I only managed to make it work if i set "proxy_tunneled_request_as_eap = no" in my eap conf. From what I understand, It makes using plain mschapv2 between proxy and backend and not eap_mschapv2. But I think there is something weird in the end: It is like response sent from the backend server is not sent back to the client using the established PEAP tunnel, but it is send directly as it is in the outer tunnel. So it seems to work, but I see nothing saved in my TLS cache. Below the full debug: FreeRADIUS Version 3.2.4 Copyright (C) 1999-2023 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/3.0/dictionary including configuration file /etc/freeradius/3.0/radiusd.conf including configuration file /etc/freeradius/3.0/proxy.conf including configuration file /etc/freeradius/3.0/clients.conf including files in directory /etc/freeradius/3.0/mods-enabled/ including configuration file /etc/freeradius/3.0/mods-enabled/ldap_ms-auth-04 including configuration file /etc/freeradius/3.0/mods-enabled/linelog including configuration file /etc/freeradius/3.0/mods-enabled/cache_wifi including configuration file /etc/freeradius/3.0/mods-enabled/eap_wlan_dot1x including configuration file /etc/freeradius/3.0/mods-enabled/cache_local including configuration file /etc/freeradius/3.0/mods-enabled/redis-lan including configuration file /etc/freeradius/3.0/mods-enabled/eap_lan_dot1x including configuration file /etc/freeradius/3.0/mods-enabled/redis-wlan including configuration file /etc/freeradius/3.0/mods-enabled/detail including configuration file /etc/freeradius/3.0/mods-enabled/preprocess including configuration file /etc/freeradius/3.0/mods-enabled/logintime including configuration file /etc/freeradius/3.0/mods-enabled/expiration including configuration file /etc/freeradius/3.0/mods-enabled/digest including configuration file /etc/freeradius/3.0/mods-enabled/exec including configuration file /etc/freeradius/3.0/mods-enabled/mschap including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp including configuration file /etc/freeradius/3.0/mods-enabled/radutmp including configuration file /etc/freeradius/3.0/mods-enabled/replicate including configuration file /etc/freeradius/3.0/mods-enabled/echo including configuration file /etc/freeradius/3.0/mods-enabled/unix including configuration file /etc/freeradius/3.0/mods-enabled/unpack including configuration file /etc/freeradius/3.0/mods-enabled/python3 including configuration file /etc/freeradius/3.0/mods-enabled/utf8 including configuration file /etc/freeradius/3.0/mods-enabled/my_module_ldap_m2 including configuration file /etc/freeradius/3.0/mods-enabled/ldap_ms-auth-00 including configuration file /etc/freeradius/3.0/mods-enabled/ldap_ms-auth-02 including configuration file /etc/freeradius/3.0/mods-enabled/cache including configuration file /etc/freeradius/3.0/mods-enabled/chap including configuration file /etc/freeradius/3.0/mods-enabled/my_module_sql including configuration file /etc/freeradius/3.0/mods-config/sql/main/postgresql/queries.conf including configuration file /etc/freeradius/3.0/mods-enabled/cache_wired including configuration file /etc/freeradius/3.0/mods-enabled/eap including configuration file /etc/freeradius/3.0/mods-enabled/ldap_ms-auth-01 including configuration file /etc/freeradius/3.0/mods-enabled/realm including configuration file /etc/freeradius/3.0/mods-enabled/passwd including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter including configuration file /etc/freeradius/3.0/mods-enabled/expr including configuration file /etc/freeradius/3.0/mods-enabled/my_module_files including configuration file /etc/freeradius/3.0/mods-enabled/cache_laps including configuration file /etc/freeradius/3.0/mods-enabled/pap including configuration file /etc/freeradius/3.0/mods-enabled/soh including configuration file /etc/freeradius/3.0/mods-enabled/always including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth including configuration file /etc/freeradius/3.0/mods-enabled/detail.log including files in directory /etc/freeradius/3.0/policy.d/ including configuration file /etc/freeradius/3.0/policy.d/filter including configuration file /etc/freeradius/3.0/policy.d/abfab-tr including configuration file /etc/freeradius/3.0/policy.d/my_policy_ldap_group including configuration file /etc/freeradius/3.0/policy.d/control including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids including configuration file /etc/freeradius/3.0/policy.d/my_policy_username including configuration file /etc/freeradius/3.0/policy.d/my_policy_vlan-inner including configuration file /etc/freeradius/3.0/policy.d/cui including configuration file /etc/freeradius/3.0/policy.d/eap including configuration file /etc/freeradius/3.0/policy.d/my_policy_vlan-outer including configuration file /etc/freeradius/3.0/policy.d/dhcp including configuration file /etc/freeradius/3.0/policy.d/canonicalization including configuration file /etc/freeradius/3.0/policy.d/extreme-macaddress including configuration file /etc/freeradius/3.0/policy.d/debug including configuration file /etc/freeradius/3.0/policy.d/operator-name including configuration file /etc/freeradius/3.0/policy.d/accounting including files in directory /etc/freeradius/3.0/sites-enabled/ including configuration file /etc/freeradius/3.0/sites-enabled/inner-lan-dot1x including configuration file /etc/freeradius/3.0/sites-enabled/control-socket including configuration file /etc/freeradius/3.0/sites-enabled/inner-wlan-dot1x including configuration file /etc/freeradius/3.0/sites-enabled/tls-cache-wlan including configuration file /etc/freeradius/3.0/sites-enabled/dot1x including files in directory /etc/freeradius/3.0/server.d/ including configuration file /etc/freeradius/3.0/server.d/lan-dot1x including configuration file /etc/freeradius/3.0/server.d/wlan-dot1x including configuration file /etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel including configuration file /etc/freeradius/3.0/sites-enabled/tls-cache-lan main { security { user = "freerad" group = "freerad" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 proxy_dedup_window = 1 cleanup_delay = 5 max_requests = 65535 max_fds = 512 postauth_client_lost = yes pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = yes auth = yes auth_badpass = no auth_goodpass = yes msg_badpass = "ALARM %{request:User-Name} V:%{%{%{reply:Extreme-Netlogin-Extended-Vlan}:-%{reply:Tunnel-Private-Group-Id}}:-UXXX} S:%{%{%{request:NAS-IP-Address}:-%{outer.request:NAS-IP-Address}}:-none} P:%{%{%{request:NAS-Port}:-%{outer.request:NAS-Port}}:-none} N:%{%{%{request:NAS-Identifier}:-%{outer.request:NAS-Identifier}}:-none} M:%{%{%{request:Calling-Station-Id}:-%{outer.request:Calling-Station-Id}}:-none} LDAP:%{%{control:ldap_AD-LDAP-Group}:-none} SR:%{%{request:EAP-Session-Resumed}:-none} H:%{%{request:Cache-Entry-Hits}:-0}" msg_goodpass = "OK %{request:User-Name} V:%{%{%{reply:Extreme-Netlogin-Extended-Vlan}:-%{reply:Tunnel-Private-Group-Id}}:-UXXX} S:%{%{%{request:NAS-IP-Address}:-%{outer.request:NAS-IP-Address}}:-none} P:%{%{%{request:NAS-Port}:-%{outer.request:NAS-Port}}:-none} N:%{%{%{request:NAS-Identifier}:-%{outer.request:NAS-Identifier}}:-none} M:%{%{%{request:Calling-Station-Id}:-%{outer.request:Calling-Station-Id}}:-none} LDAP:%{%{control:ldap_AD-LDAP-Group}:-none} SR:%{%{request:EAP-Session-Resumed}:-none} H:%{%{request:Cache-Entry-Hits}:-0}" colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = no } } radiusd: #### Loading Realms and Home Servers #### home_server nps_cabinet { nonblock = no ipaddr = 10.116.249.13 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server nps_server { nonblock = no ipaddr = 10.167.73.13 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool nps_pool { type = fail-over home_server = nps_server } realm nps_realm { auth_pool = nps_pool } realm PREPROD { auth_pool = nps_pool } home_server_pool cabinet_pool { type = fail-over home_server = nps_cabinet } realm CABINET { auth_pool = cabinet_pool } realm FORMATION { auth_pool = cabinet_pool nostrip } radiusd: #### Loading Clients #### client test { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> shortname = "localhost" nas_type = "other" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client test2 { ipaddr = 10.128.0.12 require_message_authenticator = no secret = <<< secret >>> shortname = "star-trek4" nas_type = "other" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client SWITCH { ipaddr = 10.128.0.0/20 require_message_authenticator = no secret = <<< secret >>> shortname = "SWITCH" nas_type = "other" virtual_server = "lan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.255.255.0/25 { ipaddr = 10.255.255.0/25 require_message_authenticator = no secret = <<< secret >>> shortname = "LAN_Switch_SNUM" virtual_server = "lan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.128.0.220 { ipaddr = 10.128.0.220 require_message_authenticator = no secret = <<< secret >>> shortname = "centreon-seq" nas_type = "other" virtual_server = "lan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.128.0.221 { ipaddr = 10.128.0.221 require_message_authenticator = no secret = <<< secret >>> shortname = "centreon-aps" nas_type = "other" virtual_server = "lan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.166.110.0/25 { ipaddr = 10.166.110.0/25 require_message_authenticator = no secret = <<< secret >>> shortname = "LAN_Switch_SNUM_110" virtual_server = "lan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.166.110.192/27 { ipaddr = 10.166.110.192/27 require_message_authenticator = no secret = <<< secret >>> shortname = "LAN_Switch_SNUM_110" virtual_server = "lan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.166.111.0/25 { ipaddr = 10.166.111.0/25 require_message_authenticator = no secret = <<< secret >>> shortname = "LAN_Switch_SNUM_111" virtual_server = "lan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.166.112.0/25 { ipaddr = 10.166.112.0/25 require_message_authenticator = no secret = <<< secret >>> shortname = "LAN_Switch_SNUM_112" virtual_server = "lan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.166.112.192/27 { ipaddr = 10.166.112.192/27 require_message_authenticator = no secret = <<< secret >>> shortname = "LAN_Switch_SNUM_112" virtual_server = "lan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.166.113.0/25 { ipaddr = 10.166.113.0/25 require_message_authenticator = no secret = <<< secret >>> shortname = "LAN_Switch_SNUM_113" virtual_server = "lan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.166.114.0/25 { ipaddr = 10.166.114.0/25 require_message_authenticator = no secret = <<< secret >>> shortname = "LAN_Switch_SNUM_114" virtual_server = "lan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.166.115.0/25 { ipaddr = 10.166.115.0/25 require_message_authenticator = no secret = <<< secret >>> shortname = "LAN_Switch_SNUM_115" virtual_server = "lan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.166.115.128/26 { ipaddr = 10.166.115.128/26 require_message_authenticator = no secret = <<< secret >>> shortname = "LAN_Switch_SNUM_115" virtual_server = "lan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.166.116.0/25 { ipaddr = 10.166.116.0/25 require_message_authenticator = no secret = <<< secret >>> shortname = "LAN_Switch_SNUM_116" virtual_server = "lan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.166.117.0/25 { ipaddr = 10.166.117.0/25 require_message_authenticator = no secret = <<< secret >>> shortname = "LAN_Switch_SNUM_117" virtual_server = "lan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client BORNE { ipaddr = 10.128.96.0/20 require_message_authenticator = no secret = <<< secret >>> shortname = "BORNE" nas_type = "other" virtual_server = "wlan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.166.110.224/27 { ipaddr = 10.166.110.224/27 require_message_authenticator = no secret = <<< secret >>> shortname = "WLAN_Switch_SNUM_110" virtual_server = "wlan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.166.111.224/27 { ipaddr = 10.166.111.224/27 require_message_authenticator = no secret = <<< secret >>> shortname = "WLAN_Switch_SNUM_111" virtual_server = "wlan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.166.112.224/27 { ipaddr = 10.166.112.224/27 require_message_authenticator = no secret = <<< secret >>> shortname = "WLAN_Switch_SNUM_112" virtual_server = "wlan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.166.113.224/27 { ipaddr = 10.166.113.224/27 require_message_authenticator = no secret = <<< secret >>> shortname = "WLAN_Switch_SNUM_113" virtual_server = "wlan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.166.114.224/27 { ipaddr = 10.166.114.224/27 require_message_authenticator = no secret = <<< secret >>> shortname = "WLAN_Switch_SNUM_114" virtual_server = "wlan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.166.115.224/27 { ipaddr = 10.166.115.224/27 require_message_authenticator = no secret = <<< secret >>> shortname = "WLAN_Switch_SNUM_115" virtual_server = "wlan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.166.116.224/27 { ipaddr = 10.166.116.224/27 require_message_authenticator = no secret = <<< secret >>> shortname = "WLAN_Switch_SNUM_116" virtual_server = "wlan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.166.117.224/27 { ipaddr = 10.166.117.224/27 require_message_authenticator = no secret = <<< secret >>> shortname = "WLAN_Switch_SNUM_117" virtual_server = "wlan-dot1x" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached systemd watchdog is disabled # Creating Auth-Type = eap # Creating Auth-Type = eap_wlan_dot1x # Creating Auth-Type = MS-CHAP # Creating Auth-Type = eap_lan_dot1x radiusd: #### Instantiating modules #### modules { # Loaded module rlm_ldap # Loading module "ldap_msauth04" from file /etc/freeradius/3.0/mods-enabled/ldap_ms-auth-04 ldap ldap_msauth04 { server = "ldaps://ms-auth-04.auth.ad.e2.rie.gouv.fr" port = 636 sasl { } user { scope = "sub" access_positive = yes sasl { } } group { filter = "(objectClass=group)" scope = "sub" name_attribute = "cn" membership_filter = "(member:1.2.840.113556.1.4.1941:=%{tolower:%{control:Ldap-UserDn}})(|(cn=aib.grp.vlan.*)(cn=integrateur))" cacheable_name = yes cacheable_dn = no cache_attribute = "ldap_AD-LDAP-Group" allow_dangling_group_ref = no } client { filter = "(objectClass=radiusClient)" scope = "sub" base_dn = "dc=equipement,dc=gouv,dc=fr" } profile { } options { ldap_debug = 0 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 10 srv_timelimit = 3 idle = 60 probes = 3 interval = 3 } tls { ca_file = "/etc/freeradius/3.0/certs/ac-mte-applicative-10ans.pem" check_crl = no start_tls = no require_cert = "hard" } } Creating attribute ldap_msauth04-LDAP-Group # Loaded module rlm_linelog # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_cache # Loading module "cache_wifi" from file /etc/freeradius/3.0/mods-enabled/cache_wifi cache cache_wifi { driver = "rlm_cache_rbtree" key = "%{User-Name}@%{%{&outer.request:Symbol-Current-ESSID}:-%{request:Symbol-Current-ESSID}}" ttl = 600 max_entries = 0 epoch = 0 add_stats = yes } # Loaded module rlm_eap # Loading module "eap_wlan_dot1x" from file /etc/freeradius/3.0/mods-enabled/eap_wlan_dot1x eap eap_wlan_dot1x { default_eap_type = "peap" timer_expire = 60 max_eap_type = 52 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 65535 dedup_key = "" } # Loading module "cache_local" from file /etc/freeradius/3.0/mods-enabled/cache_local cache cache_local { driver = "rlm_cache_rbtree" key = "%{User-Name}@%{%{&outer.request:NAS-IP-Address}:-%{request:NAS-IP-Address}}" ttl = 36000 max_entries = 0 epoch = 0 add_stats = yes } # Loaded module rlm_redis # Loading module "redis-lan" from file /etc/freeradius/3.0/mods-enabled/redis-lan redis redis-lan { server = "127.0.0.1" port = 6379 database = 0 query_timeout = 5 } rlm_redis: libhiredis version: 0.14.1 # Loading module "eap_lan_dot1x" from file /etc/freeradius/3.0/mods-enabled/eap_lan_dot1x eap eap_lan_dot1x { default_eap_type = "peap" timer_expire = 60 max_eap_type = 52 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 65535 dedup_key = "" } # Loading module "redis-wlan" from file /etc/freeradius/3.0/mods-enabled/redis-wlan redis redis-wlan { server = "127.0.0.1" port = 6379 database = 1 query_timeout = 5 } rlm_redis: libhiredis version: 0.14.1 # Loaded module rlm_detail # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/3.0/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest # Loaded module rlm_exec # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec exec { wait = yes input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_mschap # Loading module "mschap_AD" from file /etc/freeradius/3.0/mods-enabled/mschap mschap mschap_AD { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loading module "mschap_LOCAL" from file /etc/freeradius/3.0/mods-enabled/mschap mschap mschap_LOCAL { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_radutmp # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack # Loaded module rlm_python3 # Loading module "python3" from file /etc/freeradius/3.0/mods-enabled/python3 python3 { mod_authorize = "laps" func_authorize = "authorize" python_path = "/etc/freeradius/3.0/mods-config/python3:/usr/local/lib/python3.10/dist-packages" cext_compat = yes pass_all_vps = no pass_all_vps_dict = no } # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8 # Loading module "ldap_M2" from file /etc/freeradius/3.0/mods-enabled/my_module_ldap_m2 ldap ldap_M2 { server = "ldaps://ldapap.m2.e2.rie.gouv.fr" port = 636 sasl { } user { scope = "sub" access_positive = yes sasl { } } group { scope = "sub" name_attribute = "cn" cacheable_name = no cacheable_dn = no allow_dangling_group_ref = no } client { filter = "(objectClass=radiusClient)" scope = "sub" base_dn = "dc=equipement,dc=gouv,dc=fr" } profile { } options { ldap_debug = 0 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 10 srv_timelimit = 3 idle = 60 probes = 3 interval = 3 } tls { ca_file = "/etc/freeradius/3.0/certs/isrg-root-x1-cross-signed.pem" check_crl = no start_tls = no require_cert = "never" } } Creating attribute ldap_M2-LDAP-Group # Loading module "ldap_msauth00" from file /etc/freeradius/3.0/mods-enabled/ldap_ms-auth-00 ldap ldap_msauth00 { server = "ldaps://ms-auth-00.auth.ad.e2.rie.gouv.fr" port = 636 identity = "radius.ac" password = <<< secret >>> sasl { } user { scope = "sub" access_positive = yes sasl { } } group { filter = "(objectClass=group)" scope = "sub" name_attribute = "cn" membership_filter = "(member:1.2.840.113556.1.4.1941:=%{tolower:%{control:Ldap-UserDn}})(|(cn=aib.grp.vlan.*)(cn=integrateur))" cacheable_name = yes cacheable_dn = no cache_attribute = "ldap_AD-LDAP-Group" allow_dangling_group_ref = no } client { filter = "(objectClass=radiusClient)" scope = "sub" base_dn = "dc=equipement,dc=gouv,dc=fr" } profile { } options { ldap_debug = 0 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 10 srv_timelimit = 3 idle = 60 probes = 3 interval = 3 } tls { ca_file = "/etc/freeradius/3.0/certs/ac-mte-applicative-10ans.pem" check_crl = no start_tls = no require_cert = "hard" } } Creating attribute ldap_msauth00-LDAP-Group # Loading module "ldap_msauth02" from file /etc/freeradius/3.0/mods-enabled/ldap_ms-auth-02 ldap ldap_msauth02 { server = "ldaps://ms-auth-02.auth.ad.e2.rie.gouv.fr" port = 636 sasl { } user { scope = "sub" access_positive = yes sasl { } } group { filter = "(objectClass=group)" scope = "sub" name_attribute = "cn" membership_filter = "(member:1.2.840.113556.1.4.1941:=%{tolower:%{control:Ldap-UserDn}})(|(cn=aib.grp.vlan.*)(cn=integrateur))" cacheable_name = yes cacheable_dn = no cache_attribute = "ldap_AD-LDAP-Group" allow_dangling_group_ref = no } client { filter = "(objectClass=radiusClient)" scope = "sub" base_dn = "dc=equipement,dc=gouv,dc=fr" } profile { } options { ldap_debug = 0 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 10 srv_timelimit = 3 idle = 60 probes = 3 interval = 3 } tls { ca_file = "/etc/freeradius/3.0/certs/ac-mte-applicative-10ans.pem" check_crl = no start_tls = no require_cert = "hard" } } Creating attribute ldap_msauth02-LDAP-Group # Loading module "cache" from file /etc/freeradius/3.0/mods-enabled/cache cache { driver = "rlm_cache_rbtree" key = "%{User-Name}@%{%{&outer.request:NAS-IP-Address}:-%{request:NAS-IP-Address}}@%{%{&outer.request:Calling-Station-Id}:-%{request:Calling-Station-Id}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = yes } # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap # Loaded module rlm_sql # Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/my_module_sql sql { driver = "rlm_sql_postgresql" server = "10.128.0.10" port = 5432 login = "intranet" password = <<< secret >>> radius_db = "macip" read_groups = yes read_profiles = yes read_clients = no delete_stale_sessions = yes sql_user_name = "%{User-Name}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime IS NULL" simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" auto_escape = no accounting { reference = "%{tolower:type.%{%{Acct-Status-Type}:-none}.query}" type { accounting-on { query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime))), AcctTerminateCause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE AcctStopTime IS NULL AND NASIPAddress= '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' AND AcctStartTime <= '%S'::timestamp" } accounting-off { query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime))), AcctTerminateCause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE AcctStopTime IS NULL AND NASIPAddress= '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' AND AcctStartTime <= '%S'::timestamp" } start { query = "INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet)" } interim-update { query = "UPDATE radacct SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, AcctSessionTime = %{%{Acct-Session-Time}:-NULL}, AcctInterval = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM (COALESCE(AcctUpdateTime, AcctStartTime)))), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint) WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' AND AcctStopTime IS NULL" } stop { query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = COALESCE(%{%{Acct-Session-Time}:-NULL}, (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime)))), AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), AcctTerminateCause = '%{Acct-Terminate-Cause}', FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, ConnectInfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' AND AcctStopTime IS NULL" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW())" } } rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked Creating attribute SQL-Group # Loading module "cache_wired" from file /etc/freeradius/3.0/mods-enabled/cache_wired cache cache_wired { driver = "rlm_cache_rbtree" key = "%{User-Name}@%{%{&outer.request:NAS-IP-Address}:-%{request:NAS-IP-Address}}" ttl = 600 max_entries = 0 epoch = 0 add_stats = yes } # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap eap { default_eap_type = "peap" timer_expire = 60 max_eap_type = 52 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 65535 dedup_key = "" } # Loading module "ldap_msauth01" from file /etc/freeradius/3.0/mods-enabled/ldap_ms-auth-01 ldap ldap_msauth01 { server = "ldaps://ms-auth-01.auth.ad.e2.rie.gouv.fr" port = 636 identity = "radius.ac" password = <<< secret >>> sasl { } user { scope = "sub" access_positive = yes sasl { } } group { filter = "(objectClass=group)" scope = "sub" name_attribute = "cn" membership_filter = "(member:1.2.840.113556.1.4.1941:=%{tolower:%{control:Ldap-UserDn}})(|(cn=aib.grp.vlan.