Hi Alan, Here's the debug information you requested. Thanks, Chris radiusd: #### Opening IP addresses and Ports #### Listening on command file /var/run/radiusd/control/radiusd.sock Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on auth address 127.0.0.1 port 18122 bound to server eduroam-inner-tunnel Listening on auth address 127.0.0.1 port 28120 bound to server captive-portal Listening on auth address X.X.X.X port 28120 bound to server captive-portal Listening on status address 127.0.0.1 port 18121 bound to server status Listening on proxy address * port 36322 Listening on proxy address :: port 57199 Ready to process requests (1) Received Access-Request Id 77 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 292 (1) User-Name = "testuser@realm" (1) Chargeable-User-Identity = 0x00 (1) Location-Capable = Civix-Location (1) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (1) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (1) NAS-Port = 13 (1) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (1) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (1) NAS-IP-Address = Y.Y.Y.Y (1) NAS-Identifier = "WM13" (1) Airespace-Wlan-Id = 8 (1) Service-Type = Framed-User (1) Framed-MTU = 1300 (1) NAS-Port-Type = Wireless-802.11 (1) Tunnel-Type:0 = VLAN (1) Tunnel-Medium-Type:0 = IEEE-802 (1) Tunnel-Private-Group-Id:0 = "446" (1) EAP-Message = 0x020100170165636c366368406c656564732e61632e756b (1) Message-Authenticator = 0x2f0eff9e4f79f94e7189010a34c8fffe (1) Running section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) local_rewrite_called_station_id { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (1) --> 64:AE:0C:91:42:60 (1) &Called-Station-Id := 64:AE:0C:91:42:60 (1) } # update request (noop) (1) if ("%{8}") { (1) EXPAND %{8} (1) --> RADIUS-TEST (1) update request { (1) EXPAND %{8} (1) --> RADIUS-TEST (1) &Called-Station-SSID := RADIUS-TEST (1) } # update request (noop) (1) } # if ("%{8}") (noop) (1) updated (updated) (1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (1) else { (1) ... skipping else for request 1: Preceding "if" was taken (1) } (1) } # local_rewrite_called_station_id (updated) (1) local_rewrite_calling_station_id { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (1) --> A4:D1:8C:E4:9F:22 (1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (1) } # update request (noop) (1) updated (updated) (1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (1) else { (1) ... skipping else for request 1: Preceding "if" was taken (1) } (1) } # local_rewrite_calling_station_id (updated) (1) filter_username { (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) ... (1) } (1) if (&User-Name =~ /@[^@]*@/ ) { (1) ... (1) } (1) if (&User-Name =~ /\.\./ ) { (1) ... (1) } (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (1) ... (1) } (1) if (&User-Name =~ /\.$/) { (1) ... (1) } (1) if (&User-Name =~ /@\./) { (1) ... (1) } (1) } # if (&User-Name) (updated) (1) } # filter_username (updated) (1) bad_realms { (1) if (&User-Name =~ /\.ax\.uk$/i) { (1) ... (1) } (1) if (&User-Name =~ /@ac\.uk$/i) { (1) ... (1) } (1) if (&User-Name =~ /3gppnetwork\.org$/i) { (1) ... (1) } (1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (1) ... (1) } (1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (1) ... (1) } (1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (1) ... (1) } (1) if (&User-Name =~ /myabc\.com$/i) { (1) ... (1) } (1) } # bad_realms (updated) (1) preprocess (ok) (1) operator-name.authorize { (1) if ("%{client:Operator-Name}") { (1) EXPAND %{client:Operator-Name} (1) --> 1realm.ac.uk (1) update request { (1) EXPAND %{client:Operator-Name} (1) --> 1realm.ac.uk (1) &Operator-Name = 1realm.ac.uk (1) } # update request (noop) (1) } # if ("%{client:Operator-Name}") (noop) (1) } # operator-name.authorize (noop) (1) suffix - Checking for suffix after "@" (1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (1) suffix - Found realm "realm.ac.uk" (1) suffix - Adding Stripped-User-Name = "testuser" (1) suffix - Adding Realm = "realm.ac.uk" (1) suffix - Authentication realm is LOCAL (1) suffix (ok) (1) if (&Realm) { (1) update control { (1) &control:Proxy-To-Realm := LOCAL (1) } # update control (noop) (1) } # if (&Realm) (noop) (1) else { (1) ... skipping else for request 1: Preceding "if" was taken (1) } (1) if (&Realm) { (1) if (&Stripped-User-Name != "") { (1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (1) EXPAND %{tolower:%{Stripped-User-Name}} (1) --> testuser (1) ... (1) } (1) group { (1) check_blacklist (ok) (1) if (&control:Local-Banned-User) { (1) ... (1) } (1) else { (1) noop (noop) (1) } # else (noop) (1) } # group (ok) (1) } # if (&Stripped-User-Name != "") (ok) (1) } # if (&Realm) (ok) (1) eap - Peer sent EAP Response (code 2) ID 1 length 23 (1) eap - Peer sent EAP-Identity. Returning 'ok' so we can short-circuit the rest of authorize (1) eap (ok) (1) } # authorize (ok) (1) Using 'Auth-Type = eap' for authenticate {...} (1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (1) Auth-Type eap { (1) eap - Peer sent packet with EAP method Identity (1) (1) eap - Calling submodule eap_peap to process data (1) eap_peap - Initiating new TLS session (1) eap - Sending EAP Request (code 1) ID 2 length 6 (1) eap (handled) (1) if (handled && (Response-Packet-Type == Access-Challenge)) { (1) EXPAND Response-Packet-Type (1) --> Access-Challenge (1) attr_filter.access_challenge - EXPAND %{User-Name} (1) attr_filter.access_challenge - --> testuser@realm (1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (1) attr_filter.access_challenge.post-auth (updated) (1) handled (handled) (1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (1) } # Auth-Type eap (handled) (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (1) Sent Access-Challenge Id 77 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (1) EAP-Message = 0x010200061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x010138003637b8d43b39393138ab9701 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 78 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 418 (2) User-Name = "testuser@realm" (2) Chargeable-User-Identity = 0x00 (2) Location-Capable = Civix-Location (2) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (2) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (2) NAS-Port = 13 (2) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (2) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (2) NAS-IP-Address = Y.Y.Y.Y (2) NAS-Identifier = "WM13" (2) Airespace-Wlan-Id = 8 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) Tunnel-Type:0 = VLAN (2) Tunnel-Medium-Type:0 = IEEE-802 (2) Tunnel-Private-Group-Id:0 = "446" (2) EAP-Message = 0x0202008319800000007916030100740100007003015838561f7c35db9df95d549eb9befc0ca9bbc9fbc9027794c6893d1c9b40e77000002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000050005010000000000120000 (2) State = 0x010138003637b8d43b39393138ab9701 (2) Message-Authenticator = 0xcf0cbabf5a3dcda1ac3c2f2c0a98eb8b (2,1) Running section authorize from file /etc/raddb/sites-enabled/default (2,1) authorize { (2,1) local_rewrite_called_station_id { (2,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (2,1) update request { (2,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (2,1) --> 64:AE:0C:91:42:60 (2,1) &Called-Station-Id := 64:AE:0C:91:42:60 (2,1) } # update request (noop) (2,1) if ("%{8}") { (2,1) EXPAND %{8} (2,1) --> RADIUS-TEST (2,1) update request { (2,1) EXPAND %{8} (2,1) --> RADIUS-TEST (2,1) &Called-Station-SSID := RADIUS-TEST (2,1) } # update request (noop) (2,1) } # if ("%{8}") (noop) (2,1) updated (updated) (2,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (2,1) else { (2,1) ... skipping else for request 2: Preceding "if" was taken (2,1) } (2,1) } # local_rewrite_called_station_id (updated) (2,1) local_rewrite_calling_station_id { (2,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (2,1) update request { (2,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (2,1) --> A4:D1:8C:E4:9F:22 (2,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (2,1) } # update request (noop) (2,1) updated (updated) (2,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (2,1) else { (2,1) ... skipping else for request 2: Preceding "if" was taken (2,1) } (2,1) } # local_rewrite_calling_station_id (updated) (2,1) filter_username { (2,1) if (&User-Name) { (2,1) if (&User-Name =~ / /) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /@[^@]*@/ ) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /\.\./ ) { (2,1) ... (2,1) } (2,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /\.$/) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /@\./) { (2,1) ... (2,1) } (2,1) } # if (&User-Name) (updated) (2,1) } # filter_username (updated) (2,1) bad_realms { (2,1) if (&User-Name =~ /\.ax\.uk$/i) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /@ac\.uk$/i) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (2,1) ... (2,1) } (2,1) if (&User-Name =~ /myabc\.com$/i) { (2,1) ... (2,1) } (2,1) } # bad_realms (updated) (2,1) preprocess (ok) (2,1) operator-name.authorize { (2,1) if ("%{client:Operator-Name}") { (2,1) EXPAND %{client:Operator-Name} (2,1) --> 1realm.ac.uk (2,1) update request { (2,1) EXPAND %{client:Operator-Name} (2,1) --> 1realm.ac.uk (2,1) &Operator-Name = 1realm.ac.uk (2,1) } # update request (noop) (2,1) } # if ("%{client:Operator-Name}") (noop) (2,1) } # operator-name.authorize (noop) (2,1) suffix - Checking for suffix after "@" (2,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (2,1) suffix - Found realm "realm.ac.uk" (2,1) suffix - Adding Stripped-User-Name = "testuser" (2,1) suffix - Adding Realm = "realm.ac.uk" (2,1) suffix - Authentication realm is LOCAL (2,1) suffix (ok) (2,1) if (&Realm) { (2,1) update control { (2,1) &control:Proxy-To-Realm := LOCAL (2,1) } # update control (noop) (2,1) } # if (&Realm) (noop) (2,1) else { (2,1) ... skipping else for request 2: Preceding "if" was taken (2,1) } (2,1) if (&Realm) { (2,1) if (&Stripped-User-Name != "") { (2,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (2,1) EXPAND %{tolower:%{Stripped-User-Name}} (2,1) --> testuser (2,1) ... (2,1) } (2,1) group { (2,1) check_blacklist (ok) (2,1) if (&control:Local-Banned-User) { (2,1) ... (2,1) } (2,1) else { (2,1) noop (noop) (2,1) } # else (noop) (2,1) } # group (ok) (2,1) } # if (&Stripped-User-Name != "") (ok) (2,1) } # if (&Realm) (ok) (2,1) eap - Peer sent EAP Response (code 2) ID 2 length 131 (2,1) eap - Continuing tunnel setup (2,1) eap (ok) (2,1) } # authorize (ok) (2,1) Using 'Auth-Type = eap' for authenticate {...} (2,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (2,1) Auth-Type eap { (2,1) eap - Peer sent packet with EAP method PEAP (25) (2,1) eap - Calling submodule eap_peap to process data (2,1) eap_peap - Continuing EAP-TLS (2,1) eap_peap - Peer indicated complete TLS record size will be 121 bytes (2,1) eap_peap - Got complete TLS record, with length field (121 bytes) (2,1) eap_peap - [eap-tls verify] = complete (2,1) eap_peap - Handshake state - before/accept initialization (2,1) eap_peap - Handshake state - Server before/accept initialization (2,1) eap_peap - <<< recv handshake [length 116], client_hello (2,1) eap_peap - Handshake state - Server SSLv3 read client hello A (2,1) eap_peap - >>> send handshake [length 57], server_hello (2,1) eap_peap - Handshake state - Server SSLv3 write server hello A (2,1) eap_peap - >>> send handshake [length 2643], certificate (2,1) eap_peap - Handshake state - Server SSLv3 write certificate A (2,1) eap_peap - >>> send handshake [length 331], server_key_exchange (2,1) eap_peap - Handshake state - Server SSLv3 write key exchange A (2,1) eap_peap - >>> send handshake [length 4], server_hello_done (2,1) eap_peap - Handshake state - Server SSLv3 write server done A (2,1) eap_peap - Handshake state - Server SSLv3 flush data (2,1) eap_peap - Need more data from client (2,1) eap_peap - Need more data from client (2,1) eap_peap - Complete TLS record (3055 bytes) larger than MTU (990 bytes), will fragment (2,1) eap_peap - Sending first TLS record fragment (990 bytes), 2065 bytes remaining (2,1) eap_peap - [eap-tls process] = handled (2,1) eap - Sending EAP Request (code 1) ID 3 length 1000 (2,1) eap (handled) (2,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (2,1) EXPAND Response-Packet-Type (2,1) --> Access-Challenge (2,1) attr_filter.access_challenge - EXPAND %{User-Name} (2,1) attr_filter.access_challenge - --> testuser@realm (2,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (2,1) attr_filter.access_challenge.post-auth (updated) (2,1) handled (handled) (2,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (2,1) } # Auth-Type eap (handled) (2,1) Using Post-Auth-Type Challenge (2,1) Post-Auth-Type sub-section not found. Ignoring. (2,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (2,1) Sent Access-Challenge