Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 12 participants
- 27047 discussions
Hello,
Please help me set up freeradius2 + iODBC + Informix
(I'm newbie in freeradius).
- I have a test-machine with Ubuntu 14.04 and Freeradius-server
v2.1.12.
- I have a server with Informix Database Server v 10.00
Step 1:
- I installed unixODBC on test-machine
- I installed informix-csdk for connect to Informix Database
Server (Driver)
- I configured files /etc/odbc.ini and /etc/odbcinst.ini to
connect to Informix Database Server
- Checking with isql:
+++++++++++++++++++++++++++++++++++++++++
root@test:/home/test# isql -v work
+---------------------------------------+
| Connected! |
| |
| sql-statement |
| help [tablename] |
| quit |
| |
+---------------------------------------+
SQL> select 1 from TABLES(SET{1})
1
+++++++++++++++++++++++++++++++++++++++++
- Everything is allright.
Step 2:
- I try to install freeradius-iodbc module to connect to
Informix Database Server
- During install I get next warning:
+++++++++++++++++++++++++++++++++++++++++++++
The following packages will be REMOVED:
unixodbc unixodbc-dev
The following NEW packages will be installed:
libiodbc2-dev
+++++++++++++++++++++++++++++++++++++++++++++
- so unixodbc and unixodbc-dev packages was removed after
install freeradius-iodbc
- I included in radiusd.conf:
+++++++++++++++++++++++++++++++++++++++++++++
sql {
#
# Set the database to one of:
#
# mysql, mssql, oracle, postgresql
#
database = "iodbc"
#
# Which FreeRADIUS driver to use.
#
driver = "rlm_sql_${database}"
# Connection info:
server = "test.server.ru"
port = 1425
login = "test"
password = "test123"
radius_db = "test"
...
+++++++++++++++++++++++++++++++++++++++++++++
- freeradius -XXX showed me next error:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
...
Fri Nov 21 14:53:48 2014 : Info: rlm_sql (sql): Driver
rlm_sql_iodbc (module rlm_sql_iodbc) loaded and linked
Fri Nov 21 14:53:48 2014 : Info: rlm_sql (sql): Attempting to
connect to test@test.server.ru:1425/test
Fri Nov 21 14:53:48 2014 : Debug: rlm_sql (sql): starting 0
Fri Nov 21 14:53:48 2014 : Info: rlm_sql (sql): Attempting to
connect rlm_sql_iodbc #0
Fri Nov 21 14:53:48 2014 : Error: sql_create_socket:
SQLConnectfailed: [iODBC][Driver Manager]Data source name
not found and no default driver specified. Driver could not be
loaded
Fri Nov 21 14:53:48 2014 : Error: rlm_sql (sql): Failed to
connect DB handle #0
...
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- Error - "SQLConnectfailed: [iODBC][Driver Manager]Data
source name not found and no default driver specified. Driver
could not be loaded."
- Where did I go wrong?
- I found some information in net with same problem, but clear
decision nowhere not found.
4
4
Proposed behaviour for rlm_mruby (which might impact rlm_perl and rlm_python too)
by Herwin Weststrate 27 Nov '16
by Herwin Weststrate 27 Nov '16
27 Nov '16
This weekend I've been trying to get some work done in this very old
ticket[1] to remove rlm_ruby and replace it with rlm_mruby. mruby is a
kind of minified ruby that is suitable for embedding in processes (as
opposed to ruby, which does things like hooking its own signal handlers
into freeradius). It was definitely an interesting experience, not in
the least because documentation like this[2] is far from exceptional.
The code I currently have is feature complete[3], but during
construction I thought of a few limitations that I would like to solve.
This reminded me of the documented I wanted to write earlier this year
about my vision on the rlm_language-modules, and how to solve the
current problems.
There are currently 4 modules for scripting languages: rlm_perl,
rlm_python, rlm_ruby and rlm_lua. I haven't looked at that last one, so
for the sake of simplicity I'll just forget about that one for the rest
of this mail. rlm_python and rlm_ruby work pretty much the same: You
call a method with an array containing all attributes of the request
list, and the return value of that method can be either an integer (that
maps to things like RLM_MODULE_OK), or a list of 3 items: the first one
is the aforementioned integer, the second one is the updates to the
reply list, the last one is the updates to the control list (or those
might be the other way around, which indicates what a terrible interface
it actually is). A few improvements have been added to rlm_python, but
those are just minor differences and don't really change the
architecture. rlm_perl works completely different: there are a number of
global hash variables (for those not familiar with Perl lingo: a hash is
a key-value-map). Changes can be made to those hashes, there are no
parameters for the methods, and the return value is just a simple
integer (which is defined by some constants in that file, and copied
from the example.pl file, instead of injected by freeradius).
At the moment, rlm_perl is by far the most powerful of the three,
because it can access all lists. Although the request list is probably
enough when you call the module in the authorize section, it is almost
useless in the post-auth. There have been requests to add more lists to
rlm_python[4], but I don't like the idea of adding extra arguments to
the method (the ticket only mentions config and reply, but what about
session-state, proxy-request and proxy-reply? That makes a total of 6
arguments).
(As a side note: the same limitations of the input currently exist in
the rlm_rest module, I submitted a pull request[5] to fix this. The
output here is a bit more flexible)
Querying the value of an attribute is another thing that differs
greatly between rlm_{python,ruby} and rlm_perl. The main problem here is
that RADIUS allows us to have multiple values for an attribute. Perl
uses a hash, where each value can be either a scalar or an array (for
the people that know perl: yes, it's an arrayref instead of an array,
but I'd rather skip about those implementation details to make it easier
to understand for those who don't know perl). This means your code to
read a value first performs a hash lookup, than has to check if the
value is a scalar or an array. Output values are even worse: if the
attribute/key is not present in the hash: add the value as a scalar, if
it is a scalar: create an array with that value and your own value,
otherwise push it into the existing array. Output in rlm_python and
rlm_mruby is a bit better (rlm_mruby lacks functionality here, but we
want to get rid of it anyway), you can define an attribute, an operator
and a value, so you're basicly writing FreeRADIUS config in your code,
like `['Tmp-String-0', ':=', 'foo']`. The input is a bit different here,
you get an array of arrays, every attribute/value-pair has got its own
array (an example: `[['User-Name', 'bob'], ['User-Password', 'hello']]`.
This works with duplicate values, but a lookup requires you to loop over
the array, where a hash lookup could be more efficient.
I don't like any of these interfaces, so I'm trying to propose a new
one. We could use that in every rlm_language-module, so switching
between languages would be easier and functionality will be preserved.
Use an object for the input. This object has methods like request,
reply and session_state to get the correct lists. This means no more
globale variables (perl) and no excessive lists of argument (python,
ruby).
The result of these method calls would be objects too. These object
have methods like get_attribute and get_attributes. The first one
returns a scalar value, if there are multiple attributes it returns the
first one, If there is no attribute, it does something that is expected
in the language (perl and ruby would return a NULL-like value here, in
python a KeyError would be more suiteable). The second method always
returns a list, that might contain 0 or 1 elements. In the general case,
people are only interested in the first value.
Updates should be performed via those objects too, so we could use code
like `control.set_attribute('Cleartext-Password', 'hello')`. This means
we can update all lists from rlm_python/rlm_ruby as well, and we no
longer have to remember in what order "control" and "reply" were.
One of the drawbacks of the current implementation is that a lot of
attributes have to be copied from the request and converted into
language-specific strings. It is not unlikely that we copy and convert a
load of EAP-data, while the called script is only interested in the
User-Name attribute. By converting everything to objects we can make
these conversions on-demand, instead of doing everything up front.
We might even want to skip the parameter to the methods, and just
define an abstract base class that has to be subclassed in the script.
The downside of this being that it would become hard to test the script
without freeradius, because the base class has been implemented there.
Then again, the same problem arises with the rest of this proposal.
The biggest drawbacks here are that everything has to be coded, and
that the language modules become backwards incompatible with older
version. The changes for rlm_python are relatively small (I just hope
nobody is using rlm_ruby at the moment, so nothing would be backwards
incompatible here), but the behaviour of rlm_perl really changes here.
I would like to hear your comments on this proposal, I can't be the
only one who didn't like the interface of the scripting language
modules.
[1] https://github.com/FreeRADIUS/freeradius-server/issues/990
[2] http://mruby.org/docs/api/headers/mruby_2Fvariable.h.html
[3]
https://github.com/herwinw/freeradius-server/tree/rlm_mruby/src/modules/rlm…
[4] https://github.com/FreeRADIUS/freeradius-server/issues/1464
[5] https://github.com/FreeRADIUS/freeradius-server/pull/1843
--
Herwin Weststrate
3
2
Hi Alan,
Here's the debug information you requested.
Thanks, Chris
radiusd: #### Opening IP addresses and Ports ####
Listening on command file /var/run/radiusd/control/radiusd.sock
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address 127.0.0.1 port 18122 bound to server eduroam-inner-tunnel
Listening on auth address 127.0.0.1 port 28120 bound to server captive-portal
Listening on auth address X.X.X.X port 28120 bound to server captive-portal
Listening on status address 127.0.0.1 port 18121 bound to server status
Listening on proxy address * port 36322
Listening on proxy address :: port 57199
Ready to process requests
(1) Received Access-Request Id 77 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 292
(1) User-Name = "testuser@realm"
(1) Chargeable-User-Identity = 0x00
(1) Location-Capable = Civix-Location
(1) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(1) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(1) NAS-Port = 13
(1) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(1) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(1) NAS-IP-Address = Y.Y.Y.Y
(1) NAS-Identifier = "WM13"
(1) Airespace-Wlan-Id = 8
(1) Service-Type = Framed-User
(1) Framed-MTU = 1300
(1) NAS-Port-Type = Wireless-802.11
(1) Tunnel-Type:0 = VLAN
(1) Tunnel-Medium-Type:0 = IEEE-802
(1) Tunnel-Private-Group-Id:0 = "446"
(1) EAP-Message = 0x020100170165636c366368406c656564732e61632e756b
(1) Message-Authenticator = 0x2f0eff9e4f79f94e7189010a34c8fffe
(1) Running section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) local_rewrite_called_station_id {
(1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(1) update request {
(1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(1) --> 64:AE:0C:91:42:60
(1) &Called-Station-Id := 64:AE:0C:91:42:60
(1) } # update request (noop)
(1) if ("%{8}") {
(1) EXPAND %{8}
(1) --> RADIUS-TEST
(1) update request {
(1) EXPAND %{8}
(1) --> RADIUS-TEST
(1) &Called-Station-SSID := RADIUS-TEST
(1) } # update request (noop)
(1) } # if ("%{8}") (noop)
(1) updated (updated)
(1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(1) else {
(1) ... skipping else for request 1: Preceding "if" was taken
(1) }
(1) } # local_rewrite_called_station_id (updated)
(1) local_rewrite_calling_station_id {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(1) update request {
(1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(1) --> A4:D1:8C:E4:9F:22
(1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(1) } # update request (noop)
(1) updated (updated)
(1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(1) else {
(1) ... skipping else for request 1: Preceding "if" was taken
(1) }
(1) } # local_rewrite_calling_station_id (updated)
(1) filter_username {
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) ...
(1) }
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) ...
(1) }
(1) if (&User-Name =~ /\.\./ ) {
(1) ...
(1) }
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(1) ...
(1) }
(1) if (&User-Name =~ /\.$/) {
(1) ...
(1) }
(1) if (&User-Name =~ /(a)\./) {
(1) ...
(1) }
(1) } # if (&User-Name) (updated)
(1) } # filter_username (updated)
(1) bad_realms {
(1) if (&User-Name =~ /\.ax\.uk$/i) {
(1) ...
(1) }
(1) if (&User-Name =~ /(a)ac\.uk$/i) {
(1) ...
(1) }
(1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(1) ...
(1) }
(1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(1) ...
(1) }
(1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(1) ...
(1) }
(1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(1) ...
(1) }
(1) if (&User-Name =~ /myabc\.com$/i) {
(1) ...
(1) }
(1) } # bad_realms (updated)
(1) preprocess (ok)
(1) operator-name.authorize {
(1) if ("%{client:Operator-Name}") {
(1) EXPAND %{client:Operator-Name}
(1) --> 1realm.ac.uk
(1) update request {
(1) EXPAND %{client:Operator-Name}
(1) --> 1realm.ac.uk
(1) &Operator-Name = 1realm.ac.uk
(1) } # update request (noop)
(1) } # if ("%{client:Operator-Name}") (noop)
(1) } # operator-name.authorize (noop)
(1) suffix - Checking for suffix after "@"
(1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(1) suffix - Found realm "realm.ac.uk"
(1) suffix - Adding Stripped-User-Name = "testuser"
(1) suffix - Adding Realm = "realm.ac.uk"
(1) suffix - Authentication realm is LOCAL
(1) suffix (ok)
(1) if (&Realm) {
(1) update control {
(1) &control:Proxy-To-Realm := LOCAL
(1) } # update control (noop)
(1) } # if (&Realm) (noop)
(1) else {
(1) ... skipping else for request 1: Preceding "if" was taken
(1) }
(1) if (&Realm) {
(1) if (&Stripped-User-Name != "") {
(1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(1) EXPAND %{tolower:%{Stripped-User-Name}}
(1) --> testuser
(1) ...
(1) }
(1) group {
(1) check_blacklist (ok)
(1) if (&control:Local-Banned-User) {
(1) ...
(1) }
(1) else {
(1) noop (noop)
(1) } # else (noop)
(1) } # group (ok)
(1) } # if (&Stripped-User-Name != "") (ok)
(1) } # if (&Realm) (ok)
(1) eap - Peer sent EAP Response (code 2) ID 1 length 23
(1) eap - Peer sent EAP-Identity. Returning 'ok' so we can short-circuit the rest of authorize
(1) eap (ok)
(1) } # authorize (ok)
(1) Using 'Auth-Type = eap' for authenticate {...}
(1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(1) Auth-Type eap {
(1) eap - Peer sent packet with EAP method Identity (1)
(1) eap - Calling submodule eap_peap to process data
(1) eap_peap - Initiating new TLS session
(1) eap - Sending EAP Request (code 1) ID 2 length 6
(1) eap (handled)
(1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(1) EXPAND Response-Packet-Type
(1) --> Access-Challenge
(1) attr_filter.access_challenge - EXPAND %{User-Name}
(1) attr_filter.access_challenge - --> testuser@realm
(1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(1) attr_filter.access_challenge.post-auth (updated)
(1) handled (handled)
(1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(1) } # Auth-Type eap (handled)
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 77 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x010138003637b8d43b39393138ab9701
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 78 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 418
(2) User-Name = "testuser@realm"
(2) Chargeable-User-Identity = 0x00
(2) Location-Capable = Civix-Location
(2) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(2) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(2) NAS-Port = 13
(2) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(2) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(2) NAS-IP-Address = Y.Y.Y.Y
(2) NAS-Identifier = "WM13"
(2) Airespace-Wlan-Id = 8
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) Tunnel-Type:0 = VLAN
(2) Tunnel-Medium-Type:0 = IEEE-802
(2) Tunnel-Private-Group-Id:0 = "446"
(2) EAP-Message = 0x0202008319800000007916030100740100007003015838561f7c35db9df95d549eb9befc0ca9bbc9fbc9027794c6893d1c9b40e77000002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000050005010000000000120000
(2) State = 0x010138003637b8d43b39393138ab9701
(2) Message-Authenticator = 0xcf0cbabf5a3dcda1ac3c2f2c0a98eb8b
(2,1) Running section authorize from file /etc/raddb/sites-enabled/default
(2,1) authorize {
(2,1) local_rewrite_called_station_id {
(2,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(2,1) update request {
(2,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(2,1) --> 64:AE:0C:91:42:60
(2,1) &Called-Station-Id := 64:AE:0C:91:42:60
(2,1) } # update request (noop)
(2,1) if ("%{8}") {
(2,1) EXPAND %{8}
(2,1) --> RADIUS-TEST
(2,1) update request {
(2,1) EXPAND %{8}
(2,1) --> RADIUS-TEST
(2,1) &Called-Station-SSID := RADIUS-TEST
(2,1) } # update request (noop)
(2,1) } # if ("%{8}") (noop)
(2,1) updated (updated)
(2,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(2,1) else {
(2,1) ... skipping else for request 2: Preceding "if" was taken
(2,1) }
(2,1) } # local_rewrite_called_station_id (updated)
(2,1) local_rewrite_calling_station_id {
(2,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(2,1) update request {
(2,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(2,1) --> A4:D1:8C:E4:9F:22
(2,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(2,1) } # update request (noop)
(2,1) updated (updated)
(2,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(2,1) else {
(2,1) ... skipping else for request 2: Preceding "if" was taken
(2,1) }
(2,1) } # local_rewrite_calling_station_id (updated)
(2,1) filter_username {
(2,1) if (&User-Name) {
(2,1) if (&User-Name =~ / /) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /@[^@]*@/ ) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /\.\./ ) {
(2,1) ...
(2,1) }
(2,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /\.$/) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /(a)\./) {
(2,1) ...
