Hi, I have Windows 10 correctly connecting to my WAP with a domain login, but if I then disconnect the WiFi then reconnect manually it never logs in. I've fixed the CN, SubjectAltName and certificate constraints at it was throwing a warning or error which has now gone. Below is the debug log. Sections (0) to (9) are the successful log in. I then manually disconnected and reconnected which are sections (10) onwards. I've cut the log at (30) but it keeps going. FreeRADIUS Version 3.0.13 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clearos-proxy.conf including configuration file /etc/raddb/clearos-clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/dhcp including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/ldap including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/date including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/chap including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/debug including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/cui including configuration file /etc/raddb/policy.d/operator-name including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/accounting including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/default main { security { user = "radiusd" group = "radiusd" allow_core_dumps = no } name = "radiusd" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } realm CLEARSYSTEM { } radiusd: #### Loading Clients #### client 10.0.2.15 { require_message_authenticator = no secret = <<< secret >>> shortname = "eapol_test1" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.0.2.15. Please fix your configuration Support for old-style clients will be removed in a future release client 172.17.2.5 { require_message_authenticator = no secret = <<< secret >>> shortname = "eapol_test2" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 172.17.2.5. Please fix your configuration Support for old-style clients will be removed in a future release client 172.22.22.2 { require_message_authenticator = no secret = <<< secret >>> shortname = "Draytek" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 172.22.22.2. Please fix your configuration Support for old-style clients will be removed in a future release client 172.22.22.3 { require_message_authenticator = no secret = <<< secret >>> shortname = "eapol_test" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 172.22.22.3. Please fix your configuration Support for old-style clients will be removed in a future release client 172.22.22.254 { require_message_authenticator = no secret = <<< secret >>> shortname = "Tomato" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 172.22.22.254. Please fix your configuration Support for old-style clients will be removed in a future release Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = digest radiusd: #### Instantiating modules #### modules { # Loaded module rlm_linelog # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_expr # Loading module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüà âæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÃÔŒÙÛÜŸ" } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_detail # Loading module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration # Loaded module rlm_dhcp # Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp # Loaded module rlm_exec # Loading module "echo" from file /etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_pap # Loading module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_unpack # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack # Loaded module rlm_eap # Loading module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_always # Loading module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loading module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_files # Loading module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8 # Loaded module rlm_ldap # Loading module "ldap" from file /etc/raddb/mods-enabled/ldap ldap { server = "localhost" identity = "cn=manager,ou=Internal,dc=system,dc=lan" password = <<< secret >>> sasl { } user { scope = "sub" access_positive = yes sasl { } } group { filter = "(objectClass=posixGroup)" scope = "sub" name_attribute = "cn" membership_attribute = "memberOf" cacheable_name = no cacheable_dn = no } client { filter = "(objectClass=frClient)" scope = "sub" base_dn = "dc=system,dc=lan" } profile { } options { ldap_debug = 40 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 3 } tls { start_tls = no } } Creating attribute LDAP-Group # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate # Loaded module rlm_digest # Loading module "digest" from file /etc/raddb/mods-enabled/digest # Loaded module rlm_soh # Loading module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_date # Loading module "date" from file /etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_unix # Loading module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_chap # Loading module "chap" from file /etc/raddb/mods-enabled/chap instantiate { } # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap rlm_mschap (mschap): authenticating by calling 'ntlm_auth' # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" ca_file = "/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "reject" from file /etc/raddb/mods-enabled/always # Instantiating module "fail" from file /etc/raddb/mods-enabled/always # Instantiating module "ok" from file /etc/raddb/mods-enabled/always # Instantiating module "handled" from file /etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always # Instantiating module "noop" from file /etc/raddb/mods-enabled/always # Instantiating module "updated" from file /etc/raddb/mods-enabled/always # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "files" from file /etc/raddb/mods-enabled/files reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/clearos-users reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap rlm_ldap: libldap vendor: OpenLDAP, version: 20444 accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } rlm_ldap (ldap): Initialising connection pool pool { start = 5 min = 4 max = 32 spare = 3 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:331 } # server inner-tunnel server default { # from file /etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on proxy address * port 57252 Listening on proxy address :: port 47451 Ready to process requests (0) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 147 (0) User-Name = "CLEARSYSTEM\\test1" (0) NAS-IP-Address = 172.22.22.254 (0) Called-Station-Id = "001601dfe596" (0) Calling-Station-Id = "74da38d41a8b" (0) NAS-Identifier = "001601dfe596" (0) NAS-Port = 5 (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) EAP-Message = 0x0200001601434c45415253595354454d5c7465737431 (0) Message-Authenticator = 0x1d84b5eda6657fc2b0664d6a26fab7c9 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) ntdomain: Checking for prefix before "\" (0) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (0) ntdomain: Found realm "CLEARSYSTEM" (0) ntdomain: Adding Stripped-User-Name = "test1" (0) ntdomain: Adding Realm = "CLEARSYSTEM" (0) ntdomain: Authentication realm is LOCAL (0) [ntdomain] = ok (0) eap: Peer sent EAP Response (code 2) ID 0 length 22 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 1 length 6 (0) eap: EAP session adding &reply:State = 0x6d805dd76d814438 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (0) EAP-Message = 0x010100061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x6d805dd76d814438dc40c2ae6afa62ac (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +13 (1) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 309 (1) User-Name = "CLEARSYSTEM\\test1" (1) NAS-IP-Address = 172.22.22.254 (1) Called-Station-Id = "001601dfe596" (1) Calling-Station-Id = "74da38d41a8b" (1) NAS-Identifier = "001601dfe596" (1) NAS-Port = 5 (1) Framed-MTU = 1400 (1) State = 0x6d805dd76d814438dc40c2ae6afa62ac (1) NAS-Port-Type = Wireless-802.11 (1) EAP-Message = 0x020100a619800000009c16030300970100009303035af2cd197aa9b2ed29f9de90733a7f3238b0584cd2319b55c1e84641e62ee34f00002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d (1) Message-Authenticator = 0x7fb87a121953bf0a44ec6a8e8af28586 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) ntdomain: Checking for prefix before "\" (1) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (1) ntdomain: Found realm "CLEARSYSTEM" (1) ntdomain: Adding Stripped-User-Name = "test1" (1) ntdomain: Adding Realm = "CLEARSYSTEM" (1) ntdomain: Authentication realm is LOCAL (1) [ntdomain] = ok (1) eap: Peer sent EAP Response (code 2) ID 1 length 166 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x6d805dd76d814438 (1) eap: Finished EAP session with state 0x6d805dd76d814438 (1) eap: Previous EAP request found for state 0x6d805dd76d814438, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 156 bytes (1) eap_peap: Got complete TLS record (156 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before/accept initialization (1) eap_peap: TLS_accept: before/accept initialization (1) eap_peap: <<< recv TLS 1.2 [length 0097] (1) eap_peap: TLS_accept: SSLv3 read client hello A (1) eap_peap: >>> send TLS 1.2 [length 0039] (1) eap_peap: TLS_accept: SSLv3 write server hello A (1) eap_peap: >>> send TLS 1.2 [length 08bd] (1) eap_peap: TLS_accept: SSLv3 write certificate A (1) eap_peap: >>> send TLS 1.2 [length 014d] (1) eap_peap: TLS_accept: SSLv3 write key exchange A (1) eap_peap: >>> send TLS 1.2 [length 0004] (1) eap_peap: TLS_accept: SSLv3 write server done A (1) eap_peap: TLS_accept: SSLv3 flush data (1) eap_peap: TLS_accept: SSLv3 read client certificate A (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (1) eap_peap: In SSL Handshake Phase (1) eap_peap: In SSL Accept mode (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 2 length 1004 (1) eap: EAP session adding &reply:State = 0x6d805dd76c824438 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (1) EAP-Message = 0x010203ec19c000000a5b160303003902000035030316a54dc3118ee9fa4b5f98e46a2b32d5ddecf2a97c4f67ea076f396d6ac2104e00c03000000dff01000100000b00040300010216030308bd0b0008b90008b60003fb308203f7308202dfa003020102020101300d06092a864886f70d01010b050030 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x6d805dd76c824438dc40c2ae6afa62ac (1) Finished request Waking up in 4.9 seconds. (1) Cleaning up request packet ID 0 with timestamp +13 (2) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 149 (2) User-Name = "CLEARSYSTEM\\test1" (2) NAS-IP-Address = 172.22.22.254 (2) Called-Station-Id = "001601dfe596" (2) Calling-Station-Id = "74da38d41a8b" (2) NAS-Identifier = "001601dfe596" (2) NAS-Port = 5 (2) Framed-MTU = 1400 (2) State = 0x6d805dd76c824438dc40c2ae6afa62ac (2) NAS-Port-Type = Wireless-802.11 (2) EAP-Message = 0x020200061900 (2) Message-Authenticator = 0x8c79c6a2fb19c89ac4017cfaee83ebeb (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) ntdomain: Checking for prefix before "\" (2) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (2) ntdomain: Found realm "CLEARSYSTEM" (2) ntdomain: Adding Stripped-User-Name = "test1" (2) ntdomain: Adding Realm = "CLEARSYSTEM" (2) ntdomain: Authentication realm is LOCAL (2) [ntdomain] = ok (2) eap: Peer sent EAP Response (code 2) ID 2 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x6d805dd76c824438 (2) eap: Finished EAP session with state 0x6d805dd76c824438 (2) eap: Previous EAP request found for state 0x6d805dd76c824438, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer ACKed our handshake fragment (2) eap_peap: [eaptls verify] = request (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 3 length 1000 (2) eap: EAP session adding &reply:State = 0x6d805dd76f834438 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (2) EAP-Message = 0x010303e819408444f5b804aa2d65ef2b23820bb1bf1bfcb24df6bd03eabe61d7bb630cfd9fd6165d19f24d23925593c04c7ec13d5afe51369fe487605e2de3073d043a15e72448712bca946e329e81ff36cebcdfe8be08dc6490da38ed9147e7eac88af7f25487bee0ef80700004b5308204b130820399 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x6d805dd76f834438dc40c2ae6afa62ac (2) Finished request Waking up in 4.9 seconds. (2) Cleaning up request packet ID 0 with timestamp +13 (3) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 149 (3) User-Name = "CLEARSYSTEM\\test1" (3) NAS-IP-Address = 172.22.22.254 (3) Called-Station-Id = "001601dfe596" (3) Calling-Station-Id = "74da38d41a8b" (3) NAS-Identifier = "001601dfe596" (3) NAS-Port = 5 (3) Framed-MTU = 1400 (3) State = 0x6d805dd76f834438dc40c2ae6afa62ac (3) NAS-Port-Type = Wireless-802.11 (3) EAP-Message = 0x020300061900 (3) Message-Authenticator = 0x35a39e6139230d22912378e6c8a35696 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) ntdomain: Checking for prefix before "\" (3) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (3) ntdomain: Found realm "CLEARSYSTEM" (3) ntdomain: Adding Stripped-User-Name = "test1" (3) ntdomain: Adding Realm = "CLEARSYSTEM" (3) ntdomain: Authentication realm is LOCAL (3) [ntdomain] = ok (3) eap: Peer sent EAP Response (code 2) ID 3 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x6d805dd76f834438 (3) eap: Finished EAP session with state 0x6d805dd76f834438 (3) eap: Previous EAP request found for state 0x6d805dd76f834438, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 4 length 669 (3) eap: EAP session adding &reply:State = 0x6d805dd76e844438 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (3) EAP-Message = 0x0104029d1900278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101000132a42023b4da19cd0464809979cba06e09409f4cbae9db226b41b48d0c97de8fa6092c00476cb9f16399e310996fb68c40e69b10 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x6d805dd76e844438dc40c2ae6afa62ac (3) Finished request Waking up in 4.9 seconds. (3) Cleaning up request packet ID 0 with timestamp +13 (4) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 279 (4) User-Name = "CLEARSYSTEM\\test1" (4) NAS-IP-Address = 172.22.22.254 (4) Called-Station-Id = "001601dfe596" (4) Calling-Station-Id = "74da38d41a8b" (4) NAS-Identifier = "001601dfe596" (4) NAS-Port = 5 (4) Framed-MTU = 1400 (4) State = 0x6d805dd76e844438dc40c2ae6afa62ac (4) NAS-Port-Type = Wireless-802.11 (4) EAP-Message = 0x0204008819800000007e1603030046100000424104f977f1abd9c3d74a88eac2ee83ee009474c95ec8e0d265416e7b88ea8c1109e7dc7c9d422d8eb0044f2dc31855ba3ddfd3bd4223dd12685b4b6388c6e83be67c14030300010116030300280000000000000000c9cdd6db357f227df3eaa98933ecdb (4) Message-Authenticator = 0xefd856add429620c23bf7cba64530c9e (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) ntdomain: Checking for prefix before "\" (4) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (4) ntdomain: Found realm "CLEARSYSTEM" (4) ntdomain: Adding Stripped-User-Name = "test1" (4) ntdomain: Adding Realm = "CLEARSYSTEM" (4) ntdomain: Authentication realm is LOCAL (4) [ntdomain] = ok (4) eap: Peer sent EAP Response (code 2) ID 4 length 136 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x6d805dd76e844438 (4) eap: Finished EAP session with state 0x6d805dd76e844438 (4) eap: Previous EAP request found for state 0x6d805dd76e844438, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 126 bytes (4) eap_peap: Got complete TLS record (126 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: <<< recv TLS 1.2 [length 0046] (4) eap_peap: TLS_accept: SSLv3 read client key exchange A (4) eap_peap: TLS_accept: SSLv3 read certificate verify A (4) eap_peap: <<< recv TLS 1.2 [length 0001] (4) eap_peap: <<< recv TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: SSLv3 read finished A (4) eap_peap: >>> send TLS 1.2 [length 0001] (4) eap_peap: TLS_accept: SSLv3 write change cipher spec A (4) eap_peap: >>> send TLS 1.2 [length 0010] (4) eap_peap: TLS_accept: SSLv3 write finished A (4) eap_peap: TLS_accept: SSLv3 flush data (4) eap_peap: (other): SSL negotiation finished successfully (4) eap_peap: SSL Connection Established (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 5 length 57 (4) eap: EAP session adding &reply:State = 0x6d805dd769854438 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/raddb/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (4) EAP-Message = 0x0105003919001403030001011603030028dc5fcf74a4d4eceeb580ed30367b623e9b143f2e07946b341b187a4b5ffedaff73403f3ee546b992 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x6d805dd769854438dc40c2ae6afa62ac (4) Finished request Waking up in 4.9 seconds. (4) Cleaning up request packet ID 0 with timestamp +13 (5) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 149 (5) User-Name = "CLEARSYSTEM\\test1" (5) NAS-IP-Address = 172.22.22.254 (5) Called-Station-Id = "001601dfe596" (5) Calling-Station-Id = "74da38d41a8b" (5) NAS-Identifier = "001601dfe596" (5) NAS-Port = 5 (5) Framed-MTU = 1400 (5) State = 0x6d805dd769854438dc40c2ae6afa62ac (5) NAS-Port-Type = Wireless-802.11 (5) EAP-Message = 0x020500061900 (5) Message-Authenticator = 0x44670280e3acbc66b6f39801f08a9398 (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) ntdomain: Checking for prefix before "\" (5) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (5) ntdomain: Found realm "CLEARSYSTEM" (5) ntdomain: Adding Stripped-User-Name = "test1" (5) ntdomain: Adding Realm = "CLEARSYSTEM" (5) ntdomain: Authentication realm is LOCAL (5) [ntdomain] = ok (5) eap: Peer sent EAP Response (code 2) ID 5 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x6d805dd769854438 (5) eap: Finished EAP session with state 0x6d805dd769854438 (5) eap: Previous EAP request found for state 0x6d805dd769854438, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer ACKed our handshake fragment. handshake is finished (5) eap_peap: [eaptls verify] = success (5) eap_peap: [eaptls process] = success (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state TUNNEL ESTABLISHED (5) eap: Sending EAP Request (code 1) ID 6 length 40 (5) eap: EAP session adding &reply:State = 0x6d805dd768864438 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (5) EAP-Message = 0x010600281900170303001ddc5fcf74a4d4eceff440279910950fcf0da56053dafc7b1a9acc0e9818 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x6d805dd768864438dc40c2ae6afa62ac (5) Finished request Waking up in 4.9 seconds. (5) Cleaning up request packet ID 0 with timestamp +13 (6) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 196 (6) User-Name = "CLEARSYSTEM\\test1" (6) NAS-IP-Address = 172.22.22.254 (6) Called-Station-Id = "001601dfe596" (6) Calling-Station-Id = "74da38d41a8b" (6) NAS-Identifier = "001601dfe596" (6) NAS-Port = 5 (6) Framed-MTU = 1400 (6) State = 0x6d805dd768864438dc40c2ae6afa62ac (6) NAS-Port-Type = Wireless-802.11 (6) EAP-Message = 0x020600351900170303002a0000000000000001dd244541a65b0c86c71280b371970a1a1c7be8090c517215185792c4ef34ace82894 (6) Message-Authenticator = 0xe01b3ffbd597dcf5f7f0f0dd8bc4ea9d (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) ntdomain: Checking for prefix before "\" (6) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (6) ntdomain: Found realm "CLEARSYSTEM" (6) ntdomain: Adding Stripped-User-Name = "test1" (6) ntdomain: Adding Realm = "CLEARSYSTEM" (6) ntdomain: Authentication realm is LOCAL (6) [ntdomain] = ok (6) eap: Peer sent EAP Response (code 2) ID 6 length 53 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x6d805dd768864438 (6) eap: Finished EAP session with state 0x6d805dd768864438 (6) eap: Previous EAP request found for state 0x6d805dd768864438, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY (6) eap_peap: Identity - CLEARSYSTEM\test1 (6) eap_peap: Got inner identity 'CLEARSYSTEM\test1' (6) eap_peap: Setting default EAP type for tunneled EAP session (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x0206001601434c45415253595354454d5c7465737431 (6) eap_peap: Setting User-Name to CLEARSYSTEM\test1 (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x0206001601434c45415253595354454d5c7465737431 (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "CLEARSYSTEM\\test1" (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x0206001601434c45415253595354454d5c7465737431 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "CLEARSYSTEM\\test1" (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) ntdomain: Checking for prefix before "\" (6) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (6) ntdomain: Found realm "CLEARSYSTEM" (6) ntdomain: Adding Stripped-User-Name = "test1" (6) ntdomain: Adding Realm = "CLEARSYSTEM" (6) ntdomain: Authentication realm is LOCAL (6) [ntdomain] = ok (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 6 length 22 (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Peer sent packet with method EAP Identity (1) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: Issuing Challenge (6) eap: Sending EAP Request (code 1) ID 7 length 43 (6) eap: EAP session adding &reply:State = 0x66e3bd0266e4a7fb (6) [eap] = handled (6) } # authenticate = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) EAP-Message = 0x0107002b1a01070026108d0fd294b2abb0cb4390aef8e7e334f0667265657261646975732d332e302e3133 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x66e3bd0266e4a7fba16dc6bfc6cef435 (6) eap_peap: Got tunneled reply code 11 (6) eap_peap: EAP-Message = 0x0107002b1a01070026108d0fd294b2abb0cb4390aef8e7e334f0667265657261646975732d332e302e3133 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x66e3bd0266e4a7fba16dc6bfc6cef435 (6) eap_peap: Got tunneled reply RADIUS code 11 (6) eap_peap: EAP-Message = 0x0107002b1a01070026108d0fd294b2abb0cb4390aef8e7e334f0667265657261646975732d332e302e3133 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0x66e3bd0266e4a7fba16dc6bfc6cef435 (6) eap_peap: Got tunneled Access-Challenge (6) eap: Sending EAP Request (code 1) ID 7 length 74 (6) eap: EAP session adding &reply:State = 0x6d805dd76b874438 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/raddb/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (6) EAP-Message = 0x0107004a1900170303003fdc5fcf74a4d4ecf07ea22af536fa57cb428f1212cc762f73aecf7876928d4f6e657779a62eef9bc148c29f051acfe8f978bf7fcb45bcb1171b30e50382d3d3 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x6d805dd76b874438dc40c2ae6afa62ac (6) Finished request Waking up in 4.9 seconds. (6) Cleaning up request packet ID 0 with timestamp +13 (7) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 250 (7) User-Name = "CLEARSYSTEM\\test1" (7) NAS-IP-Address = 172.22.22.254 (7) Called-Station-Id = "001601dfe596" (7) Calling-Station-Id = "74da38d41a8b" (7) NAS-Identifier = "001601dfe596" (7) NAS-Port = 5 (7) Framed-MTU = 1400 (7) State = 0x6d805dd76b874438dc40c2ae6afa62ac (7) NAS-Port-Type = Wireless-802.11 (7) EAP-Message = 0x0207006b19001703030060000000000000000219bae2d0668bb3eee9ce6bb0fc2eac4874e11bb450e239ca968d6460f050052b35bc8db55c8593cd55d4c2a998164b1c6b61a943bf0ef78db528fdd3f1dca0e8e07ff24916a4c37694cb22128f00feadf1aca1c1b2490214 (7) Message-Authenticator = 0x6f366ccc31737e80ff78cd36f016f96d (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) ntdomain: Checking for prefix before "\" (7) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (7) ntdomain: Found realm "CLEARSYSTEM" (7) ntdomain: Adding Stripped-User-Name = "test1" (7) ntdomain: Adding Realm = "CLEARSYSTEM" (7) ntdomain: Authentication realm is LOCAL (7) [ntdomain] = ok (7) eap: Peer sent EAP Response (code 2) ID 7 length 107 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x66e3bd0266e4a7fb (7) eap: Finished EAP session with state 0x6d805dd76b874438 (7) eap: Previous EAP request found for state 0x6d805dd76b874438, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP method MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x0207004c1a02070047313aedab25255aa4dcad5a9e911bf87fae00000000000000007d50d953955047745972cfe092bcc2c777fd52a69b03bebb00434c45415253595354454d5c7465737431 (7) eap_peap: Setting User-Name to CLEARSYSTEM\test1 (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x0207004c1a02070047313aedab25255aa4dcad5a9e911bf87fae00000000000000007d50d953955047745972cfe092bcc2c777fd52a69b03bebb00434c45415253595354454d5c7465737431 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "CLEARSYSTEM\\test1" (7) eap_peap: State = 0x66e3bd0266e4a7fba16dc6bfc6cef435 (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x0207004c1a02070047313aedab25255aa4dcad5a9e911bf87fae00000000000000007d50d953955047745972cfe092bcc2c777fd52a69b03bebb00434c45415253595354454d5c7465737431 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "CLEARSYSTEM\\test1" (7) State = 0x66e3bd0266e4a7fba16dc6bfc6cef435 (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) ntdomain: Checking for prefix before "\" (7) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (7) ntdomain: Found realm "CLEARSYSTEM" (7) ntdomain: Adding Stripped-User-Name = "test1" (7) ntdomain: Adding Realm = "CLEARSYSTEM" (7) ntdomain: Authentication realm is LOCAL (7) [ntdomain] = ok (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 7 length 76 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) files: Searching for user in group "allusers" rlm_ldap (ldap): Reserved connection (0) (7) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (7) files: --> (uid=test1) (7) files: Performing search in "dc=system,dc=lan" with filter "(uid=test1)", scope "sub" (7) files: Waiting for search result... (7) files: User object found at DN "cn=test1 test1,ou=Users,ou=Accounts,dc=system,dc=lan" (7) files: Checking user object's memberOf attributes (7) files: Performing unfiltered search in "cn=test1 test1,ou=Users,ou=Accounts,dc=system,dc=lan", scope "base" (7) files: Waiting for search result... (7) files: Processing memberOf value "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (7) files: Resolving group DN "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (7) files: Performing unfiltered search in "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (7) files: Waiting for search result... (7) files: Group DN "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "ftp_plugin" (7) files: Processing memberOf value "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (7) files: Resolving group DN "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (7) files: Performing unfiltered search in "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (7) files: Waiting for search result... (7) files: Group DN "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "web_proxy_plugin" (7) files: Processing memberOf value "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (7) files: Resolving group DN "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (7) files: Performing unfiltered search in "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (7) files: Waiting for search result... (7) files: Group DN "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "webupload" (7) files: Processing memberOf value "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (7) files: Resolving group DN "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (7) files: Performing unfiltered search in "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (7) files: Waiting for search result... (7) files: Group DN "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "allusers" (7) files: User found in group "allusers". Comparison between membership: name (resolved from DN "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan"), check: name rlm_ldap (ldap): Released connection (0) (7) [files] = noop rlm_ldap (ldap): Reserved connection (1) (7) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (7) ldap: --> (uid=test1) (7) ldap: Performing search in "dc=system,dc=lan" with filter "(uid=test1)", scope "sub" (7) ldap: Waiting for search result... (7) ldap: User object found at DN "cn=test1 test1,ou=Users,ou=Accounts,dc=system,dc=lan" (7) ldap: Processing user attributes (7) ldap: control:Password-With-Header += '{sha}tESsBmE/yNY3lb6a0L6vVQEZNqw=' rlm_ldap (ldap): Released connection (1) (7) [ldap] = updated (7) [expiration] = noop (7) [logintime] = noop (7) pap: Converted: &control:Password-With-Header -> &control:SHA1-Password (7) pap: Removing &control:Password-With-Header (7) pap: Normalizing SHA1-Password from base64 encoding, 28 bytes -> 20 bytes (7) pap: WARNING: Auth-Type already set. Not setting to PAP (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0x66e3bd0266e4a7fb (7) eap: Finished EAP session with state 0x66e3bd0266e4a7fb (7) eap: Previous EAP request found for state 0x66e3bd0266e4a7fb, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) eap_mschapv2: authenticate { (7) mschap: Creating challenge hash with username: test1 (7) mschap: Client is using MS-CHAPv2 (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (7) mschap: --> --username=test1 (7) mschap: Creating challenge hash with username: test1 (7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (7) mschap: --> --challenge=3b9d7892b41cf3b0 (7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (7) mschap: --> --nt-response=7d50d953955047745972cfe092bcc2c777fd52a69b03bebb (7) mschap: Program returned code (0) and output 'NT_KEY: DAE53F1776DBD0817C5639A27629A27D' (7) mschap: Adding MS-CHAPv2 MPPE keys (7) [mschap] = ok (7) } # authenticate = ok (7) MSCHAP Success (7) eap: Sending EAP Request (code 1) ID 8 length 51 (7) eap: EAP session adding &reply:State = 0x66e3bd0267eba7fb (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) EAP-Message = 0x010800331a0307002e533d39313144313544453236303432433942464146394246343432383636363746354335423938343630 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x66e3bd0267eba7fba16dc6bfc6cef435 (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: EAP-Message = 0x010800331a0307002e533d39313144313544453236303432433942464146394246343432383636363746354335423938343630 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x66e3bd0267eba7fba16dc6bfc6cef435 (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: EAP-Message = 0x010800331a0307002e533d39313144313544453236303432433942464146394246343432383636363746354335423938343630 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0x66e3bd0267eba7fba16dc6bfc6cef435 (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 8 length 82 (7) eap: EAP session adding &reply:State = 0x6d805dd76a884438 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/raddb/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (7) EAP-Message = 0x0108005219001703030047dc5fcf74a4d4ecf1ffeae2c864301f5752178e45427e243559fbf7f51b067715629d035309535ef9b4cbb1c8456cba01f0cd65f3a66724bec8cd596926856cc18e9a444620321d (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x6d805dd76a884438dc40c2ae6afa62ac (7) Finished request Waking up in 4.9 seconds. (7) Cleaning up request packet ID 0 with timestamp +13 (8) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 180 (8) User-Name = "CLEARSYSTEM\\test1" (8) NAS-IP-Address = 172.22.22.254 (8) Called-Station-Id = "001601dfe596" (8) Calling-Station-Id = "74da38d41a8b" (8) NAS-Identifier = "001601dfe596" (8) NAS-Port = 5 (8) Framed-MTU = 1400 (8) State = 0x6d805dd76a884438dc40c2ae6afa62ac (8) NAS-Port-Type = Wireless-802.11 (8) EAP-Message = 0x020800251900170303001a00000000000000034a80351d48d47617d97ab576bf0a41900ffa (8) Message-Authenticator = 0x8e3a7df7c36095515fae4cc97400d895 (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) ntdomain: Checking for prefix before "\" (8) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (8) ntdomain: Found realm "CLEARSYSTEM" (8) ntdomain: Adding Stripped-User-Name = "test1" (8) ntdomain: Adding Realm = "CLEARSYSTEM" (8) ntdomain: Authentication realm is LOCAL (8) [ntdomain] = ok (8) eap: Peer sent EAP Response (code 2) ID 8 length 37 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x66e3bd0267eba7fb (8) eap: Finished EAP session with state 0x6d805dd76a884438 (8) eap: Previous EAP request found for state 0x6d805dd76a884438, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x020800061a03 (8) eap_peap: Setting User-Name to CLEARSYSTEM\test1 (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x020800061a03 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "CLEARSYSTEM\\test1" (8) eap_peap: State = 0x66e3bd0267eba7fba16dc6bfc6cef435 (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x020800061a03 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "CLEARSYSTEM\\test1" (8) State = 0x66e3bd0267eba7fba16dc6bfc6cef435 (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) ntdomain: Checking for prefix before "\" (8) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (8) ntdomain: Found realm "CLEARSYSTEM" (8) ntdomain: Adding Stripped-User-Name = "test1" (8) ntdomain: Adding Realm = "CLEARSYSTEM" (8) ntdomain: Authentication realm is LOCAL (8) [ntdomain] = ok (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 8 length 6 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) files: Searching for user in group "allusers" rlm_ldap (ldap): Reserved connection (2) (8) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) files: --> (uid=test1) (8) files: Performing search in "dc=system,dc=lan" with filter "(uid=test1)", scope "sub" (8) files: Waiting for search result... (8) files: User object found at DN "cn=test1 test1,ou=Users,ou=Accounts,dc=system,dc=lan" (8) files: Checking user object's memberOf attributes (8) files: Performing unfiltered search in "cn=test1 test1,ou=Users,ou=Accounts,dc=system,dc=lan", scope "base" (8) files: Waiting for search result... (8) files: Processing memberOf value "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (8) files: Resolving group DN "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (8) files: Performing unfiltered search in "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (8) files: Waiting for search result... (8) files: Group DN "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "ftp_plugin" (8) files: Processing memberOf value "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (8) files: Resolving group DN "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (8) files: Performing unfiltered search in "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (8) files: Waiting for search result... (8) files: Group DN "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "web_proxy_plugin" (8) files: Processing memberOf value "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (8) files: Resolving group DN "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (8) files: Performing unfiltered search in "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (8) files: Waiting for search result... (8) files: Group DN "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "webupload" (8) files: Processing memberOf value "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (8) files: Resolving group DN "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (8) files: Performing unfiltered search in "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (8) files: Waiting for search result... (8) files: Group DN "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "allusers" (8) files: User found in group "allusers". Comparison between membership: name (resolved from DN "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan"), check: name rlm_ldap (ldap): Released connection (2) (8) [files] = noop rlm_ldap (ldap): Reserved connection (3) (8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (uid=test1) (8) ldap: Performing search in "dc=system,dc=lan" with filter "(uid=test1)", scope "sub" (8) ldap: Waiting for search result... (8) ldap: User object found at DN "cn=test1 test1,ou=Users,ou=Accounts,dc=system,dc=lan" (8) ldap: Processing user attributes (8) ldap: control:Password-With-Header += '{sha}tESsBmE/yNY3lb6a0L6vVQEZNqw=' rlm_ldap (ldap): Released connection (3) (8) [ldap] = updated (8) [expiration] = noop (8) [logintime] = noop (8) pap: Converted: &control:Password-With-Header -> &control:SHA1-Password (8) pap: Removing &control:Password-With-Header (8) pap: Normalizing SHA1-Password from base64 encoding, 28 bytes -> 20 bytes (8) pap: WARNING: Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0x66e3bd0267eba7fb (8) eap: Finished EAP session with state 0x66e3bd0267eba7fb (8) eap: Previous EAP request found for state 0x66e3bd0267eba7fb, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap: Sending EAP Success (code 3) ID 8 length 4 (8) eap: Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (8) post-auth { (8) if (0) { (8) if (0) -> FALSE (8) } # post-auth = noop (8) } # server inner-tunnel (8) Virtual server sending reply (8) MS-MPPE-Encryption-Policy = Encryption-Allowed (8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) MS-MPPE-Send-Key = 0xb0cef0c8f31ece219ae921fa8dd00a05 (8) MS-MPPE-Recv-Key = 0x0c0cf49c321e6e908780b3c6612b6feb (8) EAP-Message = 0x03080004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) Stripped-User-Name = "test1" (8) eap_peap: Got tunneled reply code 2 (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) eap_peap: MS-MPPE-Send-Key = 0xb0cef0c8f31ece219ae921fa8dd00a05 (8) eap_peap: MS-MPPE-Recv-Key = 0x0c0cf49c321e6e908780b3c6612b6feb (8) eap_peap: EAP-Message = 0x03080004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Stripped-User-Name = "test1" (8) eap_peap: Got tunneled reply RADIUS code 2 (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8) eap_peap: MS-MPPE-Send-Key = 0xb0cef0c8f31ece219ae921fa8dd00a05 (8) eap_peap: MS-MPPE-Recv-Key = 0x0c0cf49c321e6e908780b3c6612b6feb (8) eap_peap: EAP-Message = 0x03080004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Stripped-User-Name = "test1" (8) eap_peap: Tunneled authentication was successful (8) eap_peap: SUCCESS (8) eap: Sending EAP Request (code 1) ID 9 length 46 (8) eap: EAP session adding &reply:State = 0x6d805dd765894438 (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) # Executing group from file /etc/raddb/sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (8) EAP-Message = 0x0109002e19001703030023dc5fcf74a4d4ecf2e22cf6f1b9c7c262e75a225086d46b3b1094d6a2e54fad0e208021 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x6d805dd765894438dc40c2ae6afa62ac (8) Finished request Waking up in 4.9 seconds. (8) Cleaning up request packet ID 0 with timestamp +13 (9) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 189 (9) User-Name = "CLEARSYSTEM\\test1" (9) NAS-IP-Address = 172.22.22.254 (9) Called-Station-Id = "001601dfe596" (9) Calling-Station-Id = "74da38d41a8b" (9) NAS-Identifier = "001601dfe596" (9) NAS-Port = 5 (9) Framed-MTU = 1400 (9) State = 0x6d805dd765894438dc40c2ae6afa62ac (9) NAS-Port-Type = Wireless-802.11 (9) EAP-Message = 0x0209002e190017030300230000000000000004274d7c08364b6d55ee3aa706f66f7126d6c1243d8d08bdbd7a9051 (9) Message-Authenticator = 0x36b35cb4fd0f6af8a94dfc86605dc543 (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) ntdomain: Checking for prefix before "\" (9) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (9) ntdomain: Found realm "CLEARSYSTEM" (9) ntdomain: Adding Stripped-User-Name = "test1" (9) ntdomain: Adding Realm = "CLEARSYSTEM" (9) ntdomain: Authentication realm is LOCAL (9) [ntdomain] = ok (9) eap: Peer sent EAP Response (code 2) ID 9 length 46 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x6d805dd765894438 (9) eap: Finished EAP session with state 0x6d805dd765894438 (9) eap: Previous EAP request found for state 0x6d805dd765894438, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv success (9) eap_peap: Received EAP-TLV response (9) eap_peap: Success (9) eap: Sending EAP Success (code 3) ID 9 length 4 (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /etc/raddb/sites-enabled/default (9) post-auth { (9) update { (9) No attributes updated (9) } # update = noop (9) [exec] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # post-auth = noop (9) Sent Access-Accept Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (9) MS-MPPE-Recv-Key = 0x0790725f316f49070c1b7729230cfb972a484adc36a235b208c4550295ea4187 (9) MS-MPPE-Send-Key = 0x92b2a51d0e06c17fdefa0e17bdc1efe33e5aae270f461bf4828d6fb2de315a80 (9) EAP-Message = 0x03090004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) Finished request Waking up in 4.9 seconds. (9) Cleaning up request packet ID 0 with timestamp +13 Ready to process requests (10) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 147 (10) User-Name = "CLEARSYSTEM\\test1" (10) NAS-IP-Address = 172.22.22.254 (10) Called-Station-Id = "001601dfe596" (10) Calling-Station-Id = "74da38d41a8b" (10) NAS-Identifier = "001601dfe596" (10) NAS-Port = 5 (10) Framed-MTU = 1400 (10) NAS-Port-Type = Wireless-802.11 (10) EAP-Message = 0x0200001601434c45415253595354454d5c7465737431 (10) Message-Authenticator = 0x3e663781d018a3da35a626dc52214957 (10) # Executing section authorize from file /etc/raddb/sites-enabled/default (10) authorize { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = notfound (10) } # policy filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (10) suffix: No such realm "NULL" (10) [suffix] = noop (10) ntdomain: Checking for prefix before "\" (10) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (10) ntdomain: Found realm "CLEARSYSTEM" (10) ntdomain: Adding Stripped-User-Name = "test1" (10) ntdomain: Adding Realm = "CLEARSYSTEM" (10) ntdomain: Authentication realm is LOCAL (10) [ntdomain] = ok (10) eap: Peer sent EAP Response (code 2) ID 0 length 22 (10) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = eap (10) # Executing group from file /etc/raddb/sites-enabled/default (10) authenticate { (10) eap: Peer sent packet with method EAP Identity (1) (10) eap: Calling submodule eap_peap to process data (10) eap_peap: Initiating new EAP-TLS session (10) eap_peap: [eaptls start] = request (10) eap: Sending EAP Request (code 1) ID 1 length 6 (10) eap: EAP session adding &reply:State = 0x5205bbdd5204a286 (10) [eap] = handled (10) } # authenticate = handled (10) Using Post-Auth-Type Challenge (10) # Executing group from file /etc/raddb/sites-enabled/default (10) Challenge { ... } # empty sub-section is ignored (10) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (10) EAP-Message = 0x010100061920 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) State = 0x5205bbdd5204a286e7a44a448065710e (10) Finished request Waking up in 4.9 seconds. (10) Cleaning up request packet ID 0 with timestamp +44 (11) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 309 (11) User-Name = "CLEARSYSTEM\\test1" (11) NAS-IP-Address = 172.22.22.254 (11) Called-Station-Id = "001601dfe596" (11) Calling-Station-Id = "74da38d41a8b" (11) NAS-Identifier = "001601dfe596" (11) NAS-Port = 5 (11) Framed-MTU = 1400 (11) State = 0x5205bbdd5204a286e7a44a448065710e (11) NAS-Port-Type = Wireless-802.11 (11) EAP-Message = 0x020100a619800000009c16030300970100009303035af2cd38a6bde90cac89c6193a2d76d271c9604c7ddfed3814c78b24ba8f7e5c00002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d (11) Message-Authenticator = 0xaed2c29e86157e53d66c93b98a2a81d6 (11) session-state: No cached attributes (11) # Executing section authorize from file /etc/raddb/sites-enabled/default (11) authorize { (11) policy filter_username { (11) if (&User-Name) { (11) if (&User-Name) -> TRUE (11) if (&User-Name) { (11) if (&User-Name =~ / /) { (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@[^@]*@/ ) { (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11) if (&User-Name =~ /\.\./ ) { (11) if (&User-Name =~ /\.\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\.$/) { (11) if (&User-Name =~ /\.$/) -> FALSE (11) if (&User-Name =~ /@\./) { (11) if (&User-Name =~ /@\./) -> FALSE (11) } # if (&User-Name) = notfound (11) } # policy filter_username = notfound (11) [preprocess] = ok (11) [chap] = noop (11) [mschap] = noop (11) [digest] = noop (11) suffix: Checking for suffix after "@" (11) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (11) suffix: No such realm "NULL" (11) [suffix] = noop (11) ntdomain: Checking for prefix before "\" (11) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (11) ntdomain: Found realm "CLEARSYSTEM" (11) ntdomain: Adding Stripped-User-Name = "test1" (11) ntdomain: Adding Realm = "CLEARSYSTEM" (11) ntdomain: Authentication realm is LOCAL (11) [ntdomain] = ok (11) eap: Peer sent EAP Response (code 2) ID 1 length 166 (11) eap: Continuing tunnel setup (11) [eap] = ok (11) } # authorize = ok (11) Found Auth-Type = eap (11) # Executing group from file /etc/raddb/sites-enabled/default (11) authenticate { (11) eap: Expiring EAP session with state 0x5205bbdd5204a286 (11) eap: Finished EAP session with state 0x5205bbdd5204a286 (11) eap: Previous EAP request found for state 0x5205bbdd5204a286, released from the list (11) eap: Peer sent packet with method EAP PEAP (25) (11) eap: Calling submodule eap_peap to process data (11) eap_peap: Continuing EAP-TLS (11) eap_peap: Peer indicated complete TLS record size will be 156 bytes (11) eap_peap: Got complete TLS record (156 bytes) (11) eap_peap: [eaptls verify] = length included (11) eap_peap: (other): before/accept initialization (11) eap_peap: TLS_accept: before/accept initialization (11) eap_peap: <<< recv TLS 1.2 [length 0097] (11) eap_peap: TLS_accept: SSLv3 read client hello A (11) eap_peap: >>> send TLS 1.2 [length 0039] (11) eap_peap: TLS_accept: SSLv3 write server hello A (11) eap_peap: >>> send TLS 1.2 [length 08bd] (11) eap_peap: TLS_accept: SSLv3 write certificate A (11) eap_peap: >>> send TLS 1.2 [length 014d] (11) eap_peap: TLS_accept: SSLv3 write key exchange A (11) eap_peap: >>> send TLS 1.2 [length 0004] (11) eap_peap: TLS_accept: SSLv3 write server done A (11) eap_peap: TLS_accept: SSLv3 flush data (11) eap_peap: TLS_accept: SSLv3 read client certificate A (11) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (11) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (11) eap_peap: In SSL Handshake Phase (11) eap_peap: In SSL Accept mode (11) eap_peap: [eaptls process] = handled (11) eap: Sending EAP Request (code 1) ID 2 length 1004 (11) eap: EAP session adding &reply:State = 0x5205bbdd5307a286 (11) [eap] = handled (11) } # authenticate = handled (11) Using Post-Auth-Type Challenge (11) # Executing group from file /etc/raddb/sites-enabled/default (11) Challenge { ... } # empty sub-section is ignored (11) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (11) EAP-Message = 0x010203ec19c000000a5b1603030039020000350303b03cc28858b129d2eb2e9017deb4a9a6acdbb87cb5a0dbbed57be74b9ad0b07800c03000000dff01000100000b00040300010216030308bd0b0008b90008b60003fb308203f7308202dfa003020102020101300d06092a864886f70d01010b050030 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) State = 0x5205bbdd5307a286e7a44a448065710e (11) Finished request Waking up in 4.9 seconds. (11) Cleaning up request packet ID 0 with timestamp +44 (12) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 149 (12) User-Name = "CLEARSYSTEM\\test1" (12) NAS-IP-Address = 172.22.22.254 (12) Called-Station-Id = "001601dfe596" (12) Calling-Station-Id = "74da38d41a8b" (12) NAS-Identifier = "001601dfe596" (12) NAS-Port = 5 (12) Framed-MTU = 1400 (12) State = 0x5205bbdd5307a286e7a44a448065710e (12) NAS-Port-Type = Wireless-802.11 (12) EAP-Message = 0x020200061900 (12) Message-Authenticator = 0x2316426b772c524a5666fca10c78a6f7 (12) session-state: No cached attributes (12) # Executing section authorize from file /etc/raddb/sites-enabled/default (12) authorize { (12) policy filter_username { (12) if (&User-Name) { (12) if (&User-Name) -> TRUE (12) if (&User-Name) { (12) if (&User-Name =~ / /) { (12) if (&User-Name =~ / /) -> FALSE (12) if (&User-Name =~ /@[^@]*@/ ) { (12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (12) if (&User-Name =~ /\.\./ ) { (12) if (&User-Name =~ /\.\./ ) -> FALSE (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (12) if (&User-Name =~ /\.$/) { (12) if (&User-Name =~ /\.$/) -> FALSE (12) if (&User-Name =~ /@\./) { (12) if (&User-Name =~ /@\./) -> FALSE (12) } # if (&User-Name) = notfound (12) } # policy filter_username = notfound (12) [preprocess] = ok (12) [chap] = noop (12) [mschap] = noop (12) [digest] = noop (12) suffix: Checking for suffix after "@" (12) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (12) suffix: No such realm "NULL" (12) [suffix] = noop (12) ntdomain: Checking for prefix before "\" (12) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (12) ntdomain: Found realm "CLEARSYSTEM" (12) ntdomain: Adding Stripped-User-Name = "test1" (12) ntdomain: Adding Realm = "CLEARSYSTEM" (12) ntdomain: Authentication realm is LOCAL (12) [ntdomain] = ok (12) eap: Peer sent EAP Response (code 2) ID 2 length 6 (12) eap: Continuing tunnel setup (12) [eap] = ok (12) } # authorize = ok (12) Found Auth-Type = eap (12) # Executing group from file /etc/raddb/sites-enabled/default (12) authenticate { (12) eap: Expiring EAP session with state 0x5205bbdd5307a286 (12) eap: Finished EAP session with state 0x5205bbdd5307a286 (12) eap: Previous EAP request found for state 0x5205bbdd5307a286, released from the list (12) eap: Peer sent packet with method EAP PEAP (25) (12) eap: Calling submodule eap_peap to process data (12) eap_peap: Continuing EAP-TLS (12) eap_peap: Peer ACKed our handshake fragment (12) eap_peap: [eaptls verify] = request (12) eap_peap: [eaptls process] = handled (12) eap: Sending EAP Request (code 1) ID 3 length 1000 (12) eap: EAP session adding &reply:State = 0x5205bbdd5006a286 (12) [eap] = handled (12) } # authenticate = handled (12) Using Post-Auth-Type Challenge (12) # Executing group from file /etc/raddb/sites-enabled/default (12) Challenge { ... } # empty sub-section is ignored (12) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (12) EAP-Message = 0x010303e819408444f5b804aa2d65ef2b23820bb1bf1bfcb24df6bd03eabe61d7bb630cfd9fd6165d19f24d23925593c04c7ec13d5afe51369fe487605e2de3073d043a15e72448712bca946e329e81ff36cebcdfe8be08dc6490da38ed9147e7eac88af7f25487bee0ef80700004b5308204b130820399 (12) Message-Authenticator = 0x00000000000000000000000000000000 (12) State = 0x5205bbdd5006a286e7a44a448065710e (12) Finished request Waking up in 4.9 seconds. (12) Cleaning up request packet ID 0 with timestamp +44 (13) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 149 (13) User-Name = "CLEARSYSTEM\\test1" (13) NAS-IP-Address = 172.22.22.254 (13) Called-Station-Id = "001601dfe596" (13) Calling-Station-Id = "74da38d41a8b" (13) NAS-Identifier = "001601dfe596" (13) NAS-Port = 5 (13) Framed-MTU = 1400 (13) State = 0x5205bbdd5006a286e7a44a448065710e (13) NAS-Port-Type = Wireless-802.11 (13) EAP-Message = 0x020300061900 (13) Message-Authenticator = 0xb6167b86da6c3a72a5fa00cbb2898a5c (13) session-state: No cached attributes (13) # Executing section authorize from file /etc/raddb/sites-enabled/default (13) authorize { (13) policy filter_username { (13) if (&User-Name) { (13) if (&User-Name) -> TRUE (13) if (&User-Name) { (13) if (&User-Name =~ / /) { (13) if (&User-Name =~ / /) -> FALSE (13) if (&User-Name =~ /@[^@]*@/ ) { (13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (13) if (&User-Name =~ /\.\./ ) { (13) if (&User-Name =~ /\.\./ ) -> FALSE (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (13) if (&User-Name =~ /\.$/) { (13) if (&User-Name =~ /\.$/) -> FALSE (13) if (&User-Name =~ /@\./) { (13) if (&User-Name =~ /@\./) -> FALSE (13) } # if (&User-Name) = notfound (13) } # policy filter_username = notfound (13) [preprocess] = ok (13) [chap] = noop (13) [mschap] = noop (13) [digest] = noop (13) suffix: Checking for suffix after "@" (13) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (13) suffix: No such realm "NULL" (13) [suffix] = noop (13) ntdomain: Checking for prefix before "\" (13) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (13) ntdomain: Found realm "CLEARSYSTEM" (13) ntdomain: Adding Stripped-User-Name = "test1" (13) ntdomain: Adding Realm = "CLEARSYSTEM" (13) ntdomain: Authentication realm is LOCAL (13) [ntdomain] = ok (13) eap: Peer sent EAP Response (code 2) ID 3 length 6 (13) eap: Continuing tunnel setup (13) [eap] = ok (13) } # authorize = ok (13) Found Auth-Type = eap (13) # Executing group from file /etc/raddb/sites-enabled/default (13) authenticate { (13) eap: Expiring EAP session with state 0x5205bbdd5006a286 (13) eap: Finished EAP session with state 0x5205bbdd5006a286 (13) eap: Previous EAP request found for state 0x5205bbdd5006a286, released from the list (13) eap: Peer sent packet with method EAP PEAP (25) (13) eap: Calling submodule eap_peap to process data (13) eap_peap: Continuing EAP-TLS (13) eap_peap: Peer ACKed our handshake fragment (13) eap_peap: [eaptls verify] = request (13) eap_peap: [eaptls process] = handled (13) eap: Sending EAP Request (code 1) ID 4 length 669 (13) eap: EAP session adding &reply:State = 0x5205bbdd5101a286 (13) [eap] = handled (13) } # authenticate = handled (13) Using Post-Auth-Type Challenge (13) # Executing group from file /etc/raddb/sites-enabled/default (13) Challenge { ... } # empty sub-section is ignored (13) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (13) EAP-Message = 0x0104029d1900278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101000132a42023b4da19cd0464809979cba06e09409f4cbae9db226b41b48d0c97de8fa6092c00476cb9f16399e310996fb68c40e69b10 (13) Message-Authenticator = 0x00000000000000000000000000000000 (13) State = 0x5205bbdd5101a286e7a44a448065710e (13) Finished request Waking up in 4.9 seconds. (13) Cleaning up request packet ID 0 with timestamp +44 (14) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 279 (14) User-Name = "CLEARSYSTEM\\test1" (14) NAS-IP-Address = 172.22.22.254 (14) Called-Station-Id = "001601dfe596" (14) Calling-Station-Id = "74da38d41a8b" (14) NAS-Identifier = "001601dfe596" (14) NAS-Port = 5 (14) Framed-MTU = 1400 (14) State = 0x5205bbdd5101a286e7a44a448065710e (14) NAS-Port-Type = Wireless-802.11 (14) EAP-Message = 0x0204008819800000007e1603030046100000424104e75ed2454d55c1c56f5300e806d9964d68478eeb7c9f1af4e5695daeb6fa5f3f968c3621984b9fc4079a2bf4e7ace9f798901c2c1b52cbad15600761a017196b14030300010116030300280000000000000000a90ea118db4e321e4fd9a1f90e76ef (14) Message-Authenticator = 0x2254305b780a66f1e2c8b4c87549e709 (14) session-state: No cached attributes (14) # Executing section authorize from file /etc/raddb/sites-enabled/default (14) authorize { (14) policy filter_username { (14) if (&User-Name) { (14) if (&User-Name) -> TRUE (14) if (&User-Name) { (14) if (&User-Name =~ / /) { (14) if (&User-Name =~ / /) -> FALSE (14) if (&User-Name =~ /@[^@]*@/ ) { (14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (14) if (&User-Name =~ /\.\./ ) { (14) if (&User-Name =~ /\.\./ ) -> FALSE (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (14) if (&User-Name =~ /\.$/) { (14) if (&User-Name =~ /\.$/) -> FALSE (14) if (&User-Name =~ /@\./) { (14) if (&User-Name =~ /@\./) -> FALSE (14) } # if (&User-Name) = notfound (14) } # policy filter_username = notfound (14) [preprocess] = ok (14) [chap] = noop (14) [mschap] = noop (14) [digest] = noop (14) suffix: Checking for suffix after "@" (14) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (14) suffix: No such realm "NULL" (14) [suffix] = noop (14) ntdomain: Checking for prefix before "\" (14) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (14) ntdomain: Found realm "CLEARSYSTEM" (14) ntdomain: Adding Stripped-User-Name = "test1" (14) ntdomain: Adding Realm = "CLEARSYSTEM" (14) ntdomain: Authentication realm is LOCAL (14) [ntdomain] = ok (14) eap: Peer sent EAP Response (code 2) ID 4 length 136 (14) eap: Continuing tunnel setup (14) [eap] = ok (14) } # authorize = ok (14) Found Auth-Type = eap (14) # Executing group from file /etc/raddb/sites-enabled/default (14) authenticate { (14) eap: Expiring EAP session with state 0x5205bbdd5101a286 (14) eap: Finished EAP session with state 0x5205bbdd5101a286 (14) eap: Previous EAP request found for state 0x5205bbdd5101a286, released from the list (14) eap: Peer sent packet with method EAP PEAP (25) (14) eap: Calling submodule eap_peap to process data (14) eap_peap: Continuing EAP-TLS (14) eap_peap: Peer indicated complete TLS record size will be 126 bytes (14) eap_peap: Got complete TLS record (126 bytes) (14) eap_peap: [eaptls verify] = length included (14) eap_peap: <<< recv TLS 1.2 [length 0046] (14) eap_peap: TLS_accept: SSLv3 read client key exchange A (14) eap_peap: TLS_accept: SSLv3 read certificate verify A (14) eap_peap: <<< recv TLS 1.2 [length 0001] (14) eap_peap: <<< recv TLS 1.2 [length 0010] (14) eap_peap: TLS_accept: SSLv3 read finished A (14) eap_peap: >>> send TLS 1.2 [length 0001] (14) eap_peap: TLS_accept: SSLv3 write change cipher spec A (14) eap_peap: >>> send TLS 1.2 [length 0010] (14) eap_peap: TLS_accept: SSLv3 write finished A (14) eap_peap: TLS_accept: SSLv3 flush data (14) eap_peap: (other): SSL negotiation finished successfully (14) eap_peap: SSL Connection Established (14) eap_peap: [eaptls process] = handled (14) eap: Sending EAP Request (code 1) ID 5 length 57 (14) eap: EAP session adding &reply:State = 0x5205bbdd5600a286 (14) [eap] = handled (14) } # authenticate = handled (14) Using Post-Auth-Type Challenge (14) # Executing group from file /etc/raddb/sites-enabled/default (14) Challenge { ... } # empty sub-section is ignored (14) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (14) EAP-Message = 0x0105003919001403030001011603030028122ff0483babe9a32cbc96f0d25bf63a626964a174c6d14dcb7c9b46ce542267b243424249cc2558 (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0x5205bbdd5600a286e7a44a448065710e (14) Finished request Waking up in 4.9 seconds. (14) Cleaning up request packet ID 0 with timestamp +44 (15) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 149 (15) User-Name = "CLEARSYSTEM\\test1" (15) NAS-IP-Address = 172.22.22.254 (15) Called-Station-Id = "001601dfe596" (15) Calling-Station-Id = "74da38d41a8b" (15) NAS-Identifier = "001601dfe596" (15) NAS-Port = 5 (15) Framed-MTU = 1400 (15) State = 0x5205bbdd5600a286e7a44a448065710e (15) NAS-Port-Type = Wireless-802.11 (15) EAP-Message = 0x020500061900 (15) Message-Authenticator = 0xba0c8dd74427d48a0598d69c4d657f2e (15) session-state: No cached attributes (15) # Executing section authorize from file /etc/raddb/sites-enabled/default (15) authorize { (15) policy filter_username { (15) if (&User-Name) { (15) if (&User-Name) -> TRUE (15) if (&User-Name) { (15) if (&User-Name =~ / /) { (15) if (&User-Name =~ / /) -> FALSE (15) if (&User-Name =~ /@[^@]*@/ ) { (15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (15) if (&User-Name =~ /\.