Hey Alan, sorry for the trouble. I want debug the script like you told me in your first response so I looked into the documentation https://wiki.freeradius.org/modules/Rlm_perl However it seems that my freeradius is not built because I can't find any rlm_perl file. My version of freeradius is "FreeRADIUS Version 3.0.16, for host x86_64-pc-linux-gnu, built on Apr 17 2019" can you guide me into setting the debug for the script? Another question: In the tutorial there is no need to create any users in the users file, however I've seen people setting Auth-Type there, I have only modified the perl, default, and inner-tunnel files. Is it necessary to use Auth-Type in the users file if the authentication info is in the default and inner-tunel files? This is the debug I get when adding "DEFAULT Auth-type := perl" into the users file (0) Received Access-Request Id 225 from 192.168.128.34:39135 to 146.83.124.26:1812 length 401 (0) User-Name = "wifi@ucn.cl" (0) NAS-IP-Address = 192.168.128.34 (0) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) NAS-Port = 1 (0) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (0) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 57 / Channel: 6" (0) Acct-Session-Id = "4A25A54837C27AEE" (0) Acct-Multi-Session-Id = "9B376A4223EDB7C1" (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027074 (0) WLAN-AKM-Suite = 1027073 (0) WLAN-Group-Mgmt-Cipher = 1027078 (0) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (0) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (0) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (0) Meraki-Device-Name = "AP-V1-Soporte" (0) Framed-MTU = 1400 (0) EAP-Message = 0x0232001001776966694075636e2e636c (0) Message-Authenticator = 0xa68c411d72591cae60941b92339cdc75 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (0) suffix: No such realm "ucn.cl" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 50 length 16 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 51 length 6 (0) eap: EAP session adding &reply:State = 0xbe3287d8be019e17 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 225 from 146.83.124.26:1812 to 192.168.128.34:39135 length 0 (0) EAP-Message = 0x013300061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xbe3287d8be019e17d53d25d4ed3e92cc (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 226 from 192.168.128.34:39135 to 146.83.124.26:1812 length 569 (1) User-Name = "wifi@ucn.cl" (1) NAS-IP-Address = 192.168.128.34 (1) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) NAS-Port = 1 (1) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (1) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 56 / Channel: 6" (1) Acct-Session-Id = "4A25A54837C27AEE" (1) Acct-Multi-Session-Id = "9B376A4223EDB7C1" (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027074 (1) WLAN-AKM-Suite = 1027073 (1) WLAN-Group-Mgmt-Cipher = 1027078 (1) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (1) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (1) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (1) Meraki-Device-Name = "AP-V1-Soporte" (1) Framed-MTU = 1400 (1) EAP-Message = 0x023300a619800000009c16030300970100009303035f6fd5a116236c3ad072cab86c6633e80c2cba2d3eba041ca77f9969d4cd27f200002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d (1) State = 0xbe3287d8be019e17d53d25d4ed3e92cc (1) Message-Authenticator = 0x70b430c44dc0223eeffbf4a461feaa1e (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (1) suffix: No such realm "ucn.cl" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 51 length 166 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xbe3287d8be019e17 (1) eap: Finished EAP session with state 0xbe3287d8be019e17 (1) eap: Previous EAP request found for state 0xbe3287d8be019e17, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 156 bytes (1) eap_peap: Got complete TLS record (156 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before SSL initialization (1) eap_peap: TLS_accept: before SSL initialization (1) eap_peap: TLS_accept: before SSL initialization (1) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0097] (1) eap_peap: TLS_accept: SSLv3/TLS read client hello (1) eap_peap: >>> send TLS 1.2 [length 003d] (1) eap_peap: TLS_accept: SSLv3/TLS write server hello (1) eap_peap: >>> send TLS 1.2 [length 0302] (1) eap_peap: TLS_accept: SSLv3/TLS write certificate (1) eap_peap: >>> send TLS 1.2 [length 014d] (1) eap_peap: TLS_accept: SSLv3/TLS write key exchange (1) eap_peap: >>> send TLS 1.2 [length 0004] (1) eap_peap: TLS_accept: SSLv3/TLS write server done (1) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (1) eap_peap: In SSL Handshake Phase (1) eap_peap: In SSL Accept mode (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 52 length 1004 (1) eap: EAP session adding &reply:State = 0xbe3287d8bf069e17 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 226 from 146.83.124.26:1812 to 192.168.128.34:39135 length 0 (1) EAP-Message = 0x013403ec19c0000004a4160303003d0200003903036e154e4915de52516c17cf408a06f99a670a3b50aac05c6f3b26df830701bf2c00c030000011ff01000100000b0004030001020017000016030303020b0002fe0002fb0002f8308202f4308201dca00302010202147b86828007dd65cd4945e2b1e8 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xbe3287d8bf069e17d53d25d4ed3e92cc (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 227 from 192.168.128.34:39135 to 146.83.124.26:1812 length 409 (2) User-Name = "wifi@ucn.cl" (2) NAS-IP-Address = 192.168.128.34 (2) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) NAS-Port = 1 (2) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (2) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 59 / Channel: 6" (2) Acct-Session-Id = "4A25A54837C27AEE" (2) Acct-Multi-Session-Id = "9B376A4223EDB7C1" (2) WLAN-Pairwise-Cipher = 1027076 (2) WLAN-Group-Cipher = 1027074 (2) WLAN-AKM-Suite = 1027073 (2) WLAN-Group-Mgmt-Cipher = 1027078 (2) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (2) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (2) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (2) Meraki-Device-Name = "AP-V1-Soporte" (2) Framed-MTU = 1400 (2) EAP-Message = 0x023400061900 (2) State = 0xbe3287d8bf069e17d53d25d4ed3e92cc (2) Message-Authenticator = 0x11562e7bdea56d1ebfa5b1f7e9946f40 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (2) suffix: No such realm "ucn.cl" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 52 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xbe3287d8bf069e17 (2) eap: Finished EAP session with state 0xbe3287d8bf069e17 (2) eap: Previous EAP request found for state 0xbe3287d8bf069e17, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer ACKed our handshake fragment (2) eap_peap: [eaptls verify] = request (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 53 length 200 (2) eap: EAP session adding &reply:State = 0xbe3287d8bc079e17 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 227 from 146.83.124.26:1812 to 192.168.128.34:39135 length 0 (2) EAP-Message = 0x013500c81900b2537e36e34bbfd41cd623e11161bfd195e26f3e2661034c829b88a36d4db03012a40148fadc35efeceb571d964395e934ff1ee1749a8229793c8b0d4384ffff3a24ba3695143ba88ed57bdfd5fd522f63bed37b4c208e75a34a25046dd018cb9ed62f9f63e041b5653a461561831fb272 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xbe3287d8bc079e17d53d25d4ed3e92cc (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 228 from 192.168.128.34:39135 to 146.83.124.26:1812 length 539 (3) User-Name = "wifi@ucn.cl" (3) NAS-IP-Address = 192.168.128.34 (3) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) NAS-Port = 1 (3) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (3) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 57 / Channel: 6" (3) Acct-Session-Id = "4A25A54837C27AEE" (3) Acct-Multi-Session-Id = "9B376A4223EDB7C1" (3) WLAN-Pairwise-Cipher = 1027076 (3) WLAN-Group-Cipher = 1027074 (3) WLAN-AKM-Suite = 1027073 (3) WLAN-Group-Mgmt-Cipher = 1027078 (3) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (3) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (3) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (3) Meraki-Device-Name = "AP-V1-Soporte" (3) Framed-MTU = 1400 (3) EAP-Message = 0x0235008819800000007e16030300461000004241042307a597b9b273cc233709636cd0447db7d4b086714adef8bc57ec2b3da45d9d99f0a36a6cf2a176c210ac8f84f318c6d44b2eb732e2e0ef61b643976781423b140303000101160303002800000000000000009b5cb21b65da785cc3e452846f5d6d (3) State = 0xbe3287d8bc079e17d53d25d4ed3e92cc (3) Message-Authenticator = 0x99034d2bc046457d261c411dd34b5786 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (3) suffix: No such realm "ucn.cl" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 53 length 136 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xbe3287d8bc079e17 (3) eap: Finished EAP session with state 0xbe3287d8bc079e17 (3) eap: Previous EAP request found for state 0xbe3287d8bc079e17, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer indicated complete TLS record size will be 126 bytes (3) eap_peap: Got complete TLS record (126 bytes) (3) eap_peap: [eaptls verify] = length included (3) eap_peap: TLS_accept: SSLv3/TLS write server done (3) eap_peap: <<< recv TLS 1.2 [length 0046] (3) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (3) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (3) eap_peap: <<< recv TLS 1.2 [length 0010] (3) eap_peap: TLS_accept: SSLv3/TLS read finished (3) eap_peap: >>> send TLS 1.2 [length 0001] (3) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (3) eap_peap: >>> send TLS 1.2 [length 0010] (3) eap_peap: TLS_accept: SSLv3/TLS write finished (3) eap_peap: (other): SSL negotiation finished successfully (3) eap_peap: SSL Connection Established (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 54 length 57 (3) eap: EAP session adding &reply:State = 0xbe3287d8bd049e17 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) Sent Access-Challenge Id 228 from 146.83.124.26:1812 to 192.168.128.34:39135 length 0 (3) EAP-Message = 0x01360039190014030300010116030300288c3e77d5349c8e2f62583af5d783453bd16b6336af7f7e0587def2bff8fc8b5a76218d2a98dbc262 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xbe3287d8bd049e17d53d25d4ed3e92cc (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 229 from 192.168.128.34:39135 to 146.83.124.26:1812 length 409 (4) User-Name = "wifi@ucn.cl" (4) NAS-IP-Address = 192.168.128.34 (4) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) NAS-Port = 1 (4) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (4) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 57 / Channel: 6" (4) Acct-Session-Id = "4A25A54837C27AEE" (4) Acct-Multi-Session-Id = "9B376A4223EDB7C1" (4) WLAN-Pairwise-Cipher = 1027076 (4) WLAN-Group-Cipher = 1027074 (4) WLAN-AKM-Suite = 1027073 (4) WLAN-Group-Mgmt-Cipher = 1027078 (4) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (4) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (4) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (4) Meraki-Device-Name = "AP-V1-Soporte" (4) Framed-MTU = 1400 (4) EAP-Message = 0x023600061900 (4) State = 0xbe3287d8bd049e17d53d25d4ed3e92cc (4) Message-Authenticator = 0xf250133722573b7d77212ef09bf6e652 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (4) suffix: No such realm "ucn.cl" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 54 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xbe3287d8bd049e17 (4) eap: Finished EAP session with state 0xbe3287d8bd049e17 (4) eap: Previous EAP request found for state 0xbe3287d8bd049e17, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer ACKed our handshake fragment. handshake is finished (4) eap_peap: [eaptls verify] = success (4) eap_peap: [eaptls process] = success (4) eap_peap: Session established. Decoding tunneled attributes (4) eap_peap: PEAP state TUNNEL ESTABLISHED (4) eap: Sending EAP Request (code 1) ID 55 length 40 (4) eap: EAP session adding &reply:State = 0xbe3287d8ba059e17 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) Sent Access-Challenge Id 229 from 146.83.124.26:1812 to 192.168.128.34:39135 length 0 (4) EAP-Message = 0x013700281900170303001d8c3e77d5349c8e30345da27aa3b6e6d3b8fe3fbc34b91bf7b09188991a (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xbe3287d8ba059e17d53d25d4ed3e92cc (4) Finished request Waking up in 3.1 seconds. (5) Received Access-Request Id 230 from 192.168.128.34:39135 to 146.83.124.26:1812 length 450 (5) User-Name = "wifi@ucn.cl" (5) NAS-IP-Address = 192.168.128.34 (5) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) NAS-Port = 1 (5) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (5) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 59 / Channel: 6" (5) Acct-Session-Id = "4A25A54837C27AEE" (5) Acct-Multi-Session-Id = "9B376A4223EDB7C1" (5) WLAN-Pairwise-Cipher = 1027076 (5) WLAN-Group-Cipher = 1027074 (5) WLAN-AKM-Suite = 1027073 (5) WLAN-Group-Mgmt-Cipher = 1027078 (5) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (5) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (5) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (5) Meraki-Device-Name = "AP-V1-Soporte" (5) Framed-MTU = 1400 (5) EAP-Message = 0x0237002f1900170303002400000000000000018f6ecdd91239f55b54a3fbb836f085dd9caf7ae762026cd9f0cdebea (5) State = 0xbe3287d8ba059e17d53d25d4ed3e92cc (5) Message-Authenticator = 0xd31ccd03124e30195bf3561cbdb7819d (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (5) suffix: No such realm "ucn.cl" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 55 length 47 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xbe3287d8ba059e17 (5) eap: Finished EAP session with state 0xbe3287d8ba059e17 (5) eap: Previous EAP request found