Id 78 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (2,1) EAP-Message = 0x010303e819c000000bef16030100390200003503015838561fbe318d85e54c607db0dc6d03c0b5e5d4d2266165638bd4fff41936b900c01400000dff01000100000b0004030001021603010a530b000a4f000a4c0004f6308204f2308203daa003020102021437ff648df0d47ee77e787cee2cab98c71324c34c300d06092a864886f70d01010b0500304d310b300906035504061302424d31193017060355040a131051756f5661646973204c696d69746564312330210603550403131a51756f566164697320476c6f62616c2053534c20494341204732301e170d3136303831313134353330385a170d3139303831313134353330355a307f310b3009060355040613024742311730150603550408130e5765737420596f726b7368697265310e300c060355040713054c45454453311c301a060355040a1313556e6976657273697479206f66204c65656473310c300a060355040b1303492e54311b3019060355040313127261646975732e6c656564732e61632e756b30820122300d06092a864886f70d01010105000382010f003082010a0282010100b05f6ffc1d8d9a1d6602e4e3fb505be1df826dbe0e8e2cd96127b2beeea934476f474d835388182926f52f7de4ef5dc0f0c439f59b88f0494c2f2f8724e69790e0c7f9379941b0524d7b74e95ae882f556a1f9df197fcbe00ef20677bb1bfaa66a575783594163b1efffda474b26101c56f6906d9434eab449a96f4d9aaa92d73bd83396f2fba04afb8fc92013d6ea56eb98ee202f87961616a391b33dbca45634aa899c9f5846b19935588fc6874c228bf01c4e5c930ed66feaacc52507d5753582dd7ac994ba1c067e1b22e6c72c1acdd141b4fa8a553f9acde4b6571bea31e280f298a5ace02370bff63b582325a3a8bcd10982f79059bac57a46f26949b70203010001a382019630820192307306082b0601050507010104673065302a06082b06010505073001861e687474703a2f2f6f6373702e71756f7661646973676c6f62616c2e636f6d303706082b06010505073002862b687474703a2f2f74727573742e71756f7661646973676c6f62616c2e636f6d2f717673736c67322e637274301d0603551d110416301482127261646975732e6c656564732e61632e756b30510603551d20044a30483046060c2b06010401be5800026401013036303406082b060105050702011628687474703a2f2f7777772e71756f7661646973676c6f62616c2e636f6d2f7265706f7369746f7279300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302301f0603551d23041830168014911962ad5b17a730fbf0de3925b1bd8cb9b85127303a0603551d1f043330 (2,1) Message-Authenticator = 0x00000000000000000000000000000000 (2,1) State = 0x02033800aecc10fa3b39393138ab9701 (2,1) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 79 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293 (3) User-Name = "testuser@realm" (3) Chargeable-User-Identity = 0x00 (3) Location-Capable = Civix-Location (3) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (3) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (3) NAS-Port = 13 (3) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (3) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (3) NAS-IP-Address = Y.Y.Y.Y (3) NAS-Identifier = "WM13" (3) Airespace-Wlan-Id = 8 (3) Service-Type = Framed-User (3) Framed-MTU = 1300 (3) NAS-Port-Type = Wireless-802.11 (3) Tunnel-Type:0 = VLAN (3) Tunnel-Medium-Type:0 = IEEE-802 (3) Tunnel-Private-Group-Id:0 = "446" (3) EAP-Message = 0x020300061900 (3) State = 0x02033800aecc10fa3b39393138ab9701 (3) Message-Authenticator = 0x34efdefe25b8b008e5bac82e18ee94ff (3,1) Running section authorize from file /etc/raddb/sites-enabled/default (3,1) authorize { (3,1) local_rewrite_called_station_id { (3,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (3,1) update request { (3,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (3,1) --> 64:AE:0C:91:42:60 (3,1) &Called-Station-Id := 64:AE:0C:91:42:60 (3,1) } # update request (noop) (3,1) if ("%{8}") { (3,1) EXPAND %{8} (3,1) --> RADIUS-TEST (3,1) update request { (3,1) EXPAND %{8} (3,1) --> RADIUS-TEST (3,1) &Called-Station-SSID := RADIUS-TEST (3,1) } # update request (noop) (3,1) } # if ("%{8}") (noop) (3,1) updated (updated) (3,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (3,1) else { (3,1) ... skipping else for request 3: Preceding "if" was taken (3,1) } (3,1) } # local_rewrite_called_station_id (updated) (3,1) local_rewrite_calling_station_id { (3,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (3,1) update request { (3,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (3,1) --> A4:D1:8C:E4:9F:22 (3,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (3,1) } # update request (noop) (3,1) updated (updated) (3,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (3,1) else { (3,1) ... skipping else for request 3: Preceding "if" was taken (3,1) } (3,1) } # local_rewrite_calling_station_id (updated) (3,1) filter_username { (3,1) if (&User-Name) { (3,1) if (&User-Name =~ / /) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /@[^@]*@/ ) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /\.\./ ) { (3,1) ... (3,1) } (3,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /\.$/) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /@\./) { (3,1) ... (3,1) } (3,1) } # if (&User-Name) (updated) (3,1) } # filter_username (updated) (3,1) bad_realms { (3,1) if (&User-Name =~ /\.ax\.uk$/i) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /@ac\.uk$/i) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (3,1) ... (3,1) } (3,1) if (&User-Name =~ /myabc\.com$/i) { (3,1) ... (3,1) } (3,1) } # bad_realms (updated) (3,1) preprocess (ok) (3,1) operator-name.authorize { (3,1) if ("%{client:Operator-Name}") { (3,1) EXPAND %{client:Operator-Name} (3,1) --> 1realm.ac.uk (3,1) update request { (3,1) EXPAND %{client:Operator-Name} (3,1) --> 1realm.ac.uk (3,1) &Operator-Name = 1realm.ac.uk (3,1) } # update request (noop) (3,1) } # if ("%{client:Operator-Name}") (noop) (3,1) } # operator-name.authorize (noop) (3,1) suffix - Checking for suffix after "@" (3,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (3,1) suffix - Found realm "realm.ac.uk" (3,1) suffix - Adding Stripped-User-Name = "testuser" (3,1) suffix - Adding Realm = "realm.ac.uk" (3,1) suffix - Authentication realm is LOCAL (3,1) suffix (ok) (3,1) if (&Realm) { (3,1) update control { (3,1) &control:Proxy-To-Realm := LOCAL (3,1) } # update control (noop) (3,1) } # if (&Realm) (noop) (3,1) else { (3,1) ... skipping else for request 3: Preceding "if" was taken (3,1) } (3,1) if (&Realm) { (3,1) if (&Stripped-User-Name != "") { (3,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (3,1) EXPAND %{tolower:%{Stripped-User-Name}} (3,1) --> testuser (3,1) ... (3,1) } (3,1) group { (3,1) check_blacklist (ok) (3,1) if (&control:Local-Banned-User) { (3,1) ... (3,1) } (3,1) else { (3,1) noop (noop) (3,1) } # else (noop) (3,1) } # group (ok) (3,1) } # if (&Stripped-User-Name != "") (ok) (3,1) } # if (&Realm) (ok) (3,1) eap - Peer sent EAP Response (code 2) ID 3 length 6 (3,1) eap - Continuing tunnel setup (3,1) eap (ok) (3,1) } # authorize (ok) (3,1) Using 'Auth-Type = eap' for authenticate {...} (3,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (3,1) Auth-Type eap { (3,1) eap - Peer sent packet with EAP method PEAP (25) (3,1) eap - Calling submodule eap_peap to process data (3,1) eap_peap - Continuing EAP-TLS (3,1) eap_peap - Peer ACKed our handshake fragment (3,1) eap_peap - [eap-tls verify] = request (3,1) eap_peap - Sending additional TLS record fragment (994 bytes), 1071 bytes remaining (3,1) eap_peap - [eap-tls process] = handled (3,1) eap - Sending EAP Request (code 1) ID 4 length 1000 (3,1) eap (handled) (3,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (3,1) EXPAND Response-Packet-Type (3,1) --> Access-Challenge (3,1) attr_filter.access_challenge - EXPAND %{User-Name} (3,1) attr_filter.access_challenge - --> testuser@realm (3,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (3,1) attr_filter.access_challenge.post-auth (updated) (3,1) handled (handled) (3,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (3,1) } # Auth-Type eap (handled) (3,1) Using Post-Auth-Type Challenge (3,1) Post-Auth-Type sub-section not found. Ignoring. (3,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (3,1) Sent Access-Challenge Id 79 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (3,1) EAP-Message = 0x010403e8194031302fa02da02b8629687474703a2f2f63726c2e71756f7661646973676c6f62616c2e636f6d2f717673736c67322e63726c301d0603551d0e0416041431cc0012c0528beb4f3ff6c7fb7f8265057c0dd9300d06092a864886f70d01010b05000382010100a7d52e44c1f46b51a9d7395b2a3822ec0ebd0fb9f6af1fbd6f72ee6495c8a74c83db45fc958dad681d19859b9c8c6bc988c4b727276d669ac9945dee1cf9c7916e21175104d073a1c26c901ba390d68354fdd2296bde3526405803dc37b8df49525a563c2db126dba32be5e33f646624c1e675da984a6bfef13f69019afe7664874b04c9b4b64abd637a8ad66929f0d148e5f8efdb9b298bfcc2d083c67c1fa115dced735d0f184950cbb99c6cfdbebd9e18f57f8735f3b90787cfb1618e2c4bb3a5f54a5f83f5c2683e2c6dfd25c31675d046143c13b5c5fa72b39a93c2242e5308853a9361af20d5a0c5a441246b2255b75870d43c8b2ef14cc183018b6ad20005503082054c30820334a003020102021448982de2a92cb339e1c8f933358275d3e4f88255300d06092a864886f70d01010b05003045310b300906035504061302424d31193017060355040a131051756f5661646973204c696d69746564311b30190603550403131251756f566164697320526f6f742043412032301e170d3133303630313133333530355a170d3233303630313133333530355a304d310b300906035504061302424d31193017060355040a131051756f5661646973204c696d69746564312330210603550403131a51756f566164697320476c6f62616c2053534c2049434120473230820122300d06092a864886f70d01010105000382010f003082010a0282010100e1e1856994c08f57fa34fec1b868e49990a9887ace57b7d0e4b554c2187dd0c319e8a96380f7b7dcd219a35ab060d976b41d325635f16ca39c42a18b8a233597417b056984288ece1e4d8b6024f1b488fec050f6c28fae9774f940aa6ef686b3a4e9c75f746514f43ddcbe4ea398645fe3066cc18fb61f5c9996c657c2cbad94890eadbeffb80ba5b638fbb54781d40fca09f10a3b120d1c0fe185b01336c3cb287dfca5f8373aa4ab404663829540bb12ac963f457df79de5037e24b89665631c5d8208414e7f6b5a8690c3f2ebe459f45e077b7d84b7ff31a199762f56cb80c489fc1a4f9869ea0b67c1fdb54be70c3de5107cef22c30fc6ab5dec881c55a30203010001a382012a3082012630120603551d130101ff040830060101ff02010030110603551d20040a300830060604551d2000307206082b0601050507010104663064302a06082b06010505073001861e687474703a2f2f6f6373702e71756f7661646973676c6f62616c2e636f6d30 (3,1) Message-Authenticator = 0x00000000000000000000000000000000 (3,1) State = 0x030138003637b8d43b39393138ab9701 (3,1) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 80 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293 (4) User-Name = "testuser@realm" (4) Chargeable-User-Identity = 0x00 (4) Location-Capable = Civix-Location (4) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (4) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (4) NAS-Port = 13 (4) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (4) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (4) NAS-IP-Address = Y.Y.Y.Y (4) NAS-Identifier = "WM13" (4) Airespace-Wlan-Id = 8 (4) Service-Type = Framed-User (4) Framed-MTU = 1300 (4) NAS-Port-Type = Wireless-802.11 (4) Tunnel-Type:0 = VLAN (4) Tunnel-Medium-Type:0 = IEEE-802 (4) Tunnel-Private-Group-Id:0 = "446" (4) EAP-Message = 0x020400061900 (4) State = 0x030138003637b8d43b39393138ab9701 (4) Message-Authenticator = 0x1443c965ed70ea0cdba34b15c0f14054 (4,1) Running section authorize from file /etc/raddb/sites-enabled/default (4,1) authorize { (4,1) local_rewrite_called_station_id { (4,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (4,1) update request { (4,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (4,1) --> 64:AE:0C:91:42:60 (4,1) &Called-Station-Id := 64:AE:0C:91:42:60 (4,1) } # update request (noop) (4,1) if ("%{8}") { (4,1) EXPAND %{8} (4,1) --> RADIUS-TEST (4,1) update request { (4,1) EXPAND %{8} (4,1) --> RADIUS-TEST (4,1) &Called-Station-SSID := RADIUS-TEST (4,1) } # update request (noop) (4,1) } # if ("%{8}") (noop) (4,1) updated (updated) (4,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (4,1) else { (4,1) ... skipping else for request 4: Preceding "if" was taken (4,1) } (4,1) } # local_rewrite_called_station_id (updated) (4,1) local_rewrite_calling_station_id { (4,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (4,1) update request { (4,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (4,1) --> A4:D1:8C:E4:9F:22 (4,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (4,1) } # update request (noop) (4,1) updated (updated) (4,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (4,1) else { (4,1) ... skipping else for request 4: Preceding "if" was taken (4,1) } (4,1) } # local_rewrite_calling_station_id (updated) (4,1) filter_username { (4,1) if (&User-Name) { (4,1) if (&User-Name =~ / /) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /@[^@]*@/ ) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /\.\./ ) { (4,1) ... (4,1) } (4,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /\.