Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 10 participants
- 27046 discussions
Hi!
Is it possible to configure FR to write the last authentication attempt from a client (NAS) to LDAP?
For users I can set this:
https://bitbucket.org/code-orange/django-cdstack-tpl-accessradius/src/cad14…
Is there something similar for the clients? I'm interested in the same attribute update to see which clients are dead.
Thank you.
Kind regards
Kevin
2
3
Hi,
We unfortunately have network devices which exclusively support MSCHAPv2 but have had excellent success using freeradius 3.0.17 with Samba Winbind.
I presume freeRADIUS has built-in support to masquerade the presented username, as the mschap config file references the following:
winbind_username = "%{mschap:User-Name}"
winbind_domain = "%{mschap:NT-Domain}"
I'm aware of MS-CHAPv2 proving knowledge of the password and previously assumed that it only applied to the password hash exchanges. My Google-Fo however lead me to an article titled Understanding PEAP In-Depth, where values initiators and radius generate is summarised as:
Initiator:
AuthenticatorChallenge = b''.fromhex('f5 b8 ad ee e9 ff 08 15 dd 83 e8 2d 89 6e eb 2a')
PeerChallenge = b''.fromhex('e3 32 bf 8e c5 37 e5 72 1d 0d 9a 0e e4 40 46 d6')
chap = MSCHAPV2(UserName, Password, AuthenticatorChallenge, PeerChallenge)
PasswordHash = chap.NtPasswordHash(Password)
Challenge = chap.ChallengeHash(PeerChallenge, AuthenticatorChallenge, UserName)
NTResponse = chap.ChallengeResponse(Challenge, PasswordHash)
print ('Challenge : '+Challenge.hex())
print ('NTResponse: '+NTResponse.hex())
radius:
AuthenticatorChallenge = b''.fromhex('f5 b8 ad ee e9 ff 08 15 dd 83 e8 2d 89 6e eb 2a')
PeerChallenge = b''.fromhex('e3 32 bf 8e c5 37 e5 72 1d 0d 9a 0e e4 40 46 d6')
chap = MSCHAPV2(UserName, Password, AuthenticatorChallenge, PeerChallenge)
NTResponse = b''.fromhex('6c da db 80 dd 53 10 b8 05 f2 a0 da 9b b4 5e ad 51 ee 65 34 4c 95 e6 00')
PasswordHash = chap.NtPasswordHash(Password)
AuthenticatorResponse = chap.GenerateAuthenticatorResponse(Password, NTResponse, PeerChallenge, AuthenticatorChallenge, UserName)
print('Authenticator Response: ' + AuthenticatorResponse)
I presume FR generates the AuthenticatorResponse after obtaining the NTResponse from winbind, after feeding it winbind_username?
If that is the case, would it be feasible to replace winbind_username and have FR handle all the wizardry?
I'd like to essentially transform a MSCHAPv2 client using USERNAME/PASSWORD to winbind authenticating this as USER2/PASSWORD.
Why? I was hoping to implement 2FA by using my AD password as per normal, only replacing my username with the 44 char string that a YubiKey touch operation spits out via the USB HID keyboard. The prefix of this string is a globally unique 12 character fixed ID, unique to each key. This way I could lookup the username prefix in a file and then set winbind_username as the AD account name that key belong to. Thought process was to reject requests were the prefix wasn't found, then authenticate to AD using the username we looked up, check group membership and finally validate the Yubico OTP (the username supplied originally) against YubiCo validation servers.
[cid:image001.png@01D703BA.131606D0]
References:
* Understanding PEAP In-Depth
https://sensepost.com/blog/2019/understanding-peap-in-depth/
* Yubico OTPs Explained
https://developers.yubico.com/OTP/OTPs_Explained.html
Regards
David Herselman
2
12
We are using FreeRADIUS Version 3.0.20.
I have an anamoly in TLS Session Resumption using a Windows 10 laptop. I have not been able to reproduce this using other clients. While this appears to be bad behavior by Windows, I'm also asking if this unexpected supplicant behavior might reveal some undesirable behavior on the part of freeradius.
I deleted all TLS session cache records and restarted the server. In packet (2) you see the supplicant request a cached session, which is not found, so a full authentication takes place in packets (1) through (10).
I then "forget" the network on the client, which I would expect would also delete any record of a previous TLS session, and then I reauthenticate to the network, which requires entering a username/password (but, sadly, does not require me to trust the server's certificate).
At this point I would expect to see a full re-auth but in packet (13) you see the supplicant request a cached session, which is found and restored. In packet (14) the server declares a successful session resumption on its end and sends an Access-Challenge. But in packet (15) we then see:
eap_peap: Client rejected our response. The password is probably incorrect
eap_peap: Client rejected session resumption. Re-starting full authentication
We then proceed through the inner-tunnel and do the full re-auth but we are still using the resumed session ID along with the attributes cached from that session. In the final packet (19), we see "&request:EAP-Session-Resumed := 1"
This all came to my attention because I was originally using Cached-Session-Policy with the += operator. I ended up with duplicate session-state entries for Cached-Session-Policy, and, when that policy happened to change between authentications, one of those Cached-Session-Policy values was wrong.
We can't do anything about the bad Windows behavior, but do you consider it appropriate for freeradius to handle a rejected session resumption this way?
Doug
(1) Received Access-Request Id 64 from w.x.y.z:54989 to a.b.c.e:1812 length 201
(1) User-Name = "myUsername"
(1) NAS-IP-Address = a.b.c.d
(1) NAS-Port = 0
(1) NAS-Identifier = "w.x.y.z"
(1) NAS-Port-Type = Wireless-802.11
(1) Calling-Station-Id = "Calling-MAC"
(1) Called-Station-Id = "Called-MAC"
(1) Service-Type = Framed-User
(1) Framed-MTU = 1100
(1) EAP-Message = 0x0201000d016d616e74686f6e79
(1) Aruba-Essid-Name = "FSUCoreX"
(1) Aruba-Location-Id = "303H-mark"
(1) Aruba-AP-Group = "RAP-VoIP"
(1) Aruba-Device-Type = "Win 10"
(1) Message-Authenticator = 0x68c94109b228a1962fd060c64c8863cb
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(1) authorize {
(1) fsu-bad-passwords: EXPAND %{User-Name}
(1) fsu-bad-passwords: --> myUsername
(1) [fsu-bad-passwords] = noop
(1) if (ok) {
(1) if (ok) -> FALSE
(1) policy rewrite_calling_station_id {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(1) update request {
(1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(1) --> Calling-MAC
(1) } # update request = noop
(1) [updated] = updated
(1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(1) ... skipping else: Preceding "if" was taken
(1) } # policy rewrite_calling_station_id = updated
(1) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(1) fsu-bad-macs: --> Calling-MAC
(1) [fsu-bad-macs] = noop
(1) if (ok) {
(1) if (ok) -> FALSE
(1) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(1) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(1) if (&User-Name =~ /^host\//) {
(1) if (&User-Name =~ /^host\//) -> FALSE
(1) if ( &User-Name =~ /\s/ ) {
(1) if ( &User-Name =~ /\s/ ) -> FALSE
(1) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(1) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(1) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(1) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(1) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(1) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(1) ntdomain: Checking for prefix before "\"
(1) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(1) [ntdomain] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(1) suffix: Found realm "NULL"
(1) suffix: Adding Stripped-User-Name = "myUsername"
(1) suffix: Adding Realm = "NULL"
(1) suffix: Authentication realm is LOCAL
(1) [suffix] = ok
(1) update request {
(1) } # update request = noop
(1) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(1) fsu-rsa-macs: --> Calling-MAC
(1) [fsu-rsa-macs] = noop
(1) if (ok) {
(1) if (ok) -> FALSE
(1) else {
(1) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(1) fsu-rsa-atwpa-aruba: --> FSUCoreX
(1) [fsu-rsa-atwpa-aruba] = noop
(1) if (ok) {
(1) if (ok) -> FALSE
(1) else {
(1) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(1) fsu-rsa-atwpa-cisco: -->
(1) [fsu-rsa-atwpa-cisco] = noop
(1) if (ok) {
(1) if (ok) -> FALSE
(1) } # else = noop
(1) } # else = noop
(1) if (&request:Hint == "RSA") {
(1) if (&request:Hint == "RSA") -> FALSE
(1) else {
(1) fsu-eap: Peer sent EAP Response (code 2) ID 1 length 13
(1) fsu-eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(1) [fsu-eap] = ok
(1) } # else = ok
(1) } # authorize = ok
(1) Found Auth-Type = fsu-eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(1) Auth-Type fsu-eap {
(1) fsu-eap: Peer sent packet with method EAP Identity (1)
(1) fsu-eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new TLS session
(1) eap_peap: [eaptls start] = request
(1) fsu-eap: Sending EAP Request (code 1) ID 2 length 6
(1) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bbad1e41c
(1) [fsu-eap] = handled
(1) } # Auth-Type fsu-eap = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 64 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xbad3fd1bbad1e41c1c1cd17260df3cc0
(1) Finished request
(2) Received Access-Request Id 65 from w.x.y.z:54989 to a.b.c.e:1812 length 410
(2) User-Name = "myUsername"
(2) NAS-IP-Address = a.b.c.d
(2) NAS-Port = 0
(2) NAS-Identifier = "w.x.y.z"
(2) NAS-Port-Type = Wireless-802.11
(2) Calling-Station-Id = "Calling-MAC"
(2) Called-Station-Id = "Called-MAC"
(2) Service-Type = Framed-User
(2) Framed-MTU = 1100
(2) EAP-Message = 0x020200cc1980000000c216030300bd010000b90303602ed1269d888ec609f78e833194c064fd67012fbf825e56a50a8f228ad5760620478d25582f53a1dd580e9752f084466abf68961ab46bd12bc4085e1601e959cb002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(2) State = 0xbad3fd1bbad1e41c1c1cd17260df3cc0
(2) Aruba-Essid-Name = "FSUCoreX"
(2) Aruba-Location-Id = "303H-mark"
(2) Aruba-AP-Group = "RAP-VoIP"
(2) Aruba-Device-Type = "Win 10"
(2) Message-Authenticator = 0x018d8b6ea89b296c73c9cdd13c86ffdc
(2) session-state: No cached attributes
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(2) authorize {
(2) fsu-bad-passwords: EXPAND %{User-Name}
(2) fsu-bad-passwords: --> myUsername
(2) [fsu-bad-passwords] = noop
(2) if (ok) {
(2) if (ok) -> FALSE
(2) policy rewrite_calling_station_id {
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(2) update request {
(2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(2) --> Calling-MAC
(2) } # update request = noop
(2) [updated] = updated
(2) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(2) ... skipping else: Preceding "if" was taken
(2) } # policy rewrite_calling_station_id = updated
(2) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(2) fsu-bad-macs: --> Calling-MAC
(2) [fsu-bad-macs] = noop
(2) if (ok) {
(2) if (ok) -> FALSE
(2) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(2) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(2) if (&User-Name =~ /^host\//) {
(2) if (&User-Name =~ /^host\//) -> FALSE
(2) if ( &User-Name =~ /\s/ ) {
(2) if ( &User-Name =~ /\s/ ) -> FALSE
(2) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(2) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(2) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(2) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(2) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(2) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(2) ntdomain: Checking for prefix before "\"
(2) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(2) [ntdomain] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(2) suffix: Found realm "NULL"
(2) suffix: Adding Stripped-User-Name = "myUsername"
(2) suffix: Adding Realm = "NULL"
(2) suffix: Authentication realm is LOCAL
(2) [suffix] = ok
(2) update request {
(2) } # update request = noop
(2) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(2) fsu-rsa-macs: --> Calling-MAC
(2) [fsu-rsa-macs] = noop
(2) if (ok) {
(2) if (ok) -> FALSE
(2) else {
(2) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(2) fsu-rsa-atwpa-aruba: --> FSUCoreX
(2) [fsu-rsa-atwpa-aruba] = noop
(2) if (ok) {
(2) if (ok) -> FALSE
(2) else {
(2) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(2) fsu-rsa-atwpa-cisco: -->
(2) [fsu-rsa-atwpa-cisco] = noop
(2) if (ok) {
(2) if (ok) -> FALSE
(2) } # else = noop
(2) } # else = noop
(2) if (&request:Hint == "RSA") {
(2) if (&request:Hint == "RSA") -> FALSE
(2) else {
(2) fsu-eap: Peer sent EAP Response (code 2) ID 2 length 204
(2) fsu-eap: Continuing tunnel setup
(2) [fsu-eap] = ok
(2) } # else = ok
(2) } # authorize = ok
(2) Found Auth-Type = fsu-eap
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(2) Auth-Type fsu-eap {
(2) fsu-eap: Expiring EAP session with state 0xbad3fd1bbad1e41c
(2) fsu-eap: Finished EAP session with state 0xbad3fd1bbad1e41c
(2) fsu-eap: Previous EAP request found for state 0xbad3fd1bbad1e41c, released from the list
(2) fsu-eap: Peer sent packet with method EAP PEAP (25)
(2) fsu-eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 194 bytes
(2) eap_peap: Got complete TLS record (194 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: Peer requested cached session: 478d25582f53a1dd580e9752f084466abf68961ab46bd12bc4085e1601e959cb
(2) : eap_peap: No persisted session file /var/log/radius/tlscache/478d25582f53a1dd580e9752f084466abf68961ab46bd12bc4085e1601e959cb.asn1: No such file or directory
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: TLS_accept: SSLv3/TLS write certificate
(2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(2) eap_peap: TLS_accept: SSLv3/TLS write server done
(2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(2) eap_peap: TLS - In Handshake Phase
(2) eap_peap: TLS - got 2767 bytes of data
(2) eap_peap: [eaptls process] = handled
(2) fsu-eap: Sending EAP Request (code 1) ID 3 length 1024
(2) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bbbd0e41c
(2) [fsu-eap] = handled
(2) } # Auth-Type fsu-eap = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 65 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(2) EAP-Message = 0x0103040019c000000acf160303005d020000590303931ef82c320593388fd052f008b384446eb7d423cfa3d8be2f14ff3355cca4b620422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5cc02b000011ff01000100000b0004030001020017000016030309c50b0009c10009be00060630820602308205a7a003020102021026a74309e2eaafaf31ae5776e74c05d3300a06082a8648ce3d040302308195310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313d303b060355040313345365637469676f20454343204f7267616e697a6174696f6e2056616c69646174696f6e2053656375726520536572766572204341301e170d3230303830333030303030305a170d3232303830333233353935395a30820103310b3009060355040613025553310e300c06035504
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xbad3fd1bbbd0e41c1c1cd17260df3cc0
(2) Finished request
(3) Received Access-Request Id 66 from w.x.y.z:54989 to a.b.c.e:1812 length 212
(3) User-Name = "myUsername"
(3) NAS-IP-Address = a.b.c.d
(3) NAS-Port = 0
(3) NAS-Identifier = "w.x.y.z"
(3) NAS-Port-Type = Wireless-802.11
(3) Calling-Station-Id = "Calling-MAC"
(3) Called-Station-Id = "Called-MAC"
(3) Service-Type = Framed-User
(3) Framed-MTU = 1100
(3) EAP-Message = 0x020300061900
(3) State = 0xbad3fd1bbbd0e41c1c1cd17260df3cc0
(3) Aruba-Essid-Name = "FSUCoreX"
(3) Aruba-Location-Id = "303H-mark"
(3) Aruba-AP-Group = "RAP-VoIP"
(3) Aruba-Device-Type = "Win 10"
(3) Message-Authenticator = 0x989102d3ae927fa2abce294f1cc7210d
(3) session-state: No cached attributes
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(3) authorize {
(3) fsu-bad-passwords: EXPAND %{User-Name}
(3) fsu-bad-passwords: --> myUsername
(3) [fsu-bad-passwords] = noop
(3) if (ok) {
(3) if (ok) -> FALSE
(3) policy rewrite_calling_station_id {
(3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(3) update request {
(3) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(3) --> Calling-MAC
(3) } # update request = noop
(3) [updated] = updated
(3) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(3) ... skipping else: Preceding "if" was taken
(3) } # policy rewrite_calling_station_id = updated
(3) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(3) fsu-bad-macs: --> Calling-MAC
(3) [fsu-bad-macs] = noop
(3) if (ok) {
(3) if (ok) -> FALSE
(3) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(3) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(3) if (&User-Name =~ /^host\//) {
(3) if (&User-Name =~ /^host\//) -> FALSE
(3) if ( &User-Name =~ /\s/ ) {
(3) if ( &User-Name =~ /\s/ ) -> FALSE
(3) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(3) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(3) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(3) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(3) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(3) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(3) ntdomain: Checking for prefix before "\"
(3) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(3) [ntdomain] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(3) suffix: Found realm "NULL"
(3) suffix: Adding Stripped-User-Name = "myUsername"
(3) suffix: Adding Realm = "NULL"
(3) suffix: Authentication realm is LOCAL
(3) [suffix] = ok
(3) update request {
(3) } # update request = noop
(3) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(3) fsu-rsa-macs: --> Calling-MAC
(3) [fsu-rsa-macs] = noop
(3) if (ok) {
(3) if (ok) -> FALSE
(3) else {
(3) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(3) fsu-rsa-atwpa-aruba: --> FSUCoreX
(3) [fsu-rsa-atwpa-aruba] = noop
(3) if (ok) {
(3) if (ok) -> FALSE
(3) else {
(3) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(3) fsu-rsa-atwpa-cisco: -->
(3) [fsu-rsa-atwpa-cisco] = noop
(3) if (ok) {
(3) if (ok) -> FALSE
(3) } # else = noop
(3) } # else = noop
(3) if (&request:Hint == "RSA") {
(3) if (&request:Hint == "RSA") -> FALSE
(3) else {
(3) fsu-eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) fsu-eap: Continuing tunnel setup
(3) [fsu-eap] = ok
(3) } # else = ok
(3) } # authorize = ok
(3) Found Auth-Type = fsu-eap
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(3) Auth-Type fsu-eap {
(3) fsu-eap: Expiring EAP session with state 0xbad3fd1bbbd0e41c
(3) fsu-eap: Finished EAP session with state 0xbad3fd1bbbd0e41c
(3) fsu-eap: Previous EAP request found for state 0xbad3fd1bbbd0e41c, released from the list
(3) fsu-eap: Peer sent packet with method EAP PEAP (25)
(3) fsu-eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) fsu-eap: Sending EAP Request (code 1) ID 4 length 1020
(3) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bb8d7e41c
(3) [fsu-eap] = handled
(3) } # Auth-Type fsu-eap = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 66 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(3) EAP-Message = 0x010403fc194006082b060105050730028649687474703a2f2f6372742e7365637469676f2e636f6d2f5365637469676f4543434f7267616e697a6174696f6e56616c69646174696f6e53656375726553657276657243412e637274302306082b060105050730018617687474703a2f2f6f6373702e7365637469676f2e636f6d3082017e060a2b06010401d6790204020482016e0482016a016800760046a555eb75fa912030b5a28969f4f37d112c4174befd49b885abf2fc70fe6d4700000173b4480f2d00000403004730450220289e527367d0857731154954f296721f9f37ef06d36eda0b0710dab4c3ca2fd2022100e212a014409ae8c4ba4f407a7070e714b2e7659f80a65af2a53ef9f39e06ccad007500dfa55eab68824f1f6cadeeb85f4e3e5aeacda212a46a5e8e3b12c020445c2a7300000173b4480f5e000004030046304402201c27dade36cab76fc20bd7888116d1c28e29360f798cc1141dc8562e857b509a02207b5c44654ee0a9c94e1390763ca3
