First I will describe my setup: Freeradius (Daloradius) running latest release on centos 7 with authentication On local mysql as well on remote Microsoft ADS (Ldap) with ntlm_auth. Everything works well with mac only auth as well user + pass 802.1x EAP accounts running on local Mysql as well on Microsoft ADS. I am familar with the radiusd -X and will provide debug outputs. I made the changes in /etc/raddb/mods-available/eap ttls { copy_request_to_tunnel = yes peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes /etc/raddb/mods-available/mschap mschap { ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --domain=DETMOLD.WORTMANN.COM --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" passchange { ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1 --allow-mschapv2" ntlm_auth_username = "username: %{mschap:User-Name}" ntlm_auth_domain = "nt-domain: DETMOLD.WORTMANN.COM" /etc/raddb/mods-available/ntlm_auth exec ntlm_auth { wait = yes program = "usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=DETMOLD.WORTMANN.COM --username=%{mschap:User-Name} --password=%{User-Password}" } /etc/raddb/sites-available/inner-tunnel authenticate { ntlm_auth /etc/raddb/policy.d/group_authorization group_authorization { if (&Huntgroup-Name == "wo-byod") { if (&LDAP-Group[*] == "CN=wo-byod,OU=Wifi,OU=Administration,DC=wifi,DC=wortmann,DC=com") { #reject ok } else { reject } } elsif (&Huntgroup-Name == "wo-secure") { if (&LDAP-Group[*] == "CN=wo-secure,OU=Wifi,OU=Administration,DC=wifi,DC=wortmann,DC=com") { ok } else { reject } } } ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Now I would like to create account with 802.1x EAP user + Pass + mac. I created a user + pass on local server (not microsoft ADS) and the following attributes: Calling-Station-Id := XX:XX:YY: (MAC) MS-CHAP-Use-NTLM-Auth :=No #cause local user in mysql no user on microsoft ads ----------- Output of 802.1x User + Pass + MAC-AUTH (This does not work) (0) Received Access-Request Id 178 from 192.168.70.15:18487 to 192.168.199.69:1812 length 369 (0) User-Name = "24:fb:65:69:06:af" (0) User-Password = "24:fb:65:69:06:af" (0) NAS-IP-Address = 192.168.70.63 (0) NAS-Identifier = "ruckuscontroller" (0) Called-Station-Id = "34-FA-9F-BA-58-8F:test-radius-user+pass+mac" (0) Calling-Station-Id = "24-FB-65-69-06-AF" (0) Service-Type = Framed-User (0) NAS-Port-Type = Wireless-802.11 (0) Location-Data = 0x31304445170a49542d53657276696365 (0) Ruckus-SSID = "test-radius-user+pass+mac" (0) Ruckus-BSSID = 0x34fa9fba588f (0) Ruckus-Location = "IT-Service" (0) Ruckus-VLAN-ID = 1 (0) Ruckus-SCG-CBlade-IP = 3232253455 (0) Ruckus-Zone-Name = "Detmold" (0) Attr-26.25053.154 = 0x576f72746d616e6e (0) Ruckus-Wlan-Name = "test-radius-user+pass+mac" (0) Message-Authenticator = 0xacdb9cb8915c51eabb275d3f52265694 (0) Chargeable-User-Identity = 0x00 (0) Proxy-State = 0x3230 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (name=24:fb:65:69:06:af) (0) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=24:fb:65:69:06:af)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: Search returned no results rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap02.detmold.wortmann.com:50027 TLSMC: MozNSS compatibility interception begins. tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present. tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only. TLSMC: MozNSS compatibility interception ends. rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) [ldap] = notfound (0) policy group_authorization { (0) if (&Huntgroup-Name == "wo-byod") { (0) ERROR: Failed retrieving values required to evaluate condition (0) elsif (&Huntgroup-Name == "wo-secure") { (0) ERROR: Failed retrieving values required to evaluate condition (0) } # policy group_authorization = notfound (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) policy filter_password { (0) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (0) EXPAND %{string:User-Password} (0) --> 24:fb:65:69:06:af (0) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (0) } # policy filter_password = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "24:fb:65:69:06:af", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) sql: EXPAND %{User-Name} (0) sql: --> 24:fb:65:69:06:af (0) sql: SQL-User-Name set to '24:fb:65:69:06:af' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '24:fb:65:69:06:af' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '24:fb:65:69:06:af' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = '24:fb:65:69:06:af' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '24:fb:65:69:06:af' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.40-MariaDB, protocol version 10 (0) [sql] = notfound (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (2) (0) sql: EXPAND %{User-Name} (0) sql: --> 24:fb:65:69:06:af (0) sql: SQL-User-Name set to '24:fb:65:69:06:af' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '24:fb:65:69:06:af', '24:fb:65:69:06:af', 'Access-Reject', '2019-07-03 15:06:39.437779') (0) sql: EXPAND /var/log/radius/sqllog.sql (0) sql: --> /var/log/radius/sqllog.sql (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '24:fb:65:69:06:af', '24:fb:65:69:06:af', 'Access-Reject', '2019-07-03 15:06:39.437779') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (2) (0) [sql] = ok (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> 24:fb:65:69:06:af (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 178 from 192.168.199.69:1812 to 192.168.70.15:18487 length 24 (0) Proxy-State = 0x3230 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 178 with timestamp +21 Ready to process requests -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- And here comes the output with 802.1x with User + Pass (This works) (0) Received Access-Request Id 118 from 192.168.70.15:18487 to 192.168.199.69:1812 length 370 (0) Acct-Session-Id = "5D1CA994-67A4B00F" (0) User-Name = "wifitestmac01" (0) NAS-IP-Address = 192.168.70.63 (0) NAS-Identifier = "ruckuscontroller" (0) NAS-Port = 1 (0) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass" (0) Calling-Station-Id = "24-FB-65-69-06-AF" (0) Location-Data = 0x31304445170a49542d53657276696365 (0) Service-Type = Framed-User (0) Chargeable-User-Identity = 0x00 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = "CONNECT 802.11a/n/ac" (0) EAP-Message = 0x020000120177696669746573746d61633031 (0) Ruckus-SSID = "test-radius-user+pass" (0) Ruckus-BSSID = 0x34fa9ffa588e (0) Ruckus-Location = "IT-Service" (0) Ruckus-VLAN-ID = 1 (0) Ruckus-SCG-CBlade-IP = 3232253455 (0) Ruckus-Zone-Name = "Detmold" (0) Ruckus-Wlan-Name = "test-radius-user+pass" (0) Message-Authenticator = 