(2,1) }
(2,1) } # if (&User-Name) (updated)
(2,1) } # filter_username (updated)
(2,1) bad_realms {
(2,1) if (&User-Name =~ /\.ax\.uk$/i) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(2,1) ...
(2,1) }
(2,1) if (&User-Name =~ /myabc\.com$/i) {
(2,1) ...
(2,1) }
(2,1) } # bad_realms (updated)
(2,1) preprocess (ok)
(2,1) operator-name.authorize {
(2,1) if ("%{client:Operator-Name}") {
(2,1) EXPAND %{client:Operator-Name}
(2,1) --> 1realm.ac.uk
(2,1) update request {
(2,1) EXPAND %{client:Operator-Name}
(2,1) --> 1realm.ac.uk
(2,1) &Operator-Name = 1realm.ac.uk
(2,1) } # update request (noop)
(2,1) } # if ("%{client:Operator-Name}") (noop)
(2,1) } # operator-name.authorize (noop)
(2,1) suffix - Checking for suffix after "@"
(2,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(2,1) suffix - Found realm "realm.ac.uk"
(2,1) suffix - Adding Stripped-User-Name = "testuser"
(2,1) suffix - Adding Realm = "realm.ac.uk"
(2,1) suffix - Authentication realm is LOCAL
(2,1) suffix (ok)
(2,1) if (&Realm) {
(2,1) update control {
(2,1) &control:Proxy-To-Realm := LOCAL
(2,1) } # update control (noop)
(2,1) } # if (&Realm) (noop)
(2,1) else {
(2,1) ... skipping else for request 2: Preceding "if" was taken
(2,1) }
(2,1) if (&Realm) {
(2,1) if (&Stripped-User-Name != "") {
(2,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(2,1) EXPAND %{tolower:%{Stripped-User-Name}}
(2,1) --> testuser
(2,1) ...
(2,1) }
(2,1) group {
(2,1) check_blacklist (ok)
(2,1) if (&control:Local-Banned-User) {
(2,1) ...
(2,1) }
(2,1) else {
(2,1) noop (noop)
(2,1) } # else (noop)
(2,1) } # group (ok)
(2,1) } # if (&Stripped-User-Name != "") (ok)
(2,1) } # if (&Realm) (ok)
(2,1) eap - Peer sent EAP Response (code 2) ID 2 length 131
(2,1) eap - Continuing tunnel setup
(2,1) eap (ok)
(2,1) } # authorize (ok)
(2,1) Using 'Auth-Type = eap' for authenticate {...}
(2,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(2,1) Auth-Type eap {
(2,1) eap - Peer sent packet with EAP method PEAP (25)
(2,1) eap - Calling submodule eap_peap to process data
(2,1) eap_peap - Continuing EAP-TLS
(2,1) eap_peap - Peer indicated complete TLS record size will be 121 bytes
(2,1) eap_peap - Got complete TLS record, with length field (121 bytes)
(2,1) eap_peap - [eap-tls verify] = complete
(2,1) eap_peap - Handshake state - before/accept initialization
(2,1) eap_peap - Handshake state - Server before/accept initialization
(2,1) eap_peap - <<< recv handshake [length 116], client_hello
(2,1) eap_peap - Handshake state - Server SSLv3 read client hello A
(2,1) eap_peap - >>> send handshake [length 57], server_hello
(2,1) eap_peap - Handshake state - Server SSLv3 write server hello A
(2,1) eap_peap - >>> send handshake [length 2643], certificate
(2,1) eap_peap - Handshake state - Server SSLv3 write certificate A
(2,1) eap_peap - >>> send handshake [length 331], server_key_exchange
(2,1) eap_peap - Handshake state - Server SSLv3 write key exchange A
(2,1) eap_peap - >>> send handshake [length 4], server_hello_done
(2,1) eap_peap - Handshake state - Server SSLv3 write server done A
(2,1) eap_peap - Handshake state - Server SSLv3 flush data
(2,1) eap_peap - Need more data from client
(2,1) eap_peap - Need more data from client
(2,1) eap_peap - Complete TLS record (3055 bytes) larger than MTU (990 bytes), will fragment
(2,1) eap_peap - Sending first TLS record fragment (990 bytes), 2065 bytes remaining
(2,1) eap_peap - [eap-tls process] = handled
(2,1) eap - Sending EAP Request (code 1) ID 3 length 1000
(2,1) eap (handled)
(2,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(2,1) EXPAND Response-Packet-Type
(2,1) --> Access-Challenge
(2,1) attr_filter.access_challenge - EXPAND %{User-Name}
(2,1) attr_filter.access_challenge - --> testuser@realm
(2,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(2,1) attr_filter.access_challenge.post-auth (updated)
(2,1) handled (handled)
(2,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(2,1) } # Auth-Type eap (handled)
(2,1) Using Post-Auth-Type Challenge
(2,1) Post-Auth-Type sub-section not found. Ignoring.
(2,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(2,1) Sent Access-Challenge Id 78 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(2,1) EAP-Message = 0x010303e819c000000bef16030100390200003503015838561fbe318d85e54c607db0dc6d03c0b5e5d4d2266165638bd4fff41936b900c01400000dff01000100000b0004030001021603010a530b000a4f000a4c0004f6308204f2308203daa003020102021437ff648df0d47ee77e787cee2cab98c71324c34c300d06092a864886f70d01010b0500304d310b300906035504061302424d31193017060355040a131051756f5661646973204c696d69746564312330210603550403131a51756f566164697320476c6f62616c2053534c20494341204732301e170d3136303831313134353330385a170d3139303831313134353330355a307f310b3009060355040613024742311730150603550408130e5765737420596f726b7368697265310e300c060355040713054c45454453311c301a060355040a1313556e6976657273697479206f66204c65656473310c300a060355040b1303492e54311b3019060355040313127261646975732e6c656564732e61632e756b30820122300d06092a864886f70d01010105000382010f003082010a0282010100b05f6ffc1d8d9a1d6602e4e3fb505be1df826dbe0e8e2cd96127b2beeea934476f474d835388182926f52f7de4ef5dc0f0c439f59b88f0494c2f2f8724e69790e0c7f9379941b0524d7b74e95ae882f556a1f9df197fcbe00ef20677bb1bfaa66a575783594163b1efffda474b26101c56f6906d9434eab449a96f4d9aaa92d73bd83396f2fba04afb8fc92013d6ea56eb98ee202f87961616a391b33dbca45634aa899c9f5846b19935588fc6874c228bf01c4e5c930ed66feaacc52507d5753582dd7ac994ba1c067e1b22e6c72c1acdd141b4fa8a553f9acde4b6571bea31e280f298a5ace02370bff63b582325a3a8bcd10982f79059bac57a46f26949b70203010001a382019630820192307306082b0601050507010104673065302a06082b06010505073001861e687474703a2f2f6f6373702e71756f7661646973676c6f62616c2e636f6d303706082b06010505073002862b687474703a2f2f74727573742e71756f7661646973676c6f62616c2e636f6d2f717673736c67322e637274301d0603551d110416301482127261646975732e6c656564732e61632e756b30510603551d20044a30483046060c2b06010401be5800026401013036303406082b060105050702011628687474703a2f2f7777772e71756f7661646973676c6f62616c2e636f6d2f7265706f7369746f7279300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302301f0603551d23041830168014911962ad5b17a730fbf0de3925b1bd8cb9b85127303a0603551d1f043330
(2,1) Message-Authenticator = 0x00000000000000000000000000000000
(2,1) State = 0x02033800aecc10fa3b39393138ab9701
(2,1) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 79 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293
(3) User-Name = "testuser@realm"
(3) Chargeable-User-Identity = 0x00
(3) Location-Capable = Civix-Location
(3) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(3) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(3) NAS-Port = 13
(3) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(3) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(3) NAS-IP-Address = Y.Y.Y.Y
(3) NAS-Identifier = "WM13"
(3) Airespace-Wlan-Id = 8
(3) Service-Type = Framed-User
(3) Framed-MTU = 1300
(3) NAS-Port-Type = Wireless-802.11
(3) Tunnel-Type:0 = VLAN
(3) Tunnel-Medium-Type:0 = IEEE-802
(3) Tunnel-Private-Group-Id:0 = "446"
(3) EAP-Message = 0x020300061900
(3) State = 0x02033800aecc10fa3b39393138ab9701
(3) Message-Authenticator = 0x34efdefe25b8b008e5bac82e18ee94ff
(3,1) Running section authorize from file /etc/raddb/sites-enabled/default
(3,1) authorize {
(3,1) local_rewrite_called_station_id {
(3,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(3,1) update request {
(3,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(3,1) --> 64:AE:0C:91:42:60
(3,1) &Called-Station-Id := 64:AE:0C:91:42:60
(3,1) } # update request (noop)
(3,1) if ("%{8}") {
(3,1) EXPAND %{8}
(3,1) --> RADIUS-TEST
(3,1) update request {
(3,1) EXPAND %{8}
(3,1) --> RADIUS-TEST
(3,1) &Called-Station-SSID := RADIUS-TEST
(3,1) } # update request (noop)
(3,1) } # if ("%{8}") (noop)
(3,1) updated (updated)
(3,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(3,1) else {
(3,1) ... skipping else for request 3: Preceding "if" was taken
(3,1) }
(3,1) } # local_rewrite_called_station_id (updated)
(3,1) local_rewrite_calling_station_id {
(3,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(3,1) update request {
(3,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(3,1) --> A4:D1:8C:E4:9F:22
(3,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(3,1) } # update request (noop)
(3,1) updated (updated)
(3,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(3,1) else {
(3,1) ... skipping else for request 3: Preceding "if" was taken
(3,1) }
(3,1) } # local_rewrite_calling_station_id (updated)
(3,1) filter_username {
(3,1) if (&User-Name) {
(3,1) if (&User-Name =~ / /) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /@[^@]*@/ ) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /\.\./ ) {
(3,1) ...
(3,1) }
(3,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /\.$/) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /(a)\./) {
(3,1) ...
(3,1) }
(3,1) } # if (&User-Name) (updated)
(3,1) } # filter_username (updated)
(3,1) bad_realms {
(3,1) if (&User-Name =~ /\.ax\.uk$/i) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(3,1) ...
(3,1) }
(3,1) if (&User-Name =~ /myabc\.com$/i) {
(3,1) ...
(3,1) }
(3,1) } # bad_realms (updated)
(3,1) preprocess (ok)
(3,1) operator-name.authorize {
(3,1) if ("%{client:Operator-Name}") {
(3,1) EXPAND %{client:Operator-Name}
(3,1) --> 1realm.ac.uk
(3,1) update request {
(3,1) EXPAND %{client:Operator-Name}
(3,1) --> 1realm.ac.uk
(3,1) &Operator-Name = 1realm.ac.uk
(3,1) } # update request (noop)
(3,1) } # if ("%{client:Operator-Name}") (noop)
(3,1) } # operator-name.authorize (noop)
(3,1) suffix - Checking for suffix after "@"
(3,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(3,1) suffix - Found realm "realm.ac.uk"
(3,1) suffix - Adding Stripped-User-Name = "testuser"
(3,1) suffix - Adding Realm = "realm.ac.uk"
(3,1) suffix - Authentication realm is LOCAL
(3,1) suffix (ok)
(3,1) if (&Realm) {
(3,1) update control {
(3,1) &control:Proxy-To-Realm := LOCAL
(3,1) } # update control (noop)
(3,1) } # if (&Realm) (noop)
(3,1) else {
(3,1) ... skipping else for request 3: Preceding "if" was taken
(3,1) }
(3,1) if (&Realm) {
(3,1) if (&Stripped-User-Name != "") {
(3,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(3,1) EXPAND %{tolower:%{Stripped-User-Name}}
(3,1) --> testuser
(3,1) ...
(3,1) }
(3,1) group {
(3,1) check_blacklist (ok)
(3,1) if (&control:Local-Banned-User) {
(3,1) ...
(3,1) }
(3,1) else {
(3,1) noop (noop)
(3,1) } # else (noop)
(3,1) } # group (ok)
(3,1) } # if (&Stripped-User-Name != "") (ok)
(3,1) } # if (&Realm) (ok)
(3,1) eap - Peer sent EAP Response (code 2) ID 3 length 6
(3,1) eap - Continuing tunnel setup
(3,1) eap (ok)
(3,1) } # authorize (ok)
(3,1) Using 'Auth-Type = eap' for authenticate {...}
(3,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(3,1) Auth-Type eap {
(3,1) eap - Peer sent packet with EAP method PEAP (25)
(3,1) eap - Calling submodule eap_peap to process data
(3,1) eap_peap - Continuing EAP-TLS
(3,1) eap_peap - Peer ACKed our handshake fragment
(3,1) eap_peap - [eap-tls verify] = request
(3,1) eap_peap - Sending additional TLS record fragment (994 bytes), 1071 bytes remaining
(3,1) eap_peap - [eap-tls process] = handled
(3,1) eap - Sending EAP Request (code 1) ID 4 length 1000
(3,1) eap (handled)
(3,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(3,1) EXPAND Response-Packet-Type
(3,1) --> Access-Challenge
(3,1) attr_filter.access_challenge - EXPAND %{User-Name}
(3,1) attr_filter.access_challenge - --> testuser@realm
(3,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(3,1) attr_filter.access_challenge.post-auth (updated)
(3,1) handled (handled)
(3,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(3,1) } # Auth-Type eap (handled)
(3,1) Using Post-Auth-Type Challenge
(3,1) Post-Auth-Type sub-section not found. Ignoring.
(3,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(3,1) Sent Access-Challenge Id 79 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(3,1) EAP-Message = 0x010403e8194031302fa02da02b8629687474703a2f2f63726c2e71756f7661646973676c6f62616c2e636f6d2f717673736c67322e63726c301d0603551d0e0416041431cc0012c0528beb4f3ff6c7fb7f8265057c0dd9300d06092a864886f70d01010b05000382010100a7d52e44c1f46b51a9d7395b2a3822ec0ebd0fb9f6af1fbd6f72ee6495c8a74c83db45fc958dad681d19859b9c8c6bc988c4b727276d669ac9945dee1cf9c7916e21175104d073a1c26c901ba390d68354fdd2296bde3526405803dc37b8df49525a563c2db126dba32be5e33f646624c1e675da984a6bfef13f69019afe7664874b04c9b4b64abd637a8ad66929f0d148e5f8efdb9b298bfcc2d083c67c1fa115dced735d0f184950cbb99c6cfdbebd9e18f57f8735f3b90787cfb1618e2c4bb3a5f54a5f83f5c2683e2c6dfd25c31675d046143c13b5c5fa72b39a93c2242e5308853a9361af20d5a0c5a441246b2255b75870d43c8b2ef14cc183018b6ad20005503082054c30820334a003020102021448982de2a92cb339e1c8f933358275d3e4f88255300d06092a864886f70d01010b05003045310b300906035504061302424d31193017060355040a131051756f5661646973204c696d69746564311b30190603550403131251756f566164697320526f6f742043412032301e170d3133303630313133333530355a170d3233303630313133333530355a304d310b300906035504061302424d31193017060355040a131051756f5661646973204c696d69746564312330210603550403131a51756f566164697320476c6f62616c2053534c2049434120473230820122300d06092a864886f70d01010105000382010f003082010a0282010100e1e1856994c08f57fa34fec1b868e49990a9887ace57b7d0e4b554c2187dd0c319e8a96380f7b7dcd219a35ab060d976b41d325635f16ca39c42a18b8a233597417b056984288ece1e4d8b6024f1b488fec050f6c28fae9774f940aa6ef686b3a4e9c75f746514f43ddcbe4ea398645fe3066cc18fb61f5c9996c657c2cbad94890eadbeffb80ba5b638fbb54781d40fca09f10a3b120d1c0fe185b01336c3cb287dfca5f8373aa4ab404663829540bb12ac963f457df79de5037e24b89665631c5d8208414e7f6b5a8690c3f2ebe459f45e077b7d84b7ff31a199762f56cb80c489fc1a4f9869ea0b67c1fdb54be70c3de5107cef22c30fc6ab5dec881c55a30203010001a382012a3082012630120603551d130101ff040830060101ff02010030110603551d20040a300830060604551d2000307206082b0601050507010104663064302a06082b06010505073001861e687474703a2f2f6f6373702e71756f7661646973676c6f62616c2e636f6d30
(3,1) Message-Authenticator = 0x00000000000000000000000000000000
(3,1) State = 0x030138003637b8d43b39393138ab9701
(3,1) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 80 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293
(4) User-Name = "testuser@realm"
(4) Chargeable-User-Identity = 0x00
(4) Location-Capable = Civix-Location
(4) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(4) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(4) NAS-Port = 13
(4) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(4) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(4) NAS-IP-Address = Y.Y.Y.Y
(4) NAS-Identifier = "WM13"
(4) Airespace-Wlan-Id = 8
(4) Service-Type = Framed-User
(4) Framed-MTU = 1300
(4) NAS-Port-Type = Wireless-802.11
(4) Tunnel-Type:0 = VLAN
(4) Tunnel-Medium-Type:0 = IEEE-802
(4) Tunnel-Private-Group-Id:0 = "446"
(4) EAP-Message = 0x020400061900
(4) State = 0x030138003637b8d43b39393138ab9701
(4) Message-Authenticator = 0x1443c965ed70ea0cdba34b15c0f14054
(4,1) Running section authorize from file /etc/raddb/sites-enabled/default
(4,1) authorize {
(4,1) local_rewrite_called_station_id {
(4,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(4,1) update request {
(4,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(4,1) --> 64:AE:0C:91:42:60
(4,1) &Called-Station-Id := 64:AE:0C:91:42:60
(4,1) } # update request (noop)
(4,1) if ("%{8}") {
(4,1) EXPAND %{8}
(4,1) --> RADIUS-TEST
(4,1) update request {
(4,1) EXPAND %{8}
(4,1) --> RADIUS-TEST
(4,1) &Called-Station-SSID := RADIUS-TEST
(4,1) } # update request (noop)
(4,1) } # if ("%{8}") (noop)
(4,1) updated (updated)
(4,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(4,1) else {
(4,1) ... skipping else for request 4: Preceding "if" was taken
(4,1) }
(4,1) } # local_rewrite_called_station_id (updated)
(4,1) local_rewrite_calling_station_id {
(4,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(4,1) update request {
(4,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(4,1) --> A4:D1:8C:E4:9F:22
(4,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(4,1) } # update request (noop)
(4,1) updated (updated)
(4,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(4,1) else {
(4,1) ... skipping else for request 4: Preceding "if" was taken
(4,1) }
(4,1) } # local_rewrite_calling_station_id (updated)
(4,1) filter_username {
(4,1) if (&User-Name) {
(4,1) if (&User-Name =~ / /) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /@[^@]*@/ ) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /\.\./ ) {
(4,1) ...