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xbad3fd1bb8d7e41c1c1cd17260df3cc0
(3) Finished request
(4) Received Access-Request Id 67 from w.x.y.z:54989 to a.b.c.e:1812 length 212
(4) User-Name = "myUsername"
(4) NAS-IP-Address = a.b.c.d
(4) NAS-Port = 0
(4) NAS-Identifier = "w.x.y.z"
(4) NAS-Port-Type = Wireless-802.11
(4) Calling-Station-Id = "Calling-MAC"
(4) Called-Station-Id = "Called-MAC"
(4) Service-Type = Framed-User
(4) Framed-MTU = 1100
(4) EAP-Message = 0x020400061900
(4) State = 0xbad3fd1bb8d7e41c1c1cd17260df3cc0
(4) Aruba-Essid-Name = "FSUCoreX"
(4) Aruba-Location-Id = "303H-mark"
(4) Aruba-AP-Group = "RAP-VoIP"
(4) Aruba-Device-Type = "Win 10"
(4) Message-Authenticator = 0x3698f3bc788ccfe70c7c1b09e167ff81
(4) session-state: No cached attributes
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(4) authorize {
(4) fsu-bad-passwords: EXPAND %{User-Name}
(4) fsu-bad-passwords: --> myUsername
(4) [fsu-bad-passwords] = noop
(4) if (ok) {
(4) if (ok) -> FALSE
(4) policy rewrite_calling_station_id {
(4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(4) update request {
(4) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(4) --> Calling-MAC
(4) } # update request = noop
(4) [updated] = updated
(4) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(4) ... skipping else: Preceding "if" was taken
(4) } # policy rewrite_calling_station_id = updated
(4) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(4) fsu-bad-macs: --> Calling-MAC
(4) [fsu-bad-macs] = noop
(4) if (ok) {
(4) if (ok) -> FALSE
(4) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(4) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(4) if (&User-Name =~ /^host\//) {
(4) if (&User-Name =~ /^host\//) -> FALSE
(4) if ( &User-Name =~ /\s/ ) {
(4) if ( &User-Name =~ /\s/ ) -> FALSE
(4) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(4) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(4) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(4) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(4) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(4) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(4) ntdomain: Checking for prefix before "\"
(4) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(4) [ntdomain] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(4) suffix: Found realm "NULL"
(4) suffix: Adding Stripped-User-Name = "myUsername"
(4) suffix: Adding Realm = "NULL"
(4) suffix: Authentication realm is LOCAL
(4) [suffix] = ok
(4) update request {
(4) } # update request = noop
(4) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(4) fsu-rsa-macs: --> Calling-MAC
(4) [fsu-rsa-macs] = noop
(4) if (ok) {
(4) if (ok) -> FALSE
(4) else {
(4) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(4) fsu-rsa-atwpa-aruba: --> FSUCoreX
(4) [fsu-rsa-atwpa-aruba] = noop
(4) if (ok) {
(4) if (ok) -> FALSE
(4) else {
(4) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(4) fsu-rsa-atwpa-cisco: -->
(4) [fsu-rsa-atwpa-cisco] = noop
(4) if (ok) {
(4) if (ok) -> FALSE
(4) } # else = noop
(4) } # else = noop
(4) if (&request:Hint == "RSA") {
(4) if (&request:Hint == "RSA") -> FALSE
(4) else {
(4) fsu-eap: Peer sent EAP Response (code 2) ID 4 length 6
(4) fsu-eap: Continuing tunnel setup
(4) [fsu-eap] = ok
(4) } # else = ok
(4) } # authorize = ok
(4) Found Auth-Type = fsu-eap
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(4) Auth-Type fsu-eap {
(4) fsu-eap: Expiring EAP session with state 0xbad3fd1bb8d7e41c
(4) fsu-eap: Finished EAP session with state 0xbad3fd1bb8d7e41c
(4) fsu-eap: Previous EAP request found for state 0xbad3fd1bb8d7e41c, released from the list
(4) fsu-eap: Peer sent packet with method EAP PEAP (25)
(4) fsu-eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) fsu-eap: Sending EAP Request (code 1) ID 5 length 745
(4) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bb9d6e41c
(4) [fsu-eap] = handled
(4) } # Auth-Type fsu-eap = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 67 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(4) EAP-Message = 0x010502e9190006072a8648ce3d020106082a8648ce3d030107034200049c8e5c0a616fa158a3d0d5cefafc44f9ffba061e7b161a721f42d30ab266cdfb0f4972214d27b1afdd873a5cfe687aa8184d2f49efc24b02c5a16719f16d6339a382016e3082016a301f0603551d230418301680143ae10986d4cf19c29676744976dce035c663639a301d0603551d0e041604144d4aefc446b312ad4f4e9ab159e251ab08107808300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020230500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737445434343657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b0601050507300286336874
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xbad3fd1bb9d6e41c1c1cd17260df3cc0
(4) Finished request
(5) Received Access-Request Id 68 from w.x.y.z:54989 to a.b.c.e:1812 length 342
(5) User-Name = "myUsername"
(5) NAS-IP-Address = a.b.c.d
(5) NAS-Port = 0
(5) NAS-Identifier = "w.x.y.z"
(5) NAS-Port-Type = Wireless-802.11
(5) Calling-Station-Id = "Calling-MAC"
(5) Called-Station-Id = "Called-MAC"
(5) Service-Type = Framed-User
(5) Framed-MTU = 1100
(5) EAP-Message = 0x0205008819800000007e16030300461000004241044d601518295cc957a589f6af50ba6fdb09db67090661cc9d393bd8adac0306fabec728fd8d3a566e56b18258956648fc03ddd2cba0d449d5c8f707dd63984fbb14030300010116030300280000000000000000e4ed788d8b79fbf52f838b98a845ffe9a50b58bbef917334728f28828c245327
(5) State = 0xbad3fd1bb9d6e41c1c1cd17260df3cc0
(5) Aruba-Essid-Name = "FSUCoreX"
(5) Aruba-Location-Id = "303H-mark"
(5) Aruba-AP-Group = "RAP-VoIP"
(5) Aruba-Device-Type = "Win 10"
(5) Message-Authenticator = 0x249cb5193fd1494a9d8b9912fa5af320
(5) session-state: No cached attributes
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(5) authorize {
(5) fsu-bad-passwords: EXPAND %{User-Name}
(5) fsu-bad-passwords: --> myUsername
(5) [fsu-bad-passwords] = noop
(5) if (ok) {
(5) if (ok) -> FALSE
(5) policy rewrite_calling_station_id {
(5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(5) update request {
(5) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(5) --> Calling-MAC
(5) } # update request = noop
(5) [updated] = updated
(5) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(5) ... skipping else: Preceding "if" was taken
(5) } # policy rewrite_calling_station_id = updated
(5) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(5) fsu-bad-macs: --> Calling-MAC
(5) [fsu-bad-macs] = noop
(5) if (ok) {
(5) if (ok) -> FALSE
(5) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(5) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(5) if (&User-Name =~ /^host\//) {
(5) if (&User-Name =~ /^host\//) -> FALSE
(5) if ( &User-Name =~ /\s/ ) {
(5) if ( &User-Name =~ /\s/ ) -> FALSE
(5) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(5) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(5) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(5) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(5) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(5) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(5) ntdomain: Checking for prefix before "\"
(5) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(5) [ntdomain] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(5) suffix: Found realm "NULL"
(5) suffix: Adding Stripped-User-Name = "myUsername"
(5) suffix: Adding Realm = "NULL"
(5) suffix: Authentication realm is LOCAL
(5) [suffix] = ok
(5) update request {
(5) } # update request = noop
(5) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(5) fsu-rsa-macs: --> Calling-MAC
(5) [fsu-rsa-macs] = noop
(5) if (ok) {
(5) if (ok) -> FALSE
(5) else {
(5) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(5) fsu-rsa-atwpa-aruba: --> FSUCoreX
(5) [fsu-rsa-atwpa-aruba] = noop
(5) if (ok) {
(5) if (ok) -> FALSE
(5) else {
(5) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(5) fsu-rsa-atwpa-cisco: -->
(5) [fsu-rsa-atwpa-cisco] = noop
(5) if (ok) {
(5) if (ok) -> FALSE
(5) } # else = noop
(5) } # else = noop
(5) if (&request:Hint == "RSA") {
(5) if (&request:Hint == "RSA") -> FALSE
(5) else {
(5) fsu-eap: Peer sent EAP Response (code 2) ID 5 length 136
(5) fsu-eap: Continuing tunnel setup
(5) [fsu-eap] = ok
(5) } # else = ok
(5) } # authorize = ok
(5) Found Auth-Type = fsu-eap
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(5) Auth-Type fsu-eap {
(5) fsu-eap: Expiring EAP session with state 0xbad3fd1bb9d6e41c
(5) fsu-eap: Finished EAP session with state 0xbad3fd1bb9d6e41c
(5) fsu-eap: Previous EAP request found for state 0xbad3fd1bb9d6e41c, released from the list
(5) fsu-eap: Peer sent packet with method EAP PEAP (25)
(5) fsu-eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(5) eap_peap: Got complete TLS record (126 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: TLS_accept: SSLv3/TLS write server done
(5) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(5) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(5) eap_peap: TLS_accept: SSLv3/TLS read finished
(5) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(5) eap_peap: TLS_accept: SSLv3/TLS write finished
(5) eap_peap: Serialising session 422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c, and storing in cache
(5) : eap_peap: Wrote session 422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c to /var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1 (149 bytes)
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: TLS - Connection Established
(5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(5) eap_peap: TLS-Session-Version = "TLS 1.2"
(5) eap_peap: TLS - got 51 bytes of data
(5) eap_peap: [eaptls process] = handled
(5) fsu-eap: Sending EAP Request (code 1) ID 6 length 57
(5) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bbed5e41c
(5) [fsu-eap] = handled
(5) } # Auth-Type fsu-eap = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(5) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(5) TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 68 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(5) EAP-Message = 0x0106003919001403030001011603030028b7cf4af33aedeba1fff80ce3d934b51a5d1673ffd272096bc1c0e67566bd54c3d9e98aa7892a05ca
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xbad3fd1bbed5e41c1c1cd17260df3cc0
(5) Finished request
(6) Received Access-Request Id 69 from w.x.y.z:54989 to a.b.c.e:1812 length 212
(6) User-Name = "myUsername"
(6) NAS-IP-Address = a.b.c.d
(6) NAS-Port = 0
(6) NAS-Identifier = "w.x.y.z"
(6) NAS-Port-Type = Wireless-802.11
(6) Calling-Station-Id = "Calling-MAC"
(6) Called-Station-Id = "Called-MAC"
(6) Service-Type = Framed-User
(6) Framed-MTU = 1100
(6) EAP-Message = 0x020600061900
(6) State = 0xbad3fd1bbed5e41c1c1cd17260df3cc0
(6) Aruba-Essid-Name = "FSUCoreX"
(6) Aruba-Location-Id = "303H-mark"
(6) Aruba-AP-Group = "RAP-VoIP"
(6) Aruba-Device-Type = "Win 10"
(6) Message-Authenticator = 0xa13a4c03acd0a8a3de7fd344f477f378
(6) Restoring &session-state
(6) &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(6) &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(6) authorize {
(6) fsu-bad-passwords: EXPAND %{User-Name}
(6) fsu-bad-passwords: --> myUsername
(6) [fsu-bad-passwords] = noop
(6) if (ok) {
(6) if (ok) -> FALSE
(6) policy rewrite_calling_station_id {
(6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(6) update request {
(6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(6) --> Calling-MAC
(6) } # update request = noop
(6) [updated] = updated
(6) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(6) ... skipping else: Preceding "if" was taken
(6) } # policy rewrite_calling_station_id = updated
(6) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(6) fsu-bad-macs: --> Calling-MAC
(6) [fsu-bad-macs] = noop
(6) if (ok) {
(6) if (ok) -> FALSE
(6) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(6) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(6) if (&User-Name =~ /^host\//) {
(6) if (&User-Name =~ /^host\//) -> FALSE
(6) if ( &User-Name =~ /\s/ ) {
(6) if ( &User-Name =~ /\s/ ) -> FALSE
(6) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(6) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(6) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(6) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(6) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(6) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(6) ntdomain: Checking for prefix before "\"
(6) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(6) [ntdomain] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(6) suffix: Found realm "NULL"
(6) suffix: Adding Stripped-User-Name = "myUsername"
(6) suffix: Adding Realm = "NULL"
(6) suffix: Authentication realm is LOCAL
(6) [suffix] = ok
(6) update request {
(6) } # update request = noop
(6) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(6) fsu-rsa-macs: --> Calling-MAC
(6) [fsu-rsa-macs] = noop
(6) if (ok) {
(6) if (ok) -> FALSE
(6) else {
(6) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(6) fsu-rsa-atwpa-aruba: --> FSUCoreX
(6) [fsu-rsa-atwpa-aruba] = noop
(6) if (ok) {
(6) if (ok) -> FALSE
(6) else {
(6) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(6) fsu-rsa-atwpa-cisco: -->
(6) [fsu-rsa-atwpa-cisco] = noop
(6) if (ok) {
(6) if (ok) -> FALSE
(6) } # else = noop
(6) } # else = noop
(6) if (&request:Hint == "RSA") {
(6) if (&request:Hint == "RSA") -> FALSE
(6) else {
(6) fsu-eap: Peer sent EAP Response (code 2) ID 6 length 6
(6) fsu-eap: Continuing tunnel setup
(6) [fsu-eap] = ok
(6) } # else = ok
(6) } # authorize = ok
(6) Found Auth-Type = fsu-eap
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(6) Auth-Type fsu-eap {
(6) fsu-eap: Expiring EAP session with state 0xbad3fd1bbed5e41c
(6) fsu-eap: Finished EAP session with state 0xbad3fd1bbed5e41c
(6) fsu-eap: Previous EAP request found for state 0xbad3fd1bbed5e41c, released from the list
(6) fsu-eap: Peer sent packet with method EAP PEAP (25)
(6) fsu-eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(6) eap_peap: [eaptls verify] = success
(6) eap_peap: [eaptls process] = success
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) fsu-eap: Sending EAP Request (code 1) ID 7 length 40
(6) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bbfd4e41c
(6) [fsu-eap] = handled
(6) } # Auth-Type fsu-eap = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(6) Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6) TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(6) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 69 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(6) EAP-Message = 0x010700281900170303001db7cf4af33aedeba2b21f528c211bf694c96d96a9f46043f8a3d4b25e39
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xbad3fd1bbfd4e41c1c1cd17260df3cc0
(6) Finished request
(7) Received Access-Request Id 70 from w.x.y.z:54989 to a.b.c.e:1812 length 250
(7) User-Name = "myUsername"
(7) NAS-IP-Address = a.b.c.d
(7) NAS-Port = 0
(7) NAS-Identifier = "w.x.y.z"
(7) NAS-Port-Type = Wireless-802.11
(7) Calling-Station-Id = "Calling-MAC"
(7) Called-Station-Id = "Called-MAC"
(7) Service-Type = Framed-User
(7) Framed-MTU = 1100
(7) EAP-Message = 0x0207002c190017030300210000000000000001c5ef41f3042d7ba531433825f82a73cb4687ce9eb328fa6a3b
(7) State = 0xbad3fd1bbfd4e41c1c1cd17260df3cc0
(7) Aruba-Essid-Name = "FSUCoreX"
(7) Aruba-Location-Id = "303H-mark"
(7) Aruba-AP-Group = "RAP-VoIP"
(7) Aruba-Device-Type = "Win 10"
(7) Message-Authenticator = 0x007cfcc7b4f70a34ef867accfd218ae4
(7) Restoring &session-state
(7) &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(7) authorize {
(7) fsu-bad-passwords: EXPAND %{User-Name}
(7) fsu-bad-passwords: --> myUsername
(7) [fsu-bad-passwords] = noop
(7) if (ok) {
(7) if (ok) -> FALSE
(7) policy rewrite_calling_station_id {
(7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(7) update request {
(7) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(7) --> Calling-MAC
(7) } # update request = noop
(7) [updated] = updated
(7) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(7) ... skipping else: Preceding "if" was taken
(7) } # policy rewrite_calling_station_id = updated
(7) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(7) fsu-bad-macs: --> Calling-MAC
(7) [fsu-bad-macs] = noop
(7) if (ok) {
(7) if (ok) -> FALSE
(7) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(7) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(7) if (&User-Name =~ /^host\//) {
(7) if (&User-Name =~ /^host\//) -> FALSE
(7) if ( &User-Name =~ /\s/ ) {
(7) if ( &User-Name =~ /\s/ ) -> FALSE
(7) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(7) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(7) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(7) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(7) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(7) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(7) ntdomain: Checking for prefix before "\"
(7) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(7) [ntdomain] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(7) suffix: Found realm "NULL"
(7) suffix: Adding Stripped-User-Name = "myUsername"
(7) suffix: Adding Realm = "NULL"
(7) suffix: Authentication realm is LOCAL
(7) [suffix] = ok
(7) update request {
(7) } # update request = noop
(7) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(7) fsu-rsa-macs: --> Calling-MAC
(7) [fsu-rsa-macs] = noop
(7) if (ok) {
(7) if (ok) -> FALSE
(7) else {
(7) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(7) fsu-rsa-atwpa-aruba: --> FSUCoreX
(7) [fsu-rsa-atwpa-aruba] = noop
(7) if (ok) {
(7) if (ok) -> FALSE
(7) else {
(7) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(7) fsu-rsa-atwpa-cisco: -->
(7) [fsu-rsa-atwpa-cisco] = noop
(7) if (ok) {
(7) if (ok) -> FALSE
(7) } # else = noop
(7) } # else = noop
(7) if (&request:Hint == "RSA") {
(7) if (&request:Hint == "RSA") -> FALSE
(7) else {
(7) fsu-eap: Peer sent EAP Response (code 2) ID 7 length 44
(7) fsu-eap: Continuing tunnel setup
(7) [fsu-eap] = ok
(7) } # else = ok
(7) } # authorize = ok
(7) Found Auth-Type = fsu-eap
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(7) Auth-Type fsu-eap {
(7) fsu-eap: Expiring EAP session with state 0xbad3fd1bbfd4e41c
(7) fsu-eap: Finished EAP session with state 0xbad3fd1bbfd4e41c
(7) fsu-eap: Previous EAP request found for state 0xbad3fd1bbfd4e41c, released from the list
(7) fsu-eap: Peer sent packet with method EAP PEAP (25)
(7) fsu-eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - myUsername
(7) eap_peap: Got inner identity 'myUsername'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x0207000d016d616e74686f6e79
(7) eap_peap: Setting User-Name to myUsername
(7) eap_peap: Sending tunneled request to fsu-peap-inner-tunnel
(7) eap_peap: EAP-Message = 0x0207000d016d616e74686f6e79
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "myUsername"
(7) Virtual server fsu-peap-inner-tunnel received request
(7) EAP-Message = 0x0207000d016d616e74686f6e79
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "myUsername"
(7) : Outer and inner identities are the same. User privacy is compromised.
