As promised, I send you an radiusd -X output. complete. I see that straight at the beginning, policy rewrite_called_station_id is done. --> EXPAND %{Called-Station-SSID} (0) --> TSSID1 even with that, as I said, I cannot use that "%{Called-Station-SSID} anywhere else than in "post-auth"... Is that normal? Do you see "horror" in those logs ? :-D Thanks for reading, and thanks for your return. (0) Received Access-Request Id 194 from 192.168.30.206:42291 to 192.168.30.66:1812 length 151 (0) User-Name = "u2" (0) NAS-Identifier = "44d9e7023ad1" (0) NAS-Port = 0 (0) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (0) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) EAP-Message = 0x02e20007017532 (0) Message-Authenticator = 0x6df4581814e8c5685f1821d6d50c6180 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) policy rewrite_called_station_id { (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (0) update request { (0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (0) --> 46-D9-E7-03-3A-D1 (0) &Called-Station-Id := 46-D9-E7-03-3A-D1 (0) } # update request = noop (0) if ("%{8}") { (0) EXPAND %{8} (0) --> TSSID1 (0) if ("%{8}") -> TRUE (0) if ("%{8}") { (0) update request { (0) EXPAND %{8} (0) --> TSSID1 (0) &Called-Station-SSID := TSSID1 (0) EXPAND %{Called-Station-SSID} (0) --> TSSID1 (0) &My-Called-Station-SSID := TSSID1 (0) } # update request = noop (0) } # if ("%{8}") = noop (0) [updated] = updated (0) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (0) ... skipping else: Preceding "if" was taken (0) } # policy rewrite_called_station_id = updated (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "u2", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 226 length 7 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: Flushing SSL sessions (of #0) (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 227 length 6 (0) eap: EAP session adding &reply:State = 0x26e3acd92600b50e (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 194 from 192.168.30.66:1812 to 192.168.30.206:42291 length 0 (0) EAP-Message = 0x01e300061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x26e3acd92600b50e9de8616e7140b5da (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 195 from 192.168.30.206:42291 to 192.168.30.66:1812 length 330 (1) User-Name = "u2" (1) NAS-Identifier = "44d9e7023ad1" (1) NAS-Port = 0 (1) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (1) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) EAP-Message = 0x02e300a819800000009e1603010099010000950303b275ec6ca03d6c07079f0f5fd77bc702c544c56e69b4c7a9e3d595de38d5cd6200003cc02cc030009fc02bc02f009ec00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a00ff010000 (1) State = 0x26e3acd92600b50e9de8616e7140b5da (1) Message-Authenticator = 0xf99f35009091fa6c60abe4f208c2805d (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) policy rewrite_called_station_id { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (1) --> 46-D9-E7-03-3A-D1 (1) &Called-Station-Id := 46-D9-E7-03-3A-D1 (1) } # update request = noop (1) if ("%{8}") { (1) EXPAND %{8} (1) --> TSSID1 (1) if ("%{8}") -> TRUE (1) if ("%{8}") { (1) update request { (1) EXPAND %{8} (1) --> TSSID1 (1) &Called-Station-SSID := TSSID1 (1) EXPAND %{Called-Station-SSID} (1) --> TSSID1 (1) &My-Called-Station-SSID := TSSID1 (1) } # update request = noop (1) } # if ("%{8}") = noop (1) [updated] = updated (1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_called_station_id = updated (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "u2", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 227 length 168 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x26e3acd92600b50e (1) eap: Finished EAP session with state 0x26e3acd92600b50e (1) eap: Previous EAP request found for state 0x26e3acd92600b50e, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 158 bytes (1) eap_peap: Got complete TLS record (158 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before/accept initialization (1) eap_peap: TLS_accept: before/accept initialization (1) eap_peap: <<< recv TLS 1.2 [length 0099] (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.2 [length 0059] (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.2 [length 08d3] (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.2 [length 014d] (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.2 [length 0004] (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: In SSL Handshake Phase (1) eap_peap: In SSL Accept mode (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 228 length 1004 (1) eap: EAP session adding &reply:State = 0x26e3acd92707b50e (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 195 from 192.168.30.66:1812 to 192.168.30.206:42291 length 0 (1) EAP-Message = 0x01e403ec19c000000a911603030059020000550303a1388d44dabe97aee61c3b20a7ab8fc1aec4ad52dee38fe3c7b26167a0dbc1bc201e612a6685965633b12ff0d4fcb41a265c0e72dbded7812586c0e3347a5b896cc03000000dff01000100000b00040300010216030308d30b0008cf0008cc0003de (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x26e3acd92707b50e9de8616e7140b5da (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 196 from 192.168.30.206:42291 to 192.168.30.66:1812 length 168 (2) User-Name = "u2" (2) NAS-Identifier = "44d9e7023ad1" (2) NAS-Port = 0 (2) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (2) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) EAP-Message = 0x02e400061900 (2) State = 0x26e3acd92707b50e9de8616e7140b5da (2) Message-Authenticator = 0x8a1d94e2d52ec81230dc52382337ebde (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) policy rewrite_called_station_id { (2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (2) update request { (2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (2) --> 46-D9-E7-03-3A-D1 (2) &Called-Station-Id := 46-D9-E7-03-3A-D1 (2) } # update request = noop (2) if ("%{8}") { (2) EXPAND %{8} (2) --> TSSID1 (2) if ("%{8}") -> TRUE (2) if ("%{8}") { (2) update request { (2) EXPAND %{8} (2) --> TSSID1 (2) &Called-Station-SSID := TSSID1 (2) EXPAND %{Called-Station-SSID} (2) --> TSSID1 (2) &My-Called-Station-SSID := TSSID1 (2) } # update request = noop (2) } # if ("%{8}") = noop (2) [updated] = updated (2) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (2) ... skipping else: Preceding "if" was taken (2) } # policy rewrite_called_station_id = updated (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "u2", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 228 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x26e3acd92707b50e (2) eap: Finished EAP session with state 0x26e3acd92707b50e (2) eap: Previous EAP request found for state 0x26e3acd92707b50e, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer ACKed our handshake fragment (2) eap_peap: [eaptls verify] = request (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 229 length 1000 (2) eap: EAP session adding &reply:State = 0x26e3acd92406b50e (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 196 from 192.168.30.66:1812 to 192.168.30.206:42291 length 0 (2) EAP-Message = 0x01e503e81940ca12fabb7964d6cb47ff4dbc736cca7b619482c69523520dbb422565f5fe26b0a27fa749595187b23ae6cdf379898cc96d5538f5a0203165548e1402a0716da7e63fe3d1a6f4f4d80e6dadca36b1d34815cb792b0d55ff2aa0a05d77b2ecefd55cbb7d356e7fb6ce430004e8308204e430 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x26e3acd92406b50e9de8616e7140b5da (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 197 from 192.168.30.206:42291 to 192.168.30.66:1812 length 168 (3) User-Name = "u2" (3) NAS-Identifier = "44d9e7023ad1" (3) NAS-Port = 0 (3) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (3) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) EAP-Message = 0x02e500061900 (3) State = 0x26e3acd92406b50e9de8616e7140b5da (3) Message-Authenticator = 0x69984560004ba33d4af83118efaf52e9 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) policy rewrite_called_station_id { (3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (3) update request { (3) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (3) --> 46-D9-E7-03-3A-D1 (3) &Called-Station-Id := 46-D9-E7-03-3A-D1 (3) } # update request = noop (3) if ("%{8}") { (3) EXPAND %{8} (3) --> TSSID1 (3) if ("%{8}") -> TRUE (3) if ("%{8}") { (3) update request { (3) EXPAND %{8} (3) --> TSSID1 (3) &Called-Station-SSID := TSSID1 (3) EXPAND %{Called-Station-SSID} (3) --> TSSID1 (3) &My-Called-Station-SSID := TSSID1 (3) } # update request = noop (3) } # if ("%{8}") = noop (3) [updated] = updated (3) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (3) ... skipping else: Preceding "if" was taken (3) } # policy rewrite_called_station_id = updated (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "u2", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 229 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x26e3acd92406b50e (3) eap: Finished EAP session with state 0x26e3acd92406b50e (3) eap: Previous EAP request found for state 0x26e3acd92406b50e, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 230 length 723 (3) eap: EAP session adding &reply:State = 0x26e3acd92505b50e (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) Sent Access-Challenge Id 197 from 192.168.30.66:1812 to 192.168.30.206:42291 length 0 (3) EAP-Message = 0x01e602d3190020417574686f72697479820900f93d1298efaa0149300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x26e3acd92505b50e9de8616e7140b5da (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 198 from 192.168.30.206:42291 to 192.168.30.66:1812 length 298 (4) User-Name = "u2" (4) NAS-Identifier = "44d9e7023ad1" (4) NAS-Port = 0 (4) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (4) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) EAP-Message = 