Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
November 2025
- 8 participants
- 8 discussions
As we're working to finalize v4 (real soon now!) one question which came up is MongDB.
The Mongo team is currently looking into creating a fully async API for Mongo. We would need to use this in v4 in order to increase scalability. If we don't have such an API, then the Mongo drivers would be significantly slower than other databases.
Their forum as a poll available at: https://feedback.mongodb.com/forums/924286-drivers/suggestions/47080057-asy…
If you're interested in using Mongo with FreeRADIUS please vote on that page for their async API.
Alan DeKok.
5
7
You don't understand me. I know that Disconnect a user with Coa is very
easy.
But the problem is how to make the termination happen after the user's time
is expire.
What I am doing now is using an external tool
through disconnect.conf in mods-enabled.
It contains:
exec coa_disconnect {
wait = yes
program = “/usr/local/bin/coa_disconnect.sh %{User-Name}”
shell_escape = yes
}
And also policy.d/disconnect.conf
expire_disconnect {
update control {
&Tmp-Integer-0 := “%{sql:SELECT IF(expiration < NOW(), 1, 0) FROM
rm_users WHERE username = ‘%{User-Name}’ and ppp = ‘1’ LIMIT 1}”
}
if (&control:Tmp-Integer-0 == 1 && !&reply:Class) {
update reply {
&Reply-Message := “Your session has expired - redirecting...”
}
coa_disconnect
update control {
&Tmp-Integer-0 := “%{sql:UPDATE rm_users SET ppp=‘0’ WHERE
username=‘%{User-Name}’}”
}
}
}
في الاثنين، 24 نوفمبر 2025 في 10:58 م تمت كتابة ما يلي بواسطة Alexandre
Le Noir <muhanadali27@gmail.com>:
> The attached file is only a signature certificate.
>
>
>
> في الاثنين، 24 نوفمبر 2025 في 10:16 م تمت كتابة ما يلي بواسطة Alan DeKok
> via Freeradius-Users <freeradius-users@lists.freeradius.org>:
>
>> On Nov 24, 2025, at 2:09 PM, Alexandre Le Noir <muhanadali27(a)gmail.com>
>> wrote:
>> > where is the instructions ?
>>
>> Try reading my message:
>>
>> >> See sites-available/coa-relay
>> >>
>> >> That's a virtual server which makes it easy to disconnect users. You
>> >> will need to follow the instructions in the comments in that file, but
>> it
>> >> should work.
>>
>> Alan DeKok.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
2
4
Hello,
I try to recycle some old HPE switches as radius client using EAP-TLS
based protocols for test only.
They are using old deprecated ciphers, so i rebuild openssl for legacy
suites on a raspbian (I know, it's bad idea and not secure).
# openssl ciphers -v ALL | grep RC4
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128)
Mac=MD5
So, when the server freeradius and the switch try to negociate, i can
see in the logs that the cipher RC4-MD5 is now common for the two devices.
...
Thu Nov 20 15:11:44 2025 : Debug: (26) eap_ttls: Authenticate
Thu Nov 20 15:11:44 2025 : Debug: (26) eap_ttls: (TLS) EAP Continuing ...
Thu Nov 20 15:11:44 2025 : Debug: (26) eap_ttls: (TLS) EAP Peer sent
flags ---
Thu Nov 20 15:11:44 2025 : Debug: (26) eap_ttls: (TLS) EAP Verification
says ok
Thu Nov 20 15:11:44 2025 : Debug: (26) eap_ttls: (TLS) EAP Done initial
handshake
Thu Nov 20 15:11:44 2025 : Debug: (26) eap_ttls: (TLS) TTLS - Handshake
state [PINIT] - before SSL initialization (0)
Thu Nov 20 15:11:44 2025 : Debug: (26) eap_ttls: (TLS) TTLS - Handshake
state [PINIT] - Server before SSL initialization (0)
Thu Nov 20 15:11:44 2025 : Debug: (TLS) Ignoring cbtls_msg call with
pseudo content type 256, version 00000301
Thu Nov 20 15:11:44 2025 : Debug: (26) eap_ttls: (TLS) TTLS - Handshake
state [PINIT] - Server before SSL initialization (0)
Thu Nov 20 15:11:44 2025 : Debug: (TLS) Received 58 bytes of TLS data
Thu Nov 20 15:11:44 2025 : Debug: (TLS) 01 00 00 36 03 01 cf 30
f0 07 73 5d 30 36 71 27
Thu Nov 20 15:11:44 2025 : Debug: (TLS) 65 2c ce 16 e6 41 0c 35
b4 d3 4c 9d 3a d2 8e 78
Thu Nov 20 15:11:44 2025 : Debug: (TLS) a9 5b 3d ac a5 a9 00 00
04 00 04 00 ff 01 00 00
Thu Nov 20 15:11:44 2025 : Debug: (TLS) 09 00 23 00 00 00 0f 00
01 01
Thu Nov 20 15:11:44 2025 : Debug: (26) eap_ttls: (TLS) TTLS - recv TLS
1.3 Handshake, ClientHello
Thu Nov 20 15:11:44 2025 : Debug: (TLS) Ignoring cbtls_msg call with
pseudo content type 256, version 00000301
Thu Nov 20 15:11:44 2025 : Debug: (TLS) Received 2 bytes of TLS data
Thu Nov 20 15:11:44 2025 : Debug: (TLS) 02 28
Thu Nov 20 15:11:44 2025 : Debug: (26) eap_ttls: (TLS) TTLS - send TLS
1.0 Alert, fatal handshake_failure
Thu Nov 20 15:11:44 2025 : ERROR: (26) eap_ttls: (TLS) TTLS - Alert
write:fatal:handshake failure
Thu Nov 20 15:11:44 2025 : ERROR: (26) eap_ttls: (TLS) TTLS - Server :
Error in error
Thu Nov 20 15:11:44 2025 : Debug: (26) eap_ttls: Server preferred
ciphers (by priority)
Thu Nov 20 15:11:44 2025 : Debug: (26) eap_ttls: (TLS) [0]
TLS_AES_256_GCM_SHA384
Thu Nov 20 15:11:44 2025 : Debug: (26) eap_ttls: (TLS) [1]
TLS_CHACHA20_POLY1305_SHA256
...
Thu Nov 20 15:11:44 2025 : Debug: (26) eap_ttls: (TLS) [166] RC4-MD5
Thu Nov 20 15:11:44 2025 : Debug: (26) eap_ttls: (TLS) [167] PSK-RC4-SHA
Thu Nov 20 15:11:44 2025 : Debug: (26) eap_ttls: (TLS) TTLS - Client
preferred ciphers (by priority)
Thu Nov 20 15:11:44 2025 : Debug: (26) eap_ttls: (TLS) [0] RC4-MD5
...
But i still got an error "no shared cipher"
...
Thu Nov 20 15:11:44 2025 : ERROR: (26) eap_ttls: (TLS) Failed reading
from OpenSSL: ../ssl/statem/statem_srvr.c[2333]:error:0A0000C1:SSL
routines::no shared cipher
Thu Nov 20 15:11:44 2025 : ERROR: (26) eap_ttls: (TLS) System call (I/O)
error (-1)
Thu Nov 20 15:11:44 2025 : ERROR: (26) eap_ttls: (TLS) EAP Receive
handshake failed during operation
Thu Nov 20 15:11:44 2025 : ERROR: (26) eap_ttls: [eaptls process] = fail
Thu Nov 20 15:11:44 2025 : ERROR: (26) eap: Failed continuing EAP TTLS
(21) session. EAP sub-module failed
...
Below, some samples of my configuration:
## cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 13 (trixie)"
## dpkg -l | grep freeradius
ii freeradius 3.2.7+dfsg-1+deb13u1+rpt1
## mods-available/eap ##
eap {
default_eap_type = tls
...
tls-config tls-common {
...
cipher_list = "ALL@SECLEVEL=0"
cipher_server_preference = no
tls_min_version = "1.0"
tls_max_version = "1.3"
ecdh_curve = ""
...
...
## /etc/ssl/openssl_legacy.cnf ##
[openssl_init]
providers = provider_sect
[provider_sect]
default = system_default_sect
legacy = legacy_sect
[legacy_sect]
activate = 1
MinProtocol = SSLv3
CipherString = ALL@SECLEVEL=0
[system_default_sect]
activate = 1
MinProtocol = SSLv3
CipherString = ALL@SECLEVEL=0
Is this mandatory to use tls_min_version/max options since the
deprecated cipher i try to use belong to SSLv3 suite ?
Do you have some hints to help debug further please ?
Thank you in advance.
Best regards,
--
Nicolas Godbert
3
2
I have two problems that I want to solve.
1- There is a duplicate in Radacct with acctstoptime null, knowing that I
linked the free radius with the microtech.
2- Users are located in users.
They have a username that matches the username in Radacct and they have an
expiration date.
If the expiration date has passed, I want them to be disconnected from the
service with coa or without, but I tried Chatgpt solutions and they did not
work.
Can you help me? Thank you.
2
3
I’m working on implementing a Simultaneous-Use check using the
rediswho module in the FreeRADIUS 3.2 branch.
The approach is inspired by the blog post “Preventing Fraudulent
Logins with a Session Database” (which unfortunately appears to be
offline).
At this stage, I’m successfully writing accounting records into Redis
through rediswho. However, I haven’t found any documentation or
examples describing how to query Redis for Simultaneous-Use checking
and verification — specifically, the equivalent of the
simul_count_query and simul_verify_query mechanisms used in the SQL
module
If anyone has implemented this or can provide guidance on best
practices for performing Simultaneous-Use checks with rediswho, I
would appreciate any insights or references.
Additionally, I noticed that the default rediswho configuration in
both versions 3.2 and 4.0 uses the same insert operation for all
Acct-Status-Type values. As a result, when querying the Redis, it’s
not possible to distinguish between sessions that have terminated with
an Acct-Status-Type = Stop and those that are still active.
Nitzan
2
3
Hi guys
I know there is already some information out there about this topic, for example in this post from back in 2018: https://lists.freeradius.org/pipermail/freeradius-users/2018-November/09377…
And there are also examples in the FreeRADIUS inner-proxy configuration file:
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
#
# Note that the last packet of the inner-tunnel authentication
# MAY NOT BE the last packet of the outer session. So updating
# the outer reply MIGHT work, and sometimes MIGHT NOT. The
# exact functionality depends on both the inner and outer
# authentication methods.
#
# If you need to send a reply attribute in the outer session,
# the ONLY safe way is to set "use_tunneled_reply = yes", and
# then update the inner-tunnel reply.
post-auth {
# If you want privacy to remain, see the
# Chargeable-User-Identity attribute from RFC 4372.
# If you want to use it just uncomment the line below.
# cui-inner
#
# If you want the Access-Accept to contain the inner
# User-Name, uncomment the following lines.
#
# update outer.session-state {
# User-Name := &User-Name
# }
We use PEAP/MS-CHAPv2 on our eduroam SSID.
Goal: copy the inner identity to the Access-Accept RADIUS packet, if possible at all (?!) à our Cisco WLAN infrastructure could «see» the real username instead of a bunch of anonymous(a)unibe.ch accounts, this will be used for further processing in a cloud service.
But based on the debug output (see below), the inner-proxy configuration is not hit at all; I think this is based on how our FreeRADIUS proxing is done, but here I am not 100% sure about this.
But maybe you can help me out and point me into the right direction; in short: is there a way (for us) to achieve the copying of the inner to the outer identity for the Access-Accept packet (only)?
