Hi guys I was finally able to find some time to test and debug it (again). As suggested, I added „debug_all" in the post-auth section before anything else: post-auth { debug_all if (Service-Type == Call-Check) { MAC_auth_log } else { 802.1x_auth_log } ... } See full debug output at the end... I can see multiple places, where "TLS-Session-Cipher-Suite“ and "TLS-Session-Version“ are referenced: (357) Using Post-Auth-Type Challenge (357) Post-Auth-Type sub-section not found. Ignoring. (357) # Executing group from file /etc/freeradius/sites-enabled/default (357) session-state: Saving cached attributes ... (357) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (357) TLS-Session-Version = "TLS 1.2" (358) Restoring &session-state (358) &session-state:Framed-MTU = 1014 ... (358) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (358) &session-state:TLS-Session-Version = "TLS 1.2" (345) Auth-Type eap { (345) eap: Removing EAP session with state 0x0141131104460af2 (345) eap: Previous EAP request found for state 0x0141131104460af2, released from the list (345) eap: Peer sent packet with method EAP PEAP (25) (345) eap: Calling submodule eap_peap to process data (345) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes (345) eap_peap: (TLS) EAP Got all data (126 bytes) (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (345) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec (345) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished (345) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec (345) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished (345) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully (345) eap_peap: (TLS) PEAP - Connection Established (345) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (345) eap_peap: TLS-Session-Version = "TLS 1.2" But nonetheless, it is not logged afterwards: (362) 802.1x_auth_log: EXPAND %t : AuthZ: (%I) %{reply:Packet-Type}: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown}) (362) 802.1x_auth_log: --> Fri Dec 13 14:05:05 2024 : AuthZ: (111) Access-Accept: [xyz@realm.com] TLS-Version=NULL TLS-Ciphers=NULL SSID=eduroam Calling-Station-Id=22-E0-73-F2-50-23 Called-Station-Id=60-B9-C0-04-C4-40:eduroam Filter-ID=staff VLAN=xyz Class=0x7374616666 (from client xyz.wifi.realm.com port 4211 operator-name Unknown) What am I missing in this context? Regards Dominic *** Full debug output: (339) Received Access-Request Id 183 from 130.92.42.15:60533 to 130.92.10.33:1812 length 446 (339) User-Name = "xyz@realm.com" (339) Service-Type = Framed-User (339) Cisco-AVPair = "service-type=Framed" (339) Framed-MTU = 1485 (339) EAP-Message = 0x0201001d01646f6d696e69632e7374616c64657240756e6962652e6368 (339) Message-Authenticator = 0x4c3f3cc9745bd26770b48c2b3b9875fb (339) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (339) Cisco-AVPair = "method=dot1x" (339) Cisco-AVPair = "client-iif-id=2499807523" (339) Cisco-AVPair = "vlan-id=1876" (339) NAS-IP-Address = 130.92.42.15 (339) NAS-Port-Type = Wireless-802.11 (339) NAS-Port = 4211 (339) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (339) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (339) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (339) Calling-Station-Id = "22-e0-73-f2-50-23" (339) Airespace-Wlan-Id = 98 (339) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (339) WLAN-Group-Cipher = 1027076 (339) WLAN-Pairwise-Cipher = 1027076 (339) WLAN-AKM-Suite = 1027075 (339) # Executing section authorize from file /etc/freeradius/sites-enabled/default (339) authorize { (339) policy rewrite_called_station_id { (339) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (339) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (339) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (339) update request { (339) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (339) --> 60-B9-C0-04-C4-40 (339) &Called-Station-Id := 60-B9-C0-04-C4-40 (339) } # update request = noop (339) if ("%{8}") { (339) EXPAND %{8} (339) --> eduroam (339) if ("%{8}") -> TRUE (339) if ("%{8}") { (339) update request { (339) EXPAND %{8} (339) --> eduroam (339) &Called-Station-SSID := eduroam (339) EXPAND %{Called-Station-Id}:%{8} (339) --> 60-B9-C0-04-C4-40:eduroam (339) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (339) } # update request = noop (339) } # if ("%{8}") = noop (339) [updated] = updated (339) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (339) ... skipping else: Preceding "if" was taken (339) } # policy rewrite_called_station_id = updated (339) policy rewrite_calling_station_id { (339) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (339) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (339) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (339) update request { (339) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (339) --> 22-E0-73-F2-50-23 (339) &Calling-Station-Id := 22-E0-73-F2-50-23 (339) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (339) --> 22:E0:73:F2:50:23 (339) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (339) } # update request = noop (339) [updated] = updated (339) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (339) ... skipping else: Preceding "if" was taken (339) } # policy rewrite_calling_station_id = updated (339) if (NAS-Identifier == "uvisrz0215.insel.ch") { (339) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (339) if (Service-Type == Call-Check) { (339) if (Service-Type == Call-Check) -> FALSE (339) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (339) EXPAND Packet-Src-IP-Address (339) --> 130.92.42.15 (339) EXPAND Packet-Src-IP-Address (339) --> 130.92.42.15 (339) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (339) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (339) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (339) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (339) if (EAP-Message) { (339) if (EAP-Message) -> TRUE (339) if (EAP-Message) { (339) policy filter_username { (339) if (&User-Name) { (339) if (&User-Name) -> TRUE (339) if (&User-Name) { (339) if (&User-Name =~ / /) { (339) if (&User-Name =~ / /) -> FALSE (339) if (&User-Name =~ /@[^@]*@/ ) { (339) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (339) if (&User-Name =~ /\.\./ ) { (339) if (&User-Name =~ /\.\./ ) -> FALSE (339) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (339) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (339) if (&User-Name =~ /\.$/) { (339) if (&User-Name =~ /\.$/) -> FALSE (339) if (&User-Name =~ /@\./) { (339) if (&User-Name =~ /@\./) -> FALSE (339) } # if (&User-Name) = updated (339) } # policy filter_username = updated (339) suffix: Checking for suffix after "@" (339) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (339) suffix: Found realm "REALM.COM" (339) suffix: Adding Realm = "REALM.COM" (339) suffix: Authentication realm is LOCAL (339) [suffix] = ok (339) policy deny_no_realm { (339) if (User-Name && (User-Name !~ /@/)) { (339) if (User-Name && (User-Name !~ /@/)) -> FALSE (339) } # policy deny_no_realm = updated (339) update request { (339) EXPAND %{toupper:%{Realm}} (339) --> REALM.COM (339) Realm := REALM.COM (339) } # update request = noop (339) eap: Peer sent EAP Response (code 2) ID 1 length 29 (339) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (339) [eap] = ok (339) } # if (EAP-Message) = ok (339) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (339) } # authorize = updated (339) Found Auth-Type = eap (339) # Executing group from file /etc/freeradius/sites-enabled/default (339) Auth-Type eap { (339) eap: Peer sent packet with method EAP Identity (1) (339) eap: Calling submodule eap_peap to process data (339) eap_peap: (TLS) PEAP -Initiating new session (339) eap: Sending EAP Request (code 1) ID 2 length 6 (339) eap: EAP session adding &reply:State = 0x0141131101430af2 (339) [eap] = handled (339) if (handled && (Response-Packet-Type == Access-Challenge)) { (339) EXPAND Response-Packet-Type (339) --> Access-Challenge (339) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (339) if (handled && (Response-Packet-Type == Access-Challenge)) { (339) attr_filter.access_challenge: EXPAND %{User-Name} (339) attr_filter.access_challenge: --> xyz@realm.com (339) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (339) [attr_filter.access_challenge.post-auth] = updated (339) [handled] = handled (339) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (339) } # Auth-Type eap = handled (339) Using Post-Auth-Type Challenge (339) Post-Auth-Type sub-section not found. Ignoring. (339) # Executing group from file /etc/freeradius/sites-enabled/default (339) session-state: Saving cached attributes (339) Framed-MTU = 1014 (339) Sent Access-Challenge Id 183 from 130.92.10.33:1812 to 130.92.42.15:60533 length 64 (339) EAP-Message = 0x010200061920 (339) Message-Authenticator = 0x00000000000000000000000000000000 (339) State = 0x0141131101430af2159d1101103ebc16 (339) Finished request Waking up in 4.9 seconds. (340) Received Access-Request Id 191 from 130.92.42.15:60533 to 130.92.10.33:1812 length 596 (340) User-Name = "xyz@realm.com" (340) Service-Type = Framed-User (340) Cisco-AVPair = "service-type=Framed" (340) Framed-MTU = 1485 (340) EAP-Message = 0x020200a119800000009716030100920100008e0303675c30ff6a9b0b902f1e931a2758f15aa27a75704f9760726e5c03da301ba84800002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000 (340) Message-Authenticator = 0x1bf88fb93027e9dd852deff1d387f443 (340) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (340) Cisco-AVPair = "method=dot1x" (340) Cisco-AVPair = "client-iif-id=2499807523" (340) Cisco-AVPair = "vlan-id=1876" (340) NAS-IP-Address = 130.92.42.15 (340) NAS-Port-Type = Wireless-802.11 (340) NAS-Port = 4211 (340) State = 0x0141131101430af2159d1101103ebc16 (340) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (340) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (340) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (340) Calling-Station-Id = "22-e0-73-f2-50-23" (340) Airespace-Wlan-Id = 98 (340) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (340) WLAN-Group-Cipher = 1027076 (340) WLAN-Pairwise-Cipher = 1027076 (340) WLAN-AKM-Suite = 1027075 (340) Restoring &session-state (340) &session-state:Framed-MTU = 1014 (340) # Executing section authorize from file /etc/freeradius/sites-enabled/default (340) authorize { (340) policy rewrite_called_station_id { (340) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (340) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (340) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (340) update request { (340) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (340) --> 60-B9-C0-04-C4-40 (340) &Called-Station-Id := 60-B9-C0-04-C4-40 (340) } # update request = noop (340) if ("%{8}") { (340) EXPAND %{8} (340) --> eduroam (340) if ("%{8}") -> TRUE (340) if ("%{8}") { (340) update request { (340) EXPAND %{8} (340) --> eduroam (340) &Called-Station-SSID := eduroam (340) EXPAND %{Called-Station-Id}:%{8} (340) --> 60-B9-C0-04-C4-40:eduroam (340) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (340) } # update request = noop (340) } # if ("%{8}") = noop (340) [updated] = updated (340) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (340) ... skipping else: Preceding "if" was taken (340) } # policy rewrite_called_station_id = updated (340) policy rewrite_calling_station_id { (340) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (340) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (340) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (340) update request { (340) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (340) --> 22-E0-73-F2-50-23 (340) &Calling-Station-Id := 22-E0-73-F2-50-23 (340) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (340) --> 22:E0:73:F2:50:23 (340) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (340) } # update request = noop (340) [updated] = updated (340) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (340) ... skipping else: Preceding "if" was taken (340) } # policy rewrite_calling_station_id = updated (340) if (NAS-Identifier == "uvisrz0215.insel.ch") { (340) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (340) if (Service-Type == Call-Check) { (340) if (Service-Type == Call-Check) -> FALSE (340) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (340) EXPAND Packet-Src-IP-Address (340) --> 130.92.42.15 (340) EXPAND Packet-Src-IP-Address (340) --> 130.92.42.15 (340) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (340) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (340) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (340) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (340) if (EAP-Message) { (340) if (EAP-Message) -> TRUE (340) if (EAP-Message) { (340) policy filter_username { (340) if (&User-Name) { (340) if (&User-Name) -> TRUE (340) if (&User-Name) { (340) if (&User-Name =~ / /) { (340) if (&User-Name =~ / /) -> FALSE (340) if (&User-Name =~ /@[^@]*@/ ) { (340) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (340) if (&User-Name =~ /\.\./ ) { (340) if (&User-Name =~ /\.\./ ) -> FALSE (340) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (340) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (340) if (&User-Name =~ /\.$/) { (340) if (&User-Name =~ /\.$/) -> FALSE (340) if (&User-Name =~ /@\./) { (340) if (&User-Name =~ /@\./) -> FALSE (340) } # if (&User-Name) = updated (340) } # policy filter_username = updated (340) suffix: Checking for suffix after "@" (340) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (340) suffix: Found realm "REALM.COM" (340) suffix: Adding Realm = "REALM.COM" (340) suffix: Authentication realm is LOCAL (340) [suffix] = ok (340) policy deny_no_realm { (340) if (User-Name && (User-Name !~ /@/)) { (340) if (User-Name && (User-Name !~ /@/)) -> FALSE (340) } # policy deny_no_realm = updated (340) update request { (340) EXPAND %{toupper:%{Realm}} (340) --> REALM.COM (340) Realm := REALM.COM (340) } # update request = noop (340) eap: Peer sent EAP Response (code 2) ID 2 length 161 (340) eap: Continuing tunnel setup (340) [eap] = ok (340) } # if (EAP-Message) = ok (340) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (340) } # authorize = updated (340) Found Auth-Type = eap (340) # Executing group from file /etc/freeradius/sites-enabled/default (340) Auth-Type eap { (340) eap: Removing EAP session with state 0x0141131101430af2 (340) eap: Previous EAP request found for state 0x0141131101430af2, released from the list (340) eap: Peer sent packet with method EAP PEAP (25) (340) eap: Calling submodule eap_peap to process data (340) eap_peap: (TLS) EAP Peer says that the final record size will be 151 bytes (340) eap_peap: (TLS) EAP Got all data (151 bytes) (340) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization (340) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (340) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (340) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello (340) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello (340) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello (340) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello (340) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate (340) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate (340) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange (340) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange (340) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone (340) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (340) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done (340) eap_peap: (TLS) PEAP - In Handshake Phase (340) eap: Sending EAP Request (code 1) ID 3 length 1024 (340) eap: EAP session adding &reply:State = 0x0141131100420af2 (340) [eap] = handled (340) if (handled && (Response-Packet-Type == Access-Challenge)) { (340) EXPAND Response-Packet-Type (340) --> Access-Challenge (340) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (340) if (handled && (Response-Packet-Type == Access-Challenge)) { (340) attr_filter.access_challenge: EXPAND %{User-Name} (340) attr_filter.access_challenge: --> xyz@realm.com (340) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (340) [attr_filter.access_challenge.post-auth] = updated (340) [handled] = handled (340) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (340) } # Auth-Type eap = handled (340) Using Post-Auth-Type Challenge (340) Post-Auth-Type sub-section not found. Ignoring. (340) # Executing group from file /etc/freeradius/sites-enabled/default (340) session-state: Saving cached attributes (340) Framed-MTU = 1014 (340) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (340) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (340) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (340) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (340) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (340) Sent Access-Challenge Id 191 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1090 (340) EAP-Message = 0x0103040019c000001135160303003d020000390303c6f0abbfc21ebae81584415260a08bae7625b694abcfc744444f574e4752440100c030000011ff01000100000b000403000102001700001603030f930b000f8f000f8c0007253082072130820609a003020102021006387c8dc0feba6f5f4a0c47e7c561cd300d06092a864886f70d01010b05003059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c532052534120534841323536203230323020434131301e170d3234303532393030303030305a170d3235303532383233353935395a305f310b3009060355040613024348310d300b060355040813044265726e310d300b060355040713044265726e311b3019060355040a1312556e6976657273697479206f66204265726e311530130603550403130c6161692e756e6962652e636830820122300d06092a864886f70d01010105 (340) Message-Authenticator = 0x00000000000000000000000000000000 (340) State = 0x0141131100420af2159d1101103ebc16 (340) Finished request Waking up in 4.9 seconds. (341) Received Access-Request Id 199 from 130.92.42.15:60533 to 130.92.10.33:1812 length 441 (341) User-Name = "xyz@realm.com" (341) Service-Type = Framed-User (341) Cisco-AVPair = "service-type=Framed" (341) Framed-MTU = 1485 (341) EAP-Message = 0x020300061900 (341) Message-Authenticator = 0xae5eb8ba2e18ea67433ce94f73ea9d45 (341) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (341) Cisco-AVPair = "method=dot1x" (341) Cisco-AVPair = "client-iif-id=2499807523" (341) Cisco-AVPair = "vlan-id=1876" (341) NAS-IP-Address = 130.92.42.15 (341) NAS-Port-Type = Wireless-802.11 (341) NAS-Port = 4211 (341) State = 0x0141131100420af2159d1101103ebc16 (341) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (341) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (341) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (341) Calling-Station-Id = "22-e0-73-f2-50-23" (341) Airespace-Wlan-Id = 98 (341) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (341) WLAN-Group-Cipher = 1027076 (341) WLAN-Pairwise-Cipher = 1027076 (341) WLAN-AKM-Suite = 1027075 (341) Restoring &session-state (341) &session-state:Framed-MTU = 1014 (341) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (341) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (341) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (341) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (341) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (341) # Executing section authorize from file /etc/freeradius/sites-enabled/default (341) authorize { (341) policy rewrite_called_station_id { (341) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (341) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (341) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (341) update request { (341) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (341) --> 60-B9-C0-04-C4-40 (341) &Called-Station-Id := 60-B9-C0-04-C4-40 (341) } # update request = noop (341) if ("%{8}") { (341) EXPAND %{8} (341) --> eduroam (341) if ("%{8}") -> TRUE (341) if ("%{8}") { (341) update request { (341) EXPAND %{8} (341) --> eduroam (341) &Called-Station-SSID := eduroam (341) EXPAND %{Called-Station-Id}:%{8} (341) --> 60-B9-C0-04-C4-40:eduroam (341) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (341) } # update request = noop (341) } # if ("%{8}") = noop (341) [updated] = updated (341) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (341) ... skipping else: Preceding "if" was taken (341) } # policy rewrite_called_station_id = updated (341) policy rewrite_calling_station_id { (341) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (341) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (341) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (341) update request { (341) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (341) --> 22-E0-73-F2-50-23 (341) &Calling-Station-Id := 22-E0-73-F2-50-23 (341) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (341) --> 22:E0:73:F2:50:23 (341) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (341) } # update request = noop (341) [updated] = updated (341) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (341) ... skipping else: Preceding "if" was taken (341) } # policy rewrite_calling_station_id = updated (341) if (NAS-Identifier == "uvisrz0215.insel.ch") { (341) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (341) if (Service-Type == Call-Check) { (341) if (Service-Type == Call-Check) -> FALSE (341) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (341) EXPAND Packet-Src-IP-Address (341) --> 130.92.42.15 (341) EXPAND Packet-Src-IP-Address (341) --> 130.92.42.15 (341) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (341) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (341) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (341) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (341) if (EAP-Message) { (341) if (EAP-Message) -> TRUE (341) if (EAP-Message) { (341) policy filter_username { (341) if (&User-Name) { (341) if (&User-Name) -> TRUE (341) if (&User-Name) { (341) if (&User-Name =~ / /) { (341) if (&User-Name =~ / /) -> FALSE (341) if (&User-Name =~ /@[^@]*@/ ) { (341) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (341) if (&User-Name =~ /\.\./ ) { (341) if (&User-Name =~ /\.\./ ) -> FALSE (341) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (341) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (341) if (&User-Name =~ /\.$/) { (341) if (&User-Name =~ /\.$/) -> FALSE (341) if (&User-Name =~ /@\./) { (341) if (&User-Name =~ /@\./) -> FALSE (341) } # if (&User-Name) = updated (341) } # policy filter_username = updated (341) suffix: Checking for suffix after "@" (341) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (341) suffix: Found realm "REALM.COM" (341) suffix: Adding Realm = "REALM.COM" (341) suffix: Authentication realm is LOCAL (341) [suffix] = ok (341) policy deny_no_realm { (341) if (User-Name && (User-Name !~ /@/)) { (341) if (User-Name && (User-Name !~ /@/)) -> FALSE (341) } # policy deny_no_realm = updated (341) update request { (341) EXPAND %{toupper:%{Realm}} (341) --> REALM.COM (341) Realm := REALM.COM (341) } # update request = noop (341) eap: Peer sent EAP Response (code 2) ID 3 length 6 (341) eap: Continuing tunnel setup (341) [eap] = ok (341) } # if (EAP-Message) = ok (341) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (341) } # authorize = updated (341) Found Auth-Type = eap (341) # Executing group from file /etc/freeradius/sites-enabled/default (341) Auth-Type eap { (341) eap: Removing EAP session with state 0x0141131100420af2 (341) eap: Previous EAP request found for state 0x0141131100420af2, released from the list (341) eap: Peer sent packet with method EAP PEAP (25) (341) eap: Calling submodule eap_peap to process data (341) eap_peap: (TLS) Peer ACKed our handshake fragment (341) eap: Sending EAP Request (code 1) ID 4 length 1020 (341) eap: EAP session adding &reply:State = 0x0141131103450af2 (341) [eap] = handled (341) if (handled && (Response-Packet-Type == Access-Challenge)) { (341) EXPAND Response-Packet-Type (341) --> Access-Challenge (341) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (341) if (handled && (Response-Packet-Type == Access-Challenge)) { (341) attr_filter.access_challenge: EXPAND %{User-Name} (341) attr_filter.access_challenge: --> xyz@realm.com (341) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (341) [attr_filter.access_challenge.post-auth] = updated (341) [handled] = handled (341) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (341) } # Auth-Type eap = handled (341) Using Post-Auth-Type Challenge (341) Post-Auth-Type sub-section not found. Ignoring. (341) # Executing group from file /etc/freeradius/sites-enabled/default (341) session-state: Saving cached attributes (341) Framed-MTU = 1014 (341) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (341) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (341) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (341) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (341) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (341) Sent Access-Challenge Id 199 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1086 (341) EAP-Message = 0x010403fc1940312d312e63726c3048a046a0448642687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e63726c30818706082b06010505070101047b3079302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305106082b060105050730028645687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e637274300c0603551d130101ff040230003082017f060a2b06010401d6790204020482016f0482016b01690077004e75a3275c9a10c3385b6cd4df3f52eb1df0e08e1b8d69c0b1fa64b1629a39df0000018fc49a2e690000040300483046022100c3703d534899e5150ee51285759f020d6d69574d1db223e7a6fba90105e34a98022100a96786ea2924a95667b25b5efae9fb8e9b5e2b8494 (341) Message-Authenticator = 0x00000000000000000000000000000000 (341) State = 0x0141131103450af2159d1101103ebc16 (341) Finished request Waking up in 4.9 seconds. (342) Received Access-Request Id 207 from 130.92.42.15:60533 to 130.92.10.33:1812 length 441 (342) User-Name = "xyz@realm.com" (342) Service-Type = Framed-User (342) Cisco-AVPair = "service-type=Framed" (342) Framed-MTU = 1485 (342) EAP-Message = 0x020400061900 (342) Message-Authenticator = 0xa739713798de7cce72a754080e2e64f5 (342) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (342) Cisco-AVPair = "method=dot1x" (342) Cisco-AVPair = "client-iif-id=2499807523" (342) Cisco-AVPair = "vlan-id=1876" (342) NAS-IP-Address = 130.92.42.15 (342) NAS-Port-Type = Wireless-802.11 (342) NAS-Port = 4211 (342) State = 0x0141131103450af2159d1101103ebc16 (342) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (342) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (342) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (342) Calling-Station-Id = "22-e0-73-f2-50-23" (342) Airespace-Wlan-Id = 98 (342) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (342) WLAN-Group-Cipher = 1027076 (342) WLAN-Pairwise-Cipher = 1027076 (342) WLAN-AKM-Suite = 1027075 (342) Restoring &session-state (342) &session-state:Framed-MTU = 1014 (342) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (342) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (342) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (342) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (342) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (342) # Executing section authorize from file /etc/freeradius/sites-enabled/default (342) authorize { (342) policy rewrite_called_station_id { (342) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (342) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (342) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (342) update request { (342) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (342) --> 60-B9-C0-04-C4-40 (342) &Called-Station-Id := 60-B9-C0-04-C4-40 (342) } # update request = noop (342) if ("%{8}") { (342) EXPAND %{8} (342) --> eduroam (342) if ("%{8}") -> TRUE (342) if ("%{8}") { (342) update request { (342) EXPAND %{8} (342) --> eduroam (342) &Called-Station-SSID := eduroam (342) EXPAND %{Called-Station-Id}:%{8} (342) --> 60-B9-C0-04-C4-40:eduroam (342) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (342) } # update request = noop (342) } # if ("%{8}") = noop (342) [updated] = updated (342) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (342) ... skipping else: Preceding "if" was taken (342) } # policy rewrite_called_station_id = updated (342) policy rewrite_calling_station_id { (342) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (342) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (342) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (342) update request { (342) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (342) --> 22-E0-73-F2-50-23 (342) &Calling-Station-Id := 22-E0-73-F2-50-23 (342) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (342) --> 22:E0:73:F2:50:23 (342) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (342) } # update request = noop (342) [updated] = updated (342) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (342) ... skipping else: Preceding "if" was taken (342) } # policy rewrite_calling_station_id = updated (342) if (NAS-Identifier == "uvisrz0215.insel.ch") { (342) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (342) if (Service-Type == Call-Check) { (342) if (Service-Type == Call-Check) -> FALSE (342) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (342) EXPAND Packet-Src-IP-Address (342) --> 130.92.42.15 (342) EXPAND Packet-Src-IP-Address (342) --> 130.92.42.15 (342) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (342) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (342) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (342) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (342) if (EAP-Message) { (342) if (EAP-Message) -> TRUE (342) if (EAP-Message) { (342) policy filter_username { (342) if (&User-Name) { (342) if (&User-Name) -> TRUE (342) if (&User-Name) { (342) if (&User-Name =~ / /) { (342) if (&User-Name =~ / /) -> FALSE (342) if (&User-Name =~ /@[^@]*@/ ) { (342) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (342) if (&User-Name =~ /\.