Hi All, since few days I've stocked with configuration freeradius. All works good except one thing. I can't get info from Active Directory to freeradius in which group user belong (this one I need to set vlan depend on group). My version freeradius is 3.0.4 as you can see below user "newuser" participate in group "computers", here`s output from ldapsearch: dn: CN=newuser,CN=Users,DC=test,DC=ad,DC=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: newuser givenName: newuser distinguishedName: CN=newuser,CN=Users,DC=test,DC=ad,DC=com instanceType: 4 whenCreated: 20150702132126.0Z whenChanged: 20150703105127.0Z displayName: newuser uSNCreated: 82039 memberOf: CN=computers,CN=Users,DC=test,DC=ad,DC=com uSNChanged: 90187 name: newuser objectGUID:: XX+6g4wMJEGdDfEOZF5Rgw== userAccountControl: 66048 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 pwdLastSet: 130803168865078125 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAAR3zVX0Ki+LP5AMXOVQQAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: newuser sAMAccountType: 805306368 userPrincipalName: newuser@test.ad.com objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=ad,DC=com dSCorePropagationData: 16010101000000.0Z lastLogonTimestamp: 130803172388710937 from log output I see that user "newuser" get access-accept but freeradius didn`t find him in group "computers" here is output: Received Access-Request Id 182 from 192.168.0.2:1812 to 192.168.0.10:1812 length 129 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200000c016e657775736572 Message-Authenticator = 0x4331712c3046bdcd9eb1614539cc6375 (0) Received Access-Request packet from host 192.168.0.2 port 1812, id=182, length=129 (0) NAS-IP-Address = 192.168.0.2 (0) NAS-Port = 50024 (0) NAS-Port-Type = Ethernet (0) User-Name = 'newuser' (0) Called-Station-Id = '00-16-9D-D3-40-D8' (0) Calling-Station-Id = '68-B5-99-C8-B0-5E' (0) Service-Type = Framed-User (0) Framed-MTU = 1500 (0) EAP-Message = 0x0200000c016e657775736572 (0) Message-Authenticator = 0x4331712c3046bdcd9eb1614539cc6375 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Checking for suffix after "@" (0) suffix : No '@' in User-Name = "newuser", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : Peer sent code Response (2) ID 0 length 12 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap : Peer sent method Identity (1) (0) eap : Calling eap_peap to process EAP data (0) eap_peap : Flushing SSL sessions (of #0) (0) eap_peap : Initiate (0) eap_peap : Start returned 1 (0) eap : New EAP session, adding 'State' attribute to reply 0x0e9027300e913e66 (0) [eap] = handled (0) } # authenticate = handled (0) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=182, length=0 (0) EAP-Message = 0x010100061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x0e9027300e913e6603c734ef610afcab Sending Access-Challenge Id 182 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e9027300e913e6603c734ef610afcab (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 183 from 192.168.0.2:1812 to 192.168.0.10:1812 length 276 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e9027300e913e6603c734ef610afcab EAP-Message = 0x0201008d198000000083160301007e0100007a0301559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f320fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d940018002f00350005000ac013c014c009c00a003200380013000401000019ff01000100000a0006000400170018000b0002010000230000 Message-Authenticator = 0x266af039e3fea82832098be1d93cc75f (1) Received Access-Request packet from host 192.168.0.2 port 1812, id=183, length=276 (1) NAS-IP-Address = 192.168.0.2 (1) NAS-Port = 50024 (1) NAS-Port-Type = Ethernet (1) User-Name = 'newuser' (1) Called-Station-Id = '00-16-9D-D3-40-D8' (1) Calling-Station-Id = '68-B5-99-C8-B0-5E' (1) Service-Type = Framed-User (1) Framed-MTU = 1500 (1) State = 0x0e9027300e913e6603c734ef610afcab (1) EAP-Message = 0x0201008d198000000083160301007e0100007a0301559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f320fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d940018002f00350005000ac013c014c009c00a003200380013000401000019ff01000100000a0006000400170018000b0002010000230000 (1) Message-Authenticator = 0x266af039e3fea82832098be1d93cc75f (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) if (!&User-Name) (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\\.\\./ ) (1) if (&User-Name =~ /\\.\\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\\.$/) (1) if (&User-Name =~ /\\.$/) -> FALSE (1) if (&User-Name =~ /@\\./) (1) if (&User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : Checking for suffix after "@" (1) suffix : No '@' in User-Name = "newuser", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop (1) eap : Peer sent code Response (2) ID 1 length 141 (1) eap : Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = EAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0x0e9027300e913e66 (1) eap : Finished EAP session with state 0x0e9027300e913e66 (1) eap : Previous EAP request found for state 0x0e9027300e913e66, released from the list (1) eap : Peer sent method PEAP (25) (1) eap : EAP PEAP (25) (1) eap : Calling eap_peap to process EAP data (1) eap_peap : processing EAP-TLS TLS Length 131 (1) eap_peap : Length Included (1) eap_peap : eaptls_verify returned 11 (1) eap_peap : (other): before/accept initialization (1) eap_peap : TLS_accept: before/accept initialization (1) eap_peap : <<< TLS 1.0 Handshake [length 007e], ClientHello SSL: Client requested cached session fa4af0c0ab28637bf7d426826fc4d55981527e8e975dcc90dc4e38e9fbae1d94 (1) eap_peap : TLS_accept: SSLv3 read client hello A (1) eap_peap : >>> TLS 1.0 Handshake [length 0051], ServerHello (1) eap_peap : TLS_accept: SSLv3 write server hello A (1) eap_peap : >>> TLS 1.0 Handshake [length 08d0], Certificate (1) eap_peap : TLS_accept: SSLv3 write certificate A (1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap : TLS_accept: SSLv3 write server done A (1) eap_peap : TLS_accept: SSLv3 flush data (1) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (1) eap_peap : eaptls_process returned 13 (1) eap_peap : FR_TLS_HANDLED (1) eap : New EAP session, adding 'State' attribute to reply 0x0e9027300f923e66 (1) [eap] = handled (1) } # authenticate = handled (1) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=183, length=0 (1) EAP-Message = 0x010203ec19c00000093416030100510200004d030155967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b3132048fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4002f000005ff0100010016030108d00b0008cc0008c90003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100cb6b06d9bfe3e7b3b07012c1ffbeb410e02e9a2c (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x0e9027300f923e6603c734ef610afcab Sending Access-Challenge Id 183 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x010203ec19c00000093416030100510200004d030155967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b3132048fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4002f000005ff0100010016030108d00b0008cc0008c90003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100cb6b06d9bfe3e7b3b07012c1ffbeb410e02e9a2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e9027300f923e6603c734ef610afcab (1) Finished request Waking up in 0.3 seconds. Received Access-Request Id 184 from 192.168.0.2:1812 to 192.168.0.10:1812 length 141 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e9027300f923e6603c734ef610afcab EAP-Message = 0x020200061900 Message-Authenticator = 0x8f82b650b4b634e464ffc5f8d5f78feb (2) Received Access-Request packet from host 192.168.0.2 port 1812, id=184, length=141 (2) NAS-IP-Address = 192.168.0.2 (2) NAS-Port = 50024 (2) NAS-Port-Type = Ethernet (2) User-Name = 'newuser' (2) Called-Station-Id = '00-16-9D-D3-40-D8' (2) Calling-Station-Id = '68-B5-99-C8-B0-5E' (2) Service-Type = Framed-User (2) Framed-MTU = 1500 (2) State = 0x0e9027300f923e6603c734ef610afcab (2) EAP-Message = 0x020200061900 (2) Message-Authenticator = 0x8f82b650b4b634e464ffc5f8d5f78feb (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) if (!&User-Name) (2) if (!&User-Name) -> FALSE (2) if (&User-Name =~ / /) (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@.*@/ ) (2) if (&User-Name =~ /@.*@/ ) -> FALSE (2) if (&User-Name =~ /\\.\\./ ) (2) if (&User-Name =~ /\\.\\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\\.$/) (2) if (&User-Name =~ /\\.$/) -> FALSE (2) if (&User-Name =~ /@\\./) (2) if (&User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : Checking for suffix after "@" (2) suffix : No '@' in User-Name = "newuser", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) eap : Peer sent code Response (2) ID 2 length 6 (2) eap : Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0x0e9027300f923e66 (2) eap : Finished EAP session with state 0x0e9027300f923e66 (2) eap : Previous EAP request found for state 0x0e9027300f923e66, released from the list (2) eap : Peer sent method PEAP (25) (2) eap : EAP PEAP (25) (2) eap : Calling eap_peap to process EAP data (2) eap_peap : processing EAP-TLS (2) eap_peap : Received TLS ACK (2) eap_peap : Received TLS ACK (2) eap_peap : ACK handshake fragment handler (2) eap_peap : eaptls_verify returned 1 (2) eap_peap : eaptls_process returned 13 (2) eap_peap : FR_TLS_HANDLED (2) eap : New EAP session, adding 'State' attribute to reply 0x0e9027300c933e66 (2) [eap] = handled (2) } # authenticate = handled (2) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=184, length=0 (2) EAP-Message = 0x010303e819405dadee37810b310ed26be4bf84d74c93ed4bec31d3134bb7a82b63f7c127649298b74b8aaa1cb9fcc7f38620180bc143afd04d038ef800534cc721eb60db5cbc61c6b9b07e52b2be16b702215ff87201c227e511bc39694982461c2d21008a4b0a0004e5308204e1308203c9a003020102020900d341ec42790a6fe5300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x0e9027300c933e6603c734ef610afcab Sending Access-Challenge Id 184 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x010303e819405dadee37810b310ed26be4bf84d74c93ed4bec31d3134bb7a82b63f7c127649298b74b8aaa1cb9fcc7f38620180bc143afd04d038ef800534cc721eb60db5cbc61c6b9b07e52b2be16b702215ff87201c227e511bc39694982461c2d21008a4b0a0004e5308204e1308203c9a003020102020900d341ec42790a6fe5300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303632333039323031315a170d3135303832323039323031315a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f00308 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e9027300c933e6603c734ef610afcab (2) Finished request Waking up in 0.3 seconds. Received Access-Request Id 185 from 192.168.0.2:1812 to 192.168.0.10:1812 length 141 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e9027300c933e6603c734ef610afcab EAP-Message = 0x020300061900 Message-Authenticator = 0x4612243013b59207a7128ea3f82af7c3 (3) Received Access-Request packet from host 192.168.0.2 port 1812, id=185, length=141 (3) NAS-IP-Address = 192.168.0.2 (3) NAS-Port = 50024 (3) NAS-Port-Type = Ethernet (3) User-Name = 'newuser' (3) Called-Station-Id = '00-16-9D-D3-40-D8' (3) Calling-Station-Id = '68-B5-99-C8-B0-5E' (3) Service-Type = Framed-User (3) Framed-MTU = 1500 (3) State = 0x0e9027300c933e6603c734ef610afcab (3) EAP-Message = 0x020300061900 (3) Message-Authenticator = 0x4612243013b59207a7128ea3f82af7c3 (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) filter_username filter_username { (3) if (!&User-Name) (3) if (!&User-Name) -> FALSE (3) if (&User-Name =~ / /) (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@.*@/ ) (3) if (&User-Name =~ /@.*@/ ) -> FALSE (3) if (&User-Name =~ /\\.\\./ ) (3) if (&User-Name =~ /\\.\\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\\.$/) (3) if (&User-Name =~ /\\.