for state 0xbe3287d8ba059e17, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: [eaptls verify] = ok (5) eap_peap: Done initial handshake (5) eap_peap: [eaptls process] = ok (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state WAITING FOR INNER IDENTITY (5) eap_peap: Identity - wifi@ucn.cl (5) eap_peap: Got inner identity 'wifi@ucn.cl' (5) eap_peap: Setting default EAP type for tunneled EAP session (5) eap_peap: Got tunneled request (5) eap_peap: EAP-Message = 0x0237001001776966694075636e2e636c (5) eap_peap: Setting User-Name to wifi@ucn.cl (5) eap_peap: Sending tunneled request to inner-tunnel (5) eap_peap: EAP-Message = 0x0237001001776966694075636e2e636c (5) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (5) eap_peap: User-Name = "wifi@ucn.cl" (5) Virtual server inner-tunnel received request (5) EAP-Message = 0x0237001001776966694075636e2e636c (5) FreeRADIUS-Proxied-To = 127.0.0.1 (5) User-Name = "wifi@ucn.cl" (5) WARNING: Outer and inner identities are the same. User privacy is compromised. (5) server inner-tunnel { (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [chap] = noop (5) [mschap] = noop (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (5) suffix: No such realm "ucn.cl" (5) [suffix] = noop (5) update control { (5) &Proxy-To-Realm := LOCAL (5) } # update control = noop (5) eap: Peer sent EAP Response (code 2) ID 55 length 16 (5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authenticate { (5) eap: Peer sent packet with method EAP Identity (1) (5) eap: Calling submodule eap_gtc to process data (5) eap_gtc: EXPAND Password: (5) eap_gtc: --> Password: (5) eap: Sending EAP Request (code 1) ID 56 length 15 (5) eap: EAP session adding &reply:State = 0xe2b7c3f6e28fc511 (5) [eap] = handled (5) } # authenticate = handled (5) } # server inner-tunnel (5) Virtual server sending reply (5) EAP-Message = 0x0138000f0650617373776f72643a20 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xe2b7c3f6e28fc5119e7be4a0e5b4d0b5 (5) eap_peap: Got tunneled reply code 11 (5) eap_peap: EAP-Message = 0x0138000f0650617373776f72643a20 (5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (5) eap_peap: State = 0xe2b7c3f6e28fc5119e7be4a0e5b4d0b5 (5) eap_peap: Got tunneled reply RADIUS code 11 (5) eap_peap: EAP-Message = 0x0138000f0650617373776f72643a20 (5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (5) eap_peap: State = 0xe2b7c3f6e28fc5119e7be4a0e5b4d0b5 (5) eap_peap: Got tunneled Access-Challenge (5) eap: Sending EAP Request (code 1) ID 56 length 46 (5) eap: EAP session adding &reply:State = 0xbe3287d8bb0a9e17 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) Sent Access-Challenge Id 230 from 146.83.124.26:1812 to 192.168.128.34:39135 length 0 (5) EAP-Message = 0x0138002e190017030300238c3e77d5349c8e3104e1459e343ecf80b944f6189125f9cca25673e74bcb1dfa13948c (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xbe3287d8bb0a9e17d53d25d4ed3e92cc (5) Finished request Waking up in 3.1 seconds. (6) Received Access-Request Id 231 from 192.168.128.34:39135 to 146.83.124.26:1812 length 440 (6) User-Name = "wifi@ucn.cl" (6) NAS-IP-Address = 192.168.128.34 (6) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) NAS-Port = 1 (6) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (6) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 56 / Channel: 6" (6) Acct-Session-Id = "4A25A54837C27AEE" (6) Acct-Multi-Session-Id = "9B376A4223EDB7C1" (6) WLAN-Pairwise-Cipher = 1027076 (6) WLAN-Group-Cipher = 1027074 (6) WLAN-AKM-Suite = 1027073 (6) WLAN-Group-Mgmt-Cipher = 1027078 (6) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (6) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (6) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (6) Meraki-Device-Name = "AP-V1-Soporte" (6) Framed-MTU = 1400 (6) EAP-Message = 0x023800251900170303001a00000000000000021cac97495f504f4062d14dee34ce4a3088be (6) State = 0xbe3287d8bb0a9e17d53d25d4ed3e92cc (6) Message-Authenticator = 0x41a83c3c747a2e43eb827a5d57f6ccfc (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (6) suffix: No such realm "ucn.cl" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 56 length 37 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0xe2b7c3f6e28fc511 (6) eap: Finished EAP session with state 0xbe3287d8bb0a9e17 (6) eap: Previous EAP request found for state 0xbe3287d8bb0a9e17, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state phase2 (6) eap_peap: EAP method NAK (3) (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x02380006031a (6) eap_peap: Setting User-Name to wifi@ucn.cl (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x02380006031a (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "wifi@ucn.cl" (6) eap_peap: State = 0xe2b7c3f6e28fc5119e7be4a0e5b4d0b5 (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x02380006031a (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "wifi@ucn.cl" (6) State = 0xe2b7c3f6e28fc5119e7be4a0e5b4d0b5 (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (6) suffix: No such realm "ucn.cl" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 56 length 6 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) files: users: Matched entry DEFAULT at line 6 (6) [files] = ok (6) [expiration] = noop (6) [logintime] = noop (6) [pap] = noop (6) } # authorize = updated (6) Found Auth-Type = Perl (6) Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) Failed to authenticate the user (6) Using Post-Auth-Type Reject (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) Post-Auth-Type REJECT { (6) attr_filter.access_reject: EXPAND %{User-Name} (6) attr_filter.access_reject: --> wifi@ucn.cl (6) attr_filter.access_reject: Matched entry DEFAULT at line 11 (6) [attr_filter.access_reject] = updated (6) update outer.session-state { (6) No attributes updated (6) } # update outer.session-state = noop (6) } # Post-Auth-Type REJECT = updated (6) } # server inner-tunnel (6) Virtual server sending reply (6) eap_peap: Got tunneled reply code 3 (6) eap_peap: Got tunneled reply RADIUS code 3 (6) eap_peap: Tunneled authentication was rejected (6) eap_peap: FAILURE (6) eap: Sending EAP Request (code 1) ID 57 length 46 (6) eap: EAP session adding &reply:State = 0xbe3287d8b80b9e17 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) Sent Access-Challenge Id 231 from 146.83.124.26:1812 to 192.168.128.34:39135 length 0 (6) EAP-Message = 0x0139002e190017030300238c3e77d5349c8e32d6ca3a9b03de1a9d598af354a2b5a0ffa693028a4603810a6a636a (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xbe3287d8b80b9e17d53d25d4ed3e92cc (6) Finished request Waking up in 3.1 seconds. (7) Received Access-Request Id 232 from 192.168.128.34:39135 to 146.83.124.26:1812 length 449 (7) User-Name = "wifi@ucn.cl" (7) NAS-IP-Address = 192.168.128.34 (7) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) NAS-Port = 