(4,1) }
(4,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /\.$/) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /(a)\./) {
(4,1) ...
(4,1) }
(4,1) } # if (&User-Name) (updated)
(4,1) } # filter_username (updated)
(4,1) bad_realms {
(4,1) if (&User-Name =~ /\.ax\.uk$/i) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(4,1) ...
(4,1) }
(4,1) if (&User-Name =~ /myabc\.com$/i) {
(4,1) ...
(4,1) }
(4,1) } # bad_realms (updated)
(4,1) preprocess (ok)
(4,1) operator-name.authorize {
(4,1) if ("%{client:Operator-Name}") {
(4,1) EXPAND %{client:Operator-Name}
(4,1) --> 1realm.ac.uk
(4,1) update request {
(4,1) EXPAND %{client:Operator-Name}
(4,1) --> 1realm.ac.uk
(4,1) &Operator-Name = 1realm.ac.uk
(4,1) } # update request (noop)
(4,1) } # if ("%{client:Operator-Name}") (noop)
(4,1) } # operator-name.authorize (noop)
(4,1) suffix - Checking for suffix after "@"
(4,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(4,1) suffix - Found realm "realm.ac.uk"
(4,1) suffix - Adding Stripped-User-Name = "testuser"
(4,1) suffix - Adding Realm = "realm.ac.uk"
(4,1) suffix - Authentication realm is LOCAL
(4,1) suffix (ok)
(4,1) if (&Realm) {
(4,1) update control {
(4,1) &control:Proxy-To-Realm := LOCAL
(4,1) } # update control (noop)
(4,1) } # if (&Realm) (noop)
(4,1) else {
(4,1) ... skipping else for request 4: Preceding "if" was taken
(4,1) }
(4,1) if (&Realm) {
(4,1) if (&Stripped-User-Name != "") {
(4,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(4,1) EXPAND %{tolower:%{Stripped-User-Name}}
(4,1) --> testuser
(4,1) ...
(4,1) }
(4,1) group {
(4,1) check_blacklist (ok)
(4,1) if (&control:Local-Banned-User) {
(4,1) ...
(4,1) }
(4,1) else {
(4,1) noop (noop)
(4,1) } # else (noop)
(4,1) } # group (ok)
(4,1) } # if (&Stripped-User-Name != "") (ok)
(4,1) } # if (&Realm) (ok)
(4,1) eap - Peer sent EAP Response (code 2) ID 4 length 6
(4,1) eap - Continuing tunnel setup
(4,1) eap (ok)
(4,1) } # authorize (ok)
(4,1) Using 'Auth-Type = eap' for authenticate {...}
(4,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(4,1) Auth-Type eap {
(4,1) eap - Peer sent packet with EAP method PEAP (25)
(4,1) eap - Calling submodule eap_peap to process data
(4,1) eap_peap - Continuing EAP-TLS
(4,1) eap_peap - Peer ACKed our handshake fragment
(4,1) eap_peap - [eap-tls verify] = request
(4,1) eap_peap - Sending additional TLS record fragment (994 bytes), 77 bytes remaining
(4,1) eap_peap - [eap-tls process] = handled
(4,1) eap - Sending EAP Request (code 1) ID 5 length 1000
(4,1) eap (handled)
(4,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(4,1) EXPAND Response-Packet-Type
(4,1) --> Access-Challenge
(4,1) attr_filter.access_challenge - EXPAND %{User-Name}
(4,1) attr_filter.access_challenge - --> testuser@realm
(4,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(4,1) attr_filter.access_challenge.post-auth (updated)
(4,1) handled (handled)
(4,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(4,1) } # Auth-Type eap (handled)
(4,1) Using Post-Auth-Type Challenge
(4,1) Post-Auth-Type sub-section not found. Ignoring.
(4,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(4,1) Sent Access-Challenge Id 80 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(4,1) EAP-Message = 0x010503e819403606082b06010505073002862a687474703a2f2f74727573742e71756f7661646973676c6f62616c2e636f6d2f7176726361322e637274300e0603551d0f0101ff040403020106301f0603551d230418301680141a8462bc484c332504d4eed0f603c41946d1946b30390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e71756f7661646973676c6f62616c2e636f6d2f7176726361322e63726c301d0603551d0e04160414911962ad5b17a730fbf0de3925b1bd8cb9b85127300d06092a864886f70d01010b050003820201007c0a60820041b52dcc39e5f4db6bce008a9c0c89e6727453b96dc221e54c975a0599e8e3f88dbffa2da89f10c2e34420b4994d781ba3eb3d4fa265088869eed7e446af866113100f096cb2028e20f873d63af9b80cb78b3310f899d9200b3908f5d01af81ca41fcbf3af6de7516cb6b1a7daa50c6e2a2604addee8a40c82526abc7a9a9804417bb4d1464d92211851f78ef215c65eb65bb439e4b9a8950ed33ab3dc98a5ca3217114eace46b120562688ecfdc425a0d8988e880d420f69204ce86ad532268835810c04bd6fda3662f2b5c3634c95b19ff40c021088204d36f4f53634394a7d44f8ef99062a830feac1bc1a0fb08eb275f74ab49babe582fe3a89092b678badc7bcdbcedac0871df053110dc670fcd5f56dcf2e2b27b9382b70a50d1de232f87a6b97c05bfc4ea51b661db1252872cb9edcab0dea5a804eb3f596cdadbdfc7ba7f0f5e442865ea7063fc5cfbd9c8d4d68a33c36a852a89353265bd78fbcdbde67696dedd847d0644973eba2537b97928ec79e2027b909eebeaa25826ec74dc7c8f335d4aa78c1f767d51b02d944396b00ba7e0ff75c4d87655932a898cac2a8789c56a22b910c57b0c7438a09c7d724983c3aa41bc36a83e8917cb375f27bda7fb525f1c63fec28ae472228d95d82a617e89e233eb08810806bb43b5ae10c4fd744f277d445bb5dd7984f12622fd55efadfde7ae241f019fe748160301014b0c0001470300174104356f9c0ffc364039f66ce9ba8838433a255ea2a399b34afbecaa477b7942a55279ca97694b8f9bf039e0cfb476d1d5b7addccdfb40abfd08e74a23a89104c93501002e556ff2c5c79a3c84eae2e8a77fcb7263c10644d4b699a1d5ea92aa93a2c37fb98d01b49885178ef67475a7bfa4c53029c5ff0d9ca42702cc6e7e8ba9cc7149442ed24e26f5ecb814be162323a3f86596628d2357842d946bfb18bcf0eef9421dbe502d58003cc6edfa496b89c0d24c5e04cb7006be2e797a17a603e9ed8d91bfdff22a264a12245e96a6538b148658affc8899f72a0cfd57ecde4d06fcb40957c6b416b686579c01f6415f69b7064f3fdd2e12d8ba96fe861c2c08
(4,1) Message-Authenticator = 0x00000000000000000000000000000000
(4,1) State = 0x04073800aecc10fa3b39393138ab9701
(4,1) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 81 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293
(5) User-Name = "testuser@realm"
(5) Chargeable-User-Identity = 0x00
(5) Location-Capable = Civix-Location
(5) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(5) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(5) NAS-Port = 13
(5) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(5) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(5) NAS-IP-Address = Y.Y.Y.Y
(5) NAS-Identifier = "WM13"
(5) Airespace-Wlan-Id = 8
(5) Service-Type = Framed-User
(5) Framed-MTU = 1300
(5) NAS-Port-Type = Wireless-802.11
(5) Tunnel-Type:0 = VLAN
(5) Tunnel-Medium-Type:0 = IEEE-802
(5) Tunnel-Private-Group-Id:0 = "446"
(5) EAP-Message = 0x020500061900
(5) State = 0x04073800aecc10fa3b39393138ab9701
(5) Message-Authenticator = 0x71120286c728aae1154c25c60db52811
(5,1) Running section authorize from file /etc/raddb/sites-enabled/default
(5,1) authorize {
(5,1) local_rewrite_called_station_id {
(5,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(5,1) update request {
(5,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(5,1) --> 64:AE:0C:91:42:60
(5,1) &Called-Station-Id := 64:AE:0C:91:42:60
(5,1) } # update request (noop)
(5,1) if ("%{8}") {
(5,1) EXPAND %{8}
(5,1) --> RADIUS-TEST
(5,1) update request {
(5,1) EXPAND %{8}
(5,1) --> RADIUS-TEST
(5,1) &Called-Station-SSID := RADIUS-TEST
(5,1) } # update request (noop)
(5,1) } # if ("%{8}") (noop)
(5,1) updated (updated)
(5,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(5,1) else {
(5,1) ... skipping else for request 5: Preceding "if" was taken
(5,1) }
(5,1) } # local_rewrite_called_station_id (updated)
(5,1) local_rewrite_calling_station_id {
(5,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(5,1) update request {
(5,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(5,1) --> A4:D1:8C:E4:9F:22
(5,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(5,1) } # update request (noop)
(5,1) updated (updated)
(5,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(5,1) else {
(5,1) ... skipping else for request 5: Preceding "if" was taken
(5,1) }
(5,1) } # local_rewrite_calling_station_id (updated)
(5,1) filter_username {
(5,1) if (&User-Name) {
(5,1) if (&User-Name =~ / /) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /@[^@]*@/ ) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /\.\./ ) {
(5,1) ...
(5,1) }
(5,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /\.$/) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /(a)\./) {
(5,1) ...
(5,1) }
(5,1) } # if (&User-Name) (updated)
(5,1) } # filter_username (updated)
(5,1) bad_realms {
(5,1) if (&User-Name =~ /\.ax\.uk$/i) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(5,1) ...
(5,1) }
(5,1) if (&User-Name =~ /myabc\.com$/i) {
(5,1) ...
(5,1) }
(5,1) } # bad_realms (updated)
(5,1) preprocess (ok)
(5,1) operator-name.authorize {
(5,1) if ("%{client:Operator-Name}") {
(5,1) EXPAND %{client:Operator-Name}
(5,1) --> 1realm.ac.uk
(5,1) update request {
(5,1) EXPAND %{client:Operator-Name}
(5,1) --> 1realm.ac.uk
(5,1) &Operator-Name = 1realm.ac.uk
(5,1) } # update request (noop)
(5,1) } # if ("%{client:Operator-Name}") (noop)
(5,1) } # operator-name.authorize (noop)
(5,1) suffix - Checking for suffix after "@"
(5,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(5,1) suffix - Found realm "realm.ac.uk"
(5,1) suffix - Adding Stripped-User-Name = "testuser"
(5,1) suffix - Adding Realm = "realm.ac.uk"
(5,1) suffix - Authentication realm is LOCAL
(5,1) suffix (ok)
(5,1) if (&Realm) {
(5,1) update control {
(5,1) &control:Proxy-To-Realm := LOCAL
(5,1) } # update control (noop)
(5,1) } # if (&Realm) (noop)
(5,1) else {
(5,1) ... skipping else for request 5: Preceding "if" was taken
(5,1) }
(5,1) if (&Realm) {
(5,1) if (&Stripped-User-Name != "") {
(5,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(5,1) EXPAND %{tolower:%{Stripped-User-Name}}
(5,1) --> testuser
(5,1) ...
(5,1) }
(5,1) group {
(5,1) check_blacklist (ok)
(5,1) if (&control:Local-Banned-User) {
(5,1) ...
(5,1) }
(5,1) else {
(5,1) noop (noop)
(5,1) } # else (noop)
(5,1) } # group (ok)
(5,1) } # if (&Stripped-User-Name != "") (ok)
(5,1) } # if (&Realm) (ok)
(5,1) eap - Peer sent EAP Response (code 2) ID 5 length 6
(5,1) eap - Continuing tunnel setup
(5,1) eap (ok)
(5,1) } # authorize (ok)
(5,1) Using 'Auth-Type = eap' for authenticate {...}
(5,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(5,1) Auth-Type eap {
(5,1) eap - Peer sent packet with EAP method PEAP (25)
(5,1) eap - Calling submodule eap_peap to process data
(5,1) eap_peap - Continuing EAP-TLS
(5,1) eap_peap - Peer ACKed our handshake fragment
(5,1) eap_peap - [eap-tls verify] = request
(5,1) eap_peap - Sending final TLS record fragment (77 bytes)
(5,1) eap_peap - [eap-tls process] = handled
(5,1) eap - Sending EAP Request (code 1) ID 6 length 83
(5,1) eap (handled)
(5,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(5,1) EXPAND Response-Packet-Type
(5,1) --> Access-Challenge
(5,1) attr_filter.access_challenge - EXPAND %{User-Name}
(5,1) attr_filter.access_challenge - --> testuser@realm
(5,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(5,1) attr_filter.access_challenge.post-auth (updated)
(5,1) handled (handled)
(5,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(5,1) } # Auth-Type eap (handled)
(5,1) Using Post-Auth-Type Challenge
(5,1) Post-Auth-Type sub-section not found. Ignoring.
(5,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(5,1) Sent Access-Challenge Id 81 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(5,1) EAP-Message = 0x0106005319004e06bbcfa59586d7b2ff4301f7a4dced7726344b96c142ba4f7edda40388cd1960d4509a41a041f4a249841cb2d310f71b7289440659999943f6e9e8d339d98ba10c468116030100040e000000
(5,1) Message-Authenticator = 0x00000000000000000000000000000000
(5,1) State = 0x050138003637b8d43b39393138ab9701
(5,1) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 82 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 431
(6) User-Name = "testuser@realm"
(6) Chargeable-User-Identity = 0x00
(6) Location-Capable = Civix-Location
(6) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(6) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(6) NAS-Port = 13
(6) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(6) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(6) NAS-IP-Address = Y.Y.Y.Y
(6) NAS-Identifier = "WM13"
(6) Airespace-Wlan-Id = 8
(6) Service-Type = Framed-User
(6) Framed-MTU = 1300
(6) NAS-Port-Type = Wireless-802.11
(6) Tunnel-Type:0 = VLAN
(6) Tunnel-Medium-Type:0 = IEEE-802
(6) Tunnel-Private-Group-Id:0 = "446"
(6) EAP-Message = 0x0206009019800000008616030100461000004241042a5475e41a0623c852b7ef77add0a1b3f495bfe644190191922bd6567c29c76dd46784c71d47f29e9688a6fe7998febd4ebee0a3b1dd33fe0b604b4c3ec38308140301000101160301003048686a4b033d40f5f9526b1c98c9c4ea528ac0c54e84251ef82fb6efe6c197f662f7468f1631afe64f0846e6f63ad3bf
(6) State = 0x050138003637b8d43b39393138ab9701
(6) Message-Authenticator = 0x8c61c24db4bce0512a7cfd792ebe1ec6
(6,1) Running section authorize from file /etc/raddb/sites-enabled/default
(6,1) authorize {
(6,1) local_rewrite_called_station_id {
(6,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(6,1) update request {
(6,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(6,1) --> 64:AE:0C:91:42:60
(6,1) &Called-Station-Id := 64:AE:0C:91:42:60
(6,1) } # update request (noop)
(6,1) if ("%{8}") {
(6,1) EXPAND %{8}
(6,1) --> RADIUS-TEST
(6,1) update request {
(6,1) EXPAND %{8}
(6,1) --> RADIUS-TEST
(6,1) &Called-Station-SSID := RADIUS-TEST
(6,1) } # update request (noop)
(6,1) } # if ("%{8}") (noop)
(6,1) updated (updated)
(6,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(6,1) else {
(6,1) ... skipping else for request 6: Preceding "if" was taken
(6,1) }
(6,1) } # local_rewrite_called_station_id (updated)
(6,1) local_rewrite_calling_station_id {
(6,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(6,1) update request {
(6,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(6,1) --> A4:D1:8C:E4:9F:22
(6,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(6,1) } # update request (noop)
(6,1) updated (updated)
(6,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(6,1) else {
(6,1) ... skipping else for request 6: Preceding "if" was taken
(6,1) }
(6,1) } # local_rewrite_calling_station_id (updated)
(6,1) filter_username {
(6,1) if (&User-Name) {
(6,1) if (&User-Name =~ / /) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /@[^@]*@/ ) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /\.\./ ) {
(6,1) ...