\./ ) { (15) if (&User-Name =~ /\.\./ ) -> FALSE (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (15) if (&User-Name =~ /\.$/) { (15) if (&User-Name =~ /\.$/) -> FALSE (15) if (&User-Name =~ /@\./) { (15) if (&User-Name =~ /@\./) -> FALSE (15) } # if (&User-Name) = notfound (15) } # policy filter_username = notfound (15) [preprocess] = ok (15) [chap] = noop (15) [mschap] = noop (15) [digest] = noop (15) suffix: Checking for suffix after "@" (15) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (15) suffix: No such realm "NULL" (15) [suffix] = noop (15) ntdomain: Checking for prefix before "\" (15) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (15) ntdomain: Found realm "CLEARSYSTEM" (15) ntdomain: Adding Stripped-User-Name = "test1" (15) ntdomain: Adding Realm = "CLEARSYSTEM" (15) ntdomain: Authentication realm is LOCAL (15) [ntdomain] = ok (15) eap: Peer sent EAP Response (code 2) ID 5 length 6 (15) eap: Continuing tunnel setup (15) [eap] = ok (15) } # authorize = ok (15) Found Auth-Type = eap (15) # Executing group from file /etc/raddb/sites-enabled/default (15) authenticate { (15) eap: Expiring EAP session with state 0x5205bbdd5600a286 (15) eap: Finished EAP session with state 0x5205bbdd5600a286 (15) eap: Previous EAP request found for state 0x5205bbdd5600a286, released from the list (15) eap: Peer sent packet with method EAP PEAP (25) (15) eap: Calling submodule eap_peap to process data (15) eap_peap: Continuing EAP-TLS (15) eap_peap: Peer ACKed our handshake fragment. handshake is finished (15) eap_peap: [eaptls verify] = success (15) eap_peap: [eaptls process] = success (15) eap_peap: Session established. Decoding tunneled attributes (15) eap_peap: PEAP state TUNNEL ESTABLISHED (15) eap: Sending EAP Request (code 1) ID 6 length 40 (15) eap: EAP session adding &reply:State = 0x5205bbdd5703a286 (15) [eap] = handled (15) } # authenticate = handled (15) Using Post-Auth-Type Challenge (15) # Executing group from file /etc/raddb/sites-enabled/default (15) Challenge { ... } # empty sub-section is ignored (15) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (15) EAP-Message = 0x010600281900170303001d122ff0483babe9a424c759d906f9537f7d767703eec2c038b2f205ea12 (15) Message-Authenticator = 0x00000000000000000000000000000000 (15) State = 0x5205bbdd5703a286e7a44a448065710e (15) Finished request Waking up in 4.9 seconds. (15) Cleaning up request packet ID 0 with timestamp +44 (16) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 196 (16) User-Name = "CLEARSYSTEM\\test1" (16) NAS-IP-Address = 172.22.22.254 (16) Called-Station-Id = "001601dfe596" (16) Calling-Station-Id = "74da38d41a8b" (16) NAS-Identifier = "001601dfe596" (16) NAS-Port = 5 (16) Framed-MTU = 1400 (16) State = 0x5205bbdd5703a286e7a44a448065710e (16) NAS-Port-Type = Wireless-802.11 (16) EAP-Message = 0x020600351900170303002a0000000000000001e9ae658790bcf508c51af80646d2e96dbcf95fbb80c7aa0688d889cbd19217068129 (16) Message-Authenticator = 0x8a30e51d727a26dfab63163b3eca1458 (16) session-state: No cached attributes (16) # Executing section authorize from file /etc/raddb/sites-enabled/default (16) authorize { (16) policy filter_username { (16) if (&User-Name) { (16) if (&User-Name) -> TRUE (16) if (&User-Name) { (16) if (&User-Name =~ / /) { (16) if (&User-Name =~ / /) -> FALSE (16) if (&User-Name =~ /@[^@]*@/ ) { (16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (16) if (&User-Name =~ /\.\./ ) { (16) if (&User-Name =~ /\.\./ ) -> FALSE (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (16) if (&User-Name =~ /\.$/) { (16) if (&User-Name =~ /\.$/) -> FALSE (16) if (&User-Name =~ /@\./) { (16) if (&User-Name =~ /@\./) -> FALSE (16) } # if (&User-Name) = notfound (16) } # policy filter_username = notfound (16) [preprocess] = ok (16) [chap] = noop (16) [mschap] = noop (16) [digest] = noop (16) suffix: Checking for suffix after "@" (16) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (16) suffix: No such realm "NULL" (16) [suffix] = noop (16) ntdomain: Checking for prefix before "\" (16) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (16) ntdomain: Found realm "CLEARSYSTEM" (16) ntdomain: Adding Stripped-User-Name = "test1" (16) ntdomain: Adding Realm = "CLEARSYSTEM" (16) ntdomain: Authentication realm is LOCAL (16) [ntdomain] = ok (16) eap: Peer sent EAP Response (code 2) ID 6 length 53 (16) eap: Continuing tunnel setup (16) [eap] = ok (16) } # authorize = ok (16) Found Auth-Type = eap (16) # Executing group from file /etc/raddb/sites-enabled/default (16) authenticate { (16) eap: Expiring EAP session with state 0x5205bbdd5703a286 (16) eap: Finished EAP session with state 0x5205bbdd5703a286 (16) eap: Previous EAP request found for state 0x5205bbdd5703a286, released from the list (16) eap: Peer sent packet with method EAP PEAP (25) (16) eap: Calling submodule eap_peap to process data (16) eap_peap: Continuing EAP-TLS (16) eap_peap: [eaptls verify] = ok (16) eap_peap: Done initial handshake (16) eap_peap: [eaptls process] = ok (16) eap_peap: Session established. Decoding tunneled attributes (16) eap_peap: PEAP state WAITING FOR INNER IDENTITY (16) eap_peap: Identity - CLEARSYSTEM\test1 (16) eap_peap: Got inner identity 'CLEARSYSTEM\test1' (16) eap_peap: Setting default EAP type for tunneled EAP session (16) eap_peap: Got tunneled request (16) eap_peap: EAP-Message = 0x0206001601434c45415253595354454d5c7465737431 (16) eap_peap: Setting User-Name to CLEARSYSTEM\test1 (16) eap_peap: Sending tunneled request to inner-tunnel (16) eap_peap: EAP-Message = 0x0206001601434c45415253595354454d5c7465737431 (16) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (16) eap_peap: User-Name = "CLEARSYSTEM\\test1" (16) Virtual server inner-tunnel received request (16) EAP-Message = 0x0206001601434c45415253595354454d5c7465737431 (16) FreeRADIUS-Proxied-To = 127.0.0.1 (16) User-Name = "CLEARSYSTEM\\test1" (16) WARNING: Outer and inner identities are the same. User privacy is compromised. (16) server inner-tunnel { (16) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (16) authorize { (16) policy filter_username { (16) if (&User-Name) { (16) if (&User-Name) -> TRUE (16) if (&User-Name) { (16) if (&User-Name =~ / /) { (16) if (&User-Name =~ / /) -> FALSE (16) if (&User-Name =~ /@[^@]*@/ ) { (16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (16) if (&User-Name =~ /\.\./ ) { (16) if (&User-Name =~ /\.\./ ) -> FALSE (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (16) if (&User-Name =~ /\.$/) { (16) if (&User-Name =~ /\.$/) -> FALSE (16) if (&User-Name =~ /@\./) { (16) if (&User-Name =~ /@\./) -> FALSE (16) } # if (&User-Name) = notfound (16) } # policy filter_username = notfound (16) [chap] = noop (16) [mschap] = noop (16) suffix: Checking for suffix after "@" (16) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (16) suffix: No such realm "NULL" (16) [suffix] = noop (16) ntdomain: Checking for prefix before "\" (16) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (16) ntdomain: Found realm "CLEARSYSTEM" (16) ntdomain: Adding Stripped-User-Name = "test1" (16) ntdomain: Adding Realm = "CLEARSYSTEM" (16) ntdomain: Authentication realm is LOCAL (16) [ntdomain] = ok (16) update control { (16) &Proxy-To-Realm := LOCAL (16) } # update control = noop (16) eap: Peer sent EAP Response (code 2) ID 6 length 22 (16) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (16) [eap] = ok (16) } # authorize = ok (16) Found Auth-Type = eap (16) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (16) authenticate { (16) eap: Peer sent packet with method EAP Identity (1) (16) eap: Calling submodule eap_mschapv2 to process data (16) eap_mschapv2: Issuing Challenge (16) eap: Sending EAP Request (code 1) ID 7 length 43 (16) eap: EAP session adding &reply:State = 0x9f2abfcb9f2da540 (16) [eap] = handled (16) } # authenticate = handled (16) } # server inner-tunnel (16) Virtual server sending reply (16) EAP-Message = 0x0107002b1a0107002610ab071fbb0514782fb1bda2c0ac5e09c8667265657261646975732d332e302e3133 (16) Message-Authenticator = 0x00000000000000000000000000000000 (16) State = 0x9f2abfcb9f2da540a6c3ea21abac845a (16) eap_peap: Got tunneled reply code 11 (16) eap_peap: EAP-Message = 0x0107002b1a0107002610ab071fbb0514782fb1bda2c0ac5e09c8667265657261646975732d332e302e3133 (16) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (16) eap_peap: State = 0x9f2abfcb9f2da540a6c3ea21abac845a (16) eap_peap: Got tunneled reply RADIUS code 11 (16) eap_peap: EAP-Message = 0x0107002b1a0107002610ab071fbb0514782fb1bda2c0ac5e09c8667265657261646975732d332e302e3133 (16) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (16) eap_peap: State = 0x9f2abfcb9f2da540a6c3ea21abac845a (16) eap_peap: Got tunneled Access-Challenge (16) eap: Sending EAP Request (code 1) ID 7 length 74 (16) eap: EAP session adding &reply:State = 0x5205bbdd5402a286 (16) [eap] = handled (16) } # authenticate = handled (16) Using Post-Auth-Type Challenge (16) # Executing group from file /etc/raddb/sites-enabled/default (16) Challenge { ... } # empty sub-section is ignored (16) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (16) EAP-Message = 0x0107004a1900170303003f122ff0483babe9a513b02ec03d204efc57ab871b548e72aafff7ba98622273aa90a11010b9660956f197a045a87b30441d1c1d85195860ad5064611ed769d7 (16) Message-Authenticator = 0x00000000000000000000000000000000 (16) State = 0x5205bbdd5402a286e7a44a448065710e (16) Finished request Waking up in 4.9 seconds. (16) Cleaning up request packet ID 0 with timestamp +44 (17) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 250 (17) User-Name = "CLEARSYSTEM\\test1" (17) NAS-IP-Address = 172.22.22.254 (17) Called-Station-Id = "001601dfe596" (17) Calling-Station-Id = "74da38d41a8b" (17) NAS-Identifier = "001601dfe596" (17) NAS-Port = 5 (17) Framed-MTU = 1400 (17) State = 0x5205bbdd5402a286e7a44a448065710e (17) NAS-Port-Type = Wireless-802.11 (17) EAP-Message = 0x0207006b19001703030060000000000000000299fb53660f3339f803de24143aaa136dbbe1675bac64891edc1ae768085758bb81158d747f11b403c48bc4e5b936060a7a609a8ab04e3a89cc6b3c728d192b3da65f61401398db953f4170997389c9f34d07821ddde226e3 (17) Message-Authenticator = 0xfa99de92a4eace1085df9e301e533682 (17) session-state: No cached attributes (17) # Executing section authorize from file /etc/raddb/sites-enabled/default (17) authorize { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = notfound (17) } # policy filter_username = notfound (17) [preprocess] = ok (17) [chap] = noop (17) [mschap] = noop (17) [digest] = noop (17) suffix: Checking for suffix after "@" (17) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (17) suffix: No such realm "NULL" (17) [suffix] = noop (17) ntdomain: Checking for prefix before "\" (17) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (17) ntdomain: Found realm "CLEARSYSTEM" (17) ntdomain: Adding Stripped-User-Name = "test1" (17) ntdomain: Adding Realm = "CLEARSYSTEM" (17) ntdomain: Authentication realm is LOCAL (17) [ntdomain] = ok (17) eap: Peer sent EAP Response (code 2) ID 7 length 107 (17) eap: Continuing tunnel setup (17) [eap] = ok (17) } # authorize = ok (17) Found Auth-Type = eap (17) # Executing group from file /etc/raddb/sites-enabled/default (17) authenticate { (17) eap: Expiring EAP session with state 0x9f2abfcb9f2da540 (17) eap: Finished EAP session with state 0x5205bbdd5402a286 (17) eap: Previous EAP request found for state 0x5205bbdd5402a286, released from the list (17) eap: Peer sent packet with method EAP PEAP (25) (17) eap: Calling submodule eap_peap to process data (17) eap_peap: Continuing EAP-TLS (17) eap_peap: [eaptls verify] = ok (17) eap_peap: Done initial handshake (17) eap_peap: [eaptls process] = ok (17) eap_peap: Session established. Decoding tunneled attributes (17) eap_peap: PEAP state phase2 (17) eap_peap: EAP method MSCHAPv2 (26) (17) eap_peap: Got tunneled request (17) eap_peap: EAP-Message = 0x0207004c1a020700473158997abcf14dc72e0ca245a5dee28d1900000000000000006ae124b20068086b3497643a4966950e331dae11243fcd6f00434c45415253595354454d5c7465737431 (17) eap_peap: Setting User-Name to CLEARSYSTEM\test1 (17) eap_peap: Sending tunneled request to inner-tunnel (17) eap_peap: EAP-Message = 0x0207004c1a020700473158997abcf14dc72e0ca245a5dee28d1900000000000000006ae124b20068086b3497643a4966950e331dae11243fcd6f00434c45415253595354454d5c7465737431 (17) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (17) eap_peap: User-Name = "CLEARSYSTEM\\test1" (17) eap_peap: State = 0x9f2abfcb9f2da540a6c3ea21abac845a (17) Virtual server inner-tunnel received request (17) EAP-Message = 0x0207004c1a020700473158997abcf14dc72e0ca245a5dee28d1900000000000000006ae124b20068086b3497643a4966950e331dae11243fcd6f00434c45415253595354454d5c7465737431 (17) FreeRADIUS-Proxied-To = 127.0.0.1 (17) User-Name = "CLEARSYSTEM\\test1" (17) State = 0x9f2abfcb9f2da540a6c3ea21abac845a (17) WARNING: Outer and inner identities are the same. User privacy is compromised. (17) server inner-tunnel { (17) session-state: No cached attributes (17) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (17) authorize { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = notfound (17) } # policy filter_username = notfound (17) [chap] = noop (17) [mschap] = noop (17) suffix: Checking for suffix after "@" (17) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (17) suffix: No such realm "NULL" (17) [suffix] = noop (17) ntdomain: Checking for prefix before "\" (17) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (17) ntdomain: Found realm "CLEARSYSTEM" (17) ntdomain: Adding Stripped-User-Name = "test1" (17) ntdomain: Adding Realm = "CLEARSYSTEM" (17) ntdomain: Authentication realm is LOCAL (17) [ntdomain] = ok (17) update control { (17) &Proxy-To-Realm := LOCAL (17) } # update control = noop (17) eap: Peer sent EAP Response (code 2) ID 7 length 76 (17) eap: No EAP Start, assuming it's an on-going EAP conversation (17) [eap] = updated (17) files: Searching for user in group "allusers" rlm_ldap (ldap): Reserved connection (4) (17) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (17) files: --> (uid=test1) (17) files: Performing search in "dc=system,dc=lan" with filter "(uid=test1)", scope "sub" (17) files: Waiting for search result... (17) files: User object found at DN "cn=test1 test1,ou=Users,ou=Accounts,dc=system,dc=lan" (17) files: Checking user object's memberOf attributes (17) files: Performing unfiltered search in "cn=test1 test1,ou=Users,ou=Accounts,dc=system,dc=lan", scope "base" (17) files: Waiting for search result... (17) files: Processing memberOf value "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (17) files: Resolving group DN "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (17) files: Performing unfiltered search in "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (17) files: Waiting for search result... (17) files: Group DN "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "ftp_plugin" (17) files: Processing memberOf value "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (17) files: Resolving group DN "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (17) files: Performing unfiltered search in "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (17) files: Waiting for search result... (17) files: Group DN "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "web_proxy_plugin" (17) files: Processing memberOf value "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (17) files: Resolving group DN "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (17) files: Performing unfiltered search in "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (17) files: Waiting for search result... (17) files: Group DN "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "webupload" (17) files: Processing memberOf value "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (17) files: Resolving group DN "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (17) files: Performing unfiltered search in "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (17) files: Waiting for search result... (17) files: Group DN "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "allusers" (17) files: User found in group "allusers". Comparison between membership: name (resolved from DN "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan"), check: name rlm_ldap (ldap): Released connection (4) rlm_ldap (ldap): Closing connection (0), from 1 unused connections (17) [files] = noop rlm_ldap (ldap): Reserved connection (1) (17) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (17) ldap: --> (uid=test1) (17) ldap: Performing search in "dc=system,dc=lan" with filter "(uid=test1)", scope "sub" (17) ldap: Waiting for search result... (17) ldap: User object found at DN "cn=test1 test1,ou=Users,ou=Accounts,dc=system,dc=lan" (17) ldap: Processing user attributes (17) ldap: control:Password-With-Header += '{sha}tESsBmE/yNY3lb6a0L6vVQEZNqw=' rlm_ldap (ldap): Released connection (1) (17) [ldap] = updated (17) [expiration] = noop (17) [logintime] = noop (17) pap: Converted: &control:Password-With-Header -> &control:SHA1-Password (17) pap: Removing &control:Password-With-Header (17) pap: Normalizing SHA1-Password from base64 encoding, 28 bytes -> 20 bytes (17) pap: WARNING: Auth-Type already set. Not setting to PAP (17) [pap] = noop (17) } # authorize = updated (17) Found Auth-Type = eap (17) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (17) authenticate { (17) eap: Expiring EAP session with state 0x9f2abfcb9f2da540 (17) eap: Finished EAP session with state 0x9f2abfcb9f2da540 (17) eap: Previous EAP request found for state 0x9f2abfcb9f2da540, released from the list (17) eap: Peer sent packet with method EAP MSCHAPv2 (26) (17) eap: Calling submodule eap_mschapv2 to process data (17) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (17) eap_mschapv2: authenticate { (17) mschap: Creating challenge hash with username: test1 (17) mschap: Client is using MS-CHAPv2 (17) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (17) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (17) mschap: --> --username=test1 (17) mschap: Creating challenge hash with username: test1 (17) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (17) mschap: --> --challenge=259875cdeba4749e (17) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (17) mschap: --> --nt-response=6ae124b20068086b3497643a4966950e331dae11243fcd6f (17) mschap: Program returned code (0) and output 'NT_KEY: DAE53F1776DBD0817C5639A27629A27D' (17) mschap: Adding MS-CHAPv2 MPPE keys (17) [mschap] = ok (17) } # authenticate = ok (17) MSCHAP Success (17) eap: Sending EAP Request (code 1) ID 8 length 51 (17) eap: EAP session adding &reply:State = 0x9f2abfcb9e22a540 (17) [eap] = handled (17) } # authenticate = handled (17) } # server inner-tunnel (17) Virtual server sending reply (17) EAP-Message = 0x010800331a0307002e533d34453836303736424638434130354230383244423136383334433839364133464331464146343135 (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0x9f2abfcb9e22a540a6c3ea21abac845a (17) eap_peap: Got tunneled reply code 11 (17) eap_peap: EAP-Message = 0x010800331a0307002e533d34453836303736424638434130354230383244423136383334433839364133464331464146343135 (17) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (17) eap_peap: State = 0x9f2abfcb9e22a540a6c3ea21abac845a (17) eap_peap: Got tunneled reply RADIUS code 11 (17) eap_peap: EAP-Message = 0x010800331a0307002e533d34453836303736424638434130354230383244423136383334433839364133464331464146343135 (17) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (17) eap_peap: State = 0x9f2abfcb9e22a540a6c3ea21abac845a (17) eap_peap: Got tunneled Access-Challenge (17) eap: Sending EAP Request (code 1) ID 8 length 82 (17) eap: EAP session adding &reply:State = 0x5205bbdd550da286 (17) [eap] = handled (17) } # authenticate = handled (17) Using Post-Auth-Type Challenge (17) # Executing group from file /etc/raddb/sites-enabled/default (17) Challenge { ... } # empty sub-section is ignored (17) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (17) EAP-Message = 0x0108005219001703030047122ff0483babe9a629ef7e39c3646169247fd488b6a98ca283175ebbc1280cb371a00156e2a8b26a3a7c4757c476af1fecdda2a199fe60a6cc1e085515cc6af0acbed0445bea81 (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0x5205bbdd550da286e7a44a448065710e (17) Finished request Waking up in 4.9 seconds. (17) Cleaning up request packet ID 0 with timestamp +44 (18) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 180 (18) User-Name = "CLEARSYSTEM\\test1" (18) NAS-IP-Address = 172.22.22.254 (18) Called-Station-Id = "001601dfe596" (18) Calling-Station-Id = "74da38d41a8b" (18) NAS-Identifier = "001601dfe596" (18) NAS-Port = 5 (18) Framed-MTU = 1400 (18) State = 0x5205bbdd550da286e7a44a448065710e (18) NAS-Port-Type = Wireless-802.11 (18) EAP-Message = 0x020800251900170303001a0000000000000003ca0270723e03845843b2cb34cebae8dbe894 (18) Message-Authenticator = 0xa3f3022ca15ddf63716794674aad60fe (18) session-state: No cached attributes (18) # Executing section authorize from file /etc/raddb/sites-enabled/default (18) authorize { (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = notfound (18) } # policy filter_username = notfound (18) [preprocess] = ok (18) [chap] = noop (18) [mschap] = noop (18) [digest] = noop (18) suffix: Checking for suffix after "@" (18) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (18) suffix: No such realm "NULL" (18) [suffix] = noop (18) ntdomain: Checking for prefix before "\" (18) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (18) ntdomain: Found realm "CLEARSYSTEM" (18) ntdomain: Adding Stripped-User-Name = "test1" (18) ntdomain: Adding Realm = "CLEARSYSTEM" (18) ntdomain: Authentication realm is LOCAL (18) [ntdomain] = ok (18) eap: Peer sent EAP Response (code 2) ID 8 length 37 (18) eap: Continuing tunnel setup (18) [eap] = ok (18) } # authorize = ok (18) Found Auth-Type = eap (18) # Executing group from file /etc/raddb/sites-enabled/default (18) authenticate { (18) eap: Expiring EAP session with state 0x9f2abfcb9e22a540 (18) eap: Finished EAP session with state 0x5205bbdd550da286 (18) eap: Previous EAP request found for state 0x5205bbdd550da286, released from the list (18) eap: Peer sent packet with method EAP PEAP (25) (18) eap: Calling submodule eap_peap to process data (18) eap_peap: Continuing EAP-TLS (18) eap_peap: [eaptls verify] = ok (18) eap_peap: Done initial handshake (18) eap_peap: [eaptls process] = ok (18) eap_peap: Session established. Decoding tunneled attributes (18) eap_peap: PEAP state phase2 (18) eap_peap: EAP method MSCHAPv2 (26) (18) eap_peap: Got tunneled request (18) eap_peap: EAP-Message = 0x020800061a03 (18) eap_peap: Setting User-Name to CLEARSYSTEM\test1 (18) eap_peap: Sending tunneled request to inner-tunnel (18) eap_peap: EAP-Message = 0x020800061a03 (18) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (18) eap_peap: User-Name = "CLEARSYSTEM\\test1" (18) eap_peap: State = 0x9f2abfcb9e22a540a6c3ea21abac845a (18) Virtual server inner-tunnel received request (18) EAP-Message = 0x020800061a03 (18) FreeRADIUS-Proxied-To = 127.0.0.1 (18) User-Name = "CLEARSYSTEM\\test1" (18) State = 0x9f2abfcb9e22a540a6c3ea21abac845a (18) WARNING: Outer and inner identities are the same. User privacy is compromised. (18) server inner-tunnel { (18) session-state: No cached attributes (18) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (18) authorize { (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = notfound (18) } # policy filter_username = notfound (18) [chap] = noop (18) [mschap] = noop (18) suffix: Checking for suffix after "@" (18) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (18) suffix: No such realm "NULL" (18) [suffix] = noop (18) ntdomain: Checking for prefix before "\" (18) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (18) ntdomain: Found realm "CLEARSYSTEM" (18) ntdomain: Adding Stripped-User-Name = "test1" (18) ntdomain: Adding Realm = "CLEARSYSTEM" (18) ntdomain: Authentication realm is LOCAL (18) [ntdomain] = ok (18) update control { (18) &Proxy-To-Realm := LOCAL (18) } # update control = noop (18) eap: Peer sent EAP Response (code 2) ID 8 length 6 (18) eap: No EAP Start, assuming it's an on-going EAP conversation (18) [eap] = updated (18) files: Searching for user in group "allusers" rlm_ldap (ldap): Reserved connection (2) (18) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (18) files: --> (uid=test1) (18) files: Performing search in "dc=system,dc=lan" with filter "(uid=test1)", scope "sub" (18) files: Waiting for search result... (18) files: User object found at DN "cn=test1 test1,ou=Users,ou=Accounts,dc=system,dc=lan" (18) files: Checking user object's memberOf attributes (18) files: Performing unfiltered search in "cn=test1 test1,ou=Users,ou=Accounts,dc=system,dc=lan", scope "base" (18) files: Waiting for search result... (18) files: Processing memberOf value "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (18) files: Resolving group DN "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (18) files: Performing unfiltered search in "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (18) files: Waiting for search result... (18) files: Group DN "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "ftp_plugin" (18) files: Processing memberOf value "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (18) files: Resolving group DN "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (18) files: Performing unfiltered search in "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (18) files: Waiting for search result... (18) files: Group DN "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "web_proxy_plugin" (18) files: Processing memberOf value "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (18) files: Resolving group DN "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (18) files: Performing unfiltered search in "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (18) files: Waiting for search result... (18) files: Group DN "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "webupload" (18) files: Processing memberOf value "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (18) files: Resolving group DN "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (18) files: Performing unfiltered search in "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (18) files: Waiting for search result... (18) files: Group DN "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "allusers" (18) files: User found in group "allusers". Comparison between membership: name (resolved from DN "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=l?"), check: name rlm_ldap (ldap): Released connection (2) (18) [files] = noop rlm_ldap (ldap): Reserved connection (3) (18) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (18) ldap: --> (uid=test1) (18) ldap: Performing search in "dc=system,dc=lan" with filter "(uid=test1)", scope "sub" (18) ldap: Waiting for search result... (18) ldap: User object found at DN "cn=test1 test1,ou=Users,ou=Accounts,dc=system,dc=lan" (18) ldap: Processing user attributes (18) ldap: control:Password-With-Header += '{sha}tESsBmE/yNY3lb6a0L6vVQEZNqw=' rlm_ldap (ldap): Released connection (3) (18) [ldap] = updated (18) [expiration] = noop (18) [logintime] = noop (18) pap: Converted: &control:Password-With-Header -> &control:SHA1-Password (18) pap: Removing &control:Password-With-Header (18) pap: Normalizing SHA1-Password from base64 encoding, 28 bytes -> 20 bytes (18) pap: WARNING: Auth-Type already set. Not setting to PAP (18) [pap] = noop (18) } # authorize = updated (18) Found Auth-Type = eap (18) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (18) authenticate { (18) eap: Expiring EAP session with state 0x9f2abfcb9e22a540 (18) eap: Finished EAP session with state 0x9f2abfcb9e22a540 (18) eap: Previous EAP request found for state 0x9f2abfcb9e22a540, released from the list (18) eap: Peer sent packet with method EAP MSCHAPv2 (26) (18) eap: Calling submodule eap_mschapv2 to process data (18) eap: Sending EAP Success (code 3) ID 8 length 4 (18) eap: Freeing handler (18) [eap] = ok (18) } # authenticate = ok (18) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (18) post-auth { (18) if (0) { (18) if (0) -> FALSE (18) } # post-auth = noop (18) } # server inner-tunnel (18) Virtual server sending reply (18) MS-MPPE-Encryption-Policy = Encryption-Allowed (18) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (18) MS-MPPE-Send-Key = 0x9f37c0e1d4ae81eaea7ac004f3bb5134 (18) MS-MPPE-Recv-Key = 0x8f50bbb6f8efe9070c7af89a4d834531 (18) EAP-Message = 0x03080004 (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) Stripped-User-Name = "test1" (18) eap_peap: Got tunneled reply code 2 (18) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (18) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (18) eap_peap: MS-MPPE-Send-Key = 0x9f37c0e1d4ae81eaea7ac004f3bb5134 (18) eap_peap: MS-MPPE-Recv-Key = 0x8f50bbb6f8efe9070c7af89a4d834531 (18) eap_peap: EAP-Message = 0x03080004 (18) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (18) eap_peap: Stripped-User-Name = "test1" (18) eap_peap: Got tunneled reply RADIUS code 2 (18) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (18) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (18) eap_peap: MS-MPPE-Send-Key = 0x9f37c0e1d4ae81eaea7ac004f3bb5134 (18) eap_peap: MS-MPPE-Recv-Key = 0x8f50bbb6f8efe9070c7af89a4d834531 (18) eap_peap: EAP-Message = 0x03080004 (18) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (18) eap_peap: Stripped-User-Name = "test1" (18) eap_peap: Tunneled authentication was successful (18) eap_peap: SUCCESS (18) eap: Sending EAP Request (code 1) ID 9 length 46 (18) eap: EAP session adding &reply:State = 0x5205bbdd5a0ca286 (18) [eap] = handled (18) } # authenticate = handled (18) Using Post-Auth-Type Challenge (18) # Executing group from file /etc/raddb/sites-enabled/default (18) Challenge { ... } # empty sub-section is ignored (18) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (18) EAP-Message = 0x0109002e19001703030023122ff0483babe9a792158bc6ad78757a858837b878ce0bc7a162c340720b68c2f14dff (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) State = 0x5205bbdd5a0ca286e7a44a448065710e (18) Finished request Waking up in 4.9 seconds. (18) Cleaning up request packet ID 0 with timestamp +44 (19) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 189 (19) User-Name = "CLEARSYSTEM\\test1" (19) NAS-IP-Address = 172.22.22.254 (19) Called-Station-Id = "001601dfe596" (19) Calling-Station-Id = "74da38d41a8b" (19) NAS-Identifier = "001601dfe596" (19) NAS-Port = 5 (19) Framed-MTU = 1400 (19) State = 0x5205bbdd5a0ca286e7a44a448065710e (19) NAS-Port-Type = Wireless-802.11 (19) EAP-Message = 0x0209002e190017030300230000000000000004b670ecb66f45a52089029ef2d2526cd88f998a49f04e0a33532b8f (19) Message-Authenticator = 0x1547e8623f812242aa168cffa15b4bf4 (19) session-state: No cached attributes (19) # Executing section authorize from file /etc/raddb/sites-enabled/default (19) authorize { (19) policy filter_username { (19) if (&User-Name) { (19) if (&User-Name) -> TRUE (19) if (&User-Name) { (19) if (&User-Name =~ / /) { (19) if (&User-Name =~ / /) -> FALSE (19) if (&User-Name =~ /@[^@]*@/ ) { (19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (19) if (&User-Name =~ /\.\./ ) { (19) if (&User-Name =~ /\.\./ ) -> FALSE (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (19) if (&User-Name =~ /\.$/) { (19) if (&User-Name =~ /\.$/) -> FALSE (19) if (&User-Name =~ /@\./) { (19) if (&User-Name =~ /@\./) -> FALSE (19) } # if (&User-Name) = notfound (19) } # policy filter_username = notfound (19) [preprocess] = ok (19) [chap] = noop (19) [mschap] = noop (19) [digest] = noop (19) suffix: Checking for suffix after "@" (19) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (19) suffix: No such realm "NULL" (19) [suffix] = noop (19) ntdomain: Checking for prefix before "\" (19) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (19) ntdomain: Found realm "CLEARSYSTEM" (19) ntdomain: Adding Stripped-User-Name = "test1" (19) ntdomain: Adding Realm = "CLEARSYSTEM" (19) ntdomain: Authentication realm is LOCAL (19) [ntdomain] = ok (19) eap: Peer sent EAP Response (code 2) ID 9 length 46 (19) eap: Continuing tunnel setup (19) [eap] = ok (19) } # authorize = ok (19) Found Auth-Type = eap (19) # Executing group from file /etc/raddb/sites-enabled/default (19) authenticate { (19) eap: Expiring EAP session with state 0x5205bbdd5a0ca286 (19) eap: Finished EAP session with state 0x5205bbdd5a0ca286 (19) eap: Previous EAP request found for state 0x5205bbdd5a0ca286, released from the list (19) eap: Peer sent packet with method EAP PEAP (25) (19) eap: Calling submodule eap_peap to process data (19) eap_peap: Continuing EAP-TLS (19) eap_peap: [eaptls verify] = ok (19) eap_peap: Done initial handshake (19) eap_peap: [eaptls process] = ok (19) eap_peap: Session established. Decoding tunneled attributes (19) eap_peap: PEAP state send tlv success (19) eap_peap: Received EAP-TLV response (19) eap_peap: Success (19) eap: Sending EAP Success (code 3) ID 9 length 4 (19) eap: Freeing handler (19) [eap] = ok (19) } # authenticate = ok (19) # Executing section post-auth from file /etc/raddb/sites-enabled/default (19) post-auth { (19) update { (19) No attributes updated (19) } # update = noop (19) [exec] = noop (19) policy remove_reply_message_if_eap { (19) if (&reply:EAP-Message && &reply:Reply-Message) { (19) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (19) else { (19) [noop] = noop (19) } # else = noop (19) } # policy remove_reply_message_if_eap = noop (19) } # post-auth = noop (19) Sent Access-Accept Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (19) MS-MPPE-Recv-Key = 0x2a974e72a8e47133de5164a69bcadf7e50cb5b8e597302ea8864926ace2ad5fa (19) MS-MPPE-Send-Key = 0xa82102166fbb9ded233362e3ee602ba3dc3e63538e8cf48d2a1db1c6eb7fe9b6 (19) EAP-Message = 0x03090004 (19) Message-Authenticator = 0x00000000000000000000000000000000 (19) Finished request Waking up in 4.9 seconds. (19) Cleaning up request packet ID 0 with timestamp +44 Ready to process requests (20) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 147 (20) User-Name = "CLEARSYSTEM\\test1" (20) NAS-IP-Address = 172.22.22.254 (20) Called-Station-Id = "001601dfe596" (20) Calling-Station-Id = "74da38d41a8b" (20) NAS-Identifier = "001601dfe596" (20) NAS-Port = 5 (20) Framed-MTU = 1400 (20) NAS-Port-Type = Wireless-802.11 (20) EAP-Message = 0x0200001601434c45415253595354454d5c7465737431 (20) Message-Authenticator = 0x9933ba7d639c9f63e9cb320a8b41e98f (20) # Executing section authorize from file /etc/raddb/sites-enabled/default (20) authorize { (20) policy filter_username { (20) if (&User-Name) { (20) if (&User-Name) -> TRUE (20) if (&User-Name) { (20) if (&User-Name =~ / /) { (20) if (&User-Name =~ / /) -> FALSE (20) if (&User-Name =~ /@[^@]*@/ ) { (20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (20) if (&User-Name =~ /\.\./ ) { (20) if (&User-Name =~ /\.\./ ) -> FALSE (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (20) if (&User-Name =~ /\.$/) { (20) if (&User-Name =~ /\.