$/) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /@\./) { (4,1) ... (4,1) } (4,1) } # if (&User-Name) (updated) (4,1) } # filter_username (updated) (4,1) bad_realms { (4,1) if (&User-Name =~ /\.ax\.uk$/i) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /@ac\.uk$/i) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (4,1) ... (4,1) } (4,1) if (&User-Name =~ /myabc\.com$/i) { (4,1) ... (4,1) } (4,1) } # bad_realms (updated) (4,1) preprocess (ok) (4,1) operator-name.authorize { (4,1) if ("%{client:Operator-Name}") { (4,1) EXPAND %{client:Operator-Name} (4,1) --> 1realm.ac.uk (4,1) update request { (4,1) EXPAND %{client:Operator-Name} (4,1) --> 1realm.ac.uk (4,1) &Operator-Name = 1realm.ac.uk (4,1) } # update request (noop) (4,1) } # if ("%{client:Operator-Name}") (noop) (4,1) } # operator-name.authorize (noop) (4,1) suffix - Checking for suffix after "@" (4,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (4,1) suffix - Found realm "realm.ac.uk" (4,1) suffix - Adding Stripped-User-Name = "testuser" (4,1) suffix - Adding Realm = "realm.ac.uk" (4,1) suffix - Authentication realm is LOCAL (4,1) suffix (ok) (4,1) if (&Realm) { (4,1) update control { (4,1) &control:Proxy-To-Realm := LOCAL (4,1) } # update control (noop) (4,1) } # if (&Realm) (noop) (4,1) else { (4,1) ... skipping else for request 4: Preceding "if" was taken (4,1) } (4,1) if (&Realm) { (4,1) if (&Stripped-User-Name != "") { (4,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (4,1) EXPAND %{tolower:%{Stripped-User-Name}} (4,1) --> testuser (4,1) ... (4,1) } (4,1) group { (4,1) check_blacklist (ok) (4,1) if (&control:Local-Banned-User) { (4,1) ... (4,1) } (4,1) else { (4,1) noop (noop) (4,1) } # else (noop) (4,1) } # group (ok) (4,1) } # if (&Stripped-User-Name != "") (ok) (4,1) } # if (&Realm) (ok) (4,1) eap - Peer sent EAP Response (code 2) ID 4 length 6 (4,1) eap - Continuing tunnel setup (4,1) eap (ok) (4,1) } # authorize (ok) (4,1) Using 'Auth-Type = eap' for authenticate {...} (4,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (4,1) Auth-Type eap { (4,1) eap - Peer sent packet with EAP method PEAP (25) (4,1) eap - Calling submodule eap_peap to process data (4,1) eap_peap - Continuing EAP-TLS (4,1) eap_peap - Peer ACKed our handshake fragment (4,1) eap_peap - [eap-tls verify] = request (4,1) eap_peap - Sending additional TLS record fragment (994 bytes), 77 bytes remaining (4,1) eap_peap - [eap-tls process] = handled (4,1) eap - Sending EAP Request (code 1) ID 5 length 1000 (4,1) eap (handled) (4,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (4,1) EXPAND Response-Packet-Type (4,1) --> Access-Challenge (4,1) attr_filter.access_challenge - EXPAND %{User-Name} (4,1) attr_filter.access_challenge - --> testuser@realm (4,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (4,1) attr_filter.access_challenge.post-auth (updated) (4,1) handled (handled) (4,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (4,1) } # Auth-Type eap (handled) (4,1) Using Post-Auth-Type Challenge (4,1) Post-Auth-Type sub-section not found. Ignoring. (4,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (4,1) Sent Access-Challenge Id 80 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (4,1) EAP-Message = 0x010503e819403606082b06010505073002862a687474703a2f2f74727573742e71756f7661646973676c6f62616c2e636f6d2f7176726361322e637274300e0603551d0f0101ff040403020106301f0603551d230418301680141a8462bc484c332504d4eed0f603c41946d1946b30390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e71756f7661646973676c6f62616c2e636f6d2f7176726361322e63726c301d0603551d0e04160414911962ad5b17a730fbf0de3925b1bd8cb9b85127300d06092a864886f70d01010b050003820201007c0a60820041b52dcc39e5f4db6bce008a9c0c89e6727453b96dc221e54c975a0599e8e3f88dbffa2da89f10c2e34420b4994d781ba3eb3d4fa265088869eed7e446af866113100f096cb2028e20f873d63af9b80cb78b3310f899d9200b3908f5d01af81ca41fcbf3af6de7516cb6b1a7daa50c6e2a2604addee8a40c82526abc7a9a9804417bb4d1464d92211851f78ef215c65eb65bb439e4b9a8950ed33ab3dc98a5ca3217114eace46b120562688ecfdc425a0d8988e880d420f69204ce86ad532268835810c04bd6fda3662f2b5c3634c95b19ff40c021088204d36f4f53634394a7d44f8ef99062a830feac1bc1a0fb08eb275f74ab49babe582fe3a89092b678badc7bcdbcedac0871df053110dc670fcd5f56dcf2e2b27b9382b70a50d1de232f87a6b97c05bfc4ea51b661db1252872cb9edcab0dea5a804eb3f596cdadbdfc7ba7f0f5e442865ea7063fc5cfbd9c8d4d68a33c36a852a89353265bd78fbcdbde67696dedd847d0644973eba2537b97928ec79e2027b909eebeaa25826ec74dc7c8f335d4aa78c1f767d51b02d944396b00ba7e0ff75c4d87655932a898cac2a8789c56a22b910c57b0c7438a09c7d724983c3aa41bc36a83e8917cb375f27bda7fb525f1c63fec28ae472228d95d82a617e89e233eb08810806bb43b5ae10c4fd744f277d445bb5dd7984f12622fd55efadfde7ae241f019fe748160301014b0c0001470300174104356f9c0ffc364039f66ce9ba8838433a255ea2a399b34afbecaa477b7942a55279ca97694b8f9bf039e0cfb476d1d5b7addccdfb40abfd08e74a23a89104c93501002e556ff2c5c79a3c84eae2e8a77fcb7263c10644d4b699a1d5ea92aa93a2c37fb98d01b49885178ef67475a7bfa4c53029c5ff0d9ca42702cc6e7e8ba9cc7149442ed24e26f5ecb814be162323a3f86596628d2357842d946bfb18bcf0eef9421dbe502d58003cc6edfa496b89c0d24c5e04cb7006be2e797a17a603e9ed8d91bfdff22a264a12245e96a6538b148658affc8899f72a0cfd57ecde4d06fcb40957c6b416b686579c01f6415f69b7064f3fdd2e12d8ba96fe861c2c08 (4,1) Message-Authenticator = 0x00000000000000000000000000000000 (4,1) State = 0x04073800aecc10fa3b39393138ab9701 (4,1) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 81 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293 (5) User-Name = "testuser@realm" (5) Chargeable-User-Identity = 0x00 (5) Location-Capable = Civix-Location (5) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (5) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (5) NAS-Port = 13 (5) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (5) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (5) NAS-IP-Address = Y.Y.Y.Y (5) NAS-Identifier = "WM13" (5) Airespace-Wlan-Id = 8 (5) Service-Type = Framed-User (5) Framed-MTU = 1300 (5) NAS-Port-Type = Wireless-802.11 (5) Tunnel-Type:0 = VLAN (5) Tunnel-Medium-Type:0 = IEEE-802 (5) Tunnel-Private-Group-Id:0 = "446" (5) EAP-Message = 0x020500061900 (5) State = 0x04073800aecc10fa3b39393138ab9701 (5) Message-Authenticator = 0x71120286c728aae1154c25c60db52811 (5,1) Running section authorize from file /etc/raddb/sites-enabled/default (5,1) authorize { (5,1) local_rewrite_called_station_id { (5,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (5,1) update request { (5,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (5,1) --> 64:AE:0C:91:42:60 (5,1) &Called-Station-Id := 64:AE:0C:91:42:60 (5,1) } # update request (noop) (5,1) if ("%{8}") { (5,1) EXPAND %{8} (5,1) --> RADIUS-TEST (5,1) update request { (5,1) EXPAND %{8} (5,1) --> RADIUS-TEST (5,1) &Called-Station-SSID := RADIUS-TEST (5,1) } # update request (noop) (5,1) } # if ("%{8}") (noop) (5,1) updated (updated) (5,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (5,1) else { (5,1) ... skipping else for request 5: Preceding "if" was taken (5,1) } (5,1) } # local_rewrite_called_station_id (updated) (5,1) local_rewrite_calling_station_id { (5,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (5,1) update request { (5,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (5,1) --> A4:D1:8C:E4:9F:22 (5,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (5,1) } # update request (noop) (5,1) updated (updated) (5,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (5,1) else { (5,1) ... skipping else for request 5: Preceding "if" was taken (5,1) } (5,1) } # local_rewrite_calling_station_id (updated) (5,1) filter_username { (5,1) if (&User-Name) { (5,1) if (&User-Name =~ / /) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /@[^@]*@/ ) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /\.\./ ) { (5,1) ... (5,1) } (5,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /\.$/) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /@\./) { (5,1) ... (5,1) } (5,1) } # if (&User-Name) (updated) (5,1) } # filter_username (updated) (5,1) bad_realms { (5,1) if (&User-Name =~ /\.ax\.uk$/i) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /@ac\.uk$/i) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (5,1) ... (5,1) } (5,1) if (&User-Name =~ /myabc\.com$/i) { (5,1) ... (5,1) } (5,1) } # bad_realms (updated) (5,1) preprocess (ok) (5,1) operator-name.authorize { (5,1) if ("%{client:Operator-Name}") { (5,1) EXPAND %{client:Operator-Name} (5,1) --> 1realm.ac.uk (5,1) update request { (5,1) EXPAND %{client:Operator-Name} (5,1) --> 1realm.ac.uk (5,1) &Operator-Name = 1realm.ac.uk (5,1) } # update request (noop) (5,1) } # if ("%{client:Operator-Name}") (noop) (5,1) } # operator-name.authorize (noop) (5,1) suffix - Checking for suffix after "@" (5,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (5,1) suffix - Found realm "realm.ac.uk" (5,1) suffix - Adding Stripped-User-Name = "testuser" (5,1) suffix - Adding Realm = "realm.ac.uk" (5,1) suffix - Authentication realm is LOCAL (5,1) suffix (ok) (5,1) if (&Realm) { (5,1) update control { (5,1) &control:Proxy-To-Realm := LOCAL (5,1) } # update control (noop) (5,1) } # if (&Realm) (noop) (5,1) else { (5,1) ... skipping else for request 5: Preceding "if" was taken (5,1) } (5,1) if (&Realm) { (5,1) if (&Stripped-User-Name != "") { (5,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (5,1) EXPAND %{tolower:%{Stripped-User-Name}} (5,1) --> testuser (5,1) ... (5,1) } (5,1) group { (5,1) check_blacklist (ok) (5,1) if (&control:Local-Banned-User) { (5,1) ... (5,1) } (5,1) else { (5,1) noop (noop) (5,1) } # else (noop) (5,1) } # group (ok) (5,1) } # if (&Stripped-User-Name != "") (ok) (5,1) } # if (&Realm) (ok) (5,1) eap - Peer sent EAP Response (code 2) ID 5 length 6 (5,1) eap - Continuing tunnel setup (5,1) eap (ok) (5,1) } # authorize (ok) (5,1) Using 'Auth-Type = eap' for authenticate {...} (5,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (5,1) Auth-Type eap { (5,1) eap - Peer sent packet with EAP method PEAP (25) (5,1) eap - Calling submodule eap_peap to process data (5,1) eap_peap - Continuing EAP-TLS (5,1) eap_peap - Peer ACKed our handshake fragment (5,1) eap_peap - [eap-tls verify] = request (5,1) eap_peap - Sending final TLS record fragment (77 bytes) (5,1) eap_peap - [eap-tls process] = handled (5,1) eap - Sending EAP Request (code 1) ID 6 length 83 (5,1) eap (handled) (5,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (5,1) EXPAND Response-Packet-Type (5,1) --> Access-Challenge (5,1) attr_filter.access_challenge - EXPAND %{User-Name} (5,1) attr_filter.access_challenge - --> testuser@realm (5,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (5,1) attr_filter.access_challenge.post-auth (updated) (5,1) handled (handled) (5,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (5,1) } # Auth-Type eap (handled) (5,1) Using Post-Auth-Type Challenge (5,1) Post-Auth-Type sub-section not found. Ignoring. (5,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (5,1) Sent Access-Challenge Id 81 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (5,1) EAP-Message = 0x0106005319004e06bbcfa59586d7b2ff4301f7a4dced7726344b96c142ba4f7edda40388cd1960d4509a41a041f4a249841cb2d310f71b7289440659999943f6e9e8d339d98ba10c468116030100040e000000 (5,1) Message-Authenticator = 0x00000000000000000000000000000000 (5,1) State = 0x050138003637b8d43b39393138ab9701 (5,1) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 82 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 431 (6) User-Name = "testuser@realm" (6) Chargeable-User-Identity = 0x00 (6) Location-Capable = Civix-Location (6) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (6) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (6) NAS-Port = 13 (6) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (6) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (6) NAS-IP-Address = Y.Y.Y.Y (6) NAS-Identifier = "WM13" (6) Airespace-Wlan-Id = 8 (6) Service-Type = Framed-User (6) Framed-MTU = 1300 (6) NAS-Port-Type = Wireless-802.11 (6) Tunnel-Type:0 = VLAN (6) Tunnel-Medium-Type:0 = IEEE-802 (6) Tunnel-Private-Group-Id:0 = "446" (6) EAP-Message = 0x0206009019800000008616030100461000004241042a5475e41a0623c852b7ef77add0a1b3f495bfe644190191922bd6567c29c76dd46784c71d47f29e9688a6fe7998febd4ebee0a3b1dd33fe0b604b4c3ec38308140301000101160301003048686a4b033d40f5f9526b1c98c9c4ea528ac0c54e84251ef82fb6efe6c197f662f7468f1631afe64f0846e6f63ad3bf (6) State = 0x050138003637b8d43b39393138ab9701 (6) Message-Authenticator = 0x8c61c24db4bce0512a7cfd792ebe1ec6 (6,1) Running section authorize from file /etc/raddb/sites-enabled/default (6,1) authorize { (6,1) local_rewrite_called_station_id { (6,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (6,1) update request { (6,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (6,1) --> 64:AE:0C:91:42:60 (6,1) &Called-Station-Id := 64:AE:0C:91:42:60 (6,1) } # update request (noop) (6,1) if ("%{8}") { (6,1) EXPAND %{8} (6,1) --> RADIUS-TEST (6,1) update request { (6,1) EXPAND %{8} (6,1) --> RADIUS-TEST (6,1) &Called-Station-SSID := RADIUS-TEST (6,1) } # update request (noop) (6,1) } # if ("%{8}") (noop) (6,1) updated (updated) (6,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (6,1) else { (6,1) ... skipping else for request 6: Preceding "if" was taken (6,1) } (6,1) } # local_rewrite_called_station_id (updated) (6,1) local_rewrite_calling_station_id { (6,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (6,1) update request { (6,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (6,1) --> A4:D1:8C:E4:9F:22 (6,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (6,1) } # update request (noop) (6,1) updated (updated) (6,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (6,1) else { (6,1) ... skipping else for request 6: Preceding "if" was taken (6,1) } (6,1) } # local_rewrite_calling_station_id (updated) (6,1) filter_username { (6,1) if (&User-Name) { (6,1) if (&User-Name =~ / /) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /@[^@]*@/ ) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /\.