Am 09.05.25 um 10:55 schrieb Matthew Newton via Freeradius-Users:
On 09/05/2025 08:56, Christoph Egger via Freeradius-Users wrote:
switch -> freeradius: access-request (1), id: 0x2d freeradius -> switch: access-reject (3), id: 0x2d freeradius -> switch: access-accept (2), id: 0x2c
FreeRADIUS never sends a reject followed by an accept for the same request.
As always, what does the full debug output show?
Here it is the EAP-TTLS + PAP, after that the corresponding tcpdump: authentik-freeradius-1 | (45) Received Access-Request Id 46 from 172.16.1.1:49514 to 172.16.1.2:1812 length 138 authentik-freeradius-1 | (45) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (45) EAP-Message = 0x02020016016170706c655f6c616e5f74686174736d65 authentik-freeradius-1 | (45) NAS-IP-Address = 10.0.0.3 authentik-freeradius-1 | (45) NAS-Port = 3 authentik-freeradius-1 | (45) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (45) Service-Type = Framed-User authentik-freeradius-1 | (45) if (&User-Name =~ / /) { authentik-freeradius-1 | (45) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (45) if (&User-Name =~ /@[^@]*@/ ) { authentik-freeradius-1 | (45) if (&User-Name =~ /@[^@]*@/ ) -> FALSE authentik-freeradius-1 | (45) if (&User-Name =~ /\.\./ ) { authentik-freeradius-1 | (45) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (45) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { authentik-freeradius-1 | (45) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE authentik-freeradius-1 | (45) if (&User-Name =~ /\.$/) { authentik-freeradius-1 | (45) if (&User-Name =~ /\.$/) -> FALSE authentik-freeradius-1 | (45) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (45) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (45) } # if (&User-Name) = notfound authentik-freeradius-1 | (45) suffix: No such realm "NULL" authentik-freeradius-1 | (45) [suffix] = noop authentik-freeradius-1 | (45) eap: Peer sent EAP Response (code 2) ID 2 length 22 authentik-freeradius-1 | (45) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize authentik-freeradius-1 | (45) [eap] = ok authentik-freeradius-1 | (45) } # authorize = ok authentik-freeradius-1 | (45) Found Auth-Type = eap authentik-freeradius-1 | (45) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (45) authenticate { authentik-freeradius-1 | (45) eap: Peer sent packet with method EAP Identity (1) authentik-freeradius-1 | (45) eap: Using default_eap_type = TTLS authentik-freeradius-1 | (45) eap: Calling submodule eap_ttls to process data authentik-freeradius-1 | (45) eap_ttls: (TLS) TTLS -Initiating new session authentik-freeradius-1 | (45) eap: Sending EAP Request (code 1) ID 3 length 6 authentik-freeradius-1 | (45) eap: EAP session adding &reply:State = 0x2d378bd52d349ea4 authentik-freeradius-1 | (45) [eap] = handled authentik-freeradius-1 | (45) } # authenticate = handled authentik-freeradius-1 | (45) Using Post-Auth-Type Challenge authentik-freeradius-1 | (45) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (45) Challenge { ... } # empty sub-section is ignored authentik-freeradius-1 | (45) session-state: Saving cached attributes authentik-freeradius-1 | (45) Framed-MTU = 994 authentik-freeradius-1 | (45) Sent Access-Challenge Id 46 from 172.16.1.2:1812 to 172.16.1.1:49514 length 64 authentik-freeradius-1 | (45) EAP-Message = 0x010300061520 authentik-freeradius-1 | (45) Message-Authenticator = 0x00000000000000000000000000000000 authentik-freeradius-1 | (45) State = 0x2d378bd52d349ea48c81890488f2e33c authentik-freeradius-1 | (45) Finished request authentik-freeradius-1 | Waking up in 4.9 seconds. authentik-freeradius-1 | (46) Received Access-Request Id 47 from 172.16.1.1:49514 to 172.16.1.2:1812 length 295 authentik-freeradius-1 | (46) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (46) EAP-Message = 0x020300a115800000009716030300920100008e0303681dc4befd642d026911306f371557d5d2f4a94b96242867061ce633f5245fe800002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000 authentik-freeradius-1 | (46) NAS-IP-Address = 10.0.0.3 authentik-freeradius-1 | (46) NAS-Port = 3 authentik-freeradius-1 | (46) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (46) Service-Type = Framed-User authentik-freeradius-1 | (46) Calling-Station-Id = "00-E0-4C-68-20-7E" authentik-freeradius-1 | (46) NAS-Port-Type = Ethernet authentik-freeradius-1 | (46) State = 0x2d378bd52d349ea48c81890488f2e33c authentik-freeradius-1 | (46) Message-Authenticator = 0x6dd431248b2fbe0228d157c2fa27a529 authentik-freeradius-1 | (46) Restoring &session-state authentik-freeradius-1 | (46) &session-state:Framed-MTU = 994 authentik-freeradius-1 | (46) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (46) authorize { authentik-freeradius-1 | (46) policy filter_username { authentik-freeradius-1 | (46) if (&User-Name) { authentik-freeradius-1 | (46) if (&User-Name) -> TRUE authentik-freeradius-1 | (46) if (&User-Name) { authentik-freeradius-1 | (46) if (&User-Name =~ / /) { authentik-freeradius-1 | (46) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (46) if (&User-Name =~ /@[^@]*@/ ) { authentik-freeradius-1 | (46) if (&User-Name =~ /@[^@]*@/ ) -> FALSE authentik-freeradius-1 | (46) if (&User-Name =~ /\.\./ ) { authentik-freeradius-1 | (46) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (46) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { authentik-freeradius-1 | (46) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE authentik-freeradius-1 | (46) if (&User-Name =~ /\.$/) { authentik-freeradius-1 | (46) if (&User-Name =~ /\.$/) -> FALSE authentik-freeradius-1 | (46) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (46) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (46) } # if (&User-Name) = notfound authentik-freeradius-1 | (46) } # policy filter_username = notfound authentik-freeradius-1 | (46) [preprocess] = ok authentik-freeradius-1 | (46) [chap] = noop authentik-freeradius-1 | (46) [mschap] = noop authentik-freeradius-1 | (46) [digest] = noop authentik-freeradius-1 | (46) suffix: Checking for suffix after "@" authentik-freeradius-1 | (46) suffix: No '@' in User-Name = "apple_lan_thatsme", looking up realm NULL authentik-freeradius-1 | (46) suffix: No such realm "NULL" authentik-freeradius-1 | (46) [suffix] = noop authentik-freeradius-1 | (46) eap: Peer sent EAP Response (code 2) ID 3 length 161 authentik-freeradius-1 | (46) eap: Continuing tunnel setup authentik-freeradius-1 | (46) [eap] = ok authentik-freeradius-1 | (46) } # authorize = ok authentik-freeradius-1 | (46) Found Auth-Type = eap authentik-freeradius-1 | (46) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (46) authenticate { authentik-freeradius-1 | (46) eap: Removing EAP session with state 0x2d378bd52d349ea4 authentik-freeradius-1 | (46) eap: Previous EAP request found for state 0x2d378bd52d349ea4, released from the list authentik-freeradius-1 | (46) eap: Peer sent packet with method EAP TTLS (21) authentik-freeradius-1 | (46) eap: Calling submodule eap_ttls to process data authentik-freeradius-1 | (46) eap_ttls: Authenticate authentik-freeradius-1 | (46) eap_ttls: (TLS) EAP Peer says that the final record size will be 151 bytes authentik-freeradius-1 | (46) eap_ttls: (TLS) EAP Got all data (151 bytes) authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - before SSL initialization authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - recv TLS 1.3 Handshake, ClientHello authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client hello authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHello authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server hello authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Certificate authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write certificate authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write key exchange authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Server : Need to read more data: SSLv3/TLS write server done authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - In Handshake Phase authentik-freeradius-1 | (46) eap: Sending EAP Request (code 1) ID 4 length 1000 authentik-freeradius-1 | (46) eap: EAP session adding &reply:State = 0x2d378bd52c339ea4 authentik-freeradius-1 | (46) [eap] = handled authentik-freeradius-1 | (46) } # authenticate = handled authentik-freeradius-1 | (46) Using Post-Auth-Type Challenge authentik-freeradius-1 | (46) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (46) Challenge { ... } # empty sub-section is ignored authentik-freeradius-1 | (46) session-state: Saving cached attributes authentik-freeradius-1 | (46) Framed-MTU = 994 authentik-freeradius-1 | (46) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello" authentik-freeradius-1 | (46) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (46) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (46) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (46) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (46) Sent Access-Challenge Id 47 from 172.16.1.2:1812 to 172.16.1.1:49514 length 1064 authentik-freeradius-1 | (46) EAP-Message = 0x010403e815c000000fb4160303003d02000039030388fff48d047feef3d5ff00a05d375edda874c47f374df3e3444f574e4752440100c030000011ff01000100000b000403000102001700001603030d120b000d0e000d0b00062b308206273082040fa003020102020101300d06092a864886f70d01010b0500308187310b3009060355040613024445310b300906035504080c024257310c300a06035504070c035348413111300f060355040a0c0852656c6576616e743121301f06092a864886f70d010901161269744076696e65796172642d7368612e64653127302506035504030c1e52656c6576616e7420436572746966696361746520417574686f72697479301e170d3235303432393132333934305a170d3235303732383132333934305a3079310b3009060355040613024445310b300906035504080c0242573111300f060355040a0c0852656c6576616e743127302506035504030c1e52656c6576616e742043657274696669636174652041757468 authentik-freeradius-1 | (46) Message-Authenticator = 0x00000000000000000000000000000000 authentik-freeradius-1 | (46) State = 0x2d378bd52c339ea48c81890488f2e33c authentik-freeradius-1 | (46) Finished request authentik-freeradius-1 | Waking up in 4.9 seconds. authentik-freeradius-1 | (47) Received Access-Request Id 48 from 172.16.1.1:49514 to 172.16.1.2:1812 length 140 authentik-freeradius-1 | (47) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (47) EAP-Message = 0x020400061500 authentik-freeradius-1 | (47) NAS-IP-Address = 10.0.0.3 authentik-freeradius-1 | (47) NAS-Port = 3 authentik-freeradius-1 | (47) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (47) Service-Type = Framed-User authentik-freeradius-1 | (47) Calling-Station-Id = "00-E0-4C-68-20-7E" authentik-freeradius-1 | (47) NAS-Port-Type = Ethernet authentik-freeradius-1 | (47) State = 0x2d378bd52c339ea48c81890488f2e33c authentik-freeradius-1 | (47) Message-Authenticator = 0x8ba8cf973db7dbf690257fd18897e523 authentik-freeradius-1 | (47) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (47) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (47) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (47) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (47) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (47) authorize { authentik-freeradius-1 | (47) policy filter_username { authentik-freeradius-1 | (47) if (&User-Name) { authentik-freeradius-1 | (47) if (&User-Name) -> TRUE authentik-freeradius-1 | (47) if (&User-Name) { authentik-freeradius-1 | (47) if (&User-Name =~ / /) { authentik-freeradius-1 | (47) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (47) } # if (&User-Name) = notfound authentik-freeradius-1 | (47) } # policy filter_username = notfound authentik-freeradius-1 | (47) [preprocess] = ok authentik-freeradius-1 | (47) [chap] = noop authentik-freeradius-1 | (47) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (47) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (47) Sent Access-Challenge Id 48 from 172.16.1.2:1812 to 172.16.1.1:49514 length 1064 authentik-freeradius-1 | (47) EAP-Message = 0x010503e815c000000fb42f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c30180603551d200411300f300d060b2b0601040182be68010302301d0603551d0e041604144a7e2994148f5496048c2dc652719f5c7607bc98301f0603551d23041830168014701806d2e6c468e75987bb23a0b1d9f88d709ac4300d06092a864886f70d01010b0500038202010093980ec717a88f949a6937eb2936cd0debc7605e805a0b8630abbc62f35350a0fff1a7886d653db8558319b1bc2d2c31bfea23208c6426ca6f3e50e2572dc7d7a6d90c97a3ef13a70dac554e6549f528a113d0e2a20391b34f295a38966530b917f843450cff4f133d4478bdac234d2a688305ffe69e3220319337fe4903fcc7240c57c33a2c988bb015733f4175045e6d7af21979a035f0a9e10da845b181fd32ae894991b560372a07ebdb52499f94e2f94e271260f08711830b89d8e9ca8873d822f14d1cccd8a24be1e9cbd773 authentik-freeradius-1 | (47) Message-Authenticator = 0x00000000000000000000000000000000 authentik-freeradius-1 | (47) State = 0x2d378bd52f329ea48c81890488f2e33c authentik-freeradius-1 | (47) Finished request authentik-freeradius-1 | Waking up in 4.9 seconds. authentik-freeradius-1 | (48) Received Access-Request Id 49 from 172.16.1.1:49514 to 172.16.1.2:1812 length 140 authentik-freeradius-1 | (48) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (48) EAP-Message = 0x020500061500 authentik-freeradius-1 | (48) NAS-IP-Address = 10.0.0.3 authentik-freeradius-1 | (48) NAS-Port = 3 authentik-freeradius-1 | (48) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (48) Service-Type = Framed-User authentik-freeradius-1 | (48) Calling-Station-Id = "00-E0-4C-68-20-7E" authentik-freeradius-1 | (48) NAS-Port-Type = Ethernet authentik-freeradius-1 | (48) State = 0x2d378bd52f329ea48c81890488f2e33c authentik-freeradius-1 | (48) Message-Authenticator = 0x7e9c351c6e0c60bec88aae42cbfd7a82 authentik-freeradius-1 | (48) Restoring &session-state authentik-freeradius-1 | (48) &session-state:Framed-MTU = 994 authentik-freeradius-1 | (48) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello" authentik-freeradius-1 | (48) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (48) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (48) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (48) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (48) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (48) authorize { authentik-freeradius-1 | (48) policy filter_username { authentik-freeradius-1 | (48) if (&User-Name) { authentik-freeradius-1 | (48) if (&User-Name) -> TRUE authentik-freeradius-1 | (48) if (&User-Name) { authentik-freeradius-1 | (48) if (&User-Name =~ / /) { authentik-freeradius-1 | (48) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (48) if (&User-Name =~ /@[^@]*@/ ) -> FALSE authentik-freeradius-1 | (48) if (&User-Name =~ /\.\./ ) { authentik-freeradius-1 | (48) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (48) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { authentik-freeradius-1 | (48) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE authentik-freeradius-1 | (48) if (&User-Name =~ /\.$/) { authentik-freeradius-1 | (48) if (&User-Name =~ /\.