$/) -> FALSE (3) if (&User-Name =~ /@\\./) (3) if (&User-Name =~ /@\\./) -> FALSE (3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : Checking for suffix after "@" (3) suffix : No '@' in User-Name = "newuser", looking up realm NULL (3) suffix : No such realm "NULL" (3) [suffix] = noop (3) eap : Peer sent code Response (2) ID 3 length 6 (3) eap : Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0x0e9027300c933e66 (3) eap : Finished EAP session with state 0x0e9027300c933e66 (3) eap : Previous EAP request found for state 0x0e9027300c933e66, released from the list (3) eap : Peer sent method PEAP (25) (3) eap : EAP PEAP (25) (3) eap : Calling eap_peap to process EAP data (3) eap_peap : processing EAP-TLS (3) eap_peap : Received TLS ACK (3) eap_peap : Received TLS ACK (3) eap_peap : ACK handshake fragment handler (3) eap_peap : eaptls_verify returned 1 (3) eap_peap : eaptls_process returned 13 (3) eap_peap : FR_TLS_HANDLED (3) eap : New EAP session, adding 'State' attribute to reply 0x0e9027300d943e66 (3) [eap] = handled (3) } # authenticate = handled (3) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=185, length=0 (3) EAP-Message = 0x0104017619007479820900d341ec42790a6fe5300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100ac39c26dec50bba63993d15c97f83ed294499bc6f92436a1b253966ce768d892d9c68aae360018347c9c54833061317e8c1768250d6cccc4adcf063a0e86c81dc9cff914de4d42cf06568494ce9ee4ae6852654d5160cabfe64f82e2ffea66c370698f88f72345954429fe25a91d10626e004dccc58a222bdae41daf083ca5259bae8f896a62454d37d648ca30dcde05f947866efc0ed7d73e7671954218729559ea417e6300a28cb165d68d2591e811118edd483888e77ab2695dde4c325340ea840f56fb31837fcf733069a89ed1f320b33a95572350fda6a7fbcfa850c719334e496b5ae294ee8769b9617ae8bf7830c86e79e0628d25a49a7a7afa6471ab16030100040e000000 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x0e9027300d943e6603c734ef610afcab Sending Access-Challenge Id 185 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x0104017619007479820900d341ec42790a6fe5300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100ac39c26dec50bba63993d15c97f83ed294499bc6f92436a1b253966ce768d892d9c68aae360018347c9c54833061317e8c1768250d6cccc4adcf063a0e86c81dc9cff914de4d42cf06568494ce9ee4ae6852654d5160cabfe64f82e2ffea66c370698f88f72345954429fe25a91d10626e004dccc58a222bdae41daf083ca5259bae8f896a62454d37d648ca30dcde05f947866efc0ed7d73e7671954218729559ea417e6300a28cb165d68d2591e811118edd483888e77ab2695dde4c325340ea840f56fb31837fcf733069a89ed1f320b33a95572350fda6a7fbcfa850c719334e496b5ae294ee8769b9617ae8bf7830c86e79e0628d25a49a7a7afa6471ab16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e9027300d943e6603c734ef610afcab (3) Finished request Waking up in 0.2 seconds. Received Access-Request Id 186 from 192.168.0.2:1812 to 192.168.0.10:1812 length 473 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e9027300d943e6603c734ef610afcab EAP-Message = 0x0204015019800000014616030101061000010201009c140457a5001869d3c4409886b6381ffbb3a3b2e588b5c1a8d432a0577faee12a585e5772dcbbcd7f54d7841cd2ef3c4241655a7ecca77efe6bbb11ef29698031973a611a05c0f2da4e21b11aec38e086460f2218cfa58a027596405e8a0b1e608f06424528ac7c978de90b5c6cb179a2d9e3eb016a85cd20e2d43c142a0af7a4b00f6e57348fe41e154b44a604fbf973d99b09af607f745a2045874f5870b878f1bfccfa1b5219a0cb60ad9bb7dca77628afeee09efe1b394bbbecff907c0e5b23bd8622b38a360cde10bf3bb568ba3e577b78a9e793d9204e5188976028b9873709604f2a1272a978745544efe39db3a4ceecf16dbab756ca4e7419a14e621403010001011603010030193a998b6522faa35707604a4ba153d81f0838c651a0a8f14679c6507654ef48ef301afcfcca06e70df0f907841c7cbd Message-Authenticator = 0x1b895bbbb9e7981ab29d96346a062a54 (4) Received Access-Request packet from host 192.168.0.2 port 1812, id=186, length=473 (4) NAS-IP-Address = 192.168.0.2 (4) NAS-Port = 50024 (4) NAS-Port-Type = Ethernet (4) User-Name = 'newuser' (4) Called-Station-Id = '00-16-9D-D3-40-D8' (4) Calling-Station-Id = '68-B5-99-C8-B0-5E' (4) Service-Type = Framed-User (4) Framed-MTU = 1500 (4) State = 0x0e9027300d943e6603c734ef610afcab (4) EAP-Message = 0x0204015019800000014616030101061000010201009c140457a5001869d3c4409886b6381ffbb3a3b2e588b5c1a8d432a0577faee12a585e5772dcbbcd7f54d7841cd2ef3c4241655a7ecca77efe6bbb11ef29698031973a611a05c0f2da4e21b11aec38e086460f2218cfa58a027596405e8a0b1e608f06424528ac7c978de90b5c6cb179a2d9e3eb016a85cd20e2d43c142a0af7a4b00f6e57348fe41e154b44a604fbf973d99b09af607f745a2045874f5870b878f1bfccfa1b5219a0cb60ad9bb7dca77628afeee09efe1b394bbbecff907c0e5b23bd8622b38a360cde10bf3bb568ba3e577b78a9e793d9204e5188976028b9873709604f2a1272a978745544efe39db3a4ceecf16dbab756ca4e7419a14e621403010001011603010030193a998b6522faa35707604a4ba153d81f0838c651a0a8f14679c6507654ef48ef301afcfcca06e70df0f907841c7cbd (4) Message-Authenticator = 0x1b895bbbb9e7981ab29d96346a062a54 (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) filter_username filter_username { (4) if (!&User-Name) (4) if (!&User-Name) -> FALSE (4) if (&User-Name =~ / /) (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@.*@/ ) (4) if (&User-Name =~ /@.*@/ ) -> FALSE (4) if (&User-Name =~ /\\.\\./ ) (4) if (&User-Name =~ /\\.\\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\\.$/) (4) if (&User-Name =~ /\\.$/) -> FALSE (4) if (&User-Name =~ /@\\./) (4) if (&User-Name =~ /@\\./) -> FALSE (4) } # filter_username filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix : Checking for suffix after "@" (4) suffix : No '@' in User-Name = "newuser", looking up realm NULL (4) suffix : No such realm "NULL" (4) [suffix] = noop (4) eap : Peer sent code Response (2) ID 4 length 336 (4) eap : Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap : Expiring EAP session with state 0x0e9027300d943e66 (4) eap : Finished EAP session with state 0x0e9027300d943e66 (4) eap : Previous EAP request found for state 0x0e9027300d943e66, released from the list (4) eap : Peer sent method PEAP (25) (4) eap : EAP PEAP (25) (4) eap : Calling eap_peap to process EAP data (4) eap_peap : processing EAP-TLS TLS Length 326 (4) eap_peap : Length Included (4) eap_peap : eaptls_verify returned 11 (4) eap_peap : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange (4) eap_peap : TLS_accept: SSLv3 read client key exchange A (4) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished (4) eap_peap : TLS_accept: SSLv3 read finished A (4) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap : TLS_accept: SSLv3 write change cipher spec A (4) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished (4) eap_peap : TLS_accept: SSLv3 write finished A (4) eap_peap : TLS_accept: SSLv3 flush data SSL: adding session 48fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4 to cache (4) eap_peap : (other): SSL negotiation finished successfully SSL Connection Established (4) eap_peap : eaptls_process returned 13 (4) eap_peap : FR_TLS_HANDLED (4) eap : New EAP session, adding 'State' attribute to reply 0x0e9027300a953e66 (4) [eap] = handled (4) } # authenticate = handled (4) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=186, length=0 (4) EAP-Message = 0x0105004119001403010001011603010030aae4f10e97ee19adae53413d9aa1d8d43c053c8d9e737783e7b55e6ba93fe09df382bb6903423cc0a3e1e7c0d7581e6f (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x0e9027300a953e6603c734ef610afcab Sending Access-Challenge Id 186 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x0105004119001403010001011603010030aae4f10e97ee19adae53413d9aa1d8d43c053c8d9e737783e7b55e6ba93fe09df382bb6903423cc0a3e1e7c0d7581e6f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e9027300a953e6603c734ef610afcab (4) Finished request Waking up in 0.2 seconds. Received Access-Request Id 187 from 192.168.0.2:1812 to 192.168.0.10:1812 length 141 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e9027300a953e6603c734ef610afcab EAP-Message = 0x020500061900 Message-Authenticator = 0xdac0ce591021e82f7d39f28aef2399d2 (5) Received Access-Request packet from host 192.168.0.2 port 1812, id=187, length=141 (5) NAS-IP-Address = 192.168.0.2 (5) NAS-Port = 50024 (5) NAS-Port-Type = Ethernet (5) User-Name = 'newuser' (5) Called-Station-Id = '00-16-9D-D3-40-D8' (5) Calling-Station-Id = '68-B5-99-C8-B0-5E' (5) Service-Type = Framed-User (5) Framed-MTU = 1500 (5) State = 0x0e9027300a953e6603c734ef610afcab (5) EAP-Message = 0x020500061900 (5) Message-Authenticator = 0xdac0ce591021e82f7d39f28aef2399d2 (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) filter_username filter_username { (5) if (!&User-Name) (5) if (!&User-Name) -> FALSE (5) if (&User-Name =~ / /) (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@.*@/ ) (5) if (&User-Name =~ /@.*@/ ) -> FALSE (5) if (&User-Name =~ /\\.\\./ ) (5) if (&User-Name =~ /\\.\\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\\.$/) (5) if (&User-Name =~ /\\.$/) -> FALSE (5) if (&User-Name =~ /@\\./) (5) if (&User-Name =~ /@\\./) -> FALSE (5) } # filter_username filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix : Checking for suffix after "@" (5) suffix : No '@' in User-Name = "newuser", looking up realm NULL (5) suffix : No such realm "NULL" (5) [suffix] = noop (5) eap : Peer sent code Response (2) ID 5 length 6 (5) eap : Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap : Expiring EAP session with state 0x0e9027300a953e66 (5) eap : Finished EAP session with state 0x0e9027300a953e66 (5) eap : Previous EAP request found for state 0x0e9027300a953e66, released from the list (5) eap : Peer sent method PEAP (25) (5) eap : EAP PEAP (25) (5) eap : Calling eap_peap to process EAP data (5) eap_peap : processing EAP-TLS (5) eap_peap : Received TLS ACK (5) eap_peap : Received TLS ACK (5) eap_peap : ACK handshake is finished (5) eap_peap : eaptls_verify returned 3 (5) eap_peap : eaptls_process returned 3 (5) eap_peap : FR_TLS_SUCCESS (5) eap_peap : Session established. Decoding tunneled attributes (5) eap_peap : Peap state TUNNEL ESTABLISHED (5) eap : New EAP session, adding 'State' attribute to reply 0x0e9027300b963e66 (5) [eap] = handled (5) } # authenticate = handled (5) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=187, length=0 (5) EAP-Message = 0x0106002b190017030100201ac493daff282d88bd079004b7a4124bc4a88fcee422591647b8a0784b2254a6 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x0e9027300b963e6603c734ef610afcab Sending Access-Challenge Id 187 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x0106002b190017030100201ac493daff282d88bd079004b7a4124bc4a88fcee422591647b8a0784b2254a6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e9027300b963e6603c734ef610afcab (5) Finished request Waking up in 0.2 seconds. Received Access-Request Id 188 from 192.168.0.2:1812 to 192.168.0.10:1812 length 178 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e9027300b963e6603c734ef610afcab EAP-Message = 0x0206002b19001703010020a4f998f13de99ca28ef10b62394a61c9b1a25d73a60b123f5ad5f64fdd887c6a Message-Authenticator = 0x1794290733e67632bc38f2f4aa840390 (6) Received Access-Request packet from host 192.168.0.2 port 1812, id=188, length=178 (6) NAS-IP-Address = 192.168.0.2 (6) NAS-Port = 50024 (6) NAS-Port-Type = Ethernet (6) User-Name = 'newuser' (6) Called-Station-Id = '00-16-9D-D3-40-D8' (6) Calling-Station-Id = '68-B5-99-C8-B0-5E' (6) Service-Type = Framed-User (6) Framed-MTU = 1500 (6) State = 0x0e9027300b963e6603c734ef610afcab (6) EAP-Message = 0x0206002b19001703010020a4f998f13de99ca28ef10b62394a61c9b1a25d73a60b123f5ad5f64fdd887c6a (6) Message-Authenticator = 0x1794290733e67632bc38f2f4aa840390 (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) filter_username filter_username { (6) if (!&User-Name) (6) if (!&User-Name) -> FALSE (6) if (&User-Name =~ / /) (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@.*@/ ) (6) if (&User-Name =~ /@.*@/ ) -> FALSE (6) if (&User-Name =~ /\\.\\./ ) (6) if (&User-Name =~ /\\.\\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\\.$/) (6) if (&User-Name =~ /\\.