(6,1) }
(6,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /\.$/) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /(a)\./) {
(6,1) ...
(6,1) }
(6,1) } # if (&User-Name) (updated)
(6,1) } # filter_username (updated)
(6,1) bad_realms {
(6,1) if (&User-Name =~ /\.ax\.uk$/i) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(6,1) ...
(6,1) }
(6,1) if (&User-Name =~ /myabc\.com$/i) {
(6,1) ...
(6,1) }
(6,1) } # bad_realms (updated)
(6,1) preprocess (ok)
(6,1) operator-name.authorize {
(6,1) if ("%{client:Operator-Name}") {
(6,1) EXPAND %{client:Operator-Name}
(6,1) --> 1realm.ac.uk
(6,1) update request {
(6,1) EXPAND %{client:Operator-Name}
(6,1) --> 1realm.ac.uk
(6,1) &Operator-Name = 1realm.ac.uk
(6,1) } # update request (noop)
(6,1) } # if ("%{client:Operator-Name}") (noop)
(6,1) } # operator-name.authorize (noop)
(6,1) suffix - Checking for suffix after "@"
(6,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(6,1) suffix - Found realm "realm.ac.uk"
(6,1) suffix - Adding Stripped-User-Name = "testuser"
(6,1) suffix - Adding Realm = "realm.ac.uk"
(6,1) suffix - Authentication realm is LOCAL
(6,1) suffix (ok)
(6,1) if (&Realm) {
(6,1) update control {
(6,1) &control:Proxy-To-Realm := LOCAL
(6,1) } # update control (noop)
(6,1) } # if (&Realm) (noop)
(6,1) else {
(6,1) ... skipping else for request 6: Preceding "if" was taken
(6,1) }
(6,1) if (&Realm) {
(6,1) if (&Stripped-User-Name != "") {
(6,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(6,1) EXPAND %{tolower:%{Stripped-User-Name}}
(6,1) --> testuser
(6,1) ...
(6,1) }
(6,1) group {
(6,1) check_blacklist (ok)
(6,1) if (&control:Local-Banned-User) {
(6,1) ...
(6,1) }
(6,1) else {
(6,1) noop (noop)
(6,1) } # else (noop)
(6,1) } # group (ok)
(6,1) } # if (&Stripped-User-Name != "") (ok)
(6,1) } # if (&Realm) (ok)
(6,1) eap - Peer sent EAP Response (code 2) ID 6 length 144
(6,1) eap - Continuing tunnel setup
(6,1) eap (ok)
(6,1) } # authorize (ok)
(6,1) Using 'Auth-Type = eap' for authenticate {...}
(6,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(6,1) Auth-Type eap {
(6,1) eap - Peer sent packet with EAP method PEAP (25)
(6,1) eap - Calling submodule eap_peap to process data
(6,1) eap_peap - Continuing EAP-TLS
(6,1) eap_peap - Peer indicated complete TLS record size will be 134 bytes
(6,1) eap_peap - Got complete TLS record, with length field (134 bytes)
(6,1) eap_peap - [eap-tls verify] = complete
(6,1) eap_peap - <<< recv handshake [length 70], client_key_exchange
(6,1) eap_peap - Handshake state - Server SSLv3 read client key exchange A
(6,1) eap_peap - <<< recv change_cipher_spec [length 1]
(6,1) eap_peap - <<< recv handshake [length 16], finished
(6,1) eap_peap - Handshake state - Server SSLv3 read finished A
(6,1) eap_peap - >>> send change_cipher_spec [length 1]
(6,1) eap_peap - Handshake state - Server SSLv3 write change cipher spec A
(6,1) eap_peap - >>> send handshake [length 16], finished
(6,1) eap_peap - Handshake state - Server SSLv3 write finished A
(6,1) eap_peap - Handshake state - Server SSLv3 flush data
(6,1) eap_peap - Handshake state - SSL negotiation finished successfully
(6,1) eap_peap - Cipher suite: CDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
(6,1) eap_peap - Sending complete TLS record (59 bytes)
(6,1) eap_peap - [eap-tls process] = handled
(6,1) eap - Sending EAP Request (code 1) ID 7 length 65
(6,1) eap (handled)
(6,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(6,1) EXPAND Response-Packet-Type
(6,1) --> Access-Challenge
(6,1) attr_filter.access_challenge - EXPAND %{User-Name}
(6,1) attr_filter.access_challenge - --> testuser@realm
(6,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(6,1) attr_filter.access_challenge.post-auth (updated)
(6,1) handled (handled)
(6,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(6,1) } # Auth-Type eap (handled)
(6,1) Using Post-Auth-Type Challenge
(6,1) Post-Auth-Type sub-section not found. Ignoring.
(6,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(6,1) Sent Access-Challenge Id 82 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(6,1) EAP-Message = 0x01070041190014030100010116030100306c8dcb9afcb8f73b414f202b96d6efd0bab2bd9ad150291d1ce462a9f4c7055f7c55a31447a4b2d6e724095cfc6c65d1
(6,1) Message-Authenticator = 0x00000000000000000000000000000000
(6,1) State = 0x06033800aecc10fa3b39393138ab9701
(6,1) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 83 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293
(7) User-Name = "testuser@realm"
(7) Chargeable-User-Identity = 0x00
(7) Location-Capable = Civix-Location
(7) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(7) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(7) NAS-Port = 13
(7) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(7) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(7) NAS-IP-Address = Y.Y.Y.Y
(7) NAS-Identifier = "WM13"
(7) Airespace-Wlan-Id = 8
(7) Service-Type = Framed-User
(7) Framed-MTU = 1300
(7) NAS-Port-Type = Wireless-802.11
(7) Tunnel-Type:0 = VLAN
(7) Tunnel-Medium-Type:0 = IEEE-802
(7) Tunnel-Private-Group-Id:0 = "446"
(7) EAP-Message = 0x020700061900
(7) State = 0x06033800aecc10fa3b39393138ab9701
(7) Message-Authenticator = 0x555162762d19bd82d35f798dba8e28aa
(7,1) Running section authorize from file /etc/raddb/sites-enabled/default
(7,1) authorize {
(7,1) local_rewrite_called_station_id {
(7,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(7,1) update request {
(7,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(7,1) --> 64:AE:0C:91:42:60
(7,1) &Called-Station-Id := 64:AE:0C:91:42:60
(7,1) } # update request (noop)
(7,1) if ("%{8}") {
(7,1) EXPAND %{8}
(7,1) --> RADIUS-TEST
(7,1) update request {
(7,1) EXPAND %{8}
(7,1) --> RADIUS-TEST
(7,1) &Called-Station-SSID := RADIUS-TEST
(7,1) } # update request (noop)
(7,1) } # if ("%{8}") (noop)
(7,1) updated (updated)
(7,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(7,1) else {
(7,1) ... skipping else for request 7: Preceding "if" was taken
(7,1) }
(7,1) } # local_rewrite_called_station_id (updated)
(7,1) local_rewrite_calling_station_id {
(7,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(7,1) update request {
(7,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(7,1) --> A4:D1:8C:E4:9F:22
(7,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(7,1) } # update request (noop)
(7,1) updated (updated)
(7,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(7,1) else {
(7,1) ... skipping else for request 7: Preceding "if" was taken
(7,1) }
(7,1) } # local_rewrite_calling_station_id (updated)
(7,1) filter_username {
(7,1) if (&User-Name) {
(7,1) if (&User-Name =~ / /) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /@[^@]*@/ ) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /\.\./ ) {
(7,1) ...
(7,1) }
(7,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /\.$/) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /(a)\./) {
(7,1) ...
(7,1) }
(7,1) } # if (&User-Name) (updated)
(7,1) } # filter_username (updated)
(7,1) bad_realms {
(7,1) if (&User-Name =~ /\.ax\.uk$/i) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(7,1) ...
(7,1) }
(7,1) if (&User-Name =~ /myabc\.com$/i) {
(7,1) ...
(7,1) }
(7,1) } # bad_realms (updated)
(7,1) preprocess (ok)
(7,1) operator-name.authorize {
(7,1) if ("%{client:Operator-Name}") {
(7,1) EXPAND %{client:Operator-Name}
(7,1) --> 1realm.ac.uk
(7,1) update request {
(7,1) EXPAND %{client:Operator-Name}
(7,1) --> 1realm.ac.uk
(7,1) &Operator-Name = 1realm.ac.uk
(7,1) } # update request (noop)
(7,1) } # if ("%{client:Operator-Name}") (noop)
(7,1) } # operator-name.authorize (noop)
(7,1) suffix - Checking for suffix after "@"
(7,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(7,1) suffix - Found realm "realm.ac.uk"
(7,1) suffix - Adding Stripped-User-Name = "testuser"
(7,1) suffix - Adding Realm = "realm.ac.uk"
(7,1) suffix - Authentication realm is LOCAL
(7,1) suffix (ok)
(7,1) if (&Realm) {
(7,1) update control {
(7,1) &control:Proxy-To-Realm := LOCAL
(7,1) } # update control (noop)
(7,1) } # if (&Realm) (noop)
(7,1) else {
(7,1) ... skipping else for request 7: Preceding "if" was taken
(7,1) }
(7,1) if (&Realm) {
(7,1) if (&Stripped-User-Name != "") {
(7,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(7,1) EXPAND %{tolower:%{Stripped-User-Name}}
(7,1) --> testuser
(7,1) ...
(7,1) }
(7,1) group {
(7,1) check_blacklist (ok)
(7,1) if (&control:Local-Banned-User) {
(7,1) ...
(7,1) }
(7,1) else {
(7,1) noop (noop)
(7,1) } # else (noop)
(7,1) } # group (ok)
(7,1) } # if (&Stripped-User-Name != "") (ok)
(7,1) } # if (&Realm) (ok)
(7,1) eap - Peer sent EAP Response (code 2) ID 7 length 6
(7,1) eap - Continuing tunnel setup
(7,1) eap (ok)
(7,1) } # authorize (ok)
(7,1) Using 'Auth-Type = eap' for authenticate {...}
(7,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(7,1) Auth-Type eap {
(7,1) eap - Peer sent packet with EAP method PEAP (25)
(7,1) eap - Calling submodule eap_peap to process data
(7,1) eap_peap - Continuing EAP-TLS
(7,1) eap_peap - Peer ACKed our handshake fragment. handshake is finished
(7,1) eap_peap - [eap-tls verify] = established
(7,1) eap_peap - [eap-tls process] = established
(7,1) eap_peap - Session established. Decoding tunneled data
(7,1) eap_peap - PEAP state TUNNEL ESTABLISHED
(7,1) eap_peap - TLS application data to encrypt (5 bytes)
(7,1) eap_peap - Sending complete TLS record (37 bytes)
(7,1) eap - Sending EAP Request (code 1) ID 8 length 43
(7,1) eap (handled)
(7,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(7,1) EXPAND Response-Packet-Type
(7,1) --> Access-Challenge
(7,1) attr_filter.access_challenge - EXPAND %{User-Name}
(7,1) attr_filter.access_challenge - --> testuser@realm
(7,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(7,1) attr_filter.access_challenge.post-auth (updated)
(7,1) handled (handled)
(7,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(7,1) } # Auth-Type eap (handled)
(7,1) Using Post-Auth-Type Challenge
(7,1) Post-Auth-Type sub-section not found. Ignoring.
(7,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(7,1) Sent Access-Challenge Id 83 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(7,1) EAP-Message = 0x0108002b1900170301002029a24f1d8456037b9aeceb8fbc4df51362f49d1b863dae0ea1e7e356cad48d55
(7,1) Message-Authenticator = 0x00000000000000000000000000000000
(7,1) State = 0x070138003637b8d43b39393138ab9701
(7,1) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 84 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 346
(8) User-Name = "testuser@realm"
(8) Chargeable-User-Identity = 0x00
(8) Location-Capable = Civix-Location
(8) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(8) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(8) NAS-Port = 13
(8) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(8) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(8) NAS-IP-Address = Y.Y.Y.Y
(8) NAS-Identifier = "WM13"
(8) Airespace-Wlan-Id = 8
(8) Service-Type = Framed-User
(8) Framed-MTU = 1300
(8) NAS-Port-Type = Wireless-802.11
(8) Tunnel-Type:0 = VLAN
(8) Tunnel-Medium-Type:0 = IEEE-802
(8) Tunnel-Private-Group-Id:0 = "446"
(8) EAP-Message = 0x0208003b1900170301003012630f02d6ebc7a949180390128f6ca3bd2643ce89f12b1ea709648094fa2265ecdef69755c881656faf5d6debdb50f2
(8) State = 0x070138003637b8d43b39393138ab9701
(8) Message-Authenticator = 0x19dac562b9479efa42ea2766dc140211
(8,1) Running section authorize from file /etc/raddb/sites-enabled/default
(8,1) authorize {
(8,1) local_rewrite_called_station_id {
(8,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(8,1) update request {
(8,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(8,1) --> 64:AE:0C:91:42:60
(8,1) &Called-Station-Id := 64:AE:0C:91:42:60
(8,1) } # update request (noop)
(8,1) if ("%{8}") {
(8,1) EXPAND %{8}
(8,1) --> RADIUS-TEST
(8,1) update request {
(8,1) EXPAND %{8}
(8,1) --> RADIUS-TEST
(8,1) &Called-Station-SSID := RADIUS-TEST
(8,1) } # update request (noop)
(8,1) } # if ("%{8}") (noop)
(8,1) updated (updated)
(8,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(8,1) else {
(8,1) ... skipping else for request 8: Preceding "if" was taken
(8,1) }
(8,1) } # local_rewrite_called_station_id (updated)
(8,1) local_rewrite_calling_station_id {
(8,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(8,1) update request {
(8,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(8,1) --> A4:D1:8C:E4:9F:22
(8,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(8,1) } # update request (noop)
(8,1) updated (updated)
(8,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(8,1) else {
(8,1) ... skipping else for request 8: Preceding "if" was taken
(8,1) }
(8,1) } # local_rewrite_calling_station_id (updated)
(8,1) filter_username {
(8,1) if (&User-Name) {
(8,1) if (&User-Name =~ / /) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /@[^@]*@/ ) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /\.\./ ) {
(8,1) ...
(8,1) }
(8,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /\.$/) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /(a)\./) {
(8,1) ...
(8,1) }
(8,1) } # if (&User-Name) (updated)
(8,1) } # filter_username (updated)
(8,1) bad_realms {
(8,1) if (&User-Name =~ /\.ax\.uk$/i) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /myabc\.com$/i) {
(8,1) ...
(8,1) }
(8,1) } # bad_realms (updated)
(8,1) preprocess (ok)
(8,1) operator-name.authorize {
(8,1) if ("%{client:Operator-Name}") {
(8,1) EXPAND %{client:Operator-Name}
(8,1) --> 1realm.ac.uk
(8,1) update request {
(8,1) EXPAND %{client:Operator-Name}
(8,1) --> 1realm.ac.uk
(8,1) &Operator-Name = 1realm.ac.uk
(8,1) } # update request (noop)
(8,1) } # if ("%{client:Operator-Name}") (noop)
(8,1) } # operator-name.authorize (noop)
(8,1) suffix - Checking for suffix after "@"
(8,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(8,1) suffix - Found realm "realm.ac.uk"
(8,1) suffix - Adding Stripped-User-Name = "testuser"
(8,1) suffix - Adding Realm = "realm.ac.uk"
(8,1) suffix - Authentication realm is LOCAL
(8,1) suffix (ok)
(8,1) if (&Realm) {
(8,1) update control {
(8,1) &control:Proxy-To-Realm := LOCAL
(8,1) } # update control (noop)
(8,1) } # if (&Realm) (noop)
(8,1) else {
(8,1) ... skipping else for request 8: Preceding "if" was taken
(8,1) }
(8,1) if (&Realm) {
(8,1) if (&Stripped-User-Name != "") {
(8,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(8,1) EXPAND %{tolower:%{Stripped-User-Name}}
(8,1) --> testuser
(8,1) ...
(8,1) }
(8,1) group {
(8,1) check_blacklist (ok)
(8,1) if (&control:Local-Banned-User) {
(8,1) ...