$/) -> FALSE authentik-freeradius-1 | (48) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (48) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (48) } # if (&User-Name) = notfound authentik-freeradius-1 | (48) } # policy filter_username = notfound authentik-freeradius-1 | (48) [preprocess] = ok authentik-freeradius-1 | (48) [chap] = noop authentik-freeradius-1 | (48) [mschap] = noop authentik-freeradius-1 | (48) [digest] = noop authentik-freeradius-1 | (48) suffix: Checking for suffix after "@" authentik-freeradius-1 | (48) suffix: No '@' in User-Name = "apple_lan_thatsme", looking up realm NULL authentik-freeradius-1 | (48) suffix: No such realm "NULL" authentik-freeradius-1 | (48) [suffix] = noop authentik-freeradius-1 | (48) eap: Peer sent EAP Response (code 2) ID 5 length 6 authentik-freeradius-1 | (48) eap: Continuing tunnel setup authentik-freeradius-1 | (48) [eap] = ok authentik-freeradius-1 | (48) } # authorize = ok authentik-freeradius-1 | (48) Found Auth-Type = eap authentik-freeradius-1 | (48) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (48) authenticate { authentik-freeradius-1 | (48) eap: Removing EAP session with state 0x2d378bd52f329ea4 authentik-freeradius-1 | (48) eap: Previous EAP request found for state 0x2d378bd52f329ea4, released from the list authentik-freeradius-1 | (48) eap: Peer sent packet with method EAP TTLS (21) authentik-freeradius-1 | (48) eap: Calling submodule eap_ttls to process data authentik-freeradius-1 | (48) eap_ttls: Authenticate authentik-freeradius-1 | (48) eap_ttls: (TLS) Peer ACKed our handshake fragment authentik-freeradius-1 | (48) eap: Sending EAP Request (code 1) ID 6 length 1000 authentik-freeradius-1 | (48) eap: EAP session adding &reply:State = 0x2d378bd52e319ea4 authentik-freeradius-1 | (48) [eap] = handled authentik-freeradius-1 | (48) } # authenticate = handled authentik-freeradius-1 | (48) Using Post-Auth-Type Challenge authentik-freeradius-1 | (48) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (48) Challenge { ... } # empty sub-section is ignored authentik-freeradius-1 | (48) session-state: Saving cached attributes authentik-freeradius-1 | (48) Framed-MTU = 994 authentik-freeradius-1 | (48) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello" authentik-freeradius-1 | (48) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (48) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (48) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (48) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (48) Sent Access-Challenge Id 49 from 172.16.1.2:1812 to 172.16.1.1:49514 length 1064 authentik-freeradius-1 | (48) EAP-Message = 0x010603e815c000000fb43127302506035504030c1e52656c6576616e7420436572746966696361746520417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a0282020100e55d87d38cf2c678cd5e9b9cf81d94b6b91cd6463f8d77ec2fc375c2b6b502157c3ead93d845cda3997b1f428ee037cc776726254b9d4746fbf022bbf59228b2b912925af38f8647bc270e8052662caf474f4607aabb9b484b4b3cecfeafd6c483f7f3f77680ae050a7708020d92bda2c75a55113d207dc9511d2e1cac2e4b6dbed4f86a604e08dca9285f4edaf786c6e35f10f91bdad17e23ab955aa3e0f8c29fccedd093d20811fe24aefdc0b7635cb7c9e89a0dbe073a4e7f16180c21594c71660ccf797685939894048d34a8140428b943cb915289a0fc98b52316853f150037f925946cf9be5bfbdebd22bd12041ba4234091b663c0660b86a509bde5ed5116c928fea2bd51297cd2b1c47b076fe41b4a0daf19d765a1e6da397ce03b2816cedd authentik-freeradius-1 | (48) Message-Authenticator = 0x00000000000000000000000000000000 authentik-freeradius-1 | (48) State = 0x2d378bd52e319ea48c81890488f2e33c authentik-freeradius-1 | (48) Finished request authentik-freeradius-1 | Waking up in 4.9 seconds. authentik-freeradius-1 | (49) Received Access-Request Id 50 from 172.16.1.1:49514 to 172.16.1.2:1812 length 140 authentik-freeradius-1 | (49) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (49) EAP-Message = 0x020600061500 authentik-freeradius-1 | (49) NAS-IP-Address = 10.0.0.3 authentik-freeradius-1 | (49) NAS-Port = 3 authentik-freeradius-1 | (49) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (49) Service-Type = Framed-User authentik-freeradius-1 | (49) Calling-Station-Id = "00-E0-4C-68-20-7E" authentik-freeradius-1 | (49) NAS-Port-Type = Ethernet authentik-freeradius-1 | (49) Message-Authenticator = 0x813ff55ff1a4a9e8af7bfd6b291b0e9b authentik-freeradius-1 | (49) Restoring &session-state authentik-freeradius-1 | (49) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello" authentik-freeradius-1 | (49) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (49) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (49) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (49) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (49) authorize { authentik-freeradius-1 | (49) policy filter_username { authentik-freeradius-1 | (49) if (&User-Name) { authentik-freeradius-1 | (49) if (&User-Name) -> TRUE authentik-freeradius-1 | (49) if (&User-Name) { authentik-freeradius-1 | (49) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (49) if (&User-Name =~ /@[^@]*@/ ) { authentik-freeradius-1 | (49) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (49) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { authentik-freeradius-1 | (49) if (&User-Name =~ /\.$/) { authentik-freeradius-1 | (49) if (&User-Name =~ /\.$/) -> FALSE authentik-freeradius-1 | (49) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (49) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (49) } # if (&User-Name) = notfound authentik-freeradius-1 | (49) } # policy filter_username = notfound authentik-freeradius-1 | (50) Received Access-Request Id 51 from 172.16.1.1:49514 to 172.16.1.2:1812 length 140 authentik-freeradius-1 | (50) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (50) EAP-Message = 0x020700061500 authentik-freeradius-1 | (50) NAS-IP-Address = 10.0.0.3 authentik-freeradius-1 | (50) NAS-Port = 3 authentik-freeradius-1 | (50) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (50) Service-Type = Framed-User authentik-freeradius-1 | (50) Calling-Station-Id = "00-E0-4C-68-20-7E" authentik-freeradius-1 | (50) NAS-Port-Type = Ethernet authentik-freeradius-1 | (50) State = 0x2d378bd529309ea48c81890488f2e33c authentik-freeradius-1 | (50) Message-Authenticator = 0xf81e574264216b6dad0e74b30869f07f authentik-freeradius-1 | (50) Restoring &session-state authentik-freeradius-1 | (50) &session-state:Framed-MTU = 994 authentik-freeradius-1 | (50) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello" authentik-freeradius-1 | (50) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (50) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (50) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (50) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (50) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (50) authorize { authentik-freeradius-1 | (50) policy filter_username { authentik-freeradius-1 | (50) if (&User-Name) { authentik-freeradius-1 | (50) if (&User-Name) -> TRUE authentik-freeradius-1 | (50) if (&User-Name) { authentik-freeradius-1 | (50) if (&User-Name =~ / /) { authentik-freeradius-1 | (50) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (50) if (&User-Name =~ /@[^@]*@/ ) { authentik-freeradius-1 | (50) if (&User-Name =~ /@[^@]*@/ ) -> FALSE authentik-freeradius-1 | (50) if (&User-Name =~ /\.\./ ) { authentik-freeradius-1 | (50) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (50) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE authentik-freeradius-1 | (50) if (&User-Name =~ /\.$/) { authentik-freeradius-1 | (50) if (&User-Name =~ /\.