$/) -> FALSE (20) if (&User-Name =~ /@\./) { (20) if (&User-Name =~ /@\./) -> FALSE (20) } # if (&User-Name) = notfound (20) } # policy filter_username = notfound (20) [preprocess] = ok (20) [chap] = noop (20) [mschap] = noop (20) [digest] = noop (20) suffix: Checking for suffix after "@" (20) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (20) suffix: No such realm "NULL" (20) [suffix] = noop (20) ntdomain: Checking for prefix before "\" (20) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (20) ntdomain: Found realm "CLEARSYSTEM" (20) ntdomain: Adding Stripped-User-Name = "test1" (20) ntdomain: Adding Realm = "CLEARSYSTEM" (20) ntdomain: Authentication realm is LOCAL (20) [ntdomain] = ok (20) eap: Peer sent EAP Response (code 2) ID 0 length 22 (20) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (20) [eap] = ok (20) } # authorize = ok (20) Found Auth-Type = eap (20) # Executing group from file /etc/raddb/sites-enabled/default (20) authenticate { (20) eap: Peer sent packet with method EAP Identity (1) (20) eap: Calling submodule eap_peap to process data (20) eap_peap: Initiating new EAP-TLS session (20) eap_peap: [eaptls start] = request (20) eap: Sending EAP Request (code 1) ID 1 length 6 (20) eap: EAP session adding &reply:State = 0xfa6d51bcfa6c4896 (20) [eap] = handled (20) } # authenticate = handled (20) Using Post-Auth-Type Challenge (20) # Executing group from file /etc/raddb/sites-enabled/default (20) Challenge { ... } # empty sub-section is ignored (20) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (20) EAP-Message = 0x010100061920 (20) Message-Authenticator = 0x00000000000000000000000000000000 (20) State = 0xfa6d51bcfa6c489698062bca06912e67 (20) Finished request Waking up in 4.9 seconds. (20) Cleaning up request packet ID 0 with timestamp +52 (21) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 309 (21) User-Name = "CLEARSYSTEM\\test1" (21) NAS-IP-Address = 172.22.22.254 (21) Called-Station-Id = "001601dfe596" (21) Calling-Station-Id = "74da38d41a8b" (21) NAS-Identifier = "001601dfe596" (21) NAS-Port = 5 (21) Framed-MTU = 1400 (21) State = 0xfa6d51bcfa6c489698062bca06912e67 (21) NAS-Port-Type = Wireless-802.11 (21) EAP-Message = 0x020100a619800000009c16030300970100009303035af2cd4182a5d752449f9f3c82907f8a3241b08562a2f580b7510c209b1ad8ee00002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d (21) Message-Authenticator = 0xd7ca5568b71b5db979cc885bbb70864c (21) session-state: No cached attributes (21) # Executing section authorize from file /etc/raddb/sites-enabled/default (21) authorize { (21) policy filter_username { (21) if (&User-Name) { (21) if (&User-Name) -> TRUE (21) if (&User-Name) { (21) if (&User-Name =~ / /) { (21) if (&User-Name =~ / /) -> FALSE (21) if (&User-Name =~ /@[^@]*@/ ) { (21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (21) if (&User-Name =~ /\.\./ ) { (21) if (&User-Name =~ /\.\./ ) -> FALSE (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (21) if (&User-Name =~ /\.$/) { (21) if (&User-Name =~ /\.$/) -> FALSE (21) if (&User-Name =~ /@\./) { (21) if (&User-Name =~ /@\./) -> FALSE (21) } # if (&User-Name) = notfound (21) } # policy filter_username = notfound (21) [preprocess] = ok (21) [chap] = noop (21) [mschap] = noop (21) [digest] = noop (21) suffix: Checking for suffix after "@" (21) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (21) suffix: No such realm "NULL" (21) [suffix] = noop (21) ntdomain: Checking for prefix before "\" (21) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (21) ntdomain: Found realm "CLEARSYSTEM" (21) ntdomain: Adding Stripped-User-Name = "test1" (21) ntdomain: Adding Realm = "CLEARSYSTEM" (21) ntdomain: Authentication realm is LOCAL (21) [ntdomain] = ok (21) eap: Peer sent EAP Response (code 2) ID 1 length 166 (21) eap: Continuing tunnel setup (21) [eap] = ok (21) } # authorize = ok (21) Found Auth-Type = eap (21) # Executing group from file /etc/raddb/sites-enabled/default (21) authenticate { (21) eap: Expiring EAP session with state 0xfa6d51bcfa6c4896 (21) eap: Finished EAP session with state 0xfa6d51bcfa6c4896 (21) eap: Previous EAP request found for state 0xfa6d51bcfa6c4896, released from the list (21) eap: Peer sent packet with method EAP PEAP (25) (21) eap: Calling submodule eap_peap to process data (21) eap_peap: Continuing EAP-TLS (21) eap_peap: Peer indicated complete TLS record size will be 156 bytes (21) eap_peap: Got complete TLS record (156 bytes) (21) eap_peap: [eaptls verify] = length included (21) eap_peap: (other): before/accept initialization (21) eap_peap: TLS_accept: before/accept initialization (21) eap_peap: <<< recv TLS 1.2 [length 0097] (21) eap_peap: TLS_accept: SSLv3 read client hello A (21) eap_peap: >>> send TLS 1.2 [length 0039] (21) eap_peap: TLS_accept: SSLv3 write server hello A (21) eap_peap: >>> send TLS 1.2 [length 08bd] (21) eap_peap: TLS_accept: SSLv3 write certificate A (21) eap_peap: >>> send TLS 1.2 [length 014d] (21) eap_peap: TLS_accept: SSLv3 write key exchange A (21) eap_peap: >>> send TLS 1.2 [length 0004] (21) eap_peap: TLS_accept: SSLv3 write server done A (21) eap_peap: TLS_accept: SSLv3 flush data (21) eap_peap: TLS_accept: SSLv3 read client certificate A (21) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (21) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (21) eap_peap: In SSL Handshake Phase (21) eap_peap: In SSL Accept mode (21) eap_peap: [eaptls process] = handled (21) eap: Sending EAP Request (code 1) ID 2 length 1004 (21) eap: EAP session adding &reply:State = 0xfa6d51bcfb6f4896 (21) [eap] = handled (21) } # authenticate = handled (21) Using Post-Auth-Type Challenge (21) # Executing group from file /etc/raddb/sites-enabled/default (21) Challenge { ... } # empty sub-section is ignored (21) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (21) EAP-Message = 0x010203ec19c000000a5b1603030039020000350303efe7db12e59487a4ce090d0f4ba3b259512e5009c80752cd2d3f4b01afc6b7ed00c03000000dff01000100000b00040300010216030308bd0b0008b90008b60003fb308203f7308202dfa003020102020101300d06092a864886f70d01010b050030 (21) Message-Authenticator = 0x00000000000000000000000000000000 (21) State = 0xfa6d51bcfb6f489698062bca06912e67 (21) Finished request Waking up in 4.9 seconds. (21) Cleaning up request packet ID 0 with timestamp +53 (22) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 149 (22) User-Name = "CLEARSYSTEM\\test1" (22) NAS-IP-Address = 172.22.22.254 (22) Called-Station-Id = "001601dfe596" (22) Calling-Station-Id = "74da38d41a8b" (22) NAS-Identifier = "001601dfe596" (22) NAS-Port = 5 (22) Framed-MTU = 1400 (22) State = 0xfa6d51bcfb6f489698062bca06912e67 (22) NAS-Port-Type = Wireless-802.11 (22) EAP-Message = 0x020200061900 (22) Message-Authenticator = 0xa6e13757d66ca64391cce7904f9323cb (22) session-state: No cached attributes (22) # Executing section authorize from file /etc/raddb/sites-enabled/default (22) authorize { (22) policy filter_username { (22) if (&User-Name) { (22) if (&User-Name) -> TRUE (22) if (&User-Name) { (22) if (&User-Name =~ / /) { (22) if (&User-Name =~ / /) -> FALSE (22) if (&User-Name =~ /@[^@]*@/ ) { (22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (22) if (&User-Name =~ /\.\./ ) { (22) if (&User-Name =~ /\.\./ ) -> FALSE (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (22) if (&User-Name =~ /\.$/) { (22) if (&User-Name =~ /\.$/) -> FALSE (22) if (&User-Name =~ /@\./) { (22) if (&User-Name =~ /@\./) -> FALSE (22) } # if (&User-Name) = notfound (22) } # policy filter_username = notfound (22) [preprocess] = ok (22) [chap] = noop (22) [mschap] = noop (22) [digest] = noop (22) suffix: Checking for suffix after "@" (22) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (22) suffix: No such realm "NULL" (22) [suffix] = noop (22) ntdomain: Checking for prefix before "\" (22) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (22) ntdomain: Found realm "CLEARSYSTEM" (22) ntdomain: Adding Stripped-User-Name = "test1" (22) ntdomain: Adding Realm = "CLEARSYSTEM" (22) ntdomain: Authentication realm is LOCAL (22) [ntdomain] = ok (22) eap: Peer sent EAP Response (code 2) ID 2 length 6 (22) eap: Continuing tunnel setup (22) [eap] = ok (22) } # authorize = ok (22) Found Auth-Type = eap (22) # Executing group from file /etc/raddb/sites-enabled/default (22) authenticate { (22) eap: Expiring EAP session with state 0xfa6d51bcfb6f4896 (22) eap: Finished EAP session with state 0xfa6d51bcfb6f4896 (22) eap: Previous EAP request found for state 0xfa6d51bcfb6f4896, released from the list (22) eap: Peer sent packet with method EAP PEAP (25) (22) eap: Calling submodule eap_peap to process data (22) eap_peap: Continuing EAP-TLS (22) eap_peap: Peer ACKed our handshake fragment (22) eap_peap: [eaptls verify] = request (22) eap_peap: [eaptls process] = handled (22) eap: Sending EAP Request (code 1) ID 3 length 1000 (22) eap: EAP session adding &reply:State = 0xfa6d51bcf86e4896 (22) [eap] = handled (22) } # authenticate = handled (22) Using Post-Auth-Type Challenge (22) # Executing group from file /etc/raddb/sites-enabled/default (22) Challenge { ... } # empty sub-section is ignored (22) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (22) EAP-Message = 0x010303e819408444f5b804aa2d65ef2b23820bb1bf1bfcb24df6bd03eabe61d7bb630cfd9fd6165d19f24d23925593c04c7ec13d5afe51369fe487605e2de3073d043a15e72448712bca946e329e81ff36cebcdfe8be08dc6490da38ed9147e7eac88af7f25487bee0ef80700004b5308204b130820399 (22) Message-Authenticator = 0x00000000000000000000000000000000 (22) State = 0xfa6d51bcf86e489698062bca06912e67 (22) Finished request Waking up in 4.9 seconds. (22) Cleaning up request packet ID 0 with timestamp +53 (23) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 149 (23) User-Name = "CLEARSYSTEM\\test1" (23) NAS-IP-Address = 172.22.22.254 (23) Called-Station-Id = "001601dfe596" (23) Calling-Station-Id = "74da38d41a8b" (23) NAS-Identifier = "001601dfe596" (23) NAS-Port = 5 (23) Framed-MTU = 1400 (23) State = 0xfa6d51bcf86e489698062bca06912e67 (23) NAS-Port-Type = Wireless-802.11 (23) EAP-Message = 0x020300061900 (23) Message-Authenticator = 0x12fe245e46b21f527d4441886e6f31df (23) session-state: No cached attributes (23) # Executing section authorize from file /etc/raddb/sites-enabled/default (23) authorize { (23) policy filter_username { (23) if (&User-Name) { (23) if (&User-Name) -> TRUE (23) if (&User-Name) { (23) if (&User-Name =~ / /) { (23) if (&User-Name =~ / /) -> FALSE (23) if (&User-Name =~ /@[^@]*@/ ) { (23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (23) if (&User-Name =~ /\.\./ ) { (23) if (&User-Name =~ /\.\./ ) -> FALSE (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (23) if (&User-Name =~ /\.$/) { (23) if (&User-Name =~ /\.$/) -> FALSE (23) if (&User-Name =~ /@\./) { (23) if (&User-Name =~ /@\./) -> FALSE (23) } # if (&User-Name) = notfound (23) } # policy filter_username = notfound (23) [preprocess] = ok (23) [chap] = noop (23) [mschap] = noop (23) [digest] = noop (23) suffix: Checking for suffix after "@" (23) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (23) suffix: No such realm "NULL" (23) [suffix] = noop (23) ntdomain: Checking for prefix before "\" (23) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (23) ntdomain: Found realm "CLEARSYSTEM" (23) ntdomain: Adding Stripped-User-Name = "test1" (23) ntdomain: Adding Realm = "CLEARSYSTEM" (23) ntdomain: Authentication realm is LOCAL (23) [ntdomain] = ok (23) eap: Peer sent EAP Response (code 2) ID 3 length 6 (23) eap: Continuing tunnel setup (23) [eap] = ok (23) } # authorize = ok (23) Found Auth-Type = eap (23) # Executing group from file /etc/raddb/sites-enabled/default (23) authenticate { (23) eap: Expiring EAP session with state 0xfa6d51bcf86e4896 (23) eap: Finished EAP session with state 0xfa6d51bcf86e4896 (23) eap: Previous EAP request found for state 0xfa6d51bcf86e4896, released from the list (23) eap: Peer sent packet with method EAP PEAP (25) (23) eap: Calling submodule eap_peap to process data (23) eap_peap: Continuing EAP-TLS (23) eap_peap: Peer ACKed our handshake fragment (23) eap_peap: [eaptls verify] = request (23) eap_peap: [eaptls process] = handled (23) eap: Sending EAP Request (code 1) ID 4 length 669 (23) eap: EAP session adding &reply:State = 0xfa6d51bcf9694896 (23) [eap] = handled (23) } # authenticate = handled (23) Using Post-Auth-Type Challenge (23) # Executing group from file /etc/raddb/sites-enabled/default (23) Challenge { ... } # empty sub-section is ignored (23) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (23) EAP-Message = 0x0104029d1900278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101000132a42023b4da19cd0464809979cba06e09409f4cbae9db226b41b48d0c97de8fa6092c00476cb9f16399e310996fb68c40e69b10 (23) Message-Authenticator = 0x00000000000000000000000000000000 (23) State = 0xfa6d51bcf969489698062bca06912e67 (23) Finished request Waking up in 4.9 seconds. (23) Cleaning up request packet ID 0 with timestamp +53 (24) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 279 (24) User-Name = "CLEARSYSTEM\\test1" (24) NAS-IP-Address = 172.22.22.254 (24) Called-Station-Id = "001601dfe596" (24) Calling-Station-Id = "74da38d41a8b" (24) NAS-Identifier = "001601dfe596" (24) NAS-Port = 5 (24) Framed-MTU = 1400 (24) State = 0xfa6d51bcf969489698062bca06912e67 (24) NAS-Port-Type = Wireless-802.11 (24) EAP-Message = 0x0204008819800000007e16030300461000004241049e1a625d2b93e6a0c9c56f2c9ac9ff69abdc4f1ca93b1351d875e78f8aa12296537dfac26fda08297759aa812bdcd6a246e57257ee8f71aa07939bb4a5f5f6a914030300010116030300280000000000000000c1c16214c7db50ef874f9234cd8c36 (24) Message-Authenticator = 0xef04f914f34ef56740417c68c8f84c29 (24) session-state: No cached attributes (24) # Executing section authorize from file /etc/raddb/sites-enabled/default (24) authorize { (24) policy filter_username { (24) if (&User-Name) { (24) if (&User-Name) -> TRUE (24) if (&User-Name) { (24) if (&User-Name =~ / /) { (24) if (&User-Name =~ / /) -> FALSE (24) if (&User-Name =~ /@[^@]*@/ ) { (24) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (24) if (&User-Name =~ /\.\./ ) { (24) if (&User-Name =~ /\.\./ ) -> FALSE (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (24) if (&User-Name =~ /\.$/) { (24) if (&User-Name =~ /\.$/) -> FALSE (24) if (&User-Name =~ /@\./) { (24) if (&User-Name =~ /@\./) -> FALSE (24) } # if (&User-Name) = notfound (24) } # policy filter_username = notfound (24) [preprocess] = ok (24) [chap] = noop (24) [mschap] = noop (24) [digest] = noop (24) suffix: Checking for suffix after "@" (24) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (24) suffix: No such realm "NULL" (24) [suffix] = noop (24) ntdomain: Checking for prefix before "\" (24) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (24) ntdomain: Found realm "CLEARSYSTEM" (24) ntdomain: Adding Stripped-User-Name = "test1" (24) ntdomain: Adding Realm = "CLEARSYSTEM" (24) ntdomain: Authentication realm is LOCAL (24) [ntdomain] = ok (24) eap: Peer sent EAP Response (code 2) ID 4 length 136 (24) eap: Continuing tunnel setup (24) [eap] = ok (24) } # authorize = ok (24) Found Auth-Type = eap (24) # Executing group from file /etc/raddb/sites-enabled/default (24) authenticate { (24) eap: Expiring EAP session with state 0xfa6d51bcf9694896 (24) eap: Finished EAP session with state 0xfa6d51bcf9694896 (24) eap: Previous EAP request found for state 0xfa6d51bcf9694896, released from the list (24) eap: Peer sent packet with method EAP PEAP (25) (24) eap: Calling submodule eap_peap to process data (24) eap_peap: Continuing EAP-TLS (24) eap_peap: Peer indicated complete TLS record size will be 126 bytes (24) eap_peap: Got complete TLS record (126 bytes) (24) eap_peap: [eaptls verify] = length included (24) eap_peap: <<< recv TLS 1.2 [length 0046] (24) eap_peap: TLS_accept: SSLv3 read client key exchange A (24) eap_peap: TLS_accept: SSLv3 read certificate verify A (24) eap_peap: <<< recv TLS 1.2 [length 0001] (24) eap_peap: <<< recv TLS 1.2 [length 0010] (24) eap_peap: TLS_accept: SSLv3 read finished A (24) eap_peap: >>> send TLS 1.2 [length 0001] (24) eap_peap: TLS_accept: SSLv3 write change cipher spec A (24) eap_peap: >>> send TLS 1.2 [length 0010] (24) eap_peap: TLS_accept: SSLv3 write finished A (24) eap_peap: TLS_accept: SSLv3 flush data (24) eap_peap: (other): SSL negotiation finished successfully (24) eap_peap: SSL Connection Established (24) eap_peap: [eaptls process] = handled (24) eap: Sending EAP Request (code 1) ID 5 length 57 (24) eap: EAP session adding &reply:State = 0xfa6d51bcfe684896 (24) [eap] = handled (24) } # authenticate = handled (24) Using Post-Auth-Type Challenge (24) # Executing group from file /etc/raddb/sites-enabled/default (24) Challenge { ... } # empty sub-section is ignored (24) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (24) EAP-Message = 0x01050039190014030300010116030300289fc5de61f40ef791b66109d7e36af16596d84e0d117df80d2a801f121f79b4700b8a5712ac9eb200 (24) Message-Authenticator = 0x00000000000000000000000000000000 (24) State = 0xfa6d51bcfe68489698062bca06912e67 (24) Finished request Waking up in 4.9 seconds. (24) Cleaning up request packet ID 0 with timestamp +53 (25) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 149 (25) User-Name = "CLEARSYSTEM\\test1" (25) NAS-IP-Address = 172.22.22.254 (25) Called-Station-Id = "001601dfe596" (25) Calling-Station-Id = "74da38d41a8b" (25) NAS-Identifier = "001601dfe596" (25) NAS-Port = 5 (25) Framed-MTU = 1400 (25) State = 0xfa6d51bcfe68489698062bca06912e67 (25) NAS-Port-Type = Wireless-802.11 (25) EAP-Message = 0x020500061900 (25) Message-Authenticator = 0xc4d5b25261ca14db4b0b4afd1509d942 (25) session-state: No cached attributes (25) # Executing section authorize from file /etc/raddb/sites-enabled/default (25) authorize { (25) policy filter_username { (25) if (&User-Name) { (25) if (&User-Name) -> TRUE (25) if (&User-Name) { (25) if (&User-Name =~ / /) { (25) if (&User-Name =~ / /) -> FALSE (25) if (&User-Name =~ /@[^@]*@/ ) { (25) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (25) if (&User-Name =~ /\.\./ ) { (25) if (&User-Name =~ /\.\./ ) -> FALSE (25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (25) if (&User-Name =~ /\.$/) { (25) if (&User-Name =~ /\.