*)(cn=integrateur))" cacheable_name = yes cacheable_dn = no cache_attribute = "ldap_AD-LDAP-Group" allow_dangling_group_ref = no } client { filter = "(objectClass=radiusClient)" scope = "sub" base_dn = "dc=equipement,dc=gouv,dc=fr" } profile { } options { ldap_debug = 0 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 10 srv_timelimit = 3 idle = 60 probes = 3 interval = 3 } tls { ca_file = "/etc/freeradius/3.0/certs/ac-mte-applicative-10ans.pem" check_crl = no start_tls = no require_cert = "hard" } } Creating attribute ldap_msauth01-LDAP-Group # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_files # Loading module "authfile" from file /etc/freeradius/3.0/mods-enabled/my_module_files files authfile { filename = "/etc/freeradius/3.0/files.d/authfile" } # Loading module "authorized_macs" from file /etc/freeradius/3.0/mods-enabled/my_module_files files authorized_macs { filename = "/etc/freeradius/3.0/files.d/authorized_macs" } # Loading module "cache_laps" from file /etc/freeradius/3.0/mods-enabled/cache_laps cache cache_laps { driver = "rlm_cache_rbtree" key = "%{User-Name}@%{%{&outer.request:Calling-Station-Id}:-%{request:Calling-Station-Id}}" ttl = 36000 max_entries = 0 epoch = 0 add_stats = yes } # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } instantiate { # Instantiating module "ldap_msauth00" from file /etc/freeradius/3.0/mods-enabled/ldap_ms-auth-00 rlm_ldap: libldap vendor: OpenLDAP, version: 20517 accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL !! There may be random issues with TLS connections due to this conflict. !! The server may also crash. !! See https://wiki.freeradius.org/modules/Rlm_ldap for more information. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! rlm_ldap (ldap_msauth00): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 max_retries = 5 spread = no } rlm_ldap (ldap_msauth00): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap_msauth00): Connecting to ldaps://ms-auth-00.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth00): Waiting for bind result... rlm_ldap (ldap_msauth00): Bind successful rlm_ldap (ldap_msauth00): Opening additional connection (1), 1 of 31 pending slots used rlm_ldap (ldap_msauth00): Connecting to ldaps://ms-auth-00.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth00): Waiting for bind result... rlm_ldap (ldap_msauth00): Bind successful rlm_ldap (ldap_msauth00): Opening additional connection (2), 1 of 30 pending slots used rlm_ldap (ldap_msauth00): Connecting to ldaps://ms-auth-00.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth00): Waiting for bind result... rlm_ldap (ldap_msauth00): Bind successful rlm_ldap (ldap_msauth00): Opening additional connection (3), 1 of 29 pending slots used rlm_ldap (ldap_msauth00): Connecting to ldaps://ms-auth-00.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth00): Waiting for bind result... rlm_ldap (ldap_msauth00): Bind successful rlm_ldap (ldap_msauth00): Opening additional connection (4), 1 of 28 pending slots used rlm_ldap (ldap_msauth00): Connecting to ldaps://ms-auth-00.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth00): Waiting for bind result... rlm_ldap (ldap_msauth00): Bind successful # Instantiating module "ldap_msauth01" from file /etc/freeradius/3.0/mods-enabled/ldap_ms-auth-01 accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL !! There may be random issues with TLS connections due to this conflict. !! The server may also crash. !! See https://wiki.freeradius.org/modules/Rlm_ldap for more information. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! rlm_ldap (ldap_msauth01): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 max_retries = 5 spread = no } rlm_ldap (ldap_msauth01): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap_msauth01): Connecting to ldaps://ms-auth-01.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth01): Waiting for bind result... rlm_ldap (ldap_msauth01): Bind successful rlm_ldap (ldap_msauth01): Opening additional connection (1), 1 of 31 pending slots used rlm_ldap (ldap_msauth01): Connecting to ldaps://ms-auth-01.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth01): Waiting for bind result... rlm_ldap (ldap_msauth01): Bind successful rlm_ldap (ldap_msauth01): Opening additional connection (2), 1 of 30 pending slots used rlm_ldap (ldap_msauth01): Connecting to ldaps://ms-auth-01.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth01): Waiting for bind result... rlm_ldap (ldap_msauth01): Bind successful rlm_ldap (ldap_msauth01): Opening additional connection (3), 1 of 29 pending slots used rlm_ldap (ldap_msauth01): Connecting to ldaps://ms-auth-01.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth01): Waiting for bind result... rlm_ldap (ldap_msauth01): Bind successful rlm_ldap (ldap_msauth01): Opening additional connection (4), 1 of 28 pending slots used rlm_ldap (ldap_msauth01): Connecting to ldaps://ms-auth-01.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth01): Waiting for bind result... rlm_ldap (ldap_msauth01): Bind successful # Instantiating module "ldap_msauth02" from file /etc/freeradius/3.0/mods-enabled/ldap_ms-auth-02 accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL !! There may be random issues with TLS connections due to this conflict. !! The server may also crash. !! See https://wiki.freeradius.org/modules/Rlm_ldap for more information. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! rlm_ldap (ldap_msauth02): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 max_retries = 5 spread = no } rlm_ldap (ldap_msauth02): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap_msauth02): Connecting to ldaps://ms-auth-02.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth02): Waiting for bind result... rlm_ldap (ldap_msauth02): Bind successful rlm_ldap (ldap_msauth02): Opening additional connection (1), 1 of 31 pending slots used rlm_ldap (ldap_msauth02): Connecting to ldaps://ms-auth-02.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth02): Waiting for bind result... rlm_ldap (ldap_msauth02): Bind successful rlm_ldap (ldap_msauth02): Opening additional connection (2), 1 of 30 pending slots used rlm_ldap (ldap_msauth02): Connecting to ldaps://ms-auth-02.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth02): Waiting for bind result... rlm_ldap (ldap_msauth02): Bind successful rlm_ldap (ldap_msauth02): Opening additional connection (3), 1 of 29 pending slots used rlm_ldap (ldap_msauth02): Connecting to ldaps://ms-auth-02.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth02): Waiting for bind result... rlm_ldap (ldap_msauth02): Bind successful rlm_ldap (ldap_msauth02): Opening additional connection (4), 1 of 28 pending slots used rlm_ldap (ldap_msauth02): Connecting to ldaps://ms-auth-02.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth02): Waiting for bind result... rlm_ldap (ldap_msauth02): Bind successful # Instantiating module "ldap_msauth04" from file /etc/freeradius/3.0/mods-enabled/ldap_ms-auth-04 accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL !! There may be random issues with TLS connections due to this conflict. !! The server may also crash. !! See https://wiki.freeradius.org/modules/Rlm_ldap for more information. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! rlm_ldap (ldap_msauth04): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 max_retries = 5 spread = no } rlm_ldap (ldap_msauth04): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap_msauth04): Connecting to ldaps://ms-auth-04.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth04): Waiting for bind result... rlm_ldap (ldap_msauth04): Bind successful rlm_ldap (ldap_msauth04): Opening additional connection (1), 1 of 31 pending slots used rlm_ldap (ldap_msauth04): Connecting to ldaps://ms-auth-04.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth04): Waiting for bind result... rlm_ldap (ldap_msauth04): Bind successful rlm_ldap (ldap_msauth04): Opening additional connection (2), 1 of 30 pending slots used rlm_ldap (ldap_msauth04): Connecting to ldaps://ms-auth-04.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth04): Waiting for bind result... rlm_ldap (ldap_msauth04): Bind successful rlm_ldap (ldap_msauth04): Opening additional connection (3), 1 of 29 pending slots used rlm_ldap (ldap_msauth04): Connecting to ldaps://ms-auth-04.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth04): Waiting for bind result... rlm_ldap (ldap_msauth04): Bind successful rlm_ldap (ldap_msauth04): Opening additional connection (4), 1 of 28 pending slots used rlm_ldap (ldap_msauth04): Connecting to ldaps://ms-auth-04.auth.ad.e2.rie.gouv.fr:636 rlm_ldap (ldap_msauth04): Waiting for bind result... rlm_ldap (ldap_msauth04): Bind successful } # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "cache_wifi" from file /etc/freeradius/3.0/mods-enabled/cache_wifi rlm_cache (cache_wifi): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "eap_wlan_dot1x" from file /etc/freeradius/3.0/mods-enabled/eap_wlan_dot1x # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_tls tls { tls = "tls-cae" } tls-config tls-cae { verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr.key" certificate_file = "/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr_avec_chaine_ACs.pem" ca_file = "/etc/freeradius/3.0/certs/AC-ANTSv3-AAE-3.pem" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no ca_path_reload_interval = 0 cipher_list = "DEFAULT@SECLEVEL=0" reject_unknown_intermediate_ca = no ecdh_curve = "prime256v1" disable_tlsv1_1 = no disable_tlsv1_2 = no tls_max_version = "1.2" tls_min_version = "1.0" cache { enable = yes lifetime = 11 name = "EAP module" max_entries = 0 virtual_server = "tls-cache-lan" } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-wlan-dot1x" soh = no require_client_cert = no } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs" pem_file_type = yes private_key_file = "/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr.key" certificate_file = "/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr_avec_chaine_ACs.pem" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no ca_path_reload_interval = 0 cipher_list = "HIGH:MEDIUM:!LOW:!NULL:!EXPORT" reject_unknown_intermediate_ca = no ecdh_curve = "prime256v1" disable_tlsv1_1 = no disable_tlsv1_2 = no tls_max_version = "1.2" tls_min_version = "1.2" cache { enable = yes lifetime = 11 name = "EAP module" max_entries = 0 virtual_server = "tls-cache-wlan" } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no identity = "FreeRADIUS" } # Instantiating module "cache_local" from file /etc/freeradius/3.0/mods-enabled/cache_local rlm_cache (cache_local): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "redis-lan" from file /etc/freeradius/3.0/mods-enabled/redis-lan rlm_redis (redis-lan): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 86400 cleanup_interval = 300 idle_timeout = 600 retry_delay = 30 max_retries = 5 spread = no } rlm_redis (redis-lan): Opening additional connection (0), 1 of 32 pending slots used rlm_redis (redis-lan): Opening additional connection (1), 1 of 31 pending slots used rlm_redis (redis-lan): Opening additional connection (2), 1 of 30 pending slots used rlm_redis (redis-lan): Opening additional connection (3), 1 of 29 pending slots used rlm_redis (redis-lan): Opening additional connection (4), 1 of 28 pending slots used # Instantiating module "eap_lan_dot1x" from file /etc/freeradius/3.0/mods-enabled/eap_lan_dot1x # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_tls tls { tls = "tls-cae" } tls-config tls-cae { verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr.key" certificate_file = "/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr_avec_chaine_ACs.pem" ca_file = "/etc/freeradius/3.0/certs/AC-ANTSv3-AAE-3.pem" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no ca_path_reload_interval = 0 cipher_list = "DEFAULT" reject_unknown_intermediate_ca = no ecdh_curve = "prime256v1" disable_tlsv1_1 = no disable_tlsv1_2 = no tls_max_version = "1.2" tls_min_version = "1.0" cache { enable = yes lifetime = 11 name = "EAP module" max_entries = 0 virtual_server = "tls-cache-lan" } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } tls: In order to use TLS 1.0 and/or TLS 1.1, you likely need to set: cipher_list = "DEFAULT@SECLEVEL=0" # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = yes proxy_tunneled_request_as_eap = no virtual_server = "inner-lan-dot1x" soh = no require_client_cert = no } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs" pem_file_type = yes private_key_file = "/etc/freeradius/3.0/certs/2024_prod_radius.ac.e2.rie.gouv.fr.key" certificate_file = "/etc/freeradius/3.0/certs/2024_prod_radius.ac.e2.rie.gouv.fr_chain.pem" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no ca_path_reload_interval = 0 cipher_list = "DEFAULT@SECLEVEL=0" sigalgs_list = "ECDSA+SHA512:ECDSA+SHA384:ECDSA+SHA256:RSA+SHA512:RSA+SHA384:RSA+SHA256" reject_unknown_intermediate_ca = no ecdh_curve = "prime256v1" tls_max_version = "1.2" tls_min_version = "1.1" cache { enable = yes lifetime = 11 name = "EAP module" max_entries = 0 virtual_server = "tls-cache-lan" } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no identity = "FreeRADIUS" } # Instantiating module "redis-wlan" from file /etc/freeradius/3.0/mods-enabled/redis-wlan rlm_redis (redis-wlan): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 86400 cleanup_interval = 300 idle_timeout = 600 retry_delay = 30 max_retries = 5 spread = no } rlm_redis (redis-wlan): Opening additional connection (0), 1 of 32 pending slots used rlm_redis (redis-wlan): Opening additional connection (1), 1 of 31 pending slots used rlm_redis (redis-wlan): Opening additional connection (2), 1 of 30 pending slots used rlm_redis (redis-wlan): Opening additional connection (3), 1 of 29 pending slots used rlm_redis (redis-wlan): Opening additional connection (4), 1 of 28 pending slots used # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Instantiating module "mschap_AD" from file /etc/freeradius/3.0/mods-enabled/mschap rlm_mschap (mschap_AD): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 86400 cleanup_interval = 300 idle_timeout = 600 retry_delay = 30 max_retries = 5 spread = no } rlm_mschap (mschap_AD): Opening additional connection (0), 1 of 32 pending slots used rlm_mschap (mschap_AD): Opening additional connection (1), 1 of 31 pending slots used rlm_mschap (mschap_AD): Opening additional connection (2), 1 of 30 pending slots used rlm_mschap (mschap_AD): Opening additional connection (3), 1 of 29 pending slots used rlm_mschap (mschap_AD): Opening additional connection (4), 1 of 28 pending slots used rlm_mschap (mschap_AD): authenticating directly to winbind # Instantiating module "mschap_LOCAL" from file /etc/freeradius/3.0/mods-enabled/mschap rlm_mschap (mschap_LOCAL): using internal authentication # Instantiating module "python3" from file /etc/freeradius/3.0/mods-enabled/python3 Python version: 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] # Instantiating module "ldap_M2" from file /etc/freeradius/3.0/mods-enabled/my_module_ldap_m2 accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL !! There may be random issues with TLS connections due to this conflict. !! The server may also crash. !! See https://wiki.freeradius.org/modules/Rlm_ldap for more information. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! rlm_ldap (ldap_M2): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 max_retries = 5 spread = no } rlm_ldap (ldap_M2): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap_M2): Connecting to ldaps://ldapap.m2.e2.rie.gouv.fr:636 rlm_ldap (ldap_M2): Waiting for bind result... rlm_ldap (ldap_M2): Bind successful rlm_ldap (ldap_M2): Opening additional connection (1), 1 of 31 pending slots used rlm_ldap (ldap_M2): Connecting to ldaps://ldapap.m2.e2.rie.gouv.fr:636 rlm_ldap (ldap_M2): Waiting for bind result... rlm_ldap (ldap_M2): Bind successful rlm_ldap (ldap_M2): Opening additional connection (2), 1 of 30 pending slots used rlm_ldap (ldap_M2): Connecting to ldaps://ldapap.m2.e2.rie.gouv.fr:636 rlm_ldap (ldap_M2): Waiting for bind result... rlm_ldap (ldap_M2): Bind successful rlm_ldap (ldap_M2): Opening additional connection (3), 1 of 29 pending slots used rlm_ldap (ldap_M2): Connecting to ldaps://ldapap.m2.e2.rie.gouv.fr:636 rlm_ldap (ldap_M2): Waiting for bind result... rlm_ldap (ldap_M2): Bind successful rlm_ldap (ldap_M2): Opening additional connection (4), 1 of 28 pending slots used rlm_ldap (ldap_M2): Connecting to ldaps://ldapap.m2.e2.rie.gouv.fr:636 rlm_ldap (ldap_M2): Waiting for bind result... rlm_ldap (ldap_M2): Bind successful # Instantiating module "cache" from file /etc/freeradius/3.0/mods-enabled/cache rlm_cache (cache): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "sql" from file /etc/freeradius/3.0/mods-enabled/my_module_sql postgresql { send_application_name = no } rlm_sql (sql): Attempting to connect to database "macip" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 max_retries = 5 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql_postgresql: Connecting using parameters: dbname='macip' host='10.128.0.10' port=5432 user='intranet' password='GoYaVe' Connected to database 'macip' on '10.128.0.10' server version 130013, protocol version 3, backend PID 1428654 rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql_postgresql: Connecting using parameters: dbname='macip' host='10.128.0.10' port=5432 user='intranet' password='GoYaVe' Connected to database 'macip' on '10.128.0.10' server version 130013, protocol version 3, backend PID 1428655 rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql_postgresql: Connecting using parameters: dbname='macip' host='10.128.0.10' port=5432 user='intranet' password='GoYaVe' Connected to database 'macip' on '10.128.0.10' server version 130013, protocol version 3, backend PID 1428656 rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql_postgresql: Connecting using parameters: dbname='macip' host='10.128.0.10' port=5432 user='intranet' password='GoYaVe' Connected to database 'macip' on '10.128.0.10' server version 130013, protocol version 3, backend PID 1428657 rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used rlm_sql_postgresql: Connecting using parameters: dbname='macip' host='10.128.0.10' port=5432 user='intranet' password='GoYaVe' Connected to database 'macip' on '10.128.0.10' server version 130013, protocol version 3, backend PID 1428658 # Instantiating module "cache_wired" from file /etc/freeradius/3.0/mods-enabled/cache_wired rlm_cache (cache_wired): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs" pem_file_type = yes private_key_file = "/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr.key" certificate_file = "/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr_avec_chaine_ACs.pem" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no ca_path_reload_interval = 0 cipher_list = "HIGH:MEDIUM:!LOW:!NULL:!EXPORT" reject_unknown_intermediate_ca = no ecdh_curve = "secp521r1" disable_tlsv1 = no disable_tlsv1_1 = no disable_tlsv1_2 = no tls_max_version = "1.2" tls_min_version = "1.0" cache { enable = yes lifetime = 11 name = "EAP module" max_entries = 0 persist_dir = "/var/log/freeradius/tlscache" } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } tls: In order to use TLS 1.0 and/or TLS 1.1, you likely need to set: cipher_list = "DEFAULT@SECLEVEL=0" # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no identity = "FreeRADIUS" } # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response # Instantiating module "authfile" from file /etc/freeradius/3.0/mods-enabled/my_module_files reading pairlist file /etc/freeradius/3.0/files.d/authfile # Instantiating module "authorized_macs" from file /etc/freeradius/3.0/mods-enabled/my_module_files reading pairlist file /etc/freeradius/3.0/files.d/authorized_macs # Instantiating module "cache_laps" from file /etc/freeradius/3.0/mods-enabled/cache_laps rlm_cache (cache_laps): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/3.0/radiusd.conf } # server server inner-lan-dot1x { # from file /etc/freeradius/3.0/sites-enabled/inner-lan-dot1x # Loading authenticate {...} # Loading authorize {...} # Loading post-proxy {...} # Loading post-auth {...} Compiling Post-Auth-Type REJECT for attr Post-Auth-Type } # server inner-lan-dot1x server inner-wlan-dot1x { # from file /etc/freeradius/3.0/sites-enabled/inner-wlan-dot1x # Loading authenticate {...} Compiling Auth-Type MS-CHAP for attr Auth-Type # Loading authorize {...} # Loading post-auth {...} Compiling Post-Auth-Type REJECT for attr Post-Auth-Type } # server inner-wlan-dot1x server tls-cache-wlan { # from file /etc/freeradius/3.0/sites-enabled/tls-cache-wlan Compiling cache load for attr TLS-Cache-Method Compiling cache save for attr TLS-Cache-Method Compiling cache clear for attr TLS-Cache-Method Compiling cache refresh for attr TLS-Cache-Method } # server tls-cache-wlan server lan-dot1x { # from file /etc/freeradius/3.0/server.d/lan-dot1x # Loading authenticate {...} Compiling Auth-Type eap_lan_dot1x for attr Auth-Type # Loading authorize {...} # Loading post-auth {...} Compiling Post-Auth-Type REJECT for attr Post-Auth-Type Compiling Post-Auth-Type Challenge for attr Post-Auth-Type } # server lan-dot1x server wlan-dot1x { # from file /etc/freeradius/3.0/server.d/wlan-dot1x # Loading authenticate {...} Compiling Auth-Type eap_wlan_dot1x for attr Auth-Type Compiling Auth-Type eap for attr Auth-Type # Loading authorize {...} # Loading post-auth {...} Compiling Post-Auth-Type REJECT for attr Post-Auth-Type Compiling Post-Auth-Type Challenge for attr Post-Auth-Type } # server wlan-dot1x server proxy-inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel # Loading authenticate {...} # Loading authorize {...