$/) -> FALSE authentik-freeradius-1 | (50) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (50) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (50) } # if (&User-Name) = notfound authentik-freeradius-1 | (50) } # policy filter_username = notfound authentik-freeradius-1 | (50) [preprocess] = ok authentik-freeradius-1 | (50) [chap] = noop authentik-freeradius-1 | (50) [mschap] = noop authentik-freeradius-1 | (50) [digest] = noop authentik-freeradius-1 | (50) suffix: No '@' in User-Name = "apple_lan_thatsme", looking up realm NULL authentik-freeradius-1 | (50) suffix: No such realm "NULL" authentik-freeradius-1 | (50) [suffix] = noop authentik-freeradius-1 | (50) eap: Peer sent EAP Response (code 2) ID 7 length 6 authentik-freeradius-1 | (50) eap: Continuing tunnel setup authentik-freeradius-1 | (50) [eap] = ok authentik-freeradius-1 | (50) } # authorize = ok authentik-freeradius-1 | (50) Found Auth-Type = eap authentik-freeradius-1 | (50) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (50) authenticate { authentik-freeradius-1 | (50) eap: Removing EAP session with state 0x2d378bd529309ea4 authentik-freeradius-1 | (50) eap: Previous EAP request found for state 0x2d378bd529309ea4, released from the list authentik-freeradius-1 | (50) eap: Peer sent packet with method EAP TTLS (21) authentik-freeradius-1 | (50) eap: Calling submodule eap_ttls to process data authentik-freeradius-1 | (50) eap_ttls: Authenticate authentik-freeradius-1 | (50) eap_ttls: (TLS) Peer ACKed our handshake fragment authentik-freeradius-1 | (50) eap: Sending EAP Request (code 1) ID 8 length 70 authentik-freeradius-1 | (50) [eap] = handled authentik-freeradius-1 | (50) } # authenticate = handled authentik-freeradius-1 | (50) Using Post-Auth-Type Challenge authentik-freeradius-1 | (50) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (50) Challenge { ... } # empty sub-section is ignored authentik-freeradius-1 | (50) session-state: Saving cached attributes authentik-freeradius-1 | (50) Framed-MTU = 994 authentik-freeradius-1 | (50) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello" authentik-freeradius-1 | (50) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (50) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (50) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (50) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (50) Sent Access-Challenge Id 51 from 172.16.1.2:1812 to 172.16.1.1:49514 length 128 authentik-freeradius-1 | (50) EAP-Message = 0x01080046158000000fb4869667380632a4142079fb1f2ff5c8def2967978b74b3087d78a0bc118847696a8454a2a272af3d6cd31a29d59fbf04fcea73416030300040e000000 authentik-freeradius-1 | (50) Message-Authenticator = 0x00000000000000000000000000000000 authentik-freeradius-1 | (50) State = 0x2d378bd5283f9ea48c81890488f2e33c authentik-freeradius-1 | (50) Finished request authentik-freeradius-1 | Waking up in 4.9 seconds. authentik-freeradius-1 | (51) Received Access-Request Id 52 from 172.16.1.1:49514 to 172.16.1.2:1812 length 270 authentik-freeradius-1 | (51) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (51) EAP-Message = 0x0208008815800000007e160303004610000042410419ae54fd8e6d6cf9d33816dcca4bf092ad18d110ad1ca18ad0b68e5a397c0a604e49c6add9cb514acac0811f412580d3cef6aa3a37a814eedfebef46ec8f48aa1403030001011603030028f5828f0161eb6130a671794392becd9618fa618cb47c6265cadcaea18ccfc8b2b2e03cd124ea548b authentik-freeradius-1 | (51) NAS-IP-Address = 10.0.0.3 authentik-freeradius-1 | (51) NAS-Port = 3 authentik-freeradius-1 | (51) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (51) Service-Type = Framed-User authentik-freeradius-1 | (51) Calling-Station-Id = "00-E0-4C-68-20-7E" authentik-freeradius-1 | (51) NAS-Port-Type = Ethernet authentik-freeradius-1 | (51) State = 0x2d378bd5283f9ea48c81890488f2e33c authentik-freeradius-1 | (51) Message-Authenticator = 0x31d9c558591c9fa84bb37e2443138f02 authentik-freeradius-1 | (51) Restoring &session-state authentik-freeradius-1 | (51) &session-state:Framed-MTU = 994 authentik-freeradius-1 | (51) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (51) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (51) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (51) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (51) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (51) authorize { authentik-freeradius-1 | (51) policy filter_username { authentik-freeradius-1 | (51) if (&User-Name) { authentik-freeradius-1 | (51) if (&User-Name) -> TRUE authentik-freeradius-1 | (51) if (&User-Name) { authentik-freeradius-1 | (51) if (&User-Name =~ / /) { authentik-freeradius-1 | (51) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (51) [mschap] = noop authentik-freeradius-1 | (51) [digest] = noop authentik-freeradius-1 | (51) suffix: Checking for suffix after "@" authentik-freeradius-1 | (51) [suffix] = noop authentik-freeradius-1 | (51) eap: Peer sent EAP Response (code 2) ID 8 length 136 authentik-freeradius-1 | (51) [eap] = ok authentik-freeradius-1 | (51) } # authorize = ok authentik-freeradius-1 | (51) Found Auth-Type = eap authentik-freeradius-1 | (51) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (51) authenticate { authentik-freeradius-1 | (51) eap: Removing EAP session with state 0x2d378bd5283f9ea4 authentik-freeradius-1 | (51) eap: Peer sent packet with method EAP TTLS (21) authentik-freeradius-1 | (51) eap: Calling submodule eap_ttls to process data authentik-freeradius-1 | (51) eap_ttls: Authenticate authentik-freeradius-1 | (51) eap_ttls: (TLS) EAP Peer says that the final record size will be 126 bytes authentik-freeradius-1 | (51) eap_ttls: (TLS) EAP Got all data (126 bytes) authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client key exchange authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read change cipher spec authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - send TLS 1.2 ChangeCipherSpec authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write change cipher spec authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Finished authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write finished authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Handshake state - SSL negotiation finished successfully authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Connection Established authentik-freeradius-1 | (51) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" authentik-freeradius-1 | (51) eap_ttls: TLS-Session-Version = "TLS 1.2" authentik-freeradius-1 | (51) eap: Sending EAP Request (code 1) ID 9 length 61 authentik-freeradius-1 | (51) eap: EAP session adding &reply:State = 0x2d378bd52b3e9ea4 authentik-freeradius-1 | (51) } # authenticate = handled authentik-freeradius-1 | (51) Using Post-Auth-Type Challenge authentik-freeradius-1 | (51) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (51) Challenge { ... } # empty sub-section is ignored authentik-freeradius-1 | (51) session-state: Saving cached attributes authentik-freeradius-1 | (51) Framed-MTU = 994 authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello" authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello" authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate" authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange" authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone" authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange" authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished" authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec" authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished" authentik-freeradius-1 | (51) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" authentik-freeradius-1 | (51) TLS-Session-Version = "TLS 1.2" authentik-freeradius-1 | (51) Sent Access-Challenge Id 52 from 172.16.1.2:1812 to 172.16.1.1:49514 length 119 authentik-freeradius-1 | (51) EAP-Message = 0x0109003d15800000003314030300010116030300281c6440dcdfdbf05f1f9394118125311533b66d6444bdb7f11ce8b2a04b349adc2bb5de540eb22132 authentik-freeradius-1 | (51) Message-Authenticator = 0x00000000000000000000000000000000 authentik-freeradius-1 | (51) State = 0x2d378bd52b3e9ea48c81890488f2e33c authentik-freeradius-1 | (51) Finished request authentik-freeradius-1 | Waking up in 4.9 