Thanks and best regards
Dominic
***
Debug output:
(14) Received Access-Request Id 161 from 1.2.3.4:63606 to 130.92.10.33:1812 length 461
(14) User-Name = anonymous(a)unibe.ch
(14) Service-Type = Framed-User
(14) Cisco-AVPair = "service-type=Framed"
(14) Framed-MTU = 1485
(14) EAP-Message = 0x0201001701616e6f6e796d6f757340756e6962652e6368
(14) Message-Authenticator = 0xcda0dbee35c44f95af0a726f08995386
(14) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(14) Cisco-AVPair = "method=dot1x"
(14) Cisco-AVPair = "client-iif-id=2818574557"
(14) Cisco-AVPair = "vlan-id=1000"
(14) NAS-IP-Address = 1.2.3.4
(14) NAS-Port-Id = "capwap_9000000c"
(14) NAS-Port-Type = Wireless-802.11
(14) NAS-Port = 4211
(14) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(14) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(14) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(14) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(14) Airespace-Wlan-Id = 97
(14) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(14) WLAN-Group-Cipher = 1027076
(14) WLAN-Pairwise-Cipher = 1027076
(14) WLAN-AKM-Suite = 1027075
(14) WLAN-Group-Mgmt-Cipher = 1027078
(14) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(14) authorize {
(14) policy rewrite_called_station_id {
(14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(14) update request {
(14) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(14) --> 2C-E3-8E-ED-31-E0
(14) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(14) } # update request = noop
(14) if ("%{8}") {
(14) EXPAND %{8}
(14) --> eduroam
(14) if ("%{8}") -> TRUE
(14) if ("%{8}") {
(14) update request {
(14) EXPAND %{8}
(14) --> eduroam
(14) &Called-Station-SSID := eduroam
(14) EXPAND %{Called-Station-Id}:%{8}
(14) --> 2C-E3-8E-ED-31-E0:eduroam
(14) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(14) } # update request = noop
(14) } # if ("%{8}") = noop
(14) [updated] = updated
(14) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(14) ... skipping else: Preceding "if" was taken
(14) } # policy rewrite_called_station_id = updated
(14) policy rewrite_calling_station_id {
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(14) update request {
(14) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(14) --> AC-DF-A1-B1-F1-5A
(14) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(14) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(14) --> AC:DF:A1:B1:F1:5A
(14) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(14) } # update request = noop
(14) [updated] = updated
(14) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(14) ... skipping else: Preceding "if" was taken
(14) } # policy rewrite_calling_station_id = updated
(14) if (Service-Type == Call-Check) {
(14) if (Service-Type == Call-Check) -> FALSE
(14) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(14) EXPAND Packet-Src-IP-Address
(14) --> 1.2.3.4
(14) EXPAND Packet-Src-IP-Address
(14) --> 1.2.3.4
(14) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(14) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(14) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(14) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(14) if (EAP-Message) {
(14) if (EAP-Message) -> TRUE
(14) if (EAP-Message) {
(14) policy filter_username {
(14) if (&User-Name) {
(14) if (&User-Name) -> TRUE
(14) if (&User-Name) {
(14) if (&User-Name =~ / /) {
(14) if (&User-Name =~ / /) -> FALSE
(14) if (&User-Name =~ /@[^@]*@/ ) {
(14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(14) if (&User-Name =~ /\.\./ ) {
(14) if (&User-Name =~ /\.\./ ) -> FALSE
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(14) if (&User-Name =~ /\.$/) {
(14) if (&User-Name =~ /\.$/) -> FALSE
(14) if (&User-Name =~ /(a)\./) {
(14) if (&User-Name =~ /(a)\./) -> FALSE
(14) } # if (&User-Name) = updated
(14) } # policy filter_username = updated
(14) suffix: Checking for suffix after "@"
(14) suffix: Looking up realm "unibe.ch" for User-Name = anonymous(a)unibe.ch
(14) suffix: Found realm "UNIBE.CH"
(14) suffix: Adding Realm = "UNIBE.CH"
(14) suffix: Authentication realm is LOCAL
(14) [suffix] = ok
(14) policy deny_no_realm {
(14) if (User-Name && (User-Name !~ /@/)) {
(14) if (User-Name && (User-Name !~ /@/)) -> FALSE
(14) } # policy deny_no_realm = updated
(14) update request {
(14) EXPAND %{toupper:%{Realm}}
(14) --> UNIBE.CH
(14) Realm := UNIBE.CH
(14) } # update request = noop
(14) eap: Peer sent EAP Response (code 2) ID 1 length 23
(14) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(14) [eap] = ok
(14) } # if (EAP-Message) = ok
(14) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(14) } # authorize = updated
(14) Found Auth-Type = eap
(14) # Executing group from file /etc/freeradius/sites-enabled/default
(14) Auth-Type eap {
(14) eap: Peer sent packet with method EAP Identity (1)
(14) eap: Using default_eap_type = PEAP
(14) eap: Calling submodule eap_peap to process data
(14) eap_peap: (TLS) PEAP -Initiating new session
(14) eap: Sending EAP Request (code 1) ID 2 length 6
(14) eap: EAP session adding &reply:State = 0x1a0c7e771a0e6752
(14) [eap] = handled
(14) if (handled && (Response-Packet-Type == Access-Challenge)) {
(14) EXPAND Response-Packet-Type
(14) --> Access-Challenge
(14) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(14) if (handled && (Response-Packet-Type == Access-Challenge)) {
(14) attr_filter.access_challenge: EXPAND %{User-Name}
(14) attr_filter.access_challenge: --> anonymous(a)unibe.ch
(14) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(14) [attr_filter.access_challenge.post-auth] = updated
(14) [handled] = handled
(14) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(14) } # Auth-Type eap = handled
(14) Using Post-Auth-Type Challenge
(14) Post-Auth-Type sub-section not found. Ignoring.
(14) # Executing group from file /etc/freeradius/sites-enabled/default
(14) session-state: Saving cached attributes
(14) Framed-MTU = 1014
(14) Sent Access-Challenge Id 161 from 130.92.10.33:1812 to 1.2.3.4:63606 length 64
(14) EAP-Message = 0x010200061920
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0x1a0c7e771a0e675279b57cf47df95d07
(14) Finished request
(15) Received Access-Request Id 162 from 1.2.3.4:63606 to 130.92.10.33:1812 length 617
(15) User-Name = anonymous(a)unibe.ch
(15) Service-Type = Framed-User
(15) Cisco-AVPair = "service-type=Framed"
(15) Framed-MTU = 1485
(15) EAP-Message = 0x020200a119800000009716030100920100008e03036909999b25b7e27b2e2e231f9c546c4a37d3b858ee2635bdaf836b8c39d42d6800002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306010005000501000000000012000000170000
(15) Message-Authenticator = 0xdf959aef8b75ae98ed4dda59508b7a60
(15) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(15) Cisco-AVPair = "method=dot1x"
(15) Cisco-AVPair = "client-iif-id=2818574557"
(15) Cisco-AVPair = "vlan-id=1000"
(15) NAS-IP-Address = 1.2.3.4
(15) NAS-Port-Id = "capwap_9000000c"
(15) NAS-Port-Type = Wireless-802.11
(15) NAS-Port = 4211
(15) State = 0x1a0c7e771a0e675279b57cf47df95d07
(15) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(15) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(15) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(15) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(15) Airespace-Wlan-Id = 97
(15) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(15) WLAN-Group-Cipher = 1027076
(15) WLAN-Pairwise-Cipher = 1027076
(15) WLAN-AKM-Suite = 1027075
(15) WLAN-Group-Mgmt-Cipher = 1027078
(15) Restoring &session-state
(15) &session-state:Framed-MTU = 1014
(15) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(15) authorize {
(15) policy rewrite_called_station_id {
(15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(15) update request {
(15) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(15) --> 2C-E3-8E-ED-31-E0
(15) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(15) } # update request = noop
(15) if ("%{8}") {
(15) EXPAND %{8}
(15) --> eduroam
(15) if ("%{8}") -> TRUE
(15) if ("%{8}") {
(15) update request {
(15) EXPAND %{8}
(15) --> eduroam
(15) &Called-Station-SSID := eduroam
(15) EXPAND %{Called-Station-Id}:%{8}
(15) --> 2C-E3-8E-ED-31-E0:eduroam
(15) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(15) } # update request = noop
(15) } # if ("%{8}") = noop
(15) [updated] = updated
(15) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(15) ... skipping else: Preceding "if" was taken
(15) } # policy rewrite_called_station_id = updated
(15) policy rewrite_calling_station_id {
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(15) update request {
(15) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(15) --> AC-DF-A1-B1-F1-5A
(15) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(15) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(15) --> AC:DF:A1:B1:F1:5A
(15) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(15) } # update request = noop
(15) [updated] = updated
(15) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(15) ... skipping else: Preceding "if" was taken
(15) } # policy rewrite_calling_station_id = updated
(15) if (Service-Type == Call-Check) {
(15) if (Service-Type == Call-Check) -> FALSE
(15) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(15) EXPAND Packet-Src-IP-Address
(15) --> 1.2.3.4
(15) EXPAND Packet-Src-IP-Address
(15) --> 1.2.3.4
(15) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(15) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(15) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(15) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(15) if (EAP-Message) {
(15) if (EAP-Message) -> TRUE
(15) if (EAP-Message) {
(15) policy filter_username {
(15) if (&User-Name) {
(15) if (&User-Name) -> TRUE
(15) if (&User-Name) {
(15) if (&User-Name =~ / /) {
(15) if (&User-Name =~ / /) -> FALSE
(15) if (&User-Name =~ /@[^@]*@/ ) {
(15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15) if (&User-Name =~ /\.\./ ) {
(15) if (&User-Name =~ /\.\./ ) -> FALSE
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(15) if (&User-Name =~ /\.$/) {
(15) if (&User-Name =~ /\.$/) -> FALSE
(15) if (&User-Name =~ /(a)\./) {
(15) if (&User-Name =~ /(a)\./) -> FALSE
(15) } # if (&User-Name) = updated
(15) } # policy filter_username = updated
(15) suffix: Checking for suffix after "@"
(15) suffix: Looking up realm "unibe.ch" for User-Name = anonymous(a)unibe.ch
(15) suffix: Found realm "UNIBE.CH"
(15) suffix: Adding Realm = "UNIBE.CH"
(15) suffix: Authentication realm is LOCAL
(15) [suffix] = ok
(15) policy deny_no_realm {
(15) if (User-Name && (User-Name !~ /@/)) {
(15) if (User-Name && (User-Name !~ /@/)) -> FALSE
(15) } # policy deny_no_realm = updated
(15) update request {
(15) EXPAND %{toupper:%{Realm}}
(15) --> UNIBE.CH
(15) Realm := UNIBE.CH
(15) } # update request = noop
(15) eap: Peer sent EAP Response (code 2) ID 2 length 161
(15) eap: Continuing tunnel setup
(15) [eap] = ok
(15) } # if (EAP-Message) = ok
(15) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(15) } # authorize = updated
(15) Found Auth-Type = eap
(15) # Executing group from file /etc/freeradius/sites-enabled/default
(15) Auth-Type eap {
(15) eap: Removing EAP session with state 0x1a0c7e771a0e6752
(15) eap: Previous EAP request found for state 0x1a0c7e771a0e6752, released from the list
(15) eap: Peer sent packet with method EAP PEAP (25)
(15) eap: Calling submodule eap_peap to process data
(15) eap_peap: (TLS) EAP Peer says that the final record size will be 151 bytes
(15) eap_peap: (TLS) EAP Got all data (151 bytes)
(15) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization
(15) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization
(15) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization
(15) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello
(15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello
(15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello
(15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello
(15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate
(15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate
(15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange
(15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange
(15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone
(15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done
(15) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done
(15) eap_peap: (TLS) PEAP - In Handshake Phase
(15) eap: Sending EAP Request (code 1) ID 3 length 1024
(15) eap: EAP session adding &reply:State = 0x1a0c7e771b0f6752
(15) [eap] = handled
(15) if (handled && (Response-Packet-Type == Access-Challenge)) {
(15) EXPAND Response-Packet-Type
(15) --> Access-Challenge
(15) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(15) if (handled && (Response-Packet-Type == Access-Challenge)) {
(15) attr_filter.access_challenge: EXPAND %{User-Name}
(15) attr_filter.access_challenge: --> anonymous(a)unibe.ch
(15) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(15) [attr_filter.access_challenge.post-auth] = updated
(15) [handled] = handled
(15) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(15) } # Auth-Type eap = handled
(15) Using Post-Auth-Type Challenge
(15) Post-Auth-Type sub-section not found. Ignoring.