} } # server proxy-inner-tunnel server tls-cache-lan { # from file /etc/freeradius/3.0/sites-enabled/tls-cache-lan Compiling cache load for attr TLS-Cache-Method Compiling cache save for attr TLS-Cache-Method Compiling cache clear for attr TLS-Cache-Method Compiling cache refresh for attr TLS-Cache-Method } # server tls-cache-lan radiusd: #### Opening IP addresses and Ports #### listen { type = "control" listen { socket = "/tmp/freeradius.sock" mode = "rw" peercred = yes } } listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18121 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18122 } Listening on command file /tmp/freeradius.sock Listening on auth address * port 1812 Listening on auth address 127.0.0.1 port 18121 bound to server inner-lan-dot1x Listening on auth address 127.0.0.1 port 18122 bound to server inner-wlan-dot1x Listening on proxy address * port 37655 Ready to process requests (0) Received Access-Request Id 197 from 10.128.2.54:32769 to 10.128.0.58:1812 length 178 (0) Message-Authenticator = 0x681f93be02ffa3fa2d2ead82ffaf4433 (0) User-Name = "PREPROD\\pierrick.merle.i" (0) NAS-IP-Address = 10.128.2.54 (0) Called-Station-Id = "00-04-96-fa-2c-10" (0) NAS-Identifier = "SXT_APS20f" (0) NAS-Port = 1004 (0) NAS-Port-Id = "4" (0) NAS-Port-Type = Ethernet (0) Service-Type = Framed-User (0) Calling-Station-Id = "54-05-DB-EC-7A-F7" (0) EAP-Message = 0x02dc001d0150524550524f445c706965727269636b2e6d65726c652e69 (0) Framed-MTU = 1300 (0) # Executing section authorize from file /etc/freeradius/3.0/server.d/lan-dot1x (0) authorize { (0) [preprocess] = ok (0) policy extreme_rewrite_calling_station_id { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) update request { (0) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (0) --> 54:05:DB:EC:7A:F7 (0) &Calling-Station-Id := 54:05:DB:EC:7A:F7 (0) } # update request = noop (0) [updated] = updated (0) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (0) ... skipping else: Preceding "if" was taken (0) } # policy extreme_rewrite_calling_station_id = updated (0) if (!&request:EAP-Message) { (0) if (!&request:EAP-Message) -> FALSE (0) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) { (0) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) -> TRUE (0) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) { (0) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 220 length 29 (0) eap_lan_dot1x: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap_lan_dot1x] = ok (0) } # elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) = ok (0) ... skipping elsif: Preceding "if" was taken (0) ... skipping else: Preceding "if" was taken (0) } # authorize = updated (0) Found Auth-Type = eap_lan_dot1x (0) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x (0) Auth-Type eap_lan_dot1x { (0) eap_lan_dot1x: Peer sent packet with method EAP Identity (1) (0) eap_lan_dot1x: Calling submodule eap_peap to process data (0) eap_peap: (TLS) PEAP -Initiating new session (0) eap_lan_dot1x: Sending EAP Request (code 1) ID 221 length 6 (0) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39fabe4ea12 (0) [eap_lan_dot1x] = handled (0) } # Auth-Type eap_lan_dot1x = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x (0) Challenge { ... } # empty sub-section is ignored (0) session-state: Saving cached attributes (0) Framed-MTU = 1014 (0) Sent Access-Challenge Id 197 from 10.128.0.58:1812 to 10.128.2.54:32769 length 64 (0) EAP-Message = 0x01dd00061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xab39f39fabe4ea12f769f1fff0534bd1 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 198 from 10.128.2.54:32769 to 10.128.0.58:1812 length 362 (1) Message-Authenticator = 0xe82132d7fa8da33e0b0f07bbc832dd14 (1) User-Name = "PREPROD\\pierrick.merle.i" (1) State = 0xab39f39fabe4ea12f769f1fff0534bd1 (1) NAS-IP-Address = 10.128.2.54 (1) Called-Station-Id = "00-04-96-fa-2c-10" (1) NAS-Identifier = "SXT_APS20f" (1) NAS-Port = 1004 (1) NAS-Port-Id = "4" (1) NAS-Port-Type = Ethernet (1) Framed-MTU = 1300 (1) Service-Type = Framed-User (1) Calling-Station-Id = "54-05-DB-EC-7A-F7" (1) EAP-Message = 0x02dd00c31980000000b916030300b4010000b0030367c5a9517d60cd207bf08fd71f19f663cd5852706f2c03cd97e2ef911657e8622034aef38d484057e9cbdfd82468b4ca70a41bf9e30ef21bbb980c2cc5425db932002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a0100003d000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100 (1) Restoring &session-state (1) &session-state:Framed-MTU = 1014 (1) # Executing section authorize from file /etc/freeradius/3.0/server.d/lan-dot1x (1) authorize { (1) [preprocess] = ok (1) policy extreme_rewrite_calling_station_id { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (1) --> 54:05:DB:EC:7A:F7 (1) &Calling-Station-Id := 54:05:DB:EC:7A:F7 (1) } # update request = noop (1) [updated] = updated (1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy extreme_rewrite_calling_station_id = updated (1) if (!&request:EAP-Message) { (1) if (!&request:EAP-Message) -> FALSE (1) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) { (1) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) -> TRUE (1) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) { (1) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 221 length 195 (1) eap_lan_dot1x: Continuing tunnel setup (1) [eap_lan_dot1x] = ok (1) } # elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) = ok (1) ... skipping elsif: Preceding "if" was taken (1) ... skipping else: Preceding "if" was taken (1) } # authorize = updated (1) Found Auth-Type = eap_lan_dot1x (1) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x (1) Auth-Type eap_lan_dot1x { (1) eap_lan_dot1x: Removing EAP session with state 0xab39f39fabe4ea12 (1) eap_lan_dot1x: Previous EAP request found for state 0xab39f39fabe4ea12, released from the list (1) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25) (1) eap_lan_dot1x: Calling submodule eap_peap to process data (1) eap_peap: (TLS) EAP Peer says that the final record size will be 185 bytes (1) eap_peap: (TLS) EAP Got all data (185 bytes) (1) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization (1) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (1) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (1) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello (1) eap_peap: Peer requested cached session: 34aef38d484057e9cbdfd82468b4ca70a41bf9e30ef21bbb980c2cc5425db932 (0) cache load { (0) update { rlm_redis (redis-lan): Reserved connection (0) rlm_redis (redis-lan): executing the query: "GET 0x34aef38d484057e9cbdfd82468b4ca70a41bf9e30ef21bbb980c2cc5425db932" (0) rlm_redis (redis-lan): Can't write result, insufficient space or unsupported result rlm_redis (redis-lan): Released connection (0) Need more connections to reach 10 spares rlm_redis (redis-lan): Opening additional connection (5), 1 of 27 pending slots used (0) EXPAND %{redis-lan:GET %{request:TLS-Session-ID}} (0) --> (0) &Tmp-String-0 := (0) } # update = noop (0) if (!&Tmp-String-0 || &Tmp-String-0 !~ /^([^|]+)\|([^|]+)$/) { (0) if (!&Tmp-String-0 || &Tmp-String-0 !~ /^([^|]+)\|([^|]+)$/) -> TRUE (0) if (!&Tmp-String-0 || &Tmp-String-0 !~ /^([^|]+)\|([^|]+)$/) { (0) return (0) } # if (!&Tmp-String-0 || &Tmp-String-0 !~ /^([^|]+)\|([^|]+)$/) = noop (0) } # cache load = noop (1) eap_peap: WARNING: (TLS) PEAP - Failed to find TLS-Session-Data in 'session-state' list for session 34aef38d484057e9cbdfd82468b4ca70a41bf9e30ef21bbb980c2cc5425db932 (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello (1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello (1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate (1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange (1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone (1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (1) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done (1) eap_peap: (TLS) PEAP - In Handshake Phase (1) eap_lan_dot1x: Sending EAP Request (code 1) ID 222 length 1024 (1) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39faae7ea12 (1) [eap_lan_dot1x] = handled (1) } # Auth-Type eap_lan_dot1x = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x (1) Challenge { ... } # empty sub-section is ignored (1) session-state: Saving cached attributes (1) Framed-MTU = 1014 (1) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (1) Sent Access-Challenge Id 198 from 10.128.0.58:1812 to 10.128.2.54:32769 length 1090 (1) EAP-Message = 0x01de040019c000000e2c160303005d0200005903035e4ae8e817988c3566f217c68bf58793f7e07a63c47a49261acaaea76576eefa2084298149cd6dba04ae6b1bfd7e1569034959ac77a2d0a5ad27082b792402b726c030000011ff01000100000b000403000102001700001603030c6a0b000c66000c630005c4308205c0308203a8a00302010202143db2792d468f53db29cf70cd516deeb6d7d7e144300d06092a864886f70d01010b05003065310b3009060355040613024652311b3019060355040a13124d696e6973746572652045636f6c6f676965310d300b060355040b1304444e554d312a30280603550403132145434f20524d494e20414320496e7465726d65646961697265204d616368696e65301e170d3234303630353037353934365a170d3235303630353038303031365a30233121301f060355040313187261646975732e61632e65322e7269652e676f75762e667230820122300d06092a864886f70d01010105000382010f003082010a0282 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xab39f39faae7ea12f769f1fff0534bd1 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 199 from 10.128.2.54:32769 to 10.128.0.58:1812 length 173 (2) Message-Authenticator = 0xf48533d25521399963817e7616597244 (2) User-Name = "PREPROD\\pierrick.merle.i" (2) State = 0xab39f39faae7ea12f769f1fff0534bd1 (2) NAS-IP-Address = 10.128.2.54 (2) Called-Station-Id = "00-04-96-fa-2c-10" (2) NAS-Identifier = "SXT_APS20f" (2) NAS-Port = 1004 (2) NAS-Port-Id = "4" (2) NAS-Port-Type = Ethernet (2) Framed-MTU = 1300 (2) Service-Type = Framed-User (2) Calling-Station-Id = "54-05-DB-EC-7A-F7" (2) EAP-Message = 0x02de00061900 (2) Restoring &session-state (2) &session-state:Framed-MTU = 1014 (2) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (2) # Executing section authorize from file /etc/freeradius/3.0/server.d/lan-dot1x (2) authorize { (2) [preprocess] = ok (2) policy extreme_rewrite_calling_station_id { (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (2) update request { (2) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (2) --> 54:05:DB:EC:7A:F7 (2) &Calling-Station-Id := 54:05:DB:EC:7A:F7 (2) } # update request = noop (2) [updated] = updated (2) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (2) ... skipping else: Preceding "if" was taken (2) } # policy extreme_rewrite_calling_station_id = updated (2) if (!&request:EAP-Message) { (2) if (!