(8,1) }
(8,1) else {
(8,1) noop (noop)
(8,1) } # else (noop)
(8,1) } # group (ok)
(8,1) } # if (&Stripped-User-Name != "") (ok)
(8,1) } # if (&Realm) (ok)
(8,1) eap - Peer sent EAP Response (code 2) ID 8 length 59
(8,1) eap - Continuing tunnel setup
(8,1) eap (ok)
(8,1) } # authorize (ok)
(8,1) Using 'Auth-Type = eap' for authenticate {...}
(8,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(8,1) Auth-Type eap {
(8,1) eap - Peer sent packet with EAP method PEAP (25)
(8,1) eap - Calling submodule eap_peap to process data
(8,1) eap_peap - Continuing EAP-TLS
(8,1) eap_peap - Got complete TLS record (53 bytes)
(8,1) eap_peap - [eap-tls verify] = complete
(8,1) eap_peap - Decrypted TLS application data (19 bytes)
(8,1) eap_peap - [eap-tls process] = complete
(8,1) eap_peap - Session established. Decoding tunneled data
(8,1) eap_peap - PEAP state WAITING FOR INNER IDENTITY
(8,1) eap_peap - Received EAP-Identity-Response
(8,1) eap_peap - Got inner identity 'testuser@realm'
(8,1) eap_peap - Got tunneled request
(8,1) eap_peap - &EAP-Message = 0x020800170165636c366368406c656564732e61632e756b
(8,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser@realm"
(8,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel"
(8,1) Virtual server inner-tunnel received request
(8,1) &EAP-Message = 0x020800170165636c366368406c656564732e61632e756b
(8,1) &FreeRADIUS-Proxied-To = 127.0.0.1
(8,1) &User-Name = "testuser@realm"
(8,1) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8,1) server inner-tunnel {
(8,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8,1) authorize {
(8,1) filter_username {
(8,1) if (&User-Name) {
(8,1) if (&User-Name =~ / /) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /@[^@]*@/ ) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /\.\./ ) {
(8,1) ...
(8,1) }
(8,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /\.$/) {
(8,1) ...
(8,1) }
(8,1) if (&User-Name =~ /(a)\./) {
(8,1) ...
(8,1) }
(8,1) } # if (&User-Name) (notfound)
(8,1) } # filter_username (notfound)
(8,1) local_filter_inner_identity {
(8,1) if (!&outer.request:User-Name || !&User-Name) {
(8,1) ...
(8,1) }
(8,1) if (&outer.request:User-Name != &User-Name) {
(8,1) ...
(8,1) }
(8,1) } # local_filter_inner_identity (notfound)
(8,1) chap (noop)
(8,1) if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) {
(8,1) mschap-ds (noop)
(8,1) } # if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) (noop)
(8,1) elsif (&outer.request:User-Name =~ /(a)admin\.realm\.ac\.uk$/i) {
(8,1) ... skipping elsif for request 8: Preceding "if" was taken
(8,1) }
(8,1) suffix - Checking for suffix after "@"
(8,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(8,1) suffix - Found realm "realm.ac.uk"
(8,1) suffix - Adding Stripped-User-Name = "testuser"
(8,1) suffix - Adding Realm = "realm.ac.uk"
(8,1) suffix - Authentication realm is LOCAL
(8,1) suffix (ok)
(8,1) if (&User-Name =~ /^@/) {
(8,1) ...
(8,1) }
(8,1) if (!(&Stripped-User-Name)) {
(8,1) ...
(8,1) }
(8,1) else {
(8,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(8,1) EXPAND %{tolower:%{Stripped-User-Name}}
(8,1) --> testuser
(8,1) ...
(8,1) }
(8,1) } # else (ok)
(8,1) group {
(8,1) check_blacklist (ok)
(8,1) if (&control:Local-Banned-User) {
(8,1) ...
(8,1) }
(8,1) else {
(8,1) noop (noop)
(8,1) } # else (noop)
(8,1) } # group (ok)
(8,1) update control {
(8,1) &control:Proxy-To-Realm := LOCAL
(8,1) } # update control (noop)
(8,1) eap - Peer sent EAP Response (code 2) ID 8 length 23
(8,1) eap - Peer sent EAP-Identity. Returning 'ok' so we can short-circuit the rest of authorize
(8,1) eap (ok)
(8,1) } # authorize (ok)
(8,1) Using 'Auth-Type = eap' for authenticate {...}
(8,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel
(8,1) Auth-Type eap {
(8,1) eap - Peer sent packet with EAP method Identity (1)
(8,1) eap - Calling submodule eap_peap to process data
(8,1) eap_peap - Initiating new TLS session
(8,1) eap - Sending EAP Request (code 1) ID 9 length 6
(8,1) eap (handled)
(8,1) } # Auth-Type eap (handled)
(8,1) } # server inner-tunnel
(8,1) Virtual server sending reply
(8,1) &EAP-Message = 0x010900061920
(8,1) &Message-Authenticator = 0x00000000000000000000000000000000
(8,1) eap_peap - Got tunneled reply Access-Challenge
(8,1) eap_peap - &EAP-Message = 0x010900061920
(8,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000
(8,1) eap_peap - Got tunneled Access-Challenge
(8,1) eap_peap - TLS application data to encrypt (2 bytes)
(8,1) eap_peap - Sending complete TLS record (37 bytes)
(8,1) eap - Sending EAP Request (code 1) ID 9 length 43
(8,1) eap (handled)
(8,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(8,1) EXPAND Response-Packet-Type
(8,1) --> Access-Challenge
(8,1) attr_filter.access_challenge - EXPAND %{User-Name}
(8,1) attr_filter.access_challenge - --> testuser@realm
(8,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(8,1) attr_filter.access_challenge.post-auth (updated)
(8,1) handled (handled)
(8,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(8,1) } # Auth-Type eap (handled)
(8,1) Using Post-Auth-Type Challenge
(8,1) Post-Auth-Type sub-section not found. Ignoring.
(8,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(8,1) Sent Access-Challenge Id 84 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(8,1) EAP-Message = 0x0109002b1900170301002082145b33c41958c36bec8f18c2f9da22934d020d4e6d14b2a45a7258b2f336af
(8,1) Message-Authenticator = 0x00000000000000000000000000000000
(8,1) State = 0x080f3800aecc10fa3b39393138ab9701
(8,1) Finished request
Waking up in 4.8 seconds.
(9) Received Access-Request Id 85 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 330
(9) User-Name = "testuser@realm"
(9) Chargeable-User-Identity = 0x00
(9) Location-Capable = Civix-Location
(9) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(9) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(9) NAS-Port = 13
(9) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(9) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(9) NAS-IP-Address = Y.Y.Y.Y
(9) NAS-Identifier = "WM13"
(9) Airespace-Wlan-Id = 8
(9) Service-Type = Framed-User
(9) Framed-MTU = 1300
(9) NAS-Port-Type = Wireless-802.11
(9) Tunnel-Type:0 = VLAN
(9) Tunnel-Medium-Type:0 = IEEE-802
(9) Tunnel-Private-Group-Id:0 = "446"
(9) EAP-Message = 0x0209002b19001703010020b5d3b91965958352c3a2297f539ee8f56616a107a36423c6b065b5bf73f4c0de
(9) State = 0x080f3800aecc10fa3b39393138ab9701
(9) Message-Authenticator = 0x1e0662ee3ffb7f6c36d8f70ecd544acf
(9,1) Running section authorize from file /etc/raddb/sites-enabled/default
(9,1) authorize {
(9,1) local_rewrite_called_station_id {
(9,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(9,1) update request {
(9,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(9,1) --> 64:AE:0C:91:42:60
(9,1) &Called-Station-Id := 64:AE:0C:91:42:60
(9,1) } # update request (noop)
(9,1) if ("%{8}") {
(9,1) EXPAND %{8}
(9,1) --> RADIUS-TEST
(9,1) update request {
(9,1) EXPAND %{8}
(9,1) --> RADIUS-TEST
(9,1) &Called-Station-SSID := RADIUS-TEST
(9,1) } # update request (noop)
(9,1) } # if ("%{8}") (noop)
(9,1) updated (updated)
(9,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(9,1) else {
(9,1) ... skipping else for request 9: Preceding "if" was taken
(9,1) }
(9,1) } # local_rewrite_called_station_id (updated)
(9,1) local_rewrite_calling_station_id {
(9,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(9,1) update request {
(9,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(9,1) --> A4:D1:8C:E4:9F:22
(9,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(9,1) } # update request (noop)
(9,1) updated (updated)
(9,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(9,1) else {
(9,1) ... skipping else for request 9: Preceding "if" was taken
(9,1) }
(9,1) } # local_rewrite_calling_station_id (updated)
(9,1) filter_username {
(9,1) if (&User-Name) {
(9,1) if (&User-Name =~ / /) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /@[^@]*@/ ) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /\.\./ ) {
(9,1) ...
(9,1) }
(9,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /\.$/) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /(a)\./) {
(9,1) ...
(9,1) }
(9,1) } # if (&User-Name) (updated)
(9,1) } # filter_username (updated)
(9,1) bad_realms {
(9,1) if (&User-Name =~ /\.ax\.uk$/i) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /myabc\.com$/i) {
(9,1) ...
(9,1) }
(9,1) } # bad_realms (updated)
(9,1) preprocess (ok)
(9,1) operator-name.authorize {
(9,1) if ("%{client:Operator-Name}") {
(9,1) EXPAND %{client:Operator-Name}
(9,1) --> 1realm.ac.uk
(9,1) update request {
(9,1) EXPAND %{client:Operator-Name}
(9,1) --> 1realm.ac.uk
(9,1) &Operator-Name = 1realm.ac.uk
(9,1) } # update request (noop)
(9,1) } # if ("%{client:Operator-Name}") (noop)
(9,1) } # operator-name.authorize (noop)
(9,1) suffix - Checking for suffix after "@"
(9,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(9,1) suffix - Found realm "realm.ac.uk"
(9,1) suffix - Adding Stripped-User-Name = "testuser"
(9,1) suffix - Adding Realm = "realm.ac.uk"
(9,1) suffix - Authentication realm is LOCAL
(9,1) suffix (ok)
(9,1) if (&Realm) {
(9,1) update control {
(9,1) &control:Proxy-To-Realm := LOCAL
(9,1) } # update control (noop)
(9,1) } # if (&Realm) (noop)
(9,1) else {
(9,1) ... skipping else for request 9: Preceding "if" was taken
(9,1) }
(9,1) if (&Realm) {
(9,1) if (&Stripped-User-Name != "") {
(9,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(9,1) EXPAND %{tolower:%{Stripped-User-Name}}
(9,1) --> testuser
(9,1) ...
(9,1) }
(9,1) group {
(9,1) check_blacklist (ok)
(9,1) if (&control:Local-Banned-User) {
(9,1) ...
(9,1) }
(9,1) else {
(9,1) noop (noop)
(9,1) } # else (noop)
(9,1) } # group (ok)
(9,1) } # if (&Stripped-User-Name != "") (ok)
(9,1) } # if (&Realm) (ok)
(9,1) eap - Peer sent EAP Response (code 2) ID 9 length 43
(9,1) eap - Continuing tunnel setup
(9,1) eap (ok)
(9,1) } # authorize (ok)
(9,1) Using 'Auth-Type = eap' for authenticate {...}
(9,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(9,1) Auth-Type eap {
(9,1) eap - Peer sent packet with EAP method PEAP (25)
(9,1) eap - Calling submodule eap_peap to process data
(9,1) eap_peap - Continuing EAP-TLS
(9,1) eap_peap - Got complete TLS record (37 bytes)
(9,1) eap_peap - [eap-tls verify] = complete
(9,1) eap_peap - Decrypted TLS application data (2 bytes)
(9,1) eap_peap - [eap-tls process] = complete
(9,1) eap_peap - Session established. Decoding tunneled data
(9,1) eap_peap - PEAP state phase2
(9,1) eap_peap - EAP method NAK (3)
(9,1) eap_peap - Got tunneled request
(9,1) eap_peap - &EAP-Message = 0x02090006031a
(9,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser@realm"
(9,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel"
(9,1) Virtual server inner-tunnel received request
(9,1) &EAP-Message = 0x02090006031a
(9,1) &FreeRADIUS-Proxied-To = 127.0.0.1
(9,1) &User-Name = "testuser@realm"
(9,1) WARNING: Outer and inner identities are the same. User privacy is compromised.
(9,1) server inner-tunnel {
(9,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(9,1) authorize {
(9,1) filter_username {
(9,1) if (&User-Name) {
(9,1) if (&User-Name =~ / /) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /@[^@]*@/ ) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /\.\./ ) {
(9,1) ...
(9,1) }
(9,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /\.$/) {
(9,1) ...
(9,1) }
(9,1) if (&User-Name =~ /(a)\./) {
(9,1) ...
(9,1) }
(9,1) } # if (&User-Name) (notfound)
(9,1) } # filter_username (notfound)
(9,1) local_filter_inner_identity {
(9,1) if (!&outer.request:User-Name || !&User-Name) {
(9,1) ...
(9,1) }
(9,1) if (&outer.request:User-Name != &User-Name) {
(9,1) ...
(9,1) }
(9,1) } # local_filter_inner_identity (notfound)
(9,1) chap (noop)
(9,1) if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) {
(9,1) mschap-ds (noop)
(9,1) } # if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) (noop)
(9,1) elsif (&outer.request:User-Name =~ /(a)admin\.realm\.ac\.uk$/i) {
(9,1) ... skipping elsif for request 9: Preceding "if" was taken
(9,1) }
(9,1) suffix - Checking for suffix after "@"
(9,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(9,1) suffix - Found realm "realm.ac.uk"
(9,1) suffix - Adding Stripped-User-Name = "testuser"
(9,1) suffix - Adding Realm = "realm.ac.uk"
(9,1) suffix - Authentication realm is LOCAL
(9,1) suffix (ok)
(9,1) if (&User-Name =~ /^@/) {
(9,1) ...
(9,1) }
(9,1) if (!(&Stripped-User-Name)) {
(9,1) ...
(9,1) }
(9,1) else {
(9,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(9,1) EXPAND %{tolower:%{Stripped-User-Name}}
(9,1) --> testuser
(9,1) ...
(9,1) }
(9,1) } # else (ok)
(9,1) group {
(9,1) check_blacklist (ok)
(9,1) if (&control:Local-Banned-User) {
(9,1) ...
(9,1) }
(9,1) else {
(9,1) noop (noop)
(9,1) } # else (noop)
(9,1) } # group (ok)
(9,1) update control {
(9,1) &control:Proxy-To-Realm := LOCAL
(9,1) } # update control (noop)
(9,1) eap - Peer sent EAP Response (code 2) ID 9 length 6
(9,1) eap - Continuing on-going EAP conversation
(9,1) eap (updated)
(9,1) files (noop)
(9,1) expiration (noop)
(9,1) logintime (noop)
(9,1) pap (noop)
(9,1) } # authorize (updated)
(9,1) Using 'Auth-Type = eap' for authenticate {...}
(9,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel
(9,1) Auth-Type eap {
(9,1) eap - Peer sent packet with EAP method NAK (3)
(9,1) eap - Found mutually acceptable type MSCHAPv2 (26)
(9,1) eap - Calling submodule eap_mschapv2 to process data
(9,1) eap_mschapv2 - Issuing Challenge
(9,1) eap - Sending EAP Request (code 1) ID 10 length 47
(9,1) eap (handled)
(9,1) } # Auth-Type eap (handled)
(9,1) } # server inner-tunnel
(9,1) Virtual server sending reply
(9,1) &EAP-Message = 0x010a002f1a010a002a101591d608560c5c63a1d6f9157feba6cf667265657261646975732d332e312e302d64656164
(9,1) &Message-Authenticator = 0x00000000000000000000000000000000
(9,1) eap_peap - Got tunneled reply Access-Challenge
(9,1) eap_peap - &EAP-Message = 0x010a002f1a010a002a101591d608560c5c63a1d6f9157feba6cf667265657261646975732d332e312e302d64656164
(9,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000
(9,1) eap_peap - Got tunneled Access-Challenge
(9,1) eap_peap - TLS application data to encrypt (43 bytes)
(9,1) eap_peap - Sending complete TLS record (69 bytes)
(9,1) eap - Sending EAP Request (code 1) ID 10 length 75
(9,1) eap (handled)
(9,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(9,1) EXPAND Response-Packet-Type
(9,1) --> Access-Challenge
(9,1) attr_filter.access_challenge - EXPAND %{User-Name}
(9,1) attr_filter.access_challenge - --> testuser@realm
(9,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(9,1) attr_filter.access_challenge.post-auth (updated)
(9,1) handled (handled)
(9,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(9,1) } # Auth-Type eap (handled)
(9,1) Using Post-Auth-Type Challenge
(9,1) Post-Auth-Type sub-section not found. Ignoring.
(9,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(9,1) Sent Access-Challenge Id 85 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(9,1) EAP-Message = 0x010a004b19001703010040fd1adfa6152afb79c1fa0529c132191cc6180186595d874f715ef0b31bf5417fd2acb727f784d6ae580609b6434fb822695b8a0db91b849dbd55cd39f83f1b56
(9,1) Message-Authenticator = 0x00000000000000000000000000000000
(9,1) State = 0x090138003637b8d43b39393138ab9701
(9,1) Finished request
Waking up in 4.8 seconds.