\./ ) { (342) if (&User-Name =~ /\.\./ ) -> FALSE (342) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (342) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (342) if (&User-Name =~ /\.$/) { (342) if (&User-Name =~ /\.$/) -> FALSE (342) if (&User-Name =~ /@\./) { (342) if (&User-Name =~ /@\./) -> FALSE (342) } # if (&User-Name) = updated (342) } # policy filter_username = updated (342) suffix: Checking for suffix after "@" (342) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (342) suffix: Found realm "REALM.COM" (342) suffix: Adding Realm = "REALM.COM" (342) suffix: Authentication realm is LOCAL (342) [suffix] = ok (342) policy deny_no_realm { (342) if (User-Name && (User-Name !~ /@/)) { (342) if (User-Name && (User-Name !~ /@/)) -> FALSE (342) } # policy deny_no_realm = updated (342) update request { (342) EXPAND %{toupper:%{Realm}} (342) --> REALM.COM (342) Realm := REALM.COM (342) } # update request = noop (342) eap: Peer sent EAP Response (code 2) ID 4 length 6 (342) eap: Continuing tunnel setup (342) [eap] = ok (342) } # if (EAP-Message) = ok (342) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (342) } # authorize = updated (342) Found Auth-Type = eap (342) # Executing group from file /etc/freeradius/sites-enabled/default (342) Auth-Type eap { (342) eap: Removing EAP session with state 0x0141131103450af2 (342) eap: Previous EAP request found for state 0x0141131103450af2, released from the list (342) eap: Peer sent packet with method EAP PEAP (25) (342) eap: Calling submodule eap_peap to process data (342) eap_peap: (TLS) Peer ACKed our handshake fragment (342) eap: Sending EAP Request (code 1) ID 5 length 1020 (342) eap: EAP session adding &reply:State = 0x0141131102440af2 (342) [eap] = handled (342) if (handled && (Response-Packet-Type == Access-Challenge)) { (342) EXPAND Response-Packet-Type (342) --> Access-Challenge (342) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (342) if (handled && (Response-Packet-Type == Access-Challenge)) { (342) attr_filter.access_challenge: EXPAND %{User-Name} (342) attr_filter.access_challenge: --> xyz@realm.com (342) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (342) [attr_filter.access_challenge.post-auth] = updated (342) [handled] = handled (342) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (342) } # Auth-Type eap = handled (342) Using Post-Auth-Type Challenge (342) Post-Auth-Type sub-section not found. Ignoring. (342) # Executing group from file /etc/freeradius/sites-enabled/default (342) session-state: Saving cached attributes (342) Framed-MTU = 1014 (342) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (342) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (342) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (342) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (342) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (342) Sent Access-Challenge Id 207 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1086 (342) EAP-Message = 0x010503fc194006035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3231303333303030303030305a170d3331303332393233353935395a3059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100ccf710624fa6bb636fed905256c56d277b7a12568af1f4f9d6e7e18fbd95abf260411570db1200fa270ab557385b7db2519371950e6a41945b351bfa7bfabbc5be2430fe56efc4f37d97e314f5144dcba710f216eaab22f031221161699026ba78d9971fe37d66ab75449573c8acffef5d0a8a5943e1acb23a0ff348fcd76b37c163dcde46d6db45fe7d23fd90e851071e51a35fed4946547f2c88c5f4139c97153c03e8a139dc690c32c1af16574c9447427ca2c89c7d (342) Message-Authenticator = 0x00000000000000000000000000000000 (342) State = 0x0141131102440af2159d1101103ebc16 (342) Finished request Waking up in 4.9 seconds. (343) Received Access-Request Id 215 from 130.92.42.15:60533 to 130.92.10.33:1812 length 441 (343) User-Name = "xyz@realm.com" (343) Service-Type = Framed-User (343) Cisco-AVPair = "service-type=Framed" (343) Framed-MTU = 1485 (343) EAP-Message = 0x020500061900 (343) Message-Authenticator = 0x020e5248e9fa82c011bcabd01a028762 (343) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (343) Cisco-AVPair = "method=dot1x" (343) Cisco-AVPair = "client-iif-id=2499807523" (343) Cisco-AVPair = "vlan-id=1876" (343) NAS-IP-Address = 130.92.42.15 (343) NAS-Port-Type = Wireless-802.11 (343) NAS-Port = 4211 (343) State = 0x0141131102440af2159d1101103ebc16 (343) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (343) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (343) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (343) Calling-Station-Id = "22-e0-73-f2-50-23" (343) Airespace-Wlan-Id = 98 (343) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (343) WLAN-Group-Cipher = 1027076 (343) WLAN-Pairwise-Cipher = 1027076 (343) WLAN-AKM-Suite = 1027075 (343) Restoring &session-state (343) &session-state:Framed-MTU = 1014 (343) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (343) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (343) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (343) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (343) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (343) # Executing section authorize from file /etc/freeradius/sites-enabled/default (343) authorize { (343) policy rewrite_called_station_id { (343) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (343) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (343) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (343) update request { (343) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (343) --> 60-B9-C0-04-C4-40 (343) &Called-Station-Id := 60-B9-C0-04-C4-40 (343) } # update request = noop (343) if ("%{8}") { (343) EXPAND %{8} (343) --> eduroam (343) if ("%{8}") -> TRUE (343) if ("%{8}") { (343) update request { (343) EXPAND %{8} (343) --> eduroam (343) &Called-Station-SSID := eduroam (343) EXPAND %{Called-Station-Id}:%{8} (343) --> 60-B9-C0-04-C4-40:eduroam (343) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (343) } # update request = noop (343) } # if ("%{8}") = noop (343) [updated] = updated (343) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (343) ... skipping else: Preceding "if" was taken (343) } # policy rewrite_called_station_id = updated (343) policy rewrite_calling_station_id { (343) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (343) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (343) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (343) update request { (343) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (343) --> 22-E0-73-F2-50-23 (343) &Calling-Station-Id := 22-E0-73-F2-50-23 (343) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (343) --> 22:E0:73:F2:50:23 (343) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (343) } # update request = noop (343) [updated] = updated (343) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (343) ... skipping else: Preceding "if" was taken (343) } # policy rewrite_calling_station_id = updated (343) if (NAS-Identifier == "uvisrz0215.insel.ch") { (343) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (343) if (Service-Type == Call-Check) { (343) if (Service-Type == Call-Check) -> FALSE (343) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (343) EXPAND Packet-Src-IP-Address (343) --> 130.92.42.15 (343) EXPAND Packet-Src-IP-Address (343) --> 130.92.42.15 (343) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (343) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (343) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (343) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (343) if (EAP-Message) { (343) if (EAP-Message) -> TRUE (343) if (EAP-Message) { (343) policy filter_username { (343) if (&User-Name) { (343) if (&User-Name) -> TRUE (343) if (&User-Name) { (343) if (&User-Name =~ / /) { (343) if (&User-Name =~ / /) -> FALSE (343) if (&User-Name =~ /@[^@]*@/ ) { (343) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (343) if (&User-Name =~ /\.\./ ) { (343) if (&User-Name =~ /\.\./ ) -> FALSE (343) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (343) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (343) if (&User-Name =~ /\.$/) { (343) if (&User-Name =~ /\.$/) -> FALSE (343) if (&User-Name =~ /@\./) { (343) if (&User-Name =~ /@\./) -> FALSE (343) } # if (&User-Name) = updated (343) } # policy filter_username = updated (343) suffix: Checking for suffix after "@" (343) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (343) suffix: Found realm "REALM.COM" (343) suffix: Adding Realm = "REALM.COM" (343) suffix: Authentication realm is LOCAL (343) [suffix] = ok (343) policy deny_no_realm { (343) if (User-Name && (User-Name !~ /@/)) { (343) if (User-Name && (User-Name !~ /@/)) -> FALSE (343) } # policy deny_no_realm = updated (343) update request { (343) EXPAND %{toupper:%{Realm}} (343) --> REALM.COM (343) Realm := REALM.COM (343) } # update request = noop (343) eap: Peer sent EAP Response (code 2) ID 5 length 6 (343) eap: Continuing tunnel setup (343) [eap] = ok (343) } # if (EAP-Message) = ok (343) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (343) } # authorize = updated (343) Found Auth-Type = eap (343) # Executing group from file /etc/freeradius/sites-enabled/default (343) Auth-Type eap { (343) eap: Removing EAP session with state 0x0141131102440af2 (343) eap: Previous EAP request found for state 0x0141131102440af2, released from the list (343) eap: Peer sent packet with method EAP PEAP (25) (343) eap: Calling submodule eap_peap to process data (343) eap_peap: (TLS) Peer ACKed our handshake fragment (343) eap: Sending EAP Request (code 1) ID 6 length 1020 (343) eap: EAP session adding &reply:State = 0x0141131105470af2 (343) [eap] = handled (343) if (handled && (Response-Packet-Type == Access-Challenge)) { (343) EXPAND Response-Packet-Type (343) --> Access-Challenge (343) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (343) if (handled && (Response-Packet-Type == Access-Challenge)) { (343) attr_filter.access_challenge: EXPAND %{User-Name} (343) attr_filter.access_challenge: --> xyz@realm.com (343) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (343) [attr_filter.access_challenge.post-auth] = updated (343) [handled] = handled (343) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (343) } # Auth-Type eap = handled (343) Using Post-Auth-Type Challenge (343) Post-Auth-Type sub-section not found. Ignoring. (343) # Executing group from file /etc/freeradius/sites-enabled/default (343) session-state: Saving cached attributes (343) Framed-MTU = 1014 (343) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (343) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (343) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (343) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (343) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (343) Sent Access-Challenge Id 215 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1086 (343) EAP-Message = 0x010603fc1940c6278481d47e8c8ca39b52e7c688ec377c2afbf0555a387210d80013cf4c73dbaa3735a82981699c76bcde187b90d4cacfef6703fd045a2116b1ffea3fdfdc82f5ebf45992230d242a95254ccaa191e6d4b7ac8774b3f16da399dbf9d5bd84409f07980003923082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f6261 (343) Message-Authenticator = 0x00000000000000000000000000000000 (343) State = 0x0141131105470af2159d1101103ebc16 (343) Finished request Waking up in 4.9 seconds. (344) Received Access-Request Id 223 from 130.92.42.15:60533 to 130.92.10.33:1812 length 441 (344) User-Name = "xyz@realm.com" (344) Service-Type = Framed-User (344) Cisco-AVPair = "service-type=Framed" (344) Framed-MTU = 1485 (344) EAP-Message = 0x020600061900 (344) Message-Authenticator = 0x394892b01209a11839df9ea01ffeffc0 (344) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (344) Cisco-AVPair = "method=dot1x" (344) Cisco-AVPair = "client-iif-id=2499807523" (344) Cisco-AVPair = "vlan-id=1876" (344) NAS-IP-Address = 130.92.42.15 (344) NAS-Port-Type = Wireless-802.11 (344) NAS-Port = 4211 (344) State = 0x0141131105470af2159d1101103ebc16 (344) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (344) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (344) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (344) Calling-Station-Id = "22-e0-73-f2-50-23" (344) Airespace-Wlan-Id = 98 (344) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (344) WLAN-Group-Cipher = 1027076 (344) WLAN-Pairwise-Cipher = 1027076 (344) WLAN-AKM-Suite = 1027075 (344) Restoring &session-state (344) &session-state:Framed-MTU = 1014 (344) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (344) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (344) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (344) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (344) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (344) # Executing section authorize from file /etc/freeradius/sites-enabled/default (344) authorize { (344) policy rewrite_called_station_id { (344) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (344) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (344) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (344) update request { (344) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (344) --> 60-B9-C0-04-C4-40 (344) &Called-Station-Id := 60-B9-C0-04-C4-40 (344) } # update request = noop (344) if ("%{8}") { (344) EXPAND %{8} (344) --> eduroam (344) if ("%{8}") -> TRUE (344) if ("%{8}") { (344) update request { (344) EXPAND %{8} (344) --> eduroam (344) &Called-Station-SSID := eduroam (344) EXPAND %{Called-Station-Id}:%{8} (344) --> 60-B9-C0-04-C4-40:eduroam (344) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (344) } # update request = noop (344) } # if ("%{8}") = noop (344) [updated] = updated (344) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (344) ... skipping else: Preceding "if" was taken (344) } # policy rewrite_called_station_id = updated (344) policy rewrite_calling_station_id { (344) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (344) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (344) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (344) update request { (344) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (344) --> 22-E0-73-F2-50-23 (344) &Calling-Station-Id := 22-E0-73-F2-50-23 (344) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (344) --> 22:E0:73:F2:50:23 (344) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (344) } # update request = noop (344) [updated] = updated (344) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (344) ... skipping else: Preceding "if" was taken (344) } # policy rewrite_calling_station_id = updated (344) if (NAS-Identifier == "uvisrz0215.insel.ch") { (344) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (344) if (Service-Type == Call-Check) { (344) if (Service-Type == Call-Check) -> FALSE (344) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (344) EXPAND Packet-Src-IP-Address (344) --> 130.92.42.15 (344) EXPAND Packet-Src-IP-Address (344) --> 130.92.42.15 (344) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (344) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (344) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (344) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (344) if (EAP-Message) { (344) if (EAP-Message) -> TRUE (344) if (EAP-Message) { (344) policy filter_username { (344) if (&User-Name) { (344) if (&User-Name) -> TRUE (344) if (&User-Name) { (344) if (&User-Name =~ / /) { (344) if (&User-Name =~ / /) -> FALSE (344) if (&User-Name =~ /@[^@]*@/ ) { (344) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (344) if (&User-Name =~ /\.\./ ) { (344) if (&User-Name =~ /\.\./ ) -> FALSE (344) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (344) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (344) if (&User-Name =~ /\.$/) { (344) if (&User-Name =~ /\.$/) -> FALSE (344) if (&User-Name =~ /@\./) { (344) if (&User-Name =~ /@\./) -> FALSE (344) } # if (&User-Name) = updated (344) } # policy filter_username = updated (344) suffix: Checking for suffix after "@" (344) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (344) suffix: Found realm "REALM.COM" (344) suffix: Adding Realm = "REALM.COM" (344) suffix: Authentication realm is LOCAL (344) [suffix] = ok (344) policy deny_no_realm { (344) if (User-Name && (User-Name !~ /@/)) { (344) if (User-Name && (User-Name !~ /@/)) -> FALSE (344) } # policy deny_no_realm = updated (344) update request { (344) EXPAND %{toupper:%{Realm}} (344) --> REALM.COM (344) Realm := REALM.COM (344) } # update request = noop (344) eap: Peer sent EAP Response (code 2) ID 6 length 6 (344) eap: Continuing tunnel setup (344) [eap] = ok (344) } # if (EAP-Message) = ok (344) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (344) } # authorize = updated (344) Found Auth-Type = eap (344) # Executing group from file /etc/freeradius/sites-enabled/default (344) Auth-Type eap { (344) eap: Removing EAP session with state 0x0141131105470af2 (344) eap: Previous EAP request found for state 0x0141131105470af2, released from the list (344) eap: Peer sent packet with method EAP PEAP (25) (344) eap: Calling submodule eap_peap to process data (344) eap_peap: (TLS) Peer ACKed our handshake fragment (344) eap: Sending EAP Request (code 1) ID 7 length 355 (344) eap: EAP session adding &reply:State = 0x0141131104460af2 (344) [eap] = handled (344) if (handled && (Response-Packet-Type == Access-Challenge)) { (344) EXPAND Response-Packet-Type (344) --> Access-Challenge (344) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (344) if (handled && (Response-Packet-Type == Access-Challenge)) { (344) attr_filter.access_challenge: EXPAND %{User-Name} (344) attr_filter.access_challenge: --> xyz@realm.com (344) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (344) [attr_filter.access_challenge.post-auth] = updated (344) [handled] = handled (344) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (344) } # Auth-Type eap = handled (344) Using Post-Auth-Type Challenge (344) Post-Auth-Type sub-section not found. Ignoring. (344) # Executing group from file /etc/freeradius/sites-enabled/default (344) session-state: Saving cached attributes (344) Framed-MTU = 1014 (344) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (344) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (344) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (344) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (344) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (344) Sent Access-Challenge Id 223 from 130.92.10.33:1812 to 130.92.42.15:60533 length 415 (344) EAP-Message = 0x01070163190032b6160303014d0c000149030017410421b4816cdaa0edb2a7ee262c3b373cc7a69aeef94dc7c93d1498397a2f41152a1064075835b63105e3604c9282cfc3638bce1eef1b4f930102c7539dd714fb2e040101006fe58b29c51045ad338888932385ae6a78a1b5a392198df18af907424975763b6bf96876d3609e2538dd16e910ab32539bb337a659539ecdd3f7ca99acc6a1de17ec69fbd64da47839a7e265d4286311067bbefdeb333d87844c916e53bb5cfe26aea3bae7d58ffe17330ccdf61e8b2f425b30128275d5c5a39a84a5d01c2f569dfce9c341f402ef2635f02a2ccd901ee27231c291fe3cfbed92207fefd60eaec7aa7fb54f182d9ef86eff5ed32ecb762e50c366639a23665d5991bfbfc83f27ff21df56cd9af3e5dece4e42956217eaf080218422733ceef848877e3b4f2299df15dfc25a4f5b435f510229d83f4e91828ec3bdf2ee28578ffeb0a39d8d459216030300040e000000 (344) Message-Authenticator = 0x00000000000000000000000000000000 (344) State = 0x0141131104460af2159d1101103ebc16 (344) Finished request Waking up in 4.9 seconds. (345) Received Access-Request Id 231 from 130.92.42.15:60533 to 130.92.10.33:1812 length 571 (345) User-Name = "xyz@realm.com" (345) Service-Type = Framed-User (345) Cisco-AVPair = "service-type=Framed" (345) Framed-MTU = 1485 (345) EAP-Message = 0x0207008819800000007e1603030046100000424104b76edd3264c4b2f971dabd1fb7c02951f64b4ce9fbae8a473198e5810e39a81e2c73c6755d1f1b31ee93a7df1d1b521c9aab988df46c0d334544c1703cffa02514030300010116030300289fbd8407fe6333ba5788a04d42ae35912e9ff891a0be9b8ab3744847434c371ca199fdb89ae2abbb (345) Message-Authenticator = 0xecc16c9bab6fe8444f01d6d5b0dfc951 (345) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (345) Cisco-AVPair = "method=dot1x" (345) Cisco-AVPair = "client-iif-id=2499807523" (345) Cisco-AVPair = "vlan-id=1876" (345) NAS-IP-Address = 130.92.42.15 (345) NAS-Port-Type = Wireless-802.11 (345) NAS-Port = 4211 (345) State = 0x0141131104460af2159d1101103ebc16 (345) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (345) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (345) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (345) Calling-Station-Id = "22-e0-73-f2-50-23" (345) Airespace-Wlan-Id = 98 (345) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (345) WLAN-Group-Cipher = 1027076 (345) WLAN-Pairwise-Cipher = 1027076 (345) WLAN-AKM-Suite = 1027075 (345) Restoring &session-state (345) &session-state:Framed-MTU = 1014 (345) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (345) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (345) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (345) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (345) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (345) # Executing section authorize from file /etc/freeradius/sites-enabled/default (345) authorize { (345) policy rewrite_called_station_id { (345) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (345) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (345) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (345) update request { (345) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (345) --> 60-B9-C0-04-C4-40 (345) &Called-Station-Id := 60-B9-C0-04-C4-40 (345) } # update request = noop (345) if ("%{8}") { (345) EXPAND %{8} (345) --> eduroam (345) if ("%{8}") -> TRUE (345) if ("%{8}") { (345) update request { (345) EXPAND %{8} (345) --> eduroam (345) &Called-Station-SSID := eduroam (345) EXPAND %{Called-Station-Id}:%{8} (345) --> 60-B9-C0-04-C4-40:eduroam (345) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (345) } # update request = noop (345) } # if ("%{8}") = noop (345) [updated] = updated (345) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (345) ... skipping else: Preceding "if" was taken (345) } # policy rewrite_called_station_id = updated (345) policy rewrite_calling_station_id { (345) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (345) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (345) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (345) update request { (345) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (345) --> 22-E0-73-F2-50-23 (345) &Calling-Station-Id := 22-E0-73-F2-50-23 (345) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (345) --> 22:E0:73:F2:50:23 (345) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (345) } # update request = noop (345) [updated] = updated (345) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (345) ... skipping else: Preceding "if" was taken (345) } # policy rewrite_calling_station_id = updated (345) if (NAS-Identifier == "uvisrz0215.insel.ch") { (345) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (345) if (Service-Type == Call-Check) { (345) if (Service-Type == Call-Check) -> FALSE (345) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (345) EXPAND Packet-Src-IP-Address (345) --> 130.92.42.15 (345) EXPAND Packet-Src-IP-Address (345) --> 130.92.42.15 (345) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (345) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (345) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (345) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (345) if (EAP-Message) { (345) if (EAP-Message) -> TRUE (345) if (EAP-Message) { (345) policy filter_username { (345) if (&User-Name) { (345) if (&User-Name) -> TRUE (345) if (&User-Name) { (345) if (&User-Name =~ / /) { (345) if (&User-Name =~ / /) -> FALSE (345) if (&User-Name =~ /@[^@]*@/ ) { (345) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (345) if (&User-Name =~ /\.\./ ) { (345) if (&User-Name =~ /\.\./ ) -> FALSE (345) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (345) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (345) if (&User-Name =~ /\.$/) { (345) if (&User-Name =~ /\.$/) -> FALSE (345) if (&User-Name =~ /@\./) { (345) if (&User-Name =~ /@\./) -> FALSE (345) } # if (&User-Name) = updated (345) } # policy filter_username = updated (345) suffix: Checking for suffix after "@" (345) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (345) suffix: Found realm "REALM.COM" (345) suffix: Adding Realm = "REALM.COM" (345) suffix: Authentication realm is LOCAL (345) [suffix] = ok (345) policy deny_no_realm { (345) if (User-Name && (User-Name !~ /@/)) { (345) if (User-Name && (User-Name !