0x02e6008819800000007e1603030046100000424104041b7c41a3bd64a8a8a136b69913d4abc758ff6523448fa1ee5da8cba6d7fb812d9d38c80e1f33e0bb86f396168fdf04b86ad694122d1860aa66672d05e3acc61403030001011603030028000000000000000030d814976854b1841781e86747494b (4) State = 0x26e3acd92505b50e9de8616e7140b5da (4) Message-Authenticator = 0x71361b97fa00595f1c1e7e1b49674c86 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) policy rewrite_called_station_id { (4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (4) update request { (4) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (4) --> 46-D9-E7-03-3A-D1 (4) &Called-Station-Id := 46-D9-E7-03-3A-D1 (4) } # update request = noop (4) if ("%{8}") { (4) EXPAND %{8} (4) --> TSSID1 (4) if ("%{8}") -> TRUE (4) if ("%{8}") { (4) update request { (4) EXPAND %{8} (4) --> TSSID1 (4) &Called-Station-SSID := TSSID1 (4) EXPAND %{Called-Station-SSID} (4) --> TSSID1 (4) &My-Called-Station-SSID := TSSID1 (4) } # update request = noop (4) } # if ("%{8}") = noop (4) [updated] = updated (4) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (4) ... skipping else: Preceding "if" was taken (4) } # policy rewrite_called_station_id = updated (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "u2", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 230 length 136 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x26e3acd92505b50e (4) eap: Finished EAP session with state 0x26e3acd92505b50e (4) eap: Previous EAP request found for state 0x26e3acd92505b50e, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 126 bytes (4) eap_peap: Got complete TLS record (126 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: <<< recv TLS 1.2 [length 0046] (4) eap_peap: TLS_accept: unknown state (4) eap_peap: TLS_accept: unknown state (4) eap_peap: <<< recv TLS 1.2 [length 0001] (4) eap_peap: <<< recv TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: unknown state (4) eap_peap: >>> send TLS 1.2 [length 0001] (4) eap_peap: TLS_accept: unknown state (4) eap_peap: >>> send TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: unknown state (4) eap_peap: TLS_accept: unknown state (4) eap_peap: (other): SSL negotiation finished successfully (4) eap_peap: SSL Connection Established (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 231 length 57 (4) eap: EAP session adding &reply:State = 0x26e3acd92204b50e (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) Sent Access-Challenge Id 198 from 192.168.30.66:1812 to 192.168.30.206:42291 length 0 (4) EAP-Message = 0x01e7003919001403030001011603030028afdc310d6ec3ecf82929a0132b49427d16fa26597f15966113b9002b91d656814059fce9e456ede0 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x26e3acd92204b50e9de8616e7140b5da (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 199 from 192.168.30.206:42291 to 192.168.30.66:1812 length 168 (5) User-Name = "u2" (5) NAS-Identifier = "44d9e7023ad1" (5) NAS-Port = 0 (5) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (5) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) EAP-Message = 0x02e700061900 (5) State = 0x26e3acd92204b50e9de8616e7140b5da (5) Message-Authenticator = 0x4f8ea83811fddc3ef626018a5a3028fd (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) policy rewrite_called_station_id { (5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (5) update request { (5) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (5) --> 46-D9-E7-03-3A-D1 (5) &Called-Station-Id := 46-D9-E7-03-3A-D1 (5) } # update request = noop (5) if ("%{8}") { (5) EXPAND %{8} (5) --> TSSID1 (5) if ("%{8}") -> TRUE (5) if ("%{8}") { (5) update request { (5) EXPAND %{8} (5) --> TSSID1 (5) &Called-Station-SSID := TSSID1 (5) EXPAND %{Called-Station-SSID} (5) --> TSSID1 (5) &My-Called-Station-SSID := TSSID1 (5) } # update request = noop (5) } # if ("%{8}") = noop (5) [updated] = updated (5) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (5) ... skipping else: Preceding "if" was taken (5) } # policy rewrite_called_station_id = updated (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "u2", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 231 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x26e3acd92204b50e (5) eap: Finished EAP session with state 0x26e3acd92204b50e (5) eap: Previous EAP request found for state 0x26e3acd92204b50e, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer ACKed our handshake fragment. handshake is finished (5) eap_peap: [eaptls verify] = success (5) eap_peap: [eaptls process] = success (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state TUNNEL ESTABLISHED (5) eap: Sending EAP Request (code 1) ID 232 length 40 (5) eap: EAP session adding &reply:State = 0x26e3acd9230bb50e (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) Sent Access-Challenge Id 199 from 192.168.30.66:1812 to 192.168.30.206:42291 length 0 (5) EAP-Message = 0x01e800281900170303001dafdc310d6ec3ecf911d9a53ca339359c7b7e5d1d31e2740ac7b3cc1fc8 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x26e3acd9230bb50e9de8616e7140b5da (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 200 from 192.168.30.206:42291 to 192.168.30.66:1812 length 200 (6) User-Name = "u2" (6) NAS-Identifier = "44d9e7023ad1" (6) NAS-Port = 0 (6) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (6) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Connect-Info = "CONNECT 0Mbps 802.11b" (6) EAP-Message = 0x02e800261900170303001b0000000000000001a7d595fb1c1358287b3a2de65b1505c2800a8c (6) State = 0x26e3acd9230bb50e9de8616e7140b5da (6) Message-Authenticator = 0xfd38b6b4bced113086272427b1e47ec5 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) policy rewrite_called_station_id { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6) update request { (6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (6) --> 46-D9-E7-03-3A-D1 (6) &Called-Station-Id := 46-D9-E7-03-3A-D1 (6) } # update request = noop (6) if ("%{8}") { (6) EXPAND %{8} (6) --> TSSID1 (6) if ("%{8}") -> TRUE (6) if ("%{8}") { (6) update request { (6) EXPAND %{8} (6) --> TSSID1 (6) &Called-Station-SSID := TSSID1 (6) EXPAND %{Called-Station-SSID} (6) --> TSSID1 (6) &My-Called-Station-SSID := TSSID1 (6) } # update request = noop (6) } # if ("%{8}") = noop (6) [updated] = updated (6) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (6) ... skipping else: Preceding "if" was taken (6) } # policy rewrite_called_station_id = updated (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "u2", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 232 length 38 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x26e3acd9230bb50e (6) eap: Finished EAP session with state 0x26e3acd9230bb50e (6) eap: Previous EAP request found for state 0x26e3acd9230bb50e, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY (6) eap_peap: Identity - u2 (6) eap_peap: Got inner identity 'u2' (6) eap_peap: Setting default EAP type for tunneled EAP session (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x02e80007017532 (6) eap_peap: Setting User-Name to u2 (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x02e80007017532 (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "u2" (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x02e80007017532 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "u2" (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "u2", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 232 length 7 (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Peer sent packet with method EAP Identity (1) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: Issuing Challenge (6) eap: Sending EAP Request (code 1) ID 233 length 43 (6) eap: EAP session adding &reply:State = 0xe964d6a3e98dccf7 (6) [eap] = handled (6) } # authenticate = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) EAP-Message = 0x01e9002b1a01e9002610da269c8e35bd6e35d1e82df925280719667265657261646975732d332e302e3133 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xe964d6a3e98dccf7d9a7bb91d2128446 (6) eap_peap: Got tunneled reply code 11 (6) eap_peap: EAP-Message = 0x01e9002b1a01e9002610da269c8e35bd6e35d1e82df925280719667265657261646975732d332e302e3133 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0xe964d6a3e98dccf7d9a7bb91d2128446 (6) eap_peap: Got tunneled reply RADIUS code 11 (6) eap_peap: EAP-Message = 0x01e9002b1a01e9002610da269c8e35bd6e35d1e82df925280719667265657261646975732d332e302e3133 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0xe964d6a3e98dccf7d9a7bb91d2128446 (6) eap_peap: Got tunneled Access-Challenge (6) eap: Sending EAP Request (code 1) ID 233 length 74 (6) eap: EAP session adding &reply:State = 0x26e3acd9200ab50e (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) Sent Access-Challenge Id 200 from 192.168.30.66:1812 to 192.168.30.206:42291 length 0 (6) EAP-Message = 0x01e9004a1900170303003fafdc310d6ec3ecfa6ad7b9bd7b5b3d632836005d9b48d843c30661e85ac54e7f84b5c8cd2cc6e05b9a0707af2f27b0a300ddb2b161bcf37c279ed789d753df (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x26e3acd9200ab50e9de8616e7140b5da (6) Finished request Waking up in 4.9 seconds. (7) Received Access-Request Id 201 from 192.168.30.206:42291 to 192.168.30.66:1812 length 254 (7) User-Name = "u2" (7) NAS-Identifier = "44d9e7023ad1" (7) NAS-Port = 0 (7) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (7) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) EAP-Message = 0x02e9005c1900170303005100000000000000029d8c08242bcc95810a5b03538963ca587b615f552ddeec106afa23ac3a8d27adb88db9eeb117c104ece273d2b6fc96fdb2389f69a80ee3f417d1d98781ad9b31d22375b85325728ba4 (7) State = 0x26e3acd9200ab50e9de8616e7140b5da (7) Message-Authenticator = 0xb5acd68497179836600f3c0e5e91bffa (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) policy rewrite_called_station_id { (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (7) update request { (7) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (7) --> 