193
> (1) Finished request
> Waking up in 4.8 seconds.
> (2) Received Access-Request Id 20 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 256
> (2) User-Name = "klaus.mustermann"
> (2) NAS-IP-Address = 10.100.2.39
> (2) NAS-Identifier = "8283c219e7f9"
> (2) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (2) NAS-Port-Type = Wireless-802.11
> (2) Service-Type = Framed-User
> (2) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (2) Connect-Info = "CONNECT 0Mbps 802.11b"
> (2) Acct-Session-Id = "690B866461ACEC60"
> (2) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (2) Mobility-Domain-Id = 46476
> (2) WLAN-Pairwise-Cipher = 1027076
> (2) WLAN-Group-Cipher = 1027076
> (2) WLAN-AKM-Suite = 1027075
> (2) Framed-MTU = 1400
> (2) EAP-Message = 0x026900061500
> (2) State = 0x33754777321c52c5d9592c39c6f43193
> (2) Message-Authenticator = 0x61c34e69e7f5f253a9fdf8868c0f8826
> (2) Restoring &session-state
> (2) &session-state:Framed-MTU = 994
> (2) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (2) authorize {
> (2) policy filter_username {
> (2) if (&User-Name) {
> (2) if (&User-Name) -> TRUE
> (2) if (&User-Name) {
> (2) if (&User-Name =~ / /) {
> (2) if (&User-Name =~ / /) -> FALSE
> (2) if (&User-Name =~ /@[^@]*@/ ) {
> (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (2) if (&User-Name =~ /\.\./ ) {
> (2) if (&User-Name =~ /\.\./ ) -> FALSE
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (2) if (&User-Name =~ /\.$/) {
> (2) if (&User-Name =~ /\.$/) -> FALSE
> (2) if (&User-Name =~ /(a)\./) {
> (2) if (&User-Name =~ /(a)\./) -> FALSE
> (2) } # if (&User-Name) = notfound
> (2) } # policy filter_username = notfound
> (2) [preprocess] = ok
> (2) [chap] = noop
> (2) [mschap] = noop
> (2) [digest] = noop
> (2) suffix: Checking for suffix after "@"
> (2) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (2) suffix: No such realm "NULL"
> (2) [suffix] = noop
> (2) eap: Peer sent EAP Response (code 2) ID 105 length 6
> (2) eap: Continuing tunnel setup
> (2) [eap] = ok
> (2) } # authorize = ok
> (2) Found Auth-Type = eap
> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (2) authenticate {
> (2) eap: Expiring EAP session with state 0x33754777321c52c5
> (2) eap: Finished EAP session with state 0x33754777321c52c5
> (2) eap: Previous EAP request found for state 0x33754777321c52c5, released
> from the list
> (2) eap: Peer sent packet with method EAP TTLS (21)
> (2) eap: Calling submodule eap_ttls to process data
> (2) eap_ttls: Authenticate
> (2) eap_ttls: (TLS) Peer ACKed our handshake fragment
> (2) eap: Sending EAP Request (code 1) ID 106 length 1004
> (2) eap: EAP session adding &reply:State = 0x33754777311f52c5
> (2) [eap] = handled
> (2) } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (2) Challenge { ... } # empty sub-section is ignored
> (2) session-state: Saving cached attributes
> (2) Framed-MTU = 994
> (2) Sent Access-Challenge Id 20 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 1068
> (2) EAP-Message =
> 0x016a03ec15c000001151634a5ca32fca591c963a10e1e4fc909ecc4cf2f3259d2cc70fde28bea17fe514687c8e2ceb902a9d47fde53d01733845bba3e9d6a95f90195118e26a7a98ef957393cd519e06e02ec652ceb9fef0ef8e67a1dc250203010001a382011730820113300c0603551d130101ff04023000301d0603551d0e041604140d3fc210b4abae8368f6656c2f4182ded3cba973301f0603551d23041830168014bb50e659b6554824eb10703f59de33b5ab10d343300e0603551d0f0101ff0404030203e830130603551d25040c300a06082b0601050507030130260603551d11041f301d821b6265723072616430342e696e742e62756464796272616e642e646530430603551d1f0101ff043930373035a033a031862f687474703a2f2f63726c2e62756464796272616e642e64653a383038302f696e746572636130345f63726c2e70656d301106096086480186f8420101040403020640301e06096086480186f842010d0411160f7863612063657274
> (2) Message-Authenticator = 0x00000000000000000000000000000000
> (2) State = 0x33754777311f52c5d9592c39c6f43193
> (2) Finished request
> Waking up in 4.8 seconds.