\./ ) { (6,1) ... (6,1) } (6,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /\.$/) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /@\./) { (6,1) ... (6,1) } (6,1) } # if (&User-Name) (updated) (6,1) } # filter_username (updated) (6,1) bad_realms { (6,1) if (&User-Name =~ /\.ax\.uk$/i) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /@ac\.uk$/i) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (6,1) ... (6,1) } (6,1) if (&User-Name =~ /myabc\.com$/i) { (6,1) ... (6,1) } (6,1) } # bad_realms (updated) (6,1) preprocess (ok) (6,1) operator-name.authorize { (6,1) if ("%{client:Operator-Name}") { (6,1) EXPAND %{client:Operator-Name} (6,1) --> 1realm.ac.uk (6,1) update request { (6,1) EXPAND %{client:Operator-Name} (6,1) --> 1realm.ac.uk (6,1) &Operator-Name = 1realm.ac.uk (6,1) } # update request (noop) (6,1) } # if ("%{client:Operator-Name}") (noop) (6,1) } # operator-name.authorize (noop) (6,1) suffix - Checking for suffix after "@" (6,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (6,1) suffix - Found realm "realm.ac.uk" (6,1) suffix - Adding Stripped-User-Name = "testuser" (6,1) suffix - Adding Realm = "realm.ac.uk" (6,1) suffix - Authentication realm is LOCAL (6,1) suffix (ok) (6,1) if (&Realm) { (6,1) update control { (6,1) &control:Proxy-To-Realm := LOCAL (6,1) } # update control (noop) (6,1) } # if (&Realm) (noop) (6,1) else { (6,1) ... skipping else for request 6: Preceding "if" was taken (6,1) } (6,1) if (&Realm) { (6,1) if (&Stripped-User-Name != "") { (6,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (6,1) EXPAND %{tolower:%{Stripped-User-Name}} (6,1) --> testuser (6,1) ... (6,1) } (6,1) group { (6,1) check_blacklist (ok) (6,1) if (&control:Local-Banned-User) { (6,1) ... (6,1) } (6,1) else { (6,1) noop (noop) (6,1) } # else (noop) (6,1) } # group (ok) (6,1) } # if (&Stripped-User-Name != "") (ok) (6,1) } # if (&Realm) (ok) (6,1) eap - Peer sent EAP Response (code 2) ID 6 length 144 (6,1) eap - Continuing tunnel setup (6,1) eap (ok) (6,1) } # authorize (ok) (6,1) Using 'Auth-Type = eap' for authenticate {...} (6,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (6,1) Auth-Type eap { (6,1) eap - Peer sent packet with EAP method PEAP (25) (6,1) eap - Calling submodule eap_peap to process data (6,1) eap_peap - Continuing EAP-TLS (6,1) eap_peap - Peer indicated complete TLS record size will be 134 bytes (6,1) eap_peap - Got complete TLS record, with length field (134 bytes) (6,1) eap_peap - [eap-tls verify] = complete (6,1) eap_peap - <<< recv handshake [length 70], client_key_exchange (6,1) eap_peap - Handshake state - Server SSLv3 read client key exchange A (6,1) eap_peap - <<< recv change_cipher_spec [length 1] (6,1) eap_peap - <<< recv handshake [length 16], finished (6,1) eap_peap - Handshake state - Server SSLv3 read finished A (6,1) eap_peap - >>> send change_cipher_spec [length 1] (6,1) eap_peap - Handshake state - Server SSLv3 write change cipher spec A (6,1) eap_peap - >>> send handshake [length 16], finished (6,1) eap_peap - Handshake state - Server SSLv3 write finished A (6,1) eap_peap - Handshake state - Server SSLv3 flush data (6,1) eap_peap - Handshake state - SSL negotiation finished successfully (6,1) eap_peap - Cipher suite: CDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1 (6,1) eap_peap - Sending complete TLS record (59 bytes) (6,1) eap_peap - [eap-tls process] = handled (6,1) eap - Sending EAP Request (code 1) ID 7 length 65 (6,1) eap (handled) (6,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (6,1) EXPAND Response-Packet-Type (6,1) --> Access-Challenge (6,1) attr_filter.access_challenge - EXPAND %{User-Name} (6,1) attr_filter.access_challenge - --> testuser@realm (6,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (6,1) attr_filter.access_challenge.post-auth (updated) (6,1) handled (handled) (6,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (6,1) } # Auth-Type eap (handled) (6,1) Using Post-Auth-Type Challenge (6,1) Post-Auth-Type sub-section not found. Ignoring. (6,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (6,1) Sent Access-Challenge Id 82 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (6,1) EAP-Message = 0x01070041190014030100010116030100306c8dcb9afcb8f73b414f202b96d6efd0bab2bd9ad150291d1ce462a9f4c7055f7c55a31447a4b2d6e724095cfc6c65d1 (6,1) Message-Authenticator = 0x00000000000000000000000000000000 (6,1) State = 0x06033800aecc10fa3b39393138ab9701 (6,1) Finished request Waking up in 4.8 seconds. (7) Received Access-Request Id 83 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 293 (7) User-Name = "testuser@realm" (7) Chargeable-User-Identity = 0x00 (7) Location-Capable = Civix-Location (7) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (7) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (7) NAS-Port = 13 (7) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (7) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (7) NAS-IP-Address = Y.Y.Y.Y (7) NAS-Identifier = "WM13" (7) Airespace-Wlan-Id = 8 (7) Service-Type = Framed-User (7) Framed-MTU = 1300 (7) NAS-Port-Type = Wireless-802.11 (7) Tunnel-Type:0 = VLAN (7) Tunnel-Medium-Type:0 = IEEE-802 (7) Tunnel-Private-Group-Id:0 = "446" (7) EAP-Message = 0x020700061900 (7) State = 0x06033800aecc10fa3b39393138ab9701 (7) Message-Authenticator = 0x555162762d19bd82d35f798dba8e28aa (7,1) Running section authorize from file /etc/raddb/sites-enabled/default (7,1) authorize { (7,1) local_rewrite_called_station_id { (7,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (7,1) update request { (7,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (7,1) --> 64:AE:0C:91:42:60 (7,1) &Called-Station-Id := 64:AE:0C:91:42:60 (7,1) } # update request (noop) (7,1) if ("%{8}") { (7,1) EXPAND %{8} (7,1) --> RADIUS-TEST (7,1) update request { (7,1) EXPAND %{8} (7,1) --> RADIUS-TEST (7,1) &Called-Station-SSID := RADIUS-TEST (7,1) } # update request (noop) (7,1) } # if ("%{8}") (noop) (7,1) updated (updated) (7,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (7,1) else { (7,1) ... skipping else for request 7: Preceding "if" was taken (7,1) } (7,1) } # local_rewrite_called_station_id (updated) (7,1) local_rewrite_calling_station_id { (7,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (7,1) update request { (7,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (7,1) --> A4:D1:8C:E4:9F:22 (7,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (7,1) } # update request (noop) (7,1) updated (updated) (7,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (7,1) else { (7,1) ... skipping else for request 7: Preceding "if" was taken (7,1) } (7,1) } # local_rewrite_calling_station_id (updated) (7,1) filter_username { (7,1) if (&User-Name) { (7,1) if (&User-Name =~ / /) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /@[^@]*@/ ) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /\.\./ ) { (7,1) ... (7,1) } (7,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /\.$/) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /@\./) { (7,1) ... (7,1) } (7,1) } # if (&User-Name) (updated) (7,1) } # filter_username (updated) (7,1) bad_realms { (7,1) if (&User-Name =~ /\.ax\.uk$/i) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /@ac\.uk$/i) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (7,1) ... (7,1) } (7,1) if (&User-Name =~ /myabc\.com$/i) { (7,1) ... (7,1) } (7,1) } # bad_realms (updated) (7,1) preprocess (ok) (7,1) operator-name.authorize { (7,1) if ("%{client:Operator-Name}") { (7,1) EXPAND %{client:Operator-Name} (7,1) --> 1realm.ac.uk (7,1) update request { (7,1) EXPAND %{client:Operator-Name} (7,1) --> 1realm.ac.uk (7,1) &Operator-Name = 1realm.ac.uk (7,1) } # update request (noop) (7,1) } # if ("%{client:Operator-Name}") (noop) (7,1) } # operator-name.authorize (noop) (7,1) suffix - Checking for suffix after "@" (7,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (7,1) suffix - Found realm "realm.ac.uk" (7,1) suffix - Adding Stripped-User-Name = "testuser" (7,1) suffix - Adding Realm = "realm.ac.uk" (7,1) suffix - Authentication realm is LOCAL (7,1) suffix (ok) (7,1) if (&Realm) { (7,1) update control { (7,1) &control:Proxy-To-Realm := LOCAL (7,1) } # update control (noop) (7,1) } # if (&Realm) (noop) (7,1) else { (7,1) ... skipping else for request 7: Preceding "if" was taken (7,1) } (7,1) if (&Realm) { (7,1) if (&Stripped-User-Name != "") { (7,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (7,1) EXPAND %{tolower:%{Stripped-User-Name}} (7,1) --> testuser (7,1) ... (7,1) } (7,1) group { (7,1) check_blacklist (ok) (7,1) if (&control:Local-Banned-User) { (7,1) ... (7,1) } (7,1) else { (7,1) noop (noop) (7,1) } # else (noop) (7,1) } # group (ok) (7,1) } # if (&Stripped-User-Name != "") (ok) (7,1) } # if (&Realm) (ok) (7,1) eap - Peer sent EAP Response (code 2) ID 7 length 6 (7,1) eap - Continuing tunnel setup (7,1) eap (ok) (7,1) } # authorize (ok) (7,1) Using 'Auth-Type = eap' for authenticate {...} (7,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (7,1) Auth-Type eap { (7,1) eap - Peer sent packet with EAP method PEAP (25) (7,1) eap - Calling submodule eap_peap to process data (7,1) eap_peap - Continuing EAP-TLS (7,1) eap_peap - Peer ACKed our handshake fragment. handshake is finished (7,1) eap_peap - [eap-tls verify] = established (7,1) eap_peap - [eap-tls process] = established (7,1) eap_peap - Session established. Decoding tunneled data (7,1) eap_peap - PEAP state TUNNEL ESTABLISHED (7,1) eap_peap - TLS application data to encrypt (5 bytes) (7,1) eap_peap - Sending complete TLS record (37 bytes) (7,1) eap - Sending EAP Request (code 1) ID 8 length 43 (7,1) eap (handled) (7,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (7,1) EXPAND Response-Packet-Type (7,1) --> Access-Challenge (7,1) attr_filter.access_challenge - EXPAND %{User-Name} (7,1) attr_filter.access_challenge - --> testuser@realm (7,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (7,1) attr_filter.access_challenge.post-auth (updated) (7,1) handled (handled) (7,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (7,1) } # Auth-Type eap (handled) (7,1) Using Post-Auth-Type Challenge (7,1) Post-Auth-Type sub-section not found. Ignoring. (7,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (7,1) Sent Access-Challenge Id 83 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (7,1) EAP-Message = 0x0108002b1900170301002029a24f1d8456037b9aeceb8fbc4df51362f49d1b863dae0ea1e7e356cad48d55 (7,1) Message-Authenticator = 0x00000000000000000000000000000000 (7,1) State = 0x070138003637b8d43b39393138ab9701 (7,1) Finished request Waking up in 4.8 seconds. (8) Received Access-Request Id 84 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 346 (8) User-Name = "testuser@realm" (8) Chargeable-User-Identity = 0x00 (8) Location-Capable = Civix-Location (8) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (8) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (8) NAS-Port = 13 (8) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (8) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (8) NAS-IP-Address = Y.Y.Y.Y (8) NAS-Identifier = "WM13" (8) Airespace-Wlan-Id = 8 (8) Service-Type = Framed-User (8) Framed-MTU = 1300 (8) NAS-Port-Type = Wireless-802.11 (8) Tunnel-Type:0 = VLAN (8) Tunnel-Medium-Type:0 = IEEE-802 (8) Tunnel-Private-Group-Id:0 = "446" (8) EAP-Message = 0x0208003b1900170301003012630f02d6ebc7a949180390128f6ca3bd2643ce89f12b1ea709648094fa2265ecdef69755c881656faf5d6debdb50f2 (8) State = 0x070138003637b8d43b39393138ab9701 (8) Message-Authenticator = 0x19dac562b9479efa42ea2766dc140211 (8,1) Running section authorize from file /etc/raddb/sites-enabled/default (8,1) authorize { (8,1) local_rewrite_called_station_id { (8,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (8,1) update request { (8,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (8,1) --> 64:AE:0C:91:42:60 (8,1) &Called-Station-Id := 64:AE:0C:91:42:60 (8,1) } # update request (noop) (8,1) if ("%{8}") { (8,1) EXPAND %{8} (8,1) --> RADIUS-TEST (8,1) update request { (8,1) EXPAND %{8} (8,1) --> RADIUS-TEST (8,1) &Called-Station-SSID := RADIUS-TEST (8,1) } # update request (noop) (8,1) } # if ("%{8}") (noop) (8,1) updated (updated) (8,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (8,1) else { (8,1) ... skipping else for request 8: Preceding "if" was taken (8,1) } (8,1) } # local_rewrite_called_station_id (updated) (8,1) local_rewrite_calling_station_id { (8,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (8,1) update request { (8,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (8,1) --> A4:D1:8C:E4:9F:22 (8,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (8,1) } # update request (noop) (8,1) updated (updated) (8,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (8,1) else { (8,1) ... skipping else for request 8: Preceding "if" was taken (8,1) } (8,1) } # local_rewrite_calling_station_id (updated) (8,1) filter_username { (8,1) if (&User-Name) { (8,1) if (&User-Name =~ / /) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /@[^@]*@/ ) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /\.