&request:EAP-Message) -> FALSE (2) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) { (2) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) -> TRUE (2) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) { (2) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 222 length 6 (2) eap_lan_dot1x: Continuing tunnel setup (2) [eap_lan_dot1x] = ok (2) } # elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) = ok (2) ... skipping elsif: Preceding "if" was taken (2) ... skipping else: Preceding "if" was taken (2) } # authorize = updated (2) Found Auth-Type = eap_lan_dot1x (2) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x (2) Auth-Type eap_lan_dot1x { (2) eap_lan_dot1x: Removing EAP session with state 0xab39f39faae7ea12 (2) eap_lan_dot1x: Previous EAP request found for state 0xab39f39faae7ea12, released from the list (2) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25) (2) eap_lan_dot1x: Calling submodule eap_peap to process data (2) eap_peap: (TLS) Peer ACKed our handshake fragment (2) eap_lan_dot1x: Sending EAP Request (code 1) ID 223 length 1020 (2) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39fa9e6ea12 (2) [eap_lan_dot1x] = handled (2) } # Auth-Type eap_lan_dot1x = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x (2) Challenge { ... } # empty sub-section is ignored (2) session-state: Saving cached attributes (2) Framed-MTU = 1014 (2) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (2) Sent Access-Challenge Id 199 from 10.128.0.58:1812 to 10.128.2.54:32769 length 1086 (2) EAP-Message = 0x01df03fc19402a687474703a2f2f63726c2e726d696e2e656463732e66722f696e7465726d616368696e6563612e63726c300d06092a864886f70d01010b050003820201000957bae2949136fbad39f5a4a62ca927fc84ff2f8c3b26bd5d5d50b753f24eaabc1e54b28481b405939853ec0fc868eb772139d2ee6c90c911bbd3f168409f9338587f3e61a2913145f8c9309ccc325b48d70149859c9f42d92a42a4ff93680181283565f5b3b37ad35e8ba57d089465b31e255f08ad34bfd63cde54374f10a4d18fb2ed50f1486146e74acfb8e211e439e841bfc54932ff929b98913e769cdf7e45d36657e9d3481d6d5216ac6c725591cb7154cb666062ebabb4096fa189865766abb1722ea1e15768ba1cf7e6ac805fb92f2495bf517b9e7730047fc54f69d20727f0cea8e3573e4a0fa69a4a6f0a6ca11266277cb448d61fa22e0a68009c42fdd11b2d4c3989fd2908fa3d7d0624616237610c1374afb462e42291dc44d78f9dfbe1cba02ea44c2817bd4ba9f1bc2160 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xab39f39fa9e6ea12f769f1fff0534bd1 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 200 from 10.128.2.54:32769 to 10.128.0.58:1812 length 173 (3) Message-Authenticator = 0x53d1a6aee16c8987edf25b57090e579e (3) User-Name = "PREPROD\\pierrick.merle.i" (3) State = 0xab39f39fa9e6ea12f769f1fff0534bd1 (3) NAS-IP-Address = 10.128.2.54 (3) Called-Station-Id = "00-04-96-fa-2c-10" (3) NAS-Identifier = "SXT_APS20f" (3) NAS-Port = 1004 (3) NAS-Port-Id = "4" (3) NAS-Port-Type = Ethernet (3) Framed-MTU = 1300 (3) Service-Type = Framed-User (3) Calling-Station-Id = "54-05-DB-EC-7A-F7" (3) EAP-Message = 0x02df00061900 (3) Restoring &session-state (3) &session-state:Framed-MTU = 1014 (3) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (3) # Executing section authorize from file /etc/freeradius/3.0/server.d/lan-dot1x (3) authorize { (3) [preprocess] = ok (3) policy extreme_rewrite_calling_station_id { (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (3) update request { (3) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (3) --> 54:05:DB:EC:7A:F7 (3) &Calling-Station-Id := 54:05:DB:EC:7A:F7 (3) } # update request = noop (3) [updated] = updated (3) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (3) ... skipping else: Preceding "if" was taken (3) } # policy extreme_rewrite_calling_station_id = updated (3) if (!&request:EAP-Message) { (3) if (!&request:EAP-Message) -> FALSE (3) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) { (3) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) -> TRUE (3) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) { (3) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 223 length 6 (3) eap_lan_dot1x: Continuing tunnel setup (3) [eap_lan_dot1x] = ok (3) } # elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) = ok (3) ... skipping elsif: Preceding "if" was taken (3) ... skipping else: Preceding "if" was taken (3) } # authorize = updated (3) Found Auth-Type = eap_lan_dot1x (3) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x (3) Auth-Type eap_lan_dot1x { (3) eap_lan_dot1x: Removing EAP session with state 0xab39f39fa9e6ea12 (3) eap_lan_dot1x: Previous EAP request found for state 0xab39f39fa9e6ea12, released from the list (3) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25) (3) eap_lan_dot1x: Calling submodule eap_peap to process data (3) eap_peap: (TLS) Peer ACKed our handshake fragment (3) eap_lan_dot1x: Sending EAP Request (code 1) ID 224 length 1020 (3) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39fa8d9ea12 (3) [eap_lan_dot1x] = handled (3) } # Auth-Type eap_lan_dot1x = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x (3) Challenge { ... } # empty sub-section is ignored (3) session-state: Saving cached attributes (3) Framed-MTU = 1014 (3) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (3) Sent Access-Challenge Id 200 from 10.128.0.58:1812 to 10.128.2.54:32769 length 1086 (3) EAP-Message = 0x01e003fc1940c7aa2e068818a20c750b7184a76445710d8c429a0221abbca66a5c355a3b63af6aeeaf6d1a77c800677b4998101328f4397e2b50b8d164dab887585adea9b07d64c14a5204b198944d6cfd333f9355d5e4d52810957a3c456fbbfc29f7be81704f0be0d4df65f0dfd7201550291a8195121cda6d3cc26ecc2326ed652f1934507e7dbc4d3318b6945a138f1ccca762d1e6382415a48f043902ab7735bad049d2ba09877d8a90cae08ba3e285fe097d9ac4e1eed66bebfcbe780d434e63003cb2dc51bd91d1b95d0287616b244ce4ed4e4da198f22be8017b6eb37ed521b9457f3fc07056374a2b41afa846e2359e63e1bdd93adce5ac9409c3d2d5650eb55376ccf9dad6d40ef7fbe0e5de98614702da923e3d512f90382acb5ca948f1a4338f6bbf3eebecb51d5ae4d5abf35d8738f4da2d57310f8e42eba1b2db4a92a4853d5919d695b11d92b0a2b89229a9f2b9e3472429d31e3ae29772b96a03216732a0452b7e6d60518fdb04cb0203010001a382 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xab39f39fa8d9ea12f769f1fff0534bd1 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 201 from 10.128.2.54:32769 to 10.128.0.58:1812 length 173 (4) Message-Authenticator = 0xfd539975736768f13f95221dbf4d0ca0 (4) User-Name = "PREPROD\\pierrick.merle.i" (4) State = 0xab39f39fa8d9ea12f769f1fff0534bd1 (4) NAS-IP-Address = 10.128.2.54 (4) Called-Station-Id = "00-04-96-fa-2c-10" (4) NAS-Identifier = "SXT_APS20f" (4) NAS-Port = 1004 (4) NAS-Port-Id = "4" (4) NAS-Port-Type = Ethernet (4) Framed-MTU = 1300 (4) Service-Type = Framed-User (4) Calling-Station-Id = "54-05-DB-EC-7A-F7" (4) EAP-Message = 0x02e000061900 (4) Restoring &session-state (4) &session-state:Framed-MTU = 1014 (4) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (4) # Executing section authorize from file /etc/freeradius/3.0/server.d/lan-dot1x (4) authorize { (4) [preprocess] = ok (4) policy extreme_rewrite_calling_station_id { (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (4) update request { (4) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (4) --> 54:05:DB:EC:7A:F7 (4) &Calling-Station-Id := 54:05:DB:EC:7A:F7 (4) } # update request = noop (4) [updated] = updated (4) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (4) ... skipping else: Preceding "if" was taken (4) } # policy extreme_rewrite_calling_station_id = updated (4) if (!&request:EAP-Message) { (4) if (!&request:EAP-Message) -> FALSE (4) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) { (4) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) -> TRUE (4) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) { (4) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 224 length 6 (4) eap_lan_dot1x: Continuing tunnel setup (4) [eap_lan_dot1x] = ok (4) } # elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) = ok (4) ... skipping elsif: Preceding "if" was taken (4) ... skipping else: Preceding "if" was taken (4) } # authorize = updated (4) Found Auth-Type = eap_lan_dot1x (4) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x (4) Auth-Type eap_lan_dot1x { (4) eap_lan_dot1x: Removing EAP session with state 0xab39f39fa8d9ea12 (4) eap_lan_dot1x: Previous EAP request found for state 0xab39f39fa8d9ea12, released from the list (4) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25) (4) eap_lan_dot1x: Calling submodule eap_peap to process data (4) eap_peap: (TLS) Peer ACKed our handshake fragment (4) eap_lan_dot1x: Sending EAP Request (code 1) ID 225 length 592 (4) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39fafd8ea12 (4) [eap_lan_dot1x] = handled (4) } # Auth-Type eap_lan_dot1x = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x (4) Challenge { ... } # empty sub-section is ignored (4) session-state: Saving cached attributes (4) Framed-MTU = 1014 (4) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (4) Sent Access-Challenge Id 201 from 10.128.0.58:1812 to 10.128.2.54:32769 length 654 (4) EAP-Message = 0x01e1025019008e6fb31e34c535308289f4dcd79f82c53469189129212beebbde8a69f5239dc84fd2c00a0a7d30564f2c48ea5a49a49cdf79f200b5c408ce7354bc7ffef171a8724b15b86e52f27ad9991181caff2bf1f7190c900c2d5358bed4ddc9f853d5664b6a76f15a32c324277fb1f78b9970f9f7a483e1c7999e04a87a05af8469e90b6c535b322711f64111eff1dfd1eeabdfdc380204be62d525762e25471838b54ae3bfb8c0fd01b0cbf2b0542aa907585ab52f386d5d627d6cc965cbb9444bdd046a0422251c3368ecd8be1e917029987e66cb511820cd2a2cdaa570575416c54081271204d245581e28cec2dd66cfa2160303014d0c00014903001741046251b7e62bf95cb9ab08709f7abb30c19e7d19d4c5cd3e4f6aadf2f1a8ff4387c913b1b36b9f93931c77c74993a7573a9ff64c27e3b67b0d4e7c75eaec2d6f0b040101007b152e53b8146e29162fcba24e92a04629f33dcd7f70e9a9d28e044e7d9faf1c8888c407c4b3fe0be85c59c9b8a8633b (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xab39f39fafd8ea12f769f1fff0534bd1 (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 202 from 10.128.2.54:32769 to 10.128.0.58:1812 length 303 (5) Message-Authenticator = 0x330d17d58367b7c7debbd2388d24da3b (5) User-Name = "PREPROD\\pierrick.merle.i" (5) State = 0xab39f39fafd8ea12f769f1fff0534bd1 (5) NAS-IP-Address = 10.128.2.54 (5) Called-Station-Id = "00-04-96-fa-2c-10" (5) NAS-Identifier = "SXT_APS20f" (5) NAS-Port = 1004 (5) NAS-Port-Id = "4" (5) NAS-Port-Type = Ethernet (5) Framed-MTU = 1300 (5) Service-Type = Framed-User (5) Calling-Station-Id = "54-05-DB-EC-7A-F7" (5) EAP-Message = 0x02e1008819800000007e1603030046100000424104478011a091c5392414894d3b1d96709c1c3a41ce60f156911ec687f2955d4e40e567885782f0be58e1374d4a11656554927dc06481a8e4023f6f96359b6c66cf1403030001011603030028000000000000000042308fd559fe9927cfb60949046a6718bbcb97c8243c745e3f0cd09ce51e7c01 (5) Restoring &session-state (5) &session-state:Framed-MTU = 1014 (5) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (5) # Executing section authorize from file /etc/freeradius/3.0/server.d/lan-dot1x (5) authorize { (5) [preprocess] = ok (5) policy extreme_rewrite_calling_station_id { (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (5) update request { (5) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (5) --> 54:05:DB:EC:7A:F7 (5) &Calling-Station-Id := 54:05:DB:EC:7A:F7 (5) } # update request = noop (5) [updated] = updated (5) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (5) ... skipping else: Preceding "if" was taken (5) } # policy extreme_rewrite_calling_station_id = updated (5) if (!&request:EAP-Message) { (5) if (!