(10) Received Access-Request Id 86 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 394
(10) User-Name = "testuser@realm"
(10) Chargeable-User-Identity = 0x00
(10) Location-Capable = Civix-Location
(10) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(10) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(10) NAS-Port = 13
(10) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(10) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(10) NAS-IP-Address = Y.Y.Y.Y
(10) NAS-Identifier = "WM13"
(10) Airespace-Wlan-Id = 8
(10) Service-Type = Framed-User
(10) Framed-MTU = 1300
(10) NAS-Port-Type = Wireless-802.11
(10) Tunnel-Type:0 = VLAN
(10) Tunnel-Medium-Type:0 = IEEE-802
(10) Tunnel-Private-Group-Id:0 = "446"
(10) EAP-Message = 0x020a006b19001703010060fb7b84dad699698f8e133528ec8b1ef0f8199de9c6170fb4c86582a647d47520ec17b41fc65471c47ceb60d9a206b2b54936ec02000e6b4894b77cf2a1c4f99e2747be80011ff04e7304a9ed47826067966d1318fd9ef8f95697e149a3355eea
(10) State = 0x090138003637b8d43b39393138ab9701
(10) Message-Authenticator = 0x431e4c764049d08fa9567dfadb9ac07f
(10,1) Running section authorize from file /etc/raddb/sites-enabled/default
(10,1) authorize {
(10,1) local_rewrite_called_station_id {
(10,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(10,1) update request {
(10,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(10,1) --> 64:AE:0C:91:42:60
(10,1) &Called-Station-Id := 64:AE:0C:91:42:60
(10,1) } # update request (noop)
(10,1) if ("%{8}") {
(10,1) EXPAND %{8}
(10,1) --> RADIUS-TEST
(10,1) update request {
(10,1) EXPAND %{8}
(10,1) --> RADIUS-TEST
(10,1) &Called-Station-SSID := RADIUS-TEST
(10,1) } # update request (noop)
(10,1) } # if ("%{8}") (noop)
(10,1) updated (updated)
(10,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(10,1) else {
(10,1) ... skipping else for request 10: Preceding "if" was taken
(10,1) }
(10,1) } # local_rewrite_called_station_id (updated)
(10,1) local_rewrite_calling_station_id {
(10,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(10,1) update request {
(10,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(10,1) --> A4:D1:8C:E4:9F:22
(10,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(10,1) } # update request (noop)
(10,1) updated (updated)
(10,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(10,1) else {
(10,1) ... skipping else for request 10: Preceding "if" was taken
(10,1) }
(10,1) } # local_rewrite_calling_station_id (updated)
(10,1) filter_username {
(10,1) if (&User-Name) {
(10,1) if (&User-Name =~ / /) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /@[^@]*@/ ) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /\.\./ ) {
(10,1) ...
(10,1) }
(10,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /\.$/) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /(a)\./) {
(10,1) ...
(10,1) }
(10,1) } # if (&User-Name) (updated)
(10,1) } # filter_username (updated)
(10,1) bad_realms {
(10,1) if (&User-Name =~ /\.ax\.uk$/i) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /myabc\.com$/i) {
(10,1) ...
(10,1) }
(10,1) } # bad_realms (updated)
(10,1) preprocess (ok)
(10,1) operator-name.authorize {
(10,1) if ("%{client:Operator-Name}") {
(10,1) EXPAND %{client:Operator-Name}
(10,1) --> 1realm.ac.uk
(10,1) update request {
(10,1) EXPAND %{client:Operator-Name}
(10,1) --> 1realm.ac.uk
(10,1) &Operator-Name = 1realm.ac.uk
(10,1) } # update request (noop)
(10,1) } # if ("%{client:Operator-Name}") (noop)
(10,1) } # operator-name.authorize (noop)
(10,1) suffix - Checking for suffix after "@"
(10,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(10,1) suffix - Found realm "realm.ac.uk"
(10,1) suffix - Adding Stripped-User-Name = "testuser"
(10,1) suffix - Adding Realm = "realm.ac.uk"
(10,1) suffix - Authentication realm is LOCAL
(10,1) suffix (ok)
(10,1) if (&Realm) {
(10,1) update control {
(10,1) &control:Proxy-To-Realm := LOCAL
(10,1) } # update control (noop)
(10,1) } # if (&Realm) (noop)
(10,1) else {
(10,1) ... skipping else for request 10: Preceding "if" was taken
(10,1) }
(10,1) if (&Realm) {
(10,1) if (&Stripped-User-Name != "") {
(10,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(10,1) EXPAND %{tolower:%{Stripped-User-Name}}
(10,1) --> testuser
(10,1) ...
(10,1) }
(10,1) group {
(10,1) check_blacklist (ok)
(10,1) if (&control:Local-Banned-User) {
(10,1) ...
(10,1) }
(10,1) else {
(10,1) noop (noop)
(10,1) } # else (noop)
(10,1) } # group (ok)
(10,1) } # if (&Stripped-User-Name != "") (ok)
(10,1) } # if (&Realm) (ok)
(10,1) eap - Peer sent EAP Response (code 2) ID 10 length 107
(10,1) eap - Continuing tunnel setup
(10,1) eap (ok)
(10,1) } # authorize (ok)
(10,1) Using 'Auth-Type = eap' for authenticate {...}
(10,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(10,1) Auth-Type eap {
(10,1) eap - Peer sent packet with EAP method PEAP (25)
(10,1) eap - Calling submodule eap_peap to process data
(10,1) eap_peap - Continuing EAP-TLS
(10,1) eap_peap - Got complete TLS record (101 bytes)
(10,1) eap_peap - [eap-tls verify] = complete
(10,1) eap_peap - Decrypted TLS application data (73 bytes)
(10,1) eap_peap - [eap-tls process] = complete
(10,1) eap_peap - Session established. Decoding tunneled data
(10,1) eap_peap - PEAP state phase2
(10,1) eap_peap - EAP method MSCHAPv2 (26)
(10,1) eap_peap - Got tunneled request
(10,1) eap_peap - &EAP-Message = 0x020a004d1a020a004831329616f5f88860d55df21c3a71f27e040000000000000000f283736acdd6b31ecc9bdf0c7b021c5232c4bf8f5aa26a620065636c366368406c656564732e61632e756b
(10,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser@realm"
(10,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel"
(10,1) Virtual server inner-tunnel received request
(10,1) &EAP-Message = 0x020a004d1a020a004831329616f5f88860d55df21c3a71f27e040000000000000000f283736acdd6b31ecc9bdf0c7b021c5232c4bf8f5aa26a620065636c366368406c656564732e61632e756b
(10,1) &FreeRADIUS-Proxied-To = 127.0.0.1
(10,1) &User-Name = "testuser@realm"
(10,1) WARNING: Outer and inner identities are the same. User privacy is compromised.
(10,1) server inner-tunnel {
(10,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(10,1) authorize {
(10,1) filter_username {
(10,1) if (&User-Name) {
(10,1) if (&User-Name =~ / /) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /@[^@]*@/ ) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /\.\./ ) {
(10,1) ...
(10,1) }
(10,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /\.$/) {
(10,1) ...
(10,1) }
(10,1) if (&User-Name =~ /(a)\./) {
(10,1) ...
(10,1) }
(10,1) } # if (&User-Name) (notfound)
(10,1) } # filter_username (notfound)
(10,1) local_filter_inner_identity {
(10,1) if (!&outer.request:User-Name || !&User-Name) {
(10,1) ...
(10,1) }
(10,1) if (&outer.request:User-Name != &User-Name) {
(10,1) ...
(10,1) }
(10,1) } # local_filter_inner_identity (notfound)
(10,1) chap (noop)
(10,1) if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) {
(10,1) mschap-ds (noop)
(10,1) } # if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) (noop)
(10,1) elsif (&outer.request:User-Name =~ /(a)admin\.realm\.ac\.uk$/i) {
(10,1) ... skipping elsif for request 10: Preceding "if" was taken
(10,1) }
(10,1) suffix - Checking for suffix after "@"
(10,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(10,1) suffix - Found realm "realm.ac.uk"
(10,1) suffix - Adding Stripped-User-Name = "testuser"
(10,1) suffix - Adding Realm = "realm.ac.uk"
(10,1) suffix - Authentication realm is LOCAL
(10,1) suffix (ok)
(10,1) if (&User-Name =~ /^@/) {
(10,1) ...
(10,1) }
(10,1) if (!(&Stripped-User-Name)) {
(10,1) ...
(10,1) }
(10,1) else {
(10,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(10,1) EXPAND %{tolower:%{Stripped-User-Name}}
(10,1) --> testuser
(10,1) ...
(10,1) }
(10,1) } # else (ok)
(10,1) group {
(10,1) check_blacklist (ok)
(10,1) if (&control:Local-Banned-User) {
(10,1) ...
(10,1) }
(10,1) else {
(10,1) noop (noop)
(10,1) } # else (noop)
(10,1) } # group (ok)
(10,1) update control {
(10,1) &control:Proxy-To-Realm := LOCAL
(10,1) } # update control (noop)
(10,1) eap - Peer sent EAP Response (code 2) ID 10 length 77
(10,1) eap - Continuing on-going EAP conversation
(10,1) eap (updated)
(10,1) files (noop)
(10,1) expiration (noop)
(10,1) logintime (noop)
(10,1) pap (noop)
(10,1) } # authorize (updated)
(10,1) Using 'Auth-Type = eap' for authenticate {...}
(10,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel
(10,1) Auth-Type eap {
(10,1) eap - Peer sent packet with EAP method MSCHAPv2 (26)
(10,1) eap - Calling submodule eap_mschapv2 to process data
(10,1) eap_mschapv2 - Running Auth-Type MS-CHAP from file /etc/raddb/sites-enabled/inner-tunnel
(10,1) Auth-Type MS-CHAP {
(10,1) if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) {
(10,1) mschap-ds - Creating challenge hash with username: testuser@realm
(10,1) mschap-ds - Client is using MS-CHAPv2
(10,1) mschap-ds - EXPAND %{%{Stripped-User-Name}:-%{mschap-ds:User-Name}}
(10,1) mschap-ds - --> testuser
(10,1) mschap-ds - Reserved connection (0)
(10,1) mschap-ds - sending authentication request user='testuser' domain='DS'
(10,1) mschap-ds - Released connection (0)
(10,1) mschap-ds - Need 10 more connections to reach 20 spares
(10,1) mschap-ds - Opening additional connection (10), 1 of 54 pending slots used
(10,1) mschap-ds - Authenticated successfully
(10,1) mschap-ds - Adding MS-CHAPv2 MPPE keys
(10,1) mschap-ds (ok)
(10,1) } # if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) (ok)
(10,1) elsif (&outer.request:User-Name =~ /(a)admin\.realm\.ac\.uk$/i) {
(10,1) ... skipping elsif for request 10: Preceding "if" was taken
(10,1) }
(10,1) } # Auth-Type MS-CHAP (ok)
(10,1) eap_mschapv2 - MSCHAP Success
(10,1) eap - Sending EAP Request (code 1) ID 11 length 51
(10,1) eap (handled)
(10,1) } # Auth-Type eap (handled)
(10,1) } # server inner-tunnel
(10,1) Virtual server sending reply
(10,1) &EAP-Message = 0x010b00331a030a002e533d35453739463637393739354343374436383233434142313433353737364643414246384539373932
(10,1) &Message-Authenticator = 0x00000000000000000000000000000000
(10,1) eap_peap - Got tunneled reply Access-Challenge
(10,1) eap_peap - &EAP-Message = 0x010b00331a030a002e533d35453739463637393739354343374436383233434142313433353737364643414246384539373932
(10,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000
(10,1) eap_peap - Got tunneled Access-Challenge
(10,1) eap_peap - TLS application data to encrypt (47 bytes)
(10,1) eap_peap - Sending complete TLS record (85 bytes)
(10,1) eap - Sending EAP Request (code 1) ID 11 length 91
(10,1) eap (handled)
(10,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(10,1) EXPAND Response-Packet-Type
(10,1) --> Access-Challenge
(10,1) attr_filter.access_challenge - EXPAND %{User-Name}
(10,1) attr_filter.access_challenge - --> testuser@realm
(10,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(10,1) attr_filter.access_challenge.post-auth (updated)
(10,1) handled (handled)
(10,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(10,1) } # Auth-Type eap (handled)
(10,1) Using Post-Auth-Type Challenge
(10,1) Post-Auth-Type sub-section not found. Ignoring.
(10,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(10,1) Sent Access-Challenge Id 86 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(10,1) EAP-Message = 0x010b005b19001703010050434a180e3726928b4d1485ba6b2897630e9165184c8e7b1b32265ba04908704d15ee8673ef1b5f4b1cb58c229d9ca96c31528959c7f338b7d83c0deca515c327d242225f1874037a58481664fc1f1360
(10,1) Message-Authenticator = 0x00000000000000000000000000000000
(10,1) State = 0x0a033800aecc10fa3b39393138ab9701
(10,1) Finished request
Waking up in 4.8 seconds.
(11) Received Access-Request Id 87 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 330
(11) User-Name = "testuser@realm"
(11) Chargeable-User-Identity = 0x00
(11) Location-Capable = Civix-Location
(11) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(11) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(11) NAS-Port = 13
(11) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(11) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(11) NAS-IP-Address = Y.Y.Y.Y
(11) NAS-Identifier = "WM13"
(11) Airespace-Wlan-Id = 8
(11) Service-Type = Framed-User
(11) Framed-MTU = 1300
(11) NAS-Port-Type = Wireless-802.11
(11) Tunnel-Type:0 = VLAN
(11) Tunnel-Medium-Type:0 = IEEE-802
(11) Tunnel-Private-Group-Id:0 = "446"
(11) EAP-Message = 0x020b002b19001703010020b5ec1928d5a22217345c5344b5ea9e8a35fa15ad8681bfb8c9873d10febf5798
(11) State = 0x0a033800aecc10fa3b39393138ab9701
(11) Message-Authenticator = 0x62328bab8c9d2ffc5877e080f63230c8
(11,1) Running section authorize from file /etc/raddb/sites-enabled/default
(11,1) authorize {
(11,1) local_rewrite_called_station_id {
(11,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(11,1) update request {
(11,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(11,1) --> 64:AE:0C:91:42:60
(11,1) &Called-Station-Id := 64:AE:0C:91:42:60
(11,1) } # update request (noop)
(11,1) if ("%{8}") {
(11,1) EXPAND %{8}
(11,1) --> RADIUS-TEST
(11,1) update request {
(11,1) EXPAND %{8}
(11,1) --> RADIUS-TEST
(11,1) &Called-Station-SSID := RADIUS-TEST
(11,1) } # update request (noop)
(11,1) } # if ("%{8}") (noop)
(11,1) updated (updated)
(11,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(11,1) else {
(11,1) ... skipping else for request 11: Preceding "if" was taken
(11,1) }
(11,1) } # local_rewrite_called_station_id (updated)
(11,1) local_rewrite_calling_station_id {
(11,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(11,1) update request {
(11,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(11,1) --> A4:D1:8C:E4:9F:22
(11,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(11,1) } # update request (noop)
(11,1) updated (updated)
(11,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(11,1) else {
(11,1) ... skipping else for request 11: Preceding "if" was taken
(11,1) }
(11,1) } # local_rewrite_calling_station_id (updated)
(11,1) filter_username {
(11,1) if (&User-Name) {
(11,1) if (&User-Name =~ / /) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /@[^@]*@/ ) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /\.\./ ) {
(11,1) ...
(11,1) }
(11,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /\.$/) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /(a)\./) {
(11,1) ...
(11,1) }
(11,1) } # if (&User-Name) (updated)
(11,1) } # filter_username (updated)
(11,1) bad_realms {
(11,1) if (&User-Name =~ /\.ax\.uk$/i) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /myabc\.com$/i) {
(11,1) ...
(11,1) }
(11,1) } # bad_realms (updated)
(11,1) preprocess (ok)
(11,1) operator-name.authorize {
(11,1) if ("%{client:Operator-Name}") {
(11,1) EXPAND %{client:Operator-Name}
(11,1) --> 1realm.ac.uk
(11,1) update request {
(11,1) EXPAND %{client:Operator-Name}
(11,1) --> 1realm.ac.uk
(11,1) &Operator-Name = 1realm.ac.uk
(11,1) } # update request (noop)
(11,1) } # if ("%{client:Operator-Name}") (noop)
(11,1) } # operator-name.authorize (noop)
(11,1) suffix - Checking for suffix after "@"
(11,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(11,1) suffix - Found realm "realm.ac.uk"
(11,1) suffix - Adding Stripped-User-Name = "testuser"
(11,1) suffix - Adding Realm = "realm.ac.uk"
(11,1) suffix - Authentication realm is LOCAL
(11,1) suffix (ok)
(11,1) if (&Realm) {
(11,1) update control {
(11,1) &control:Proxy-To-Realm := LOCAL
(11,1) } # update control (noop)
(11,1) } # if (&Realm) (noop)
(11,1) else {
(11,1) ... skipping else for request 11: Preceding "if" was taken
(11,1) }
(11,1) if (&Realm) {
(11,1) if (&Stripped-User-Name != "") {
(11,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(11,1) EXPAND %{tolower:%{Stripped-User-Name}}
(11,1) --> testuser
(11,1) ...