$/) -> FALSE (25) if (&User-Name =~ /@\./) { (25) if (&User-Name =~ /@\./) -> FALSE (25) } # if (&User-Name) = notfound (25) } # policy filter_username = notfound (25) [preprocess] = ok (25) [chap] = noop (25) [mschap] = noop (25) [digest] = noop (25) suffix: Checking for suffix after "@" (25) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (25) suffix: No such realm "NULL" (25) [suffix] = noop (25) ntdomain: Checking for prefix before "\" (25) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (25) ntdomain: Found realm "CLEARSYSTEM" (25) ntdomain: Adding Stripped-User-Name = "test1" (25) ntdomain: Adding Realm = "CLEARSYSTEM" (25) ntdomain: Authentication realm is LOCAL (25) [ntdomain] = ok (25) eap: Peer sent EAP Response (code 2) ID 5 length 6 (25) eap: Continuing tunnel setup (25) [eap] = ok (25) } # authorize = ok (25) Found Auth-Type = eap (25) # Executing group from file /etc/raddb/sites-enabled/default (25) authenticate { (25) eap: Expiring EAP session with state 0xfa6d51bcfe684896 (25) eap: Finished EAP session with state 0xfa6d51bcfe684896 (25) eap: Previous EAP request found for state 0xfa6d51bcfe684896, released from the list (25) eap: Peer sent packet with method EAP PEAP (25) (25) eap: Calling submodule eap_peap to process data (25) eap_peap: Continuing EAP-TLS (25) eap_peap: Peer ACKed our handshake fragment. handshake is finished (25) eap_peap: [eaptls verify] = success (25) eap_peap: [eaptls process] = success (25) eap_peap: Session established. Decoding tunneled attributes (25) eap_peap: PEAP state TUNNEL ESTABLISHED (25) eap: Sending EAP Request (code 1) ID 6 length 40 (25) eap: EAP session adding &reply:State = 0xfa6d51bcff6b4896 (25) [eap] = handled (25) } # authenticate = handled (25) Using Post-Auth-Type Challenge (25) # Executing group from file /etc/raddb/sites-enabled/default (25) Challenge { ... } # empty sub-section is ignored (25) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (25) EAP-Message = 0x010600281900170303001d9fc5de61f40ef7925497e0f03071577e94fda8fc4dca1cd9802e483d4e (25) Message-Authenticator = 0x00000000000000000000000000000000 (25) State = 0xfa6d51bcff6b489698062bca06912e67 (25) Finished request Waking up in 4.9 seconds. (25) Cleaning up request packet ID 0 with timestamp +53 (26) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 196 (26) User-Name = "CLEARSYSTEM\\test1" (26) NAS-IP-Address = 172.22.22.254 (26) Called-Station-Id = "001601dfe596" (26) Calling-Station-Id = "74da38d41a8b" (26) NAS-Identifier = "001601dfe596" (26) NAS-Port = 5 (26) Framed-MTU = 1400 (26) State = 0xfa6d51bcff6b489698062bca06912e67 (26) NAS-Port-Type = Wireless-802.11 (26) EAP-Message = 0x020600351900170303002a00000000000000010c933fa0100b5f27e5b96564694cce21d984340dcb6f16c8d77d6ca418f7bc3355c0 (26) Message-Authenticator = 0x3bb9fc8b6b5e0df1d67ba95dd5dded2d (26) session-state: No cached attributes (26) # Executing section authorize from file /etc/raddb/sites-enabled/default (26) authorize { (26) policy filter_username { (26) if (&User-Name) { (26) if (&User-Name) -> TRUE (26) if (&User-Name) { (26) if (&User-Name =~ / /) { (26) if (&User-Name =~ / /) -> FALSE (26) if (&User-Name =~ /@[^@]*@/ ) { (26) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (26) if (&User-Name =~ /\.\./ ) { (26) if (&User-Name =~ /\.\./ ) -> FALSE (26) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (26) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (26) if (&User-Name =~ /\.$/) { (26) if (&User-Name =~ /\.$/) -> FALSE (26) if (&User-Name =~ /@\./) { (26) if (&User-Name =~ /@\./) -> FALSE (26) } # if (&User-Name) = notfound (26) } # policy filter_username = notfound (26) [preprocess] = ok (26) [chap] = noop (26) [mschap] = noop (26) [digest] = noop (26) suffix: Checking for suffix after "@" (26) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (26) suffix: No such realm "NULL" (26) [suffix] = noop (26) ntdomain: Checking for prefix before "\" (26) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (26) ntdomain: Found realm "CLEARSYSTEM" (26) ntdomain: Adding Stripped-User-Name = "test1" (26) ntdomain: Adding Realm = "CLEARSYSTEM" (26) ntdomain: Authentication realm is LOCAL (26) [ntdomain] = ok (26) eap: Peer sent EAP Response (code 2) ID 6 length 53 (26) eap: Continuing tunnel setup (26) [eap] = ok (26) } # authorize = ok (26) Found Auth-Type = eap (26) # Executing group from file /etc/raddb/sites-enabled/default (26) authenticate { (26) eap: Expiring EAP session with state 0xfa6d51bcff6b4896 (26) eap: Finished EAP session with state 0xfa6d51bcff6b4896 (26) eap: Previous EAP request found for state 0xfa6d51bcff6b4896, released from the list (26) eap: Peer sent packet with method EAP PEAP (25) (26) eap: Calling submodule eap_peap to process data (26) eap_peap: Continuing EAP-TLS (26) eap_peap: [eaptls verify] = ok (26) eap_peap: Done initial handshake (26) eap_peap: [eaptls process] = ok (26) eap_peap: Session established. Decoding tunneled attributes (26) eap_peap: PEAP state WAITING FOR INNER IDENTITY (26) eap_peap: Identity - CLEARSYSTEM\test1 (26) eap_peap: Got inner identity 'CLEARSYSTEM\test1' (26) eap_peap: Setting default EAP type for tunneled EAP session (26) eap_peap: Got tunneled request (26) eap_peap: EAP-Message = 0x0206001601434c45415253595354454d5c7465737431 (26) eap_peap: Setting User-Name to CLEARSYSTEM\test1 (26) eap_peap: Sending tunneled request to inner-tunnel (26) eap_peap: EAP-Message = 0x0206001601434c45415253595354454d5c7465737431 (26) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (26) eap_peap: User-Name = "CLEARSYSTEM\\test1" (26) Virtual server inner-tunnel received request (26) EAP-Message = 0x0206001601434c45415253595354454d5c7465737431 (26) FreeRADIUS-Proxied-To = 127.0.0.1 (26) User-Name = "CLEARSYSTEM\\test1" (26) WARNING: Outer and inner identities are the same. User privacy is compromised. (26) server inner-tunnel { (26) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (26) authorize { (26) policy filter_username { (26) if (&User-Name) { (26) if (&User-Name) -> TRUE (26) if (&User-Name) { (26) if (&User-Name =~ / /) { (26) if (&User-Name =~ / /) -> FALSE (26) if (&User-Name =~ /@[^@]*@/ ) { (26) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (26) if (&User-Name =~ /\.\./ ) { (26) if (&User-Name =~ /\.\./ ) -> FALSE (26) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (26) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (26) if (&User-Name =~ /\.$/) { (26) if (&User-Name =~ /\.$/) -> FALSE (26) if (&User-Name =~ /@\./) { (26) if (&User-Name =~ /@\./) -> FALSE (26) } # if (&User-Name) = notfound (26) } # policy filter_username = notfound (26) [chap] = noop (26) [mschap] = noop (26) suffix: Checking for suffix after "@" (26) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (26) suffix: No such realm "NULL" (26) [suffix] = noop (26) ntdomain: Checking for prefix before "\" (26) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (26) ntdomain: Found realm "CLEARSYSTEM" (26) ntdomain: Adding Stripped-User-Name = "test1" (26) ntdomain: Adding Realm = "CLEARSYSTEM" (26) ntdomain: Authentication realm is LOCAL (26) [ntdomain] = ok (26) update control { (26) &Proxy-To-Realm := LOCAL (26) } # update control = noop (26) eap: Peer sent EAP Response (code 2) ID 6 length 22 (26) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (26) [eap] = ok (26) } # authorize = ok (26) Found Auth-Type = eap (26) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (26) authenticate { (26) eap: Peer sent packet with method EAP Identity (1) (26) eap: Calling submodule eap_mschapv2 to process data (26) eap_mschapv2: Issuing Challenge (26) eap: Sending EAP Request (code 1) ID 7 length 43 (26) eap: EAP session adding &reply:State = 0x67f4154867f30fc7 (26) [eap] = handled (26) } # authenticate = handled (26) } # server inner-tunnel (26) Virtual server sending reply (26) EAP-Message = 0x0107002b1a0107002610924e60a23ee51c27491d1ede23d3f645667265657261646975732d332e302e3133 (26) Message-Authenticator = 0x00000000000000000000000000000000 (26) State = 0x67f4154867f30fc7e3fcab03d0b75466 (26) eap_peap: Got tunneled reply code 11 (26) eap_peap: EAP-Message = 0x0107002b1a0107002610924e60a23ee51c27491d1ede23d3f645667265657261646975732d332e302e3133 (26) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (26) eap_peap: State = 0x67f4154867f30fc7e3fcab03d0b75466 (26) eap_peap: Got tunneled reply RADIUS code 11 (26) eap_peap: EAP-Message = 0x0107002b1a0107002610924e60a23ee51c27491d1ede23d3f645667265657261646975732d332e302e3133 (26) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (26) eap_peap: State = 0x67f4154867f30fc7e3fcab03d0b75466 (26) eap_peap: Got tunneled Access-Challenge (26) eap: Sending EAP Request (code 1) ID 7 length 74 (26) eap: EAP session adding &reply:State = 0xfa6d51bcfc6a4896 (26) [eap] = handled (26) } # authenticate = handled (26) Using Post-Auth-Type Challenge (26) # Executing group from file /etc/raddb/sites-enabled/default (26) Challenge { ... } # empty sub-section is ignored (26) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (26) EAP-Message = 0x0107004a1900170303003f9fc5de61f40ef79320067b88f1b9e625058f12902741fb970becb9261d941d1b266fa753bee467888aab0af7d34c9f313426aa5a51d1aa69aa798529ede786 (26) Message-Authenticator = 0x00000000000000000000000000000000 (26) State = 0xfa6d51bcfc6a489698062bca06912e67 (26) Finished request Waking up in 4.9 seconds. (26) Cleaning up request packet ID 0 with timestamp +53 (27) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 250 (27) User-Name = "CLEARSYSTEM\\test1" (27) NAS-IP-Address = 172.22.22.254 (27) Called-Station-Id = "001601dfe596" (27) Calling-Station-Id = "74da38d41a8b" (27) NAS-Identifier = "001601dfe596" (27) NAS-Port = 5 (27) Framed-MTU = 1400 (27) State = 0xfa6d51bcfc6a489698062bca06912e67 (27) NAS-Port-Type = Wireless-802.11 (27) EAP-Message = 0x0207006b1900170303006000000000000000021164b401a6b91edb40d45e1ae33a3fea0cec4342e9431f3070feae69d5c873b621ce5e2ca831677e11c81a47eb117c073c0825ef4ce462d2b041e0dbe753411783cbeed0efd3072a2d2548310371af5a119da170a961b921 (27) Message-Authenticator = 0xf080de21399d6eac0a27d43417e9a92c (27) session-state: No cached attributes (27) # Executing section authorize from file /etc/raddb/sites-enabled/default (27) authorize { (27) policy filter_username { (27) if (&User-Name) { (27) if (&User-Name) -> TRUE (27) if (&User-Name) { (27) if (&User-Name =~ / /) { (27) if (&User-Name =~ / /) -> FALSE (27) if (&User-Name =~ /@[^@]*@/ ) { (27) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (27) if (&User-Name =~ /\.\./ ) { (27) if (&User-Name =~ /\.\./ ) -> FALSE (27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (27) if (&User-Name =~ /\.$/) { (27) if (&User-Name =~ /\.$/) -> FALSE (27) if (&User-Name =~ /@\./) { (27) if (&User-Name =~ /@\./) -> FALSE (27) } # if (&User-Name) = notfound (27) } # policy filter_username = notfound (27) [preprocess] = ok (27) [chap] = noop (27) [mschap] = noop (27) [digest] = noop (27) suffix: Checking for suffix after "@" (27) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (27) suffix: No such realm "NULL" (27) [suffix] = noop (27) ntdomain: Checking for prefix before "\" (27) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (27) ntdomain: Found realm "CLEARSYSTEM" (27) ntdomain: Adding Stripped-User-Name = "test1" (27) ntdomain: Adding Realm = "CLEARSYSTEM" (27) ntdomain: Authentication realm is LOCAL (27) [ntdomain] = ok (27) eap: Peer sent EAP Response (code 2) ID 7 length 107 (27) eap: Continuing tunnel setup (27) [eap] = ok (27) } # authorize = ok (27) Found Auth-Type = eap (27) # Executing group from file /etc/raddb/sites-enabled/default (27) authenticate { (27) eap: Expiring EAP session with state 0x67f4154867f30fc7 (27) eap: Finished EAP session with state 0xfa6d51bcfc6a4896 (27) eap: Previous EAP request found for state 0xfa6d51bcfc6a4896, released from the list (27) eap: Peer sent packet with method EAP PEAP (25) (27) eap: Calling submodule eap_peap to process data (27) eap_peap: Continuing EAP-TLS (27) eap_peap: [eaptls verify] = ok (27) eap_peap: Done initial handshake (27) eap_peap: [eaptls process] = ok (27) eap_peap: Session established. Decoding tunneled attributes (27) eap_peap: PEAP state phase2 (27) eap_peap: EAP method MSCHAPv2 (26) (27) eap_peap: Got tunneled request (27) eap_peap: EAP-Message = 0x0207004c1a02070047318ebe9e5e7d389ad1bc7eb58ddee3294600000000000000009192d897cc33bc83f03bd7b7e725852e1cefe0cd1cabcebc00434c45415253595354454d5c7465737431 (27) eap_peap: Setting User-Name to CLEARSYSTEM\test1 (27) eap_peap: Sending tunneled request to inner-tunnel (27) eap_peap: EAP-Message = 0x0207004c1a02070047318ebe9e5e7d389ad1bc7eb58ddee3294600000000000000009192d897cc33bc83f03bd7b7e725852e1cefe0cd1cabcebc00434c45415253595354454d5c7465737431 (27) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (27) eap_peap: User-Name = "CLEARSYSTEM\\test1" (27) eap_peap: State = 0x67f4154867f30fc7e3fcab03d0b75466 (27) Virtual server inner-tunnel received request (27) EAP-Message = 0x0207004c1a02070047318ebe9e5e7d389ad1bc7eb58ddee3294600000000000000009192d897cc33bc83f03bd7b7e725852e1cefe0cd1cabcebc00434c45415253595354454d5c7465737431 (27) FreeRADIUS-Proxied-To = 127.0.0.1 (27) User-Name = "CLEARSYSTEM\\test1" (27) State = 0x67f4154867f30fc7e3fcab03d0b75466 (27) WARNING: Outer and inner identities are the same. User privacy is compromised. (27) server inner-tunnel { (27) session-state: No cached attributes (27) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (27) authorize { (27) policy filter_username { (27) if (&User-Name) { (27) if (&User-Name) -> TRUE (27) if (&User-Name) { (27) if (&User-Name =~ / /) { (27) if (&User-Name =~ / /) -> FALSE (27) if (&User-Name =~ /@[^@]*@/ ) { (27) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (27) if (&User-Name =~ /\.\./ ) { (27) if (&User-Name =~ /\.\./ ) -> FALSE (27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (27) if (&User-Name =~ /\.$/) { (27) if (&User-Name =~ /\.$/) -> FALSE (27) if (&User-Name =~ /@\./) { (27) if (&User-Name =~ /@\./) -> FALSE (27) } # if (&User-Name) = notfound (27) } # policy filter_username = notfound (27) [chap] = noop (27) [mschap] = noop (27) suffix: Checking for suffix after "@" (27) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (27) suffix: No such realm "NULL" (27) [suffix] = noop (27) ntdomain: Checking for prefix before "\" (27) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (27) ntdomain: Found realm "CLEARSYSTEM" (27) ntdomain: Adding Stripped-User-Name = "test1" (27) ntdomain: Adding Realm = "CLEARSYSTEM" (27) ntdomain: Authentication realm is LOCAL (27) [ntdomain] = ok (27) update control { (27) &Proxy-To-Realm := LOCAL (27) } # update control = noop (27) eap: Peer sent EAP Response (code 2) ID 7 length 76 (27) eap: No EAP Start, assuming it's an on-going EAP conversation (27) [eap] = updated (27) files: Searching for user in group "allusers" rlm_ldap (ldap): Reserved connection (4) (27) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (27) files: --> (uid=test1) (27) files: Performing search in "dc=system,dc=lan" with filter "(uid=test1)", scope "sub" (27) files: Waiting for search result... (27) files: User object found at DN "cn=test1 test1,ou=Users,ou=Accounts,dc=system,dc=lan" (27) files: Checking user object's memberOf attributes (27) files: Performing unfiltered search in "cn=test1 test1,ou=Users,ou=Accounts,dc=system,dc=lan", scope "base" (27) files: Waiting for search result... (27) files: Processing memberOf value "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (27) files: Resolving group DN "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (27) files: Performing unfiltered search in "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (27) files: Waiting for search result... (27) files: Group DN "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "ftp_plugin" (27) files: Processing memberOf value "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (27) files: Resolving group DN "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (27) files: Performing unfiltered search in "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (27) files: Waiting for search result... (27) files: Group DN "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "web_proxy_plugin" (27) files: Processing memberOf value "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (27) files: Resolving group DN "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (27) files: Performing unfiltered search in "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (27) files: Waiting for search result... (27) files: Group DN "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "webupload" (27) files: Processing memberOf value "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (27) files: Resolving group DN "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (27) files: Performing unfiltered search in "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (27) files: Waiting for search result... (27) files: Group DN "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "allusers" (27) files: User found in group "allusers". Comparison between membership: name (resolved from DN "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=l?"), check: name rlm_ldap (ldap): Released connection (4) (27) [files] = noop rlm_ldap (ldap): Reserved connection (1) (27) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (27) ldap: --> (uid=test1) (27) ldap: Performing search in "dc=system,dc=lan" with filter "(uid=test1)", scope "sub" (27) ldap: Waiting for search result... (27) ldap: User object found at DN "cn=test1 test1,ou=Users,ou=Accounts,dc=system,dc=lan" (27) ldap: Processing user attributes (27) ldap: control:Password-With-Header += '{sha}tESsBmE/yNY3lb6a0L6vVQEZNqw=' rlm_ldap (ldap): Released connection (1) (27) [ldap] = updated (27) [expiration] = noop (27) [logintime] = noop (27) pap: Converted: &control:Password-With-Header -> &control:SHA1-Password (27) pap: Removing &control:Password-With-Header (27) pap: Normalizing SHA1-Password from base64 encoding, 28 bytes -> 20 bytes (27) pap: WARNING: Auth-Type already set. Not setting to PAP (27) [pap] = noop (27) } # authorize = updated (27) Found Auth-Type = eap (27) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (27) authenticate { (27) eap: Expiring EAP session with state 0x67f4154867f30fc7 (27) eap: Finished EAP session with state 0x67f4154867f30fc7 (27) eap: Previous EAP request found for state 0x67f4154867f30fc7, released from the list (27) eap: Peer sent packet with method EAP MSCHAPv2 (26) (27) eap: Calling submodule eap_mschapv2 to process data (27) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (27) eap_mschapv2: authenticate { (27) mschap: Creating challenge hash with username: test1 (27) mschap: Client is using MS-CHAPv2 (27) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (27) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (27) mschap: --> --username=test1 (27) mschap: Creating challenge hash with username: test1 (27) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (27) mschap: --> --challenge=b7881bdaef5718d0 (27) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (27) mschap: --> --nt-response=9192d897cc33bc83f03bd7b7e725852e1cefe0cd1cabcebc (27) mschap: Program returned code (0) and output 'NT_KEY: DAE53F1776DBD0817C5639A27629A27D' (27) mschap: Adding MS-CHAPv2 MPPE keys (27) [mschap] = ok (27) } # authenticate = ok (27) MSCHAP Success (27) eap: Sending EAP Request (code 1) ID 8 length 51 (27) eap: EAP session adding &reply:State = 0x67f4154866fc0fc7 (27) [eap] = handled (27) } # authenticate = handled (27) } # server inner-tunnel (27) Virtual server sending reply (27) EAP-Message = 0x010800331a0307002e533d43433037464444353744443738353244433532393433303036333836383832433333303235313235 (27) Message-Authenticator = 0x00000000000000000000000000000000 (27) State = 0x67f4154866fc0fc7e3fcab03d0b75466 (27) eap_peap: Got tunneled reply code 11 (27) eap_peap: EAP-Message = 0x010800331a0307002e533d43433037464444353744443738353244433532393433303036333836383832433333303235313235 (27) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (27) eap_peap: State = 0x67f4154866fc0fc7e3fcab03d0b75466 (27) eap_peap: Got tunneled reply RADIUS code 11 (27) eap_peap: EAP-Message = 0x010800331a0307002e533d43433037464444353744443738353244433532393433303036333836383832433333303235313235 (27) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (27) eap_peap: State = 0x67f4154866fc0fc7e3fcab03d0b75466 (27) eap_peap: Got tunneled Access-Challenge (27) eap: Sending EAP Request (code 1) ID 8 length 82 (27) eap: EAP session adding &reply:State = 0xfa6d51bcfd654896 (27) [eap] = handled (27) } # authenticate = handled (27) Using Post-Auth-Type Challenge (27) # Executing group from file /etc/raddb/sites-enabled/default (27) Challenge { ... } # empty sub-section is ignored (27) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (27) EAP-Message = 0x01080052190017030300479fc5de61f40ef79494eff5694d56e768cdb21779bc552c78a169ac0f8530b9de062bb9e00f19afd761d18aabce43510a9de602925b9274ddb52b6383f31803be6bd4971c2690bf (27) Message-Authenticator = 0x00000000000000000000000000000000 (27) State = 0xfa6d51bcfd65489698062bca06912e67 (27) Finished request Waking up in 4.9 seconds. (27) Cleaning up request packet ID 0 with timestamp +53 (28) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 180 (28) User-Name = "CLEARSYSTEM\\test1" (28) NAS-IP-Address = 172.22.22.254 (28) Called-Station-Id = "001601dfe596" (28) Calling-Station-Id = "74da38d41a8b" (28) NAS-Identifier = "001601dfe596" (28) NAS-Port = 5 (28) Framed-MTU = 1400 (28) State = 0xfa6d51bcfd65489698062bca06912e67 (28) NAS-Port-Type = Wireless-802.11 (28) EAP-Message = 0x020800251900170303001a0000000000000003f17c071701f2900218e05b0493a96e129742 (28) Message-Authenticator = 0x1d570e56fa27451711dbb7b15f04968d (28) session-state: No cached attributes (28) # Executing section authorize from file /etc/raddb/sites-enabled/default (28) authorize { (28) policy filter_username { (28) if (&User-Name) { (28) if (&User-Name) -> TRUE (28) if (&User-Name) { (28) if (&User-Name =~ / /) { (28) if (&User-Name =~ / /) -> FALSE (28) if (&User-Name =~ /@[^@]*@/ ) { (28) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (28) if (&User-Name =~ /\.