(15) # Executing group from file /etc/freeradius/sites-enabled/default
(15) session-state: Saving cached attributes
(15) Framed-MTU = 1014
(15) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(15) Sent Access-Challenge Id 162 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1090
(15) EAP-Message = 0x0103040019c000001135160303003d020000390303f0334014735b9a350f95ccc549063d3e99ba127b1d030030444f574e4752440100c010000011ff01000100000b000401000102001700001603030f930b000f8f000f8c0007253082072130820609a00302010202100dae0ee5cc17916457adb4fc96626395300d06092a864886f70d01010b05003059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c532052534120534841323536203230323020434131301e170d3235303532333030303030305a170d3236303532323233353935395a305f310b3009060355040613024348310d300b060355040813044265726e310d300b060355040713044265726e311b3019060355040a1312556e6976657273697479206f66204265726e311530130603550403130c6161692e756e6962652e636830820122300d06092a864886f70d01010105
(15) Message-Authenticator = 0x00000000000000000000000000000000
(15) State = 0x1a0c7e771b0f675279b57cf47df95d07
(15) Finished request
(16) Received Access-Request Id 163 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462
(16) User-Name = anonymous(a)unibe.ch
(16) Service-Type = Framed-User
(16) Cisco-AVPair = "service-type=Framed"
(16) Framed-MTU = 1485
(16) EAP-Message = 0x020100061900
(16) Message-Authenticator = 0x256013f8a4cd33b09aea930439831655
(16) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(16) Cisco-AVPair = "method=dot1x"
(16) Cisco-AVPair = "client-iif-id=2818574557"
(16) Cisco-AVPair = "vlan-id=1000"
(16) NAS-IP-Address = 1.2.3.4
(16) NAS-Port-Id = "capwap_9000000c"
(16) NAS-Port-Type = Wireless-802.11
(16) NAS-Port = 4211
(16) State = 0x1a0c7e771b0f675279b57cf47df95d07
(16) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(16) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(16) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(16) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(16) Airespace-Wlan-Id = 97
(16) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(16) WLAN-Group-Cipher = 1027076
(16) WLAN-Pairwise-Cipher = 1027076
(16) WLAN-AKM-Suite = 1027075
(16) WLAN-Group-Mgmt-Cipher = 1027078
(16) Restoring &session-state
(16) &session-state:Framed-MTU = 1014
(16) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(16) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(16) authorize {
(16) policy rewrite_called_station_id {
(16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(16) update request {
(16) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(16) --> 2C-E3-8E-ED-31-E0
(16) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(16) } # update request = noop
(16) if ("%{8}") {
(16) EXPAND %{8}
(16) --> eduroam
(16) if ("%{8}") -> TRUE
(16) if ("%{8}") {
(16) update request {
(16) EXPAND %{8}
(16) --> eduroam
(16) &Called-Station-SSID := eduroam
(16) EXPAND %{Called-Station-Id}:%{8}
(16) --> 2C-E3-8E-ED-31-E0:eduroam
(16) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(16) } # update request = noop
(16) } # if ("%{8}") = noop
(16) [updated] = updated
(16) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(16) ... skipping else: Preceding "if" was taken
(16) } # policy rewrite_called_station_id = updated
(16) policy rewrite_calling_station_id {
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(16) update request {
(16) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(16) --> AC-DF-A1-B1-F1-5A
(16) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(16) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(16) --> AC:DF:A1:B1:F1:5A
(16) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(16) } # update request = noop
(16) [updated] = updated
(16) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(16) ... skipping else: Preceding "if" was taken
(16) } # policy rewrite_calling_station_id = updated
(16) if (Service-Type == Call-Check) {
(16) if (Service-Type == Call-Check) -> FALSE
(16) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(16) EXPAND Packet-Src-IP-Address
(16) --> 1.2.3.4
(16) EXPAND Packet-Src-IP-Address
(16) --> 1.2.3.4
(16) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(16) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(16) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(16) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(16) if (EAP-Message) {
(16) if (EAP-Message) -> TRUE
(16) if (EAP-Message) {
(16) policy filter_username {
(16) if (&User-Name) {
(16) if (&User-Name) -> TRUE
(16) if (&User-Name) {
(16) if (&User-Name =~ / /) {
(16) if (&User-Name =~ / /) -> FALSE
(16) if (&User-Name =~ /@[^@]*@/ ) {
(16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(16) if (&User-Name =~ /\.\./ ) {
(16) if (&User-Name =~ /\.\./ ) -> FALSE
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(16) if (&User-Name =~ /\.$/) {
(16) if (&User-Name =~ /\.$/) -> FALSE
(16) if (&User-Name =~ /(a)\./) {
(16) if (&User-Name =~ /(a)\./) -> FALSE
(16) } # if (&User-Name) = updated
(16) } # policy filter_username = updated
(16) suffix: Checking for suffix after "@"
(16) suffix: Looking up realm "unibe.ch" for User-Name = anonymous(a)unibe.ch
(16) suffix: Found realm "UNIBE.CH"
(16) suffix: Adding Realm = "UNIBE.CH"
(16) suffix: Authentication realm is LOCAL
(16) [suffix] = ok
(16) policy deny_no_realm {
(16) if (User-Name && (User-Name !~ /@/)) {
(16) if (User-Name && (User-Name !~ /@/)) -> FALSE
(16) } # policy deny_no_realm = updated
(16) update request {
(16) EXPAND %{toupper:%{Realm}}
(16) --> UNIBE.CH
(16) Realm := UNIBE.CH
(16) } # update request = noop
(16) eap: Peer sent EAP Response (code 2) ID 3 length 6
(16) eap: Continuing tunnel setup
(16) [eap] = ok
(16) } # if (EAP-Message) = ok
(16) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(16) } # authorize = updated
(16) Found Auth-Type = eap
(16) # Executing group from file /etc/freeradius/sites-enabled/default
(16) Auth-Type eap {
(16) eap: Removing EAP session with state 0x1a0c7e771b0f6752
(16) eap: Previous EAP request found for state 0x1a0c7e771b0f6752, released from the list
(16) eap: Peer sent packet with method EAP PEAP (25)
(16) eap: Calling submodule eap_peap to process data
(16) eap_peap: (TLS) Peer ACKed our handshake fragment
(16) eap: Sending EAP Request (code 1) ID 4 length 1020
(16) eap: EAP session adding &reply:State = 0x1a0c7e7718086752
(16) [eap] = handled
(16) if (handled && (Response-Packet-Type == Access-Challenge)) {
(16) EXPAND Response-Packet-Type
(16) --> Access-Challenge
(16) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(16) if (handled && (Response-Packet-Type == Access-Challenge)) {
(16) attr_filter.access_challenge: EXPAND %{User-Name}
(16) attr_filter.access_challenge: --> anonymous(a)unibe.ch
(16) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(16) [attr_filter.access_challenge.post-auth] = updated
(16) [handled] = handled
(16) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(16) } # Auth-Type eap = handled
(16) Using Post-Auth-Type Challenge
(16) Post-Auth-Type sub-section not found. Ignoring.
(16) # Executing group from file /etc/freeradius/sites-enabled/default
(16) session-state: Saving cached attributes
(16) Framed-MTU = 1014
(16) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(16) Sent Access-Challenge Id 163 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1086
(16) EAP-Message = 0x010403fc1940312d312e63726c3048a046a0448642687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e63726c30818706082b06010505070101047b3079302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305106082b060105050730028645687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e637274300c0603551d130101ff040210003082017f060a2b06010401d6790204020482016f0482016b01690077000e5794bcf3aea93e331b2c9907b3f790df9bc23d713225dd21a925ac61c54e2100000196fd68459a0000040300483046022100abde8fd62ca059be569c5f14a3ce1588684528f0228b3c7320a7af6c1b29e485022100f139ea2369375155ef47d38c4e196798015b054e81
(16) Message-Authenticator = 0x00000000000000000000000000000000
(16) State = 0x1a0c7e771808675279b57cf47df95d07
(16) Finished request
(17) Received Access-Request Id 164 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462
(17) User-Name = anonymous(a)unibe.ch
(17) Service-Type = Framed-User
(17) Cisco-AVPair = "service-type=Framed"
(17) Framed-MTU = 1485
(17) EAP-Message = 0x020400061900
(17) Message-Authenticator = 0x6f9b085346287fdd22fc589a3c0b70f2
(17) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(17) Cisco-AVPair = "method=dot1x"
(17) Cisco-AVPair = "client-iif-id=2818574557"
(17) Cisco-AVPair = "vlan-id=1000"
(17) NAS-IP-Address = 1.2.3.4
(17) NAS-Port-Id = "capwap_9000000c"
(17) NAS-Port-Type = Wireless-802.11
(17) NAS-Port = 4211
(17) State = 0x1a0c7e771808675279b57cf47df95d07
(17) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(17) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(17) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(17) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(17) Airespace-Wlan-Id = 97
(17) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(17) WLAN-Group-Cipher = 1027076
(17) WLAN-Pairwise-Cipher = 1027076
(17) WLAN-AKM-Suite = 1027075
(17) WLAN-Group-Mgmt-Cipher = 1027078
(17) Restoring &session-state
(17) &session-state:Framed-MTU = 1014
(17) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(17) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(17) authorize {
(17) policy rewrite_called_station_id {
(17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(17) update request {
(17) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(17) --> 2C-E3-8E-ED-31-E0
(17) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(17) } # update request = noop
(17) if ("%{8}") {
(17) EXPAND %{8}
(17) --> eduroam
(17) if ("%{8}") -> TRUE
(17) if ("%{8}") {
(17) update request {
(17) EXPAND %{8}
(17) --> eduroam
(17) &Called-Station-SSID := eduroam
(17) EXPAND %{Called-Station-Id}:%{8}
(17) --> 2C-E3-8E-ED-31-E0:eduroam
(17) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(17) } # update request = noop
(17) } # if ("%{8}") = noop
(17) [updated] = updated
(17) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(17) ... skipping else: Preceding "if" was taken
(17) } # policy rewrite_called_station_id = updated
(17) policy rewrite_calling_station_id {
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(17) update request {
(17) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(17) --> AC-DF-A1-B1-F1-5A
(17) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(17) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(17) --> AC:DF:A1:B1:F1:5A
(17) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(17) } # update request = noop
(17) [updated] = updated
(17) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(17) ... skipping else: Preceding "if" was taken
(17) } # policy rewrite_calling_station_id = updated
(17) if (Service-Type == Call-Check) {
(17) if (Service-Type == Call-Check) -> FALSE
(17) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(17) EXPAND Packet-Src-IP-Address
(17) --> 1.2.3.4
(17) EXPAND Packet-Src-IP-Address
(17) --> 1.2.3.4
(17) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(17) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(17) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(17) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(17) if (EAP-Message) {
(17) if (EAP-Message) -> TRUE
(17) if (EAP-Message) {
(17) policy filter_username {
(17) if (&User-Name) {
(17) if (&User-Name) -> TRUE
(17) if (&User-Name) {
(17) if (&User-Name =~ / /) {
(17) if (&User-Name =~ / /) -> FALSE
(17) if (&User-Name =~ /@[^@]*@/ ) {
(17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(17) if (&User-Name =~ /\.\./ ) {
(17) if (&User-Name =~ /\.\./ ) -> FALSE
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(17) if (&User-Name =~ /\.$/) {
(17) if (&User-Name =~ /\.$/) -> FALSE
(17) if (&User-Name =~ /(a)\./) {
(17) if (&User-Name =~ /(a)\./) -> FALSE
(17) } # if (&User-Name) = updated
(17) } # policy filter_username = updated
(17) suffix: Checking for suffix after "@"
(17) suffix: Looking up realm "unibe.ch" for User-Name = anonymous(a)unibe.ch
(17) suffix: Found realm "UNIBE.CH"
(17) suffix: Adding Realm = "UNIBE.CH"
(17) suffix: Authentication realm is LOCAL
(17) [suffix] = ok
(17) policy deny_no_realm {
(17) if (User-Name && (User-Name !~ /@/)) {
(17) if (User-Name && (User-Name !~ /@/)) -> FALSE
(17) } # policy deny_no_realm = updated
(17) update request {
(17) EXPAND %{toupper:%{Realm}}
(17) --> UNIBE.CH
(17) Realm := UNIBE.CH
(17) } # update request = noop
(17) eap: Peer sent EAP Response (code 2) ID 4 length 6
(17) eap: Continuing tunnel setup
(17) [eap] = ok
(17) } # if (EAP-Message) = ok
(17) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(17) } # authorize = updated
(17) Found Auth-Type = eap
(17) # Executing group from file /etc/freeradius/sites-enabled/default
(17) Auth-Type eap {
(17) eap: Removing EAP session with state 0x1a0c7e7718086752
(17) eap: Previous EAP request found for state 0x1a0c7e7718086752, released from the list
(17) eap: Peer sent packet with method EAP PEAP (25)
(17) eap: Calling submodule eap_peap to process data
(17) eap_peap: (TLS) Peer ACKed our handshake fragment
(17) eap: Sending EAP Request (code 1) ID 5 length 1020
(17) eap: EAP session adding &reply:State = 0x1a0c7e7719096752
(17) [eap] = handled
(17) if (handled && (Response-Packet-Type == Access-Challenge)) {
(17) EXPAND Response-Packet-Type
(17) --> Access-Challenge
(17) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(17) if (handled && (Response-Packet-Type == Access-Challenge)) {
(17) attr_filter.access_challenge: EXPAND %{User-Name}
(17) attr_filter.access_challenge: --> anonymous(a)unibe.ch
(17) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(17) [attr_filter.access_challenge.post-auth] = updated
(17) [handled] = handled
(17) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(17) } # Auth-Type eap = handled
(17) Using Post-Auth-Type Challenge
(17) Post-Auth-Type sub-section not found. Ignoring.
(17) # Executing group from file /etc/freeradius/sites-enabled/default
(17) session-state: Saving cached attributes
(17) Framed-MTU = 1014
(17) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(17) Sent Access-Challenge Id 164 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1086
(17) EAP-Message = 0x010503fc194006035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3231303333303030303030305a170d3331303332393233353935395a3059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100ccf710624fa6bb636fed905256c56d277b7a12568af1f4f9d6e7e18fbd95abf260411570db1200fa270ab557385b7db2519371950e6a41945b351bfa7bfabbc5be2430fe56efc4f37d97e314f5144dcba710f216eaab22f031221161699026ba78d9971fe37d66ab75449573c8acffef5d0a8a5943e1acb23a0ff348fcd76b37c163dcde46d6db45fe7d23fd90e851071e51a35fed4946547f2c88c5f4139c97153c03e8a139dc690c32c1af16574c9447427ca2c89c7d
(17) Message-Authenticator = 0x00000000000000000000000000000000
(17) State = 0x1a0c7e771909675279b57cf47df95d07
(17) Finished request
(18) Received Access-Request Id 165 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462
(18) User-Name = anonymous(a)unibe.ch
(18) Service-Type = Framed-User
(18) Cisco-AVPair = "service-type=Framed"
(18) Framed-MTU = 1485
(18) EAP-Message = 0x020500061900
(18) Message-Authenticator = 0xc196c62add7f8f693998f8856485d83b
(18) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(18) Cisco-AVPair = "method=dot1x"
(18) Cisco-AVPair = "client-iif-id=2818574557"
(18) Cisco-AVPair = "vlan-id=1000"
(18) NAS-IP-Address = 1.2.3.4
(18) NAS-Port-Id = "capwap_9000000c"
(18) NAS-Port-Type = Wireless-802.11
(18) NAS-Port = 4211
(18) State = 0x1a0c7e771909675279b57cf47df95d07
(18) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(18) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(18) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(18) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(18) Airespace-Wlan-Id = 97
(18) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(18) WLAN-Group-Cipher = 1027076
(18) WLAN-Pairwise-Cipher = 1027076
(18) WLAN-AKM-Suite = 1027075
(18) WLAN-Group-Mgmt-Cipher = 1027078
(18) Restoring &session-state
(18) &session-state:Framed-MTU = 1014
(18) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(18) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(18) authorize {
(18) policy rewrite_called_station_id {
(18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(18) update request {
Waking up in 0.2 seconds.