$/) -> FALSE (6) if (&User-Name =~ /@\\./) (6) if (&User-Name =~ /@\\./) -> FALSE (6) } # filter_username filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix : Checking for suffix after "@" (6) suffix : No '@' in User-Name = "newuser", looking up realm NULL (6) suffix : No such realm "NULL" (6) [suffix] = noop (6) eap : Peer sent code Response (2) ID 6 length 43 (6) eap : Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap : Expiring EAP session with state 0x0e9027300b963e66 (6) eap : Finished EAP session with state 0x0e9027300b963e66 (6) eap : Previous EAP request found for state 0x0e9027300b963e66, released from the list (6) eap : Peer sent method PEAP (25) (6) eap : EAP PEAP (25) (6) eap : Calling eap_peap to process EAP data (6) eap_peap : processing EAP-TLS (6) eap_peap : eaptls_verify returned 7 (6) eap_peap : Done initial handshake (6) eap_peap : eaptls_process returned 7 (6) eap_peap : FR_TLS_OK (6) eap_peap : Session established. Decoding tunneled attributes (6) eap_peap : Peap state WAITING FOR INNER IDENTITY (6) eap_peap : Identity - newuser (6) eap_peap : Got inner identity 'newuser' (6) eap_peap : Setting default EAP type for tunneled EAP session (6) eap_peap : Got tunneled request EAP-Message = 0x0206000c016e657775736572 server default { (6) eap_peap : Setting User-Name to newuser Sending tunneled request EAP-Message = 0x0206000c016e657775736572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'newuser' NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 Event-Timestamp = 'Jul 3 2015 14:28:13 CEST' server inner-tunnel { (6) server inner-tunnel { (6) Request: EAP-Message = 0x0206000c016e657775736572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'newuser' NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 Event-Timestamp = 'Jul 3 2015 14:28:13 CEST' (6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (6) authorize { (6) [chap] = noop (6) [mschap] = noop (6) suffix : Checking for suffix after "@" (6) suffix : No '@' in User-Name = "newuser", looking up realm NULL (6) suffix : No such realm "NULL" (6) [suffix] = noop (6) update control { (6) Proxy-To-Realm := 'LOCAL' (6) } # update control = noop (6) eap : Peer sent code Response (2) ID 6 length 12 (6) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) authenticate { (6) eap : Peer sent method Identity (1) (6) eap : Calling eap_mschapv2 to process EAP data (6) eap_mschapv2 : Issuing Challenge (6) eap : New EAP session, adding 'State' attribute to reply 0x51469e48514184c8 (6) [eap] = handled (6) } # authenticate = handled (6) Reply: EAP-Message = 0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51469e48514184c89c06397edfb2b9f6 (6) } # server inner-tunnel } # server inner-tunnel (6) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51469e48514184c89c06397edfb2b9f6 (6) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010700211a0107001c10cfe19b93b6199ab73e048317618488706e657775736572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51469e48514184c89c06397edfb2b9f6 (6) eap_peap : Got tunneled Access-Challenge (6) eap : New EAP session, adding 'State' attribute to reply 0x0e90273008973e66 (6) [eap] = handled (6) } # authenticate = handled (6) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=188, length=0 (6) EAP-Message = 0x0107004b190017030100407520c1faa1ff4cfd7a594b2669343aa993d4447045db39c0c1ef6a3af3fa94dd9b822e84eb8895730f1cabf76bc5593ee24398478a98364b6b52fd05dfd32c0a (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x0e90273008973e6603c734ef610afcab Sending Access-Challenge Id 188 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x0107004b190017030100407520c1faa1ff4cfd7a594b2669343aa993d4447045db39c0c1ef6a3af3fa94dd9b822e84eb8895730f1cabf76bc5593ee24398478a98364b6b52fd05dfd32c0a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e90273008973e6603c734ef610afcab (6) Finished request Waking up in 0.2 seconds. Received Access-Request Id 189 from 192.168.0.2:1812 to 192.168.0.10:1812 length 242 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e90273008973e6603c734ef610afcab EAP-Message = 0x0207006b19001703010060daa946c75fc076c70e3dee92725c9fd0e09e9b31f3e9b03e995463f030c9fcacaba7ef76b8890a117b40a4868e689f211491596b2e6acc7481a01ca4d9877415d99f18815dbd2879bca03fa940e258a486def5b5f08936eeade1d0f07ba9abfb Message-Authenticator = 0x0c5af9b3231d04ec974f138a62c938b7 (7) Received Access-Request packet from host 192.168.0.2 port 1812, id=189, length=242 (7) NAS-IP-Address = 192.168.0.2 (7) NAS-Port = 50024 (7) NAS-Port-Type = Ethernet (7) User-Name = 'newuser' (7) Called-Station-Id = '00-16-9D-D3-40-D8' (7) Calling-Station-Id = '68-B5-99-C8-B0-5E' (7) Service-Type = Framed-User (7) Framed-MTU = 1500 (7) State = 0x0e90273008973e6603c734ef610afcab (7) EAP-Message = 0x0207006b19001703010060daa946c75fc076c70e3dee92725c9fd0e09e9b31f3e9b03e995463f030c9fcacaba7ef76b8890a117b40a4868e689f211491596b2e6acc7481a01ca4d9877415d99f18815dbd2879bca03fa940e258a486def5b5f08936eeade1d0f07ba9abfb (7) Message-Authenticator = 0x0c5af9b3231d04ec974f138a62c938b7 (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) filter_username filter_username { (7) if (!&User-Name) (7) if (!&User-Name) -> FALSE (7) if (&User-Name =~ / /) (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@.*@/ ) (7) if (&User-Name =~ /@.*@/ ) -> FALSE (7) if (&User-Name =~ /\\.\\./ ) (7) if (&User-Name =~ /\\.\\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\\.$/) (7) if (&User-Name =~ /\\.