\./ ) { (8,1) ... (8,1) } (8,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /\.$/) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /@\./) { (8,1) ... (8,1) } (8,1) } # if (&User-Name) (updated) (8,1) } # filter_username (updated) (8,1) bad_realms { (8,1) if (&User-Name =~ /\.ax\.uk$/i) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /@ac\.uk$/i) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /myabc\.com$/i) { (8,1) ... (8,1) } (8,1) } # bad_realms (updated) (8,1) preprocess (ok) (8,1) operator-name.authorize { (8,1) if ("%{client:Operator-Name}") { (8,1) EXPAND %{client:Operator-Name} (8,1) --> 1realm.ac.uk (8,1) update request { (8,1) EXPAND %{client:Operator-Name} (8,1) --> 1realm.ac.uk (8,1) &Operator-Name = 1realm.ac.uk (8,1) } # update request (noop) (8,1) } # if ("%{client:Operator-Name}") (noop) (8,1) } # operator-name.authorize (noop) (8,1) suffix - Checking for suffix after "@" (8,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (8,1) suffix - Found realm "realm.ac.uk" (8,1) suffix - Adding Stripped-User-Name = "testuser" (8,1) suffix - Adding Realm = "realm.ac.uk" (8,1) suffix - Authentication realm is LOCAL (8,1) suffix (ok) (8,1) if (&Realm) { (8,1) update control { (8,1) &control:Proxy-To-Realm := LOCAL (8,1) } # update control (noop) (8,1) } # if (&Realm) (noop) (8,1) else { (8,1) ... skipping else for request 8: Preceding "if" was taken (8,1) } (8,1) if (&Realm) { (8,1) if (&Stripped-User-Name != "") { (8,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (8,1) EXPAND %{tolower:%{Stripped-User-Name}} (8,1) --> testuser (8,1) ... (8,1) } (8,1) group { (8,1) check_blacklist (ok) (8,1) if (&control:Local-Banned-User) { (8,1) ... (8,1) } (8,1) else { (8,1) noop (noop) (8,1) } # else (noop) (8,1) } # group (ok) (8,1) } # if (&Stripped-User-Name != "") (ok) (8,1) } # if (&Realm) (ok) (8,1) eap - Peer sent EAP Response (code 2) ID 8 length 59 (8,1) eap - Continuing tunnel setup (8,1) eap (ok) (8,1) } # authorize (ok) (8,1) Using 'Auth-Type = eap' for authenticate {...} (8,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (8,1) Auth-Type eap { (8,1) eap - Peer sent packet with EAP method PEAP (25) (8,1) eap - Calling submodule eap_peap to process data (8,1) eap_peap - Continuing EAP-TLS (8,1) eap_peap - Got complete TLS record (53 bytes) (8,1) eap_peap - [eap-tls verify] = complete (8,1) eap_peap - Decrypted TLS application data (19 bytes) (8,1) eap_peap - [eap-tls process] = complete (8,1) eap_peap - Session established. Decoding tunneled data (8,1) eap_peap - PEAP state WAITING FOR INNER IDENTITY (8,1) eap_peap - Received EAP-Identity-Response (8,1) eap_peap - Got inner identity 'testuser@realm' (8,1) eap_peap - Got tunneled request (8,1) eap_peap - &EAP-Message = 0x020800170165636c366368406c656564732e61632e756b (8,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser@realm" (8,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel" (8,1) Virtual server inner-tunnel received request (8,1) &EAP-Message = 0x020800170165636c366368406c656564732e61632e756b (8,1) &FreeRADIUS-Proxied-To = 127.0.0.1 (8,1) &User-Name = "testuser@realm" (8,1) WARNING: Outer and inner identities are the same. User privacy is compromised. (8,1) server inner-tunnel { (8,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8,1) authorize { (8,1) filter_username { (8,1) if (&User-Name) { (8,1) if (&User-Name =~ / /) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /@[^@]*@/ ) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /\.\./ ) { (8,1) ... (8,1) } (8,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /\.$/) { (8,1) ... (8,1) } (8,1) if (&User-Name =~ /@\./) { (8,1) ... (8,1) } (8,1) } # if (&User-Name) (notfound) (8,1) } # filter_username (notfound) (8,1) local_filter_inner_identity { (8,1) if (!&outer.request:User-Name || !&User-Name) { (8,1) ... (8,1) } (8,1) if (&outer.request:User-Name != &User-Name) { (8,1) ... (8,1) } (8,1) } # local_filter_inner_identity (notfound) (8,1) chap (noop) (8,1) if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) { (8,1) mschap-ds (noop) (8,1) } # if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) (noop) (8,1) elsif (&outer.request:User-Name =~ /@admin\.realm\.ac\.uk$/i) { (8,1) ... skipping elsif for request 8: Preceding "if" was taken (8,1) } (8,1) suffix - Checking for suffix after "@" (8,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (8,1) suffix - Found realm "realm.ac.uk" (8,1) suffix - Adding Stripped-User-Name = "testuser" (8,1) suffix - Adding Realm = "realm.ac.uk" (8,1) suffix - Authentication realm is LOCAL (8,1) suffix (ok) (8,1) if (&User-Name =~ /^@/) { (8,1) ... (8,1) } (8,1) if (!(&Stripped-User-Name)) { (8,1) ... (8,1) } (8,1) else { (8,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (8,1) EXPAND %{tolower:%{Stripped-User-Name}} (8,1) --> testuser (8,1) ... (8,1) } (8,1) } # else (ok) (8,1) group { (8,1) check_blacklist (ok) (8,1) if (&control:Local-Banned-User) { (8,1) ... (8,1) } (8,1) else { (8,1) noop (noop) (8,1) } # else (noop) (8,1) } # group (ok) (8,1) update control { (8,1) &control:Proxy-To-Realm := LOCAL (8,1) } # update control (noop) (8,1) eap - Peer sent EAP Response (code 2) ID 8 length 23 (8,1) eap - Peer sent EAP-Identity. Returning 'ok' so we can short-circuit the rest of authorize (8,1) eap (ok) (8,1) } # authorize (ok) (8,1) Using 'Auth-Type = eap' for authenticate {...} (8,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel (8,1) Auth-Type eap { (8,1) eap - Peer sent packet with EAP method Identity (1) (8,1) eap - Calling submodule eap_peap to process data (8,1) eap_peap - Initiating new TLS session (8,1) eap - Sending EAP Request (code 1) ID 9 length 6 (8,1) eap (handled) (8,1) } # Auth-Type eap (handled) (8,1) } # server inner-tunnel (8,1) Virtual server sending reply (8,1) &EAP-Message = 0x010900061920 (8,1) &Message-Authenticator = 0x00000000000000000000000000000000 (8,1) eap_peap - Got tunneled reply Access-Challenge (8,1) eap_peap - &EAP-Message = 0x010900061920 (8,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000 (8,1) eap_peap - Got tunneled Access-Challenge (8,1) eap_peap - TLS application data to encrypt (2 bytes) (8,1) eap_peap - Sending complete TLS record (37 bytes) (8,1) eap - Sending EAP Request (code 1) ID 9 length 43 (8,1) eap (handled) (8,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (8,1) EXPAND Response-Packet-Type (8,1) --> Access-Challenge (8,1) attr_filter.access_challenge - EXPAND %{User-Name} (8,1) attr_filter.access_challenge - --> testuser@realm (8,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (8,1) attr_filter.access_challenge.post-auth (updated) (8,1) handled (handled) (8,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (8,1) } # Auth-Type eap (handled) (8,1) Using Post-Auth-Type Challenge (8,1) Post-Auth-Type sub-section not found. Ignoring. (8,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (8,1) Sent Access-Challenge Id 84 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (8,1) EAP-Message = 0x0109002b1900170301002082145b33c41958c36bec8f18c2f9da22934d020d4e6d14b2a45a7258b2f336af (8,1) Message-Authenticator = 0x00000000000000000000000000000000 (8,1) State = 0x080f3800aecc10fa3b39393138ab9701 (8,1) Finished request Waking up in 4.8 seconds. (9) Received Access-Request Id 85 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 330 (9) User-Name = "testuser@realm" (9) Chargeable-User-Identity = 0x00 (9) Location-Capable = Civix-Location (9) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (9) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (9) NAS-Port = 13 (9) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (9) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (9) NAS-IP-Address = Y.Y.Y.Y (9) NAS-Identifier = "WM13" (9) Airespace-Wlan-Id = 8 (9) Service-Type = Framed-User (9) Framed-MTU = 1300 (9) NAS-Port-Type = Wireless-802.11 (9) Tunnel-Type:0 = VLAN (9) Tunnel-Medium-Type:0 = IEEE-802 (9) Tunnel-Private-Group-Id:0 = "446" (9) EAP-Message = 0x0209002b19001703010020b5d3b91965958352c3a2297f539ee8f56616a107a36423c6b065b5bf73f4c0de (9) State = 0x080f3800aecc10fa3b39393138ab9701 (9) Message-Authenticator = 0x1e0662ee3ffb7f6c36d8f70ecd544acf (9,1) Running section authorize from file /etc/raddb/sites-enabled/default (9,1) authorize { (9,1) local_rewrite_called_station_id { (9,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (9,1) update request { (9,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (9,1) --> 64:AE:0C:91:42:60 (9,1) &Called-Station-Id := 64:AE:0C:91:42:60 (9,1) } # update request (noop) (9,1) if ("%{8}") { (9,1) EXPAND %{8} (9,1) --> RADIUS-TEST (9,1) update request { (9,1) EXPAND %{8} (9,1) --> RADIUS-TEST (9,1) &Called-Station-SSID := RADIUS-TEST (9,1) } # update request (noop) (9,1) } # if ("%{8}") (noop) (9,1) updated (updated) (9,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (9,1) else { (9,1) ... skipping else for request 9: Preceding "if" was taken (9,1) } (9,1) } # local_rewrite_called_station_id (updated) (9,1) local_rewrite_calling_station_id { (9,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (9,1) update request { (9,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (9,1) --> A4:D1:8C:E4:9F:22 (9,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (9,1) } # update request (noop) (9,1) updated (updated) (9,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (9,1) else { (9,1) ... skipping else for request 9: Preceding "if" was taken (9,1) } (9,1) } # local_rewrite_calling_station_id (updated) (9,1) filter_username { (9,1) if (&User-Name) { (9,1) if (&User-Name =~ / /) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /@[^@]*@/ ) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /\.\./ ) { (9,1) ... (9,1) } (9,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /\.$/) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /@\./) { (9,1) ... (9,1) } (9,1) } # if (&User-Name) (updated) (9,1) } # filter_username (updated) (9,1) bad_realms { (9,1) if (&User-Name =~ /\.ax\.uk$/i) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /@ac\.uk$/i) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /myabc\.com$/i) { (9,1) ... (9,1) } (9,1) } # bad_realms (updated) (9,1) preprocess (ok) (9,1) operator-name.authorize { (9,1) if ("%{client:Operator-Name}") { (9,1) EXPAND %{client:Operator-Name} (9,1) --> 1realm.ac.uk (9,1) update request { (9,1) EXPAND %{client:Operator-Name} (9,1) --> 1realm.ac.uk (9,1) &Operator-Name = 1realm.ac.uk (9,1) } # update request (noop) (9,1) } # if ("%{client:Operator-Name}") (noop) (9,1) } # operator-name.authorize (noop) (9,1) suffix - Checking for suffix after "@" (9,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (9,1) suffix - Found realm "realm.ac.uk" (9,1) suffix - Adding Stripped-User-Name = "testuser" (9,1) suffix - Adding Realm = "realm.ac.uk" (9,1) suffix - Authentication realm is LOCAL (9,1) suffix (ok) (9,1) if (&Realm) { (9,1) update control { (9,1) &control:Proxy-To-Realm := LOCAL (9,1) } # update control (noop) (9,1) } # if (&Realm) (noop) (9,1) else { (9,1) ... skipping else for request 9: Preceding "if" was taken (9,1) } (9,1) if (&Realm) { (9,1) if (&Stripped-User-Name != "") { (9,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (9,1) EXPAND %{tolower:%{Stripped-User-Name}} (9,1) --> testuser (9,1) ... (9,1) } (9,1) group { (9,1) check_blacklist (ok) (9,1) if (&control:Local-Banned-User) { (9,1) ... (9,1) } (9,1) else { (9,1) noop (noop) (9,1) } # else (noop) (9,1) } # group (ok) (9,1) } # if (&Stripped-User-Name != "") (ok) (9,1) } # if (&Realm) (ok) (9,1) eap - Peer sent EAP Response (code 2) ID 9 length 43 (9,1) eap - Continuing tunnel setup (9,1) eap (ok) (9,1) } # authorize (ok) (9,1) Using 'Auth-Type = eap' for authenticate {...