seconds. authentik-freeradius-1 | (52) Received Access-Request Id 53 from 172.16.1.1:49514 to 172.16.1.2:1812 length 217 authentik-freeradius-1 | (52) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (52) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (52) Service-Type = Framed-User authentik-freeradius-1 | (52) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (52) authorize { authentik-freeradius-1 | (52) } # policy filter_username = notfound authentik-freeradius-1 | (52) [preprocess] = ok authentik-freeradius-1 | (52) [chap] = noop authentik-freeradius-1 | (52) [mschap] = noop authentik-freeradius-1 | (52) [digest] = noop authentik-freeradius-1 | (52) suffix: Checking for suffix after "@" authentik-freeradius-1 | (52) # Executing section authorize from file /opt/etc/raddb/sites-enabled/proxy-inner-tunnel authentik-freeradius-1 | (52) authorize { authentik-freeradius-1 | (52) eap: No EAP-Message, not doing EAP authentik-freeradius-1 | (52) Expecting proxy response no later than 29.667705 seconds from now authentik-freeradius-1 | Waking up in 4.6 seconds. authentik-freeradius-1 | (45) Cleaning up request packet ID 46 with timestamp +11387 due to cleanup_delay was reached authentik-freeradius-1 | (46) Cleaning up request packet ID 47 with timestamp +11387 due to cleanup_delay was reached authentik-freeradius-1 | (47) Cleaning up request packet ID 48 with timestamp +11387 due to cleanup_delay was reached authentik-freeradius-1 | (48) Cleaning up request packet ID 49 with timestamp +11387 due to cleanup_delay was reached authentik-freeradius-1 | (49) Cleaning up request packet ID 50 with timestamp +11387 due to cleanup_delay was reached authentik-freeradius-1 | (50) Cleaning up request packet ID 51 with timestamp +11387 due to cleanup_delay was reached authentik-freeradius-1 | (53) Received Access-Request Id 54 from 172.16.1.1:49514 to 172.16.1.2:1812 length 199 authentik-freeradius-1 | (53) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (53) EAP-Message = 0x020900531580000000491703030044f5828f0161eb61316a55dc0318f1460b3b7334667f0071641ae2e702ff03769d06cb5b770a0b91a2406baea074cc3469f3bb06a9b829d90524f48ca3d56d8dc94c46827d authentik-freeradius-1 | (53) NAS-IP-Address = 10.0.0.3 authentik-freeradius-1 | (53) NAS-Port = 3 authentik-freeradius-1 | (53) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (53) Service-Type = Framed-User authentik-freeradius-1 | (53) Calling-Station-Id = "00-E0-4C-68-20-7E" authentik-freeradius-1 | (53) NAS-Port-Type = Ethernet authentik-freeradius-1 | (53) Message-Authenticator = 0xfdd12d739d02d46620b603b2b5201094 authentik-freeradius-1 | (53) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (53) authorize { authentik-freeradius-1 | (53) policy filter_username { authentik-freeradius-1 | (53) if (&User-Name) { authentik-freeradius-1 | (53) if (&User-Name) -> TRUE authentik-freeradius-1 | (53) if (&User-Name) { authentik-freeradius-1 | (53) if (&User-Name =~ / /) { authentik-freeradius-1 | (53) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /@[^@]*@/ ) { authentik-freeradius-1 | (53) if (&User-Name =~ /@[^@]*@/ ) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /\.\./ ) { authentik-freeradius-1 | (53) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { authentik-freeradius-1 | (53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /\.$/) { authentik-freeradius-1 | (53) if (&User-Name =~ /\.$/) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (53) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (53) } # if (&User-Name) = notfound authentik-freeradius-1 | (53) } # policy filter_username = notfound authentik-freeradius-1 | (53) [preprocess] = ok authentik-freeradius-1 | (53) [chap] = noop authentik-freeradius-1 | (53) [mschap] = noop authentik-freeradius-1 | (53) [digest] = noop authentik-freeradius-1 | (53) suffix: Checking for suffix after "@" authentik-freeradius-1 | (53) suffix: No '@' in User-Name = "apple_lan_thatsme", looking up realm NULL authentik-freeradius-1 | (53) suffix: No such realm "NULL" authentik-freeradius-1 | (53) eap: Continuing tunnel setup authentik-freeradius-1 | (53) [eap] = ok authentik-freeradius-1 | (53) } # authorize = ok authentik-freeradius-1 | (53) Found Auth-Type = eap authentik-freeradius-1 | (53) # Executing group from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (53) authenticate { authentik-freeradius-1 | (53) eap: ERROR: EAP requires the State attribute to work, but no State exists in the Access-Request packet. authentik-freeradius-1 | (53) eap: ERROR: The RADIUS client is broken. No amount of changing FreeRADIUS will fix the RADIUS client. authentik-freeradius-1 | (53) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request authentik-freeradius-1 | Waking up in 0.6 seconds. authentik-freeradius-1 | (53) Sending delayed response authentik-freeradius-1 | (53) Sent Access-Reject Id 54 from 172.16.1.2:1812 to 172.16.1.1:49514 length 38 authentik-freeradius-1 | Waking up in 3.9 seconds. authentik-freeradius-1 | (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (52) BlastRADIUS check: Received packet without Message-Authenticator from home_server authentik_radius_outpost authentik-freeradius-1 | (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (52) The packet does not contain Message-Authenticator, which is a security issue authentik-freeradius-1 | (52) Once the home server is upgraded, set "require_message_authenticator = true" for home_server authentik_radius_outpost authentik-freeradius-1 | (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (52) Clearing existing &reply: attributes authentik-freeradius-1 | (52) Found Auth-Type = eap authentik-freeradius-1 | (52) Found Auth-Type = Accept authentik-freeradius-1 | (52) ERROR: Warning: Found 2 auth-types on request for user 'apple_lan_thatsme' authentik-freeradius-1 | (52) Auth-Type = Accept, accepting the user authentik-freeradius-1 | (52) # Executing section post-auth from file /opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (52) post-auth { authentik-freeradius-1 | (52) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { authentik-freeradius-1 | (52) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE authentik-freeradius-1 | (52) update { authentik-freeradius-1 | (52) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994 authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello' authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, ServerHello' authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, Certificate' authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange' authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone' authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange' authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - recv TLS 1.2 Handshake, Finished' authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, Finished' authentik-freeradius-1 | (52) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' authentik-freeradius-1 | (52) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' authentik-freeradius-1 | (52) } # update = noop authentik-freeradius-1 | (52) reply_log: EXPAND /opt/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d authentik-freeradius-1 | (52) reply_log: --> /opt/var/log/radius/radacct/172.16.1.1/reply-detail-20250509 authentik-freeradius-1 | (52) reply_log: /opt/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /opt/var/log/radius/radacct/172.16.1.1/reply-detail-20250509 authentik-freeradius-1 | (52) reply_log: EXPAND %t authentik-freeradius-1 | (52) reply_log: --> Fri May 9 09:02:54 2025 authentik-freeradius-1 | (52) [reply_log] = ok authentik-freeradius-1 | (52) [exec] = noop authentik-freeradius-1 | (52) policy remove_reply_message_if_eap { authentik-freeradius-1 | (52) if (&reply:EAP-Message && &reply:Reply-Message) { authentik-freeradius-1 | (52) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE authentik-freeradius-1 | (52) else { authentik-freeradius-1 | (52) [noop] = noop authentik-freeradius-1 | (52) } # else = noop authentik-freeradius-1 | (52) } # policy remove_reply_message_if_eap = noop authentik-freeradius-1 | (52) if (EAP-Key-Name && &reply:EAP-Session-Id) { authentik-freeradius-1 | rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" authentik-freeradius-1 | rlm_ldap (ldap): Opening additional connection (15), 1 of 32 pending slots used authentik-freeradius-1 | rlm_ldap (ldap): Connecting to ldap://outpost-ldap:3389 authentik-freeradius-1 | rlm_ldap (ldap): Waiting for bind result... authentik-freeradius-1 | rlm_ldap (ldap): Bind successful authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (15) authentik-freeradius-1 | (52) EXPAND (&(objectClass=posixAccount)(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})) authentik-freeradius-1 | (52) --> (&(objectClass=posixAccount)(cn=christoph)) authentik-freeradius-1 | (52) Performing search in "ou=users,dc=ldap,dc=example,dc=com" with filter "(&(objectClass=posixAccount)(cn=christoph))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) User object found at DN "cn=christoph,ou=users,dc=ldap,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (52) Checking for user in group objects authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Teamboss)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (52) --> (&(cn=RelVY_Teamboss)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph))) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Teamboss)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (15) authentik-freeradius-1 | rlm_ldap (ldap): Waiting for bind result... authentik-freeradius-1 | rlm_ldap (ldap): Bind successful authentik-freeradius-1 | (52) User is not a member of "RelVY_Teamboss" authentik-freeradius-1 | (52) if (LDAP-Group == "RelVY_Teamboss") -> FALSE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Orgaleitung_1") { authentik-freeradius-1 | (52) Searching for user in group "RelVY_Orgaleitung_1" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (15) authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (52) Checking for user in group objects authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Orgaleitung_1)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (52) --> (&(cn=RelVY_Orgaleitung_1)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph))) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Orgaleitung_1)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (15) authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Orgaleitung_1") -> FALSE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Orgaleitung_2") { authentik-freeradius-1 | (52) Searching for user in group "RelVY_Orgaleitung_2" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (16) authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (52) Checking for user in group objects authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Orgaleitung_2)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (52) --> (&(cn=RelVY_Orgaleitung_2)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph))) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Orgaleitung_2)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (16) authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Orgaleitung_2") -> FALSE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein") { authentik-freeradius-1 | (52) Searching for user in group "RelVY_Verein" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (15) authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (52) Checking for user in group objects authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Verein)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (52) --> (&(cn=RelVY_Verein)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph))) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Verein)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Verein_1)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (16) authentik-freeradius-1 | (52) User is not a member of "RelVY_Verein_1" authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_1") -> FALSE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_2") { authentik-freeradius-1 | (52) Searching for user in group "RelVY_Verein_2" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (15) authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (52) Checking for user in group objects authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Verein_2)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (52) --> (&(cn=RelVY_Verein_2)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph))) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Verein_2)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (15) authentik-freeradius-1 | (52) User is not a member of "RelVY_Verein_2" authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_2") -> FALSE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_3") { authentik-freeradius-1 | (52) Searching for user in group "RelVY_Verein_3" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (16) authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (16) authentik-freeradius-1 | (52) User is not a member of "RelVY_Verein_3" authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_3") -> FALSE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_4") { authentik-freeradius-1 | (52) Searching for user in group "RelVY_Verein_4" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (15) authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (52) Checking for user in group objects authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Verein_4)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (52) --> (&(cn=RelVY_Verein_4)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph))) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Verein_4)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (15) authentik-freeradius-1 | (52) User is not a member of "RelVY_Verein_4" authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_4") -> FALSE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_Vorsitz") { authentik-freeradius-1 | (52) Searching for user in group "RelVY_Verein_Vorsitz" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (16) authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (52) Checking for user in group objects authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Verein_Vorsitz)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (52) --> (&(cn=RelVY_Verein_Vorsitz)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph))) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Verein_Vorsitz)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (16) authentik-freeradius-1 | (52) User is not a member of "RelVY_Verein_Vorsitz" authentik-freeradius-1 | (52) --> (&(cn=RelVY_Teamleader_2)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph))) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Teamleader_2)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (15) authentik-freeradius-1 | (52) User is not a member of "RelVY_Teamleader_2" authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Teamleader_2") -> FALSE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Team_2") { authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Search returned no results authentik-freeradius-1 | (52) Checking user object's memberOf attributes authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1" authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" to