(7) server fsu-peap-inner-tunnel {
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(7) authorize {
(7) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(7) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(7) if ( &User-Name =~ /\s/ ) {
(7) if ( &User-Name =~ /\s/ ) -> FALSE
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(7) suffix: Found realm "NULL"
(7) suffix: Adding Stripped-User-Name = "myUsername"
(7) suffix: Adding Realm = "NULL"
(7) suffix: Authentication realm is LOCAL
(7) [suffix] = ok
(7) update {
(7) EXPAND %{Client-Shortname}
(7) --> Cam2
(7) } # update = noop
(7) fsu-eap: Peer sent EAP Response (code 2) ID 7 length 13
(7) fsu-eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(7) [fsu-eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = fsu-eap
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(7) Auth-Type fsu-eap {
(7) fsu-eap: Peer sent packet with method EAP Identity (1)
(7) fsu-eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: Issuing Challenge
(7) fsu-eap: Sending EAP Request (code 1) ID 8 length 42
(7) fsu-eap: EAP session adding &reply:State = 0xbdbe91b7bdb68b3a
(7) [fsu-eap] = handled
(7) } # Auth-Type fsu-eap = handled
(7) } # server fsu-peap-inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message = 0x0108002a1a01080025109baa445450222aec1beb19ba94ed03b56673755f6561705f6d73636861707632
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xbdbe91b7bdb68b3a7f0fbe650d998692
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message = 0x0108002a1a01080025109baa445450222aec1beb19ba94ed03b56673755f6561705f6d73636861707632
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xbdbe91b7bdb68b3a7f0fbe650d998692
(7) eap_peap: Got tunneled Access-Challenge
(7) fsu-eap: Sending EAP Request (code 1) ID 8 length 73
(7) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bbcdbe41c
(7) [fsu-eap] = handled
(7) } # Auth-Type fsu-eap = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(7) Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7) TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(7) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(7) TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 70 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(7) EAP-Message = 0x010800491900170303003eb7cf4af33aedeba3cdd5c7ba70a4cc7d7cfd8a0762d9c26bc5ae93b4658121503793b363b4ed6304e0c4123a93536e70452c368f535ba3bad20de5e823a4
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xbad3fd1bbcdbe41c1c1cd17260df3cc0
(7) Finished request
(8) Received Access-Request Id 71 from w.x.y.z:54989 to a.b.c.e:1812 length 304
(8) User-Name = "myUsername"
(8) NAS-IP-Address = a.b.c.d
(8) NAS-Port = 0
(8) NAS-Identifier = "w.x.y.z"
(8) NAS-Port-Type = Wireless-802.11
(8) Calling-Station-Id = "Calling-MAC"
(8) Called-Station-Id = "Called-MAC"
(8) Service-Type = Framed-User
(8) Framed-MTU = 1100
(8) EAP-Message = 0x020800621900170303005700000000000000028e27ce3a53464fde6326d09354698180aa53531ef4ca995a0ac159eb57b93070a23c5c40141bb0731e014889a5ff565ce9acc558fac42bd7c6373f1c2e52351836e75fd99d8944e0338b0d9d637118
(8) State = 0xbad3fd1bbcdbe41c1c1cd17260df3cc0
(8) Aruba-Essid-Name = "FSUCoreX"
(8) Aruba-Location-Id = "303H-mark"
(8) Aruba-AP-Group = "RAP-VoIP"
(8) Aruba-Device-Type = "Win 10"
(8) Message-Authenticator = 0xf6ff0643a9eed31b5cecf30091547c5a
(8) Restoring &session-state
(8) &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(8) &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(8) authorize {
(8) fsu-bad-passwords: EXPAND %{User-Name}
(8) fsu-bad-passwords: --> myUsername
(8) [fsu-bad-passwords] = noop
(8) if (ok) {
(8) if (ok) -> FALSE
(8) policy rewrite_calling_station_id {
(8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(8) update request {
(8) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(8) --> Calling-MAC
(8) } # update request = noop
(8) [updated] = updated
(8) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(8) ... skipping else: Preceding "if" was taken
(8) } # policy rewrite_calling_station_id = updated
(8) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(8) fsu-bad-macs: --> Calling-MAC
(8) [fsu-bad-macs] = noop
(8) if (ok) {
(8) if (ok) -> FALSE
(8) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(8) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(8) if (&User-Name =~ /^host\//) {
(8) if (&User-Name =~ /^host\//) -> FALSE
(8) if ( &User-Name =~ /\s/ ) {
(8) if ( &User-Name =~ /\s/ ) -> FALSE
(8) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(8) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(8) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(8) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(8) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(8) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(8) ntdomain: Checking for prefix before "\"
(8) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(8) [ntdomain] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(8) suffix: Found realm "NULL"
(8) suffix: Adding Stripped-User-Name = "myUsername"
(8) suffix: Adding Realm = "NULL"
(8) suffix: Authentication realm is LOCAL
(8) [suffix] = ok
(8) update request {
(8) } # update request = noop
(8) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(8) fsu-rsa-macs: --> Calling-MAC
(8) [fsu-rsa-macs] = noop
(8) if (ok) {
(8) if (ok) -> FALSE
(8) else {
(8) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(8) fsu-rsa-atwpa-aruba: --> FSUCoreX
(8) [fsu-rsa-atwpa-aruba] = noop
(8) if (ok) {
(8) if (ok) -> FALSE
(8) else {
(8) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(8) fsu-rsa-atwpa-cisco: -->
(8) [fsu-rsa-atwpa-cisco] = noop
(8) if (ok) {
(8) if (ok) -> FALSE
(8) } # else = noop
(8) } # else = noop
(8) if (&request:Hint == "RSA") {
(8) if (&request:Hint == "RSA") -> FALSE
(8) else {
(8) fsu-eap: Peer sent EAP Response (code 2) ID 8 length 98
(8) fsu-eap: Continuing tunnel setup
(8) [fsu-eap] = ok
(8) } # else = ok
(8) } # authorize = ok
(8) Found Auth-Type = fsu-eap
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(8) Auth-Type fsu-eap {
(8) fsu-eap: Expiring EAP session with state 0xbdbe91b7bdb68b3a
(8) fsu-eap: Finished EAP session with state 0xbad3fd1bbcdbe41c
(8) fsu-eap: Previous EAP request found for state 0xbad3fd1bbcdbe41c, released from the list
(8) fsu-eap: Peer sent packet with method EAP PEAP (25)
(8) fsu-eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x020800431a0208003e31833b15c9f3ef2852172280a74b6713570000000000000000744a1ec95ae0b4188d19786bca156b494eaeded4cf6c1848006d616e74686f6e79
(8) eap_peap: Setting User-Name to myUsername
(8) eap_peap: Sending tunneled request to fsu-peap-inner-tunnel
(8) eap_peap: EAP-Message = 0x020800431a0208003e31833b15c9f3ef2852172280a74b6713570000000000000000744a1ec95ae0b4188d19786bca156b494eaeded4cf6c1848006d616e74686f6e79
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "myUsername"
(8) eap_peap: State = 0xbdbe91b7bdb68b3a7f0fbe650d998692
(8) Virtual server fsu-peap-inner-tunnel received request
(8) EAP-Message = 0x020800431a0208003e31833b15c9f3ef2852172280a74b6713570000000000000000744a1ec95ae0b4188d19786bca156b494eaeded4cf6c1848006d616e74686f6e79
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "myUsername"
(8) State = 0xbdbe91b7bdb68b3a7f0fbe650d998692
(8) : Outer and inner identities are the same. User privacy is compromised.
(8) server fsu-peap-inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(8) authorize {
(8) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(8) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(8) if ( &User-Name =~ /\s/ ) {
(8) if ( &User-Name =~ /\s/ ) -> FALSE
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(8) suffix: Found realm "NULL"
(8) suffix: Adding Stripped-User-Name = "myUsername"
(8) suffix: Adding Realm = "NULL"
(8) suffix: Authentication realm is LOCAL
(8) [suffix] = ok
(8) update {
(8) EXPAND %{Client-Shortname}
(8) --> Cam2
(8) } # update = noop
(8) fsu-eap: Peer sent EAP Response (code 2) ID 8 length 67
(8) fsu-eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [fsu-eap] = updated
(8) if ( &EAP-Message =~ /^0x02..00061a..$/ ) {
(8) if ( &EAP-Message =~ /^0x02..00061a..$/ ) -> FALSE
(8) if ( &User-Name =~ /^host\/(COB-RBA[A-Za-z0-9-]+)(\.fsu\.edu)*$/i) {
(8) if ( &User-Name =~ /^host\/(COB-RBA[A-Za-z0-9-]+)(\.fsu\.edu)*$/i) -> FALSE
(8) elsif (&User-Name =~ /^host\/([A-Z]{2,5}-A-[0-9A-Z]{6,7})(\.fsu\.edu)*$/) {
(8) elsif (&User-Name =~ /^host\/([A-Z]{2,5}-A-[0-9A-Z]{6,7})(\.fsu\.edu)*$/) -> FALSE
(8) elsif ( (&request:Realm) && (&request:Realm == "devices") ) {
(8) elsif ( (&request:Realm) && (&request:Realm == "devices") ) -> FALSE
(8) else {
(8) fsu-ldap-people: EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(!(uid=lib-guest*)))
(8) fsu-ldap-people: --> (&(uid=myUsername)(!(uid=lib-guest*)))
(8) fsu-ldap-people: Performing search in "ou=people,dc=fsu,dc=edu" with filter "(&(uid=myUsername)(!(uid=lib-guest*)))", scope "sub"
(8) fsu-ldap-people: Waiting for search result...
(8) fsu-ldap-people: User object found at DN "uid=myUsername,ou=People,dc=fsu,dc=edu"
(8) fsu-ldap-people: Processing user attributes
(8) [fsu-ldap-people] = updated
(8) if (notfound) {
(8) if (notfound) -> FALSE
(8) if ( &reply:My-Local-fsuEduWINStatus ) {
(8) if ( &reply:My-Local-fsuEduWINStatus ) -> FALSE
(8) fsu-pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(8) : fsu-pap: Auth-Type already set. Not setting to PAP
(8) [fsu-pap] = noop
(8) update control {
(8) } # update control = noop
(8) if ( (&reply:My-Local-VLAN) && (!&reply:My-Local-employeeStatus) ) {
(8) if ( (&reply:My-Local-VLAN) && (!&reply:My-Local-employeeStatus) ) -> FALSE
(8) if (&reply:My-Local-fsuEduAppRoles) {
(8) if (&reply:My-Local-fsuEduAppRoles) -> TRUE
(8) if (&reply:My-Local-fsuEduAppRoles) {
(8) if ((!&reply:My-Local-VLAN) && (&Client-Shortname !~ /^P/)) {
(8) if ((!&reply:My-Local-VLAN) && (&Client-Shortname !~ /^P/)) -> FALSE
(8) update {
(8) } # update = noop
(8) } # if (&reply:My-Local-fsuEduAppRoles) = noop
(8) if ((!&reply:My-Local-employeeStatus) && (!&reply:My-Local-VLAN)) {
(8) if ((!&reply:My-Local-employeeStatus) && (!&reply:My-Local-VLAN)) -> FALSE
(8) elsif (!&reply:My-Local-VLAN) {
(8) elsif (!&reply:My-Local-VLAN) -> FALSE
(8) fsu-cache-ldap-people-inner-tunnel-attributes: EXPAND %{User-Name}
(8) fsu-cache-ldap-people-inner-tunnel-attributes: --> myUsername
(8) fsu-cache-ldap-people-inner-tunnel-attributes: No cache entry found for "myUsername"
(8) fsu-cache-ldap-people-inner-tunnel-attributes: Creating new cache entry
(8) fsu-cache-ldap-people-inner-tunnel-attributes: &reply:My-Local-VLAN := &reply:My-Local-VLAN -> 'vlan1'
(8) fsu-cache-ldap-people-inner-tunnel-attributes: Merging cache entry into request
(8) fsu-cache-ldap-people-inner-tunnel-attributes: &reply:My-Local-VLAN := "vlan1"
(8) fsu-cache-ldap-people-inner-tunnel-attributes: Committed entry, TTL 10 seconds
(8) [fsu-cache-ldap-people-inner-tunnel-attributes] = updated
(8) } # else = updated
(8) } # authorize = updated
(8) Found Auth-Type = fsu-eap
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(8) Auth-Type fsu-eap {
(8) fsu-eap: Expiring EAP session with state 0xbdbe91b7bdb68b3a
(8) fsu-eap: Finished EAP session with state 0xbdbe91b7bdb68b3a
(8) fsu-eap: Previous EAP request found for state 0xbdbe91b7bdb68b3a, released from the list
(8) fsu-eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) fsu-eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(8) eap_mschapv2: Auth-Type MS-CHAP {
(8) fsu-mschap-winbind: Found NT-Password
(8) fsu-mschap-winbind: Creating challenge hash with username: myUsername
(8) fsu-mschap-winbind: Client is using MS-CHAPv2
(8) fsu-mschap-winbind: Adding MS-CHAPv2 MPPE keys
(8) eap_mschapv2: [fsu-mschap-winbind] = ok
(8) eap_mschapv2: } # Auth-Type MS-CHAP = ok
(8) eap_mschapv2: MSCHAP Success
(8) fsu-eap: Sending EAP Request (code 1) ID 9 length 51
(8) fsu-eap: EAP session adding &reply:State = 0xbdbe91b7bcb78b3a
(8) [fsu-eap] = handled
(8) } # Auth-Type fsu-eap = handled
(8) } # server fsu-peap-inner-tunnel
(8) Virtual server sending reply
(8) My-Local-employeeStatus = "Active"
(8) My-Local-VLAN = "vlan1"
(8) EAP-Message = 0x010900331a0308002e533d41393935354644354538374432394630414132383239393242333033343041313045414634313145
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xbdbe91b7bcb78b3a7f0fbe650d998692
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap: My-Local-employeeStatus = "Active"
(8) eap_peap: My-Local-VLAN = "vlan1"
(8) eap_peap: EAP-Message = 0x010900331a0308002e533d41393935354644354538374432394630414132383239393242333033343041313045414634313145
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xbdbe91b7bcb78b3a7f0fbe650d998692
(8) eap_peap: Got tunneled Access-Challenge
(8) fsu-eap: Sending EAP Request (code 1) ID 9 length 82
(8) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bbddae41c
(8) [fsu-eap] = handled
(8) } # Auth-Type fsu-eap = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(8) Challenge { ... } # empty sub-section is ignored
(8) session-state: Saving cached attributes
(8) TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(8) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(8) TLS-Session-Version = "TLS 1.2"
(8) Sent Access-Challenge Id 71 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(8) EAP-Message = 0x0109005219001703030047b7cf4af33aedeba476f0ca80606e3598427bd6060b0e2f916bcffa2c3fc9c58dd50f86471e0cf17757762211678028238727728422349caf8dfcce26ca5e11e712af3dfe455357
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xbad3fd1bbddae41c1c1cd17260df3cc0
(8) Finished request
(9) Received Access-Request Id 72 from w.x.y.z:54989 to a.b.c.e:1812 length 243
(9) User-Name = "myUsername"
(9) NAS-IP-Address = a.b.c.d
(9) NAS-Port = 0
(9) NAS-Identifier = "w.x.y.z"
(9) NAS-Port-Type = Wireless-802.11
(9) Calling-Station-Id = "Calling-MAC"
(9) Called-Station-Id = "Called-MAC"
(9) Service-Type = Framed-User
(9) Framed-MTU = 1100
(9) EAP-Message = 0x020900251900170303001a00000000000000030d1699cbaf6586c78b66fceffb50df5f09e8
(9) State = 0xbad3fd1bbddae41c1c1cd17260df3cc0
(9) Aruba-Essid-Name = "FSUCoreX"
(9) Aruba-Location-Id = "303H-mark"
(9) Aruba-AP-Group = "RAP-VoIP"
(9) Aruba-Device-Type = "Win 10"
(9) Message-Authenticator = 0xdf62b863a702c3f6c3695ae393531b03
(9) Restoring &session-state
(9) &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(9) &session-state:TLS-Session-Version = "TLS 1.2"
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(9) authorize {
(9) fsu-bad-passwords: EXPAND %{User-Name}
(9) fsu-bad-passwords: --> myUsername
(9) [fsu-bad-passwords] = noop
(9) if (ok) {
(9) if (ok) -> FALSE
(9) policy rewrite_calling_station_id {
(9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(9) update request {
(9) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(9) --> Calling-MAC
(9) } # update request = noop
(9) [updated] = updated
(9) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(9) ... skipping else: Preceding "if" was taken
(9) } # policy rewrite_calling_station_id = updated
(9) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(9) fsu-bad-macs: --> Calling-MAC
(9) [fsu-bad-macs] = noop
(9) if (ok) {
(9) if (ok) -> FALSE
(9) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(9) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(9) if (&User-Name =~ /^host\//) {
(9) if (&User-Name =~ /^host\//) -> FALSE
(9) if ( &User-Name =~ /\s/ ) {
(9) if ( &User-Name =~ /\s/ ) -> FALSE
(9) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(9) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(9) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(9) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(9) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(9) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(9) ntdomain: Checking for prefix before "\"
(9) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(9) [ntdomain] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(9) suffix: Found realm "NULL"
(9) suffix: Adding Stripped-User-Name = "myUsername"
(9) suffix: Adding Realm = "NULL"
(9) suffix: Authentication realm is LOCAL
(9) [suffix] = ok
(9) update request {
(9) } # update request = noop
(9) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(9) fsu-rsa-macs: --> Calling-MAC
(9) [fsu-rsa-macs] = noop
(9) if (ok) {
(9) if (ok) -> FALSE
(9) else {
(9) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(9) fsu-rsa-atwpa-aruba: --> FSUCoreX
(9) [fsu-rsa-atwpa-aruba] = noop
(9) if (ok) {
(9) if (ok) -> FALSE
(9) else {
(9) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(9) fsu-rsa-atwpa-cisco: -->
(9) [fsu-rsa-atwpa-cisco] = noop
(9) if (ok) {
(9) if (ok) -> FALSE
(9) } # else = noop
(9) } # else = noop
(9) if (&request:Hint == "RSA") {
(9) if (&request:Hint == "RSA") -> FALSE
(9) else {
(9) fsu-eap: Peer sent EAP Response (code 2) ID 9 length 37
(9) fsu-eap: Continuing tunnel setup
(9) [fsu-eap] = ok
(9) } # else = ok
(9) } # authorize = ok
(9) Found Auth-Type = fsu-eap
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(9) Auth-Type fsu-eap {
(9) fsu-eap: Expiring EAP session with state 0xbdbe91b7bcb78b3a
(9) fsu-eap: Finished EAP session with state 0xbad3fd1bbddae41c
(9) fsu-eap: Previous EAP request found for state 0xbad3fd1bbddae41c, released from the list
(9) fsu-eap: Peer sent packet with method EAP PEAP (25)
(9) fsu-eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message = 0x020900061a03
(9) eap_peap: Setting User-Name to myUsername
(9) eap_peap: Sending tunneled request to fsu-peap-inner-tunnel
(9) eap_peap: EAP-Message = 0x020900061a03
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = "myUsername"
(9) eap_peap: State = 0xbdbe91b7bcb78b3a7f0fbe650d998692
(9) Virtual server fsu-peap-inner-tunnel received request
(9) EAP-Message = 0x020900061a03
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "myUsername"
(9) State = 0xbdbe91b7bcb78b3a7f0fbe650d998692
(9) : Outer and inner identities are the same. User privacy is compromised.