0x159a3af56a73ce0394ac2b647dab9fdc (0) Proxy-State = 0x3636 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (name=wifitestmac01) (0) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: Search returned no results rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap02.detmold.wortmann.com:50027 TLSMC: MozNSS compatibility interception begins. tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present. tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only. TLSMC: MozNSS compatibility interception ends. rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) [ldap] = notfound (0) policy group_authorization { (0) if (&Huntgroup-Name == "wo-byod") { (0) ERROR: Failed retrieving values required to evaluate condition (0) elsif (&Huntgroup-Name == "wo-secure") { (0) ERROR: Failed retrieving values required to evaluate condition (0) } # policy group_authorization = notfound (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) policy filter_password { (0) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (0) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (0) } # policy filter_password = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 0 length 18 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 1 length 6 (0) eap: EAP session adding &reply:State = 0x3bd334c23bd22d5a (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 118 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0 (0) EAP-Message = 0x010100061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x3bd334c23bd22d5a464d9b22d2e35ffe (0) Proxy-State = 0x3636 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 192 from 192.168.70.15:18487 to 192.168.199.69:1812 length 523 (1) Acct-Session-Id = "5D1CA994-67A4B00F" (1) User-Name = "wifitestmac01" (1) NAS-IP-Address = 192.168.70.63 (1) NAS-Identifier = "ruckuscontroller" (1) NAS-Port = 1 (1) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass" (1) Calling-Station-Id = "24-FB-65-69-06-AF" (1) Location-Data = 0x31304445170a49542d53657276696365 (1) Service-Type = Framed-User (1) Chargeable-User-Identity = 0x00 (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = "CONNECT 802.11a/n/ac" (1) EAP-Message = 0x0201009919800000008f160301008a010000860303835329bad69de11579396dd64e0f503fa00db84d3fa1677093e39b7a165697b600002ac02bc02fc02cc030cca9cca8c009c023c013c027c00ac024c014c028009c009d002f003c0035003d000a01000033ff0100010000170000000d001400120403 (1) State = 0x3bd334c23bd22d5a464d9b22d2e35ffe (1) Ruckus-SSID = "test-radius-user+pass" (1) Ruckus-BSSID = 0x34fa9ffa588e (1) Ruckus-Location = "IT-Service" (1) Ruckus-VLAN-ID = 1 (1) Ruckus-SCG-CBlade-IP = 3232253455 (1) Ruckus-Zone-Name = "Detmold" (1) Ruckus-Wlan-Name = "test-radius-user+pass" (1) Message-Authenticator = 0x7bc819acb7da691a1924f0d0f7cdfe1c (1) Proxy-State = 0x3637 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { rlm_ldap (ldap): Reserved connection (1) (1) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap: --> (name=wifitestmac01) (1) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub" (1) ldap: Waiting for search result... (1) ldap: Search returned no results rlm_ldap (ldap): Released connection (1) (1) [ldap] = notfound (1) policy group_authorization { (1) if (&Huntgroup-Name == "wo-byod") { (1) ERROR: Failed retrieving values required to evaluate condition (1) elsif (&Huntgroup-Name == "wo-secure") { (1) ERROR: Failed retrieving values required to evaluate condition (1) } # policy group_authorization = notfound (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) policy filter_password { (1) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (1) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (1) } # policy filter_password = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 1 length 153 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x3bd334c23bd22d5a (1) eap: Finished EAP session with state 0x3bd334c23bd22d5a (1) eap: Previous EAP request found for state 0x3bd334c23bd22d5a, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 143 bytes (1) eap_peap: Got complete TLS record (143 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before/accept initialization (1) eap_peap: TLS_accept: before/accept initialization (1) eap_peap: <<< recv TLS 1.2 [length 008a] (1) eap_peap: TLS_accept: SSLv3 read client hello A (1) eap_peap: >>> send TLS 1.2 [length 0039] (1) eap_peap: TLS_accept: SSLv3 write server hello A (1) eap_peap: >>> send TLS 1.2 [length 08d3] (1) eap_peap: TLS_accept: SSLv3 write certificate A (1) eap_peap: >>> send TLS 1.2 [length 014d] (1) eap_peap: TLS_accept: SSLv3 write key exchange A (1) eap_peap: >>> send TLS 1.2 [length 0004] (1) eap_peap: TLS_accept: SSLv3 write server done A (1) eap_peap: TLS_accept: SSLv3 flush data (1) eap_peap: TLS_accept: SSLv3 read client certificate A (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (1) eap_peap: In SSL Handshake Phase (1) eap_peap: In SSL Accept mode (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 2 length 1004 (1) eap: EAP session adding &reply:State = 0x3bd334c23ad12d5a (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 192 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0 (1) EAP-Message = 0x010203ec19c000000a7116030300390200003503038fd7c9ffc7d69edac5f51c36f36bb4cd3683efff8a28e5db6b9b61ec4e4b534100c02f00000dff01000100000b00040300010216030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d01010b050030 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x3bd334c23ad12d5a464d9b22d2e35ffe (1) Proxy-State = 0x3637 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 219 from 192.168.70.15:18487 to 192.168.199.69:1812 length 376 (2) Acct-Session-Id = "5D1CA994-67A4B00F" (2) User-Name = "wifitestmac01" (2) NAS-IP-Address = 192.168.70.63 (2) NAS-Identifier = "ruckuscontroller" (2) NAS-Port = 1 (2) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass" (2) Calling-Station-Id = "24-FB-65-69-06-AF" (2) Location-Data = 0x31304445170a49542d53657276696365 (2) Service-Type = Framed-User (2) Chargeable-User-Identity = 0x00 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = "CONNECT 802.11a/n/ac" (2) EAP-Message = 0x020200061900 (2) State = 0x3bd334c23ad12d5a464d9b22d2e35ffe (2) Ruckus-SSID = "test-radius-user+pass" (2) Ruckus-BSSID = 0x34fa9ffa588e (2) Ruckus-Location = "IT-Service" (2) Ruckus-VLAN-ID = 1 (2) Ruckus-SCG-CBlade-IP = 3232253455 (2) Ruckus-Zone-Name = "Detmold" (2) Ruckus-Wlan-Name = "test-radius-user+pass" (2) Message-Authenticator = 0xb247f926b23e2510c40d16d6cff0ecab (2) Proxy-State = 0x3638 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { rlm_ldap (ldap): Reserved connection (2) (2) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}}) (2) ldap: --> (name=wifitestmac01) (2) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub" (2) ldap: Waiting for search result... (2) ldap: Search returned no results rlm_ldap (ldap): Released connection (2) Need 4 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap02.detmold.wortmann.com:50027 TLSMC: MozNSS compatibility interception begins. tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present. tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only. TLSMC: MozNSS compatibility interception ends. rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (2) [ldap] = notfound (2) policy group_authorization { (2) if (&Huntgroup-Name == "wo-byod") { (2) ERROR: Failed retrieving values required to evaluate condition (2) elsif (&Huntgroup-Name == "wo-secure") { (2) ERROR: Failed retrieving values required to evaluate condition (2) } # policy group_authorization = notfound (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) policy filter_password { (2) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (2) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (2) } # policy filter_password = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 2 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x3bd334c23ad12d5a (2) eap: Finished EAP session with state 0x3bd334c23ad12d5a (2) eap: Previous EAP request found for state 0x3bd334c23ad12d5a, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer ACKed our handshake fragment (2) eap_peap: [eaptls verify] = request (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 3 length 1000 (2) eap: EAP session adding &reply:State = 0x3bd334c239d02d5a (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 219 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0 (2) EAP-Message = 0x010303e8194091bfa579e2faf519ba55b78dda4a69f41a426f5e0c2c6f73a6b54147ba90603059eb0e91ad1221d42cb94f40b2d6f4bfd1026f390833e0d09c94696b1b5bef8a50f83b31b6fff4e1a20004e8308204e4308203cca003020102020900fcbb37b2469beea7300d06092a864886f70d01010b (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x3bd334c239d02d5a464d9b22d2e35ffe (2) Proxy-State = 0x3638 (2) Finished request Waking up in 4.8 seconds. (3) Received Access-Request Id 32 from 192.168.70.15:18487 to 192.168.199.69:1812 length 376 (3) Acct-Session-Id = "5D1CA994-67A4B00F" (3) User-Name = "wifitestmac01" (3) NAS-IP-Address = 192.168.70.63 (3) NAS-Identifier = "ruckuscontroller" (3) NAS-Port = 1 (3) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass" (3) Calling-Station-Id = "24-FB-65-69-06-AF" (3) Location-Data = 0x31304445170a49542d53657276696365 (3) Service-Type = Framed-User (3) Chargeable-User-Identity = 0x00 (3) NAS-Port-Type = Wireless-802.11 (3) Connect-Info = "CONNECT 802.11a/n/ac" (3) EAP-Message = 0x020300061900 (3) State = 0x3bd334c239d02d5a464d9b22d2e35ffe (3) Ruckus-SSID = "test-radius-user+pass" (3) Ruckus-BSSID = 0x34fa9ffa588e (3) Ruckus-Location = "IT-Service" (3) Ruckus-VLAN-ID = 1 (3) Ruckus-SCG-CBlade-IP = 3232253455 (3) Ruckus-Zone-Name = "Detmold" (3) Ruckus-Wlan-Name = "test-radius-user+pass" (3) Message-Authenticator = 0x987f2b5f4dace466c0f0b4acf02c3574 (3) Proxy-State = 0x3639 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { rlm_ldap (ldap): Reserved connection (3) (3) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}}) (3) ldap: --> (name=wifitestmac01) (3) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub" (3) ldap: Waiting for search result... (3) ldap: Search returned no results rlm_ldap (ldap): Released connection (3) (3) [ldap] = notfound (3) policy group_authorization { (3) if (&Huntgroup-Name == "wo-byod") { (3) ERROR: Failed retrieving values required to evaluate condition (3) elsif (&Huntgroup-Name == "wo-secure") { (3) ERROR: Failed retrieving values required to evaluate condition (3) } # policy group_authorization = notfound (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) policy filter_password { (3) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (3) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (3) } # policy filter_password = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 3 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x3bd334c239d02d5a (3) eap: Finished EAP session with state 0x3bd334c239d02d5a (3) eap: Previous EAP request found for state 0x3bd334c239d02d5a, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 4 length 691 (3) eap: EAP session adding &reply:State = 0x3bd334c238d72d5a (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) Sent Access-Challenge Id 32 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0 (3) EAP-Message = 0x010402b319000530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101009d2d36e5e65062434bce33d522f21aa5fc16f766f283a13b276fc9ebf7f118 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x3bd334c238d72d5a464d9b22d2e35ffe (3) Proxy-State = 0x3639 (3) Finished request Waking up in 4.7 seconds. (4) Received Access-Request Id 28 from 192.168.70.15:18487 to 192.168.199.69:1812 length 506 (4) Acct-Session-Id = "5D1CA994-67A4B00F" (4) User-Name = "wifitestmac01" (4) NAS-IP-Address = 192.168.70.63 (4) NAS-Identifier = "ruckuscontroller" (4) NAS-Port = 1 (4) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass" (4) Calling-Station-Id = "24-FB-65-69-06-AF" (4) Location-Data = 0x31304445170a49542d53657276696365 (4) Service-Type = Framed-User (4) Chargeable-User-Identity = 0x00 (4) NAS-Port-Type = Wireless-802.11 (4) Connect-Info = "CONNECT 802.11a/n/ac" (4) EAP-Message = 0x0204008819800000007e1603030046100000424104adbbc0a47dec1a64cf71dd948d1cc6eeb600228b9ec1c419b2931cb6742f75033ea0cfe3368b858b07feb235a1c46f8936048a0d55e2f87fb62156f1fedb985814030300010116030300280000000000000000ab71501664950b092c4c0b8b88170f (4) State = 0x3bd334c238d72d5a464d9b22d2e35ffe (4) Ruckus-SSID = "test-radius-user+pass" (4) Ruckus-BSSID = 0x34fa9ffa588e (4) Ruckus-Location = "IT-Service" (4) Ruckus-VLAN-ID = 1 (4) Ruckus-SCG-CBlade-IP = 3232253455 (4) Ruckus-Zone-Name = "Detmold" (4) Ruckus-Wlan-Name = "test-radius-user+pass" (4) Message-Authenticator = 0xaa7a33857a9cd2bd2a0a520d9b8229f1 (4) Proxy-State = 0x3730 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { rlm_ldap (ldap): Reserved connection (4) (4) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}}) (4) ldap: --> (name=wifitestmac01) (4) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub" (4) ldap: Waiting for search result... (4) ldap: Search returned no results rlm_ldap (ldap): Released connection (4) (4) [ldap] = notfound (4) policy group_authorization { (4) if (&Huntgroup-Name == "wo-byod") { (4) ERROR: Failed retrieving values