46-D9-E7-03-3A-D1 (7) &Called-Station-Id := 46-D9-E7-03-3A-D1 (7) } # update request = noop (7) if ("%{8}") { (7) EXPAND %{8} (7) --> TSSID1 (7) if ("%{8}") -> TRUE (7) if ("%{8}") { (7) update request { (7) EXPAND %{8} (7) --> TSSID1 (7) &Called-Station-SSID := TSSID1 (7) EXPAND %{Called-Station-SSID} (7) --> TSSID1 (7) &My-Called-Station-SSID := TSSID1 (7) } # update request = noop (7) } # if ("%{8}") = noop (7) [updated] = updated (7) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (7) ... skipping else: Preceding "if" was taken (7) } # policy rewrite_called_station_id = updated (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "u2", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 233 length 92 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0xe964d6a3e98dccf7 (7) eap: Finished EAP session with state 0x26e3acd9200ab50e (7) eap: Previous EAP request found for state 0x26e3acd9200ab50e, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP method MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x02e9003d1a02e90038314f450d7d3778496ac408ec5ae22c5cf800000000000000007e8efaecb1519f66b99fda6c16258fac43cd7d2ab37ae22b007532 (7) eap_peap: Setting User-Name to u2 (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x02e9003d1a02e90038314f450d7d3778496ac408ec5ae22c5cf800000000000000007e8efaecb1519f66b99fda6c16258fac43cd7d2ab37ae22b007532 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "u2" (7) eap_peap: State = 0xe964d6a3e98dccf7d9a7bb91d2128446 (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x02e9003d1a02e90038314f450d7d3778496ac408ec5ae22c5cf800000000000000007e8efaecb1519f66b99fda6c16258fac43cd7d2ab37ae22b007532 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "u2" (7) State = 0xe964d6a3e98dccf7d9a7bb91d2128446 (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "u2", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 233 length 61 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop rlm_ldap (ldap): Reserved connection (0) (7) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (7) ldap: --> (samaccountname=u2) (7) ldap: Performing search in "dc=mt,dc=priv" with filter "(samaccountname=u2)", scope "sub" (7) ldap: Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.mt.priv/DC=ForestDnsZones,DC=mt,DC=priv rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.mt.priv/DC=DomainDnsZones,DC=mt,DC=priv rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://mt.priv/CN=Configuration,DC=mt,DC=priv rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (7) ldap: User object found at DN "CN=User2 last,OU=MT-Users,OU=MT-Objects,DC=mt,DC=priv" (7) ldap: Processing user attributes (7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Deleting connection (0) Need 6 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 28 pending slots used rlm_ldap (ldap): Connecting to ldap://192.168.30.64:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (7) [ldap] = ok (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0xe964d6a3e98dccf7 (7) eap: Finished EAP session with state 0xe964d6a3e98dccf7 (7) eap: Previous EAP request found for state 0xe964d6a3e98dccf7, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) eap_mschapv2: authenticate { (7) mschap: Creating challenge hash with username: u2 (7) mschap: Client is using MS-CHAPv2 (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-mt.priv} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (7) mschap: --> --username=u2 (7) mschap: ERROR: No NT-Domain was found in the User-Name (7) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-mt.priv} (7) mschap: --> --domain=mt.priv (7) mschap: Creating challenge hash with username: u2 (7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (7) mschap: --> --challenge=fec47cb1e1e89ea6 (7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (7) mschap: --> --nt-response=7e8efaecb1519f66b99fda6c16258fac43cd7d2ab37ae22b (7) mschap: Program returned code (0) and output 'NT_KEY: 9B2636A6B6FEB8B39BA0972EB1B4126F' (7) mschap: Adding MS-CHAPv2 MPPE keys (7) [mschap] = ok (7) } # authenticate = ok (7) MSCHAP Success (7) eap: Sending EAP Request (code 1) ID 234 length 51 (7) eap: EAP session adding &reply:State = 0xe964d6a3e88eccf7 (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) EAP-Message = 0x01ea00331a03e9002e533d32324130423439373042463632383037453537374235344635323145393844463546344141383736 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xe964d6a3e88eccf7d9a7bb91d2128446 (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: EAP-Message = 0x01ea00331a03e9002e533d32324130423439373042463632383037453537374235344635323145393844463546344141383736 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xe964d6a3e88eccf7d9a7bb91d2128446 (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: EAP-Message = 0x01ea00331a03e9002e533d32324130423439373042463632383037453537374235344635323145393844463546344141383736 