(18) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(18) --> 2C-E3-8E-ED-31-E0
(18) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(18) } # update request = noop
(18) if ("%{8}") {
(18) EXPAND %{8}
(18) --> eduroam
(18) if ("%{8}") -> TRUE
(18) if ("%{8}") {
(18) update request {
(18) EXPAND %{8}
(18) --> eduroam
(18) &Called-Station-SSID := eduroam
(18) EXPAND %{Called-Station-Id}:%{8}
(18) --> 2C-E3-8E-ED-31-E0:eduroam
(18) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(18) } # update request = noop
(18) } # if ("%{8}") = noop
(18) [updated] = updated
(18) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(18) ... skipping else: Preceding "if" was taken
(18) } # policy rewrite_called_station_id = updated
(18) policy rewrite_calling_station_id {
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(18) update request {
(18) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(18) --> AC-DF-A1-B1-F1-5A
(18) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(18) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(18) --> AC:DF:A1:B1:F1:5A
(18) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(18) } # update request = noop
(18) [updated] = updated
(18) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(18) ... skipping else: Preceding "if" was taken
(18) } # policy rewrite_calling_station_id = updated
(18) if (Service-Type == Call-Check) {
(18) if (Service-Type == Call-Check) -> FALSE
(18) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(18) EXPAND Packet-Src-IP-Address
(18) --> 1.2.3.4
(18) EXPAND Packet-Src-IP-Address
(18) --> 1.2.3.4
(18) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(18) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(18) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(18) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(18) if (EAP-Message) {
(18) if (EAP-Message) -> TRUE
(18) if (EAP-Message) {
(18) policy filter_username {
(18) if (&User-Name) {
(18) if (&User-Name) -> TRUE
(18) if (&User-Name) {
(18) if (&User-Name =~ / /) {
(18) if (&User-Name =~ / /) -> FALSE
(18) if (&User-Name =~ /@[^@]*@/ ) {
(18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(18) if (&User-Name =~ /\.\./ ) {
(18) if (&User-Name =~ /\.\./ ) -> FALSE
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(18) if (&User-Name =~ /\.$/) {
(18) if (&User-Name =~ /\.$/) -> FALSE
(18) if (&User-Name =~ /(a)\./) {
(18) if (&User-Name =~ /(a)\./) -> FALSE
(18) } # if (&User-Name) = updated
(18) } # policy filter_username = updated
(18) suffix: Checking for suffix after "@"
(18) suffix: Looking up realm "unibe.ch" for User-Name = anonymous(a)unibe.ch
(18) suffix: Found realm "UNIBE.CH"
(18) suffix: Adding Realm = "UNIBE.CH"
(18) suffix: Authentication realm is LOCAL
(18) [suffix] = ok
(18) policy deny_no_realm {
(18) if (User-Name && (User-Name !~ /@/)) {
(18) if (User-Name && (User-Name !~ /@/)) -> FALSE
(18) } # policy deny_no_realm = updated
(18) update request {
(18) EXPAND %{toupper:%{Realm}}
(18) --> UNIBE.CH
(18) Realm := UNIBE.CH
(18) } # update request = noop
(18) eap: Peer sent EAP Response (code 2) ID 5 length 6
(18) eap: Continuing tunnel setup
(18) [eap] = ok
(18) } # if (EAP-Message) = ok
(18) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(18) } # authorize = updated
(18) Found Auth-Type = eap
(18) # Executing group from file /etc/freeradius/sites-enabled/default
(18) Auth-Type eap {
(18) eap: Removing EAP session with state 0x1a0c7e7719096752
(18) eap: Previous EAP request found for state 0x1a0c7e7719096752, released from the list
(18) eap: Peer sent packet with method EAP PEAP (25)
(18) eap: Calling submodule eap_peap to process data
(18) eap_peap: (TLS) Peer ACKed our handshake fragment
(18) eap: Sending EAP Request (code 1) ID 6 length 1020
(18) eap: EAP session adding &reply:State = 0x1a0c7e771e0a6752
(18) [eap] = handled
(18) if (handled && (Response-Packet-Type == Access-Challenge)) {
(18) EXPAND Response-Packet-Type
(18) --> Access-Challenge
(18) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(18) if (handled && (Response-Packet-Type == Access-Challenge)) {
(18) attr_filter.access_challenge: EXPAND %{User-Name}
(18) attr_filter.access_challenge: --> anonymous(a)unibe.ch
(18) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(18) [attr_filter.access_challenge.post-auth] = updated
(18) [handled] = handled
(18) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(18) } # Auth-Type eap = handled
(18) Using Post-Auth-Type Challenge
(18) Post-Auth-Type sub-section not found. Ignoring.
(18) # Executing group from file /etc/freeradius/sites-enabled/default
(18) session-state: Saving cached attributes
(18) Framed-MTU = 1014
(18) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(18) Sent Access-Challenge Id 165 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1086
(18) EAP-Message = 0x010603fc1940c6278481d47e8c8ca39b52e7c688ec377c2afbf0555a387210d80013cf4c73dbaa3735a82981699c76bcde187b90d4cacfef6703fd045a2116b1ffea3fdfdc82f5ebf45992230d242a95254ccaa191e6d4b7ac8774b3f16da399dbf9d5bd84409f07980003923082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f6261
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0x1a0c7e771e0a675279b57cf47df95d07
(18) Finished request
(19) Received Access-Request Id 166 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462
(19) User-Name = anonymous(a)unibe.ch
(19) Service-Type = Framed-User
(19) Cisco-AVPair = "service-type=Framed"
(19) Framed-MTU = 1485
(19) EAP-Message = 0x020600061900
(19) Message-Authenticator = 0x572ab59ccb8ceac06d4c053497b4dad6
(19) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(19) Cisco-AVPair = "method=dot1x"
(19) Cisco-AVPair = "client-iif-id=2818574557"
(19) Cisco-AVPair = "vlan-id=1000"
(19) NAS-IP-Address = 1.2.3.4
(19) NAS-Port-Id = "capwap_9000000c"
(19) NAS-Port-Type = Wireless-802.11
(19) NAS-Port = 4211
(19) State = 0x1a0c7e771e0a675279b57cf47df95d07
(19) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(19) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(19) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(19) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(19) Airespace-Wlan-Id = 97
(19) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(19) WLAN-Group-Cipher = 1027076
(19) WLAN-Pairwise-Cipher = 1027076
(19) WLAN-AKM-Suite = 1027075
(19) WLAN-Group-Mgmt-Cipher = 1027078
(19) Restoring &session-state
(19) &session-state:Framed-MTU = 1014
(19) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(19) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(19) authorize {
(19) policy rewrite_called_station_id {
(19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(19) update request {
(19) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(19) --> 2C-E3-8E-ED-31-E0
(19) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(19) } # update request = noop
(19) if ("%{8}") {
(19) EXPAND %{8}
(19) --> eduroam
(19) if ("%{8}") -> TRUE
(19) if ("%{8}") {
(19) update request {
(19) EXPAND %{8}
(19) --> eduroam
(19) &Called-Station-SSID := eduroam
(19) EXPAND %{Called-Station-Id}:%{8}
(19) --> 2C-E3-8E-ED-31-E0:eduroam
(19) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(19) } # update request = noop
(19) } # if ("%{8}") = noop
(19) [updated] = updated
(19) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(19) ... skipping else: Preceding "if" was taken
(19) } # policy rewrite_called_station_id = updated
(19) policy rewrite_calling_station_id {
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(19) update request {
(19) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(19) --> AC-DF-A1-B1-F1-5A
(19) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(19) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(19) --> AC:DF:A1:B1:F1:5A
(19) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(19) } # update request = noop
(19) [updated] = updated
(19) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(19) ... skipping else: Preceding "if" was taken
(19) } # policy rewrite_calling_station_id = updated
(19) if (Service-Type == Call-Check) {
(19) if (Service-Type == Call-Check) -> FALSE
(19) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(19) EXPAND Packet-Src-IP-Address
(19) --> 1.2.3.4
(19) EXPAND Packet-Src-IP-Address
(19) --> 1.2.3.4
(19) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(19) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(19) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(19) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(19) if (EAP-Message) {
(19) if (EAP-Message) -> TRUE
(19) if (EAP-Message) {
(19) policy filter_username {
(19) if (&User-Name) {
(19) if (&User-Name) -> TRUE
(19) if (&User-Name) {
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@[^@]*@/ ) {
(19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /(a)\./) {
(19) if (&User-Name =~ /(a)\./) -> FALSE
(19) } # if (&User-Name) = updated
(19) } # policy filter_username = updated
(19) suffix: Checking for suffix after "@"
(19) suffix: Looking up realm "unibe.ch" for User-Name = anonymous(a)unibe.ch
(19) suffix: Found realm "UNIBE.CH"
(19) suffix: Adding Realm = "UNIBE.CH"
(19) suffix: Authentication realm is LOCAL
(19) [suffix] = ok
(19) policy deny_no_realm {
(19) if (User-Name && (User-Name !~ /@/)) {
(19) if (User-Name && (User-Name !~ /@/)) -> FALSE
(19) } # policy deny_no_realm = updated
(19) update request {
(19) EXPAND %{toupper:%{Realm}}
(19) --> UNIBE.CH
(19) Realm := UNIBE.CH
(19) } # update request = noop
(19) eap: Peer sent EAP Response (code 2) ID 6 length 6
(19) eap: Continuing tunnel setup
(19) [eap] = ok
(19) } # if (EAP-Message) = ok
(19) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(19) } # authorize = updated
(19) Found Auth-Type = eap
(19) # Executing group from file /etc/freeradius/sites-enabled/default
(19) Auth-Type eap {
(19) eap: Removing EAP session with state 0x1a0c7e771e0a6752
(19) eap: Previous EAP request found for state 0x1a0c7e771e0a6752, released from the list
(19) eap: Peer sent packet with method EAP PEAP (25)
(19) eap: Calling submodule eap_peap to process data
(19) eap_peap: (TLS) Peer ACKed our handshake fragment
(19) eap: Sending EAP Request (code 1) ID 7 length 355
(19) eap: EAP session adding &reply:State = 0x1a0c7e771f0b6752
(19) [eap] = handled
(19) if (handled && (Response-Packet-Type == Access-Challenge)) {
(19) EXPAND Response-Packet-Type
(19) --> Access-Challenge
(19) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(19) if (handled && (Response-Packet-Type == Access-Challenge)) {
(19) attr_filter.access_challenge: EXPAND %{User-Name}
(19) attr_filter.access_challenge: --> anonymous(a)unibe.ch
(19) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(19) [attr_filter.access_challenge.post-auth] = updated
(19) [handled] = handled
(19) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(19) } # Auth-Type eap = handled
(19) Using Post-Auth-Type Challenge
(19) Post-Auth-Type sub-section not found. Ignoring.