group name authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (16) authentik-freeradius-1 | (52) User is not a member of "RelVY_Team_2" authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Team_2") -> FALSE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Teamleader_1") { authentik-freeradius-1 | (52) Searching for user in group "RelVY_Teamleader_1" authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (15) authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | (52) Checking for user in group objects authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Teamleader_1)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))) authentik-freeradius-1 | (52) --> (&(cn=RelVY_Teamleader_1)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph))) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Teamleader_1)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | (52) User found in group object "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" authentik-freeradius-1 | rlm_ldap (ldap): Released connection (15) authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Teamleader_1") -> TRUE authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Teamleader_1") { authentik-freeradius-1 | (52) update reply { authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (16) authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Teamleader_1)(member=*christoph*))", scope "one" authentik-freeradius-1 | (52) Waiting for search result... authentik-freeradius-1 | rlm_ldap (ldap): Released connection (16) authentik-freeradius-1 | (52) EXPAND %{%{ldap:ldap:///ou=groups,dc=ldap,dc=example,dc=com?Tunnel-Private-Group-Id?one?(&(cn=RelVY_Teamleader_1)(member=*%{&control:User-Name}*))}:-20} authentik-freeradius-1 | (52) --> 11 authentik-freeradius-1 | (52) &Tunnel-Private-Group-Id = 11 authentik-freeradius-1 | (52) } # update reply = noop authentik-freeradius-1 | (52) } # elsif (LDAP-Group == "RelVY_Teamleader_1") = noop authentik-freeradius-1 | (52) ... skipping elsif: Preceding "if" was taken authentik-freeradius-1 | (52) ... skipping elsif: Preceding "if" was taken authentik-freeradius-1 | (52) ... skipping elsif: Preceding "if" was taken authentik-freeradius-1 | (52) ... skipping elsif: Preceding "if" was taken authentik-freeradius-1 | (52) ... skipping elsif: Preceding "if" was taken authentik-freeradius-1 | (52) ... skipping else: Preceding "if" was taken authentik-freeradius-1 | (52) [updated] = updated authentik-freeradius-1 | (52) } # post-auth = updated authentik-freeradius-1 | (52) Sent Access-Accept Id 53 from 172.16.1.2:1812 to 172.16.1.1:49514 length 60 authentik-freeradius-1 | (52) Framed-MTU += 994 authentik-freeradius-1 | (52) Tunnel-Type = VLAN authentik-freeradius-1 | (52) Tunnel-Medium-Type = IEEE-802 authentik-freeradius-1 | (52) Finished request authentik-freeradius-1 | Waking up in 2.0 seconds. authentik-freeradius-1 | (53) Cleaning up request packet ID 54 with timestamp +11392 due to cleanup_delay was reached authentik-freeradius-1 | Waking up in 2.9 seconds. authentik-freeradius-1 | (52) Cleaning up request packet ID 53 with timestamp +11387 due to cleanup_delay was reached authentik-freeradius-1 | Ready to process requests Here is the corresponding tcpdump: 11:02:54.478033 IP (tos 0x0, ttl 64, id 16203, offset 0, flags [DF], proto UDP (17), length 166) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 138 Access-Request (1), id: 0x2e, Authenticator: 4b738f889cbc442647b2c2e8536f3ccf User-Name Attribute (1), length: 19, Value: apple_lan_thatsme EAP-Message Attribute (79), length: 24, Value: Response (2), id 2, len 22 Type Identity (1), Identity: apple_lan_thatsme NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com NAS-Port Attribute (5), length: 6, Value: 3 NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4 Service-Type Attribute (6), length: 6, Value: Framed Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E NAS-Port-Type Attribute (61), length: 6, Value: Ethernet Message-Authenticator Attribute (80), length: 18, Value: .....O.Z'.x. .g. 11:02:54.479542 IP (tos 0x0, ttl 63, id 29929, offset 0, flags [DF], proto UDP (17), length 92) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 64 Access-Challenge (11), id: 0x2e, Authenticator: d7071e95b29ff0017add0f037e666954 Message-Authenticator Attribute (80), length: 18, Value: ...-.. ).@...9.. EAP-Message Attribute (79), length: 8, Value: Request (1), id 3, len 6 Type TTLS (21) TTLSv0 flags [Start bit] 0x20 State Attribute (24), length: 18, Value: -7..-4.........< 11:02:54.485256 IP (tos 0x0, ttl 64, id 16204, offset 0, flags [DF], proto UDP (17), length 323) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 295 Access-Request (1), id: 0x2f, Authenticator: 4b738f889cbc442647b2c2e8536f3ccf User-Name Attribute (1), length: 19, Value: apple_lan_thatsme EAP-Message Attribute (79), length: 163, Value: Response (2), id 3, len 161 Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 151 NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com NAS-Port Attribute (5), length: 6, Value: 3 NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4 Service-Type Attribute (6), length: 6, Value: Framed Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E NAS-Port-Type Attribute (61), length: 6, Value: Ethernet State Attribute (24), length: 18, Value: -7..-4.........< Message-Authenticator Attribute (80), length: 18, Value: m.1$./..(.W..'.) 11:02:54.495593 IP (tos 0x0, ttl 63, id 29939, offset 0, flags [DF], proto UDP (17), length 1092) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 1064 Access-Challenge (11), id: 0x2f, Authenticator: 3fbed79113c4ccfc7b70b06bfe90ddc6 Message-Authenticator Attribute (80), length: 18, Value: ......>.?......> EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 243, Value: EAP fragment? State Attribute (24), length: 18, Value: -7..,3.........< 11:02:54.508580 IP (tos 0x0, ttl 64, id 16206, offset 0, flags [DF], proto UDP (17), length 168) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 140 Access-Request (1), id: 0x30, Authenticator: 3328535e7b536cf9b318055d8dce19fa User-Name Attribute (1), length: 19, Value: apple_lan_thatsme EAP-Message Attribute (79), length: 8, Value: Response (2), id 4, len 6 Type TTLS (21) TTLSv0 flags [none] 0x00 NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com NAS-Port Attribute (5), length: 6, Value: 3 NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4 Service-Type Attribute (6), length: 6, Value: Framed Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E NAS-Port-Type Attribute (61), length: 6, Value: Ethernet State Attribute (24), length: 18, Value: -7..,3.........< Message-Authenticator Attribute (80), length: 18, Value: ....=....%.....# 11:02:54.510434 IP (tos 0x0, ttl 63, id 29954, offset 0, flags [DF], proto UDP (17), length 1092) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 1064 Access-Challenge (11), id: 0x30, Authenticator: f1155949a826c03d78b88c8716492fc5 Message-Authenticator Attribute (80), length: 18, Value: ^.Q.Vj.{.q_..... EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 243, Value: EAP fragment? State Attribute (24), length: 18, Value: -7../2.........< 11:02:54.513539 IP (tos 0x0, ttl 64, id 16207, offset 0, flags [DF], proto UDP (17), length 168) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 140 Access-Request (1), id: 0x31, Authenticator: 3328535e7b536cf9b318055d8dce19fa User-Name Attribute (1), length: 19, Value: apple_lan_thatsme EAP-Message Attribute (79), length: 8, Value: Response (2), id 5, len 6 Type TTLS (21) TTLSv0 flags [none] 0x00 NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com NAS-Port Attribute (5), length: 6, Value: 3 NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4 Service-Type Attribute (6), length: 6, Value: Framed Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E NAS-Port-Type Attribute (61), length: 6, Value: Ethernet State Attribute (24), length: 18, Value: -7../2.........