1 (7) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (7) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 59 / Channel: 6" (7) Acct-Session-Id = "4A25A54837C27AEE" (7) Acct-Multi-Session-Id = "9B376A4223EDB7C1" (7) WLAN-Pairwise-Cipher = 1027076 (7) WLAN-Group-Cipher = 1027074 (7) WLAN-AKM-Suite = 1027073 (7) WLAN-Group-Mgmt-Cipher = 1027078 (7) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (7) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (7) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (7) Meraki-Device-Name = "AP-V1-Soporte" (7) Framed-MTU = 1400 (7) EAP-Message = 0x0239002e190017030300230000000000000003615fbcaddee81e2f9c7c17d32c21d594e0264b256a8296b8738214 (7) State = 0xbe3287d8b80b9e17d53d25d4ed3e92cc (7) Message-Authenticator = 0x7dcf7aa29be880baebb100d40c138ee7 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (7) suffix: No such realm "ucn.cl" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 57 length 46 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0xe2b7c3f6e28fc511 (7) eap: Finished EAP session with state 0xbe3287d8b80b9e17 (7) eap: Previous EAP request found for state 0xbe3287d8b80b9e17, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state send tlv failure (7) eap_peap: Received EAP-TLV response (7) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) (7) eap_peap: This means you need to read the PREVIOUS messages in the debug output (7) eap_peap: to find out the reason why the user was rejected (7) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (7) eap_peap: what went wrong, and how to fix the problem (7) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (7) eap: Sending EAP Failure (code 4) ID 57 length 4 (7) eap: Failed in EAP select (7) [eap] = invalid (7) } # authenticate = invalid (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Post-Auth-Type REJECT { (7) attr_filter.access_reject: EXPAND %{User-Name} (7) attr_filter.access_reject: --> wifi@ucn.cl (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) [eap] = noop (7) policy remove_reply_message_if_eap { (7) if (&reply:EAP-Message && &reply:Reply-Message) { (7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (7) else { (7) [noop] = noop (7) } # else = noop (7) } # policy remove_reply_message_if_eap = noop (7) } # Post-Auth-Type REJECT = updated (7) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (7) Sending delayed response (7) Sent Access-Reject Id 232 from 146.83.124.26:1812 to 192.168.128.34:39135 length 44 (7) EAP-Message = 0x04390004 (7) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 2.0 seconds. (0) Cleaning up request packet ID 225 with timestamp +61 (1) Cleaning up request packet ID 226 with timestamp +61 (2) Cleaning up request packet ID 227 with timestamp +61 (3) Cleaning up request packet ID 228 with timestamp +61 Waking up in 1.8 seconds. (4) Cleaning up request packet ID 229 with timestamp +63 (5) Cleaning up request packet ID 230 with timestamp +63 (6) Cleaning up request packet ID 231 with timestamp +63 (7) Cleaning up request packet ID 232 with timestamp +63 And this is the output without anything in the users file (like the tutorial) (0) Received Access-Request Id 233 from 192.168.128.34:39135 to 146.83.124.26:1812 length 401 (0) User-Name = "wifi@ucn.cl" (0) NAS-IP-Address = 192.168.128.34 (0) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) NAS-Port = 1 (0) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (0) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 59 / Channel: 6" (0) Acct-Session-Id = "23B63E3CCB9D303A" (0) Acct-Multi-Session-Id = "D2CFCA267CC6A1B1" (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027074 (0) WLAN-AKM-Suite = 1027073 (0) WLAN-Group-Mgmt-Cipher = 1027078 (0) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (0) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (0) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (0) Meraki-Device-Name = "AP-V1-Soporte" (0) Framed-MTU = 1400 (0) EAP-Message = 0x0215001001776966694075636e2e636c (0) Message-Authenticator = 0x8dd238936888555d416ce50161d4a51e (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (0) suffix: No such realm "ucn.cl" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 21 length 16 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 22 length 6 (0) eap: EAP session adding &reply:State = 0x6ad69de36ac084d4 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 233 from 146.83.124.26:1812 to 192.168.128.34:39135 length 0 (0) EAP-Message = 0x011600061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x6ad69de36ac084d46d2973b34eeb86b0 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 234 from 192.168.128.34:39135 to 146.83.124.26:1812 length 569 (1) User-Name = "wifi@ucn.cl" (1) NAS-IP-Address = 192.168.128.34 (1) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) NAS-Port = 1 (1) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (1) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 56 / Channel: 6" (1) Acct-Session-Id = "23B63E3CCB9D303A" (1) Acct-Multi-Session-Id = "D2CFCA267CC6A1B1" (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027074 (1) WLAN-AKM-Suite = 1027073 (1) WLAN-Group-Mgmt-Cipher = 1027078 (1) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (1) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (1) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (1) Meraki-Device-Name = "AP-V1-Soporte" (1) Framed-MTU = 1400 (1) EAP-Message = 0x021600a619800000009c16030300970100009303035f6fd6edbe6bd2a4ffffa547c0e4e14592a91d3675f372cccfb622521d15008100002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d (1) State = 0x6ad69de36ac084d46d2973b34eeb86b0 (1) Message-Authenticator = 0xee340f5c4665c8a86e5f7ccbe3047a02 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (1) suffix: No such realm "ucn.cl" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 22 length 166 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x6ad69de36ac084d4 (1) eap: Finished EAP session with state 0x6ad69de36ac084d4 (1) eap: Previous EAP request found for state 0x6ad69de36ac084d4, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 156 bytes (1) eap_peap: Got complete TLS record (156 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before SSL initialization (1) eap_peap: TLS_accept: before SSL initialization (1) eap_peap: TLS_accept: before SSL initialization (1) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0097] (1) eap_peap: TLS_accept: SSLv3/TLS read client hello (1) eap_peap: >>> send TLS 1.2 [length 003d] (1) eap_peap: TLS_accept: SSLv3/TLS write server hello (1) eap_peap: >>> send TLS 1.2 [length 0302] (1) eap_peap: TLS_accept: SSLv3/TLS write certificate (1) eap_peap: >>> send TLS 1.2 [length 014d] (1) eap_peap: TLS_accept: SSLv3/TLS write key exchange (1) eap_peap: >>> send TLS 1.2 [length 0004] (1) eap_peap: TLS_accept: SSLv3/TLS write server done (1) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (1) eap_peap: In SSL Handshake Phase (1) eap_peap: In SSL Accept mode (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 23 length 1004 (1) eap: EAP session adding &reply:State = 0x6ad69de36bc184d4 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 234 from 146.83.124.26:1812 to 192.168.128.34:39135 length 0 (1) EAP-Message = 0x011703ec19c0000004a4160303003d02000039030376a744862e1aa8e551923d46047090ee28e8834b27f89e4d3721123b746aa8b100c030000011ff01000100000b0004030001020017000016030303020b0002fe0002fb0002f8308202f4308201dca00302010202147b86828007dd65cd4945e2b1e8 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x6ad69de36bc184d46d2973b34eeb86b0 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 235 from 192.168.128.34:39135 to 146.83.124.26:1812 length 409 (2) User-Name = "wifi@ucn.cl" (2) NAS-IP-Address = 192.168.128.34 (2) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) NAS-Port = 1 (2) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (2) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 58 / Channel: 6" (2) Acct-Session-Id = "23B63E3CCB9D303A" (2) Acct-Multi-Session-Id = "D2CFCA267CC6A1B1" (2) WLAN-Pairwise-Cipher = 1027076 (2) WLAN-Group-Cipher = 1027074 (2) WLAN-AKM-Suite = 1027073 (2) WLAN-Group-Mgmt-Cipher = 1027078 (2) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (2) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (2) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (2) Meraki-Device-Name = "AP-V1-Soporte" (2) Framed-MTU = 1400 (2) EAP-Message = 0x021700061900 (2) State = 0x6ad69de36bc184d46d2973b34eeb86b0 (2) Message-Authenticator = 0x3a4f384e954bd460d74e79bfff5769c3 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (2) suffix: No such realm "ucn.cl" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 23 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x6ad69de36bc184d4 (2) eap: Finished EAP session with state 0x6ad69de36bc184d4 (2) eap: Previous EAP request found for state 0x6ad69de36bc184d4, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer ACKed our handshake fragment (2) eap_peap: [eaptls verify] = request (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 24 length 200 (2) eap: EAP session adding &reply:State = 0x6ad69de368ce84d4 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 235 from 146.83.124.26:1812 to 192.168.128.34:39135 length 0 (2) EAP-Message = 0x011800c81900444c65413d39c91a3f03992d12e0cf4b0a1b5a9fcde4c888afa0fc3589594087e009becc0d6a31adf43d3f30793550ec081bc59642d5b71583ec131ec1433d4646d9e051860ca570c0ba3babef73f21c640db1add8ef45ed00ee8b70b4fbd298df33f628fcd29b46cc4fb59569e8a07dd4 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x6ad69de368ce84d46d2973b34eeb86b0 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 236 from 192.168.128.34:39135 to 146.83.124.26:1812 length 539 (3) User-Name = "wifi@ucn.cl" (3) NAS-IP-Address = 192.168.128.34 (3) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) NAS-Port = 1 (3) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (3) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 56 / Channel: 6" (3) Acct-Session-Id = "23B63E3CCB9D303A" (3) Acct-Multi-Session-Id = "D2CFCA267CC6A1B1" (3) WLAN-Pairwise-Cipher = 1027076 (3) WLAN-Group-Cipher = 1027074 (3) WLAN-AKM-Suite = 1027073 (3) WLAN-Group-Mgmt-Cipher = 1027078 (3) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (3) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (3) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (3) Meraki-Device-Name = "AP-V1-Soporte" (3) Framed-MTU = 1400 (3) EAP-Message = 0x0218008819800000007e160303004610000042410485e9fffe687c209d9b67963b680a6227fdb998f81e9570ec54586ebdc2c5ff48475ee98fd551c40e598e0b260acf021d5a6c5437038c62adcfbe31f4ac2c0e0b14030300010116030300280000000000000000b3930e73af6cc97c197e1d5a4c327c (3) State = 0x6ad69de368ce84d46d2973b34eeb86b0 (3) Message-Authenticator = 0x1cca575a0826f96e99e8b780a238c818 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (3) suffix: No such realm "ucn.cl" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 24 length 136 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x6ad69de368ce84d4 (3) eap: Finished EAP session with state 0x6ad69de368ce84d4 (3) eap: Previous EAP request found for state 0x6ad69de368ce84d4, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer indicated complete TLS record size will be 126 bytes (3) eap_peap: Got complete TLS record (126 bytes) (3) eap_peap: [eaptls verify] = length included (3) eap_peap: TLS_accept: SSLv3/TLS write server done (3) eap_peap: <<< recv TLS 1.2 [length 0046] (3) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (3) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (3) eap_peap: <<< recv TLS 1.2 [length 0010] (3) eap_peap: TLS_accept: SSLv3/TLS read finished (3) eap_peap: >>> send TLS 1.2 [length 0001] (3) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (3) eap_peap: >>> send TLS 1.2 [length 0010] (3) eap_peap: TLS_accept: SSLv3/TLS write finished (3) eap_peap: (other): SSL negotiation finished successfully (3) eap_peap: SSL Connection Established (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 25 length 57 (3) eap: EAP session adding &reply:State = 0x6ad69de369cf84d4 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) Sent Access-Challenge Id 236 from 146.83.124.26:1812 to 192.168.128.34:39135 length 0 (3) EAP-Message = 0x0119003919001403030001011603030028f78c11b0ef5a70f07f3e47207a02b3c4b3c1ffbc4d1f87d3ee8d30100070d389e575de8ac372c617 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x6ad69de369cf84d46d2973b34eeb86b0 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 237 from 192.168.128.34:39135 to 146.83.124.26:1812 length 409 (4) User-Name = "wifi@ucn.cl" (4) NAS-IP-Address = 192.168.128.34 (4) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) NAS-Port = 1 (4) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (4) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 56 / Channel: 6" (4) Acct-Session-Id = "23B63E3CCB9D303A" (4) Acct-Multi-Session-Id = "D2CFCA267CC6A1B1" (4) WLAN-Pairwise-Cipher = 1027076 (4) WLAN-Group-Cipher = 1027074 (4) WLAN-AKM-Suite = 1027073 (4) WLAN-Group-Mgmt-Cipher = 1027078 (4) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (4) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (4) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (4) Meraki-Device-Name = "AP-V1-Soporte" (4) Framed-MTU = 1400 (4) EAP-Message = 0x021900061900 (4) State = 0x6ad69de369cf84d46d2973b34eeb86b0 (4) Message-Authenticator = 0x527b607bdf79a41a4ead8fb439e209ae (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (4) suffix: No such realm "ucn.cl" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 25 