(19) # Executing group from file /etc/freeradius/sites-enabled/default
(19) session-state: Saving cached attributes
(19) Framed-MTU = 1014
(19) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(19) Sent Access-Challenge Id 166 from 130.92.10.33:1812 to 1.2.3.4:63606 length 415
(19) EAP-Message = 0x01070163190032b6160303014d0c0001490300174104b201a57bca112447dfce17a89ba625c372e0c009eea006a95c79ba5b83514cfc4abe5c00673d4584a35b11ecef0ee23a6e2a18d0c95f8a48f744f685b7bfb054040101001e420d428e4df3bafadfc43614f7e02a46b54eb352afdd238fbe58786c1286d9f48726ae0f45415d47bfb81a54ebf3ac667c828dea5428d65f8c0a1634fc04cd2fddd88809d833251f68c1b85caea91c7c135b8d87ee7b5c91c3fec8e93d09ae2157a548d07e80f8a8ba9cc9267bef2fc1e9433312e89e45d1dbf9650fa7c0f5eb555b12ebf51e2575fe325de4871702c00041a05bf89a779a12f8b0eba2fe702054fb0fc16ec288b6861c55fd6d9a853a574516dbb5684d8b61318e526bc7328643edc25ee4692ac13c9843aba9a028992b5befa9331b65a63b890e5432d66d27e4fc6eae4f0aa2625394096c5e7e469992c9e8003b3af457be9e8309fac01116030100040e000000
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0x1a0c7e771f0b675279b57cf47df95d07
(19) Finished request
(20) Received Access-Request Id 167 from 1.2.3.4:63606 to 130.92.10.33:1812 length 592
(20) User-Name = anonymous(a)unibe.ch
(20) Service-Type = Framed-User
(20) Cisco-AVPair = "service-type=Framed"
(20) Framed-MTU = 1485
(20) EAP-Message = 0x0207008819800000007e16030300461000004241044bdd335d8636b35b96f838a591e11c19c257fa1853f19b291dd5e25fc57342414c3f644fb0abbd7078454afdc6a47d7f15433d807ebbb5d30efaeb9bc509783f14030100010116030300283667ef69fc720083fa52d1f339bce71060104b344322cb0514ad95532ba10a78d425cd99eb1ea915
(20) Message-Authenticator = 0xfa3c07c12db0b8ddfacd1df94f1e5aff
(20) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(20) Cisco-AVPair = "method=dot1x"
(20) Cisco-AVPair = "client-iif-id=2818574557"
(20) Cisco-AVPair = "vlan-id=1000"
(20) NAS-IP-Address = 1.2.3.4
(20) NAS-Port-Id = "capwap_9000000c"
(20) NAS-Port-Type = Wireless-802.11
(20) NAS-Port = 4211
(20) State = 0x1a0c7e771f0b675279b57cf47df95d07
(20) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(20) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(20) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(20) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(20) Airespace-Wlan-Id = 97
(20) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(20) WLAN-Group-Cipher = 1027076
(20) WLAN-Pairwise-Cipher = 1027076
(20) WLAN-AKM-Suite = 1027075
(20) WLAN-Group-Mgmt-Cipher = 1027078
(20) Restoring &session-state
(20) &session-state:Framed-MTU = 1014
(20) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(20) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(20) authorize {
(20) policy rewrite_called_station_id {
(20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(20) update request {
(20) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(20) --> 2C-E3-8E-ED-31-E0
(20) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(20) } # update request = noop
(20) if ("%{8}") {
(20) EXPAND %{8}
(20) --> eduroam
(20) if ("%{8}") -> TRUE
(20) if ("%{8}") {
(20) update request {
(20) EXPAND %{8}
(20) --> eduroam
(20) &Called-Station-SSID := eduroam
(20) EXPAND %{Called-Station-Id}:%{8}
(20) --> 2C-E3-8E-ED-31-E0:eduroam
(20) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(20) } # update request = noop
(20) } # if ("%{8}") = noop
(20) [updated] = updated
(20) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(20) ... skipping else: Preceding "if" was taken
(20) } # policy rewrite_called_station_id = updated
(20) policy rewrite_calling_station_id {
(20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(20) update request {
(20) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(20) --> AC-DF-A1-B1-F1-5A
(20) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(20) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(20) --> AC:DF:A1:B1:F1:5A
(20) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(20) } # update request = noop
(20) [updated] = updated
(20) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(20) ... skipping else: Preceding "if" was taken
(20) } # policy rewrite_calling_station_id = updated
(20) if (Service-Type == Call-Check) {
(20) if (Service-Type == Call-Check) -> FALSE
(20) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(20) EXPAND Packet-Src-IP-Address
(20) --> 1.2.3.4
(20) EXPAND Packet-Src-IP-Address
(20) --> 1.2.3.4
(20) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(20) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(20) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(20) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(20) if (EAP-Message) {
(20) if (EAP-Message) -> TRUE
(20) if (EAP-Message) {
(20) policy filter_username {
(20) if (&User-Name) {
(20) if (&User-Name) -> TRUE
(20) if (&User-Name) {
(20) if (&User-Name =~ / /) {
(20) if (&User-Name =~ / /) -> FALSE
(20) if (&User-Name =~ /@[^@]*@/ ) {
(20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(20) if (&User-Name =~ /\.\./ ) {
(20) if (&User-Name =~ /\.\./ ) -> FALSE
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(20) if (&User-Name =~ /\.$/) {
(20) if (&User-Name =~ /\.$/) -> FALSE
(20) if (&User-Name =~ /(a)\./) {
(20) if (&User-Name =~ /(a)\./) -> FALSE
(20) } # if (&User-Name) = updated
(20) } # policy filter_username = updated
(20) suffix: Checking for suffix after "@"
(20) suffix: Looking up realm "unibe.ch" for User-Name = anonymous(a)unibe.ch
(20) suffix: Found realm "UNIBE.CH"
(20) suffix: Adding Realm = "UNIBE.CH"
(20) suffix: Authentication realm is LOCAL
(20) [suffix] = ok
(20) policy deny_no_realm {
(20) if (User-Name && (User-Name !~ /@/)) {
(20) if (User-Name && (User-Name !~ /@/)) -> FALSE
(20) } # policy deny_no_realm = updated
(20) update request {
(20) EXPAND %{toupper:%{Realm}}
(20) --> UNIBE.CH
(20) Realm := UNIBE.CH
(20) } # update request = noop
(20) eap: Peer sent EAP Response (code 2) ID 7 length 136
(20) eap: Continuing tunnel setup
(20) [eap] = ok
(20) } # if (EAP-Message) = ok
(20) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(20) } # authorize = updated
(20) Found Auth-Type = eap
(20) # Executing group from file /etc/freeradius/sites-enabled/default
(20) Auth-Type eap {
(20) eap: Removing EAP session with state 0x1a0c7e771f0b6752
(20) eap: Previous EAP request found for state 0x1a0c7e771f0b6752, released from the list
(20) eap: Peer sent packet with method EAP PEAP (25)
(20) eap: Calling submodule eap_peap to process data
(20) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes
(20) eap_peap: (TLS) EAP Got all data (126 bytes)
(20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done
(20) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange
(20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange
(20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec
(20) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished
(20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished
(20) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec
(20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec
(20) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished
(20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished
(20) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully
(20) eap_peap: (TLS) PEAP - Connection Established
(20) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(20) eap_peap: TLS-Session-Version = "TLS 1.2"
(20) eap: Sending EAP Request (code 1) ID 8 length 57
(20) eap: EAP session adding &reply:State = 0x1a0c7e771c046752
(20) [eap] = handled
(20) if (handled && (Response-Packet-Type == Access-Challenge)) {
(20) EXPAND Response-Packet-Type
(20) --> Access-Challenge
(20) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(20) if (handled && (Response-Packet-Type == Access-Challenge)) {
(20) attr_filter.access_challenge: EXPAND %{User-Name}
(20) attr_filter.access_challenge: --> anonymous(a)unibe.ch
(20) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(20) [attr_filter.access_challenge.post-auth] = updated
(20) [handled] = handled
(20) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(20) } # Auth-Type eap = handled
(20) Using Post-Auth-Type Challenge
(20) Post-Auth-Type sub-section not found. Ignoring.
(20) # Executing group from file /etc/freeradius/sites-enabled/default
(20) session-state: Saving cached attributes
(20) Framed-MTU = 1014
(20) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(20) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(20) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(20) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(20) TLS-Session-Version = "TLS 1.2"
(20) Sent Access-Challenge Id 167 from 130.92.10.33:1812 to 1.2.3.4:63606 length 115
(20) EAP-Message = 0x010800391900140301000101160303002869cd9549766a5c057197e758662301e6fe3808b412033491c980bcc9560e2fe6e86f4e532b875f92
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) State = 0x1a0c7e771c04675279b57cf47df95d07
(20) Finished request
(21) Received Access-Request Id 168 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462
(21) User-Name = anonymous(a)unibe.ch
(21) Service-Type = Framed-User
(21) Cisco-AVPair = "service-type=Framed"
(21) Framed-MTU = 1485
(21) EAP-Message = 0x020800061900
(21) Message-Authenticator = 0x9c7f30b1e78bb9f5274c566d1a73f367
(21) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(21) Cisco-AVPair = "method=dot1x"
(21) Cisco-AVPair = "client-iif-id=2818574557"
(21) Cisco-AVPair = "vlan-id=1000"
(21) NAS-IP-Address = 1.2.3.4
(21) NAS-Port-Id = "capwap_9000000c"
(21) NAS-Port-Type = Wireless-802.11
(21) NAS-Port = 4211
(21) State = 0x1a0c7e771c04675279b57cf47df95d07
(21) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(21) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(21) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(21) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(21) Airespace-Wlan-Id = 97
(21) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(21) WLAN-Group-Cipher = 1027076
(21) WLAN-Pairwise-Cipher = 1027076
(21) WLAN-AKM-Suite = 1027075
(21) WLAN-Group-Mgmt-Cipher = 1027078
(21) Restoring &session-state
(21) &session-state:Framed-MTU = 1014
(21) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
Waking up in 0.2 seconds.
(21) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(21) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(21) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(21) &session-state:TLS-Session-Version = "TLS 1.2"
(21) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(21) authorize {
(21) policy rewrite_called_station_id {
(21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(21) update request {
(21) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(21) --> 2C-E3-8E-ED-31-E0
(21) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(21) } # update request = noop
(21) if ("%{8}") {
(21) EXPAND %{8}
(21) --> eduroam
(21) if ("%{8}") -> TRUE
(21) if ("%{8}") {
(21) update request {
(21) EXPAND %{8}
(21) --> eduroam
(21) &Called-Station-SSID := eduroam
(21) EXPAND %{Called-Station-Id}:%{8}
(21) --> 2C-E3-8E-ED-31-E0:eduroam
(21) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(21) } # update request = noop
(21) } # if ("%{8}") = noop
(21) [updated] = updated
(21) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(21) ... skipping else: Preceding "if" was taken
(21) } # policy rewrite_called_station_id = updated
(21) policy rewrite_calling_station_id {
(21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(21) update request {
(21) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(21) --> AC-DF-A1-B1-F1-5A
(21) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(21) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(21) --> AC:DF:A1:B1:F1:5A
(21) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(21) } # update request = noop
(21) [updated] = updated
(21) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(21) ... skipping else: Preceding "if" was taken
(21) } # policy rewrite_calling_station_id = updated
(21) if (Service-Type == Call-Check) {
(21) if (Service-Type == Call-Check) -> FALSE
(21) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(21) EXPAND Packet-Src-IP-Address
(21) --> 1.2.3.4
(21) EXPAND Packet-Src-IP-Address
(21) --> 1.2.3.4
(21) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(21) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(21) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(21) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(21) if (EAP-Message) {
(21) if (EAP-Message) -> TRUE
(21) if (EAP-Message) {
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /(a)\./) {
(21) if (&User-Name =~ /(a)\./) -> FALSE
(21) } # if (&User-Name) = updated
(21) } # policy filter_username = updated
(21) suffix: Checking for suffix after "@"
(21) suffix: Looking up realm "unibe.ch" for User-Name = anonymous(a)unibe.ch
(21) suffix: Found realm "UNIBE.CH"
(21) suffix: Adding Realm = "UNIBE.CH"
(21) suffix: Authentication realm is LOCAL
(21) [suffix] = ok
(21) policy deny_no_realm {
(21) if (User-Name && (User-Name !~ /@/)) {
(21) if (User-Name && (User-Name !~ /@/)) -> FALSE
(21) } # policy deny_no_realm = updated
(21) update request {
(21) EXPAND %{toupper:%{Realm}}
(21) --> UNIBE.CH
(21) Realm := UNIBE.CH
(21) } # update request = noop
(21) eap: Peer sent EAP Response (code 2) ID 8 length 6
(21) eap: Continuing tunnel setup
(21) [eap] = ok
(21) } # if (EAP-Message) = ok
(21) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(21) } # authorize = updated
(21) Found Auth-Type = eap
(21) # Executing group from file /etc/freeradius/sites-enabled/default
(21) Auth-Type eap {
(21) eap: Removing EAP session with state 0x1a0c7e771c046752
(21) eap: Previous EAP request found for state 0x1a0c7e771c046752, released from the list
(21) eap: Peer sent packet with method EAP PEAP (25)
(21) eap: Calling submodule eap_peap to process data
(21) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished
(21) eap_peap: Session established. Decoding tunneled attributes
(21) eap_peap: PEAP state TUNNEL ESTABLISHED
(21) eap: Sending EAP Request (code 1) ID 9 length 40
(21) eap: EAP session adding &reply:State = 0x1a0c7e771d056752
(21) [eap] = handled
(21) if (handled && (Response-Packet-Type == Access-Challenge)) {
(21) EXPAND Response-Packet-Type
(21) --> Access-Challenge
(21) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(21) if (handled && (Response-Packet-Type == Access-Challenge)) {
(21) attr_filter.access_challenge: EXPAND %{User-Name}
(21) attr_filter.access_challenge: --> anonymous(a)unibe.ch
(21) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(21) [attr_filter.access_challenge.post-auth] = updated
(21) [handled] = handled
(21) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(21) } # Auth-Type eap = handled
(21) Using Post-Auth-Type Challenge
(21) Post-Auth-Type sub-section not found. Ignoring.