< Message-Authenticator Attribute (80), length: 18, Value: ~.5.n.`....B..z. 11:02:54.514849 IP (tos 0x0, ttl 63, id 29957, offset 0, flags [DF], proto UDP (17), length 1092) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 1064 Access-Challenge (11), id: 0x31, Authenticator: 4c61ec5020319a7800baf316893e7018 Message-Authenticator Attribute (80), length: 18, Value: .$+R.R..d..o.s2. EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 243, Value: EAP fragment? State Attribute (24), length: 18, Value: -7...1.........< 11:02:54.518103 IP (tos 0x0, ttl 64, id 16208, offset 0, flags [DF], proto UDP (17), length 168) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 140 Access-Request (1), id: 0x32, Authenticator: 3328535e7b536cf9b318055d8dce19fa User-Name Attribute (1), length: 19, Value: apple_lan_thatsme EAP-Message Attribute (79), length: 8, Value: Response (2), id 6, len 6 Type TTLS (21) TTLSv0 flags [none] 0x00 NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com NAS-Port Attribute (5), length: 6, Value: 3 NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4 Service-Type Attribute (6), length: 6, Value: Framed Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E NAS-Port-Type Attribute (61), length: 6, Value: Ethernet State Attribute (24), length: 18, Value: -7...1.........< Message-Authenticator Attribute (80), length: 18, Value: .?._.....{.k)... 11:02:54.519623 IP (tos 0x0, ttl 63, id 29960, offset 0, flags [DF], proto UDP (17), length 1092) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 1064 Access-Challenge (11), id: 0x32, Authenticator: 678824bd907c75c8b2d8dc6ff22aeb60 Message-Authenticator Attribute (80), length: 18, Value: ........Y..{.... EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 255, Value: EAP fragment? EAP-Message Attribute (79), length: 243, Value: EAP fragment? State Attribute (24), length: 18, Value: -7..)0.........< 11:02:54.522606 IP (tos 0x0, ttl 64, id 16209, offset 0, flags [DF], proto UDP (17), length 168) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 140 Access-Request (1), id: 0x33, Authenticator: 3328535e7b536cf9b318055d8dce19fa User-Name Attribute (1), length: 19, Value: apple_lan_thatsme EAP-Message Attribute (79), length: 8, Value: Response (2), id 7, len 6 Type TTLS (21) TTLSv0 flags [none] 0x00 NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com NAS-Port Attribute (5), length: 6, Value: 3 NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4 Service-Type Attribute (6), length: 6, Value: Framed Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E NAS-Port-Type Attribute (61), length: 6, Value: Ethernet State Attribute (24), length: 18, Value: -7..)0.........< Message-Authenticator Attribute (80), length: 18, Value: ..WBd!km..t..i.. 11:02:54.523961 IP (tos 0x0, ttl 63, id 29962, offset 0, flags [DF], proto UDP (17), length 156) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 128 Access-Challenge (11), id: 0x33, Authenticator: 0304fcd86e7f86ba4c2a0b92bd96ae44 Message-Authenticator Attribute (80), length: 18, Value: h..o..../f..V... EAP-Message Attribute (79), length: 72, Value: Request (1), id 8, len 70 Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 4020 State Attribute (24), length: 18, Value: -7..(?.........< 11:02:54.535647 IP (tos 0x0, ttl 64, id 16210, offset 0, flags [DF], proto UDP (17), length 298) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 270 Access-Request (1), id: 0x34, Authenticator: 4fd8cd77ef97eaabb05b6a6788b19ff9 User-Name Attribute (1), length: 19, Value: apple_lan_thatsme EAP-Message Attribute (79), length: 138, Value: Response (2), id 8, len 136 Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 126 NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com NAS-Port Attribute (5), length: 6, Value: 3 NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4 Service-Type Attribute (6), length: 6, Value: Framed Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E NAS-Port-Type Attribute (61), length: 6, Value: Ethernet State Attribute (24), length: 18, Value: -7..(?.........< Message-Authenticator Attribute (80), length: 18, Value: 1..XY...K.~$C... 11:02:54.539823 IP (tos 0x0, ttl 63, id 29975, offset 0, flags [DF], proto UDP (17), length 147) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 119 Access-Challenge (11), id: 0x34, Authenticator: 2d0dcced9b854c9b21bc8f66158d5f53 Message-Authenticator Attribute (80), length: 18, Value: ..$.3..#...:..U. EAP-Message Attribute (79), length: 63, Value: Request (1), id 9, len 61 Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 51 State Attribute (24), length: 18, Value: -7..+>.........< 11:02:54.542691 IP (tos 0x0, ttl 64, id 16211, offset 0, flags [DF], proto UDP (17), length 245) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 217 Access-Request (1), id: 0x35, Authenticator: 4fd8cd77ef97eaabb05b6a6788b19ff9 User-Name Attribute (1), length: 19, Value: apple_lan_thatsme EAP-Message Attribute (79), length: 85, Value: Response (2), id 9, len 83 Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 73 NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com NAS-Port Attribute (5), length: 6, Value: 3 NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4 Service-Type Attribute (6), length: 6, Value: Framed Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E NAS-Port-Type Attribute (61), length: 6, Value: Ethernet State Attribute (24), length: 18, Value: -7..+>.........< Message-Authenticator Attribute (80), length: 18, Value: x....g.q..R..... 11:02:59.486633 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.1 tell SG3206X-M2.example.com, length 46 11:02:59.486636 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.0.0.1 is-at 00:00:5e:00:01:02 (oui IANA), length 28 11:02:59.537570 IP (tos 0x0, ttl 64, id 16391, offset 0, flags [DF], proto UDP (17), length 227) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 199 Access-Request (1), id: 0x36, Authenticator: 1c90635e4f03a9b669a2402965fc8e41 User-Name Attribute (1), length: 19, Value: apple_lan_thatsme EAP-Message Attribute (79), length: 85, Value: Response (2), id 9, len 83 Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 73 NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com NAS-Port Attribute (5), length: 6, Value: 3 NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4 Service-Type Attribute (6), length: 6, Value: Framed Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E NAS-Port-Type Attribute (61), length: 6, Value: Ethernet Message-Authenticator Attribute (80), length: 18, Value: ..-s...f .... .. 11:03:00.540835 IP (tos 0x0, ttl 63, id 34812, offset 0, flags [DF], proto UDP (17), length 66) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 38 Access-Reject (3), id: 0x36, Authenticator: d657e1caadf330afa206db0ffe469c17 Message-Authenticator Attribute (80), length: 18, Value: pK.._.....JN.j\0 11:03:02.449220 IP (tos 0x0, ttl 63, id 35102, offset 0, flags [DF], proto UDP (17), length 88) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 60 Access-Accept (2), id: 0x35, Authenticator: dfd3f8ac0586d2551621d599d5a00839 Message-Authenticator Attribute (80), length: 18, Value: .d.U.....q.K.... Framed-MTU Attribute (12), length: 6, Value: 994 Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] VLAN Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802 Tunnel-Private-Group-ID Attribute (81), length: 4, Value: 11