Good morning, It is my first time asking a question on the freeradius mailing list, i excuse myself in advance of any error or bad interpretation. I'm using a VPN named strongswan that communicates with a freeradius using the eap-radius plugin. The radius is authenticated agaisn't a samba AD that authentifies clients using ntlm_auth and mschapv2. It is working great. Now, I want for the clients to get the IP address that I assign in the users.conf file. What I did was to create an user named test1.vpn in the LDAP, and use rightsourceip=%radius in the ipsec.conf file on strongswan. I gave him a framed ip address like this : "test1.vpn" Framed-IP-Address == 10.10.10.6 Fall-Through = Yes The thing is, it doesn't work... It works great when, on the ipsec.conf file I put rightsourceip=10.10.10.1. The client gets the right framed-ip-address. But with %radius, I don't see the 10.10.10.6 ip address in the radius log and it makes an error on the strongswan since the client doesn't get a virtual IP address. Here are the output of radiusd -X : (0) Received Access-Request Id 211 from 172.16.10.111:47079 to 172.16.10.111:1812 length 168 (0) User-Name = "test1.vpn" (0) NAS-Port-Type = Virtual (0) Service-Type = Framed-User (0) NAS-Port = 3 (0) NAS-Port-Id = "test1.vpn" (0) NAS-IP-Address = X.X.X.X (0) Called-Station-Id = "X.X.X.X[4500]" (0) Calling-Station-Id = "X.X.X.X[4500]" (0) Acct-Session-Id = "1654086146-3" (0) EAP-Message = 0x0200000e0174657374312e76706e (0) NAS-Identifier = "strongSwan" (0) Message-Authenticator = 0xce4ddedff45a0a9bd69f9b913a963862 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) [files] = noop (0) [preprocess] = ok (0) [mschap] = noop (0) eap: Peer sent EAP Response (code 2) ID 0 length 14 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 1 length 22 (0) eap: EAP session adding &reply:State = 0x6aa216d56aa312bf (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Sent Access-Challenge Id 211 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (0) EAP-Message = 0x010100160410ff5cd34168d97f580fbfdfa92f86b05a (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x6aa216d56aa312bf987ea9fae6cd4048 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 212 from 172.16.10.111:47079 to 172.16.10.111:1812 length 178 (1) User-Name = "test1.vpn" (1) NAS-Port-Type = Virtual (1) Service-Type = Framed-User (1) NAS-Port = 3 (1) NAS-Port-Id = "test1.vpn" (1) NAS-IP-Address = X.X.X.X (1) Called-Station-Id = "X.X.X.X[4500]" (1) Calling-Station-Id = "X.X.X.X[4500]" (1) Acct-Session-Id = "1654086146-3" (1) EAP-Message = 0x020100060319 (1) NAS-Identifier = "strongSwan" (1) State = 0x6aa216d56aa312bf987ea9fae6cd4048 (1) Message-Authenticator = 0x031a4fe55f8ec1ee08d13034d8164e22 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) [files] = noop (1) [preprocess] = ok (1) [mschap] = noop (1) eap: Peer sent EAP Response (code 2) ID 1 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [expiration] = noop (1) [logintime] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x6aa216d56aa312bf (1) eap: Finished EAP session with state 0x6aa216d56aa312bf (1) eap: Previous EAP request found for state 0x6aa216d56aa312bf, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 2 length 6 (1) eap: EAP session adding &reply:State = 0x6aa216d56ba00fbf (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Sent Access-Challenge Id 212 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (1) EAP-Message = 0x010200061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x6aa216d56ba00fbf987ea9fae6cd4048 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 213 from 172.16.10.111:47079 to 172.16.10.111:1812 length 344 (2) User-Name = "test1.vpn" (2) NAS-Port-Type = Virtual (2) Service-Type = Framed-User (2) NAS-Port = 3 (2) NAS-Port-Id = "test1.vpn" (2) NAS-IP-Address = X.X.X.X (2) Called-Station-Id = "X.X.X.X[4500]" (2) Calling-Station-Id = "X.X.X.X[4500]" (2) Acct-Session-Id = "1654086146-3" (2) EAP-Message = 0x020200ac1980000000a2160303009d01000099030362975ce3469633ee61d0332929a35ae076af708048f1d1b8d8055196ee255f0700002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100 (2) NAS-Identifier = "strongSwan" (2) State = 0x6aa216d56ba00fbf987ea9fae6cd4048 (2) Message-Authenticator = 0x1380eb13af2c8eec169fe4a8c0f7947c (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) [files] = noop (2) [preprocess] = ok (2) [mschap] = noop (2) eap: Peer sent EAP Response (code 2) ID 2 length 172 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x6aa216d56ba00fbf (2) eap: Finished EAP session with state 0x6aa216d56ba00fbf (2) eap: Previous EAP request found for state 0x6aa216d56ba00fbf, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 162 bytes (2) eap_peap: Got complete TLS record (162 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: <<< recv TLS 1.3 [length 009d] (2) eap_peap: TLS_accept: SSLv3/TLS read client hello (2) eap_peap: >>> send TLS 1.2 [length 003d] (2) eap_peap: TLS_accept: SSLv3/TLS write server hello (2) eap_peap: >>> send TLS 1.2 [length 0a0e] (2) eap_peap: TLS_accept: SSLv3/TLS write certificate (2) eap_peap: >>> send TLS 1.2 [length 024d] (2) eap_peap: TLS_accept: SSLv3/TLS write key exchange (2) eap_peap: >>> send TLS 1.2 [length 0004] (2) eap_peap: TLS_accept: SSLv3/TLS write server done (2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (2) eap_peap: TLS - In Handshake Phase (2) eap_peap: TLS - got 3248 bytes of data (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 3 length 1004 (2) eap: EAP session adding &reply:State = 0x6aa216d568a10fbf (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Sent Access-Challenge Id 213 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (2) EAP-Message = 0x010303ec19c000000cb0160303003d0200003903039f516795514d2124f963a729d1c1f5046a8ec1dc38e8620e0df6721d0ecd7bb400c030000011ff01000100000b000403000102001700001603030a0e0b000a0a000a0700050930820505308202eda003020102020859501ffb058af674300d06092a864886f70d01010c05003018311630140603550403130d4c696e6b736f2056504e204341301e170d3232303532373134333135355a170d3332303532343134333135355a3018311630140603550403130d3137382e31382e36322e32323030820222300d06092a864886f70d01010105000382020f003082020a0282020100a78d1c2b41f372a12f579b055680a56749aa46f0ec6c0031b424589ca4371f4904485b011adfebb5de0b47cd85a6009f7ed0d2f8b2ed60d624322e67c6ac0d92f8044774570dddfb12512d3f354dce91b84bab8c1281abc72f7776fb0aaf3d30ad0daf0c69a07709007fb40f2aff69de1effcbe748cab7c6a889d7df5e92488e33 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x6aa216d568a10fbf987ea9fae6cd4048 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 214 from 172.16.10.111:47079 to 172.16.10.111:1812 length 178 (3) User-Name = "test1.vpn" (3) NAS-Port-Type = Virtual (3) Service-Type = Framed-User (3) NAS-Port = 3 (3) NAS-Port-Id = "test1.vpn" (3) NAS-IP-Address = X.X.X.X (3) Called-Station-Id = "X.X.X.X[4500]" (3) Calling-Station-Id = "X.X.X.X[4500]" (3) Acct-Session-Id = "1654086146-3" (3) EAP-Message = 0x020300061900 (3) NAS-Identifier = "strongSwan" (3) State = 0x6aa216d568a10fbf987ea9fae6cd4048 (3) Message-Authenticator = 0x8ec75da2a02763705c4be3fab6e7d4bd (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) [files] = noop (3) [preprocess] = ok (3) [mschap] = noop (3) eap: Peer sent EAP Response (code 2) ID 3 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x6aa216d568a10fbf (3) eap: Finished EAP session with state 0x6aa216d568a10fbf (3) eap: Previous EAP request found for state 0x6aa216d568a10fbf, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 4 length 1000 (3) eap: EAP session adding &reply:State = 0x6aa216d569a60fbf (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Sent Access-Challenge Id 214 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (3) EAP-Message = 0x010403e81940bebf80d34d5d2ffadfe99593245c430b0545f71e325611a471ac019a0eb1b4cc51be9e4c4c6d7173cf00d6b53abe40a709dc7013a54897189721d836b31ae0ba84666749f762e02ab0f7b47d56d4ed0985084c55389e67476016143a29513ce10e4f779ba0e79cfedc620ce3b17c114081e2081221b32789bb7a167feb276b90bd6e5ccf3963a97c3da2a7cc5bee2b19fa21a4aa2f4a0abb2699dbe10fdbd42e93a395609bab8aded14fe6829a91017a7553d91e662a960b104d715a882298b2b57a106b608d5cbf18a416f047f92f8d6edc4631a136a88a1316574dfd306656f721427222732b84808fb63b38afe9f956af9969f506dbed0be473b1004960514231c75a8daff60a37ffe26fc85dcfb077c45ef88166b71a0ede035f7c5d79a749f30c64f5ed4e03ed8436e8f08c1d460fc0bd260ec944f99d183119868e804a7f93de415baea77ff7a29672b674e735b9d9170afd483208bec971d40ec0cb8b901f37c69d44d5c4d88bb63f59744c508a (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x6aa216d569a60fbf987ea9fae6cd4048 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 215 from 172.16.10.111:47079 to 172.16.10.111:1812 length 178 (4) User-Name = "test1.vpn" (4) NAS-Port-Type = Virtual (4) Service-Type = Framed-User (4) NAS-Port = 3 (4) NAS-Port-Id = "test1.vpn" (4) NAS-IP-Address = X.X.X.X (4) Called-Station-Id = "X.X.X.X[4500]" (4) Calling-Station-Id = "X.X.X.X[4500]" (4) Acct-Session-Id = "1654086146-3" (4) EAP-Message = 0x020400061900 (4) NAS-Identifier = "strongSwan" (4) State = 0x6aa216d569a60fbf987ea9fae6cd4048 (4) Message-Authenticator = 0xe26fd6d586c478db00a6786eb735c999 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) [files] = noop (4) [preprocess] = ok (4) [mschap] = noop (4) eap: Peer sent EAP Response (code 2) ID 4 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x6aa216d569a60fbf (4) eap: Finished EAP session with state 0x6aa216d569a60fbf (4) eap: Previous EAP request found for state 0x6aa216d569a60fbf, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer ACKed our handshake fragment (4) eap_peap: [eaptls verify] = request (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 5 length 1000 (4) eap: EAP session adding &reply:State = 0x6aa216d56ea70fbf (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/raddb/sites-enabled/default (4) Sent Access-Challenge Id 215 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (4) EAP-Message = 