(9) server fsu-peap-inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(9) authorize {
(9) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(9) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(9) if ( &User-Name =~ /\s/ ) {
(9) if ( &User-Name =~ /\s/ ) -> FALSE
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(9) suffix: Found realm "NULL"
(9) suffix: Adding Stripped-User-Name = "myUsername"
(9) suffix: Adding Realm = "NULL"
(9) suffix: Authentication realm is LOCAL
(9) [suffix] = ok
(9) update {
(9) EXPAND %{Client-Shortname}
(9) --> Cam2
(9) } # update = noop
(9) fsu-eap: Peer sent EAP Response (code 2) ID 9 length 6
(9) fsu-eap: No EAP Start, assuming it's an on-going EAP conversation
(9) [fsu-eap] = updated
(9) if ( &EAP-Message =~ /^0x02..00061a..$/ ) {
(9) if ( &EAP-Message =~ /^0x02..00061a..$/ ) -> TRUE
(9) if ( &EAP-Message =~ /^0x02..00061a..$/ ) {
(9) policy fsu-peap-cache-policy {
(9) if ( &User-Name =~ /@devices/ ){
(9) if ( &User-Name =~ /@devices/ ) -> FALSE
(9) else {
(9) fsu-cache-ldap-people-inner-tunnel-attributes: EXPAND %{User-Name}
(9) fsu-cache-ldap-people-inner-tunnel-attributes: --> myUsername
(9) fsu-cache-ldap-people-inner-tunnel-attributes: Found entry for "myUsername"
(9) fsu-cache-ldap-people-inner-tunnel-attributes: Merging cache entry into request
(9) fsu-cache-ldap-people-inner-tunnel-attributes: &reply:My-Local-VLAN := "vlan1"
(9) [fsu-cache-ldap-people-inner-tunnel-attributes] = ok
(9) if (updated) {
(9) if (updated) -> FALSE
(9) elsif (noop) {
(9) elsif (noop) -> FALSE
(9) elsif (ok) {
(9) elsif (ok) -> TRUE
(9) elsif (ok) {
(9) update control {
(9) } # update control = noop
(9) } # elsif (ok) = noop
(9) ... skipping else: Preceding "if" was taken
(9) } # else = ok
(9) } # policy fsu-peap-cache-policy = ok
(9) return
(9) } # if ( &EAP-Message =~ /^0x02..00061a..$/ ) = ok
(9) } # authorize = updated
(9) Found Auth-Type = fsu-eap
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(9) Auth-Type fsu-eap {
(9) fsu-eap: Expiring EAP session with state 0xbdbe91b7bcb78b3a
(9) fsu-eap: Finished EAP session with state 0xbdbe91b7bcb78b3a
(9) fsu-eap: Previous EAP request found for state 0xbdbe91b7bcb78b3a, released from the list
(9) fsu-eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) fsu-eap: Calling submodule eap_mschapv2 to process data
(9) fsu-eap: Sending EAP Success (code 3) ID 9 length 4
(9) fsu-eap: Freeing handler
(9) [fsu-eap] = ok
(9) } # Auth-Type fsu-eap = ok
(9) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(9) post-auth {
(9) update reply {
(9) } # update reply = noop
(9) update outer.session-state {
(9) } # update outer.session-state = noop
(9) } # post-auth = noop
(9) EXPAND %{My-Local-SSID} %{My-Local-AP} %{My-Local-Group} %{My-Local-Device} %{reply:My-Local-VLAN}
(9) --> vlan1
(9) } # server fsu-peap-inner-tunnel
(9) Virtual server sending reply
(9) My-Local-VLAN = "vlan1"
(9) eap_peap: Got tunneled reply code 2
(9) eap_peap: My-Local-VLAN = "vlan1"
(9) eap_peap: Tunneled authentication was successful
(9) eap_peap: SUCCESS
(9) eap_peap: Saving tunneled attributes for later
(9) fsu-eap: Sending EAP Request (code 1) ID 10 length 46
(9) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bb2d9e41c
(9) [fsu-eap] = handled
(9) } # Auth-Type fsu-eap = handled
(9) Using Post-Auth-Type Challenge
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(9) Challenge { ... } # empty sub-section is ignored
(9) session-state: Saving cached attributes
(9) TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(9) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(9) TLS-Session-Version = "TLS 1.2"
(9) My-Local-VLAN := "vlan1"
(9) Sent Access-Challenge Id 72 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(9) EAP-Message = 0x010a002e19001703030023b7cf4af33aedeba505c51c2e3171961fb71fe7fbd0c5c4e9758095d7bc824aa3c086c1
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0xbad3fd1bb2d9e41c1c1cd17260df3cc0
(9) Finished request
(10) Received Access-Request Id 73 from w.x.y.z:54989 to a.b.c.e:1812 length 252
(10) User-Name = "myUsername"
(10) NAS-IP-Address = a.b.c.d
(10) NAS-Port = 0
(10) NAS-Identifier = "w.x.y.z"
(10) NAS-Port-Type = Wireless-802.11
(10) Calling-Station-Id = "Calling-MAC"
(10) Called-Station-Id = "Called-MAC"
(10) Service-Type = Framed-User
(10) Framed-MTU = 1100
(10) EAP-Message = 0x020a002e190017030300230000000000000004de7c7a2af3bccdc1ab6fbe745bd674fade6975f3841b77dd0bc828
(10) State = 0xbad3fd1bb2d9e41c1c1cd17260df3cc0
(10) Aruba-Essid-Name = "FSUCoreX"
(10) Aruba-Location-Id = "303H-mark"
(10) Aruba-AP-Group = "RAP-VoIP"
(10) Aruba-Device-Type = "Win 10"
(10) Message-Authenticator = 0x5e7f2636fe8c9843ebeac76225d66d1b
(10) Restoring &session-state
(10) &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(10) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(10) &session-state:TLS-Session-Version = "TLS 1.2"
(10) &session-state:My-Local-VLAN := "vlan1"
(10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(10) authorize {
(10) fsu-bad-passwords: EXPAND %{User-Name}
(10) fsu-bad-passwords: --> myUsername
(10) [fsu-bad-passwords] = noop
(10) if (ok) {
(10) if (ok) -> FALSE
(10) policy rewrite_calling_station_id {
(10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(10) update request {
(10) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(10) --> Calling-MAC
(10) } # update request = noop
(10) [updated] = updated
(10) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(10) ... skipping else: Preceding "if" was taken
(10) } # policy rewrite_calling_station_id = updated
(10) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(10) fsu-bad-macs: --> Calling-MAC
(10) [fsu-bad-macs] = noop
(10) if (ok) {
(10) if (ok) -> FALSE
(10) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(10) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(10) if (&User-Name =~ /^host\//) {
(10) if (&User-Name =~ /^host\//) -> FALSE
(10) if ( &User-Name =~ /\s/ ) {
(10) if ( &User-Name =~ /\s/ ) -> FALSE
(10) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(10) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(10) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(10) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(10) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(10) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(10) ntdomain: Checking for prefix before "\"
(10) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(10) [ntdomain] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(10) suffix: Found realm "NULL"
(10) suffix: Adding Stripped-User-Name = "myUsername"
(10) suffix: Adding Realm = "NULL"
(10) suffix: Authentication realm is LOCAL
(10) [suffix] = ok
(10) update request {
(10) } # update request = noop
(10) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(10) fsu-rsa-macs: --> Calling-MAC
(10) [fsu-rsa-macs] = noop
(10) if (ok) {
(10) if (ok) -> FALSE
(10) else {
(10) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(10) fsu-rsa-atwpa-aruba: --> FSUCoreX
(10) [fsu-rsa-atwpa-aruba] = noop
(10) if (ok) {
(10) if (ok) -> FALSE
(10) else {
(10) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(10) fsu-rsa-atwpa-cisco: -->
(10) [fsu-rsa-atwpa-cisco] = noop
(10) if (ok) {
(10) if (ok) -> FALSE
(10) } # else = noop
(10) } # else = noop
(10) if (&request:Hint == "RSA") {
(10) if (&request:Hint == "RSA") -> FALSE
(10) else {
(10) fsu-eap: Peer sent EAP Response (code 2) ID 10 length 46
(10) fsu-eap: Continuing tunnel setup
(10) [fsu-eap] = ok
(10) } # else = ok
(10) } # authorize = ok
(10) Found Auth-Type = fsu-eap
(10) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(10) Auth-Type fsu-eap {
(10) fsu-eap: Expiring EAP session with state 0xbad3fd1bb2d9e41c
(10) fsu-eap: Finished EAP session with state 0xbad3fd1bb2d9e41c
(10) fsu-eap: Previous EAP request found for state 0xbad3fd1bb2d9e41c, released from the list
(10) fsu-eap: Peer sent packet with method EAP PEAP (25)
(10) fsu-eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Success
(10) eap_peap: Using saved attributes from the original Access-Accept
(10) eap_peap: My-Local-VLAN = "vlan1"
(10) eap_peap: caching Stripped-User-Name = "myUsername"
(10) eap_peap: caching My-Local-VLAN = "vlan1"
(10) eap_peap: Saving session 422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c in the disk cache
(10) fsu-eap: Sending EAP Success (code 3) ID 10 length 4
(10) fsu-eap: Freeing handler
(10) [fsu-eap] = ok
(10) } # Auth-Type fsu-eap = ok
(10) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(10) post-auth {
(10) update reply {
(10) } # update reply = noop
(10) if ( &reply:My-Local-VLAN == "student" ) {
(10) if ( &reply:My-Local-VLAN == "student" ) -> FALSE
(10) policy fsu-SSID-and-VLAN-policy {
(10) update {
(10) } # update = noop
(10) if ( &Aruba-Essid-Name ) {
(10) if ( &Aruba-Essid-Name ) -> TRUE
(10) if ( &Aruba-Essid-Name ) {
(10) update {
(10) } # update = noop
(10) if ( &My-Local-AP =~ /^(.*?)(\.wireless)?(\.fsu\.edu)$/i ) {
(10) if ( &My-Local-AP =~ /^(.*?)(\.wireless)?(\.fsu\.edu)$/i ) -> FALSE
(10) if ( &My-Local-Group =~ /^(.+) (.+$)/ ) {
(10) if ( &My-Local-Group =~ /^(.+) (.+$)/ ) -> FALSE
(10) } # if ( &Aruba-Essid-Name ) = noop
(10) ... skipping elsif: Preceding "if" was taken
(10) ... skipping elsif: Preceding "if" was taken
(10) ... skipping else: Preceding "if" was taken
(10) if (( !&My-Local-Device ) || ( &My-Local-Device == '' )) {
(10) if (( !&My-Local-Device ) || ( &My-Local-Device == '' )) -> FALSE
(10) elsif ( &My-Local-Device =~ /^(.+) (.+$)/ ) {
(10) elsif ( &My-Local-Device =~ /^(.+) (.+$)/ ) -> TRUE
(10) elsif ( &My-Local-Device =~ /^(.+) (.+$)/ ) {
(10) update {
(10) EXPAND %{1}_%{2}
(10) --> Win_10
(10) } # update = noop
(10) } # elsif ( &My-Local-Device =~ /^(.+) (.+$)/ ) = noop
(10) } # policy fsu-SSID-and-VLAN-policy = noop
(10) } # post-auth = noop
(10) EXPAND %{My-Local-SSID} %{My-Local-AP} %{My-Local-Group} %{My-Local-Device} %{reply:My-Local-VLAN}
(10) --> FSUCoreX 303H-mark RAP-VoIP Win_10 vlan1
(10) Sent Access-Accept Id 73 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(10) MS-MPPE-Recv-Key = 0x76c1709fb1a884db3c1dae08502e387b4ee3509699ba64fb2ac819dcd7cb9cf2
(10) MS-MPPE-Send-Key = 0x69113d50de374c367959ece9c252df752318770766c2fcd944e19608a88cd587
(10) EAP-Message = 0x030a0004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) User-Name = "myUsername"
(10) Aruba-User-Vlan := vlan1
(10) Finished request
(1) Cleaning up request packet ID 64 with timestamp +100
(2) Cleaning up request packet ID 65 with timestamp +100
(3) Cleaning up request packet ID 66 with timestamp +100
(4) Cleaning up request packet ID 67 with timestamp +100
(5) Cleaning up request packet ID 68 with timestamp +100
(6) Cleaning up request packet ID 69 with timestamp +100
(7) Cleaning up request packet ID 70 with timestamp +100
(8) Cleaning up request packet ID 71 with timestamp +101
(9) Cleaning up request packet ID 72 with timestamp +101
(10) Cleaning up request packet ID 73 with timestamp +101
(12) Received Access-Request Id 75 from w.x.y.z:54989 to a.b.c.e:1812 length 201
(12) User-Name = "myUsername"
(12) NAS-IP-Address = a.b.c.d
(12) NAS-Port = 0
(12) NAS-Identifier = "w.x.y.z"
(12) NAS-Port-Type = Wireless-802.11
(12) Calling-Station-Id = "Calling-MAC"
(12) Called-Station-Id = "Called-MAC"
(12) Service-Type = Framed-User
(12) Framed-MTU = 1100
(12) EAP-Message = 0x0201000d016d616e74686f6e79
(12) Aruba-Essid-Name = "FSUCoreX"
(12) Aruba-Location-Id = "303H-mark"
(12) Aruba-AP-Group = "RAP-VoIP"
(12) Aruba-Device-Type = "Win 10"
(12) Message-Authenticator = 0xfba1cd2bb95371c14c3b6dec0b816152
(12) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(12) authorize {
(12) fsu-bad-passwords: EXPAND %{User-Name}
(12) fsu-bad-passwords: --> myUsername
(12) [fsu-bad-passwords] = noop
(12) if (ok) {
(12) if (ok) -> FALSE
(12) policy rewrite_calling_station_id {
(12) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(12) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(12) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(12) update request {
(12) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(12) --> Calling-MAC
(12) } # update request = noop
(12) [updated] = updated
(12) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(12) ... skipping else: Preceding "if" was taken
(12) } # policy rewrite_calling_station_id = updated
(12) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(12) fsu-bad-macs: --> Calling-MAC
(12) [fsu-bad-macs] = noop
(12) if (ok) {
(12) if (ok) -> FALSE
(12) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(12) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(12) if (&User-Name =~ /^host\//) {
(12) if (&User-Name =~ /^host\//) -> FALSE
(12) if ( &User-Name =~ /\s/ ) {
(12) if ( &User-Name =~ /\s/ ) -> FALSE
(12) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(12) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(12) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(12) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(12) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(12) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(12) ntdomain: Checking for prefix before "\"
(12) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(12) [ntdomain] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(12) suffix: Found realm "NULL"
(12) suffix: Adding Stripped-User-Name = "myUsername"
(12) suffix: Adding Realm = "NULL"
(12) suffix: Authentication realm is LOCAL
(12) [suffix] = ok
(12) update request {
(12) } # update request = noop
(12) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(12) fsu-rsa-macs: --> Calling-MAC
(12) [fsu-rsa-macs] = noop
(12) if (ok) {
(12) if (ok) -> FALSE
(12) else {
(12) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(12) fsu-rsa-atwpa-aruba: --> FSUCoreX
(12) [fsu-rsa-atwpa-aruba] = noop
(12) if (ok) {
(12) if (ok) -> FALSE
(12) else {
(12) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(12) fsu-rsa-atwpa-cisco: -->
(12) [fsu-rsa-atwpa-cisco] = noop
(12) if (ok) {
(12) if (ok) -> FALSE
(12) } # else = noop
(12) } # else = noop
(12) if (&request:Hint == "RSA") {
(12) if (&request:Hint == "RSA") -> FALSE
(12) else {
(12) fsu-eap: Peer sent EAP Response (code 2) ID 1 length 13
(12) fsu-eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(12) [fsu-eap] = ok
(12) } # else = ok
(12) } # authorize = ok
(12) Found Auth-Type = fsu-eap
(12) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(12) Auth-Type fsu-eap {
(12) fsu-eap: Peer sent packet with method EAP Identity (1)
(12) fsu-eap: Calling submodule eap_peap to process data
(12) eap_peap: Initiating new TLS session
(12) eap_peap: [eaptls start] = request
(12) fsu-eap: Sending EAP Request (code 1) ID 2 length 6
(12) fsu-eap: EAP session adding &reply:State = 0xed876281ed857bf6
(12) [fsu-eap] = handled
(12) } # Auth-Type fsu-eap = handled
(12) Using Post-Auth-Type Challenge
(12) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(12) Challenge { ... } # empty sub-section is ignored
(12) Sent Access-Challenge Id 75 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(12) EAP-Message = 0x010200061920
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) State = 0xed876281ed857bf64bfe7e94b8bee491
(12) Finished request
(13) Received Access-Request Id 76 from w.x.y.z:54989 to a.b.c.e:1812 length 410
(13) User-Name = "myUsername"
(13) NAS-IP-Address = a.b.c.d
(13) NAS-Port = 0
(13) NAS-Identifier = "w.x.y.z"
(13) NAS-Port-Type = Wireless-802.11
(13) Calling-Station-Id = "Calling-MAC"
(13) Called-Station-Id = "Called-MAC"
(13) Service-Type = Framed-User
(13) Framed-MTU = 1100
(13) EAP-Message = 0x020200cc1980000000c216030300bd010000b90303602ed14ac1f2d653bd77e58e5213aeb2b1761c505dae0f91b5abafddc637c96f20422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(13) State = 0xed876281ed857bf64bfe7e94b8bee491
(13) Aruba-Essid-Name = "FSUCoreX"
(13) Aruba-Location-Id = "303H-mark"
(13) Aruba-AP-Group = "RAP-VoIP"
(13) Aruba-Device-Type = "Win 10"
(13) Message-Authenticator = 0x535aa1354009ea5836ccfd33734fcc8c
(13) session-state: No cached attributes
(13) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(13) authorize {
(13) fsu-bad-passwords: EXPAND %{User-Name}
(13) fsu-bad-passwords: --> myUsername
(13) [fsu-bad-passwords] = noop
(13) if (ok) {
(13) if (ok) -> FALSE
(13) policy rewrite_calling_station_id {
(13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(13) update request {
(13) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(13) --> Calling-MAC
(13) } # update request = noop
(13) [updated] = updated
(13) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(13) ... skipping else: Preceding "if" was taken
(13) } # policy rewrite_calling_station_id = updated
(13) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(13) fsu-bad-macs: --> Calling-MAC
(13) [fsu-bad-macs] = noop
(13) if (ok) {
(13) if (ok) -> FALSE
(13) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(13) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(13) if (&User-Name =~ /^host\//) {
(13) if (&User-Name =~ /^host\//) -> FALSE
(13) if ( &User-Name =~ /\s/ ) {
(13) if ( &User-Name =~ /\s/ ) -> FALSE
(13) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(13) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(13) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(13) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(13) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(13) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(13) ntdomain: Checking for prefix before "\"
(13) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(13) [ntdomain] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(13) suffix: Found realm "NULL"
(13) suffix: Adding Stripped-User-Name = "myUsername"
(13) suffix: Adding Realm = "NULL"
(13) suffix: Authentication realm is LOCAL
(13) [suffix] = ok
(13) update request {
(13) } # update request = noop
(13) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(13) fsu-rsa-macs: --> Calling-MAC
(13) [fsu-rsa-macs] = noop
(13) if (ok) {
(13) if (ok) -> FALSE
(13) else {
(13) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(13) fsu-rsa-atwpa-aruba: --> FSUCoreX
(13) [fsu-rsa-atwpa-aruba] = noop
(13) if (ok) {
(13) if (ok) -> FALSE
(13) else {
(13) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(13) fsu-rsa-atwpa-cisco: -->
(13) [fsu-rsa-atwpa-cisco] = noop
(13) if (ok) {
(13) if (ok) -> FALSE
(13) } # else = noop
(13) } # else = noop
(13) if (&request:Hint == "RSA") {
(13) if (&request:Hint == "RSA") -> FALSE
(13) else {
(13) fsu-eap: Peer sent EAP Response (code 2) ID 2 length 204
(13) fsu-eap: Continuing tunnel setup
(13) [fsu-eap] = ok
(13) } # else = ok
(13) } # authorize = ok
(13) Found Auth-Type = fsu-eap
(13) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(13) Auth-Type fsu-eap {
(13) fsu-eap: Expiring EAP session with state 0xed876281ed857bf6
(13) fsu-eap: Finished EAP session with state 0xed876281ed857bf6
(13) fsu-eap: Previous EAP request found for state 0xed876281ed857bf6, released from the list
(13) fsu-eap: Peer sent packet with method EAP PEAP (25)
(13) fsu-eap: Calling submodule eap_peap to process data
(13) eap_peap: Continuing EAP-TLS
(13) eap_peap: Peer indicated complete TLS record size will be 194 bytes
(13) eap_peap: Got complete TLS record (194 bytes)
(13) eap_peap: [eaptls verify] = length included
(13) eap_peap: (other): before SSL initialization
(13) eap_peap: TLS_accept: before SSL initialization
(13) eap_peap: TLS_accept: before SSL initialization
(13) eap_peap: Peer requested cached session: 422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c
(13) eap_peap: Successfully restored session 422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c
(13) eap_peap: reply:Stripped-User-Name = "myUsername"
(13) eap_peap: reply:My-Local-VLAN = "vlan1"
(13) eap_peap: TLS_accept: SSLv3/TLS read client hello
(13) eap_peap: TLS_accept: SSLv3/TLS write server hello
(13) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(13) eap_peap: TLS_accept: SSLv3/TLS write finished
(13) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write finished
(13) eap_peap: TLS - In Handshake Phase
(13) eap_peap: TLS - got 141 bytes of data
(13) eap_peap: [eaptls process] = handled
(13) fsu-eap: Sending EAP Request (code 1) ID 3 length 147
(13) fsu-eap: EAP session adding &reply:State = 0xed876281ec847bf6
(13) [fsu-eap] = handled
(13) } # Auth-Type fsu-eap = handled
(13) Using Post-Auth-Type Challenge
(13) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(13) Challenge { ... } # empty sub-section is ignored
(13) Sent Access-Challenge Id 76 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(13) EAP-Message = 0x0103009319001603030055020000510303535c075d9ba79179c49631cfbe31ff45262678a833b2ae1c34e0949ff5ee853a20422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5cc02b000009ff0100010000170000140303000101160303002889c27588c852f56c61f9f2cf794234739860a9e037ffa2c8089ad130dbba4b5d4877e410b28dcf32
(13) Message-Authenticator = 0x00000000000000000000000000000000
(13) State = 0xed876281ec847bf64bfe7e94b8bee491
(13) Finished request
(14) Received Access-Request Id 77 from w.x.y.z:54989 to a.b.c.e:1812 length 267
(14) User-Name = "myUsername"
(14) NAS-IP-Address = a.b.c.d
(14) NAS-Port = 0
(14) NAS-Identifier = "w.x.y.z"
(14) NAS-Port-Type = Wireless-802.11
(14) Calling-Station-Id = "Calling-MAC"
(14) Called-Station-Id = "Called-MAC"
(14) Service-Type = Framed-User
(14) Framed-MTU = 1100
(14) EAP-Message = 0x0203003d198000000033140303000101160303002800000000000000008e96422f1c79714e1d0364108107f26591d1473152a392a5e62afcf078383caf
(14) State = 0xed876281ec847bf64bfe7e94b8bee491
(14) Aruba-Essid-Name = "FSUCoreX"
(14) Aruba-Location-Id = "303H-mark"
(14) Aruba-AP-Group = "RAP-VoIP"
(14) Aruba-Device-Type = "Win 10"
(14) Message-Authenticator = 0x8ecf71006fe00b92f9384c908fb856aa
(14) session-state: No cached attributes
(14) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(14) authorize {
(14) fsu-bad-passwords: EXPAND %{User-Name}
(14) fsu-bad-passwords: --> myUsername
(14) [fsu-bad-passwords] = noop
(14) if (ok) {
(14) if (ok) -> FALSE
(14) policy rewrite_calling_station_id {
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(14) update request {
(14) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(14) --> Calling-MAC
(14) } # update request = noop
(14) [updated] = updated
(14) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(14) ... skipping else: Preceding "if" was taken
(14) } # policy rewrite_calling_station_id = updated
(14) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(14) fsu-bad-macs: --> Calling-MAC
(14) [fsu-bad-macs] = noop
(14) if (ok) {
(14) if (ok) -> FALSE
(14) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(14) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(14) if (&User-Name =~ /^host\//) {
(14) if (&User-Name =~ /^host\//) -> FALSE
(14) if ( &User-Name =~ /\s/ ) {
(14) if ( &User-Name =~ /\s/ ) -> FALSE
(14) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(14) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(14) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(14) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(14) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(14) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(14) ntdomain: Checking for prefix before "\"
(14) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(14) [ntdomain] = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(14) suffix: Found realm "NULL"
(14) suffix: Adding Stripped-User-Name = "myUsername"
(14) suffix: Adding Realm = "NULL"
(14) suffix: Authentication realm is LOCAL
(14) [suffix] = ok
(14) update request {
(14) } # update request = noop
(14) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(14) fsu-rsa-macs: --> Calling-MAC
(14) [fsu-rsa-macs] = noop
(14) if (ok) {
(14) if (ok) -> FALSE
(14) else {
(14) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(14) fsu-rsa-atwpa-aruba: --> FSUCoreX
(14) [fsu-rsa-atwpa-aruba] = noop
(14) if (ok) {
(14) if (ok) -> FALSE
(14) else {
(14) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(14) fsu-rsa-atwpa-cisco: -->
(14) [fsu-rsa-atwpa-cisco] = noop
(14) if (ok) {
(14) if (ok) -> FALSE
(14) } # else = noop
(14) } # else = noop
(14) if (&request:Hint == "RSA") {
(14) if (&request:Hint == "RSA") -> FALSE
(14) else {
(14) fsu-eap: Peer sent EAP Response (code 2) ID 3 length 61
(14) fsu-eap: Continuing tunnel setup
(14) [fsu-eap] = ok
(14) } # else = ok
(14) } # authorize = ok
(14) Found Auth-Type = fsu-eap
(14) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(14) Auth-Type fsu-eap {
(14) fsu-eap: Expiring EAP session with state 0xed876281ec847bf6
(14) fsu-eap: Finished EAP session with state 0xed876281ec847bf6
(14) fsu-eap: Previous EAP request found for state 0xed876281ec847bf6, released from the list
(14) fsu-eap: Peer sent packet with method EAP PEAP (25)
(14) fsu-eap: Calling submodule eap_peap to process data
(14) eap_peap: Continuing EAP-TLS
(14) eap_peap: Peer indicated complete TLS record size will be 51 bytes
(14) eap_peap: Got complete TLS record (51 bytes)
(14) eap_peap: [eaptls verify] = length included
(14) eap_peap: TLS_accept: SSLv3/TLS write finished
(14) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(14) eap_peap: TLS_accept: SSLv3/TLS read finished
(14) eap_peap: (other): SSL negotiation finished successfully
(14) eap_peap: TLS - Connection Established
(14) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(14) eap_peap: TLS-Session-Version = "TLS 1.2"
(14) eap_peap: TLS - Application data.