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x6ad69de369cf84d4 (4) eap: Finished EAP session with state 0x6ad69de369cf84d4 (4) eap: Previous EAP request found for state 0x6ad69de369cf84d4, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer ACKed our handshake fragment. handshake is finished (4) eap_peap: [eaptls verify] = success (4) eap_peap: [eaptls process] = success (4) eap_peap: Session established. Decoding tunneled attributes (4) eap_peap: PEAP state TUNNEL ESTABLISHED (4) eap: Sending EAP Request (code 1) ID 26 length 40 (4) eap: EAP session adding &reply:State = 0x6ad69de36ecc84d4 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) Sent Access-Challenge Id 237 from 146.83.124.26:1812 to 192.168.128.34:39135 length 0 (4) EAP-Message = 0x011a00281900170303001df78c11b0ef5a70f19808dcc71088b35221975d9fd11d000e5f9d5034e9 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x6ad69de36ecc84d46d2973b34eeb86b0 (4) Finished request Waking up in 3.2 seconds. (5) Received Access-Request Id 238 from 192.168.128.34:39135 to 146.83.124.26:1812 length 450 (5) User-Name = "wifi@ucn.cl" (5) NAS-IP-Address = 192.168.128.34 (5) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) NAS-Port = 1 (5) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (5) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 59 / Channel: 6" (5) Acct-Session-Id = "23B63E3CCB9D303A" (5) Acct-Multi-Session-Id = "D2CFCA267CC6A1B1" (5) WLAN-Pairwise-Cipher = 1027076 (5) WLAN-Group-Cipher = 1027074 (5) WLAN-AKM-Suite = 1027073 (5) WLAN-Group-Mgmt-Cipher = 1027078 (5) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (5) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (5) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (5) Meraki-Device-Name = "AP-V1-Soporte" (5) Framed-MTU = 1400 (5) EAP-Message = 0x021a002f1900170303002400000000000000015be4b0038f810ebc0471036a59f620b95f62c382078d0faee2358b5f (5) State = 0x6ad69de36ecc84d46d2973b34eeb86b0 (5) Message-Authenticator = 0x6b3df7c2248e6201f5834ee5b695fe04 (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (5) suffix: No such realm "ucn.cl" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 26 length 47 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x6ad69de36ecc84d4 (5) eap: Finished EAP session with state 0x6ad69de36ecc84d4 (5) eap: Previous EAP request found for state 0x6ad69de36ecc84d4, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: [eaptls verify] = ok (5) eap_peap: Done initial handshake (5) eap_peap: [eaptls process] = ok (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state WAITING FOR INNER IDENTITY (5) eap_peap: Identity - wifi@ucn.cl (5) eap_peap: Got inner identity 'wifi@ucn.cl' (5) eap_peap: Setting default EAP type for tunneled EAP session (5) eap_peap: Got tunneled request (5) eap_peap: EAP-Message = 0x021a001001776966694075636e2e636c (5) eap_peap: Setting User-Name to wifi@ucn.cl (5) eap_peap: Sending tunneled request to inner-tunnel (5) eap_peap: EAP-Message = 0x021a001001776966694075636e2e636c (5) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (5) eap_peap: User-Name = "wifi@ucn.cl" (5) Virtual server inner-tunnel received request (5) EAP-Message = 0x021a001001776966694075636e2e636c (5) FreeRADIUS-Proxied-To = 127.0.0.1 (5) User-Name = "wifi@ucn.cl" (5) WARNING: Outer and inner identities are the same. User privacy is compromised. (5) server inner-tunnel { (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [chap] = noop (5) [mschap] = noop (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (5) suffix: No such realm "ucn.cl" (5) [suffix] = noop (5) update control { (5) &Proxy-To-Realm := LOCAL (5) } # update control = noop (5) eap: Peer sent EAP Response (code 2) ID 26 length 16 (5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authenticate { (5) eap: Peer sent packet with method EAP Identity (1) (5) eap: Calling submodule eap_gtc to process data (5) eap_gtc: EXPAND Password: (5) eap_gtc: --> Password: (5) eap: Sending EAP Request (code 1) ID 27 length 15 (5) eap: EAP session adding &reply:State = 0xd7cb9988d7d09f6c (5) [eap] = handled (5) } # authenticate = handled (5) } # server inner-tunnel (5) Virtual server sending reply (5) EAP-Message = 0x011b000f0650617373776f72643a20 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xd7cb9988d7d09f6cbc011ffc4c1837c6 (5) eap_peap: Got tunneled reply code 11 (5) eap_peap: EAP-Message = 0x011b000f0650617373776f72643a20 (5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (5) eap_peap: State = 0xd7cb9988d7d09f6cbc011ffc4c1837c6 (5) eap_peap: Got tunneled reply RADIUS code 11 (5) eap_peap: EAP-Message = 0x011b000f0650617373776f72643a20 (5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (5) eap_peap: State = 0xd7cb9988d7d09f6cbc011ffc4c1837c6 (5) eap_peap: Got tunneled Access-Challenge (5) eap: Sending EAP Request (code 1) ID 27 length 46 (5) eap: EAP session adding &reply:State = 0x6ad69de36fcd84d4 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) Sent Access-Challenge Id 238 from 146.83.124.26:1812 to 192.168.128.34:39135 length 0 (5) EAP-Message = 0x011b002e19001703030023f78c11b0ef5a70f2687e33c1b77be383f86d5b2f47fa678b105760e894a1df71575d35 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x6ad69de36fcd84d46d2973b34eeb86b0 (5) Finished request Waking up in 3.2 seconds. (6) Received Access-Request Id 239 from 192.168.128.34:39135 to 146.83.124.26:1812 length 440 (6) User-Name = "wifi@ucn.cl" (6) NAS-IP-Address = 192.168.128.34 (6) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) NAS-Port = 1 (6) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (6) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 58 / Channel: 6" (6) Acct-Session-Id = "23B63E3CCB9D303A" (6) Acct-Multi-Session-Id = "D2CFCA267CC6A1B1" (6) WLAN-Pairwise-Cipher = 1027076 (6) WLAN-Group-Cipher = 1027074 (6) WLAN-AKM-Suite = 1027073 (6) WLAN-Group-Mgmt-Cipher = 1027078 (6) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (6) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (6) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (6) Meraki-Device-Name = "AP-V1-Soporte" (6) Framed-MTU = 1400 (6) EAP-Message = 0x021b00251900170303001a00000000000000022174921174271e19d71271da29e503c17a05 (6) State = 0x6ad69de36fcd84d46d2973b34eeb86b0 (6) Message-Authenticator = 0x17697a1ac272270792eb2f0bf1cd519b (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (6) suffix: No such realm "ucn.cl" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 27 length 37 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0xd7cb9988d7d09f6c (6) eap: Finished EAP session with state 0x6ad69de36fcd84d4 (6) eap: Previous EAP request found for state 0x6ad69de36fcd84d4, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state phase2 (6) eap_peap: EAP method NAK (3) (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x021b0006031a (6) eap_peap: Setting User-Name to wifi@ucn.cl (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x021b0006031a (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "wifi@ucn.cl" (6) eap_peap: State = 0xd7cb9988d7d09f6cbc011ffc4c1837c6 (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x021b0006031a (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "wifi@ucn.cl" (6) State = 0xd7cb9988d7d09f6cbc011ffc4c1837c6 (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (6) suffix: No such realm "ucn.cl" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 27 length 6 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) [files] = noop (6) [expiration] = noop (6) [logintime] = noop (6) [pap] = noop (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Expiring EAP session with state 0xd7cb9988d7d09f6c (6) eap: Finished EAP session with state 0xd7cb9988d7d09f6c (6) eap: Previous EAP request found for state 0xd7cb9988d7d09f6c, released from the list (6) eap: Peer sent packet with method EAP NAK (3) (6) eap: Found mutually acceptable type MSCHAPv2 (26) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: Issuing Challenge (6) eap: Sending EAP Request (code 1) ID 28 length 43 (6) eap: EAP session adding &reply:State = 0xd7cb9988d6d7836c (6) [eap] = handled (6) } # authenticate = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) EAP-Message = 0x011c002b1a011c002610c913d976ec31369fef6c84c78edbec4c667265657261646975732d332e302e3136 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xd7cb9988d6d7836cbc011ffc4c1837c6 (6) eap_peap: Got tunneled reply code 11 (6) eap_peap: EAP-Message = 0x011c002b1a011c002610c913d976ec31369fef6c84c78edbec4c667265657261646975732d332e302e3136 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0xd7cb9988d6d7836cbc011ffc4c1837c6 (6) eap_peap: Got tunneled reply RADIUS code 11 (6) eap_peap: EAP-Message = 0x011c002b1a011c002610c913d976ec31369fef6c84c78edbec4c667265657261646975732d332e302e3136 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0xd7cb9988d6d7836cbc011ffc4c1837c6 (6) eap_peap: Got tunneled Access-Challenge (6) eap: Sending EAP Request (code 1) ID 28 length 74 (6) eap: EAP session adding &reply:State = 0x6ad69de36cca84d4 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) Sent Access-Challenge Id 239 from 146.83.124.26:1812 to 192.168.128.34:39135 length 0 (6) EAP-Message = 0x011c004a1900170303003ff78c11b0ef5a70f3645ddb1c566bbbe40c14311163f5678fe96c4c0f59a59ee92c6dc12e91a2c83380af8fd7b2c7e29fec5be7f62512ffac2470f709c5801b (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x6ad69de36cca84d46d2973b34eeb86b0 (6) Finished request Waking up in 3.2 seconds. (7) Received Access-Request Id 240 from 192.168.128.34:39135 to 146.83.124.26:1812 length 504 (7) User-Name = "wifi@ucn.cl" (7) NAS-IP-Address = 192.168.128.34 (7) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) NAS-Port = 1 (7) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (7) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 56 / Channel: 6" (7) Acct-Session-Id = "23B63E3CCB9D303A" (7) Acct-Multi-Session-Id = "D2CFCA267CC6A1B1" (7) WLAN-Pairwise-Cipher = 1027076 (7) WLAN-Group-Cipher = 1027074 (7) WLAN-AKM-Suite = 1027073 (7) WLAN-Group-Mgmt-Cipher = 1027078 (7) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (7) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (7) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (7) Meraki-Device-Name = "AP-V1-Soporte" (7) Framed-MTU = 1400 (7) EAP-Message = 0x021c00651900170303005a0000000000000003076f0970d6c7ef028a7a0cd4d2b29f5f743f27ad30b7917764773fbb61eb8e7216ca8a2e9dfbebb302a65ea624a5e472f89ebf891acd48bb768d23278f550c3029b2c2e9693ee8764f035d1de2d6f6fb5309 (7) State = 0x6ad69de36cca84d46d2973b34eeb86b0 (7) Message-Authenticator = 0xcf56fbac4a5ad153343e3c9b99c31ec4 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (7) suffix: No such realm "ucn.cl" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 28 length 101 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0xd7cb9988d6d7836c (7) eap: Finished EAP session with state 0x6ad69de36cca84d4 (7) eap: Previous EAP request found for state 0x6ad69de36cca84d4, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP method MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x021c00461a021c004131ab048fa3db377388ecc5be4a9dc872fc00000000000000001b7c2d6891b5b524d381a3223525e574d0d88d1990d6418900776966694075636e2e636c (7) eap_peap: Setting User-Name to wifi@ucn.cl (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x021c00461a021c004131ab048fa3db377388ecc5be4a9dc872fc00000000000000001b7c2d6891b5b524d381a3223525e574d0d88d1990d6418900776966694075636e2e636c (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "wifi@ucn.cl" (7) eap_peap: State = 0xd7cb9988d6d7836cbc011ffc4c1837c6 (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x021c00461a021c004131ab048fa3db377388ecc5be4a9dc872fc00000000000000001b7c2d6891b5b524d381a3223525e574d0d88d1990d6418900776966694075636e2e636c (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "wifi@ucn.cl" (7) State = 0xd7cb9988d6d7836cbc011ffc4c1837c6 (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (7) suffix: No such realm "ucn.cl" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 28 length 70 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0xd7cb9988d6d7836c (7) eap: Finished EAP session with state 0xd7cb9988d6d7836c (7) eap: Previous EAP request found for state 0xd7cb9988d6d7836c, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) eap_mschapv2: authenticate { (7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (7) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (7) mschap: Creating challenge hash with username: wifi@ucn.cl (7) mschap: Client is using MS-CHAPv2 (7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (7) mschap: ERROR: MS-CHAP2-Response is incorrect (7) [mschap] = reject (7) } # authenticate = reject (7) eap: Sending EAP Failure (code 4) ID 28 length 4 (7) eap: Freeing handler (7) [eap] = reject (7) } # authenticate = reject (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) Post-Auth-Type REJECT { (7) attr_filter.access_reject: EXPAND %{User-Name} (7) attr_filter.access_reject: --> wifi@ucn.cl (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) update outer.session-state { (7) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication' (7) } # update outer.session-state = noop (7) } # Post-Auth-Type REJECT = updated (7) } # server inner-tunnel (7) Virtual server sending reply (7) MS-CHAP-Error = "\034E=691 R=1 C=5a4bb43eb35ed2e205c477227990bfba V=3 M=Authentication rejected" (7) EAP-Message = 0x041c0004 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Got tunneled reply code 3 (7) eap_peap: MS-CHAP-Error = "\034E=691 R=1 C=5a4bb43eb35ed2e205c477227990bfba V=3 M=Authentication rejected" (7) eap_peap: EAP-Message = 0x041c0004 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Got tunneled reply RADIUS code 3 (7) eap_peap: MS-CHAP-Error = "\034E=691 R=1 C=5a4bb43eb35ed2e205c477227990bfba V=3 M=Authentication rejected" (7) eap_peap: EAP-Message = 0x041c0004 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Tunneled authentication was rejected (7) eap_peap: FAILURE (7) eap: Sending EAP Request (code 1) ID 29 length 46 (7) eap: EAP session adding &reply:State = 0x6ad69de36dcb84d4 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) session-state: Saving cached attributes (7) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication" (7) Sent Access-Challenge Id 240 from 146.83.124.26:1812 to 192.168.128.34:39135 length 0 (7) EAP-Message = 0x011d002e19001703030023f78c11b0ef5a70f49af45c0e369fe8daf948bf41add8e543ad8adf9db255610e28aa2b (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x6ad69de36dcb84d46d2973b34eeb86b0 (7) Finished request Waking up in 3.2 seconds. (8) Received Access-Request Id 241 from 192.168.128.34:39135 to 146.83.124.26:1812 length 449 (8) User-Name = "wifi@ucn.cl" (8) NAS-IP-Address = 192.168.128.34 (8) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) NAS-Port = 1 (8) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (8) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 59 / Channel: 6" (8) Acct-Session-Id = "23B63E3CCB9D303A" (8) Acct-Multi-Session-Id = "D2CFCA267CC6A1B1" (8) WLAN-Pairwise-Cipher = 1027076 (8) WLAN-Group-Cipher = 1027074 (8) WLAN-AKM-Suite = 1027073 (8) WLAN-Group-Mgmt-Cipher = 1027078 (8) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (8) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (8) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (8) Meraki-Device-Name = "AP-V1-Soporte" (8) Framed-MTU = 1400 (8) EAP-Message = 0x021d002e19001703030023000000000000000463bc7cf7f04b6ad6d4ddab033589c578f326342327fc79aca56807 (8) State = 0x6ad69de36dcb84d46d2973b34eeb86b0 (8) Message-Authenticator = 0x2336ed602fc775bed0cc3efec5a813e1 (8) Restoring &session-state (8) &session-state:Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication" (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (8) suffix: No such realm "ucn.cl" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 29 length 46 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x6ad69de36dcb84d4 (8) eap: Finished EAP session with state 0x6ad69de36dcb84d4 (8) eap: Previous EAP request found for state 0x6ad69de36dcb84d4, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state send tlv failure (8) eap_peap: Received EAP-TLV response (8) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) (8) eap_peap: This means you need to read the PREVIOUS messages in the debug output (8) eap_peap: to find out the reason why the user was rejected (8) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (8) eap_peap: what went wrong, and how to fix the problem (8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (8) eap: Sending EAP Failure (code 4) ID 29 length 4 (8) eap: Failed in EAP select (8) [eap] = invalid (8) } # authenticate = invalid (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject: EXPAND %{User-Name} (8) attr_filter.access_reject: --> wifi@ucn.cl (8) attr_filter.access_reject: Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) [eap] = noop (8) policy remove_reply_message_if_eap { (8) if (&reply:EAP-Message && &reply:Reply-Message) { (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (8) else { (8) [noop] = noop (8) } # else = noop (8) } # policy remove_reply_message_if_eap = noop (8) } # Post-Auth-Type REJECT = updated (8) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (8) Sending delayed response (8) Sent Access-Reject Id 241 from 146.83.124.26:1812 to 192.168.128.34:39135 length 44 (8) EAP-Message = 0x041d0004 (8) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 2.1 seconds. (0) Cleaning up request packet ID 233 with timestamp +20 (1) Cleaning up request packet ID 234 with timestamp +20 (2) Cleaning up request packet ID 235 with timestamp +20 (3) Cleaning up request packet ID 236 with timestamp +20 Waking up in 1.7 seconds. (4) Cleaning up request packet ID 237 with timestamp +22 (5) Cleaning up request packet ID 238 with timestamp +22 (6) Cleaning up request packet ID 239 with timestamp +22 (7) Cleaning up request packet ID 240 with timestamp +22 (8) Cleaning up request packet ID 241 with timestamp +22 El vie., 25 sept. 2020 a las 9:13, Alan DeKok (<aland@deployingradius.com>) escribió:
On Sep 24, 2020, at 9:26 PM, HORMAZABAL PI�ONES BARBARA FRANCISCA < bhp001@alumnos.ucn.cl> wrote:
If you have a Perl script which does pop3 authentication, it should be straightforward to run it in FreeRADIUS. Sorry, I don't know what you meant by that.
It's a Perl script... if you can run it from the command line, you can tell FreeRADIUS to load the same script. Maybe with some modifications, but that's it.
There's no magic here.
But the Perl script rejected the user.
Ok so I was testing some things in a virtual machine and realized something. I did the exact same configuration that in the server and radtest locally was sucessful in the VM but not in the server. And that's when I noticed that whenever I used radtest [gmail acc] [password] localhost 0 testing123 the output I recieved had the localhost IP address as NAS-IP-Address and this was successful without adding the user to the users file. However when running the same command in the server the NAS-IP-Address was the IP of the server and not localhost (the same happens with user bob) and gets rejected,
So... something *else* in the configuration is broken. You added local rules which set the password for the user, but only if the packet includes the correct NAS-IP-Address.
i.e. you edited the server configuration so that packets using one NAS-IP-Address work, and packets using another NAS-IP-Address fail.
We don't know the IP of your RADIUS server. So we didn't create that configuration. The default configuration doesn't contain these rules.
So... what did you change, and why? It's your configuration. You should know that.
but it's successful if you add the mail and password in the users file.
That is sort of how the RADIUS server works... if you add a username && password, that's user gets authenticated with that password.
Basically, in VM: $radtest wifi@ucn.cl password localhost 0 testing123
And all of that is useless. I have NO idea why people are so insistent on looking at *client* output when they're trying to debug the *server*.
ALL of the documentation says to run the server in debugging mode. Then READ It. If you're not clear on what it means, POST IT to the list. ALL OF IT.
You're working hard to do every EXCEPT what the documentation says to do. Why?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html