$/) -> FALSE (7) if (&User-Name =~ /@\\./) (7) if (&User-Name =~ /@\\./) -> FALSE (7) } # filter_username filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix : Checking for suffix after "@" (7) suffix : No '@' in User-Name = "newuser", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) eap : Peer sent code Response (2) ID 7 length 107 (7) eap : Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/default (7) authenticate { (7) eap : Expiring EAP session with state 0x51469e48514184c8 (7) eap : Finished EAP session with state 0x0e90273008973e66 (7) eap : Previous EAP request found for state 0x0e90273008973e66, released from the list (7) eap : Peer sent method PEAP (25) (7) eap : EAP PEAP (25) (7) eap : Calling eap_peap to process EAP data (7) eap_peap : processing EAP-TLS (7) eap_peap : eaptls_verify returned 7 (7) eap_peap : Done initial handshake (7) eap_peap : eaptls_process returned 7 (7) eap_peap : FR_TLS_OK (7) eap_peap : Session established. Decoding tunneled attributes (7) eap_peap : Peap state phase2 (7) eap_peap : EAP type MSCHAPv2 (26) (7) eap_peap : Got tunneled request EAP-Message = 0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572 server default { (7) eap_peap : Setting User-Name to newuser Sending tunneled request EAP-Message = 0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'newuser' State = 0x51469e48514184c89c06397edfb2b9f6 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 Event-Timestamp = 'Jul 3 2015 14:28:13 CEST' server inner-tunnel { (7) server inner-tunnel { (7) Request: EAP-Message = 0x020700421a0207003d31cb99020a5de6871ad851f7e89c87138000000000000000008e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e006e657775736572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'newuser' State = 0x51469e48514184c89c06397edfb2b9f6 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 Event-Timestamp = 'Jul 3 2015 14:28:13 CEST' (7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (7) authorize { (7) [chap] = noop (7) [mschap] = noop (7) suffix : Checking for suffix after "@" (7) suffix : No '@' in User-Name = "newuser", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) update control { (7) Proxy-To-Realm := 'LOCAL' (7) } # update control = noop (7) eap : Peer sent code Response (2) ID 7 length 66 (7) eap : No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop rlm_ldap (ldap): Reserved connection (4) (7) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (7) ldap : --> (uid=newuser) (7) ldap : EXPAND dc=test,dc=ad,dc=com (7) ldap : --> dc=test,dc=ad,dc=com (7) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter '(uid=newuser)', scope 'sub' (7) ldap : Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (7) ldap : Search returned no results rlm_ldap (ldap): Deleting connection (4) (7) [ldap] = notfound (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) eap : Expiring EAP session with state 0x51469e48514184c8 (7) eap : Finished EAP session with state 0x51469e48514184c8 (7) eap : Previous EAP request found for state 0x51469e48514184c8, released from the list (7) eap : Peer sent method MSCHAPv2 (26) (7) eap : EAP MSCHAPv2 (26) (7) eap : Calling eap_mschapv2 to process EAP data (7) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) eap_mschapv2 : Auth-Type MS-CHAP { (7) mschap : Creating challenge hash with username: newuser (7) mschap : Client is using MS-CHAPv2 Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (7) mschap : EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (7) mschap : --> --username=newuser (7) mschap : Creating challenge hash with username: newuser (7) mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00} (7) mschap : --> --challenge=141c75ef267aec37 (7) mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (7) mschap : --> --nt-response=8e66b16d791423c5ff26fd315d1cd9423b9866fc53939f0e Program returned code (0) and output 'NT_KEY: 917FDA71960ECCF4DF81D38405F86F42' (7) mschap : Adding MS-CHAPv2 MPPE keys (7) [mschap] = ok (7) } # Auth-Type MS-CHAP = ok MSCHAP Success (7) eap : New EAP session, adding 'State' attribute to reply 0x51469e48504e84c8 (7) [eap] = handled (7) } # authenticate = handled (7) Reply: EAP-Message = 0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51469e48504e84c89c06397edfb2b9f6 (7) } # server inner-tunnel } # server inner-tunnel (7) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51469e48504e84c89c06397edfb2b9f6 (7) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010800331a0307002e533d45413244333642323330373038354334373443444233383738423444393141433936393944313533 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51469e48504e84c89c06397edfb2b9f6 (7) eap_peap : Got tunneled Access-Challenge (7) eap : New EAP session, adding 'State' attribute to reply 0x0e90273009983e66 (7) [eap] = handled (7) } # authenticate = handled (7) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=189, length=0 (7) EAP-Message = 0x0108005b19001703010050f5928f4ef2504f8111ab1eb22a3d7055f034eb84663b65bd07291d795cbd5a872c90146b2738a779cf42d7acd17f1425f25e5139936ce90ece8924c0ddf1dd6d66eb94efda5148cf5b8b62fd2f49fd5b (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x0e90273009983e6603c734ef610afcab Sending Access-Challenge Id 189 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x0108005b19001703010050f5928f4ef2504f8111ab1eb22a3d7055f034eb84663b65bd07291d795cbd5a872c90146b2738a779cf42d7acd17f1425f25e5139936ce90ece8924c0ddf1dd6d66eb94efda5148cf5b8b62fd2f49fd5b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e90273009983e6603c734ef610afcab (7) Finished request Waking up in 4.5 seconds. Received Access-Request Id 190 from 192.168.0.2:1812 to 192.168.0.10:1812 length 178 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e90273009983e6603c734ef610afcab EAP-Message = 0x0208002b19001703010020e5cacce91e4a996afb3b077c7b388bcf2f40b18a8eb5be8917a8ae01288fd33d Message-Authenticator = 0x56d20e1c3ccff86847412ce9123ecb99 (8) Received Access-Request packet from host 192.168.0.2 port 1812, id=190, length=178 (8) NAS-IP-Address = 192.168.0.2 (8) NAS-Port = 50024 (8) NAS-Port-Type = Ethernet (8) User-Name = 'newuser' (8) Called-Station-Id = '00-16-9D-D3-40-D8' (8) Calling-Station-Id = '68-B5-99-C8-B0-5E' (8) Service-Type = Framed-User (8) Framed-MTU = 1500 (8) State = 0x0e90273009983e6603c734ef610afcab (8) EAP-Message = 0x0208002b19001703010020e5cacce91e4a996afb3b077c7b388bcf2f40b18a8eb5be8917a8ae01288fd33d (8) Message-Authenticator = 0x56d20e1c3ccff86847412ce9123ecb99 (8) # Executing section authorize from file /etc/raddb/sites-enabled/default (8) authorize { (8) filter_username filter_username { (8) if (!&User-Name) (8) if (!&User-Name) -> FALSE (8) if (&User-Name =~ / /) (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@.*@/ ) (8) if (&User-Name =~ /@.*@/ ) -> FALSE (8) if (&User-Name =~ /\\.\\./ ) (8) if (&User-Name =~ /\\.