(14) eap_peap: Adding cached attributes from session 422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c
(14) eap_peap: &reply:Stripped-User-Name = "myUsername"
(14) eap_peap: &session-state:My-Local-VLAN = "vlan1"
(14) eap_peap: [eaptls process] = success
(14) eap_peap: Session established. Decoding tunneled attributes
(14) eap_peap: PEAP state TUNNEL ESTABLISHED
(14) eap_peap: Skipping Phase2 because of session resumption
(14) eap_peap: SUCCESS
(14) fsu-eap: Sending EAP Request (code 1) ID 4 length 46
(14) fsu-eap: EAP session adding &reply:State = 0xed876281ef837bf6
(14) [fsu-eap] = handled
(14) } # Auth-Type fsu-eap = handled
(14) Using Post-Auth-Type Challenge
(14) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(14) Challenge { ... } # empty sub-section is ignored
(14) session-state: Saving cached attributes
(14) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(14) TLS-Session-Version = "TLS 1.2"
(14) My-Local-VLAN = "vlan1"
(14) Sent Access-Challenge Id 77 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(14) EAP-Message = 0x0104002e1900170303002389c27588c852f56d03998abf7aa436f822de6761ff8fa87d41936d48062a9435b3d6b6
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0xed876281ef837bf64bfe7e94b8bee491
(14) Finished request
(15) Received Access-Request Id 78 from w.x.y.z:54989 to a.b.c.e:1812 length 252
(15) User-Name = "myUsername"
(15) NAS-IP-Address = a.b.c.d
(15) NAS-Port = 0
(15) NAS-Identifier = "w.x.y.z"
(15) NAS-Port-Type = Wireless-802.11
(15) Calling-Station-Id = "Calling-MAC"
(15) Called-Station-Id = "Called-MAC"
(15) Service-Type = Framed-User
(15) Framed-MTU = 1100
(15) EAP-Message = 0x0204002e190017030300230000000000000001df1ace71998c697ac31fb2855c4002515ba65690aab44afcc4278e
(15) State = 0xed876281ef837bf64bfe7e94b8bee491
(15) Aruba-Essid-Name = "FSUCoreX"
(15) Aruba-Location-Id = "303H-mark"
(15) Aruba-AP-Group = "RAP-VoIP"
(15) Aruba-Device-Type = "Win 10"
(15) Message-Authenticator = 0x8f6ecf737fe491dfb9ce940b13a95d3d
(15) Restoring &session-state
(15) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(15) &session-state:TLS-Session-Version = "TLS 1.2"
(15) &session-state:My-Local-VLAN = "vlan1"
(15) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(15) authorize {
(15) fsu-bad-passwords: EXPAND %{User-Name}
(15) fsu-bad-passwords: --> myUsername
(15) [fsu-bad-passwords] = noop
(15) if (ok) {
(15) if (ok) -> FALSE
(15) policy rewrite_calling_station_id {
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(15) update request {
(15) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(15) --> Calling-MAC
(15) } # update request = noop
(15) [updated] = updated
(15) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(15) ... skipping else: Preceding "if" was taken
(15) } # policy rewrite_calling_station_id = updated
(15) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(15) fsu-bad-macs: --> Calling-MAC
(15) [fsu-bad-macs] = noop
(15) if (ok) {
(15) if (ok) -> FALSE
(15) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(15) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(15) if (&User-Name =~ /^host\//) {
(15) if (&User-Name =~ /^host\//) -> FALSE
(15) if ( &User-Name =~ /\s/ ) {
(15) if ( &User-Name =~ /\s/ ) -> FALSE
(15) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(15) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(15) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(15) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(15) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(15) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(15) ntdomain: Checking for prefix before "\"
(15) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(15) [ntdomain] = noop
(15) suffix: Checking for suffix after "@"
(15) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(15) suffix: Found realm "NULL"
(15) suffix: Adding Stripped-User-Name = "myUsername"
(15) suffix: Adding Realm = "NULL"
(15) suffix: Authentication realm is LOCAL
(15) [suffix] = ok
(15) update request {
(15) } # update request = noop
(15) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(15) fsu-rsa-macs: --> Calling-MAC
(15) [fsu-rsa-macs] = noop
(15) if (ok) {
(15) if (ok) -> FALSE
(15) else {
(15) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(15) fsu-rsa-atwpa-aruba: --> FSUCoreX
(15) [fsu-rsa-atwpa-aruba] = noop
(15) if (ok) {
(15) if (ok) -> FALSE
(15) else {
(15) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(15) fsu-rsa-atwpa-cisco: -->
(15) [fsu-rsa-atwpa-cisco] = noop
(15) if (ok) {
(15) if (ok) -> FALSE
(15) } # else = noop
(15) } # else = noop
(15) if (&request:Hint == "RSA") {
(15) if (&request:Hint == "RSA") -> FALSE
(15) else {
(15) fsu-eap: Peer sent EAP Response (code 2) ID 4 length 46
(15) fsu-eap: Continuing tunnel setup
(15) [fsu-eap] = ok
(15) } # else = ok
(15) } # authorize = ok
(15) Found Auth-Type = fsu-eap
(15) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(15) Auth-Type fsu-eap {
(15) fsu-eap: Expiring EAP session with state 0xed876281ef837bf6
(15) fsu-eap: Finished EAP session with state 0xed876281ef837bf6
(15) fsu-eap: Previous EAP request found for state 0xed876281ef837bf6, released from the list
(15) fsu-eap: Peer sent packet with method EAP PEAP (25)
(15) fsu-eap: Calling submodule eap_peap to process data
(15) eap_peap: Continuing EAP-TLS
(15) eap_peap: [eaptls verify] = ok
(15) eap_peap: Done initial handshake
(15) eap_peap: [eaptls process] = ok
(15) eap_peap: Session established. Decoding tunneled attributes
(15) eap_peap: PEAP state send tlv success
(15) eap_peap: Received EAP-TLV response
(15) eap_peap: Client rejected our response. The password is probably incorrect
(15) eap_peap: Client rejected session resumption. Re-starting full authentication
(15) fsu-eap: Sending EAP Request (code 1) ID 5 length 40
(15) fsu-eap: EAP session adding &reply:State = 0xed876281ee827bf6
(15) [fsu-eap] = handled
(15) } # Auth-Type fsu-eap = handled
(15) Using Post-Auth-Type Challenge
(15) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(15) Challenge { ... } # empty sub-section is ignored
(15) session-state: Saving cached attributes
(15) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(15) TLS-Session-Version = "TLS 1.2"
(15) My-Local-VLAN = "vlan1"
(15) Sent Access-Challenge Id 78 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(15) EAP-Message = 0x010500281900170303001d89c27588c852f56eae73f7eeb5abced29ab24cd1c66e6aee6ff95dde12
(15) Message-Authenticator = 0x00000000000000000000000000000000
(15) State = 0xed876281ee827bf64bfe7e94b8bee491
(15) Finished request
(16) Received Access-Request Id 79 from w.x.y.z:54989 to a.b.c.e:1812 length 250
(16) User-Name = "myUsername"
(16) NAS-IP-Address = a.b.c.d
(16) NAS-Port = 0
(16) NAS-Identifier = "w.x.y.z"
(16) NAS-Port-Type = Wireless-802.11
(16) Calling-Station-Id = "Calling-MAC"
(16) Called-Station-Id = "Called-MAC"
(16) Service-Type = Framed-User
(16) Framed-MTU = 1100
(16) EAP-Message = 0x0205002c19001703030021000000000000000282558f8dd6938dc7f2fc9e87fe2dbd243191b612d5c9595c1d
(16) State = 0xed876281ee827bf64bfe7e94b8bee491
(16) Aruba-Essid-Name = "FSUCoreX"
(16) Aruba-Location-Id = "303H-mark"
(16) Aruba-AP-Group = "RAP-VoIP"
(16) Aruba-Device-Type = "Win 10"
(16) Message-Authenticator = 0x0323fd4fec32900b263af0272dba6948
(16) Restoring &session-state
(16) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(16) &session-state:TLS-Session-Version = "TLS 1.2"
(16) &session-state:My-Local-VLAN = "vlan1"
(16) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(16) authorize {
(16) fsu-bad-passwords: EXPAND %{User-Name}
(16) fsu-bad-passwords: --> myUsername
(16) [fsu-bad-passwords] = noop
(16) if (ok) {
(16) if (ok) -> FALSE
(16) policy rewrite_calling_station_id {
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(16) update request {
(16) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(16) --> Calling-MAC
(16) } # update request = noop
(16) [updated] = updated
(16) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(16) ... skipping else: Preceding "if" was taken
(16) } # policy rewrite_calling_station_id = updated
(16) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(16) fsu-bad-macs: --> Calling-MAC
(16) [fsu-bad-macs] = noop
(16) if (ok) {
(16) if (ok) -> FALSE
(16) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(16) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(16) if (&User-Name =~ /^host\//) {
(16) if (&User-Name =~ /^host\//) -> FALSE
(16) if ( &User-Name =~ /\s/ ) {
(16) if ( &User-Name =~ /\s/ ) -> FALSE
(16) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(16) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(16) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(16) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(16) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(16) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(16) ntdomain: Checking for prefix before "\"
(16) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(16) [ntdomain] = noop
(16) suffix: Checking for suffix after "@"
(16) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(16) suffix: Found realm "NULL"
(16) suffix: Adding Stripped-User-Name = "myUsername"
(16) suffix: Adding Realm = "NULL"
(16) suffix: Authentication realm is LOCAL
(16) [suffix] = ok
(16) update request {
(16) } # update request = noop
(16) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(16) fsu-rsa-macs: --> Calling-MAC
(16) [fsu-rsa-macs] = noop
(16) if (ok) {
(16) if (ok) -> FALSE
(16) else {
(16) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(16) fsu-rsa-atwpa-aruba: --> FSUCoreX
(16) [fsu-rsa-atwpa-aruba] = noop
(16) if (ok) {
(16) if (ok) -> FALSE
(16) else {
(16) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(16) fsu-rsa-atwpa-cisco: -->
(16) [fsu-rsa-atwpa-cisco] = noop
(16) if (ok) {
(16) if (ok) -> FALSE
(16) } # else = noop
(16) } # else = noop
(16) if (&request:Hint == "RSA") {
(16) if (&request:Hint == "RSA") -> FALSE
(16) else {
(16) fsu-eap: Peer sent EAP Response (code 2) ID 5 length 44
(16) fsu-eap: Continuing tunnel setup
(16) [fsu-eap] = ok
(16) } # else = ok
(16) } # authorize = ok
(16) Found Auth-Type = fsu-eap
(16) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(16) Auth-Type fsu-eap {
(16) fsu-eap: Expiring EAP session with state 0xed876281ee827bf6
(16) fsu-eap: Finished EAP session with state 0xed876281ee827bf6
(16) fsu-eap: Previous EAP request found for state 0xed876281ee827bf6, released from the list
(16) fsu-eap: Peer sent packet with method EAP PEAP (25)
(16) fsu-eap: Calling submodule eap_peap to process data
(16) eap_peap: Continuing EAP-TLS
(16) eap_peap: [eaptls verify] = ok
(16) eap_peap: Done initial handshake
(16) eap_peap: [eaptls process] = ok
(16) eap_peap: Session established. Decoding tunneled attributes
(16) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(16) eap_peap: Identity - myUsername
(16) eap_peap: Got inner identity 'myUsername'
(16) eap_peap: Setting default EAP type for tunneled EAP session
(16) eap_peap: Got tunneled request
(16) eap_peap: EAP-Message = 0x0205000d016d616e74686f6e79
(16) eap_peap: Setting User-Name to myUsername
(16) eap_peap: Sending tunneled request to fsu-peap-inner-tunnel
(16) eap_peap: EAP-Message = 0x0205000d016d616e74686f6e79
(16) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(16) eap_peap: User-Name = "myUsername"
(16) Virtual server fsu-peap-inner-tunnel received request
(16) EAP-Message = 0x0205000d016d616e74686f6e79
(16) FreeRADIUS-Proxied-To = 127.0.0.1
(16) User-Name = "myUsername"
(16)G: Outer and inner identities are the same. User privacy is compromised.