0x010503e819407082cf40cfcee0f3f12cba3aef5822670128cd6f911798eef08198423886ccf7755c826cdcbe3a99ce66a9eae20d46d7161e7b750203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414add6132f6bb457e0c198d140aba7a264e4dc0d8d300d06092a864886f70d01010c05000382020100902e25abac2dddd6ca56f04588ea1f33d011b08f31e625c387b2230a2f9f378387f2929f02a0e839e8ba589f3fa07aa97df211ce02ce75ca2eeff80a09234bc54ce1cb8be75c16b2356d36c1d4ad6bde1b5c8921a1e03d412bfd280c3cabe5b734bd209d9f8182cf64fd4ecf87ab4e677b6c9c70d10f25f6f2772a611a31fcb3e74a800142a211c766841ad6540913ba8c7b39025308a651829d2dfac79d8dac002e21bf72bd73ccf17774b31e0cd3fde6c927cfea62ed17982d4203aa7ab706fc7883dde5321895ae65e63ff503804f12ff80a8075e0f1f9b169d8a1adae22d (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x6aa216d56ea70fbf987ea9fae6cd4048 (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 216 from 172.16.10.111:47079 to 172.16.10.111:1812 length 178 (5) User-Name = "test1.vpn" (5) NAS-Port-Type = Virtual (5) Service-Type = Framed-User (5) NAS-Port = 3 (5) NAS-Port-Id = "test1.vpn" (5) NAS-IP-Address = X.X.X.X (5) Called-Station-Id = "X.X.X.X[4500]" (5) Calling-Station-Id = "X.X.X.X[4500]" (5) Acct-Session-Id = "1654086146-3" (5) EAP-Message = 0x020500061900 (5) NAS-Identifier = "strongSwan" (5) State = 0x6aa216d56ea70fbf987ea9fae6cd4048 (5) Message-Authenticator = 0xeffc14397e2e2698bbe4717d2ad673d3 (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) [files] = noop (5) [preprocess] = ok (5) [mschap] = noop (5) eap: Peer sent EAP Response (code 2) ID 5 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x6aa216d56ea70fbf (5) eap: Finished EAP session with state 0x6aa216d56ea70fbf (5) eap: Previous EAP request found for state 0x6aa216d56ea70fbf, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer ACKed our handshake fragment (5) eap_peap: [eaptls verify] = request (5) eap_peap: [eaptls process] = handled (5) eap: Sending EAP Request (code 1) ID 6 length 272 (5) eap: EAP session adding &reply:State = 0x6aa216d56fa40fbf (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Sent Access-Challenge Id 216 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (5) EAP-Message = 0x010601101900b95388bf01bc568759d1bcedf399ac35756b2d9ec895c9bbf292cf9cda06422caa91d5ca45ab2b398afb223f946eb59b87855cc7785d21da7388857fe19c71cfddf3e529084da9fbaa5256780b893e76c7627c04a7a8cc73ab61b513a14673f7409dcdf0964badc5cc38b57011876d1ad8bd7a15435aefd05db948107f67da21e45679981950d18eafb02569be67a55b948744cf534598eac71778266dc937c43fd0bb64298d3b30f62299eca9de35fe60517131a19d76ea51648aec407756961b287dcb87e5e9a2674bc24af93f9777d57fa2d31759dc351d2821f731bad747e1231da13f909929fb1ed79ddbf9a1352606b860a0180fe6363d117e2bb45eb1f616030300040e000000 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x6aa216d56fa40fbf987ea9fae6cd4048 (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 217 from 172.16.10.111:47079 to 172.16.10.111:1812 length 308 (6) User-Name = "test1.vpn" (6) NAS-Port-Type = Virtual (6) Service-Type = Framed-User (6) NAS-Port = 3 (6) NAS-Port-Id = "test1.vpn" (6) NAS-IP-Address = X.X.X.X (6) Called-Station-Id = "X.X.X.X[4500]" (6) Calling-Station-Id = "X.X.X.X[4500]" (6) Acct-Session-Id = "1654086146-3" (6) EAP-Message = 0x0206008819800000007e160303004610000042410402341187576763b91077af4fe0f7c05ab045f71ae0111bc7115da8543b730178500de82d67b06be13e3090850e22f014616bbe165f8e789c65e9796cde9ba77d14030300010116030300280000000000000000ef71b7cb6cc71ec0faa37e0680343b19996d8a7578f2057c965f450002579e68 (6) NAS-Identifier = "strongSwan" (6) State = 0x6aa216d56fa40fbf987ea9fae6cd4048 (6) Message-Authenticator = 0x7083d87098fb258fbf0258463f6b3dd1 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) [files] = noop (6) [preprocess] = ok (6) [mschap] = noop (6) eap: Peer sent EAP Response (code 2) ID 6 length 136 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x6aa216d56fa40fbf (6) eap: Finished EAP session with state 0x6aa216d56fa40fbf (6) eap: Previous EAP request found for state 0x6aa216d56fa40fbf, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: Peer indicated complete TLS record size will be 126 bytes (6) eap_peap: Got complete TLS record (126 bytes) (6) eap_peap: [eaptls verify] = length included (6) eap_peap: TLS_accept: SSLv3/TLS write server done (6) eap_peap: <<< recv TLS 1.2 [length 0046] (6) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (6) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (6) eap_peap: <<< recv TLS 1.2 [length 0010] (6) eap_peap: TLS_accept: SSLv3/TLS read finished (6) eap_peap: >>> send TLS 1.2 [length 0001] (6) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (6) eap_peap: >>> send TLS 1.2 [length 0010] (6) eap_peap: TLS_accept: SSLv3/TLS write finished (6) eap_peap: (other): SSL negotiation finished successfully (6) eap_peap: TLS - Connection Established (6) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) eap_peap: TLS-Session-Version = "TLS 1.2" (6) eap_peap: TLS - got 51 bytes of data (6) eap_peap: [eaptls process] = handled (6) eap: Sending EAP Request (code 1) ID 7 length 57 (6) eap: EAP session adding &reply:State = 0x6aa216d56ca50fbf (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/raddb/sites-enabled/default (6) session-state: Saving cached attributes (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) TLS-Session-Version = "TLS 1.2" (6) Sent Access-Challenge Id 217 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (6) EAP-Message = 