\\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\\.$/) (8) if (&User-Name =~ /\\.$/) -> FALSE (8) if (&User-Name =~ /@\\./) (8) if (&User-Name =~ /@\\./) -> FALSE (8) } # filter_username filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix : Checking for suffix after "@" (8) suffix : No '@' in User-Name = "newuser", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) eap : Peer sent code Response (2) ID 8 length 43 (8) eap : Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/raddb/sites-enabled/default (8) authenticate { (8) eap : Expiring EAP session with state 0x51469e48504e84c8 (8) eap : Finished EAP session with state 0x0e90273009983e66 (8) eap : Previous EAP request found for state 0x0e90273009983e66, released from the list (8) eap : Peer sent method PEAP (25) (8) eap : EAP PEAP (25) (8) eap : Calling eap_peap to process EAP data (8) eap_peap : processing EAP-TLS (8) eap_peap : eaptls_verify returned 7 (8) eap_peap : Done initial handshake (8) eap_peap : eaptls_process returned 7 (8) eap_peap : FR_TLS_OK (8) eap_peap : Session established. Decoding tunneled attributes (8) eap_peap : Peap state phase2 (8) eap_peap : EAP type MSCHAPv2 (26) (8) eap_peap : Got tunneled request EAP-Message = 0x020800061a03 server default { (8) eap_peap : Setting User-Name to newuser Sending tunneled request EAP-Message = 0x020800061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'newuser' State = 0x51469e48504e84c89c06397edfb2b9f6 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 Event-Timestamp = 'Jul 3 2015 14:28:13 CEST' server inner-tunnel { (8) server inner-tunnel { (8) Request: EAP-Message = 0x020800061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'newuser' State = 0x51469e48504e84c89c06397edfb2b9f6 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 Event-Timestamp = 'Jul 3 2015 14:28:13 CEST' (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) [chap] = noop (8) [mschap] = noop (8) suffix : Checking for suffix after "@" (8) suffix : No '@' in User-Name = "newuser", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) update control { (8) Proxy-To-Realm := 'LOCAL' (8) } # update control = noop (8) eap : Peer sent code Response (2) ID 8 length 6 (8) eap : No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop rlm_ldap (ldap): Reserved connection (3) (8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap : --> (uid=newuser) (8) ldap : EXPAND dc=test,dc=ad,dc=com (8) ldap : --> dc=test,dc=ad,dc=com (8) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter '(uid=newuser)', scope 'sub' (8) ldap : Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (8) ldap : Search returned no results rlm_ldap (ldap): Deleting connection (3) rlm_ldap (ldap): 0 of 3 connections in use. Need more spares rlm_ldap (ldap): Opening additional connection (5) rlm_ldap (ldap): Connecting to 192.168.0.20:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (8) [ldap] = notfound (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = EAP (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap : Expiring EAP session with state 0x51469e48504e84c8 (8) eap : Finished EAP session with state 0x51469e48504e84c8 (8) eap : Previous EAP request found for state 0x51469e48504e84c8, released from the list (8) eap : Peer sent method MSCHAPv2 (26) (8) eap : EAP MSCHAPv2 (26) (8) eap : Calling eap_mschapv2 to process EAP data (8) eap : Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (8) post-auth { (8) ldap : EXPAND . (8) ldap : --> . (8) ldap : EXPAND Authenticated at %S (8) ldap : --> Authenticated at 2015-07-03 14:28:13 rlm_ldap (ldap): Reserved connection (5) (8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap : --> (uid=newuser) (8) ldap : EXPAND dc=test,dc=ad,dc=com (8) ldap : --> dc=test,dc=ad,dc=com (8) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter '(uid=newuser)', scope 'sub' (8) ldap : Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (8) ldap : Search returned no results rlm_ldap (ldap): Deleting connection (5) (8) [ldap] = notfound (8) } # post-auth = notfound (8) Reply: MS-MPPE-Encryption-Policy = Encryption-Required MS-MPPE-Encryption-Types = 4 MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9 MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'newuser' (8) } # server inner-tunnel } # server inner-tunnel (8) eap_peap : Got tunneled reply code 2 MS-MPPE-Encryption-Policy = Encryption-Required MS-MPPE-Encryption-Types = 4 MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9 MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'newuser' (8) eap_peap : Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = Encryption-Required MS-MPPE-Encryption-Types = 4 MS-MPPE-Send-Key = 0xd4fd4ee6a9d0cfb8627e5435bb5e91c9 MS-MPPE-Recv-Key = 0xd541128d165a6af4aba9ded016dce239 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'newuser' (8) eap_peap : Tunneled authentication was successful (8) eap_peap : SUCCESS (8) eap_peap : Saving tunneled attributes for later (8) eap : New EAP session, adding 'State' attribute to reply 0x0e90273006993e66 (8) [eap] = handled (8) } # authenticate = handled (8) Sending Access-Challenge packet to host 192.168.0.2 port 1812, id=190, length=0 (8) EAP-Message = 0x0109002b1900170301002002723a75a206ea487fd592ae1b9d31d8425a2d28fb6a567b530188cd74181696 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x0e90273006993e6603c734ef610afcab Sending Access-Challenge Id 190 from 192.168.0.10:1812 to 192.168.0.2:1812 EAP-Message = 0x0109002b1900170301002002723a75a206ea487fd592ae1b9d31d8425a2d28fb6a567b530188cd74181696 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e90273006993e6603c734ef610afcab (8) Finished request Waking up in 3.8 seconds. Received Access-Request Id 191 from 192.168.0.2:1812 to 192.168.0.10:1812 length 178 NAS-IP-Address = 192.168.0.2 NAS-Port = 50024 NAS-Port-Type = Ethernet User-Name = 'newuser' Called-Station-Id = '00-16-9D-D3-40-D8' Calling-Station-Id = '68-B5-99-C8-B0-5E' Service-Type = Framed-User Framed-MTU = 1500 State = 0x0e90273006993e6603c734ef610afcab EAP-Message = 0x0209002b1900170301002092fda1c14de27079564bd73fade18792dd8f5f80adf9e4822b95949318de7efb Message-Authenticator = 0xef39ceb8bfa36750354be19a6b2ebf17 (9) Received Access-Request packet from host 192.168.0.2 port 1812, id=191, length=178 (9) NAS-IP-Address = 192.168.0.2 (9) NAS-Port = 50024 (9) NAS-Port-Type = Ethernet (9) User-Name = 'newuser' (9) Called-Station-Id = '00-16-9D-D3-40-D8' (9) Calling-Station-Id = '68-B5-99-C8-B0-5E' (9) Service-Type = Framed-User (9) Framed-MTU = 1500 (9) State = 0x0e90273006993e6603c734ef610afcab (9) EAP-Message = 0x0209002b1900170301002092fda1c14de27079564bd73fade18792dd8f5f80adf9e4822b95949318de7efb (9) Message-Authenticator = 0xef39ceb8bfa36750354be19a6b2ebf17 (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) filter_username filter_username { (9) if (!