> (3) Received Access-Request Id 21 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 256
> (3) User-Name = "klaus.mustermann"
> (3) NAS-IP-Address = 10.100.2.39
> (3) NAS-Identifier = "8283c219e7f9"
> (3) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (3) NAS-Port-Type = Wireless-802.11
> (3) Service-Type = Framed-User
> (3) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (3) Connect-Info = "CONNECT 0Mbps 802.11b"
> (3) Acct-Session-Id = "690B866461ACEC60"
> (3) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (3) Mobility-Domain-Id = 46476
> (3) WLAN-Pairwise-Cipher = 1027076
> (3) WLAN-Group-Cipher = 1027076
> (3) WLAN-AKM-Suite = 1027075
> (3) Framed-MTU = 1400
> (3) EAP-Message = 0x026a00061500
> (3) State = 0x33754777311f52c5d9592c39c6f43193
> (3) Message-Authenticator = 0xc8e04779851766a986a21ceea4790d00
> (3) Restoring &session-state
> (3) &session-state:Framed-MTU = 994
> (3) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (3) authorize {
> (3) policy filter_username {
> (3) if (&User-Name) {
> (3) if (&User-Name) -> TRUE
> (3) if (&User-Name) {
> (3) if (&User-Name =~ / /) {
> (3) if (&User-Name =~ / /) -> FALSE
> (3) if (&User-Name =~ /@[^@]*@/ ) {
> (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (3) if (&User-Name =~ /\.\./ ) {
> (3) if (&User-Name =~ /\.\./ ) -> FALSE
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (3) if (&User-Name =~ /\.$/) {
> (3) if (&User-Name =~ /\.$/) -> FALSE
> (3) if (&User-Name =~ /(a)\./) {
> (3) if (&User-Name =~ /(a)\./) -> FALSE
> (3) } # if (&User-Name) = notfound
> (3) } # policy filter_username = notfound
> (3) [preprocess] = ok
> (3) [chap] = noop
> (3) [mschap] = noop
> (3) [digest] = noop
> (3) suffix: Checking for suffix after "@"
> (3) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (3) suffix: No such realm "NULL"
> (3) [suffix] = noop
> (3) eap: Peer sent EAP Response (code 2) ID 106 length 6
> (3) eap: Continuing tunnel setup
> (3) [eap] = ok
> (3) } # authorize = ok
> (3) Found Auth-Type = eap
> (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (3) authenticate {
> (3) eap: Expiring EAP session with state 0x33754777311f52c5
> (3) eap: Finished EAP session with state 0x33754777311f52c5
> (3) eap: Previous EAP request found for state 0x33754777311f52c5, released
> from the list
> (3) eap: Peer sent packet with method EAP TTLS (21)
> (3) eap: Calling submodule eap_ttls to process data
> (3) eap_ttls: Authenticate
> (3) eap_ttls: (TLS) Peer ACKed our handshake fragment
> (3) eap: Sending EAP Request (code 1) ID 107 length 1004
> (3) eap: EAP session adding &reply:State = 0x33754777301e52c5
> (3) [eap] = handled
> (3) } # authenticate = handled
> (3) Using Post-Auth-Type Challenge
> (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (3) Challenge { ... } # empty sub-section is ignored
> (3) session-state: Saving cached attributes
> (3) Framed-MTU = 994
> (3) Sent Access-Challenge Id 21 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 1068
> (3) EAP-Message =
> 0x016b03ec15c0000011516e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479311b30190603550403131242756464796272616e6420526f6f74204341311f301d06092a864886f70d010901161069744062756464796272616e642e6465301e170d3231303432333131353030305a170d3331303432333131353030305a3081bd310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479312630240603550403131d42756464796272616e6420496e7465726d656469617465204341203034311f301d06092a864886f70d010901161069744062756464796272616e642e646530820222300d06092a
> (3) Message-Authenticator = 0x00000000000000000000000000000000
> (3) State = 0x33754777301e52c5d9592c39c6f43193
> (3) Finished request
> Waking up in 4.8 seconds.
> (4) Received Access-Request Id 22 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 256
> (4) User-Name = "klaus.mustermann"
> (4) NAS-IP-Address = 10.100.2.39
> (4) NAS-Identifier = "8283c219e7f9"
> (4) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (4) NAS-Port-Type = Wireless-802.11
> (4) Service-Type = Framed-User
> (4) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (4) Connect-Info = "CONNECT 0Mbps 802.11b"
> (4) Acct-Session-Id = "690B866461ACEC60"
> (4) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (4) Mobility-Domain-Id = 46476
> (4) WLAN-Pairwise-Cipher = 1027076
> (4) WLAN-Group-Cipher = 1027076
> (4) WLAN-AKM-Suite = 1027075
> (4) Framed-MTU = 1400
> (4) EAP-Message = 0x026b00061500
> (4) State = 0x33754777301e52c5d9592c39c6f43193
> (4) Message-Authenticator = 0x8ebe69d74f104b81490506fbfd4fcc22
> (4) Restoring &session-state
> (4) &session-state:Framed-MTU = 994
> (4) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (4) authorize {
> (4) policy filter_username {
> (4) if (&User-Name) {
> (4) if (&User-Name) -> TRUE
> (4) if (&User-Name) {
> (4) if (&User-Name =~ / /) {
> (4) if (&User-Name =~ / /) -> FALSE
> (4) if (&User-Name =~ /@[^@]*@/ ) {
> (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (4) if (&User-Name =~ /\.\./ ) {
> (4) if (&User-Name =~ /\.\./ ) -> FALSE
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (4) if (&User-Name =~ /\.$/) {
> (4) if (&User-Name =~ /\.$/) -> FALSE
> (4) if (&User-Name =~ /(a)\./) {
> (4) if (&User-Name =~ /(a)\./) -> FALSE
> (4) } # if (&User-Name) = notfound
> (4) } # policy filter_username = notfound
> (4) [preprocess] = ok
> (4) [chap] = noop
> (4) [mschap] = noop
> (4) [digest] = noop
> (4) suffix: Checking for suffix after "@"
> (4) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (4) suffix: No such realm "NULL"
> (4) [suffix] = noop
> (4) eap: Peer sent EAP Response (code 2) ID 107 length 6
> (4) eap: Continuing tunnel setup
> (4) [eap] = ok
> (4) } # authorize = ok
> (4) Found Auth-Type = eap
> (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (4) authenticate {
> (4) eap: Expiring EAP session with state 0x33754777301e52c5
> (4) eap: Finished EAP session with state 0x33754777301e52c5
> (4) eap: Previous EAP request found for state 0x33754777301e52c5, released
> from the list
> (4) eap: Peer sent packet with method EAP TTLS (21)
> (4) eap: Calling submodule eap_ttls to process data
> (4) eap_ttls: Authenticate
> (4) eap_ttls: (TLS) Peer ACKed our handshake fragment
> (4) eap: Sending EAP Request (code 1) ID 108 length 1004
> (4) eap: EAP session adding &reply:State = 0x33754777371952c5
> (4) [eap] = handled
> (4) } # authenticate = handled
> (4) Using Post-Auth-Type Challenge
> (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (4) Challenge { ... } # empty sub-section is ignored
> (4) session-state: Saving cached attributes
> (4) Framed-MTU = 994
> (4) Sent Access-Challenge Id 22 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 1068
> (4) EAP-Message =
> 0x016c03ec15c00000115155040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479311b30190603550403131242756464796272616e6420526f6f74204341311f301d06092a864886f70d010901161069744062756464796272616e642e64658209009ce5d9f001129991300e0603551d0f0101ff04040302018630400603551d1f0101ff043630343032a030a02e862c687474703a2f2f63726c2e62756464796272616e642e64653a383038302f726f6f7463615f63726c2e70656d301106096086480186f8420101040403020007301e06096086480186f842010d0411160f786361206365727469666963617465300d06092a864886f70d01010b0500038202010014ba00b7b369be8d469dc9fe7cb4ea2b8b69f5ddf664529e7cfa7e5c23
> (4) Message-Authenticator = 0x00000000000000000000000000000000
> (4) State = 0x33754777371952c5d9592c39c6f43193
> (4) Finished request
> Waking up in 4.7 seconds.