~ /@/)) -> FALSE (345) } # policy deny_no_realm = updated (345) update request { (345) EXPAND %{toupper:%{Realm}} (345) --> REALM.COM (345) Realm := REALM.COM (345) } # update request = noop (345) eap: Peer sent EAP Response (code 2) ID 7 length 136 (345) eap: Continuing tunnel setup (345) [eap] = ok (345) } # if (EAP-Message) = ok (345) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (345) } # authorize = updated (345) Found Auth-Type = eap (345) # Executing group from file /etc/freeradius/sites-enabled/default (345) Auth-Type eap { (345) eap: Removing EAP session with state 0x0141131104460af2 (345) eap: Previous EAP request found for state 0x0141131104460af2, released from the list (345) eap: Peer sent packet with method EAP PEAP (25) (345) eap: Calling submodule eap_peap to process data (345) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes (345) eap_peap: (TLS) EAP Got all data (126 bytes) (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (345) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec (345) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished (345) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec (345) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished (345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished (345) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully (345) eap_peap: (TLS) PEAP - Connection Established (345) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (345) eap_peap: TLS-Session-Version = "TLS 1.2" (345) eap: Sending EAP Request (code 1) ID 8 length 57 (345) eap: EAP session adding &reply:State = 0x0141131107490af2 (345) [eap] = handled (345) if (handled && (Response-Packet-Type == Access-Challenge)) { (345) EXPAND Response-Packet-Type (345) --> Access-Challenge (345) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (345) if (handled && (Response-Packet-Type == Access-Challenge)) { (345) attr_filter.access_challenge: EXPAND %{User-Name} (345) attr_filter.access_challenge: --> xyz@realm.com (345) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (345) [attr_filter.access_challenge.post-auth] = updated (345) [handled] = handled (345) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (345) } # Auth-Type eap = handled (345) Using Post-Auth-Type Challenge (345) Post-Auth-Type sub-section not found. Ignoring. (345) # Executing group from file /etc/freeradius/sites-enabled/default (345) session-state: Saving cached attributes (345) Framed-MTU = 1014 (345) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (345) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (345) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (345) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (345) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (345) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (345) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (345) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (345) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (345) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (345) TLS-Session-Version = "TLS 1.2" (345) Sent Access-Challenge Id 231 from 130.92.10.33:1812 to 130.92.42.15:60533 length 115 (345) EAP-Message = 0x01080039190014030300010116030300288d6a1785e1a19b35bff8fec8a4a31fbf0d467203a7ab9d2d33327214fc49606596ea813ecf081d92 (345) Message-Authenticator = 0x00000000000000000000000000000000 (345) State = 0x0141131107490af2159d1101103ebc16 (345) Finished request Waking up in 4.9 seconds. (346) Received Access-Request Id 239 from 130.92.42.15:60533 to 130.92.10.33:1812 length 441 (346) User-Name = "xyz@realm.com" (346) Service-Type = Framed-User (346) Cisco-AVPair = "service-type=Framed" (346) Framed-MTU = 1485 (346) EAP-Message = 0x020800061900 (346) Message-Authenticator = 0x12c8eb6838048f2a905991bcda9d9973 (346) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (346) Cisco-AVPair = "method=dot1x" (346) Cisco-AVPair = "client-iif-id=2499807523" (346) Cisco-AVPair = "vlan-id=1876" (346) NAS-IP-Address = 130.92.42.15 (346) NAS-Port-Type = Wireless-802.11 (346) NAS-Port = 4211 (346) State = 0x0141131107490af2159d1101103ebc16 (346) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (346) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (346) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (346) Calling-Station-Id = "22-e0-73-f2-50-23" (346) Airespace-Wlan-Id = 98 (346) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (346) WLAN-Group-Cipher = 1027076 (346) WLAN-Pairwise-Cipher = 1027076 (346) WLAN-AKM-Suite = 1027075 (346) Restoring &session-state (346) &session-state:Framed-MTU = 1014 (346) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (346) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (346) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (346) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (346) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (346) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (346) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (346) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (346) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (346) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (346) &session-state:TLS-Session-Version = "TLS 1.2" (346) # Executing section authorize from file /etc/freeradius/sites-enabled/default (346) authorize { (346) policy rewrite_called_station_id { (346) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (346) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (346) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (346) update request { (346) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (346) --> 60-B9-C0-04-C4-40 (346) &Called-Station-Id := 60-B9-C0-04-C4-40 (346) } # update request = noop (346) if ("%{8}") { (346) EXPAND %{8} (346) --> eduroam (346) if ("%{8}") -> TRUE (346) if ("%{8}") { (346) update request { (346) EXPAND %{8} (346) --> eduroam (346) &Called-Station-SSID := eduroam (346) EXPAND %{Called-Station-Id}:%{8} (346) --> 60-B9-C0-04-C4-40:eduroam (346) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (346) } # update request = noop (346) } # if ("%{8}") = noop (346) [updated] = updated (346) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (346) ... skipping else: Preceding "if" was taken (346) } # policy rewrite_called_station_id = updated (346) policy rewrite_calling_station_id { (346) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (346) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (346) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (346) update request { (346) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (346) --> 22-E0-73-F2-50-23 (346) &Calling-Station-Id := 22-E0-73-F2-50-23 (346) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (346) --> 22:E0:73:F2:50:23 (346) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (346) } # update request = noop (346) [updated] = updated (346) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (346) ... skipping else: Preceding "if" was taken (346) } # policy rewrite_calling_station_id = updated (346) if (NAS-Identifier == "uvisrz0215.insel.ch") { (346) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (346) if (Service-Type == Call-Check) { (346) if (Service-Type == Call-Check) -> FALSE (346) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (346) EXPAND Packet-Src-IP-Address (346) --> 130.92.42.15 (346) EXPAND Packet-Src-IP-Address (346) --> 130.92.42.15 (346) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (346) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (346) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (346) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (346) if (EAP-Message) { (346) if (EAP-Message) -> TRUE (346) if (EAP-Message) { (346) policy filter_username { (346) if (&User-Name) { (346) if (&User-Name) -> TRUE (346) if (&User-Name) { (346) if (&User-Name =~ / /) { (346) if (&User-Name =~ / /) -> FALSE (346) if (&User-Name =~ /@[^@]*@/ ) { (346) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (346) if (&User-Name =~ /\.\./ ) { (346) if (&User-Name =~ /\.\./ ) -> FALSE (346) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (346) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (346) if (&User-Name =~ /\.$/) { (346) if (&User-Name =~ /\.$/) -> FALSE (346) if (&User-Name =~ /@\./) { (346) if (&User-Name =~ /@\./) -> FALSE (346) } # if (&User-Name) = updated (346) } # policy filter_username = updated (346) suffix: Checking for suffix after "@" (346) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (346) suffix: Found realm "REALM.COM" (346) suffix: Adding Realm = "REALM.COM" (346) suffix: Authentication realm is LOCAL (346) [suffix] = ok (346) policy deny_no_realm { (346) if (User-Name && (User-Name !~ /@/)) { (346) if (User-Name && (User-Name !~ /@/)) -> FALSE (346) } # policy deny_no_realm = updated (346) update request { (346) EXPAND %{toupper:%{Realm}} (346) --> REALM.COM (346) Realm := REALM.COM (346) } # update request = noop (346) eap: Peer sent EAP Response (code 2) ID 8 length 6 (346) eap: Continuing tunnel setup (346) [eap] = ok (346) } # if (EAP-Message) = ok (346) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (346) } # authorize = updated (346) Found Auth-Type = eap (346) # Executing group from file /etc/freeradius/sites-enabled/default (346) Auth-Type eap { (346) eap: Removing EAP session with state 0x0141131107490af2 (346) eap: Previous EAP request found for state 0x0141131107490af2, released from the list (346) eap: Peer sent packet with method EAP PEAP (25) (346) eap: Calling submodule eap_peap to process data (346) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (346) eap_peap: Session established. Decoding tunneled attributes (346) eap_peap: PEAP state TUNNEL ESTABLISHED (346) eap: Sending EAP Request (code 1) ID 9 length 40 (346) eap: EAP session adding &reply:State = 0x0141131106480af2 (346) [eap] = handled (346) if (handled && (Response-Packet-Type == Access-Challenge)) { (346) EXPAND Response-Packet-Type (346) --> Access-Challenge (346) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (346) if (handled && (Response-Packet-Type == Access-Challenge)) { (346) attr_filter.access_challenge: EXPAND %{User-Name} (346) attr_filter.access_challenge: --> xyz@realm.com (346) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (346) [attr_filter.access_challenge.post-auth] = updated (346) [handled] = handled (346) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (346) } # Auth-Type eap = handled (346) Using Post-Auth-Type Challenge (346) Post-Auth-Type sub-section not found. Ignoring. (346) # Executing group from file /etc/freeradius/sites-enabled/default (346) session-state: Saving cached attributes (346) Framed-MTU = 1014 (346) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (346) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (346) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (346) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (346) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (346) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (346) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (346) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (346) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (346) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (346) TLS-Session-Version = "TLS 1.2" (346) Sent Access-Challenge Id 239 from 130.92.10.33:1812 to 130.92.42.15:60533 length 98 (346) EAP-Message = 0x010900281900170303001d8d6a1785e1a19b362ccd5b26197e5b168640ab6ed2e41351d039e42e6d (346) Message-Authenticator = 0x00000000000000000000000000000000 (346) State = 0x0141131106480af2159d1101103ebc16 (346) Finished request Waking up in 4.9 seconds. (347) Received Access-Request Id 247 from 130.92.42.15:60533 to 130.92.10.33:1812 length 495 (347) User-Name = "xyz@realm.com" (347) Service-Type = Framed-User (347) Cisco-AVPair = "service-type=Framed" (347) Framed-MTU = 1485 (347) EAP-Message = 0x0209003c190017030300319fbd8407fe6333bb244303616d5739594b13084b45f58810139d95bebfe0725dc0e87e9ce011682f4a68abecc457950423 (347) Message-Authenticator = 0xf21f9a5269c36daa7990d70408a1880d (347) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (347) Cisco-AVPair = "method=dot1x" (347) Cisco-AVPair = "client-iif-id=2499807523" (347) Cisco-AVPair = "vlan-id=1876" (347) NAS-IP-Address = 130.92.42.15 (347) NAS-Port-Type = Wireless-802.11 (347) NAS-Port = 4211 (347) State = 0x0141131106480af2159d1101103ebc16 (347) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (347) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (347) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (347) Calling-Station-Id = "22-e0-73-f2-50-23" (347) Airespace-Wlan-Id = 98 (347) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (347) WLAN-Group-Cipher = 1027076 (347) WLAN-Pairwise-Cipher = 1027076 (347) WLAN-AKM-Suite = 1027075 (347) Restoring &session-state (347) &session-state:Framed-MTU = 1014 (347) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (347) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (347) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (347) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (347) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (347) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (347) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (347) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (347) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (347) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (347) &session-state:TLS-Session-Version = "TLS 1.2" (347) # Executing section authorize from file /etc/freeradius/sites-enabled/default (347) authorize { (347) policy rewrite_called_station_id { (347) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (347) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (347) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (347) update request { (347) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (347) --> 60-B9-C0-04-C4-40 (347) &Called-Station-Id := 60-B9-C0-04-C4-40 (347) } # update request = noop (347) if ("%{8}") { (347) EXPAND %{8} (347) --> eduroam (347) if ("%{8}") -> TRUE (347) if ("%{8}") { (347) update request { (347) EXPAND %{8} (347) --> eduroam (347) &Called-Station-SSID := eduroam (347) EXPAND %{Called-Station-Id}:%{8} (347) --> 60-B9-C0-04-C4-40:eduroam (347) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (347) } # update request = noop (347) } # if ("%{8}") = noop (347) [updated] = updated (347) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (347) ... skipping else: Preceding "if" was taken (347) } # policy rewrite_called_station_id = updated (347) policy rewrite_calling_station_id { (347) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (347) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (347) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (347) update request { (347) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (347) --> 22-E0-73-F2-50-23 (347) &Calling-Station-Id := 22-E0-73-F2-50-23 (347) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (347) --> 22:E0:73:F2:50:23 (347) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (347) } # update request = noop (347) [updated] = updated (347) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (347) ... skipping else: Preceding "if" was taken (347) } # policy rewrite_calling_station_id = updated (347) if (NAS-Identifier == "uvisrz0215.insel.ch") { (347) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (347) if (Service-Type == Call-Check) { (347) if (Service-Type == Call-Check) -> FALSE (347) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (347) EXPAND Packet-Src-IP-Address (347) --> 130.92.42.15 (347) EXPAND Packet-Src-IP-Address (347) --> 130.92.42.15 (347) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (347) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (347) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (347) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (347) if (EAP-Message) { (347) if (EAP-Message) -> TRUE (347) if (EAP-Message) { (347) policy filter_username { (347) if (&User-Name) { (347) if (&User-Name) -> TRUE (347) if (&User-Name) { (347) if (&User-Name =~ / /) { (347) if (&User-Name =~ / /) -> FALSE (347) if (&User-Name =~ /@[^@]*@/ ) { (347) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (347) if (&User-Name =~ /\.\./ ) { (347) if (&User-Name =~ /\.\./ ) -> FALSE (347) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (347) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (347) if (&User-Name =~ /\.$/) { (347) if (&User-Name =~ /\.$/) -> FALSE (347) if (&User-Name =~ /@\./) { (347) if (&User-Name =~ /@\./) -> FALSE (347) } # if (&User-Name) = updated (347) } # policy filter_username = updated (347) suffix: Checking for suffix after "@" (347) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (347) suffix: Found realm "REALM.COM" (347) suffix: Adding Realm = "REALM.COM" (347) suffix: Authentication realm is LOCAL (347) [suffix] = ok (347) policy deny_no_realm { (347) if (User-Name && (User-Name !~ /@/)) { (347) if (User-Name && (User-Name !~ /@/)) -> FALSE (347) } # policy deny_no_realm = updated (347) update request { (347) EXPAND %{toupper:%{Realm}} (347) --> REALM.COM (347) Realm := REALM.COM (347) } # update request = noop (347) eap: Peer sent EAP Response (code 2) ID 9 length 60 (347) eap: Continuing tunnel setup (347) [eap] = ok (347) } # if (EAP-Message) = ok (347) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (347) } # authorize = updated (347) Found Auth-Type = eap (347) # Executing group from file /etc/freeradius/sites-enabled/default (347) Auth-Type eap { (347) eap: Removing EAP session with state 0x0141131106480af2 (347) eap: Previous EAP request found for state 0x0141131106480af2, released from the list (347) eap: Peer sent packet with method EAP PEAP (25) (347) eap: Calling submodule eap_peap to process data (347) eap_peap: (TLS) EAP Done initial handshake (347) eap_peap: Session established. Decoding tunneled attributes (347) eap_peap: PEAP state WAITING FOR INNER IDENTITY (347) eap_peap: Identity - xyz@realm.com (347) eap_peap: Got inner identity 'xyz@realm.com' (347) eap_peap: Setting default EAP type for tunneled EAP session (347) eap_peap: Got tunneled request (347) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (347) eap_peap: Setting User-Name to xyz@realm.com (347) eap_peap: Sending tunneled request to proxy-inner-tunnel (347) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (347) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (347) eap_peap: User-Name = "xyz@realm.com" (347) eap_peap: Service-Type = Framed-User (347) eap_peap: Cisco-AVPair = "service-type=Framed" (347) eap_peap: Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (347) eap_peap: Cisco-AVPair = "method=dot1x" (347) eap_peap: Cisco-AVPair = "client-iif-id=2499807523" (347) eap_peap: Cisco-AVPair = "vlan-id=1876" (347) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (347) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (347) eap_peap: Framed-MTU = 1485 (347) eap_peap: NAS-IP-Address = 130.92.42.15 (347) eap_peap: NAS-Port-Type = Wireless-802.11 (347) eap_peap: NAS-Port = 4211 (347) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (347) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23" (347) eap_peap: Airespace-Wlan-Id = 98 (347) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (347) eap_peap: WLAN-Group-Cipher = 1027076 (347) eap_peap: WLAN-Pairwise-Cipher = 1027076 (347) eap_peap: WLAN-AKM-Suite = 1027075 (347) Virtual server proxy-inner-tunnel received request (347) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (347) FreeRADIUS-Proxied-To = 127.0.0.1 (347) User-Name = "xyz@realm.com" (347) Service-Type = Framed-User (347) Cisco-AVPair = "service-type=Framed" (347) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (347) Cisco-AVPair = "method=dot1x" (347) Cisco-AVPair = "client-iif-id=2499807523" (347) Cisco-AVPair = "vlan-id=1876" (347) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (347) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (347) Framed-MTU = 1485 (347) NAS-IP-Address = 130.92.42.15 (347) NAS-Port-Type = Wireless-802.11 (347) NAS-Port = 4211 (347) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (347) Calling-Station-Id := "22-E0-73-F2-50-23" (347) Airespace-Wlan-Id = 98 (347) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (347) WLAN-Group-Cipher = 1027076 (347) WLAN-Pairwise-Cipher = 1027076 (347) WLAN-AKM-Suite = 1027075 (347) WARNING: Outer and inner identities are the same. User privacy is compromised. (347) server proxy-inner-tunnel { (347) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (347) authorize { (347) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (347) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (347) if (!NAS-Port-Type){ (347) if (!NAS-Port-Type) -> FALSE (347) update control { (347) &Proxy-To-Realm := REALM-NPS-DEV (347) } # update control = noop (347) } # authorize = noop (347) } # server proxy-inner-tunnel (347) Virtual server sending reply (347) eap_peap: Got tunneled reply code 0 (347) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (347) eap: WARNING: Tunneled session will be proxied. Not doing EAP (347) [eap] = handled (347) if (handled && (Response-Packet-Type == Access-Challenge)) { (347) EXPAND Response-Packet-Type (347) --> (347) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (347) } # Auth-Type eap = handled (347) Starting proxy to home server 130.92.14.27 port 1812 (347) server default { (347) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (347) pre-proxy { (347) attr_filter.pre-proxy: EXPAND %{Realm} (347) attr_filter.pre-proxy: --> REALM.COM (347) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (347) [attr_filter.pre-proxy] = updated (347) } # pre-proxy = updated (347) } (347) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (347) Sent Access-Request Id 91 from 0.0.0.0:37193 to 130.92.14.27:1812 length 196 (347) Operator-Name := "1realm.com" (347) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (347) User-Name = "xyz@realm.com" (347) NAS-IP-Address = 130.92.42.15 (347) NAS-Port-Type = Wireless-802.11 (347) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (347) Calling-Station-Id := "22-E0-73-F2-50-23" (347) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (347) Message-Authenticator = 0x (347) Proxy-State = 0x323437 Waking up in 0.3 seconds. (347) Clearing existing &reply: attributes (347) Received Access-Challenge Id 91 from 130.92.14.27:1812 to 130.92.10.33:37193 length 128 (347) Proxy-State = 0x323437 (347) Session-Timeout = 60 (347) EAP-Message = 0x010a00271a010a00221032f04e97ca648dea298bc54b39d784b74141492d4e50532d4544555632 (347) State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (347) Message-Authenticator = 0xaa8be9fdea2b630c7400322f91ea39ca (347) server default { (347) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (347) post-proxy { (347) attr_filter.post-proxy: EXPAND %{Realm} (347) attr_filter.post-proxy: --> REALM.COM (347) attr_filter.post-proxy: Matched entry REALM.COM at line 102 (347) [attr_filter.post-proxy] = updated (347) eap: Doing post-proxy callback (347) eap: Passing reply from proxy back into the tunnel (347) eap: Got tunneled reply RADIUS code 11 (347) eap: Tunnel-Type := VLAN (347) eap: Tunnel-Medium-Type := IEEE-802 (347) eap: Proxy-State = 0x323437 (347) eap: EAP-Message = 0x010a00271a010a00221032f04e97ca648dea298bc54b39d784b74141492d4e50532d4544555632 (347) eap: State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (347) eap: Message-Authenticator = 0xaa8be9fdea2b630c7400322f91ea39ca (347) eap: Got tunneled Access-Challenge (347) eap: Reply was handled (347) eap: Sending EAP Request (code 1) ID 10 length 70 (347) eap: EAP session adding &reply:State = 0x01411311094b0af2 (347) [eap] = ok (347) } # post-proxy = updated (347) } (347) session-state: Saving cached attributes (347) Framed-MTU = 1014 (347) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (347) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (347) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (347) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (347) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (347) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (347) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (347) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (347) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (347) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (347) TLS-Session-Version = "TLS 1.2" (347) Using Post-Auth-Type Challenge (347) Post-Auth-Type sub-section not found. Ignoring. (347) # Executing group from file /etc/freeradius/sites-enabled/default (347) Sent Access-Challenge Id 247 from 130.92.10.33:1812 to 130.92.42.15:60533 length 128 (347) EAP-Message = 0x010a00461900170303003b8d6a1785e1a19b37d483644693f104a84978c79786ed2017cad5c263338a244716a02d702b4c15fb010aa386a8a1fd7beabedc25d128d0afb3766c (347) Message-Authenticator = 0x00000000000000000000000000000000 (347) State = 0x01411311094b0af2159d1101103ebc16 (347) Finished request Waking up in 4.8 seconds. (348) Received Access-Request Id 255 from 130.92.42.15:60533 to 130.92.10.33:1812 length 549 (348) User-Name = "xyz@realm.com" (348) Service-Type = Framed-User (348) Cisco-AVPair = "service-type=Framed" (348) Framed-MTU = 1485 (348) EAP-Message = 0x020a0072190017030300679fbd8407fe6333bca7d44d76b3ef3a225ccf9afdd164fe3f7aca7a7d0792abb9534fccfd07c307bee27d438c8396764c73587b33e49063fb07b7d02e49397b5732d6f62ab9934ca0d4414429928983334962453caa57e0e30107e514cab265c4f4f195780b48d8 (348) Message-Authenticator = 0x25e0d4d954b8d943b65166834e832a36 (348) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (348) Cisco-AVPair = "method=dot1x" (348) Cisco-AVPair = "client-iif-id=2499807523" (348) Cisco-AVPair = "vlan-id=1876" (348) NAS-IP-Address = 130.92.42.15 (348) NAS-Port-Type = Wireless-802.11 (348) NAS-Port = 4211 (348) State = 0x01411311094b0af2159d1101103ebc16 (348) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (348) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (348) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (348) Calling-Station-Id = "22-e0-73-f2-50-23" (348) Airespace-Wlan-Id = 98 (348) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (348) WLAN-Group-Cipher = 1027076 (348) WLAN-Pairwise-Cipher = 1027076 (348) WLAN-AKM-Suite = 1027075 (348) session-state: No cached attributes (348) # Executing section authorize from file /etc/freeradius/sites-enabled/default (348) authorize { (348) policy rewrite_called_station_id { (348) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (348) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (348) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (348) update request { (348) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (348) --> 60-B9-C0-04-C4-40 (348) &Called-Station-Id := 60-B9-C0-04-C4-40 (348) } # update request = noop (348) if ("%{8}") { (348) EXPAND %{8} (348) --> eduroam (348) if ("%{8}") -> TRUE (348) if ("%{8}") { (348) update request { (348) EXPAND %{8} (348) --> eduroam (348) &Called-Station-SSID := eduroam (348) EXPAND %{Called-Station-Id}:%{8} (348) --> 60-B9-C0-04-C4-40:eduroam (348) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (348) } # update request = noop (348) } # if ("%{8}") = noop (348) [updated] = updated (348) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (348) ... skipping else: Preceding "if" was taken (348) } # policy rewrite_called_station_id = updated (348) policy rewrite_calling_station_id { (348) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (348) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (348) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (348) update request { (348) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (348) --> 22-E0-73-F2-50-23 (348) &Calling-Station-Id := 22-E0-73-F2-50-23 (348) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (348) --> 22:E0:73:F2:50:23 (348) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (348) } # update request = noop (348) [updated] = updated (348) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (348) ... skipping else: Preceding "if" was taken (348) } # policy rewrite_calling_station_id = updated (348) if (NAS-Identifier == "uvisrz0215.insel.ch") { (348) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (348) if (Service-Type == Call-Check) { (348) if (Service-Type == Call-Check) -> FALSE (348) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (348) EXPAND Packet-Src-IP-Address (348) --> 130.92.42.15 (348) EXPAND Packet-Src-IP-Address (348) --> 130.92.42.15 (348) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (348) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (348) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (348) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (348) if (EAP-Message) { (348) if (EAP-Message) -> TRUE (348) if (EAP-Message) { (348) policy filter_username { (348) if (&User-Name) { (348) if (&User-Name) -> TRUE (348) if (&User-Name) { (348) if (&User-Name =~ / /) { (348) if (&User-Name =~ / /) -> FALSE (348) if (&User-Name =~ /@[^@]*@/ ) { (348) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (348) if (&User-Name =~ /\.\./ ) { (348) if (&User-Name =~ /\.\./ ) -> FALSE (348) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (348) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (348) if (&User-Name =~ /\.$/) { (348) if (&User-Name =~ /\.$/) -> FALSE (348) if (&User-Name =~ /@\./) { (348) if (&User-Name =~ /@\./) -> FALSE (348) } # if (&User-Name) = updated (348) } # policy filter_username = updated (348) suffix: Checking for suffix after "@" (348) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (348) suffix: Found realm "REALM.COM" (348) suffix: Adding Realm = "REALM.COM" (348) suffix: Authentication realm is LOCAL (348) [suffix] = ok (348) policy deny_no_realm { (348) if (User-Name && (User-Name !~ /@/)) { (348) if (User-Name && (User-Name !