(16) server fsu-peap-inner-tunnel {
(16) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(16) authorize {
(16) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(16) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(16) if ( &User-Name =~ /\s/ ) {
(16) if ( &User-Name =~ /\s/ ) -> FALSE
(16) suffix: Checking for suffix after "@"
(16) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(16) suffix: Found realm "NULL"
(16) suffix: Adding Stripped-User-Name = "myUsername"
(16) suffix: Adding Realm = "NULL"
(16) suffix: Authentication realm is LOCAL
(16) [suffix] = ok
(16) update {
(16) EXPAND %{Client-Shortname}
(16) --> Cam2
(16) } # update = noop
(16) fsu-eap: Peer sent EAP Response (code 2) ID 5 length 13
(16) fsu-eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(16) [fsu-eap] = ok
(16) } # authorize = ok
(16) Found Auth-Type = fsu-eap
(16) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(16) Auth-Type fsu-eap {
(16) fsu-eap: Peer sent packet with method EAP Identity (1)
(16) fsu-eap: Calling submodule eap_mschapv2 to process data
(16) eap_mschapv2: Issuing Challenge
(16) fsu-eap: Sending EAP Request (code 1) ID 6 length 42
(16) fsu-eap: EAP session adding &reply:State = 0x6295751762936f56
(16) [fsu-eap] = handled
(16) } # Auth-Type fsu-eap = handled
(16) } # server fsu-peap-inner-tunnel
(16) Virtual server sending reply
(16) EAP-Message = 0x0106002a1a01060025109f50784156a46729b0cf55b725fe519e6673755f6561705f6d73636861707632
(16) Message-Authenticator = 0x00000000000000000000000000000000
(16) State = 0x6295751762936f5699fbad14c2f8e6da
(16) eap_peap: Got tunneled reply code 11
(16) eap_peap: EAP-Message = 0x0106002a1a01060025109f50784156a46729b0cf55b725fe519e6673755f6561705f6d73636861707632
(16) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(16) eap_peap: State = 0x6295751762936f5699fbad14c2f8e6da
(16) eap_peap: Got tunneled Access-Challenge
(16) fsu-eap: Sending EAP Request (code 1) ID 6 length 73
(16) fsu-eap: EAP session adding &reply:State = 0xed876281e9817bf6
(16) [fsu-eap] = handled
(16) } # Auth-Type fsu-eap = handled
(16) Using Post-Auth-Type Challenge
(16) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(16) Challenge { ... } # empty sub-section is ignored
(16) session-state: Saving cached attributes
(16) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(16) TLS-Session-Version = "TLS 1.2"
(16) My-Local-VLAN = "vlan1"
(16) Sent Access-Challenge Id 79 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(16) EAP-Message = 0x010600491900170303003e89c27588c852f56f98c1d1a9fa6d0cc0a1e10e32209323a00f2555899d0c5b91cfa2736c4e76b4e6395920f98ab9de29bc0d8add2be3043afcff649388d1
(16) Message-Authenticator = 0x00000000000000000000000000000000
(16) State = 0xed876281e9817bf64bfe7e94b8bee491
(16) Finished request
(17) Received Access-Request Id 80 from w.x.y.z:54989 to a.b.c.e:1812 length 304
(17) User-Name = "myUsername"
(17) NAS-IP-Address = a.b.c.d
(17) NAS-Port = 0
(17) NAS-Identifier = "w.x.y.z"
(17) NAS-Port-Type = Wireless-802.11
(17) Calling-Station-Id = "Calling-MAC"
(17) Called-Station-Id = "Called-MAC"
(17) Service-Type = Framed-User
(17) Framed-MTU = 1100
(17) EAP-Message = 0x02060062190017030300570000000000000003b9e70fd69206a3d7a95ab9ac375fe2dc092d419ab0150d028624f3aef3776408b084186a1725af7691dfa0111e22d0016deef88177d33c53ade442ae16ea9b365f036d82f0a5b06eae811cc7eee242
(17) State = 0xed876281e9817bf64bfe7e94b8bee491
(17) Aruba-Essid-Name = "FSUCoreX"
(17) Aruba-Location-Id = "303H-mark"
(17) Aruba-AP-Group = "RAP-VoIP"
(17) Aruba-Device-Type = "Win 10"
(17) Message-Authenticator = 0xd65c14c6e79e81442cb62c7af5845f07
(17) Restoring &session-state
(17) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(17) &session-state:TLS-Session-Version = "TLS 1.2"
(17) &session-state:My-Local-VLAN = "vlan1"
(17) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(17) authorize {
(17) fsu-bad-passwords: EXPAND %{User-Name}
(17) fsu-bad-passwords: --> myUsername
(17) [fsu-bad-passwords] = noop
(17) if (ok) {
(17) if (ok) -> FALSE
(17) policy rewrite_calling_station_id {
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(17) update request {
(17) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(17) --> Calling-MAC
(17) } # update request = noop
(17) [updated] = updated
(17) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(17) ... skipping else: Preceding "if" was taken
(17) } # policy rewrite_calling_station_id = updated
(17) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(17) fsu-bad-macs: --> Calling-MAC
(17) [fsu-bad-macs] = noop
(17) if (ok) {
(17) if (ok) -> FALSE
(17) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(17) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(17) if (&User-Name =~ /^host\//) {
(17) if (&User-Name =~ /^host\//) -> FALSE
(17) if ( &User-Name =~ /\s/ ) {
(17) if ( &User-Name =~ /\s/ ) -> FALSE
(17) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(17) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(17) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(17) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(17) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(17) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(17) ntdomain: Checking for prefix before "\"
(17) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(17) [ntdomain] = noop
(17) suffix: Checking for suffix after "@"
(17) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(17) suffix: Found realm "NULL"
(17) suffix: Adding Stripped-User-Name = "myUsername"
(17) suffix: Adding Realm = "NULL"
(17) suffix: Authentication realm is LOCAL
(17) [suffix] = ok
(17) update request {
(17) } # update request = noop
(17) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(17) fsu-rsa-macs: --> Calling-MAC
(17) [fsu-rsa-macs] = noop
(17) if (ok) {
(17) if (ok) -> FALSE
(17) else {
(17) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(17) fsu-rsa-atwpa-aruba: --> FSUCoreX
(17) [fsu-rsa-atwpa-aruba] = noop
(17) if (ok) {
(17) if (ok) -> FALSE
(17) else {
(17) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(17) fsu-rsa-atwpa-cisco: -->
(17) [fsu-rsa-atwpa-cisco] = noop
(17) if (ok) {
(17) if (ok) -> FALSE
(17) } # else = noop
(17) } # else = noop
(17) if (&request:Hint == "RSA") {
(17) if (&request:Hint == "RSA") -> FALSE
(17) else {
(17) fsu-eap: Peer sent EAP Response (code 2) ID 6 length 98
(17) fsu-eap: Continuing tunnel setup
(17) [fsu-eap] = ok
(17) } # else = ok
(17) } # authorize = ok
(17) Found Auth-Type = fsu-eap
(17) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(17) Auth-Type fsu-eap {
(17) fsu-eap: Expiring EAP session with state 0x6295751762936f56
(17) fsu-eap: Finished EAP session with state 0xed876281e9817bf6
(17) fsu-eap: Previous EAP request found for state 0xed876281e9817bf6, released from the list
(17) fsu-eap: Peer sent packet with method EAP PEAP (25)
(17) fsu-eap: Calling submodule eap_peap to process data
(17) eap_peap: Continuing EAP-TLS
(17) eap_peap: [eaptls verify] = ok
(17) eap_peap: Done initial handshake
(17) eap_peap: [eaptls process] = ok
(17) eap_peap: Session established. Decoding tunneled attributes
(17) eap_peap: PEAP state phase2
(17) eap_peap: EAP method MSCHAPv2 (26)
(17) eap_peap: Got tunneled request
(17) eap_peap: EAP-Message = 0x020600431a0206003e315f7e3ca3f8250759d5875f3b03820d250000000000000000bd11aaca3c823d8c2cd3779eb03a248abe0580965b154b9d006d616e74686f6e79
(17) eap_peap: Setting User-Name to myUsername
(17) eap_peap: Sending tunneled request to fsu-peap-inner-tunnel
(17) eap_peap: EAP-Message = 0x020600431a0206003e315f7e3ca3f8250759d5875f3b03820d250000000000000000bd11aaca3c823d8c2cd3779eb03a248abe0580965b154b9d006d616e74686f6e79
(17) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(17) eap_peap: User-Name = "myUsername"
(17) eap_peap: State = 0x6295751762936f5699fbad14c2f8e6da
(17) Virtual server fsu-peap-inner-tunnel received request
(17) EAP-Message = 0x020600431a0206003e315f7e3ca3f8250759d5875f3b03820d250000000000000000bd11aaca3c823d8c2cd3779eb03a248abe0580965b154b9d006d616e74686f6e79
(17) FreeRADIUS-Proxied-To = 127.0.0.1
(17) User-Name = "myUsername"
(17) State = 0x6295751762936f5699fbad14c2f8e6da
(17)G: Outer and inner identities are the same. User privacy is compromised.
(17) server fsu-peap-inner-tunnel {
(17) session-state: No cached attributes
(17) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(17) authorize {
(17) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(17) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(17) if ( &User-Name =~ /\s/ ) {
(17) if ( &User-Name =~ /\s/ ) -> FALSE
(17) suffix: Checking for suffix after "@"
(17) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(17) suffix: Found realm "NULL"
(17) suffix: Adding Stripped-User-Name = "myUsername"
(17) suffix: Adding Realm = "NULL"
(17) suffix: Authentication realm is LOCAL
(17) [suffix] = ok
(17) update {
(17) EXPAND %{Client-Shortname}
(17) --> Cam2
(17) } # update = noop
(17) fsu-eap: Peer sent EAP Response (code 2) ID 6 length 67
(17) fsu-eap: No EAP Start, assuming it's an on-going EAP conversation
(17) [fsu-eap] = updated
(17) if ( &EAP-Message =~ /^0x02..00061a..$/ ) {
(17) if ( &EAP-Message =~ /^0x02..00061a..$/ ) -> FALSE
(17) if ( &User-Name =~ /^host\/(COB-RBA[A-Za-z0-9-]+)(\.fsu\.edu)*$/i) {
(17) if ( &User-Name =~ /^host\/(COB-RBA[A-Za-z0-9-]+)(\.fsu\.edu)*$/i) -> FALSE
(17) elsif (&User-Name =~ /^host\/([A-Z]{2,5}-A-[0-9A-Z]{6,7})(\.fsu\.edu)*$/) {
(17) elsif (&User-Name =~ /^host\/([A-Z]{2,5}-A-[0-9A-Z]{6,7})(\.fsu\.edu)*$/) -> FALSE
(17) elsif ( (&request:Realm) && (&request:Realm == "devices") ) {
(17) elsif ( (&request:Realm) && (&request:Realm == "devices") ) -> FALSE
(17) else {
(17) fsu-ldap-people: EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(!(uid=lib-guest*)))
(17) fsu-ldap-people: --> (&(uid=myUsername)(!(uid=lib-guest*)))
(17) fsu-ldap-people: Performing search in "ou=people,dc=fsu,dc=edu" with filter "(&(uid=myUsername)(!(uid=lib-guest*)))", scope "sub"
(17) fsu-ldap-people: Waiting for search result...
(17) fsu-ldap-people: User object found at DN "uid=myUsername,ou=People,dc=fsu,dc=edu"
(17) fsu-ldap-people: Processing user attributes
(17) [fsu-ldap-people] = updated
(17) if (notfound) {
(17) if (notfound) -> FALSE
(17) if ( &reply:My-Local-fsuEduWINStatus ) {
(17) if ( &reply:My-Local-fsuEduWINStatus ) -> FALSE
(17) fsu-pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(17)G: fsu-pap: Auth-Type already set. Not setting to PAP
(17) [fsu-pap] = noop
(17) update control {
(17) } # update control = noop
(17) if ( (&reply:My-Local-VLAN) && (!&reply:My-Local-employeeStatus) ) {
(17) if ( (&reply:My-Local-VLAN) && (!&reply:My-Local-employeeStatus) ) -> FALSE
(17) if (&reply:My-Local-fsuEduAppRoles) {
(17) if (&reply:My-Local-fsuEduAppRoles) -> TRUE
(17) if (&reply:My-Local-fsuEduAppRoles) {
(17) if ((!&reply:My-Local-VLAN) && (&Client-Shortname !~ /^P/)) {
(17) if ((!&reply:My-Local-VLAN) && (&Client-Shortname !~ /^P/)) -> FALSE
(17) update {
(17) } # update = noop
(17) } # if (&reply:My-Local-fsuEduAppRoles) = noop
(17) if ((!&reply:My-Local-employeeStatus) && (!&reply:My-Local-VLAN)) {
(17) if ((!&reply:My-Local-employeeStatus) && (!&reply:My-Local-VLAN)) -> FALSE
(17) elsif (!&reply:My-Local-VLAN) {
(17) elsif (!&reply:My-Local-VLAN) -> FALSE
(17) fsu-cache-ldap-people-inner-tunnel-attributes: EXPAND %{User-Name}
(17) fsu-cache-ldap-people-inner-tunnel-attributes: --> myUsername
(17) fsu-cache-ldap-people-inner-tunnel-attributes: No cache entry found for "myUsername"
(17) fsu-cache-ldap-people-inner-tunnel-attributes: Creating new cache entry
(17) fsu-cache-ldap-people-inner-tunnel-attributes: &reply:My-Local-VLAN := &reply:My-Local-VLAN -> 'vlan2'
(17) fsu-cache-ldap-people-inner-tunnel-attributes: Merging cache entry into request
(17) fsu-cache-ldap-people-inner-tunnel-attributes: &reply:My-Local-VLAN := "vlan2"
(17) fsu-cache-ldap-people-inner-tunnel-attributes: Committed entry, TTL 10 seconds
(17) [fsu-cache-ldap-people-inner-tunnel-attributes] = updated
(17) } # else = updated
(17) } # authorize = updated
(17) Found Auth-Type = fsu-eap
(17) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(17) Auth-Type fsu-eap {
(17) fsu-eap: Expiring EAP session with state 0x6295751762936f56
(17) fsu-eap: Finished EAP session with state 0x6295751762936f56
(17) fsu-eap: Previous EAP request found for state 0x6295751762936f56, released from the list
(17) fsu-eap: Peer sent packet with method EAP MSCHAPv2 (26)
(17) fsu-eap: Calling submodule eap_mschapv2 to process data
(17) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(17) eap_mschapv2: Auth-Type MS-CHAP {
(17) fsu-mschap-winbind: Found NT-Password
(17) fsu-mschap-winbind: Creating challenge hash with username: myUsername
(17) fsu-mschap-winbind: Client is using MS-CHAPv2
(17) fsu-mschap-winbind: Adding MS-CHAPv2 MPPE keys
(17) eap_mschapv2: [fsu-mschap-winbind] = ok
(17) eap_mschapv2: } # Auth-Type MS-CHAP = ok
(17) eap_mschapv2: MSCHAP Success
(17) fsu-eap: Sending EAP Request (code 1) ID 7 length 51
(17) fsu-eap: EAP session adding &reply:State = 0x6295751763926f56
(17) [fsu-eap] = handled
(17) } # Auth-Type fsu-eap = handled
(17) } # server fsu-peap-inner-tunnel
(17) Virtual server sending reply
(17) My-Local-employeeStatus = "Active"
(17) My-Local-VLAN = "vlan2"
(17) EAP-Message = 0x010700331a0306002e533d30453232363542464230323643314536413241423936443939354644443543343538423931444235
(17) Message-Authenticator = 0x00000000000000000000000000000000
(17) State = 0x6295751763926f5699fbad14c2f8e6da
(17) eap_peap: Got tunneled reply code 11
(17) eap_peap: My-Local-employeeStatus = "Active"
(17) eap_peap: My-Local-VLAN = "vlan2"
(17) eap_peap: EAP-Message = 0x010700331a0306002e533d30453232363542464230323643314536413241423936443939354644443543343538423931444235
(17) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(17) eap_peap: State = 0x6295751763926f5699fbad14c2f8e6da
(17) eap_peap: Got tunneled Access-Challenge
(17) fsu-eap: Sending EAP Request (code 1) ID 7 length 82
(17) fsu-eap: EAP session adding &reply:State = 0xed876281e8807bf6
(17) [fsu-eap] = handled
(17) } # Auth-Type fsu-eap = handled
(17) Using Post-Auth-Type Challenge
(17) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(17) Challenge { ... } # empty sub-section is ignored
(17) session-state: Saving cached attributes
(17) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(17) TLS-Session-Version = "TLS 1.2"
(17) My-Local-VLAN = "vlan1"
(17) Sent Access-Challenge Id 80 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(17) EAP-Message = 0x010700521900170303004789c27588c852f57045aba025448705421526a0428cd53ca921a53102d6ba99fb07e81bab3ab01057cf487def2a59e6022f25e43177c85bed11c9d233cd9d04307552cca530e3f2
(17) Message-Authenticator = 0x00000000000000000000000000000000
(17) State = 0xed876281e8807bf64bfe7e94b8bee491
(17) Finished request
(18) Received Access-Request Id 81 from w.x.y.z:54989 to a.b.c.e:1812 length 243
(18) User-Name = "myUsername"
(18) NAS-IP-Address = a.b.c.d
(18) NAS-Port = 0
(18) NAS-Identifier = "w.x.y.z"
(18) NAS-Port-Type = Wireless-802.11
(18) Calling-Station-Id = "Calling-MAC"
(18) Called-Station-Id = "Called-MAC"
(18) Service-Type = Framed-User
(18) Framed-MTU = 1100
(18) EAP-Message = 0x020700251900170303001a00000000000000048d403c8866333c3a2458917f40809eb5d560
(18) State = 0xed876281e8807bf64bfe7e94b8bee491
(18) Aruba-Essid-Name = "FSUCoreX"
(18) Aruba-Location-Id = "303H-mark"
(18) Aruba-AP-Group = "RAP-VoIP"
(18) Aruba-Device-Type = "Win 10"
(18) Message-Authenticator = 0x652291c2e70a5b6b3eaeccfb35ec9c3e
(18) Restoring &session-state
(18) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(18) &session-state:TLS-Session-Version = "TLS 1.2"
(18) &session-state:My-Local-VLAN = "vlan1"
(18) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(18) authorize {
(18) fsu-bad-passwords: EXPAND %{User-Name}
(18) fsu-bad-passwords: --> myUsername
(18) [fsu-bad-passwords] = noop
(18) if (ok) {
(18) if (ok) -> FALSE
(18) policy rewrite_calling_station_id {
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(18) update request {
(18) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(18) --> Calling-MAC
(18) } # update request = noop
(18) [updated] = updated
(18) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(18) ... skipping else: Preceding "if" was taken
(18) } # policy rewrite_calling_station_id = updated
(18) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(18) fsu-bad-macs: --> Calling-MAC
(18) [fsu-bad-macs] = noop
(18) if (ok) {
(18) if (ok) -> FALSE
(18) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(18) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(18) if (&User-Name =~ /^host\//) {
(18) if (&User-Name =~ /^host\//) -> FALSE
(18) if ( &User-Name =~ /\s/ ) {
(18) if ( &User-Name =~ /\s/ ) -> FALSE
(18) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(18) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(18) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(18) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(18) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(18) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(18) ntdomain: Checking for prefix before "\"
(18) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(18) [ntdomain] = noop
(18) suffix: Checking for suffix after "@"
(18) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(18) suffix: Found realm "NULL"
(18) suffix: Adding Stripped-User-Name = "myUsername"
(18) suffix: Adding Realm = "NULL"
(18) suffix: Authentication realm is LOCAL
(18) [suffix] = ok
(18) update request {
(18) } # update request = noop
(18) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(18) fsu-rsa-macs: --> Calling-MAC
(18) [fsu-rsa-macs] = noop
(18) if (ok) {
(18) if (ok) -> FALSE
(18) else {
(18) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(18) fsu-rsa-atwpa-aruba: --> FSUCoreX
(18) [fsu-rsa-atwpa-aruba] = noop
(18) if (ok) {
(18) if (ok) -> FALSE
(18) else {
(18) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(18) fsu-rsa-atwpa-cisco: -->
(18) [fsu-rsa-atwpa-cisco] = noop
(18) if (ok) {
(18) if (ok) -> FALSE
(18) } # else = noop
(18) } # else = noop
(18) if (&request:Hint == "RSA") {
(18) if (&request:Hint == "RSA") -> FALSE
(18) else {
(18) fsu-eap: Peer sent EAP Response (code 2) ID 7 length 37
(18) fsu-eap: Continuing tunnel setup
(18) [fsu-eap] = ok
(18) } # else = ok
(18) } # authorize = ok
(18) Found Auth-Type = fsu-eap
(18) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(18) Auth-Type fsu-eap {
(18) fsu-eap: Expiring EAP session with state 0x6295751763926f56
(18) fsu-eap: Finished EAP session with state 0xed876281e8807bf6
(18) fsu-eap: Previous EAP request found for state 0xed876281e8807bf6, released from the list
(18) fsu-eap: Peer sent packet with method EAP PEAP (25)
(18) fsu-eap: Calling submodule eap_peap to process data
(18) eap_peap: Continuing EAP-TLS
(18) eap_peap: [eaptls verify] = ok
(18) eap_peap: Done initial handshake
(18) eap_peap: [eaptls process] = ok
(18) eap_peap: Session established. Decoding tunneled attributes
(18) eap_peap: PEAP state phase2
(18) eap_peap: EAP method MSCHAPv2 (26)
(18) eap_peap: Got tunneled request
(18) eap_peap: EAP-Message = 0x020700061a03
(18) eap_peap: Setting User-Name to myUsername
(18) eap_peap: Sending tunneled request to fsu-peap-inner-tunnel
(18) eap_peap: EAP-Message = 0x020700061a03
(18) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(18) eap_peap: User-Name = "myUsername"
(18) eap_peap: State = 0x6295751763926f5699fbad14c2f8e6da
(18) Virtual server fsu-peap-inner-tunnel received request
(18) EAP-Message = 0x020700061a03
(18) FreeRADIUS-Proxied-To = 127.0.0.1
(18) User-Name = "myUsername"
(18) State = 0x6295751763926f5699fbad14c2f8e6da
(18)G: Outer and inner identities are the same. User privacy is compromised.