&User-Name) (9) if (!&User-Name) -> FALSE (9) if (&User-Name =~ / /) (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@.*@/ ) (9) if (&User-Name =~ /@.*@/ ) -> FALSE (9) if (&User-Name =~ /\\.\\./ ) (9) if (&User-Name =~ /\\.\\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\\.$/) (9) if (&User-Name =~ /\\.$/) -> FALSE (9) if (&User-Name =~ /@\\./) (9) if (&User-Name =~ /@\\./) -> FALSE (9) } # filter_username filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix : Checking for suffix after "@" (9) suffix : No '@' in User-Name = "newuser", looking up realm NULL (9) suffix : No such realm "NULL" (9) [suffix] = noop (9) eap : Peer sent code Response (2) ID 9 length 43 (9) eap : Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap : Expiring EAP session with state 0x0e90273006993e66 (9) eap : Finished EAP session with state 0x0e90273006993e66 (9) eap : Previous EAP request found for state 0x0e90273006993e66, released from the list (9) eap : Peer sent method PEAP (25) (9) eap : EAP PEAP (25) (9) eap : Calling eap_peap to process EAP data (9) eap_peap : processing EAP-TLS (9) eap_peap : eaptls_verify returned 7 (9) eap_peap : Done initial handshake (9) eap_peap : eaptls_process returned 7 (9) eap_peap : FR_TLS_OK (9) eap_peap : Session established. Decoding tunneled attributes (9) eap_peap : Peap state send tlv success (9) eap_peap : Received EAP-TLV response (9) eap_peap : Success (9) eap_peap : Using saved attributes from the original Access-Accept User-Name = 'newuser' (9) eap_peap : Saving session 48fd8119fa32c7cb48b60449437ed3f1edad01e5ff81191e7be8d62b3e5f17c4 vps 0x7f6012aedf20 in the cache (9) eap : Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /etc/raddb/sites-enabled/default (9) post-auth { (9) ldap : EXPAND . (9) ldap : --> . (9) ldap : EXPAND Authenticated at %S (9) ldap : --> Authenticated at 2015-07-03 14:28:14 rlm_ldap (ldap): Reserved connection (2) (9) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (9) ldap : --> (uid=newuser) (9) ldap : EXPAND dc=test,dc=ad,dc=com (9) ldap : --> dc=test,dc=ad,dc=com (9) ldap : Performing search in 'dc=test,dc=ad,dc=com' with filter '(uid=newuser)', scope 'sub' (9) ldap : Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (9) ldap : Search returned no results rlm_ldap (ldap): Deleting connection (2) (9) [ldap] = notfound (9) if (LDAP-Group == "cn=computers,cn=Users,dc=test,dc=ad,dc=com") (9) Searching for user in group "cn=computers,cn=Users,dc=test,dc=ad,dc=com" rlm_ldap (ldap): Reserved connection (1) (9) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (9) --> (uid=newuser) (9) EXPAND dc=test,dc=ad,dc=com (9) --> dc=test,dc=ad,dc=com (9) Performing search in 'dc=test,dc=ad,dc=com' with filter '(uid=newuser)', scope 'sub' (9) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// ForestDnsZones.test.ad.com/DC=ForestDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// DomainDnsZones.test.ad.com/DC=DomainDnsZones,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldap:// test.ad.com/CN=Configuration,DC=test,DC=ad,DC=com rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (9) Search returned no results rlm_ldap (ldap): Deleting connection (1) (9) if (LDAP-Group == "cn=computers,cn=Users,dc=test,dc=ad,dc=com") -> FALSE (9) [exec] = noop (9) remove_reply_message_if_eap remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else else { (9) [noop] = noop (9) } # else else = noop (9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (9) } # post-auth = noop (9) Sending Access-Accept packet to host 192.168.0.2 port 1812, id=191, length=0 (9) User-Name = 'newuser' (9) MS-MPPE-Recv-Key = 0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda2 (9) MS-MPPE-Send-Key = 0x71f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce (9) EAP-MSK = 0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda271f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce (9) EAP-EMSK = 0x1b54d22a41027762199d0673d2024afb9b75034f4486286e1ce600f42266b87c01bf8b7801e44f136c405e7098f74a39062c8d0fd8199ad362af3aa3fd939603 (9) EAP-Session-Id = 0x19559664033b1b4862038b2d1367a8d5b31031ef49921dca1e46e5720f5b2fa8f355967fdd334b8b93e13aaba983cf708cc59b52a195fa942852b7eb85c9e6b313 (9) EAP-Message = 0x03090004 (9) Message-Authenticator = 0x00000000000000000000000000000000 Sending Access-Accept Id 191 from 192.168.0.10:1812 to 192.168.0.2:1812 User-Name = 'newuser' MS-MPPE-Recv-Key = 0x770d0af8f17ddb90ae45050890e77a2f1284a252cb8a2dea9126d6e3ad90bda2 MS-MPPE-Send-Key = 0x71f8b9b7a8aa1a90922d6043ad069e7e436ef4cce627dbd2c2e6bea252154cce EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 (9) Finished request in ldap config file, part related user and groups looks like below: user { base_dn = "dc=test,dc=ad,dc=com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" } group { base_dn ="dc=test,dc=ad,dc=com" filter = "(objectClass=posixGroup)" name_attribute = cn membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" membership_attribute = "memberOf" } Why freeradius can't match group "computers" to user "newuser"? I would be very glad on any help