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xe964d6a3e88eccf7d9a7bb91d2128446 (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 234 length 82 (7) eap: EAP session adding &reply:State = 0x26e3acd92109b50e (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) Sent Access-Challenge Id 201 from 192.168.30.66:1812 to 192.168.30.206:42291 length 0 (7) EAP-Message = 0x01ea005219001703030047afdc310d6ec3ecfb9e6c30da4240048c4f730e520ea1adb199993e22a9af5b7974473effa782835f7aa711cfada821e84f3a1cabf0393f522379e3e9223b7418611722b9db7623 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x26e3acd92109b50e9de8616e7140b5da (7) Finished request Waking up in 4.8 seconds. (8) Received Access-Request Id 202 from 192.168.30.206:42291 to 192.168.30.66:1812 length 199 (8) User-Name = "u2" (8) NAS-Identifier = "44d9e7023ad1" (8) NAS-Port = 0 (8) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (8) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (8) Framed-MTU = 1400 (8) NAS-Port-Type = Wireless-802.11 (8) Connect-Info = "CONNECT 0Mbps 802.11b" (8) EAP-Message = 0x02ea00251900170303001a0000000000000003d92e7f5e0e434d437cc57a596fcb7e4d3177 (8) State = 0x26e3acd92109b50e9de8616e7140b5da (8) Message-Authenticator = 0x87b4b40497cd83d6c2bc7ff399ebbc67 (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) policy rewrite_called_station_id { (8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (8) update request { (8) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (8) --> 46-D9-E7-03-3A-D1 (8) &Called-Station-Id := 46-D9-E7-03-3A-D1 (8) } # update request = noop (8) if ("%{8}") { (8) EXPAND %{8} (8) --> TSSID1 (8) if ("%{8}") -> TRUE (8) if ("%{8}") { (8) update request { (8) EXPAND %{8} (8) --> TSSID1 (8) &Called-Station-SSID := TSSID1 (8) EXPAND %{Called-Station-SSID} (8) --> TSSID1 (8) &My-Called-Station-SSID := TSSID1 (8) } # update request = noop (8) } # if ("%{8}") = noop (8) [updated] = updated (8) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (8) ... skipping else: Preceding "if" was taken (8) } # policy rewrite_called_station_id = updated (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "u2", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 234 length 37 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0xe964d6a3e88eccf7 (8) eap: Finished EAP session with state 0x26e3acd92109b50e (8) eap: Previous EAP request found for state 0x26e3acd92109b50e, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x02ea00061a03 (8) eap_peap: Setting User-Name to u2 (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x02ea00061a03 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "u2" (8) eap_peap: State = 0xe964d6a3e88eccf7d9a7bb91d2128446 (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x02ea00061a03 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "u2" (8) State = 0xe964d6a3e88eccf7d9a7bb91d2128446 (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "u2", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 234 length 6 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop rlm_ldap (ldap): Reserved connection (1) (8) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (samaccountname=u2) (8) ldap: Performing search in "dc=mt,dc=priv" with filter "(samaccountname=u2)", scope "sub" (8) ldap: Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.mt.priv/DC=ForestDnsZones,DC=mt,DC=priv rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.mt.priv/DC=DomainDnsZones,DC=mt,DC=priv rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://mt.priv/CN=Configuration,DC=mt,DC=priv rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (8) ldap: User object found at DN "CN=User2 last,OU=MT-Users,OU=MT-Objects,DC=mt,DC=priv" (8) ldap: Processing user attributes (8) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Deleting connection (1) (8) [ldap] = ok (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0xe964d6a3e88eccf7 (8) eap: Finished EAP session with state 0xe964d6a3e88eccf7 (8) eap: Previous EAP request found for state 0xe964d6a3e88eccf7, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap: Sending EAP Success (code 3) ID 234 length 4 (8) eap: Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel (8) post-auth { (8) if (0) { (8) if (0) -> FALSE (8) } # post-auth = noop (8) EXPAND GOODPASS (8) --> GOODPASS (8) Login OK: [u2/<via Auth-Type = eap>] (from client vLan-Tech port 0 via TLS tunnel) GOODPASS (8) } # server inner-tunnel (8) Virtual server sending reply (8) MS-MPPE-Encryption-Policy = Encryption-Allowed (8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) MS-MPPE-Send-Key = 0x5a63cb9a1d9e080f1d59d075194aaef7 (8) MS-MPPE-Recv-Key = 0x351a8649c506ccb5556cc2e2a6ad00dc (8) EAP-Message = 0x03ea0004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) User-Name = "u2" (8) eap_peap: Got tunneled reply code 2 (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) eap_peap: MS-MPPE-Send-Key = 0x5a63cb9a1d9e080f1d59d075194aaef7 (8) eap_peap: MS-MPPE-Recv-Key = 0x351a8649c506ccb5556cc2e2a6ad00dc (8) eap_peap: EAP-Message = 0x03ea0004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: User-Name = "u2" (8) eap_peap: Got tunneled reply RADIUS code 2 (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) eap_peap: MS-MPPE-Send-Key = 0x5a63cb9a1d9e080f1d59d075194aaef7 (8) eap_peap: MS-MPPE-Recv-Key = 0x351a8649c506ccb5556cc2e2a6ad00dc (8) eap_peap: EAP-Message = 0x03ea0004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: User-Name = "u2" (8) eap_peap: Tunneled authentication was successful (8) eap_peap: SUCCESS (8) eap: Sending EAP Request (code 1) ID 235 length 46 (8) eap: EAP session adding &reply:State = 0x26e3acd92e08b50e (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) Sent Access-Challenge Id 202 from 192.168.30.66:1812 to 192.168.30.206:42291 length 0 (8) EAP-Message = 0x01eb002e19001703030023afdc310d6ec3ecfc229ddfb0d67089decdf03a173fe43279508cff8728033097145447 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x26e3acd92e08b50e9de8616e7140b5da (8) Finished request Waking up in 4.8 seconds. (9) Received Access-Request Id 203 from 192.168.30.206:42291 to 192.168.30.66:1812 length 208 (9) User-Name = "u2" (9) NAS-Identifier = "44d9e7023ad1" (9) NAS-Port = 0 (9) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1" (9) Calling-Station-Id = "C0-EE-FB-4B-FA-10" (9) Framed-MTU = 1400 (9) NAS-Port-Type = Wireless-802.11 (9) Connect-Info = "CONNECT 0Mbps 802.11b" (9) EAP-Message = 0x02eb002e190017030300230000000000000004bbad0c85fff213c85c3df86106c8a96db5e13ddd612c77dee32bd2 (9) State = 0x26e3acd92e08b50e9de8616e7140b5da (9) Message-Authenticator = 0x8d03cc4904839e96543fb59eb8936d63 (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/freeradius/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) policy rewrite_called_station_id { (9) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (9) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (9) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (9) update request { (9) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (9) --> 46-D9-E7-03-3A-D1 (9) &Called-Station-Id := 46-D9-E7-03-3A-D1 (9) } # update request = noop (9) if ("%{8}") { (9) EXPAND %{8} (9) --> TSSID1 (9) if ("%{8}") -> TRUE (9) if ("%{8}") { (9) update request { (9) EXPAND %{8} (9) --> TSSID1 (9) &Called-Station-SSID := TSSID1 (9) EXPAND %{Called-Station-SSID} (9) --> TSSID1 (9) &My-Called-Station-SSID := TSSID1 (9) } # update request = noop (9) } # if ("%{8}") = noop (9) [updated] = updated (9) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (9) ... skipping else: Preceding "if" was taken (9) } # policy rewrite_called_station_id = updated (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "u2", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 235 length 46 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x26e3acd92e08b50e (9) eap: Finished EAP session with state 0x26e3acd92e08b50e (9) eap: Previous EAP request found for state 0x26e3acd92e08b50e, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv success (9) eap_peap: Received EAP-TLV response (9) eap_peap: Success (9) eap_peap: No information to cache: session caching will be disabled for session 1e612a6685965633b12ff0d4fcb41a265c0e72dbded7812586c0e3347a5b896c (9) eap: Sending EAP Success (code 3) ID 235 length 4 (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (9) post-auth { (9) if (NAS-Port-Type == Wireless-802.11) { (9) if (NAS-Port-Type == Wireless-802.11) -> TRUE (9) if (NAS-Port-Type == Wireless-802.11) { (9) if (&LDAP-Group[*] == "grp-ssid-%{Called-Station-SSID}") { (9) EXPAND grp-ssid-%{Called-Station-SSID} (9) --> grp-ssid-TSSID1 (9) Searching for user in group "grp-ssid-TSSID1" rlm_ldap (ldap): Reserved connection (2) (9) EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (9) --> (samaccountname=u2) (9) Performing search in "dc=mt,dc=priv" with filter "(samaccountname=u2)", scope "sub" (9) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.mt.priv/DC=ForestDnsZones,DC=mt,DC=priv rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.mt.priv/DC=DomainDnsZones,DC=mt,DC=priv rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap://mt.priv/CN=Configuration,DC=mt,DC=priv rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (9) User object found at DN "CN=User2 last,OU=MT-Users,OU=MT-Objects,DC=mt,DC=priv" (9) Checking user object's memberOf attributes (9) Waiting for bind result... (9) Bind successful (9) Performing unfiltered search in "CN=User2 last,OU=MT-Users,OU=MT-Objects,DC=mt,DC=priv", scope "base" (9) Waiting for search result... (9) Processing memberOf value "CN=grp-ssid-TSSID2,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" as a DN (9) Resolving group DN "CN=grp-ssid-TSSID2,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" to group name (9) Performing unfiltered search in "CN=grp-ssid-TSSID2,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv", scope "base" (9) Waiting for search result... (9) Group DN "CN=grp-ssid-TSSID2,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" resolves to name "grp-ssid-TSSID2" (9) Processing memberOf value "CN=GRP-SEC-ALL-USERS,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" as a DN (9) Resolving group DN "CN=GRP-SEC-ALL-USERS,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" to group name (9) Performing unfiltered search in "CN=GRP-SEC-ALL-USERS,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv", scope "base" (9) Waiting for search result... (9) Group DN "CN=GRP-SEC-ALL-USERS,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" resolves to name "GRP-SEC-ALL-USERS" (9) Processing memberOf value "CN=Profs,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" as a DN (9) Resolving group DN "CN=Profs,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" to group name (9) Performing unfiltered search in "CN=Profs,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv", scope "base" (9) Waiting for search result... (9) Group DN "CN=Profs,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" resolves to name "Profs" (9) Processing memberOf value "CN=Mt-Folder-Redirection,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" as a DN (9) Resolving group DN "CN=Mt-Folder-Redirection,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" to group name (9) Performing unfiltered search in "CN=Mt-Folder-Redirection,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv", scope "base" (9) Waiting for search result... (9) Group DN "CN=Mt-Folder-Redirection,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" resolves to name "Mt-Folder-Redirection" rlm_ldap (ldap): Deleting connection (2) (9) User is not a member of "grp-ssid-TSSID1" (9) if (&LDAP-Group[*] == "grp-ssid-%{Called-Station-SSID}") -> FALSE (9) else { (9) update reply { (9) EXPAND Hello %{User-Name}: Vous n'avez pas accès (9) --> Hello u2: Vous n'avez pas accès (9) Reply-Message = Hello u2: Vous n'avez pas accès (9) } # update reply = noop (9) [reject] = reject (9) } # else = reject (9) } # if (NAS-Port-Type == Wireless-802.11) = reject (9) } # post-auth = reject (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> u2 (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) [eap] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> TRUE (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) update reply { (9) &Reply-Message !* ANY (9) } # update reply = noop (9) } # if (&reply:EAP-Message && &reply:Reply-Message) = noop (9) ... skipping else: Preceding "if" was taken (9) } # policy remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) EXPAND BADPASS (9) --> BADPASS (9) Rejected in post-auth: [u2/<via Auth-Type = eap>] (from client vLan-Tech port 0 cli C0-EE-FB-4B-FA-10) BADPASS (9) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 203 from 192.168.30.66:1812 to 192.168.30.206:42291 length 44 (9) EAP-Message = 0x03eb0004 (9) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. (0) Cleaning up request packet ID 194 with timestamp +36 (1) Cleaning up request packet ID 195 with timestamp +36 (2) Cleaning up request packet ID 196 with timestamp +36 (3) Cleaning up request packet ID 197 with timestamp +36 (4) Cleaning up request packet ID 198 with timestamp +36 (5) Cleaning up request packet ID 199 with timestamp +36 (6) Cleaning up request packet ID 200 with timestamp +36 (7) Cleaning up request packet ID 201 with timestamp +36 (8) Cleaning up request packet ID 202 with timestamp +36 (9) Cleaning up request packet ID 203 with timestamp +36 Ready to process requests Pierre de Jong -.-.-.-.-.-.-.-.-.-.- 2017-04-04 14:38 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On Apr 4, 2017, at 7:47 AM, Pierre de Jong <pierredejong@gmail.com> wrote:
UNABLE to use "%{Called-Station-SSID}" (nor %Called-Station-SSID)
What do you mean by "unable to use"?
I mean that when i try to "show" the %{Called-Station-SSID} ..... like,
in
a message, we do a" ## %{user} - %{Called-Station-SSID} ## --> it returns: ## username - ##
That is what I mean.
Then at the Called-Station-Id isn't available at that point.
I will send and radiusd -X output soon...
But YES, in the radiusd -X, I can see that Called-Station-SSID is set to a "RIGHT" value.... but we do not seem to be able to use it "anywhere".
I doubt that very much.
Put that check at the start of the "authorize" section, in the default virtual server. You *will* see it.
My guess is that you're trying to expand it in the "inner-tunnel" virtual server, where it's not available. There are solutions for that.
Again, as always... a *careful* reading of the debug output will show this. The server tells you what attributes are received, and what attributes are sent to the inner-tunnel virtual server.
Alan DeKok.