(18) server fsu-peap-inner-tunnel {
(18) session-state: No cached attributes
(18) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(18) authorize {
(18) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(18) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(18) if ( &User-Name =~ /\s/ ) {
(18) if ( &User-Name =~ /\s/ ) -> FALSE
(18) suffix: Checking for suffix after "@"
(18) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(18) suffix: Found realm "NULL"
(18) suffix: Adding Stripped-User-Name = "myUsername"
(18) suffix: Adding Realm = "NULL"
(18) suffix: Authentication realm is LOCAL
(18) [suffix] = ok
(18) update {
(18) EXPAND %{Client-Shortname}
(18) --> Cam2
(18) } # update = noop
(18) fsu-eap: Peer sent EAP Response (code 2) ID 7 length 6
(18) fsu-eap: No EAP Start, assuming it's an on-going EAP conversation
(18) [fsu-eap] = updated
(18) if ( &EAP-Message =~ /^0x02..00061a..$/ ) {
(18) if ( &EAP-Message =~ /^0x02..00061a..$/ ) -> TRUE
(18) if ( &EAP-Message =~ /^0x02..00061a..$/ ) {
(18) policy fsu-peap-cache-policy {
(18) if ( &User-Name =~ /@devices/ ){
(18) if ( &User-Name =~ /@devices/ ) -> FALSE
(18) else {
(18) fsu-cache-ldap-people-inner-tunnel-attributes: EXPAND %{User-Name}
(18) fsu-cache-ldap-people-inner-tunnel-attributes: --> myUsername
(18) fsu-cache-ldap-people-inner-tunnel-attributes: Found entry for "myUsername"
(18) fsu-cache-ldap-people-inner-tunnel-attributes: Merging cache entry into request
(18) fsu-cache-ldap-people-inner-tunnel-attributes: &reply:My-Local-VLAN := "vlan2"
(18) [fsu-cache-ldap-people-inner-tunnel-attributes] = ok
(18) if (updated) {
(18) if (updated) -> FALSE
(18) elsif (noop) {
(18) elsif (noop) -> FALSE
(18) elsif (ok) {
(18) elsif (ok) -> TRUE
(18) elsif (ok) {
(18) update control {
(18) } # update control = noop
(18) } # elsif (ok) = noop
(18) ... skipping else: Preceding "if" was taken
(18) } # else = ok
(18) } # policy fsu-peap-cache-policy = ok
(18) return
(18) } # if ( &EAP-Message =~ /^0x02..00061a..$/ ) = ok
(18) } # authorize = updated
(18) Found Auth-Type = fsu-eap
(18) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(18) Auth-Type fsu-eap {
(18) fsu-eap: Expiring EAP session with state 0x6295751763926f56
(18) fsu-eap: Finished EAP session with state 0x6295751763926f56
(18) fsu-eap: Previous EAP request found for state 0x6295751763926f56, released from the list
(18) fsu-eap: Peer sent packet with method EAP MSCHAPv2 (26)
(18) fsu-eap: Calling submodule eap_mschapv2 to process data
(18) fsu-eap: Sending EAP Success (code 3) ID 7 length 4
(18) fsu-eap: Freeing handler
(18) [fsu-eap] = ok
(18) } # Auth-Type fsu-eap = ok
(18) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(18) post-auth {
(18) update reply {
(18) } # update reply = noop
(18) update outer.session-state {
(18) } # update outer.session-state = noop
(18) } # post-auth = noop
(18) EXPAND %{My-Local-SSID} %{My-Local-AP} %{My-Local-Group} %{My-Local-Device} %{reply:My-Local-VLAN}
(18) --> vlan2
(18) } # server fsu-peap-inner-tunnel
(18) Virtual server sending reply
(18) My-Local-VLAN = "vlan2"
(18) eap_peap: Got tunneled reply code 2
(18) eap_peap: My-Local-VLAN = "vlan2"
(18) eap_peap: Tunneled authentication was successful
(18) eap_peap: SUCCESS
(18) eap_peap: Saving tunneled attributes for later
(18) fsu-eap: Sending EAP Request (code 1) ID 8 length 46
(18) fsu-eap: EAP session adding &reply:State = 0xed876281eb8f7bf6
(18) [fsu-eap] = handled
(18) } # Auth-Type fsu-eap = handled
(18) Using Post-Auth-Type Challenge
(18) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(18) Challenge { ... } # empty sub-section is ignored
(18) session-state: Saving cached attributes
(18) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(18) TLS-Session-Version = "TLS 1.2"
(18) My-Local-VLAN := "vlan2"
(18) Sent Access-Challenge Id 81 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(18) EAP-Message = 0x0108002e1900170303002389c27588c852f5715e6c41502105700e5214de10b96118258b9bc05e08f83024124f92
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0xed876281eb8f7bf64bfe7e94b8bee491
(18) Finished request
(19) Received Access-Request Id 82 from w.x.y.z:54989 to a.b.c.e:1812 length 252
(19) User-Name = "myUsername"
(19) NAS-IP-Address = a.b.c.d
(19) NAS-Port = 0
(19) NAS-Identifier = "w.x.y.z"
(19) NAS-Port-Type = Wireless-802.11
(19) Calling-Station-Id = "Calling-MAC"
(19) Called-Station-Id = "Called-MAC"
(19) Service-Type = Framed-User
(19) Framed-MTU = 1100
(19) EAP-Message = 0x0208002e190017030300230000000000000005b340395d206b4b01c23ec16546b856e439347ccfb389a5358bf72a
(19) State = 0xed876281eb8f7bf64bfe7e94b8bee491
(19) Aruba-Essid-Name = "FSUCoreX"
(19) Aruba-Location-Id = "303H-mark"
(19) Aruba-AP-Group = "RAP-VoIP"
(19) Aruba-Device-Type = "Win 10"
(19) Message-Authenticator = 0x627c9e1982dd68cca2ae68b38deb7992
(19) Restoring &session-state
(19) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(19) &session-state:TLS-Session-Version = "TLS 1.2"
(19) &session-state:My-Local-VLAN := "vlan2"
(19) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(19) authorize {
(19) fsu-bad-passwords: EXPAND %{User-Name}
(19) fsu-bad-passwords: --> myUsername
(19) [fsu-bad-passwords] = noop
(19) if (ok) {
(19) if (ok) -> FALSE
(19) policy rewrite_calling_station_id {
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(19) update request {
(19) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(19) --> Calling-MAC
(19) } # update request = noop
(19) [updated] = updated
(19) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(19) ... skipping else: Preceding "if" was taken
(19) } # policy rewrite_calling_station_id = updated
(19) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(19) fsu-bad-macs: --> Calling-MAC
(19) [fsu-bad-macs] = noop
(19) if (ok) {
(19) if (ok) -> FALSE
(19) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(19) if ( ( ! &User-Name ) || ( &User-Name == "" ) ) -> FALSE
(19) if (&User-Name =~ /^host\//) {
(19) if (&User-Name =~ /^host\//) -> FALSE
(19) if ( &User-Name =~ /\s/ ) {
(19) if ( &User-Name =~ /\s/ ) -> FALSE
(19) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(19) if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) -> FALSE
(19) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(19) if ((&User-Name =~ /(a)med.fsu.edu/i) || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) -> FALSE
(19) if ( &User-Name =~ /(a)my\.fsu$/i ) {
(19) if ( &User-Name =~ /(a)my\.fsu$/i ) -> FALSE
(19) ntdomain: Checking for prefix before "\"
(19) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(19) [ntdomain] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(19) suffix: Found realm "NULL"
(19) suffix: Adding Stripped-User-Name = "myUsername"
(19) suffix: Adding Realm = "NULL"
(19) suffix: Authentication realm is LOCAL
(19) [suffix] = ok
(19) update request {
(19) } # update request = noop
(19) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(19) fsu-rsa-macs: --> Calling-MAC
(19) [fsu-rsa-macs] = noop
(19) if (ok) {
(19) if (ok) -> FALSE
(19) else {
(19) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(19) fsu-rsa-atwpa-aruba: --> FSUCoreX
(19) [fsu-rsa-atwpa-aruba] = noop
(19) if (ok) {
(19) if (ok) -> FALSE
(19) else {
(19) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(19) fsu-rsa-atwpa-cisco: -->
(19) [fsu-rsa-atwpa-cisco] = noop
(19) if (ok) {
(19) if (ok) -> FALSE
(19) } # else = noop
(19) } # else = noop
(19) if (&request:Hint == "RSA") {
(19) if (&request:Hint == "RSA") -> FALSE
(19) else {
(19) fsu-eap: Peer sent EAP Response (code 2) ID 8 length 46
(19) fsu-eap: Continuing tunnel setup
(19) [fsu-eap] = ok
(19) } # else = ok
(19) } # authorize = ok
(19) Found Auth-Type = fsu-eap
(19) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(19) Auth-Type fsu-eap {
(19) fsu-eap: Expiring EAP session with state 0xed876281eb8f7bf6
(19) fsu-eap: Finished EAP session with state 0xed876281eb8f7bf6
(19) fsu-eap: Previous EAP request found for state 0xed876281eb8f7bf6, released from the list
(19) fsu-eap: Peer sent packet with method EAP PEAP (25)
(19) fsu-eap: Calling submodule eap_peap to process data
(19) eap_peap: Continuing EAP-TLS
(19) eap_peap: [eaptls verify] = ok
(19) eap_peap: Done initial handshake
(19) eap_peap: [eaptls process] = ok
(19) eap_peap: Session established. Decoding tunneled attributes
(19) eap_peap: PEAP state send tlv success
(19) eap_peap: Received EAP-TLV response
(19) eap_peap: Success
(19) eap_peap: Using saved attributes from the original Access-Accept
(19) eap_peap: My-Local-VLAN = "vlan2"
(19) eap_peap: &request:EAP-Session-Resumed := 1
(19) fsu-eap: Sending EAP Success (code 3) ID 8 length 4
(19) fsu-eap: Freeing handler
(19) [fsu-eap] = ok
(19) } # Auth-Type fsu-eap = ok
(19) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(19) post-auth {
(19) update reply {
(19) } # update reply = noop
(19) if ( &reply:My-Local-VLAN == "student" ) {
(19) if ( &reply:My-Local-VLAN == "student" ) -> FALSE
(19) policy fsu-SSID-and-VLAN-policy {
(19) update {
(19) } # update = noop
(19) if ( &Aruba-Essid-Name ) {
(19) if ( &Aruba-Essid-Name ) -> TRUE
(19) if ( &Aruba-Essid-Name ) {
(19) update {
(19) } # update = noop
(19) if ( &My-Local-AP =~ /^(.*?)(\.wireless)?(\.fsu\.edu)$/i ) {
(19) if ( &My-Local-AP =~ /^(.*?)(\.wireless)?(\.fsu\.edu)$/i ) -> FALSE
(19) if ( &My-Local-Group =~ /^(.+) (.+$)/ ) {
(19) if ( &My-Local-Group =~ /^(.+) (.+$)/ ) -> FALSE
(19) } # if ( &Aruba-Essid-Name ) = noop
(19) ... skipping elsif: Preceding "if" was taken
(19) ... skipping elsif: Preceding "if" was taken
(19) ... skipping else: Preceding "if" was taken
(19) if (( !&My-Local-Device ) || ( &My-Local-Device == '' )) {
(19) if (( !&My-Local-Device ) || ( &My-Local-Device == '' )) -> FALSE
(19) elsif ( &My-Local-Device =~ /^(.+) (.+$)/ ) {
(19) elsif ( &My-Local-Device =~ /^(.+) (.+$)/ ) -> TRUE
(19) elsif ( &My-Local-Device =~ /^(.+) (.+$)/ ) {
(19) update {
(19) EXPAND %{1}_%{2}
(19) --> Win_10
(19) } # update = noop
(19) } # elsif ( &My-Local-Device =~ /^(.+) (.+$)/ ) = noop
(19) } # policy fsu-SSID-and-VLAN-policy = noop
(19) } # post-auth = noop
(19) EXPAND %{My-Local-SSID} %{My-Local-AP} %{My-Local-Group} %{My-Local-Device} %{reply:My-Local-VLAN}
(19) --> FSUCoreX 303H-mark RAP-VoIP Win_10 vlan2
(19) Sent Access-Accept Id 82 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(19) MS-MPPE-Recv-Key = 0xfc57aa43d0064c088b6c4375f15801b657c140dce3bbf3f12d588b495c095e46
(19) MS-MPPE-Send-Key = 0x27eb19dc16c19e8d22e9feb7c2b80cc7bc2840f2569955a368777696ef4d8bb6
(19) EAP-Message = 0x03080004
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) User-Name = "myUsername"
(19) Aruba-User-Vlan := vlan2
(19) Finished request
(12) Cleaning up request packet ID 75 with timestamp +136
(13) Cleaning up request packet ID 76 with timestamp +136
(14) Cleaning up request packet ID 77 with timestamp +137
(15) Cleaning up request packet ID 78 with timestamp +137
(16) Cleaning up request packet ID 79 with timestamp +137
(17) Cleaning up request packet ID 80 with timestamp +137
(18) Cleaning up request packet ID 81 with timestamp +137
(19) Cleaning up request packet ID 82 with timestamp +137
2
1
I should have specified that we are using FreeRADIUS Version 3.0.20
Doug
2
1
Dear admin,
because of identity fraud, please remove my whole post here:
http://lists.freeradius.org/pipermail/freeradius-users/2016-October/085222.…
Thanks a lot, please leave me a short reply.
All the best and stay save during covid19.
1
0
Re: v4: Can't see TLS certificate fields from `send Access-Accept` section anymore
by Nick Bogdanov 18 Feb '21
by Nick Bogdanov 18 Feb '21
18 Feb '21
>> In v4 I can see the cert fields in the `recv Access-Request` section
>> (after setting `virtual_server = default` in mods-available/eap) but
>> they are all empty when I try to read them from the `send
>> Access-Accept` section. In fact, if I uncomment these sections from
>> the default config, the fields are all empty too:
> Look at the debug output. You should be able to see when these attributes are added (or not).
Hi Alan,
They are getting set under "authenticate eap" and they are being
correctly parsed under "recv Access-Request". But then when I hit the
"send Access-Accept" step, they all vanish:
(14) Received Access-Request ID 237 from [redacted] to [redacted]
length 397 via socket radius_udp server * port 1812
(14) User-Name = "a"
(14) NAS-IP-Address = [redacted]
(14) NAS-Identifier = [redacted]
(14) Called-Station-Id = [redacted]
(14) NAS-Port-Type = Wireless-802.11
(14) Service-Type = Framed-User
(14) Calling-Station-Id = [redacted]
(14) Connect-Info = "CONNECT 0Mbps 802.11b"
(14) Acct-Session-Id = [redacted]
(14) Acct-Multi-Session-Id = [redacted]
(14) Mobility-Domain-Id = 21689
(14) WLAN-Pairwise-Cipher.OUI = [redacted]
(14) WLAN-Pairwise-Cipher.Suite-Type = 4
(14) WLAN-Group-Cipher.OUI = [redacted]
(14) WLAN-Group-Cipher.Type = 4
(14) WLAN-AKM-Suite.OUI = [redacted]
(14) WLAN-AKM-Suite.Suite-Type = 3
(14) Framed-MTU = 1400
(14) EAP-Message = [redacted]
(14) State = [redacted]
(14) Message-Authenticator = [redacted]
(14) Running request
(14,8) Restored &session-state
(14,8) &session-state.Session-State-User-Name = "a"
(14,8) Running 'recv Access-Request' from file
/root/freeradius-server/pfx/etc/raddb/sites-enabled/default
(14,8) recv Access-Request {
(14,8) policy filter_username {
(14,8) if (&State) {
(14,8) if (&User-Name) {
(14,8) if (!&session-state.Session-State-User-Name) {
(14,8) ...
(14,8) }
(14,8) if (&User-Name != &session-state.Session-State-User-Name) {
(14,8) ...
(14,8) }
(14,8) } # if (&User-Name) (...)
(14,8) } # if (&State) (...)
(14,8) } # policy filter_username (...)
(14,8) eap - Peer sent EAP Response (code 2) ID 19 length 153
(14,8) eap - Continuing on-going EAP conversation
(14,8) eap - Setting &control.Auth-Type = eap
(14,8) eap (updated)
(14,8) if ("%{session-state.TLS-Client-Cert-Common-Name}" != '') {
(14,8) EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(14,8) -->
(14,8) ...
(14,8) }
(14,8) files - EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(14,8) files - -->
(14,8) files (noop)
(14,8) expiration (noop)
(14,8) logintime (noop)
(14,8) pap (noop)
(14,8) } # recv Access-Request (updated)
(14,8) Running 'authenticate eap' from file
/root/freeradius-server/pfx/etc/raddb/sites-enabled/default
(14,8) authenticate eap {
(14,8) eap - Continuing EAP session
(14,8) eap - Peer sent packet with EAP method TLS (13)
(14,8) eap - Calling submodule eap_tls
(14,8) eap (noop)
(14,8) subrequest {
(14,8) Creating subrequest (14.0)
(14,8) EAP-Type = TLS
(14,8) EAP-Identity = "a"
(14.0) eap.tls - Continuing EAP-TLS
(14.0) eap.tls - Got final TLS record fragment (147 bytes)
(14.0) eap.tls - [eap-tls verify] = complete
(14.0) eap.tls - Handshake state - Server SSLv3/TLS write server done (26)
(14.0) eap.tls - <<< recv TLS 1.2, handshake[length 2543],
unknown_handshake_type_0x000b
(14.0) eap.tls - [verify chain] = ok
(14.0) eap.tls - Adding certificate attributes to session-state
(14.0) eap.tls - &session-state.TLS-Cert-Serial = [redacted]
(14.0) eap.tls - &session-state.TLS-Cert-Expiration = "Jun 11
1979 21:19:41 UTC"
(14.0) eap.tls - &session-state.TLS-Cert-Subject = [redacted]
(14.0) eap.tls - &session-state.TLS-Cert-Common-Name = [redacted]
(14.0) eap.tls - &session-state.TLS-Cert-Issuer = [redacted]
(14.0) eap.tls - [verify chain] = ok
(14.0) eap.tls - Adding certificate attributes to session-state
(14.0) eap.tls - &session-state.TLS-Client-Cert-Serial = [redacted]
(14.0) eap.tls - &session-state.TLS-Client-Cert-Expiration = [redacted]
(14.0) eap.tls - &session-state.TLS-Client-Cert-Subject = [redacted]
(14.0) eap.tls - &session-state.TLS-Client-Cert-Common-Name = [redacted]
(14.0) eap.tls - &session-state.TLS-Client-Cert-Issuer = [redacted]
(14.0) eap.tls -
&session-state.TLS-Client-Cert-X509v3-Basic-Constraints = "CA:FALSE"
(14.0) eap.tls -
&session-state.TLS-Client-Cert-X509v3-Subject-Key-Identifier =
[redacted]
(14.0) eap.tls -
&session-state.TLS-Client-Cert-X509v3-Authority-Key-Identifier =
[redacted]
(14.0) eap.tls - [verify client] = ok
(14.0) eap.tls - Handshake state - Server SSLv3/TLS read client
certificate (27)
(14.0) eap.tls - <<< recv TLS 1.2, handshake[length 70],
unknown_handshake_type_0x0010
(14.0) eap.tls - Handshake state - Server SSLv3/TLS read client key
exchange (28)
(14.0) eap.tls - <<< recv TLS 1.2, handshake[length 264],
unknown_handshake_type_0x000f
(14.0) eap.tls - Handshake state - Server SSLv3/TLS read
certificate verify (29)
(14.0) eap.tls - Handshake state - Server SSLv3/TLS read change
cipher spec (31)
(14.0) eap.tls - <<< recv TLS 1.2, handshake[length 16],
unknown_handshake_type_0x0014
(14.0) eap.tls - Handshake state - Server SSLv3/TLS read finished (32)
(14.0) eap.tls - >>> send TLS 1.2, change_cipher_spec[length 1]
(14.0) eap.tls - Handshake state - Server SSLv3/TLS write change
cipher spec (35)
(14.0) eap.tls - >>> send TLS 1.2, handshake[length 16],
unknown_handshake_type_0x0014
(14.0) eap.tls - Handshake state - Server SSLv3/TLS write finished (36)
(14.0) eap.tls - Handshake state - SSL negotiation finished successfully (1)
(14.0) eap.tls - Cipher suite: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2
Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
(14.0) eap.tls - Adding TLS session information to request
(14.0) eap.tls - &session-state.TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(14.0) eap.tls - &session-state.TLS-Session-Version := "TLS 1.2"
(14.0) eap.tls - Sending complete TLS record (51 bytes)
(14.0) eap.tls - [eap-tls process] = handled
(14.0) eap.tls (handled)
(14,8) } # subrequest (handled)
(14,8) eap - Sending EAP Request (code 1) ID 20 length 61
(14,8) eap (handled)
(14,8) } # authenticate eap (handled)
(14,8) Running 'send Access-Challenge' from file
/root/freeradius-server/pfx/etc/raddb/sites-enabled/default
(14,8) send Access-Challenge {
(14,8) attr_filter.access_challenge - EXPAND %{User-Name}
(14,8) attr_filter.access_challenge - --> a
(14,8) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(14,8) attr_filter.access_challenge.post-auth (updated)
(14,8) handled (handled)
(14,8) } # send Access-Challenge (handled)
(14,8) Saving &session-state
(14,8) &session-state.Session-State-User-Name = "a"
(14,8) Done request
(14,8) Sending Access-Challenge ID 237 from [redacted] to [redacted]
length 119 via socket radius_udp server * port 1812
(14,8) State = [redacted]
(14,8) Message-Authenticator = [redacted]
(14,8) EAP-Message = [redacted]
(14,8) Finished request
proto_radius_udp - cleaning up request in 5.000000s
proto_radius_udp - Received Access-Request ID 238 length 250
radius_udp server * port 1812
(15) Received Access-Request ID 238 from [redacted] to [redacted]
length 250 via socket radius_udp server * port 1812
(15) User-Name = "a"
(15) NAS-IP-Address = [redacted]
(15) NAS-Identifier = [redacted]
(15) Called-Station-Id = [redacted]
(15) NAS-Port-Type = Wireless-802.11
(15) Service-Type = Framed-User
(15) Calling-Station-Id = [redacted]
(15) Connect-Info = "CONNECT 0Mbps 802.11b"
(15) Acct-Session-Id = [redacted]
(15) Acct-Multi-Session-Id = [redacted]
(15) Mobility-Domain-Id = 21689
(15) WLAN-Pairwise-Cipher.OUI = [redacted]
(15) WLAN-Pairwise-Cipher.Suite-Type = 4
(15) WLAN-Group-Cipher.OUI = [redacted]
(15) WLAN-Group-Cipher.Type = 4
(15) WLAN-AKM-Suite.OUI = [redacted]
(15) WLAN-AKM-Suite.Suite-Type = 3
(15) Framed-MTU = 1400
(15) EAP-Message = [redacted]
(15) State = [redacted]
(15) Message-Authenticator = [redacted]
(15) Running request
(15,8) Restored &session-state
(15,8) &session-state.Session-State-User-Name = "a"
(15,8) Running 'recv Access-Request' from file
/root/freeradius-server/pfx/etc/raddb/sites-enabled/default
(15,8) recv Access-Request {
(15,8) policy filter_username {
(15,8) if (&State) {
(15,8) if (&User-Name) {
(15,8) if (!&session-state.Session-State-User-Name) {
(15,8) ...