> (5) Received Access-Request Id 23 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 256
> (5) User-Name = "klaus.mustermann"
> (5) NAS-IP-Address = 10.100.2.39
> (5) NAS-Identifier = "8283c219e7f9"
> (5) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (5) NAS-Port-Type = Wireless-802.11
> (5) Service-Type = Framed-User
> (5) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (5) Connect-Info = "CONNECT 0Mbps 802.11b"
> (5) Acct-Session-Id = "690B866461ACEC60"
> (5) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (5) Mobility-Domain-Id = 46476
> (5) WLAN-Pairwise-Cipher = 1027076
> (5) WLAN-Group-Cipher = 1027076
> (5) WLAN-AKM-Suite = 1027075
> (5) Framed-MTU = 1400
> (5) EAP-Message = 0x026c00061500
> (5) State = 0x33754777371952c5d9592c39c6f43193
> (5) Message-Authenticator = 0x2954664567eb90b58df983559fafc7ef
> (5) Restoring &session-state
> (5) &session-state:Framed-MTU = 994
> (5) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (5) authorize {
> (5) policy filter_username {
> (5) if (&User-Name) {
> (5) if (&User-Name) -> TRUE
> (5) if (&User-Name) {
> (5) if (&User-Name =~ / /) {
> (5) if (&User-Name =~ / /) -> FALSE
> (5) if (&User-Name =~ /@[^@]*@/ ) {
> (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (5) if (&User-Name =~ /\.\./ ) {
> (5) if (&User-Name =~ /\.\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (5) if (&User-Name =~ /\.$/) {
> (5) if (&User-Name =~ /\.$/) -> FALSE
> (5) if (&User-Name =~ /(a)\./) {
> (5) if (&User-Name =~ /(a)\./) -> FALSE
> (5) } # if (&User-Name) = notfound
> (5) } # policy filter_username = notfound
> (5) [preprocess] = ok
> (5) [chap] = noop
> (5) [mschap] = noop
> (5) [digest] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (5) suffix: No such realm "NULL"
> (5) [suffix] = noop
> (5) eap: Peer sent EAP Response (code 2) ID 108 length 6
> (5) eap: Continuing tunnel setup
> (5) [eap] = ok
> (5) } # authorize = ok
> (5) Found Auth-Type = eap
> (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (5) authenticate {
> (5) eap: Expiring EAP session with state 0x33754777371952c5
> (5) eap: Finished EAP session with state 0x33754777371952c5
> (5) eap: Previous EAP request found for state 0x33754777371952c5, released
> from the list
> (5) eap: Peer sent packet with method EAP TTLS (21)
> (5) eap: Calling submodule eap_ttls to process data
> (5) eap_ttls: Authenticate
> (5) eap_ttls: (TLS) Peer ACKed our handshake fragment
> (5) eap: Sending EAP Request (code 1) ID 109 length 467
> (5) eap: EAP session adding &reply:State = 0x33754777361852c5
> (5) [eap] = handled
> (5) } # authenticate = handled
> (5) Using Post-Auth-Type Challenge
> (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (5) Challenge { ... } # empty sub-section is ignored
> (5) session-state: Saving cached attributes
> (5) Framed-MTU = 994
> (5) Sent Access-Challenge Id 23 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 527
> (5) EAP-Message =
> 0x016d01d3158000001151c7ae0d9a4018dc0ce7aab22f77890b68228d8c81607a7cd59e58e5b314f938dfe8d81ca660735e53afd3f6eb0939e78859296a954ea1d3046dbcf4333aa72aaad39f3f152ab2b3a2ed59dc1bfdbc773787acbba803d0201cda94c46c440afa65d844464271d2a2dcb7e409ff9c9c30a411ea245b8c2424110ac5191f2c594afe070d15b670dd08c238fd3b672b5bbed9bc7141c3b6e95b61bb78889da5182b33b0883e08339b927b4fd0ef118175f30d3e232be2fc5c92ef1eae2a30a21ba88a0477b8a0a89b903ea37327d4b41dc15ac604f4c057eff9a454748056d6b919f4756ee70de3878196b23441f9252252e5ee8bebe2519a11cb9967ff91ce3d43a9f3e3e39e82277f7bc39200d0e9d8178afdf2b479684b66ee8b2c6b6d258d172684d801780ede278d3c6bbce36875649bc181dcecd10a2ecc83bc920f0b97cf3f2b51a234b69f88e884f5c248fb1062aba73cb402765bf2005825f8379389178cafae7ad9723c0f9e3f63b375c2
> (5) Message-Authenticator = 0x00000000000000000000000000000000
> (5) State = 0x33754777361852c5d9592c39c6f43193
> (5) Finished request
> Waking up in 4.7 seconds.