~ /@/)) -> FALSE (348) } # policy deny_no_realm = updated (348) update request { (348) EXPAND %{toupper:%{Realm}} (348) --> REALM.COM (348) Realm := REALM.COM (348) } # update request = noop (348) eap: Peer sent EAP Response (code 2) ID 10 length 114 (348) eap: Continuing tunnel setup (348) [eap] = ok (348) } # if (EAP-Message) = ok (348) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (348) } # authorize = updated (348) Found Auth-Type = eap (348) # Executing group from file /etc/freeradius/sites-enabled/default (348) Auth-Type eap { (348) eap: Removing EAP session with state 0x01411311094b0af2 (348) eap: Previous EAP request found for state 0x01411311094b0af2, released from the list (348) eap: Peer sent packet with method EAP PEAP (25) (348) eap: Calling submodule eap_peap to process data (348) eap_peap: (TLS) EAP Done initial handshake (348) eap_peap: Session established. Decoding tunneled attributes (348) eap_peap: PEAP state phase2 (348) eap_peap: EAP method MSCHAPv2 (26) (348) eap_peap: Got tunneled request (348) eap_peap: EAP-Message = 0x020a00531a020a004e310d961707cae581d64e5fbe54214237cb0000000000000000f89f7589746337a97c26dd2f4e42764f3e8e3d829307316600646f6d696e69632e7374616c64657240756e6962652e6368 (348) eap_peap: Setting User-Name to xyz@realm.com (348) eap_peap: Sending tunneled request to proxy-inner-tunnel (348) eap_peap: EAP-Message = 0x020a00531a020a004e310d961707cae581d64e5fbe54214237cb0000000000000000f89f7589746337a97c26dd2f4e42764f3e8e3d829307316600646f6d696e69632e7374616c64657240756e6962652e6368 (348) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (348) eap_peap: User-Name = "xyz@realm.com" (348) eap_peap: State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (348) eap_peap: Service-Type = Framed-User (348) eap_peap: Cisco-AVPair = "service-type=Framed" (348) eap_peap: Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (348) eap_peap: Cisco-AVPair = "method=dot1x" (348) eap_peap: Cisco-AVPair = "client-iif-id=2499807523" (348) eap_peap: Cisco-AVPair = "vlan-id=1876" (348) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (348) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (348) eap_peap: Framed-MTU = 1485 (348) eap_peap: NAS-IP-Address = 130.92.42.15 (348) eap_peap: NAS-Port-Type = Wireless-802.11 (348) eap_peap: NAS-Port = 4211 (348) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (348) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23" (348) eap_peap: Airespace-Wlan-Id = 98 (348) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (348) eap_peap: WLAN-Group-Cipher = 1027076 (348) eap_peap: WLAN-Pairwise-Cipher = 1027076 (348) eap_peap: WLAN-AKM-Suite = 1027075 (348) Virtual server proxy-inner-tunnel received request (348) EAP-Message = 0x020a00531a020a004e310d961707cae581d64e5fbe54214237cb0000000000000000f89f7589746337a97c26dd2f4e42764f3e8e3d829307316600646f6d696e69632e7374616c64657240756e6962652e6368 (348) FreeRADIUS-Proxied-To = 127.0.0.1 (348) User-Name = "xyz@realm.com" (348) State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (348) Service-Type = Framed-User (348) Cisco-AVPair = "service-type=Framed" (348) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (348) Cisco-AVPair = "method=dot1x" (348) Cisco-AVPair = "client-iif-id=2499807523" (348) Cisco-AVPair = "vlan-id=1876" (348) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (348) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (348) Framed-MTU = 1485 (348) NAS-IP-Address = 130.92.42.15 (348) NAS-Port-Type = Wireless-802.11 (348) NAS-Port = 4211 (348) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (348) Calling-Station-Id := "22-E0-73-F2-50-23" (348) Airespace-Wlan-Id = 98 (348) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (348) WLAN-Group-Cipher = 1027076 (348) WLAN-Pairwise-Cipher = 1027076 (348) WLAN-AKM-Suite = 1027075 (348) WARNING: Outer and inner identities are the same. User privacy is compromised. (348) server proxy-inner-tunnel { (348) session-state: No cached attributes (348) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (348) authorize { (348) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (348) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (348) if (!NAS-Port-Type){ (348) if (!NAS-Port-Type) -> FALSE (348) update control { (348) &Proxy-To-Realm := REALM-NPS-DEV (348) } # update control = noop (348) } # authorize = noop (348) } # server proxy-inner-tunnel (348) Virtual server sending reply (348) eap_peap: Got tunneled reply code 0 (348) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (348) eap: WARNING: Tunneled session will be proxied. Not doing EAP (348) [eap] = handled (348) if (handled && (Response-Packet-Type == Access-Challenge)) { (348) EXPAND Response-Packet-Type (348) --> (348) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (348) } # Auth-Type eap = handled (348) Starting proxy to home server 130.92.14.27 port 1812 (348) server default { (348) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (348) pre-proxy { (348) attr_filter.pre-proxy: EXPAND %{Realm} (348) attr_filter.pre-proxy: --> REALM.COM (348) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (348) [attr_filter.pre-proxy] = updated (348) } # pre-proxy = updated (348) } (348) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (348) Sent Access-Request Id 92 from 0.0.0.0:37193 to 130.92.14.27:1812 length 288 (348) Operator-Name := "1realm.com" (348) EAP-Message = 0x020a00531a020a004e310d961707cae581d64e5fbe54214237cb0000000000000000f89f7589746337a97c26dd2f4e42764f3e8e3d829307316600646f6d696e69632e7374616c64657240756e6962652e6368 (348) User-Name = "xyz@realm.com" (348) State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (348) NAS-IP-Address = 130.92.42.15 (348) NAS-Port-Type = Wireless-802.11 (348) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (348) Calling-Station-Id := "22-E0-73-F2-50-23" (348) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (348) Message-Authenticator = 0x (348) Proxy-State = 0x323535 Waking up in 0.3 seconds. (348) Clearing existing &reply: attributes (348) Received Access-Challenge Id 92 from 130.92.14.27:1812 to 130.92.10.33:37193 length 140 (348) Proxy-State = 0x323535 (348) Session-Timeout = 60 (348) EAP-Message = 0x010b00331a030a002e533d37383335434645373334433338443739423442384342424437343139463043373744463844463443 (348) State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (348) Message-Authenticator = 0xf518d1ae53d8771e9e2f854b1cefcea4 (348) server default { (348) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (348) post-proxy { (348) attr_filter.post-proxy: EXPAND %{Realm} (348) attr_filter.post-proxy: --> REALM.COM (348) attr_filter.post-proxy: Matched entry REALM.COM at line 102 (348) [attr_filter.post-proxy] = updated (348) eap: Doing post-proxy callback (348) eap: Passing reply from proxy back into the tunnel (348) eap: Got tunneled reply RADIUS code 11 (348) eap: Tunnel-Type := VLAN (348) eap: Tunnel-Medium-Type := IEEE-802 (348) eap: Proxy-State = 0x323535 (348) eap: EAP-Message = 0x010b00331a030a002e533d37383335434645373334433338443739423442384342424437343139463043373744463844463443 (348) eap: State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (348) eap: Message-Authenticator = 0xf518d1ae53d8771e9e2f854b1cefcea4 (348) eap: Got tunneled Access-Challenge (348) eap: Reply was handled (348) eap: Sending EAP Request (code 1) ID 11 length 82 (348) eap: EAP session adding &reply:State = 0x01411311084a0af2 (348) [eap] = ok (348) } # post-proxy = updated (348) } (348) Using Post-Auth-Type Challenge (348) Post-Auth-Type sub-section not found. Ignoring. (348) # Executing group from file /etc/freeradius/sites-enabled/default (348) Sent Access-Challenge Id 255 from 130.92.10.33:1812 to 130.92.42.15:60533 length 140 (348) EAP-Message = 0x010b0052190017030300478d6a1785e1a19b384663d2dc91a1711cef1cb261daa2d4f19a156ca5f8155de69d5c25047974eebe1486ff1d7ad9a76afc7779361d7f5154712c2ec1f6e23de87e74b5a4458758 (348) Message-Authenticator = 0x00000000000000000000000000000000 (348) State = 0x01411311084a0af2159d1101103ebc16 (348) Finished request Waking up in 4.8 seconds. (349) Received Access-Request Id 7 from 130.92.42.15:60533 to 130.92.10.33:1812 length 472 (349) User-Name = "xyz@realm.com" (349) Service-Type = Framed-User (349) Cisco-AVPair = "service-type=Framed" (349) Framed-MTU = 1485 (349) EAP-Message = 0x020b00251900170303001a9fbd8407fe6333bdb6025139e3938bde3390d04c688d35ac81f6 (349) Message-Authenticator = 0xc8367c81169c032270223b7b0ea1ee2a (349) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (349) Cisco-AVPair = "method=dot1x" (349) Cisco-AVPair = "client-iif-id=2499807523" (349) Cisco-AVPair = "vlan-id=1876" (349) NAS-IP-Address = 130.92.42.15 (349) NAS-Port-Type = Wireless-802.11 (349) NAS-Port = 4211 (349) State = 0x01411311084a0af2159d1101103ebc16 (349) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (349) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (349) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (349) Calling-Station-Id = "22-e0-73-f2-50-23" (349) Airespace-Wlan-Id = 98 (349) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (349) WLAN-Group-Cipher = 1027076 (349) WLAN-Pairwise-Cipher = 1027076 (349) WLAN-AKM-Suite = 1027075 (349) session-state: No cached attributes (349) # Executing section authorize from file /etc/freeradius/sites-enabled/default (349) authorize { (349) policy rewrite_called_station_id { (349) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (349) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (349) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (349) update request { (349) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (349) --> 60-B9-C0-04-C4-40 (349) &Called-Station-Id := 60-B9-C0-04-C4-40 (349) } # update request = noop (349) if ("%{8}") { (349) EXPAND %{8} (349) --> eduroam (349) if ("%{8}") -> TRUE (349) if ("%{8}") { (349) update request { (349) EXPAND %{8} (349) --> eduroam (349) &Called-Station-SSID := eduroam (349) EXPAND %{Called-Station-Id}:%{8} (349) --> 60-B9-C0-04-C4-40:eduroam (349) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (349) } # update request = noop (349) } # if ("%{8}") = noop (349) [updated] = updated (349) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (349) ... skipping else: Preceding "if" was taken (349) } # policy rewrite_called_station_id = updated (349) policy rewrite_calling_station_id { (349) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (349) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (349) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (349) update request { (349) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (349) --> 22-E0-73-F2-50-23 (349) &Calling-Station-Id := 22-E0-73-F2-50-23 (349) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (349) --> 22:E0:73:F2:50:23 (349) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (349) } # update request = noop (349) [updated] = updated (349) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (349) ... skipping else: Preceding "if" was taken (349) } # policy rewrite_calling_station_id = updated (349) if (NAS-Identifier == "uvisrz0215.insel.ch") { (349) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (349) if (Service-Type == Call-Check) { (349) if (Service-Type == Call-Check) -> FALSE (349) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (349) EXPAND Packet-Src-IP-Address (349) --> 130.92.42.15 (349) EXPAND Packet-Src-IP-Address (349) --> 130.92.42.15 (349) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (349) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (349) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (349) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (349) if (EAP-Message) { (349) if (EAP-Message) -> TRUE (349) if (EAP-Message) { (349) policy filter_username { (349) if (&User-Name) { (349) if (&User-Name) -> TRUE (349) if (&User-Name) { (349) if (&User-Name =~ / /) { (349) if (&User-Name =~ / /) -> FALSE (349) if (&User-Name =~ /@[^@]*@/ ) { (349) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (349) if (&User-Name =~ /\.\./ ) { (349) if (&User-Name =~ /\.\./ ) -> FALSE (349) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (349) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (349) if (&User-Name =~ /\.$/) { (349) if (&User-Name =~ /\.$/) -> FALSE (349) if (&User-Name =~ /@\./) { (349) if (&User-Name =~ /@\./) -> FALSE (349) } # if (&User-Name) = updated (349) } # policy filter_username = updated (349) suffix: Checking for suffix after "@" (349) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (349) suffix: Found realm "REALM.COM" (349) suffix: Adding Realm = "REALM.COM" (349) suffix: Authentication realm is LOCAL (349) [suffix] = ok (349) policy deny_no_realm { (349) if (User-Name && (User-Name !~ /@/)) { (349) if (User-Name && (User-Name !~ /@/)) -> FALSE (349) } # policy deny_no_realm = updated (349) update request { (349) EXPAND %{toupper:%{Realm}} (349) --> REALM.COM (349) Realm := REALM.COM (349) } # update request = noop (349) eap: Peer sent EAP Response (code 2) ID 11 length 37 (349) eap: Continuing tunnel setup (349) [eap] = ok (349) } # if (EAP-Message) = ok (349) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (349) } # authorize = updated (349) Found Auth-Type = eap (349) # Executing group from file /etc/freeradius/sites-enabled/default (349) Auth-Type eap { (349) eap: Removing EAP session with state 0x01411311084a0af2 (349) eap: Previous EAP request found for state 0x01411311084a0af2, released from the list (349) eap: Peer sent packet with method EAP PEAP (25) (349) eap: Calling submodule eap_peap to process data (349) eap_peap: (TLS) EAP Done initial handshake (349) eap_peap: Session established. Decoding tunneled attributes (349) eap_peap: PEAP state phase2 (349) eap_peap: EAP method MSCHAPv2 (26) (349) eap_peap: Got tunneled request (349) eap_peap: EAP-Message = 0x020b00061a03 (349) eap_peap: Setting User-Name to xyz@realm.com (349) eap_peap: Sending tunneled request to proxy-inner-tunnel (349) eap_peap: EAP-Message = 0x020b00061a03 (349) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (349) eap_peap: User-Name = "xyz@realm.com" (349) eap_peap: State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (349) eap_peap: Service-Type = Framed-User (349) eap_peap: Cisco-AVPair = "service-type=Framed" (349) eap_peap: Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (349) eap_peap: Cisco-AVPair = "method=dot1x" (349) eap_peap: Cisco-AVPair = "client-iif-id=2499807523" (349) eap_peap: Cisco-AVPair = "vlan-id=1876" (349) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (349) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (349) eap_peap: Framed-MTU = 1485 (349) eap_peap: NAS-IP-Address = 130.92.42.15 (349) eap_peap: NAS-Port-Type = Wireless-802.11 (349) eap_peap: NAS-Port = 4211 (349) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (349) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23" (349) eap_peap: Airespace-Wlan-Id = 98 (349) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (349) eap_peap: WLAN-Group-Cipher = 1027076 (349) eap_peap: WLAN-Pairwise-Cipher = 1027076 (349) eap_peap: WLAN-AKM-Suite = 1027075 (349) Virtual server proxy-inner-tunnel received request (349) EAP-Message = 0x020b00061a03 (349) FreeRADIUS-Proxied-To = 127.0.0.1 (349) User-Name = "xyz@realm.com" (349) State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (349) Service-Type = Framed-User (349) Cisco-AVPair = "service-type=Framed" (349) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (349) Cisco-AVPair = "method=dot1x" (349) Cisco-AVPair = "client-iif-id=2499807523" (349) Cisco-AVPair = "vlan-id=1876" (349) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (349) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (349) Framed-MTU = 1485 (349) NAS-IP-Address = 130.92.42.15 (349) NAS-Port-Type = Wireless-802.11 (349) NAS-Port = 4211 (349) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (349) Calling-Station-Id := "22-E0-73-F2-50-23" (349) Airespace-Wlan-Id = 98 (349) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (349) WLAN-Group-Cipher = 1027076 (349) WLAN-Pairwise-Cipher = 1027076 (349) WLAN-AKM-Suite = 1027075 (349) WARNING: Outer and inner identities are the same. User privacy is compromised. (349) server proxy-inner-tunnel { (349) session-state: No cached attributes (349) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (349) authorize { (349) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (349) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (349) if (!NAS-Port-Type){ (349) if (!NAS-Port-Type) -> FALSE (349) update control { (349) &Proxy-To-Realm := REALM-NPS-DEV (349) } # update control = noop (349) } # authorize = noop (349) } # server proxy-inner-tunnel (349) Virtual server sending reply (349) eap_peap: Got tunneled reply code 0 (349) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (349) eap: WARNING: Tunneled session will be proxied. Not doing EAP (349) [eap] = handled (349) if (handled && (Response-Packet-Type == Access-Challenge)) { (349) EXPAND Response-Packet-Type (349) --> (349) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (349) } # Auth-Type eap = handled (349) Starting proxy to home server 130.92.14.27 port 1812 (349) server default { (349) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (349) pre-proxy { (349) attr_filter.pre-proxy: EXPAND %{Realm} (349) attr_filter.pre-proxy: --> REALM.COM (349) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (349) [attr_filter.pre-proxy] = updated (349) } # pre-proxy = updated (349) } (349) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (349) Sent Access-Request Id 93 from 0.0.0.0:37193 to 130.92.14.27:1812 length 209 (349) Operator-Name := "1realm.com" (349) EAP-Message = 0x020b00061a03 (349) User-Name = "xyz@realm.com" (349) State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549 (349) NAS-IP-Address = 130.92.42.15 (349) NAS-Port-Type = Wireless-802.11 (349) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (349) Calling-Station-Id := "22-E0-73-F2-50-23" (349) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (349) Message-Authenticator = 0x (349) Proxy-State = 0x37 Waking up in 0.3 seconds. (349) Clearing existing &reply: attributes (349) Received Access-Accept Id 93 from 130.92.14.27:1812 to 130.92.10.33:37193 length 287 (349) Proxy-State = 0x37 (349) Class = 0x7374616666 (349) Filter-Id = "staff" (349) Framed-Protocol = PPP (349) Service-Type = Framed-User (349) Tunnel-Medium-Type:0 = IEEE-802 (349) Tunnel-Private-Group-Id:0 = "1874" (349) Tunnel-Type:0 = VLAN (349) EAP-Message = 0x030b0004 (349) Class = 0x568605d30000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9601 (349) MS-CHAP-Domain = "\001CAMPUS" (349) MS-MPPE-Send-Key = 0xd687deeb2f77eb638babd3daa38b43f3 (349) MS-MPPE-Recv-Key = 0x9fa8f6207d3942e543a85d7ab15ac0ca (349) MS-CHAP2-Success = 0x01533d37383335434645373334433338443739423442384342424437343139463043373744463844463443 (349) Message-Authenticator = 0xeaadc26a981ab8b1ea5cb2b537eb0a18 (349) server default { (349) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (349) post-proxy { (349) attr_filter.post-proxy: EXPAND %{Realm} (349) attr_filter.post-proxy: --> REALM.COM (349) attr_filter.post-proxy: Matched entry REALM.COM at line 102 (349) [attr_filter.post-proxy] = updated (349) eap: Doing post-proxy callback (349) eap: Passing reply from proxy back into the tunnel (349) eap: Got tunneled reply RADIUS code 2 (349) eap: Tunnel-Type := VLAN (349) eap: Tunnel-Medium-Type := IEEE-802 (349) eap: Proxy-State = 0x37 (349) eap: Class = 0x7374616666 (349) eap: Filter-Id = "staff" (349) eap: Tunnel-Private-Group-Id:0 = "1874" (349) eap: EAP-Message = 0x030b0004 (349) eap: Class = 0x568605d30000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9601 (349) eap: MS-MPPE-Send-Key = 0xd687deeb2f77eb638babd3daa38b43f3 (349) eap: MS-MPPE-Recv-Key = 0x9fa8f6207d3942e543a85d7ab15ac0ca (349) eap: Message-Authenticator = 0xeaadc26a981ab8b1ea5cb2b537eb0a18 (349) eap: Tunneled authentication was successful (349) eap: SUCCESS (349) eap: Saving tunneled attributes for later (349) eap: Reply was handled (349) eap: Sending EAP Request (code 1) ID 12 length 46 (349) eap: EAP session adding &reply:State = 0x014113110b4d0af2 (349) [eap] = ok (349) } # post-proxy = updated (349) } (349) Using Post-Auth-Type Challenge (349) Post-Auth-Type sub-section not found. Ignoring. (349) # Executing group from file /etc/freeradius/sites-enabled/default (349) Sent Access-Challenge Id 7 from 130.92.10.33:1812 to 130.92.42.15:60533 length 104 (349) EAP-Message = 0x010c002e190017030300238d6a1785e1a19b39b83c8d767db1a51679cc1ecabf6acedb8a2758d5b5f3203674984e (349) Message-Authenticator = 0x00000000000000000000000000000000 (349) State = 0x014113110b4d0af2159d1101103ebc16 (349) Finished request Waking up in 4.8 seconds. (350) Received Access-Request Id 15 from 130.92.42.15:60533 to 130.92.10.33:1812 length 481 (350) User-Name = "xyz@realm.com" (350) Service-Type = Framed-User (350) Cisco-AVPair = "service-type=Framed" (350) Framed-MTU = 1485 (350) EAP-Message = 0x020c002e190017030300239fbd8407fe6333be27f0732df0c86c2ae6b5faef72ecb9b63dfaadc83292179e360244 (350) Message-Authenticator = 0x2cc88f99728922a86d6615ad0bd7525c (350) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58" (350) Cisco-AVPair = "method=dot1x" (350) Cisco-AVPair = "client-iif-id=2499807523" (350) Cisco-AVPair = "vlan-id=1876" (350) NAS-IP-Address = 130.92.42.15 (350) NAS-Port-Type = Wireless-802.11 (350) NAS-Port = 4211 (350) State = 0x014113110b4d0af2159d1101103ebc16 (350) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (350) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (350) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (350) Calling-Station-Id = "22-e0-73-f2-50-23" (350) Airespace-Wlan-Id = 98 (350) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (350) WLAN-Group-Cipher = 1027076 (350) WLAN-Pairwise-Cipher = 1027076 (350) WLAN-AKM-Suite = 1027075 (350) session-state: No cached attributes (350) # Executing section authorize from file /etc/freeradius/sites-enabled/default (350) authorize { (350) policy rewrite_called_station_id { (350) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (350) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (350) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (350) update request { (350) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (350) --> 60-B9-C0-04-C4-40 (350) &Called-Station-Id := 60-B9-C0-04-C4-40 (350) } # update request = noop (350) if ("%{8}") { (350) EXPAND %{8} (350) --> eduroam (350) if ("%{8}") -> TRUE (350) if ("%{8}") { (350) update request { (350) EXPAND %{8} (350) --> eduroam (350) &Called-Station-SSID := eduroam (350) EXPAND %{Called-Station-Id}:%{8} (350) --> 60-B9-C0-04-C4-40:eduroam (350) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (350) } # update request = noop (350) } # if ("%{8}") = noop (350) [updated] = updated (350) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (350) ... skipping else: Preceding "if" was taken (350) } # policy rewrite_called_station_id = updated (350) policy rewrite_calling_station_id { (350) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (350) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (350) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (350) update request { (350) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (350) --> 22-E0-73-F2-50-23 (350) &Calling-Station-Id := 22-E0-73-F2-50-23 (350) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (350) --> 22:E0:73:F2:50:23 (350) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (350) } # update request = noop (350) [updated] = updated (350) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (350) ... skipping else: Preceding "if" was taken (350) } # policy rewrite_calling_station_id = updated (350) if (NAS-Identifier == "uvisrz0215.insel.ch") { (350) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (350) if (Service-Type == Call-Check) { (350) if (Service-Type == Call-Check) -> FALSE (350) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (350) EXPAND Packet-Src-IP-Address (350) --> 130.92.42.15 (350) EXPAND Packet-Src-IP-Address (350) --> 130.92.42.15 (350) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (350) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (350) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (350) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (350) if (EAP-Message) { (350) if (EAP-Message) -> TRUE (350) if (EAP-Message) { (350) policy filter_username { (350) if (&User-Name) { (350) if (&User-Name) -> TRUE (350) if (&User-Name) { (350) if (&User-Name =~ / /) { (350) if (&User-Name =~ / /) -> FALSE (350) if (&User-Name =~ /@[^@]*@/ ) { (350) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (350) if (&User-Name =~ /\.\./ ) { (350) if (&User-Name =~ /\.\./ ) -> FALSE (350) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (350) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (350) if (&User-Name =~ /\.$/) { (350) if (&User-Name =~ /\.$/) -> FALSE (350) if (&User-Name =~ /@\./) { (350) if (&User-Name =~ /@\./) -> FALSE (350) } # if (&User-Name) = updated (350) } # policy filter_username = updated (350) suffix: Checking for suffix after "@" (350) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (350) suffix: Found realm "REALM.COM" (350) suffix: Adding Realm = "REALM.COM" (350) suffix: Authentication realm is LOCAL (350) [suffix] = ok (350) policy deny_no_realm { (350) if (User-Name && (User-Name !~ /@/)) { (350) if (User-Name && (User-Name !~ /@/)) -> FALSE (350) } # policy deny_no_realm = updated (350) update request { (350) EXPAND %{toupper:%{Realm}} (350) --> REALM.COM (350) Realm := REALM.COM (350) } # update request = noop (350) eap: Peer sent EAP Response (code 2) ID 12 length 46 (350) eap: Continuing tunnel setup (350) [eap] = ok (350) } # if (EAP-Message) = ok (350) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (350) } # authorize = updated (350) Found Auth-Type = eap (350) # Executing group from file /etc/freeradius/sites-enabled/default (350) Auth-Type eap { (350) eap: Removing EAP session with state 0x014113110b4d0af2 (350) eap: Previous EAP request found for state 0x014113110b4d0af2, released from the list (350) eap: Peer sent packet with method EAP PEAP (25) (350) eap: Calling submodule eap_peap to process data (350) eap_peap: (TLS) EAP Done initial handshake (350) eap_peap: Session established. Decoding tunneled attributes (350) eap_peap: PEAP state send tlv success (350) eap_peap: Received EAP-TLV response (350) eap_peap: Success (350) eap_peap: Using saved attributes from the original Access-Accept (350) eap_peap: Tunnel-Type := VLAN (350) eap_peap: Tunnel-Medium-Type := IEEE-802 (350) eap_peap: Class = 0x7374616666 (350) eap_peap: Filter-Id = "staff" (350) eap_peap: Tunnel-Private-Group-Id:0 = "1874" (350) eap_peap: Class = 0x568605d30000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9601 (350) eap: Sending EAP Success (code 3) ID 12 length 4 (350) eap: Freeing handler (350) [eap] = ok (350) if (handled && (Response-Packet-Type == Access-Challenge)) { (350) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (350) } # Auth-Type eap = ok (350) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (350) post-auth { (350) policy debug_all { (350) policy debug_control { (350) if ("%{debug_attr:control:}" == '') { (350) Attributes matching "control:" (350) &control:Auth-Type = eap (350) EXPAND %{debug_attr:control:} (350) --> (350) if ("%{debug_attr:control:}" == '') -> TRUE (350) if ("%{debug_attr:control:}" == '') { (350) [noop] = noop (350) } # if ("%{debug_attr:control:}" == '') = noop (350) } # policy debug_control = noop (350) policy debug_request { (350) if ("%{debug_attr:request:}" == '') { (350) Attributes matching "request:" (350) &request:User-Name = xyz@realm.com (350) &request:Service-Type = Framed-User (350) &request:Cisco-AVPair = service-type=Framed (350) &request:Framed-MTU = 1485 (350) &request:EAP-Message = 0x020c002e190017030300239fbd8407fe6333be27f0732df0c86c2ae6b5faef72ecb9b63dfaadc83292179e360244 (350) &request:Message-Authenticator = 0x2cc88f99728922a86d6615ad0bd7525c (350) &request:Cisco-AVPair = audit-session-id=142A5C820037733BC01D7C58 (350) &request:Cisco-AVPair = method=dot1x (350) &request:Cisco-AVPair = client-iif-id=2499807523 (350) &request:Cisco-AVPair = vlan-id=1876 (350) &request:NAS-IP-Address = 130.92.42.15 (350) &request:NAS-Port-Type = Wireless-802.11 (350) &request:NAS-Port = 4211 (350) &request:State = 0x014113110b4d0af2159d1101103ebc16 (350) &request:Cisco-AVPair = cisco-wlan-ssid=eduroam (350) &request:Cisco-AVPair = wlan-profile-name=eduroam-DEV (350) &request:Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (350) &request:Calling-Station-Id := 22-E0-73-F2-50-23 (350) &request:Airespace-Wlan-Id = 98 (350) &request:NAS-Identifier = 60-b9-c0-04-c4-40:eduroam (350) &request:WLAN-Group-Cipher = 1027076 (350) &request:WLAN-Pairwise-Cipher = 1027076 (350) &request:WLAN-AKM-Suite = 1027075 (350) &request:Called-Station-SSID := eduroam (350) &request:locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (350) &request:Realm := REALM.COM (350) &request:EAP-Type = PEAP (350) EXPAND %{debug_attr:request:} (350) --> (350) if ("%{debug_attr:request:}" == '') -> TRUE (350) if ("%{debug_attr:request:}" == '') { (350) [noop] = noop (350) } # if ("%{debug_attr:request:}" == '') = noop (350) } # policy debug_request = noop (350) policy debug_coa { (350) if ("%{debug_attr:coa:}" == '') { (350) Attributes matching "coa:" (350) WARNING: List "coa" is not available (350) EXPAND %{debug_attr:coa:} (350) --> (350) if ("%{debug_attr:coa:}" == '') -> TRUE (350) if ("%{debug_attr:coa:}" == '') { (350) [noop] = noop (350) } # if ("%{debug_attr:coa:}" == '') = noop (350) } # policy debug_coa = noop (350) policy debug_reply { (350) if ("%{debug_attr:reply:}" == '') { (350) Attributes matching "reply:" (350) &reply:Tunnel-Type:-128 := VLAN (350) &reply:Tunnel-Medium-Type:-128 := IEEE-802 (350) &reply:Class = 0x7374616666 (350) &reply:Filter-Id = staff (350) &reply:Tunnel-Private-Group-Id:0 = 1874 (350) &reply:Class = 0x568605d30000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9601 (350) &reply:MS-MPPE-Recv-Key = 0x30de94917d8e20cc27f44672a6f87fbb2196e8fd25f350356e6f5afe6d404ac5 (350) &reply:MS-MPPE-Send-Key = 0x65b71e153439623a162abad3bb04ce3ea34d1116d2c3524d0f8680d6aa6e93a9 (350) &reply:EAP-MSK = 0x30de94917d8e20cc27f44672a6f87fbb2196e8fd25f350356e6f5afe6d404ac565b71e153439623a162abad3bb04ce3ea34d1116d2c3524d0f8680d6aa6e93a9 (350) &reply:EAP-EMSK = 0x2700c8fa3f3c22ec78878753bbf46ce60a211bc408dc33d44079d7dccd51489c9d10b38d2e6a303da3766e1e2b7e38ec4b6e4b344c6be00360f6ae6b255b4236 (350) &reply:EAP-Session-Id = 0x19675c30ff6a9b0b902f1e931a2758f15aa27a75704f9760726e5c03da301ba848c6f0abbfc21ebae81584415260a08bae7625b694abcfc744444f574e47524401 (350) &reply:EAP-Message = 0x030c0004 (350) &reply:Message-Authenticator = 0x00000000000000000000000000000000 (350) &reply:User-Name = xyz@realm.com (350) EXPAND %{debug_attr:reply:} (350) --> (350) if ("%{debug_attr:reply:}" == '') -> TRUE (350) if ("%{debug_attr:reply:}" == '') { (350) [noop] = noop (350) } # if ("%{debug_attr:reply:}" == '') = noop (350) } # policy debug_reply = noop (350) policy debug_session_state { (350) if ("%{debug_attr:session-state:}" == '') { (350) Attributes matching "session-state:" (350) EXPAND %{debug_attr:session-state:} (350) --> (350) if ("%{debug_attr:session-state:}" == '') -> TRUE (350) if ("%{debug_attr:session-state:}" == '') { (350) [noop] = noop (350) } # if ("%{debug_attr:session-state:}" == '') = noop (350) } # policy debug_session_state = noop (350) } # policy debug_all = noop (350) update { (350) No attributes updated for RHS &session-state (350) } # update = noop (350) if (Service-Type == Call-Check) { (350) if (Service-Type == Call-Check) -> FALSE (350) else { (350) 802.1x_auth_log: EXPAND %t : AuthZ: (%I) %{reply:Packet-Type}: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown}) (350) 802.1x_auth_log: --> Fri Dec 13 14:05:04 2024 : AuthZ: (15) Access-Accept: [xyz@realm.com] TLS-Version=NULL TLS-Ciphers=NULL SSID=eduroam Calling-Station-Id=22-E0-73-F2-50-23 Called-Station-Id=60-B9-C0-04-C4-40:eduroam Filter-ID=staff VLAN=1874 Class=0x7374616666 (from client xyz.wifi.realm.com port 4211 operator-name Unknown) (350) 802.1x_auth_log: EXPAND /var/log/freeradius/802.1x_auth.log (350) 802.1x_auth_log: --> /var/log/freeradius/802.1x_auth.log (350) [802.1x_auth_log] = ok (350) } # else = ok (350) policy