required to evaluate condition (4) elsif (&Huntgroup-Name == "wo-secure") { (4) ERROR: Failed retrieving values required to evaluate condition (4) } # policy group_authorization = notfound (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) policy filter_password { (4) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (4) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (4) } # policy filter_password = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 4 length 136 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x3bd334c238d72d5a (4) eap: Finished EAP session with state 0x3bd334c238d72d5a (4) eap: Previous EAP request found for state 0x3bd334c238d72d5a, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 126 bytes (4) eap_peap: Got complete TLS record (126 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: <<< recv TLS 1.2 [length 0046] (4) eap_peap: TLS_accept: SSLv3 read client key exchange A (4) eap_peap: TLS_accept: SSLv3 read certificate verify A (4) eap_peap: <<< recv TLS 1.2 [length 0001] (4) eap_peap: <<< recv TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: SSLv3 read finished A (4) eap_peap: >>> send TLS 1.2 [length 0001] (4) eap_peap: TLS_accept: SSLv3 write change cipher spec A (4) eap_peap: >>> send TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: SSLv3 write finished A (4) eap_peap: TLS_accept: SSLv3 flush data (4) eap_peap: (other): SSL negotiation finished successfully (4) eap_peap: SSL Connection Established (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 5 length 57 (4) eap: EAP session adding &reply:State = 0x3bd334c23fd62d5a (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/raddb/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) Sent Access-Challenge Id 28 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0 (4) EAP-Message = 0x0105003919001403030001011603030028d5ec48bada42fbd160a0e9edd0eb49dfdd71efa906eeeeca879b4e3db15c178c51fb9fa222a5ed41 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x3bd334c23fd62d5a464d9b22d2e35ffe (4) Proxy-State = 0x3730 (4) Finished request Waking up in 4.6 seconds. (5) Received Access-Request Id 53 from 192.168.70.15:18487 to 192.168.199.69:1812 length 376 (5) Acct-Session-Id = "5D1CA994-67A4B00F" (5) User-Name = "wifitestmac01" (5) NAS-IP-Address = 192.168.70.63 (5) NAS-Identifier = "ruckuscontroller" (5) NAS-Port = 1 (5) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass" (5) Calling-Station-Id = "24-FB-65-69-06-AF" (5) Location-Data = 0x31304445170a49542d53657276696365 (5) Service-Type = Framed-User (5) Chargeable-User-Identity = 0x00 (5) NAS-Port-Type = Wireless-802.11 (5) Connect-Info = "CONNECT 802.11a/n/ac" (5) EAP-Message = 0x020500061900 (5) State = 0x3bd334c23fd62d5a464d9b22d2e35ffe (5) Ruckus-SSID = "test-radius-user+pass" (5) Ruckus-BSSID = 0x34fa9ffa588e (5) Ruckus-Location = "IT-Service" (5) Ruckus-VLAN-ID = 1 (5) Ruckus-SCG-CBlade-IP = 3232253455 (5) Ruckus-Zone-Name = "Detmold" (5) Ruckus-Wlan-Name = "test-radius-user+pass" (5) Message-Authenticator = 0x66edffe796ea4dd8ad07c9eb195678ba (5) Proxy-State = 0x3731 (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { rlm_ldap (ldap): Reserved connection (0) (5) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}}) (5) ldap: --> (name=wifitestmac01) (5) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub" (5) ldap: Waiting for search result... (5) ldap: Search returned no results rlm_ldap (ldap): Released connection (0) (5) [ldap] = notfound (5) policy group_authorization { (5) if (&Huntgroup-Name == "wo-byod") { (5) ERROR: Failed retrieving values required to evaluate condition (5) elsif (&Huntgroup-Name == "wo-secure") { (5) ERROR: Failed retrieving values required to evaluate condition (5) } # policy group_authorization = notfound (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) policy filter_password { (5) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (5) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (5) } # policy filter_password = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 5 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x3bd334c23fd62d5a (5) eap: Finished EAP session with state 0x3bd334c23fd62d5a (5) eap: Previous EAP request found for state 0x3bd334c23fd62d5a, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer ACKed our handshake fragment. handshake is finished (5) eap_peap: [eaptls verify] = success (5) eap_peap: [eaptls process] = success (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state TUNNEL ESTABLISHED (5) eap: Sending EAP Request (code 1) ID 6 length 40 (5) eap: EAP session adding &reply:State = 0x3bd334c23ed52d5a (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) Sent Access-Challenge Id 53 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0 (5) EAP-Message = 0x010600281900170303001dd5ec48bada42fbd2efc073480c7529e47c1add6cb4438a099c10325e70 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x3bd334c23ed52d5a464d9b22d2e35ffe (5) Proxy-State = 0x3731 (5) Finished request Waking up in 4.6 seconds. (6) Received Access-Request Id 156 from 192.168.70.15:18487 to 192.168.199.69:1812 length 419 (6) Acct-Session-Id = "5D1CA994-67A4B00F" (6) User-Name = "wifitestmac01" (6) NAS-IP-Address = 192.168.70.63 (6) NAS-Identifier = "ruckuscontroller" (6) NAS-Port = 1 (6) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass" (6) Calling-Station-Id = "24-FB-65-69-06-AF" (6) Location-Data = 0x31304445170a49542d53657276696365 (6) Service-Type = Framed-User (6) Chargeable-User-Identity = 0x00 (6) NAS-Port-Type = Wireless-802.11 (6) Connect-Info = "CONNECT 802.11a/n/ac" (6) EAP-Message = 0x020600311900170303002600000000000000015698d55ae694291d750d607613ec0078f789474257506b16b6bbfb645851 (6) State = 0x3bd334c23ed52d5a464d9b22d2e35ffe (6) Ruckus-SSID = "test-radius-user+pass" (6) Ruckus-BSSID = 0x34fa9ffa588e (6) Ruckus-Location = "IT-Service" (6) Ruckus-VLAN-ID = 1 (6) Ruckus-SCG-CBlade-IP = 3232253455 (6) Ruckus-Zone-Name = "Detmold" (6) Ruckus-Wlan-Name = "test-radius-user+pass" (6) Message-Authenticator = 0x34c64d7bfe181cdb376fcd5e5ddf54bc (6) Proxy-State = 0x3732 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { rlm_ldap (ldap): Reserved connection (5) (6) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}}) (6) ldap: --> (name=wifitestmac01) (6) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub" (6) ldap: Waiting for search result... (6) ldap: Search returned no results rlm_ldap (ldap): Released connection (5) (6) [ldap] = notfound (6) policy group_authorization { (6) if (&Huntgroup-Name == "wo-byod") { (6) ERROR: Failed retrieving values required to evaluate condition (6) elsif (&Huntgroup-Name == "wo-secure") { (6) ERROR: Failed retrieving values required to evaluate condition (6) } # policy group_authorization = notfound (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) policy filter_password { (6) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (6) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (6) } # policy filter_password = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 6 length 49 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x3bd334c23ed52d5a (6) eap: Finished EAP session with state 0x3bd334c23ed52d5a (6) eap: Previous EAP request found for state 0x3bd334c23ed52d5a, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY (6) eap_peap: Identity - wifitestmac01 (6) eap_peap: Got inner identity 'wifitestmac01' (6) eap_peap: Setting default EAP type for tunneled EAP session (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x020600120177696669746573746d61633031 (6) eap_peap: Setting User-Name to wifitestmac01 (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x020600120177696669746573746d61633031 (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "wifitestmac01" (6) eap_peap: Acct-Session-Id = "5D1CA994-67A4B00F" (6) eap_peap: NAS-IP-Address = 192.168.70.63 (6) eap_peap: NAS-Identifier = "ruckuscontroller" (6) eap_peap: NAS-Port = 1 (6) eap_peap: Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass" (6) eap_peap: Calling-Station-Id = "24-FB-65-69-06-AF" (6) eap_peap: Location-Data = 0x31304445170a49542d53657276696365 (6) eap_peap: Service-Type = Framed-User (6) eap_peap: Chargeable-User-Identity = 0x00 (6) eap_peap: NAS-Port-Type = Wireless-802.11 (6) eap_peap: Connect-Info = "CONNECT 802.11a/n/ac" (6) eap_peap: Ruckus-SSID = "test-radius-user+pass" (6) eap_peap: Ruckus-BSSID = 0x34fa9ffa588e (6) eap_peap: Ruckus-Location = "IT-Service" (6) eap_peap: Ruckus-VLAN-ID = 1 (6) eap_peap: Ruckus-SCG-CBlade-IP = 3232253455 (6) eap_peap: Ruckus-Zone-Name = "Detmold" (6) eap_peap: Ruckus-Wlan-Name = "test-radius-user+pass" (6) eap_peap: Event-Timestamp = "Jul 3 2019 15:11:54 CEST" (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x020600120177696669746573746d61633031 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "wifitestmac01" (6) Acct-Session-Id = "5D1CA994-67A4B00F" (6) NAS-IP-Address = 192.168.70.63 (6) NAS-Identifier = "ruckuscontroller" (6) NAS-Port = 1 (6) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass" (6) Calling-Station-Id = "24-FB-65-69-06-AF" (6) Location-Data = 0x31304445170a49542d53657276696365 (6) Service-Type = Framed-User (6) Chargeable-User-Identity = 0x00 (6) NAS-Port-Type = Wireless-802.11 (6) Connect-Info = "CONNECT 802.11a/n/ac" (6) Ruckus-SSID = "test-radius-user+pass" (6) Ruckus-BSSID = 0x34fa9ffa588e (6) Ruckus-Location = "IT-Service" (6) Ruckus-VLAN-ID = 1 (6) Ruckus-SCG-CBlade-IP = 3232253455 (6) Ruckus-Zone-Name = "Detmold" (6) Ruckus-Wlan-Name = "test-radius-user+pass" (6) Event-Timestamp = "Jul 3 2019 15:11:54 CEST" (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 6 length 18 (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Peer sent packet with method EAP Identity (1) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: Issuing Challenge (6) eap: Sending EAP Request (code 1) ID 7 length 43 (6) eap: EAP session adding &reply:State = 0x78a9799278ae6313 (6) [eap] = handled (6) } # authenticate = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) EAP-Message = 0x0107002b1a0107002610acc3fe6199de746d49fc93f49582fc03667265657261646975732d332e302e3133 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x78a9799278ae6313f359dd39dd5c9f11 (6) eap_peap: Got tunneled reply code 11 (6) eap_peap: EAP-Message = 0x0107002b1a0107002610acc3fe6199de746d49fc93f49582fc03667265657261646975732d332e302e3133 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x78a9799278ae6313f359dd39dd5c9f11 (6) eap_peap: Got tunneled reply RADIUS code 11 (6) eap_peap: EAP-Message = 0x0107002b1a0107002610acc3fe6199de746d49fc93f49582fc03667265657261646975732d332e302e3133 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x78a9799278ae6313f359dd39dd5c9f11 (6) eap_peap: Got tunneled Access-Challenge (6) eap: Sending EAP Request (code 1) ID 7 length 74 (6) eap: EAP session adding &reply:State = 0x3bd334c23dd42d5a (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/raddb/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) Sent Access-Challenge Id 156 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0 (6) EAP-Message = 0x0107004a1900170303003fd5ec48bada42fbd39481e9f00adb4e04c21da70a884fc7d37895cfdbd260a4aa2189d9d36c81ebc4a14d73b74ba2eb169b57fd36b0ecb4393df44715a4222e (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x3bd334c23dd42d5a464d9b22d2e35ffe (6) Proxy-State = 0x3732 (6) Finished request Waking up in 4.5 seconds. (7) Received Access-Request Id 35 from 192.168.70.15:18487 to 192.168.199.69:1812 length 473 (7) Acct-Session-Id = "5D1CA994-67A4B00F" (7) User-Name = "wifitestmac01" (7) NAS-IP-Address = 192.168.70.63 (7) NAS-Identifier = "ruckuscontroller" (7) NAS-Port = 1 (7) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass" (7) Calling-Station-Id = "24-FB-65-69-06-AF" (7) Location-Data = 0x31304445170a49542d53657276696365 (7) Service-Type = Framed-User (7) Chargeable-User-Identity = 0x00 (7) NAS-Port-Type = Wireless-802.11 (7) Connect-Info = "CONNECT 802.11a/n/ac" (7) EAP-Message = 0x020700671900170303005c000000000000000260bd309024ce07ecc1dd6fb714cd4aab28a634e3636effeb72f8162068747c873ba798f59a4cd64c069ba2159698e14743104d45d20c019e727efc75fdac7624b0b06f869e8bc2cfc1cc6cfd33ed977ae6015649 (7) State = 0x3bd334c23dd42d5a464d9b22d2e35ffe (7) Ruckus-SSID = "test-radius-user+pass" (7) Ruckus-BSSID = 0x34fa9ffa588e (7) Ruckus-Location = "IT-Service" (7) Ruckus-VLAN-ID = 1 (7) Ruckus-SCG-CBlade-IP = 3232253455 (7) Ruckus-Zone-Name = "Detmold" (7) Ruckus-Wlan-Name = "test-radius-user+pass" (7) Message-Authenticator = 0x3b507e4e852475a8216cc0c453588426 (7) Proxy-State = 0x3733 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { rlm_ldap (ldap): Reserved connection (1) (7) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}}) (7) ldap: --> (name=wifitestmac01) (7) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub" (7) ldap: Waiting for search result... (7) ldap: Search returned no results rlm_ldap (ldap): Released connection (1) (7) [ldap] = notfound (7) policy group_authorization { (7) if (&Huntgroup-Name == "wo-byod") { (7) ERROR: Failed retrieving values required to evaluate condition (7) elsif (&Huntgroup-Name == "wo-secure") { (7) ERROR: Failed retrieving values required to evaluate condition (7) } # policy