(15,8) }
(15,8) if (&User-Name != &session-state.Session-State-User-Name) {
(15,8) ...
(15,8) }
(15,8) } # if (&User-Name) (...)
(15,8) } # if (&State) (...)
(15,8) } # policy filter_username (...)
(15,8) eap - Peer sent EAP Response (code 2) ID 20 length 6
(15,8) eap - Continuing on-going EAP conversation
(15,8) eap - Setting &control.Auth-Type = eap
(15,8) eap (updated)
(15,8) if ("%{session-state.TLS-Client-Cert-Common-Name}" != '') {
(15,8) EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(15,8) -->
(15,8) ...
(15,8) }
(15,8) files - EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(15,8) files - -->
(15,8) files (noop)
(15,8) expiration (noop)
(15,8) logintime (noop)
(15,8) pap (noop)
(15,8) } # recv Access-Request (updated)
(15,8) Running 'authenticate eap' from file
/root/freeradius-server/pfx/etc/raddb/sites-enabled/default
(15,8) authenticate eap {
(15,8) eap - Continuing EAP session
(15,8) eap - Peer sent packet with EAP method TLS (13)
(15,8) eap - Calling submodule eap_tls
(15,8) eap (noop)
(15,8) subrequest {
(15,8) Creating subrequest (15.0)
(15,8) EAP-Type = TLS
(15,8) EAP-Identity = "a"
(15.0) eap.tls - Continuing EAP-TLS
(15.0) eap.tls - Peer ACKed our handshake fragment. handshake is finished
(15.0) eap.tls - [eap-tls verify] = established
(15.0) eap.tls - [eap-tls process] = established
(15.0) eap.tls - Validating certificate
(15.0) eap.tls (yield)
(15.0) recv Access-Request {
(15.0) policy filter_username {
(15.0) if (&State) {
(15.0) ...
(15.0) }
(15.0) elsif (&User-Name) {
(15.0) ...
(15.0) }
(15.0) } # policy filter_username (...)
(15.0) eap - No EAP-Message, not doing EAP
(15.0) eap (noop)
(15.0) if ("%{session-state.TLS-Client-Cert-Common-Name}" != '') {
(15.0) EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(15.0) --> [redacted]
(15.0) files - EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(15.0) files - --> [redacted]
(15.0) files - Found match "[redacted]" on line 3 of
/root/freeradius-server/pfx/etc/raddb/mods-config/files/authorize
(15.0) files (ok)
(15.0) if (!ok) {
(15.0) ...
(15.0) }
(15.0) update reply {
(15.0) &Tunnel-Type = VLAN
(15.0) &Tunnel-Medium-Type = IEEE-802
(15.0) } # update reply (noop)
(15.0) if ("%{session-state.TLS-Client-Cert-Subject}" =~ /[redacted]/) {
(15.0) EXPAND %{session-state.TLS-Client-Cert-Subject}
(15.0) --> /CN=[redacted]
(15.0) ...
(15.0) }
(15.0) elsif ("%{session-state.TLS-Client-Cert-Subject}" =~
/[redacted]/) {
(15.0) EXPAND %{session-state.TLS-Client-Cert-Subject}
(15.0) --> /CN=[redacted]
(15.0) update reply {
(15.0) &Tunnel-Private-Group-Id = "7"
(15.0) } # update reply (noop)
(15.0) update session-state {
(15.0) &Tmp-String-9 = "7"
(15.0) } # update session-state (noop)
(15.0) } # elsif ("%{session-state.TLS-Client-Cert-Subject}" =~
/[redacted]/) (noop)
(15.0) } # if ("%{session-state.TLS-Client-Cert-Common-Name}" != '') (ok)
(15.0) files - EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(15.0) files - --> [redacted]
(15.0) files - Found match "[redacted]" on line 3 of
/root/freeradius-server/pfx/etc/raddb/mods-config/files/authorize
(15.0) files (ok)
(15.0) expiration (noop)
(15.0) logintime (noop)
(15.0) pap - No User-Password attribute in the request. Cannot do PAP
(15.0) pap (noop)
(15.0) } # recv Access-Request (ok)
(15.0) No session data available to cache
(15,8) Adding session keys
(15,8) &reply.Vendor-Specific.Microsoft.MPPE-Recv-Key = [redacted]
(15,8) &reply.Vendor-Specific.Microsoft.MPPE-Send-Key = [redacted]
(15,8) &reply.EAP-MSK = [redacted]
(15,8) &reply.EAP-EMSK = [redacted]
(15.0) &reply.EAP-Session-Id = [redacted]
(15,8) } # subrequest (ok)
(15,8) eap - Sending EAP Success (code 3) ID 20 length 4
(15,8) eap - Cleaning up EAP session
(15,8) eap (ok)
(15,8) } # authenticate eap (ok)
(15,8) Running 'send Access-Accept' from file
/root/freeradius-server/pfx/etc/raddb/sites-enabled/default
(15,8) send Access-Accept {
(15,8) update {
(15,8) &reply += &session-state -> "a"
(15,8) } # update (noop)
(15,8) eap (noop)
(15,8) update reply {
(15,8) EXPAND %{session-state.TLS-Cert-Serial}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Expiration}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Subject}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Issuer}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Common-Name}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Subject-Alt-Name-Email}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Serial}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Expiration}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Subject}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Issuer}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Subject-Alt-Name-Email}
(15,8) --> (null)
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) } # update reply (noop)
(15,8) update reply {
(15,8) EXPAND %{session-state.Tmp-String-9}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Subject}
(15,8) --> (null)
(15,8) &Tunnel-Type = VLAN
(15,8) &Tunnel-Medium-Type = IEEE-802
(15,8) &Tunnel-Private-Group-Id = ""
(15,8) &Tmp-String-9 := ""
(15,8) } # update reply (noop)
(15,8) if ("%{reply.Tunnel-Private-Group-Id}" == "") {
(15,8) EXPAND %{reply.Tunnel-Private-Group-Id}
(15,8) -->
(15,8) reject (reject)
(15,8) } # if ("%{reply.Tunnel-Private-Group-Id}" == "") (reject)
(15,8) } # send Access-Accept (reject)
(15,8) WARNING: Failed running 'send Access-Accept', trying 'send
Access-Reject'
Notes:
1) The above log also reflects some unsuccessful experiments I was
doing to try to get the Tunnel-Private-Group-Id to propagate to the
Access-Accept stage, so some of the variable assignments might not
make sense.
2) I don't think session-state.TLS-Cert-Expiration is being parsed correctly.
3) I didn't enable delivery of every freeradius-users message, so if
you could cc: me on replies that would be much appreciated.
2
4
v4: Can't see TLS certificate fields from `send Access-Accept` section anymore
by Nick Bogdanov 17 Feb '21
by Nick Bogdanov 17 Feb '21
17 Feb '21
I am using EAP-TLS authentication and trying to read the
%{session-state.TLS-Client-Cert-Subject} attribute in order to set the
reply.Tunnel-Private-Group-Id field. In v3 I could just add this to
my post-auth section:
if (TLS-Client-Cert-Subject =~ /\/OU=VLAN 1\//) {
update reply {
&Tunnel-Private-Group-Id = "1"
}
}
In v4 I can see the cert fields in the `recv Access-Request` section
(after setting `virtual_server = default` in mods-available/eap) but
they are all empty when I try to read them from the `send
Access-Accept` section. In fact, if I uncomment these sections from
the default config, the fields are all empty too:
# update reply {
# &Reply-Message += "%{session-state.TLS-Cert-Serial}"
# &Reply-Message += "%{session-state.TLS-Cert-Expiration}"
# &Reply-Message += "%{session-state.TLS-Cert-Subject}"
# &Reply-Message += "%{session-state.TLS-Cert-Issuer}"
# &Reply-Message += "%{session-state.TLS-Cert-Common-Name}"
# &Reply-Message += "%{session-state.TLS-Cert-Subject-Alt-Name-Email}"
#
# &Reply-Message += "%{session-state.TLS-Client-Cert-Serial}"
# &Reply-Message += "%{session-state.TLS-Client-Cert-Expiration}"
# &Reply-Message += "%{session-state.TLS-Client-Cert-Subject}"
# &Reply-Message += "%{session-state.TLS-Client-Cert-Issuer}"
# &Reply-Message += "%{session-state.TLS-Client-Cert-Common-Name}"
# &Reply-Message += "%{session-state.TLS-Client-Cert-Subject-Alt-Name-Email}"
# }
The log says:
(15,8) update reply {
(15,8) EXPAND %{session-state.TLS-Cert-Serial}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Expiration}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Subject}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Issuer}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Common-Name}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Subject-Alt-Name-Email}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Serial}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Expiration}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Subject}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Issuer}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Subject-Alt-Name-Email}
(15,8) --> (null)
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) } # update reply (noop)
I am running git rev 89b77dc09571cb4ac3cd4d639aee6c17bea23182, built
from source. I saw something in upgrade.adoc about using the `filter`
directive but it wasn't clear to me what that meant. Am I missing
something simple or is this a bug?
2
1
advice for breaking an array of vendor attributes into local attributes and updating a database
by Matt Zagrabelny 16 Feb '21
by Matt Zagrabelny 16 Feb '21
16 Feb '21
Greetings FR-users,
Scenario:
I receive an accounting packet from a Cisco NAS. It has an array of
Cisco-AVPair tuples that FR processes. I am hoping to break out the various
Cisco-AVPair tuples into key-value pairs to insert into a database. I am
starting with a single (and specific) Cisco-AVPair.
Snippets of freeradius -X follows...
Here is the AVP in the accounting packet...
(23) Cisco-AVPair = "mdm-tlv=device-platform-version=10.0.18363 "
Here is my unlang...
(23) elsif ("%{Foreach-Variable-0}" =~
/^mdm-tlv=device-platform-version=(.*?) *$/) {
(23) update reply {
(23) EXPAND %{1}
(23) --> 10.0.18363
(23) &Local-MDM-TLV-Device-Platform-Version := 10.0.18363
(23) } # update reply = noop
Here is the SQL...
(23) sql_netdb: EXPAND UPDATE radius_accounting SET [...]
cisco_device_platform_version =
NULLIF('%{Local-MDM-TLV-Device-Platform-Version}', '') [...] WHERE
AcctUniqueId = '%{Acct-Unique-Session-Id}' AND AcctStopTime IS NULL
(23) sql_netdb: --> UPDATE radius_accounting SET [...]
cisco_device_platform_version = NULLIF('', '') [...] WHERE AcctUniqueId =
'FOOBAR' AND AcctStopTime IS NULL
You can see the attribute Local-MDM-TLV-Device-Platform-Version is the
empty string in the SQL.
I am having success with the foreach statement and a regex. In my default
site:
accounting {
[...]
foreach Cisco-AVPair {
if ("%{Foreach-Variable-0}" =~
/^mdm-tlv=device-platform-version=(.*?) *$/) {
update reply {
&Local-MDM-TLV-Device-Platform-Version := "%{1}"
}
}
}
[...]
}
My dictionary looks like:
ATTRIBUTE Local-MDM-TLV-Device-Platform-Version 7772 string
Am I using the wrong section in my default site for attempting to set a
local (internal) attribute?
I know that I am using "update reply" in my unlang. That doesn't feel
correct for accounting unlang, but I'll need correction or confirmation in
that area.
Any advice for breaking an array of vendor attributes into local attributes
and then updating a database with those local attributes?
Thank you for any help or hints!
-m
2
1
Hello,
first post here.
I'm trying to implement dynamic access lists for 802.1X authenticated
users. To do so, I'm using attribute NAS-Filter-Rule, as defined in
RFC 4849 and FreeRADIUS Version 3.0.21 as the RADIUS server.
To do so, I've modified users file with the following entry
user1 Cleartext-Password := "pass1"
Service-Type = Framed-User,
Nas-filter-Rule = "permit in tcp from any to 10.2.3.4/24",
Nas-filter-Rule += 0x00,
Nas-filter-Rule += "permit in ip from 192.168.101.5/32
to 192.168.101.1",
Nas-filter-Rule += 0x00,
Nas-filter-Rule += "deny in ip from any to any",
Nas-filter-Rule += 0x00
According to RFC 4849
"The String field is one or more octets. It contains filter rules
in the IPFilterRule syntax defined in [RFC3588], Section 4.3, with
individual filter rules separated by a NUL (0x00). A NAS-Filter-
Rule attribute may contain a partial rule, one rule, or more than
one rule. Filter rules may be continued across attribute
boundaries, so implementations cannot assume that individual
filter rules begin or end on attribute boundaries.
The set of NAS-Filter-Rule attributes SHOULD be created by
concatenating the individual filter rules, separated by a NUL
(0x00) octet. The resulting data should be split on 253-octet
boundaries to obtain a set of NAS-Filter-Rule attributes. On
reception, the individual filter rules are determined by
concatenating the contents of all NAS-Filter-Rule attributes, and
then splitting individual filter rules with the NUL octet (0x00)
as a delimiter.
"
In my example above, RADIUS server is sending NAS-Filter-Rule as a
string, thus converting 0x00 into strings "0x00".
If I remove the 0x00, then rules are not NUL separated which goes
against the RFC,
share/dictionary/radius/dictionary.rfc4849 defines NAS-Filter-Rule as
ATTRIBUTE NAS-Filter-Rule 92 string
I've been able to make it work as I think it should adding the
following line to my dictionary
# override NAS-Filter-Rule to convey NUL character between rules
ATTRIBUTE NAS-Filter-Rule 92 octets
My question is, is there any other way to force freeradius to send the
entry rules as strings with NUL terminated character? Should I report
this as an issue (bug) to freeradius developers so that they change
the dictionary.rfc4849 entry?
I hope my question is clear. Best regards
Pablo
2
3
Hi!
My goal is to authenticate WiFi-Users via FreeRadius with an eDirectory
backend. FreeRadius should then send an accounting packet to a
FortiGate firewall where a SSO agent is running.
The authentication part is working find, a user can connect to the
WiFi.
As far as I understood it, I should configure FreeRadius to write a
detail file which is then parsed an an accounting package sent to the
Fortigate firewall.
I configured a realm in proxy.conf:
realm Fortigate {
accthost = 172.16.1.253
secret = ***********
}
And I enabled the site "copy-accounting-to-home-server" with the
following configuration:
server copy-acct-to-home-server {
listen {
type = detail
filename = ${radacctdir}/detail-*
load_factor = 10
}
preacct {
preprocess
suffix
files
update control {
Proxy-To-Realm := 'Fortigate'
}
}
accounting {
ok
}
pre-proxy {
}
post-proxy {
}
}
Reading the detail file seems to work fine, but no accounting package
is sent to the FortiGate firewall (I even checked using Wireshark). See
a part of the debug-log here:
(9) Login OK: [fimi] (from client private-network-1 port 0 cli F4-60-
E2-B3-96-5C)
(9) Sent Access-Accept Id 107 from 172.16.1.104:1812 to
192.168.251.51:39578 length 0
(9) Class := 0x54657374
(9) MS-MPPE-Recv-Key =
0x28765691676b5035b99c8aa3b2b5bb8c1e9b4b3e32a457239e11df0cdac127ea
(9) MS-MPPE-Send-Key =
0x1120b9224c29ff96b3ed507b19eabd80bb1c7728772cbe8305a876cede81c224
(9) EAP-Message = 0x03d10004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name += "fimi"
(9) Finished request
Waking up in 4.8 seconds.
detail (/var/log/radius/radacct/detail-*): Polling for detail file
detail (/var/log/radius/radacct/detail-*): Renaming
/var/log/radius/radacct/detail-192.168.251.51-20210216 ->
/var/log/radius/radacct/detail.work
detail (/var/log/radius/radacct/detail-*): Read packet from
/var/log/radius/radacct/detail.work
Packet-Type = Access-Accept
Class = 0x54657374
User-Name = "fimi"
MS-MPPE-Recv-Key =
0x28765691676b5035b99c8aa3b2b5bb8c1e9b4b3e32a457239e11df0cdac127ea
MS-MPPE-Send-Key =
0x1120b9224c29ff96b3ed507b19eabd80bb1c7728772cbe8305a876cede81c224
EAP-MSK =
0x28765691676b5035b99c8aa3b2b5bb8c1e9b4b3e32a457239e11df0cdac127ea1120b
9224c29ff96b3ed507b19eabd80bb1c7728772cbe8305a876cede81c224
EAP-EMSK =
0xd3a64e1f290603568302a9f6c13c3ae00eaea0f45caeff1503b5609e2faf9b06be114
12f1243564b0a08b8df5d58cc33235989699b860f0171b9b73a29bb0e36
EAP-Session-Id =
0x19c2bce2a85918a3ba9ea0068fd39acacb8173753f6c2a19ac67249b606157c82923f
2dacd82dc178f0df970ea5031e0e57b82ad5100de437f43b4f8303af37cae
EAP-Message = 0x03d10004
Message-Authenticator = 0x00000000000000000000000000000000
Packet-Original-Timestamp = "Feb 16 2021 14:22:24 CET"
Packet-Transmit-Counter = 1
Waking up in 4.6 seconds.
See full debug-log attached.
I would really appreciate your help!
Thanks, Mike
2
3