remove_reply_message_if_eap { (350) if (&reply:EAP-Message && &reply:Reply-Message) { (350) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (350) else { (350) [noop] = noop (350) } # else = noop (350) } # policy remove_reply_message_if_eap = noop (350) } # post-auth = ok (350) Login OK: [xyz@realm.com] (from client xyz.wifi.realm.com port 4211 cli 22-E0-73-F2-50-23) (350) Sent Access-Accept Id 15 from 130.92.10.33:1812 to 130.92.42.15:60533 length 264 (350) Tunnel-Type := VLAN (350) Tunnel-Medium-Type := IEEE-802 (350) Class = 0x7374616666 (350) Filter-Id = "staff" (350) Tunnel-Private-Group-Id:0 = "1874" (350) Class = 0x568605d30000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9601 (350) MS-MPPE-Recv-Key = 0x30de94917d8e20cc27f44672a6f87fbb2196e8fd25f350356e6f5afe6d404ac5 (350) MS-MPPE-Send-Key = 0x65b71e153439623a162abad3bb04ce3ea34d1116d2c3524d0f8680d6aa6e93a9 (350) EAP-Message = 0x030c0004 (350) Message-Authenticator = 0x00000000000000000000000000000000 (350) User-Name = "xyz@realm.com" (350) Finished request Waking up in 4.8 seconds. (351) Received Access-Request Id 23 from 130.92.42.15:60533 to 130.92.10.33:1812 length 445 (351) User-Name = "xyz@realm.com" (351) Service-Type = Framed-User (351) Cisco-AVPair = "service-type=Framed" (351) Framed-MTU = 1485 (351) EAP-Message = 0x0201001d01646f6d696e69632e7374616c64657240756e6962652e6368 (351) Message-Authenticator = 0x2933cb4d659e4203d7e8cbc1e21e548d (351) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (351) Cisco-AVPair = "method=dot1x" (351) Cisco-AVPair = "client-iif-id=201332865" (351) Cisco-AVPair = "vlan-id=1876" (351) NAS-IP-Address = 130.92.42.15 (351) NAS-Port-Type = Wireless-802.11 (351) NAS-Port = 4211 (351) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (351) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (351) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (351) Calling-Station-Id = "22-e0-73-f2-50-23" (351) Airespace-Wlan-Id = 98 (351) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (351) WLAN-Group-Cipher = 1027076 (351) WLAN-Pairwise-Cipher = 1027076 (351) WLAN-AKM-Suite = 1027075 (351) # Executing section authorize from file /etc/freeradius/sites-enabled/default (351) authorize { (351) policy rewrite_called_station_id { (351) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (351) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (351) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (351) update request { (351) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (351) --> 60-B9-C0-04-C4-40 (351) &Called-Station-Id := 60-B9-C0-04-C4-40 (351) } # update request = noop (351) if ("%{8}") { (351) EXPAND %{8} (351) --> eduroam (351) if ("%{8}") -> TRUE (351) if ("%{8}") { (351) update request { (351) EXPAND %{8} (351) --> eduroam (351) &Called-Station-SSID := eduroam (351) EXPAND %{Called-Station-Id}:%{8} (351) --> 60-B9-C0-04-C4-40:eduroam (351) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (351) } # update request = noop (351) } # if ("%{8}") = noop (351) [updated] = updated (351) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (351) ... skipping else: Preceding "if" was taken (351) } # policy rewrite_called_station_id = updated (351) policy rewrite_calling_station_id { (351) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (351) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (351) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (351) update request { (351) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (351) --> 22-E0-73-F2-50-23 (351) &Calling-Station-Id := 22-E0-73-F2-50-23 (351) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (351) --> 22:E0:73:F2:50:23 (351) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (351) } # update request = noop (351) [updated] = updated (351) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (351) ... skipping else: Preceding "if" was taken (351) } # policy rewrite_calling_station_id = updated (351) if (NAS-Identifier == "uvisrz0215.insel.ch") { (351) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (351) if (Service-Type == Call-Check) { (351) if (Service-Type == Call-Check) -> FALSE (351) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (351) EXPAND Packet-Src-IP-Address (351) --> 130.92.42.15 (351) EXPAND Packet-Src-IP-Address (351) --> 130.92.42.15 (351) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (351) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (351) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (351) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (351) if (EAP-Message) { (351) if (EAP-Message) -> TRUE (351) if (EAP-Message) { (351) policy filter_username { (351) if (&User-Name) { (351) if (&User-Name) -> TRUE (351) if (&User-Name) { (351) if (&User-Name =~ / /) { (351) if (&User-Name =~ / /) -> FALSE (351) if (&User-Name =~ /@[^@]*@/ ) { (351) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (351) if (&User-Name =~ /\.\./ ) { (351) if (&User-Name =~ /\.\./ ) -> FALSE (351) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (351) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (351) if (&User-Name =~ /\.$/) { (351) if (&User-Name =~ /\.$/) -> FALSE (351) if (&User-Name =~ /@\./) { (351) if (&User-Name =~ /@\./) -> FALSE (351) } # if (&User-Name) = updated (351) } # policy filter_username = updated (351) suffix: Checking for suffix after "@" (351) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (351) suffix: Found realm "REALM.COM" (351) suffix: Adding Realm = "REALM.COM" (351) suffix: Authentication realm is LOCAL (351) [suffix] = ok (351) policy deny_no_realm { (351) if (User-Name && (User-Name !~ /@/)) { (351) if (User-Name && (User-Name !~ /@/)) -> FALSE (351) } # policy deny_no_realm = updated (351) update request { (351) EXPAND %{toupper:%{Realm}} (351) --> REALM.COM (351) Realm := REALM.COM (351) } # update request = noop (351) eap: Peer sent EAP Response (code 2) ID 1 length 29 (351) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (351) [eap] = ok (351) } # if (EAP-Message) = ok (351) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (351) } # authorize = updated (351) Found Auth-Type = eap (351) # Executing group from file /etc/freeradius/sites-enabled/default (351) Auth-Type eap { (351) eap: Peer sent packet with method EAP Identity (1) (351) eap: Calling submodule eap_peap to process data (351) eap_peap: (TLS) PEAP -Initiating new session (351) eap: Sending EAP Request (code 1) ID 2 length 6 (351) eap: EAP session adding &reply:State = 0xceec9f67ceee86c2 (351) [eap] = handled (351) if (handled && (Response-Packet-Type == Access-Challenge)) { (351) EXPAND Response-Packet-Type (351) --> Access-Challenge (351) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (351) if (handled && (Response-Packet-Type == Access-Challenge)) { (351) attr_filter.access_challenge: EXPAND %{User-Name} (351) attr_filter.access_challenge: --> xyz@realm.com (351) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (351) [attr_filter.access_challenge.post-auth] = updated (351) [handled] = handled (351) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (351) } # Auth-Type eap = handled (351) Using Post-Auth-Type Challenge (351) Post-Auth-Type sub-section not found. Ignoring. (351) # Executing group from file /etc/freeradius/sites-enabled/default (351) session-state: Saving cached attributes (351) Framed-MTU = 1014 (351) Sent Access-Challenge Id 23 from 130.92.10.33:1812 to 130.92.42.15:60533 length 64 (351) EAP-Message = 0x010200061920 (351) Message-Authenticator = 0x00000000000000000000000000000000 (351) State = 0xceec9f67ceee86c299469da09cee92a1 (351) Finished request Waking up in 3.9 seconds. (352) Received Access-Request Id 31 from 130.92.42.15:60533 to 130.92.10.33:1812 length 595 (352) User-Name = "xyz@realm.com" (352) Service-Type = Framed-User (352) Cisco-AVPair = "service-type=Framed" (352) Framed-MTU = 1485 (352) EAP-Message = 0x020200a119800000009716030100920100008e0303675c3100dd1c7cdf9f74db6337b13313e75950e07ca8a60ec8a656c84cedb59700002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000 (352) Message-Authenticator = 0xd7069ec703e1171145ae6fb6ecf1d5a8 (352) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (352) Cisco-AVPair = "method=dot1x" (352) Cisco-AVPair = "client-iif-id=201332865" (352) Cisco-AVPair = "vlan-id=1876" (352) NAS-IP-Address = 130.92.42.15 (352) NAS-Port-Type = Wireless-802.11 (352) NAS-Port = 4211 (352) State = 0xceec9f67ceee86c299469da09cee92a1 (352) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (352) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (352) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (352) Calling-Station-Id = "22-e0-73-f2-50-23" (352) Airespace-Wlan-Id = 98 (352) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (352) WLAN-Group-Cipher = 1027076 (352) WLAN-Pairwise-Cipher = 1027076 (352) WLAN-AKM-Suite = 1027075 (352) Restoring &session-state (352) &session-state:Framed-MTU = 1014 (352) # Executing section authorize from file /etc/freeradius/sites-enabled/default (352) authorize { (352) policy rewrite_called_station_id { (352) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (352) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (352) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (352) update request { (352) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (352) --> 60-B9-C0-04-C4-40 (352) &Called-Station-Id := 60-B9-C0-04-C4-40 (352) } # update request = noop (352) if ("%{8}") { (352) EXPAND %{8} (352) --> eduroam (352) if ("%{8}") -> TRUE (352) if ("%{8}") { (352) update request { (352) EXPAND %{8} (352) --> eduroam (352) &Called-Station-SSID := eduroam (352) EXPAND %{Called-Station-Id}:%{8} (352) --> 60-B9-C0-04-C4-40:eduroam (352) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (352) } # update request = noop (352) } # if ("%{8}") = noop (352) [updated] = updated (352) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (352) ... skipping else: Preceding "if" was taken (352) } # policy rewrite_called_station_id = updated (352) policy rewrite_calling_station_id { (352) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (352) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (352) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (352) update request { (352) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (352) --> 22-E0-73-F2-50-23 (352) &Calling-Station-Id := 22-E0-73-F2-50-23 (352) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (352) --> 22:E0:73:F2:50:23 (352) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (352) } # update request = noop (352) [updated] = updated (352) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (352) ... skipping else: Preceding "if" was taken (352) } # policy rewrite_calling_station_id = updated (352) if (NAS-Identifier == "uvisrz0215.insel.ch") { (352) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (352) if (Service-Type == Call-Check) { (352) if (Service-Type == Call-Check) -> FALSE (352) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (352) EXPAND Packet-Src-IP-Address (352) --> 130.92.42.15 (352) EXPAND Packet-Src-IP-Address (352) --> 130.92.42.15 (352) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (352) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (352) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (352) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (352) if (EAP-Message) { (352) if (EAP-Message) -> TRUE (352) if (EAP-Message) { (352) policy filter_username { (352) if (&User-Name) { (352) if (&User-Name) -> TRUE (352) if (&User-Name) { (352) if (&User-Name =~ / /) { (352) if (&User-Name =~ / /) -> FALSE (352) if (&User-Name =~ /@[^@]*@/ ) { (352) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (352) if (&User-Name =~ /\.\./ ) { (352) if (&User-Name =~ /\.\./ ) -> FALSE (352) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (352) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (352) if (&User-Name =~ /\.$/) { (352) if (&User-Name =~ /\.$/) -> FALSE (352) if (&User-Name =~ /@\./) { (352) if (&User-Name =~ /@\./) -> FALSE (352) } # if (&User-Name) = updated (352) } # policy filter_username = updated (352) suffix: Checking for suffix after "@" (352) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (352) suffix: Found realm "REALM.COM" (352) suffix: Adding Realm = "REALM.COM" (352) suffix: Authentication realm is LOCAL (352) [suffix] = ok (352) policy deny_no_realm { (352) if (User-Name && (User-Name !~ /@/)) { (352) if (User-Name && (User-Name !~ /@/)) -> FALSE (352) } # policy deny_no_realm = updated (352) update request { (352) EXPAND %{toupper:%{Realm}} (352) --> REALM.COM (352) Realm := REALM.COM (352) } # update request = noop (352) eap: Peer sent EAP Response (code 2) ID 2 length 161 (352) eap: Continuing tunnel setup (352) [eap] = ok (352) } # if (EAP-Message) = ok (352) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (352) } # authorize = updated (352) Found Auth-Type = eap (352) # Executing group from file /etc/freeradius/sites-enabled/default (352) Auth-Type eap { (352) eap: Removing EAP session with state 0xceec9f67ceee86c2 (352) eap: Previous EAP request found for state 0xceec9f67ceee86c2, released from the list (352) eap: Peer sent packet with method EAP PEAP (25) (352) eap: Calling submodule eap_peap to process data (352) eap_peap: (TLS) EAP Peer says that the final record size will be 151 bytes (352) eap_peap: (TLS) EAP Got all data (151 bytes) (352) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization (352) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (352) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (352) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello (352) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello (352) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello (352) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello (352) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate (352) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate (352) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange (352) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange (352) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone (352) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (352) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done (352) eap_peap: (TLS) PEAP - In Handshake Phase (352) eap: Sending EAP Request (code 1) ID 3 length 1024 (352) eap: EAP session adding &reply:State = 0xceec9f67cfef86c2 (352) [eap] = handled (352) if (handled && (Response-Packet-Type == Access-Challenge)) { (352) EXPAND Response-Packet-Type (352) --> Access-Challenge (352) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (352) if (handled && (Response-Packet-Type == Access-Challenge)) { (352) attr_filter.access_challenge: EXPAND %{User-Name} (352) attr_filter.access_challenge: --> xyz@realm.com (352) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (352) [attr_filter.access_challenge.post-auth] = updated (352) [handled] = handled (352) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (352) } # Auth-Type eap = handled (352) Using Post-Auth-Type Challenge (352) Post-Auth-Type sub-section not found. Ignoring. (352) # Executing group from file /etc/freeradius/sites-enabled/default (352) session-state: Saving cached attributes (352) Framed-MTU = 1014 (352) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (352) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (352) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (352) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (352) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (352) Sent Access-Challenge Id 31 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1090 (352) EAP-Message = 0x0103040019c000001135160303003d020000390303a19642b1ba520223bc61e483ac418e3f44e0800ee85d2526444f574e4752440100c030000011ff01000100000b000403000102001700001603030f930b000f8f000f8c0007253082072130820609a003020102021006387c8dc0feba6f5f4a0c47e7c561cd300d06092a864886f70d01010b05003059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c532052534120534841323536203230323020434131301e170d3234303532393030303030305a170d3235303532383233353935395a305f310b3009060355040613024348310d300b060355040813044265726e310d300b060355040713044265726e311b3019060355040a1312556e6976657273697479206f66204265726e311530130603550403130c6161692e756e6962652e636830820122300d06092a864886f70d01010105 (352) Message-Authenticator = 0x00000000000000000000000000000000 (352) State = 0xceec9f67cfef86c299469da09cee92a1 (352) Finished request Waking up in 3.9 seconds. (353) Received Access-Request Id 39 from 130.92.42.15:60533 to 130.92.10.33:1812 length 440 (353) User-Name = "xyz@realm.com" (353) Service-Type = Framed-User (353) Cisco-AVPair = "service-type=Framed" (353) Framed-MTU = 1485 (353) EAP-Message = 0x020300061900 (353) Message-Authenticator = 0xf3796f124c3546a4fff1a4495bc4bc3c (353) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (353) Cisco-AVPair = "method=dot1x" (353) Cisco-AVPair = "client-iif-id=201332865" (353) Cisco-AVPair = "vlan-id=1876" (353) NAS-IP-Address = 130.92.42.15 (353) NAS-Port-Type = Wireless-802.11 (353) NAS-Port = 4211 (353) State = 0xceec9f67cfef86c299469da09cee92a1 (353) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (353) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (353) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (353) Calling-Station-Id = "22-e0-73-f2-50-23" (353) Airespace-Wlan-Id = 98 (353) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (353) WLAN-Group-Cipher = 1027076 (353) WLAN-Pairwise-Cipher = 1027076 (353) WLAN-AKM-Suite = 1027075 (353) Restoring &session-state (353) &session-state:Framed-MTU = 1014 (353) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (353) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (353) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (353) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (353) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (353) # Executing section authorize from file /etc/freeradius/sites-enabled/default (353) authorize { (353) policy rewrite_called_station_id { (353) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (353) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (353) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (353) update request { (353) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (353) --> 60-B9-C0-04-C4-40 (353) &Called-Station-Id := 60-B9-C0-04-C4-40 (353) } # update request = noop (353) if ("%{8}") { (353) EXPAND %{8} (353) --> eduroam (353) if ("%{8}") -> TRUE (353) if ("%{8}") { (353) update request { (353) EXPAND %{8} (353) --> eduroam (353) &Called-Station-SSID := eduroam (353) EXPAND %{Called-Station-Id}:%{8} (353) --> 60-B9-C0-04-C4-40:eduroam (353) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (353) } # update request = noop (353) } # if ("%{8}") = noop (353) [updated] = updated (353) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (353) ... skipping else: Preceding "if" was taken (353) } # policy rewrite_called_station_id = updated (353) policy rewrite_calling_station_id { (353) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (353) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (353) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (353) update request { (353) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (353) --> 22-E0-73-F2-50-23 (353) &Calling-Station-Id := 22-E0-73-F2-50-23 (353) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (353) --> 22:E0:73:F2:50:23 (353) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (353) } # update request = noop (353) [updated] = updated (353) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (353) ... skipping else: Preceding "if" was taken (353) } # policy rewrite_calling_station_id = updated (353) if (NAS-Identifier == "uvisrz0215.insel.ch") { (353) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (353) if (Service-Type == Call-Check) { (353) if (Service-Type == Call-Check) -> FALSE (353) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (353) EXPAND Packet-Src-IP-Address (353) --> 130.92.42.15 (353) EXPAND Packet-Src-IP-Address (353) --> 130.92.42.15 (353) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (353) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (353) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (353) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (353) if (EAP-Message) { (353) if (EAP-Message) -> TRUE (353) if (EAP-Message) { (353) policy filter_username { (353) if (&User-Name) { (353) if (&User-Name) -> TRUE (353) if (&User-Name) { (353) if (&User-Name =~ / /) { (353) if (&User-Name =~ / /) -> FALSE (353) if (&User-Name =~ /@[^@]*@/ ) { (353) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (353) if (&User-Name =~ /\.\./ ) { (353) if (&User-Name =~ /\.\./ ) -> FALSE (353) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (353) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (353) if (&User-Name =~ /\.$/) { (353) if (&User-Name =~ /\.$/) -> FALSE (353) if (&User-Name =~ /@\./) { (353) if (&User-Name =~ /@\./) -> FALSE (353) } # if (&User-Name) = updated (353) } # policy filter_username = updated (353) suffix: Checking for suffix after "@" (353) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (353) suffix: Found realm "REALM.COM" (353) suffix: Adding Realm = "REALM.COM" (353) suffix: Authentication realm is LOCAL (353) [suffix] = ok (353) policy deny_no_realm { (353) if (User-Name && (User-Name !~ /@/)) { (353) if (User-Name && (User-Name !~ /@/)) -> FALSE (353) } # policy deny_no_realm = updated (353) update request { (353) EXPAND %{toupper:%{Realm}} (353) --> REALM.COM (353) Realm := REALM.COM (353) } # update request = noop (353) eap: Peer sent EAP Response (code 2) ID 3 length 6 (353) eap: Continuing tunnel setup (353) [eap] = ok (353) } # if (EAP-Message) = ok (353) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (353) } # authorize = updated (353) Found Auth-Type = eap (353) # Executing group from file /etc/freeradius/sites-enabled/default (353) Auth-Type eap { (353) eap: Removing EAP session with state 0xceec9f67cfef86c2 (353) eap: Previous EAP request found for state 0xceec9f67cfef86c2, released from the list (353) eap: Peer sent packet with method EAP PEAP (25) (353) eap: Calling submodule eap_peap to process data (353) eap_peap: (TLS) Peer ACKed our handshake fragment (353) eap: Sending EAP Request (code 1) ID 4 length 1020 (353) eap: EAP session adding &reply:State = 0xceec9f67cce886c2 (353) [eap] = handled (353) if (handled && (Response-Packet-Type == Access-Challenge)) { (353) EXPAND Response-Packet-Type (353) --> Access-Challenge (353) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (353) if (handled && (Response-Packet-Type == Access-Challenge)) { (353) attr_filter.access_challenge: EXPAND %{User-Name} (353) attr_filter.access_challenge: --> xyz@realm.com (353) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (353) [attr_filter.access_challenge.post-auth] = updated (353) [handled] = handled (353) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (353) } # Auth-Type eap = handled (353) Using Post-Auth-Type Challenge (353) Post-Auth-Type sub-section not found. Ignoring. (353) # Executing group from file /etc/freeradius/sites-enabled/default (353) session-state: Saving cached attributes (353) Framed-MTU = 1014 (353) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (353) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (353) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (353) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (353) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (353) Sent Access-Challenge Id 39 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1086 (353) EAP-Message = 0x010403fc1940312d312e63726c3048a046a0448642687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e63726c30818706082b06010505070101047b3079302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305106082b060105050730028645687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e637274300c0603551d130101ff040230003082017f060a2b06010401d6790204020482016f0482016b01690077004e75a3275c9a10c3385b6cd4df3f52eb1df0e08e1b8d69c0b1fa64b1629a39df0000018fc49a2e690000040300483046022100c3703d534899e5150ee51285759f020d6d69574d1db223e7a6fba90105e34a98022100a96786ea2924a95667b25b5efae9fb8e9b5e2b8494 (353) Message-Authenticator = 0x00000000000000000000000000000000 (353) State = 0xceec9f67cce886c299469da09cee92a1 (353) Finished request Waking up in 3.9 seconds. (354) Received Access-Request Id 47 from 130.92.42.15:60533 to 130.92.10.33:1812 length 440 (354) User-Name = "xyz@realm.com" (354) Service-Type = Framed-User (354) Cisco-AVPair = "service-type=Framed" (354) Framed-MTU = 1485 (354) EAP-Message = 0x020400061900 (354) Message-Authenticator = 0xb510334983626c4527fe4b7d8fce100f (354) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (354) Cisco-AVPair = "method=dot1x" (354) Cisco-AVPair = "client-iif-id=201332865" (354) Cisco-AVPair = "vlan-id=1876" (354) NAS-IP-Address = 130.92.42.15 (354) NAS-Port-Type = Wireless-802.11 (354) NAS-Port = 4211 (354) State = 0xceec9f67cce886c299469da09cee92a1 (354) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (354) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (354) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (354) Calling-Station-Id = "22-e0-73-f2-50-23" (354) Airespace-Wlan-Id = 98 (354) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (354) WLAN-Group-Cipher = 1027076 (354) WLAN-Pairwise-Cipher = 1027076 (354) WLAN-AKM-Suite = 1027075 (354) Restoring &session-state (354) &session-state:Framed-MTU = 1014 (354) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (354) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (354) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (354) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (354) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (354) # Executing section authorize from file /etc/freeradius/sites-enabled/default (354) authorize { (354) policy rewrite_called_station_id { (354) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (354) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (354) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (354) update request { (354) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (354) --> 60-B9-C0-04-C4-40 (354) &Called-Station-Id := 60-B9-C0-04-C4-40 (354) } # update request = noop (354) if ("%{8}") { (354) EXPAND %{8} (354) --> eduroam (354) if ("%{8}") -> TRUE (354) if ("%{8}") { (354) update request { (354) EXPAND %{8} (354) --> eduroam (354) &Called-Station-SSID := eduroam (354) EXPAND %{Called-Station-Id}:%{8} (354) --> 60-B9-C0-04-C4-40:eduroam (354) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (354) } # update request = noop (354) } # if ("%{8}") = noop (354) [updated] = updated (354) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (354) ... skipping else: Preceding "if" was taken (354) } # policy rewrite_called_station_id = updated (354) policy rewrite_calling_station_id { (354) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (354) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (354) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (354) update request { (354) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (354) --> 22-E0-73-F2-50-23 (354) &Calling-Station-Id := 22-E0-73-F2-50-23 (354) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (354) --> 22:E0:73:F2:50:23 (354) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (354) } # update request = noop (354) [updated] = updated (354) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (354) ... skipping else: Preceding "if" was taken (354) } # policy rewrite_calling_station_id = updated (354) if (NAS-Identifier == "uvisrz0215.insel.ch") { (354) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (354) if (Service-Type == Call-Check) { (354) if (Service-Type == Call-Check) -> FALSE (354) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (354) EXPAND Packet-Src-IP-Address (354) --> 130.92.42.15 (354) EXPAND Packet-Src-IP-Address (354) --> 130.92.42.15 (354) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (354) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (354) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (354) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (354) if (EAP-Message) { (354) if (EAP-Message) -> TRUE (354) if (EAP-Message) { (354) policy filter_username { (354) if (&User-Name) { (354) if (&User-Name) -> TRUE (354) if (&User-Name) { (354) if (&User-Name =~ / /) { (354) if (&User-Name =~ / /) -> FALSE (354) if (&User-Name =~ /@[^@]*@/ ) { (354) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (354) if (&User-Name =~ /\.\./ ) { (354) if (&User-Name =~ /\.\./ ) -> FALSE (354) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (354) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (354) if (&User-Name =~ /\.$/) { (354) if (&User-Name =~ /\.$/) -> FALSE (354) if (&User-Name =~ /@\./) { (354) if (&User-Name =~ /@\./) -> FALSE (354) } # if (&User-Name) = updated (354) } # policy filter_username = updated (354) suffix: Checking for suffix after "@" (354) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (354) suffix: Found realm "REALM.COM" (354) suffix: Adding Realm = "REALM.COM" (354) suffix: Authentication realm is LOCAL (354) [suffix] = ok (354) policy deny_no_realm { (354) if (User-Name && (User-Name !