0x0107003919001403030001011603030028af9cbe4ad48a36eff3a6bdf4ef810aa3e994e6a355bb852f5ca35e72b2783ab141de53d1460b8f14 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x6aa216d56ca50fbf987ea9fae6cd4048 (6) Finished request Waking up in 4.9 seconds. (7) Received Access-Request Id 218 from 172.16.10.111:47079 to 172.16.10.111:1812 length 178 (7) User-Name = "test1.vpn" (7) NAS-Port-Type = Virtual (7) Service-Type = Framed-User (7) NAS-Port = 3 (7) NAS-Port-Id = "test1.vpn" (7) NAS-IP-Address = X.X.X.X (7) Called-Station-Id = "X.X.X.X[4500]" (7) Calling-Station-Id = "X.X.X.X[4500]" (7) Acct-Session-Id = "1654086146-3" (7) EAP-Message = 0x020700061900 (7) NAS-Identifier = "strongSwan" (7) State = 0x6aa216d56ca50fbf987ea9fae6cd4048 (7) Message-Authenticator = 0x839536bbc3f30d7434ad9d19cc1c99dd (7) Restoring &session-state (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) [files] = noop (7) [preprocess] = ok (7) [mschap] = noop (7) eap: Peer sent EAP Response (code 2) ID 7 length 6 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x6aa216d56ca50fbf (7) eap: Finished EAP session with state 0x6aa216d56ca50fbf (7) eap: Previous EAP request found for state 0x6aa216d56ca50fbf, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: Peer ACKed our handshake fragment. handshake is finished (7) eap_peap: [eaptls verify] = success (7) eap_peap: [eaptls process] = success (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state TUNNEL ESTABLISHED (7) eap: Sending EAP Request (code 1) ID 8 length 40 (7) eap: EAP session adding &reply:State = 0x6aa216d56daa0fbf (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /etc/raddb/sites-enabled/default (7) session-state: Saving cached attributes (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) TLS-Session-Version = "TLS 1.2" (7) Sent Access-Challenge Id 218 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (7) EAP-Message = 0x010800281900170303001daf9cbe4ad48a36f0f7e90ea4889d1ec61bd088cf1fa3b7c7d6b699dddb (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x6aa216d56daa0fbf987ea9fae6cd4048 (7) Finished request Waking up in 4.9 seconds. (8) Received Access-Request Id 219 from 172.16.10.111:47079 to 172.16.10.111:1812 length 217 (8) User-Name = "test1.vpn" (8) NAS-Port-Type = Virtual (8) Service-Type = Framed-User (8) NAS-Port = 3 (8) NAS-Port-Id = "test1.vpn" (8) NAS-IP-Address = X.X.X.X (8) Called-Station-Id = "X.X.X.X[4500]" (8) Calling-Station-Id = "X.X.X.X[4500]" (8) Acct-Session-Id = "1654086146-3" (8) EAP-Message = 0x0208002d190017030300220000000000000001153f9416a443657a5ff5eae96e278c16f1ea3e471bf3e6745738 (8) NAS-Identifier = "strongSwan" (8) State = 0x6aa216d56daa0fbf987ea9fae6cd4048 (8) Message-Authenticator = 0xa4ddd3745d4a15c98227f8f81b897453 (8) Restoring &session-state (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) # Executing section authorize from file /etc/raddb/sites-enabled/default (8) authorize { (8) [files] = noop (8) [preprocess] = ok (8) [mschap] = noop (8) eap: Peer sent EAP Response (code 2) ID 8 length 45 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x6aa216d56daa0fbf (8) eap: Finished EAP session with state 0x6aa216d56daa0fbf (8) eap: Previous EAP request found for state 0x6aa216d56daa0fbf, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state WAITING FOR INNER IDENTITY (8) eap_peap: Identity - test1.vpn (8) eap_peap: Got inner identity 'test1.vpn' (8) eap_peap: Setting default EAP type for tunneled EAP session (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x0208000e0174657374312e76706e (8) eap_peap: Setting User-Name to test1.vpn (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x0208000e0174657374312e76706e (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "test1.vpn" (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x0208000e0174657374312e76706e (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "test1.vpn" (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [mschap] = noop (8) eap: Peer sent EAP Response (code 2) ID 8 length 14 (8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Peer sent packet with method EAP Identity (1) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap_mschapv2: Issuing Challenge (8) eap: Sending EAP Request (code 1) ID 9 length 43 (8) eap: EAP session adding &reply:State = 0xb5af7c78b5a66689 (8) [eap] = handled (8) } # authenticate = handled (8) } # server inner-tunnel (8) Virtual server sending reply (8) EAP-Message = 0x0109002b1a010900261087f1a89e580f82fb8741755cf9725926667265657261646975732d332e302e3230 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xb5af7c78b5a66689306ef54310c66f70 (8) eap_peap: Got tunneled reply code 11 (8) eap_peap: EAP-Message = 0x0109002b1a010900261087f1a89e580f82fb8741755cf9725926667265657261646975732d332e302e3230 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: State = 0xb5af7c78b5a66689306ef54310c66f70 (8) eap_peap: Got tunneled reply RADIUS code 11 (8) eap_peap: EAP-Message = 0x0109002b1a010900261087f1a89e580f82fb8741755cf9725926667265657261646975732d332e302e3230 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: State = 0xb5af7c78b5a66689306ef54310c66f70 (8) eap_peap: Got tunneled Access-Challenge (8) eap: Sending EAP Request (code 1) ID 9 length 74 (8) eap: EAP session adding &reply:State = 0x6aa216d562ab0fbf (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /etc/raddb/sites-enabled/default (8) session-state: Saving cached attributes (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) TLS-Session-Version = "TLS 1.2" (8) Sent Access-Challenge Id 219 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (8) EAP-Message = 0x0109004a1900170303003faf9cbe4ad48a36f1d629f5421ac4bd1824440e73056b065a53331c3e0a92dc863006c61a4e3c5b2fd79ec0d2a0560e60915e009f9a35362e1cae48cd0ced91 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x6aa216d562ab0fbf987ea9fae6cd4048 (8) Finished request Waking up in 4.9 seconds. (9) Received Access-Request Id 220 from 172.16.10.111:47079 to 172.16.10.111:1812 length 271 (9) User-Name = "test1.vpn" (9) NAS-Port-Type = Virtual (9) Service-Type = Framed-User (9) NAS-Port = 3 (9) NAS-Port-Id = "test1.vpn" (9) NAS-IP-Address = X.X.X.X (9) Called-Station-Id = "X.X.X.X[4500]" (9) Calling-Station-Id = "X.X.X.X[4500]" (9) Acct-Session-Id = "1654086146-3" (9) EAP-Message = 0x02090063190017030300580000000000000002f0c4c37ddbcba1c1e20a93357294aea5ad42b3ee3213a8669f1a63385ed6ca36ac718fa232c6b16b8cb665c475065e3efe5c09616bc2fe15fbef55fbc01bcd59a69df14f9e98a138ad31732fa8a60845 (9) NAS-Identifier = "strongSwan" (9) State = 0x6aa216d562ab0fbf987ea9fae6cd4048 (9) Message-Authenticator = 0x224b063c7046c016feef7eead14ad30e (9) Restoring &session-state (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (9) &session-state:TLS-Session-Version = "TLS 1.2" (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) [files] = noop (9) [preprocess] = ok (9) [mschap] = noop (9) eap: Peer sent EAP Response (code 2) ID 9 length 99 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0xb5af7c78b5a66689 (9) eap: Finished EAP session with state 0x6aa216d562ab0fbf (9) eap: Previous EAP request found for state 0x6aa216d562ab0fbf, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state phase2 (9) eap_peap: EAP method MSCHAPv2 (26) (9) eap_peap: Got tunneled request (9) eap_peap: EAP-Message = 0x020900441a0209003f31048bd0d906cf0bc9dc125a8b6a3a065f00000000000000009b2a6af5d7787c8c36e1b09356339ba3ec6a8acbf2be654b0074657374312e76706e (9) eap_peap: Setting User-Name to test1.vpn (9) eap_peap: Sending tunneled request to inner-tunnel (9) eap_peap: EAP-Message = 0x020900441a0209003f31048bd0d906cf0bc9dc125a8b6a3a065f00000000000000009b2a6af5d7787c8c36e1b09356339ba3ec6a8acbf2be654b0074657374312e76706e (9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (9) eap_peap: User-Name = "test1.vpn" (9) eap_peap: State = 0xb5af7c78b5a66689306ef54310c66f70 (9) Virtual server inner-tunnel received request (9) EAP-Message = 0x020900441a0209003f31048bd0d906cf0bc9dc125a8b6a3a065f00000000000000009b2a6af5d7787c8c36e1b09356339ba3ec6a8acbf2be654b0074657374312e76706e (9) FreeRADIUS-Proxied-To = 127.0.0.1 (9) User-Name = "test1.vpn" (9) State = 0xb5af7c78b5a66689306ef54310c66f70 (9) WARNING: Outer and inner identities are the same. User privacy is compromised. (9) server inner-tunnel { (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [mschap] = noop (9) eap: Peer sent EAP Response (code 2) ID 9 length 68 (9) eap: No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) [files] = noop (9) [expiration] = noop (9) [logintime] = noop Not doing PAP as Auth-Type is already set. (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = eap (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap: Expiring EAP session with state 0xb5af7c78b5a66689 (9) eap: Finished EAP session with state 0xb5af7c78b5a66689 (9) eap: Previous EAP request found for state 0xb5af7c78b5a66689, released from the list (9) eap: Peer sent packet with method EAP MSCHAPv2 (26) (9) eap: Calling submodule eap_mschapv2 to process data (9) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) eap_mschapv2: authenticate { (9) mschap: Creating challenge hash with username: test1.vpn (9) mschap: Client is using MS-CHAPv2 (9) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name} --domain=BRANCHET --challenge=%{mschap:Challenge:-01} --nt-response=%{mschap:NT-Response:-00}: (9) mschap: EXPAND --username=%{mschap:User-Name} (9) mschap: --> --username=test1.vpn (9) mschap: Creating challenge hash with username: test1.vpn (9) mschap: EXPAND --challenge=%{mschap:Challenge:-01} (9) mschap: --> --challenge=578147340978c207 (9) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00} (9) mschap: --> --nt-response=9b2a6af5d7787c8c36e1b09356339ba3ec6a8acbf2be654b lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated added interface ens3 ip=172.16.10.111 bcast=172.16.10.255 netmask=255.255.255.0 added interface ens4 ip=X.X.X.X bcast=X.X.X.X netmask=255.255.255.224 lp_load_ex: refreshing parameters Initialising global parameters rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Processing section "[global]" lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated added interface ens3 ip=172.16.10.111 bcast=172.16.10.255 netmask=255.255.255.0 added interface ens4 ip=X.X.X.X bcast=X.X.X.X netmask=255.255.255.224 lp_load_ex: refreshing