} (9,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (9,1) Auth-Type eap { (9,1) eap - Peer sent packet with EAP method PEAP (25) (9,1) eap - Calling submodule eap_peap to process data (9,1) eap_peap - Continuing EAP-TLS (9,1) eap_peap - Got complete TLS record (37 bytes) (9,1) eap_peap - [eap-tls verify] = complete (9,1) eap_peap - Decrypted TLS application data (2 bytes) (9,1) eap_peap - [eap-tls process] = complete (9,1) eap_peap - Session established. Decoding tunneled data (9,1) eap_peap - PEAP state phase2 (9,1) eap_peap - EAP method NAK (3) (9,1) eap_peap - Got tunneled request (9,1) eap_peap - &EAP-Message = 0x02090006031a (9,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser@realm" (9,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel" (9,1) Virtual server inner-tunnel received request (9,1) &EAP-Message = 0x02090006031a (9,1) &FreeRADIUS-Proxied-To = 127.0.0.1 (9,1) &User-Name = "testuser@realm" (9,1) WARNING: Outer and inner identities are the same. User privacy is compromised. (9,1) server inner-tunnel { (9,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel (9,1) authorize { (9,1) filter_username { (9,1) if (&User-Name) { (9,1) if (&User-Name =~ / /) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /@[^@]*@/ ) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /\.\./ ) { (9,1) ... (9,1) } (9,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /\.$/) { (9,1) ... (9,1) } (9,1) if (&User-Name =~ /@\./) { (9,1) ... (9,1) } (9,1) } # if (&User-Name) (notfound) (9,1) } # filter_username (notfound) (9,1) local_filter_inner_identity { (9,1) if (!&outer.request:User-Name || !&User-Name) { (9,1) ... (9,1) } (9,1) if (&outer.request:User-Name != &User-Name) { (9,1) ... (9,1) } (9,1) } # local_filter_inner_identity (notfound) (9,1) chap (noop) (9,1) if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) { (9,1) mschap-ds (noop) (9,1) } # if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) (noop) (9,1) elsif (&outer.request:User-Name =~ /@admin\.realm\.ac\.uk$/i) { (9,1) ... skipping elsif for request 9: Preceding "if" was taken (9,1) } (9,1) suffix - Checking for suffix after "@" (9,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (9,1) suffix - Found realm "realm.ac.uk" (9,1) suffix - Adding Stripped-User-Name = "testuser" (9,1) suffix - Adding Realm = "realm.ac.uk" (9,1) suffix - Authentication realm is LOCAL (9,1) suffix (ok) (9,1) if (&User-Name =~ /^@/) { (9,1) ... (9,1) } (9,1) if (!(&Stripped-User-Name)) { (9,1) ... (9,1) } (9,1) else { (9,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (9,1) EXPAND %{tolower:%{Stripped-User-Name}} (9,1) --> testuser (9,1) ... (9,1) } (9,1) } # else (ok) (9,1) group { (9,1) check_blacklist (ok) (9,1) if (&control:Local-Banned-User) { (9,1) ... (9,1) } (9,1) else { (9,1) noop (noop) (9,1) } # else (noop) (9,1) } # group (ok) (9,1) update control { (9,1) &control:Proxy-To-Realm := LOCAL (9,1) } # update control (noop) (9,1) eap - Peer sent EAP Response (code 2) ID 9 length 6 (9,1) eap - Continuing on-going EAP conversation (9,1) eap (updated) (9,1) files (noop) (9,1) expiration (noop) (9,1) logintime (noop) (9,1) pap (noop) (9,1) } # authorize (updated) (9,1) Using 'Auth-Type = eap' for authenticate {...} (9,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel (9,1) Auth-Type eap { (9,1) eap - Peer sent packet with EAP method NAK (3) (9,1) eap - Found mutually acceptable type MSCHAPv2 (26) (9,1) eap - Calling submodule eap_mschapv2 to process data (9,1) eap_mschapv2 - Issuing Challenge (9,1) eap - Sending EAP Request (code 1) ID 10 length 47 (9,1) eap (handled) (9,1) } # Auth-Type eap (handled) (9,1) } # server inner-tunnel (9,1) Virtual server sending reply (9,1) &EAP-Message = 0x010a002f1a010a002a101591d608560c5c63a1d6f9157feba6cf667265657261646975732d332e312e302d64656164 (9,1) &Message-Authenticator = 0x00000000000000000000000000000000 (9,1) eap_peap - Got tunneled reply Access-Challenge (9,1) eap_peap - &EAP-Message = 0x010a002f1a010a002a101591d608560c5c63a1d6f9157feba6cf667265657261646975732d332e312e302d64656164 (9,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000 (9,1) eap_peap - Got tunneled Access-Challenge (9,1) eap_peap - TLS application data to encrypt (43 bytes) (9,1) eap_peap - Sending complete TLS record (69 bytes) (9,1) eap - Sending EAP Request (code 1) ID 10 length 75 (9,1) eap (handled) (9,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (9,1) EXPAND Response-Packet-Type (9,1) --> Access-Challenge (9,1) attr_filter.access_challenge - EXPAND %{User-Name} (9,1) attr_filter.access_challenge - --> testuser@realm (9,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (9,1) attr_filter.access_challenge.post-auth (updated) (9,1) handled (handled) (9,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (9,1) } # Auth-Type eap (handled) (9,1) Using Post-Auth-Type Challenge (9,1) Post-Auth-Type sub-section not found. Ignoring. (9,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (9,1) Sent Access-Challenge Id 85 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (9,1) EAP-Message = 0x010a004b19001703010040fd1adfa6152afb79c1fa0529c132191cc6180186595d874f715ef0b31bf5417fd2acb727f784d6ae580609b6434fb822695b8a0db91b849dbd55cd39f83f1b56 (9,1) Message-Authenticator = 0x00000000000000000000000000000000 (9,1) State = 0x090138003637b8d43b39393138ab9701 (9,1) Finished request Waking up in 4.8 seconds. (10) Received Access-Request Id 86 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 394 (10) User-Name = "testuser@realm" (10) Chargeable-User-Identity = 0x00 (10) Location-Capable = Civix-Location (10) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (10) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (10) NAS-Port = 13 (10) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (10) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (10) NAS-IP-Address = Y.Y.Y.Y (10) NAS-Identifier = "WM13" (10) Airespace-Wlan-Id = 8 (10) Service-Type = Framed-User (10) Framed-MTU = 1300 (10) NAS-Port-Type = Wireless-802.11 (10) Tunnel-Type:0 = VLAN (10) Tunnel-Medium-Type:0 = IEEE-802 (10) Tunnel-Private-Group-Id:0 = "446" (10) EAP-Message = 0x020a006b19001703010060fb7b84dad699698f8e133528ec8b1ef0f8199de9c6170fb4c86582a647d47520ec17b41fc65471c47ceb60d9a206b2b54936ec02000e6b4894b77cf2a1c4f99e2747be80011ff04e7304a9ed47826067966d1318fd9ef8f95697e149a3355eea (10) State = 0x090138003637b8d43b39393138ab9701 (10) Message-Authenticator = 0x431e4c764049d08fa9567dfadb9ac07f (10,1) Running section authorize from file /etc/raddb/sites-enabled/default (10,1) authorize { (10,1) local_rewrite_called_station_id { (10,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (10,1) update request { (10,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (10,1) --> 64:AE:0C:91:42:60 (10,1) &Called-Station-Id := 64:AE:0C:91:42:60 (10,1) } # update request (noop) (10,1) if ("%{8}") { (10,1) EXPAND %{8} (10,1) --> RADIUS-TEST (10,1) update request { (10,1) EXPAND %{8} (10,1) --> RADIUS-TEST (10,1) &Called-Station-SSID := RADIUS-TEST (10,1) } # update request (noop) (10,1) } # if ("%{8}") (noop) (10,1) updated (updated) (10,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (10,1) else { (10,1) ... skipping else for request 10: Preceding "if" was taken (10,1) } (10,1) } # local_rewrite_called_station_id (updated) (10,1) local_rewrite_calling_station_id { (10,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (10,1) update request { (10,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (10,1) --> A4:D1:8C:E4:9F:22 (10,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (10,1) } # update request (noop) (10,1) updated (updated) (10,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (10,1) else { (10,1) ... skipping else for request 10: Preceding "if" was taken (10,1) } (10,1) } # local_rewrite_calling_station_id (updated) (10,1) filter_username { (10,1) if (&User-Name) { (10,1) if (&User-Name =~ / /) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /@[^@]*@/ ) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /\.\./ ) { (10,1) ... (10,1) } (10,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /\.$/) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /@\./) { (10,1) ... (10,1) } (10,1) } # if (&User-Name) (updated) (10,1) } # filter_username (updated) (10,1) bad_realms { (10,1) if (&User-Name =~ /\.ax\.uk$/i) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /@ac\.uk$/i) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /myabc\.com$/i) { (10,1) ... (10,1) } (10,1) } # bad_realms (updated) (10,1) preprocess (ok) (10,1) operator-name.authorize { (10,1) if ("%{client:Operator-Name}") { (10,1) EXPAND %{client:Operator-Name} (10,1) --> 1realm.ac.uk (10,1) update request { (10,1) EXPAND %{client:Operator-Name} (10,1) --> 1realm.ac.uk (10,1) &Operator-Name = 1realm.ac.uk (10,1) } # update request (noop) (10,1) } # if ("%{client:Operator-Name}") (noop) (10,1) } # operator-name.authorize (noop) (10,1) suffix - Checking for suffix after "@" (10,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (10,1) suffix - Found realm "realm.ac.uk" (10,1) suffix - Adding Stripped-User-Name = "testuser" (10,1) suffix - Adding Realm = "realm.ac.uk" (10,1) suffix - Authentication realm is LOCAL (10,1) suffix (ok) (10,1) if (&Realm) { (10,1) update control { (10,1) &control:Proxy-To-Realm := LOCAL (10,1) } # update control (noop) (10,1) } # if (&Realm) (noop) (10,1) else { (10,1) ... skipping else for request 10: Preceding "if" was taken (10,1) } (10,1) if (&Realm) { (10,1) if (&Stripped-User-Name != "") { (10,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (10,1) EXPAND %{tolower:%{Stripped-User-Name}} (10,1) --> testuser (10,1) ... (10,1) } (10,1) group { (10,1) check_blacklist (ok) (10,1) if (&control:Local-Banned-User) { (10,1) ... (10,1) } (10,1) else { (10,1) noop (noop) (10,1) } # else (noop) (10,1) } # group (ok) (10,1) } # if (&Stripped-User-Name != "") (ok) (10,1) } # if (&Realm) (ok) (10,1) eap - Peer sent EAP Response (code 2) ID 10 length 107 (10,1) eap - Continuing tunnel setup (10,1) eap (ok) (10,1) } # authorize (ok) (10,1) Using 'Auth-Type = eap' for authenticate {...} (10,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (10,1) Auth-Type eap { (10,1) eap - Peer sent packet with EAP method PEAP (25) (10,1) eap - Calling submodule eap_peap to process data (10,1) eap_peap - Continuing EAP-TLS (10,1) eap_peap - Got complete TLS record (101 bytes) (10,1) eap_peap - [eap-tls verify] = complete (10,1) eap_peap - Decrypted TLS application data (73 bytes) (10,1) eap_peap - [eap-tls process] = complete (10,1) eap_peap - Session established. Decoding tunneled data (10,1) eap_peap - PEAP state phase2 (10,1) eap_peap - EAP method MSCHAPv2 (26) (10,1) eap_peap - Got tunneled request (10,1) eap_peap - &EAP-Message = 0x020a004d1a020a004831329616f5f88860d55df21c3a71f27e040000000000000000f283736acdd6b31ecc9bdf0c7b021c5232c4bf8f5aa26a620065636c366368406c656564732e61632e756b (10,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser@realm" (10,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel" (10,1) Virtual server inner-tunnel received request (10,1) &EAP-Message = 0x020a004d1a020a004831329616f5f88860d55df21c3a71f27e040000000000000000f283736acdd6b31ecc9bdf0c7b021c5232c4bf8f5aa26a620065636c366368406c656564732e61632e756b (10,1) &FreeRADIUS-Proxied-To = 127.0.0.1 (10,1) &User-Name = "testuser@realm" (10,1) WARNING: Outer and inner identities are the same. User privacy is compromised. (10,1) server inner-tunnel { (10,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel (10,1) authorize { (10,1) filter_username { (10,1) if (&User-Name) { (10,1) if (&User-Name =~ / /) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /@[^@]*@/ ) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /\.\./ ) { (10,1) ... (10,1) } (10,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /\.$/) { (10,1) ... (10,1) } (10,1) if (&User-Name =~ /@\./) { (10,1) ... (10,1) } (10,1) } # if (&User-Name) (notfound) (10,1) } # filter_username (notfound) (10,1) local_filter_inner_identity { (10,1) if (!&outer.request:User-Name || !&User-Name) { (10,1) ... (10,1) } (10,1) if (&outer.request:User-Name != &User-Name) { (10,1) ... (10,1) } (10,1) } # local_filter_inner_identity (notfound) (10,1) chap (noop) (10,1) if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) { (10,1) mschap-ds (noop) (10,1) } # if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) (noop) (10,1) elsif (&outer.request:User-Name =~ /@admin\.realm\.ac\.uk$/i) { (10,1) ... skipping elsif for request 10: Preceding "if" was taken (10,1) } (10,1) suffix - Checking for suffix after "@" (10,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (10,1) suffix - Found realm "realm.ac.uk" (10,1) suffix - Adding Stripped-User-Name = "testuser" (10,1) suffix - Adding Realm = "realm.ac.uk" (10,1) suffix - Authentication realm is LOCAL (10,1) suffix (ok) (10,1) if (&User-Name =~ /^@/) { (10,1) ... (10,1) } (10,1) if (!