(21) # Executing group from file /etc/freeradius/sites-enabled/default
(21) session-state: Saving cached attributes
(21) Framed-MTU = 1014
(21) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(21) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(21) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(21) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(21) TLS-Session-Version = "TLS 1.2"
(21) Sent Access-Challenge Id 168 from 130.92.10.33:1812 to 1.2.3.4:63606 length 98
(21) EAP-Message = 0x010900281900170303001d69cd9549766a5c065b771e1e6ad4419bc5deec9aca8c6dc933d69e4320
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) State = 0x1a0c7e771d05675279b57cf47df95d07
(21) Finished request
(22) Received Access-Request Id 169 from 1.2.3.4:63606 to 130.92.10.33:1812 length 516
(22) User-Name = anonymous(a)unibe.ch
(22) Service-Type = Framed-User
(22) Cisco-AVPair = "service-type=Framed"
(22) Framed-MTU = 1485
(22) EAP-Message = 0x0209003c190017030300313667ef69fc720084f72dcb9c5d07674afc517dc2cee1604014c42f78dd87c1fc4dd53bf9579819c736546b1d6568257d75
(22) Message-Authenticator = 0x06ac4226a9e15764f25be4a011e74e0d
(22) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(22) Cisco-AVPair = "method=dot1x"
(22) Cisco-AVPair = "client-iif-id=2818574557"
(22) Cisco-AVPair = "vlan-id=1000"
(22) NAS-IP-Address = 1.2.3.4
(22) NAS-Port-Id = "capwap_9000000c"
(22) NAS-Port-Type = Wireless-802.11
(22) NAS-Port = 4211
(22) State = 0x1a0c7e771d05675279b57cf47df95d07
(22) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(22) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(22) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(22) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(22) Airespace-Wlan-Id = 97
(22) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(22) WLAN-Group-Cipher = 1027076
(22) WLAN-Pairwise-Cipher = 1027076
(22) WLAN-AKM-Suite = 1027075
(22) WLAN-Group-Mgmt-Cipher = 1027078
(22) Restoring &session-state
(22) &session-state:Framed-MTU = 1014
(22) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(22) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(22) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(22) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(22) &session-state:TLS-Session-Version = "TLS 1.2"
(22) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(22) authorize {
(22) policy rewrite_called_station_id {
(22) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(22) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(22) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(22) update request {
(22) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(22) --> 2C-E3-8E-ED-31-E0
(22) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(22) } # update request = noop
(22) if ("%{8}") {
(22) EXPAND %{8}
(22) --> eduroam
(22) if ("%{8}") -> TRUE
(22) if ("%{8}") {
(22) update request {
(22) EXPAND %{8}
(22) --> eduroam
(22) &Called-Station-SSID := eduroam
(22) EXPAND %{Called-Station-Id}:%{8}
(22) --> 2C-E3-8E-ED-31-E0:eduroam
(22) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(22) } # update request = noop
(22) } # if ("%{8}") = noop
(22) [updated] = updated
(22) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(22) ... skipping else: Preceding "if" was taken
(22) } # policy rewrite_called_station_id = updated
(22) policy rewrite_calling_station_id {
(22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(22) update request {
(22) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(22) --> AC-DF-A1-B1-F1-5A
(22) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(22) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(22) --> AC:DF:A1:B1:F1:5A
(22) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(22) } # update request = noop
(22) [updated] = updated
(22) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(22) ... skipping else: Preceding "if" was taken
(22) } # policy rewrite_calling_station_id = updated
(22) if (Service-Type == Call-Check) {
(22) if (Service-Type == Call-Check) -> FALSE
(22) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(22) EXPAND Packet-Src-IP-Address
(22) --> 1.2.3.4
(22) EXPAND Packet-Src-IP-Address
(22) --> 1.2.3.4
(22) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(22) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(22) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(22) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(22) if (EAP-Message) {
(22) if (EAP-Message) -> TRUE
(22) if (EAP-Message) {
(22) policy filter_username {
(22) if (&User-Name) {
(22) if (&User-Name) -> TRUE
(22) if (&User-Name) {
(22) if (&User-Name =~ / /) {
(22) if (&User-Name =~ / /) -> FALSE
(22) if (&User-Name =~ /@[^@]*@/ ) {
(22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(22) if (&User-Name =~ /\.\./ ) {
(22) if (&User-Name =~ /\.\./ ) -> FALSE
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(22) if (&User-Name =~ /\.$/) {
(22) if (&User-Name =~ /\.$/) -> FALSE
(22) if (&User-Name =~ /(a)\./) {
(22) if (&User-Name =~ /(a)\./) -> FALSE
(22) } # if (&User-Name) = updated
(22) } # policy filter_username = updated
(22) suffix: Checking for suffix after "@"
(22) suffix: Looking up realm "unibe.ch" for User-Name = anonymous(a)unibe.ch
(22) suffix: Found realm "UNIBE.CH"
(22) suffix: Adding Realm = "UNIBE.CH"
(22) suffix: Authentication realm is LOCAL
(22) [suffix] = ok
(22) policy deny_no_realm {
(22) if (User-Name && (User-Name !~ /@/)) {
(22) if (User-Name && (User-Name !~ /@/)) -> FALSE
(22) } # policy deny_no_realm = updated
(22) update request {
(22) EXPAND %{toupper:%{Realm}}
(22) --> UNIBE.CH
(22) Realm := UNIBE.CH
(22) } # update request = noop
(22) eap: Peer sent EAP Response (code 2) ID 9 length 60
(22) eap: Continuing tunnel setup
(22) [eap] = ok
(22) } # if (EAP-Message) = ok
(22) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(22) } # authorize = updated
(22) Found Auth-Type = eap
(22) # Executing group from file /etc/freeradius/sites-enabled/default
(22) Auth-Type eap {
(22) eap: Removing EAP session with state 0x1a0c7e771d056752
(22) eap: Previous EAP request found for state 0x1a0c7e771d056752, released from the list
(22) eap: Peer sent packet with method EAP PEAP (25)
(22) eap: Calling submodule eap_peap to process data
(22) eap_peap: (TLS) EAP Done initial handshake
(22) eap_peap: Session established. Decoding tunneled attributes
(22) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(22) eap_peap: Identity - jon.doe(a)unibe.ch
(22) eap_peap: Got inner identity 'jon.doe(a)unibe.ch'
(22) eap_peap: Setting default EAP type for tunneled EAP session
(22) eap_peap: Got tunneled request
(22) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368
(22) eap_peap: Setting User-Name to jon.doe(a)unibe.ch
(22) eap_peap: Sending tunneled request to proxy-inner-tunnel
(22) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368
(22) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(22) eap_peap: User-Name = jon.doe(a)unibe.ch
(22) eap_peap: Service-Type = Framed-User
(22) eap_peap: Cisco-AVPair = "service-type=Framed"
(22) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(22) eap_peap: Cisco-AVPair = "method=dot1x"
(22) eap_peap: Cisco-AVPair = "client-iif-id=2818574557"
(22) eap_peap: Cisco-AVPair = "vlan-id=1000"
(22) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(22) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(22) eap_peap: Framed-MTU = 1485
(22) eap_peap: NAS-IP-Address = 1.2.3.4
(22) eap_peap: NAS-Port-Id = "capwap_9000000c"
(22) eap_peap: NAS-Port-Type = Wireless-802.11
(22) eap_peap: NAS-Port = 4211
(22) eap_peap: Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam"
(22) eap_peap: Calling-Station-Id := "AC-DF-A1-B1-F1-5A"
(22) eap_peap: Airespace-Wlan-Id = 97
(22) eap_peap: NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(22) eap_peap: WLAN-Group-Cipher = 1027076
(22) eap_peap: WLAN-Pairwise-Cipher = 1027076
(22) eap_peap: WLAN-AKM-Suite = 1027075
(22) eap_peap: WLAN-Group-Mgmt-Cipher = 1027078
(22) Virtual server proxy-inner-tunnel received request
(22) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368
(22) FreeRADIUS-Proxied-To = 127.0.0.1
(22) User-Name = jon.doe(a)unibe.ch
(22) Service-Type = Framed-User
(22) Cisco-AVPair = "service-type=Framed"
(22) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(22) Cisco-AVPair = "method=dot1x"
(22) Cisco-AVPair = "client-iif-id=2818574557"
(22) Cisco-AVPair = "vlan-id=1000"
(22) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(22) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(22) Framed-MTU = 1485
(22) NAS-IP-Address = 1.2.3.4
(22) NAS-Port-Id = "capwap_9000000c"
(22) NAS-Port-Type = Wireless-802.11
(22) NAS-Port = 4211
(22) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam"
(22) Calling-Station-Id := "AC-DF-A1-B1-F1-5A"
(22) Airespace-Wlan-Id = 97
(22) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(22) WLAN-Group-Cipher = 1027076
(22) WLAN-Pairwise-Cipher = 1027076
(22) WLAN-AKM-Suite = 1027075
(22) WLAN-Group-Mgmt-Cipher = 1027078
(22) server proxy-inner-tunnel {
(22) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(22) authorize {
(22) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) {
(22) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE
(22) if (!NAS-Port-Type){
(22) if (!NAS-Port-Type) -> FALSE
(22) update control {
(22) &Proxy-To-Realm := REALM-NPS-DEV
(22) } # update control = noop
(22) } # authorize = noop
(22) } # server proxy-inner-tunnel
(22) Virtual server sending reply
(22) eap_peap: Got tunneled reply code 0
(22) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV
(22) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(22) [eap] = handled
(22) if (handled && (Response-Packet-Type == Access-Challenge)) {
(22) EXPAND Response-Packet-Type
(22) -->
(22) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(22) } # Auth-Type eap = handled
(22) Starting proxy to home server 9.9.9.9 port 1812
(22) server default {
(22) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(22) pre-proxy {
(22) attr_filter.pre-proxy: EXPAND %{Realm}
(22) attr_filter.pre-proxy: --> UNIBE.CH
(22) attr_filter.pre-proxy: Matched entry DEFAULT at line 50
(22) [attr_filter.pre-proxy] = updated
(22) } # pre-proxy = updated
(22) }
(22) Proxying request to home server 9.9.9.9 port 1812 timeout 20.000000
(22) Sent Access-Request Id 22 from 0.0.0.0:57225 to 9.9.9.9:1812 length 196
(22) Operator-Name := "1unibe.ch"
(22) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368
(22) User-Name = jon.doe(a)unibe.ch
(22) NAS-IP-Address = 1.2.3.4
(22) NAS-Port-Type = Wireless-802.11
(22) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam"
(22) Calling-Station-Id := "AC-DF-A1-B1-F1-5A"
(22) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(22) Message-Authenticator = 0x
(22) Proxy-State = 0x313639
(22) Clearing existing &reply: attributes
(22) Received Access-Challenge Id 22 from 9.9.9.9:1812 to 130.92.10.33:57225 length 128
(22) Message-Authenticator = 0x244c144bb9e47072809171dc07b68fe3
(22) Proxy-State = 0x313639
(22) Session-Timeout = 60
(22) EAP-Message = 0x010a00271a010a002210eeffe7fe7433fc33577c646e400a39e24141492d4e50532d4544555632
(22) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(22) server default {
Waking up in 0.2 seconds.
(22) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(22) post-proxy {
(22) attr_filter.post-proxy: EXPAND %{Realm}
(22) attr_filter.post-proxy: --> UNIBE.CH
(22) attr_filter.post-proxy: Matched entry UNIBE.CH at line 102
(22) [attr_filter.post-proxy] = updated
(22) eap: Doing post-proxy callback
(22) eap: Passing reply from proxy back into the tunnel
(22) eap: Got tunneled reply RADIUS code 11
(22) eap: Tunnel-Type := VLAN
(22) eap: Tunnel-Medium-Type := IEEE-802
(22) eap: Message-Authenticator = 0x244c144bb9e47072809171dc07b68fe3
(22) eap: Proxy-State = 0x313639
(22) eap: EAP-Message = 0x010a00271a010a002210eeffe7fe7433fc33577c646e400a39e24141492d4e50532d4544555632
(22) eap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(22) eap: Got tunneled Access-Challenge
(22) eap: Reply was handled
(22) eap: Sending EAP Request (code 1) ID 10 length 70
(22) eap: EAP session adding &reply:State = 0x1a0c7e7712066752
(22) [eap] = ok
(22) } # post-proxy = updated
(22) }
(22) session-state: Saving cached attributes
(22) Framed-MTU = 1014
(22) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(22) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(22) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(22) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(22) TLS-Session-Version = "TLS 1.2"
(22) Using Post-Auth-Type Challenge
(22) Post-Auth-Type sub-section not found. Ignoring.