> (6) Received Access-Request Id 24 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 386
> (6) User-Name = "klaus.mustermann"
> (6) NAS-IP-Address = 10.100.2.39
> (6) NAS-Identifier = "8283c219e7f9"
> (6) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (6) NAS-Port-Type = Wireless-802.11
> (6) Service-Type = Framed-User
> (6) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (6) Connect-Info = "CONNECT 0Mbps 802.11b"
> (6) Acct-Session-Id = "690B866461ACEC60"
> (6) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (6) Mobility-Domain-Id = 46476
> (6) WLAN-Pairwise-Cipher = 1027076
> (6) WLAN-Group-Cipher = 1027076
> (6) WLAN-AKM-Suite = 1027075
> (6) Framed-MTU = 1400
> (6) EAP-Message =
> 0x026d008815800000007e16030300461000004241041bdfa74e961e11ce04aae11e59adff899c7e45c93c23a868913c8e6dbc6b61c8c93027484c43331a120609e34bb63d4a01335611c152662eda522aa015747d24140303000101160303002896671043239b41663014b73a88eb2b056a398cc8c31e8c6f1940273f2cc64b884907fe10b3c697de
> (6) State = 0x33754777361852c5d9592c39c6f43193
> (6) Message-Authenticator = 0x02f8f3ac8779506b6dc11ac581eb8a01
> (6) Restoring &session-state
> (6) &session-state:Framed-MTU = 994
> (6) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (6) authorize {
> (6) policy filter_username {
> (6) if (&User-Name) {
> (6) if (&User-Name) -> TRUE
> (6) if (&User-Name) {
> (6) if (&User-Name =~ / /) {
> (6) if (&User-Name =~ / /) -> FALSE
> (6) if (&User-Name =~ /@[^@]*@/ ) {
> (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (6) if (&User-Name =~ /\.\./ ) {
> (6) if (&User-Name =~ /\.\./ ) -> FALSE
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (6) if (&User-Name =~ /\.$/) {
> (6) if (&User-Name =~ /\.$/) -> FALSE
> (6) if (&User-Name =~ /(a)\./) {
> (6) if (&User-Name =~ /(a)\./) -> FALSE
> (6) } # if (&User-Name) = notfound
> (6) } # policy filter_username = notfound
> (6) [preprocess] = ok
> (6) [chap] = noop
> (6) [mschap] = noop
> (6) [digest] = noop
> (6) suffix: Checking for suffix after "@"
> (6) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (6) suffix: No such realm "NULL"
> (6) [suffix] = noop
> (6) eap: Peer sent EAP Response (code 2) ID 109 length 136
> (6) eap: Continuing tunnel setup
> (6) [eap] = ok
> (6) } # authorize = ok
> (6) Found Auth-Type = eap
> (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (6) authenticate {
> (6) eap: Expiring EAP session with state 0x33754777361852c5
> (6) eap: Finished EAP session with state 0x33754777361852c5
> (6) eap: Previous EAP request found for state 0x33754777361852c5, released
> from the list
> (6) eap: Peer sent packet with method EAP TTLS (21)
> (6) eap: Calling submodule eap_ttls to process data
> (6) eap_ttls: Authenticate
> (6) eap_ttls: (TLS) EAP Peer says that the final record size will be 126
> bytes
> (6) eap_ttls: (TLS) EAP Got all data (126 bytes)
> (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
> (6) eap_ttls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
> (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client key
> exchange
> (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read change cipher
> spec
> (6) eap_ttls: (TLS) recv TLS 1.2 Handshake, Finished
> (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished
> (6) eap_ttls: (TLS) send TLS 1.2 ChangeCipherSpec
> (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher
> spec
> (6) eap_ttls: (TLS) send TLS 1.2 Handshake, Finished
> (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished
> (6) eap_ttls: (TLS) Handshake state - SSL negotiation finished successfully
> (6) eap_ttls: (TLS) Connection Established
> (6) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
> (6) eap_ttls: TLS-Session-Version = "TLS 1.2"
> (6) eap: Sending EAP Request (code 1) ID 110 length 61
> (6) eap: EAP session adding &reply:State = 0x33754777351b52c5
> (6) [eap] = handled
> (6) } # authenticate = handled
> (6) Using Post-Auth-Type Challenge
> (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (6) Challenge { ... } # empty sub-section is ignored
> (6) session-state: Saving cached attributes
> (6) Framed-MTU = 994
> (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
> (6) TLS-Session-Version = "TLS 1.2"
> (6) Sent Access-Challenge Id 24 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 119
> (6) EAP-Message =
> 0x016e003d1580000000331403030001011603030028c5e315035630988a3b83c13d63026f7f68b51fc4cae498e85bec63a7b3beba6177951acbd7c9e48e
> (6) Message-Authenticator = 0x00000000000000000000000000000000
> (6) State = 0x33754777351b52c5d9592c39c6f43193
> (6) Finished request
> Waking up in 4.7 seconds.