~ /@/)) { (354) if (User-Name && (User-Name !~ /@/)) -> FALSE (354) } # policy deny_no_realm = updated (354) update request { (354) EXPAND %{toupper:%{Realm}} (354) --> REALM.COM (354) Realm := REALM.COM (354) } # update request = noop (354) eap: Peer sent EAP Response (code 2) ID 4 length 6 (354) eap: Continuing tunnel setup (354) [eap] = ok (354) } # if (EAP-Message) = ok (354) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (354) } # authorize = updated (354) Found Auth-Type = eap (354) # Executing group from file /etc/freeradius/sites-enabled/default (354) Auth-Type eap { (354) eap: Removing EAP session with state 0xceec9f67cce886c2 (354) eap: Previous EAP request found for state 0xceec9f67cce886c2, released from the list (354) eap: Peer sent packet with method EAP PEAP (25) (354) eap: Calling submodule eap_peap to process data (354) eap_peap: (TLS) Peer ACKed our handshake fragment (354) eap: Sending EAP Request (code 1) ID 5 length 1020 (354) eap: EAP session adding &reply:State = 0xceec9f67cde986c2 (354) [eap] = handled (354) if (handled && (Response-Packet-Type == Access-Challenge)) { (354) EXPAND Response-Packet-Type (354) --> Access-Challenge (354) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (354) if (handled && (Response-Packet-Type == Access-Challenge)) { (354) attr_filter.access_challenge: EXPAND %{User-Name} (354) attr_filter.access_challenge: --> xyz@realm.com (354) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (354) [attr_filter.access_challenge.post-auth] = updated (354) [handled] = handled (354) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (354) } # Auth-Type eap = handled (354) Using Post-Auth-Type Challenge (354) Post-Auth-Type sub-section not found. Ignoring. (354) # Executing group from file /etc/freeradius/sites-enabled/default (354) session-state: Saving cached attributes (354) Framed-MTU = 1014 (354) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (354) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (354) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (354) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (354) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (354) Sent Access-Challenge Id 47 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1086 (354) EAP-Message = 0x010503fc194006035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3231303333303030303030305a170d3331303332393233353935395a3059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100ccf710624fa6bb636fed905256c56d277b7a12568af1f4f9d6e7e18fbd95abf260411570db1200fa270ab557385b7db2519371950e6a41945b351bfa7bfabbc5be2430fe56efc4f37d97e314f5144dcba710f216eaab22f031221161699026ba78d9971fe37d66ab75449573c8acffef5d0a8a5943e1acb23a0ff348fcd76b37c163dcde46d6db45fe7d23fd90e851071e51a35fed4946547f2c88c5f4139c97153c03e8a139dc690c32c1af16574c9447427ca2c89c7d (354) Message-Authenticator = 0x00000000000000000000000000000000 (354) State = 0xceec9f67cde986c299469da09cee92a1 (354) Finished request Waking up in 3.8 seconds. (355) Received Access-Request Id 55 from 130.92.42.15:60533 to 130.92.10.33:1812 length 440 (355) User-Name = "xyz@realm.com" (355) Service-Type = Framed-User (355) Cisco-AVPair = "service-type=Framed" (355) Framed-MTU = 1485 (355) EAP-Message = 0x020500061900 (355) Message-Authenticator = 0x8e81bbf2bf5fb1fbc216fcb932dee869 (355) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (355) Cisco-AVPair = "method=dot1x" (355) Cisco-AVPair = "client-iif-id=201332865" (355) Cisco-AVPair = "vlan-id=1876" (355) NAS-IP-Address = 130.92.42.15 (355) NAS-Port-Type = Wireless-802.11 (355) NAS-Port = 4211 (355) State = 0xceec9f67cde986c299469da09cee92a1 (355) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (355) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (355) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (355) Calling-Station-Id = "22-e0-73-f2-50-23" (355) Airespace-Wlan-Id = 98 (355) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (355) WLAN-Group-Cipher = 1027076 (355) WLAN-Pairwise-Cipher = 1027076 (355) WLAN-AKM-Suite = 1027075 (355) Restoring &session-state (355) &session-state:Framed-MTU = 1014 (355) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (355) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (355) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (355) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (355) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (355) # Executing section authorize from file /etc/freeradius/sites-enabled/default (355) authorize { (355) policy rewrite_called_station_id { (355) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (355) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (355) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (355) update request { (355) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (355) --> 60-B9-C0-04-C4-40 (355) &Called-Station-Id := 60-B9-C0-04-C4-40 (355) } # update request = noop (355) if ("%{8}") { (355) EXPAND %{8} (355) --> eduroam (355) if ("%{8}") -> TRUE (355) if ("%{8}") { (355) update request { (355) EXPAND %{8} (355) --> eduroam (355) &Called-Station-SSID := eduroam (355) EXPAND %{Called-Station-Id}:%{8} (355) --> 60-B9-C0-04-C4-40:eduroam (355) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (355) } # update request = noop (355) } # if ("%{8}") = noop (355) [updated] = updated (355) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (355) ... skipping else: Preceding "if" was taken (355) } # policy rewrite_called_station_id = updated (355) policy rewrite_calling_station_id { (355) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (355) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (355) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (355) update request { (355) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (355) --> 22-E0-73-F2-50-23 (355) &Calling-Station-Id := 22-E0-73-F2-50-23 (355) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (355) --> 22:E0:73:F2:50:23 (355) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (355) } # update request = noop (355) [updated] = updated (355) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (355) ... skipping else: Preceding "if" was taken (355) } # policy rewrite_calling_station_id = updated (355) if (NAS-Identifier == "uvisrz0215.insel.ch") { (355) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (355) if (Service-Type == Call-Check) { (355) if (Service-Type == Call-Check) -> FALSE (355) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (355) EXPAND Packet-Src-IP-Address (355) --> 130.92.42.15 (355) EXPAND Packet-Src-IP-Address (355) --> 130.92.42.15 (355) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (355) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (355) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (355) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (355) if (EAP-Message) { (355) if (EAP-Message) -> TRUE (355) if (EAP-Message) { (355) policy filter_username { (355) if (&User-Name) { (355) if (&User-Name) -> TRUE (355) if (&User-Name) { (355) if (&User-Name =~ / /) { (355) if (&User-Name =~ / /) -> FALSE (355) if (&User-Name =~ /@[^@]*@/ ) { (355) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (355) if (&User-Name =~ /\.\./ ) { (355) if (&User-Name =~ /\.\./ ) -> FALSE (355) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (355) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (355) if (&User-Name =~ /\.$/) { (355) if (&User-Name =~ /\.$/) -> FALSE (355) if (&User-Name =~ /@\./) { (355) if (&User-Name =~ /@\./) -> FALSE (355) } # if (&User-Name) = updated (355) } # policy filter_username = updated (355) suffix: Checking for suffix after "@" (355) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (355) suffix: Found realm "REALM.COM" (355) suffix: Adding Realm = "REALM.COM" (355) suffix: Authentication realm is LOCAL (355) [suffix] = ok (355) policy deny_no_realm { (355) if (User-Name && (User-Name !~ /@/)) { (355) if (User-Name && (User-Name !~ /@/)) -> FALSE (355) } # policy deny_no_realm = updated (355) update request { (355) EXPAND %{toupper:%{Realm}} (355) --> REALM.COM (355) Realm := REALM.COM (355) } # update request = noop (355) eap: Peer sent EAP Response (code 2) ID 5 length 6 (355) eap: Continuing tunnel setup (355) [eap] = ok (355) } # if (EAP-Message) = ok (355) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (355) } # authorize = updated (355) Found Auth-Type = eap (355) # Executing group from file /etc/freeradius/sites-enabled/default (355) Auth-Type eap { (355) eap: Removing EAP session with state 0xceec9f67cde986c2 (355) eap: Previous EAP request found for state 0xceec9f67cde986c2, released from the list (355) eap: Peer sent packet with method EAP PEAP (25) (355) eap: Calling submodule eap_peap to process data (355) eap_peap: (TLS) Peer ACKed our handshake fragment (355) eap: Sending EAP Request (code 1) ID 6 length 1020 (355) eap: EAP session adding &reply:State = 0xceec9f67caea86c2 (355) [eap] = handled (355) if (handled && (Response-Packet-Type == Access-Challenge)) { (355) EXPAND Response-Packet-Type (355) --> Access-Challenge (355) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (355) if (handled && (Response-Packet-Type == Access-Challenge)) { (355) attr_filter.access_challenge: EXPAND %{User-Name} (355) attr_filter.access_challenge: --> xyz@realm.com (355) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (355) [attr_filter.access_challenge.post-auth] = updated (355) [handled] = handled (355) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (355) } # Auth-Type eap = handled (355) Using Post-Auth-Type Challenge (355) Post-Auth-Type sub-section not found. Ignoring. (355) # Executing group from file /etc/freeradius/sites-enabled/default (355) session-state: Saving cached attributes (355) Framed-MTU = 1014 (355) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (355) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (355) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (355) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (355) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (355) Sent Access-Challenge Id 55 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1086 (355) EAP-Message = 0x010603fc1940c6278481d47e8c8ca39b52e7c688ec377c2afbf0555a387210d80013cf4c73dbaa3735a82981699c76bcde187b90d4cacfef6703fd045a2116b1ffea3fdfdc82f5ebf45992230d242a95254ccaa191e6d4b7ac8774b3f16da399dbf9d5bd84409f07980003923082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f6261 (355) Message-Authenticator = 0x00000000000000000000000000000000 (355) State = 0xceec9f67caea86c299469da09cee92a1 (355) Finished request Waking up in 3.8 seconds. (356) Received Access-Request Id 63 from 130.92.42.15:60533 to 130.92.10.33:1812 length 440 (356) User-Name = "xyz@realm.com" (356) Service-Type = Framed-User (356) Cisco-AVPair = "service-type=Framed" (356) Framed-MTU = 1485 (356) EAP-Message = 0x020600061900 (356) Message-Authenticator = 0xc44289330177ed5b3c4d95479193adc0 (356) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (356) Cisco-AVPair = "method=dot1x" (356) Cisco-AVPair = "client-iif-id=201332865" (356) Cisco-AVPair = "vlan-id=1876" (356) NAS-IP-Address = 130.92.42.15 (356) NAS-Port-Type = Wireless-802.11 (356) NAS-Port = 4211 (356) State = 0xceec9f67caea86c299469da09cee92a1 (356) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (356) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (356) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (356) Calling-Station-Id = "22-e0-73-f2-50-23" (356) Airespace-Wlan-Id = 98 (356) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (356) WLAN-Group-Cipher = 1027076 (356) WLAN-Pairwise-Cipher = 1027076 (356) WLAN-AKM-Suite = 1027075 (356) Restoring &session-state (356) &session-state:Framed-MTU = 1014 (356) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (356) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (356) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (356) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (356) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (356) # Executing section authorize from file /etc/freeradius/sites-enabled/default (356) authorize { (356) policy rewrite_called_station_id { (356) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (356) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (356) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (356) update request { (356) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (356) --> 60-B9-C0-04-C4-40 (356) &Called-Station-Id := 60-B9-C0-04-C4-40 (356) } # update request = noop (356) if ("%{8}") { (356) EXPAND %{8} (356) --> eduroam (356) if ("%{8}") -> TRUE (356) if ("%{8}") { (356) update request { (356) EXPAND %{8} (356) --> eduroam (356) &Called-Station-SSID := eduroam (356) EXPAND %{Called-Station-Id}:%{8} (356) --> 60-B9-C0-04-C4-40:eduroam (356) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (356) } # update request = noop (356) } # if ("%{8}") = noop (356) [updated] = updated (356) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (356) ... skipping else: Preceding "if" was taken (356) } # policy rewrite_called_station_id = updated (356) policy rewrite_calling_station_id { (356) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (356) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (356) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (356) update request { (356) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (356) --> 22-E0-73-F2-50-23 (356) &Calling-Station-Id := 22-E0-73-F2-50-23 (356) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (356) --> 22:E0:73:F2:50:23 (356) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (356) } # update request = noop (356) [updated] = updated (356) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (356) ... skipping else: Preceding "if" was taken (356) } # policy rewrite_calling_station_id = updated (356) if (NAS-Identifier == "uvisrz0215.insel.ch") { (356) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (356) if (Service-Type == Call-Check) { (356) if (Service-Type == Call-Check) -> FALSE (356) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (356) EXPAND Packet-Src-IP-Address (356) --> 130.92.42.15 (356) EXPAND Packet-Src-IP-Address (356) --> 130.92.42.15 (356) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (356) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (356) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (356) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (356) if (EAP-Message) { (356) if (EAP-Message) -> TRUE (356) if (EAP-Message) { (356) policy filter_username { (356) if (&User-Name) { (356) if (&User-Name) -> TRUE (356) if (&User-Name) { (356) if (&User-Name =~ / /) { (356) if (&User-Name =~ / /) -> FALSE (356) if (&User-Name =~ /@[^@]*@/ ) { (356) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (356) if (&User-Name =~ /\.\./ ) { (356) if (&User-Name =~ /\.\./ ) -> FALSE (356) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (356) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (356) if (&User-Name =~ /\.$/) { (356) if (&User-Name =~ /\.$/) -> FALSE (356) if (&User-Name =~ /@\./) { (356) if (&User-Name =~ /@\./) -> FALSE (356) } # if (&User-Name) = updated (356) } # policy filter_username = updated (356) suffix: Checking for suffix after "@" (356) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (356) suffix: Found realm "REALM.COM" (356) suffix: Adding Realm = "REALM.COM" (356) suffix: Authentication realm is LOCAL (356) [suffix] = ok (356) policy deny_no_realm { (356) if (User-Name && (User-Name !~ /@/)) { (356) if (User-Name && (User-Name !~ /@/)) -> FALSE (356) } # policy deny_no_realm = updated (356) update request { (356) EXPAND %{toupper:%{Realm}} (356) --> REALM.COM (356) Realm := REALM.COM (356) } # update request = noop (356) eap: Peer sent EAP Response (code 2) ID 6 length 6 (356) eap: Continuing tunnel setup (356) [eap] = ok (356) } # if (EAP-Message) = ok (356) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (356) } # authorize = updated (356) Found Auth-Type = eap (356) # Executing group from file /etc/freeradius/sites-enabled/default (356) Auth-Type eap { (356) eap: Removing EAP session with state 0xceec9f67caea86c2 (356) eap: Previous EAP request found for state 0xceec9f67caea86c2, released from the list (356) eap: Peer sent packet with method EAP PEAP (25) (356) eap: Calling submodule eap_peap to process data (356) eap_peap: (TLS) Peer ACKed our handshake fragment (356) eap: Sending EAP Request (code 1) ID 7 length 355 (356) eap: EAP session adding &reply:State = 0xceec9f67cbeb86c2 (356) [eap] = handled (356) if (handled && (Response-Packet-Type == Access-Challenge)) { (356) EXPAND Response-Packet-Type (356) --> Access-Challenge (356) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (356) if (handled && (Response-Packet-Type == Access-Challenge)) { (356) attr_filter.access_challenge: EXPAND %{User-Name} (356) attr_filter.access_challenge: --> xyz@realm.com (356) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (356) [attr_filter.access_challenge.post-auth] = updated (356) [handled] = handled (356) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (356) } # Auth-Type eap = handled (356) Using Post-Auth-Type Challenge (356) Post-Auth-Type sub-section not found. Ignoring. (356) # Executing group from file /etc/freeradius/sites-enabled/default (356) session-state: Saving cached attributes (356) Framed-MTU = 1014 (356) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (356) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (356) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (356) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (356) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (356) Sent Access-Challenge Id 63 from 130.92.10.33:1812 to 130.92.42.15:60533 length 415 (356) EAP-Message = 0x01070163190032b6160303014d0c0001490300174104fd6e5579656e70bface3d2b6d7664dca8778ee606beca867cc96cbfeba740a9811c4088d3f08e679c201e01ba123428692cf6d1461cc0616e75a09374cbf5a59040101005148dfba1d9ef30df850975688a6168a9bff2732b603dc5588a1fb0940bb209aea2f0a9f68bc21c3405aaa6d12e4eb9a2254e2d66c6574d8c6606725c4e3d892c5ee30cacf546266a1f0ddce941a205c1bb6a8c3954c70cfda7ac819335b97e3fcc50e47058806fa895dd2940de272d1cd4c45ad8955e3aedbf11b406fc63ff963f7938e09f319660f5e9e2aebc29babb851f01af3880331b9cbbf671f154782a62464143d70c240b5ce6ad52a51a0c9f0df0d2337686d044595f6650de8e02702eb257118e24ea2525fd8a8b0d77ed6975ca0cf73e1a2d22148d96f74ef166ba96ae8488ff4c1369ce9998a47d91b145e83bccadd6fff90e44119e661cd482f16030300040e000000 (356) Message-Authenticator = 0x00000000000000000000000000000000 (356) State = 0xceec9f67cbeb86c299469da09cee92a1 (356) Finished request Waking up in 3.8 seconds. (357) Received Access-Request Id 71 from 130.92.42.15:60533 to 130.92.10.33:1812 length 570 (357) User-Name = "xyz@realm.com" (357) Service-Type = Framed-User (357) Cisco-AVPair = "service-type=Framed" (357) Framed-MTU = 1485 (357) EAP-Message = 0x0207008819800000007e1603030046100000424104dc75f0e99c0d10be5910b5ec7c9f9d1c239f795540d3f569fe73a2a28522d16ba31504a1cd5350b4b6bdff5dfc1527a84f9d4d38b82ef18a7a34cdf139cc71691403030001011603030028d818ac38e08209544a07329d759f59053fa0a4d1764f92143881d18b37e116582dc7d0618d43df56 (357) Message-Authenticator = 0x382bd2b906d4f4e2b5d7d11e1b7805a1 (357) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (357) Cisco-AVPair = "method=dot1x" (357) Cisco-AVPair = "client-iif-id=201332865" (357) Cisco-AVPair = "vlan-id=1876" (357) NAS-IP-Address = 130.92.42.15 (357) NAS-Port-Type = Wireless-802.11 (357) NAS-Port = 4211 (357) State = 0xceec9f67cbeb86c299469da09cee92a1 (357) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (357) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (357) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (357) Calling-Station-Id = "22-e0-73-f2-50-23" (357) Airespace-Wlan-Id = 98 (357) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (357) WLAN-Group-Cipher = 1027076 (357) WLAN-Pairwise-Cipher = 1027076 (357) WLAN-AKM-Suite = 1027075 (357) Restoring &session-state (357) &session-state:Framed-MTU = 1014 (357) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (357) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (357) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (357) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (357) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (357) # Executing section authorize from file /etc/freeradius/sites-enabled/default (357) authorize { (357) policy rewrite_called_station_id { (357) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (357) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (357) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (357) update request { (357) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (357) --> 60-B9-C0-04-C4-40 (357) &Called-Station-Id := 60-B9-C0-04-C4-40 (357) } # update request = noop (357) if ("%{8}") { (357) EXPAND %{8} (357) --> eduroam (357) if ("%{8}") -> TRUE (357) if ("%{8}") { (357) update request { (357) EXPAND %{8} (357) --> eduroam (357) &Called-Station-SSID := eduroam (357) EXPAND %{Called-Station-Id}:%{8} (357) --> 60-B9-C0-04-C4-40:eduroam (357) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (357) } # update request = noop (357) } # if ("%{8}") = noop (357) [updated] = updated (357) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (357) ... skipping else: Preceding "if" was taken (357) } # policy rewrite_called_station_id = updated (357) policy rewrite_calling_station_id { (357) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (357) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (357) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (357) update request { (357) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (357) --> 22-E0-73-F2-50-23 (357) &Calling-Station-Id := 22-E0-73-F2-50-23 (357) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (357) --> 22:E0:73:F2:50:23 (357) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (357) } # update request = noop (357) [updated] = updated (357) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (357) ... skipping else: Preceding "if" was taken (357) } # policy rewrite_calling_station_id = updated (357) if (NAS-Identifier == "uvisrz0215.insel.ch") { (357) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (357) if (Service-Type == Call-Check) { (357) if (Service-Type == Call-Check) -> FALSE (357) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (357) EXPAND Packet-Src-IP-Address (357) --> 130.92.42.15 (357) EXPAND Packet-Src-IP-Address (357) --> 130.92.42.15 (357) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (357) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (357) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (357) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (357) if (EAP-Message) { (357) if (EAP-Message) -> TRUE (357) if (EAP-Message) { (357) policy filter_username { (357) if (&User-Name) { (357) if (&User-Name) -> TRUE (357) if (&User-Name) { (357) if (&User-Name =~ / /) { (357) if (&User-Name =~ / /) -> FALSE (357) if (&User-Name =~ /@[^@]*@/ ) { (357) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (357) if (&User-Name =~ /\.\./ ) { (357) if (&User-Name =~ /\.\./ ) -> FALSE (357) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (357) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (357) if (&User-Name =~ /\.$/) { (357) if (&User-Name =~ /\.$/) -> FALSE (357) if (&User-Name =~ /@\./) { (357) if (&User-Name =~ /@\./) -> FALSE (357) } # if (&User-Name) = updated (357) } # policy filter_username = updated (357) suffix: Checking for suffix after "@" (357) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (357) suffix: Found realm "REALM.COM" (357) suffix: Adding Realm = "REALM.COM" (357) suffix: Authentication realm is LOCAL (357) [suffix] = ok (357) policy deny_no_realm { (357) if (User-Name && (User-Name !~ /@/)) { (357) if (User-Name && (User-Name !~ /@/)) -> FALSE (357) } # policy deny_no_realm = updated (357) update request { (357) EXPAND %{toupper:%{Realm}} (357) --> REALM.COM (357) Realm := REALM.COM (357) } # update request = noop (357) eap: Peer sent EAP Response (code 2) ID 7 length 136 (357) eap: Continuing tunnel setup (357) [eap] = ok (357) } # if (EAP-Message) = ok (357) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (357) } # authorize = updated (357) Found Auth-Type = eap (357) # Executing group from file /etc/freeradius/sites-enabled/default (357) Auth-Type eap { (357) eap: Removing EAP session with state 0xceec9f67cbeb86c2 (357) eap: Previous EAP request found for state 0xceec9f67cbeb86c2, released from the list (357) eap: Peer sent packet with method EAP PEAP (25) (357) eap: Calling submodule eap_peap to process data (357) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes (357) eap_peap: (TLS) EAP Got all data (126 bytes) (357) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (357) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange (357) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange (357) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec (357) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished (357) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished (357) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec (357) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec (357) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished (357) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished (357) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully (357) eap_peap: (TLS) PEAP - Connection Established (357) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (357) eap_peap: TLS-Session-Version = "TLS 1.2" (357) eap: Sending EAP Request (code 1) ID 8 length 57 (357) eap: EAP session adding &reply:State = 0xceec9f67c8e486c2 (357) [eap] = handled (357) if (handled && (Response-Packet-Type == Access-Challenge)) { (357) EXPAND Response-Packet-Type (357) --> Access-Challenge (357) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (357) if (handled && (Response-Packet-Type == Access-Challenge)) { (357) attr_filter.access_challenge: EXPAND %{User-Name} (357) attr_filter.access_challenge: --> xyz@realm.com (357) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (357) [attr_filter.access_challenge.post-auth] = updated (357) [handled] = handled (357) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (357) } # Auth-Type eap = handled (357) Using Post-Auth-Type Challenge (357) Post-Auth-Type sub-section not found. Ignoring. (357) # Executing group from file /etc/freeradius/sites-enabled/default (357) session-state: Saving cached attributes (357) Framed-MTU = 1014 (357) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (357) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (357) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (357) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (357) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (357) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (357) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (357) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (357) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (357) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (357) TLS-Session-Version = "TLS 1.2" (357) Sent Access-Challenge Id 71 from 130.92.10.33:1812 to 130.92.42.15:60533 length 115 (357) EAP-Message = 0x010800391900140303000101160303002873e2e1347334f5dd971479d4d9917d655bb89c8eb3ccb1feaff891be79433e47510170e89cd75911 (357) Message-Authenticator = 0x00000000000000000000000000000000 (357) State = 0xceec9f67c8e486c299469da09cee92a1 (357) Finished request Waking up in 3.8 seconds. (358) Received Access-Request Id 79 from 130.92.42.15:60533 to 130.92.10.33:1812 length 440 (358) User-Name = "xyz@realm.com" (358) Service-Type = Framed-User (358) Cisco-AVPair = "service-type=Framed" (358) Framed-MTU = 1485 (358) EAP-Message = 0x020800061900 (358) Message-Authenticator = 0xc637f3644e15e782c86c9fe11b23d1a0 (358) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (358) Cisco-AVPair = "method=dot1x" (358) Cisco-AVPair = "client-iif-id=201332865" (358) Cisco-AVPair = "vlan-id=1876" (358) NAS-IP-Address = 130.92.42.15 (358) NAS-Port-Type = Wireless-802.11 (358) NAS-Port = 4211 (358) State = 0xceec9f67c8e486c299469da09cee92a1 (358) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (358) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (358) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (358) Calling-Station-Id = "22-e0-73-f2-50-23" (358) Airespace-Wlan-Id = 98 (358) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (358) WLAN-Group-Cipher = 1027076 (358) WLAN-Pairwise-Cipher = 1027076 (358) WLAN-AKM-Suite = 1027075 (358) Restoring &session-state (358) &session-state:Framed-MTU = 1014 (358) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (358) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (358) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (358) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (358) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (358) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (358) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (358) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (358) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (358) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (358) &session-state:TLS-Session-Version = "TLS 1.2" (358) # Executing section authorize from file /etc/freeradius/sites-enabled/default (358) authorize { (358) policy rewrite_called_station_id { (358) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (358) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (358) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (358) update request { (358) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (358) --> 60-B9-C0-04-C4-40 (358) &Called-Station-Id := 60-B9-C0-04-C4-40 (358) } # update request = noop (358) if ("%{8}") { (358) EXPAND %{8} (358) --> eduroam (358) if ("%{8}") -> TRUE (358) if ("%{8}") { (358) update request { (358) EXPAND %{8} (358) --> eduroam (358) &Called-Station-SSID := eduroam (358) EXPAND %{Called-Station-Id}:%{8} (358) --> 60-B9-C0-04-C4-40:eduroam (358) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (358) } # update request = noop (358) } # if ("%{8}") = noop (358) [updated] = updated (358) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (358) ... skipping else: Preceding "if" was taken (358) } # policy rewrite_called_station_id = updated (358) policy rewrite_calling_station_id { (358) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (358) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (358) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (358) update request { (358) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (358) --> 22-E0-73-F2-50-23 (358) &Calling-Station-Id := 22-E0-73-F2-50-23 (358) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (358) --> 22:E0:73:F2:50:23 (358) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (358) } # update request = noop (358) [updated] = updated (358) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (358) ... skipping else: Preceding "if" was taken (358) } # policy rewrite_calling_station_id = updated (358) if (NAS-Identifier == "uvisrz0215.insel.ch") { (358) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (358) if (Service-Type == Call-Check) { (358) if (Service-Type == Call-Check) -> FALSE (358) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (358) EXPAND Packet-Src-IP-Address (358) --> 130.92.42.15 (358) EXPAND Packet-Src-IP-Address (358) --> 130.92.42.15 (358) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (358) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (358) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (358) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (358) if (EAP-Message) { (358) if (EAP-Message) -> TRUE (358) if (EAP-Message) { (358) policy filter_username { (358) if (&User-Name) { (358) if (&User-Name) -> TRUE (358) if (&User-Name) { (358) if (&User-Name =~ / /) { (358) if (&User-Name =~ / /) -> FALSE (358) if (&User-Name =~ /@[^@]*@/ ) { (358) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (358) if (&User-Name =~ /\.