parameters Initialising global parameters rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Processing section "[global]" lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated added interface ens3 ip=172.16.10.111 bcast=172.16.10.255 netmask=255.255.255.0 added interface ens4 ip=X.X.X.X bcast=X.X.X.X netmask=255.255.255.224 (9) mschap: Program returned code (0) and output 'NT_KEY: 6F5564CE191F31EAC91AE7DAFA4E36FE' (9) mschap: Adding MS-CHAPv2 MPPE keys (9) eap_mschapv2: [mschap] = ok (9) eap_mschapv2: } # authenticate = ok (9) eap_mschapv2: MSCHAP Success (9) eap: Sending EAP Request (code 1) ID 10 length 51 (9) eap: EAP session adding &reply:State = 0xb5af7c78b4a56689 (9) [eap] = handled (9) } # authenticate = handled (9) } # server inner-tunnel (9) Virtual server sending reply (9) EAP-Message = 0x010a00331a0309002e533d46383132373533393846324338373131353643444443333330463841323639363744364137373436 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0xb5af7c78b4a56689306ef54310c66f70 (9) eap_peap: Got tunneled reply code 11 (9) eap_peap: EAP-Message = 0x010a00331a0309002e533d46383132373533393846324338373131353643444443333330463841323639363744364137373436 (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap: State = 0xb5af7c78b4a56689306ef54310c66f70 (9) eap_peap: Got tunneled reply RADIUS code 11 (9) eap_peap: EAP-Message = 0x010a00331a0309002e533d46383132373533393846324338373131353643444443333330463841323639363744364137373436 (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap: State = 0xb5af7c78b4a56689306ef54310c66f70 (9) eap_peap: Got tunneled Access-Challenge (9) eap: Sending EAP Request (code 1) ID 10 length 82 (9) eap: EAP session adding &reply:State = 0x6aa216d563a80fbf (9) [eap] = handled (9) } # authenticate = handled (9) Using Post-Auth-Type Challenge (9) Post-Auth-Type sub-section not found. Ignoring. (9) # Executing group from file /etc/raddb/sites-enabled/default (9) session-state: Saving cached attributes (9) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (9) TLS-Session-Version = "TLS 1.2" (9) Sent Access-Challenge Id 220 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (9) EAP-Message = 0x010a005219001703030047af9cbe4ad48a36f200cc2406e608e52bf7ca0116a6a6ad1c82837ff257670d9493de1d036022b1d203ec1b0ae8eafe1f394197f42c44488b5c18f803c8044e550e72240fd51805 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0x6aa216d563a80fbf987ea9fae6cd4048 (9) Finished request Waking up in 4.7 seconds. (10) Received Access-Request Id 221 from 172.16.10.111:47079 to 172.16.10.111:1812 length 209 (10) User-Name = "test1.vpn" (10) NAS-Port-Type = Virtual (10) Service-Type = Framed-User (10) NAS-Port = 3 (10) NAS-Port-Id = "test1.vpn" (10) NAS-IP-Address = X.X.X.X (10) Called-Station-Id = "X.X.X.X[4500]" (10) Calling-Station-Id = "X.X.X.X[4500]" (10) Acct-Session-Id = "1654086146-3" (10) EAP-Message = 0x020a00251900170303001a00000000000000036997b7ebc43aa9f223d249567570b31c76a8 (10) NAS-Identifier = "strongSwan" (10) State = 0x6aa216d563a80fbf987ea9fae6cd4048 (10) Message-Authenticator = 0xa363ba931cbea130a76c5684496de326 (10) Restoring &session-state (10) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (10) &session-state:TLS-Session-Version = "TLS 1.2" (10) # Executing section authorize from file /etc/raddb/sites-enabled/default (10) authorize { (10) [files] = noop (10) [preprocess] = ok (10) [mschap] = noop (10) eap: Peer sent EAP Response (code 2) ID 10 length 37 (10) eap: Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = eap (10) # Executing group from file /etc/raddb/sites-enabled/default (10) authenticate { (10) eap: Expiring EAP session with state 0xb5af7c78b4a56689 (10) eap: Finished EAP session with state 0x6aa216d563a80fbf (10) eap: Previous EAP request found for state 0x6aa216d563a80fbf, released from the list (10) eap: Peer sent packet with method EAP PEAP (25) (10) eap: Calling submodule eap_peap to process data (10) eap_peap: Continuing EAP-TLS (10) eap_peap: [eaptls verify] = ok (10) eap_peap: Done initial handshake (10) eap_peap: [eaptls process] = ok (10) eap_peap: Session established. Decoding tunneled attributes (10) eap_peap: PEAP state phase2 (10) eap_peap: EAP method MSCHAPv2 (26) (10) eap_peap: Got tunneled request (10) eap_peap: EAP-Message = 0x020a00061a03 (10) eap_peap: Setting User-Name to test1.vpn (10) eap_peap: Sending tunneled request to inner-tunnel (10) eap_peap: EAP-Message = 0x020a00061a03 (10) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (10) eap_peap: User-Name = "test1.vpn" (10) eap_peap: State = 0xb5af7c78b4a56689306ef54310c66f70 (10) Virtual server inner-tunnel received request (10) EAP-Message = 0x020a00061a03 (10) FreeRADIUS-Proxied-To = 127.0.0.1 (10) User-Name = "test1.vpn" (10) State = 0xb5af7c78b4a56689306ef54310c66f70 (10) WARNING: Outer and inner identities are the same. User privacy is compromised. (10) server inner-tunnel { (10) session-state: No cached attributes (10) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (10) authorize { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = notfound (10) } # policy filter_username = notfound (10) [mschap] = noop (10) eap: Peer sent EAP Response (code 2) ID 10 length 6 (10) eap: No EAP Start, assuming it's an on-going EAP conversation (10) [eap] = updated (10) [files] = noop (10) [expiration] = noop (10) [logintime] = noop Not doing PAP as Auth-Type is already set. (10) [pap] = noop (10) } # authorize = updated (10) Found Auth-Type = eap (10) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (10) authenticate { (10) eap: Expiring EAP session with state 0xb5af7c78b4a56689 (10) eap: Finished EAP session with state 0xb5af7c78b4a56689 (10) eap: Previous EAP request found for state 0xb5af7c78b4a56689, released from the list (10) eap: Peer sent packet with method EAP MSCHAPv2 (26) (10) eap: Calling submodule eap_mschapv2 to process data (10) eap: Sending EAP Success (code 3) ID 10 length 4 (10) eap: Freeing handler (10) [eap] = ok (10) } # authenticate = ok (10) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (10) } # server inner-tunnel (10) Virtual server sending reply (10) MS-MPPE-Encryption-Policy = Encryption-Allowed (10) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (10) MS-MPPE-Send-Key = 0x38f00ae461f810993896a387f0103cae (10) MS-MPPE-Recv-Key = 0xb9343e513345bafd0f237fec4de02f9d (10) EAP-Message = 0x030a0004 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) User-Name = "test1.vpn" (10) eap_peap: Got tunneled reply code 2 (10) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (10) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (10) eap_peap: MS-MPPE-Send-Key = 0x38f00ae461f810993896a387f0103cae (10) eap_peap: MS-MPPE-Recv-Key = 0xb9343e513345bafd0f237fec4de02f9d (10) eap_peap: EAP-Message = 0x030a0004 (10) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (10) eap_peap: User-Name = "test1.vpn" (10) eap_peap: Got tunneled reply RADIUS code 2 (10) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (10) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (10) eap_peap: MS-MPPE-Send-Key = 0x38f00ae461f810993896a387f0103cae (10) eap_peap: MS-MPPE-Recv-Key = 0xb9343e513345bafd0f237fec4de02f9d (10) eap_peap: EAP-Message = 0x030a0004 (10) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (10) eap_peap: User-Name = "test1.vpn" (10) eap_peap: Tunneled authentication was successful (10) eap_peap: SUCCESS (10) eap: Sending EAP Request (code 1) ID 11 length 46 (10) eap: EAP session adding &reply:State = 0x6aa216d560a90fbf (10) [eap] = handled (10) } # authenticate = handled (10) Using Post-Auth-Type Challenge (10) Post-Auth-Type sub-section not found. Ignoring. (10) # Executing group from file /etc/raddb/sites-enabled/default (10) session-state: Saving cached attributes (10) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (10) TLS-Session-Version = "TLS 1.2" (10) Sent Access-Challenge Id 221 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (10) EAP-Message = 0x010b002e19001703030023af9cbe4ad48a36f35cb384eb93f8c567b161c1bd7d269ba5882c40b425d5243b03aaad (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) State = 0x6aa216d560a90fbf987ea9fae6cd4048 (10) Finished request Waking up in 4.7 seconds. (11) Received Access-Request Id 222 from 172.16.10.111:47079 to 172.16.10.111:1812 length 218 (11) User-Name = "test1.vpn" (11) NAS-Port-Type = Virtual (11) Service-Type = Framed-User (11) NAS-Port = 3 (11) NAS-Port-Id = "test1.vpn" (11) NAS-IP-Address =X.X.X.X (11) Called-Station-Id = "X.X.X.X[4500]" (11) Calling-Station-Id = "X.X.X.X[4500]" (11) Acct-Session-Id = "1654086146-3" (11) EAP-Message = 0x020b002e190017030300230000000000000004c7753a144d7875cf1f9f774ec59202fa053603eb1b3e706bb2e274 (11) NAS-Identifier = "strongSwan" (11) State = 0x6aa216d560a90fbf987ea9fae6cd4048 (11) Message-Authenticator = 0x167bcc052f0017f11a83525b00cf4925 (11) Restoring &session-state (11) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (11) &session-state:TLS-Session-Version = "TLS 1.2" (11) # Executing section authorize from file /etc/raddb/sites-enabled/default (11) authorize { (11) [files] = noop (11) [preprocess] = ok (11) [mschap] = noop (11) eap: Peer sent EAP Response (code 2) ID 11 length 46 (11) eap: Continuing tunnel setup (11) [eap] = ok (11) } # authorize = ok (11) Found Auth-Type = eap (11) # Executing group from file /etc/raddb/sites-enabled/default (11) authenticate { (11) eap: Expiring EAP session with state 0x6aa216d560a90fbf (11) eap: Finished EAP session with state 0x6aa216d560a90fbf (11) eap: Previous EAP request found for state 0x6aa216d560a90fbf, released from the list (11) eap: Peer sent packet with method EAP PEAP (25) (11) eap: Calling submodule eap_peap to process data (11) eap_peap: Continuing EAP-TLS (11) eap_peap: [eaptls verify] = ok (11) eap_peap: Done initial handshake (11) eap_peap: [eaptls process] = ok (11) eap_peap: Session established. Decoding tunneled attributes (11) eap_peap: PEAP state send tlv success (11) eap_peap: Received EAP-TLV response (11) eap_peap: Success (11) eap: Sending EAP Success (code 3) ID 11 length 4 (11) eap: Freeing handler (11) [eap] = ok (11) } # authenticate = ok (11) # Executing section post-auth from file /etc/raddb/sites-enabled/default (11) post-auth { (11) policy remove_reply_message_if_eap { (11) if (&reply:EAP-Message && &reply:Reply-Message) { (11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (11) else { (11) [noop] = noop (11) } # else = noop (11) } # policy remove_reply_message_if_eap = noop (11) } # post-auth = noop (11) Sent Access-Accept Id 222 from 172.16.10.111:1812 to 172.16.10.111:47079 length 0 (11) MS-MPPE-Recv-Key = 0xfbbfa1eb5d9e5f987d2f628b5ff6b79a3640ff3a061dd1feaf86725d22d772f4 (11) MS-MPPE-Send-Key = 0x8417c69e87eaf761ea94f5348adb9f0d5101b513fe918c81a5953b73997c04a6 (11) EAP-Message = 0x030b0004 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) User-Name = "test1.vpn" (11) Finished request Waking up in 4.7 seconds. (12) Received Accounting-Request Id 223 from 172.16.10.111:42384 to 172.16.10.111:1813 length 140 (12) Acct-Status-Type = Start (12) Acct-Session-Id = "1654086146-3" (12) NAS-Port-Type = Virtual (12) Service-Type = Framed-User (12) NAS-Port = 3 (12) NAS-Port-Id = "test1.vpn" (12) NAS-IP-Address =X.X.X.X (12) Called-Station-Id = "X.X.X.X[4500]" (12) Calling-Station-Id = "X.X.X.X[4500]" (12) User-Name = "test1.vpn" (12) NAS-Identifier = "strongSwan" (12) # Executing section preacct from file /etc/raddb/sites-enabled/default (12) preacct { (12) [files] = noop (12) [preprocess] = ok (12) policy acct_unique { (12) update request { (12) &Tmp-String-9 := "ai:" (12) } # update request = noop (12) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (12) EXPAND %{hex:&Class} (12) --> (12) EXPAND ^%{hex:&Tmp-String-9} (12) --> ^61693a (12) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (12) else { (12) update request { (12) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (12) --> a6b8d5646c70fd58db892395d8013f10 (12) &Acct-Unique-Session-Id := a6b8d5646c70fd58db892395d8013f10 (12) } # update request = noop (12) } # else = noop (12) } # policy acct_unique = noop (12) } # preacct = ok (12) # Executing section accounting from file /etc/raddb/sites-enabled/default (12) accounting { (12) attr_filter.accounting_response: EXPAND %{User-Name} (12) attr_filter.accounting_response: --> test1.vpn (12) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (12) [attr_filter.accounting_response] = updated (12) } # accounting = updated (12) Sent Accounting-Response Id 223 from 172.16.10.111:1813 to 172.16.10.111:42384 length 0 (12) Finished request (12) Cleaning up request packet ID 223 with timestamp +6 Waking up in 4.7 seconds. (13) Received Accounting-Request Id 224 from 172.16.10.111:42384 to 172.16.10.111:1813 length 176 (13) Acct-Status-Type = Stop (13) Acct-Session-Id = "1654086146-3" (13) NAS-Port-Type = Virtual (13) Service-Type = Framed-User (13) NAS-Port = 3 (13) NAS-Port-Id = "test1.vpn" (13) NAS-IP-Address =X.X.X.X (13) Called-Station-Id = "X.X.X.X[4500]" (13) Calling-Station-Id = "X.X.X.X[4500]" (13) User-Name = "test1.vpn" (13) Acct-Output-Octets = 0 (13) Acct-Output-Packets = 0 (13) Acct-Input-Octets = 0 (13) Acct-Input-Packets = 0 (13) Acct-Session-Time = 0 (13) Acct-Terminate-Cause = User-Request (13) NAS-Identifier = "strongSwan" (13) # Executing section preacct from file /etc/raddb/sites-enabled/default (13) preacct { (13) [files] = noop (13) [preprocess] = ok (13) policy acct_unique { (13) update request { (13) &Tmp-String-9 := "ai:" (13) } # update request = noop (13) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (13) EXPAND %{hex:&Class} (13) --> (13) EXPAND ^%{hex:&Tmp-String-9} (13) --> ^61693a (13) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (13) else { (13) update request { (13) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (13) --> a6b8d5646c70fd58db892395d8013f10 (13) &Acct-Unique-Session-Id := a6b8d5646c70fd58db892395d8013f10 (13) } # update request = noop (13) } # else = noop (13) } # policy acct_unique = noop (13) } # preacct = ok (13) # Executing section accounting from file /etc/raddb/sites-enabled/default (13) accounting { (13) attr_filter.accounting_response: EXPAND %{User-Name} (13) attr_filter.accounting_response: --> test1.vpn (13) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (13) [attr_filter.accounting_response] = updated (13) } # accounting = updated (13) Sent Accounting-Response Id 224 from 172.16.10.111:1813 to 172.16.10.111:42384 length 0 (13) Finished request (13) Cleaning up request packet ID 224 with timestamp +6 Waking up in 4.7 seconds. (0) Cleaning up request packet ID 211 with timestamp +5 (1) Cleaning up request packet ID 212 with timestamp +5 (2) Cleaning up request packet ID 213 with timestamp +5 (3) Cleaning up request packet ID 214 with timestamp +5 (4) Cleaning up request packet ID 215 with timestamp +5 (5) Cleaning up request packet ID 216 with timestamp +5 (6) Cleaning up request packet ID 217 with timestamp +5 (7) Cleaning up request packet ID 218 with timestamp +5 (8) Cleaning up request packet ID 219 with timestamp +5 Waking up in 0.1 seconds. (9) Cleaning up request packet ID 220 with timestamp +5 (10) Cleaning up request packet ID 221 with timestamp +6 (11) Cleaning up request packet ID 222 with timestamp +6 Ready to process requests I replaced the public IP address with X.X.X.X. Thanks in advance for any tips, or leads. Have a wonderful day.