\./ ) { (28) if (&User-Name =~ /\.\./ ) -> FALSE (28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (28) if (&User-Name =~ /\.$/) { (28) if (&User-Name =~ /\.$/) -> FALSE (28) if (&User-Name =~ /@\./) { (28) if (&User-Name =~ /@\./) -> FALSE (28) } # if (&User-Name) = notfound (28) } # policy filter_username = notfound (28) [preprocess] = ok (28) [chap] = noop (28) [mschap] = noop (28) [digest] = noop (28) suffix: Checking for suffix after "@" (28) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (28) suffix: No such realm "NULL" (28) [suffix] = noop (28) ntdomain: Checking for prefix before "\" (28) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (28) ntdomain: Found realm "CLEARSYSTEM" (28) ntdomain: Adding Stripped-User-Name = "test1" (28) ntdomain: Adding Realm = "CLEARSYSTEM" (28) ntdomain: Authentication realm is LOCAL (28) [ntdomain] = ok (28) eap: Peer sent EAP Response (code 2) ID 8 length 37 (28) eap: Continuing tunnel setup (28) [eap] = ok (28) } # authorize = ok (28) Found Auth-Type = eap (28) # Executing group from file /etc/raddb/sites-enabled/default (28) authenticate { (28) eap: Expiring EAP session with state 0x67f4154866fc0fc7 (28) eap: Finished EAP session with state 0xfa6d51bcfd654896 (28) eap: Previous EAP request found for state 0xfa6d51bcfd654896, released from the list (28) eap: Peer sent packet with method EAP PEAP (25) (28) eap: Calling submodule eap_peap to process data (28) eap_peap: Continuing EAP-TLS (28) eap_peap: [eaptls verify] = ok (28) eap_peap: Done initial handshake (28) eap_peap: [eaptls process] = ok (28) eap_peap: Session established. Decoding tunneled attributes (28) eap_peap: PEAP state phase2 (28) eap_peap: EAP method MSCHAPv2 (26) (28) eap_peap: Got tunneled request (28) eap_peap: EAP-Message = 0x020800061a03 (28) eap_peap: Setting User-Name to CLEARSYSTEM\test1 (28) eap_peap: Sending tunneled request to inner-tunnel (28) eap_peap: EAP-Message = 0x020800061a03 (28) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (28) eap_peap: User-Name = "CLEARSYSTEM\\test1" (28) eap_peap: State = 0x67f4154866fc0fc7e3fcab03d0b75466 (28) Virtual server inner-tunnel received request (28) EAP-Message = 0x020800061a03 (28) FreeRADIUS-Proxied-To = 127.0.0.1 (28) User-Name = "CLEARSYSTEM\\test1" (28) State = 0x67f4154866fc0fc7e3fcab03d0b75466 (28) WARNING: Outer and inner identities are the same. User privacy is compromised. (28) server inner-tunnel { (28) session-state: No cached attributes (28) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (28) authorize { (28) policy filter_username { (28) if (&User-Name) { (28) if (&User-Name) -> TRUE (28) if (&User-Name) { (28) if (&User-Name =~ / /) { (28) if (&User-Name =~ / /) -> FALSE (28) if (&User-Name =~ /@[^@]*@/ ) { (28) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (28) if (&User-Name =~ /\.\./ ) { (28) if (&User-Name =~ /\.\./ ) -> FALSE (28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (28) if (&User-Name =~ /\.$/) { (28) if (&User-Name =~ /\.$/) -> FALSE (28) if (&User-Name =~ /@\./) { (28) if (&User-Name =~ /@\./) -> FALSE (28) } # if (&User-Name) = notfound (28) } # policy filter_username = notfound (28) [chap] = noop (28) [mschap] = noop (28) suffix: Checking for suffix after "@" (28) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (28) suffix: No such realm "NULL" (28) [suffix] = noop (28) ntdomain: Checking for prefix before "\" (28) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (28) ntdomain: Found realm "CLEARSYSTEM" (28) ntdomain: Adding Stripped-User-Name = "test1" (28) ntdomain: Adding Realm = "CLEARSYSTEM" (28) ntdomain: Authentication realm is LOCAL (28) [ntdomain] = ok (28) update control { (28) &Proxy-To-Realm := LOCAL (28) } # update control = noop (28) eap: Peer sent EAP Response (code 2) ID 8 length 6 (28) eap: No EAP Start, assuming it's an on-going EAP conversation (28) [eap] = updated (28) files: Searching for user in group "allusers" rlm_ldap (ldap): Reserved connection (2) (28) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (28) files: --> (uid=test1) (28) files: Performing search in "dc=system,dc=lan" with filter "(uid=test1)", scope "sub" (28) files: Waiting for search result... (28) files: User object found at DN "cn=test1 test1,ou=Users,ou=Accounts,dc=system,dc=lan" (28) files: Checking user object's memberOf attributes (28) files: Performing unfiltered search in "cn=test1 test1,ou=Users,ou=Accounts,dc=system,dc=lan", scope "base" (28) files: Waiting for search result... (28) files: Processing memberOf value "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (28) files: Resolving group DN "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (28) files: Performing unfiltered search in "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (28) files: Waiting for search result... (28) files: Group DN "cn=ftp_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "ftp_plugin" (28) files: Processing memberOf value "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (28) files: Resolving group DN "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (28) files: Performing unfiltered search in "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (28) files: Waiting for search result... (28) files: Group DN "cn=web_proxy_plugin,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "web_proxy_plugin" (28) files: Processing memberOf value "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (28) files: Resolving group DN "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (28) files: Performing unfiltered search in "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (28) files: Waiting for search result... (28) files: Group DN "cn=webupload,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "webupload" (28) files: Processing memberOf value "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan" as a DN (28) files: Resolving group DN "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan" to group name (28) files: Performing unfiltered search in "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan", scope "base" (28) files: Waiting for search result... (28) files: Group DN "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan" resolves to name "allusers" (28) files: User found in group "allusers". Comparison between membership: name (resolved from DN "cn=allusers,ou=Groups,ou=Accounts,dc=system,dc=lan"), check: name rlm_ldap (ldap): Released connection (2) (28) [files] = noop rlm_ldap (ldap): Reserved connection (3) (28) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (28) ldap: --> (uid=test1) (28) ldap: Performing search in "dc=system,dc=lan" with filter "(uid=test1)", scope "sub" (28) ldap: Waiting for search result... (28) ldap: User object found at DN "cn=test1 test1,ou=Users,ou=Accounts,dc=system,dc=lan" (28) ldap: Processing user attributes (28) ldap: control:Password-With-Header += '{sha}tESsBmE/yNY3lb6a0L6vVQEZNqw=' rlm_ldap (ldap): Released connection (3) (28) [ldap] = updated (28) [expiration] = noop (28) [logintime] = noop (28) pap: Converted: &control:Password-With-Header -> &control:SHA1-Password (28) pap: Removing &control:Password-With-Header (28) pap: Normalizing SHA1-Password from base64 encoding, 28 bytes -> 20 bytes (28) pap: WARNING: Auth-Type already set. Not setting to PAP (28) [pap] = noop (28) } # authorize = updated (28) Found Auth-Type = eap (28) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (28) authenticate { (28) eap: Expiring EAP session with state 0x67f4154866fc0fc7 (28) eap: Finished EAP session with state 0x67f4154866fc0fc7 (28) eap: Previous EAP request found for state 0x67f4154866fc0fc7, released from the list (28) eap: Peer sent packet with method EAP MSCHAPv2 (26) (28) eap: Calling submodule eap_mschapv2 to process data (28) eap: Sending EAP Success (code 3) ID 8 length 4 (28) eap: Freeing handler (28) [eap] = ok (28) } # authenticate = ok (28) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (28) post-auth { (28) if (0) { (28) if (0) -> FALSE (28) } # post-auth = noop (28) } # server inner-tunnel (28) Virtual server sending reply (28) MS-MPPE-Encryption-Policy = Encryption-Allowed (28) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (28) MS-MPPE-Send-Key = 0xfb5f52a89ab44a864d241d4b18249347 (28) MS-MPPE-Recv-Key = 0xda830131fe0600676623f4fe3bbd9685 (28) EAP-Message = 0x03080004 (28) Message-Authenticator = 0x00000000000000000000000000000000 (28) Stripped-User-Name = "test1" (28) eap_peap: Got tunneled reply code 2 (28) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (28) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (28) eap_peap: MS-MPPE-Send-Key = 0xfb5f52a89ab44a864d241d4b18249347 (28) eap_peap: MS-MPPE-Recv-Key = 0xda830131fe0600676623f4fe3bbd9685 (28) eap_peap: EAP-Message = 0x03080004 (28) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (28) eap_peap: Stripped-User-Name = "test1" (28) eap_peap: Got tunneled reply RADIUS code 2 (28) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (28) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (28) eap_peap: MS-MPPE-Send-Key = 0xfb5f52a89ab44a864d241d4b18249347 (28) eap_peap: MS-MPPE-Recv-Key = 0xda830131fe0600676623f4fe3bbd9685 (28) eap_peap: EAP-Message = 0x03080004 (28) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (28) eap_peap: Stripped-User-Name = "test1" (28) eap_peap: Tunneled authentication was successful (28) eap_peap: SUCCESS (28) eap: Sending EAP Request (code 1) ID 9 length 46 (28) eap: EAP session adding &reply:State = 0xfa6d51bcf2644896 (28) [eap] = handled (28) } # authenticate = handled (28) Using Post-Auth-Type Challenge (28) # Executing group from file /etc/raddb/sites-enabled/default (28) Challenge { ... } # empty sub-section is ignored (28) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (28) EAP-Message = 0x0109002e190017030300239fc5de61f40ef795ba8f693d2d93d08ada2e3c4dc8cdf1c2eac7662be4b2d7d3a09444 (28) Message-Authenticator = 0x00000000000000000000000000000000 (28) State = 0xfa6d51bcf264489698062bca06912e67 (28) Finished request Waking up in 4.9 seconds. (28) Cleaning up request packet ID 0 with timestamp +53 (29) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 189 (29) User-Name = "CLEARSYSTEM\\test1" (29) NAS-IP-Address = 172.22.22.254 (29) Called-Station-Id = "001601dfe596" (29) Calling-Station-Id = "74da38d41a8b" (29) NAS-Identifier = "001601dfe596" (29) NAS-Port = 5 (29) Framed-MTU = 1400 (29) State = 0xfa6d51bcf264489698062bca06912e67 (29) NAS-Port-Type = Wireless-802.11 (29) EAP-Message = 0x0209002e190017030300230000000000000004471af753e3bf22745065af3a198931d3ee8a9faeb2d337841e44a2 (29) Message-Authenticator = 0x75b133c737e069f2748c6b5b9222a581 (29) session-state: No cached attributes (29) # Executing section authorize from file /etc/raddb/sites-enabled/default (29) authorize { (29) policy filter_username { (29) if (&User-Name) { (29) if (&User-Name) -> TRUE (29) if (&User-Name) { (29) if (&User-Name =~ / /) { (29) if (&User-Name =~ / /) -> FALSE (29) if (&User-Name =~ /@[^@]*@/ ) { (29) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (29) if (&User-Name =~ /\.\./ ) { (29) if (&User-Name =~ /\.\./ ) -> FALSE (29) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (29) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (29) if (&User-Name =~ /\.$/) { (29) if (&User-Name =~ /\.$/) -> FALSE (29) if (&User-Name =~ /@\./) { (29) if (&User-Name =~ /@\./) -> FALSE (29) } # if (&User-Name) = notfound (29) } # policy filter_username = notfound (29) [preprocess] = ok (29) [chap] = noop (29) [mschap] = noop (29) [digest] = noop (29) suffix: Checking for suffix after "@" (29) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (29) suffix: No such realm "NULL" (29) [suffix] = noop (29) ntdomain: Checking for prefix before "\" (29) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (29) ntdomain: Found realm "CLEARSYSTEM" (29) ntdomain: Adding Stripped-User-Name = "test1" (29) ntdomain: Adding Realm = "CLEARSYSTEM" (29) ntdomain: Authentication realm is LOCAL (29) [ntdomain] = ok (29) eap: Peer sent EAP Response (code 2) ID 9 length 46 (29) eap: Continuing tunnel setup (29) [eap] = ok (29) } # authorize = ok (29) Found Auth-Type = eap (29) # Executing group from file /etc/raddb/sites-enabled/default (29) authenticate { (29) eap: Expiring EAP session with state 0xfa6d51bcf2644896 (29) eap: Finished EAP session with state 0xfa6d51bcf2644896 (29) eap: Previous EAP request found for state 0xfa6d51bcf2644896, released from the list (29) eap: Peer sent packet with method EAP PEAP (25) (29) eap: Calling submodule eap_peap to process data (29) eap_peap: Continuing EAP-TLS (29) eap_peap: [eaptls verify] = ok (29) eap_peap: Done initial handshake (29) eap_peap: [eaptls process] = ok (29) eap_peap: Session established. Decoding tunneled attributes (29) eap_peap: PEAP state send tlv success (29) eap_peap: Received EAP-TLV response (29) eap_peap: Success (29) eap: Sending EAP Success (code 3) ID 9 length 4 (29) eap: Freeing handler (29) [eap] = ok (29) } # authenticate = ok (29) # Executing section post-auth from file /etc/raddb/sites-enabled/default (29) post-auth { (29) update { (29) No attributes updated (29) } # update = noop (29) [exec] = noop (29) policy remove_reply_message_if_eap { (29) if (&reply:EAP-Message && &reply:Reply-Message) { (29) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (29) else { (29) [noop] = noop (29) } # else = noop (29) } # policy remove_reply_message_if_eap = noop (29) } # post-auth = noop (29) Sent Access-Accept Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (29) MS-MPPE-Recv-Key = 0x3a2a679722b005acbb715114d8a3916f36531e4efb83c3158fb73a7e0d95a8cd (29) MS-MPPE-Send-Key = 0x73e2a159504c68f4b2a9b09c2cd3eda884da46f07bb478c2f637de7986d02c05 (29) EAP-Message = 0x03090004 (29) Message-Authenticator = 0x00000000000000000000000000000000 (29) Finished request Waking up in 4.9 seconds. (29) Cleaning up request packet ID 0 with timestamp +53 Ready to process requests (30) Received Access-Request Id 0 from 172.22.22.254:2049 to 172.22.22.1:1812 length 147 (30) User-Name = "CLEARSYSTEM\\test1" (30) NAS-IP-Address = 172.22.22.254 (30) Called-Station-Id = "001601dfe596" (30) Calling-Station-Id = "74da38d41a8b" (30) NAS-Identifier = "001601dfe596" (30) NAS-Port = 5 (30) Framed-MTU = 1400 (30) NAS-Port-Type = Wireless-802.11 (30) EAP-Message = 0x0200001601434c45415253595354454d5c7465737431 (30) Message-Authenticator = 0x26a6a6e06a663a4348a73e61f6370656 (30) # Executing section authorize from file /etc/raddb/sites-enabled/default (30) authorize { (30) policy filter_username { (30) if (&User-Name) { (30) if (&User-Name) -> TRUE (30) if (&User-Name) { (30) if (&User-Name =~ / /) { (30) if (&User-Name =~ / /) -> FALSE (30) if (&User-Name =~ /@[^@]*@/ ) { (30) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (30) if (&User-Name =~ /\.\./ ) { (30) if (&User-Name =~ /\.\./ ) -> FALSE (30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (30) if (&User-Name =~ /\.$/) { (30) if (&User-Name =~ /\.$/) -> FALSE (30) if (&User-Name =~ /@\./) { (30) if (&User-Name =~ /@\./) -> FALSE (30) } # if (&User-Name) = notfound (30) } # policy filter_username = notfound (30) [preprocess] = ok (30) [chap] = noop (30) [mschap] = noop (30) [digest] = noop (30) suffix: Checking for suffix after "@" (30) suffix: No '@' in User-Name = "CLEARSYSTEM\test1", looking up realm NULL (30) suffix: No such realm "NULL" (30) [suffix] = noop (30) ntdomain: Checking for prefix before "\" (30) ntdomain: Looking up realm "CLEARSYSTEM" for User-Name = "CLEARSYSTEM\test1" (30) ntdomain: Found realm "CLEARSYSTEM" (30) ntdomain: Adding Stripped-User-Name = "test1" (30) ntdomain: Adding Realm = "CLEARSYSTEM" (30) ntdomain: Authentication realm is LOCAL (30) [ntdomain] = ok (30) eap: Peer sent EAP Response (code 2) ID 0 length 22 (30) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (30) [eap] = ok (30) } # authorize = ok (30) Found Auth-Type = eap (30) # Executing group from file /etc/raddb/sites-enabled/default (30) authenticate { (30) eap: Peer sent packet with method EAP Identity (1) (30) eap: Calling submodule eap_peap to process data (30) eap_peap: Initiating new EAP-TLS session (30) eap_peap: [eaptls start] = request (30) eap: Sending EAP Request (code 1) ID 1 length 6 (30) eap: EAP session adding &reply:State = 0x436131c543602893 (30) [eap] = handled (30) } # authenticate = handled (30) Using Post-Auth-Type Challenge (30) # Executing group from file /etc/raddb/sites-enabled/default (30) Challenge { ... } # empty sub-section is ignored (30) Sent Access-Challenge Id 0 from 172.22.22.1:1812 to 172.22.22.254:2049 length 0 (30) EAP-Message = 0x010100061920 (30) Message-Authenticator = 0x00000000000000000000000000000000 (30) State = 0x436131c543602893bb7dfeada35c18c4 (30) Finished request Waking up in 4.9 seconds. I'm afraid I don't see what is going wrong and any pointers would be welcome. Thanks, Nick