> (7) Received Access-Request Id 25 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 321
> (7) User-Name = "klaus.mustermann"
> (7) NAS-IP-Address = 10.100.2.39
> (7) NAS-Identifier = "8283c219e7f9"
> (7) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (7) NAS-Port-Type = Wireless-802.11
> (7) Service-Type = Framed-User
> (7) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (7) Connect-Info = "CONNECT 0Mbps 802.11b"
> (7) Acct-Session-Id = "690B866461ACEC60"
> (7) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (7) Mobility-Domain-Id = 46476
> (7) WLAN-Pairwise-Cipher = 1027076
> (7) WLAN-Group-Cipher = 1027076
> (7) WLAN-AKM-Suite = 1027075
> (7) Framed-MTU = 1400
> (7) EAP-Message =
> 0x026e004715800000003d170303003896671043239b4167e00afbeca8b555b120c23769698d81a6b5a879ecc3c8fd3cd740dc135bdef5fcadd7fda6a166609e4d7957502348d9f3
> (7) State = 0x33754777351b52c5d9592c39c6f43193
> (7) Message-Authenticator = 0xa8b841519028def71e27cfef249be756
> (7) Restoring &session-state
> (7) &session-state:Framed-MTU = 994
> (7) &session-state:TLS-Session-Cipher-Suite =
> "ECDHE-RSA-AES256-GCM-SHA384"
> (7) &session-state:TLS-Session-Version = "TLS 1.2"
> (7) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (7) authorize {
> (7) policy filter_username {
> (7) if (&User-Name) {
> (7) if (&User-Name) -> TRUE
> (7) if (&User-Name) {
> (7) if (&User-Name =~ / /) {
> (7) if (&User-Name =~ / /) -> FALSE
> (7) if (&User-Name =~ /@[^@]*@/ ) {
> (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (7) if (&User-Name =~ /\.\./ ) {
> (7) if (&User-Name =~ /\.\./ ) -> FALSE
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (7) if (&User-Name =~ /\.$/) {
> (7) if (&User-Name =~ /\.$/) -> FALSE
> (7) if (&User-Name =~ /(a)\./) {
> (7) if (&User-Name =~ /(a)\./) -> FALSE
> (7) } # if (&User-Name) = notfound
> (7) } # policy filter_username = notfound
> (7) [preprocess] = ok
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) [digest] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7) [suffix] = noop
> (7) eap: Peer sent EAP Response (code 2) ID 110 length 71
> (7) eap: Continuing tunnel setup
> (7) [eap] = ok
> (7) } # authorize = ok
> (7) Found Auth-Type = eap
> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (7) authenticate {
> (7) eap: Expiring EAP session with state 0x33754777351b52c5
> (7) eap: Finished EAP session with state 0x33754777351b52c5
> (7) eap: Previous EAP request found for state 0x33754777351b52c5, released
> from the list
> (7) eap: Peer sent packet with method EAP TTLS (21)
> (7) eap: Calling submodule eap_ttls to process data
> (7) eap_ttls: Authenticate
> (7) eap_ttls: (TLS) EAP Peer says that the final record size will be 61
> bytes
> (7) eap_ttls: (TLS) EAP Got all data (61 bytes)
> (7) eap_ttls: Session established. Proceeding to decode tunneled
> attributes
> (7) eap_ttls: Got tunneled request
> (7) eap_ttls: EAP-Message = 0x02000015016b6c6175732e6d75737465726d616e6e
> (7) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
> (7) eap_ttls: Got tunneled identity of klaus.mustermann
> (7) eap_ttls: Setting default EAP type for tunneled EAP session
> (7) eap_ttls: Sending tunneled request
> (7) Virtual server inner-tunnel received request
> (7) EAP-Message = 0x02000015016b6c6175732e6d75737465726d616e6e
> (7) FreeRADIUS-Proxied-To = 127.0.0.1
> (7) User-Name = "klaus.mustermann"
> (7) WARNING: Outer and inner identities are the same. User privacy is
> compromised.
> (7) server inner-tunnel {
> (7) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (7) authorize {
> (7) policy filter_username {
> (7) if (&User-Name) {
> (7) if (&User-Name) -> TRUE
> (7) if (&User-Name) {
> (7) if (&User-Name =~ / /) {
> (7) if (&User-Name =~ / /) -> FALSE
> (7) if (&User-Name =~ /@[^@]*@/ ) {
> (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (7) if (&User-Name =~ /\.\./ ) {
> (7) if (&User-Name =~ /\.\./ ) -> FALSE
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (7) if (&User-Name =~ /\.$/) {
> (7) if (&User-Name =~ /\.$/) -> FALSE
> (7) if (&User-Name =~ /(a)\./) {
> (7) if (&User-Name =~ /(a)\./) -> FALSE
> (7) } # if (&User-Name) = notfound
> (7) } # policy filter_username = notfound
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7) [suffix] = noop
> (7) update control {
> (7) &Proxy-To-Realm := LOCAL
> (7) } # update control = noop
> (7) eap: Peer sent EAP Response (code 2) ID 0 length 21
> (7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (7) [eap] = ok
> (7) } # authorize = ok
> (7) Found Auth-Type = eap
> (7) # Executing group from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (7) authenticate {
> (7) eap: Peer sent packet with method EAP Identity (1)
> (7) eap: Calling submodule eap_gtc to process data
> (7) eap_gtc: EXPAND Password:
> (7) eap_gtc: --> Password:
> (7) eap: Sending EAP Request (code 1) ID 1 length 15
> (7) eap: EAP session adding &reply:State = 0xb4a2b867b4a3bebf
> (7) [eap] = handled
> (7) } # authenticate = handled
> (7) } # server inner-tunnel
> (7) Virtual server sending reply
> (7) EAP-Message = 0x0101000f0650617373776f72643a20
> (7) Message-Authenticator = 0x00000000000000000000000000000000
> (7) State = 0xb4a2b867b4a3bebfd5edaac839855c28
> (7) eap_ttls: Got tunneled Access-Challenge
> (7) eap: Sending EAP Request (code 1) ID 111 length 63
> (7) eap: EAP session adding &reply:State = 0x33754777341a52c5
> (7) [eap] = handled
> (7) } # authenticate = handled
> (7) Using Post-Auth-Type Challenge
> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (7) Challenge { ... } # empty sub-section is ignored
> (7) session-state: Saving cached attributes
> (7) Framed-MTU = 994
> (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
> (7) TLS-Session-Version = "TLS 1.2"
> (7) Sent Access-Challenge Id 25 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 121
> (7) EAP-Message =
> 0x016f003f1580000000351703030030c5e315035630988b4ad830befda4dba2a51fa8f9388f8da63a7ea11b76e432bbb988ecf99f49e2ebe5cd501621aec81b
> (7) Message-Authenticator = 0x00000000000000000000000000000000
> (7) State = 0x33754777341a52c5d9592c39c6f43193
> (7) Finished request
> Waking up in 4.6 seconds.