(11,1) }
(11,1) group {
(11,1) check_blacklist (ok)
(11,1) if (&control:Local-Banned-User) {
(11,1) ...
(11,1) }
(11,1) else {
(11,1) noop (noop)
(11,1) } # else (noop)
(11,1) } # group (ok)
(11,1) } # if (&Stripped-User-Name != "") (ok)
(11,1) } # if (&Realm) (ok)
(11,1) eap - Peer sent EAP Response (code 2) ID 11 length 43
(11,1) eap - Continuing tunnel setup
(11,1) eap (ok)
(11,1) } # authorize (ok)
(11,1) Using 'Auth-Type = eap' for authenticate {...}
(11,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(11,1) Auth-Type eap {
(11,1) eap - Peer sent packet with EAP method PEAP (25)
(11,1) eap - Calling submodule eap_peap to process data
(11,1) eap_peap - Continuing EAP-TLS
(11,1) eap_peap - Got complete TLS record (37 bytes)
(11,1) eap_peap - [eap-tls verify] = complete
(11,1) eap_peap - Decrypted TLS application data (2 bytes)
(11,1) eap_peap - [eap-tls process] = complete
(11,1) eap_peap - Session established. Decoding tunneled data
(11,1) eap_peap - PEAP state phase2
(11,1) eap_peap - EAP method MSCHAPv2 (26)
(11,1) eap_peap - Got tunneled request
(11,1) eap_peap - &EAP-Message = 0x020b00061a03
(11,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser@realm"
(11,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel"
(11,1) Virtual server inner-tunnel received request
(11,1) &EAP-Message = 0x020b00061a03
(11,1) &FreeRADIUS-Proxied-To = 127.0.0.1
(11,1) &User-Name = "testuser@realm"
(11,1) WARNING: Outer and inner identities are the same. User privacy is compromised.
(11,1) server inner-tunnel {
(11,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(11,1) authorize {
(11,1) filter_username {
(11,1) if (&User-Name) {
(11,1) if (&User-Name =~ / /) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /@[^@]*@/ ) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /\.\./ ) {
(11,1) ...
(11,1) }
(11,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /\.$/) {
(11,1) ...
(11,1) }
(11,1) if (&User-Name =~ /(a)\./) {
(11,1) ...
(11,1) }
(11,1) } # if (&User-Name) (notfound)
(11,1) } # filter_username (notfound)
(11,1) local_filter_inner_identity {
(11,1) if (!&outer.request:User-Name || !&User-Name) {
(11,1) ...
(11,1) }
(11,1) if (&outer.request:User-Name != &User-Name) {
(11,1) ...
(11,1) }
(11,1) } # local_filter_inner_identity (notfound)
(11,1) chap (noop)
(11,1) if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) {
(11,1) mschap-ds (noop)
(11,1) } # if (&outer.request:User-Name =~ /(a)realm\.ac\.uk$/i) (noop)
(11,1) elsif (&outer.request:User-Name =~ /(a)admin\.realm\.ac\.uk$/i) {
(11,1) ... skipping elsif for request 11: Preceding "if" was taken
(11,1) }
(11,1) suffix - Checking for suffix after "@"
(11,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(11,1) suffix - Found realm "realm.ac.uk"
(11,1) suffix - Adding Stripped-User-Name = "testuser"
(11,1) suffix - Adding Realm = "realm.ac.uk"
(11,1) suffix - Authentication realm is LOCAL
(11,1) suffix (ok)
(11,1) if (&User-Name =~ /^@/) {
(11,1) ...
(11,1) }
(11,1) if (!(&Stripped-User-Name)) {
(11,1) ...
(11,1) }
(11,1) else {
(11,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(11,1) EXPAND %{tolower:%{Stripped-User-Name}}
(11,1) --> testuser
(11,1) ...
(11,1) }
(11,1) } # else (ok)
(11,1) group {
(11,1) check_blacklist (ok)
(11,1) if (&control:Local-Banned-User) {
(11,1) ...
(11,1) }
(11,1) else {
(11,1) noop (noop)
(11,1) } # else (noop)
(11,1) } # group (ok)
(11,1) update control {
(11,1) &control:Proxy-To-Realm := LOCAL
(11,1) } # update control (noop)
(11,1) eap - Peer sent EAP Response (code 2) ID 11 length 6
(11,1) eap - Continuing on-going EAP conversation
(11,1) eap (updated)
(11,1) files (noop)
(11,1) expiration (noop)
(11,1) logintime (noop)
(11,1) pap (noop)
(11,1) } # authorize (updated)
(11,1) Using 'Auth-Type = eap' for authenticate {...}
(11,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel
(11,1) Auth-Type eap {
(11,1) eap - Peer sent packet with EAP method MSCHAPv2 (26)
(11,1) eap - Calling submodule eap_mschapv2 to process data
(11,1) eap - Sending EAP Success (code 3) ID 11 length 4
(11,1) eap - Cleaning up EAP session
(11,1) eap (ok)
(11,1) } # Auth-Type eap (ok)
(11,1) Login OK: [testuser@realm] (from client wism13 port 0 via TLS tunnel)
(11,1) Running section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(11,1) post-auth {
(11,1) update reply {
(11,1) &reply:Reply-Message := successful authentication
(11,1) } # update reply (noop)
(11,1) inner-tunnel-accept-log - Using default message
(11,1) inner-tunnel-accept-log - EXPAND %S (%l) id %I INNER ACCEPT %{User-Name} cli %{%{outer.request:Calling-Station-Id}:--} outer-id %{outer.request:User-Name} auth-type %{outer.control:Auth-Type}/%{outer.request:EAP-Type} realm %{Realm} operator %{%{outer.request:Operator-Name}:--} client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) essid (%{%{outer.request:Called-Station-SSID}:--}) reply-msg '%{reply:Reply-Message}'
(11,1) inner-tunnel-accept-log - --> 2016-11-25 15:17:51 (1480087071) id 11 INNER ACCEPT testuser@realm cli A4:D1:8C:E4:9F:22 outer-id testuser(a)realm.ac.uk auth-type eap/PEAP realm realm.ac.uk operator 1realm.ac.uk client Y.Y.Y.Y (wism13) essid (RADIUS-TEST) reply-msg 'successful authentication'
(11,1) inner-tunnel-accept-log - EXPAND /var/log/radius/auth.log
(11,1) inner-tunnel-accept-log - --> /var/log/radius/auth.log
(11,1) inner-tunnel-accept-log (ok)
(11,1) update {
(11,1) &outer.session-state: += &reply:MS-MPPE-Encryption-Policy -> Encryption-Required
(11,1) &outer.session-state: += &reply:MS-MPPE-Encryption-Types -> 4
(11,1) &outer.session-state: += &reply:MS-MPPE-Send-Key -> 0xd8d3d48df0050ef926fee45a7025a880
(11,1) &outer.session-state: += &reply:MS-MPPE-Recv-Key -> 0x1d3a468cf7a531c07677d5c70e683dd0
(11,1) &outer.session-state: += &reply:EAP-Message -> 0x030b0004
(11,1) &outer.session-state: += &reply:Message-Authenticator -> 0x00000000000000000000000000000000
(11,1) &outer.session-state: += &reply:Stripped-User-Name -> "testuser"
(11,1) &outer.session-state: += &reply:Reply-Message -> "successful authentication"
(11,1) } # update (noop)
(11,1) update outer.session-state {
(11,1) &outer.session-state:MS-MPPE-Encryption-Policy !* ANY
(11,1) &outer.session-state:MS-MPPE-Encryption-Types !* ANY
(11,1) &outer.session-state:MS-MPPE-Send-Key !* ANY
(11,1) &outer.session-state:MS-MPPE-Recv-Key !* ANY
(11,1) &outer.session-state:Message-Authenticator !* ANY
(11,1) &outer.session-state:EAP-Message !* ANY
(11,1) &outer.session-state:Proxy-State !* ANY
(11,1) } # update outer.session-state (noop)
(11,1) } # post-auth (ok)
(11,1) } # server inner-tunnel
(11,1) Virtual server sending reply
(11,1) &MS-MPPE-Encryption-Policy = Encryption-Required
(11,1) &MS-MPPE-Encryption-Types = 4
(11,1) &MS-MPPE-Send-Key = 0xd8d3d48df0050ef926fee45a7025a880
(11,1) &MS-MPPE-Recv-Key = 0x1d3a468cf7a531c07677d5c70e683dd0
(11,1) &EAP-Message = 0x030b0004
(11,1) &Message-Authenticator = 0x00000000000000000000000000000000
(11,1) &Stripped-User-Name = "testuser"
(11,1) &Reply-Message := "successful authentication"
(11,1) eap_peap - Got tunneled reply Access-Accept
(11,1) eap_peap - &MS-MPPE-Encryption-Policy = Encryption-Required
(11,1) eap_peap - &MS-MPPE-Encryption-Types = 4
(11,1) eap_peap - &MS-MPPE-Send-Key = 0xd8d3d48df0050ef926fee45a7025a880
(11,1) eap_peap - &MS-MPPE-Recv-Key = 0x1d3a468cf7a531c07677d5c70e683dd0
(11,1) eap_peap - &EAP-Message = 0x030b0004
(11,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000
(11,1) eap_peap - &Stripped-User-Name = "testuser"
(11,1) eap_peap - &Reply-Message := "successful authentication"
(11,1) eap_peap - Tunneled authentication was successful
(11,1) eap_peap - SUCCESS
(11,1) eap_peap - TLS application data to encrypt (11 bytes)
(11,1) eap_peap - Sending complete TLS record (37 bytes)
(11,1) eap - Sending EAP Request (code 1) ID 12 length 43
(11,1) eap (handled)
(11,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(11,1) EXPAND Response-Packet-Type
(11,1) --> Access-Challenge
(11,1) attr_filter.access_challenge - EXPAND %{User-Name}
(11,1) attr_filter.access_challenge - --> testuser@realm
(11,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(11,1) attr_filter.access_challenge.post-auth (updated)
(11,1) handled (handled)
(11,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled)
(11,1) } # Auth-Type eap (handled)
(11,1) Using Post-Auth-Type Challenge
(11,1) Post-Auth-Type sub-section not found. Ignoring.
(11,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default
(11,1) Saving &session-state
(11,1) &session-state:Stripped-User-Name += "testuser"
(11,1) &session-state:Reply-Message += "successful authentication"
(11,1) Sent Access-Challenge Id 87 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(11,1) EAP-Message = 0x010c002b1900170301002075fcd60b064f8189f89cd88d8ea3821c5e02316d81a985ae28e6772c0f91527a
(11,1) Message-Authenticator = 0x00000000000000000000000000000000
(11,1) State = 0x0b0138003637b8d43b39393138ab9701
(11,1) Finished request
Waking up in 4.8 seconds.
(12) Received Access-Request Id 88 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 330
(12) User-Name = "testuser@realm"
(12) Chargeable-User-Identity = 0x00
(12) Location-Capable = Civix-Location
(12) Calling-Station-Id = "a4-d1-8c-e4-9f-22"
(12) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST"
(12) NAS-Port = 13
(12) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e"
(12) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110"
(12) NAS-IP-Address = Y.Y.Y.Y
(12) NAS-Identifier = "WM13"
(12) Airespace-Wlan-Id = 8
(12) Service-Type = Framed-User
(12) Framed-MTU = 1300
(12) NAS-Port-Type = Wireless-802.11
(12) Tunnel-Type:0 = VLAN
(12) Tunnel-Medium-Type:0 = IEEE-802
(12) Tunnel-Private-Group-Id:0 = "446"
(12) EAP-Message = 0x020c002b190017030100205260e734aa19b0c57421ab4de8ee9119c043f03f0751f165dc6cc2a0f5157a8c
(12) State = 0x0b0138003637b8d43b39393138ab9701
(12) Message-Authenticator = 0xa330d14becbcd2b557c3aeb3deb98ff4
(12,1) Restored &session-state
(12,1) &session-state:Stripped-User-Name += "testuser"
(12,1) &session-state:Reply-Message += "successful authentication"
(12,1) Running section authorize from file /etc/raddb/sites-enabled/default
(12,1) authorize {
(12,1) local_rewrite_called_station_id {
(12,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(12,1) update request {
(12,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(12,1) --> 64:AE:0C:91:42:60
(12,1) &Called-Station-Id := 64:AE:0C:91:42:60
(12,1) } # update request (noop)
(12,1) if ("%{8}") {
(12,1) EXPAND %{8}
(12,1) --> RADIUS-TEST
(12,1) update request {
(12,1) EXPAND %{8}
(12,1) --> RADIUS-TEST
(12,1) &Called-Station-SSID := RADIUS-TEST
(12,1) } # update request (noop)
(12,1) } # if ("%{8}") (noop)
(12,1) updated (updated)
(12,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated)
(12,1) else {
(12,1) ... skipping else for request 12: Preceding "if" was taken
(12,1) }
(12,1) } # local_rewrite_called_station_id (updated)
(12,1) local_rewrite_calling_station_id {
(12,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(12,1) update request {
(12,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(12,1) --> A4:D1:8C:E4:9F:22
(12,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22
(12,1) } # update request (noop)
(12,1) updated (updated)
(12,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated)
(12,1) else {
(12,1) ... skipping else for request 12: Preceding "if" was taken
(12,1) }
(12,1) } # local_rewrite_calling_station_id (updated)
(12,1) filter_username {
(12,1) if (&User-Name) {
(12,1) if (&User-Name =~ / /) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /@[^@]*@/ ) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /\.\./ ) {
(12,1) ...
(12,1) }
(12,1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /\.$/) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /(a)\./) {
(12,1) ...
(12,1) }
(12,1) } # if (&User-Name) (updated)
(12,1) } # filter_username (updated)
(12,1) bad_realms {
(12,1) if (&User-Name =~ /\.ax\.uk$/i) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /(a)ac\.uk$/i) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /3gppnetwork\.org$/i) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) {
(12,1) ...
(12,1) }
(12,1) if (&User-Name =~ /myabc\.com$/i) {
(12,1) ...
(12,1) }
(12,1) } # bad_realms (updated)
(12,1) preprocess (ok)
(12,1) operator-name.authorize {
(12,1) if ("%{client:Operator-Name}") {
(12,1) EXPAND %{client:Operator-Name}
(12,1) --> 1realm.ac.uk
(12,1) update request {
(12,1) EXPAND %{client:Operator-Name}
(12,1) --> 1realm.ac.uk
(12,1) &Operator-Name = 1realm.ac.uk
(12,1) } # update request (noop)
(12,1) } # if ("%{client:Operator-Name}") (noop)
(12,1) } # operator-name.authorize (noop)
(12,1) suffix - Checking for suffix after "@"
(12,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm"
(12,1) suffix - Found realm "realm.ac.uk"
(12,1) suffix - Adding Stripped-User-Name = "testuser"
(12,1) suffix - Adding Realm = "realm.ac.uk"
(12,1) suffix - Authentication realm is LOCAL
(12,1) suffix (ok)
(12,1) if (&Realm) {
(12,1) update control {
(12,1) &control:Proxy-To-Realm := LOCAL
(12,1) } # update control (noop)
(12,1) } # if (&Realm) (noop)
(12,1) else {
(12,1) ... skipping else for request 12: Preceding "if" was taken
(12,1) }
(12,1) if (&Realm) {
(12,1) if (&Stripped-User-Name != "") {
(12,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") {
(12,1) EXPAND %{tolower:%{Stripped-User-Name}}
(12,1) --> testuser
(12,1) ...
(12,1) }
(12,1) group {
(12,1) check_blacklist (ok)
(12,1) if (&control:Local-Banned-User) {
(12,1) ...