\./ ) { (358) if (&User-Name =~ /\.\./ ) -> FALSE (358) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (358) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (358) if (&User-Name =~ /\.$/) { (358) if (&User-Name =~ /\.$/) -> FALSE (358) if (&User-Name =~ /@\./) { (358) if (&User-Name =~ /@\./) -> FALSE (358) } # if (&User-Name) = updated (358) } # policy filter_username = updated (358) suffix: Checking for suffix after "@" (358) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (358) suffix: Found realm "REALM.COM" (358) suffix: Adding Realm = "REALM.COM" (358) suffix: Authentication realm is LOCAL (358) [suffix] = ok (358) policy deny_no_realm { (358) if (User-Name && (User-Name !~ /@/)) { (358) if (User-Name && (User-Name !~ /@/)) -> FALSE (358) } # policy deny_no_realm = updated (358) update request { (358) EXPAND %{toupper:%{Realm}} (358) --> REALM.COM (358) Realm := REALM.COM (358) } # update request = noop (358) eap: Peer sent EAP Response (code 2) ID 8 length 6 (358) eap: Continuing tunnel setup (358) [eap] = ok (358) } # if (EAP-Message) = ok (358) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (358) } # authorize = updated (358) Found Auth-Type = eap (358) # Executing group from file /etc/freeradius/sites-enabled/default (358) Auth-Type eap { (358) eap: Removing EAP session with state 0xceec9f67c8e486c2 (358) eap: Previous EAP request found for state 0xceec9f67c8e486c2, released from the list (358) eap: Peer sent packet with method EAP PEAP (25) (358) eap: Calling submodule eap_peap to process data (358) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (358) eap_peap: Session established. Decoding tunneled attributes (358) eap_peap: PEAP state TUNNEL ESTABLISHED (358) eap: Sending EAP Request (code 1) ID 9 length 40 (358) eap: EAP session adding &reply:State = 0xceec9f67c9e586c2 (358) [eap] = handled (358) if (handled && (Response-Packet-Type == Access-Challenge)) { (358) EXPAND Response-Packet-Type (358) --> Access-Challenge (358) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (358) if (handled && (Response-Packet-Type == Access-Challenge)) { (358) attr_filter.access_challenge: EXPAND %{User-Name} (358) attr_filter.access_challenge: --> xyz@realm.com (358) attr_filter.access_challenge: Matched entry DEFAULT at line 12 (358) [attr_filter.access_challenge.post-auth] = updated (358) [handled] = handled (358) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (358) } # Auth-Type eap = handled (358) Using Post-Auth-Type Challenge (358) Post-Auth-Type sub-section not found. Ignoring. (358) # Executing group from file /etc/freeradius/sites-enabled/default (358) session-state: Saving cached attributes (358) Framed-MTU = 1014 (358) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (358) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (358) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (358) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (358) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (358) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (358) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (358) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (358) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (358) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (358) TLS-Session-Version = "TLS 1.2" (358) Sent Access-Challenge Id 79 from 130.92.10.33:1812 to 130.92.42.15:60533 length 98 (358) EAP-Message = 0x010900281900170303001d73e2e1347334f5dee8b4d42eb4a6ac1f21e84645180ec145b6e6f3c747 (358) Message-Authenticator = 0x00000000000000000000000000000000 (358) State = 0xceec9f67c9e586c299469da09cee92a1 (358) Finished request Waking up in 3.8 seconds. (359) Received Access-Request Id 87 from 130.92.42.15:60533 to 130.92.10.33:1812 length 494 (359) User-Name = "xyz@realm.com" (359) Service-Type = Framed-User (359) Cisco-AVPair = "service-type=Framed" (359) Framed-MTU = 1485 (359) EAP-Message = 0x0209003c19001703030031d818ac38e0820955dfa6371a6b6a589774c9c0627ebd45e6682397c1e3b42b5dc37c9c55586bc468386d5729515b62a634 (359) Message-Authenticator = 0x0b1308903782a64609d4283693fee522 (359) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (359) Cisco-AVPair = "method=dot1x" (359) Cisco-AVPair = "client-iif-id=201332865" (359) Cisco-AVPair = "vlan-id=1876" (359) NAS-IP-Address = 130.92.42.15 (359) NAS-Port-Type = Wireless-802.11 (359) NAS-Port = 4211 (359) State = 0xceec9f67c9e586c299469da09cee92a1 (359) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (359) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (359) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (359) Calling-Station-Id = "22-e0-73-f2-50-23" (359) Airespace-Wlan-Id = 98 (359) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (359) WLAN-Group-Cipher = 1027076 (359) WLAN-Pairwise-Cipher = 1027076 (359) WLAN-AKM-Suite = 1027075 (359) Restoring &session-state (359) &session-state:Framed-MTU = 1014 (359) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (359) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (359) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (359) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (359) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (359) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (359) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (359) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (359) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (359) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (359) &session-state:TLS-Session-Version = "TLS 1.2" (359) # Executing section authorize from file /etc/freeradius/sites-enabled/default (359) authorize { (359) policy rewrite_called_station_id { (359) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (359) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (359) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (359) update request { (359) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (359) --> 60-B9-C0-04-C4-40 (359) &Called-Station-Id := 60-B9-C0-04-C4-40 (359) } # update request = noop (359) if ("%{8}") { (359) EXPAND %{8} (359) --> eduroam (359) if ("%{8}") -> TRUE (359) if ("%{8}") { (359) update request { (359) EXPAND %{8} (359) --> eduroam (359) &Called-Station-SSID := eduroam (359) EXPAND %{Called-Station-Id}:%{8} (359) --> 60-B9-C0-04-C4-40:eduroam (359) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (359) } # update request = noop (359) } # if ("%{8}") = noop (359) [updated] = updated (359) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (359) ... skipping else: Preceding "if" was taken (359) } # policy rewrite_called_station_id = updated (359) policy rewrite_calling_station_id { (359) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (359) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (359) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (359) update request { (359) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (359) --> 22-E0-73-F2-50-23 (359) &Calling-Station-Id := 22-E0-73-F2-50-23 (359) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (359) --> 22:E0:73:F2:50:23 (359) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (359) } # update request = noop (359) [updated] = updated (359) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (359) ... skipping else: Preceding "if" was taken (359) } # policy rewrite_calling_station_id = updated (359) if (NAS-Identifier == "uvisrz0215.insel.ch") { (359) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (359) if (Service-Type == Call-Check) { (359) if (Service-Type == Call-Check) -> FALSE (359) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (359) EXPAND Packet-Src-IP-Address (359) --> 130.92.42.15 (359) EXPAND Packet-Src-IP-Address (359) --> 130.92.42.15 (359) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (359) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (359) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (359) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (359) if (EAP-Message) { (359) if (EAP-Message) -> TRUE (359) if (EAP-Message) { (359) policy filter_username { (359) if (&User-Name) { (359) if (&User-Name) -> TRUE (359) if (&User-Name) { (359) if (&User-Name =~ / /) { (359) if (&User-Name =~ / /) -> FALSE (359) if (&User-Name =~ /@[^@]*@/ ) { (359) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (359) if (&User-Name =~ /\.\./ ) { (359) if (&User-Name =~ /\.\./ ) -> FALSE (359) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (359) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (359) if (&User-Name =~ /\.$/) { (359) if (&User-Name =~ /\.$/) -> FALSE (359) if (&User-Name =~ /@\./) { (359) if (&User-Name =~ /@\./) -> FALSE (359) } # if (&User-Name) = updated (359) } # policy filter_username = updated (359) suffix: Checking for suffix after "@" (359) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (359) suffix: Found realm "REALM.COM" (359) suffix: Adding Realm = "REALM.COM" (359) suffix: Authentication realm is LOCAL (359) [suffix] = ok (359) policy deny_no_realm { (359) if (User-Name && (User-Name !~ /@/)) { (359) if (User-Name && (User-Name !~ /@/)) -> FALSE (359) } # policy deny_no_realm = updated (359) update request { (359) EXPAND %{toupper:%{Realm}} (359) --> REALM.COM (359) Realm := REALM.COM (359) } # update request = noop (359) eap: Peer sent EAP Response (code 2) ID 9 length 60 (359) eap: Continuing tunnel setup (359) [eap] = ok (359) } # if (EAP-Message) = ok (359) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (359) } # authorize = updated (359) Found Auth-Type = eap (359) # Executing group from file /etc/freeradius/sites-enabled/default (359) Auth-Type eap { (359) eap: Removing EAP session with state 0xceec9f67c9e586c2 (359) eap: Previous EAP request found for state 0xceec9f67c9e586c2, released from the list (359) eap: Peer sent packet with method EAP PEAP (25) (359) eap: Calling submodule eap_peap to process data (359) eap_peap: (TLS) EAP Done initial handshake (359) eap_peap: Session established. Decoding tunneled attributes (359) eap_peap: PEAP state WAITING FOR INNER IDENTITY (359) eap_peap: Identity - xyz@realm.com (359) eap_peap: Got inner identity 'xyz@realm.com' (359) eap_peap: Setting default EAP type for tunneled EAP session (359) eap_peap: Got tunneled request (359) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (359) eap_peap: Setting User-Name to xyz@realm.com (359) eap_peap: Sending tunneled request to proxy-inner-tunnel (359) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (359) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (359) eap_peap: User-Name = "xyz@realm.com" (359) eap_peap: Service-Type = Framed-User (359) eap_peap: Cisco-AVPair = "service-type=Framed" (359) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (359) eap_peap: Cisco-AVPair = "method=dot1x" (359) eap_peap: Cisco-AVPair = "client-iif-id=201332865" (359) eap_peap: Cisco-AVPair = "vlan-id=1876" (359) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (359) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (359) eap_peap: Framed-MTU = 1485 (359) eap_peap: NAS-IP-Address = 130.92.42.15 (359) eap_peap: NAS-Port-Type = Wireless-802.11 (359) eap_peap: NAS-Port = 4211 (359) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (359) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23" (359) eap_peap: Airespace-Wlan-Id = 98 (359) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (359) eap_peap: WLAN-Group-Cipher = 1027076 (359) eap_peap: WLAN-Pairwise-Cipher = 1027076 (359) eap_peap: WLAN-AKM-Suite = 1027075 (359) Virtual server proxy-inner-tunnel received request (359) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (359) FreeRADIUS-Proxied-To = 127.0.0.1 (359) User-Name = "xyz@realm.com" (359) Service-Type = Framed-User (359) Cisco-AVPair = "service-type=Framed" (359) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (359) Cisco-AVPair = "method=dot1x" (359) Cisco-AVPair = "client-iif-id=201332865" (359) Cisco-AVPair = "vlan-id=1876" (359) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (359) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (359) Framed-MTU = 1485 (359) NAS-IP-Address = 130.92.42.15 (359) NAS-Port-Type = Wireless-802.11 (359) NAS-Port = 4211 (359) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (359) Calling-Station-Id := "22-E0-73-F2-50-23" (359) Airespace-Wlan-Id = 98 (359) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (359) WLAN-Group-Cipher = 1027076 (359) WLAN-Pairwise-Cipher = 1027076 (359) WLAN-AKM-Suite = 1027075 (359) WARNING: Outer and inner identities are the same. User privacy is compromised. (359) server proxy-inner-tunnel { (359) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (359) authorize { (359) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (359) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (359) if (!NAS-Port-Type){ (359) if (!NAS-Port-Type) -> FALSE (359) update control { (359) &Proxy-To-Realm := REALM-NPS-DEV (359) } # update control = noop (359) } # authorize = noop (359) } # server proxy-inner-tunnel (359) Virtual server sending reply (359) eap_peap: Got tunneled reply code 0 (359) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (359) eap: WARNING: Tunneled session will be proxied. Not doing EAP (359) [eap] = handled (359) if (handled && (Response-Packet-Type == Access-Challenge)) { (359) EXPAND Response-Packet-Type (359) --> (359) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (359) } # Auth-Type eap = handled (359) Starting proxy to home server 130.92.14.27 port 1812 (359) server default { (359) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (359) pre-proxy { (359) attr_filter.pre-proxy: EXPAND %{Realm} (359) attr_filter.pre-proxy: --> REALM.COM (359) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (359) [attr_filter.pre-proxy] = updated (359) } # pre-proxy = updated (359) } (359) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (359) Sent Access-Request Id 103 from 0.0.0.0:37193 to 130.92.14.27:1812 length 195 (359) Operator-Name := "1realm.com" (359) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368 (359) User-Name = "xyz@realm.com" (359) NAS-IP-Address = 130.92.42.15 (359) NAS-Port-Type = Wireless-802.11 (359) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (359) Calling-Station-Id := "22-E0-73-F2-50-23" (359) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (359) Message-Authenticator = 0x (359) Proxy-State = 0x3837 Waking up in 0.3 seconds. (359) Clearing existing &reply: attributes (359) Received Access-Challenge Id 103 from 130.92.14.27:1812 to 130.92.10.33:37193 length 127 (359) Proxy-State = 0x3837 (359) Session-Timeout = 60 (359) EAP-Message = 0x010a00271a010a002210b525a5e4caa7f64b01519323866680a94141492d4e50532d4544555632 (359) State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (359) Message-Authenticator = 0x6c901afb83800964ca430f40dbb6a48b (359) server default { (359) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (359) post-proxy { (359) attr_filter.post-proxy: EXPAND %{Realm} (359) attr_filter.post-proxy: --> REALM.COM (359) attr_filter.post-proxy: Matched entry REALM.COM at line 102 (359) [attr_filter.post-proxy] = updated (359) eap: Doing post-proxy callback (359) eap: Passing reply from proxy back into the tunnel (359) eap: Got tunneled reply RADIUS code 11 (359) eap: Tunnel-Type := VLAN (359) eap: Tunnel-Medium-Type := IEEE-802 (359) eap: Proxy-State = 0x3837 (359) eap: EAP-Message = 0x010a00271a010a002210b525a5e4caa7f64b01519323866680a94141492d4e50532d4544555632 (359) eap: State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (359) eap: Message-Authenticator = 0x6c901afb83800964ca430f40dbb6a48b (359) eap: Got tunneled Access-Challenge (359) eap: Reply was handled (359) eap: Sending EAP Request (code 1) ID 10 length 70 (359) eap: EAP session adding &reply:State = 0xceec9f67c6e686c2 (359) [eap] = ok (359) } # post-proxy = updated (359) } (359) session-state: Saving cached attributes (359) Framed-MTU = 1014 (359) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (359) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (359) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (359) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (359) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (359) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (359) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (359) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (359) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (359) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (359) TLS-Session-Version = "TLS 1.2" (359) Using Post-Auth-Type Challenge (359) Post-Auth-Type sub-section not found. Ignoring. (359) # Executing group from file /etc/freeradius/sites-enabled/default (359) Sent Access-Challenge Id 87 from 130.92.10.33:1812 to 130.92.42.15:60533 length 128 (359) EAP-Message = 0x010a00461900170303003b73e2e1347334f5df1334975397eb27f2ea72218216b601e30cf6534633cacf5a4f96d474e4bffc863fe12f3e090719d63005d2a90bc4c033687695 (359) Message-Authenticator = 0x00000000000000000000000000000000 (359) State = 0xceec9f67c6e686c299469da09cee92a1 (359) Finished request Waking up in 3.8 seconds. (360) Received Access-Request Id 95 from 130.92.42.15:60533 to 130.92.10.33:1812 length 548 (360) User-Name = "xyz@realm.com" (360) Service-Type = Framed-User (360) Cisco-AVPair = "service-type=Framed" (360) Framed-MTU = 1485 (360) EAP-Message = 0x020a007219001703030067d818ac38e0820956a55dbc84dc8dbff396eccf45bb84d17cc4414d36aa58a10bfade9f10e4c8549941c34c865f02def6b2a999172f24205fd30a5703670a8fe6fc25539a682f648d3b9335e448383a088e0a335073a2f1eaa5928e025acc5025caa3e63b446141 (360) Message-Authenticator = 0x5d740b470e2d200c7136d0498c3882b5 (360) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (360) Cisco-AVPair = "method=dot1x" (360) Cisco-AVPair = "client-iif-id=201332865" (360) Cisco-AVPair = "vlan-id=1876" (360) NAS-IP-Address = 130.92.42.15 (360) NAS-Port-Type = Wireless-802.11 (360) NAS-Port = 4211 (360) State = 0xceec9f67c6e686c299469da09cee92a1 (360) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (360) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (360) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (360) Calling-Station-Id = "22-e0-73-f2-50-23" (360) Airespace-Wlan-Id = 98 (360) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (360) WLAN-Group-Cipher = 1027076 (360) WLAN-Pairwise-Cipher = 1027076 (360) WLAN-AKM-Suite = 1027075 (360) session-state: No cached attributes (360) # Executing section authorize from file /etc/freeradius/sites-enabled/default (360) authorize { (360) policy rewrite_called_station_id { (360) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (360) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (360) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (360) update request { (360) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (360) --> 60-B9-C0-04-C4-40 (360) &Called-Station-Id := 60-B9-C0-04-C4-40 (360) } # update request = noop (360) if ("%{8}") { (360) EXPAND %{8} (360) --> eduroam (360) if ("%{8}") -> TRUE (360) if ("%{8}") { (360) update request { (360) EXPAND %{8} (360) --> eduroam (360) &Called-Station-SSID := eduroam (360) EXPAND %{Called-Station-Id}:%{8} (360) --> 60-B9-C0-04-C4-40:eduroam (360) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (360) } # update request = noop (360) } # if ("%{8}") = noop (360) [updated] = updated (360) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (360) ... skipping else: Preceding "if" was taken (360) } # policy rewrite_called_station_id = updated (360) policy rewrite_calling_station_id { (360) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (360) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (360) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (360) update request { (360) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (360) --> 22-E0-73-F2-50-23 (360) &Calling-Station-Id := 22-E0-73-F2-50-23 (360) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (360) --> 22:E0:73:F2:50:23 (360) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (360) } # update request = noop (360) [updated] = updated (360) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (360) ... skipping else: Preceding "if" was taken (360) } # policy rewrite_calling_station_id = updated (360) if (NAS-Identifier == "uvisrz0215.insel.ch") { (360) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (360) if (Service-Type == Call-Check) { (360) if (Service-Type == Call-Check) -> FALSE (360) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (360) EXPAND Packet-Src-IP-Address (360) --> 130.92.42.15 (360) EXPAND Packet-Src-IP-Address (360) --> 130.92.42.15 (360) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (360) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (360) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (360) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (360) if (EAP-Message) { (360) if (EAP-Message) -> TRUE (360) if (EAP-Message) { (360) policy filter_username { (360) if (&User-Name) { (360) if (&User-Name) -> TRUE (360) if (&User-Name) { (360) if (&User-Name =~ / /) { (360) if (&User-Name =~ / /) -> FALSE (360) if (&User-Name =~ /@[^@]*@/ ) { (360) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (360) if (&User-Name =~ /\.\./ ) { (360) if (&User-Name =~ /\.\./ ) -> FALSE (360) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (360) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (360) if (&User-Name =~ /\.$/) { (360) if (&User-Name =~ /\.$/) -> FALSE (360) if (&User-Name =~ /@\./) { (360) if (&User-Name =~ /@\./) -> FALSE (360) } # if (&User-Name) = updated (360) } # policy filter_username = updated (360) suffix: Checking for suffix after "@" (360) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (360) suffix: Found realm "REALM.COM" (360) suffix: Adding Realm = "REALM.COM" (360) suffix: Authentication realm is LOCAL (360) [suffix] = ok (360) policy deny_no_realm { (360) if (User-Name && (User-Name !~ /@/)) { (360) if (User-Name && (User-Name !