group_authorization = notfound (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) policy filter_password { (7) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (7) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (7) } # policy filter_password = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 7 length 103 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x78a9799278ae6313 (7) eap: Finished EAP session with state 0x3bd334c23dd42d5a (7) eap: Previous EAP request found for state 0x3bd334c23dd42d5a, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP method MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x020700481a0207004331511e472c9167eed5163063c100f421e70000000000000000f82f405055c2818c487d7d078bd9aafccf93e2e4db9c11f60077696669746573746d61633031 (7) eap_peap: Setting User-Name to wifitestmac01 (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x020700481a0207004331511e472c9167eed5163063c100f421e70000000000000000f82f405055c2818c487d7d078bd9aafccf93e2e4db9c11f60077696669746573746d61633031 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "wifitestmac01" (7) eap_peap: State = 0x78a9799278ae6313f359dd39dd5c9f11 (7) eap_peap: Acct-Session-Id = "5D1CA994-67A4B00F" (7) eap_peap: NAS-IP-Address = 192.168.70.63 (7) eap_peap: NAS-Identifier = "ruckuscontroller" (7) eap_peap: NAS-Port = 1 (7) eap_peap: Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass" (7) eap_peap: Calling-Station-Id = "24-FB-65-69-06-AF" (7) eap_peap: Location-Data = 0x31304445170a49542d53657276696365 (7) eap_peap: Service-Type = Framed-User (7) eap_peap: Chargeable-User-Identity = 0x00 (7) eap_peap: NAS-Port-Type = Wireless-802.11 (7) eap_peap: Connect-Info = "CONNECT 802.11a/n/ac" (7) eap_peap: Ruckus-SSID = "test-radius-user+pass" (7) eap_peap: Ruckus-BSSID = 0x34fa9ffa588e (7) eap_peap: Ruckus-Location = "IT-Service" (7) eap_peap: Ruckus-VLAN-ID = 1 (7) eap_peap: Ruckus-SCG-CBlade-IP = 3232253455 (7) eap_peap: Ruckus-Zone-Name = "Detmold" (7) eap_peap: Ruckus-Wlan-Name = "test-radius-user+pass" (7) eap_peap: Event-Timestamp = "Jul 3 2019 15:11:54 CEST" (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x020700481a0207004331511e472c9167eed5163063c100f421e70000000000000000f82f405055c2818c487d7d078bd9aafccf93e2e4db9c11f60077696669746573746d61633031 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "wifitestmac01" (7) State = 0x78a9799278ae6313f359dd39dd5c9f11 (7) Acct-Session-Id = "5D1CA994-67A4B00F" (7) NAS-IP-Address = 192.168.70.63 (7) NAS-Identifier = "ruckuscontroller" (7) NAS-Port = 1 (7) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass" (7) Calling-Station-Id = "24-FB-65-69-06-AF" (7) Location-Data = 0x31304445170a49542d53657276696365 (7) Service-Type = Framed-User (7) Chargeable-User-Identity = 0x00 (7) NAS-Port-Type = Wireless-802.11 (7) Connect-Info = "CONNECT 802.11a/n/ac" (7) Ruckus-SSID = "test-radius-user+pass" (7) Ruckus-BSSID = 0x34fa9ffa588e (7) Ruckus-Location = "IT-Service" (7) Ruckus-VLAN-ID = 1 (7) Ruckus-SCG-CBlade-IP = 3232253455 (7) Ruckus-Zone-Name = "Detmold" (7) Ruckus-Wlan-Name = "test-radius-user+pass" (7) Event-Timestamp = "Jul 3 2019 15:11:54 CEST" (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 7 length 72 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop (7) sql: EXPAND %{User-Name} (7) sql: --> wifitestmac01 (7) sql: SQL-User-Name set to 'wifitestmac01' rlm_sql (sql): Reserved connection (1) (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id (7) sql: User found in radcheck table (7) sql: Conditional check items matched, merging assignment check items (7) sql: Cleartext-Password := "tester555" (7) sql: MS-CHAP-Use-NTLM-Auth := No (7) sql: Calling-Station-Id := "24-FB-65-69-06-AF" (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id (7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority (7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority (7) sql: User found in the group table (7) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (7) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id (7) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id (7) sql: Group "wifi_wo-secure": Conditional check items matched (7) sql: Group "wifi_wo-secure": Merging assignment check items (7) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (7) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id (7) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id (7) sql: Group "wifi_wo-secure": Merging reply items (7) sql: Huntgroup-Name := "wo-secure" rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.40-MariaDB, protocol version 10 (7) [sql] = ok (7) [expiration] = noop (7) [logintime] = noop (7) pap: WARNING: Auth-Type already set. Not setting to PAP (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0x78a9799278ae6313 (7) eap: Finished EAP session with state 0x78a9799278ae6313 (7) eap: Previous EAP request found for state 0x78a9799278ae6313, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) eap_mschapv2: authenticate { (7) mschap: Found Cleartext-Password, hashing to create NT-Password (7) mschap: Found Cleartext-Password, hashing to create LM-Password (7) mschap: Creating challenge hash with username: wifitestmac01 (7) mschap: Client is using MS-CHAPv2 (7) mschap: Adding MS-CHAPv2 MPPE keys (7) [mschap] = ok (7) } # authenticate = ok (7) MSCHAP Success (7) eap: Sending EAP Request (code 1) ID 8 length 51 (7) eap: EAP session adding &reply:State = 0x78a9799279a16313 (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) Huntgroup-Name = "wo-secure" (7) EAP-Message = 0x010800331a0307002e533d41423746314439413946443643463639353932453639354141353944454243424636423533383944 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x78a9799279a16313f359dd39dd5c9f11 (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: Huntgroup-Name = "wo-secure" (7) eap_peap: EAP-Message = 0x010800331a0307002e533d41423746314439413946443643463639353932453639354141353944454243424636423533383944 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x78a9799279a16313f359dd39dd5c9f11 (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: Huntgroup-Name = "wo-secure" (7) eap_peap: EAP-Message = 0x010800331a0307002e533d41423746314439413946443643463639353932453639354141353944454243424636423533383944 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x78a9799279a16313f359dd39dd5c9f11 (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 8 length 82 (7) eap: EAP session adding &reply:State = 0x3bd334c23cdb2d5a (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/raddb/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) Sent Access-Challenge Id 35 