(&Stripped-User-Name)) { (10,1) ... (10,1) } (10,1) else { (10,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (10,1) EXPAND %{tolower:%{Stripped-User-Name}} (10,1) --> testuser (10,1) ... (10,1) } (10,1) } # else (ok) (10,1) group { (10,1) check_blacklist (ok) (10,1) if (&control:Local-Banned-User) { (10,1) ... (10,1) } (10,1) else { (10,1) noop (noop) (10,1) } # else (noop) (10,1) } # group (ok) (10,1) update control { (10,1) &control:Proxy-To-Realm := LOCAL (10,1) } # update control (noop) (10,1) eap - Peer sent EAP Response (code 2) ID 10 length 77 (10,1) eap - Continuing on-going EAP conversation (10,1) eap (updated) (10,1) files (noop) (10,1) expiration (noop) (10,1) logintime (noop) (10,1) pap (noop) (10,1) } # authorize (updated) (10,1) Using 'Auth-Type = eap' for authenticate {...} (10,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel (10,1) Auth-Type eap { (10,1) eap - Peer sent packet with EAP method MSCHAPv2 (26) (10,1) eap - Calling submodule eap_mschapv2 to process data (10,1) eap_mschapv2 - Running Auth-Type MS-CHAP from file /etc/raddb/sites-enabled/inner-tunnel (10,1) Auth-Type MS-CHAP { (10,1) if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) { (10,1) mschap-ds - Creating challenge hash with username: testuser@realm (10,1) mschap-ds - Client is using MS-CHAPv2 (10,1) mschap-ds - EXPAND %{%{Stripped-User-Name}:-%{mschap-ds:User-Name}} (10,1) mschap-ds - --> testuser (10,1) mschap-ds - Reserved connection (0) (10,1) mschap-ds - sending authentication request user='testuser' domain='DS' (10,1) mschap-ds - Released connection (0) (10,1) mschap-ds - Need 10 more connections to reach 20 spares (10,1) mschap-ds - Opening additional connection (10), 1 of 54 pending slots used (10,1) mschap-ds - Authenticated successfully (10,1) mschap-ds - Adding MS-CHAPv2 MPPE keys (10,1) mschap-ds (ok) (10,1) } # if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) (ok) (10,1) elsif (&outer.request:User-Name =~ /@admin\.realm\.ac\.uk$/i) { (10,1) ... skipping elsif for request 10: Preceding "if" was taken (10,1) } (10,1) } # Auth-Type MS-CHAP (ok) (10,1) eap_mschapv2 - MSCHAP Success (10,1) eap - Sending EAP Request (code 1) ID 11 length 51 (10,1) eap (handled) (10,1) } # Auth-Type eap (handled) (10,1) } # server inner-tunnel (10,1) Virtual server sending reply (10,1) &EAP-Message = 0x010b00331a030a002e533d35453739463637393739354343374436383233434142313433353737364643414246384539373932 (10,1) &Message-Authenticator = 0x00000000000000000000000000000000 (10,1) eap_peap - Got tunneled reply Access-Challenge (10,1) eap_peap - &EAP-Message = 0x010b00331a030a002e533d35453739463637393739354343374436383233434142313433353737364643414246384539373932 (10,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000 (10,1) eap_peap - Got tunneled Access-Challenge (10,1) eap_peap - TLS application data to encrypt (47 bytes) (10,1) eap_peap - Sending complete TLS record (85 bytes) (10,1) eap - Sending EAP Request (code 1) ID 11 length 91 (10,1) eap (handled) (10,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (10,1) EXPAND Response-Packet-Type (10,1) --> Access-Challenge (10,1) attr_filter.access_challenge - EXPAND %{User-Name} (10,1) attr_filter.access_challenge - --> testuser@realm (10,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (10,1) attr_filter.access_challenge.post-auth (updated) (10,1) handled (handled) (10,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (10,1) } # Auth-Type eap (handled) (10,1) Using Post-Auth-Type Challenge (10,1) Post-Auth-Type sub-section not found. Ignoring. (10,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (10,1) Sent Access-Challenge Id 86 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (10,1) EAP-Message = 0x010b005b19001703010050434a180e3726928b4d1485ba6b2897630e9165184c8e7b1b32265ba04908704d15ee8673ef1b5f4b1cb58c229d9ca96c31528959c7f338b7d83c0deca515c327d242225f1874037a58481664fc1f1360 (10,1) Message-Authenticator = 0x00000000000000000000000000000000 (10,1) State = 0x0a033800aecc10fa3b39393138ab9701 (10,1) Finished request Waking up in 4.8 seconds. (11) Received Access-Request Id 87 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 330 (11) User-Name = "testuser@realm" (11) Chargeable-User-Identity = 0x00 (11) Location-Capable = Civix-Location (11) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (11) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (11) NAS-Port = 13 (11) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (11) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (11) NAS-IP-Address = Y.Y.Y.Y (11) NAS-Identifier = "WM13" (11) Airespace-Wlan-Id = 8 (11) Service-Type = Framed-User (11) Framed-MTU = 1300 (11) NAS-Port-Type = Wireless-802.11 (11) Tunnel-Type:0 = VLAN (11) Tunnel-Medium-Type:0 = IEEE-802 (11) Tunnel-Private-Group-Id:0 = "446" (11) EAP-Message = 0x020b002b19001703010020b5ec1928d5a22217345c5344b5ea9e8a35fa15ad8681bfb8c9873d10febf5798 (11) State = 0x0a033800aecc10fa3b39393138ab9701 (11) Message-Authenticator = 0x62328bab8c9d2ffc5877e080f63230c8 (11,1) Running section authorize from file /etc/raddb/sites-enabled/default (11,1) authorize { (11,1) local_rewrite_called_station_id { (11,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (11,1) update request { (11,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (11,1) --> 64:AE:0C:91:42:60 (11,1) &Called-Station-Id := 64:AE:0C:91:42:60 (11,1) } # update request (noop) (11,1) if ("%{8}") { (11,1) EXPAND %{8} (11,1) --> RADIUS-TEST (11,1) update request { (11,1) EXPAND %{8} (11,1) --> RADIUS-TEST (11,1) &Called-Station-SSID := RADIUS-TEST (11,1) } # update request (noop) (11,1) } # if ("%{8}") (noop) (11,1) updated (updated) (11,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (11,1) else { (11,1) ... skipping else for request 11: Preceding "if" was taken (11,1) } (11,1) } # local_rewrite_called_station_id (updated) (11,1) local_rewrite_calling_station_id { (11,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (11,1) update request { (11,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (11,1) --> A4:D1:8C:E4:9F:22 (11,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (11,1) } # update request (noop) (11,1) updated (updated) (11,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (11,1) else { (11,1) ... skipping else for request 11: Preceding "if" was taken (11,1) } (11,1) } # local_rewrite_calling_station_id (updated) (11,1) filter_username { (11,1) if (&User-Name) { (11,1) if (&User-Name =~ / /) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /@[^@]*@/ ) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /\.\./ ) { (11,1) ... (11,1) } (11,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /\.$/) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /@\./) { (11,1) ... (11,1) } (11,1) } # if (&User-Name) (updated) (11,1) } # filter_username (updated) (11,1) bad_realms { (11,1) if (&User-Name =~ /\.ax\.uk$/i) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /@ac\.uk$/i) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /myabc\.com$/i) { (11,1) ... (11,1) } (11,1) } # bad_realms (updated) (11,1) preprocess (ok) (11,1) operator-name.authorize { (11,1) if ("%{client:Operator-Name}") { (11,1) EXPAND %{client:Operator-Name} (11,1) --> 1realm.ac.uk (11,1) update request { (11,1) EXPAND %{client:Operator-Name} (11,1) --> 1realm.ac.uk (11,1) &Operator-Name = 1realm.ac.uk (11,1) } # update request (noop) (11,1) } # if ("%{client:Operator-Name}") (noop) (11,1) } # operator-name.authorize (noop) (11,1) suffix - Checking for suffix after "@" (11,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (11,1) suffix - Found realm "realm.ac.uk" (11,1) suffix - Adding Stripped-User-Name = "testuser" (11,1) suffix - Adding Realm = "realm.ac.uk" (11,1) suffix - Authentication realm is LOCAL (11,1) suffix (ok) (11,1) if (&Realm) { (11,1) update control { (11,1) &control:Proxy-To-Realm := LOCAL (11,1) } # update control (noop) (11,1) } # if (&Realm) (noop) (11,1) else { (11,1) ... skipping else for request 11: Preceding "if" was taken (11,1) } (11,1) if (&Realm) { (11,1) if (&Stripped-User-Name != "") { (11,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (11,1) EXPAND %{tolower:%{Stripped-User-Name}} (11,1) --> testuser (11,1) ... (11,1) } (11,1) group { (11,1) check_blacklist (ok) (11,1) if (&control:Local-Banned-User) { (11,1) ... (11,1) } (11,1) else { (11,1) noop (noop) (11,1) } # else (noop) (11,1) } # group (ok) (11,1) } # if (&Stripped-User-Name != "") (ok) (11,1) } # if (&Realm) (ok) (11,1) eap - Peer sent EAP Response (code 2) ID 11 length 43 (11,1) eap - Continuing tunnel setup (11,1) eap (ok) (11,1) } # authorize (ok) (11,1) Using 'Auth-Type = eap' for authenticate {...} (11,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (11,1) Auth-Type eap { (11,1) eap - Peer sent packet with EAP method PEAP (25) (11,1) eap - Calling submodule eap_peap to process data (11,1) eap_peap - Continuing EAP-TLS (11,1) eap_peap - Got complete TLS record (37 bytes) (11,1) eap_peap - [eap-tls verify] = complete (11,1) eap_peap - Decrypted TLS application data (2 bytes) (11,1) eap_peap - [eap-tls process] = complete (11,1) eap_peap - Session established. Decoding tunneled data (11,1) eap_peap - PEAP state phase2 (11,1) eap_peap - EAP method MSCHAPv2 (26) (11,1) eap_peap - Got tunneled request (11,1) eap_peap - &EAP-Message = 0x020b00061a03 (11,1) eap_peap - Setting &request:User-Name from tunnel (protected) identity "testuser@realm" (11,1) eap_peap - Proxying tunneled request to virtual server "inner-tunnel" (11,1) Virtual server inner-tunnel received request (11,1) &EAP-Message = 0x020b00061a03 (11,1) &FreeRADIUS-Proxied-To = 127.0.0.1 (11,1) &User-Name = "testuser@realm" (11,1) WARNING: Outer and inner identities are the same. User privacy is compromised. (11,1) server inner-tunnel { (11,1) Running section authorize from file /etc/raddb/sites-enabled/inner-tunnel (11,1) authorize { (11,1) filter_username { (11,1) if (&User-Name) { (11,1) if (&User-Name =~ / /) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /@[^@]*@/ ) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /\.\./ ) { (11,1) ... (11,1) } (11,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /\.$/) { (11,1) ... (11,1) } (11,1) if (&User-Name =~ /@\./) { (11,1) ... (11,1) } (11,1) } # if (&User-Name) (notfound) (11,1) } # filter_username (notfound) (11,1) local_filter_inner_identity { (11,1) if (!&outer.request:User-Name || !&User-Name) { (11,1) ... (11,1) } (11,1) if (&outer.request:User-Name != &User-Name) { (11,1) ... (11,1) } (11,1) } # local_filter_inner_identity (notfound) (11,1) chap (noop) (11,1) if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) { (11,1) mschap-ds (noop) (11,1) } # if (&outer.request:User-Name =~ /@realm\.ac\.uk$/i) (noop) (11,1) elsif (&outer.request:User-Name =~ /@admin\.realm\.ac\.uk$/i) { (11,1) ... skipping elsif for request 11: Preceding "if" was taken (11,1) } (11,1) suffix - Checking for suffix after "@" (11,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (11,1) suffix - Found realm "realm.ac.uk" (11,1) suffix - Adding Stripped-User-Name = "testuser" (11,1) suffix - Adding Realm = "realm.ac.uk" (11,1) suffix - Authentication realm is LOCAL (11,1) suffix (ok) (11,1) if (&User-Name =~ /^@/) { (11,1) ... (11,1) } (11,1) if (!(&Stripped-User-Name)) { (11,1) ... (11,1) } (11,1) else { (11,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (11,1) EXPAND %{tolower:%{Stripped-User-Name}} (11,1) --> testuser (11,1) ... (11,1) } (11,1) } # else (ok) (11,1) group { (11,1) check_blacklist (ok) (11,1) if (&control:Local-Banned-User) { (11,1) ... (11,1) } (11,1) else { (11,1) noop (noop) (11,1) } # else (noop) (11,1) } # group (ok) (11,1) update control { (11,1) &control:Proxy-To-Realm := LOCAL (11,1) } # update control (noop) (11,1) eap - Peer sent EAP Response (code 2) ID 11 length 6 (11,1) eap - Continuing on-going EAP conversation (11,1) eap (updated) (11,1) files (noop) (11,1) expiration (noop) (11,1) logintime (noop) (11,1) pap (noop) (11,1) } # authorize (updated) (11,1) Using 'Auth-Type = eap' for authenticate {...