(22) # Executing group from file /etc/freeradius/sites-enabled/default
(22) Sent Access-Challenge Id 169 from 130.92.10.33:1812 to 1.2.3.4:63606 length 128
(22) EAP-Message = 0x010a00461900170303003b69cd9549766a5c07e7a533b4954f2b8a2f7d523485391d6347a7c8b129d5f82e531ee88bad59bbd4d844e6ca0cdcd6368cc58ada378c7aa1d5fb65
(22) Message-Authenticator = 0x00000000000000000000000000000000
(22) State = 0x1a0c7e771206675279b57cf47df95d07
(22) Finished request
(23) Received Access-Request Id 170 from 1.2.3.4:63606 to 130.92.10.33:1812 length 570
(23) User-Name = anonymous(a)unibe.ch
(23) Service-Type = Framed-User
(23) Cisco-AVPair = "service-type=Framed"
(23) Framed-MTU = 1485
(23) EAP-Message = 0x020a0072190017030300673667ef69fc7200855481c10f1f4a4302825d6e8e053a95b0043c86a557ab14b7cff518ef0e171c44cf1611aa60a6c005975617ce937379fa7458eb80d9295d9eec138d40cce24f5c736bc8763e2ef3ed83500c10663e2db0027b9bccb0657050e251766881076a
(23) Message-Authenticator = 0xbae882ea47144349739d08cdc2273497
(23) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(23) Cisco-AVPair = "method=dot1x"
(23) Cisco-AVPair = "client-iif-id=2818574557"
(23) Cisco-AVPair = "vlan-id=1000"
(23) NAS-IP-Address = 1.2.3.4
(23) NAS-Port-Id = "capwap_9000000c"
(23) NAS-Port-Type = Wireless-802.11
(23) NAS-Port = 4211
(23) State = 0x1a0c7e771206675279b57cf47df95d07
(23) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(23) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(23) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(23) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(23) Airespace-Wlan-Id = 97
(23) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(23) WLAN-Group-Cipher = 1027076
(23) WLAN-Pairwise-Cipher = 1027076
(23) WLAN-AKM-Suite = 1027075
(23) WLAN-Group-Mgmt-Cipher = 1027078
(23) session-state: No cached attributes
(23) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(23) authorize {
(23) policy rewrite_called_station_id {
(23) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(23) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(23) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(23) update request {
(23) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(23) --> 2C-E3-8E-ED-31-E0
(23) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(23) } # update request = noop
(23) if ("%{8}") {
(23) EXPAND %{8}
(23) --> eduroam
(23) if ("%{8}") -> TRUE
(23) if ("%{8}") {
(23) update request {
(23) EXPAND %{8}
(23) --> eduroam
(23) &Called-Station-SSID := eduroam
(23) EXPAND %{Called-Station-Id}:%{8}
(23) --> 2C-E3-8E-ED-31-E0:eduroam
(23) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(23) } # update request = noop
(23) } # if ("%{8}") = noop
(23) [updated] = updated
(23) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(23) ... skipping else: Preceding "if" was taken
(23) } # policy rewrite_called_station_id = updated
(23) policy rewrite_calling_station_id {
(23) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(23) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(23) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(23) update request {
(23) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(23) --> AC-DF-A1-B1-F1-5A
(23) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(23) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(23) --> AC:DF:A1:B1:F1:5A
(23) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(23) } # update request = noop
(23) [updated] = updated
(23) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(23) ... skipping else: Preceding "if" was taken
(23) } # policy rewrite_calling_station_id = updated
(23) if (Service-Type == Call-Check) {
(23) if (Service-Type == Call-Check) -> FALSE
(23) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(23) EXPAND Packet-Src-IP-Address
(23) --> 1.2.3.4
(23) EXPAND Packet-Src-IP-Address
(23) --> 1.2.3.4
(23) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(23) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(23) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(23) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(23) if (EAP-Message) {
(23) if (EAP-Message) -> TRUE
(23) if (EAP-Message) {
(23) policy filter_username {
(23) if (&User-Name) {
(23) if (&User-Name) -> TRUE
(23) if (&User-Name) {
(23) if (&User-Name =~ / /) {
(23) if (&User-Name =~ / /) -> FALSE
(23) if (&User-Name =~ /@[^@]*@/ ) {
(23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(23) if (&User-Name =~ /\.\./ ) {
(23) if (&User-Name =~ /\.\./ ) -> FALSE
(23) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(23) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(23) if (&User-Name =~ /\.$/) {
(23) if (&User-Name =~ /\.$/) -> FALSE
(23) if (&User-Name =~ /(a)\./) {
(23) if (&User-Name =~ /(a)\./) -> FALSE
(23) } # if (&User-Name) = updated
(23) } # policy filter_username = updated
(23) suffix: Checking for suffix after "@"
(23) suffix: Looking up realm "unibe.ch" for User-Name = anonymous(a)unibe.ch
(23) suffix: Found realm "UNIBE.CH"
(23) suffix: Adding Realm = "UNIBE.CH"
(23) suffix: Authentication realm is LOCAL
(23) [suffix] = ok
(23) policy deny_no_realm {
(23) if (User-Name && (User-Name !~ /@/)) {
(23) if (User-Name && (User-Name !~ /@/)) -> FALSE
(23) } # policy deny_no_realm = updated
(23) update request {
(23) EXPAND %{toupper:%{Realm}}
(23) --> UNIBE.CH
(23) Realm := UNIBE.CH
(23) } # update request = noop
(23) eap: Peer sent EAP Response (code 2) ID 10 length 114
(23) eap: Continuing tunnel setup
(23) [eap] = ok
(23) } # if (EAP-Message) = ok
(23) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(23) } # authorize = updated
(23) Found Auth-Type = eap
(23) # Executing group from file /etc/freeradius/sites-enabled/default
(23) Auth-Type eap {
(23) eap: Removing EAP session with state 0x1a0c7e7712066752
(23) eap: Previous EAP request found for state 0x1a0c7e7712066752, released from the list
(23) eap: Peer sent packet with method EAP PEAP (25)
(23) eap: Calling submodule eap_peap to process data
(23) eap_peap: (TLS) EAP Done initial handshake
(23) eap_peap: Session established. Decoding tunneled attributes
(23) eap_peap: PEAP state phase2
(23) eap_peap: EAP method MSCHAPv2 (26)
(23) eap_peap: Got tunneled request
(23) eap_peap: EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368
(23) eap_peap: Setting User-Name to jon.doe(a)unibe.ch
(23) eap_peap: Sending tunneled request to proxy-inner-tunnel
(23) eap_peap: EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368
(23) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(23) eap_peap: User-Name = jon.doe(a)unibe.ch
(23) eap_peap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(23) eap_peap: Service-Type = Framed-User
(23) eap_peap: Cisco-AVPair = "service-type=Framed"
(23) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(23) eap_peap: Cisco-AVPair = "method=dot1x"
(23) eap_peap: Cisco-AVPair = "client-iif-id=2818574557"
(23) eap_peap: Cisco-AVPair = "vlan-id=1000"
(23) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(23) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(23) eap_peap: Framed-MTU = 1485
(23) eap_peap: NAS-IP-Address = 1.2.3.4
(23) eap_peap: NAS-Port-Id = "capwap_9000000c"
(23) eap_peap: NAS-Port-Type = Wireless-802.11
(23) eap_peap: NAS-Port = 4211
(23) eap_peap: Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam"
(23) eap_peap: Calling-Station-Id := "AC-DF-A1-B1-F1-5A"
(23) eap_peap: Airespace-Wlan-Id = 97
(23) eap_peap: NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(23) eap_peap: WLAN-Group-Cipher = 1027076
(23) eap_peap: WLAN-Pairwise-Cipher = 1027076
(23) eap_peap: WLAN-AKM-Suite = 1027075
(23) eap_peap: WLAN-Group-Mgmt-Cipher = 1027078
(23) Virtual server proxy-inner-tunnel received request
(23) EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368
(23) FreeRADIUS-Proxied-To = 127.0.0.1
(23) User-Name = jon.doe(a)unibe.ch
(23) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(23) Service-Type = Framed-User
(23) Cisco-AVPair = "service-type=Framed"
(23) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(23) Cisco-AVPair = "method=dot1x"
(23) Cisco-AVPair = "client-iif-id=2818574557"
(23) Cisco-AVPair = "vlan-id=1000"
(23) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(23) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(23) Framed-MTU = 1485
(23) NAS-IP-Address = 1.2.3.4
(23) NAS-Port-Id = "capwap_9000000c"
(23) NAS-Port-Type = Wireless-802.11
(23) NAS-Port = 4211
(23) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam"
(23) Calling-Station-Id := "AC-DF-A1-B1-F1-5A"
(23) Airespace-Wlan-Id = 97
(23) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(23) WLAN-Group-Cipher = 1027076
(23) WLAN-Pairwise-Cipher = 1027076
(23) WLAN-AKM-Suite = 1027075
(23) WLAN-Group-Mgmt-Cipher = 1027078
(23) server proxy-inner-tunnel {
(23) session-state: No cached attributes
(23) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(23) authorize {
(23) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) {
(23) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE
(23) if (!NAS-Port-Type){
(23) if (!NAS-Port-Type) -> FALSE
(23) update control {
(23) &Proxy-To-Realm := REALM-NPS-DEV
(23) } # update control = noop
(23) } # authorize = noop
(23) } # server proxy-inner-tunnel
(23) Virtual server sending reply
(23) eap_peap: Got tunneled reply code 0
(23) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV
(23) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(23) [eap] = handled
(23) if (handled && (Response-Packet-Type == Access-Challenge)) {
(23) EXPAND Response-Packet-Type
(23) -->
(23) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(23) } # Auth-Type eap = handled
(23) Starting proxy to home server 9.9.9.9 port 1812
(23) server default {
(23) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(23) pre-proxy {
(23) attr_filter.pre-proxy: EXPAND %{Realm}
(23) attr_filter.pre-proxy: --> UNIBE.CH
(23) attr_filter.pre-proxy: Matched entry DEFAULT at line 50
(23) [attr_filter.pre-proxy] = updated
(23) } # pre-proxy = updated
(23) }
(23) Proxying request to home server 9.9.9.9 port 1812 timeout 20.000000
(23) Sent Access-Request Id 23 from 0.0.0.0:57225 to 9.9.9.9:1812 length 288
(23) Operator-Name := "1unibe.ch"
(23) EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368
(23) User-Name = jon.doe(a)unibe.ch
(23) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(23) NAS-IP-Address = 1.2.3.4
(23) NAS-Port-Type = Wireless-802.11
(23) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam"
(23) Calling-Station-Id := "AC-DF-A1-B1-F1-5A"
(23) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(23) Message-Authenticator = 0x
(23) Proxy-State = 0x313730
(23) Clearing existing &reply: attributes
(23) Received Access-Challenge Id 23 from 9.9.9.9:1812 to 130.92.10.33:57225 length 140
(23) Message-Authenticator = 0xe5cf1cf35e1d318a4f24f6ac4de8166a
(23) Proxy-State = 0x313730
(23) Session-Timeout = 60
(23) EAP-Message = 0x010b00331a030a002e533d42374430413432353333434331463134413332324334454333354443333837434632353343383943
(23) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(23) server default {
(23) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(23) post-proxy {
(23) attr_filter.post-proxy: EXPAND %{Realm}
(23) attr_filter.post-proxy: --> UNIBE.CH
(23) attr_filter.post-proxy: Matched entry UNIBE.CH at line 102
(23) [attr_filter.post-proxy] = updated
(23) eap: Doing post-proxy callback
(23) eap: Passing reply from proxy back into the tunnel
(23) eap: Got tunneled reply RADIUS code 11
(23) eap: Tunnel-Type := VLAN
(23) eap: Tunnel-Medium-Type := IEEE-802
(23) eap: Message-Authenticator = 0xe5cf1cf35e1d318a4f24f6ac4de8166a
(23) eap: Proxy-State = 0x313730
(23) eap: EAP-Message = 0x010b00331a030a002e533d42374430413432353333434331463134413332324334454333354443333837434632353343383943
(23) eap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(23) eap: Got tunneled Access-Challenge
(23) eap: Reply was handled
(23) eap: Sending EAP Request (code 1) ID 11 length 82
(23) eap: EAP session adding &reply:State = 0x1a0c7e7713076752
(23) [eap] = ok
(23) } # post-proxy = updated
(23) }
(23) Using Post-Auth-Type Challenge
(23) Post-Auth-Type sub-section not found. Ignoring.