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0 (7) EAP-Message = 0x0108005219001703030047d5ec48bada42fbd4a02ea88aa51ecde0431fc6ac9846f7c0bc036ed64ec4a3c3a48c11c16ba8cdeed9c4ac5890895c8591ac992d69a16fc27bc54f573dc888eb7d087f53f723fd (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x3bd334c23cdb2d5a464d9b22d2e35ffe (7) Proxy-State = 0x3733 (7) Finished request Waking up in 4.5 seconds. (8) Received Access-Request Id 62 from 192.168.70.15:18487 to 192.168.199.69:1812 length 407 (8) Acct-Session-Id = "5D1CA994-67A4B00F" (8) User-Name = "wifitestmac01" (8) NAS-IP-Address = 192.168.70.63 (8) NAS-Identifier = "ruckuscontroller" (8) NAS-Port = 1 (8) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass" (8) Calling-Station-Id = "24-FB-65-69-06-AF" (8) Location-Data = 0x31304445170a49542d53657276696365 (8) Service-Type = Framed-User (8) Chargeable-User-Identity = 0x00 (8) NAS-Port-Type = Wireless-802.11 (8) Connect-Info = "CONNECT 802.11a/n/ac" (8) EAP-Message = 0x020800251900170303001a0000000000000003559b9229317f3155d7720c582345c83dac3f (8) State = 0x3bd334c23cdb2d5a464d9b22d2e35ffe (8) Ruckus-SSID = "test-radius-user+pass" (8) Ruckus-BSSID = 0x34fa9ffa588e (8) Ruckus-Location = "IT-Service" (8) Ruckus-VLAN-ID = 1 (8) Ruckus-SCG-CBlade-IP = 3232253455 (8) Ruckus-Zone-Name = "Detmold" (8) Ruckus-Wlan-Name = "test-radius-user+pass" (8) Message-Authenticator = 0x1990281948930e08ef66d420ea1928c8 (8) Proxy-State = 0x3734 (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/default (8) authorize { rlm_ldap (ldap): Reserved connection (2) (8) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (name=wifitestmac01) (8) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub" (8) ldap: Waiting for search result... (8) ldap: Search returned no results rlm_ldap (ldap): Released connection (2) (8) [ldap] = notfound (8) policy group_authorization { (8) if (&Huntgroup-Name == "wo-byod") { (8) ERROR: Failed retrieving values required to evaluate condition (8) elsif (&Huntgroup-Name == "wo-secure") { (8) ERROR: Failed retrieving values required to evaluate condition (8) } # policy group_authorization = notfound (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) policy filter_password { (8) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (8) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (8) } # policy filter_password = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 8 length 37 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x78a9799279a16313 (8) eap: Finished EAP session with state 0x3bd334c23cdb2d5a (8) eap: Previous EAP request found for state 0x3bd334c23cdb2d5a, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x020800061a03 (8) eap_peap: Setting User-Name to wifitestmac01 (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x020800061a03 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "wifitestmac01" (8) eap_peap: State = 0x78a9799279a16313f359dd39dd5c9f11 (8) eap_peap: Acct-Session-Id = "5D1CA994-67A4B00F" (8) eap_peap: NAS-IP-Address = 192.168.70.63 (8) eap_peap: NAS-Identifier = "ruckuscontroller" (8) eap_peap: NAS-Port = 1 (8) eap_peap: Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass" (8) eap_peap: Calling-Station-Id = "24-FB-65-69-06-AF" (8) eap_peap: Location-Data = 0x31304445170a49542d53657276696365 (8) eap_peap: Service-Type = Framed-User (8) eap_peap: Chargeable-User-Identity = 0x00 (8) eap_peap: NAS-Port-Type = Wireless-802.11 (8) eap_peap: Connect-Info = "CONNECT 802.11a/n/ac" (8) eap_peap: Ruckus-SSID = "test-radius-user+pass" (8) eap_peap: Ruckus-BSSID = 0x34fa9ffa588e (8) eap_peap: Ruckus-Location = "IT-Service" (8) eap_peap: Ruckus-VLAN-ID = 1 (8) eap_peap: Ruckus-SCG-CBlade-IP = 3232253455 (8) eap_peap: Ruckus-Zone-Name = "Detmold" (8) eap_peap: Ruckus-Wlan-Name = "test-radius-user+pass" (8) eap_peap: Event-Timestamp = "Jul 3 2019 15:11:54 CEST" (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x020800061a03 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "wifitestmac01" (8) State = 0x78a9799279a16313f359dd39dd5c9f11 (8) Acct-Session-Id = "5D1CA994-67A4B00F" (8) NAS-IP-Address = 192.168.70.63 (8) NAS-Identifier = "ruckuscontroller" (8) NAS-Port = 1 (8) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass" (8) Calling-Station-Id = "24-FB-65-69-06-AF" (8) Location-Data = 0x31304445170a49542d53657276696365 (8) Service-Type = Framed-User (8) Chargeable-User-Identity = 0x00 (8) NAS-Port-Type = Wireless-802.11 (8) Connect-Info = "CONNECT 802.11a/n/ac" (8) Ruckus-SSID = "test-radius-user+pass" (8) Ruckus-BSSID = 0x34fa9ffa588e (8) Ruckus-Location = "IT-Service" (8) Ruckus-VLAN-ID = 1 (8) Ruckus-SCG-CBlade-IP = 3232253455 (8) Ruckus-Zone-Name = "Detmold" (8) Ruckus-Wlan-Name = "test-radius-user+pass" (8) Event-Timestamp = "Jul 3 2019 15:11:54 CEST" (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 8 length 6 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop (8) sql: EXPAND %{User-Name} (8) sql: --> wifitestmac01 (8) sql: SQL-User-Name set to 'wifitestmac01' rlm_sql (sql): Reserved connection (2) (8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (8) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id (8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id (8) sql: User found in radcheck table (8) sql: Conditional check items matched, merging assignment check items (8) sql: Cleartext-Password := "tester555" (8) sql: MS-CHAP-Use-NTLM-Auth := No (8) sql: Calling-Station-Id := "24-FB-65-69-06-AF" (8) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (8) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id (8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id (8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (8) sql: --> SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority (8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority (8) sql: User found in the group table (8) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (8) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id (8) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id (8) sql: Group "wifi_wo-secure": Conditional check items matched (8) sql: Group "wifi_wo-secure": Merging assignment check items (8) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (8) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id (8) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id (8) sql: Group "wifi_wo-secure": Merging reply items (8) sql: Huntgroup-Name := "wo-secure" rlm_sql (sql): Released connection (2) (8) [sql] = ok (8) [expiration] = noop (8) [logintime] = noop (8) pap: WARNING: Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0x78a9799279a16313 (8) eap: Finished EAP session with