> (8) Received Access-Request Id 26 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 317
> (8) User-Name = "klaus.mustermann"
> (8) NAS-IP-Address = 10.100.2.39
> (8) NAS-Identifier = "8283c219e7f9"
> (8) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (8) NAS-Port-Type = Wireless-802.11
> (8) Service-Type = Framed-User
> (8) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (8) Connect-Info = "CONNECT 0Mbps 802.11b"
> (8) Acct-Session-Id = "690B866461ACEC60"
> (8) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (8) Mobility-Domain-Id = 46476
> (8) WLAN-Pairwise-Cipher = 1027076
> (8) WLAN-Group-Cipher = 1027076
> (8) WLAN-AKM-Suite = 1027075
> (8) Framed-MTU = 1400
> (8) EAP-Message =
> 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7
> (8) State = 0x33754777341a52c5d9592c39c6f43193
> (8) Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a
> (8) Restoring &session-state
> (8) &session-state:Framed-MTU = 994
> (8) &session-state:TLS-Session-Cipher-Suite =
> "ECDHE-RSA-AES256-GCM-SHA384"
> (8) &session-state:TLS-Session-Version = "TLS 1.2"
> (8) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (8) authorize {
> (8) policy filter_username {
> (8) if (&User-Name) {
> (8) if (&User-Name) -> TRUE
> (8) if (&User-Name) {
> (8) if (&User-Name =~ / /) {
> (8) if (&User-Name =~ / /) -> FALSE
> (8) if (&User-Name =~ /@[^@]*@/ ) {
> (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (8) if (&User-Name =~ /\.\./ ) {
> (8) if (&User-Name =~ /\.\./ ) -> FALSE
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (8) if (&User-Name =~ /\.$/) {
> (8) if (&User-Name =~ /\.$/) -> FALSE
> (8) if (&User-Name =~ /(a)\./) {
> (8) if (&User-Name =~ /(a)\./) -> FALSE
> (8) } # if (&User-Name) = notfound
> (8) } # policy filter_username = notfound
> (8) [preprocess] = ok
> (8) [chap] = noop
> (8) [mschap] = noop
> (8) [digest] = noop
> (8) suffix: Checking for suffix after "@"
> (8) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (8) suffix: No such realm "NULL"
> (8) [suffix] = noop
> (8) eap: Peer sent EAP Response (code 2) ID 111 length 67
> (8) eap: Continuing tunnel setup
> (8) [eap] = ok
> (8) } # authorize = ok
> (8) Found Auth-Type = eap
> (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (8) authenticate {
> (8) eap: Expiring EAP session with state 0xb4a2b867b4a3bebf
> (8) eap: Finished EAP session with state 0x33754777341a52c5
> (8) eap: Previous EAP request found for state 0x33754777341a52c5, released
> from the list
> (8) eap: Peer sent packet with method EAP TTLS (21)
> (8) eap: Calling submodule eap_ttls to process data
> (8) eap_ttls: Authenticate
> (8) eap_ttls: (TLS) EAP Peer says that the final record size will be 57
> bytes
> (8) eap_ttls: (TLS) EAP Got all data (57 bytes)
> (8) eap_ttls: Session established. Proceeding to decode tunneled
> attributes
> (8) eap_ttls: Got tunneled request
> (8) eap_ttls: EAP-Message = 0x0201001306736167616e382e53697a61626c65
> (8) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
> (8) eap_ttls: Sending tunneled request
> (8) Virtual server inner-tunnel received request
> (8) EAP-Message = 0x0201001306736167616e382e53697a61626c65
> (8) FreeRADIUS-Proxied-To = 127.0.0.1
> (8) User-Name = "klaus.mustermann"
> (8) State = 0xb4a2b867b4a3bebfd5edaac839855c28
> (8) WARNING: Outer and inner identities are the same. User privacy is
> compromised.
> (8) server inner-tunnel {
> (8) session-state: No cached attributes
> (8) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (8) authorize {
> (8) policy filter_username {
> (8) if (&User-Name) {
> (8) if (&User-Name) -> TRUE
> (8) if (&User-Name) {
> (8) if (&User-Name =~ / /) {
> (8) if (&User-Name =~ / /) -> FALSE
> (8) if (&User-Name =~ /@[^@]*@/ ) {
> (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (8) if (&User-Name =~ /\.\./ ) {
> (8) if (&User-Name =~ /\.\./ ) -> FALSE
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (8) if (&User-Name =~ /\.$/) {
> (8) if (&User-Name =~ /\.$/) -> FALSE
> (8) if (&User-Name =~ /(a)\./) {
> (8) if (&User-Name =~ /(a)\./) -> FALSE
> (8) } # if (&User-Name) = notfound
> (8) } # policy filter_username = notfound
> (8) [chap] = noop
> (8) [mschap] = noop
> (8) suffix: Checking for suffix after "@"
> (8) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (8) suffix: No such realm "NULL"
> (8) [suffix] = noop
> (8) update control {
> (8) &Proxy-To-Realm := LOCAL
> (8) } # update control = noop
> (8) eap: Peer sent EAP Response (code 2) ID 1 length 19
> (8) eap: No EAP Start, assuming it's an on-going EAP conversation
> (8) [eap] = updated
> (8) [files] = noop
> rlm_ldap (ldap): Reserved connection (0)
> (8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (8) ldap: --> (uid=klaus.mustermann)
> (8) ldap: Performing search in "dc=pretendco,dc=de" with filter
> "(uid=klaus.mustermann)", scope "sub"
> (8) ldap: Waiting for search result...
> (8) ldap: User object found at DN "uid=klaus.mustermann,ou=Standard
> Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de"
> (8) ldap: Processing user attributes
> (8) ldap: WARNING: No "known good" password added. Ensure the admin user
> has permission to read the password attribute
> (8) ldap: WARNING: PAP authentication will *NOT* work with Active
> Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Released connection (0)
> Need more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
> used
> rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
> rlm_ldap (ldap): Waiting for bind result...
> ber_get_next failed, errno=11.
> rlm_ldap (ldap): Bind successful
> (8) [ldap] = ok
> (8) [expiration] = noop
> (8) [logintime] = noop
> (8) [pap] = noop
> (8) if (User-Password) {
> (8) if (User-Password) -> FALSE
> (8) } # authorize = updated
> (8) Found Auth-Type = eap
> (8) # Executing group from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (8) authenticate {
> (8) eap: Expiring EAP session with state 0xb4a2b867b4a3bebf
> (8) eap: Finished EAP session with state 0xb4a2b867b4a3bebf
> (8) eap: Previous EAP request found for state 0xb4a2b867b4a3bebf, released
> from the list
> (8) eap: Peer sent packet with method EAP GTC (6)
> (8) eap: Calling submodule eap_gtc to process data
> (8) eap_gtc: # Executing group from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (8) eap_gtc: Auth-Type PAP {
> rlm_ldap (ldap): Reserved connection (1)
> (8) ldap: Login attempt by "klaus.mustermann"
> (8) ldap: Using user DN from request "uid=klaus.mustermann,ou=Standard
> Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de"
> (8) ldap: Waiting for bind result...