&request:EAP-Message) -> FALSE (5) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) { (5) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) -> TRUE (5) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) { (5) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 225 length 136 (5) eap_lan_dot1x: Continuing tunnel setup (5) [eap_lan_dot1x] = ok (5) } # elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) = ok (5) ... skipping elsif: Preceding "if" was taken (5) ... skipping else: Preceding "if" was taken (5) } # authorize = updated (5) Found Auth-Type = eap_lan_dot1x (5) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x (5) Auth-Type eap_lan_dot1x { (5) eap_lan_dot1x: Removing EAP session with state 0xab39f39fafd8ea12 (5) eap_lan_dot1x: Previous EAP request found for state 0xab39f39fafd8ea12, released from the list (5) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25) (5) eap_lan_dot1x: Calling submodule eap_peap to process data (5) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes (5) eap_peap: (TLS) EAP Got all data (126 bytes) (5) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (5) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange (5) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange (5) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec (5) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished (5) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished (5) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec (5) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec (5) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished (5) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished (5) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully (5) eap_peap: (TLS) PEAP - Connection Established (5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) eap_peap: TLS-Session-Version = "TLS 1.2" (5) eap_lan_dot1x: Sending EAP Request (code 1) ID 226 length 57 (5) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39faedbea12 (5) [eap_lan_dot1x] = handled (5) } # Auth-Type eap_lan_dot1x = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x (5) Challenge { ... } # empty sub-section is ignored (5) session-state: Saving cached attributes (5) Framed-MTU = 1014 (5) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (5) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (5) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) TLS-Session-Version = "TLS 1.2" (5) Sent Access-Challenge Id 202 from 10.128.0.58:1812 to 10.128.2.54:32769 length 115 (5) EAP-Message = 0x01e2003919001403030001011603030028992e1d08a6281f94437d18a88f2f337b9abbd59b6c10d58320ae5341ff5cb1be50d4e0e30627f0e3 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xab39f39faedbea12f769f1fff0534bd1 (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 203 from 10.128.2.54:32769 to 10.128.0.58:1812 length 173 (6) Message-Authenticator = 0x01e2569fa0d0a5ef89068ddfa1ffba9d (6) User-Name = "PREPROD\\pierrick.merle.i" (6) State = 0xab39f39faedbea12f769f1fff0534bd1 (6) NAS-IP-Address = 10.128.2.54 (6) Called-Station-Id = "00-04-96-fa-2c-10" (6) NAS-Identifier = "SXT_APS20f" (6) NAS-Port = 1004 (6) NAS-Port-Id = "4" (6) NAS-Port-Type = Ethernet (6) Framed-MTU = 1300 (6) Service-Type = Framed-User (6) Calling-Station-Id = "54-05-DB-EC-7A-F7" (6) EAP-Message = 0x02e200061900 (6) Restoring &session-state (6) &session-state:Framed-MTU = 1014 (6) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) &session-state:TLS-Session-Version = "TLS 1.2" (6) # Executing section authorize from file /etc/freeradius/3.0/server.d/lan-dot1x (6) authorize { (6) [preprocess] = ok (6) policy extreme_rewrite_calling_station_id { (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (6) update request { (6) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (6) --> 54:05:DB:EC:7A:F7 (6) &Calling-Station-Id := 54:05:DB:EC:7A:F7 (6) } # update request = noop (6) [updated] = updated (6) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (6) ... skipping else: Preceding "if" was taken (6) } # policy extreme_rewrite_calling_station_id = updated (6) if (!&request:EAP-Message) { (6) if (!&request:EAP-Message) -> FALSE (6) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) { (6) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) -> TRUE (6) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) { (6) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 226 length 6 (6) eap_lan_dot1x: Continuing tunnel setup (6) [eap_lan_dot1x] = ok (6) } # elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) = ok (6) ... skipping elsif: Preceding "if" was taken (6) ... skipping else: Preceding "if" was taken (6) } # authorize = updated (6) Found Auth-Type = eap_lan_dot1x (6) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x (6) Auth-Type eap_lan_dot1x { (6) eap_lan_dot1x: Removing EAP session with state 0xab39f39faedbea12 (6) eap_lan_dot1x: Previous EAP request found for state 0xab39f39faedbea12, released from the list (6) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25) (6) eap_lan_dot1x: Calling submodule eap_peap to process data (6) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state TUNNEL ESTABLISHED (6) eap_lan_dot1x: Sending EAP Request (code 1) ID 227 length 40 (6) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39faddaea12 (6) [eap_lan_dot1x] = handled (6) } # Auth-Type eap_lan_dot1x = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x (6) Challenge { ... } # empty sub-section is ignored (6) session-state: Saving cached attributes (6) Framed-MTU = 1014 (6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) TLS-Session-Version = "TLS 1.2" (6) Sent Access-Challenge Id 203 from 10.128.0.58:1812 to 10.128.2.54:32769 length 98 (6) EAP-Message = 0x01e300281900170303001d992e1d08a6281f952ddff245583c3e11a01f3a0811d5f52af6dc4daf1b (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xab39f39faddaea12f769f1fff0534bd1 (6) Finished request Waking up in 4.9 seconds. (7) Received Access-Request Id 204 from 10.128.2.54:32769 to 10.128.0.58:1812 length 227 (7) Message-Authenticator = 0x96497c11b13a76a5b23e44be8f7d5ff9 (7) User-Name = "PREPROD\\pierrick.merle.i" (7) State = 0xab39f39faddaea12f769f1fff0534bd1 (7) NAS-IP-Address = 10.128.2.54 (7) Called-Station-Id = "00-04-96-fa-2c-10" (7) NAS-Identifier = "SXT_APS20f" (7) NAS-Port = 1004 (7) NAS-Port-Id = "4" (7) NAS-Port-Type = Ethernet (7) Framed-MTU = 1300 (7) Service-Type = Framed-User (7) Calling-Station-Id = "54-05-DB-EC-7A-F7" (7) EAP-Message = 0x02e3003c190017030300310000000000000001a09b6c88393f3903b90ebde72d0ec97a46ae05e7c48e47576720783176f2be7dfdd79503de20f2603a (7) Restoring &session-state (7) &session-state:Framed-MTU = 1014 (7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /etc/freeradius/3.0/server.d/lan-dot1x (7) authorize { (7) [preprocess] = ok (7) policy extreme_rewrite_calling_station_id { (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (7) update request { (7) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (7) --> 54:05:DB:EC:7A:F7 (7) &Calling-Station-Id := 54:05:DB:EC:7A:F7 (7) } # update request = noop (7) [updated] = updated (7) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (7) ... skipping else: Preceding "if" was taken (7) } # policy extreme_rewrite_calling_station_id = updated (7) if (!&request:EAP-Message) { (7) if (!&request:EAP-Message) -> FALSE (7) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) { (7) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) -> TRUE (7) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) { (7) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 227 length 60 (7) eap_lan_dot1x: Continuing tunnel setup (7) [eap_lan_dot1x] = ok (7) } # elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) = ok (7) ... skipping elsif: Preceding "if" was taken (7) ... skipping else: Preceding "if" was taken (7) } # authorize = updated (7) Found Auth-Type = eap_lan_dot1x (7) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x (7) Auth-Type eap_lan_dot1x { (7) eap_lan_dot1x: Removing EAP session with state 0xab39f39faddaea12 (7) eap_lan_dot1x: Previous EAP request found for state 0xab39f39faddaea12, released from the list (7) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25) (7) eap_lan_dot1x: Calling submodule eap_peap to process data (7) eap_peap: (TLS) EAP Done initial handshake (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state WAITING FOR INNER IDENTITY (7) eap_peap: Identity - PREPROD\pierrick.merle.i (7) eap_peap: Got inner identity 'PREPROD\pierrick.merle.i' (7) eap_peap: Setting default EAP type for tunneled EAP session (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x02e3001d0150524550524f445c706965727269636b2e6d65726c652e69 (7) eap_peap: Setting User-Name to PREPROD\pierrick.merle.i (7) eap_peap: Sending tunneled request to inner-lan-dot1x (7) eap_peap: EAP-Message = 0x02e3001d0150524550524f445c706965727269636b2e6d65726c652e69 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "PREPROD\\pierrick.merle.i" (7) Virtual server inner-lan-dot1x received request (7) EAP-Message = 0x02e3001d0150524550524f445c706965727269636b2e6d65726c652e69 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "PREPROD\\pierrick.merle.i" (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-lan-dot1x { (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-lan-dot1x (7) authorize { (7) if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~ /^FORMATION/ ) { (7) if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~ /^FORMATION/ ) -> TRUE (7) if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~ /^FORMATION/ ) { (7) ntdomain: Checking for prefix before "\" (7) ntdomain: Looking up realm "PREPROD" for User-Name = "PREPROD\pierrick.merle.i" (7) ntdomain: Found realm "PREPROD" (7) ntdomain: Adding Stripped-User-Name = "pierrick.merle.i" (7) ntdomain: Adding Realm = "PREPROD" (7) ntdomain: Proxying request from user pierrick.merle.i to realm PREPROD (7) ntdomain: Preparing to proxy authentication request to realm "PREPROD" (7) [ntdomain] = updated (7) } # if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~ /^FORMATION/ ) = updated (7) ... skipping elsif: Preceding "if" was taken (7) ... skipping elsif: Preceding "if" was taken (7) ... skipping elsif: Preceding "if" was taken (7) update { (7) No attributes updated for RHS &control:Extreme-Netlogin-Extended-Vlan (7) No attributes updated for RHS &control:Extreme-Policy-ACL[*] (7) No attributes updated for RHS &control:Fabric-Attach-Service-Request[*] (7) No attributes updated for RHS &control:Filter-Id (7) No attributes updated for RHS &control:Tunnel-Private-Group-Id (7) reply:User-Name := User-Name -> 'PREPROD\\pierrick.merle.i' (7) } # update = noop (7) } # authorize = updated (7) } # server inner-lan-dot1x (7) Virtual server sending reply (7) User-Name := "PREPROD\\pierrick.merle.i" (7) eap_peap: Got tunneled reply code 0 (7) eap_peap: User-Name := "PREPROD\\pierrick.merle.i" (7) eap_peap: Calling authenticate in order to initiate tunneled EAP session (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-lan-dot1x (7) authenticate { (7) eap: Peer sent packet with method EAP Identity (1) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: Issuing Challenge (7) eap: Sending EAP Request (code 1) ID 228 length 36 (7) eap: EAP session adding &reply:State = 0x7b60a4d57b84bea7 (7) [eap] = handled (7) } # authenticate = handled (7) eap_peap: Cancelling proxy to realm PREPROD until the tunneled EAP session has been established (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: User-Name := "PREPROD\\pierrick.merle.i" (7) eap_peap: EAP-Message = 0x01e400241a01e4001f10f0a506e01e192881a4906d742fc4b2e646726565524144495553 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x7b60a4d57b84bea7a078a662a72147dc (7) eap_peap: Got tunneled Access-Challenge (7) eap_lan_dot1x: Sending EAP Request (code 1) ID 228 length 67 (7) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39facddea12 (7) [eap_lan_dot1x] = handled (7) } # Auth-Type eap_lan_dot1x = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x (7) Challenge { ... } # empty sub-section is ignored (7) session-state: Saving cached attributes (7) Framed-MTU = 1014 (7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) TLS-Session-Version = "TLS 1.2" (7) Sent Access-Challenge Id 204 from 10.128.0.58:1812 to 10.128.2.54:32769 length 125 (7) EAP-Message = 0x01e4004319001703030038992e1d08a6281f9686a180dc1b41a0f8984c319974a02913f93e71bac56da78cda96880678431a2282a64c261c993c336832c275f722fc55 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xab39f39facddea12f769f1fff0534bd1 (7) Finished request Waking up in 4.9 seconds. (8) Received Access-Request Id 205 from 10.128.2.54:32769 to 10.128.0.58:1812 length 281 (8) Message-Authenticator = 0xf73b3d46fcc452447830970250510653 (8) User-Name = "PREPROD\\pierrick.merle.i" (8) State = 0xab39f39facddea12f769f1fff0534bd1 (8) NAS-IP-Address = 10.128.2.54 (8) Called-Station-Id = "00-04-96-fa-2c-10" (8) NAS-Identifier = "SXT_APS20f" (8) NAS-Port = 1004 (8) NAS-Port-Id = "4" (8) NAS-Port-Type = Ethernet (8) Framed-MTU = 1300 (8) Service-Type = Framed-User (8) Calling-Station-Id = "54-05-DB-EC-7A-F7" (8) EAP-Message = 0x02e40072190017030300670000000000000002cca31e7eae2c47f00df3d68a7c9871cbdf92c0ba98e0ed3b8e88e7af8d6620cbfa71200ac29d972f1304402d8ca4992f94e9d2bba3878f1e7c37139b64efc0c8a44e693a2c6e7b9a24f2b2f424c0987c51dd5b6b3345814d5a991fd963aca0 (8) Restoring &session-state (8) &session-state:Framed-MTU = 1014 (8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) # Executing section authorize from file /etc/freeradius/3.0/server.d/lan-dot1x (8) authorize { (8) [preprocess] = ok (8) policy extreme_rewrite_calling_station_id { (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (8) update request { (8) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (8) --> 54:05:DB:EC:7A:F7 (8) &Calling-Station-Id := 54:05:DB:EC:7A:F7 (8) } # update request = noop (8) [updated] = updated (8) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (8) ... skipping else: Preceding "if" was taken (8) } # policy extreme_rewrite_calling_station_id = updated (8) if (!