state 0x78a9799279a16313 (8) eap: Previous EAP request found for state 0x78a9799279a16313, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap: Sending EAP Success (code 3) ID 8 length 4 (8) eap: Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (8) post-auth { (8) sql: EXPAND .query (8) sql: --> .query (8) sql: Using query template 'query' rlm_sql (sql): Reserved connection (3) (8) sql: EXPAND %{User-Name} (8) sql: --> wifitestmac01 (8) sql: SQL-User-Name set to 'wifitestmac01' (8) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (8) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.476885') (8) sql: EXPAND /var/log/radius/sqllog.sql (8) sql: --> /var/log/radius/sqllog.sql (8) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.476885') (8) sql: SQL query returned: success (8) sql: 1 record(s) updated rlm_sql (sql): Released connection (3) (8) [sql] = ok (8) if (0) { (8) if (0) -> FALSE (8) } # post-auth = ok (8) } # server inner-tunnel (8) Virtual server sending reply (8) Huntgroup-Name = "wo-secure" (8) MS-MPPE-Encryption-Policy = Encryption-Allowed (8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) MS-MPPE-Send-Key = 0x09649f4423192a6d5709c19fe5125d4a (8) MS-MPPE-Recv-Key = 0x6a4b0cefe1f26056c755aaa5f734ce7c (8) EAP-Message = 0x03080004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) User-Name = "wifitestmac01" (8) eap_peap: Got tunneled reply code 2 (8) eap_peap: Huntgroup-Name = "wo-secure" (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) eap_peap: MS-MPPE-Send-Key = 0x09649f4423192a6d5709c19fe5125d4a (8) eap_peap: MS-MPPE-Recv-Key = 0x6a4b0cefe1f26056c755aaa5f734ce7c (8) eap_peap: EAP-Message = 0x03080004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: User-Name = "wifitestmac01" (8) eap_peap: Got tunneled reply RADIUS code 2 (8) eap_peap: Huntgroup-Name = "wo-secure" (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) eap_peap: MS-MPPE-Send-Key = 0x09649f4423192a6d5709c19fe5125d4a (8) eap_peap: MS-MPPE-Recv-Key = 0x6a4b0cefe1f26056c755aaa5f734ce7c (8) eap_peap: EAP-Message = 0x03080004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: User-Name = "wifitestmac01" (8) eap_peap: Tunneled authentication was successful (8) eap_peap: SUCCESS (8) eap: Sending EAP Request (code 1) ID 9 length 46 (8) eap: EAP session adding &reply:State = 0x3bd334c233da2d5a (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) # Executing group from file /etc/raddb/sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) Sent Access-Challenge Id 62 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0 (8) EAP-Message = 0x0109002e19001703030023d5ec48bada42fbd57360d536a83db35fd6aa4c397ac57dc6b063543e6a7988551a9ecf (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x3bd334c233da2d5a464d9b22d2e35ffe (8) Proxy-State = 0x3734 (8) Finished request Waking up in 4.4 seconds. (9) Received Access-Request Id 148 from 192.168.70.15:18487 to 192.168.199.69:1812 length 416 (9) Acct-Session-Id = "5D1CA994-67A4B00F" (9) User-Name = "wifitestmac01" (9) NAS-IP-Address = 192.168.70.63 (9) NAS-Identifier = "ruckuscontroller" (9) NAS-Port = 1 (9) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass" (9) Calling-Station-Id = "24-FB-65-69-06-AF" (9) Location-Data = 0x31304445170a49542d53657276696365 (9) Service-Type = Framed-User (9) Chargeable-User-Identity = 0x00 (9) NAS-Port-Type = Wireless-802.11 (9) Connect-Info = "CONNECT 802.11a/n/ac" (9) EAP-Message = 0x0209002e190017030300230000000000000004e71ecbff60c571603fd792638be1058058177b3ddab992ee20e458 (9) State = 0x3bd334c233da2d5a464d9b22d2e35ffe (9) Ruckus-SSID = "test-radius-user+pass" (9) Ruckus-BSSID = 0x34fa9ffa588e (9) Ruckus-Location = "IT-Service" (9) Ruckus-VLAN-ID = 1 (9) Ruckus-SCG-CBlade-IP = 3232253455 (9) Ruckus-Zone-Name = "Detmold" (9) Ruckus-Wlan-Name = "test-radius-user+pass" (9) Message-Authenticator = 0x162c711631dc2d5883505d06283cda48 (9) Proxy-State = 0x3735 (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { rlm_ldap (ldap): Reserved connection (6) (9) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}}) (9) ldap: --> (name=wifitestmac01) (9) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub" (9) ldap: Waiting for search result... (9) ldap: Search returned no results rlm_ldap (ldap): Released connection (6) (9) [ldap] = notfound (9) policy group_authorization { (9) if (&Huntgroup-Name == "wo-byod") { (9) ERROR: Failed retrieving values required to evaluate condition (9) elsif (&Huntgroup-Name == "wo-secure") { (9) ERROR: Failed retrieving values required to evaluate condition (9) } # policy group_authorization = notfound (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) policy filter_password { (9) if (&User-Password && (&User-Password != "%{string:User-Password}")) { (9) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE (9) } # policy filter_password = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 9 length 46 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x3bd334c233da2d5a (9) eap: Finished EAP session with state 0x3bd334c233da2d5a (9) eap: Previous EAP request found for state 0x3bd334c233da2d5a, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv success (9) eap_peap: Received EAP-TLV response (9) eap_peap: Success (9) eap: Sending EAP Success (code 3) ID 9 length 4 (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /etc/raddb/sites-enabled/default (9) post-auth { (9) update { (9) No attributes updated (9) } # update = noop (9) sql: EXPAND .query (9) sql: --> .query (9) sql: Using query template 'query' rlm_sql (sql): Reserved connection (4) (9) sql: EXPAND %{User-Name} (9) sql: --> wifitestmac01 (9) sql: SQL-User-Name set to 'wifitestmac01' (9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (9) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.531951') (9) sql: EXPAND /var/log/radius/sqllog.sql (9) sql: --> /var/log/radius/sqllog.sql (9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.531951') (9) sql: SQL query returned: success (9) sql: 1 record(s) updated rlm_sql (sql): Released connection (4) (9) [sql] = ok (9) [exec] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # post-auth = ok (9) Sent Access-Accept Id 148 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0 (9) MS-MPPE-Recv-Key = 0xa63d5b43df19ab6338895fc4f40050e4990bc4207f4412edceb938cf1fcadd3e (9) MS-MPPE-Send-Key = 0x29dabf22b9bda920c708becdd0886e0a8216f4d5881268045a296076fd901b90 (9) EAP-Message = 0x03090004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) User-Name = "wifitestmac01" (9) Proxy-State = 0x3735 (9) Finished request Waking up in 4.4 seconds. (0) Cleaning up request packet ID 118 with timestamp +48