> (8) ldap: Bind successful
> (8) ldap: Bind as user "uid=klaus.mustermann,ou=Standard
> Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de" was successful
> rlm_ldap (ldap): Released connection (1)
> Need more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots
> used
> rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
> rlm_ldap (ldap): Waiting for bind result...
> ber_get_next failed, errno=11.
> rlm_ldap (ldap): Bind successful
> (8) eap_gtc: [ldap] = ok
> (8) eap_gtc: } # Auth-Type PAP = ok
> (8) eap: Sending EAP Success (code 3) ID 1 length 4
> (8) eap: Freeing handler
> (8) [eap] = ok
> (8) } # authenticate = ok
> (8) # Executing section post-auth from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (8) post-auth {
> (8) if (0) {
> (8) if (0) -> FALSE
> (8) } # post-auth = noop
> (8) } # server inner-tunnel
> (8) Virtual server sending reply
> (8) EAP-Message = 0x03010004
> (8) Message-Authenticator = 0x00000000000000000000000000000000
> (8) User-Name = "klaus.mustermann"
> (8) eap_ttls: Got tunneled Access-Accept
> (8) eap: Sending EAP Success (code 3) ID 111 length 4
> (8) eap: Freeing handler
> (8) [eap] = ok
> (8) } # authenticate = ok
> (8) # Executing section post-auth from file
> /etc/freeradius/3.0/sites-enabled/default
> (8) post-auth {
> (8) if (session-state:User-Name && reply:User-Name &&
> request:User-Name && (reply:User-Name == request:User-Name)) {
> (8) if (session-state:User-Name && reply:User-Name &&
> request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
> (8) update {
> (8) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
> (8) &reply::TLS-Session-Cipher-Suite +=
> &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
> (8) &reply::TLS-Session-Version +=
> &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
> (8) } # update = noop
> (8) [exec] = noop
> (8) policy remove_reply_message_if_eap {
> (8) if (&reply:EAP-Message && &reply:Reply-Message) {
> (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (8) else {
> (8) [noop] = noop
> (8) } # else = noop
> (8) } # policy remove_reply_message_if_eap = noop
> (8) } # post-auth = noop
> (8) Sent Access-Accept Id 26 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 184
> (8) MS-MPPE-Recv-Key =
> 0xeb472d316fdc874c9b4fab09804dffb9627d034a793910ca0f276473f2db3e62
> (8) MS-MPPE-Send-Key =
> 0x3cde6513ea1f92c64ee3d938a85980091ecccdeb288c640f958a8f0d4324af64
> (8) EAP-Message = 0x036f0004
> (8) Message-Authenticator = 0x00000000000000000000000000000000
> (8) User-Name = "klaus.mustermann"
> (8) Framed-MTU += 994
> (8) Finished request
> Waking up in 1.1 seconds.
> (9) Received Access-Request Id 26 from 10.100.2.39:38737 to
> 10.100.1.65:1812 length 317
> (9) User-Name = "klaus.mustermann"
> (9) NAS-IP-Address = 10.100.2.39
> (9) NAS-Identifier = "8283c219e7f9"
> (9) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (9) NAS-Port-Type = Wireless-802.11
> (9) Service-Type = Framed-User
> (9) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (9) Connect-Info = "CONNECT 0Mbps 802.11b"
> (9) Acct-Session-Id = "690B866461ACEC60"
> (9) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (9) Mobility-Domain-Id = 46476
> (9) WLAN-Pairwise-Cipher = 1027076
> (9) WLAN-Group-Cipher = 1027076
> (9) WLAN-AKM-Suite = 1027075
> (9) Framed-MTU = 1400
> (9) EAP-Message =
> 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7
> (9) State = 0x33754777341a52c5d9592c39c6f43193
> (9) Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a
> (9) session-state: No cached attributes
> (9) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (9) authorize {
> (9) policy filter_username {
> (9) if (&User-Name) {
> (9) if (&User-Name) -> TRUE
> (9) if (&User-Name) {
> (9) if (&User-Name =~ / /) {
> (9) if (&User-Name =~ / /) -> FALSE
> (9) if (&User-Name =~ /@[^@]*@/ ) {
> (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (9) if (&User-Name =~ /\.\./ ) {
> (9) if (&User-Name =~ /\.\./ ) -> FALSE
> (9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (9) if (&User-Name =~ /\.$/) {
> (9) if (&User-Name =~ /\.$/) -> FALSE
> (9) if (&User-Name =~ /(a)\./) {
> (9) if (&User-Name =~ /(a)\./) -> FALSE
> (9) } # if (&User-Name) = notfound
> (9) } # policy filter_username = notfound
> (9) [preprocess] = ok
> (9) [chap] = noop
> (9) [mschap] = noop
> (9) [digest] = noop
> (9) suffix: Checking for suffix after "@"
> (9) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (9) suffix: No such realm "NULL"
> (9) [suffix] = noop
> (9) eap: Peer sent EAP Response (code 2) ID 111 length 67
> (9) eap: Continuing tunnel setup
> (9) [eap] = ok
> (9) } # authorize = ok
> (9) Found Auth-Type = eap
> (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (9) authenticate {
> (9) eap: ERROR: rlm_eap (EAP): No EAP session matching state
> 0x33754777341a52c5
> (9) eap: Either EAP-request timed out OR EAP-response to an unknown
> EAP-request
> (9) eap: Failed in handler
> (9) [eap] = invalid
> (9) } # authenticate = invalid
> (9) Failed to authenticate the user
> (9) Using Post-Auth-Type Reject
> (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (9) Post-Auth-Type REJECT {
> (9) attr_filter.access_reject: EXPAND %{User-Name}
> (9) attr_filter.access_reject: --> klaus.mustermann
> (9) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (9) [attr_filter.access_reject] = updated
> (9) eap: ERROR: rlm_eap (EAP): No EAP session matching state