&request:EAP-Message) { (8) if (!&request:EAP-Message) -> FALSE (8) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) { (8) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) -> TRUE (8) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) { (8) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 228 length 114 (8) eap_lan_dot1x: Continuing tunnel setup (8) [eap_lan_dot1x] = ok (8) } # elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) = ok (8) ... skipping elsif: Preceding "if" was taken (8) ... skipping else: Preceding "if" was taken (8) } # authorize = updated (8) Found Auth-Type = eap_lan_dot1x (8) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x (8) Auth-Type eap_lan_dot1x { (8) eap_lan_dot1x: Removing EAP session with state 0xab39f39facddea12 (8) eap_lan_dot1x: Previous EAP request found for state 0xab39f39facddea12, released from the list (8) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25) (8) eap_lan_dot1x: Calling submodule eap_peap to process data (8) eap_peap: (TLS) EAP Done initial handshake (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x02e400531a02e4004e31ec8a1fbe71764029e6c856e60d94056e0000000000000000001c71308495add1402553b25cfd1fffa1b30d00f8d1838f0050524550524f445c706965727269636b2e6d65726c652e69 (8) eap_peap: Setting User-Name to PREPROD\pierrick.merle.i (8) eap_peap: Sending tunneled request to inner-lan-dot1x (8) eap_peap: EAP-Message = 0x02e400531a02e4004e31ec8a1fbe71764029e6c856e60d94056e0000000000000000001c71308495add1402553b25cfd1fffa1b30d00f8d1838f0050524550524f445c706965727269636b2e6d65726c652e69 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "PREPROD\\pierrick.merle.i" (8) eap_peap: State = 0x7b60a4d57b84bea7a078a662a72147dc (8) Virtual server inner-lan-dot1x received request (8) EAP-Message = 0x02e400531a02e4004e31ec8a1fbe71764029e6c856e60d94056e0000000000000000001c71308495add1402553b25cfd1fffa1b30d00f8d1838f0050524550524f445c706965727269636b2e6d65726c652e69 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "PREPROD\\pierrick.merle.i" (8) State = 0x7b60a4d57b84bea7a078a662a72147dc (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-lan-dot1x { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-lan-dot1x (8) authorize { (8) if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~ /^FORMATION/ ) { (8) if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~ /^FORMATION/ ) -> TRUE (8) if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~ /^FORMATION/ ) { (8) ntdomain: Checking for prefix before "\" (8) ntdomain: Looking up realm "PREPROD" for User-Name = "PREPROD\pierrick.merle.i" (8) ntdomain: Found realm "PREPROD" (8) ntdomain: Adding Stripped-User-Name = "pierrick.merle.i" (8) ntdomain: Adding Realm = "PREPROD" (8) ntdomain: Proxying request from user pierrick.merle.i to realm PREPROD (8) ntdomain: Preparing to proxy authentication request to realm "PREPROD" (8) [ntdomain] = updated (8) } # if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~ /^FORMATION/ ) = updated (8) ... skipping elsif: Preceding "if" was taken (8) ... skipping elsif: Preceding "if" was taken (8) ... skipping elsif: Preceding "if" was taken (8) update { (8) No attributes updated for RHS &control:Extreme-Netlogin-Extended-Vlan (8) No attributes updated for RHS &control:Extreme-Policy-ACL[*] (8) No attributes updated for RHS &control:Fabric-Attach-Service-Request[*] (8) No attributes updated for RHS &control:Filter-Id (8) No attributes updated for RHS &control:Tunnel-Private-Group-Id (8) reply:User-Name := User-Name -> 'PREPROD\\pierrick.merle.i' (8) } # update = noop (8) } # authorize = updated (8) } # server inner-lan-dot1x (8) Virtual server sending reply (8) User-Name := "PREPROD\\pierrick.merle.i" (8) eap_peap: Got tunneled reply code 0 (8) eap_peap: User-Name := "PREPROD\\pierrick.merle.i" (8) eap_peap: Calling authenticate in order to initiate tunneled EAP session (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-lan-dot1x (8) authenticate { (8) eap: Removing EAP session with state 0x7b60a4d57b84bea7 (8) eap: Previous EAP request found for state 0x7b60a4d57b84bea7, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap_mschapv2: Cancelling authentication and letting it be proxied (8) eap: No EAP proxy set. Not composing EAP (8) [eap] = handled (8) } # authenticate = handled (8) eap_peap: Tunnelled authentication will be proxied to PREPROD (8) eap_peap: Remembering to do EAP-MS-CHAP-V2 post-proxy (8) eap_lan_dot1x: WARNING: Tunneled session will be proxied. Not doing EAP (8) [eap_lan_dot1x] = handled (8) } # Auth-Type eap_lan_dot1x = handled (8) Starting proxy to home server 10.167.73.13 port 1812 (8) server lan-dot1x { (8) } (8) Proxying request to home server 10.167.73.13 port 1812 timeout 20.000000 (8) Sent Access-Request Id 248 from 0.0.0.0:37655 to 10.167.73.13:1812 length 143 (8) User-Name = "pierrick.merle.i" (8) MS-CHAP-Challenge = <redacted> (8) MS-CHAP2-Response = <redacted> (8) Message-Authenticator := 0x00 (8) Proxy-State = 0x323035 Waking up in 0.3 seconds. (8) Marking home server 10.167.73.13 port 1812 alive (8) Clearing existing &reply: attributes (8) Received Access-Accept Id 248 from 10.167.73.13:1812 to 10.166.1.58:37655 length 252 (8) Message-Authenticator = 0xea84928db30f8c9b048865c87d621a8a (8) Proxy-State = 0x323035 (8) Framed-Protocol = PPP (8) Service-Type = Framed-User (8) Class = 0x595505e400000137000102000aa7490d00000000000000000000000001db82dd2c49bf8300000000000000af (8) MS-MPPE-Recv-Key = <redacted> (8) MS-MPPE-Send-Key = <redacted> (8) MS-CHAP2-Success = <redacted> (8) MS-CHAP-Domain = "\344PREPROD" (8) server lan-dot1x { (8) } (8) Found Auth-Type = eap_lan_dot1x (8) Found Auth-Type = Accept (8) ERROR: Warning: Found 2 auth-types on request for user 'PREPROD\pierrick.merle.i' (8) Auth-Type = Accept, accepting the user (8) # Executing section post-auth from file /etc/freeradius/3.0/server.d/lan-dot1x (8) post-auth { (8) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (8) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (8) update { (8) &reply:MS-MPPE-Recv-Key !* ANY (8) &reply:MS-MPPE-Send-Key !* ANY (8) &reply:Tunnel-Private-Group-Id:0 !* ANY (8) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014 (8) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello' (8) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, ServerHello' (8) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, Certificate' (8) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange' (8) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone' (8) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange' (8) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.2 Handshake, Finished' (8) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 ChangeCipherSpec' (8) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, Finished' (8) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (8) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (8) &reply:User-Name := &request:User-Name -> 'PREPROD\\pierrick.merle.i' (8) No attributes updated for RHS &control:Extreme-Policy-ACL[*] (8) No attributes updated for RHS &control:Fabric-Attach-Service-Request[*] (8) No attributes updated for RHS &control:Filter-Id (8) No attributes updated for RHS &control:Tunnel-Private-Group-Id (8) } # update = noop (8) if (request:Calling-Station-Id == "F4:A8:0D:A3:D5:AD" ) { (8) if (request:Calling-Station-Id == "F4:A8:0D:A3:D5:AD" ) -> FALSE (8) policy remove_reply_message_if_eap { (8) if (&reply:EAP-Message && &reply:Reply-Message) { (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (8) else { (8) [noop] = noop (8) } # else = noop (8) } # policy remove_reply_message_if_eap = noop (8) } # post-auth = noop (8) EXPAND OK %{request:User-Name} V:%{%{%{reply:Extreme-Netlogin-Extended-Vlan}:-%{reply:Tunnel-Private-Group-Id}}:-UXXX} S:%{%{%{request:NAS-IP-Address}:-%{outer.request:NAS-IP-Address}}:-none} P:%{%{%{request:NAS-Port}:-%{outer.request:NAS-Port}}:-none} N:%{%{%{request:NAS-Identifier}:-%{outer.request:NAS-Identifier}}:-none} M:%{%{%{request:Calling-Station-Id}:-%{outer.request:Calling-Station-Id}}:-none} LDAP:%{%{control:ldap_AD-LDAP-Group}:-none} SR:%{%{request:EAP-Session-Resumed}:-none} H:%{%{request:Cache-Entry-Hits}:-0} (8) --> OK PREPROD\\pierrick.merle.i V:UXXX S:10.128.2.54 P:1004 N:SXT_APS20f M:54:05:DB:EC:7A:F7 LDAP:none SR:none H:0 (8) Login OK: [PREPROD\pierrick.merle.i/<via Auth-Type = eap_lan_dot1x>] (from client SWITCH port 1004 cli 54:05:DB:EC:7A:F7) OK PREPROD\\pierrick.merle.i V:UXXX S:10.128.2.54 P:1004 N:SXT_APS20f M:54:05:DB:EC:7A:F7 LDAP:none SR:none H:0 (8) Sent Access-Accept Id 205 from 10.128.0.58:1812 to 10.128.2.54:32769 length 195 (8) Message-Authenticator = 0xea84928db30f8c9b048865c87d621a8a (8) Framed-Protocol = PPP (8) Service-Type = Framed-User (8) Class = 0x595505e400000137000102000aa7490d00000000000000000000000001db82dd2c49bf8300000000000000af (8) MS-CHAP2-Success = <redacted> (8) MS-CHAP-Domain = "\344PREPROD" (8) Framed-MTU += 1014 (8) User-Name := "PREPROD\\pierrick.merle.i" (8) Finished request Waking up in 4.9 seconds. Le 21/02/2025 19:28, > aland a écrit :
On Feb 21, 2025, at 1:04 PM, MERLE Pierrick (Chef de projet réseau) - SG/DNUM/MSP/DIS/GIR via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am currently using FreeRADIUS 3.2.x as a RADIUS proxy to forward EAP-PEAP/MSCHAPv2 authentication requests to a backend Microsoft NPS server. The setup is working correctly, but I am facing an issue with TLS session resumption when using a proxy in the inner-tunnel: Attributes are never saved in the tls cache.
There's no reason why it shouldn't work.
When I use this setup without any proxy at all, TLS session resumption just works as expected.
Is TLS session resumption supported when using FreeRADIUS as a proxy for the inner authentication? If so, how can I properly cache the TLS session in this scenario?
If you configure it, it should work. The code to save / restore session resumption data is independent of the inner-tunnel proxying. It's part of the TLS connection setup instead.
Please post the full debug log for a situation where the session resumption doesn't work. The code is FULL of debug messages which explain when / why it's saving sessions, or not.
Alan DeKok.