~ /@/)) -> FALSE (360) } # policy deny_no_realm = updated (360) update request { (360) EXPAND %{toupper:%{Realm}} (360) --> REALM.COM (360) Realm := REALM.COM (360) } # update request = noop (360) eap: Peer sent EAP Response (code 2) ID 10 length 114 (360) eap: Continuing tunnel setup (360) [eap] = ok (360) } # if (EAP-Message) = ok (360) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (360) } # authorize = updated (360) Found Auth-Type = eap (360) # Executing group from file /etc/freeradius/sites-enabled/default (360) Auth-Type eap { (360) eap: Removing EAP session with state 0xceec9f67c6e686c2 (360) eap: Previous EAP request found for state 0xceec9f67c6e686c2, released from the list (360) eap: Peer sent packet with method EAP PEAP (25) (360) eap: Calling submodule eap_peap to process data (360) eap_peap: (TLS) EAP Done initial handshake (360) eap_peap: Session established. Decoding tunneled attributes (360) eap_peap: PEAP state phase2 (360) eap_peap: EAP method MSCHAPv2 (26) (360) eap_peap: Got tunneled request (360) eap_peap: EAP-Message = 0x020a00531a020a004e31eedbe3edb2c8dab25469d6799f7457e10000000000000000172138e88718b79481fa3052f5d30b07434ece6a30bd74a400646f6d696e69632e7374616c64657240756e6962652e6368 (360) eap_peap: Setting User-Name to xyz@realm.com (360) eap_peap: Sending tunneled request to proxy-inner-tunnel (360) eap_peap: EAP-Message = 0x020a00531a020a004e31eedbe3edb2c8dab25469d6799f7457e10000000000000000172138e88718b79481fa3052f5d30b07434ece6a30bd74a400646f6d696e69632e7374616c64657240756e6962652e6368 (360) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (360) eap_peap: User-Name = "xyz@realm.com" (360) eap_peap: State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (360) eap_peap: Service-Type = Framed-User (360) eap_peap: Cisco-AVPair = "service-type=Framed" (360) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (360) eap_peap: Cisco-AVPair = "method=dot1x" (360) eap_peap: Cisco-AVPair = "client-iif-id=201332865" (360) eap_peap: Cisco-AVPair = "vlan-id=1876" (360) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (360) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (360) eap_peap: Framed-MTU = 1485 (360) eap_peap: NAS-IP-Address = 130.92.42.15 (360) eap_peap: NAS-Port-Type = Wireless-802.11 (360) eap_peap: NAS-Port = 4211 (360) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (360) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23" (360) eap_peap: Airespace-Wlan-Id = 98 (360) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (360) eap_peap: WLAN-Group-Cipher = 1027076 (360) eap_peap: WLAN-Pairwise-Cipher = 1027076 (360) eap_peap: WLAN-AKM-Suite = 1027075 (360) Virtual server proxy-inner-tunnel received request (360) EAP-Message = 0x020a00531a020a004e31eedbe3edb2c8dab25469d6799f7457e10000000000000000172138e88718b79481fa3052f5d30b07434ece6a30bd74a400646f6d696e69632e7374616c64657240756e6962652e6368 (360) FreeRADIUS-Proxied-To = 127.0.0.1 (360) User-Name = "xyz@realm.com" (360) State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (360) Service-Type = Framed-User (360) Cisco-AVPair = "service-type=Framed" (360) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (360) Cisco-AVPair = "method=dot1x" (360) Cisco-AVPair = "client-iif-id=201332865" (360) Cisco-AVPair = "vlan-id=1876" (360) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (360) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (360) Framed-MTU = 1485 (360) NAS-IP-Address = 130.92.42.15 (360) NAS-Port-Type = Wireless-802.11 (360) NAS-Port = 4211 (360) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (360) Calling-Station-Id := "22-E0-73-F2-50-23" (360) Airespace-Wlan-Id = 98 (360) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (360) WLAN-Group-Cipher = 1027076 (360) WLAN-Pairwise-Cipher = 1027076 (360) WLAN-AKM-Suite = 1027075 (360) WARNING: Outer and inner identities are the same. User privacy is compromised. (360) server proxy-inner-tunnel { (360) session-state: No cached attributes (360) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (360) authorize { (360) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (360) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (360) if (!NAS-Port-Type){ (360) if (!NAS-Port-Type) -> FALSE (360) update control { (360) &Proxy-To-Realm := REALM-NPS-DEV (360) } # update control = noop (360) } # authorize = noop (360) } # server proxy-inner-tunnel (360) Virtual server sending reply (360) eap_peap: Got tunneled reply code 0 (360) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (360) eap: WARNING: Tunneled session will be proxied. Not doing EAP (360) [eap] = handled (360) if (handled && (Response-Packet-Type == Access-Challenge)) { (360) EXPAND Response-Packet-Type (360) --> (360) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (360) } # Auth-Type eap = handled (360) Starting proxy to home server 130.92.14.27 port 1812 (360) server default { (360) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (360) pre-proxy { (360) attr_filter.pre-proxy: EXPAND %{Realm} (360) attr_filter.pre-proxy: --> REALM.COM (360) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (360) [attr_filter.pre-proxy] = updated (360) } # pre-proxy = updated (360) } (360) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (360) Sent Access-Request Id 104 from 0.0.0.0:37193 to 130.92.14.27:1812 length 287 (360) Operator-Name := "1realm.com" (360) EAP-Message = 0x020a00531a020a004e31eedbe3edb2c8dab25469d6799f7457e10000000000000000172138e88718b79481fa3052f5d30b07434ece6a30bd74a400646f6d696e69632e7374616c64657240756e6962652e6368 (360) User-Name = "xyz@realm.com" (360) State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (360) NAS-IP-Address = 130.92.42.15 (360) NAS-Port-Type = Wireless-802.11 (360) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (360) Calling-Station-Id := "22-E0-73-F2-50-23" (360) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (360) Message-Authenticator = 0x (360) Proxy-State = 0x3935 Waking up in 0.3 seconds. (360) Clearing existing &reply: attributes (360) Received Access-Challenge Id 104 from 130.92.14.27:1812 to 130.92.10.33:37193 length 139 (360) Proxy-State = 0x3935 (360) Session-Timeout = 60 (360) EAP-Message = 0x010b00331a030a002e533d37303432393739324338443032374436374337313037313343324335364334414338354532443632 (360) State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (360) Message-Authenticator = 0xee40e7346c5b8d679a4dc1c43877c728 (360) server default { (360) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (360) post-proxy { (360) attr_filter.post-proxy: EXPAND %{Realm} (360) attr_filter.post-proxy: --> REALM.COM (360) attr_filter.post-proxy: Matched entry REALM.COM at line 102 (360) [attr_filter.post-proxy] = updated (360) eap: Doing post-proxy callback (360) eap: Passing reply from proxy back into the tunnel (360) eap: Got tunneled reply RADIUS code 11 (360) eap: Tunnel-Type := VLAN (360) eap: Tunnel-Medium-Type := IEEE-802 (360) eap: Proxy-State = 0x3935 (360) eap: EAP-Message = 0x010b00331a030a002e533d37303432393739324338443032374436374337313037313343324335364334414338354532443632 (360) eap: State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (360) eap: Message-Authenticator = 0xee40e7346c5b8d679a4dc1c43877c728 (360) eap: Got tunneled Access-Challenge (360) eap: Reply was handled (360) eap: Sending EAP Request (code 1) ID 11 length 82 (360) eap: EAP session adding &reply:State = 0xceec9f67c7e786c2 (360) [eap] = ok (360) } # post-proxy = updated (360) } (360) Using Post-Auth-Type Challenge (360) Post-Auth-Type sub-section not found. Ignoring. (360) # Executing group from file /etc/freeradius/sites-enabled/default (360) Sent Access-Challenge Id 95 from 130.92.10.33:1812 to 130.92.42.15:60533 length 140 (360) EAP-Message = 0x010b00521900170303004773e2e1347334f5e09bc24daa64eee9138e1f2e55345df04bbcd5dd711c6c333de68f50de7d780d87c6d6336c23586f6b0fd197b261dd6213360e814416f8f2b07957dcacdce9c6 (360) Message-Authenticator = 0x00000000000000000000000000000000 (360) State = 0xceec9f67c7e786c299469da09cee92a1 (360) Finished request Waking up in 3.8 seconds. (361) Received Access-Request Id 103 from 130.92.42.15:60533 to 130.92.10.33:1812 length 471 (361) User-Name = "xyz@realm.com" (361) Service-Type = Framed-User (361) Cisco-AVPair = "service-type=Framed" (361) Framed-MTU = 1485 (361) EAP-Message = 0x020b00251900170303001ad818ac38e082095774adfff902d724d0af5865cbe4c9b8c4b279 (361) Message-Authenticator = 0x2b9af5a6d3cafcc76039c652203d8380 (361) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (361) Cisco-AVPair = "method=dot1x" (361) Cisco-AVPair = "client-iif-id=201332865" (361) Cisco-AVPair = "vlan-id=1876" (361) NAS-IP-Address = 130.92.42.15 (361) NAS-Port-Type = Wireless-802.11 (361) NAS-Port = 4211 (361) State = 0xceec9f67c7e786c299469da09cee92a1 (361) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (361) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (361) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (361) Calling-Station-Id = "22-e0-73-f2-50-23" (361) Airespace-Wlan-Id = 98 (361) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (361) WLAN-Group-Cipher = 1027076 (361) WLAN-Pairwise-Cipher = 1027076 (361) WLAN-AKM-Suite = 1027075 (361) session-state: No cached attributes (361) # Executing section authorize from file /etc/freeradius/sites-enabled/default (361) authorize { (361) policy rewrite_called_station_id { (361) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (361) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (361) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (361) update request { (361) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (361) --> 60-B9-C0-04-C4-40 (361) &Called-Station-Id := 60-B9-C0-04-C4-40 (361) } # update request = noop (361) if ("%{8}") { (361) EXPAND %{8} (361) --> eduroam (361) if ("%{8}") -> TRUE (361) if ("%{8}") { (361) update request { (361) EXPAND %{8} (361) --> eduroam (361) &Called-Station-SSID := eduroam (361) EXPAND %{Called-Station-Id}:%{8} (361) --> 60-B9-C0-04-C4-40:eduroam (361) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (361) } # update request = noop (361) } # if ("%{8}") = noop (361) [updated] = updated (361) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (361) ... skipping else: Preceding "if" was taken (361) } # policy rewrite_called_station_id = updated (361) policy rewrite_calling_station_id { (361) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (361) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (361) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (361) update request { (361) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (361) --> 22-E0-73-F2-50-23 (361) &Calling-Station-Id := 22-E0-73-F2-50-23 (361) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (361) --> 22:E0:73:F2:50:23 (361) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (361) } # update request = noop (361) [updated] = updated (361) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (361) ... skipping else: Preceding "if" was taken (361) } # policy rewrite_calling_station_id = updated (361) if (NAS-Identifier == "uvisrz0215.insel.ch") { (361) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (361) if (Service-Type == Call-Check) { (361) if (Service-Type == Call-Check) -> FALSE (361) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (361) EXPAND Packet-Src-IP-Address (361) --> 130.92.42.15 (361) EXPAND Packet-Src-IP-Address (361) --> 130.92.42.15 (361) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (361) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (361) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (361) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (361) if (EAP-Message) { (361) if (EAP-Message) -> TRUE (361) if (EAP-Message) { (361) policy filter_username { (361) if (&User-Name) { (361) if (&User-Name) -> TRUE (361) if (&User-Name) { (361) if (&User-Name =~ / /) { (361) if (&User-Name =~ / /) -> FALSE (361) if (&User-Name =~ /@[^@]*@/ ) { (361) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (361) if (&User-Name =~ /\.\./ ) { (361) if (&User-Name =~ /\.\./ ) -> FALSE (361) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (361) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (361) if (&User-Name =~ /\.$/) { (361) if (&User-Name =~ /\.$/) -> FALSE (361) if (&User-Name =~ /@\./) { (361) if (&User-Name =~ /@\./) -> FALSE (361) } # if (&User-Name) = updated (361) } # policy filter_username = updated (361) suffix: Checking for suffix after "@" (361) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (361) suffix: Found realm "REALM.COM" (361) suffix: Adding Realm = "REALM.COM" (361) suffix: Authentication realm is LOCAL (361) [suffix] = ok (361) policy deny_no_realm { (361) if (User-Name && (User-Name !~ /@/)) { (361) if (User-Name && (User-Name !~ /@/)) -> FALSE (361) } # policy deny_no_realm = updated (361) update request { (361) EXPAND %{toupper:%{Realm}} (361) --> REALM.COM (361) Realm := REALM.COM (361) } # update request = noop (361) eap: Peer sent EAP Response (code 2) ID 11 length 37 (361) eap: Continuing tunnel setup (361) [eap] = ok (361) } # if (EAP-Message) = ok (361) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (361) } # authorize = updated (361) Found Auth-Type = eap (361) # Executing group from file /etc/freeradius/sites-enabled/default (361) Auth-Type eap { (361) eap: Removing EAP session with state 0xceec9f67c7e786c2 (361) eap: Previous EAP request found for state 0xceec9f67c7e786c2, released from the list (361) eap: Peer sent packet with method EAP PEAP (25) (361) eap: Calling submodule eap_peap to process data (361) eap_peap: (TLS) EAP Done initial handshake (361) eap_peap: Session established. Decoding tunneled attributes (361) eap_peap: PEAP state phase2 (361) eap_peap: EAP method MSCHAPv2 (26) (361) eap_peap: Got tunneled request (361) eap_peap: EAP-Message = 0x020b00061a03 (361) eap_peap: Setting User-Name to xyz@realm.com (361) eap_peap: Sending tunneled request to proxy-inner-tunnel (361) eap_peap: EAP-Message = 0x020b00061a03 (361) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (361) eap_peap: User-Name = "xyz@realm.com" (361) eap_peap: State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (361) eap_peap: Service-Type = Framed-User (361) eap_peap: Cisco-AVPair = "service-type=Framed" (361) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (361) eap_peap: Cisco-AVPair = "method=dot1x" (361) eap_peap: Cisco-AVPair = "client-iif-id=201332865" (361) eap_peap: Cisco-AVPair = "vlan-id=1876" (361) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam" (361) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (361) eap_peap: Framed-MTU = 1485 (361) eap_peap: NAS-IP-Address = 130.92.42.15 (361) eap_peap: NAS-Port-Type = Wireless-802.11 (361) eap_peap: NAS-Port = 4211 (361) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (361) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23" (361) eap_peap: Airespace-Wlan-Id = 98 (361) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (361) eap_peap: WLAN-Group-Cipher = 1027076 (361) eap_peap: WLAN-Pairwise-Cipher = 1027076 (361) eap_peap: WLAN-AKM-Suite = 1027075 (361) Virtual server proxy-inner-tunnel received request (361) EAP-Message = 0x020b00061a03 (361) FreeRADIUS-Proxied-To = 127.0.0.1 (361) User-Name = "xyz@realm.com" (361) State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (361) Service-Type = Framed-User (361) Cisco-AVPair = "service-type=Framed" (361) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (361) Cisco-AVPair = "method=dot1x" (361) Cisco-AVPair = "client-iif-id=201332865" (361) Cisco-AVPair = "vlan-id=1876" (361) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (361) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (361) Framed-MTU = 1485 (361) NAS-IP-Address = 130.92.42.15 (361) NAS-Port-Type = Wireless-802.11 (361) NAS-Port = 4211 (361) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (361) Calling-Station-Id := "22-E0-73-F2-50-23" (361) Airespace-Wlan-Id = 98 (361) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (361) WLAN-Group-Cipher = 1027076 (361) WLAN-Pairwise-Cipher = 1027076 (361) WLAN-AKM-Suite = 1027075 (361) WARNING: Outer and inner identities are the same. User privacy is compromised. (361) server proxy-inner-tunnel { (361) session-state: No cached attributes (361) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel (361) authorize { (361) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) { (361) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE (361) if (!NAS-Port-Type){ (361) if (!NAS-Port-Type) -> FALSE (361) update control { (361) &Proxy-To-Realm := REALM-NPS-DEV (361) } # update control = noop (361) } # authorize = noop (361) } # server proxy-inner-tunnel (361) Virtual server sending reply (361) eap_peap: Got tunneled reply code 0 (361) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV (361) eap: WARNING: Tunneled session will be proxied. Not doing EAP (361) [eap] = handled (361) if (handled && (Response-Packet-Type == Access-Challenge)) { (361) EXPAND Response-Packet-Type (361) --> (361) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (361) } # Auth-Type eap = handled (361) Starting proxy to home server 130.92.14.27 port 1812 (361) server default { (361) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default (361) pre-proxy { (361) attr_filter.pre-proxy: EXPAND %{Realm} (361) attr_filter.pre-proxy: --> REALM.COM (361) attr_filter.pre-proxy: Matched entry DEFAULT at line 58 (361) [attr_filter.pre-proxy] = updated (361) } # pre-proxy = updated (361) } (361) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000 (361) Sent Access-Request Id 105 from 0.0.0.0:37193 to 130.92.14.27:1812 length 211 (361) Operator-Name := "1realm.com" (361) EAP-Message = 0x020b00061a03 (361) User-Name = "xyz@realm.com" (361) State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a (361) NAS-IP-Address = 130.92.42.15 (361) NAS-Port-Type = Wireless-802.11 (361) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam" (361) Calling-Station-Id := "22-E0-73-F2-50-23" (361) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (361) Message-Authenticator = 0x (361) Proxy-State = 0x313033 Waking up in 0.3 seconds. (361) Clearing existing &reply: attributes (361) Received Access-Accept Id 105 from 130.92.14.27:1812 to 130.92.10.33:37193 length 289 (361) Proxy-State = 0x313033 (361) Class = 0x7374616666 (361) Filter-Id = "staff" (361) Framed-Protocol = PPP (361) Service-Type = Framed-User (361) Tunnel-Medium-Type:0 = IEEE-802 (361) Tunnel-Private-Group-Id:0 = "1874" (361) Tunnel-Type:0 = VLAN (361) EAP-Message = 0x030b0004 (361) Class = 0x568905d60000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9604 (361) MS-CHAP-Domain = "\001CAMPUS" (361) MS-MPPE-Send-Key = 0xa60a3993fdf2f10954366e08c310b7db (361) MS-MPPE-Recv-Key = 0x0952b4931153bd484c9c87e2891a374f (361) MS-CHAP2-Success = 0x01533d37303432393739324338443032374436374337313037313343324335364334414338354532443632 (361) Message-Authenticator = 0xf2e723cb6be9221293681e605767b8f6 (361) server default { (361) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default (361) post-proxy { (361) attr_filter.post-proxy: EXPAND %{Realm} (361) attr_filter.post-proxy: --> REALM.COM (361) attr_filter.post-proxy: Matched entry REALM.COM at line 102 (361) [attr_filter.post-proxy] = updated (361) eap: Doing post-proxy callback (361) eap: Passing reply from proxy back into the tunnel (361) eap: Got tunneled reply RADIUS code 2 (361) eap: Tunnel-Type := VLAN (361) eap: Tunnel-Medium-Type := IEEE-802 (361) eap: Proxy-State = 0x313033 (361) eap: Class = 0x7374616666 (361) eap: Filter-Id = "staff" (361) eap: Tunnel-Private-Group-Id:0 = "1874" (361) eap: EAP-Message = 0x030b0004 (361) eap: Class = 0x568905d60000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9604 (361) eap: MS-MPPE-Send-Key = 0xa60a3993fdf2f10954366e08c310b7db (361) eap: MS-MPPE-Recv-Key = 0x0952b4931153bd484c9c87e2891a374f (361) eap: Message-Authenticator = 0xf2e723cb6be9221293681e605767b8f6 (361) eap: Tunneled authentication was successful (361) eap: SUCCESS (361) eap: Saving tunneled attributes for later (361) eap: Reply was handled (361) eap: Sending EAP Request (code 1) ID 12 length 46 (361) eap: EAP session adding &reply:State = 0xceec9f67c4e086c2 (361) [eap] = ok (361) } # post-proxy = updated (361) } (361) Using Post-Auth-Type Challenge (361) Post-Auth-Type sub-section not found. Ignoring. (361) # Executing group from file /etc/freeradius/sites-enabled/default (361) Sent Access-Challenge Id 103 from 130.92.10.33:1812 to 130.92.42.15:60533 length 104 (361) EAP-Message = 0x010c002e1900170303002373e2e1347334f5e1bba381c4911add30b08c615c0d0362241c25f21eb1ff0cf311aab6 (361) Message-Authenticator = 0x00000000000000000000000000000000 (361) State = 0xceec9f67c4e086c299469da09cee92a1 (361) Finished request Waking up in 3.7 seconds. (362) Received Access-Request Id 111 from 130.92.42.15:60533 to 130.92.10.33:1812 length 480 (362) User-Name = "xyz@realm.com" (362) Service-Type = Framed-User (362) Cisco-AVPair = "service-type=Framed" (362) Framed-MTU = 1485 (362) EAP-Message = 0x020c002e19001703030023d818ac38e0820958689f4ed07787c227590ec1912b79c63017ac770cf137f4e047aae4 (362) Message-Authenticator = 0x356431e13542aff242df4e9cd2f24d4a (362) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1" (362) Cisco-AVPair = "method=dot1x" (362) Cisco-AVPair = "client-iif-id=201332865" (362) Cisco-AVPair = "vlan-id=1876" (362) NAS-IP-Address = 130.92.42.15 (362) NAS-Port-Type = Wireless-802.11 (362) NAS-Port = 4211 (362) State = 0xceec9f67c4e086c299469da09cee92a1 (362) Cisco-AVPair = "cisco-wlan-ssid=eduroam" (362) Cisco-AVPair = "wlan-profile-name=eduroam-DEV" (362) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam" (362) Calling-Station-Id = "22-e0-73-f2-50-23" (362) Airespace-Wlan-Id = 98 (362) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam" (362) WLAN-Group-Cipher = 1027076 (362) WLAN-Pairwise-Cipher = 1027076 (362) WLAN-AKM-Suite = 1027075 (362) session-state: No cached attributes (362) # Executing section authorize from file /etc/freeradius/sites-enabled/default (362) authorize { (362) policy rewrite_called_station_id { (362) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (362) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (362) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (362) update request { (362) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (362) --> 60-B9-C0-04-C4-40 (362) &Called-Station-Id := 60-B9-C0-04-C4-40 (362) } # update request = noop (362) if ("%{8}") { (362) EXPAND %{8} (362) --> eduroam (362) if ("%{8}") -> TRUE (362) if ("%{8}") { (362) update request { (362) EXPAND %{8} (362) --> eduroam (362) &Called-Station-SSID := eduroam (362) EXPAND %{Called-Station-Id}:%{8} (362) --> 60-B9-C0-04-C4-40:eduroam (362) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (362) } # update request = noop (362) } # if ("%{8}") = noop (362) [updated] = updated (362) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (362) ... skipping else: Preceding "if" was taken (362) } # policy rewrite_called_station_id = updated (362) policy rewrite_calling_station_id { (362) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (362) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (362) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (362) update request { (362) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (362) --> 22-E0-73-F2-50-23 (362) &Calling-Station-Id := 22-E0-73-F2-50-23 (362) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (362) --> 22:E0:73:F2:50:23 (362) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (362) } # update request = noop (362) [updated] = updated (362) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (362) ... skipping else: Preceding "if" was taken (362) } # policy rewrite_calling_station_id = updated (362) if (NAS-Identifier == "uvisrz0215.insel.ch") { (362) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (362) if (Service-Type == Call-Check) { (362) if (Service-Type == Call-Check) -> FALSE (362) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) { (362) EXPAND Packet-Src-IP-Address (362) --> 130.92.42.15 (362) EXPAND Packet-Src-IP-Address (362) --> 130.92.42.15 (362) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE (362) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (362) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (362) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (362) if (EAP-Message) { (362) if (EAP-Message) -> TRUE (362) if (EAP-Message) { (362) policy filter_username { (362) if (&User-Name) { (362) if (&User-Name) -> TRUE (362) if (&User-Name) { (362) if (&User-Name =~ / /) { (362) if (&User-Name =~ / /) -> FALSE (362) if (&User-Name =~ /@[^@]*@/ ) { (362) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (362) if (&User-Name =~ /\.\./ ) { (362) if (&User-Name =~ /\.\./ ) -> FALSE (362) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (362) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (362) if (&User-Name =~ /\.$/) { (362) if (&User-Name =~ /\.$/) -> FALSE (362) if (&User-Name =~ /@\./) { (362) if (&User-Name =~ /@\./) -> FALSE (362) } # if (&User-Name) = updated (362) } # policy filter_username = updated (362) suffix: Checking for suffix after "@" (362) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com" (362) suffix: Found realm "REALM.COM" (362) suffix: Adding Realm = "REALM.COM" (362) suffix: Authentication realm is LOCAL (362) [suffix] = ok (362) policy deny_no_realm { (362) if (User-Name && (User-Name !~ /@/)) { (362) if (User-Name && (User-Name !~ /@/)) -> FALSE (362) } # policy deny_no_realm = updated (362) update request { (362) EXPAND %{toupper:%{Realm}} (362) --> REALM.COM (362) Realm := REALM.COM (362) } # update request = noop (362) eap: Peer sent EAP Response (code 2) ID 12 length 46 (362) eap: Continuing tunnel setup (362) [eap] = ok (362) } # if (EAP-Message) = ok (362) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok (362) } # authorize = updated (362) Found Auth-Type = eap (362) # Executing group from file /etc/freeradius/sites-enabled/default (362) Auth-Type eap { (362) eap: Removing EAP session with state 0xceec9f67c4e086c2 (362) eap: Previous EAP request found for state 0xceec9f67c4e086c2, released from the list (362) eap: Peer sent packet with method EAP PEAP (25) (362) eap: Calling submodule eap_peap to process data (362) eap_peap: (TLS) EAP Done initial handshake (362) eap_peap: Session established. Decoding tunneled attributes (362) eap_peap: PEAP state send tlv success (362) eap_peap: Received EAP-TLV response (362) eap_peap: Success (362) eap_peap: Using saved attributes from the original Access-Accept (362) eap_peap: Tunnel-Type := VLAN (362) eap_peap: Tunnel-Medium-Type := IEEE-802 (362) eap_peap: Class = 0x7374616666 (362) eap_peap: Filter-Id = "staff" (362) eap_peap: Tunnel-Private-Group-Id:0 = "1874" (362) eap_peap: Class = 0x568905d60000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9604 (362) eap: Sending EAP Success (code 3) ID 12 length 4 (362) eap: Freeing handler (362) [eap] = ok (362) if (handled && (Response-Packet-Type == Access-Challenge)) { (362) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE (362) } # Auth-Type eap = ok (362) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (362) post-auth { (362) policy debug_all { (362) policy debug_control { (362) if ("%{debug_attr:control:}" == '') { (362) Attributes matching "control:" (362) &control:Auth-Type = eap (362) EXPAND %{debug_attr:control:} (362) --> (362) if ("%{debug_attr:control:}" == '') -> TRUE (362) if ("%{debug_attr:control:}" == '') { (362) [noop] = noop (362) } # if ("%{debug_attr:control:}" == '') = noop (362) } # policy debug_control = noop (362) policy debug_request { (362) if ("%{debug_attr:request:}" == '') { (362) Attributes matching "request:" (362) &request:User-Name = xyz@realm.com (362) &request:Service-Type = Framed-User (362) &request:Cisco-AVPair = service-type=Framed (362) &request:Framed-MTU = 1485 (362) &request:EAP-Message = 0x020c002e19001703030023d818ac38e0820958689f4ed07787c227590ec1912b79c63017ac770cf137f4e047aae4 (362) &request:Message-Authenticator = 0x356431e13542aff242df4e9cd2f24d4a (362) &request:Cisco-AVPair = audit-session-id=0F2A5C8200001021C01F69E1 (362) &request:Cisco-AVPair = method=dot1x (362) &request:Cisco-AVPair = client-iif-id=201332865 (362) &request:Cisco-AVPair = vlan-id=1876 (362) &request:NAS-IP-Address = 130.92.42.15 (362) &request:NAS-Port-Type = Wireless-802.11 (362) &request:NAS-Port = 4211 (362) &request:State = 0xceec9f67c4e086c299469da09cee92a1 (362) &request:Cisco-AVPair = cisco-wlan-ssid=eduroam (362) &request:Cisco-AVPair = wlan-profile-name=eduroam-DEV (362) &request:Called-Station-Id := 60-B9-C0-04-C4-40:eduroam (362) &request:Calling-Station-Id := 22-E0-73-F2-50-23 (362) &request:Airespace-Wlan-Id = 98 (362) &request:NAS-Identifier = 60-b9-c0-04-c4-40:eduroam (362) &request:WLAN-Group-Cipher = 1027076 (362) &request:WLAN-Pairwise-Cipher = 1027076 (362) &request:WLAN-AKM-Suite = 1027075 (362) &request:Called-Station-SSID := eduroam (362) &request:locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23 (362) &request:Realm := REALM.COM (362) &request:EAP-Type = PEAP (362) EXPAND %{debug_attr:request:} (362) --> (362) if ("%{debug_attr:request:}" == '') -> TRUE (362) if ("%{debug_attr:request:}" == '') { (362) [noop] = noop (362) } # if ("%{debug_attr:request:}" == '') = noop (362) } # policy debug_request = noop (362) policy debug_coa { (362) if ("%{debug_attr:coa:}" == '') { (362) Attributes matching "coa:" (362) WARNING: List "coa" is not available (362) EXPAND %{debug_attr:coa:} (362) --> (362) if ("%{debug_attr:coa:}" == '') -> TRUE (362) if ("%{debug_attr:coa:}" == '') { (362) [noop] = noop (362) } # if ("%{debug_attr:coa:}" == '') = noop (362) } # policy debug_coa = noop (362) policy debug_reply { (362) if ("%{debug_attr:reply:}" == '') { (362) Attributes matching "reply:" (362) &reply:Tunnel-Type:-128 := VLAN (362) &reply:Tunnel-Medium-Type:-128 := IEEE-802 (362) &reply:Class = 0x7374616666 (362) &reply:Filter-Id = staff (362) &reply:Tunnel-Private-Group-Id:0 = 1874 (362) &reply:Class = 0x568905d60000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9604 (362) &reply:MS-MPPE-Recv-Key = 0x61178aafdea2c28ba065e567e0094e7e8cf727509d76d4f6de7a09f4878d7a6c (362) &reply:MS-MPPE-Send-Key = 0xaf30a32b5acec9ee771c1a065ff1707fae023734e263873c185acb4c4fde39e8 (362) &reply:EAP-MSK = 0x61178aafdea2c28ba065e567e0094e7e8cf727509d76d4f6de7a09f4878d7a6caf30a32b5acec9ee771c1a065ff1707fae023734e263873c185acb4c4fde39e8 (362) &reply:EAP-EMSK = 0xc424a437bf386f3c790b6d4e981ac218f7bb39ecb682c0f7174da275922e64d1ab7db6825d96e096b8875bb8b777543c642771e9f1f4f877593bd2425a7b1a13 (362) &reply:EAP-Session-Id = 0x19675c3100dd1c7cdf9f74db6337b13313e75950e07ca8a60ec8a656c84cedb597a19642b1ba520223bc61e483ac418e3f44e0800ee85d2526444f574e47524401 (362) &reply:EAP-Message = 0x030c0004 (362) &reply:Message-Authenticator = 0x00000000000000000000000000000000 (362) &reply:User-Name = xyz@realm.com (362) EXPAND %{debug_attr:reply:} (362) --> (362) if ("%{debug_attr:reply:}" == '') -> TRUE (362) if ("%{debug_attr:reply:}" == '') { (362) [noop] = noop (362) } # if ("%{debug_attr:reply:}" == '') = noop (362) } # policy debug_reply = noop (362) policy debug_session_state { (362) if ("%{debug_attr:session-state:}" == '') { (362) Attributes matching "session-state:" (362) EXPAND %{debug_attr:session-state:} (362) --> (362) if ("%{debug_attr:session-state:}" == '') -> TRUE (362) if ("%{debug_attr:session-state:}" == '') { (362) [noop] = noop (362) } # if ("%{debug_attr:session-state:}" == '') = noop (362) } # policy debug_session_state = noop (362) } # policy debug_all = noop (362) update { (362) No attributes updated for RHS &session-state (362) } # update = noop (362) if (Service-Type == Call-Check) { (362) if (Service-Type == Call-Check) -> FALSE (362) else { (362) 802.1x_auth_log: EXPAND %t : AuthZ: (%I) %{reply:Packet-Type}: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown}) (362) 802.1x_auth_log: --> Fri Dec 13 14:05:05 2024 : AuthZ: (111) Access-Accept: [xyz@realm.com] TLS-Version=NULL TLS-Ciphers=NULL SSID=eduroam Calling-Station-Id=22-E0-73-F2-50-23 Called-Station-Id=60-B9-C0-04-C4-40:eduroam Filter-ID=staff VLAN=1874 Class=0x7374616666 (from client xyz.wifi.realm.com port 4211 operator-name Unknown) (362) 802.1x_auth_log: EXPAND /var/log/freeradius/802.1x_auth.log (362) 802.1x_auth_log: --> /var/log/freeradius/802.1x_auth.log (362) [802.1x_auth_log] = ok (362) } # else = ok (362) policy remove_reply_message_if_eap { (362) if (&reply:EAP-Message && &reply:Reply-Message) { (362) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (362) else { (362) [noop] = noop (362) } # else = noop (362) } # policy remove_reply_message_if_eap = noop (362) } # post-auth = ok (362) Login OK: [xyz@realm.com] (from client xyz.wifi.realm.com port 4211 cli 22-E0-73-F2-50-23) (362) Sent Access-Accept Id 111 from 130.92.10.33:1812 to 130.92.42.15:60533 length 264 (362) Tunnel-Type := VLAN (362) Tunnel-Medium-Type := IEEE-802 (362) Class = 0x7374616666 (362) Filter-Id = "staff" (362) Tunnel-Private-Group-Id:0 = "1874" (362) Class = 0x568905d60000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9604 (362) MS-MPPE-Recv-Key = 0x61178aafdea2c28ba065e567e0094e7e8cf727509d76d4f6de7a09f4878d7a6c (362) MS-MPPE-Send-Key = 0xaf30a32b5acec9ee771c1a065ff1707fae023734e263873c185acb4c4fde39e8 (362) EAP-Message = 0x030c0004 (362) Message-Authenticator = 0x00000000000000000000000000000000 (362) User-Name = "xyz@realm.com" (362) Finished request Waking up in 3.7 seconds.