(12,1) }
(12,1) else {
(12,1) noop (noop)
(12,1) } # else (noop)
(12,1) } # group (ok)
(12,1) } # if (&Stripped-User-Name != "") (ok)
(12,1) } # if (&Realm) (ok)
(12,1) eap - Peer sent EAP Response (code 2) ID 12 length 43
(12,1) eap - Continuing tunnel setup
(12,1) eap (ok)
(12,1) } # authorize (ok)
(12,1) Using 'Auth-Type = eap' for authenticate {...}
(12,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(12,1) Auth-Type eap {
(12,1) eap - Peer sent packet with EAP method PEAP (25)
(12,1) eap - Calling submodule eap_peap to process data
(12,1) eap_peap - Continuing EAP-TLS
(12,1) eap_peap - Got complete TLS record (37 bytes)
(12,1) eap_peap - [eap-tls verify] = complete
(12,1) eap_peap - Decrypted TLS application data (11 bytes)
(12,1) eap_peap - [eap-tls process] = complete
(12,1) eap_peap - Session established. Decoding tunneled data
(12,1) eap_peap - PEAP state send tlv success
(12,1) eap_peap - Received EAP-TLV response
(12,1) eap_peap - Success
(12,1) eap_peap - Adding session keys
(12,1) eap_peap - &reply:MS-MPPE-Recv-Key = 0xc2b1108d6edcbaab7acbc6cb02381f392e459fecfbd849f9ec05ed541dcbd8ec
(12,1) eap_peap - &reply:MS-MPPE-Send-Key = 0x71011003ab851c697e371755227994e8ab1ff5a15b2a5e4433273ac6b71b363e
(12,1) eap_peap - &reply:EAP-MSK = 0xc2b1108d6edcbaab7acbc6cb02381f392e459fecfbd849f9ec05ed541dcbd8ec71011003ab851c697e371755227994e8ab1ff5a15b2a5e4433273ac6b71b363e
(12,1) eap_peap - &reply:EAP-EMSK = 0x4d4889f2308cc16ca2dfb5c43fd14af93e7a927a9ab73d43433258508c312fa5d2774e063dd8d0ceb56bea3134b9fb99691718545b00139d8dc9e61bf277a526
(12,1) eap - Sending EAP Success (code 3) ID 12 length 4
(12,1) eap - Cleaning up EAP session
(12,1) eap (ok)
(12,1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(12,1) ...
(12,1) }
(12,1) } # Auth-Type eap (ok)
(12,1) Login OK: [testuser@realm] (from client wism13 port 13 cli A4:D1:8C:E4:9F:22)
(12,1) Running section post-auth from file /etc/raddb/sites-enabled/default
(12,1) post-auth {
(12,1) update {
(12,1) &reply: += &session-state:Stripped-User-Name -> "testuser"
(12,1) &reply: += &session-state:Reply-Message -> "successful authentication"
(12,1) } # update (noop)
(12,1) update reply {
(12,1) &reply:Reply-Message := successful authentication
(12,1) } # update reply (noop)
(12,1) default-accept-log - Using default message
(12,1) default-accept-log - EXPAND %S (%l) id %I DEFAULT ACCEPT %{User-Name} cli %{%{Calling-Station-Id}:--} auth-type %{control:Auth-Type}/%{EAP-Type} realm %{Realm} operator %{%{Operator-Name}:--} client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) essid (%{%{Called-Station-SSID}:--}) reply-msg '%{reply:Reply-Message}'
(12,1) default-accept-log - --> 2016-11-25 15:17:51 (1480087071) id 88 DEFAULT ACCEPT testuser@realm cli A4:D1:8C:E4:9F:22 auth-type eap/PEAP realm realm.ac.uk operator 1realm.ac.uk client Y.Y.Y.Y (wism13) essid (RADIUS-TEST) reply-msg 'successful authentication'
(12,1) default-accept-log - EXPAND /var/log/radius/auth.log
(12,1) default-accept-log - --> /var/log/radius/auth.log
(12,1) default-accept-log (ok)
(12,1) exec (noop)
(12,1) remove_reply_message_if_eap {
(12,1) if (&reply:EAP-Message && &reply:Reply-Message) {
(12,1) update reply {
(12,1) &reply:Reply-Message !* ANY
(12,1) } # update reply (noop)
(12,1) } # if (&reply:EAP-Message && &reply:Reply-Message) (noop)
(12,1) else {
(12,1) ... skipping else for request 12: Preceding "if" was taken
(12,1) }
(12,1) } # remove_reply_message_if_eap (noop)
(12,1) } # post-auth (ok)
(12,1) Sent Access-Accept Id 88 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0
(12,1) MS-MPPE-Recv-Key = 0xc2b1108d6edcbaab7acbc6cb02381f392e459fecfbd849f9ec05ed541dcbd8ec
(12,1) MS-MPPE-Send-Key = 0x71011003ab851c697e371755227994e8ab1ff5a15b2a5e4433273ac6b71b363e
(12,1) EAP-Message = 0x030c0004
(12,1) Message-Authenticator = 0x00000000000000000000000000000000
(12,1) Finished request
Waking up in 4.8 seconds.
^CWaking up in 3.1 seconds.
2
1
25 Nov '16
Hello Everybody,
I have read on several blogs and also on this mailing list about problems
with NAS in deployments. Problems applying such important attributes as to
end sessions or prevent multiple sessions. I had in mind to buy a Linksys
WRT but I have dedicated to investigate what would be the best device for
my wireless implementation with FreeRadius. But I want to know from the
mouth of the experts ... Which device have tried and has worked for the
best?
100% or at least 95% compatible with this.
THANKS IN ADVANCE!
Jose Quezada
2
1
Hi List!
The concept for "known good password" is something that really gives me
a hard time to understand. Can anyone tell me what I have to change to
make this setup working?
I get the following debug-output:
(0) pap: WARNING: No "known good" password found for the user. Not
setting Auth-Type
The user in the User file is defined like this:
testuser SMD5-Password := "6i2WbPPxOt2zLBrM/KzNEnRlc3Q=" ,
NAS-IP-Address == '10.0.0.29', Auth-Type := Accept
... and I have a NAS defined as a client:
client ap29 {
ipaddr = 10.0.0.29/32
secret = testing123
}
see the full debug-output here:
http://pastebin.com/raw/52eZPhQj
--
Mit freundlichen Grüßen / Kind regards
Julian Scharrenbach - Informatik Betriebswirt (VWA)
5
7
Hello,
my 3.0.12 server usually sends SQL statements into a buffer file for
radsqlrelay pickup.
This choked today on invalid SQL syntax, and the reason was a bit
surprising:
INSERT INTO radpostauth (user, pass, reply, date) VALUES ('xxx', 'IMAP', 'Access-Accept', '2016-11-24 22:53:54');
INSERT INTO radpostauth (user, pass, reply, date) VALUES ('yyy', 'IMAP', 'Access-Accept', '2016-11-24 22:53:54');
INSERT INTO radpostauth (user, pass, reply, date) VALUES ('zzz', 'IMAP', 'Access-Accept', '2016-11-24 22:53:54');
CAUGHT SIGNAL: Aborted
Backtrace of last 19 frames:
/usr/local/freeradius/3.0.12/lib/libfreeradius-radius.so(fr_fault+0x115)[0x7f16483f5226]
/usr/local/freeradius/3.0.12/lib/libfreeradius-server.so(rad_assert_fail+0x46)[0x7f1648655fea]
/usr/local/freeradius/current/sbin/radiusd[0x436a47]
/usr/local/freeradius/current/sbin/radiusd(fr_connection_get+0x1d)[0x4379b2]
/usr/local/freeradius/3.0.12/lib/rlm_sql.so(+0x5d4a)[0x7f164466ed4a]
/usr/local/freeradius/3.0.12/lib/rlm_sql.so(+0x6a51)[0x7f164466fa51]
/usr/local/freeradius/current/sbin/radiusd[0x428d5d]
/usr/local/freeradius/current/sbin/radiusd[0x42940a]
/usr/local/freeradius/current/sbin/radiusd[0x428f1e]
/usr/local/freeradius/current/sbin/radiusd[0x429e3e]
/usr/local/freeradius/current/sbin/radiusd(modcall+0xa2)[0x42ab83]
/usr/local/freeradius/current/sbin/radiusd(indexed_modcall+0x363)[0x426393]
/usr/local/freeradius/current/sbin/radiusd(process_post_auth+0x22)[0x4287a0]
/usr/local/freeradius/current/sbin/radiusd(rad_postauth+0x1b5)[0x40f967]
/usr/local/freeradius/current/sbin/radiusd[0x43d01c]
/usr/local/freeradius/current/sbin/radiusd[0x43d7a3]
/usr/local/freeradius/current/sbin/radiusd[0x4393c1]
/lib64/libpthread.so.0(+0x7dc5)[0x7f1646cc2dc5]
/lib64/libc.so.6(clone+0x6d)[0x7f16467b8ced]
Calling: gdb -silent -x /usr/local/freeradius/config/raddb/panic.gdb /usr/local/freeradius/current/sbin/radiusd 4172 2>&1 | tee /var/log/radius/gdb-radiusd-4172.log
Panic action exited with 0
_EXIT(0) CALLED src/lib/debug.c[743]
INSERT INTO radpostauth (user, pass, reply, date) VALUES ('aaa', 'IMAP', 'Access-Accept', '2016-11-24 22:53:55');
INSERT INTO radpostauth (user, pass, reply, date) VALUES ('bbb', 'IMAP', 'Access-Accept', '2016-11-24 22:53:56');
INSERT INTO radpostauth (user, pass, reply, date) VALUES ('ccc', 'IMAP', 'Access-Accept', '2016-11-24 22:53:56');
I'm a bit stunned by that. It's one thing that FR crashes, but how
can it be that it writes its backtrace into a logfile file
descriptor? Something horrible with file handles must have happened
there. Unfortunately, this server is running for very long without
issues and I don't think I can reproduce this.
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
2
1
Got a small problem with the use of buffered-sql virtual server . I've been
moving over to using this in an attempt to being a bit more considerate of
our postgresql database which currently has 6 FR 3.0.12 systems
concurrently updating my freeraidus database.
The following problem is present in both 3.0.12 and a 3.0.13 systems.
Initially I replaced the -sql statements in my inner-tunnel virt server
with a call to detail and that worked just fine. I then tried to the same
thing with my "default" virtual host so that proxied auths for visiting
eduroam users would use buffered-sql as well. As soon as I did this (this
was trying to use buffered sql for post-auth and accounting packets
although the details.work file continued to grow, it never came down.
Looking at contents of details.work, the 1st thing I noticed was that while
Authentication packets had a Packet-Type = Access-Request just after the
timestamp, Accounting packets didn't have a Packet-Type attribute.
Accounting packet
Fri Nov 25 09:09:14 2016
User-Name = "@leicester.ac.uk"
NAS-IP-Address = 144.32.64.38
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "@leicestA8667F143971-5837FD04"
Event-Timestamp = "Nov 25 2016 09:08:54 GMT"
Acct-Multi-Session-Id = "A8667F143971-0013936352"
Framed-IP-Address = 10.241.6.100
Calling-Station-Id = "A8-66-7F-14-39-71"
Called-Station-Id = "00-1A-1E-00-C9-00"
Class =
0xa79cda48d0da4a94a13fcfdcc173bd24ba0b0000040000005230313332326633632d32342d35383337666431340000000000000000000000
Acct-Delay-Time = 20
Aruba-Essid-Name = "eduroam"
Aruba-Location-Id = "coheeap28"
Aruba-AP-Group = "Constantine"
Aruba-User-Role = "authenticated"
Aruba-User-Vlan = 3865
Aruba-Device-Type = "OS X"
Acct-Status-Type = Interim-Update
Acct-Input-Octets = 48797
Acct-Output-Octets = 123431
Acct-Input-Packets = 310
Acct-Output-Packets = 249
Acct-Session-Time = 674
NAS-Identifier = "aruba0"
Proxy-State = 0x323039
FreeRADIUS-Acct-Session-Start-Time = "Nov 25 2016 08:57:40 GMT"
Module-Failure-Message = "regex failed: Found null in subject at
offset 18. String unsafe for evaluation"
Module-Failure-Message = "Failed retrieving values required to
evaluate condition"
Acct-Unique-Session-Id = "4d4f17755ded442a500b90bded7f1746"
Stripped-User-Name = ""
Realm = "DEFAULT"
Timestamp = 1480064954
Access-Request packet
Fri Nov 25 09:09:15 2016
Packet-Type = Access-Request
User-Name = ""
Calling-Station-Id = ""
NAS-IP-Address = 10.237.0.3
NAS-Port = 164
Called-Station-Id = ""
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "2"
Connect-Info = "CONNECT 802.11g/n"
EAP-Message =
Ruckus-SSID = "eduroam"
Message-Authenticator = 0x6d912a50a69db5ec8e97fe20d8a281e5
Event-Timestamp = "Nov 25 2016 09:09:15 GMT"
Called-Station-SSID = "eduroam"
SQL-User-Name = ""
Realm = "eduroam"
Operator-Name = "1york.ac.uk"
Chargeable-User-Identity = 0x00
EAP-Type = Identity
Timestamp = 1480064955
Removing all references to using detail in my default virtual server but
using it in my inner-tunnel server returned things to normal all my servers
I made the change to.
Should I be able to use buffered-sql to process accounting packets?
Rgds
Alex
2
4
Hi,
I've noticed a couple of issues with FR 3.1 and I'm hoping someone
can help me resolve them.
Thanks, Chris
1. No output written to file using radmin
listen {
type = "control"
listen {
socket = "/var/run/radiusd/control/radiusd.sock"
gid = "radiusd"
mode = "rw"
peercred = yes
}
}
[XXXXXXXXX ~]# radmin -f /var/run/radiusd/control/radiusd.sock
radmin version 3.1.0-dead (git #4870102), built on Sep 9 2016 at 15:42:04 - FreeRADIUS Server administration tool.
Copyright (C) 2008-2016 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
radmin> debug file /var/log/radius/tmp/bob.log
ERROR: Cannot direct debug logs to absolute path.
radmin> show debug file
radmin> debug condition '(User-Name == "bob")'
radmin> show debug condition
&User-Name == "bob"
radmin>
2. No User-Name attribute in Access-Accept when using EAP-TLS PEAP.
(12,1) } # remove_reply_message_if_eap (noop)
(12,1) } # post-auth (ok)
(12,1) Sent Access-Accept Id 30 from 129.11.76.149:1812 to 10.12.80.79:32769 via em1 length 0
(12,1) MS-MPPE-Recv-Key = 0x0026c6259b41b7d2a79beed337a42a4a719e6604cbfa3ea381d44c795ce9c900
(12,1) MS-MPPE-Send-Key = 0x993c8b2ac3b792c214ccbe8362cd277dde3f560c3f2eff38f0860408bf6daf43
(12,1) EAP-Message = 0x030c0004
(12,1) Message-Authenticator = 0x00000000000000000000000000000000
(12,1) Finished request
2
1
Hi,
I have set up have running setup with the following features
1) WPA-Enterprise with PEAP MSChapv2.
2) Authenticate with Microsoft AD via winbindd
3) Authorize with Microsoft AD via LDAP
Now I want to enable MySQL logging, I followed the setup as per the wiki
but I only get table radpostauth populated. What I want is to see table
radacct populated.
I am monitoring the output from radiusd -X but three is no error to
indicate any problems. What else am I missing here? Thank you.
https://wiki.freeradius.org/guide/SQL-HOWTO-for-freeradius-3.x-on-Debian-Ub…
2
1
24 Nov '16
Hi,
I'm working through setting up FreeRADIUS to behave as a DHCP Server so that it can read and respond to DHCP Packets (including Option 82 info).
I'm making progress - however I am facing a few roadblocks that I would like some guidance on if possible.
*Packets forwarded from an internal network which are translated out to us and carry a DHCP-Relay-IP-Address*
DHCP Requests that are being sent to us include a Relay-IP-Address - and implicitly the DHCP module seems to use this as an authority and attempts to return the packet to the Relay IP, not the source of the packet. I was able to comment out in the source (3.0.12) - "modules/proto_dhcp/dhcpd.c" on line 497 (where it sets a new destination IP address) - and the packet was returned to the originator. Obviously this is not the way I should be doing this - so any suggestions are welcome.
*DHCP IP Addressing from SQLIPool*
I have the radippool (via dhcp_sqlippool) process able to extract an IP address based on the Circuit ID (Option 82) contained within the DHCP Packet.
The challenge I have, is the IP addresses I am allocating (for the same provider, but we will also have multiple providers who use our system) - has different gateways based on the location of the service and the IP allocated. From what I can ascertain looking at the source code, the DHCP Pool functionality presently only deals with the returning of the Framed-IP-Address.
Looking at "modules/rlm_sqlippool/rlm_sqlippool.c" (line 580) - there is an object called 'inst' with a property called framed_ip_address. This is used to build a 'vp' and adds it to the reply.
How would one go about providing database driven gateway/dns settings?
Is there a way? Or is the only option to add support for additional properties in the code for this? (I would need to isolate where the framed_ip_address is mapped to Framed-IP-Address to follow the similar behaviour.
Hope you can help!
Thanks
Martin.
Martin Edge
Chief Technical Officer
[Description: Description: Emersion Logo]
Emersion saves you time and money, by providing an easy to use, secure and scalable
billing, provisioning & operational support system delivered as a service in the cloud.
Emersion Software Systems Pty Ltd
Twitter: .......... @EmersionBilling
________________________________
This communication may contain CONFIDENTIAL or copyright information of Emersion Software Systems Pty Ltd (ABN 28 119 061 791). If you are not an intended recipient, you MUST NOT read, print, keep, forward, copy, use, save, retransmit or rely on this communication or any attachments, and any such action is unauthorised and prohibited. If you have received this communication in error, please reply to this e-mail to notify the sender of its incorrect delivery, and then delete both it and your reply. Emersion does not guarantee the integrity of any emails or any attached files. The views or opinions expressed are the author's own and may not reflect the views or opinions of Emersion. Thank you.
________________________________
4
6