(23) # Executing group from file /etc/freeradius/sites-enabled/default
(23) Sent Access-Challenge Id 170 from 130.92.10.33:1812 to 1.2.3.4:63606 length 140
(23) EAP-Message = 0x010b00521900170303004769cd9549766a5c08877f9dcc3d5bbb0c7718563cf3286f690c07a08da31ea6540f21eb3c1933d7d92dbe22551b18a7d5e2cbf116856b2a68d3fff389ebdb8926e8d42e50522ca4
(23) Message-Authenticator = 0x00000000000000000000000000000000
(23) State = 0x1a0c7e771307675279b57cf47df95d07
(23) Finished request
(24) Received Access-Request Id 171 from 1.2.3.4:63606 to 130.92.10.33:1812 length 493
(24) User-Name = anonymous(a)unibe.ch
(24) Service-Type = Framed-User
(24) Cisco-AVPair = "service-type=Framed"
(24) Framed-MTU = 1485
(24) EAP-Message = 0x020b00251900170303001a3667ef69fc7200864f7f9410f449a59651d6a1975df235030608
(24) Message-Authenticator = 0x9b70bdd088abd8b737cf77c71d3ba2c0
(24) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(24) Cisco-AVPair = "method=dot1x"
(24) Cisco-AVPair = "client-iif-id=2818574557"
(24) Cisco-AVPair = "vlan-id=1000"
(24) NAS-IP-Address = 1.2.3.4
(24) NAS-Port-Id = "capwap_9000000c"
(24) NAS-Port-Type = Wireless-802.11
(24) NAS-Port = 4211
(24) State = 0x1a0c7e771307675279b57cf47df95d07
(24) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(24) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(24) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(24) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(24) Airespace-Wlan-Id = 97
(24) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(24) WLAN-Group-Cipher = 1027076
(24) WLAN-Pairwise-Cipher = 1027076
(24) WLAN-AKM-Suite = 1027075
(24) WLAN-Group-Mgmt-Cipher = 1027078
(24) session-state: No cached attributes
(24) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(24) authorize {
(24) policy rewrite_called_station_id {
(24) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(24) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(24) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(24) update request {
(24) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(24) --> 2C-E3-8E-ED-31-E0
(24) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(24) } # update request = noop
(24) if ("%{8}") {
(24) EXPAND %{8}
(24) --> eduroam
(24) if ("%{8}") -> TRUE
(24) if ("%{8}") {
(24) update request {
(24) EXPAND %{8}
(24) --> eduroam
(24) &Called-Station-SSID := eduroam
(24) EXPAND %{Called-Station-Id}:%{8}
(24) --> 2C-E3-8E-ED-31-E0:eduroam
(24) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(24) } # update request = noop
(24) } # if ("%{8}") = noop
(24) [updated] = updated
(24) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(24) ... skipping else: Preceding "if" was taken
(24) } # policy rewrite_called_station_id = updated
(24) policy rewrite_calling_station_id {
(24) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(24) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(24) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(24) update request {
(24) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(24) --> AC-DF-A1-B1-F1-5A
(24) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(24) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(24) --> AC:DF:A1:B1:F1:5A
(24) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(24) } # update request = noop
(24) [updated] = updated
(24) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(24) ... skipping else: Preceding "if" was taken
(24) } # policy rewrite_calling_station_id = updated
(24) if (Service-Type == Call-Check) {
(24) if (Service-Type == Call-Check) -> FALSE
(24) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(24) EXPAND Packet-Src-IP-Address
(24) --> 1.2.3.4
(24) EXPAND Packet-Src-IP-Address
(24) --> 1.2.3.4
(24) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(24) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(24) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(24) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(24) if (EAP-Message) {
(24) if (EAP-Message) -> TRUE
(24) if (EAP-Message) {
(24) policy filter_username {
(24) if (&User-Name) {
(24) if (&User-Name) -> TRUE
(24) if (&User-Name) {
(24) if (&User-Name =~ / /) {
(24) if (&User-Name =~ / /) -> FALSE
(24) if (&User-Name =~ /@[^@]*@/ ) {
(24) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(24) if (&User-Name =~ /\.\./ ) {
(24) if (&User-Name =~ /\.\./ ) -> FALSE
(24) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(24) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(24) if (&User-Name =~ /\.$/) {
(24) if (&User-Name =~ /\.$/) -> FALSE
(24) if (&User-Name =~ /(a)\./) {
(24) if (&User-Name =~ /(a)\./) -> FALSE
(24) } # if (&User-Name) = updated
(24) } # policy filter_username = updated
(24) suffix: Checking for suffix after "@"
(24) suffix: Looking up realm "unibe.ch" for User-Name = anonymous(a)unibe.ch
(24) suffix: Found realm "UNIBE.CH"
(24) suffix: Adding Realm = "UNIBE.CH"
(24) suffix: Authentication realm is LOCAL
(24) [suffix] = ok
(24) policy deny_no_realm {
(24) if (User-Name && (User-Name !~ /@/)) {
(24) if (User-Name && (User-Name !~ /@/)) -> FALSE
(24) } # policy deny_no_realm = updated
(24) update request {
(24) EXPAND %{toupper:%{Realm}}
(24) --> UNIBE.CH
(24) Realm := UNIBE.CH
(24) } # update request = noop
(24) eap: Peer sent EAP Response (code 2) ID 11 length 37
(24) eap: Continuing tunnel setup
(24) [eap] = ok
(24) } # if (EAP-Message) = ok
(24) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(24) } # authorize = updated
(24) Found Auth-Type = eap
(24) # Executing group from file /etc/freeradius/sites-enabled/default
(24) Auth-Type eap {
(24) eap: Removing EAP session with state 0x1a0c7e7713076752
(24) eap: Previous EAP request found for state 0x1a0c7e7713076752, released from the list
(24) eap: Peer sent packet with method EAP PEAP (25)
(24) eap: Calling submodule eap_peap to process data
(24) eap_peap: (TLS) EAP Done initial handshake
(24) eap_peap: Session established. Decoding tunneled attributes
(24) eap_peap: PEAP state phase2
(24) eap_peap: EAP method MSCHAPv2 (26)
(24) eap_peap: Got tunneled request
(24) eap_peap: EAP-Message = 0x020b00061a03
(24) eap_peap: Setting User-Name to jon.doe(a)unibe.ch
(24) eap_peap: Sending tunneled request to proxy-inner-tunnel
(24) eap_peap: EAP-Message = 0x020b00061a03
(24) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(24) eap_peap: User-Name = jon.doe(a)unibe.ch
(24) eap_peap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(24) eap_peap: Service-Type = Framed-User
(24) eap_peap: Cisco-AVPair = "service-type=Framed"
(24) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(24) eap_peap: Cisco-AVPair = "method=dot1x"
(24) eap_peap: Cisco-AVPair = "client-iif-id=2818574557"
(24) eap_peap: Cisco-AVPair = "vlan-id=1000"
(24) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(24) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(24) eap_peap: Framed-MTU = 1485
(24) eap_peap: NAS-IP-Address = 1.2.3.4
(24) eap_peap: NAS-Port-Id = "capwap_9000000c"
(24) eap_peap: NAS-Port-Type = Wireless-802.11
(24) eap_peap: NAS-Port = 4211
(24) eap_peap: Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam"
(24) eap_peap: Calling-Station-Id := "AC-DF-A1-B1-F1-5A"
(24) eap_peap: Airespace-Wlan-Id = 97
(24) eap_peap: NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(24) eap_peap: WLAN-Group-Cipher = 1027076
(24) eap_peap: WLAN-Pairwise-Cipher = 1027076
(24) eap_peap: WLAN-AKM-Suite = 1027075
(24) eap_peap: WLAN-Group-Mgmt-Cipher = 1027078
(24) Virtual server proxy-inner-tunnel received request
(24) EAP-Message = 0x020b00061a03
(24) FreeRADIUS-Proxied-To = 127.0.0.1
(24) User-Name = jon.doe(a)unibe.ch
(24) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(24) Service-Type = Framed-User
(24) Cisco-AVPair = "service-type=Framed"
(24) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(24) Cisco-AVPair = "method=dot1x"
(24) Cisco-AVPair = "client-iif-id=2818574557"
(24) Cisco-AVPair = "vlan-id=1000"
(24) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(24) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(24) Framed-MTU = 1485
(24) NAS-IP-Address = 1.2.3.4
(24) NAS-Port-Id = "capwap_9000000c"
(24) NAS-Port-Type = Wireless-802.11
(24) NAS-Port = 4211
(24) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam"
(24) Calling-Station-Id := "AC-DF-A1-B1-F1-5A"
(24) Airespace-Wlan-Id = 97
(24) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(24) WLAN-Group-Cipher = 1027076
(24) WLAN-Pairwise-Cipher = 1027076
(24) WLAN-AKM-Suite = 1027075
(24) WLAN-Group-Mgmt-Cipher = 1027078
(24) server proxy-inner-tunnel {
(24) session-state: No cached attributes
(24) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(24) authorize {
(24) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) {
(24) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE
(24) if (!NAS-Port-Type){
(24) if (!NAS-Port-Type) -> FALSE
(24) update control {
(24) &Proxy-To-Realm := REALM-NPS-DEV
(24) } # update control = noop
(24) } # authorize = noop
(24) } # server proxy-inner-tunnel
(24) Virtual server sending reply
(24) eap_peap: Got tunneled reply code 0
(24) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV
(24) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(24) [eap] = handled
(24) if (handled && (Response-Packet-Type == Access-Challenge)) {
(24) EXPAND Response-Packet-Type
(24) -->
(24) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(24) } # Auth-Type eap = handled
(24) Starting proxy to home server 9.9.9.9 port 1812
(24) server default {
(24) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(24) pre-proxy {
(24) attr_filter.pre-proxy: EXPAND %{Realm}
(24) attr_filter.pre-proxy: --> UNIBE.CH
(24) attr_filter.pre-proxy: Matched entry DEFAULT at line 50
(24) [attr_filter.pre-proxy] = updated
(24) } # pre-proxy = updated
(24) }
(24) Proxying request to home server 9.9.9.9 port 1812 timeout 20.000000
(24) Sent Access-Request Id 24 from 0.0.0.0:57225 to 9.9.9.9:1812 length 211
(24) Operator-Name := "1unibe.ch"
(24) EAP-Message = 0x020b00061a03
(24) User-Name = jon.doe(a)unibe.ch
(24) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(24) NAS-IP-Address = 1.2.3.4
(24) NAS-Port-Type = Wireless-802.11
(24) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam"
(24) Calling-Station-Id := "AC-DF-A1-B1-F1-5A"
(24) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(24) Message-Authenticator = 0x
(24) Proxy-State = 0x313731
Thread 3 waiting to be assigned a request
Waking up in 0.1 seconds.
Thread 5 got semaphore
Thread 5 handling request 24, (7 handled so far)
(24) Clearing existing &reply: attributes
(24) Received Access-Accept Id 24 from 9.9.9.9:1812 to 130.92.10.33:57225 length 289
(24) Message-Authenticator = 0xe2aeca8badf38cd8faee768a6bd7fd56
(24) Proxy-State = 0x313731
(24) Class = 0x7374616666
(24) Filter-Id = "staff"
(24) Framed-Protocol = PPP
(24) Service-Type = Framed-User
(24) Tunnel-Medium-Type:0 = IEEE-802
(24) Tunnel-Private-Group-Id:0 = "2000"
(24) Tunnel-Type:0 = VLAN
(24) EAP-Message = 0x030b0004
(24) Class = 0x5cf107910000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060effe
(24) MS-CHAP-Domain = "\001CAMPUS"
(24) MS-MPPE-Send-Key = 0x9052dea3ac1da5021ae0464d2083676f
(24) MS-MPPE-Recv-Key = 0xc408c2c0fe593f0134a78f1a4fee5dc0
(24) MS-CHAP2-Success = 0x01533d42374430413432353333434331463134413332324334454333354443333837434632353343383943
(24) server default {
(24) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(24) post-proxy {
(24) attr_filter.post-proxy: EXPAND %{Realm}
(24) attr_filter.post-proxy: --> UNIBE.CH
(24) attr_filter.post-proxy: Matched entry UNIBE.CH at line 102
(24) [attr_filter.post-proxy] = updated
(24) eap: Doing post-proxy callback
(24) eap: Passing reply from proxy back into the tunnel
(24) eap: Got tunneled reply RADIUS code 2
(24) eap: Tunnel-Type := VLAN
(24) eap: Tunnel-Medium-Type := IEEE-802
(24) eap: Message-Authenticator = 0xe2aeca8badf38cd8faee768a6bd7fd56
(24) eap: Proxy-State = 0x313731
(24) eap: Class = 0x7374616666
(24) eap: Filter-Id = "staff"
(24) eap: Tunnel-Private-Group-Id:0 = "2000"
(24) eap: EAP-Message = 0x030b0004
(24) eap: Class = 0x5cf107910000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060effe
(24) eap: MS-MPPE-Send-Key = 0x9052dea3ac1da5021ae0464d2083676f
(24) eap: MS-MPPE-Recv-Key = 0xc408c2c0fe593f0134a78f1a4fee5dc0
(24) eap: Tunneled authentication was successful
(24) eap: SUCCESS
(24) eap: Saving tunneled attributes for later
(24) eap: Reply was handled
(24) eap: Sending EAP Request (code 1) ID 12 length 46
(24) eap: EAP session adding &reply:State = 0x1a0c7e7710006752
(24) [eap] = ok
(24) } # post-proxy = updated
(24) }
(24) Using Post-Auth-Type Challenge
(24) Post-Auth-Type sub-section not found. Ignoring.
(24) # Executing group from file /etc/freeradius/sites-enabled/default
(24) Sent Access-Challenge Id 171 from 130.92.10.33:1812 to 1.2.3.4:63606 length 104
(24) EAP-Message = 0x010c002e1900170303002369cd9549766a5c096f1e1c66977ad4a91fd857608710d39bf55e09ca568c703d98ec8f
(24) Message-Authenticator = 0x00000000000000000000000000000000
(24) State = 0x1a0c7e771000675279b57cf47df95d07
(24) Finished request
2
13
I'm sure that there are "good business reasons" for this.
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/8.…
...
Limited support for FreeRADIUS
In RHEL 8, the following external authentication modules are deprecated as part of the FreeRADIUS offering:
* The MySQL, PostgreSQL, SQlite, and unixODBC database connectors
* The Perl language module
* The REST API module
...
In addition, the scope of support for the freeradius package will be limited to the following use cases in future RHEL releases:
* Using FreeRADIUS as an authentication provider with Identity Management (IdM) as the backend source of authentication. The authentication occurs through the krb5 and LDAP authentication packages or as PAM authentication in the main FreeRADIUS package
* Using FreeRADIUS to provide a source-of-truth for authentication in IdM, through the Python 3 authentication package
In contrast to these deprecations, Red Hat will strengthen the support of the following external authentication modules with FreeRADIUS:
* Authentication based on krb5 and LDAP
* Python 3 authentication
The focus on these integration options is in close alignment with the strategic direction of Red Hat IdM.
....
My comments: RedHat is doubling down in forcing people to use their IdM / LDAP solution. If you're an ISP using FreeRADIUS + MySQL, you will no longer be getting support from RedHat. So too bad for you.
The good news is that we will continue to provide free packages for the community at https://packages.inkbridge.io <https://packages.inkbridge.io/>
Alan DeKok.
3
4
I am receiving the below error in MariaDB and have managed to get to the
third page of Google trying to fix it but nothing has worked.
2025-11-04 12:25:36 3 [Warning] Could not read packet: fd: 55 state: 1
read_length: 4 errno: 11 vio_errno: 1158 length: 0 2025-11-04 12:25:36 3
[Warning] Aborted connection 3 to db: '***' user: '***' host: 'localhost'
(Got an error reading communication packets)
The above errors seem to point to MariaDB being the issue but I've tried
multiple versions and multiple different operating systems and all manner
of different settings in MariaDB and cannot seem to get FreeRADIUS and
MariaDB to contact each other correctly. Because of this I just wanted to
clarify if this is a known issue.
Thanks in advance.
2
1