> 0x33754777341a52c5
> (9) eap: Either EAP-request timed out OR EAP-response to an unknown
> EAP-request
> (9) eap: Failed to get handler, probably already removed, not inserting
> EAP-Failure
> (9) [eap] = noop
> (9) policy remove_reply_message_if_eap {
> (9) if (&reply:EAP-Message && &reply:Reply-Message) {
> (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (9) else {
> (9) [noop] = noop
> (9) } # else = noop
> (9) } # policy remove_reply_message_if_eap = noop
> (9) } # Post-Auth-Type REJECT = updated
> (9) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (10) Received Access-Request Id 26 from 10.100.2.39:45497 to
> 10.100.1.65:1812 length 317
> (10) User-Name = "klaus.mustermann"
> (10) NAS-IP-Address = 10.100.2.39
> (10) NAS-Identifier = "8283c219e7f9"
> (10) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (10) NAS-Port-Type = Wireless-802.11
> (10) Service-Type = Framed-User
> (10) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (10) Connect-Info = "CONNECT 0Mbps 802.11b"
> (10) Acct-Session-Id = "690B866461ACEC60"
> (10) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (10) Mobility-Domain-Id = 46476
> (10) WLAN-Pairwise-Cipher = 1027076
> (10) WLAN-Group-Cipher = 1027076
> (10) WLAN-AKM-Suite = 1027075
> (10) Framed-MTU = 1400
> (10) EAP-Message =
> 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7
> (10) State = 0x33754777341a52c5d9592c39c6f43193
> (10) Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a
> (10) session-state: No cached attributes
> (10) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (10) authorize {
> (10) policy filter_username {
> (10) if (&User-Name) {
> (10) if (&User-Name) -> TRUE
> (10) if (&User-Name) {
> (10) if (&User-Name =~ / /) {
> (10) if (&User-Name =~ / /) -> FALSE
> (10) if (&User-Name =~ /@[^@]*@/ ) {
> (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (10) if (&User-Name =~ /\.\./ ) {
> (10) if (&User-Name =~ /\.\./ ) -> FALSE
> (10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (10) if (&User-Name =~ /\.$/) {
> (10) if (&User-Name =~ /\.$/) -> FALSE
> (10) if (&User-Name =~ /(a)\./) {
> (10) if (&User-Name =~ /(a)\./) -> FALSE
> (10) } # if (&User-Name) = notfound
> (10) } # policy filter_username = notfound
> (10) [preprocess] = ok
> (10) [chap] = noop
> (10) [mschap] = noop
> (10) [digest] = noop
> (10) suffix: Checking for suffix after "@"
> (10) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm
> NULL
> (10) suffix: No such realm "NULL"
> (10) [suffix] = noop
> (10) eap: Peer sent EAP Response (code 2) ID 111 length 67
> (10) eap: Continuing tunnel setup
> (10) [eap] = ok
> (10) } # authorize = ok
> (10) Found Auth-Type = eap
> (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (10) authenticate {
> (10) eap: ERROR: rlm_eap (EAP): No EAP session matching state
> 0x33754777341a52c5
> (10) eap: Either EAP-request timed out OR EAP-response to an unknown
> EAP-request
> (10) eap: Failed in handler
> (10) [eap] = invalid
> (10) } # authenticate = invalid
> (10) Failed to authenticate the user
> (10) Using Post-Auth-Type Reject
> (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (10) Post-Auth-Type REJECT {
> (10) attr_filter.access_reject: EXPAND %{User-Name}
> (10) attr_filter.access_reject: --> klaus.mustermann
> (10) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (10) [attr_filter.access_reject] = updated
> (10) eap: ERROR: rlm_eap (EAP): No EAP session matching state
> 0x33754777341a52c5
> (10) eap: Either EAP-request timed out OR EAP-response to an unknown
> EAP-request
> (10) eap: Failed to get handler, probably already removed, not inserting
> EAP-Failure
> (10) [eap] = noop
> (10) policy remove_reply_message_if_eap {
> (10) if (&reply:EAP-Message && &reply:Reply-Message) {
> (10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (10) else {
> (10) [noop] = noop
> (10) } # else = noop
> (10) } # policy remove_reply_message_if_eap = noop
> (10) } # Post-Auth-Type REJECT = updated
> (10) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.2 seconds.
> (9) Sending delayed response
> (9) Sent Access-Reject Id 26 from 10.100.1.65:1812 to 10.100.2.39:38737
> length 20
> Waking up in 0.1 seconds.
> (0) Cleaning up request packet ID 18 with timestamp +35 due to
> cleanup_delay was reached
> Waking up in 0.1 seconds.
> (1) Cleaning up request packet ID 19 with timestamp +35 due to
> cleanup_delay was reached
> (2) Cleaning up request packet ID 20 with timestamp +35 due to
> cleanup_delay was reached
> (3) Cleaning up request packet ID 21 with timestamp +35 due to
> cleanup_delay was reached
> (4) Cleaning up request packet ID 22 with timestamp +35 due to
> cleanup_delay was reached
> (5) Cleaning up request packet ID 23 with timestamp +35 due to
> cleanup_delay was reached
> (6) Cleaning up request packet ID 24 with timestamp +35 due to
> cleanup_delay was reached
> (7) Cleaning up request packet ID 25 with timestamp +35 due to
> cleanup_delay was reached
> (10) Sending delayed response
> (10) Sent Access-Reject Id 26 from 10.100.1.65:1812 to 10.100.2.39:45497
> length 20
>
> Any Idea what I am doing wrong here?
>
> Regards
>
>
> Henning
>
> ------------------------------
>
> Subject: Digest Footer
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 213, Issue 21
> *************************************************
>
--
Best regards,
Ashraf Al-Basti
2
1