} (11,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/inner-tunnel (11,1) Auth-Type eap { (11,1) eap - Peer sent packet with EAP method MSCHAPv2 (26) (11,1) eap - Calling submodule eap_mschapv2 to process data (11,1) eap - Sending EAP Success (code 3) ID 11 length 4 (11,1) eap - Cleaning up EAP session (11,1) eap (ok) (11,1) } # Auth-Type eap (ok) (11,1) Login OK: [testuser@realm] (from client wism13 port 0 via TLS tunnel) (11,1) Running section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (11,1) post-auth { (11,1) update reply { (11,1) &reply:Reply-Message := successful authentication (11,1) } # update reply (noop) (11,1) inner-tunnel-accept-log - Using default message (11,1) inner-tunnel-accept-log - EXPAND %S (%l) id %I INNER ACCEPT %{User-Name} cli %{%{outer.request:Calling-Station-Id}:--} outer-id %{outer.request:User-Name} auth-type %{outer.control:Auth-Type}/%{outer.request:EAP-Type} realm %{Realm} operator %{%{outer.request:Operator-Name}:--} client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) essid (%{%{outer.request:Called-Station-SSID}:--}) reply-msg '%{reply:Reply-Message}' (11,1) inner-tunnel-accept-log - --> 2016-11-25 15:17:51 (1480087071) id 11 INNER ACCEPT testuser@realm cli A4:D1:8C:E4:9F:22 outer-id testuser@realm.ac.uk auth-type eap/PEAP realm realm.ac.uk operator 1realm.ac.uk client Y.Y.Y.Y (wism13) essid (RADIUS-TEST) reply-msg 'successful authentication' (11,1) inner-tunnel-accept-log - EXPAND /var/log/radius/auth.log (11,1) inner-tunnel-accept-log - --> /var/log/radius/auth.log (11,1) inner-tunnel-accept-log (ok) (11,1) update { (11,1) &outer.session-state: += &reply:MS-MPPE-Encryption-Policy -> Encryption-Required (11,1) &outer.session-state: += &reply:MS-MPPE-Encryption-Types -> 4 (11,1) &outer.session-state: += &reply:MS-MPPE-Send-Key -> 0xd8d3d48df0050ef926fee45a7025a880 (11,1) &outer.session-state: += &reply:MS-MPPE-Recv-Key -> 0x1d3a468cf7a531c07677d5c70e683dd0 (11,1) &outer.session-state: += &reply:EAP-Message -> 0x030b0004 (11,1) &outer.session-state: += &reply:Message-Authenticator -> 0x00000000000000000000000000000000 (11,1) &outer.session-state: += &reply:Stripped-User-Name -> "testuser" (11,1) &outer.session-state: += &reply:Reply-Message -> "successful authentication" (11,1) } # update (noop) (11,1) update outer.session-state { (11,1) &outer.session-state:MS-MPPE-Encryption-Policy !* ANY (11,1) &outer.session-state:MS-MPPE-Encryption-Types !* ANY (11,1) &outer.session-state:MS-MPPE-Send-Key !* ANY (11,1) &outer.session-state:MS-MPPE-Recv-Key !* ANY (11,1) &outer.session-state:Message-Authenticator !* ANY (11,1) &outer.session-state:EAP-Message !* ANY (11,1) &outer.session-state:Proxy-State !* ANY (11,1) } # update outer.session-state (noop) (11,1) } # post-auth (ok) (11,1) } # server inner-tunnel (11,1) Virtual server sending reply (11,1) &MS-MPPE-Encryption-Policy = Encryption-Required (11,1) &MS-MPPE-Encryption-Types = 4 (11,1) &MS-MPPE-Send-Key = 0xd8d3d48df0050ef926fee45a7025a880 (11,1) &MS-MPPE-Recv-Key = 0x1d3a468cf7a531c07677d5c70e683dd0 (11,1) &EAP-Message = 0x030b0004 (11,1) &Message-Authenticator = 0x00000000000000000000000000000000 (11,1) &Stripped-User-Name = "testuser" (11,1) &Reply-Message := "successful authentication" (11,1) eap_peap - Got tunneled reply Access-Accept (11,1) eap_peap - &MS-MPPE-Encryption-Policy = Encryption-Required (11,1) eap_peap - &MS-MPPE-Encryption-Types = 4 (11,1) eap_peap - &MS-MPPE-Send-Key = 0xd8d3d48df0050ef926fee45a7025a880 (11,1) eap_peap - &MS-MPPE-Recv-Key = 0x1d3a468cf7a531c07677d5c70e683dd0 (11,1) eap_peap - &EAP-Message = 0x030b0004 (11,1) eap_peap - &Message-Authenticator = 0x00000000000000000000000000000000 (11,1) eap_peap - &Stripped-User-Name = "testuser" (11,1) eap_peap - &Reply-Message := "successful authentication" (11,1) eap_peap - Tunneled authentication was successful (11,1) eap_peap - SUCCESS (11,1) eap_peap - TLS application data to encrypt (11 bytes) (11,1) eap_peap - Sending complete TLS record (37 bytes) (11,1) eap - Sending EAP Request (code 1) ID 12 length 43 (11,1) eap (handled) (11,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (11,1) EXPAND Response-Packet-Type (11,1) --> Access-Challenge (11,1) attr_filter.access_challenge - EXPAND %{User-Name} (11,1) attr_filter.access_challenge - --> testuser@realm (11,1) attr_filter.access_challenge - Matched entry DEFAULT at line 12 (11,1) attr_filter.access_challenge.post-auth (updated) (11,1) handled (handled) (11,1) } # if (handled && (Response-Packet-Type == Access-Challenge)) (handled) (11,1) } # Auth-Type eap (handled) (11,1) Using Post-Auth-Type Challenge (11,1) Post-Auth-Type sub-section not found. Ignoring. (11,1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/default (11,1) Saving &session-state (11,1) &session-state:Stripped-User-Name += "testuser" (11,1) &session-state:Reply-Message += "successful authentication" (11,1) Sent Access-Challenge Id 87 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (11,1) EAP-Message = 0x010c002b1900170301002075fcd60b064f8189f89cd88d8ea3821c5e02316d81a985ae28e6772c0f91527a (11,1) Message-Authenticator = 0x00000000000000000000000000000000 (11,1) State = 0x0b0138003637b8d43b39393138ab9701 (11,1) Finished request Waking up in 4.8 seconds. (12) Received Access-Request Id 88 from Y.Y.Y.Y:32769 to X.X.X.X:1812 via em1 length 330 (12) User-Name = "testuser@realm" (12) Chargeable-User-Identity = 0x00 (12) Location-Capable = Civix-Location (12) Calling-Station-Id = "a4-d1-8c-e4-9f-22" (12) Called-Station-Id = "64-ae-0c-91-42-60:RADIUS-TEST" (12) NAS-Port = 13 (12) Cisco-AVPair = "audit-session-id=0a0c504f00ba906c5838561e" (12) Acct-Session-Id = "5838561e/a4:d1:8c:e4:9f:22/7846110" (12) NAS-IP-Address = Y.Y.Y.Y (12) NAS-Identifier = "WM13" (12) Airespace-Wlan-Id = 8 (12) Service-Type = Framed-User (12) Framed-MTU = 1300 (12) NAS-Port-Type = Wireless-802.11 (12) Tunnel-Type:0 = VLAN (12) Tunnel-Medium-Type:0 = IEEE-802 (12) Tunnel-Private-Group-Id:0 = "446" (12) EAP-Message = 0x020c002b190017030100205260e734aa19b0c57421ab4de8ee9119c043f03f0751f165dc6cc2a0f5157a8c (12) State = 0x0b0138003637b8d43b39393138ab9701 (12) Message-Authenticator = 0xa330d14becbcd2b557c3aeb3deb98ff4 (12,1) Restored &session-state (12,1) &session-state:Stripped-User-Name += "testuser" (12,1) &session-state:Reply-Message += "successful authentication" (12,1) Running section authorize from file /etc/raddb/sites-enabled/default (12,1) authorize { (12,1) local_rewrite_called_station_id { (12,1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (12,1) update request { (12,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (12,1) --> 64:AE:0C:91:42:60 (12,1) &Called-Station-Id := 64:AE:0C:91:42:60 (12,1) } # update request (noop) (12,1) if ("%{8}") { (12,1) EXPAND %{8} (12,1) --> RADIUS-TEST (12,1) update request { (12,1) EXPAND %{8} (12,1) --> RADIUS-TEST (12,1) &Called-Station-SSID := RADIUS-TEST (12,1) } # update request (noop) (12,1) } # if ("%{8}") (noop) (12,1) updated (updated) (12,1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) (updated) (12,1) else { (12,1) ... skipping else for request 12: Preceding "if" was taken (12,1) } (12,1) } # local_rewrite_called_station_id (updated) (12,1) local_rewrite_calling_station_id { (12,1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (12,1) update request { (12,1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (12,1) --> A4:D1:8C:E4:9F:22 (12,1) &Calling-Station-Id := A4:D1:8C:E4:9F:22 (12,1) } # update request (noop) (12,1) updated (updated) (12,1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) (updated) (12,1) else { (12,1) ... skipping else for request 12: Preceding "if" was taken (12,1) } (12,1) } # local_rewrite_calling_station_id (updated) (12,1) filter_username { (12,1) if (&User-Name) { (12,1) if (&User-Name =~ / /) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /@[^@]*@/ ) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /\.\./ ) { (12,1) ... (12,1) } (12,1) if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /\.$/) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /@\./) { (12,1) ... (12,1) } (12,1) } # if (&User-Name) (updated) (12,1) } # filter_username (updated) (12,1) bad_realms { (12,1) if (&User-Name =~ /\.ax\.uk$/i) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /@ac\.uk$/i) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /3gppnetwork\.org$/i) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) { (12,1) ... (12,1) } (12,1) if (&User-Name =~ /myabc\.com$/i) { (12,1) ... (12,1) } (12,1) } # bad_realms (updated) (12,1) preprocess (ok) (12,1) operator-name.authorize { (12,1) if ("%{client:Operator-Name}") { (12,1) EXPAND %{client:Operator-Name} (12,1) --> 1realm.ac.uk (12,1) update request { (12,1) EXPAND %{client:Operator-Name} (12,1) --> 1realm.ac.uk (12,1) &Operator-Name = 1realm.ac.uk (12,1) } # update request (noop) (12,1) } # if ("%{client:Operator-Name}") (noop) (12,1) } # operator-name.authorize (noop) (12,1) suffix - Checking for suffix after "@" (12,1) suffix - Looking up realm "realm.ac.uk" for User-Name = "testuser@realm" (12,1) suffix - Found realm "realm.ac.uk" (12,1) suffix - Adding Stripped-User-Name = "testuser" (12,1) suffix - Adding Realm = "realm.ac.uk" (12,1) suffix - Authentication realm is LOCAL (12,1) suffix (ok) (12,1) if (&Realm) { (12,1) update control { (12,1) &control:Proxy-To-Realm := LOCAL (12,1) } # update control (noop) (12,1) } # if (&Realm) (noop) (12,1) else { (12,1) ... skipping else for request 12: Preceding "if" was taken (12,1) } (12,1) if (&Realm) { (12,1) if (&Stripped-User-Name != "") { (12,1) if (&Stripped-User-Name != "%{tolower:%{Stripped-User-Name}}") { (12,1) EXPAND %{tolower:%{Stripped-User-Name}} (12,1) --> testuser (12,1) ... (12,1) } (12,1) group { (12,1) check_blacklist (ok) (12,1) if (&control:Local-Banned-User) { (12,1) ... (12,1) } (12,1) else { (12,1) noop (noop) (12,1) } # else (noop) (12,1) } # group (ok) (12,1) } # if (&Stripped-User-Name != "") (ok) (12,1) } # if (&Realm) (ok) (12,1) eap - Peer sent EAP Response (code 2) ID 12 length 43 (12,1) eap - Continuing tunnel setup (12,1) eap (ok) (12,1) } # authorize (ok) (12,1) Using 'Auth-Type = eap' for authenticate {...} (12,1) Running Auth-Type eap from file /etc/raddb/sites-enabled/default (12,1) Auth-Type eap { (12,1) eap - Peer sent packet with EAP method PEAP (25) (12,1) eap - Calling submodule eap_peap to process data (12,1) eap_peap - Continuing EAP-TLS (12,1) eap_peap - Got complete TLS record (37 bytes) (12,1) eap_peap - [eap-tls verify] = complete (12,1) eap_peap - Decrypted TLS application data (11 bytes) (12,1) eap_peap - [eap-tls process] = complete (12,1) eap_peap - Session established. Decoding tunneled data (12,1) eap_peap - PEAP state send tlv success (12,1) eap_peap - Received EAP-TLV response (12,1) eap_peap - Success (12,1) eap_peap - Adding session keys (12,1) eap_peap - &reply:MS-MPPE-Recv-Key = 0xc2b1108d6edcbaab7acbc6cb02381f392e459fecfbd849f9ec05ed541dcbd8ec (12,1) eap_peap - &reply:MS-MPPE-Send-Key = 0x71011003ab851c697e371755227994e8ab1ff5a15b2a5e4433273ac6b71b363e (12,1) eap_peap - &reply:EAP-MSK = 0xc2b1108d6edcbaab7acbc6cb02381f392e459fecfbd849f9ec05ed541dcbd8ec71011003ab851c697e371755227994e8ab1ff5a15b2a5e4433273ac6b71b363e (12,1) eap_peap - &reply:EAP-EMSK = 0x4d4889f2308cc16ca2dfb5c43fd14af93e7a927a9ab73d43433258508c312fa5d2774e063dd8d0ceb56bea3134b9fb99691718545b00139d8dc9e61bf277a526 (12,1) eap - Sending EAP Success (code 3) ID 12 length 4 (12,1) eap - Cleaning up EAP session (12,1) eap (ok) (12,1) if (handled && (Response-Packet-Type == Access-Challenge)) { (12,1) ... (12,1) } (12,1) } # Auth-Type eap (ok) (12,1) Login OK: [testuser@realm] (from client wism13 port 13 cli A4:D1:8C:E4:9F:22) (12,1) Running section post-auth from file /etc/raddb/sites-enabled/default (12,1) post-auth { (12,1) update { (12,1) &reply: += &session-state:Stripped-User-Name -> "testuser" (12,1) &reply: += &session-state:Reply-Message -> "successful authentication" (12,1) } # update (noop) (12,1) update reply { (12,1) &reply:Reply-Message := successful authentication (12,1) } # update reply (noop) (12,1) default-accept-log - Using default message (12,1) default-accept-log - EXPAND %S (%l) id %I DEFAULT ACCEPT %{User-Name} cli %{%{Calling-Station-Id}:--} auth-type %{control:Auth-Type}/%{EAP-Type} realm %{Realm} operator %{%{Operator-Name}:--} client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) essid (%{%{Called-Station-SSID}:--}) reply-msg '%{reply:Reply-Message}' (12,1) default-accept-log - --> 2016-11-25 15:17:51 (1480087071) id 88 DEFAULT ACCEPT testuser@realm cli A4:D1:8C:E4:9F:22 auth-type eap/PEAP realm realm.ac.uk operator 1realm.ac.uk client Y.Y.Y.Y (wism13) essid (RADIUS-TEST) reply-msg 'successful authentication' (12,1) default-accept-log - EXPAND /var/log/radius/auth.log (12,1) default-accept-log - --> /var/log/radius/auth.log (12,1) default-accept-log (ok) (12,1) exec (noop) (12,1) remove_reply_message_if_eap { (12,1) if (&reply:EAP-Message && &reply:Reply-Message) { (12,1) update reply { (12,1) &reply:Reply-Message !* ANY (12,1) } # update reply (noop) (12,1) } # if (&reply:EAP-Message && &reply:Reply-Message) (noop) (12,1) else { (12,1) ... skipping else for request 12: Preceding "if" was taken (12,1) } (12,1) } # remove_reply_message_if_eap (noop) (12,1) } # post-auth (ok) (12,1) Sent Access-Accept Id 88 from X.X.X.X:1812 to Y.Y.Y.Y:32769 via em1 length 0 (12,1) MS-MPPE-Recv-Key = 0xc2b1108d6edcbaab7acbc6cb02381f392e459fecfbd849f9ec05ed541dcbd8ec (12,1) MS-MPPE-Send-Key = 0x71011003ab851c697e371755227994e8ab1ff5a15b2a5e4433273ac6b71b363e (12,1) EAP-Message = 0x030c0004 (12,1) Message-Authenticator = 0x00000000000000000000000000000000 (12,1) Finished request Waking up in 4.8 seconds. ^CWaking up in 3.1 seconds.